---
- name: "Add backup user"
  ansible.builtin.user:
    name: backup
    comment: Backup user
    shell: /bin/bash

- name: "Dsiable service user"
  ansible.builtin.user:
    name: service-user
    state: present
    password_lock: true
    shell: "/sbin/nologin"

- name: Undefine AllowUsers
  lineinfile:
    state: absent
    path: /etc/ssh/sshd_config
    line: "AllowUsers tormakris ansible service-user"

- name: Check if AllowUsers is defined
  lineinfile:
    state: absent
    path: /etc/ssh/sshd_config
    regexp: "^AllowUsers"
  check_mode: true
  changed_when: false
  register: checkallowusers

- name: Define AllowUsers if undefined
  lineinfile:
    state: present
    path: /etc/ssh/sshd_config
    line: "AllowUsers tormakris ansible backup"
  when: checkallowusers.found == 0

- name: "Restart sshd"
  service:
    name: sshd
    state: restarted

- name: Create .ssh directory of backup user
  file:
    path: /home/backup/.ssh
    state: directory

- name: Copy authorized_keys
  copy:
    src: authorized_keys
    dest: /home/backup/.ssh/authorized_keys
    mode: 0600
    owner: backup
    group: backup

- name: Copy ssh config
  copy:
    src: ssh_config
    dest: /home/backup/.ssh/config
    mode: 0600
    owner: backup
    group: backup
...