---
- name: sshd write configuration block to sshd_config
  blockinfile:
    path: /etc/ssh/sshd_config
    insertbefore: BOF # Beginning of the file
    marker: "# {mark} ANSIBLE MANAGED BLOCK"
    block: |
      PermitRootLogin no
      PubkeyAuthentication yes
      AuthorizedKeysFile .ssh/authorized_keys
      PasswordAuthentication no
    backup: yes
    validate: /usr/sbin/sshd -T -f %s
  notify: Restart SSHD
...