Update config to use upstreams order and add link to Mozilla guidelines

templates/sshd_config.conf.j2

-# MANAGED BY ANSIBLE
-# EVERY CHANGE WILL BE PURGED
-
 {% for item in sshd_ports %}
 Port {{ item }}
 {% endfor %}
 
-#AddressFamily any
 {% for item in sshd_listen_addresses %}
 ListenAddress {{ item }}
 {% endfor %}
@@ -30,16 +26,26 @@ TCPKeepAlive yes
 # Allow client to pass locale environment variables
 AcceptEnv LANG LC_*
 
-###### EVERYTHING BELOW IS SUGGESTED BY MOZILLA ######
-
-LogLevel VERBOSE
+######## EVERYTHING BELOW IS SUGGESTED BY MOZILLA #########
+# See https://infosec.mozilla.org/guidelines/openssh.html #
 
+# Supported HostKey algorithms by order of preference.
 HostKey /etc/ssh/ssh_host_ed25519_key
 HostKey /etc/ssh/ssh_host_rsa_key
 HostKey /etc/ssh/ssh_host_ecdsa_key
 
-Subsystem       sftp    /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO
-
 KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
+
 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+
 MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+
+# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in.
+LogLevel VERBOSE
+
+# Log sftp level file access (read/write/etc.) that would not be easily logged otherwise.
+Subsystem sftp  /usr/lib/ssh/sftp-server -f AUTHPRIV -l INFO
+
+# Use kernel sandbox mechanisms where possible in unprivileged processes
+# Systrace on OpenBSD, Seccomp on Linux, seatbelt on MacOSX/Darwin, rlimit elsewhere.
+UsePrivilegeSeparation sandbox