init

ansible/roles/host/tasks/setup-base.yml

@@ -0,0 +1,69 @@
+---
+-
+    name: Update apt cache
+    apt:
+        update_cache: yes
+        cache_valid_time: 0
+
+-
+    name: Install base packages
+    apt:
+        name: "{{ host_base_packages }}"
+        state: present
+
+-
+    name: Disable SSH password authentication
+    lineinfile:
+        path: /etc/ssh/sshd_config
+        regexp: "^#?PasswordAuthentication"
+        line: "PasswordAuthentication no"
+    notify: restart sshd
+
+-
+    name: Disable SSH root login
+    lineinfile:
+        path: /etc/ssh/sshd_config
+        regexp: "^#?PermitRootLogin"
+        line: "PermitRootLogin no"
+    notify: restart sshd
+
+-
+    name: Allow SSH through UFW
+    community.general.ufw:
+        rule: allow
+        port: "22"
+        proto: tcp
+
+-
+    name: Allow additional UFW ports
+    community.general.ufw:
+        rule: allow
+        port: "{{ item.port }}"
+        proto: "{{ item.proto | default('tcp') }}"
+        from_ip: "{{ item.from | default('any') }}"
+    loop: "{{ ufw_allow | default([]) }}"
+
+-
+    name: Enable UFW with default deny
+    community.general.ufw:
+        state: enabled
+        default: deny
+        direction: incoming
+
+-
+    name: Configure fail2ban backend
+    copy:
+        dest: /etc/fail2ban/jail.local
+        content: |
+            [DEFAULT]
+            backend = {{ fail2ban_backend }}
+        owner: root
+        group: root
+        mode: "0644"
+
+-
+    name: Ensure fail2ban is running
+    service:
+        name: fail2ban
+        state: restarted
+        enabled: yes