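---
# Base host hardening tasks: refresh apt, install packages, lock down sshd,
# bring up UFW with a default-deny inbound policy, and configure fail2ban.
#
# Expected from the enclosing play/role (not defined in this file):
#   - handler `restart sshd`
#   - vars `host_base_packages`, `fail2ban_backend`, optionally `ufw_allow`
#     (a list of {port, proto?, from?} mappings).

- name: Update apt cache
  apt:
    update_cache: true
    cache_valid_time: 0  # 0 forces a refresh on every run

- name: Install base packages
  apt:
    name: "{{ host_base_packages }}"
    state: present

# NOTE(review): on hosts whose sshd_config starts with
# `Include /etc/ssh/sshd_config.d/*.conf`, a drop-in there that sets the same
# directive takes precedence over the edited line (sshd keeps the first value
# it sees). Confirm the effective setting with `sshd -T` after the play.
- name: Disable SSH password authentication
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: "^#?PasswordAuthentication"
    line: "PasswordAuthentication no"
    # Refuse to write a file sshd cannot parse; a broken sshd_config would
    # otherwise lock out remote access on the next restart.
    validate: "sshd -t -f %s"
  notify: restart sshd

- name: Disable SSH root login
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: "^#?PermitRootLogin"
    line: "PermitRootLogin no"
    validate: "sshd -t -f %s"
  notify: restart sshd

# The SSH allow rule is deliberately added before UFW is enabled with a
# default-deny inbound policy, so enabling the firewall cannot cut the
# Ansible session off.
- name: Allow SSH through UFW
  community.general.ufw:
    rule: allow
    port: "22"
    proto: tcp

- name: Allow additional UFW ports
  community.general.ufw:
    rule: allow
    port: "{{ item.port }}"
    proto: "{{ item.proto | default('tcp') }}"
    from_ip: "{{ item.from | default('any') }}"  # unrestricted source unless set
  loop: "{{ ufw_allow | default([]) }}"

- name: Enable UFW with default deny
  community.general.ufw:
    state: enabled
    default: deny
    direction: incoming

# Only the backend is set here; jail selection is left to the distribution's
# defaults and any other drop-ins on the host.
- name: Configure fail2ban backend
  copy:
    dest: /etc/fail2ban/jail.local
    content: |
      [DEFAULT]
      backend = {{ fail2ban_backend }}
    owner: root
    group: root
    mode: "0644"

# `restarted` restarts the service on every run (not idempotent); it is kept
# because the copy task above has no handler to apply a backend change.
- name: Ensure fail2ban is running
  service:
    name: fail2ban
    state: restarted
    enabled: true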