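---
# Baseline hardening tasks for an apt-based host: refresh packages, install
# the SSH drop-in, open the firewall for SSH before enabling it, configure
# fail2ban, and turn on unattended upgrades.
# Expects the variables `base_packages`, `ssh_port` and (optionally)
# `allowed_ports`, and the handlers `restart sshd` and `restart fail2ban`,
# to be defined elsewhere in the role.

- name: Update apt cache
  ansible.builtin.apt:
    update_cache: true
    cache_valid_time: 3600

- name: Install base packages
  ansible.builtin.apt:
    name: "{{ base_packages }}"
    state: present

- name: Deploy SSH hardening drop-in
  ansible.builtin.template:
    src: sshd-hardening.conf.j2
    dest: /etc/ssh/sshd_config.d/99-hardening.conf
    owner: root
    group: root
    mode: "0644"
    # The module substitutes the path of the rendered temporary file for %s
    # and fails if the command has no %s, so the drop-in is syntax-checked
    # before it replaces the live file.
    validate: "sshd -t -f %s"
  notify: restart sshd

# The SSH allow rule is added before UFW is enabled with a deny-incoming
# default so the managing session is not locked out.
- name: Allow SSH through UFW
  community.general.ufw:
    rule: allow
    port: "{{ ssh_port }}"
    proto: tcp

- name: Allow role-specific ports through UFW
  community.general.ufw:
    rule: allow
    port: "{{ item }}"
    proto: tcp
  # Empty list when a host declares no extra ports.
  loop: "{{ allowed_ports | default([]) }}"

- name: Enable UFW
  community.general.ufw:
    state: enabled
    policy: deny
    direction: incoming

- name: Configure fail2ban SSH jail
  ansible.builtin.copy:
    dest: /etc/fail2ban/jail.local
    # The jail watches the same port the SSH allow rule opened above.
    content: |
      [sshd]
      enabled = true
      port = {{ ssh_port }}
      maxretry = 5
      bantime = 3600
      findtime = 600
    owner: root
    group: root
    mode: "0644"
  notify: restart fail2ban

- name: Enable and start fail2ban
  ansible.builtin.systemd:
    name: fail2ban
    enabled: true
    state: started

- name: Configure unattended-upgrades
  ansible.builtin.copy:
    dest: /etc/apt/apt.conf.d/20auto-upgrades
    content: |
      APT::Periodic::Update-Package-Lists "1";
      APT::Periodic::Unattended-Upgrade "1";
    owner: root
    group: root
    mode: "0644"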