Home Explore Help
Sign In
kotoyuuko
/
ansible-proxy
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 5053ace211
Branches Tags
ansible-proxy
/
roles
/
base
/
tasks
/
main.yml

main.yml 1.5 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869 
  1. ---
    2. 

  2. - name: Update apt cache
    3. 

  3.   ansible.builtin.apt:
    4. 

  4.     update_cache: yes
    5. 

  5.     cache_valid_time: 3600
    6. 

  6. 

  7. - name: Install base packages
    8. 

  8.   ansible.builtin.apt:
    9. 

  9.     name: "{{ base_packages }}"
    10. 

  10.     state: present
    11. 

  11. 

  12. - name: Deploy SSH hardening drop-in
    13. 

  13.   ansible.builtin.template:
    14. 

  14.     src: sshd-hardening.conf.j2
    15. 

  15.     dest: /etc/ssh/sshd_config.d/99-hardening.conf
    16. 

  16.     owner: root
    17. 

  17.     group: root
    18. 

  18.     mode: "0644"
    19. 

  19.   notify: reload ssh
    20. 

  20. 

  21. - name: Allow SSH through UFW
    22. 

  22.   community.general.ufw:
    23. 

  23.     rule: allow
    24. 

  24.     port: "{{ ssh_port }}"
    25. 

  25.     proto: tcp
    26. 

  26. 

  27. - name: Allow role-specific ports through UFW
    28. 

  28.   community.general.ufw:
    29. 

  29.     rule: allow
    30. 

  30.     port: "{{ item }}"
    31. 

  31.     proto: tcp
    32. 

  32.   loop: "{{ allowed_ports | default([]) }}"
    33. 

  33. 

  34. - name: Enable UFW
    35. 

  35.   community.general.ufw:
    36. 

  36.     state: enabled
    37. 

  37.     policy: deny
    38. 

  38.     direction: incoming
    39. 

  39. 

  40. - name: Configure fail2ban SSH jail
    41. 

  41.   ansible.builtin.copy:
    42. 

  42.     dest: /etc/fail2ban/jail.local
    43. 

  43.     content: |
    44. 

  44.       [sshd]
    45. 

  45.       enabled = true
    46. 

  46.       port = {{ ssh_port }}
    47. 

  47.       maxretry = 5
    48. 

  48.       bantime = 3600
    49. 

  49.       findtime = 600
    50. 

  50.     owner: root
    51. 

  51.     group: root
    52. 

  52.     mode: "0644"
    53. 

  53.   notify: restart fail2ban
    54. 

  54. 

  55. - name: Enable and start fail2ban
    56. 

  56.   ansible.builtin.systemd:
    57. 

  57.     name: fail2ban
    58. 

  58.     enabled: yes
    59. 

  59.     state: started
    60. 

  60. 

  61. - name: Configure unattended-upgrades
    62. 

  62.   ansible.builtin.copy:
    63. 

  63.     dest: /etc/apt/apt.conf.d/20auto-upgrades
    64. 

  64.     content: |
    65. 

  65.       APT::Periodic::Update-Package-Lists "1";
    66. 

  66.       APT::Periodic::Unattended-Upgrade "1";
    67. 

  67.     owner: root
    68. 

  68.     group: root
    69. 

  69.     mode: "0644"
    70.