ansible-common/roles/secure/tasks/main.yml

---
# roles/common_secure/tasks/main.yml

- name: Upgrade system packages
  ansible.builtin.apt:
    update_cache: true
    upgrade: full
  when: common_full_upgrade
  notify: reboot system

- name: Install UFW Firewall
  ansible.builtin.apt:
    name: ufw
    state: present
  when: common_firewall_enable

- name: Enable UFW
  community.general.ufw:
    state: enabled
    logging: "on"
  when: common_firewall_enable

- name: Disable UFW Firewall
  ansible.builtin.apt:
    name: ufw
    state: absent
  when: not common_firewall_enable

- name: Reject incoming connections on WAN interface by default
  community.general.ufw:
    default: reject
    direction: incoming
    interface: "{{ common_firewall_wan_interface }}"
  when:
    - common_firewall_reject
    - common_firewall_enable
    - common_firewall_wan_interface

- name: Configure firewall rules
  community.general.ufw:
    port: "{{ rule.port }}"
    rule: "{{ rule.state | default('allow') }}"
    proto: "{{ rule.protocol | default('tcp') }}"
    interface: "{{ rule.interface if rule.interface != 'all' else omit }}"
    comment: "{{ rule.comment | default('Custom rule for port {{ rule.port }} on {{ rule.interface }}') }}"
  loop: "{{ common_firewall | default([]) }}"
  loop_control:
    loop_var: rule
  when: common_firewall_enable

- name: Install sudo
  ansible.builtin.apt:
    pkg: sudo
    update_cache: true
    state: present

- name: Configure SSH to disallow passwords
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: "{{ ssh_config_entry.regexp }}"
    line: "{{ ssh_config_entry.line }}"
    state: present
  loop:
    - { regexp: "^PasswordAuthentication", line: "PasswordAuthentication no" }
  loop_control:
    loop_var: ssh_config_entry
  notify: restart ssh
  when: common_ssh_configure

- name: Add authorized ssh keys for root
  ansible.posix.authorized_key:
    user: root
    state: present
    key: "{{ lookup('file', ssh_key_file) }}"
  loop: "{{ query('fileglob', '../files/*') }}"
  loop_control:
    loop_var: ssh_key_file

- name: Lock the root account
  ansible.builtin.user:
    name: root
    password_lock: "{{ 'no' if common_lock_root is defined and not common_lock_root else 'yes' }}"
Initial Commit 2024-01-06 16:46:48 +00:00			`---`
			`# roles/common_secure/tasks/main.yml`

			`- name: Upgrade system packages`
			`ansible.builtin.apt:`
			`update_cache: true`
			`upgrade: full`
			`when: common_full_upgrade`
[a] better firewall rule defining 2024-10-16 19:16:11 +00:00			`notify: reboot system`
Initial Commit 2024-01-06 16:46:48 +00:00
			`- name: Install UFW Firewall`
			`ansible.builtin.apt:`
			`name: ufw`
			`state: present`
			`when: common_firewall_enable`

			`- name: Enable UFW`
			`community.general.ufw:`
			`state: enabled`
[a] better firewall rule defining 2024-10-16 19:16:11 +00:00			`logging: "on"`
Initial Commit 2024-01-06 16:46:48 +00:00			`when: common_firewall_enable`

			`- name: Disable UFW Firewall`
			`ansible.builtin.apt:`
			`name: ufw`
			`state: absent`
			`when: not common_firewall_enable`

[a] better firewall rule defining 2024-10-16 19:16:11 +00:00			`- name: Reject incoming connections on WAN interface by default`
Initial Commit 2024-01-06 16:46:48 +00:00			`community.general.ufw:`
[a] better firewall rule defining 2024-10-16 19:16:11 +00:00			`default: reject`
			`direction: incoming`
			`interface: "{{ common_firewall_wan_interface }}"`
			`when:`
			`- common_firewall_reject`
			`- common_firewall_enable`
			`- common_firewall_wan_interface`
Initial Commit 2024-01-06 16:46:48 +00:00
[a] better firewall rule defining 2024-10-16 19:16:11 +00:00			`- name: Configure firewall rules`
Initial Commit 2024-01-06 16:46:48 +00:00			`community.general.ufw:`
[a] better firewall rule defining 2024-10-16 19:16:11 +00:00			`port: "{{ rule.port }}"`
			`rule: "{{ rule.state \| default('allow') }}"`
			`proto: "{{ rule.protocol \| default('tcp') }}"`
			`interface: "{{ rule.interface if rule.interface != 'all' else omit }}"`
			`comment: "{{ rule.comment \| default('Custom rule for port {{ rule.port }} on {{ rule.interface }}') }}"`
			`loop: "{{ common_firewall \| default([]) }}"`
			`loop_control:`
			`loop_var: rule`
			`when: common_firewall_enable`
Initial Commit 2024-01-06 16:46:48 +00:00
Install sudo on hosts using common.secure role 2024-01-23 14:18:28 +00:00			`- name: Install sudo`
			`ansible.builtin.apt:`
			`pkg: sudo`
			`update_cache: true`
			`state: present`

Initial Commit 2024-01-06 16:46:48 +00:00			`- name: Configure SSH to disallow passwords`
			`ansible.builtin.lineinfile:`
			`path: /etc/ssh/sshd_config`
			`regexp: "{{ ssh_config_entry.regexp }}"`
			`line: "{{ ssh_config_entry.line }}"`
			`state: present`
			`loop:`
[a] better firewall rule defining 2024-10-16 19:16:11 +00:00			`- { regexp: "^PasswordAuthentication", line: "PasswordAuthentication no" }`
Initial Commit 2024-01-06 16:46:48 +00:00			`loop_control:`
			`loop_var: ssh_config_entry`
			`notify: restart ssh`
			`when: common_ssh_configure`

			`- name: Add authorized ssh keys for root`
			`ansible.posix.authorized_key:`
			`user: root`
			`state: present`
			`key: "{{ lookup('file', ssh_key_file) }}"`
			`loop: "{{ query('fileglob', '../files/*') }}"`
			`loop_control:`
			`loop_var: ssh_key_file`

			`- name: Lock the root account`
			`ansible.builtin.user:`
			`name: root`
			`password_lock: "{{ 'no' if common_lock_root is defined and not common_lock_root else 'yes' }}"`