--- # roles/common_secure/tasks/main.yml - name: Upgrade system packages ansible.builtin.apt: update_cache: true upgrade: full when: common_full_upgrade notify: reboot system - name: Install UFW Firewall ansible.builtin.apt: name: ufw state: present when: common_firewall_enabled - name: Enable UFW community.general.ufw: state: enabled logging: "on" when: common_firewall_enabled - name: Disable UFW Firewall ansible.builtin.apt: name: ufw state: absent when: not common_firewall_enabled - name: Allow all incoming connections from LAN by default community.general.ufw: default: allow direction: incoming src: "{{ common_firewall_internal_subnet }}" when: "common_firewall_allow_internal_incoming" - name: Reject incoming connections on WAN interface by default community.general.ufw: default: reject direction: incoming interface: "{{ common_firewall_wan_interface }}" when: - common_firewall_reject - common_firewall_enabled - common_firewall_wan_interface - name: Configure firewall rules community.general.ufw: port: "{{ rule.port }}" rule: "{{ rule.rule | default('allow') }}" delete: "{{ true if rule.state == 'absent' else omit | default(omit) }}" direction: "{{ rule.direction | default('in') }}" proto: "{{ rule.protocol | default('tcp') }}" interface: "{{ rule.interface if rule.interface != 'all' else omit | default(omit) }}" comment: "{{ rule.comment | default('Custom rule for port {{ rule.port }} on {{ rule.interface }}') }}" loop: "{{ common_firewall | default([]) }}" loop_control: loop_var: rule when: - common_firewall_enabled - common_firewall - name: Install sudo ansible.builtin.apt: pkg: sudo update_cache: true state: present - name: Configure SSH to disallow passwords ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: "{{ ssh_config_entry.regexp }}" line: "{{ ssh_config_entry.line }}" state: present loop: - { regexp: "^PasswordAuthentication", line: "PasswordAuthentication no" } loop_control: loop_var: ssh_config_entry notify: restart ssh when: common_ssh_configure - name: Add authorized ssh keys for root ansible.posix.authorized_key: user: root state: present key: "{{ lookup('file', ssh_key_file) }}" loop: "{{ query('fileglob', '../files/*') }}" loop_control: loop_var: ssh_key_file - name: Lock the root account ansible.builtin.user: name: root password_lock: "{{ 'no' if common_lock_root is defined and not common_lock_root else 'yes' }}"