---
# roles/common_secure/tasks/main.yml

# Full package upgrade, gated by common_full_upgrade; a reboot is requested
# through the "reboot system" handler (defined outside this file).
- name: Upgrade system packages
  ansible.builtin.apt:
    upgrade: full
    update_cache: true
  notify: reboot system
  when:
    - common_full_upgrade
# Install the ufw package when the firewall is enabled for this host.
- name: Install UFW Firewall
  when:
    - common_firewall_enabled
  ansible.builtin.apt:
    state: present
    name: ufw
# Turn ufw on with logging.  NOTE(review): this runs before the rule tasks
# further down; if the default incoming policy already denies and no SSH
# rule exists yet, the controller's own connection may be cut — confirm the
# ordering against the hosts this role targets.
- name: Enable UFW
  when:
    - common_firewall_enabled
  community.general.ufw:
    logging: "on"
    state: enabled
# "Disable" here means the ufw package is removed entirely (apt state
# absent), not merely switched off.
- name: Disable UFW Firewall
  when:
    - not common_firewall_enabled
  ansible.builtin.apt:
    state: absent
    name: ufw
# NOTE(review): `default` sets ufw's default policy for a direction, while
# `src` is a per-rule option.  If the module ignores `src` for default-policy
# changes, this task sets the global incoming policy to allow, not a
# LAN-scoped exception — confirm against the module version in use; a
# `rule: allow` / `direction: in` / `src:` rule would express the stated
# intent unambiguously.
- name: Allow all incoming connections from LAN by default
  when:
    - common_firewall_allow_internal_incoming
  community.general.ufw:
    direction: incoming
    default: allow
    src: "{{ common_firewall_internal_subnet }}"
# Default-reject for incoming traffic, intended to be scoped to the WAN
# interface.  NOTE(review): as with the LAN task above, `default` is a
# policy-level option and `interface` a rule-level one; verify whether the
# module honours `interface` here, since a global `default reject incoming`
# would also override the LAN allow applied just before this task.
- name: Reject incoming connections on WAN interface by default
  when: common_firewall_reject and common_firewall_enabled and common_firewall_wan_interface
  community.general.ufw:
    direction: incoming
    default: reject
    interface: "{{ common_firewall_wan_interface }}"
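# Apply each entry of common_firewall as a ufw rule.  Per entry, `port` is
# required; `rule`, `direction`, `protocol`, `interface`, `state` and
# `comment` are optional and default as shown below.
- name: Configure firewall rules
  community.general.ufw:
    port: "{{ rule.port }}"
    rule: "{{ rule.rule | default('allow') }}"
    direction: "{{ rule.direction | default('in') }}"
    proto: "{{ rule.protocol | default('tcp') }}"
    # Bind to an interface only when one is given and it is not "all".
    # The guard uses a default so entries without `interface` do not fail
    # on an undefined attribute.
    interface: "{{ rule.interface if (rule.interface | default('all')) != 'all' else omit }}"
    # `state` is optional; only entries explicitly marked absent are deleted.
    delete: "{{ true if (rule.state | default('present')) == 'absent' else omit }}"
    # Jinja does not expand `{{ }}` inside a string literal, so the fallback
    # comment is built with `~` concatenation.
    comment: "{{ rule.comment | default('Custom rule for port ' ~ rule.port ~ ' on ' ~ (rule.interface | default('all'))) }}"
  loop: "{{ common_firewall | default([]) }}"
  loop_control:
    loop_var: rule
  when:
    - common_firewall_enabled
    - common_firewall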
# Make sure sudo is present; the cache is refreshed first.
- name: Install sudo
  ansible.builtin.apt:
    update_cache: true
    state: present
    name: sudo
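# Force key-only authentication by pinning PasswordAuthentication in
# sshd_config.  NOTE(review): sshd takes the first value it sees for a
# directive; if the target's sshd_config includes a drop-in directory ahead
# of this line, a drop-in setting wins — confirm on the target image.
- name: Configure SSH to disallow passwords
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: "{{ ssh_config_entry.regexp }}"
    line: "{{ ssh_config_entry.line }}"
    state: present
    # Refuse to write a config sshd cannot parse: a broken sshd_config
    # followed by the restart handler would lock out every SSH-based run.
    validate: /usr/sbin/sshd -t -f %s
  loop:
    - { regexp: "^PasswordAuthentication", line: "PasswordAuthentication no" }
  loop_control:
    loop_var: ssh_config_entry
  notify: restart ssh
  when: common_ssh_configure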
# Install every file under the role's files/ directory as an authorized
# key for root.  The glob is `*`, so any file dropped into that directory
# becomes a root login credential — keep the directory under review and
# consider narrowing the pattern to public keys only.
- name: Add authorized ssh keys for root
  loop: "{{ lookup('fileglob', '../files/*', wantlist=True) }}"
  loop_control:
    loop_var: ssh_key_file
  ansible.posix.authorized_key:
    state: present
    user: root
    key: "{{ lookup('file', ssh_key_file) }}"
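# Lock root's password unless common_lock_root is explicitly set to a
# false value; an undefined variable means "lock".  Real booleans are
# passed instead of 'yes'/'no' strings (yamllint `truthy`).
- name: Lock the root account
  ansible.builtin.user:
    name: root
    password_lock: "{{ false if (common_lock_root is defined and not common_lock_root) else true }}"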