ansible-common/roles/secure/tasks/main.yml
2024-01-06 17:46:48 +01:00

99 lines
2.4 KiB
YAML

---
# roles/common_secure/tasks/main.yml
- name: Upgrade system packages
ansible.builtin.apt:
update_cache: true
upgrade: full
when: common_full_upgrade
- name: Install UFW Firewall
ansible.builtin.apt:
name: ufw
# update_cache: true
state: present
when: common_firewall_enable
- name: Enable UFW
community.general.ufw:
state: enabled
logging: 'on'
when: common_firewall_enable
- name: Disable UFW Firewall
ansible.builtin.apt:
name: ufw
state: absent
when: not common_firewall_enable
- name: Reject incoming connections by default
community.general.ufw:
policy: reject
comment: 'Reject all by default'
when: common_firewall_reject and common_firewall_enable
- name: Allow SSH Connections
community.general.ufw:
rule: limit
port: ssh
proto: tcp
comment: 'Allow SSH'
when: common_firewall_ssh and common_firewall_enable
- name: Allow HTTPS Connections
community.general.ufw:
rule: allow
port: https
proto: tcp
comment: 'Allow HTTPS'
when: common_firewall_https and common_firewall_enable
- name: Allow HTTP Connections
community.general.ufw:
rule: allow
port: http
proto: tcp
comment: 'Allow HTTP'
when: common_firewall_http and common_firewall_enable
- name: Configure SSH to disallow passwords
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
regexp: "{{ ssh_config_entry.regexp }}"
line: "{{ ssh_config_entry.line }}"
state: present
loop:
- { regexp: '^PasswordAuthentication', line: 'PasswordAuthentication no' }
loop_control:
loop_var: ssh_config_entry
notify: restart ssh
when: common_ssh_configure
- name: Add authorized ssh keys for root
ansible.posix.authorized_key:
user: root
state: present
key: "{{ lookup('file', ssh_key_file) }}"
loop: "{{ query('fileglob', '../files/*') }}"
loop_control:
loop_var: ssh_key_file
- name: Lock the root account
ansible.builtin.user:
name: root
password_lock: "{{ 'no' if common_lock_root is defined and not common_lock_root else 'yes' }}"
# - name: Configure SSH to disallow root login
# ansible.builtin.lineinfile:
# path: /etc/ssh/sshd_config
# regexp: '^PermitRootLogin'
# line: 'PermitRootLogin no'
# state: present
# notify: restart ssh
# when: common_ssh_configure
# - name: Disable root shell
# ansible.builtin.user:
# name: root
# shell: /usr/sbin/nologin
# when: common_disable_root