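---
# roles/common_secure/tasks/main.yml
#
# Baseline hardening for apt-based hosts: full package upgrade, a UFW host
# firewall, password-less SSH, root authorized keys and a locked root
# password. Every step is gated by a common_* role variable.
#
# The UFW tasks are ordered so that the default policy and the allow rules
# are written while the firewall is still disabled, and UFW is only enabled
# after the SSH rule exists. Enabling first (as a deny-by-default firewall)
# risks cutting the controller's own SSH session off mid-role, and would
# leave the host unreachable if common_firewall_ssh were false.

- name: Upgrade system packages
  ansible.builtin.apt:
    update_cache: true
    upgrade: full
  when: common_full_upgrade

- name: Install UFW Firewall
  ansible.builtin.apt:
    name: ufw
    # update_cache: true
    state: present
  when: common_firewall_enable

- name: Reject incoming connections by default
  community.general.ufw:
    # Explicit direction: this policy is meant for inbound traffic only.
    direction: incoming
    policy: reject
    comment: 'Reject all by default'
  when: common_firewall_reject and common_firewall_enable

- name: Allow SSH Connections
  community.general.ufw:
    # "limit" rate-limits new connections per source, which slows down
    # password/key brute forcing without blocking legitimate access.
    rule: limit
    port: ssh
    proto: tcp
    comment: 'Allow SSH'
  when: common_firewall_ssh and common_firewall_enable

- name: Allow HTTPS Connections
  community.general.ufw:
    rule: allow
    port: https
    proto: tcp
    comment: 'Allow HTTPS'
  when: common_firewall_https and common_firewall_enable

- name: Allow HTTP Connections
  community.general.ufw:
    rule: allow
    port: http
    proto: tcp
    comment: 'Allow HTTP'
  when: common_firewall_http and common_firewall_enable

- name: Enable UFW
  # Deliberately the last firewall task: the policy and rules above are
  # already in place when the firewall comes up.
  community.general.ufw:
    state: enabled
    logging: 'on'
  when: common_firewall_enable

- name: Disable UFW Firewall
  ansible.builtin.apt:
    name: ufw
    state: absent
  when: not common_firewall_enable

- name: Configure SSH to disallow passwords
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: "{{ ssh_config_entry.regexp }}"
    line: "{{ ssh_config_entry.line }}"
    state: present
    # sshd uses the first value it reads for a keyword, so when no existing
    # (uncommented) directive matches, insert at the top of the file rather
    # than appending at EOF, where the line could land inside a trailing
    # Match block or after an Include that already sets the keyword.
    # NOTE(review): an uncommented directive that sits below an
    # "Include /etc/ssh/sshd_config.d/*.conf" line is replaced in place and
    # can still be overridden by a drop-in; verify on hosts that use one.
    insertbefore: BOF
    # Refuse to write a config sshd cannot parse: a broken sshd_config plus
    # the restart handler would lock every SSH user out of the host.
    validate: '/usr/sbin/sshd -t -f %s'
  loop:
    - { regexp: '^PasswordAuthentication', line: 'PasswordAuthentication no' }
    # Also close the keyboard-interactive (PAM) path, through which password
    # prompts can otherwise survive PasswordAuthentication no.
    - { regexp: '^KbdInteractiveAuthentication', line: 'KbdInteractiveAuthentication no' }
  loop_control:
    loop_var: ssh_config_entry
  notify: restart ssh
  when: common_ssh_configure

- name: Add authorized ssh keys for root
  # Installs every file under this role's files/ directory as a root
  # authorized key, unconditionally (no common_* gate). Keep that directory
  # limited to public keys: a file that is not a valid key fails the task.
  ansible.posix.authorized_key:
    user: root
    state: present
    key: "{{ lookup('file', ssh_key_file) }}"
  loop: "{{ query('fileglob', '../files/*') }}"
  loop_control:
    loop_var: ssh_key_file

- name: Lock the root account
  # Locks the root *password* only; key-based root SSH logins set up above
  # keep working. Defaults to locked when common_lock_root is unset.
  # The "| bool" also honours string values such as -e common_lock_root=false,
  # which a plain "not common_lock_root" would treat as truthy.
  ansible.builtin.user:
    name: root
    password_lock: "{{ common_lock_root | default(true) | bool }}"

# - name: Configure SSH to disallow root login
#   ansible.builtin.lineinfile:
#     path: /etc/ssh/sshd_config
#     regexp: '^PermitRootLogin'
#     line: 'PermitRootLogin no'
#     state: present
#   notify: restart ssh
#   when: common_ssh_configure

# - name: Disable root shell
#   ansible.builtin.user:
#     name: root
#     shell: /usr/sbin/nologin
#   when: common_disable_root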