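---
# Baseline hardening applied to every host by the `common` role:
# apt cache refresh, sshd config, UFW firewall, fail2ban, systemd-resolved DNS.
#
# Conventions: module arguments are block YAML (no key=value strings), module
# names are fully qualified, booleans are true/false. Config files are copied
# with `register` so the matching service is restarted only when the file
# actually changed instead of on every run.

# apt cache
- name: update apt cache
  ansible.builtin.apt:
    update_cache: true
    cache_valid_time: 3600  # seconds; the refresh is skipped if the cache is newer

# SSH
# `src` is relative to the role's files/ directory, so ../templates/ resolves
# to roles/common/templates/ (layout kept as-is).
- name: Copy sshd_config
  ansible.builtin.copy:
    src: ../templates/sshd_config
    dest: /etc/ssh/sshd_config
    owner: root
    group: root
    mode: "u=rw,g=r,o=r"
    # Refuse to install a config sshd cannot parse: an unparseable sshd_config
    # followed by the restart below would lock us out of the host.
    validate: /usr/sbin/sshd -t -f %s
  register: sshd_config_copy

- name: ensure sshd is enabled and running
  ansible.builtin.service:
    name: sshd
    state: started
    enabled: true

- name: restart sshd when its config changed
  ansible.builtin.service:
    name: sshd
    state: restarted
  when: sshd_config_copy.changed

# FIREWALL
- name: install UFW
  ansible.builtin.apt:
    name: ufw
    state: latest

# Order matters: the SSH allow rule must exist before the firewall is enabled
# with a deny-incoming default, otherwise this run can cut off its own session.
# The deny default is written explicitly rather than relying on the distro's
# shipped ufw defaults.
- name: deny incoming traffic by default
  community.general.ufw:
    default: deny
    direction: incoming

- name: allow ssh from everywhere
  community.general.ufw:
    rule: allow
    name: OpenSSH

- name: enable ufw
  community.general.ufw:
    state: enabled

# The ufw module applies rules to the live firewall; this only makes sure the
# unit comes back at boot, so no restart on every run.
- name: ensure ufw service is enabled at boot
  ansible.builtin.service:
    name: ufw
    state: started
    enabled: true

# FAIL2BAN
- name: install fail2ban
  ansible.builtin.apt:
    name: fail2ban
    state: latest

# Site settings go in jail.local, which fail2ban reads on top of the packaged
# jail.conf; jail.conf is a package conffile and is meant to stay untouched so
# package upgrades (state: latest above) do not fight over it.
- name: Copy jail.conf as jail.local
  ansible.builtin.copy:
    src: ../templates/jail.conf
    dest: /etc/fail2ban/jail.local
    owner: root
    group: root
    mode: "u=rw,g=r,o=r"
  register: fail2ban_jail_copy

- name: ensure fail2ban is enabled and running
  ansible.builtin.service:
    name: fail2ban
    state: started
    enabled: true

- name: restart fail2ban when its jail config changed
  ansible.builtin.service:
    name: fail2ban
    state: restarted
  when: fail2ban_jail_copy.changed

# DNS
# NOTE(review): on releases where systemd-resolved ships inside the `systemd`
# package instead of as its own package this install fails — confirm against
# the target distribution.
- name: install systemd-resolved
  ansible.builtin.apt:
    name: systemd-resolved
    state: latest

- name: Check if systemd-resolved config exists
  ansible.builtin.stat:
    path: /etc/systemd/resolved.conf
  register: systemd_resolved_config
  check_mode: false

- name: Update DNS servers for systemd-resolved
  ansible.builtin.include_tasks:
    file: systemd-resolved.yml
  when: systemd_resolved_config.stat.exists | bool

# `command` instead of `shell`: no shell features are used, so no shell is
# spawned. The short pattern is presumably deliberate — pgrep matches the
# kernel comm name, which is truncated to 15 characters ("systemd-resolve").
# The result is only registered here; nothing in this file reads it, so a
# later task file presumably does.
- name: Check if systemd-resolved runs
  ansible.builtin.command: pgrep systemd-resolve
  failed_when: false
  changed_when: false
  register: systemd_resolved_running
  check_mode: false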