extras/ansible/roles/common/tasks/main.yml
---
- name: Install system tools
apt: name={{ item }} state=present
with_items:
- ntpdate
- unzip
- vim
- git
- tig
- screen
- htop
- fail2ban
- name: Remove packages
apt: name={{ item }} state=absent
with_items:
- exim4
- name: Set timezone
lineinfile: dest=/etc/timezone regexp="." line="{{ timezone }}"
notify: update timezone
- name: Update current time
command: ntpdate-debian
register: ntpdate
changed_when: "not '0.00' in ntpdate.stdout"
ignore_errors: yes
- name: Check SSH public key
local_action: command test -e {{ ssh_public_key_file }}
register: ssh_public_key_test
ignore_errors: yes
- name: Fail if no SSH public key
fail: msg="Please put your public SSH key at {{ ssh_public_key_file }}"
when: ssh_public_key_test.rc != 0
ignore_errors: yes
#- name: Add my public key to root
# authorized_key: user=root key="{{ lookup('file', ssh_public_key_file) }}"
# when: ssh_public_key_file
- name: Disable SSHd to use DNS
lineinfile: dest=/etc/ssh/sshd_config regexp=UseDNS
line="UseDNS no"
register: sshd_config_setting
- name: Reload SSHd
service: name=ssh state=reloaded
when: sshd_config_setting.changed
- name: Allow the agent forward
lineinfile: dest=/etc/ssh/ssh_config regexp=ForwardAgent
line="ForwardAgent yes"
- name: Enable Fail2ban SSH-DDOS
ini_file: dest=/etc/fail2ban/jail.conf section=ssh-ddos option=enabled value=true
notify: restart fail2ban
- name: Disable swap
command: swapoff -va
register: swapoff
changed_when: swapoff.stdout.strip()
ignore_errors: yes
# Security
- name: Kernel settings
sysctl: name={{ item.name }} value={{ item.value }} state=present
with_items:
- {name: 'kernel.exec-shield', value: 1}
- {name: 'kernel.randomize_va_space', value: 1}
- {name: 'net.ipv4.conf.all.rp_filter', value: 1}
- {name: 'net.ipv4.conf.all.accept_source_route', value: 0}
- {name: 'net.ipv4.icmp_echo_ignore_broadcasts', value: 1}
- {name: 'net.ipv4.icmp_ignore_bogus_error_messages', value: 1}
- {name: 'net.ipv4.conf.all.log_martians', value: 1}
ignore_errors: yes