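---
# Tasks for the debian_baseline role: refresh and install the package
# baseline, then drop in the unattended-upgrades, sshd and sysctl hardening
# fragments and make sure fail2ban runs. Every tunable is a
# debian_baseline_* role variable; their defaults are not defined here.

- name: Refresh apt cache
  ansible.builtin.apt:
    update_cache: true
    # Skip the refresh when the cache is younger than this many seconds.
    cache_valid_time: "{{ debian_baseline_apt_cache_valid_time }}"

- name: Install baseline hardening packages
  ansible.builtin.apt:
    name: "{{ debian_baseline_packages }}"
    state: present

# NOTE: when debian_baseline_enable_unattended_upgrades is false this task is
# skipped, so a previously deployed 20auto-upgrades file is left in place
# rather than removed.
- name: Configure unattended-upgrades auto settings
  ansible.builtin.copy:
    dest: /etc/apt/apt.conf.d/20auto-upgrades
    owner: root
    group: root
    mode: "0644"
    content: |
      APT::Periodic::Update-Package-Lists "{{ debian_baseline_unattended_update_lists }}";
      APT::Periodic::Unattended-Upgrade "{{ debian_baseline_unattended_auto_upgrade }}";
  when: debian_baseline_enable_unattended_upgrades | bool

- name: Configure SSH hardening options
  ansible.builtin.copy:
    dest: /etc/ssh/sshd_config.d/99-hardening.conf
    owner: root
    group: root
    mode: "0644"
    # Parse the rendered fragment with sshd before it replaces the live file.
    # Without this, an invalid value (e.g. a YAML boolean rendering as
    # "False" where sshd expects yes/no/prohibit-password) would only be
    # caught when the "Restart ssh" handler fires, which can lock out remote
    # access. Keep the debian_baseline_ssh_* values as quoted strings.
    validate: '/usr/sbin/sshd -t -f %s'
    content: |
      PermitRootLogin {{ debian_baseline_ssh_permit_root_login }}
      PasswordAuthentication {{ debian_baseline_ssh_password_authentication }}
      PubkeyAuthentication {{ debian_baseline_ssh_pubkey_authentication }}
      X11Forwarding {{ debian_baseline_ssh_x11_forwarding }}
      MaxAuthTries {{ debian_baseline_ssh_max_auth_tries }}
      ClientAliveInterval {{ debian_baseline_ssh_client_alive_interval }}
      ClientAliveCountMax {{ debian_baseline_ssh_client_alive_count_max }}
      {% if debian_baseline_ssh_allow_users | length > 0 %}
      AllowUsers {{ debian_baseline_ssh_allow_users | join(' ') }}
      {% endif %}
  notify: Restart ssh

- name: Configure baseline sysctls
  ansible.builtin.copy:
    dest: /etc/sysctl.d/99-hardening.conf
    owner: root
    group: root
    mode: "0644"
    # One "key = value" line per entry of the debian_baseline_sysctl_settings
    # mapping; applied by the "Reload sysctl" handler.
    content: |
      {% for key, value in debian_baseline_sysctl_settings.items() %}
      {{ key }} = {{ value }}
      {% endfor %}
  notify: Reload sysctl

# Assumes fail2ban is part of debian_baseline_packages installed above —
# TODO confirm against the role defaults.
- name: Ensure fail2ban service is enabled
  ansible.builtin.service:
    name: fail2ban
    enabled: true
    state: started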