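---
# Baseline hardening task list for a Debian/Ubuntu host: apt package
# names, the `ssh` service unit and sshd_config.d drop-ins are all
# Debian-family conventions.

- name: Ensure base packages
  ansible.builtin.package:
    name:
      - apt-transport-https
      - ca-certificates
      - curl
      - git
      - vim
      - ufw
      - python3
      - python3-venv
    state: present
    update_cache: true

# Drop-in is named 10-* so it sorts before distribution-shipped fragments
# (e.g. cloud-init's 50-*); sshd keeps the first value it reads for a
# directive, so this file wins. Relies on /etc/ssh/sshd_config including
# sshd_config.d/*.conf (the Debian/Ubuntu default) — confirm on older images.
# With PasswordAuthentication off, a key must already be in authorized_keys
# for the login user before this runs, otherwise the host becomes unreachable.
- name: Harden SSH
  ansible.builtin.copy:
    dest: /etc/ssh/sshd_config.d/10-hardening.conf
    owner: root
    group: root
    mode: '0644'
    content: |
      PasswordAuthentication no
      PermitRootLogin no
      PubkeyAuthentication yes
  register: sshd_hardening

# Restart only when the drop-in actually changed: an unconditional restart
# on every run is not idempotent and tears down sessions for no reason.
- name: Restart sshd
  ansible.builtin.service:
    name: ssh
    state: restarted
  when: sshd_hardening is changed

# Allow SSH *before* enabling the firewall with a deny-incoming default, so
# a failure between the two tasks cannot leave the host unreachable.
- name: Allow SSH in UFW
  ansible.builtin.ufw:
    rule: allow
    name: OpenSSH

- name: Configure UFW
  ansible.builtin.ufw:
    state: enabled
    policy: deny
    direction: incoming

- name: Set timezone
  community.general.timezone:
    name: "{{ timezone | default('UTC') }}"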