railiance-infra/ansible/roles/base/tasks/main.yml

---
- name: Ensure base packages
  ansible.builtin.package:
    name:
      - apt-transport-https
      - ca-certificates
      - curl
      - git
      - vim
      - ufw
      - fail2ban
      - python3
      - python3-venv
    state: present
    update_cache: true

- name: Harden SSH
  ansible.builtin.copy:
    dest: /etc/ssh/sshd_config.d/10-hardening.conf
    owner: root
    group: root
    mode: '0644'
    content: |
      PasswordAuthentication no
      PermitRootLogin no
      PubkeyAuthentication yes

- name: Restart sshd
  ansible.builtin.service:
    name: ssh
    state: restarted

- name: Configure UFW
  ansible.builtin.ufw:
    state: enabled
    policy: deny
    direction: incoming

- name: Allow SSH in UFW
  ansible.builtin.ufw:
    rule: allow
    name: OpenSSH

- name: Allow k3s API in UFW
  ansible.builtin.ufw:
    rule: allow
    port: '6443'
    proto: tcp

- name: Allow Flannel VXLAN in UFW
  ansible.builtin.ufw:
    rule: allow
    port: '8472'
    proto: udp

- name: Enable fail2ban
  ansible.builtin.service:
    name: fail2ban
    state: started
    enabled: true

- name: Configure fail2ban SSH jail
  ansible.builtin.copy:
    dest: /etc/fail2ban/jail.d/sshd.conf
    owner: root
    group: root
    mode: '0644'
    content: |
      [sshd]
      enabled = true
      port    = ssh
      filter  = sshd
      maxretry = 5
      bantime  = 3600
      findtime = 600
  notify: Restart fail2ban

- name: Set HISTCONTROL to ignorespace
  ansible.builtin.copy:
    dest: /etc/profile.d/histcontrol.sh
    owner: root
    group: root
    mode: '0644'
    content: |
      export HISTCONTROL=ignorespace

- name: Set timezone
  community.general.timezone:
    name: "{{ timezone | default('UTC') }}"