- name: Delete root pw file /root/.pw (if present) file: path: /root/.pw state: absent - name: Update APT package cache apt: update_cache: true cache_valid_time: 3600 tags: - apt - name: Install aptitude apt: pkg: aptitude state: present tags: - apt - name: Upgrade APT to the latest packages apt: upgrade: safe - name: Install required packages apt: state: present pkg: "{{item}}" with_items: - "{{harden_linux_required_packages}}" tags: - ufw - name: Add deploy user user: name: "{{harden_linux_deploy_user}}" password: "{{harden_linux_deploy_user_password}}" uid: "{{harden_linux_deploy_user_uid}}" shell: "{{harden_linux_deploy_user_shell}}" home: "{{harden_linux_deploy_user_home}}" tags: - user - name: Add authorized keys for deploy user authorized_key: user: "{{harden_linux_deploy_user}}" key: "{{item}}" with_items: - "{{harden_linux_deploy_user_public_keys}}" when: harden_linux_deploy_user_public_keys is defined tags: - user - name: Add deploy user to sudoers lineinfile: dest: /etc/sudoers regexp: "{{harden_linux_deploy_user}} ALL" line: "{{harden_linux_deploy_user}} ALL=(ALL) NOPASSWD:ALL" state: present tags: - user - sudo - name: Adjust APT update intervals copy: src: etc/apt/apt.conf.d/10periodic dest: /etc/apt/apt.conf.d/10periodic owner: root group: root mode: 0644 tags: - apt - name: Combine harden_linux_sshd_settings and harden_linux_sshd_settings_user (if defined) set_fact: harden_linux_sshd_settings: "{{harden_linux_sshd_settings | combine(harden_linux_sshd_settings_user|default({})) }}" tags: - ssh - name: Ensure sshd_config setting lineinfile: dest: "/etc/ssh/sshd_config" regexp: "{{item}}" line: "{{harden_linux_sshd_settings[item]}}" state: "present" notify: "restart ssh" with_items: - "{{harden_linux_sshd_settings | list}}" tags: - ssh - name: Combine harden_linux_sysctl_settings and harden_linux_sysctl_settings_user (if defined) set_fact: harden_linux_sysctl_settings: "{{harden_linux_sysctl_settings | combine(harden_linux_sysctl_settings_user|default({})) }}" tags: - sysctl - name: Sysctl settings sysctl: name: "{{item}}" value: "{{harden_linux_sysctl_settings[item]}}" sysctl_set: yes with_items: - "{{harden_linux_sysctl_settings | list}}" tags: - sysctl - name: Combine harden_linux_ufw_defaults and harden_linux_ufw_defaults_user (if defined) set_fact: harden_linux_ufw_defaults: "{{harden_linux_ufw_defaults | combine(harden_linux_ufw_defaults_user|default({})) }}" tags: - ufw - name: UFW - Configure defaults lineinfile: dest: /etc/default/ufw regexp: "{{item}}" line: "{{harden_linux_ufw_defaults[item]}}" state: present notify: "reload ufw" with_items: - "{{harden_linux_ufw_defaults | list}}" tags: - ufw - name: UFW - Apply firewall rules ufw: rule: "{{item.rule}}" interface: "{{item.interface | default('')}}" direction: "{{item.direction | default('in')}}" from_ip: "{{item.from_ip | default('any')}}" to_ip: "{{item.to_ip | default('any')}}" from_port: "{{item.from_port | default('')}}" to_port: "{{item.to_port | default('')}}" protocol: "{{item.protocol | default('any')}}" log: "{{item.log | default(False)}}" with_items: "{{harden_linux_ufw_rules}}" tags: - ufw - ufwrules - name: UFW - Allow configured networks to communicate ufw: rule: allow src: "{{item}}" with_items: - "{{harden_linux_ufw_allow_networks}}" when: harden_linux_ufw_allow_networks is defined tags: - ufw - name: UFW - Setup logging ufw: logging: "{{harden_linux_ufw_logging}}" tags: - ufw - name: Update Sshguard white list lineinfile: dest: /etc/sshguard/whitelist regexp: "^{{item}}" line: "{{item}}" state: present with_items: - "{{harden_linux_sshguard_whitelist}}" tags: - sshguard - name: UFW - Enable firewall/iptables ufw: state: enabled tags: - ufw - name: Change root password user: name: "root" password: "{{harden_linux_root_password}}" when: harden_linux_root_password is defined tags: - user