---
# Security hardening tasks

# Kernel parameters come from the common_sysctl_settings mapping; each
# key/value pair is written to the persisted sysctl config and applied live.
- name: Apply sysctl settings
  ansible.posix.sysctl:
    name: "{{ item.key }}"
    value: "{{ item.value }}"
    sysctl_set: true
    state: present
    reload: true
  loop: "{{ common_sysctl_settings | dict2items }}"
# Firewall management below is UFW-based and therefore Debian-family only;
# it is skipped entirely unless common_firewall_enabled is truthy.
- name: Install UFW (Debian/Ubuntu)
  ansible.builtin.apt:
    name: ufw
    state: present
  when:
    - ansible_os_family == "Debian"
    - common_firewall_enabled
# Default policies: drop unsolicited inbound traffic, permit outbound.
# These take effect once UFW is enabled by a later task.
- name: Configure UFW defaults
  community.general.ufw:
    direction: "{{ item.direction }}"
    policy: "{{ item.policy }}"
  loop:
    - direction: incoming
      policy: deny
    - direction: outgoing
      policy: allow
  when:
    - ansible_os_family == "Debian"
    - common_firewall_enabled
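# Each entry of common_firewall_allowed_ports is "<port>[/<proto>]", for
# example "22/tcp" or "443"; the protocol falls back to tcp when omitted.
# The entry is coerced to a string first so an unquoted numeric YAML
# entry (e.g. `- 22`, parsed as an int) does not fail on .split().
# Allow rules are added before the "Enable UFW" task so they are in place
# when the default-deny incoming policy becomes active.
- name: Allow firewall ports (UFW)
  community.general.ufw:
    rule: allow
    port: "{{ (item | string).split('/')[0] }}"
    proto: "{{ (item | string).split('/')[1] | default('tcp') }}"
  loop: "{{ common_firewall_allowed_ports }}"
  when:
    - ansible_os_family == "Debian"
    - common_firewall_enabled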
# Enabling activates the default-deny incoming policy configured earlier in
# this file. Only the ports listed in common_firewall_allowed_ports are
# opened beforehand, so the management port (e.g. SSH) must be in that
# list or remote access to the host can be cut off.
- name: Enable UFW
  community.general.ufw:
    state: enabled
  when:
    - ansible_os_family == "Debian"
    - common_firewall_enabled
# Unattended security patching (Debian family only), gated on
# common_auto_updates_enabled.
- name: Install automatic security updates (Debian/Ubuntu)
  ansible.builtin.apt:
    name: unattended-upgrades
    state: present
  when:
    - ansible_os_family == "Debian"
    - common_auto_updates_enabled
# Turns on the periodic apt list refresh and the unattended-upgrade run.
# Which origins are upgraded is governed by the package's own
# 50unattended-upgrades config, which this file does not manage.
- name: Enable automatic security updates (Debian/Ubuntu)
  ansible.builtin.copy:
    dest: /etc/apt/apt.conf.d/20auto-upgrades
    content: |
      APT::Periodic::Update-Package-Lists "1";
      APT::Periodic::Unattended-Upgrade "1";
    mode: "0644"
  when:
    - ansible_os_family == "Debian"
    - common_auto_updates_enabled