personal_infra/infra/playbook.yml

- name: Secure Debian VPS
  hosts: vipy
  vars_files:
    - vars.yml
  become: true

  tasks:
    - name: Update and upgrade apt packages
      apt:
        update_cache: yes
        upgrade: full
        autoremove: yes

    - name: Create new user
      user:
        name: "{{ new_user }}"
        groups: sudo
        shell: /bin/bash
        state: present
        create_home: yes

    - name: Set up SSH directory for new user
      file:
        path: "/home/{{ new_user }}/.ssh"
        state: directory
        mode: "0700"
        owner: "{{ new_user }}"
        group: "{{ new_user }}"

    - name: Change SSH port and disable root login
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
        state: present
        backrefs: yes
      loop:
        - { regexp: "^#?Port .*", line: "Port {{ ssh_port }}" }
        - { regexp: "^#?PermitRootLogin .*", line: "PermitRootLogin no" }
        - {
            regexp: "^#?PasswordAuthentication .*",
            line: "PasswordAuthentication no",
          }

    - name: Restart SSH
      service:
        name: ssh
        state: restarted

    - name: Set SSH port to new port
      set_fact:
        ansible_port: "{{ ssh_port }}"

    - name: Install UFW
      apt:
        name: ufw
        state: present

    - name: Turn UFW off
      ufw:
        state: disabled

    - name: Configure UFW default rules
      ufw:
        policy: deny
        direction: incoming

    - name: Allow outgoing traffic
      ufw:
        rule: allow
        direction: outgoing

    - name: Allow SSH port through UFW
      ufw:
        rule: allow
        port: "{{ ssh_port }}"
        proto: tcp
        from_ip: "{{ allow_ssh_from if allow_ssh_from != 'any' else omit }}"

    - name: Turn UFW on
      ufw:
        state: enabled

    - name: Install fail2ban
      apt:
        name: fail2ban
        state: present

    - name: Ensure fail2ban is running
      service:
        name: fail2ban
        enabled: yes
        state: started

    - name: Remove unnecessary services
      apt:
        name: "{{ item }}"
        state: absent
        purge: yes
      loop:
        - exim4
        - apache2
        - cups
        - rpcbind
        - nfs-common
        - telnet
        - ftp
        - samba

    - name: Install auditd
      apt:
        name:
          - auditd
          - audispd-plugins
        state: present

    - name: Enable and start auditd
      service:
        name: auditd
        enabled: yes
        state: started
wip 2025-07-01 10:39:01 +02:00			`- name: Secure Debian VPS`
			`hosts: vipy`
			`vars_files:`
			`- vars.yml`
			`become: true`

			`tasks:`
			`- name: Update and upgrade apt packages`
			`apt:`
			`update_cache: yes`
			`upgrade: full`
			`autoremove: yes`

			`- name: Create new user`
			`user:`
			`name: "{{ new_user }}"`
			`groups: sudo`
			`shell: /bin/bash`
			`state: present`
			`create_home: yes`

			`- name: Set up SSH directory for new user`
			`file:`
			`path: "/home/{{ new_user }}/.ssh"`
			`state: directory`
			`mode: "0700"`
			`owner: "{{ new_user }}"`
			`group: "{{ new_user }}"`

			`- name: Change SSH port and disable root login`
			`lineinfile:`
			`path: /etc/ssh/sshd_config`
			`regexp: "{{ item.regexp }}"`
			`line: "{{ item.line }}"`
			`state: present`
			`backrefs: yes`
			`loop:`
			`- { regexp: "^#?Port .*", line: "Port {{ ssh_port }}" }`
			`- { regexp: "^#?PermitRootLogin .*", line: "PermitRootLogin no" }`
			`- {`
			`regexp: "^#?PasswordAuthentication .*",`
			`line: "PasswordAuthentication no",`
			`}`

			`- name: Restart SSH`
			`service:`
			`name: ssh`
			`state: restarted`

			`- name: Set SSH port to new port`
			`set_fact:`
			`ansible_port: "{{ ssh_port }}"`

			`- name: Install UFW`
			`apt:`
			`name: ufw`
			`state: present`

			`- name: Turn UFW off`
			`ufw:`
			`state: disabled`

			`- name: Configure UFW default rules`
			`ufw:`
			`policy: deny`
			`direction: incoming`

			`- name: Allow outgoing traffic`
			`ufw:`
			`rule: allow`
			`direction: outgoing`

			`- name: Allow SSH port through UFW`
			`ufw:`
			`rule: allow`
			`port: "{{ ssh_port }}"`
			`proto: tcp`
			`from_ip: "{{ allow_ssh_from if allow_ssh_from != 'any' else omit }}"`

			`- name: Turn UFW on`
			`ufw:`
			`state: enabled`

			`- name: Install fail2ban`
			`apt:`
			`name: fail2ban`
			`state: present`

			`- name: Ensure fail2ban is running`
			`service:`
			`name: fail2ban`
			`enabled: yes`
			`state: started`

			`- name: Remove unnecessary services`
			`apt:`
			`name: "{{ item }}"`
			`state: absent`
			`purge: yes`
			`loop:`
			`- exim4`
			`- apache2`
			`- cups`
			`- rpcbind`
			`- nfs-common`
			`- telnet`
			`- ftp`
			`- samba`

			`- name: Install auditd`
			`apt:`
			`name:`
			`- auditd`
			`- audispd-plugins`
			`state: present`

			`- name: Enable and start auditd`
			`service:`
			`name: auditd`
			`enabled: yes`
			`state: started`