personal_infra/ansible/infra/02_firewall_and_fail2ban_playbook.yml

- name: Secure Debian VPS
  hosts: vipy,watchtower
  vars_files:
    - ../infra_vars.yml
  become: true

  tasks:
    - name: Install UFW
      apt:
        name: ufw
        state: present

    - name: Turn UFW off
      ufw:
        state: disabled

    - name: Configure UFW default rules
      ufw:
        policy: deny
        direction: incoming

    - name: Allow outgoing traffic
      ufw:
        rule: allow
        direction: out

    - name: Allow SSH port through UFW
      ufw:
        rule: allow
        direction: in
        port: "{{ ssh_port }}"
        proto: tcp
        from_ip: "{{ allow_ssh_from if allow_ssh_from != 'any' else omit }}"

    - name: Turn UFW on
      ufw:
        state: enabled

    - name: Install fail2ban
      apt:
        name: fail2ban
        state: present

    - name: Ensure fail2ban is running
      service:
        name: fail2ban
        enabled: yes
        state: started

    - name: Remove unnecessary services
      apt:
        name: "{{ item }}"
        state: absent
        purge: yes
      loop:
        - exim4
        - apache2
        - cups
        - rpcbind
        - nfs-common
        - telnet
        - ftp
        - samba

    - name: Install auditd
      apt:
        name:
          - auditd
          - audispd-plugins
        state: present

    - name: Enable and start auditd
      service:
        name: auditd
        enabled: yes
        state: started
wip 2025-07-01 10:39:01 +02:00			`- name: Secure Debian VPS`
Separate watchtower from vipy 2025-07-21 09:39:36 +02:00			`hosts: vipy,watchtower`
wip 2025-07-01 10:39:01 +02:00			`vars_files:`
uptime kuma works 2025-07-01 17:02:28 +02:00			`- ../infra_vars.yml`
wip 2025-07-01 10:39:01 +02:00			`become: true`

			`tasks:`
			`- name: Install UFW`
			`apt:`
			`name: ufw`
			`state: present`

			`- name: Turn UFW off`
			`ufw:`
			`state: disabled`

			`- name: Configure UFW default rules`
			`ufw:`
			`policy: deny`
			`direction: incoming`

			`- name: Allow outgoing traffic`
			`ufw:`
			`rule: allow`
thingies 2025-07-01 16:14:44 +02:00			`direction: out`
wip 2025-07-01 10:39:01 +02:00
			`- name: Allow SSH port through UFW`
			`ufw:`
			`rule: allow`
thingies 2025-07-01 16:14:44 +02:00			`direction: in`
wip 2025-07-01 10:39:01 +02:00			`port: "{{ ssh_port }}"`
			`proto: tcp`
			`from_ip: "{{ allow_ssh_from if allow_ssh_from != 'any' else omit }}"`

			`- name: Turn UFW on`
			`ufw:`
			`state: enabled`

			`- name: Install fail2ban`
			`apt:`
			`name: fail2ban`
			`state: present`

			`- name: Ensure fail2ban is running`
			`service:`
			`name: fail2ban`
			`enabled: yes`
			`state: started`

			`- name: Remove unnecessary services`
			`apt:`
			`name: "{{ item }}"`
			`state: absent`
			`purge: yes`
			`loop:`
			`- exim4`
			`- apache2`
			`- cups`
			`- rpcbind`
			`- nfs-common`
			`- telnet`
			`- ftp`
			`- samba`

			`- name: Install auditd`
			`apt:`
			`name:`
			`- auditd`
			`- audispd-plugins`
			`state: present`

			`- name: Enable and start auditd`
			`service:`
			`name: auditd`
			`enabled: yes`
			`state: started`