thingies

2025-07-01 16:14:44 +02:00 · 2025-07-01 16:14:44 +02:00 · 3343de2dc0
commit 3343de2dc0
parent 5f06a966aa
12 changed files with 286 additions and 57 deletions
--- a/ansible/infra/02_firewall_playbook.yml
+++ b/ansible/infra/02_firewall_playbook.yml
@ -0,0 +1,76 @@
+- name: Secure Debian VPS
+  hosts: vipy
+  vars_files:
+    - ../vars.yml
+  become: true
+
+  tasks:
+    - name: Install UFW
+      apt:
+        name: ufw
+        state: present
+
+    - name: Turn UFW off
+      ufw:
+        state: disabled
+
+    - name: Configure UFW default rules
+      ufw:
+        policy: deny
+        direction: incoming
+
+    - name: Allow outgoing traffic
+      ufw:
+        rule: allow
+        direction: out
+
+    - name: Allow SSH port through UFW
+      ufw:
+        rule: allow
+        direction: in
+        port: "{{ ssh_port }}"
+        proto: tcp
+        from_ip: "{{ allow_ssh_from if allow_ssh_from != 'any' else omit }}"
+
+    - name: Turn UFW on
+      ufw:
+        state: enabled
+
+    - name: Install fail2ban
+      apt:
+        name: fail2ban
+        state: present
+
+    - name: Ensure fail2ban is running
+      service:
+        name: fail2ban
+        enabled: yes
+        state: started
+
+    - name: Remove unnecessary services
+      apt:
+        name: "{{ item }}"
+        state: absent
+        purge: yes
+      loop:
+        - exim4
+        - apache2
+        - cups
+        - rpcbind
+        - nfs-common
+        - telnet
+        - ftp
+        - samba
+
+    - name: Install auditd
+      apt:
+        name:
+          - auditd
+          - audispd-plugins
+        state: present
+
+    - name: Enable and start auditd
+      service:
+        name: auditd
+        enabled: yes
+        state: started