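---
# Baseline hardening for Debian VPS hosts in the "vipy" inventory group.
# vars.yml is expected to define: new_user, ssh_port, allow_ssh_from ('any' or an address/network).
- name: Secure Debian VPS
  hosts: vipy
  vars_files:
    - vars.yml
  become: true

  tasks:
    - name: Update and upgrade apt packages
      apt:
        update_cache: true
        upgrade: full
        autoremove: true

    - name: Create new user
      # NOTE(review): the user joins the sudo group but no password or NOPASSWD rule is set
      # here, so sudo will prompt for a password that does not exist — confirm how privilege
      # is meant to be granted (out-of-band password, or a sudoers drop-in).
      user:
        name: "{{ new_user }}"
        groups: sudo
        shell: /bin/bash
        state: present
        create_home: true

    - name: Set up SSH directory for new user
      file:
        path: "/home/{{ new_user }}/.ssh"
        state: directory
        mode: "0700"
        owner: "{{ new_user }}"
        group: "{{ new_user }}"

    # Root login and password authentication are disabled below, so a public key for
    # new_user is the only remaining way in. Fail early rather than lock the host out.
    - name: Check that the new user already has an authorized_keys file
      stat:
        path: "/home/{{ new_user }}/.ssh/authorized_keys"
      register: new_user_authorized_keys

    - name: Refuse to disable password and root login without a key for the new user
      assert:
        that:
          - new_user_authorized_keys.stat.exists
          - new_user_authorized_keys.stat.size | default(0) > 0
        fail_msg: >-
          /home/{{ new_user }}/.ssh/authorized_keys is missing or empty; deploy a public key
          for {{ new_user }} before disabling PasswordAuthentication and PermitRootLogin.

    - name: Change SSH port and disable root login
      # backrefs is deliberately not set: with backrefs enabled, lineinfile skips the line
      # whenever the regexp has no match, so a directive absent from sshd_config would
      # silently keep its default. validate runs sshd -t on the edited copy so a broken
      # config is rejected before the restart instead of after it.
      # NOTE(review): if sshd_config begins with "Include /etc/ssh/sshd_config.d/*.conf",
      # a drop-in there (some cloud images ship one that sets PasswordAuthentication yes)
      # wins over these lines, because sshd keeps the first value it reads — confirm on
      # the target image.
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
        state: present
        validate: "sshd -t -f %s"
      loop:
        - { regexp: "^#?Port .*", line: "Port {{ ssh_port }}" }
        - { regexp: "^#?PermitRootLogin .*", line: "PermitRootLogin no" }
        - { regexp: "^#?PasswordAuthentication .*", line: "PasswordAuthentication no" }
      notify: Restart SSH

    # Run the restart now rather than at the end of the play, so the port change is live
    # before ansible_port is switched below. The existing connection is kept by Ansible.
    - name: Apply SSH configuration changes immediately
      meta: flush_handlers

    - name: Set SSH port to new port
      set_fact:
        ansible_port: "{{ ssh_port }}"

    - name: Install UFW
      apt:
        name: ufw
        state: present

    # Disable first so a pre-existing rule set cannot block the new SSH port while the
    # policy is rebuilt; the port is allowed again before UFW is re-enabled below.
    - name: Turn UFW off
      ufw:
        state: disabled

    - name: Configure UFW default rules
      ufw:
        policy: deny
        direction: incoming

    - name: Allow outgoing traffic
      ufw:
        rule: allow
        direction: outgoing

    - name: Allow SSH port through UFW
      # from_ip is omitted (any source) when allow_ssh_from is 'any'; otherwise the rule
      # is restricted to that address or network.
      ufw:
        rule: allow
        port: "{{ ssh_port }}"
        proto: tcp
        from_ip: "{{ allow_ssh_from if allow_ssh_from != 'any' else omit }}"

    - name: Turn UFW on
      ufw:
        state: enabled

    - name: Install fail2ban
      apt:
        name: fail2ban
        state: present

    # The stock sshd jail bans on port "ssh" (22). With SSH moved to ssh_port, a ban that
    # only covers 22 would leave the real SSH port reachable by the banned source.
    - name: Point the fail2ban sshd jail at the configured SSH port
      copy:
        dest: /etc/fail2ban/jail.d/sshd.local
        owner: root
        group: root
        mode: "0644"
        content: |
          [sshd]
          enabled = true
          port = {{ ssh_port }}
      notify: Restart fail2ban

    - name: Ensure fail2ban is running
      # NOTE(review): on Debian 12 images that ship without rsyslog, fail2ban may fail to
      # start until the jail uses backend = systemd — confirm on the target.
      service:
        name: fail2ban
        enabled: true
        state: started

    # One apt transaction for the whole list instead of a loop of single removals.
    - name: Remove unnecessary services
      apt:
        name:
          - exim4
          - apache2
          - cups
          - rpcbind
          - nfs-common
          - telnet
          - ftp
          - samba
        state: absent
        purge: true

    - name: Install auditd
      apt:
        name:
          - auditd
          - audispd-plugins
        state: present

    - name: Enable and start auditd
      service:
        name: auditd
        enabled: true
        state: started

  handlers:
    - name: Restart SSH
      service:
        name: ssh
        state: restarted

    - name: Restart fail2ban
      service:
        name: fail2ban
        state: restarted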