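---
# Baseline hardening for every inventory host: sshd settings, key-based login,
# fail2ban, a default-deny UFW firewall and one fixed file mode.
# Privilege escalation is set once at play level, so tasks and handlers do not
# repeat `become: true`.
- name: Security hardening
  hosts: all
  become: true
  roles:
    - fail2ban_role
  vars:
    # Consumed by fail2ban_role; how the role uses it is defined in the role.
    fail2ban_services: sshd

  tasks:
    # --- sshd_config -----------------------------------------------------
    # Every edit is syntax-checked with `sshd -t` before the file is replaced
    # and notifies the "Restart SSH" handler. Handler names are matched
    # case-sensitively, so the notify value must equal the handler name.
    # NOTE(review): the sshd binary path differs by distribution (often
    # /usr/sbin/sshd) — confirm /usr/bin/sshd exists on the targets.
    - name: Disable Password Authentication
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?PasswordAuthentication'
        line: 'PasswordAuthentication no'
        state: present
        backup: true
        validate: '/usr/bin/sshd -t -f %s'
      notify: Restart SSH
      # Guard kept from the original: the task is skipped until it is removed.
      when: false

    - name: Disable root login
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        # Previously a copy of the PasswordAuthentication task, so root login
        # was never touched; this is the directive the task name describes.
        regexp: '^#?PermitRootLogin'
        line: 'PermitRootLogin no'
        state: present
        backup: true
        validate: '/usr/bin/sshd -t -f %s'
      notify: Restart SSH
      # Guard kept from the original: the task is skipped until it is removed.
      when: false

    - name: Disable Empty Passwords
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        # Previously a copy of the PasswordAuthentication task, so empty
        # passwords were never disabled; this is the directive the task
        # name describes.
        regexp: '^#?PermitEmptyPasswords'
        line: 'PermitEmptyPasswords no'
        state: present
        backup: true
        validate: '/usr/bin/sshd -t -f %s'
      notify: Restart SSH

    # --- Key-based login -------------------------------------------------
    # The lookup reads the public key on the control node, not on the target.
    - name: Copy SSH public key
      authorized_key:
        # Placeholder from the original; set to the real login account.
        user: your_remote_user
        state: present
        key: "{{ lookup('file', '~/.ssh/ansible_key.pub') }}"
        # Was `manager_dir`, which the module does not accept.
        manage_dir: true

    # --- fail2ban --------------------------------------------------------
    # NOTE(review): fail2ban_role runs before these tasks and may already
    # install and configure fail2ban; check for duplicated work.
    - name: Install Fail2ban
      ansible.builtin.package:
        name: fail2ban
        state: present

    - name: Configure Fail2ban
      ansible.builtin.template:
        src: jail.local.j2
        dest: /etc/fail2ban/jail.local
      notify: Restart Fail2ban

    - name: Ensure Fail2ban service is started and enabled
      ansible.builtin.service:
        name: fail2ban
        state: started
        enabled: true

    # --- UFW -------------------------------------------------------------
    # Allow rules are added before the firewall is enabled with a default
    # deny policy so the current SSH session is not cut off mid-play.
    - name: Ensure UFW is installed
      ansible.builtin.package:
        name: ufw
        state: present

    - name: Allow SSH connections
      community.general.ufw:
        rule: allow
        name: OpenSSH

    - name: Allow HTTP connections
      community.general.ufw:
        rule: allow
        port: '80'
        proto: tcp

    - name: Ensure UFW is enabled
      community.general.ufw:
        state: enabled
        policy: deny
        direction: incoming

    - name: Reload UFW
      community.general.ufw:
        state: reloaded

    # --- File permission -------------------------------------------------
    # `state: file` only adjusts an existing file; it fails if the path is
    # missing. Mode is quoted so it is not read as an octal integer.
    - name: Set file permission
      ansible.builtin.file:
        path: /home/adelya/tes.txt
        mode: '0644'
        owner: adel
        group: pkl
        state: file

  handlers:
    - name: Restart SSH
      ansible.builtin.service:
        name: sshd
        state: restarted

    - name: Restart Fail2ban
      ansible.builtin.service:
        name: fail2ban
        state: restarted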