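---
# Base host setup: shared task includes, utility packages, shell/boot tweaks,
# SSH hardening and a default-deny INPUT firewall.
#
# Variables expected from elsewhere: notify_email, ssh_port, trusted_ranges.
# Handlers expected from elsewhere: update grub, reload sshd, persist iptables.

- tags: debian_backports
  import_tasks: debian-backports.yaml

- tags: unattended_updates
  import_tasks: unattended-updates.yaml

- tags: network
  import_tasks: network.yaml

- tags: node-exporter
  import_tasks: node-exporter.yaml

- name: Install utilities
  apt:
    name:
      - curl
      - fzf
      - git
      - htop
      - iptables
      - iptables-persistent
      - jq
      - net-tools
      - ripgrep
      - rsync
      - tree
      - vim

- name: Configure FZF for Bash
  # The regexp must match the line that is actually written (under
  # "examples/"). The previous pattern left "examples/" out, so lineinfile
  # never found the existing line and appended a duplicate on every run.
  lineinfile:
    path: /etc/bash.bashrc
    insertafter: EOF
    regexp: "^source /usr/share/doc/fzf/examples/{{ item }}"
    line: "source /usr/share/doc/fzf/examples/{{ item }} # Managed by Ansible"
  with_items:
    - key-bindings.bash
    - completion.bash

- name: Shorten Grub timeout
  lineinfile:
    path: /etc/default/grub
    regexp: '^GRUB_TIMEOUT='
    line: "GRUB_TIMEOUT=1 # Managed by Ansible"
  notify: update grub

- name: Configure cron email
  # No regexp: lineinfile matches the exact line, so re-runs are idempotent.
  lineinfile:
    path: /etc/crontab
    insertafter: '^PATH'
    line: 'MAILTO={{ notify_email }}'

- name: Turn off SSH password auth
  # NOTE(review): sshd keeps the first value it reads for an option. If this
  # sshd_config has an "Include /etc/ssh/sshd_config.d/*.conf" line above
  # this setting, a drop-in there that enables PasswordAuthentication wins
  # over this edit — confirm the effective value with "sshd -T".
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^#?PasswordAuthentication'
    line: 'PasswordAuthentication no'
  notify: reload sshd

- name: Configure SSH port
  # The same Include/first-value caveat as above applies to Port.
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^#?Port'
    line: 'Port {{ ssh_port }}'
  notify: reload sshd

- name: Allow loopback traffic
  # The INPUT policy is set to DROP at the end of this file. Without an
  # explicit accept on "lo", local services talking over 127.0.0.1/::1 are
  # cut off unless trusted_ranges happens to cover the loopback networks;
  # accepting everything on the loopback interface is the standard fix.
  iptables:
    chain: INPUT
    in_interface: lo
    jump: ACCEPT
    ip_version: "{{ item }}"
  with_items:
    - ipv4
    - ipv6
  notify: persist iptables

- name: Allow SSH
  # iptables rules take effect immediately, while "reload sshd" runs as a
  # handler at the end of the play, so the new port is open before sshd
  # moves to it.
  iptables:
    chain: INPUT
    protocol: tcp
    destination_port: "{{ ssh_port }}"
    ctstate: NEW
    jump: ACCEPT
    ip_version: "{{ item }}"
  with_items:
    - ipv4
    - ipv6
  notify: persist iptables

- name: Allow IPv6 ICMP
  # IPv6 depends on ICMPv6 (neighbour discovery, PMTU); do not drop it.
  iptables:
    chain: INPUT
    protocol: ipv6-icmp
    jump: ACCEPT
    ip_version: ipv6
  notify: persist iptables

- name: Allow related and established connections
  iptables:
    chain: INPUT
    ctstate: ESTABLISHED,RELATED
    jump: ACCEPT
    ip_version: "{{ item }}"
  with_items:
    - ipv4
    - ipv6
  notify: persist iptables

- name: Allow local connections
  # trusted_ranges: list of {cidr, v} items, where v is "ipv4" or "ipv6".
  iptables:
    chain: INPUT
    source: "{{ item.cidr }}"
    jump: ACCEPT
    ip_version: "{{ item.v }}"
  with_items: "{{ trusted_ranges }}"
  notify: persist iptables

- name: Deny inbound connections
  # Must stay last: every accept rule above has to be in place before the
  # default policy flips to DROP, or a partial run can lock out SSH.
  iptables:
    chain: INPUT
    policy: DROP
    ip_version: "{{ item }}"
  with_items:
    - ipv4
    - ipv6
  notify: persist iptables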