Diffstat (limited to 'roles/host')
| -rw-r--r-- | roles/host/defaults/main.yml | 4 | ||||
| -rw-r--r-- | roles/host/handlers/main.yml | 11 | ||||
| -rw-r--r-- | roles/host/tasks/cpanel-dnsonly.yml | 2 | ||||
| -rw-r--r-- | roles/host/tasks/main.yml | 7 | ||||
| -rw-r--r-- | roles/host/tasks/ssh-harden.yml | 9 | ||||
| -rw-r--r-- | roles/host/tasks/systemd-user-network-check.yml | 7 | ||||
| -rw-r--r-- | roles/host/tasks/unprivileged-port.yml | 7 |
7 files changed, 32 insertions, 15 deletions
diff --git a/roles/host/defaults/main.yml b/roles/host/defaults/main.yml
index 1e7f955..549d056 100644
--- a/roles/host/defaults/main.yml
+++ b/roles/host/defaults/main.yml
@@ -10,3 +10,7 @@ host_containers_user: "{{ containers_user if containers_user is defined else 'co
 host_patching: false
 host_patching_apply: false
 host_patching_reboot: "never"
+
+host_ssh_harden: false
+
+host_cpanel_installed: false
diff --git a/roles/host/handlers/main.yml b/roles/host/handlers/main.yml
new file mode 100644
index 0000000..501bfeb
--- /dev/null
+++ b/roles/host/handlers/main.yml
@@ -0,0 +1,11 @@
+- name: Restart sshd
+  ansible.builtin.service:
+    name: "sshd"
+    state: "restarted"
+
+- name: Reload systemd daemon
+  ansible.builtin.systemd_service:
+    daemon_reload: true
+
+- name: Reload sysctl
+  ansible.builtin.shell: "sysctl -p /etc/sysctl.d/50-UnprivilegedPort.conf"
diff --git a/roles/host/tasks/cpanel-dnsonly.yml b/roles/host/tasks/cpanel-dnsonly.yml
index dbb9062..27b00fe 100644
--- a/roles/host/tasks/cpanel-dnsonly.yml
+++ b/roles/host/tasks/cpanel-dnsonly.yml
@@ -9,7 +9,7 @@
 - name: Turn off firewalld
   ansible.builtin.service:
     name: "firewalld"
-    state: stopped
+    state: "stopped"
     enabled: false
 
 - name: Create new tmp directory for podman
diff --git a/roles/host/tasks/main.yml b/roles/host/tasks/main.yml
index 0a205da..20fc54d 100644
--- a/roles/host/tasks/main.yml
+++ b/roles/host/tasks/main.yml
@@ -26,7 +26,8 @@
 - ansible.builtin.import_tasks: patching.yml
   when: host_patching | bool
 
+- ansible.builtin.import_tasks: ssh-harden.yml
+  when: host_ssh_harden | bool
+
 - ansible.builtin.import_tasks: cpanel-dnsonly.yml
-  tags:
-    - never
-    - cpanel-dnsonly
+  when: host_cpanel_installed | bool
diff --git a/roles/host/tasks/ssh-harden.yml b/roles/host/tasks/ssh-harden.yml
new file mode 100644
index 0000000..2df5bb2
--- /dev/null
+++ b/roles/host/tasks/ssh-harden.yml
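Review bot: The new `Reload sysctl` handler runs `sysctl -p …` through `ansible.builtin.shell` although the command uses no shell features, so `ansible.builtin.command: "sysctl -p /etc/sysctl.d/50-UnprivilegedPort.conf"` is the narrower choice and keeps ansible-lint's command-instead-of-shell rule quiet. The same path is hard-coded both here and in the `unprivileged-port.yml` task that notifies it, so a single role variable for it would stop the two from drifting apart. For `Restart sshd`, `state: "reloaded"` is enough for sshd to re-read `sshd_config` and avoids bouncing the listener; keep `restarted` only if the role also changes things a reload does not pick up.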
@@ -0,0 +1,9 @@
+- name: Disable SSH password authentication
+  ansible.builtin.lineinfile:
+    dest: "/etc/ssh/sshd_config"
+    regexp: "^PasswordAuthentication"
+    line: "PasswordAuthentication no"
+    state: "present"
+    validate: "sshd -t -f %s"
+  notify:
+    - Restart sshd
diff --git a/roles/host/tasks/systemd-user-network-check.yml b/roles/host/tasks/systemd-user-network-check.yml
index 0b87e85..c1bc290 100644
--- a/roles/host/tasks/systemd-user-network-check.yml
+++ b/roles/host/tasks/systemd-user-network-check.yml
@@ -6,9 +6,4 @@
   ansible.builtin.copy:
     src: "check-network-online.service"
     dest: "/etc/systemd/user/check-network-online.service"
-  register: systemd
-
-- name: Reload systemd daemon
-  ansible.builtin.systemd_service:
-    daemon_reload: true
-  when: systemd.changed
+  notify: Reload systemd daemon
diff --git a/roles/host/tasks/unprivileged-port.yml b/roles/host/tasks/unprivileged-port.yml
index c724e49..69a21f4 100644
--- a/roles/host/tasks/unprivileged-port.yml
+++ b/roles/host/tasks/unprivileged-port.yml
@@ -4,8 +4,5 @@
     regexp: "^net.ipv4.ip_unprivileged_port_start="
     line: "net.ipv4.ip_unprivileged_port_start={{ host_unprivileged_port_start }}"
     create: true
-  register: sysctl
-
-- name: Reload sysctl
-  ansible.builtin.shell: "sysctl -p /etc/sysctl.d/50-UnprivilegedPort.conf"
-  when: sysctl.changed
+  notify:
+    - Reload sysctl
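Review bot: The `regexp: "^PasswordAuthentication"` in `ssh-harden.yml` only matches an uncommented directive at column 0, and on a stock `sshd_config` that directive is commented out, so `lineinfile` appends `PasswordAuthentication no` at the end of the file; if the file ends with a `Match` block the appended line becomes part of that block and no longer applies globally, and on distributions that `Include /etc/ssh/sshd_config.d/*.conf` near the top a drop-in setting wins anyway because sshd honours the first occurrence. Add `insertbefore: "^Match"` together with `firstmatch: true` to keep the directive global, or manage a dedicated drop-in under `sshd_config.d/` instead of editing the main file. Disabling `PasswordAuthentication` alone still leaves password logins reachable through PAM keyboard-interactive on many builds, so a sibling task setting `KbdInteractiveAuthentication no` (`ChallengeResponseAuthentication no` on older releases) belongs in the same file. Nothing in the hunk establishes that key-based access exists before password auth is removed; a short comment at the top of the file stating that precondition would help whoever flips `host_ssh_harden` to true.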
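Review bot: Replacing the `when: systemd.changed` task with `notify: Reload systemd daemon` defers the daemon reload to the end of the play (or the next `meta: flush_handlers`), whereas before it ran immediately after the copy; if a later task in the same play enables or starts `check-network-online.service`, the unit may not be loaded yet on a first run. The `unprivileged-port.yml` hunk has the same shape: a later task that binds a port below the old `net.ipv4.ip_unprivileged_port_start` would run before the `Reload sysctl` handler fires. The following tasks are outside these hunks, so this is inferred; if the ordering matters, add `- ansible.builtin.meta: flush_handlers` right after the notifying task in each file. The task being edited in this hunk starts above the hunk (its `name:` line is not shown).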
