---
- name: Checkout and configure konstruktoid.hardening
hosts: all
any_errors_fatal: true
tasks:
- name: Add users
ansible.builtin.include_role:
name: users_add
apply:
become: true
vars:
users_add_userlist: "{{ SSH_USERLIST }}"
- name: Ensure role directory for konstruktoid.hardening does not exist
ansible.builtin.file:
path: "{{ lookup('env', 'HOME') }}/.ansible/roles/konstruktoid.hardening"
state: absent
delegate_to: localhost
run_once: true
- name: Create the empty directory
ansible.builtin.file:
path: "{{ lookup('env', 'HOME') }}/.ansible/roles/konstruktoid.hardening"
state: directory
mode: '0755'
delegate_to: localhost
run_once: true
- name: Clone hardening repository
ansible.builtin.git:
repo: https://github.com/konstruktoid/ansible-role-hardening.git
dest: "{{ lookup('env', 'HOME') }}/.ansible/roles/konstruktoid.hardening"
version: 'v3.0.0'
delegate_to: localhost
run_once: true
- name: Include the hardening role
ansible.builtin.include_role:
name: konstruktoid.hardening
vars:
# noqa: var-naming[no-role-prefix]
automatic_updates: "{{ AUTO_UPDATES_OPTIONS }}"
logind: "{{ LOGIND_HARDENING }}"
auditd_action_mail_acct: "{{ AUDITD_ACTION_MAIL_ACCT }}"
manage_ufw: "{{ MANAGE_UFW }}"
ufw_outgoing_traffic: "{{ UFW_OUTGOING_TRAFFIC }}"
disable_wireless: "{{ DISABLE_WIRELESS }}"
reboot_ubuntu: "{{ REBOOT_UBUNTU }}"
session_timeout: "{{ SESSION_TIMEOUT | default(900) }}"
sshd_admin_net: "{{ SSHD_ADMIN_NET }}"
sshd_allow_users: "{{ SSH_USERLIST | map(attribute='username') | list }}"
sshd_allow_groups: "{{ SSH_USERLIST | map(attribute='username') | list }}"
sshd_login_grace_time: "{{ SSHD_LOGIN_GRACE_TIME }}"
sshd_max_auth_tries: "{{ SSHD_MAX_AUTH_TRIES }}"
suid_sgid_permissions: "{{ SUID_SGID_PERMISSIONS }}"
sshd_allow_tcp_forwarding: "{{ SSHD_ALLOW_TCP_FORWARDING | default(false) }}"
sshd_client_alive_interval: "{{ SSHD_TIMEOUT_SECS | default(600) }}"