Go-based network automation with YANG models, gRPC, Ansible, Terraform, and Kubernetes integration. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
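---
# Baseline hardening for a Kedge node: packages, sshd, host firewall, fail2ban.
#
# Ordering matters for the firewall: every allow rule is added BEFORE ufw is
# enabled with a default-deny incoming policy, so a reconnect during the play
# (or a fresh session right after it) is never blocked.

- name: Update apt cache
  ansible.builtin.apt:
    update_cache: true
    # Skip the refresh when the cache was updated within the last hour.
    cache_valid_time: 3600
  when: ansible_os_family == "Debian"

- name: Install base packages
  ansible.builtin.package:
    name:
      - ufw
      - fail2ban
      - unattended-upgrades
      - wireguard-tools
      - jq
      - curl
    state: present

- name: Configure SSH hardening
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
    # Parse-check the candidate file before it replaces sshd_config, so a
    # malformed line cannot leave sshd unable to start after the handler runs.
    validate: /usr/sbin/sshd -t -f %s
  # NOTE(review): on images whose sshd_config begins with
  # "Include /etc/ssh/sshd_config.d/*.conf", sshd uses the first value it
  # sees, so a drop-in there would take precedence over these edits - confirm
  # no drop-in sets these directives.
  loop:
    - regexp: '^#?PermitRootLogin'
      line: 'PermitRootLogin no'
    - regexp: '^#?PasswordAuthentication'
      line: 'PasswordAuthentication no'
    - regexp: '^#?X11Forwarding'
      line: 'X11Forwarding no'
  # Handler "restart sshd" is defined outside this file.
  notify: restart sshd

# Allow rules first; the enable/default-deny task comes last.

- name: Allow SSH
  community.general.ufw:
    rule: allow
    # Must match the port sshd actually listens on.
    port: "22"
    proto: tcp

- name: Allow WireGuard
  community.general.ufw:
    rule: allow
    port: "{{ kedge_wg_port }}"
    proto: udp

- name: Allow Kedge metrics
  community.general.ufw:
    rule: allow
    port: "{{ kedge_metrics_port }}"
    proto: tcp
    # Metrics are reachable from the private range only, never from the internet.
    src: "10.0.0.0/8"

- name: Enable UFW with default deny
  community.general.ufw:
    state: enabled
    default: deny
    direction: incoming

- name: Enable fail2ban
  ansible.builtin.service:
    name: fail2ban
    enabled: true
    state: started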