Skip to content
This repository has been archived by the owner on May 21, 2022. It is now read-only.

alxndr42/ansible-basics

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

41 Commits

defaults

defaults

 
 

files

files

 
 

handlers

handlers

 
 

meta

meta

 
 

tasks

tasks

 
 

templates

templates

 
 

vars

vars

 
 

CHANGELOG.md

CHANGELOG.md

 
 

README.md

README.md

 
 

Repository files navigation

ansible-basics

Basic setup for Debian-based systems with systemd.

This role installs (among other things) an improved SSH configuration (i.e. public key login only, secure algorithms) and configures unattended upgrades. Security updates provided by the distribution will always be installed, non-security updates can optionally be allowed.

Role Variables

Please see defaults/main.yml for default values.

Variable Description
basics_autoupdate_blacklist List of packages that must not be automatically updated.
basics_autoupdate_mail Email address to send unattended upgrade errors to.
basics_autoupdate_non_security Install non-security updates provided by the distribution.
basics_autoupdate_origins Additional list of Origins-Pattern values.
basics_autoupdate_reboot Allow automatic reboots for unattended upgrades.
basics_autoupdate_update_calendar OnCalendar value for apt-daily.timer.
basics_autoupdate_update_delay RandomizedDelaySec value for apt-daily.timer.
basics_autoupdate_upgrade_calendar OnCalendar value for apt-daily-upgrade.timer.
basics_autoupdate_upgrade_delay RandomizedDelaySec value for apt-daily-upgrade.timer.
basics_history_disabled Disable persistent history in Bash etc.
basics_journald_maxfile journald.conf MaxFileSec override.
basics_journald_maxretention journald.conf MaxRetentionSec override.
basics_journald_storage journald.conf Storage override.
basics_microcode_updates Install CPU microcode updates.
basics_packages_install List of packages that are always installed.
basics_packages_remove List of packages that are always removed.
basics_services_disable List of services that are always disabled.
basics_ssh_listen Values of ListenAddress for sshd_config.
basics_ssh_match_blocks List of Match blocks for sshd_config (see below).
basics_ssh_port Value of Port for sshd_config.
basics_ssh_root_login Value of PermitRootLogin for sshd_config.
basics_ufw_allow List of UFW allow rules (see below).
basics_ufw_deny List of UFW deny rules (see below).
basics_ufw_ssh Allow SSH as the first UFW rule.
basics_ufw Configure and enable UFW.

SSH Match Blocks

Example Match block configuration:

basics_ssh_match_blocks:
  - match: User sftpuser
    options:
      - ForceCommand internal-sftp

Resulting entry in sshd_config:

Match User sftpuser
  ForceCommand internal-sftp

UFW Rules

Example UFW rules:

- port: "80,443"
  proto: tcp

- src: "192.168.0.42"
  src_port: 1234
  dst: "192.168.0.1"
  port: 53
  proto: udp
  interface: eth0
  direction: in

License

GNU General Public License v3 or later (GPLv3+)

About

Replaced by https://github.com/alxndr42/ansible-commons

Topics

security ansible debian ubuntu ansible-role hardening

Resources

Readme
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

19 tags

Languages