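---
# Base hardening / bootstrap tasks for a Debian-family host.
# Notifies the "restart sshd" handler, which is expected to be defined
# in the including play or role (not in this file).

- name: set time zone
  file:
    src: /usr/share/zoneinfo/Etc/UTC
    dest: /etc/localtime
    state: link
    # /etc/localtime may already exist as a regular file on some images;
    # without force the link creation fails instead of replacing it.
    force: true

- name: install packages
  apt:
    name:
      - etckeeper
      - logwatch
      - unattended-upgrades
      - needrestart
      - htop
      - unzip
      - rkhunter
      - iotop
      - sudo
      - tmux
      - rsync
    state: present

# Each item is a full sshd_config directive; the regexp is anchored to the
# directive keyword at the start of the line so that only an existing
# *active* directive is replaced. The previous unanchored "Keyword.*" form
# also matched commented-out defaults and comment lines such as
# "# Ciphers and keying" and would overwrite them in place.
# NOTE(review): ssh-rsa in HostKeyAlgorithms selects SHA-1 host key
# signatures; newer OpenSSH releases disable it by default, so it is
# effectively dead weight here — consider pruning it.
- name: configure ssh kex and ciphers
  lineinfile:
    path: /etc/ssh/sshd_config
    line: "{{ item }}"
    regexp: '^{{ item.split()[0] }}\s'
    state: present
  notify: restart sshd
  loop:
    - "KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,curve25519-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512"
    - "HostKeyAlgorithms ssh-ed25519,ssh-rsa,ssh-rsa-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com"
    - "Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr"
    - "MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com"

# Protocol 1 support has been removed from modern OpenSSH; this directive
# is kept for older servers and is expected to be ignored elsewhere.
- name: disable ssh v1
  lineinfile:
    path: /etc/ssh/sshd_config
    line: "Protocol 2"
    regexp: "^Protocol"
    state: present
  notify: restart sshd

# "without-password" is the legacy spelling of "prohibit-password":
# root may log in with a key but never with a password.
- name: disable ssh root password login
  lineinfile:
    path: /etc/ssh/sshd_config
    line: "PermitRootLogin without-password"
    regexp: "^PermitRootLogin"
    state: present
  notify: restart sshd

# No regexp: each line is matched literally, so every item is appended once
# and the task stays idempotent.
- name: disable ssh root check in rkhunter
  lineinfile:
    path: /etc/rkhunter.conf
    line: "{{ item }}"
    state: present
  loop:
    - 'ALLOW_SSH_ROOT_USER=without-password'
    - 'ALLOWHIDDENDIR=/etc/.git'
    - 'ALLOWHIDDENFILE=/etc/.gitignore'
    - 'ALLOWHIDDENFILE=/etc/.etckeeper'
    - 'ALLOWDEVFILE=/dev/shm/rhm.*'

- name: copy roots dotprofile
  copy:
    src: root.profile
    dest: /root/.profile

- name: create terminfo directory
  file:
    path: /etc/terminfo/x
    state: directory

- name: copy termite terminfo
  copy:
    src: xterm-termite
    dest: /etc/terminfo/x/xterm-termite

- name: enable services
  systemd:
    name: "{{ item }}"
    enabled: true
    state: started
  loop:
    - unattended-upgrades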