---
# Ansible task list: baseline packages, sshd hardening and a few
# root-account conveniences for a Debian-style host.

# Point /etc/localtime at the UTC zoneinfo entry. The file module's
# 'path' is the same parameter the original spelled as 'dest'.
- name: set time zone
  file:
    path: /etc/localtime
    src: /usr/share/zoneinfo/Etc/UTC
    state: link
# One apt transaction for the whole baseline: /etc versioning (etckeeper),
# log reporting (logwatch), patching (unattended-upgrades, needrestart),
# a rootkit scanner (rkhunter) and everyday admin utilities.
- name: install packages
  apt:
    state: present
    name:
      - etckeeper
      - logwatch
      - unattended-upgrades
      - needrestart
      - rkhunter
      - sudo
      - htop
      - iotop
      - unzip
      - tmux
      - rsync
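# Restrict sshd to the listed algorithms. Each loop entry is
# "<Keyword> <comma-separated values>"; the keyword locates an existing
# directive to replace, otherwise the line is appended.
# NOTE(review): on releases whose sshd_config starts with an
# Include of sshd_config.d/*.conf, a setting there is read first and
# wins over anything written here — confirm against the target hosts.
- name: configure ssh kex and ciphers
  lineinfile:
    path: /etc/ssh/sshd_config
    # Anchored to the line start: the unanchored "<Keyword>.*" also
    # matched comment lines that merely mention the keyword, and because
    # sshd honours the first occurrence of a keyword, replacing a later
    # comment would leave an earlier live (weaker) setting in force.
    regexp: '^\s*{{ item.split()[0] }}\s'
    line: "{{ item }}"
    state: present
    # Refuse to write a config sshd cannot parse; a bad line followed by
    # the restart handler would otherwise cut off remote access.
    validate: '/usr/sbin/sshd -t -f %s'
  notify: restart sshd
  loop:
    - "KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,curve25519-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512"
    # "ssh-rsa" is the SHA-1 signature scheme, which OpenSSH 8.8+ disables
    # by default; rsa-sha2-512,rsa-sha2-256 are the SHA-2 forms if RSA host
    # keys must stay offered. Left as-is here so client compatibility is an
    # explicit policy choice rather than a side effect of this change.
    - "HostKeyAlgorithms ssh-ed25519,ssh-rsa,ssh-rsa-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com"
    - "Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr"
    - "MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com"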
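# Protocol 2 only. OpenSSH removed SSHv1 server support (7.4) and
# current releases log "Protocol" as a deprecated keyword, so this is a
# harmless no-op there; kept for older hosts.
- name: disable ssh v1
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: "^Protocol"
    line: "Protocol 2"
    state: present
    # Reject an unparsable config before the restart handler runs.
    validate: '/usr/sbin/sshd -t -f %s'
  notify: restart sshd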
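# Root may still log in over ssh, but only with a key: "without-password"
# is the older spelling of prohibit-password (OpenSSH 7.0+) and is still
# accepted. "PermitRootLogin no" plus sudo users is the stricter option.
# An absent directive is appended at end of file, so a trailing Match
# block in sshd_config would scope it — keep the file's Match blocks last.
- name: disable ssh root password login
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: "^PermitRootLogin"
    line: "PermitRootLogin without-password"
    state: present
    # Reject an unparsable config before the restart handler runs.
    validate: '/usr/sbin/sshd -t -f %s'
  notify: restart sshd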
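# Whitelist findings rkhunter would otherwise raise on this setup:
# key-only root ssh (must agree with sshd's PermitRootLogin value) and
# the hidden paths etckeeper keeps under /etc.
- name: disable ssh root check in rkhunter
  lineinfile:
    path: /etc/rkhunter.conf
    line: "{{ item.line }}"
    # ALLOW_SSH_ROOT_USER is a single-valued option, so an existing
    # (possibly commented) definition is replaced rather than duplicated
    # with a conflicting value. The ALLOW* path whitelists may be given
    # more than once and are simply appended when missing.
    regexp: "{{ item.regexp | default(omit) }}"
    state: present
  loop:
    - line: 'ALLOW_SSH_ROOT_USER=without-password'
      regexp: '^#?ALLOW_SSH_ROOT_USER='
    - line: 'ALLOWHIDDENDIR=/etc/.git'
    - line: 'ALLOWHIDDENFILE=/etc/.gitignore'
    - line: 'ALLOWHIDDENFILE=/etc/.etckeeper'
    - line: 'ALLOWDEVFILE=/dev/shm/rhm.*'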
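# root sources this file at login, so pin ownership and keep it
# writable by root only; without an explicit mode, copy leaves an
# existing file's permissions untouched.
- name: copy roots dotprofile
  copy:
    src: root.profile
    dest: /root/.profile
    owner: root
    group: root
    mode: "0644"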
# Directory for the local terminfo entry copied in the next task
# (file module: 'path' is what the original spelled as 'name').
- name: create terminfo directory
  file:
    state: directory
    path: /etc/terminfo/x
# Install the xterm-termite terminfo entry into the directory created
# by "create terminfo directory".
- name: copy termite terminfo
  copy:
    dest: /etc/terminfo/x/xterm-termite
    src: xterm-termite
- name: enable services
systemd:
name: "{{item}}"
enabled: yes
state: started
with_items:
- unattended-upgrades