iklim.co/Environment_Infrastructure
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Environment_Infrastructure/ansible/roles/hardening/tasks/main.yml
Murat ÖZDEMİR bbeaf97815 Implement: Administrative user, keyboard layout, and Ansible variable refactor 
This commit introduces several core configurations and structural improvements:

*   **User Management:** Creates a new `iklim` administrative user with a securely hashed password, enabled by `python3-passlib`.
*   **System Configuration:** Sets the system keyboard layout to Turkish Q (`trq`).
*   **Security Hardening:** Refines firewall rules for SSH using a rich rule and ensures `journald` log limits file creation.
*   **Ansible Variable Management:** Restructures `group_vars` by consolidating global variables into `group_vars/all/vars.yml` and sensitive data into a dedicated `group_vars/all/vault.yml`.
*   **Ansible Compatibility:** Adds `!unsafe` to a `docker info` shell command to prevent future warnings.
2026-05-11 19:00:31 +03:00

81 lines
2.1 KiB
YAML
Raw Permalink Blame History

---
- name: Disable SELinux
ansible.posix.selinux:
state: disabled
register: selinux_status
- name: Reboot if SELinux changed
ansible.builtin.reboot:
when: selinux_status.changed
- name: Configure SSH Hardening
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
state: present
loop:
- { regexp: "^PasswordAuthentication", line: "PasswordAuthentication no" }
- { regexp: "^PermitRootLogin", line: "PermitRootLogin prohibit-password" }
- { regexp: "^PermitEmptyPasswords", line: "PermitEmptyPasswords no" }
- { regexp: "^MaxAuthTries", line: "MaxAuthTries 3" }
notify: Restart sshd
- name: Install dnf-automatic
ansible.builtin.dnf:
name: dnf-automatic
state: present
- name: Enable dnf-automatic timer
ansible.builtin.systemd:
name: dnf-automatic.timer
state: started
enabled: yes
- name: Configure fail2ban jail
ansible.builtin.template:
src: jail.local.j2
dest: /etc/fail2ban/jail.local
notify: Restart fail2ban
- name: Ensure firewalld is running
ansible.builtin.service:
name: firewalld
state: started
enabled: yes
- name: Allow SSH in firewalld from admin CIDRs
ansible.posix.firewalld:
rich_rule: 'rule family="ipv4" source address="{{ item }}" service name="ssh" accept'
zone: drop
state: enabled
permanent: yes
immediate: yes
loop: "{{ admin_allowed_cidrs.split(' ') }}"
- name: Configure firewalld default zone
ansible.builtin.shell: firewall-cmd --set-default-zone=drop
changed_when: false
- name: Create iklim user
ansible.builtin.user:
name: iklim
password: "{{ iklim_password | password_hash('sha512') }}"
groups: wheel
append: yes
shell: /bin/bash
create_home: yes
state: present
- name: Configure journald log limits
ansible.builtin.lineinfile:
path: /etc/systemd/journald.conf
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
state: present
create: yes
loop:
- { regexp: "^#?MaxRetentionSec=", line: "MaxRetentionSec=7day" }
- { regexp: "^#?SystemMaxUse=", line: "SystemMaxUse=500M" }
notify: Restart journald
Reference in New Issue View Git Blame Copy Permalink