- hosts: '{{ target }}' gather_facts: false become: true remote_user: root any_errors_fatal: yes tasks: - name: stop firewalld service: name: firewalld state: stopped - name: dnf install epel dnf: name: "epel-release" state: latest - name: dnf update dnf: name: "*" state: latest - name: dnf install dnf: name: ['git', 'vim', 'curl', 'yum-utils', 'policycoreutils-python-utils'] state: latest update_cache: True - name: configure sshd lineinfile: path: "/etc/ssh/sshd_config" regexp: "^(#)?{{item.key}}" line: "{{item.key}} {{item.value}}" state: present validate: "/usr/sbin/sshd -t -f %s" loop: - { key: "PermitRootLogin", value: "no" } - { key: "PasswordAuthentication", value: "no" } - { key: "Port", value: "77" } - name: configure sshd match blockinfile: path: "/etc/ssh/sshd_config" state: present validate: "/usr/sbin/sshd -t -f %s" block: | Match Address 129.97.75.0/24 PermitRootLogin without-password PasswordAuthentication yes - name: configure selinux seport: ports: 77 proto: tcp setype: ssh_port_t state: present - name: start selinux ansible.posix.selinux: policy: targeted state: enforcing - name: allow ssh port in firewalld ansible.posix.firewalld: port: 77/tcp permanent: yes state: enabled offline: yes - name: disallow cockpit in firewalld ansible.posix.firewalld: service: cockpit permanent: yes state: disabled offline: yes - name: disallow dhcpv6-client in firewalld ansible.posix.firewalld: service: dhcpv6-client permanent: yes state: disabled offline: yes - name: disallow default ssh port ansible.posix.firewalld: service: ssh permanent: yes state: disabled offline: yes - name: start firewalld service: name: firewalld state: started enabled: yes - name: reload sshd service: name: sshd state: reloaded