bs_nix/ansible/pkg-ssh-firewall.yml


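---
# Harden SSH and the host firewall on the target host(s):
#   - update packages and install the admin tool set
#   - move sshd to a non-default port, disable root and password logins
#     except from the admin network, keep SELinux enforcing
#   - restrict firewalld to that single SSH port
#
# Invoke with: ansible-playbook pkg-ssh-firewall.yml -e target=<host-or-group>
- hosts: "{{ target }}"
  gather_facts: false
  become: true
  remote_user: root
  any_errors_fatal: true

  vars:
    # Non-default sshd port. One variable feeds sshd_config, the SELinux
    # port label and the firewalld rule so the three cannot drift apart.
    ssh_port: 77
    # Network from which root (key-only) and password logins stay permitted.
    admin_network: "129.97.75.0/24"

  tasks:
    # firewalld is stopped so the rules below can be edited with
    # `offline: true`; it is started again once the new SSH port is allowed.
    - name: stop firewalld
      service:
        name: firewalld
        state: stopped

    - name: dnf install epel
      dnf:
        name: epel-release
        state: latest

    - name: dnf update
      dnf:
        name: "*"
        state: latest

    - name: dnf install
      dnf:
        name:
          - git
          - vim
          - curl
          - yum-utils
          - policycoreutils-python-utils
        state: latest
        update_cache: true

    # Each option is replaced in place (commented-out defaults included) and
    # the file is syntax-checked by sshd before it is written. The regexp is
    # anchored at column 0 and requires whitespace after the keyword, so the
    # indented lines of the Match block added below are never rewritten here.
    - name: configure sshd
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^(#)?{{ item.key }}\s'
        line: "{{ item.key }} {{ item.value }}"
        state: present
        validate: "/usr/sbin/sshd -t -f %s"
      loop:
        - { key: PermitRootLogin, value: "no" }
        - { key: PasswordAuthentication, value: "no" }
        - { key: Port, value: "{{ ssh_port }}" }

    # blockinfile appends at EOF by default; that is required here because
    # every sshd option after a Match line belongs to that Match block.
    # "without-password" is the older spelling of "prohibit-password":
    # root may log in from the admin network with a key, never a password.
    # Password authentication for other users is re-enabled only from there.
    - name: configure sshd match
      blockinfile:
        path: /etc/ssh/sshd_config
        state: present
        validate: "/usr/sbin/sshd -t -f %s"
        block: |
          Match Address {{ admin_network }}
              PermitRootLogin without-password
              PasswordAuthentication yes

    # Label the new port so sshd is allowed to bind it under the targeted policy.
    - name: configure selinux
      seport:
        ports: "{{ ssh_port }}"
        proto: tcp
        setype: ssh_port_t
        state: present

    - name: start selinux
      ansible.posix.selinux:
        policy: targeted
        state: enforcing

    # Firewall edits are made to the permanent configuration while firewalld
    # is down (offline: true); they take effect when it is started below.
    - name: allow ssh port in firewalld
      ansible.posix.firewalld:
        port: "{{ ssh_port }}/tcp"
        permanent: true
        state: enabled
        offline: true

    - name: disallow cockpit in firewalld
      ansible.posix.firewalld:
        service: cockpit
        permanent: true
        state: disabled
        offline: true

    - name: disallow dhcpv6-client in firewalld
      ansible.posix.firewalld:
        service: dhcpv6-client
        permanent: true
        state: disabled
        offline: true

    # The default ssh service (port 22) is closed; only ssh_port stays open.
    - name: disallow default ssh port
      ansible.posix.firewalld:
        service: ssh
        permanent: true
        state: disabled
        offline: true

    - name: start firewalld
      service:
        name: firewalld
        state: started
        enabled: true

    # Reload (not restart) so existing sessions survive the port change;
    # firewalld already permits ssh_port at this point.
    - name: reload sshd
      service:
        name: sshd
        state: reloaded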