99 lines
2.1 KiB
YAML
99 lines
2.1 KiB
YAML
- hosts: '{{ target }}'
|
|
gather_facts: false
|
|
become: true
|
|
remote_user: root
|
|
any_errors_fatal: yes
|
|
tasks:
|
|
- name: stop firewalld
|
|
service:
|
|
name: firewalld
|
|
state: stopped
|
|
|
|
- name: dnf install epel
|
|
dnf:
|
|
name: "epel-release"
|
|
state: latest
|
|
|
|
- name: dnf update
|
|
dnf:
|
|
name: "*"
|
|
state: latest
|
|
|
|
- name: dnf install
|
|
dnf:
|
|
name: ['git', 'vim', 'curl', 'yum-utils', 'policycoreutils-python-utils']
|
|
state: latest
|
|
update_cache: True
|
|
|
|
- name: configure sshd
|
|
lineinfile:
|
|
path: "/etc/ssh/sshd_config"
|
|
regexp: "^(#)?{{item.key}}"
|
|
line: "{{item.key}} {{item.value}}"
|
|
state: present
|
|
validate: "/usr/sbin/sshd -t -f %s"
|
|
loop:
|
|
- { key: "PermitRootLogin", value: "no" }
|
|
- { key: "PasswordAuthentication", value: "no" }
|
|
- { key: "Port", value: "77" }
|
|
|
|
- name: configure sshd match
|
|
blockinfile:
|
|
path: "/etc/ssh/sshd_config"
|
|
state: present
|
|
validate: "/usr/sbin/sshd -t -f %s"
|
|
block: |
|
|
Match Address 129.97.75.0/24
|
|
PermitRootLogin without-password
|
|
PasswordAuthentication yes
|
|
|
|
- name: configure selinux
|
|
seport:
|
|
ports: 77
|
|
proto: tcp
|
|
setype: ssh_port_t
|
|
state: present
|
|
|
|
- name: start selinux
|
|
ansible.posix.selinux:
|
|
policy: targeted
|
|
state: enforcing
|
|
|
|
- name: allow ssh port in firewalld
|
|
ansible.posix.firewalld:
|
|
port: 77/tcp
|
|
permanent: yes
|
|
state: enabled
|
|
offline: yes
|
|
|
|
- name: disallow cockpit in firewalld
|
|
ansible.posix.firewalld:
|
|
service: cockpit
|
|
permanent: yes
|
|
state: disabled
|
|
offline: yes
|
|
|
|
- name: disallow dhcpv6-client in firewalld
|
|
ansible.posix.firewalld:
|
|
service: dhcpv6-client
|
|
permanent: yes
|
|
state: disabled
|
|
offline: yes
|
|
|
|
- name: disallow default ssh port
|
|
ansible.posix.firewalld:
|
|
service: ssh
|
|
permanent: yes
|
|
state: disabled
|
|
offline: yes
|
|
|
|
- name: start firewalld
|
|
service:
|
|
name: firewalld
|
|
state: started
|
|
enabled: yes
|
|
|
|
- name: reload sshd
|
|
service:
|
|
name: sshd
|
|
state: reloaded |