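---
# Baseline hardening for the web server: SSH lockdown, host firewall (ufw),
# fail2ban, unattended security upgrades and a fixed timezone.
#
# Reachability notes:
#   - The SSH tasks turn off password logins, so key-based access for the
#     Ansible user must already be in place before this play runs.
#   - ufw evaluates rules in order (first match wins). The source-range deny
#     rules are therefore added BEFORE the port allow rules; otherwise a
#     request from a denied range to port 80/443 would hit the allow rule
#     first. The firewall is only enabled, with a default-deny inbound policy,
#     after every rule has been added.
- name: Set up security defaults
  hosts: webserver
  become: true
  become_user: root

  tasks:
    - name: Disable root SSH login
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?PermitRootLogin'
        line: 'PermitRootLogin no'
        # Refuse the edit if the resulting file does not parse, so a broken
        # sshd_config can never reach the restart handler.
        validate: '/usr/sbin/sshd -t -f %s'
      notify:
        - Restart sshd

    - name: Disable password-based SSH authentication
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?PasswordAuthentication'
        line: 'PasswordAuthentication no'
        validate: '/usr/sbin/sshd -t -f %s'
      notify:
        - Restart sshd

    - name: Enable public-key SSH authentication
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?PubkeyAuthentication'
        line: 'PubkeyAuthentication yes'
        validate: '/usr/sbin/sshd -t -f %s'
      notify:
        - Restart sshd

    - name: Update the apt cache
      apt:
        update_cache: true

    - name: Install fail2ban firewall with default settings
      apt:
        name: fail2ban
        state: present

    - name: Install ufw firewall
      apt:
        name: ufw
        state: present

    # Source-range deny rules come first so they precede the allow rules in
    # ufw's ordered rule list (the module's `insert` parameter would be the
    # alternative if these tasks had to stay after the allow rules).
    - name: Configure ufw firewall to deny access to ChatGPT-User's IP range
      community.general.ufw:
        rule: deny
        src: '23.98.142.176/28'
        comment: 'ChatGPT-User (https://platform.openai.com/docs/plugins/bot)'

    # The play fails here if the feed is unreachable or does not return
    # HTTP 200 (the uri module's default expectation).
    - name: Load GPTBot IP ranges
      uri:
        url: https://openai.com/gptbot.json
      register: gptbot_info

    # Only the ipv4Prefix entries are extracted; any IPv6 ranges the feed may
    # list are not covered by this rule. json_query needs the jmespath
    # Python package on the controller.
    - name: Configure ufw firewall to deny access to each of GPTBot's IP ranges
      community.general.ufw:
        rule: deny
        src: "{{ item }}"
        comment: 'GPTBot (https://platform.openai.com/docs/gptbot)'
      loop: "{{ gptbot_info['json'] | community.general.json_query('prefixes[*].ipv4Prefix') }}"

    - name: Configure ufw firewall to allow SSH connections on port 22
      community.general.ufw:
        rule: allow
        port: "22"

    - name: Configure ufw firewall to allow HTTP connections on port 80
      community.general.ufw:
        rule: allow
        port: "80"

    - name: Configure ufw firewall to allow HTTPS connections on port 443
      community.general.ufw:
        rule: allow
        port: "443"

    - name: Enable ufw firewall with all other ports closed by default
      community.general.ufw:
        state: enabled
        policy: deny

    - name: Install unattended-upgrades
      apt:
        name: unattended-upgrades
        state: present

    - name: Enable unattended-upgrades to auto-upgrade our system
      copy:
        content: |
          APT::Periodic::Update-Package-Lists "1";
          APT::Periodic::Unattended-Upgrade "1";
        dest: /etc/apt/apt.conf.d/20auto-upgrades

    # The regex also matches the commented-out default line (leading "//"),
    # so the setting is replaced in place rather than appended.
    - name: Configure unattended-upgrades to auto-reboot our server when necessary
      lineinfile:
        path: /etc/apt/apt.conf.d/50unattended-upgrades
        regexp: '^(//\s*)?Unattended-Upgrade::Automatic-Reboot ".*";$'
        line: 'Unattended-Upgrade::Automatic-Reboot "true";'

    # Set before the reboot-time task below so "03:00" is local Pacific time.
    - name: Configure the system timezone to be US Pacific time
      community.general.timezone:
        name: America/Los_Angeles

    - name: Configure unattended-upgrades to delay necessary reboots to 3am
      lineinfile:
        path: /etc/apt/apt.conf.d/50unattended-upgrades
        regexp: '^(//\s*)?Unattended-Upgrade::Automatic-Reboot-Time ".*";$'
        line: 'Unattended-Upgrade::Automatic-Reboot-Time "03:00";'

  handlers:
    # Runs once at the end of the play if any sshd_config task changed.
    - name: Restart sshd
      systemd:
        name: sshd
        state: restarted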