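---
# Baseline hardening for the "health" hosts: SSH login restrictions, a
# default-deny ufw firewall that only opens the ports in open_ports, fail2ban,
# unattended upgrades with a scheduled reboot window, and the timezone.
- name: Set up security defaults
  hosts: health
  become: true
  become_user: root
  vars:
    # Service names ufw resolves to ports; everything else stays closed by the
    # default deny policy applied at the end of the play.
    open_ports:
      - ssh
      - http
      - https

  tasks:
    - name: Disable insecure SSH authentication methods
      # The drop-in only takes effect if the main sshd_config contains
      # "Include /etc/ssh/sshd_config.d/*.conf" — confirm on the target image.
      copy:
        dest: /etc/ssh/sshd_config.d/disable-insecure-logins.conf
        content: |
          PermitRootLogin no
          PasswordAuthentication no
          PubkeyAuthentication yes
      notify: Restart SSH

    - name: Update the apt cache
      apt:
        update_cache: true

    - name: Install fail2ban firewall with default settings
      apt:
        name: fail2ban

    - name: Install ufw firewall
      apt:
        name: ufw

    # ufw evaluates rules in insertion order and stops at the first match, so
    # the source-based deny rules must be appended BEFORE the port allow rules.
    # With the allow rules first, "allow http" would match a bot's request and
    # the deny rule added afterwards would never fire.
    - name: Configure ufw firewall to deny access to ChatGPT-User's IP range
      community.general.ufw:
        rule: deny
        src: 23.98.142.176/28
        comment: ChatGPT-User (https://platform.openai.com/docs/plugins/bot)

    - name: Load GPTBot IP ranges
      # Fetched from a third-party URL at run time; if the request fails the
      # play stops here, before the firewall is enabled.
      uri:
        url: https://openai.com/gptbot.json
      register: gptbot_info

    - name: Configure ufw firewall to deny access to each of GPTBot's IP ranges
      community.general.ufw:
        rule: deny
        src: "{{ item }}"
        comment: GPTBot (https://platform.openai.com/docs/gptbot)
      loop: "{{ gptbot_info['json'] | community.general.json_query('prefixes[*].ipv4Prefix') }}"

    - name: Configure ufw firewall to allow connections on each port in open_ports
      community.general.ufw:
        rule: allow
        port: "{{ item }}"
      loop: "{{ open_ports }}"

    - name: Enable ufw firewall with all other ports closed by default
      community.general.ufw:
        state: enabled
        policy: deny

    - name: Install unattended-upgrades
      apt:
        name: unattended-upgrades

    - name: Enable unattended-upgrades to auto-upgrade our system
      copy:
        dest: /etc/apt/apt.conf.d/20auto-upgrades
        content: |
          APT::Periodic::Update-Package-Lists "1";
          APT::Periodic::Unattended-Upgrade "1";

    - name: Configure unattended-upgrades to auto-reboot our server when necessary
      # The pattern also matches the commented-out ("// ...") default line so
      # it is replaced rather than duplicated.
      lineinfile:
        dest: /etc/apt/apt.conf.d/50unattended-upgrades
        regex: '^(//\s*)?Unattended-Upgrade::Automatic-Reboot ".*";$'
        line: Unattended-Upgrade::Automatic-Reboot "true";

    - name: Configure the system timezone to be US Pacific time
      community.general.timezone:
        name: America/Los_Angeles

    - name: Configure unattended-upgrades to delay necessary reboots to 3am
      # Presumably the reboot time is read in the system timezone set by the
      # previous task — verify if the window matters.
      lineinfile:
        dest: /etc/apt/apt.conf.d/50unattended-upgrades
        regex: '^(//\s*)?Unattended-Upgrade::Automatic-Reboot-Time ".*";$'
        line: Unattended-Upgrade::Automatic-Reboot-Time "03:00";

  handlers:
    - name: Restart SSH
      systemd_service:
        name: ssh
        state: restarted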