openneo-health/setup-security.yml

---
- name: Set up security defaults
  hosts: health
  become: yes
  become_user: root
  vars:
    open_ports:
      - ssh
      - http
      - https
  tasks:
    - name: Disable insecure SSH authentication methods
      copy:
        dest: /etc/ssh/sshd_config.d/disable-insecure-logins.conf
        content: |
          PermitRootLogin no
          PasswordAuthentication no
          PubkeyAuthentication yes
      notify: Restart SSH

    - name: Update the apt cache
      apt:
        update_cache: yes

    - name: Install fail2ban firewall with default settings
      apt:
        name: fail2ban

    - name: Install ufw firewall
      apt:
        name: ufw

    - name: Configure ufw firewall to allow SSH connections on port 22
      community.general.ufw:
        rule: allow
        port: "{{ item }}"
      loop: "{{ open_ports }}"

    - name: Configure ufw firewall to deny access to ChatGPT-User's IP range
      community.general.ufw:
        rule: deny
        src: 23.98.142.176/28
        comment: ChatGPT-User (https://platform.openai.com/docs/plugins/bot)

    - name: Load GPTBot IP ranges
      uri:
        url: https://openai.com/gptbot.json
      register: gptbot_info

    - name: Configure ufw firewall to deny access to each of GPTBot's IP ranges
      community.general.ufw:
        rule: deny
        src: "{{ item }}"
        comment: GPTBot (https://platform.openai.com/docs/gptbot)
      loop: "{{ gptbot_info['json'] |
        community.general.json_query('prefixes[*].ipv4Prefix') }}"

    - name: Enable ufw firewall with all other ports closed by default
      community.general.ufw:
        state: enabled
        policy: deny

    - name: Install unattended-upgrades
      apt:
        name: unattended-upgrades

    - name: Enable unattended-upgrades to auto-upgrade our system
      copy:
        content: |
          APT::Periodic::Update-Package-Lists "1";
          APT::Periodic::Unattended-Upgrade "1";
        dest: /etc/apt/apt.conf.d/20auto-upgrades

    - name: Configure unattended-upgrades to auto-reboot our server when necessary
      lineinfile:
        regex: ^(//\s*)?Unattended-Upgrade::Automatic-Reboot ".*";$
        line: Unattended-Upgrade::Automatic-Reboot "true";
        dest: /etc/apt/apt.conf.d/50unattended-upgrades

    - name: Configure the system timezone to be US Pacific time
      community.general.timezone:
        name: America/Los_Angeles

    - name: Configure unattended-upgrades to delay necessary reboots to 3am
      lineinfile:
        regex: ^(//\s*)?Unattended-Upgrade::Automatic-Reboot-Time ".*";$
        line: Unattended-Upgrade::Automatic-Reboot-Time "03:00";
        dest: /etc/apt/apt.conf.d/50unattended-upgrades

  handlers:
    - name: Restart SSH
      systemd_service:
        name: ssh
        state: restarted
Initial commit: It's working! :3 2024-02-28 13:15:31 -08:00			`---`
			`- name: Set up security defaults`
			`hosts: health`
			`become: yes`
			`become_user: root`
			`vars:`
			`open_ports:`
			`- ssh`
			`- http`
			`- https`
			`tasks:`
			`- name: Disable insecure SSH authentication methods`
			`copy:`
			`dest: /etc/ssh/sshd_config.d/disable-insecure-logins.conf`
			`content: \|`
			`PermitRootLogin no`
			`PasswordAuthentication no`
			`PubkeyAuthentication yes`
			`notify: Restart SSH`

			`- name: Update the apt cache`
			`apt:`
			`update_cache: yes`

			`- name: Install fail2ban firewall with default settings`
			`apt:`
			`name: fail2ban`

			`- name: Install ufw firewall`
			`apt:`
			`name: ufw`

			`- name: Configure ufw firewall to allow SSH connections on port 22`
			`community.general.ufw:`
			`rule: allow`
			`port: "{{ item }}"`
			`loop: "{{ open_ports }}"`

			`- name: Configure ufw firewall to deny access to ChatGPT-User's IP range`
			`community.general.ufw:`
			`rule: deny`
			`src: 23.98.142.176/28`
			`comment: ChatGPT-User (https://platform.openai.com/docs/plugins/bot)`

			`- name: Load GPTBot IP ranges`
			`uri:`
			`url: https://openai.com/gptbot.json`
			`register: gptbot_info`

			`- name: Configure ufw firewall to deny access to each of GPTBot's IP ranges`
			`community.general.ufw:`
			`rule: deny`
			`src: "{{ item }}"`
			`comment: GPTBot (https://platform.openai.com/docs/gptbot)`
			`loop: "{{ gptbot_info['json'] \|`
			`community.general.json_query('prefixes[*].ipv4Prefix') }}"`

			`- name: Enable ufw firewall with all other ports closed by default`
			`community.general.ufw:`
			`state: enabled`
			`policy: deny`

			`- name: Install unattended-upgrades`
			`apt:`
			`name: unattended-upgrades`

			`- name: Enable unattended-upgrades to auto-upgrade our system`
			`copy:`
			`content: \|`
			`APT::Periodic::Update-Package-Lists "1";`
			`APT::Periodic::Unattended-Upgrade "1";`
			`dest: /etc/apt/apt.conf.d/20auto-upgrades`

			`- name: Configure unattended-upgrades to auto-reboot our server when necessary`
			`lineinfile:`
			`regex: ^(//\s)?Unattended-Upgrade::Automatic-Reboot ".";$`
			`line: Unattended-Upgrade::Automatic-Reboot "true";`
			`dest: /etc/apt/apt.conf.d/50unattended-upgrades`

			`- name: Configure the system timezone to be US Pacific time`
			`community.general.timezone:`
			`name: America/Los_Angeles`

			`- name: Configure unattended-upgrades to delay necessary reboots to 3am`
			`lineinfile:`
			`regex: ^(//\s)?Unattended-Upgrade::Automatic-Reboot-Time ".";$`
			`line: Unattended-Upgrade::Automatic-Reboot-Time "03:00";`
			`dest: /etc/apt/apt.conf.d/50unattended-upgrades`

			`handlers:`
			`- name: Restart SSH`
			`systemd_service:`
			`name: ssh`
			`state: restarted`