infra/roles/common/tasks/main.yml

---

- name: Configure hostname
  hostname:
    name: "{{ inventory_hostname_short }}"

- name: Configure mailname
  copy:
    content: "{{ inventory_hostname }}\n"
    dest: /etc/mailname
    owner: root
    group: root
    mode: 0644

- name: Configure FQDN
  lineinfile:
    path: /etc/hosts
    regexp: '^127\.0\.0\.1'
    line: "127.0.0.1 {{ inventory_hostname }} {{ inventory_hostname_short }} localhost"
    owner: root
    group: root
    mode: 0644

- name: Install fail2ban
  apt:
    name: fail2ban
    state: present

- name: Configure fail2ban for nginx
  copy:
    content: |
      [nginx-botsearch]
      enabled  = true
      port     = http,https
      logpath  = %(nginx_error_log)s
      maxretry = 2      
    dest: /etc/fail2ban/jail.d/nginx.conf
    mode: 0x644
  notify: reload fail2ban

- name: Configure fail2ban bantime
  copy:
    content: |
      [DEFAULT]
      bantime  = 30d      
    dest: /etc/fail2ban/jail.d/mdk-bantime.conf
    mode: 0x644
  notify: reload fail2ban

- name: Setup nftables
  include_role: name=nftables
  tags: always
  vars:
    nftables_conf: |
        #!/usr/sbin/nft -f

        flush ruleset

        table inet filter {
            chain input {
                type filter hook input priority 0;
                iif lo accept
                ct state established,related accept
                tcp dport { ssh, http, https, 5201 } ct state new accept
                ip protocol icmp icmp type { destination-unreachable, echo-reply, echo-request, source-quench, time-exceeded } accept
                counter drop
            }
        }        

# From https://infosec.mozilla.org/guidelines/openssh
- name: SSHd hardening
  blockinfile:
    marker: "# {mark} ANSIBLE MANAGED BLOCK (KexAlgorithms, Ciphers, MACs)"
    path: /etc/ssh/sshd_config
    state: present
    create: true
    block: |
      KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
      Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
      MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

      HostKey /etc/ssh/ssh_host_ed25519_key
      HostKey /etc/ssh/ssh_host_rsa_key
      HostKey /etc/ssh/ssh_host_ecdsa_key

      AuthenticationMethods publickey
      LogLevel VERBOSE      
  notify: restart sshd
  tags: ssh