49 lines
1.1 KiB
YAML
49 lines
1.1 KiB
YAML
- name: Install the Uncomplicated Firewall
|
|
ansible.builtin.apt:
|
|
name: ufw
|
|
state: present
|
|
|
|
- name: Install Fail2ban
|
|
ansible.builtin.apt:
|
|
name: fail2ban
|
|
state: present
|
|
|
|
- name: Deny incoming traffic by default
|
|
community.general.ufw:
|
|
default: deny
|
|
direction: incoming
|
|
|
|
- name: Allow outgoing traffic by default
|
|
community.general.ufw:
|
|
default: allow
|
|
direction: outgoing
|
|
|
|
- name: Allow OpenSSH with rate limiting
|
|
community.general.ufw:
|
|
name: ssh
|
|
rule: limit
|
|
|
|
- name: Remove Fail2ban defaults-debian.conf
|
|
ansible.builtin.file:
|
|
path: /etc/fail2ban/jail.d/defaults-debian.conf
|
|
state: absent
|
|
|
|
- name: Install OpenSSH's Fail2ban jail
|
|
ansible.builtin.template:
|
|
src: fail2ban-ssh.conf.j2
|
|
dest: /etc/fail2ban/jail.d/sshd.conf
|
|
mode: "640"
|
|
notify: restart_fail2ban
|
|
|
|
- name: Install Fail2ban IP allow list
|
|
ansible.builtin.template:
|
|
src: fail2ban-allowlist.conf.j2
|
|
dest: /etc/fail2ban/jail.d/allowlist.conf
|
|
mode: "640"
|
|
when: fail2ban_ignoreip is defined
|
|
notify: restart_fail2ban
|
|
|
|
- name: Enable firewall
|
|
community.general.ufw:
|
|
state: enabled
|