Diffstat (limited to 'roles/harden/tasks')
| -rw-r--r-- | roles/harden/tasks/harden.yaml | 139 | ||||
| -rw-r--r-- | roles/harden/tasks/main.yaml | 170 | 
2 files changed, 169 insertions, 140 deletions
|
diff --git a/roles/harden/tasks/harden.yaml b/roles/harden/tasks/harden.yaml
deleted file mode 100644
index fe1807a..0000000
--- a/roles/harden/tasks/harden.yaml
+++ /dev/null
@@ -1,139 +0,0 @@
-- name: remove snap and snapd
-  apt:
-    name:
-      - snap
-      - snapd
-    state: absent
-    purge: true
-
-- name: clean apt cache
-  apt:
-    autoclean: true
-
-- name: clear /etc/issue and /etc/motd
-  copy:
-    content: ""
-    dest: "{{ item }}"
-  loop:
-    - /etc/issue
-    - /etc/motd
-
-- name: check if /etc/update-motd.d directory exists
-  stat:
-    path: /etc/update-motd.d
-  register: motd_dir
-
-- name: find files in /etc/update-motd.d
-  find:
-    paths: /etc/update-motd.d
-    file_type: file
-  register: motd_files
-  when: motd_dir.stat.exists
-
-- name: remove execute permissions from all files in /etc/update-motd.d
-  file:
-    path: "{{ item.path }}"
-    mode: u-x,g-x,o-x
-  loop: "{{ motd_files.files }}"
-  when: motd_dir.stat.exists
-
-- name: enforce root-only cron/at
-  file:
-    path: "{{ item }}"
-    state: touch
-    owner: root
-    group: root
-    mode: '0600'
-  loop:
-    - /etc/cron.allow
-    - /etc/at.allow
-
-- name: remove deny files for cron and at
-  file:
-    path: "{{ item }}"
-    state: absent
-  loop:
-    - /etc/cron.deny
-    - /etc/at.deny
-
-- name: backup sshd_config
-  copy:
-    src: /etc/ssh/sshd_config
-    dest: "/etc/ssh/sshd_config.bak_{{ ansible_date_time.iso8601_basic }}"
-    remote_src: true
-
-- name: harden sshd_config
-  copy:
-    dest: /etc/ssh/sshd_config
-    content: |
-      Port 22
-      Banner /etc/issue
-      UsePAM yes
-      Protocol 2
-      Subsystem sftp /usr/lib/openssh/sftp-server
-      LogLevel verbose
-      PrintMotd no
-      AcceptEnv LANG LC_*
-      MaxSessions 5
-      StrictModes yes
-      Compression no
-      MaxAuthTries 3
-      IgnoreRhosts yes
-      PrintLastLog yes
-      AddressFamily inet
-      X11Forwarding no
-      PermitRootLogin yes
-      AllowTcpForwarding no
-      ClientAliveInterval 1200
-      AllowAgentForwarding no
-      PermitEmptyPasswords no
-      ClientAliveCountMax 0
-      GSSAPIAuthentication no
-      KerberosAuthentication no
-      IgnoreUserKnownHosts yes
-      PermitUserEnvironment no
-      ChallengeResponseAuthentication no
-      MACs hmac-sha2-512,hmac-sha2-256
-      Ciphers aes128-ctr,aes192-ctr,aes256-ctr
-
-- name: regenerate SSH host keys
-  shell: |
-    rm -f /etc/ssh/ssh_host_*key*
-    ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""
-    ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N ""
-  args:
-    creates: /etc/ssh/ssh_host_ed25519_key
-  notify: restart ssh
-
-- name: enable unattended-upgrades
-  shell: dpkg-reconfigure --priority=low unattended-upgrades
-  args:
-    creates: /etc/apt/apt.conf.d/50unattended-upgrades
-  notify: restart unattended-upgrades
-
-- name: disable ipv6 in grub
-  lineinfile:
-    path: /etc/default/grub
-    regexp: '^GRUB_CMDLINE_LINUX='
-    line: 'GRUB_CMDLINE_LINUX="ipv6.disable=1"'
-  notify: update grub
-
-- name: allow ssh port and enable ufw
-  ufw:
-    rule: allow
-    port: 22
-    proto: tcp
-  notify:
-    - enable ufw
-    - restart ufw
-
-- name: deploy custom fail2ban jail.local
-  template:
-    src: templates/jail.local.j2
-    dest: /etc/fail2ban/jail.local
-    owner: root
-    group: root
-    mode: '0644'
-  notify:
-    - restart fail2ban
-    - reload fail2ban
diff --git a/roles/harden/tasks/main.yaml b/roles/harden/tasks/main.yaml
index 95fdd29..b6a80a9 100644
--- a/roles/harden/tasks/main.yaml
+++ b/roles/harden/tasks/main.yaml
@@ -1 +1,169 @@
-- import_tasks: tasks/harden.yaml
+- name: remove snap and snapd
+  apt:
+    name:
+      - snap
+      - snapd
+    state: absent
+    purge: true
+
+- name: clean apt cache
+  apt:
+    autoclean: true
+
+- name: clear /etc/issue and /etc/motd
+  copy:
+    content: ""
+    dest: "{{ item }}"
+  loop:
+    - /etc/issue
+    - /etc/motd
+
+- name: check if /etc/update-motd.d directory exists
+  stat:
+    path: /etc/update-motd.d
+  register: motd_dir
+
+- name: find files in /etc/update-motd.d
+  find:
+    paths: /etc/update-motd.d
+    file_type: file
+  register: motd_files
+  when: motd_dir.stat.exists
+
+- name: remove execute permissions from all files in /etc/update-motd.d
+  file:
+    path: "{{ item.path }}"
+    mode: u-x,g-x,o-x
+  loop: "{{ motd_files.files }}"
+  when: motd_dir.stat.exists
+
+- name: enforce root-only cron/at
+  file:
+    path: "{{ item }}"
+    state: touch
+    owner: root
+    group: root
+    mode: '0600'
+  loop:
+    - /etc/cron.allow
+    - /etc/at.allow
+
+- name: remove deny files for cron and at
+  file:
+    path: "{{ item }}"
+    state: absent
+  loop:
+    - /etc/cron.deny
+    - /etc/at.deny
+
+- name: backup sshd_config
+  copy:
+    src: /etc/ssh/sshd_config
+    dest: "/etc/ssh/sshd_config.bak_{{ ansible_date_time.iso8601_basic }}"
+    remote_src: true
+
+- name: harden sshd_config
+  copy:
+    dest: /etc/ssh/sshd_config
+    content: |
+      Port 22
+      Banner /etc/issue
+      UsePAM yes
+      Protocol 2
+      Subsystem sftp /usr/lib/openssh/sftp-server
+      LogLevel verbose
+      PrintMotd no
+      AcceptEnv LANG LC_*
+      MaxSessions 5
+      StrictModes yes
+      Compression no
+      MaxAuthTries 3
+      IgnoreRhosts yes
+      PrintLastLog yes
+      AddressFamily inet
+      X11Forwarding no
+      PermitRootLogin yes
+      AllowTcpForwarding no
+      ClientAliveInterval 1200
+      AllowAgentForwarding no
+      PermitEmptyPasswords no
+      ClientAliveCountMax 0
+      GSSAPIAuthentication no
+      KerberosAuthentication no
+      IgnoreUserKnownHosts yes
+      PermitUserEnvironment no
+      ChallengeResponseAuthentication no
+      MACs hmac-sha2-512,hmac-sha2-256
+      Ciphers aes128-ctr,aes192-ctr,aes256-ctr
+
+- name: regenerate SSH host keys
+  shell: |
+    rm -f /etc/ssh/ssh_host_*key*
+    ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""
+    ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N ""
+  args:
+    creates: /etc/ssh/ssh_host_ed25519_key
+
+- name: restart ssh
+  systemd:
+    name: ssh
+    state: restarted
+    enabled: true
+  when: ansible_service_mgr == 'systemd'
+
+- name: enable unattended-upgrades
+  shell: dpkg-reconfigure --priority=low unattended-upgrades
+  args:
+    creates: /etc/apt/apt.conf.d/50unattended-upgrades
+
+- name: restart unattended-upgrades
+  systemd:
+    name: unattended-upgrades
+    state: restarted
+    enabled: true
+  when: ansible_service_mgr == 'systemd'
+
+- name: disable ipv6 in grub
+  lineinfile:
+    path: /etc/default/grub
+    regexp: '^GRUB_CMDLINE_LINUX='
+    line: 'GRUB_CMDLINE_LINUX="ipv6.disable=1"'
+
+- name: update grub
+  command: update-grub
+
+- name: allow ssh port and enable ufw
+  ufw:
+    rule: allow
+    port: 22
+    proto: tcp
+
+- name: enable ufw
+  ufw:
+    state: enabled
+    policy: deny
+
+- name: restart ufw
+  systemd:
+    name: ufw
+    state: restarted
+    enabled: true
+  when: ansible_service_mgr == 'systemd'
+
+- name: deploy custom fail2ban jail.local
+  template:
+    src: templates/jail.local.j2
+    dest: /etc/fail2ban/jail.local
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: restart fail2ban
+  systemd:
+    name: fail2ban
+    state: restarted
+    enabled: true
+  when: ansible_service_mgr == 'systemd'
+
+- name: reload fail2ban
+  command: fail2ban-client reload |
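Review bot: The sshd_config written by the `harden sshd_config` task keeps `PermitRootLogin yes` and sets no `PasswordAuthentication` directive (only `ChallengeResponseAuthentication no` with `UsePAM yes`), so on any host with a root password this hardening role leaves password-guessable root login over SSH open; `MaxAuthTries 3` and fail2ban only slow that down. If the controller reaches these hosts as root with a key, `PermitRootLogin prohibit-password` together with `PasswordAuthentication no` keeps the playbook working while closing the password path — confirm how the inventory connects before changing it. Separately, the new unconditional `restart ssh` task fires right after the `copy` with no syntax check on the generated file, so a single typo in `content` locks everyone out of the host; adding `validate: '/usr/sbin/sshd -t -f %s'` to the `copy` task makes Ansible refuse to install a config sshd rejects. The restart and reload tasks for ssh, ufw and fail2ban now also run on every play rather than on change, since the handler `notify` entries were dropped; registering the config tasks and gating with `when: <result> is changed`, or moving them back to handlers, restores idempotence.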