Add playbook

ssh_config.yml

@@ -0,0 +1,81 @@
+---
+
+- name: Configure SSH settings
+  hosts: all
+  become: true
+  tasks:
+    
+    - name: Install SSH
+      ansible.builtin.apt:
+        name: openssh-server
+        state: present
+
+    - name: Create SSH directory for user pleb
+      ansible.builtin.file:
+        path: /home/pleb/.ssh
+        state: directory
+        owner: pleb
+        group: pleb
+        mode: '0700'
+
+    - name: Add SSH public key
+      ansible.posix.authorized_key:
+        user: pleb
+        state: present
+        key: "{{ lookup('file', '/home/pleb/.ssh/bikiniBottom.pub') }}"
+
+    - name: Configure SSH daemon settings
+      ansible.builtin.lineinfile:
+        path: /etc/ssh/sshd_config
+        regexp: '{{ item.regexp }}'
+        line: '{{ item.line }}'
+        state: present
+        insertafter: EOF
+      loop:
+        - { regexp: '^#Port', line: 'Port 22' }
+        - { regexp: '^#PermitRootLogin', line: 'PermitRootLogin no' }
+        - { regexp: '^#PasswordAuthentication', line: 'PasswordAuthentication no' }
+        - { regexp: '^#ChallengeResponseAuthentication', line: 'ChallengeResponseAuthentication no' }
+        - { regexp: '^#UsePAM', line: 'UsePAM yes' }
+        - { regexp: '^#AllowUsers', line: 'AllowUsers pleb' }
+        - { regexp: '^#MaxAuthTries', line: 'MaxAuthTries 5' }
+      notify: restart ssh
+
+  handlers:
+    - name: restart ssh
+      ansible.builtin.systemd:
+        name: ssh
+        state: restarted
+        enabled: true
+
+- name: Configure Fail2Ban settings
+  hosts: all
+  become: true
+  tasks:
+
+    - name: Install Fail2Ban
+      ansible.builtin.apt:
+        name: fail2ban
+        state: present
+        update_cache: true
+
+    - name: Configure Fail2Ban for SSH
+      ansible.builtin.copy:
+        dest: /etc/fail2ban/jail.local
+        content: |
+          [sshd]
+          enabled = true
+          port = 22
+          filter = sshd
+          logpath = /var/log/auth.log
+          maxretry = 5
+          bantime = 3600
+        mode: '0644'
+      notify: restart fail2ban
+
+  handlers:
+    - name: restart fail2ban
+      ansible.builtin.systemd:
+        name: fail2ban
+        state: restarted
+        enabled: true