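---
# Hardens SSH on apt-based (Debian/Ubuntu-family) hosts: key-only login for a
# single allowed user, then fail2ban to rate-limit brute-force attempts against
# sshd. Both plays target every host in the inventory and escalate with become.
- name: Configure SSH settings
  hosts: all
  become: true
  tasks:
    - name: Install SSH
      ansible.builtin.apt:
        name: openssh-server
        state: present
        update_cache: true

    - name: Create SSH directory for user pleb
      ansible.builtin.file:
        path: /home/pleb/.ssh
        state: directory
        owner: pleb
        group: pleb
        mode: '0700'

    # The 'file' lookup is evaluated on the control node, so the public key
    # must exist at this path on the machine running ansible-playbook, not on
    # the managed host.
    - name: Add SSH public key
      ansible.posix.authorized_key:
        user: pleb
        state: present
        key: "{{ lookup('file', '/home/pleb/.ssh/bikiniBottom.pub') }}"

    # Each regexp matches the directive whether it is still commented out or
    # already active. A bare '^#Directive' pattern leaves an existing active
    # line (e.g. 'PasswordAuthentication yes') untouched and appends the new
    # value at EOF, where sshd ignores it because the first occurrence of a
    # keyword wins -- so the hardening would silently not apply.
    # 'validate' runs 'sshd -t' against the candidate file and rejects a broken
    # edit before the handler restarts the daemon and locks everyone out.
    # NOTE(review): if the target's sshd_config begins with
    # 'Include /etc/ssh/sshd_config.d/*.conf', a drop-in there (cloud images
    # often ship one) takes precedence over these edits -- confirm for the
    # images in use.
    - name: Configure SSH daemon settings
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '{{ item.regexp }}'
        line: '{{ item.line }}'
        state: present
        insertafter: EOF
        validate: /usr/sbin/sshd -t -f %s
      loop:
        - { regexp: '^#?\s*Port\b', line: 'Port 22' }
        - { regexp: '^#?\s*PermitRootLogin\b', line: 'PermitRootLogin no' }
        - { regexp: '^#?\s*PasswordAuthentication\b', line: 'PasswordAuthentication no' }
        # Newer OpenSSH treats this keyword as an alias of
        # KbdInteractiveAuthentication; it is still accepted.
        - { regexp: '^#?\s*ChallengeResponseAuthentication\b', line: 'ChallengeResponseAuthentication no' }
        - { regexp: '^#?\s*UsePAM\b', line: 'UsePAM yes' }
        # Restricts interactive login to the single user whose key was installed
        # above; any other account is refused by sshd regardless of credentials.
        - { regexp: '^#?\s*AllowUsers\b', line: 'AllowUsers pleb' }
        - { regexp: '^#?\s*MaxAuthTries\b', line: 'MaxAuthTries 5' }
      notify: restart ssh

  handlers:
    # Debian/Ubuntu unit name is 'ssh'; 'enabled' also makes sure the service
    # comes back after a reboot.
    - name: restart ssh
      ansible.builtin.systemd:
        name: ssh
        state: restarted
        enabled: true

- name: Configure Fail2Ban settings
  hosts: all
  become: true
  tasks:
    - name: Install Fail2Ban
      ansible.builtin.apt:
        name: fail2ban
        state: present
        update_cache: true

    # Make sure the log the sshd jail tails exists. Preserving the timestamps
    # keeps 'touch' idempotent, so this task does not report changed on every
    # run.
    - name: Create log file
      ansible.builtin.file:
        path: /var/log/auth.log
        state: touch
        owner: root
        group: root
        mode: '0644'
        modification_time: preserve
        access_time: preserve
      notify: restart fail2ban

    # jail.local overrides jail.conf without editing the packaged file. The
    # port and maxretry values mirror the sshd settings applied in the first
    # play (Port 22, MaxAuthTries 5); keep them in step if either changes.
    - name: Configure Fail2Ban for SSH
      ansible.builtin.copy:
        dest: /etc/fail2ban/jail.local
        content: |
          [sshd]
          enabled = true
          port = 22
          filter = sshd
          logpath = /var/log/auth.log
          maxretry = 5
          bantime = 3600
        mode: '0644'
      notify: restart fail2ban

  handlers:
    - name: restart fail2ban
      ansible.builtin.systemd:
        name: fail2ban
        state: restarted
        enabled: true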