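---
# tasks file for hardening-basic
#
# 1. Deploys the generic hardening tree templates/basic/etc/ into /etc.
# 2. Optionally (hardening_sshd_enabled) deploys templates/ssh/etc/, tightens
#    /root/.ssh permissions and restarts sshd when a rendered file changed.
# 3. Includes a service-manager specific task file (harden_<service_mgr>.yml).
#
# Variables read here (expected from the role's defaults/vars or the caller):
#   hardening_sshd_enabled                    - enables the SSH block
#   hardening_sshd_permissions_set_sticky_bit - prefixes the /root/.ssh modes with '1'
#   is_docker                                 - when true, sshd is not restarted

- name: Show role banner
  ansible.builtin.debug:
    msg: "hardening-basic role"

# community.general.filetree walks the template tree and yields one item per
# entry: item.path (relative path), item.src, item.state ('directory'/'file')
# and item.mode (the source entry's permissions), so /etc mirrors the tree.
- name: Create directory structure
  ansible.builtin.file:
    path: '/etc/{{ item.path }}'
    state: directory
    mode: '{{ item.mode }}'
  with_community.general.filetree: '../templates/basic/etc/'
  when: item.state == 'directory'

- name: Create and copy hardening files
  ansible.builtin.template:
    src: '{{ item.src }}'
    dest: '/etc/{{ item.path }}'
    # Carry the source entry's mode over; without it the rendered file gets
    # whatever the remote umask yields, which is not a deliberate choice for
    # hardening files.
    mode: '{{ item.mode }}'
  with_community.general.filetree: '../templates/basic/etc/'
  when: item.state == 'file'

- name: "Harden SSH config (enabled={{ hardening_sshd_enabled }})"
  # `| bool` so a string value ("true"/"yes" passed via -e or inventory) also
  # enables the block; the `is true` test only matches a real boolean.
  when: hardening_sshd_enabled | bool
  block:
    - name: Create SSH directory structure
      ansible.builtin.file:
        path: '/etc/{{ item.path }}'
        state: directory
        mode: '{{ item.mode }}'
      with_community.general.filetree: '../templates/ssh/etc/'
      when: item.state == 'directory'

    - name: Create and copy SSH hardening files
      ansible.builtin.template:
        src: '{{ item.src }}'
        dest: '/etc/{{ item.path }}'
        mode: '{{ item.mode }}'
      with_community.general.filetree: '../templates/ssh/etc/'
      when: item.state == 'file'
      # Registered so the restart below only happens when something changed.
      register: hardening_sshd_files

    # The inline `if` carries an explicit `else ''` so the mode is always a
    # complete string ("1700" or "700") rather than relying on Jinja rendering
    # an undefined branch as empty.
    - name: Give 1700 permissions to .ssh folder
      ansible.builtin.file:
        path: /root/.ssh
        owner: root
        group: root
        mode: "{{ '1' if hardening_sshd_permissions_set_sticky_bit | bool else '' }}700"

    # On Linux the sticky bit has no effect on regular files; it is kept here
    # for symmetry with the directory above.
    - name: Give 1600 permissions to .ssh/authorized_keys file
      ansible.builtin.file:
        path: /root/.ssh/authorized_keys
        owner: root
        group: root
        mode: "{{ '1' if hardening_sshd_permissions_set_sticky_bit | bool else '' }}600"

    - name: Restart sshd
      # Restart only when a rendered SSH file actually changed (keeps the role
      # idempotent and avoids needless connection drops), and never inside a
      # container where no init system manages sshd.
      when:
        - hardening_sshd_files is changed
        - not (is_docker | default(false) | bool)
      ansible.builtin.systemd:
        state: restarted
        name: sshd

# FQCN for consistency with the other tasks in this file. The included file
# must exist for every service manager the role is run against; the names are
# not visible here, so check the role's tasks/ directory.
- name: Harden Service Manager (like Systemd)
  ansible.builtin.include_tasks: "harden_{{ ansible_service_mgr }}.yml"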