# https://www.raspberrypi.org/documentation/configuration/security.md - hosts: attitude-adjuster become: yes tasks: - name: disable ssh password logins lineinfile: path: /etc/ssh/sshd_config regexp: '^(#\s*)?{{ item }} ' line: "{{ item }} no" notify: reload ssh with_items: - ChallengeResponseAuthentication - PasswordAuthentication - UsePAM - name: disable pi user user: name: pi password: ! - name: install ufw and fail2ban package: name: "{{ item }}" state: present with_items: - ufw - fail2ban - name: allow access to dns, http, and https ufw: rule: allow name: "{{ item }}" with_items: - DNS - WWW Full - name: limit ssh access ufw: rule: limit name: OpenSSH - name: enable ufw ufw: state: enabled - name: create jail.local copy: content: | [sshd] enabled = true dest: /etc/fail2ban/jail.local notify: reload fail2ban handlers: - name: reload ssh service: name: ssh state: reloaded - name: reload fail2ban service: name: fail2ban state: reloaded