base und sysupgrade role, some hardening

roles/linux/base/tasks/hardening.yml

@@ -0,0 +1,32 @@
+---
+- name: disabling core dump
+  lineinfile:
+    path: /etc/security/limits.conf
+    line: "* hard core 0"
+
+- name: default umask
+  lineinfile:
+    path: /etc/login.defs
+    line: UMASK 027
+    regexp: ^UMASK.*
+
+- name: put myself to /etc/hosts
+  lineinfile:
+    path: /etc/hosts
+    line: "127.0.0.1 {{ ansible_hostname }}"
+
+- name: SSH config
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    line: "{{ item.conf }}"
+    regexp: "{{ item.regexp }}"
+  notify: restart sshd
+  loop:
+    - { conf: "Compression no", regexp: \#?Compression.* }
+    - { conf: "MaxAuthTries 3", regexp: \#?MaxAuthTries.* }
+
+- name: sysctl
+  copy:
+    dest: /etc/sysctl.d/50-hardening.conf
+    src: files/sysctl-50-hardening.conf
+  notify: restart sysctl

roles/linux/base/tasks/main.yml

@@ -0,0 +1,44 @@
+---
+# base config
+- name: basic tools
+  package:
+    state: present
+    name: htop
+
+# cloud-init
+- name: stop cloud-init
+  service:
+    name: cloud-init
+    state: stopped
+
+- name: disable cloud-init
+  service:
+    name: cloud-init
+    enabled: false
+
+# legal
+- name: copy SSH disclaimer
+  copy:
+    src: files/issue.net
+    dest: /etc/issue.net
+    mode: u=rw,g=r,o=r
+    owner: root
+    group: root
+  notify: restart sshd
+
+- name: set SSH Banner
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    line: Banner /etc/issue.net
+    regexp: \#?Banner.*
+    state: present
+  notify: restart sshd
+
+- name: link local banner to SSH banner
+  file:
+    src: /etc/issue.net
+    path: /etc/issue
+    state: hard
+    force: yes
+
+- include_tasks: hardening.yml