home-stack-ansible/roles/bastion/tasks/main.yml

- name: Install fail2ban
  apt:
    name:
      - fail2ban

- name: Configure fail2ban
  copy:
    src: fail2ban/jail.local
    dest: /etc/fail2ban/jail.local
  notify: Restart fail2ban

- name: Disable ssh password authentication for all but user of ansible
  blockinfile:
    path: /etc/ssh/sshd_config
    block: |
      Match User {{ ansible_user }}
          PasswordAuthentication yes
      Match all
          PasswordAuthentication no 
  notify: Restart sshd

- name: Configure sshd ClientAliveInterval
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^#?ClientAliveInterval'
    line: '#ClientAliveInterval 5m'
  notify: Restart sshd

- name: Configure sshd ClientAliveCountMax
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^#?ClientAliveCountMax'
    line: '#ClientAliveCountMax 3'
  notify: Restart sshd
add bastion fail2ban config 2021-12-17 23:17:18 +00:00			`- name: Install fail2ban`
			`apt:`
			`name:`
			`- fail2ban`

			`- name: Configure fail2ban`
			`copy:`
			`src: fail2ban/jail.local`
			`dest: /etc/fail2ban/jail.local`
			`notify: Restart fail2ban`

			`- name: Disable ssh password authentication for all but user of ansible`
			`blockinfile:`
			`path: /etc/ssh/sshd_config`
			`block: \|`
			`Match User {{ ansible_user }}`
			`PasswordAuthentication yes`
			`Match all`
			`PasswordAuthentication no`
			`notify: Restart sshd`

			`- name: Configure sshd ClientAliveInterval`
			`lineinfile:`
			`path: /etc/ssh/sshd_config`
			`regexp: '^#?ClientAliveInterval'`
switch k3s-w3 to a vm 2021-12-28 04:01:35 +00:00			`line: '#ClientAliveInterval 5m'`
add bastion fail2ban config 2021-12-17 23:17:18 +00:00			`notify: Restart sshd`

			`- name: Configure sshd ClientAliveCountMax`
			`lineinfile:`
			`path: /etc/ssh/sshd_config`
			`regexp: '^#?ClientAliveCountMax'`
switch k3s-w3 to a vm 2021-12-28 04:01:35 +00:00			`line: '#ClientAliveCountMax 3'`
add bastion fail2ban config 2021-12-17 23:17:18 +00:00			`notify: Restart sshd`