- name: Install security-related packages apt: name: "{{ packages }}" state: present vars: packages: - whois - lynis - rkhunter tags: - dependencies - name: add stretch-backport for fail2ban with IPv6 support apt_repository: repo='deb http://deb.debian.org/debian stretch-backports main' state=present update_cache=yes tags: - dependencies when: ansible_distribution_version == '9' - name: Install newer fail2ban with IPv6 support apt: name: "fail2ban" state: present default_release: stretch-backports tags: - dependencies when: ansible_distribution_version == '9' - name: Install fail2ban apt: name: "fail2ban" state: present tags: - dependencies when: ansible_distribution_version == '10' - name: Copy fail2ban configuration into place template: src=etc_fail2ban_jail.local.j2 dest=/etc/fail2ban/jail.local notify: restart fail2ban - name: Copy fail2ban dovecot configuration into place copy: src=etc_fail2ban_filter.d_dovecot-pop3imap.conf dest=/etc/fail2ban/filter.d/dovecot-pop3imap.conf notify: restart fail2ban - name: Ensure fail2ban is started service: name=fail2ban state=started - name: Update sshd config for PFS and more secure defaults template: src=etc_ssh_sshd_config.j2 dest=/etc/ssh/sshd_config notify: restart ssh - name: Update ssh config for more secure defaults template: src=etc_ssh_ssh_config.j2 dest=/etc/ssh/ssh_config