sovereign/roles/common/tasks/security.yml

- name: Install security-related packages
  apt:
    name: "{{ packages }}"
    state: present
  vars:
    packages:
    - whois
    - lynis
    - rkhunter
  tags:
    - dependencies

- name: add stretch-backport for fail2ban with IPv6 support
  apt_repository: repo='deb http://deb.debian.org/debian stretch-backports main' state=present update_cache=yes
  tags:
    - dependencies
  when: ansible_distribution_version == '9'

- name: Install newer fail2ban with IPv6 support
  apt:
    name: "fail2ban"
    state: present
    default_release: stretch-backports
  tags:
    - dependencies
  when: ansible_distribution_version == '9'

- name: Install fail2ban
  apt:
    name: "fail2ban"
    state: present
  tags:
    - dependencies
  when: ansible_distribution_version == '10'

- name: Install fail2ban
  apt:
    name: "fail2ban"
    state: present
  tags:
    - dependencies
  when: ansible_distribution_version == '11'

- name: Copy fail2ban configuration into place
  template: src=etc_fail2ban_jail.local.j2 dest=/etc/fail2ban/jail.local
  notify: restart fail2ban

- name: Copy fail2ban dovecot configuration into place
  copy: src=etc_fail2ban_filter.d_dovecot-pop3imap.conf dest=/etc/fail2ban/filter.d/dovecot-pop3imap.conf
  notify: restart fail2ban

- name: Ensure fail2ban is started
  service: name=fail2ban state=started

- name: Update sshd config for PFS and more secure defaults
  template: src=etc_ssh_sshd_config.j2 dest=/etc/ssh/sshd_config
  notify: restart ssh

- name: Update ssh config for more secure defaults
  template: src=etc_ssh_ssh_config.j2 dest=/etc/ssh/ssh_config