├── .gitignore ├── LICENSE ├── README.md ├── hosts.example ├── instructions.md ├── playbook.yml ├── roles ├── dokploy │ ├── README.md │ ├── defaults │ │ └── main.yml │ ├── handlers │ │ └── main.yml │ ├── meta │ │ └── main.yml │ ├── tasks │ │ └── main.yml │ ├── tests │ │ ├── inventory │ │ └── test.yml │ └── vars │ │ └── main.yml ├── fail2ban │ ├── README.md │ ├── defaults │ │ └── main.yml │ ├── handlers │ │ └── main.yml │ ├── meta │ │ └── main.yml │ ├── tasks │ │ └── main.yml │ ├── tests │ │ ├── inventory │ │ └── test.yml │ └── vars │ │ └── main.yml ├── packages │ ├── README.md │ ├── defaults │ │ └── main.yml │ ├── handlers │ │ └── main.yml │ ├── meta │ │ └── main.yml │ ├── tasks │ │ └── main.yml │ ├── tests │ │ ├── inventory │ │ └── test.yml │ └── vars │ │ └── main.yml ├── ssh │ ├── README.md │ ├── defaults │ │ └── main.yml │ ├── handlers │ │ └── main.yml │ ├── meta │ │ └── main.yml │ ├── tasks │ │ └── main.yml │ ├── tests │ │ ├── inventory │ │ └── test.yml │ └── vars │ │ └── main.yml ├── ufw │ ├── README.md │ ├── defaults │ │ └── main.yml │ ├── handlers │ │ └── main.yml │ ├── meta │ │ └── main.yml │ ├── tasks │ │ └── main.yml │ ├── tests │ │ ├── inventory │ │ └── test.yml │ └── vars │ │ └── main.yml └── user │ ├── README.md │ ├── defaults │ └── main.yml │ ├── handlers │ └── main.yml │ ├── meta │ └── main.yml │ ├── tasks │ └── main.yml │ ├── tests │ ├── inventory │ └── test.yml │ └── vars │ └── main.yml └── scripts └── security.sh /.gitignore: -------------------------------------------------------------------------------- 1 | hosts 2 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2024 Jacob Tipp 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, 
including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | A minimal ansible playbook that deploys dokploy nodes. 
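--------------------------------------------------------------------------------
/hosts.example:
--------------------------------------------------------------------------------
[servers]
# Example only. Replace with your own host; do not commit real hostnames to
# the repository. The playbook moves sshd off port 22 only if BOTH the ssh and
# ufw roles are configured for the new port (see instructions.md).
vps ansible_host=vps-3940229.vps.ovh.us ansible_port=22

--------------------------------------------------------------------------------
/instructions.md:
--------------------------------------------------------------------------------
# Instructions

## ansible install
Follow install [guide](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html#installing-and-upgrading-ansible-with-pip)

## ssh into your vps using provider credentials
`ssh root@` replace root with whichever username was provided by your provider.
Exit after logging in (this first login records the server's host key in
`~/.ssh/known_hosts` so Ansible can connect afterwards).

## ssh
`ansible-playbook -i hosts playbook.yml -l vps -u root -k --ask-become-pass` replace root with whichever username was provided by your provider.
The playbook prompts for the password of the user it creates; it is no longer
stored in `playbook.yml`.

This playbook is intended to change your default ssh port from 22 to 2275, be sure to update your hosts file with the new port after the playbook finishes.

Note: as shipped, neither `roles/ssh/tasks/main.yml` (the generated sshd_config
has no `Port` directive) nor `roles/ufw/tasks/main.yml` (it allows tcp/22 only)
actually sets port 2275. Add the `Port` line and the matching UFW rule
together before relying on this step; doing only one of them locks you out.

`vps ansible_host= ansible_port=2275`


You should now be able to run the playbook using this command, where the user
is the `user_name` you set in `playbook.yml`:

`ansible-playbook -i hosts playbook.yml -l vps -u `

--------------------------------------------------------------------------------
/playbook.yml:
--------------------------------------------------------------------------------
---
- hosts: all
  become: true

  # The password is asked for at run time instead of being committed to git in
  # clear text. For unattended runs, replace vars_prompt with an
  # ansible-vault encrypted vars file that defines user_password.
  # NOTE(review): the user role (tasks not shown here) must hash this value
  # before handing it to the user module - confirm.
  vars_prompt:
    - name: user_password
      prompt: Password for the new admin user
      private: true

  vars:
    user_name: admin # replace with your username

  roles:
    - packages
    - ssh
    - fail2ban
    - user
    - ufw
    - dokploy

--------------------------------------------------------------------------------
/roles/dokploy/README.md:
--------------------------------------------------------------------------------
Role Name
=========

A brief description of the role goes here.

Requirements
------------

Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.

Role Variables
--------------

A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.

Dependencies
------------

A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.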
20 | 21 | Example Playbook 22 | ---------------- 23 | 24 | Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: 25 | 26 | - hosts: servers 27 | roles: 28 | - { role: username.rolename, x: 42 } 29 | 30 | License 31 | ------- 32 | 33 | BSD 34 | 35 | Author Information 36 | ------------------ 37 | 38 | An optional section for the role authors to include contact information, or a website (HTML is not allowed). 39 | -------------------------------------------------------------------------------- /roles/dokploy/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # defaults file for dokploy 3 | -------------------------------------------------------------------------------- /roles/dokploy/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # handlers file for dokploy 3 | -------------------------------------------------------------------------------- /roles/dokploy/meta/main.yml: -------------------------------------------------------------------------------- 1 | galaxy_info: 2 | author: your name 3 | description: your role description 4 | company: your company (optional) 5 | 6 | # If the issue tracker for your role is not on github, uncomment the 7 | # next line and provide a value 8 | # issue_tracker_url: http://example.com/issue/tracker 9 | 10 | # Choose a valid license ID from https://spdx.org - some suggested licenses: 11 | # - BSD-3-Clause (default) 12 | # - MIT 13 | # - GPL-2.0-or-later 14 | # - GPL-3.0-only 15 | # - Apache-2.0 16 | # - CC-BY-4.0 17 | license: license (GPL-2.0-or-later, MIT, etc) 18 | 19 | min_ansible_version: 2.1 20 | 21 | # If this a Container Enabled role, provide the minimum Ansible Container version. 22 | # min_ansible_container_version: 23 | 24 | # 25 | # Provide a list of supported platforms, and for each platform a list of versions. 
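# If you don't wish to enumerate all versions for a particular platform, use 'all'.
# To view available platforms and versions (or releases), visit:
# https://galaxy.ansible.com/api/v1/platforms/
#
# platforms:
# - name: Fedora
#   versions:
#   - all
#   - 25
# - name: SomePlatform
#   versions:
#   - all
#   - 1.0
#   - 7
#   - 99.99

galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.

dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.

--------------------------------------------------------------------------------
/roles/dokploy/tasks/main.yml:
--------------------------------------------------------------------------------
---
# tasks/main.yml
#
# Installs Dokploy with the upstream installer. The previous single task ran
# `curl -sSL https://dokploy.com/install.sh | sh`, which executes whatever the
# server returns at that moment as root, leaves no copy of what was run, and
# re-runs on every play. The script is now saved to disk first so it can be
# inspected and pinned, and the run is skipped once the install exists.

- name: Download the Dokploy installer
  ansible.builtin.get_url:
    url: https://dokploy.com/install.sh
    dest: /root/dokploy-install.sh
    mode: "0700"
    # Pin the script you reviewed: set dokploy_install_checksum to
    # "sha256:<hex digest of the reviewed script>" (constructed format, see
    # get_url docs). Without it the download is still unverified.
    checksum: "{{ dokploy_install_checksum | default(omit) }}"

- name: Run the Dokploy installer
  ansible.builtin.command:
    cmd: sh /root/dokploy-install.sh
    # Idempotence marker. NOTE(review): assumes the installer creates
    # /etc/dokploy; confirm against the script version you pinned and adjust.
    creates: /etc/dokploy

--------------------------------------------------------------------------------
/roles/dokploy/tests/inventory:
--------------------------------------------------------------------------------
localhost


--------------------------------------------------------------------------------
/roles/dokploy/tests/test.yml:
--------------------------------------------------------------------------------
---
- hosts: localhost
  remote_user: root
  roles:
    - dokploy

--------------------------------------------------------------------------------
/roles/dokploy/vars/main.yml:
--------------------------------------------------------------------------------
---
# vars file for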
dokploy 3 | -------------------------------------------------------------------------------- /roles/fail2ban/README.md: -------------------------------------------------------------------------------- 1 | Role Name 2 | ========= 3 | 4 | A brief description of the role goes here. 5 | 6 | Requirements 7 | ------------ 8 | 9 | Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. 10 | 11 | Role Variables 12 | -------------- 13 | 14 | A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. 15 | 16 | Dependencies 17 | ------------ 18 | 19 | A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. 20 | 21 | Example Playbook 22 | ---------------- 23 | 24 | Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: 25 | 26 | - hosts: servers 27 | roles: 28 | - { role: username.rolename, x: 42 } 29 | 30 | License 31 | ------- 32 | 33 | BSD 34 | 35 | Author Information 36 | ------------------ 37 | 38 | An optional section for the role authors to include contact information, or a website (HTML is not allowed). 
39 | -------------------------------------------------------------------------------- /roles/fail2ban/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # defaults file for fail2ban 3 | -------------------------------------------------------------------------------- /roles/fail2ban/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # handlers file for fail2ban 3 | -------------------------------------------------------------------------------- /roles/fail2ban/meta/main.yml: -------------------------------------------------------------------------------- 1 | galaxy_info: 2 | author: your name 3 | description: your role description 4 | company: your company (optional) 5 | 6 | # If the issue tracker for your role is not on github, uncomment the 7 | # next line and provide a value 8 | # issue_tracker_url: http://example.com/issue/tracker 9 | 10 | # Choose a valid license ID from https://spdx.org - some suggested licenses: 11 | # - BSD-3-Clause (default) 12 | # - MIT 13 | # - GPL-2.0-or-later 14 | # - GPL-3.0-only 15 | # - Apache-2.0 16 | # - CC-BY-4.0 17 | license: license (GPL-2.0-or-later, MIT, etc) 18 | 19 | min_ansible_version: 2.1 20 | 21 | # If this a Container Enabled role, provide the minimum Ansible Container version. 22 | # min_ansible_container_version: 23 | 24 | # 25 | # Provide a list of supported platforms, and for each platform a list of versions. 26 | # If you don't wish to enumerate all versions for a particular platform, use 'all'. 27 | # To view available platforms and versions (or releases), visit: 28 | # https://galaxy.ansible.com/api/v1/platforms/ 29 | # 30 | # platforms: 31 | # - name: Fedora 32 | # versions: 33 | # - all 34 | # - 25 35 | # - name: SomePlatform 36 | # versions: 37 | # - all 38 | # - 1.0 39 | # - 7 40 | # - 99.99 41 | 42 | galaxy_tags: [] 43 | # List tags for your role here, one per line. 
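# A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.

dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.

--------------------------------------------------------------------------------
/roles/fail2ban/tasks/main.yml:
--------------------------------------------------------------------------------
---
# Installs fail2ban and adds an sshd jail. The package is kept at `present`
# rather than `latest` so a routine run does not silently upgrade it.

- name: Install fail2ban
  ansible.builtin.apt:
    name: fail2ban
    state: present
    update_cache: yes

- name: Ensure fail2ban is enabled and started
  ansible.builtin.systemd:
    name: fail2ban
    enabled: yes
    state: started

- name: Create a custom fail2ban jail for SSH
  ansible.builtin.copy:
    dest: /etc/fail2ban/jail.d/ssh.local
    content: |
      [sshd]
      enabled = true
      # Must be the port sshd really listens on. `ssh` resolves to 22 through
      # /etc/services; if sshd is moved (instructions.md mentions 2275) put
      # the number here as well, or bans will not apply to the real port.
      port = ssh
      filter = sshd
      # NOTE(review): on journald-only hosts (no rsyslog) this file does not
      # exist and the jail fails to start; use `backend = systemd` there.
      # Confirm against the target image.
      logpath = /var/log/auth.log
      maxretry = 3
      bantime = 600
      findtime = 600
    owner: root
    group: root
    # Quoted so the value is not parsed as an octal/decimal integer by YAML.
    mode: "0644"
  register: fail2ban_ssh_jail

- name: Restart fail2ban to apply new configuration
  ansible.builtin.systemd:
    name: fail2ban
    state: restarted
  # Only bounce the service when the jail file actually changed; an
  # unconditional restart makes every run report a change and interrupts
  # enforcement for no reason.
  when: fail2ban_ssh_jail.changed

--------------------------------------------------------------------------------
/roles/fail2ban/tests/inventory:
--------------------------------------------------------------------------------
localhost


--------------------------------------------------------------------------------
/roles/fail2ban/tests/test.yml:
--------------------------------------------------------------------------------
---
- hosts: localhost
  remote_user: root
  roles:
    - fail2ban

--------------------------------------------------------------------------------
/roles/fail2ban/vars/main.yml: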
-------------------------------------------------------------------------------- 1 | --- 2 | # vars file for fail2ban 3 | -------------------------------------------------------------------------------- /roles/packages/README.md: -------------------------------------------------------------------------------- 1 | Role Name 2 | ========= 3 | 4 | A brief description of the role goes here. 5 | 6 | Requirements 7 | ------------ 8 | 9 | Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. 10 | 11 | Role Variables 12 | -------------- 13 | 14 | A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. 15 | 16 | Dependencies 17 | ------------ 18 | 19 | A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. 20 | 21 | Example Playbook 22 | ---------------- 23 | 24 | Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: 25 | 26 | - hosts: servers 27 | roles: 28 | - { role: username.rolename, x: 42 } 29 | 30 | License 31 | ------- 32 | 33 | BSD 34 | 35 | Author Information 36 | ------------------ 37 | 38 | An optional section for the role authors to include contact information, or a website (HTML is not allowed). 
39 | -------------------------------------------------------------------------------- /roles/packages/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # defaults file for packages 3 | -------------------------------------------------------------------------------- /roles/packages/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # handlers file for packages 3 | -------------------------------------------------------------------------------- /roles/packages/meta/main.yml: -------------------------------------------------------------------------------- 1 | galaxy_info: 2 | author: your name 3 | description: your role description 4 | company: your company (optional) 5 | 6 | # If the issue tracker for your role is not on github, uncomment the 7 | # next line and provide a value 8 | # issue_tracker_url: http://example.com/issue/tracker 9 | 10 | # Choose a valid license ID from https://spdx.org - some suggested licenses: 11 | # - BSD-3-Clause (default) 12 | # - MIT 13 | # - GPL-2.0-or-later 14 | # - GPL-3.0-only 15 | # - Apache-2.0 16 | # - CC-BY-4.0 17 | license: license (GPL-2.0-or-later, MIT, etc) 18 | 19 | min_ansible_version: 2.1 20 | 21 | # If this a Container Enabled role, provide the minimum Ansible Container version. 22 | # min_ansible_container_version: 23 | 24 | # 25 | # Provide a list of supported platforms, and for each platform a list of versions. 26 | # If you don't wish to enumerate all versions for a particular platform, use 'all'. 27 | # To view available platforms and versions (or releases), visit: 28 | # https://galaxy.ansible.com/api/v1/platforms/ 29 | # 30 | # platforms: 31 | # - name: Fedora 32 | # versions: 33 | # - all 34 | # - 25 35 | # - name: SomePlatform 36 | # versions: 37 | # - all 38 | # - 1.0 39 | # - 7 40 | # - 99.99 41 | 42 | galaxy_tags: [] 43 | # List tags for your role here, one per line. 
A tag is a keyword that describes 44 | # and categorizes the role. Users find roles by searching for tags. Be sure to 45 | # remove the '[]' above, if you add tags to this list. 46 | # 47 | # NOTE: A tag is limited to a single word comprised of alphanumeric characters. 48 | # Maximum 20 tags per role. 49 | 50 | dependencies: [] 51 | # List your role dependencies here, one per line. Be sure to remove the '[]' above, 52 | # if you add dependencies to this list. 53 | -------------------------------------------------------------------------------- /roles/packages/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Install aptitude 3 | apt: 4 | name: aptitude 5 | state: latest 6 | update_cache: true 7 | 8 | - name: Update apt and install required system packages 9 | apt: 10 | pkg: 11 | - curl 12 | - vim 13 | - git 14 | - ufw 15 | - tmux 16 | - net-tools 17 | state: latest 18 | update_cache: true 19 | -------------------------------------------------------------------------------- /roles/packages/tests/inventory: -------------------------------------------------------------------------------- 1 | localhost 2 | 3 | -------------------------------------------------------------------------------- /roles/packages/tests/test.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - hosts: localhost 3 | remote_user: root 4 | roles: 5 | - packages 6 | -------------------------------------------------------------------------------- /roles/packages/vars/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # vars file for packages 3 | -------------------------------------------------------------------------------- /roles/ssh/README.md: -------------------------------------------------------------------------------- 1 | Role Name 2 | ========= 3 | 4 | A brief description of the role goes here. 
5 | 6 | Requirements 7 | ------------ 8 | 9 | Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. 10 | 11 | Role Variables 12 | -------------- 13 | 14 | A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. 15 | 16 | Dependencies 17 | ------------ 18 | 19 | A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. 20 | 21 | Example Playbook 22 | ---------------- 23 | 24 | Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: 25 | 26 | - hosts: servers 27 | roles: 28 | - { role: username.rolename, x: 42 } 29 | 30 | License 31 | ------- 32 | 33 | BSD 34 | 35 | Author Information 36 | ------------------ 37 | 38 | An optional section for the role authors to include contact information, or a website (HTML is not allowed). 
39 | -------------------------------------------------------------------------------- /roles/ssh/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # defaults file for ssh 3 | -------------------------------------------------------------------------------- /roles/ssh/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # handlers file for ssh 3 | -------------------------------------------------------------------------------- /roles/ssh/meta/main.yml: -------------------------------------------------------------------------------- 1 | galaxy_info: 2 | author: your name 3 | description: your role description 4 | company: your company (optional) 5 | 6 | # If the issue tracker for your role is not on github, uncomment the 7 | # next line and provide a value 8 | # issue_tracker_url: http://example.com/issue/tracker 9 | 10 | # Choose a valid license ID from https://spdx.org - some suggested licenses: 11 | # - BSD-3-Clause (default) 12 | # - MIT 13 | # - GPL-2.0-or-later 14 | # - GPL-3.0-only 15 | # - Apache-2.0 16 | # - CC-BY-4.0 17 | license: license (GPL-2.0-or-later, MIT, etc) 18 | 19 | min_ansible_version: 2.1 20 | 21 | # If this a Container Enabled role, provide the minimum Ansible Container version. 22 | # min_ansible_container_version: 23 | 24 | # 25 | # Provide a list of supported platforms, and for each platform a list of versions. 26 | # If you don't wish to enumerate all versions for a particular platform, use 'all'. 27 | # To view available platforms and versions (or releases), visit: 28 | # https://galaxy.ansible.com/api/v1/platforms/ 29 | # 30 | # platforms: 31 | # - name: Fedora 32 | # versions: 33 | # - all 34 | # - 25 35 | # - name: SomePlatform 36 | # versions: 37 | # - all 38 | # - 1.0 39 | # - 7 40 | # - 99.99 41 | 42 | galaxy_tags: [] 43 | # List tags for your role here, one per line. 
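# A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.

dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.

--------------------------------------------------------------------------------
/roles/ssh/tasks/main.yml:
--------------------------------------------------------------------------------
# Secure SSH settings
# Secure SSH settings for pubkey-only authentication
#
# The whole sshd_config is replaced, so anything not listed below is gone.
# Distro drop-ins under /etc/ssh/sshd_config.d are deliberately not included:
# cloud images commonly ship one that re-enables PasswordAuthentication.
# Root login and password login are both disabled here, so an authorized key
# for the login user must already exist when the handler restarts sshd,
# otherwise the host becomes unreachable.
- name: Replace /etc/ssh/sshd_config with secure pubkey-only configuration
  ansible.builtin.copy:
    dest: /etc/ssh/sshd_config
    content: |
      # SSHD Configuration - Secure for Pubkey Only
      # NOTE(review): instructions.md says sshd moves to port 2275, but no
      # Port directive is set here and the ufw role only opens tcp/22. Add
      # "Port 2275" here and the matching ufw rule together, never one alone.
      PermitRootLogin no
      PasswordAuthentication no
      PubkeyAuthentication yes
      ChallengeResponseAuthentication no
      UsePAM yes
      X11Forwarding no
      AllowTcpForwarding no
      PermitEmptyPasswords no
      ClientAliveInterval 300
      ClientAliveCountMax 2
      # Replacing the file dropped the sftp subsystem. Ansible's default
      # transfer method tries sftp first, so keep it available; internal-sftp
      # needs no distro-specific binary path.
      Subsystem sftp internal-sftp
    owner: root
    group: root
    mode: "0600"
    backup: yes
    # Refuse to write a config sshd cannot parse. Without this a typo is
    # installed as-is and the restart leaves the host without a working sshd.
    validate: /usr/sbin/sshd -t -f %s
  # "Restart SSH" is defined in roles/user/handlers/main.yml, not in this role;
  # it is reachable only because both roles run in the same play.
  notify: Restart SSH

--------------------------------------------------------------------------------
/roles/ssh/tests/inventory:
--------------------------------------------------------------------------------
localhost


--------------------------------------------------------------------------------
/roles/ssh/tests/test.yml:
--------------------------------------------------------------------------------
---
- hosts: localhost
  remote_user: root
  roles:
    - ssh

--------------------------------------------------------------------------------
/roles/ssh/vars/main.yml:
--------------------------------------------------------------------------------
---
# vars file for ssh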
| -------------------------------------------------------------------------------- /roles/ufw/README.md: -------------------------------------------------------------------------------- 1 | Role Name 2 | ========= 3 | 4 | A brief description of the role goes here. 5 | 6 | Requirements 7 | ------------ 8 | 9 | Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. 10 | 11 | Role Variables 12 | -------------- 13 | 14 | A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. 15 | 16 | Dependencies 17 | ------------ 18 | 19 | A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. 20 | 21 | Example Playbook 22 | ---------------- 23 | 24 | Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: 25 | 26 | - hosts: servers 27 | roles: 28 | - { role: username.rolename, x: 42 } 29 | 30 | License 31 | ------- 32 | 33 | BSD 34 | 35 | Author Information 36 | ------------------ 37 | 38 | An optional section for the role authors to include contact information, or a website (HTML is not allowed). 
39 | -------------------------------------------------------------------------------- /roles/ufw/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # defaults file for ufw 3 | -------------------------------------------------------------------------------- /roles/ufw/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # handlers file for ufw 3 | -------------------------------------------------------------------------------- /roles/ufw/meta/main.yml: -------------------------------------------------------------------------------- 1 | galaxy_info: 2 | author: your name 3 | description: your role description 4 | company: your company (optional) 5 | 6 | # If the issue tracker for your role is not on github, uncomment the 7 | # next line and provide a value 8 | # issue_tracker_url: http://example.com/issue/tracker 9 | 10 | # Choose a valid license ID from https://spdx.org - some suggested licenses: 11 | # - BSD-3-Clause (default) 12 | # - MIT 13 | # - GPL-2.0-or-later 14 | # - GPL-3.0-only 15 | # - Apache-2.0 16 | # - CC-BY-4.0 17 | license: license (GPL-2.0-or-later, MIT, etc) 18 | 19 | min_ansible_version: 2.1 20 | 21 | # If this a Container Enabled role, provide the minimum Ansible Container version. 22 | # min_ansible_container_version: 23 | 24 | # 25 | # Provide a list of supported platforms, and for each platform a list of versions. 26 | # If you don't wish to enumerate all versions for a particular platform, use 'all'. 27 | # To view available platforms and versions (or releases), visit: 28 | # https://galaxy.ansible.com/api/v1/platforms/ 29 | # 30 | # platforms: 31 | # - name: Fedora 32 | # versions: 33 | # - all 34 | # - 25 35 | # - name: SomePlatform 36 | # versions: 37 | # - all 38 | # - 1.0 39 | # - 7 40 | # - 99.99 41 | 42 | galaxy_tags: [] 43 | # List tags for your role here, one per line. 
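# A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.

dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.

--------------------------------------------------------------------------------
/roles/ufw/tasks/main.yml:
--------------------------------------------------------------------------------
---
# Host firewall. This role runs after the ssh role, so the SSH rule below must
# match the port sshd actually listens on or the host is cut off when UFW is
# enabled at the end.
#
# NOTE: Docker publishes container ports through its own iptables chains,
# which UFW does not filter. Ports published by Dokploy-managed containers
# are therefore reachable regardless of these rules unless Docker itself is
# configured not to manipulate iptables.

- name: UFW - Reset UFW rules (optional step)
  community.general.ufw:
    state: reset
  # Reset wipes every existing rule and disables the firewall until the final
  # task re-enables it, and it makes every run report a change. Opt in
  # explicitly (e.g. -e ufw_reset=true) instead of resetting unconditionally.
  when: ufw_reset | default(false) | bool
  tags: ufw_rules

- name: UFW - Set default policy to deny
  community.general.ufw:
    default: deny
    direction: incoming
  tags: ufw_rules

- name: UFW - Allow SSH Server
  community.general.ufw:
    rule: allow
    # Keep in sync with the Port in roles/ssh. instructions.md says 2275, but
    # the ssh role as shipped sets no Port, so sshd still uses 22. Override
    # with -e ssh_port=2275 only once sshd really listens there.
    port: "{{ ssh_port | default('22') }}"
    proto: tcp
  tags: ufw_rules

# 80/443: presumably for the reverse proxy the Dokploy installer sets up.
# NOTE(review): the Dokploy admin UI listens on its own port (upstream default
# 3000); it is intentionally not opened here - confirm how it should be
# reached (e.g. only via the proxy or an SSH tunnel).
- name: UFW - Allow HTTP Server
  community.general.ufw:
    rule: allow
    port: 80
    proto: tcp
  tags: ufw_rules

- name: UFW - Allow HTTPS Server
  community.general.ufw:
    rule: allow
    port: 443
    proto: tcp
  tags: ufw_rules

- name: UFW - Enable UFW
  community.general.ufw:
    state: enabled
  tags: ufw_rules

--------------------------------------------------------------------------------
/roles/ufw/tests/inventory:
--------------------------------------------------------------------------------
localhost


--------------------------------------------------------------------------------
/roles/ufw/tests/test.yml:
--------------------------------------------------------------------------------
---
- hosts: localhost
  remote_user: root
  roles:
    - ufw

--------------------------------------------------------------------------------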
/roles/ufw/vars/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # vars file for ufw 3 | -------------------------------------------------------------------------------- /roles/user/README.md: -------------------------------------------------------------------------------- 1 | Role Name 2 | ========= 3 | 4 | A brief description of the role goes here. 5 | 6 | Requirements 7 | ------------ 8 | 9 | Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. 10 | 11 | Role Variables 12 | -------------- 13 | 14 | A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. 15 | 16 | Dependencies 17 | ------------ 18 | 19 | A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. 20 | 21 | Example Playbook 22 | ---------------- 23 | 24 | Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: 25 | 26 | - hosts: servers 27 | roles: 28 | - { role: username.rolename, x: 42 } 29 | 30 | License 31 | ------- 32 | 33 | BSD 34 | 35 | Author Information 36 | ------------------ 37 | 38 | An optional section for the role authors to include contact information, or a website (HTML is not allowed). 
39 | -------------------------------------------------------------------------------- /roles/user/defaults/main.yml: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /roles/user/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # handlers file for user 3 | 4 | - name: Restart SSH 5 | service: 6 | name: ssh 7 | state: restarted 8 | -------------------------------------------------------------------------------- /roles/user/meta/main.yml: -------------------------------------------------------------------------------- 1 | galaxy_info: 2 | author: your name 3 | description: your role description 4 | company: your company (optional) 5 | 6 | # If the issue tracker for your role is not on github, uncomment the 7 | # next line and provide a value 8 | # issue_tracker_url: http://example.com/issue/tracker 9 | 10 | # Choose a valid license ID from https://spdx.org - some suggested licenses: 11 | # - BSD-3-Clause (default) 12 | # - MIT 13 | # - GPL-2.0-or-later 14 | # - GPL-3.0-only 15 | # - Apache-2.0 16 | # - CC-BY-4.0 17 | license: license (GPL-2.0-or-later, MIT, etc) 18 | 19 | min_ansible_version: 2.1 20 | 21 | # If this a Container Enabled role, provide the minimum Ansible Container version. 22 | # min_ansible_container_version: 23 | 24 | # 25 | # Provide a list of supported platforms, and for each platform a list of versions. 26 | # If you don't wish to enumerate all versions for a particular platform, use 'all'. 27 | # To view available platforms and versions (or releases), visit: 28 | # https://galaxy.ansible.com/api/v1/platforms/ 29 | # 30 | # platforms: 31 | # - name: Fedora 32 | # versions: 33 | # - all 34 | # - 25 35 | # - name: SomePlatform 36 | # versions: 37 | # - all 38 | # - 1.0 39 | # - 7 40 | # - 99.99 41 | 42 | galaxy_tags: [] 43 | # List tags for your role here, one per line. 
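A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.

dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.
--------------------------------------------------------------------------------
/roles/user/tasks/main.yml:
--------------------------------------------------------------------------------
---
# Create the deployment user, authorize the operator's SSH key, grant sudo, and
# install the SSH helper script into root's interactive shell.
#
# Variables:
#   user_name                - login name to create (required).
#   user_password            - clear-text password, hashed on the controller (required).
#   user_ssh_public_key_file - controller-side public key file to authorize
#                              (default: ~/.ssh/id_rsa.pub, the original hard-coded path).
#
# NOTE(review): the sudoers entry below is NOPASSWD:ALL, so whoever holds the
# private half of user_ssh_public_key_file is effectively root on every node.
# Keep that key passphrase- or hardware-protected, or drop NOPASSWD.

- name: Add a new user
  ansible.builtin.user:
    name: "{{ user_name }}"
    password: "{{ user_password | password_hash('sha512') }}"
    # password_hash() picks a fresh salt on every run; without this the hash is
    # rewritten (and the task reports "changed") on every play.
    update_password: on_create
    shell: /bin/bash
  # keep the password and its hash out of play output and logs
  no_log: true

- name: Ensure the SSH directory exists for the new user
  ansible.builtin.file:
    path: "/home/{{ user_name }}/.ssh"
    state: directory
    owner: "{{ user_name }}"
    group: "{{ user_name }}"
    mode: "0700"

- name: Add SSH key to authorized_keys
  ansible.posix.authorized_key:
    user: "{{ user_name }}"
    state: present
    key: "{{ lookup('file', user_ssh_public_key_file | default('~/.ssh/id_rsa.pub')) }}"

- name: Grant sudo privileges to the new user
  ansible.builtin.copy:
    # newline-terminated, as sudoers expects
    content: "{{ user_name }} ALL=(ALL) NOPASSWD:ALL\n"
    # the original wrote a literal file named 'user_name"' (stray quote, no
    # templating); the drop-in is now named after the user it grants rights to.
    # Per sudoers(5), drop-ins whose name contains '.' or ends in '~' are
    # silently skipped, so a user_name with a dot gets no sudo at all.
    dest: "/etc/sudoers.d/{{ user_name }}"
    owner: root
    group: root
    mode: "0440"
    # refuse to install a syntactically broken entry, which would otherwise
    # break sudo for every account on the host
    validate: /usr/sbin/visudo -cf %s

# Copy the security script to the target machine. mode is applied here, so the
# former separate chmod task (which also used the odd path /root//security.sh)
# is no longer needed.
- name: Copy security script to target machine
  ansible.builtin.copy:
    src: "{{ playbook_dir }}/scripts/security.sh" # Relative to the playbook.yml
    dest: /root/security.sh
    owner: root
    group: root
    mode: "0755"

# Source the SSH helper functions in root's .bashrc. The script is installed
# under /root and sourced from /root/.bashrc, so these helpers (including the
# reboot one) land in root's shell, not the new user's.
- name: Source the SSH functions script in root's .bashrc
  ansible.builtin.lineinfile:
    path: /root/.bashrc
    line: "source /root/security.sh"
    create: yes
    state: present
    owner: root
    group: root
--------------------------------------------------------------------------------
/roles/user/tests/inventory:
--------------------------------------------------------------------------------
localhost

--------------------------------------------------------------------------------
/roles/user/tests/test.yml:
--------------------------------------------------------------------------------
---
- hosts: localhost
  remote_user: root
  roles:
    - user
--------------------------------------------------------------------------------
/roles/user/vars/main.yml:
--------------------------------------------------------------------------------
---
# vars file for user
--------------------------------------------------------------------------------
/scripts/security.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Interactive SSH / firewall helpers. The user role copies this file to
# /root/security.sh and sources it from /root/.bashrc, so every function below
# runs as root in root's login shell.
#
# NOTE(review): the log readers assume /var/log/auth.log (Debian/Ubuntu with
# rsyslog). On journald-only hosts use `journalctl -u ssh` instead — confirm
# for the target image.

# Print date, user and source IP of successful SSH logins.
# The user and IP are located by the "for" / "from" keywords instead of fixed
# column numbers, so the output is right whatever the authentication method.
check_successful_ssh_logins() {
    echo "Checking successful SSH logins..."
    awk '/sshd.*Accepted/ {
        user = ""; ip = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "for")  { user = $(i + 1) }
            if ($i == "from") { ip = $(i + 1) }
        }
        print $1, $2, $3, user, ip   # Date, User, IP Address
    }' /var/log/auth.log
}

# Function to check for failed SSH login attempts
check_failed_ssh_logins() {
    echo "Checking failed SSH login attempts..."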
12 | grep 'sshd.*Failed' /var/log/auth.log | awk '{print $1, $2, $3, $9, $11}' # Date, User, IP Address 13 | } 14 | 15 | # Function to block an IP address using UFW (Uncomplicated Firewall) 16 | block_ip() { 17 | local ip=$1 18 | echo "Blocking IP: $ip" 19 | ufw deny from $ip 20 | } 21 | 22 | # Function to unblock an IP address using UFW 23 | unblock_ip() { 24 | local ip=$1 25 | echo "Unblocking IP: $ip" 26 | ufw delete deny from $ip 27 | } 28 | 29 | # Function to display the UFW status and see if the IP is blocked 30 | check_blocked_ips() { 31 | echo "Checking blocked IPs using UFW..." 32 | ufw status | grep 'DENY' 33 | } 34 | 35 | # Function to restart the SSH service 36 | restart_ssh_service() { 37 | echo "Restarting SSH service..." 38 | systemctl restart sshd 39 | } 40 | 41 | # Function to show the last login details for users 42 | show_last_logins() { 43 | echo "Showing last login information for users..." 44 | last -i | head -n 20 45 | } 46 | 47 | # Function to check for any SSH brute-force attempts by monitoring auth logs 48 | monitor_bruteforce_attempts() { 49 | echo "Checking for SSH brute-force attempts in auth.log..." 50 | grep -i "failed" /var/log/auth.log | awk '{print $1, $2, $3, $9, $11}' | sort | uniq -c | sort -n 51 | } 52 | 53 | # Function to check UFW status and ensure SSH is allowed 54 | check_ufw_status() { 55 | echo "Checking UFW status..." 56 | ufw status 57 | } 58 | 59 | # Function to restart the machine (if needed after applying changes) 60 | restart_machine() { 61 | echo "Restarting the machine to apply changes..." 62 | shutdown -r now 63 | } 64 | 65 | # List all current SSH connections 66 | # 67 | # This function lists all current SSH connections using the ss command (similar to netstat). 
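list_all_ssh_connections() {
    # -p only resolves owning processes when run as root (which this is, being
    # sourced from /root/.bashrc); the grep also shows the listening sshd
    # socket, not just established sessions
    ss -atp | grep ssh
}

# Watch SSH login attempts in real-time
#
# Runs tail on auth.log: prints the last lines of the file and then keeps
# printing new lines as they are appended. -F (not -f) follows the file *name*,
# so the watch survives logrotate moving auth.log aside; with -f the output
# would silently stop after the first rotation.
watch_ssh() {
    tail -F /var/log/auth.log
}

--------------------------------------------------------------------------------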