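---
# Ansible playbook that hardens an Ubuntu/Debian server and reduces its attack
# surface: creates an admin user with key-based SSH access, moves SSH to a
# non-default port, installs fail2ban and makes the kernel reboot on OOM.
#
# Run it as root: every task changes system configuration or installs packages.
# All tunable values (name, password, port, N0PASSWDLINE) come from vars.yml.
# Review the sudo task before use: it grants the whole `sudo` group
# password-less sudo, which is a weaker posture than the distribution default.
- hosts: servers
  gather_facts: false
  vars_files:
    - vars.yml  # must define: name, password, port, N0PASSWDLINE

  tasks:
    - name: Install python-apt (dependency of the apt module)
      # NOTE(review): on Python-3-only hosts this package is called python3-apt.
      apt:
        name: python-apt
        state: present

    - name: Install aptitude
      apt:
        name: aptitude
        state: present

    - name: Update apt cache and apply safe upgrades
      apt:
        update_cache: true
        upgrade: safe  # same as "yes": upgrades without removing packages
        # cache_valid_time: 86400  # one day

    - name: Add the administrative user
      # `password` must already be a crypt(3) hash, e.g.
      # "{{ 'secret' | password_hash('sha512') }}". A plaintext value is stored
      # verbatim in /etc/shadow and the account cannot log in with it.
      user:
        name: "{{ name }}"
        comment: "This is a super user"
        groups: sudo
        password: "{{ password }}"
        generate_ssh_key: true

    - name: Authorize the controller's SSH public key for {{ name }}
      # Reads ~/.ssh/id_rsa.pub on the machine running Ansible, not on the host.
      authorized_key:
        user: "{{ name }}"
        key: "{{ lookup('file', lookup('env', 'HOME') + '/.ssh/id_rsa.pub') }}"
        state: present

    - name: Give the sudo group NOPASSWD sudo
      # Weakens security: any compromised account in `sudo` becomes root without
      # a password. Drop this task if you do not need it. `validate` runs visudo
      # on the candidate file so a malformed N0PASSWDLINE cannot break sudo on
      # the host and lock you out.
      lineinfile:
        dest: /etc/sudoers
        regexp: '^%sudo'
        line: "{{ N0PASSWDLINE }}"
        state: present
        validate: '/usr/sbin/visudo -cf %s'

    - name: Allow the new SSH port in ufw
      # NOTE(review): ufw rules only take effect once ufw is enabled; this
      # playbook does not enable it, so confirm the firewall state on the host.
      ufw:
        port: "{{ port }}"
        proto: tcp  # SSH is TCP only; the unqualified rule also opened UDP
        rule: allow

    - name: Reboot the kernel when it runs out of memory
      # Panic on OOM, then reboot 10 s after the panic. The sysctl module
      # applies the value immediately and persists it in /etc/sysctl.conf.
      sysctl:
        name: "{{ item.name }}"
        value: "{{ item.value }}"
        sysctl_set: true
        state: present
        reload: true
      with_items:
        - name: vm.panic_on_oom
          value: '1'
        - name: kernel.panic
          value: '10'

    - name: Install fail2ban
      # Defaults are a reasonable baseline; tune /etc/fail2ban/jail.local if needed.
      apt:
        name: fail2ban
        state: present

    - name: Enable and start fail2ban
      service:
        name: fail2ban
        state: started
        enabled: true

    - name: Change the SSH listening port
      # `validate` runs `sshd -t` against the candidate file so a syntax error
      # never reaches the live config. The handler restarts sshd so the new port
      # is actually listening before port 22 is closed below.
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: '^Port\s'
        line: "Port {{ port }}"
        state: present
        validate: '/usr/sbin/sshd -t -f %s'
      notify: Restart sshd

    - name: Set hostname
      hostname:
        name: "{{ hostname | default('srv1.aquevix.com') }}"

    - name: Restart sshd now so the new port is live before port 22 is denied
      meta: flush_handlers

    - name: Deny the default SSH port in ufw
      # Established sessions (including the one running this play) survive;
      # new logins must use the new port. Verify you can log in on the new
      # port from a second terminal before closing your current session.
      ufw:
        port: '22'
        proto: tcp
        rule: deny

  handlers:
    - name: Restart sshd
      service:
        name: ssh  # Debian/Ubuntu service name for OpenSSH
        state: restarted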