Add iptables rules, git and sed for setup, disable root account and add ssh key and unpriviledge account

files/iptables-rules/rules.v4

@@ -0,0 +1,28 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [10:1692]
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
+-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
+-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
+-A INPUT -m conntrack --ctstate INVALID -j DROP
+-A INPUT -p tcp -m multiport --dports 22 -j ACCEPT
+-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+COMMIT
+*nat
+:PREROUTING ACCEPT [2:162]
+:INPUT ACCEPT [1:110]
+:OUTPUT ACCEPT [1:110]
+:POSTROUTING ACCEPT [1:110]
+COMMIT
+*mangle
+:PREROUTING ACCEPT [8:1024]
+:INPUT ACCEPT [8:1024]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [11:1802]
+:POSTROUTING ACCEPT [11:1802]
+-A OUTPUT -j TOS --set-tos 0x10/0xff
+-A OUTPUT -j DSCP --set-dscp 0x22
+COMMIT

files/ssh.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCyzEllhePOhNp1R8QElQmISJad6nj0hVSTrfnufVLyWR8pWwIKoQasxhadiJHyFOb9TILzQLxKmxw++5FtzuHQnML0+Yp9T9QqtnIefsMZD1FXmU/6V09PcLYKo+EcFe5s9OHOhNqbRnTZZZZ6+W80m0lLjSDyuUP2hNxUJxrbwhPyhsTyS+0vMaxx0JsnQer+gI6iltQV4LjSmx/RsEOOIcEgUCCpnJnNd03DZFniZ7SS6QDAFYxKCGXBoQ5ZY9JQSI+6AGTfqCZFZNhZkJ7HHLR0qtN/opARQYtjmRUmA7Z7Jd9zSMpywoW56sMdv9LQojr2NWVZ8lPQkPSM77Mk0rKI9nT23Hfu9PG1autx+hOmRZyHse55AX6SsKvg6JNZsbC7Ofnd4rPHinBj2FT0fR6CvIJGhyYiak06wfJE54z4VnLxvBdfsOsgS2hbVoFHye7o3Zkf84FWCqBGFicydDY8iOHdZJNGSPRP7wqwfIWenbQqv5klvpZRWC4J9795lmOlG87vzavfqSFM6lWvM7YuITSmZvkN71+1PK17X735jB6QZNSZjffDCUMgQchBpclRGEzu7r5+7UnoLVKNfmFw4hIPzqGz4Yf5hh3ASZwYg+sPLJshTbB+RwhgSrY/2YO8djL8xmbhzuJUVhm+Fz0hCkvxR71hbJaoCY2sXQ== 1A4E6AED12A550CCDD65F90E8DE0E9DF1BDBBD80

handlers/main.yml

@@ -0,0 +1,5 @@
+- name: Enable and restart iptables
+  systemd:
+        daemon_reload: yes
+        name: netfilter-persistent
+        state: restart

tasks/main.yml

@@ -2,6 +2,9 @@
   apt:
         install_recommends: no
         name:
+                - netfilter-persistent
+                - sed
+                - git
                 - zsh
                 - vim
                 - sudo
@@ -15,3 +18,40 @@
   apt:
         autoremove: yes
         autoclean: yes
+- name: Create unpriviledged user
+  user:
+        name: '{{ username }}'
+        password: "{{ password | password_hash('sha512') }}"
+        shell: /bin/zsh
+        groups: sudo
+        append: yes
+- name: Copy ssh key for unpriviledged user
+  authorized_key:
+        key: "{{lookup('file', '{{ role_path }}/files/ssh.pub')}}"
+        follow: yes
+        user: '{{ username }}'
+- name: Disable the root account
+  user:
+        name: root
+        password: '!'
+        password_lock: yes
+- name: Disable SSH login for root
+  replace:
+        path: /etc/ssh/sshd_config
+        regexp: "^.*PermitRootLogin.*$"
+        replace: "PermitRootLogin no"
+- name: Disable SSH password authentication
+  replace:
+        path: /etc/ssh/sshd_config
+        regexp: "^.*PasswordAuthentication.*$"
+        replace: "PasswordAuthentication no"
+- name: Reload SSH service
+  systemd:
+        name: ssh
+        state: reloaded
+- name: Set base iptables filter
+  copy:
+        src: '{{ role_path }}/files/iptables-rules/'
+        dest: '/etc/iptables/'
+  notify:
+        - Enable and restart iptables