added ntfy alerts and removed sudo

roles/bastionhost/tasks/main.yml

@@ -14,6 +14,7 @@
   - import_tasks: system_setup/package_hardening.yml
   - import_tasks: system_setup/user_hardening.yml
   - import_tasks: system_setup/aide.yml
+  - import_tasls: system_setup/ntfy_alerts.yml
 
   rescue:
     - set_fact: task_failed=true

roles/bastionhost/tasks/system_setup/ntfy_alerts.yml

@@ -0,0 +1,22 @@
+---
+- name: system setup | ntfy alerts | install curl
+  tags: ntfy,hardening,system
+  package:
+    name: curl
+    state: present
+
+- name: system setup | ntfy alerts | create ssh login alert script
+  tags: ntfy,hardening,system
+  copy:
+    dest: /etc/ssh/sshrc
+    owner: root
+    group: root
+    mode: '0755'
+    content: |
+      #!/bin/sh
+      # Managed by Ansible
+      # Send SSH login alert to ntfy topic.
+      
+      MESSAGE="{{ ntfy_ssh_login_message }}"
+      
+      curl -s -d "$MESSAGE" "{{ ntfy_url }}" > /dev/null

roles/bastionhost/tasks/system_setup/package_hardening.yml

@@ -13,6 +13,7 @@
       - postfix
       - cups*
       - avahi-daemon
+      - sudo
       # Common utilities not required for a minimal system
       - popularity-contest
       - whoopsie
@@ -37,6 +38,7 @@
       - postfix
       - cups*
       - avahi
+      - sudo
     state: absent
   notify: Update_aide_database
   when: ansible_os_family == "RedHat"

roles/bastionhost/vars/main.yml

@@ -0,0 +1,4 @@
+---
+# Variables for ntfy alerts
+ntfy_url: "https://ntfy.sh/YOUR_TOPIC_HERE"
+ntfy_ssh_login_message: "SSH login on $(hostname) for user $USER from $(echo $SSH_CONNECTION | cut -d ' ' -f 1)"