moved tasks to subfolder

roles/bastionhost/tasks/system_setup/aide.yml

@@ -0,0 +1,42 @@
+---
+- name: system setup | aide | install aide package
+  tags: aide,hardening,system
+  package:
+    name: aide
+    state: present
+
+- name: system setup | aide | check if aide database exists
+  tags: aide,hardening,system
+  stat:
+    path: /var/lib/aide/aide.db
+  register: aide_db
+
+- name: system setup | aide | initialize aide database if it does not exist
+  tags: aide,hardening,system
+  block:
+    - name: system setup | aide | run aide --init (this may take a while)
+      command: aide --init
+      register: aide_init_result
+      changed_when: "'AIDE, version' in aide_init_result.stdout"
+      async: 1800 # Allow up to 30 minutes for initialization
+      poll: 15
+
+    - name: system setup | aide | copy new database to be the active one
+      copy:
+        src: /var/lib/aide/aide.db.new
+        dest: /var/lib/aide/aide.db
+        remote_src: true
+        owner: root
+        group: root
+        mode: '0600'
+      when: aide_init_result.changed
+  when: not aide_db.stat.exists
+
+- name: system setup | aide | schedule daily check
+  tags: aide,hardening,system
+  cron:
+    name: "AIDE daily check"
+    minute: "0"
+    hour: "5"
+    job: "/usr/bin/aide --check"
+    cron_file: aide_check # Creates /etc/cron.d/aide_check

roles/bastionhost/tasks/system_setup/firewall.yml

@@ -0,0 +1,27 @@
+---
+- name: system setup | firewall | install ufw
+  package:
+    name: ufw
+    state: present
+
+- name: system setup | firewall | deny all incoming traffic by default and enable firewall
+  community.general.ufw:
+    state: enabled
+    policy: deny
+
+- name: system setup | firewall | allow ssh from anywhere
+  community.general.ufw:
+    rule: allow
+    port: '22'
+    proto: tcp
+    src: 'any'
+
+- name: system setup | firewall | allow monitoring traffic from internal networks
+  community.general.ufw:
+    rule: allow
+    proto: "{{ item.proto }}"
+    port: "{{ item.port | default(omit) }}"
+    src: '192.168.1.0/24' # Passe dies an dein internes Netzwerk an
+  loop:
+    - { proto: 'icmp', comment: 'Allow Ping' }
+    - { proto: 'udp', port: '161', comment: 'Allow SNMP' }

roles/bastionhost/tasks/system_setup/openssh_hardening.yml

@@ -0,0 +1,38 @@
+---
+- name: system setup | openssh | copy hardened sshd config for bastion
+  tags: openssh,ssh,system,settings
+  copy:
+    dest: /etc/ssh/sshd_config.d/hardened.conf
+    owner: root
+    group: root
+    mode: '0644'
+    content: |
+      # This file is managed by Ansible for the bastion role
+      # It overwrites/complements settings from the base role.
+      LogLevel VERBOSE
+      MaxAuthTries 3
+      PubkeyAuthentication yes
+      AuthorizedKeysFile      .ssh/authorized_keys
+      PasswordAuthentication no
+      UsePAM yes
+      AllowAgentForwarding no
+      AllowTcpForwarding no
+      X11Forwarding no
+      PrintMotd no
+      
+      # Harden Ciphers and Algorithms
+      KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+      Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+      MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+      HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256
+
+      PrintLastLog no
+      TCPKeepAlive yes
+      Subsystem       sftp    /usr/lib/ssh/sftp-server
+      AcceptEnv *
+      AllowUsers lowpriv sshjumpuser
+
+      Match User lowpriv,sshjumpuser
+              AllowAgentForwarding yes
+              AllowTcpForwarding yes
+  notify: [ "restart_sshd", "update aide database" ]

roles/bastionhost/tasks/system_setup/package_hardening.yml

@@ -0,0 +1,42 @@
+---
+- name: system setup | package hardening | remove unnecessary packages (Debian family)
+  tags: packages,hardening,system
+  package:
+    name:
+      # Daemons not needed on a bastion host
+      - apache2*
+      - nginx*
+      - lighttpd*
+      - samba*
+      - nfs-kernel-server
+      - bind9
+      - postfix
+      - cups*
+      - avahi-daemon
+      # Common utilities not required for a minimal system
+      - popularity-contest
+      - whoopsie
+      - command-not-found
+      # Games and fun stuff
+      - bsdgames
+      - fortune-mod
+    state: absent
+    purge: true # Also removes configuration files
+  notify: update aide database
+  when: ansible_os_family == "Debian"
+
+- name: system setup | package hardening | remove unnecessary packages (RedHat family)
+  tags: packages,hardening,system
+  package:
+    name:
+      - httpd*
+      - nginx*
+      - samba*
+      - nfs-utils
+      - named
+      - postfix
+      - cups*
+      - avahi
+    state: absent
+  notify: update aide database
+  when: ansible_os_family == "RedHat"

roles/bastionhost/tasks/system_setup/user_hardening.yml

@@ -0,0 +1,24 @@
+---
+- name: system setup | user hardening | remove unnecessary system accounts
+  tags: users,hardening,system
+  user:
+    name: "{{ item }}"
+    state: absent
+    remove: true # Also removes home directory and mail spool
+  loop:
+    # Legacy or unused service accounts
+    - lp
+    - sync
+    - shutdown
+    - halt
+    - mail
+    - news
+    - uucp
+    - proxy
+    - backup
+    - list
+    - irc
+    - gnats
+    - games
+  notify: update aide database
+  ignore_errors: true # Some users might not exist, which is fine