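---
# Baseline hardening for a FiveM/txAdmin game-server host (Debian/Ubuntu, uses the
# `sudo` group). Task order matters: the admin login key is installed BEFORE
# password authentication is switched off, so an aborted run (handlers do not
# fire on failure, but the edited sshd_config survives the next reboot) cannot
# leave the host unreachable.
# NOTE(review): after the first successful run root login is refused and sshd
# listens on `ssh_port`; re-run as `created_username` with ansible_port set.
- hosts: all
  become: true
  vars:
    timezone: Europe/Paris
    created_username: server
    ssh_port: 49999
    mysql_port: 50123
    txadmin_port: 48888
    fivem_port: 30120
  vars_prompt:
    - name: "ssh_key_passphrase"
      prompt: "Enter passphrase for the SSH key (if generated)"
      private: true

  tasks:
    - name: Set timezone to "{{ timezone }}" (system and hardware clock)
      community.general.timezone:
        name: "{{ timezone }}"
      notify:
        - Restart crond

    # CAVEAT: NOPASSWD for the whole sudo group makes the admin user's SSH key an
    # effective root credential. Keep that private key passphrase-protected and
    # consider removing NOPASSWD once bootstrapping is done.
    - name: Setup passwordless sudo
      lineinfile:
        path: /etc/sudoers
        state: present
        regexp: '^%sudo'
        line: '%sudo ALL=(ALL) NOPASSWD: ALL'
        validate: '/usr/sbin/visudo -cf %s'  # never install a sudoers that visudo rejects

    - name: User - Create a new regular user with sudo privileges
      user:
        name: "{{ created_username }}"
        state: present
        groups: sudo
        append: true
        create_home: true
        shell: /bin/bash

    # Install the controller's public key first: every sshd change below is only
    # safe once key-based login for this user is guaranteed to work. The lookup
    # fails the play early if ~/.ssh/id_ed25519.pub is missing on the controller,
    # before any lock-out setting is written.
    - name: SSH - Set authorized key for remote user
      ansible.posix.authorized_key:
        user: "{{ created_username }}"
        state: present
        key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/id_ed25519.pub') }}"

    # Despite the task name this refuses ALL root logins, not just password ones.
    - name: SSH - Disable password authentication for root
      lineinfile:
        path: /etc/ssh/sshd_config
        state: present
        regexp: '^#?PermitRootLogin'
        line: 'PermitRootLogin no'
      notify:
        - Restart SSHD

    - name: SSH - Pubkey Auth Enable (ensure)
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?PubkeyAuthentication'
        line: 'PubkeyAuthentication yes'
      notify:
        - Restart SSHD

    - name: SSH - Password Auth Disable (ensure)
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?PasswordAuthentication'
        line: 'PasswordAuthentication no'
      notify:
        - Restart SSHD

    # NOTE: an agent offering more than 3 keys will be cut off before the right
    # one is tried; use IdentitiesOnly/IdentityFile on the client side.
    - name: SSH - Lower the maximum number of authentication attempts
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?MaxAuthTries'
        line: 'MaxAuthTries 3'
      notify:
        - Restart SSHD

    - name: SSH - Lower the maximum number of simultaneous SSH sessions allowed for a user
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?MaxSessions'
        line: 'MaxSessions 2'
      notify:
        - Restart SSHD

    # NOTE(review): on socket-activated sshd (Ubuntu 22.10+ defaults) the Port
    # directive is ignored; ssh.socket needs a ListenStream override too — confirm
    # for the target release.
    - name: SSH - Update SSH port
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?Port'
        line: "Port {{ ssh_port }}"
      notify:
        - Restart SSHD

    # Host-side key pair for the admin user (outbound use, e.g. git over SSH).
    # become_user makes the files owned by that user instead of root (root-owned
    # 0600 files in ~/.ssh would be unusable by the user). no_log keeps the
    # passphrase out of Ansible output/logs; it is still passed as an argv on the
    # host and visible in `ps` while ssh-keygen runs.
    - name: SSH - Generate ed25519 ssh key if necessary
      become_user: "{{ created_username }}"
      no_log: true
      command: ssh-keygen -t ed25519 -f "/home/{{ created_username }}/.ssh/id_ed25519" -N "{{ ssh_key_passphrase }}" -q
      args:
        creates: "/home/{{ created_username }}/.ssh/id_ed25519.pub"

    # `state: latest` upgrades these packages on every run; switch to `present`
    # if reproducible runs matter more than freshness.
    # NOTE(review): fail2ban is installed but not configured here; its stock sshd
    # jail bans on `port = ssh` (22), so with ssh_port changed a jail.local
    # overriding `port` is presumably needed for bans to bite — verify.
    - name: Update apt and install required system packages
      apt:
        pkg:
          - curl
          - fail2ban
          - git
          - nano
          - screen
          - ufw
        state: latest
        update_cache: true

    # Rate-limited (ufw `limit`: 6 new connections / 30 s per source) so a
    # brute-force run is throttled even before fail2ban reacts.
    - name: UFW - Allow SSH connections
      community.general.ufw:
        rule: limit
        port: "{{ ssh_port }}"
        proto: tcp

    # CAVEAT: this opens MySQL to every source address. If the database is only
    # used locally, drop this rule; if remote clients are known, add `src:` with
    # their addresses instead of exposing it to the whole Internet.
    - name: UFW - Allow MySQL connections
      community.general.ufw:
        rule: allow
        port: "{{ mysql_port }}"
        proto: tcp

    # txAdmin is a web admin panel; restricting with `src:` is advisable if the
    # admin addresses are known.
    - name: UFW - Allow TxAdmin connections
      community.general.ufw:
        rule: allow
        port: "{{ txadmin_port }}"
        proto: tcp

    - name: UFW - Allow FiveM UDP connections
      community.general.ufw:
        rule: allow
        port: "{{ fivem_port }}"
        proto: udp

    - name: UFW - Allow FiveM TCP connections
      community.general.ufw:
        rule: allow
        port: "{{ fivem_port }}"
        proto: tcp

    # Enabled last so every allow rule above is already in place when the default
    # inbound policy flips to deny; the current SSH session survives as an
    # established connection.
    - name: UFW - Enable and deny by default
      community.general.ufw:
        state: enabled
        default: deny

  handlers:
    # cron caches TZ at start-up; restart so new jobs use the configured zone.
    - name: Restart crond
      service:
        name: cron
        state: restarted

    # Handlers run at the end of the play, so sshd picks up all config edits in
    # one restart. NOTE(review): Debian names the unit `ssh`; `sshd` works only
    # through the unit alias — confirm on the target release.
    - name: Restart SSHD
      service:
        name: sshd
        state: restarted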