Jake Howard
a50a8d5385
But use it through firejail. Doesn't have cam support yet, but I can fix that later
70 lines
1.4 KiB
YAML
70 lines
1.4 KiB
YAML
- name: Install security-related packages
|
|
aur:
|
|
name: "{{ item }}"
|
|
become: true
|
|
become_user: aur_builder
|
|
when: item not in installed_packages.stdout_lines
|
|
loop:
|
|
- firejail
|
|
- keepassxc
|
|
- qomui
|
|
- wireguard-tools
|
|
- yubikey-personalization-gui
|
|
|
|
- name: Create .ssh directory
|
|
file:
|
|
state: directory
|
|
path: "{{ home }}/.ssh"
|
|
owner: "{{ user }}"
|
|
mode: 0700
|
|
directory_mode: 0700
|
|
|
|
- name: Install assh config
|
|
copy:
|
|
src: ./files/assh.yml
|
|
dest: "{{ home }}/.ssh/assh.yml"
|
|
mode: 0644
|
|
owner: "{{ user }}"
|
|
|
|
- name: Install Firewall
|
|
aur:
|
|
name: "{{ item }}"
|
|
become: true
|
|
become_user: aur_builder
|
|
when: item not in installed_packages.stdout_lines
|
|
loop:
|
|
- firewalld
|
|
|
|
- name: Enable firewalld
|
|
systemd:
|
|
name: firewalld
|
|
enabled: true
|
|
state: started
|
|
|
|
- name: Define firewall ports
|
|
set_fact:
|
|
requested_firewall_ports:
|
|
- 22/tcp # SSH
|
|
- 80/tcp # Web (crab)
|
|
|
|
- name: Get firewall ports
|
|
shell: firewall-cmd --list-ports
|
|
become: true
|
|
register: firewall_ports
|
|
|
|
- name: Open firewall ports
|
|
firewalld:
|
|
port: "{{ item }}"
|
|
permanent: true
|
|
immediate: true
|
|
state: enabled
|
|
loop: "{{ requested_firewall_ports }}"
|
|
|
|
- name: Close firewall ports
|
|
firewalld:
|
|
port: "{{ item }}"
|
|
permanent: true
|
|
immediate: true
|
|
state: disabled
|
|
when: item and item not in requested_firewall_ports
|
|
loop: "{{ firewall_ports.stdout.split(' ') }}"
|