---
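- name: Configure sysctl
  template:
    src: sysctl.d/local.conf.j2
    dest: /etc/sysctl.d/local.conf
    owner: root
    group: root
    mode: "0644"  # quoted: an unquoted 0644 is read by YAML as the integer 420
  register: sysctl_local_conf

# Writing the drop-in does not load it: nothing above reloads the kernel
# parameters, so the hardened values would only take effect at the next boot.
# `sysctl --system` re-reads /etc/sysctl.d/*.conf in the usual order.
- name: Apply sysctl settings
  command: sysctl --system
  when: sysctl_local_conf is changed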

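# Use this command to list setuid or setgid executables
# find / -type f -perm /6000 -ls 2>/dev/null
#
# NOTE(review): the bits are stripped with a plain chmod, so the next dpkg
# upgrade of the owning package will restore them. If the change must
# survive upgrades, register it with `dpkg-statoverride` instead.
- name: Check which setuid/setgid candidates exist on this host
  stat:
    path: "{{ item }}"
  loop:
    - /usr/lib/openssh/sshkeysign  # Not used
    - /usr/bin/gpasswd  # No group auth
    - /usr/bin/passwd  # Only root should change passwd
    - /usr/bin/expiry  # With re2o
    - /usr/bin/newgrp  # No group auth
    - /usr/bin/chage  # With re2o
    - /usr/bin/chsh  # With re2o
    - /usr/bin/chfn  # With re2o
    - /bin/mount  # Only root should mount
    - /bin/umount  # Only root should umount
  register: setuid_candidates

# Only files that exist are touched. This replaces `ignore_errors: true`,
# which hid every failure of the task (permission denied, read-only
# filesystem, ...) and not just the "file does not exist" case.
- name: Deactivate setuid/setgid on unused binaries
  file:
    path: "{{ item.item }}"
    mode: u-s,g-s
  loop: "{{ setuid_candidates.results }}"
  loop_control:
    label: "{{ item.item }}"
  when: item.stat.exists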

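# Only SSH keys to log on root; agent and X11 forwarding are disabled as well.
#
# sshd keeps the FIRST value it reads for a keyword. A directive set in
# /etc/ssh/sshd_config.d/*.conf (included near the top of sshd_config on
# recent Debian releases), or a line that ends up appended below a `Match`
# block, silently wins over what is written here. Verify the effective
# configuration on the host with `sshd -T | grep -i permitrootlogin`.
- name: Harden sshd_config (key-only root login, no forwarding)
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^{{ item.0 }}'
    insertafter: '^#{{ item.0 }}'
    line: '{{ item.0 }} {{ item.1 }}'
    # Refuse to write a file sshd cannot parse: a broken sshd_config followed
    # by the restart handler would lock everyone out of the host.
    validate: /usr/sbin/sshd -t -f %s
  loop:
    - ["PermitRootLogin", "prohibit-password"]  # keyword spelling needs OpenSSH >= 7.0
    - ["AllowAgentForwarding", "no"]
    - ["X11Forwarding", "no"]
    - ["TCPKeepAlive", "yes"]  # sshd default, kept explicit; not a hardening setting
  notify: Restart sshd service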

# See banned client with `fail2ban-client status sshd`
- name: Install fail2ban
  apt:
    pkg: fail2ban
    state: present
  # apt may fail transiently (lock held, mirror hiccup): retry a few times
  register: fail2ban_apt
  until: fail2ban_apt is succeeded
  retries: 3
  delay: 5

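# The bastion is exempted from banning so a burst of failed logins through it
# can not lock the admins out. Its address can be overridden per inventory via
# `fail2ban_bastion_ip`. Setting ignoreip in the jail replaces any list
# inherited from [DEFAULT] (older fail2ban shipped 127.0.0.1/8 there), so
# loopback is listed explicitly to keep the host's own traffic unbannable.
- name: Configure fail2ban
  ini_file:
    path: /etc/fail2ban/jail.d/local.conf
    section: "{{ item.section }}"
    option: "{{ item.option }}"
    value: "{{ item.value }}"
    state: present
    mode: "0644"  # quoted: an unquoted 0644 is read by YAML as the integer 420
  notify: Restart fail2ban service
  loop:
    - section: sshd
      option: ignoreip
      value: "127.0.0.1/8 ::1 {{ fail2ban_bastion_ip | default('10.128.0.254') }}"

    - section: sshd
      option: enabled
      value: "true"

    - section: sshd
      option: bantime
      value: "600"  # seconds a banned address stays blocked

    - section: sshd
      option: findtime
      value: "600"  # window (seconds) in which maxretry failures are counted

    - section: sshd
      option: maxretry
      value: "5"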

# See altered packages and configurations with `debsums -ca`.
# NOTE(review): debsums compares files against the md5sum lists stored on the
# same host, which root can rewrite; treat it as a drift check, not as
# tamper-proof integrity verification.
- name: Install debsums
  apt:
    pkg: debsums
    state: present
  # apt may fail transiently (lock held, mirror hiccup): retry a few times
  register: debsums_apt
  until: debsums_apt is succeeded
  retries: 3
  delay: 5