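---
# Baseline host hardening: kernel parameters, setuid/setgid cleanup,
# SSH root-login policy and fail2ban.

- name: Configure sysctl
  template:
    src: sysctl.d/local.conf.j2
    dest: /etc/sysctl.d/local.conf
    mode: "0644"  # quoted so YAML does not read it as an octal integer
  # NOTE(review): nothing here reloads the kernel parameters after the file
  # is written; they only take effect at next boot (or after
  # `sysctl --system`) unless a handler elsewhere in the role does that.

# Use this command to list setuid or setgid executables:
#   find / -type f -perm /6000 -ls 2>/dev/null
#
# The candidates are stat'ed first so that a binary that is simply not
# installed is skipped, while a real failure on an existing file (e.g. a
# read-only filesystem) still fails the play. A blanket `ignore_errors`
# would hide both cases alike — including a mistyped path.
- name: Check which setuid/setgid candidates are present
  stat:
    path: "{{ item }}"
  loop:
    - /usr/lib/openssh/ssh-keysign  # Not used (host-based auth); Debian ships it as ssh-keysign
    - /usr/bin/gpasswd              # No group auth
    - /usr/bin/passwd               # Only root should change passwd
    - /usr/bin/expiry               # With re2o
    - /usr/bin/newgrp               # No group auth
    - /usr/bin/chage                # With re2o
    - /usr/bin/chsh                 # With re2o
    - /usr/bin/chfn                 # With re2o
    - /bin/mount                    # Only root should mount
    - /bin/umount                   # Only root should umount
  register: setuid_candidates

- name: Deactivate setuid/setgid on unused binaries
  file:
    path: "{{ item.item }}"
    mode: "u-s,g-s"
  loop: "{{ setuid_candidates.results }}"
  loop_control:
    label: "{{ item.item }}"  # keep the loop output readable (path, not the whole stat dict)
  when: item.stat.exists

# Root may only log in with SSH keys, never with a password.
- name: Prohibit root SSH with password
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: '^PermitRootLogin'
    insertafter: '^#PermitRootLogin'
    line: 'PermitRootLogin prohibit-password'
    # Refuse to write a config sshd cannot parse: a broken sshd_config
    # would otherwise take SSH down on the restart triggered below.
    validate: '/usr/sbin/sshd -t -f %s'
  # NOTE(review): on hosts whose sshd_config begins with
  # `Include /etc/ssh/sshd_config.d/*.conf`, the first PermitRootLogin
  # seen wins, so a drop-in file would override this line — confirm none
  # sets it.
  notify: Restart sshd service

# Inspect banned clients with `fail2ban-client status sshd`.
- name: Install fail2ban
  apt:
    name: fail2ban
  register: apt_result
  retries: 3  # tolerate a transient mirror/apt-lock failure
  until: apt_result is succeeded

- name: Configure fail2ban
  template:
    src: fail2ban/jail.d/local.conf.j2
    dest: /etc/fail2ban/jail.d/local.conf
    mode: "0644"
  notify: Restart fail2ban service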