ansible/roles/hardening/tasks/main.yml

---
- name: Security-Pakete
  ansible.builtin.apt:
    name:
      - ufw
      - unattended-upgrades
      - apt-listchanges
    state: present

- name: SSH — Passwort-Login deaktivieren
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^#?\s*PasswordAuthentication\s'
    line: 'PasswordAuthentication no'
    validate: 'sshd -t -f %s'
  notify: restart sshd

- name: SSH — Root-Login deaktivieren
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^#?\s*PermitRootLogin\s'
    line: 'PermitRootLogin no'
    validate: 'sshd -t -f %s'
  notify: restart sshd

- name: UFW Default Policy (incoming deny)
  ansible.builtin.command: ufw default deny incoming
  register: ufw_default
  changed_when: "'Default incoming policy changed' in ufw_default.stdout"

- name: UFW — SSH erlauben
  ansible.builtin.command: ufw allow OpenSSH
  register: ufw_allow
  changed_when: "'Rule added' in ufw_allow.stdout or 'Rules updated' in ufw_allow.stdout"

- name: UFW aktivieren
  ansible.builtin.command: ufw --force enable
  register: ufw_enable
  changed_when: "'Firewall is active' in ufw_enable.stdout"

- name: unattended-upgrades konfigurieren
  ansible.builtin.copy:
    dest: /etc/apt/apt.conf.d/20auto-upgrades
    mode: '0644'
    content: |
      APT::Periodic::Update-Package-Lists "1";
      APT::Periodic::Unattended-Upgrade "1";
      APT::Periodic::AutocleanInterval "7";
add: Distro-Entscheidung (Debian 13 + KDE), Ansible-Skelett, ADR 2026-05-17 21:33:03 +02:00			`---`
feat: vollst. Installations-Doku, Ansible-Rollen ausimplementiert, claude_workspace-Rolle - docs/installation.md: Netinstall + Dualboot Schritt-für-Schritt (LUKS nur am Notebook) - docs/postinstall-ansible.md: Ablauf + restmanuelle Schritte - roles/base: APT-Sources mit non-free-firmware + Backports, Locale, Tastatur, Zeitzone, Grundpakete - roles/desktop_kde: Plasma 6 + SDDM (ohne Recommends, kompakt) - roles/hardening: SSH key-only, UFW, unattended-upgrades - roles/dev_tools: Node.js via NodeSource, Python, Perl, Git-Defaults - roles/workstation_apps: Firefox, Thunderbird, LibreOffice, Codecs, KeePassXC - roles/claude_workspace (NEU): Claude Code + ccusage, SSH-Key für Gitea, Workspace-Clone (recurse-submodules), ~/.claude/settings.json - site.yml: alle Rollen mit Tags 2026-05-17 21:46:23 +02:00			`- name: Security-Pakete`
			`ansible.builtin.apt:`
			`name:`
			`- ufw`
			`- unattended-upgrades`
			`- apt-listchanges`
			`state: present`

			`- name: SSH — Passwort-Login deaktivieren`
			`ansible.builtin.lineinfile:`
			`path: /etc/ssh/sshd_config`
			`regexp: '^#?\s*PasswordAuthentication\s'`
			`line: 'PasswordAuthentication no'`
			`validate: 'sshd -t -f %s'`
			`notify: restart sshd`

			`- name: SSH — Root-Login deaktivieren`
			`ansible.builtin.lineinfile:`
			`path: /etc/ssh/sshd_config`
			`regexp: '^#?\s*PermitRootLogin\s'`
			`line: 'PermitRootLogin no'`
			`validate: 'sshd -t -f %s'`
			`notify: restart sshd`

			`- name: UFW Default Policy (incoming deny)`
			`ansible.builtin.command: ufw default deny incoming`
			`register: ufw_default`
			`changed_when: "'Default incoming policy changed' in ufw_default.stdout"`

			`- name: UFW — SSH erlauben`
			`ansible.builtin.command: ufw allow OpenSSH`
			`register: ufw_allow`
			`changed_when: "'Rule added' in ufw_allow.stdout or 'Rules updated' in ufw_allow.stdout"`

			`- name: UFW aktivieren`
			`ansible.builtin.command: ufw --force enable`
			`register: ufw_enable`
			`changed_when: "'Firewall is active' in ufw_enable.stdout"`

			`- name: unattended-upgrades konfigurieren`
			`ansible.builtin.copy:`
			`dest: /etc/apt/apt.conf.d/20auto-upgrades`
			`mode: '0644'`
			`content: \|`
			`APT::Periodic::Update-Package-Lists "1";`
			`APT::Periodic::Unattended-Upgrade "1";`
			`APT::Periodic::AutocleanInterval "7";`