feat: vollst. Installations-Doku, Ansible-Rollen ausimplementiert, claude_workspace-Rolle
- docs/installation.md: Netinstall + Dualboot Schritt-für-Schritt (LUKS nur am Notebook) - docs/postinstall-ansible.md: Ablauf + restmanuelle Schritte - roles/base: APT-Sources mit non-free-firmware + Backports, Locale, Tastatur, Zeitzone, Grundpakete - roles/desktop_kde: Plasma 6 + SDDM (ohne Recommends, kompakt) - roles/hardening: SSH key-only, UFW, unattended-upgrades - roles/dev_tools: Node.js via NodeSource, Python, Perl, Git-Defaults - roles/workstation_apps: Firefox, Thunderbird, LibreOffice, Codecs, KeePassXC - roles/claude_workspace (NEU): Claude Code + ccusage, SSH-Key für Gitea, Workspace-Clone (recurse-submodules), ~/.claude/settings.json - site.yml: alle Rollen mit Tags
5
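--- a/ansible/roles/hardening/handlers/main.yml
+++ b/ansible/roles/hardening/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: restart sshd
+ansible.builtin.systemd:
+name: ssh
+state: restarted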
@@ -1,3 +1,48 @@
|
||||
---
|
||||
# SSH-Hardening, UFW, unattended-upgrades, fail2ban
|
||||
# TODO: implementieren — Skeleton-Datei
|
||||
- name: Security-Pakete
|
||||
ansible.builtin.apt:
|
||||
name:
|
||||
- ufw
|
||||
- unattended-upgrades
|
||||
- apt-listchanges
|
||||
state: present
|
||||
|
||||
- name: SSH — Passwort-Login deaktivieren
|
||||
ansible.builtin.lineinfile:
|
||||
path: /etc/ssh/sshd_config
|
||||
regexp: '^#?\s*PasswordAuthentication\s'
|
||||
line: 'PasswordAuthentication no'
|
||||
validate: 'sshd -t -f %s'
|
||||
notify: restart sshd
|
||||
|
||||
- name: SSH — Root-Login deaktivieren
|
||||
ansible.builtin.lineinfile:
|
||||
path: /etc/ssh/sshd_config
|
||||
regexp: '^#?\s*PermitRootLogin\s'
|
||||
line: 'PermitRootLogin no'
|
||||
validate: 'sshd -t -f %s'
|
||||
notify: restart sshd
|
||||
|
||||
- name: UFW Default Policy (incoming deny)
|
||||
ansible.builtin.command: ufw default deny incoming
|
||||
register: ufw_default
|
||||
changed_when: "'Default incoming policy changed' in ufw_default.stdout"
|
||||
|
||||
- name: UFW — SSH erlauben
|
||||
ansible.builtin.command: ufw allow OpenSSH
|
||||
register: ufw_allow
|
||||
changed_when: "'Rule added' in ufw_allow.stdout or 'Rules updated' in ufw_allow.stdout"
|
||||
|
||||
- name: UFW aktivieren
|
||||
ansible.builtin.command: ufw --force enable
|
||||
register: ufw_enable
|
||||
changed_when: "'Firewall is active' in ufw_enable.stdout"
|
||||
|
||||
- name: unattended-upgrades konfigurieren
|
||||
ansible.builtin.copy:
|
||||
dest: /etc/apt/apt.conf.d/20auto-upgrades
|
||||
mode: '0644'
|
||||
content: |
|
||||
APT::Periodic::Update-Package-Lists "1";
|
||||
APT::Periodic::Unattended-Upgrade "1";
|
||||
APT::Periodic::AutocleanInterval "7";
|
||||
|
||||
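Review bot: The two `ansible.builtin.lineinfile` edits on `/etc/ssh/sshd_config` (`PasswordAuthentication no`, `PermitRootLogin no`) can be silently overridden on Debian 12 and later, whose stock `sshd_config` begins with `Include /etc/ssh/sshd_config.d/*.conf` — sshd keeps the first value it reads, so any drop-in that sets these options (cloud-init images ship one) wins over the edited main file, and a line appended by `lineinfile` when the option is absent may also land below a `Match` block. Shipping the two settings as an early-sorting drop-in with the same `validate` and `notify` (sketched below) avoids both problems; the `- name: Security-Pakete` … `unattended-upgrades` tasks are unaffected. The role also never verifies that an `authorized_keys` entry exists before password login is switched off, so on a host reachable only over SSH this locks the operator out — an `ansible.builtin.stat` plus `ansible.builtin.assert` on the admin user's `~/.ssh/authorized_keys` ahead of the SSH tasks would catch that. Separately, the three UFW `command` tasks detect changes by matching English strings in `stdout`, yet the base role in this commit sets the system locale and ufw's messages are translated, so `changed_when` would presumably never fire; pin `environment: { LC_ALL: C.UTF-8 }` on those tasks or use `community.general.ufw` if that collection is available. If the `# SSH-Hardening, UFW, unattended-upgrades, fail2ban` header is kept on the new side, it promises fail2ban, which is neither installed nor configured in this hunk.
```yaml
- name: SSH — Hardening als Drop-in (Include-Dateien werden in Sortierreihenfolge gelesen)
  ansible.builtin.copy:
    dest: /etc/ssh/sshd_config.d/00-hardening.conf
    mode: '0644'
    content: |
      PasswordAuthentication no
      PermitRootLogin no
    validate: 'sshd -t -f %s'
  notify: restart sshd
# … unchanged: UFW tasks, unattended-upgrades …
```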