test other version

2025-08-26 21:59:21 +02:00
parent b2459a2dc0
commit 7a2ccb537b
98 changed files with 2830 additions and 1291 deletions


@@ -1,8 +1,9 @@
---
- name: Update apt cache for Debian/Ubuntu
apt:
update_cache: yes
cache_valid_time: 3600
- name: Update apt cache and upgrade system packages (Debian/Ubuntu)
ansible.builtin.apt:
update_cache: true
upgrade: dist
autoremove: true
autoclean: true
when: ansible_os_family == "Debian"
tags:
- system-update
register: system_update_result
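Review bot: `upgrade: dist` together with `autoremove: true` now runs on every play, and `system_update_result` is registered but not consumed anywhere in this hunk, so a kernel or libc upgrade that needs a reboot passes unnoticed and the play keeps going on a stale kernel. On Debian-family hosts that create it, a follow-up `ansible.builtin.stat` on `/var/run/reboot-required` registered into a fact that a later task or handler acts on closes that gap. Restoring `cache_valid_time: 3600` would also keep routine runs from refreshing the apt cache on every invocation. If a full dist-upgrade is meant to be opt-in on a production game server, gate `upgrade` behind a variable and say so in a comment above the task.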


@@ -1,12 +1,10 @@
---
- name: Configure SSH daemon
template:
ansible.builtin.template:
src: sshd_config.j2
dest: /etc/ssh/sshd_config
backup: yes
mode: "0600"
owner: root
group: root
notify: restart sshd
tags:
- ssh-config
mode: '0644'
backup: true
notify: "restart ssh service"
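Review bot: The template task that writes `/etc/ssh/sshd_config` has no `validate`, so a rendering error in `sshd_config.j2` is only discovered when the `restart ssh service` handler fires and the daemon fails to come back, which can lock you out of the host. Add `validate: /usr/sbin/sshd -t -f %s` to the `ansible.builtin.template` arguments so the handler never runs against a config that sshd itself rejects. The mode also moves from `"0600"` to `'0644'`; that matches the Debian package default and is fine as long as the template carries no secrets, but a one-line comment stating that intent would stop the next reviewer from flagging it. The old/new side of the duplicated `mode`/`backup`/`notify` keys cannot be fully told from this rendering, so verify the new file ends up with exactly one of each.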


@@ -1,7 +0,0 @@
---
- name: Install UFW firewall
package:
name: ufw
state: present
tags:
- firewall-install


@@ -0,0 +1,32 @@
---
- name: Install UFW
ansible.builtin.apt:
name: ufw
state: present
when: firewall_enabled | bool
- name: Reset UFW rules
community.general.ufw:
state: reset
when: firewall_enabled | bool
- name: Allow SSH port
community.general.ufw:
rule: allow
port: "{{ ssh_port }}"
proto: tcp
when: firewall_enabled | bool
- name: Allow Minecraft port
community.general.ufw:
rule: allow
port: "25565"
proto: tcp
when: firewall_enabled | bool
- name: Enable UFW
community.general.ufw:
state: enabled
policy: deny
when: firewall_enabled | bool
notify: "reload firewall"
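Review bot: `Reset UFW rules` runs `state: reset` on every play, which disables the firewall and flushes every rule before the allow rules are re-added, so a failure in the tasks that follow (an undefined `ssh_port`, for example) leaves the host with no firewall until the next successful run, and any rule added outside this role is silently dropped each time. It also makes the play report `changed` on every run. Gate it behind an explicit opt-in (constructed example: `when: firewall_enabled | bool and (firewall_reset | default(false) | bool)`) or drop it and let the `rule: allow` tasks converge on their own. The hunk header declares 32 added lines but fewer are rendered here, so part of this file is not visible in this view.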


@@ -0,0 +1,23 @@
---
- name: Install fail2ban
ansible.builtin.apt:
name: fail2ban
state: present
when: fail2ban_enabled | bool
- name: Configure fail2ban jail
ansible.builtin.template:
src: fail2ban-jail.local.j2
dest: /etc/fail2ban/jail.local
owner: root
group: root
mode: '0644'
when: fail2ban_enabled | bool
notify: "restart fail2ban service"
- name: Start and enable fail2ban
ansible.builtin.systemd:
name: fail2ban
state: started
enabled: true
when: fail2ban_enabled | bool
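Review bot: When `fail2ban_enabled` is false every task in this file is skipped, so an instance enabled by an earlier run keeps running with whatever `jail.local` it had; if the flag is meant to switch protection off, add a guarded task (`when: not fail2ban_enabled | bool`) that stops and disables the unit and tolerates it not being installed. The jail template is not shown; if it defines an `sshd` jail, its port must follow the same `ssh_port` variable the firewall task uses, otherwise bans never trigger on a non-default port — worth a comment above `Configure fail2ban jail`. The header declares 23 added lines but fewer are rendered, so some of this file is not visible here.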


@@ -1,8 +0,0 @@
---
- name: Install fail2ban
package:
name: fail2ban
state: present
when: fail2ban_enabled
tags:
- fail2ban-install


@@ -1,12 +0,0 @@
---
- name: Disable unused services
systemd:
name: "{{ item }}"
state: stopped
enabled: no
loop:
- bluetooth
- cups
ignore_errors: yes
tags:
- disable-services


@@ -0,0 +1,20 @@
---
- name: Install security packages
ansible.builtin.apt:
name:
- unattended-upgrades
- logwatch
- rkhunter
- chkrootkit
state: present
- name: Configure automatic security updates
ansible.builtin.copy:
content: |
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";
dest: /etc/apt/apt.conf.d/20auto-upgrades
owner: root
group: root
mode: '0644'
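Review bot: `Configure automatic security updates` only switches the periodic jobs on; nothing in this hunk manages `/etc/apt/apt.conf.d/50unattended-upgrades`, so which origins get upgraded, whether the host auto-reboots, and where failures are reported all come from package defaults. If that is intended, say so in a comment above the task; otherwise a second copy/template task for that file makes the policy explicit and reviewable. `rkhunter` and `chkrootkit` are installed but no task on this page configures or schedules them, so either note that as a follow-up or drop them to keep the package set minimal.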


@@ -0,0 +1,17 @@
---
- name: Create ansible user if not exists
ansible.builtin.user:
name: ansible
groups: sudo
shell: /bin/bash
create_home: true
state: present
- name: Add authorized keys for admin users
ansible.posix.authorized_key:
user: ansible
key: "{{ item.key }}"
comment: "{{ item.comment | default('') }}"
state: present
loop: "{{ admin_users }}"
when: admin_users is defined and admin_users | length > 0
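Review bot: `Add authorized keys for admin users` only ever adds keys, because `state: present` inside a `loop` never removes an entry that was dropped from `admin_users`, so revoking an admin's access needs a manual edit on every host. The module's `exclusive` option is not loop-aware, so collapse the loop into one call with `key: "{{ admin_users | map(attribute='key') | join('\n') }}"` and `exclusive: true`, keeping the existing `when` so an empty list cannot wipe the file (the per-key `comment` then has to live inside each key string). In `Create ansible user if not exists`, `groups: sudo` without `append: true` replaces any existing supplementary groups of an already-present `ansible` user, which is probably not intended. The user is created with no password, so `sudo` membership alone will not let the automation escalate non-interactively unless a sudoers rule exists elsewhere; a comment saying where that is configured would help.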


@@ -1,30 +1,18 @@
---
- name: Include system update tasks
include_tasks: 01-update-system.yml
tags:
- hardening
- system-update
ansible.builtin.include_tasks: 01-system-update.yml
- name: Include SSH configuration tasks
include_tasks: 02-configure-ssh.yml
tags:
- hardening
- ssh
- name: Include SSH hardening tasks
ansible.builtin.include_tasks: 02-ssh-hardening.yml
- name: Include firewall configuration tasks
include_tasks: 03-configure-firewall.yml
tags:
- hardening
- firewall
- name: Include firewall setup tasks
ansible.builtin.include_tasks: 03-firewall-setup.yml
- name: Include fail2ban installation tasks
include_tasks: 04-install-fail2ban.yml
tags:
- hardening
- fail2ban
- name: Include fail2ban setup tasks
ansible.builtin.include_tasks: 04-fail2ban-setup.yml
- name: Include additional hardening tasks
include_tasks: 05-additional-hardening.yml
tags:
- hardening
- additional
- name: Include additional security tasks
ansible.builtin.include_tasks: 05-additional-security.yml
- name: Include SSH keys management tasks
ansible.builtin.include_tasks: 06-ssh-keys-management.yml