new version

roles/01-server_hardening/tasks/01-update-system.yml

@@ -1,6 +1,7 @@
 ---
-- name: Update apt cache for Debian/Ubuntu
+- name: Mise à jour du cache des paquets (Debian/Ubuntu)
   ansible.builtin.apt:
     update_cache: yes
     cache_valid_time: 3600
-  when: ansible_os_family == "Debian"
+  when: ansible_os_family == "Debian"
+  tags: [system-update]

roles/01-server_hardening/tasks/02-install-packages.yml

@@ -1,14 +0,0 @@
----
-- name: Upgrade all packages
-  ansible.builtin.apt:
-    upgrade: dist
-    autoremove: yes
-    autoclean: yes
-  when: ansible_os_family == "Debian"
-  register: system_upgraded
-
-- name: Install security packages
-  ansible.builtin.apt:
-    name: "{{ security_packages }}"
-    state: present
-  when: ansible_os_family == "Debian"

roles/01-server_hardening/tasks/02-install-security-packages.yml

@@ -0,0 +1,7 @@
+---
+- name: Installation des paquets de sécurité
+  ansible.builtin.apt:
+    name: "{{ hardening_packages }}"
+    state: present
+  when: ansible_os_family == "Debian"
+  notify: restart fail2ban

roles/01-server_hardening/tasks/03-configure-ssh.yml

@@ -1,11 +1,10 @@
 ---
-- name: Configure SSH daemon
+- name: Configuration SSH sécurisée
   ansible.builtin.template:
     src: sshd_config.j2
-    dest: "{{ ssh_config_file }}"
+    dest: "{{ ssh_config_path }}"
     owner: root
     group: root
-    mode: '0600'
+    mode: '0644'
     backup: yes
-    validate: '/usr/sbin/sshd -t -f %s'
-  notify: restart ssh service
+  notify: restart ssh

roles/01-server_hardening/tasks/04-configure-firewall.yml

@@ -1,27 +1,9 @@
 ---
-- name: Install UFW firewall
-  ansible.builtin.apt:
-    name: ufw
-    state: present
-  when: ansible_os_family == "Debian"
-
-- name: Configure UFW defaults
+- name: Configuration UFW - politique par défaut
   community.general.ufw:
     direction: "{{ item.direction }}"
     policy: "{{ item.policy }}"
-  loop:
-    - { direction: 'incoming', policy: 'deny' }
-    - { direction: 'outgoing', policy: 'allow' }
-  notify: reload firewall
-
-- name: Allow TCP ports
-  community.general.ufw:
-    rule: allow
-    port: "{{ item }}"
-    proto: tcp
-  loop: "{{ firewall_allowed_tcp_ports }}"
-  notify: reload firewall
-
-- name: Enable UFW
-  community.general.ufw:
-    state: enabled
+  with_items:
+    - { direction: 'incoming', policy: "{{ ufw_default_incoming }}" }
+    - { direction: 'outgoing', policy: "{{ ufw_default_outgoing }}" }
+  notify: enable ufw

roles/01-server_hardening/tasks/05-configure-fail2ban.yml

@@ -1,23 +1,9 @@
 ---
-- name: Install fail2ban
-  ansible.builtin.apt:
-    name: fail2ban
-    state: present
-  when: ansible_os_family == "Debian"
-
-- name: Configure fail2ban jail
+- name: Configuration Fail2Ban
   ansible.builtin.template:
-    src: fail2ban.jail.local.j2
-    dest: "{{ fail2ban_config_dir }}/jail.local"
+    src: fail2ban-jail.local.j2
+    dest: "{{ fail2ban_config_path }}"
     owner: root
     group: root
     mode: '0644'
-    backup: yes
-  notify: restart fail2ban service
-
-- name: Ensure fail2ban is started and enabled
-  ansible.builtin.systemd:
-    name: fail2ban
-    state: started
-    enabled: yes
-    daemon_reload: yes
+  notify: restart fail2ban

roles/01-server_hardening/tasks/06-manage-ssh-keys.yml

@@ -1,17 +1,8 @@
 ---
-- name: Create .ssh directory for ansible user
-  ansible.builtin.file:
-    path: /home/ansible/.ssh
-    state: directory
-    owner: ansible
-    group: ansible
-    mode: '0700'
-
-- name: Add SSH keys for administrators
+- name: Ajout des clés SSH pour les administrateurs
   ansible.posix.authorized_key:
-    user: ansible
+    user: "{{ item.user }}"
     state: present
     key: "{{ item.key }}"
-    comment: "{{ item.name }}"
-  loop: "{{ admin_ssh_keys | default([]) }}"
-  when: admin_ssh_keys is defined
+    comment: "{{ item.comment | default('Admin key') }}"
+  with_items: "{{ admin_ssh_keys | default([]) }}"

roles/01-server_hardening/tasks/07-additional-security.yml

@@ -1,9 +0,0 @@
----
-- name: Configure kernel parameters for security
-  ansible.posix.sysctl:
-    name: "{{ item.name }}"
-    value: "{{ item.value }}"
-    state: present
-    reload: yes
-  loop: "{{ hardening_sysctl_settings }}"
-  notify: reload sysctl settings

roles/01-server_hardening/tasks/main.yml

@@ -1,23 +1,21 @@
 ---
-- name: restart ssh
-  ansible.builtin.systemd:
-    name: sshd
-    state: restarted
-    daemon_reload: true
-  listen: restart ssh service
+# Tâches principales du durcissement serveur
+- import_tasks: 01-update-system.yml
+  tags: [hardening, system-update]
 
-- name: restart fail2ban
-  ansible.builtin.systemd:
-    name: fail2ban
-    state: restarted
-    daemon_reload: true
-  listen: restart fail2ban service
+- import_tasks: 02-install-security-packages.yml
+  tags: [hardening, packages]
 
-- name: reload ufw
-  community.general.ufw:
-    state: reloaded
-  listen: reload firewall
+- import_tasks: 03-configure-ssh.yml
+  tags: [hardening, ssh]
 
-- name: reload sysctl
-  ansible.builtin.command: sysctl -p
-  listen: reload sysctl settings
+- import_tasks: 04-configure-firewall.yml
+  tags: [hardening, firewall]
+  when: firewall_enabled | default(true)
+
+- import_tasks: 05-configure-fail2ban.yml
+  tags: [hardening, fail2ban]
+  when: fail2ban_enabled | default(true)
+
+- import_tasks: 06-manage-ssh-keys.yml
+  tags: [hardening, ssh-keys]