From 8fd7f719148db44c90f9a073e1b8aa513d92dc70 Mon Sep 17 00:00:00 2001
From: Rob Watson
Date: Sat, 26 Apr 2025 16:39:03 +0200
Subject: [PATCH] feat(ansible): add system basics
---
ansible/inventory.ini | 2 +-
ansible/system_basics.yaml | 85 ++++++++++++++++++++++++++++++++++++++
2 files changed, 86 insertions(+), 1 deletion(-)
create mode 100644 ansible/system_basics.yaml
diff --git a/ansible/inventory.ini b/ansible/inventory.ini
index 3bb4618..10b34a8 100644
--- a/ansible/inventory.ini
+++ b/ansible/inventory.ini
@@ -1,2 +1,2 @@
 [ovh]
-ovh1 ansible_host=5.39.72.167 ansible_user=ubuntu
+ovh1 ansible_host=5.39.72.167 ansible_port=7511 ansible_user=ubuntu
diff --git a/ansible/system_basics.yaml b/ansible/system_basics.yaml
new file mode 100644
index 0000000..612ebf9
--- /dev/null
+++ b/ansible/system_basics.yaml
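Review bot: The inventory now targets port 7511 before anything has moved sshd there, so the first run of system_basics.yaml against a host still listening on 22 cannot connect at all. Bootstrap the initial run with `ansible-playbook -i ansible/inventory.ini -e ansible_port=22 ansible/system_basics.yaml` (extra vars override the inventory value), or keep a second host entry on port 22 for first-time provisioning; once the play has switched the port, the committed value is the right one.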
@@ -0,0 +1,85 @@
+---
+- hosts: all
+ become: true
+ tasks:
+ - name: Update apt cache
+ apt:
+ update_cache: yes
+ changed_when: false
+
+ - name: Install required packages
+ apt:
+ name:
+ - fail2ban
+ - iptables
+ state: present
+
+ - name: Ensure SSH port is set to 7511 in /etc/ssh/sshd_config
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: '^#?Port '
+ line: 'Port 7511'
+ state: present
+ backup: yes
+ notify: Restart SSH
+
+ - name: Check if ssh.socket unit exists
+ stat:
+ path: /usr/lib/systemd/system/ssh.socket
+ register: ssh_socket_unit
+
+ - name: Set ListenStream to 7511 in ssh.socket
+ lineinfile:
+ path: /usr/lib/systemd/system/ssh.socket
+ regexp: '^ListenStream='
+ line: 'ListenStream=7511'
+ backup: yes
+ when: ssh_socket_unit.stat.exists
+ notify: Reload systemd and restart ssh.socket
+
+ - name: Test sshd configuration
+ command: sshd -t
+ changed_when: false
+
+ - name: Create iptables rules file
+ copy:
+ dest: /etc/iptables.rules
+ content: |
+ *filter
+ :INPUT DROP [0:0]
+ :FORWARD DROP [0:0]
+ :OUTPUT ACCEPT [0:0]
+ -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+ -A INPUT -p tcp --dport 80 -j ACCEPT
+ -A INPUT -p tcp --dport 443 -j ACCEPT
+ -A INPUT -p tcp --dport 7511 -j ACCEPT
+ -A INPUT -i lo -j ACCEPT
+ COMMIT
+
+ - name: Apply iptables rules
+ shell: iptables-restore < /etc/iptables.rules
+ changed_when: false
+
+ - name: Ensure iptables rules are loaded on boot (Debian/Ubuntu)
+ copy:
+ dest: /etc/network/if-pre-up.d/iptablesload
+ content: |
+ #!/bin/sh
+ iptables-restore < /etc/iptables.rules
+ mode: '0755'
+
+ - name: Ensure fail2ban is started and enabled
+ service:
+ name: fail2ban
+ state: started
+ enabled: yes
+
+ handlers:
+ - name: Reload systemd and restart ssh.socket
+ shell: |
+ systemctl daemon-reload
+ systemctl restart ssh.socket
+ - name: Restart SSH
+ service:
+ name: ssh
+ state: restarted
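Review bot: The firewall is applied mid-play (`shell: iptables-restore < /etc/iptables.rules`) while sshd is still listening on 22, because the `Restart SSH` and ssh.socket handlers only fire at the end of the play; the new INPUT policy drops 22 and admits only 7511, so any failure between the iptables task and the handlers leaves the host reachable only on a port nothing listens on. Add `- meta: flush_handlers` right after the `sshd -t` task and before `Create iptables rules file` so the listener moves before the old port closes, and `validate: '/usr/sbin/sshd -t -f %s'` on the sshd_config lineinfile would make the separate test task unnecessary. The ruleset is IPv4-only; if the host has a global IPv6 address, an equivalent ip6tables policy is needed or every port stays open over v6. fail2ban's stock sshd jail uses `port = ssh` (22) for its ban action, so unless a jail.local sets `port = 7511` the bans never cover the port that is actually exposed. Editing the vendor unit `/usr/lib/systemd/system/ssh.socket` is undone by the next openssh-server upgrade; a drop-in under `/etc/systemd/system/ssh.socket.d/` containing `ListenStream=` followed by `ListenStream=7511` survives upgrades.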