1 hardening
Luca Matteo Spoljarevic edited this page 2026-02-27 21:40:24 +01:00

hardening (configuration)

Location: configuration/hardening/

RHEL 10 baseline playbook: hardening, base packages, firewall, SSH, logging, backups, and optional TLS/monitoring. Marked in the playbook as NOT TESTED WRITTEN BY AI; review and test in a safe environment before production use.


What it does (overview)

  1. Base stack: installs common packages (curl, wget, vim, git, btop, cockpit, firewalld, fail2ban, rsync, etc.), a web server (nginx or apache), PHP, a database (MariaDB or PostgreSQL), and Redis.
  2. Firewalld: enables firewalld, sets the default zone, and opens ports (SSH, 80, 443, Netdata, Cockpit, etc.).
  3. SSH hardening: custom port, no root login, no password authentication, fail2ban jail.
  4. Users: creates the admin user/group with passwordless sudo (change the default password in vars).
  5. Disks (optional): mounts unmounted block devices under /mnt and adds fstab entries.
  6. TLS / Nginx: Certbot (optional), self-signed certificate fallback, security headers, example SSL vhost (requires the template nginx_default_ssl.j2).
  7. Netdata: installs via the official script and enables the service.
  8. Rsyslog: forwards logs to a remote syslog server (configure host/port in vars).
  9. Backups: daily cron job that takes an rsync snapshot of /etc, /var/www and /home into a backup directory, with retention.
  10. Sysctl: applies performance- and security-related kernel parameters.

Files

  File          Purpose
  osconfig.yml  Single playbook containing all tasks and handlers.

Configuration

Edit the vars section at the top of osconfig.yml:

  • common_packages, web_server, php_packages, db_engine, redis_package
  • admin_user, admin_group
  • ssh_port, ssh_permit_root_login, ssh_password_authentication
  • firewall_allowed_ports
  • remote_syslog_host, remote_syslog_port
  • backup_src, backup_dest, backup_retention_days
  • sysctl_params

Replace the default admin password and any placeholder hostnames/URLs (e.g. logs.example.com, TLS common name).
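As an added illustration (not the project's osconfig.yml), this is how the SSH-hardening step can be ordered so that SELinux and firewalld admit the new port before sshd is restarted on it; the variable names come from the vars list above, while the host group name, port value and task layout are assumptions.

```yaml
# Added illustration, not the project's osconfig.yml: SSH hardening ordered
# so the new port is reachable (SELinux + firewalld) before sshd restarts.
- name: SSH hardening (illustrative excerpt)
  hosts: rhel10            # assumed inventory group
  become: true
  vars:
    ssh_port: 2222         # same variable names as the playbook's vars section
    ssh_permit_root_login: "no"          # quoted: bare no is a YAML boolean
    ssh_password_authentication: "no"
  tasks:
    - name: Allow the custom SSH port in SELinux (RHEL enforces ssh_port_t)
      community.general.seport:
        ports: "{{ ssh_port }}"
        proto: tcp
        setype: ssh_port_t
        state: present

    - name: Open the custom SSH port in firewalld before sshd moves to it
      ansible.posix.firewalld:
        port: "{{ ssh_port }}/tcp"
        permanent: true
        immediate: true
        state: enabled

    - name: Apply sshd_config settings, validated before the file is written
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "^#?{{ item.key }}\\s"
        line: "{{ item.key }} {{ item.value }}"
        validate: /usr/sbin/sshd -t -f %s   # refuse a config sshd cannot parse
      loop:
        - { key: Port, value: "{{ ssh_port }}" }
        - { key: PermitRootLogin, value: "{{ ssh_permit_root_login }}" }
        - { key: PasswordAuthentication, value: "{{ ssh_password_authentication }}" }
      notify: restart sshd

  handlers:
    # Handlers run after all tasks, so the port is already open when sshd restarts.
    - name: restart sshd
      ansible.builtin.service:
        name: sshd
        state: restarted
```

Keep your current session open and confirm a new login on the custom port succeeds before closing it; the old port is still in firewall_allowed_ports until you remove it.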


How to run

ansible-playbook -i inventory.ini configuration/hardening/osconfig.yml -K

Ensure your inventory targets the correct RHEL 10 hosts. The playbook references a template nginx_default_ssl.j2 when web_server == 'nginx'; create it, or adjust that task, if you choose nginx.