Adding ansible section

ansible/roles/bastion/templates/auth.conf.j2

@@ -0,0 +1,2 @@
+#{{ ansible_managed }}
+auth,authpriv.* @{{ log_server }}

ansible/roles/bastion/templates/nftables.conf.j2

@@ -0,0 +1,32 @@
+#{{ ansible_managed }}
+
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+        chain input {
+                type filter hook input priority 0; policy drop;
+                iifname lo accept;
+
+                tcp dport 22 accept;
+                icmp type echo-request accept;
+                # established/related connections
+                ct state established,related accept
+        }
+        chain forward {
+                type filter hook forward priority 0; policy drop;
+        }
+        chain output {
+                type filter hook output priority 0; policy drop;
+
+                iifname lo accept;
+                tcp dport 22 accept;
+                tcp dport {80, 443, 9200} accept;
+                tcp dport {53, 123} accept;
+                udp dport {53, 123, 1514} accept;
+                icmp type echo-request accept;
+                # established/related connections
+                ct state established,related accept;
+        }
+}

ansible/roles/bastion/templates/sshd.conf.j2

@@ -0,0 +1,12 @@
+# {{ ansible_managed }}
+
+[DEFAULT]
+ignoreip = {{ fail2ban_ignore_ips }}
+findtime = 3600
+bantime = 86400
+maxretry = 3
+banaction = nftables-multiport
+banaction_allports = nftables-allports
+
+[sshd]
+enabled = true

ansible/roles/bastion/templates/sshd_config.j2

@@ -0,0 +1,95 @@
+Include /etc/ssh/sshd_config.d/*.conf
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#LoginGraceTime 2m
+PermitRootLogin without-password
+#StrictModes yes
+#MaxAuthTries 3
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication no
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd no
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+ClientAliveInterval 300
+ClientAliveCountMax 3
+#UseDNS no
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# override default of no subsystems
+Subsystem	sftp	/usr/lib/openssh/sftp-server
+
+{% for item in admin_users -%}
+Match User {{ item.username }}
+{% endfor %}
+{% for item in dev_users -%}
+Match User {{ item.username }}
+{% endfor %}