feat(ansible): add linux-baseline role and day0_linux_baseline playbook

Introduces a single, idempotent baseline role to supersede the
overlapping day0-baseline and common roles. Capabilities are
feature-flagged so they can be toggled per-host:

  - packages (common + OS-family + per-host extras)
  - timezone + locale
  - chrony time sync against sundial
  - baseline users (jarvis admin account with SSH key + NOPASSWD sudo)
  - SSH hardening via /etc/ssh/sshd_config.d/ drop-in
  - unattended security upgrades (Debian family)
  - sysctl drop-in at /etc/sysctl.d/99-mk-labs.conf
  - journald retention caps
  - branded MOTD

Ubuntu/Debian is first-class; vars/RedHat.yml provides a placeholder
for future distros via the ansible_os_family pattern.

The legacy day0-baseline and common roles remain in place for now and
will be removed during the playbook cleanup sweep, alongside the
existing playbook naming inconsistencies.
This commit is contained in:
Hermes Agent service account
2026-05-29 20:40:04 -05:00
parent 1dfa7889ab
commit 91b5817e5f
25 changed files with 741 additions and 0 deletions

View File

@@ -0,0 +1,26 @@
// {{ ansible_managed }}
// mk-labs unattended-upgrades policy
Unattended-Upgrade::Allowed-Origins {
{% if baseline_unattended_security_only %}
"${distro_id}:${distro_codename}-security";
"${distro_id}ESMApps:${distro_codename}-apps-security";
"${distro_id}ESM:${distro_codename}-infra-security";
{% else %}
"${distro_id}:${distro_codename}";
"${distro_id}:${distro_codename}-security";
"${distro_id}:${distro_codename}-updates";
{% endif %}
};
Unattended-Upgrade::Package-Blacklist { };
Unattended-Upgrade::DevRelease "auto";
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
Unattended-Upgrade::Remove-Unused-Dependencies "false";
Unattended-Upgrade::Automatic-Reboot "{{ baseline_unattended_auto_reboot | string | lower }}";
Unattended-Upgrade::Automatic-Reboot-WithUsers "false";
Unattended-Upgrade::Automatic-Reboot-Time "{{ baseline_unattended_auto_reboot_time }}";
Unattended-Upgrade::SyslogEnable "true";

View File

@@ -0,0 +1,5 @@
# {{ ansible_managed }}
# mk-labs sysctl baseline
{% for key, value in baseline_sysctl.items() %}
{{ key }} = {{ value }}
{% endfor %}

View File

@@ -0,0 +1,28 @@
# {{ ansible_managed }}
# Managed by Ansible - linux-baseline role
# Local edits will be overwritten.
# Primary NTP source: mk-labs internal NTP server (sundial)
server {{ baseline_ntp_server }} iburst prefer
# Fallback: public NTP pool
pool {{ baseline_ntp_fallback_pool }} iburst maxsources 2
driftfile /var/lib/chrony/chrony.drift
# Step the clock if the adjustment is >1s on the first 3 corrections
makestep 1.0 3
# Sync RTC from system clock
rtcsync
# Allow chronyd to use the keyfile for hardware refclock
{% if ansible_os_family == "Debian" %}
keyfile /etc/chrony/chrony.keys
{% else %}
keyfile /etc/chrony.keys
{% endif %}
# Log selective events
logdir /var/log/chrony
log measurements statistics tracking

View File

@@ -0,0 +1,8 @@
# {{ ansible_managed }}
# mk-labs journald retention policy
[Journal]
SystemMaxUse={{ baseline_journald_max_use }}
MaxRetentionSec={{ baseline_journald_max_retention }}
Storage=persistent
Compress=yes
ForwardToSyslog=no

View File

@@ -0,0 +1,11 @@
╔═══════════════════════════════════════════════════════════════╗
║ ║
║ {{ baseline_motd_banner }} - {{ inventory_hostname }}{{ ' ' * (50 - (baseline_motd_banner | length) - (inventory_hostname | length)) }}║
║ ║
║ {{ ansible_distribution }} {{ ansible_distribution_version }} ({{ ansible_kernel }}){{ ' ' * (53 - (ansible_distribution | length) - (ansible_distribution_version | length) - (ansible_kernel | length)) }}║
║ ║
║ Managed by Ansible. Local changes will be overwritten. ║
║ ║
╚═══════════════════════════════════════════════════════════════╝

View File

@@ -0,0 +1,19 @@
# {{ ansible_managed }}
# mk-labs SSH hardening drop-in
# Managed by Ansible - linux-baseline role
PermitRootLogin {{ baseline_ssh_permit_root_login }}
PasswordAuthentication {{ baseline_ssh_password_authentication }}
PubkeyAuthentication {{ baseline_ssh_pubkey_authentication }}
PermitEmptyPasswords {{ baseline_ssh_permit_empty_passwords }}
X11Forwarding {{ baseline_ssh_x11_forwarding }}
ClientAliveInterval {{ baseline_ssh_client_alive_interval }}
ClientAliveCountMax {{ baseline_ssh_client_alive_count_max }}
MaxAuthTries {{ baseline_ssh_max_auth_tries }}
LoginGraceTime {{ baseline_ssh_login_grace_time }}
# Prefer modern key exchange and ciphers
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com