Introduces a single, idempotent baseline role to supersede the overlapping day0-baseline and common roles. Capabilities are feature-flagged so they can be toggled per-host: - packages (common + OS-family + per-host extras) - timezone + locale - chrony time sync against sundial - baseline users (jarvis admin account with SSH key + NOPASSWD sudo) - SSH hardening via /etc/ssh/sshd_config.d/ drop-in - unattended security upgrades (Debian family) - sysctl drop-in at /etc/sysctl.d/99-mk-labs.conf - journald retention caps - branded MOTD Ubuntu/Debian is first-class; vars/RedHat.yml provides a placeholder for future distros via the ansible_os_family pattern. The legacy day0-baseline and common roles remain in place for now and will be removed during the playbook cleanup sweep, alongside the existing playbook naming inconsistencies.
121 lines
4.4 KiB
YAML
121 lines
4.4 KiB
YAML
---
|
|
# ============================================================================
|
|
# linux-baseline role defaults
|
|
# ============================================================================
|
|
# This role applies an idempotent baseline to any Linux host in mk-labs.
|
|
# Ubuntu is the first-class target; other distributions plug in via
|
|
# vars/<ansible_os_family>.yml.
|
|
# ============================================================================
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# Feature flags - each capability can be toggled independently
|
|
# ---------------------------------------------------------------------------
|
|
baseline_features:
|
|
packages: true
|
|
timezone: true
|
|
time_sync: true
|
|
ssh_hardening: true
|
|
users: true
|
|
unattended_upgrades: true
|
|
sysctl: true
|
|
journald: true
|
|
motd: true
|
|
# Off by default: a full apt/dnf upgrade is intrusive. Use the dedicated
|
|
# day2 update playbook for that. Security patches are handled by
|
|
# unattended-upgrades.
|
|
full_upgrade: false
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# Locale & time
|
|
# ---------------------------------------------------------------------------
|
|
baseline_timezone: America/Chicago
|
|
baseline_locale: en_US.UTF-8
|
|
baseline_ntp_server: sundial.local.mk-labs.cloud
|
|
baseline_ntp_fallback_pool: 2.pool.ntp.org
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# Packages
|
|
# ---------------------------------------------------------------------------
|
|
# Distribution-agnostic baseline. Distro-specific additions are merged in
|
|
# from vars/<family>.yml at runtime.
|
|
baseline_packages_common:
|
|
- curl
|
|
- wget
|
|
- vim
|
|
- htop
|
|
- git
|
|
- jq
|
|
- unzip
|
|
- rsync
|
|
- ca-certificates
|
|
- gnupg
|
|
- net-tools
|
|
- dnsutils
|
|
- acl
|
|
- tree
|
|
- tmux
|
|
|
|
# Per-host opt-in extras. Set in host_vars or group_vars.
|
|
baseline_packages_extra: []
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# Baseline users
|
|
# ---------------------------------------------------------------------------
|
|
# 'jarvis' is the universal admin / automation account that this role
|
|
# provisions on every host. Service users (e.g. 'cast' for podman
|
|
# workloads) are created by their respective application roles, not here.
|
|
baseline_users:
|
|
- name: jarvis
|
|
comment: "JARVIS automation account"
|
|
shell: /bin/bash
|
|
groups: "{{ baseline_sudo_group }}"
|
|
sudo_nopasswd: true
|
|
ssh_authorized_keys:
|
|
- "{{ jarvis_ssh_public_key }}"
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# SSH hardening
|
|
# ---------------------------------------------------------------------------
|
|
# Delivered as a drop-in under /etc/ssh/sshd_config.d/ rather than editing
|
|
# the main config file. Safer to re-apply, easier to remove.
|
|
baseline_ssh_permit_root_login: "no"
|
|
baseline_ssh_password_authentication: "no"
|
|
baseline_ssh_pubkey_authentication: "yes"
|
|
baseline_ssh_permit_empty_passwords: "no"
|
|
baseline_ssh_x11_forwarding: "no"
|
|
baseline_ssh_client_alive_interval: 300
|
|
baseline_ssh_client_alive_count_max: 2
|
|
baseline_ssh_max_auth_tries: 4
|
|
baseline_ssh_login_grace_time: 30
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# Unattended security upgrades (apt / dnf-automatic)
|
|
# ---------------------------------------------------------------------------
|
|
baseline_unattended_security_only: true
|
|
baseline_unattended_auto_reboot: false
|
|
baseline_unattended_auto_reboot_time: "03:00"
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# sysctl
|
|
# ---------------------------------------------------------------------------
|
|
# Light hand here. The kernel defaults are generally sensible; we tune
|
|
# only what consistently bites us in a homelab.
|
|
baseline_sysctl:
|
|
vm.swappiness: 10
|
|
fs.inotify.max_user_watches: 524288
|
|
fs.inotify.max_user_instances: 512
|
|
net.ipv4.tcp_keepalive_time: 600
|
|
net.ipv4.tcp_keepalive_intvl: 60
|
|
net.ipv4.tcp_keepalive_probes: 6
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# journald retention caps
|
|
# ---------------------------------------------------------------------------
|
|
baseline_journald_max_use: "1G"
|
|
baseline_journald_max_retention: "30day"
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# MOTD branding
|
|
# ---------------------------------------------------------------------------
|
|
baseline_motd_banner: "mk-labs"
|