Introduces a single, idempotent baseline role to supersede the overlapping day0-baseline and common roles. Capabilities are feature-flagged so they can be toggled per-host: - packages (common + OS-family + per-host extras) - timezone + locale - chrony time sync against sundial - baseline users (jarvis admin account with SSH key + NOPASSWD sudo) - SSH hardening via /etc/ssh/sshd_config.d/ drop-in - unattended security upgrades (Debian family) - sysctl drop-in at /etc/sysctl.d/99-mk-labs.conf - journald retention caps - branded MOTD Ubuntu/Debian is first-class; vars/RedHat.yml provides a placeholder for future distros via the ansible_os_family pattern. The legacy day0-baseline and common roles remain in place for now and will be removed during the playbook cleanup sweep, alongside the existing playbook naming inconsistencies.
20 lines
984 B
Django/Jinja
20 lines
984 B
Django/Jinja
# {{ ansible_managed }}
|
|
# mk-labs SSH hardening drop-in
|
|
# Managed by Ansible - linux-baseline role
|
|
|
|
PermitRootLogin {{ baseline_ssh_permit_root_login }}
|
|
PasswordAuthentication {{ baseline_ssh_password_authentication }}
|
|
PubkeyAuthentication {{ baseline_ssh_pubkey_authentication }}
|
|
PermitEmptyPasswords {{ baseline_ssh_permit_empty_passwords }}
|
|
X11Forwarding {{ baseline_ssh_x11_forwarding }}
|
|
|
|
ClientAliveInterval {{ baseline_ssh_client_alive_interval }}
|
|
ClientAliveCountMax {{ baseline_ssh_client_alive_count_max }}
|
|
MaxAuthTries {{ baseline_ssh_max_auth_tries }}
|
|
LoginGraceTime {{ baseline_ssh_login_grace_time }}
|
|
|
|
# Prefer modern key exchange and ciphers
|
|
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
|
|
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
|
|
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
|