Introduces a single, idempotent baseline role to supersede the overlapping day0-baseline and common roles. Capabilities are feature-flagged so they can be toggled per-host: - packages (common + OS-family + per-host extras) - timezone + locale - chrony time sync against sundial - baseline users (jarvis admin account with SSH key + NOPASSWD sudo) - SSH hardening via /etc/ssh/sshd_config.d/ drop-in - unattended security upgrades (Debian family) - sysctl drop-in at /etc/sysctl.d/99-mk-labs.conf - journald retention caps - branded MOTD Ubuntu/Debian is first-class; vars/RedHat.yml provides a placeholder for future distros via the ansible_os_family pattern. The legacy day0-baseline and common roles remain in place for now and will be removed during the playbook cleanup sweep, alongside the existing playbook naming inconsistencies.
27 lines
1008 B
Django/Jinja
27 lines
1008 B
Django/Jinja
// {{ ansible_managed }}
|
|
// mk-labs unattended-upgrades policy
|
|
|
|
Unattended-Upgrade::Allowed-Origins {
|
|
{% if baseline_unattended_security_only %}
|
|
"${distro_id}:${distro_codename}-security";
|
|
"${distro_id}ESMApps:${distro_codename}-apps-security";
|
|
"${distro_id}ESM:${distro_codename}-infra-security";
|
|
{% else %}
|
|
"${distro_id}:${distro_codename}";
|
|
"${distro_id}:${distro_codename}-security";
|
|
"${distro_id}:${distro_codename}-updates";
|
|
{% endif %}
|
|
};
|
|
|
|
Unattended-Upgrade::Package-Blacklist { };
|
|
Unattended-Upgrade::DevRelease "auto";
|
|
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
|
|
Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
|
|
Unattended-Upgrade::Remove-Unused-Dependencies "false";
|
|
|
|
Unattended-Upgrade::Automatic-Reboot "{{ baseline_unattended_auto_reboot | string | lower }}";
|
|
Unattended-Upgrade::Automatic-Reboot-WithUsers "false";
|
|
Unattended-Upgrade::Automatic-Reboot-Time "{{ baseline_unattended_auto_reboot_time }}";
|
|
|
|
Unattended-Upgrade::SyslogEnable "true";
|