-
Notifications
You must be signed in to change notification settings - Fork 24
/
main.yml
395 lines (378 loc) · 20 KB
/
main.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
##### COMMON/GENERAL SYSTEM SETTINGS #####
##### HOSTNAME #####
# yes/no: update hostname using ansible inventory name
setup_hostname: yes
##### DNS RESOLVER #####
# update DNS nameserver settings (resolv.conf) (yes/no)
setup_dns: no
# list of DNS nameservers IP addresses
# Example:
# dns_nameservers:
# - "1.1.1.1"
# - "1.0.0.1"
dns_nameservers: []
##### HOSTS FILE #####
# update hosts file (yes/no)
setup_hosts_file: yes
# list of hosts to add/remove from the hosts file
# Example:
# hosts_file_entries:
# - ip_address: "10.0.0.1"
# hostname: "srv01.example.org"
# state: present # optional, absent/present, default present
# - ip_address: "10.0.0.2"
# hostname: "srv02.example.org mail.example.org"
# - ip_address: "1.2.3.4"
# state: absent
hosts_file_entries: []
##### SYSCTL/KERNEL CONFIGURATION #####
# update sysctl settings (yes/no)
setup_sysctl: yes
# Enable/disable packet forwarding between network interfaces (routing) (yes/no)
sysctl_allow_forwarding: no
# answer ICMP pings (yes/no)
sysctl_answer_ping: no
# "swappiness" setting. 100: swap/reclaim RAM aggressively. 0: do not swap unless necessary
sysctl_vm_swappiness: '10'
# "VFS cache pressure" setting. 100+ : prefer caching memory pages over disk cache
sysctl_vm_vfs_cache_pressure: '150'
# yes/no: enable/disable creation of core dumps on kernel crashes
# These are usually not needed and may contain sensitive information
kernel_enable_core_dump: no
# no/yes: configure /proc mountpoint to hide processes from other users
# setting this to yes will likely break monitoring/process diagnostic tools (ps, htop, netdata...)
kernel_proc_hidepid: no
# list of kernel modules to prevent from being loaded
kernel_modules_blacklist:
- dccp # CIS 3.4.1 Ensure DCCP is disabled
- sctp # CIS 3.4.2 Ensure SCTP is disabled
- rds # CIS 3.4.3 Ensure RDS is disabled
- tipc # 3.4.4 Ensure TIPC is disabled
- firewire-ohci # disable IEEE 1394 (FireWire) Support
- firewire-core # disable IEEE 1394 (FireWire) Support
- cpia2 # CPiA2 cameras
- floppy # floppy drives
- n_hdlc # HDLC line discipline
- pcspkr # PC speaker/beep
- thunderbolt # thunderbolt devices
- cramfs # CIS 1.1.1.5 mounting of squashfs filesystems is disabled
- freevxfs # CIS 1.1.1.1 mounting of freevxfs filesystems is disabled
- hfs # CIS 1.1.1.3 mounting of hfs filesystems is disabled
- hfsplus # CIS 1.1.1.4 mounting of hfsplus filesystems is disabled
- jffs2 # CIS 1.1.1.2 mounting of jffs2 filesystems is disabled
- udf # CIS 1.1.1.6 mounting of udf filesystems is disabled
# - soundcore # audio input/output
# - usb-midi # USB MIDI
# - usb-storage # CIS 1.1.10 disable USB storage - prevents usage of USB mass storage
# - bluetooth # bluetooth support, STIG V-38682
# - bnep # bluetooth support, STIG V-38682
# - btusb # bluetooth support, STIG V-38682
# - net-pf-31 # bluetooth support, STIG V-38682
# - uvcvideo # UVC video devices
# - v4l2_common # V4L2 video devices
# - vfat # 1.1.1.7 mounting of FAT filesystems is limited - prevents EFI boot
# - squashfs # CIS 1.1.1.5 mounting of squashfs filesystems is disabled
### PACKAGE MANAGEMENT ###
# yes/no: setup APT sources (security, backports) and automatic security upgrades
setup_apt: yes
# yes/no: enable contrib non-free and non-free-firmware software sections in debian APT repositories
apt_enable_nonfree: no
# clean downloaded package archives (apt clean) every n-days (0=disable)
apt_clean_days: 7
# yes/no: automatically remove (purge) configuration files of removed packages, nightly
apt_purge_nightly: yes
# automatic upgrades: allow unattended upgrades from the following sources (see 50unattended-upgrades.j2)
# these settings have no effect if corresponding repositories are not enabled/configured
apt_unattended_upgrades_origins_patterns:
- "origin=Debian,codename=${distro_codename},label=Debian" # Debian stable
- "origin=Debian,codename=${distro_codename}-updates" # Debian stable point release
- "origin=Debian,codename=${distro_codename}-proposed-updates" # Debian stable proposed updates
- "origin=Debian,codename=${distro_codename}-security,label=Debian-Security" # Debian security
- "origin=Debian Backports,codename=${distro_codename}-backports,label=Debian Backports" # Debian backports
- "origin=Netdata,label=Netdata" # nodiscc.xsrv.monitoring_netdata
- "origin=Jellyfin,site=repo.jellyfin.org" # nodiscc.xsrv.jellyfin
- "o=Freight,a=stable,site=packages.graylog2.org" # nodiscc.xsrv.graylog
- "o=mongodb,a=jammy,site=repo.mongodb.org" # nodiscc.xsrv.graylog
- "o=elastic,a=stable,site=artifacts.elastic.co" # nodiscc.xsrv.graylog
- "o=Prosody,a=stable,site=packages.prosody.im" # nodiscc.xsrv.jitsi
- "o=jitsi.org,a=stable,site=download.jitsi.org,label=Jitsi Debian packages repository" # nodiscc.xsrv.jitsi
- "o=matrix.org,site=packages.matrix.org" # nodiscc.xsrv.matrix
- "o=Proxmox,site=download.proxmox.com" # nodiscc.toolbox.proxmox
- "o=Docker,site=download.docker.com" # nodiscc.toolbox.docker
# yes/no: setup apt-listbugs
apt_listbugs: no
# what to do when apt-listbugs finds a bug in a package about to be installed (force-no (default), force-yes/force-default)
# force-no: abort the installation/upgrade as soon as bugs are found, unless bugs are listed in apt_listbugs_ignore_list
# force-yes/force-default: accept to continue with the installation/upgrade even when bugs are found
apt_listbugs_action: "force-no"
# Debian bug numbers/packages to ignore for apt-listbugs (don't let these bugs block package installation)
apt_listbugs_ignore_list:
- 909750 # https://bugs.debian.org/909750 - reason: FHS violation, not critical
- 933001 # https://bugs.debian.org/933001 - reason: plymouth is not installed
- 933749 # https://bugs.debian.org/933749 - reason: disk space not a problem on most hosts
- 935042 # https://bugs.debian.org/935042 - reason: skip-upgrade-test=yes set in monitoring role
- 967010 # https://bugs.debian.org/967010 - reason: not reproducible
- 935182 # https://bugs.debian.org/935182 - reason: only affects files on samba shares in specific setups
- 928963 # https://bugs.debian.org/928963 - reason: only affects sparc64, powerpc64, and s390x architectures
- 967010 # https://bugs.debian.org/967010 - reason: not reproducible
- 918012 # https://bugs.debian.org/918012 - reason: only affects debian 9
- 969072 # https://bugs.debian.org/969072 - reason: only happens during groff build, not when running the command
- 987570 # https://bugs.debian.org/987570 - reason: packaging bug, no impact
- 922981 # https://bugs.debian.org/922981 - reason: impact limited to new certificates, patch pending upload
- 929685 # https://bugs.debian.org/929685 - packaging bug, no impact
- 991449 # https://bugs.debian.org/991449 - not using bsd-mailx
- 994510 # https://bugs.debian.org/994510 - only affects i386 architecture
- 1000826 # https://bugs.debian.org/1000826 - only affects python 3.10
- 1003150 # https://bugs.debian.org/1003150 - distutils already installed
- 1000796 # https://bugs.debian.org/1000796 - no impact on common use cases
- 993716 # https://bugs.debian.org/993716 - IPv6 is disabled
- 945001 # https://bugs.debian.org/945001 - only affects hosts with multiple OS in grub
- 948318 # https://bugs.debian.org/948318 - old lbc6 versions are automatically removed
- 998516 # https://bugs.debian.org/998516 - only affects bridged interfaces, workaround in bug report
- 990026 # https://bugs.debian.org/990026 - MAILTO not used in cron jobs
- 1004111 # https://bugs.debian.org/1004111 - unconfirmed, unattended-upgrades failure will trigger an error report by mail
- 1003012 # https://bugs.debian.org/1003012 - fixed in point release
- 995387 # https://bugs.debian.org/994971 - only affects #994971/nvidia-driver not in use
- 992045 # https://bugs.debian.org/992045 - fixed in debian-security, local only, high RAM usage noticeable by monitoring
- 968368 # https://bugs.debian.org/968368 - option bond-master not in use
- 990428 # https://bugs.debian.org/990428 - option bond-slaves not in use
- 984574 # https://bugs.debian.org/984574 - fixed in point release, workaround in bug report
- 998008 # https://bugs.debian.org/998008 - NIS not in use
- 993578 # https://bugs.debian.org/993578 - fixed in point release, gpgconf --check-programs not used
- 990318 # https://bugs.debian.org/990318 - no impact, incomplete removal of python2
- 995115 # https://bugs.debian.org/995115 - unconfirmed, workaround is to comment out DPkg::Pre-Install-Pkgs in /etc/apt/apt.conf.d/10apt-listbugs
- 991936 # https://bugs.debian.org/991936 - fixed in point release, no workaround available
- 1016102 # https://bugs.debian.org/1016102 - edge case
- 1001276 # https://bugs.debian.org/1001276 - kFreeBSD only
- 975931 # https://bugs.debian.org/975931 - armhf only
- 1008005 # https://bugs.debian.org/1008005 - no impact when installation of recommended packages is disabled
- 1002047 # https://bugs.debian.org/1002047 - no impact when base option is present in configuration file
- 895823 # https://bugs.debian.org/895823 - only happens after purging dovecot
- 1009872 # https://bugs.debian.org/1009872 - only happens when /etc/ssl/certs/ssl-cert-snakeoil* were deleted manually
- 1019564 # https://bugs.debian.org/1019564 - unreproducible
- 1019855 # https://bugs.debian.org/1019855 - only affects 4th gen Intel Core CPUs
- 1023812 # https://bugs.debian.org/1019855 - packaging bug without impact
- 916596 # https://bugs.debian.org/916596 - not reproducible on a fresh debian installation
- 1028638 # https://bugs.debian.org/1028638 - unreproducible
- 1031336 # https://bugs.debian.org/1031336 - only affects debian sid
- 1029342 # https://bugs.debian.org/1029342 - packaging bug without impact
- 983393 # https://bugs.debian.org/983393 - ignored in bullseye, fixed in unstable
- 1035483 # https://bugs.debian.org/1035483 - minor bug leading to false positive/debsums incorrectly detecting missing file
- 993714 # https://bugs.debian.org/993714 - minor bug leading to false positive/debsums incorrectly detecting missing file
- 1037258 # https://bugs.debian.org/1037258 - unreproducible
- 1038422 # https://bugs.debian.org/1038422 - unreproducible
- 1033167 # https://bugs.debian.org/1033167 - packaging bug, no impact
- 1014503 # https://bugs.debian.org/1014503 - fixed, patch pending upload
- 1035820 # https://bugs.debian.org/1035820 - packaging bug, no impact
- 1036641 # https://bugs.debian.org/1036641 - packaging bug, no impact
- 1039668 # https://bugs.debian.org/1039668 - no impact unless chromium-browser is installed
- 1037478 # https://bugs.debian.org/1037478 - unreproducible
- 1038603 # https://bugs.debian.org/1038603 - unreproducible, specific to some GCC-based build processes
- 1030129 # https://bugs.debian.org/1030129 - unreproducible
- 1041547 # https://bugs.debian.org/1041547 - no impact unless madin deliberately sets an empty root password
- 1023748 # https://bugs.debian.org/1023748 - only affects java 20, debian 12 has java 17
- 1039472 # https://bugs.debian.org/1039472 - fixed, patch pending upload
- 1043415 # https://bugs.debian.org/1043415 - not applicable to upstream/packagecloud packages
- 1051003 # https://bugs.debian.org/1051003 - only affects pam_shield
- 1030284 # https://bugs.debian.org/1030284 - only affects arm64 architecture
- 1057715 # https://bugs.debian.org/1057715 - only affects i386 architecture
- 1061776 # https://bugs.debian.org/1061776 - only affects ssh jail on systems without rsyslog
- 1037437 # https://bugs.debian.org/1037437 - only affects ssh jail on systems without rsyslog
- 770171 # https://bugs.debian.org/770171 - only affects ssh jail on systems without rsyslog
- 862348 # https://bugs.debian.org/862348 - only affects ssh jail on systems without rsyslog
- 1058777 # https://bugs.debian.org/1058777 - licensing problem, fix available
### DATE/TIME ###
# yes/no: setup ntp time service
setup_datetime: yes
# timezone name (if commented out, timezone will not be changed)
# timezone: "Etc/UTC"
##### SSH SERVER #####
# setup/harden SSH server (yes/no)
setup_ssh: yes
# List of public SSH key files to authorize on the server for the ansible user
# Example: ['data/public_keys/john.pub', 'data/public_keys/jane.pub']
# Removing a key here does not remove it on the server!
ssh_authorized_keys: []
# a list of public keys that are never accepted by the ssh server
ssh_server_revoked_keys: []
# sshd and SFTP server log levels, respectively (QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, DEBUG3)
ssh_log_level: "VERBOSE"
ssh_sftp_loglevel: "INFO"
# allow clients to set locale/language-related environment variables (yes/no)
ssh_accept_locale_env: no
# types of SSH TCP forwarding to allow (no, local, remote, all - QUOTED)
# remote/all is required to use the host as a jumpbox
ssh_allow_tcp_forwarding: "no"
# enable/disable root SSH logins (yes/no/prohibit-password/forced-commands-only - QUOTED)
ssh_permit_root_login: "no"
# enable/disable SSH password authentication (yes, no - QUOTED)
ssh_password_authentication: "no"
##### FIREWALL #####
# setup firewall (yes/no)
setup_firewall: yes
# log rejected/dropped packets (all/unicast/broadcast/multicast/off)
firewalld_log_denied: all
# Firewalld zones
# Example:
# firewalld_zone_sources:
# - zone: internal # add 192.168.0.0/16 and 10.0.0.0/8 to the internal zone
# sources: # list of IP addresses or networks (CIDR)
# - 192.168.0.0/16
# - 10.0.0.0/8
# state: enabled # optional, enabled/disabled, default enabled
# permanent: yes # optional, yes/no, default yes
# immediate: yes # optional, yes/no, default yes
# - zone: internal # remove 172.16.0.0/12 from the internal zone
# sources:
# - 172.16.0.0/12
# state: disabled
# - zone: drop # drop all traffic coming from these addresses
# sources:
# - 10.11.12.13/24
# - 15.8.4.6
# - zone: ldap-clients # custom zone, incoming traffic from specific hosts
# sources:
# - 192.168.1.2
# - 192.168.1.3
# - zone: delete-this-zone
# delete: yes # set delete: yes to completely delete the zone
firewalld_zone_sources:
- zone: internal # add all RFC1918 addresses to the internal zone
sources:
- 192.168.0.0/16
- 172.16.0.0/12
- 10.0.0.0/8
# Services to allow in firewalld zones
# Example:
# firewalld_zone_services:
# - zone: public # firewall zone to configure
# services: # list of services to add/remove from the zone
# - ssh
# state: disabled # optional, enabled/disabled, default enabled, set to disabled to remove a rule
# permanent: yes # optional, yes/no, default yes
# immediate: yes # optional, yes/no, default yes
# - zone: internal
# services:
# - dns # allow DNS from the internal zone
# - zone: ldap-clients # allow traffic for a specific service from a zone
# services:
# - ldap
# - ldaps
firewalld_zone_services:
- zone: public
services:
- ssh # allow SSH from anywhere
- zone: internal
services:
- ssh # allow SSH from internal zone
- zone: public
services:
- dhcpv6-client # remove dhcpv6-client rule from the default public zone
state: disabled
# additional firewalld configuration - https://docs.ansible.com/ansible/latest/collections/ansible/posix/firewalld_module.html
firewalld: []
### FAIL2BAN ###
# setup fail2ban bruteforce detection/prevention system (yes/no)
setup_fail2ban: yes
# list of IPs to never ban - 127.0.0.1 is always whitelisted
fail2ban_ignoreip:
- '10.0.0.0/8'
- '192.168.0.0/16'
- '172.16.0.0/12'
# fail2ban default ban duration (in seconds or time abbreviation format)
fail2ban_default_bantime: "1year"
# fail2ban: default interval (in seconds or time abbreviation format) before counting failures towards a ban
fail2ban_default_findtime: "10min"
# fail2ban default number of failures that have to occur in the last findtime to ban the IP
fail2ban_default_maxretry: 3
### LINUX USERS ###
# setup user accounts/PAM configuration (yes/no)
setup_users: yes
# Additional user accounts to create.
# Supports these parameters from the user (https://docs.ansible.com/ansible/latest/modules/user_module.html) module:
# name, password, comment, create_home, home, groups, append, generate_ssh_key, update_password
# In addition these optional parameters are supported:
# ssh_authorized_keys: list of public key files to authorize on this account
# sudo_nopasswd_commands: list of commands the user should be able to run with sudo without password
# Example:
# linux_users:
# - name: "remotebackup"
# groups: [ "ssh-access", "sudo" ]
# comment: "limited user account for remote backups"
# ssh_authorized_keys: ['data/public_keys/[email protected]']
# home: "/home/remotebackup"
# sudo_nopasswd_commands: ['/usr/bin/rsync']
# - name: "my-sftp-account"
# home: "/var/lib/sftp/my-sftp-account"
# comment: "SFTP-only account"
# ssh_authorized_keys: [ "data/public_keys/[email protected]", "data/public_keys/[email protected]" ]
# groups: [ 'ssh-access', 'sftponly' ]
# - name: "{{ ansible_user }}"
# groups: adm
# append: yes
# comment: "ansible user/allowed to read system logs"
# - name: bob
# groups: ['ssh-access', 'sudo']
# password: "{{ bob_ssh_password }}"
# comment: "SSH account for bob, root access via sudo"
linux_users: []
# allow ansible connecting user to run 'sudo rsync' without password (yes/no)
# Required to use the ansible synchronize module, and download files generated by the backup role
ansible_user_allow_sudo_rsync_nopasswd: yes
# kill user processes when an interactive user logs out (yes/no)
systemd_logind_kill_user_processes: yes
# do not kill processes on logout for these users
systemd_logind_kill_exclude_users: ['root']
# time after which idle interactive login sessions are automatically closed (minutes, set to 0 to disable)
systemd_logind_lock_after_idle_min: 0
# terminate interactive bash processes after this number of seconds if no input is received (set to 0 to disable)
bash_timeout: 900
### CRON TASK SCHEDULER ###
# (yes/no): setup cron permission restrictions/logging options
setup_cron: yes
# list of users allowed to use crontab for task scheduling
linux_users_crontab_allow: ['root']
# cron jobs log level (cumulative, https://manpages.debian.org/bookworm/cron/cron.8.en.html#OPTIONS)
cron_log_level: 7
### OUTGOING MAIL ###
# (yes/no) install outgoing system mail (msmtp)
setup_msmtp: no
# following msmtp_* variables are required is setup_msmtp: yes
# mail relay (SMTP server) address/port/username/password
msmtp_host: "smtp.CHANGEME.org"
msmtp_port: 587
msmtp_username: "CHANGEME"
msmtp_password: "CHANGEME"
# mail address to send administrator email to (multiple recipients can be added, separated by ', ')
msmtp_admin_email: "CHANGEME"
# (auto/[email protected]) sender address for outgoing mail
msmtp_from: 'auto'
# enable SMTP authentication (LOGIN) (yes/no)
msmtp_auth_enabled: yes
# yes/no: enable STARTTLS connection to the SMTP server
msmtp_tls_enabled: yes
# yes/no: enforce checking for valid server TLS certificates
msmtp_tls_certcheck: yes
# yes/no: use STARTTLS
msmtp_starttls: yes
# (optional) TLS certificate fingerprint of the SMTP server. use this to accept a self-signed certificate. get the server's certificate fingerprint with openssl s_client -connect $smtp_host:587 -starttls smtp < /dev/null 2>/dev/null |openssl x509 -fingerprint -noout
# msmtp_host_fingerprint: '11:22:33:44:55:66:77:88:99:00:13:37:AA:BB:CC:DD:EE:FF:AD:C2'
# the user to forward all local root mail to, if msmtp setup is disabled
mail_root_alias: "{{ ansible_user }}"
### PACKAGES ###
# additional packages to install (list)
packages_install:
- atool # single tool to manipulate all archives/compressed file formats
- less # a pager like 'more'
- tree # show filesystems as a tree
- rsync # fast/powerful file transfer utility
- locate # maintain and query an index of a directory tree
- man # view manual pages
- at # task scheduler - required for ansible at module/one-shot job scheduling
- bash-completion # completion for the bash shell
# packages to remove (list)
packages_remove:
- snapd
# - rpcbind # not an NFS server
# - nfs-common # not an NFS server
# - exim4-base # use a smarthost/msmtp