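---
# Role defaults: shell/bashrc, idmap, autofs, NFS (kernel and Ganesha),
# tmpreaper, sshd, fail2ban, MOTD, cloud-init, Dell utilities and tuned.
# Values that look like booleans, numbers or sexagesimal ints ("a:b:c") are
# quoted on purpose so YAML 1.1 loaders (PyYAML/Ansible) keep them as strings.

# Bash prompt and shell history settings
#
bash_customize_skel_bashrc: false
bash_etc_skel_file: /etc/skel/.bashrc
bash_custom_skel_bashrc_file: files/skel_bashrc.sh
bash_customize_root_bashrc: false
bash_custom_root_bashrc_file: files/root_bashrc.sh
bash_root_bashrc_file: /root/.bashrc
bash_customize_root_history_settings: false
bash_custom_history_directory: /var/log/users_root_history
bash_custom_history_settings_file: files/root_bashrc_history.sh

idmap_verbosity: 0
idmap_conf_options:
  - { section: General, option: Domain, value: "{{ domain_name }}", state: present }
  - { section: General, option: Verbosity, value: "{{ idmap_verbosity }}", state: present }

# autofs mount points
autofs_client_mountpoint: false
autofs_conf_options:
  - { section: autofs, option: master_map_name, value: /etc/auto.master, state: present }
  - { section: autofs, option: timeout, value: "300", state: present }
  - { section: autofs, option: negative_timeout, value: "60", state: present }
  - { section: autofs, option: mount_nfs_default_protocol, value: "4", state: present }
  - { section: autofs, option: logging, value: none, state: present }
  - { section: amd, option: dismount_interval, value: "300", state: present }
autofs_packages_deb:
  - autofs
autofs_packages_el:
  - autofs

# path: without the initial /
autofs_maps: []
# - map_name: 'data'
#   mountpoint_prefix: '/'
#   path: 'data'
#   nfs_server: 'nfs.example.com'
#   remote_export: '/export'
#   is_home: false
#   force_ownership: false
#   owner_uid: 1000
#   owner_gid: 1000
#   permissions: "0750"

nfs_server_enabled: false
nfs_server_ganesha_enabled: "{{ nfs_server_enabled }}"
nfs_server_kernel_el_pkgs:
  - nfs-utils
  - nfs4-acl-tools
nfs_server_kernel_deb_pkgs:
  - nfs-kernel-server
  - nfs4-acl-tools
  - nfstrace
  - nfswatch
nfs_server_exports: []
# name, id, path, options, clients
# (*) indicates an optional parameter
# - name: export_filename
#   id: 1
#   path: /export
#   options: 'rw,sync,fsid=1,root_squash,no_wdelay'
#   clients:
#     - host1
#     - hostN

nfs_ganesha_conf_files:
  - ganesha.conf
nfs_server_ganesha_el_repos:
  - centos-release-nfs-ganesha28
  - centos-release-ceph-nautilus
nfs_server_ganesha_el_pkgs:
  - nfs-utils
  - nfs4-acl-tools
  - nfs-ganesha
  - nfs-ganesha-vfs
  - librados2
nfs_server_ganesha_deb_pkgs:
  - nfs-ganesha
  - nfs-ganesha-vfs
  - nfs-ganesha-xfs
# Protocols = 3,4,9P;
nfs_server_ganesha_server_protocols: "4"
nfs_server_ganesha_path_pseudo: false
nfs_server_ganesha_mdcache: false
nfs_server_ganesha_mdcache_hwmark: 100000
nfs_server_ganesha_exports: []
# name, id, path, pseudo_path, access_type (RW, RO), protocols (global),
# squash (true,false), disable_acl (true,false), sectype, fsal (VFS, XFS), clients
# (*) indicates an optional parameter
# - name: export_filename
#   id: 1
#   path: /export
#   pseudo: /nfs_export
#   access_type(*): 'RW'
#   protocols(*): '{{ nfs_server_ganesha_server_protocols }}'
#   squash(*): 'root_squash'
#   disable_acl(*): 'false'
#   sectype(*): 'sys'
#   nfs_commit(*): 'false'
#   delegations(*): 'none'
#   fsal: 'VFS'
#   clients:
#     - host1
#     - hostN

# tmpreaper
tmpreaper_install: false
tmpreaper_use_ctime: true
tmpreaper_protect_extra: ""
tmpreaper_dirs: /tmp/.
tmpreaper_extra_dirs: ""
tmpreaper_delay: "256"
tmpreaper_additional_options: ""
tmpreaper_time: 7d

#
# SSHD Configuration
#
# OpenSSH versions by distribution:
#   Ubuntu 20.04 (Focal): 8.2 | Ubuntu 22.04 (Jammy): 8.9 | Ubuntu 24.04 (Noble): 9.6
#   Debian 11 (Bullseye): 8.4 | Debian 12 (Bookworm): 9.2
#   EL 8: 8.0 | EL 9: 8.7 | EL 10: 9.8
#
sshd_install_config: true
sshd_port: 22
sshd_config_dir: /etc/ssh
sshd_config_file: sshd_config

# Basic authentication settings
# sshd keywords take the literal strings "yes"/"no", so these stay quoted
# strings rather than YAML booleans.
sshd_password_authentication: "no"
sshd_permit_empty_passwords: "no"
# "no", "yes", "prohibit-password", or "without-password" (legacy alias for prohibit-password)
sshd_permit_root_login: prohibit-password
sshd_strict_mode: "yes"
sshd_pubkey_authentication: "yes"
sshd_max_auth_tries: 6
sshd_max_sessions: 10

# Login timing
sshd_login_grace_time: 120

# PAM settings
# If set to no, locked users cannot log in. adduser creates users without a password as locked
sshd_use_pam: "yes"
# PAM service name (OpenSSH 9.8+, Portable OpenSSH only)
# Allows selecting the PAM service name at runtime. Defaults to "sshd" if not set.
sshd_pam_service_name: ""
# Keyboard-interactive authentication (formerly ChallengeResponseAuthentication)
# Use "yes" only if you are using s/key, OTP, or similar
# Note: ChallengeResponseAuthentication was renamed to KbdInteractiveAuthentication in OpenSSH 8.7
sshd_kbd_interactive_authentication: "no"

# Tunneling and forwarding
sshd_permit_tunnel: "no"
sshd_x11_forwarding: "no"
sshd_x11_display_offset: 10
# Agent forwarding is on by default here; hosts that do not need it should
# override this to "no", since a compromised server can use a forwarded agent.
sshd_agent_forwarding: "yes"
sshd_tcp_forwarding: "no"
sshd_permit_user_environment: "no"
sshd_gateway_ports: "no"

# GSSAPI options
sshd_gssapi_authentication: "no"
sshd_gssapi_cleanup_credentials: "yes"

# Logging
sshd_syslog_facility: AUTH
sshd_log_level: INFO

# Connection settings
sshd_tcp_keep_alive: "yes"
sshd_client_alive_interval: 0
sshd_client_alive_count_max: 3
# MaxStartups: start:rate:full - connections refused above 'full', rate% dropped between start and full
# Quoted: digit-and-colon values can be read as sexagesimal integers by YAML 1.1 loaders.
sshd_max_startups: "10:30:100"

# Display settings
sshd_print_motd: "no"
sshd_print_last_log: "yes"
# Usually /etc/issue.net, or "none" to disable
sshd_banner_path: none

# Environment
# Quoted so the "*" glob is never mistaken for a YAML alias.
sshd_acceptenv: "LANG LC_*"

# Host-based authentication (generally disabled for security)
sshd_hostbased_authentication: "no"
sshd_ignore_rhosts: "yes"
sshd_ignore_user_known_hosts: "no"

# DNS (set to "no" for faster connections when DNS is slow)
sshd_use_dns: "no"

#
# Version-specific options (OpenSSH 8.2+)
# These are only included when supported by the distribution's OpenSSH version
#
# Include additional configuration files (OpenSSH 8.2+)
# Set to true to include /etc/ssh/sshd_config.d/*.conf
sshd_include_config_d: true

# Per-source rate limiting (OpenSSH 8.5+)
# Maximum unauthenticated connections per source IP
sshd_per_source_max_startups: ""
# CIDR block size for grouping source IPs (IPv4, e.g., 24 for /24)
sshd_per_source_net_block_size: ""

#
# Version-specific options (OpenSSH 9.x+)
#
# Minimum RSA key size in bits (OpenSSH 9.1+)
# Recommended: 2048 or 3072 for better security
sshd_required_rsa_size: ""
#
# Channel timeout (OpenSSH 9.2+)
# Close channels after inactivity, e.g., "session:*=30m" or "x11-connection=5m"
sshd_channel_timeout: ""
# Unused connection timeout (OpenSSH 9.2+)
# Close connections with no open channels after this time
sshd_unused_connection_timeout: ""

# Penalty-based rate limiting (OpenSSH 9.8+)
# Configures penalty thresholds and durations for connection rate limiting
# Format: "crash:N refuseconnection:N noauth:N grace-exceeded:N max:M min:S"
sshd_per_source_penalties: ""
# List of addresses/networks exempt from penalties, e.g., "192.168.1.0/24,10.0.0.0/8"
sshd_per_source_penalty_exempt_list: ""

#
# Host keys - automatically configured based on distribution
# Override these only if you have custom key paths
#
sshd_host_keys:
  - /etc/ssh/ssh_host_rsa_key
  - /etc/ssh/ssh_host_ecdsa_key
  - /etc/ssh/ssh_host_ed25519_key

#
# Ciphers, MACs, and Key Exchange algorithms
# Leave empty to use distribution defaults (recommended)
# Only set these if you need to restrict to specific algorithms
#
sshd_ciphers: ""
sshd_macs: ""
sshd_kex_algorithms: ""
sshd_host_key_algorithms: ""

#
# SFTP configuration
#
sshd_enable_sftp_subsystem: true
sshd_enable_sftp_jail: false
sshd_sftp_chroot_match_group: filetransfer
sshd_sftp_chroot_directory: "%h"
sshd_sftp_force_command: internal-sftp

#
# Additional Match blocks (advanced)
# List of match blocks, each with: criteria, and options (list of key: value)
#
sshd_match_blocks: []
# Example:
# sshd_match_blocks:
#   - criteria: "User admin"
#     options:
#       - PasswordAuthentication: "yes"
#       - AllowTcpForwarding: "yes"
#   - criteria: "Address 10.0.0.0/8"
#     options:
#       - PermitRootLogin: "yes"

#
# Fail2ban Configuration (Debian/Ubuntu)
#
fail2ban_enabled: true
# ban time in seconds. 86400 == 1 day
f2b_ban_time: 86400
f2b_findtime: 600
f2b_maxretry: 5
f2b_ddos_findtime: 120
f2b_ddos_maxretry: 200
f2b_default_backend: auto
f2b_usedns: warn
# Jinja expressions are quoted per Ansible convention so an empty expansion
# cannot turn the value into null.
f2b_dest_email: "sysadmin@{{ domain_name }}"
f2b_sender_email: "sysadmin@{{ domain_name }}"
f2b_default_banaction: iptables-multiport
# Default action: ban only, do not send email
f2b_default_action: action_
f2b_default_iptableschain: INPUT
f2b_ssh_enabled: true
f2b_ssh_ddos_enabled: true
f2b_apache_ddos_enabled: false
f2b_apache_auth_enabled: false
f2b_apache_noscript_enabled: false
f2b_apache_overflow_enabled: false
f2b_php_url_fopen: false
f2b_nginx_auth_enabled: false
f2b_nginx_ddos_enabled: false
f2b_vsftpd_enabled: false
f2b_vsftpd_logpath: /var/log/vsftpd.log
f2b_recidive_enabled: true
# 604800: one week
f2b_recidive_findtime: 604800
# 14515200: 24 weeks
f2b_recidive_ban_time: 14515200
f2b_packages_deb:
  - fail2ban
  - iptables

#
# Fail2ban Configuration (EL/RedHat)
#
fail2ban_logtarget: SYSLOG
# 600000 seconds is roughly 6.9 days
fail2ban_bantime: 600000
fail2ban_findtime: 4800
fail2ban_maxretry: 2
fail2ban_sshd_enabled: true
fail2ban_sshd_ddos_enabled: true
fail2ban_nginx_auth_enabled: false
fail2ban_apache_auth_enabled: false
fail2ban_php_url_fopen_enabled: false
fail2ban_vsftpd_enabled: false
f2b_packages_el:
  - fail2ban
  - fail2ban-server
  - fail2ban-systemd
  - fail2ban-firewalld
  - fail2ban-sendmail

#
# MOTD Configuration
#
motd_setup: true
motd_additional_text: "\nThis host runs services\n"
deb_motd_packages:
  - update-notifier-common
  - landscape-common

#
# Cloud-init Configuration
#
cloud_init_disable_netconfig: false
cloud_init_remove_pkg: true

#
# Dell Server Utilities
#
# NOTE(review): this bootstrap script is fetched over plain HTTP, so its
# integrity is not protected in transit; override with an https URL where the
# mirror supports it, or verify the download before it is executed.
dell_utilities_installer_url: http://linux.dell.com/repo/hardware/dsu/bootstrap.cgi
dell_utilities_base_dir: /opt/dell_dsu
dell_utilities_packages:
  - dell-system-update
  - srvadmin-all
  - syscfg
dell_utilities_raid_packages:
  - raidcfg

#
# Tuned Setup (EL)
#
centos_tuned_enabled: true
centos_host_tuned_profile: virtual-host
centos_guest_tuned_profile: virtual-guest
centos_tuned_profile: "{{ centos_guest_tuned_profile }}"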