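---
#
# Bash prompt and shell history settings
#
bash_customize_skel_bashrc: false
bash_etc_skel_file: /etc/skel/.bashrc
bash_custom_skel_bashrc_file: files/skel_bashrc.sh
bash_customize_root_bashrc: false
bash_custom_root_bashrc_file: files/root_bashrc.sh
bash_root_bashrc_file: /root/.bashrc
bash_customize_root_history_settings: false
# Directory receiving the per-user root shell history when the custom
# history settings are enabled. It records privileged activity, so keep it
# root-owned and not world-readable on the managed hosts.
bash_custom_history_directory: /var/log/users_root_history
bash_custom_history_settings_file: files/root_bashrc_history.sh

#
# NFS ID-mapping (idmap) options: one section/option/value row per entry
#
idmap_verbosity: 0
idmap_conf_options:
  - section: General
    option: Domain
    value: "{{ domain_name }}"
    state: present
  - section: General
    option: Verbosity
    value: "{{ idmap_verbosity }}"
    state: present

#
# autofs mount points
#
autofs_client_mountpoint: false
autofs_conf_options:
  - section: autofs
    option: master_map_name
    value: /etc/auto.master
    state: present
  - section: autofs
    option: timeout
    value: "300"
    state: present
  - section: autofs
    option: negative_timeout
    value: "60"
    state: present
  - section: autofs
    option: mount_nfs_default_protocol
    value: "4"
    state: present
  - section: autofs
    option: logging
    value: none
    state: present
  - section: amd
    option: dismount_interval
    value: "300"
    state: present

autofs_packages_deb:
  - autofs

autofs_packages_el:
  - autofs

# List of maps to generate. "path" is given without the leading "/";
# "mountpoint_prefix" supplies the root it is mounted under.
autofs_maps: []
# - map_name: 'data'
#   mountpoint_prefix: '/'
#   path: 'data'
#   nfs_server: 'nfs.example.com'
#   remote_export: '/export'
#   is_home: false
#   force_ownership: false
#   owner_uid: 1000
#   owner_gid: 1000
#   permissions: "0750"

#
# NFS server (kernel server or NFS-Ganesha)
#
nfs_server_enabled: false
nfs_server_ganesha_enabled: "{{ nfs_server_enabled }}"

nfs_server_kernel_el_pkgs:
  - nfs-utils
  - nfs4-acl-tools

nfs_server_kernel_deb_pkgs:
  - nfs-kernel-server
  - nfs4-acl-tools
  - nfstrace
  - nfswatch

# Kernel NFS exports: name, id, path, options, clients
# (*) marks an optional parameter
# Keep "root_squash" in the options unless a client genuinely needs root on
# the export, and list explicit hosts/networks under "clients" rather than
# a wildcard, so only the intended machines can mount it.
nfs_server_exports: []
# - name: export_filename
#   id: 1
#   path: /export
#   options: 'rw,sync,fsid=1,root_squash,no_wdelay'
#   clients:
#     - host1
#     - hostN

nfs_ganesha_conf_files:
  - ganesha.conf

nfs_server_ganesha_el_repos:
  - centos-release-nfs-ganesha28
  - centos-release-ceph-nautilus

nfs_server_ganesha_el_pkgs:
  - nfs-utils
  - nfs4-acl-tools
  - nfs-ganesha
  - nfs-ganesha-vfs
  - librados2

nfs_server_ganesha_deb_pkgs:
  - nfs-ganesha
  - nfs-ganesha-vfs
  - nfs-ganesha-xfs

# Protocols = 3,4,9P;
nfs_server_ganesha_server_protocols: "4"
nfs_server_ganesha_path_pseudo: false
nfs_server_ganesha_mdcache: false
nfs_server_ganesha_mdcache_hwmark: 100000

# Ganesha exports: name, id, path, pseudo_path, access_type (RW, RO),
# protocols (global), squash (true, false), disable_acl (true, false),
# sectype, fsal (VFS, XFS), clients
# (*) marks an optional parameter
nfs_server_ganesha_exports: []
# - name: export_filename
#   id: 1
#   path: /export
#   pseudo: /nfs_export
#   access_type(*): 'RW'
#   protocols(*): '{{ nfs_server_ganesha_server_protocols }}'
#   squash(*): 'root_squash'
#   disable_acl(*): 'false'
#   sectype(*): 'sys'
#   nfs_commit(*): 'false'
#   delegations(*): 'none'
#   fsal: 'VFS'
#   clients:
#     - host1
#     - hostN

#
# tmpreaper
#
tmpreaper_install: false
tmpreaper_use_ctime: true
tmpreaper_protect_extra: ""
tmpreaper_dirs: /tmp/.
tmpreaper_extra_dirs: ""
tmpreaper_delay: "256"
tmpreaper_additional_options: ""
tmpreaper_time: 7d

#
# SSHD Configuration
#
# OpenSSH versions by distribution:
# Ubuntu 20.04 (Focal): 8.2 | Ubuntu 22.04 (Jammy): 8.9 | Ubuntu 24.04 (Noble): 9.6
# Debian 11 (Bullseye): 8.4 | Debian 12 (Bookworm): 9.2
# EL 8: 8.0 | EL 9: 8.7 | EL 10: 9.8
#
# sshd keyword values are kept as quoted "yes"/"no" strings on purpose:
# unquoted yes/no would be parsed as YAML booleans and rendered as True/False,
# which sshd does not accept.
#
sshd_install_config: true
sshd_port: 22
sshd_config_dir: /etc/ssh
sshd_config_file: sshd_config

# Basic authentication settings
sshd_password_authentication: "no"
sshd_permit_empty_passwords: "no"
# "no", "yes", "prohibit-password", or "without-password" (legacy alias for prohibit-password)
sshd_permit_root_login: prohibit-password
sshd_strict_mode: "yes"
sshd_pubkey_authentication: "yes"
sshd_max_auth_tries: 6
sshd_max_sessions: 10

# Login timing
sshd_login_grace_time: 120

# PAM settings
# With "no", locked accounts cannot log in at all; adduser creates
# passwordless users in the locked state, so key-based logins for those
# accounts depend on PAM being enabled.
sshd_use_pam: "yes"
# PAM service name (OpenSSH 9.8+, Portable OpenSSH only)
# Allows selecting the PAM service name at runtime. Defaults to "sshd" if not set.
sshd_pam_service_name: ""

# Keyboard-interactive authentication (formerly ChallengeResponseAuthentication)
# Use "yes" only if you are using s/key, OTP, or similar
# Note: ChallengeResponseAuthentication was renamed to KbdInteractiveAuthentication in OpenSSH 8.7
sshd_kbd_interactive_authentication: "no"

# Tunneling and forwarding
sshd_permit_tunnel: "no"
sshd_x11_forwarding: "no"
sshd_x11_display_offset: 10
# Agent forwarding lets a root user on this host sign with the keys of any
# forwarded agent for as long as the session lasts; set to "no" on hosts
# whose administrators you do not fully trust.
sshd_agent_forwarding: "yes"
sshd_tcp_forwarding: "no"
sshd_permit_user_environment: "no"
sshd_gateway_ports: "no"

# GSSAPI options
sshd_gssapi_authentication: "no"
sshd_gssapi_cleanup_credentials: "yes"

# Logging
sshd_syslog_facility: AUTH
sshd_log_level: INFO

# Connection settings
sshd_tcp_keep_alive: "yes"
sshd_client_alive_interval: 0
sshd_client_alive_count_max: 3
# MaxStartups: start:rate:full - connections are refused above 'full';
# between 'start' and 'full', rate% of new unauthenticated connections are dropped.
# Quoted because colon-separated digits can be parsed as a base-60 integer
# by YAML 1.1 loaders (for example "10:30:60").
sshd_max_startups: "10:30:100"

# Display settings
sshd_print_motd: "no"
sshd_print_last_log: "yes"
# Usually /etc/issue.net, or "none" to disable
sshd_banner_path: "none"

# Environment
sshd_acceptenv: "LANG LC_*"

# Host-based authentication (generally disabled for security)
sshd_hostbased_authentication: "no"
sshd_ignore_rhosts: "yes"
sshd_ignore_user_known_hosts: "no"

# DNS (set to "no" for faster connections when DNS is slow)
sshd_use_dns: "no"

#
# Version-specific options (OpenSSH 8.2+)
# These are only included when supported by the distribution's OpenSSH version
#

# Include additional configuration files (OpenSSH 8.2+)
# Set to true to include /etc/ssh/sshd_config.d/*.conf
# NOTE: sshd keeps the first value it reads for each keyword, so if the
# template emits the Include before the settings below, any drop-in under
# sshd_config.d (cloud images commonly ship one) silently wins over them.
# Review the drop-ins on the target hosts when enabling this.
sshd_include_config_d: true

# Per-source rate limiting (OpenSSH 8.5+)
# Maximum unauthenticated connections per source IP
sshd_per_source_max_startups: ""
# CIDR block size for grouping source IPs (IPv4, e.g., 24 for /24)
sshd_per_source_net_block_size: ""

#
# Version-specific options (OpenSSH 9.x+)
#

# Minimum RSA key size in bits (OpenSSH 9.1+)
# Recommended: 2048 or 3072 for better security
sshd_required_rsa_size: ""

# Channel timeout (OpenSSH 9.2+)
# Close channels after inactivity, e.g., "session:*=30m" or "x11-connection=5m"
sshd_channel_timeout: ""

# Unused connection timeout (OpenSSH 9.2+)
# Close connections with no open channels after this time
sshd_unused_connection_timeout: ""

# Penalty-based rate limiting (OpenSSH 9.8+)
# Configures penalty thresholds and durations for connection rate limiting
# Format: "crash:N refuseconnection:N noauth:N grace-exceeded:N max:M min:S"
sshd_per_source_penalties: ""
# List of addresses/networks exempt from penalties, e.g., "192.168.1.0/24,10.0.0.0/8"
sshd_per_source_penalty_exempt_list: ""

#
# Host keys - automatically configured based on distribution
# Override these only if you have custom key paths
#
sshd_host_keys:
  - /etc/ssh/ssh_host_rsa_key
  - /etc/ssh/ssh_host_ecdsa_key
  - /etc/ssh/ssh_host_ed25519_key

#
# Ciphers, MACs, and Key Exchange algorithms
# Leave empty to use distribution defaults (recommended)
# Only set these if you need to restrict to specific algorithms
#
sshd_ciphers: ""
sshd_macs: ""
sshd_kex_algorithms: ""
sshd_host_key_algorithms: ""

#
# SFTP configuration
#
sshd_enable_sftp_subsystem: true
sshd_enable_sftp_jail: false
sshd_sftp_chroot_match_group: filetransfer
# ChrootDirectory (and every path component above it) must be owned by root
# and not writable by group or others, or sshd rejects the login with
# "bad ownership or modes for chroot directory". A home directory owned by
# the user therefore needs a root-owned parent used as the chroot, with a
# user-writable subdirectory inside it.
sshd_sftp_chroot_directory: "%h"
sshd_sftp_force_command: internal-sftp

#
# Additional Match blocks (advanced)
# List of match blocks, each with: criteria, and options (list of key: value)
# Options inside a Match block override the global values above for the
# sessions that match, so each entry is a deliberate relaxation or tightening
# of the policy for that criteria.
#
sshd_match_blocks: []
# Example:
# sshd_match_blocks:
#   - criteria: "User admin"
#     options:
#       - PasswordAuthentication: "yes"
#       - AllowTcpForwarding: "yes"
#   - criteria: "Address 10.0.0.0/8"
#     options:
#       - PermitRootLogin: "yes"

#
# Fail2ban Configuration (Debian/Ubuntu)
#
fail2ban_enabled: true
# ban time in seconds. 86400 == 1 day
f2b_ban_time: 86400
f2b_findtime: 600
f2b_maxretry: 5
f2b_ddos_findtime: 120
f2b_ddos_maxretry: 200
f2b_default_backend: auto
f2b_usedns: warn
f2b_dest_email: "sysadmin@{{ domain_name }}"
f2b_sender_email: "sysadmin@{{ domain_name }}"
f2b_default_banaction: iptables-multiport
# Default action: ban only, do not send email
f2b_default_action: action_
f2b_default_iptableschain: INPUT
f2b_ssh_enabled: true
f2b_ssh_ddos_enabled: true
f2b_apache_ddos_enabled: false
f2b_apache_auth_enabled: false
f2b_apache_noscript_enabled: false
f2b_apache_overflow_enabled: false
f2b_php_url_fopen: false
f2b_nginx_auth_enabled: false
f2b_nginx_ddos_enabled: false
f2b_vsftpd_enabled: false
f2b_vsftpd_logpath: /var/log/vsftpd.log
f2b_recidive_enabled: true
# 604800: one week
f2b_recidive_findtime: 604800
# 14515200: 24 weeks
f2b_recidive_ban_time: 14515200

f2b_packages_deb:
  - fail2ban
  - iptables

#
# Fail2ban Configuration (EL/RedHat)
#
fail2ban_logtarget: SYSLOG
fail2ban_bantime: 600000
fail2ban_findtime: 4800
fail2ban_maxretry: 2
fail2ban_sshd_enabled: true
fail2ban_sshd_ddos_enabled: true
fail2ban_nginx_auth_enabled: false
fail2ban_apache_auth_enabled: false
fail2ban_php_url_fopen_enabled: false
fail2ban_vsftpd_enabled: false

f2b_packages_el:
  - fail2ban
  - fail2ban-server
  - fail2ban-systemd
  - fail2ban-firewalld
  - fail2ban-sendmail

#
# MOTD Configuration
#
motd_setup: true
motd_additional_text: "\nThis host runs services\n"

deb_motd_packages:
  - update-notifier-common
  - landscape-common

#
# Cloud-init Configuration
#
cloud_init_disable_netconfig: false
cloud_init_remove_pkg: true

#
# Dell Server Utilities
#
# The bootstrap installer is downloaded and run on the host, so fetch it
# over HTTPS (the plain-HTTP URL would let an on-path attacker replace it)
# and keep the host's CA trust store current so the certificate is verified.
dell_utilities_installer_url: https://linux.dell.com/repo/hardware/dsu/bootstrap.cgi
dell_utilities_base_dir: /opt/dell_dsu
dell_utilities_packages:
  - dell-system-update
  - srvadmin-all
  - syscfg

dell_utilities_raid_packages:
  - raidcfg

#
# Tuned Setup (EL)
#
centos_tuned_enabled: true
centos_host_tuned_profile: virtual-host
centos_guest_tuned_profile: virtual-guest
centos_tuned_profile: "{{ centos_guest_tuned_profile }}"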