add missing config

progmaticltd · Sep 27, 2023 · 22fec23 · 22fec23
1 parent da580ec
commit 22fec23
Show file tree

Hide file tree

Showing 8 changed files with 1,579 additions and 6 deletions.
diff --git a/.gitignore b/.gitignore
@@ -2,8 +2,14 @@
 ##############################################################################
 
 # Ignore everything on the config folder, except sample and default files
-config/*
-!config/defaults/*
+
+# Your default configuration
+config/hosts.yml
+config/system.yml
+
+# Your other sites configuration
+config/hosts-*.yml
+config/system-*.yml
 
 # Ignore ansible error files
 *.retry
@@ -46,7 +52,3 @@ common/ansible.cfg
 # before the first boot, at the same level
 !preseed/misc/readme.md
 preseed/misc/*
-
-# Ignores your system configuration and your public key
-preseed/config/*
-!preseed/config/*-example.yml
diff --git a/config/ansible-lint.yml b/config/ansible-lint.yml
@@ -0,0 +1,39 @@
+---
+
+# This is a temporary ansible-lint file, to be able to start from a clean base.
+# We may uncomment some of the warnings once we find a proper way to fix them
+
+# It is currently used by the CI environment (Jenkins) and the pre-commit hook
+
+# Some files cannot be found by ansible lint, when using include_tasks.
+# See https://github.com/ansible/ansible-lint/issues/507
+# These files are excluded for now
+
+# The current disabled warnings are:
+
+exclude_paths: [ ]
+
+parseable: true
+
+quiet: true
+
+rulesdir: [ ]
+
+warn_list:
+  - '106'     # Role name (some roles have ‘-’ in their name)
+  - '207'     # Nested jinja pattern (experimental, does not work)
+  - '208'     # Files permissions unset or incorrect
+
+skip_list:
+  - 'no-handler'                # We sometimes restart services directly
+  - 'command-instead-of-shell'  # shell commands are used for now
+  - 'yaml[line-length]'         # TODO: Set a maximum line length somewhere (e.g. 120)
+  - 'yaml[brackets]'            # For spaces after opening and before closing brackets
+  - 'jinja[spacing]'            # This warning appears when using multiline blocks (e.g. '>-')
+  - 'role-name'                 # What's wrong with hyphen in names ‽
+
+tags: [ ]
+
+use_default_rules: true
+
+verbosity: 1
diff --git a/config/defaults/common-security.yml b/config/defaults/common-security.yml
@@ -0,0 +1,94 @@
+---
+
+###############################################################################
+# Extra security values
+security_default:
+  auto_update: true                             # Install security updates automatically, using unattended-upgrades
+  ssh_disable_root_access_with_password: true   # Force SSH authentication to use public / private key for root
+  ssh_disable_root_access: false                # At the end of the installation, completely disable remote
+                                                # root access via SSH and force the use of sudo for the administrators
+  lock_root_password: true                      # Disable console root access by locking root password.
+  ssh_disable_users_access_with_password: false # Force SSH authentication to use public / private key for all users
+  alerts_email:
+    - 'admin@{{ network.domain }}'
+
+  # Automatically reboot the system when needed after an upgrade
+  auto_reboot:
+    active: true
+    time: 00:00
+
+  # Auto ban parameters
+  # autoban is a lighter alternative of fail2ban, based on nftables advanced features.
+  autoban:
+    active: true
+    rate: 10/minute
+    period: 2h
+
+  # The size of the Diffie-Hellman parameters to use for DHE ciphers.
+  # Predifined values from the RFC7919 will be used wherever possible.
+  # Possible values are: 2048, 4096.
+  dhparam_size: 2048
+  # TLS configuration parameters according to the "Intermediate" configuration
+  # recommended by Mozilla.
+  # https://wiki.mozilla.org/Security/Server_Side_TLS
+  tls:
+    openssl_ciphers:
+      - ECDHE-ECDSA-AES128-GCM-SHA256
+      - ECDHE-RSA-AES128-GCM-SHA256
+      - ECDHE-ECDSA-AES256-GCM-SHA384
+      - ECDHE-RSA-AES256-GCM-SHA384
+      - ECDHE-ECDSA-CHACHA20-POLY1305
+      - ECDHE-RSA-CHACHA20-POLY1305
+      - DHE-RSA-AES128-GCM-SHA256
+      - DHE-RSA-AES256-GCM-SHA384
+    # Protocol versions listed from oldest to newest
+    versions:
+      - 'TLSv1.2'
+      - 'TLSv1.3'
+    unused_versions:
+      - 'SSLv2'
+      - 'SSLv3'
+      - 'TLSv1'
+      - 'TLSv1.1'
+    ocsp_staple: true
+    server_preferred_order: false
+
+
+###############################################################################
+# Default password policies for users
+passwords_default:
+  min_length: 8
+  max_age: 31536000        # 365 days max
+  max_failure: 5
+  expire_warning: 604800   # one week
+  require_nonalpha: true
+
+  # Keep track of the passwords you have used before
+  # If you do not want, set this value to 0
+  # Passwords are stored using salted SHA512, safe enough
+  remember: 12
+
+  # Password quality module
+  quality:
+    enforce: true
+    params:
+      - name: retry
+        value: 5
+      - name: minlen
+        value: 8
+      - name: minclass
+        value: 3
+      - name: maxrepeat
+        value: 3
+      - name: maxclassrepeat
+        value: 4
+      - name: lcredit
+        value: 1
+      - name: ucredit
+        value: 1
+      - name: ocredit
+        value: 3
+      - name: dcredit
+        value: 1
+      - name: difok
+        value: 3