- Fix UFW firewall to allow outbound traffic (was blocking all outbound) - Add HOST parameter support to shell Makefile target - Fix all ansible-lint errors (trailing spaces, missing newlines, document starts) - Add changed_when: false to check commands - Fix variable naming (vault_devGPU -> vault_devgpu) - Update .ansible-lint config to exclude .gitea/ and allow strategy: free - Fix NodeSource repository GPG key handling in shell playbook - Add missing document starts to host_vars files - Clean up empty lines in datascience role files Reviewed-on: #2
---
|
|
# SSH server configuration
|
|
ssh_port: 22
|
|
ssh_listen_addresses: ['0.0.0.0']
|
|
# Security defaults - hardened by default
|
|
# Override in group_vars for dev/desktop machines if needed
|
|
ssh_permit_root_login: 'prohibit-password' # Allow root only with keys, not passwords
|
|
ssh_password_authentication: 'no' # Disable password auth by default (use keys)
|
|
ssh_pubkey_authentication: 'yes'
|
|
ssh_max_auth_tries: 3
|
|
ssh_client_alive_interval: 300
|
|
ssh_max_sessions: 10
|
|
ssh_allowed_users: [] # Restrict to specific users
|
|
ssh_allowed_groups: ['sudo']
|
|
|
|
# Security hardening
|
|
ssh_kex_algorithms:
|
|
- curve25519-sha256@libssh.org
|
|
- diffie-hellman-group16-sha512
|
|
ssh_ciphers:
|
|
- chacha20-poly1305@openssh.com
|
|
- aes256-gcm@openssh.com
|
|
ssh_macs:
|
|
- hmac-sha2-256-etm@openssh.com
|
|
- hmac-sha2-512-etm@openssh.com
|
|
|
|
# Additional security settings
|
|
ssh_protocol: 2
|
|
ssh_use_dns: 'no'
|
|
ssh_permit_empty_passwords: 'no'
|
|
ssh_challenge_response_auth: 'no'
|
|
ssh_gss_api_authentication: 'no'
|
|
ssh_x11_forwarding: 'no'
|
|
ssh_print_motd: 'no'
|
|
ssh_tcp_keep_alive: 'yes'
|
|
ssh_compression: 'no'
|
|
|
|
# Log level (QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, DEBUG3)
|
|
ssh_log_level: 'INFO'
|
|
|
|
# Maximum number of concurrent unauthenticated connections
|
|
ssh_max_startups: '10:30:100'
|
|
|
|
# Timeout for authentication
|
|
ssh_login_grace_time: '2m'
|
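Review bot: `ssh_allowed_groups: ['sudo']` together with `ssh_allowed_users: []` means that, if the role's template renders these into `AllowGroups`/`AllowUsers`, only members of `sudo` can log in at all — including the account Ansible itself connects as, and root regardless of `ssh_permit_root_login`. That is a sensible hardened default, but it should be stated at the point of definition so a host whose automation user is not in `sudo` does not lock itself out on first run; suggest adding above `ssh_allowed_groups` the comment `# NOTE: the Ansible remote user must belong to one of these groups, otherwise the next run cannot reconnect`. Secondly, `ssh_protocol: 2` presumably maps to the `Protocol` keyword, which current OpenSSH releases no longer honour (`sshd -t` reports it as a deprecated option), so if the template still emits it the value is inert at best. Finally, `ssh_client_alive_interval: 300` has no companion `ClientAliveCountMax` variable in this file; whether the template sets one I cannot tell from here, and without it the effective idle timeout is sshd's default multiple of the interval rather than 300 seconds.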