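---
# Ansible variables for host hardening: sudo, SSH, fail2ban, firewall,
# rootkit/webshell scanning and NTP. The Galaxy role each stanza targets is
# linked above it. Commented-out stanzas are kept as documented examples;
# nothing in them is applied until it is uncommented.

# Default registry
# bootstrap_user: root

# sudo configuration
# using geerlingguy security
# https://galaxy.ansible.com/grog/sudo
# Currently disabled. If re-enabled, note that "nopasswd: true" together with
# "commands: ALL" grants passwordless root; narrow "commands" to what the user
# actually needs.
# sudo_default_sudoers: true
# sudo_list:
#   - name: example_user  # placeholder
#     sudo:
#       hosts: ALL
#       as: ALL:ALL
#       commands: ALL
#       nopasswd: true

# SSH security
# https://galaxy.ansible.com/dev-sec/ssh-hardening
# NOTE(review): while these stay commented out, the role's own defaults (or the
# distro sshd_config) presumably apply; the custom port 45985 is then only
# referenced by the firewall and fail2ban stanzas below — confirm sshd really
# listens there.
# network_ipv6_enable: true
# ssh_server_ports: ['45985']
# ssh_permit_root_login: false  # TODO: uncommenting this currently breaks the play

# Fail2ban
# https://galaxy.ansible.com/oefenweb/fail2ban
# fail2ban_filterd_path: ./fail2ban/etc/fail2ban/filter.d/
# fail2ban_actiond_path: ./fail2ban/etc/fail2ban/action.d/
# fail2ban_jaild_path: ./fail2ban/etc/fail2ban/jail.d/
# fail2ban_services:
#   # In older versions of Fail2Ban this jail is called ssh
#   - name: sshd
#     port: 45985
#     maxretry: 3
#     bantime: -1  # -1 = ban never expires
#   # - name: wplogin
#   #   port: http,https
#   #   filter: wplogin
#   #   logpath: /var/lib/docker/containers/*/*-json.log
#   #   banaction: docker-action
#   #   maxretry: 5
#   #   findtime: 120
#   #   bantime: 86400
# Alternative role: https://galaxy.ansible.com/robertdebock/fail2ban

# Firewall
# https://galaxy.ansible.com/geerlingguy/firewall
firewall_state: started
firewall_enabled_at_boot: true
firewall_log_dropped_packets: true
# Ports are quoted so YAML keeps them as strings.
# Review each entry against what actually listens on it — these rules
# presumably admit any source address:
#   45985  — custom SSH port (see the ssh-hardening stanza above)
#   22529  — purpose not recorded here; TODO confirm
#   80/443 — HTTP/HTTPS
#   53     — DNS (TCP and UDP)
#   5000   — presumably the registry named at the top of this file; confirm it
#            must be reachable externally and that the service itself enforces
#            TLS and authentication, since the firewall rule does not.
firewall_allowed_tcp_ports:
  - "45985"
  - "22529"
  - "80"
  - "443"
  - "53"
  - "5000"
firewall_allowed_udp_ports:
  - "53"

# Rootkit protection
# https://galaxy.ansible.com/mablanco/antirootkits
antirootkits_mail_from: contact@jean-cloud.org
antirootkits_mail_to: contact@jean-cloud.org
antirootkits_log_expire: 90

# Webshell detection
# TODO: confirm what /home/docker holds and whether scanning it is useful —
# it is likely to produce a lot of false positives.
shelldetector_scan_directory: /home/docker
# Cron fields stay quoted so '00' is not coerced to the integer 0.
shelldetector_cron_hour: '4'
shelldetector_cron_minute: '00'

# NTP
# https://galaxy.ansible.com/geerlingguy/ntp
ntp_timezone: Europe/Paris
ntp_daemon: ntp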