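---
# Ansible variables for the jean-cloud hosts: bootstrap account, docker service
# paths, and the settings consumed by the security / sudo / firewall / fail2ban /
# antirootkits / timezone / NTP roles linked in the comments below.

# Default registry
#
bootstrap_user: root

# For jean-cloud docker services
new_nginx_conf_path: '/data/proxy/new-sites-enabled'
new_blackbox_hosts_path: '/data/prometheus/new-blackbox-targets.yml'
blackbox_hosts_path: '/data/prometheus/blackbox-targets.yml'

remote_docker_login_registry: registry.jean-cloud.net

# sudo configuration
# using geerlingguy security
# https://galaxy.ansible.com/grog/sudo
#sudo_default_sudoers: yes
#sudo_list:
# - name: tits
# sudo:
# hosts: ALL
# as: ALL:ALL
# commands: ALL
# nopasswd: yes

# Security geerlingguy
# Keep this port in sync with firewall_allowed_tcp_ports below (and with the
# fail2ban sshd port if that block is ever enabled): moving sshd without
# opening the new port locks you out.
security_ssh_port: 45985
# IMPORTANT following values should be quoted. You can lock yourself out.
# (Unquoted yes/no are parsed as YAML booleans; the role would then most likely
# render them as True/False in sshd_config instead of the literal yes/no that
# sshd expects.)
security_ssh_password_authentication: "no"
# NOTE(review): root login over SSH stays enabled because bootstrap_user is root.
# With password authentication disabled, only key-based root login remains;
# sshd's "prohibit-password" value expresses exactly that. Once the bootstrap
# key is confirmed to work, consider switching to it.
security_ssh_permit_root_login: "yes"
security_ssh_usedns: "no"
security_ssh_permit_empty_password: "no"
security_ssh_challenge_response_auth: "no"
security_ssh_gss_api_authentication: "no"
security_ssh_x11_forwarding: "no"

# Auto upgrades
security_autoupdate_enabled: true

# f2b
# NOTE(review): fail2ban is disabled here; the oefenweb/fail2ban block further
# down is commented out as well, so nothing currently rate-limits SSH logins.
security_fail2ban_enabled: false

#locales
locales_default:
  lang: en_US.UTF-8
  lc_all: en_US.UTF-8


# For unattended upgrade configuration
unattended_upgrades_mail: contact@jean-cloud.org

# For ssh security
# https://galaxy.ansible.com/dev-sec/ssh-hardening
#network_ipv6_enable: true
#ssh_server_ports: ['45985']
#ssh_permit_root_login: no # TODO uncommenting that makes it bug
# (presumably the same quoting trap as above: an unquoted `no` is a YAML
# boolean, so it would need to be written as 'no' — confirm before enabling)

# Fail2ban
# https://galaxy.ansible.com/oefenweb/fail2ban
#fail2ban_filterd_path: ./fail2ban/etc/fail2ban/filter.d/
#fail2ban_actiond_path: ./fail2ban/etc/fail2ban/action.d/
#fail2ban_jaild_path: ./fail2ban/etc/fail2ban/jail.d/
#fail2ban_services:
# # In older versions of Fail2Ban this is called ssh
# - name: sshd
# port: 45985
# maxretry: 3
# bantime: -1
# # - name: wplogin
# # port: http,https
# # filter: wplogin
# # logpath: /var/lib/docker/containers/*/*-json.log
# # banaction: docker-action
# # maxretry: 5
# # findtime: 120
# # bantime: 86400
#
# https://galaxy.ansible.com/robertdebock/fail2ban


# For Firewall
# https://galaxy.ansible.com/geerlingguy/firewall
firewall_state: started
firewall_enabled_at_boot: true
firewall_log_dropped_packets: true
# Ports are quoted on purpose: the role expects strings, and all-digit plain
# scalars would be parsed as integers.
# TODO(review): document what listens on 22529, 53 and 5000 (5000 is presumably
# the registry mentioned at the top of this file — confirm) so that unused
# entries can be removed.
firewall_allowed_tcp_ports:
  - "45985"
  - "22529"
  - "80"
  - "443"
  - "53"
  - "5000"
firewall_allowed_udp_ports:
  - "53"

# For rootkit protection
# https://galaxy.ansible.com/mablanco/antirootkits
antirootkits_mail_from: contact@jean-cloud.org
antirootkits_mail_to: contact@jean-cloud.org
antirootkits_log_expire: 90
# TODO wtf is /home/docker ?
shelldetector_scan_directory: /home/docker # Won't it turn up way too much junk?
# Cron fields are quoted so that '00' is kept as a string rather than read as 0.
shelldetector_cron_hour: '4'
shelldetector_cron_minute: '00'


# Timezone
# https://galaxy.ansible.com/oefenweb/timezone
# Keep timezone_zone and ntp_timezone (below) identical.
timezone_zone: Europe/Paris

# NTP
# https://galaxy.ansible.com/geerlingguy/ntp
ntp_timezone: Europe/Paris
ntp_daemon: ntp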