jean-cloud-services/provisioning/group_vars/servers.yml
2023-04-24 12:11:09 +02:00


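---
# Ansible group_vars for the "servers" group: variables consumed by the
# roles linked below (docker proxy paths, geerlingguy.security / firewall,
# mablanco.antirootkits, timezone, NTP).
# NOTE(review): the forge lists this file as executable; a vars file does
# not need the +x bit — confirm that is intentional.

# Default registry
#
# Account used for the initial connection, before the hardening roles run.
bootstrap_user: root

# For jean-cloud docker services
new_nginx_conf_path: '/data/proxy/new-sites-enabled'
new_blackbox_hosts_path: '/data/prometheus/new-blackbox-targets.yml'
blackbox_hosts_path: '/data/prometheus/blackbox-targets.yml'
remote_docker_login_registry: registry.jean-cloud.net

# sudo configuration
# using geerlingguy security
# https://galaxy.ansible.com/grog/sudo
# sudo_default_sudoers: yes
# sudo_list:
#   - name: tits
#     sudo:
#       hosts: ALL
#       as: ALL:ALL
#       commands: ALL
#       nopasswd: yes

# Security geerlingguy
# Non-default SSH port; the firewall list below references this variable so
# the two cannot drift apart.
security_ssh_port: 45985
# IMPORTANT following values should be quoted. You can lock yourself out.
# An unquoted yes/no is parsed as a YAML boolean, which is not the literal
# "yes"/"no" text sshd_config expects.
security_ssh_password_authentication: "no"
# Root login stays enabled — presumably because bootstrap_user is root.
# With password authentication off this is key-only root access; sshd's
# 'prohibit-password' states that intent explicitly — TODO confirm the role
# passes the value through unchanged before switching to it.
security_ssh_permit_root_login: "yes"
security_ssh_usedns: "no"
security_ssh_permit_empty_password: "no"
security_ssh_challenge_response_auth: "no"
security_ssh_gss_api_authentication: "no"
security_ssh_x11_forwarding: "no"
# Auto upgrades
security_autoupdate_enabled: true
# f2b
# Disabled: repeated failed logins on the ports opened below are not banned.
# The oefenweb/fail2ban variables further down are commented out as well.
security_fail2ban_enabled: false

# locales
locales_default:
  lang: en_US.UTF-8
  lc_all: en_US.UTF-8

# For unattended upgrade configuration
unattended_upgrades_mail: contact@jean-cloud.org

# For ssh security
# https://galaxy.ansible.com/dev-sec/ssh-hardening
# network_ipv6_enable: true
# ssh_server_ports: ['45985']
# ssh_permit_root_login: no  # TODO uncommenting this breaks the run

# Fail2ban
# https://galaxy.ansible.com/oefenweb/fail2ban
# fail2ban_filterd_path: ./fail2ban/etc/fail2ban/filter.d/
# fail2ban_actiond_path: ./fail2ban/etc/fail2ban/action.d/
# fail2ban_jaild_path: ./fail2ban/etc/fail2ban/jail.d/
# fail2ban_services:
#   # In older versions of Fail2Ban this is called ssh
#   - name: sshd
#     port: 45985
#     maxretry: 3
#     bantime: -1
#   # - name: wplogin
#   #   port: http,https
#   #   filter: wplogin
#   #   logpath: /var/lib/docker/containers/*/*-json.log
#   #   banaction: docker-action
#   #   maxretry: 5
#   #   findtime: 120
#   #   bantime: 86400
#
# https://galaxy.ansible.com/robertdebock/fail2ban

# For Firewall
# https://galaxy.ansible.com/geerlingguy/firewall
firewall_state: started
firewall_enabled_at_boot: true
firewall_log_dropped_packets: true
# Ports are quoted strings on purpose (see the IMPORTANT note above).
# The SSH entry is derived from security_ssh_port: removing or mistyping it
# locks you out of the host.
firewall_allowed_tcp_ports:
  - "{{ security_ssh_port }}"
  - "22529"  # TODO document which service listens here
  - "80"
  - "443"
  - "53"
  - "5000"  # TODO document which service listens here
firewall_allowed_udp_ports:
  - "53"

# For rootkit protection
# https://galaxy.ansible.com/mablanco/antirootkits
antirootkits_mail_from: contact@jean-cloud.org
antirootkits_mail_to: contact@jean-cloud.org
antirootkits_log_expire: 90
# TODO what is /home/docker? Scanning it will likely produce a lot of noise.
shelldetector_scan_directory: /home/docker
shelldetector_cron_hour: '4'
shelldetector_cron_minute: '00'

# Timezone
# https://galaxy.ansible.com/oefenweb/timezone
timezone_zone: Europe/Paris

# NTP
# https://galaxy.ansible.com/geerlingguy/ntp
ntp_timezone: Europe/Paris
ntp_daemon: ntp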