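---
# Ansible variables for host hardening: sudo, SSH, fail2ban, firewall,
# rootkit scanning and NTP. Only the firewall, antirootkits, shelldetector
# and NTP variables are active; the sudo, SSH and fail2ban stanzas are
# commented out and those roles (if included) run with their defaults.

# Default registry
#
# Account the bootstrap play connects as.
# NOTE(review): this is root over SSH, while ssh_permit_root_login below is
# still commented out (see its TODO) — confirm root login is intentionally
# left at the SSH role's default.
bootstrap_user: root

# sudo configuration
# using geerlingguy security
# https://galaxy.ansible.com/grog/sudo
#sudo_default_sudoers: yes
#sudo_list:
#  - name: tits
#    sudo:
#      hosts: ALL
#      as: ALL:ALL
#      commands: ALL
#      nopasswd: yes

# For ssh security
# https://galaxy.ansible.com/dev-sec/ssh-hardening
#network_ipv6_enable: true
#ssh_server_ports: ['45985']
#ssh_permit_root_login: no  # TODO uncommenting that makes it bug

# Fail2ban
# https://galaxy.ansible.com/oefenweb/fail2ban
#fail2ban_filterd_path: ./fail2ban/etc/fail2ban/filter.d/
#fail2ban_actiond_path: ./fail2ban/etc/fail2ban/action.d/
#fail2ban_jaild_path: ./fail2ban/etc/fail2ban/jail.d/
#fail2ban_services:
#  # In older versions of Fail2Ban this is called ssh
#  - name: sshd
#    port: 45985
#    maxretry: 3
#    bantime: -1
#  # - name: wplogin
#  #   port: http,https
#  #   filter: wplogin
#  #   logpath: /var/lib/docker/containers/*/*-json.log
#  #   banaction: docker-action
#  #   maxretry: 5
#  #   findtime: 120
#  #   bantime: 86400
#
# https://galaxy.ansible.com/robertdebock/fail2ban

# For Firewall
# https://galaxy.ansible.com/geerlingguy/firewall
firewall_state: started
firewall_enabled_at_boot: true
# Dropped packets are logged — useful evidence for detection, but watch log volume.
firewall_log_dropped_packets: true
# Ports are quoted so they stay strings (YAML 1.1 would otherwise read
# values like 22:22 as sexagesimal integers).
# NOTE(review): port 22 is not in this list and ssh_server_ports above is
# commented out — confirm sshd really listens on 45985 before applying,
# otherwise the firewall role can cut off SSH access to the host.
firewall_allowed_tcp_ports:
- "45985"
- "22529"
- "80"
- "443"
- "53"    # presumably DNS — verify what listens here
- "5000"  # presumably the registry named in the header comment — verify what listens here
firewall_allowed_udp_ports:
- "53"

# For rootkit protection
# https://galaxy.ansible.com/mablanco/antirootkits
antirootkits_mail_from: contact@jean-cloud.org
antirootkits_mail_to: contact@jean-cloud.org
# Retention for scan logs; units are defined by the role — assumed days, confirm.
antirootkits_log_expire: 90
# TODO: clarify what /home/docker is
# Original note (translated): "Won't it find too much junk?"
shelldetector_scan_directory: /home/docker
# Daily scan at 04:00 (quoted so cron fields stay strings).
shelldetector_cron_hour: '4'
shelldetector_cron_minute: '00'

# NTP
# https://galaxy.ansible.com/geerlingguy/ntp
ntp_timezone: Europe/Paris
ntp_daemon: ntp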