feat: base configuration automation

2023-11-08 00:00:00 +00:00 · 2023-11-08 00:00:00 +00:00 · e4770a7343
commit e4770a7343
70 changed files with 2489 additions and 0 deletions
--- a/collections/ansible_collections/nullified/infrastructure/roles/security/templates/openssh-server/sshd_config.d/encryption.conf.j2
+++ b/collections/ansible_collections/nullified/infrastructure/roles/security/templates/openssh-server/sshd_config.d/encryption.conf.j2
@ -0,0 +1,4 @@
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
+MACs hmac-sha2-512-etm@openssh.com
+HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com
--- a/collections/ansible_collections/nullified/infrastructure/roles/security/templates/openssh-server/sshd_config.j2
+++ b/collections/ansible_collections/nullified/infrastructure/roles/security/templates/openssh-server/sshd_config.j2
@ -0,0 +1,24 @@
+AcceptEnv                       LANG LC_*
+AddressFamily                   inet
+AllowAgentForwarding            no
+ChallengeResponseAuthentication no
+ClientAliveCountMax             2
+ClientAliveInterval             300
+HostKey                         /etc/ssh/ssh_host_ed25519_key
+IgnoreRhosts                    yes
+LogLevel                        VERBOSE
+MaxAuthTries                    3
+MaxSessions                     3
+PermitEmptyPasswords            no
+PermitRootLogin                 no
+PrintMotd                       yes
+Protocol                        2
+PubkeyAuthentication            yes
+Port                            22
+TCPKeepAlive                    no
+UseDNS                          no
+UsePAM                          yes
+X11Forwarding                   no
+Subsystem       sftp            /usr/lib/openssh/sftp-server
+
+Include                         /etc/ssh/sshd_config.d/*.conf