hostname: dev-01.lab.alexpires.me ansible_user: "{{ lookup('env', 'ANSIBLE_USER') }}" # Users login_users: - username: "{{ ansible_user }}" comment: "Managed by Ansible" sudoer: true sudoer_root_only: true sudoer_no_password: true pubkey: "{{ lookup('file', 'keys/ansible_user.pub') }}" password_disabled: true - username: operator comment: "Managed by Ansible" sudoer: true pubkey: "{{ lookup('file', 'keys/operator.pub') }}" # SSH Connection and security sshd_port: 22 ssh_allowed_networks: - "10.5.5.5/32" # Wireguard VPN (Laptop) - "10.19.4.0/24" # local network sshd_admin_net: "10.19.4.0/24" # local network sshd_allow_groups: "{{ ansible_user }} users" sshd_permit_root_login: "no" sshd_password_authentication: "no" sshd_allow_tcp_forwarding: "yes" # Due to an issue increase the number of max auth tries sshd_max_auth_tries: 10 # Firewall ports ufw_enable: true fw_allowed_ports: - { rule: "allow", port: "22", proto: "tcp", from: "10.5.5.5/32" } # SSH Access (VPN device) - { rule: "allow", port: "22", proto: "tcp", from: "10.19.4.0/24" } # SSH Access (local network) - { rule: "allow", port: "16443", proto: "tcp", from: "10.5.5.5/32" } # Kubernetes API (Laptop) - { rule: "allow", port: "16443", proto: "tcp", from: "10.19.4.0/24" } # Kubernetes API (local network) - { rule: "allow", port: "139", proto: "tcp", from: "10.19.4.0/24" } # Samba (local network only) - { rule: "allow", port: "445", proto: "tcp", from: "10.19.4.0/24" } # Samba (local network only) - { rule: "allow", port: "11434", proto: "tcp", from: "10.19.4.0/24" } # Ollama (local network only) - { rule: "allow", port: "11434", proto: "tcp", from: "10.5.5.5/32" } # Ollama (Laptop) - { rule: "allow", port: "11434", proto: "tcp", from: "10.5.5.2/32" } # Ollama (Contabo VPN) - { rule: "allow", port: "9090", proto: "tcp", from: "10.5.5.2/32" } # Prometheus (Contabo VPN) - { rule: "allow", port: "443", proto: "tcp", from: "10.5.5.2/32" } # HTTPS (Contabo VPN) - { rule: "allow", port: "53", proto: "udp", from: "10.19.4.0/24" } # DNS (local network) - { rule: "allow", port: "53", proto: "udp", from: "10.5.5.2/32" } # DNS (Contabo VPN) ufw_outgoing_traffic: - 9 # For Wake-on-LAN - 22 # SSH - 53 # DNS - 80 # HTTP - 123 # NTP - 443 # HTTPS - 465 # SMTPS - 853 # DNS over TLS - 10250 # Kubelet - 8880 # Kokoro-FastAPI - 11434 # Ollama - 16443 # Kubernetes API - 8188 # comfyui - 4443 - 9443 - 993 # IMAPS - 9090 # Prometheus ufw_default_forward_policy: "ACCEPT" ipv4_sysctl_settings: net.ipv4.ip_forward: 1 disable_ipv6: true # geoip will override hosts_allow and hosts_deny (so it's disabled - CIS hardening) custom_hosts_acls: true # fail2ban fail2ban_jails: ssh: enabled: true port: "{{ sshd_port }}" filter: "sshd" logpath: "/var/log/auth.log" maxretry: 5 findtime: 600 bantime: 3600 # aide install_aide: true aide_exclude: - "!/var/lib/snapd" - "!/srv" misc_modules_blocklist: - bluetooth - bnep - btusb - can - cpia2 - firewire-core - floppy - ksmbd - n_hdlc - net-pf-31 - pcspkr - soundcore - thunderbolt - usb-midi - uvcvideo - v4l2_common # Unattended upgrades unattended_reboot: true unattended_reboot_time: "04:30" # Duo Security duo_users: ["*", "!provision"] duo_api_hostname: api-7cda1654.duosecurity.com # Kubernetes specific settings microk8s_allowed_hosts: - 10.19.4.0/24 - 10.5.5.5 microk8s_alt_names: "{{ hostname }}" microk8s_certmgr_letsencrypt_issuer_email: c.alexandre.pires@alexpires.me # HTTP-01 Let's encrypt issuer is disable in dev microk8s_certmgr_letsencrypt_http01: false # DNS-01 issuer is enabled in dev microk8s_certmgr_letsencrypt_dns01: true microk8s_cloudns_auth_id: "{{ lookup('env', 'CLOUDNS_AUTH_ID') }}" microk8s_cloudns_auth_password: "{{ lookup('env', 'CLOUDNS_PASSWORD') }}" microk8s_encryption_secret: "{{ lookup('env', 'MICROK8S_ENCRYPTION_SECRET') }}" microk8s_users: - username: operator enabled: true # podman services settings persistent_data: "/srv"