75 lines
1.7 KiB
YAML
75 lines
1.7 KiB
YAML
hostname: gpu-01.alexpires.local
|
|
ansible_user: "{{ lookup('env', 'ANSIBLE_USER') }}"
|
|
|
|
# Users
|
|
login_users:
|
|
- username: "{{ ansible_user }}"
|
|
comment: "Managed by Ansible"
|
|
sudoer: true
|
|
sudoer_root_only: true
|
|
sudoer_no_password: true
|
|
pubkey: "{{ lookup('file', 'keys/ansible_user.pub') }}"
|
|
password_disabled: true
|
|
- username: operator
|
|
comment: "Managed by Ansible"
|
|
sudoer: true
|
|
pubkey: "{{ lookup('file', 'keys/operator.pub') }}"
|
|
password_expiration: false
|
|
|
|
# SSH Connection and security
|
|
sshd_port: 22
|
|
ssh_allowed_networks:
|
|
- "0.0.0.0/0"
|
|
sshd_admin_net: "0.0.0.0/0"
|
|
sshd_allow_groups: "{{ ansible_user }} users"
|
|
sshd_permit_root_login: "no"
|
|
sshd_password_authentication: "no"
|
|
sshd_allow_tcp_forwarding: "yes"
|
|
|
|
# Due to an issue increase the number of max auth tries
|
|
sshd_max_auth_tries: 10
|
|
|
|
packages_blocklist: []
|
|
|
|
# Firewall ports
|
|
ufw_enable: true
|
|
fw_allowed_ports:
|
|
- { rule: "allow", port: "22", proto: "tcp" }
|
|
- { rule: "allow", port: "11434", proto: "tcp" }
|
|
|
|
ufw_outgoing_traffic:
|
|
- 22 # SSH
|
|
- 53 # DNS
|
|
- 80 # HTTP
|
|
- 123 # NTP
|
|
- 443 # HTTPS
|
|
- 853 # DNS over TLS
|
|
|
|
ufw_default_forward_policy: "ACCEPT"
|
|
|
|
ipv4_sysctl_settings:
|
|
net.ipv4.ip_forward: 1
|
|
|
|
disable_ipv6: true
|
|
|
|
# geoip will override hosts_allow and hosts_deny (so it's disabled - CIS hardening)
|
|
custom_hosts_acls: true
|
|
|
|
# This fixes polkit issues with sudoers file (CIS hardening)
|
|
hide_pid: 0
|
|
|
|
# aide
|
|
install_aide: false
|
|
|
|
# Unattended upgrades
|
|
unattended_reboot: true
|
|
unattended_reboot_time: "04:30"
|
|
|
|
# Duo Security
|
|
duo_users: ["*", "!provision"]
|
|
duo_api_hostname: api-7cda1654.duosecurity.com
|
|
|
|
# podman services settings
|
|
ollama_home: "/mnt/data/ollama"
|
|
kokora_home: "/mnt/data/kokoro"
|