Progress on Issue #2: Ansible Base Configuration

Completed:
- ✅ Ansible installed via pipx (isolated Python environment)
- ✅ Hetzner Cloud dynamic inventory configured
- ✅ Ansible configuration (ansible.cfg)
- ✅ Common role for base system hardening:
  - SSH hardening (key-only, no root password)
  - UFW firewall configuration
  - Fail2ban for SSH protection
  - Automatic security updates
  - Timezone and system packages
- ✅ Comprehensive Ansible README with setup guide

Architecture Updates:
- Added Decision #15: pipx for isolated Python environments
- Updated ADR changelog with pipx adoption

Still TODO for #2:
- Docker role
- Traefik role
- Setup playbook
- Deploy playbook
- Testing against live server

Files added:
- ansible/README.md - Complete Ansible guide
- ansible/ansible.cfg - Ansible configuration
- ansible/hcloud.yml - Hetzner dynamic inventory
- ansible/roles/common/* - Base hardening role

Partial progress on #2

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
23 lines
859 B
YAML
```yaml
---
# SSH hardening configuration
#
# Edits individual directives in /etc/ssh/sshd_config in place. sshd uses the
# first value it obtains for a keyword, so where the stock sshd_config begins
# with "Include /etc/ssh/sshd_config.d/*.conf" (Debian 12 / Ubuntu 22.04 and
# later), a drop-in in that directory (for example one written by cloud-init
# that sets PasswordAuthentication) takes precedence over the lines edited
# below. Verify the effective values on the host with `sshd -T`.

- name: Configure SSH daemon
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
    state: present
    # Syntax-check the edited file before it is written, so a bad value cannot
    # take sshd down when the handler restarts it and lock the operator out.
    validate: /usr/sbin/sshd -t -f %s
  loop:
    - { regexp: '^#?PermitRootLogin', line: 'PermitRootLogin {{ common_ssh_permit_root_login }}' }
    - { regexp: '^#?PasswordAuthentication', line: 'PasswordAuthentication {{ common_ssh_password_authentication }}' }
    - { regexp: '^#?PubkeyAuthentication', line: 'PubkeyAuthentication {{ common_ssh_pubkey_authentication }}' }
    - { regexp: '^#?PermitEmptyPasswords', line: 'PermitEmptyPasswords no' }
    - { regexp: '^#?X11Forwarding', line: 'X11Forwarding no' }
    - { regexp: '^#?MaxAuthTries', line: 'MaxAuthTries 3' }
  # Handler expected in the role's handlers file.
  notify: Restart SSH

- name: Ensure SSH is running and enabled
  ansible.builtin.service:
    name: ssh  # Debian/Ubuntu unit name; RHEL-family systems use sshd
    state: started
    enabled: true
```
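The tasks above change lines in `/etc/ssh/sshd_config`, but what matters is the configuration sshd actually loads, which also includes any drop-ins under `/etc/ssh/sshd_config.d/`. The check below is an added example, not code from this repository: it parses the output of `sshd -T` (the daemon's dump of its effective, lower-cased settings) and reports every hardening directive whose effective value differs from what the role intends. The two sample outputs are constructed and trimmed to the keywords being checked; the function name `check_sshd_hardening` and the expected values are assumptions based on the role's defaults (`PermitRootLogin no`, `PasswordAuthentication no`, `PubkeyAuthentication yes`).

```shell
#!/bin/sh
# Added example (not part of the repository): verify the EFFECTIVE sshd
# configuration after the hardening role has run, using `sshd -T` output.
# sshd keeps the first value it sees for a keyword, so a drop-in included at
# the top of sshd_config can silently override a line edited further down.

# check_sshd_hardening CONFIG
#   CONFIG is the text printed by `sshd -T` (one "keyword value" per line,
#   keywords in lower case). Prints one line per failed check and returns
#   the number of failures, so 0 means every directive is as expected.
check_sshd_hardening() {
    config=$1
    failures=0
    # Expected effective values (assumed to match the role's defaults).
    for pair in \
        permitrootlogin=no \
        passwordauthentication=no \
        pubkeyauthentication=yes \
        permitemptypasswords=no \
        x11forwarding=no \
        maxauthtries=3
    do
        key=${pair%%=*}
        want=${pair#*=}
        # Take the first occurrence, exactly as sshd does.
        got=$(printf '%s\n' "$config" | awk -v k="$key" '$1 == k { print $2; exit }')
        if [ -z "$got" ]; then
            echo "MISSING  $key (expected $want)"
            failures=$((failures + 1))
        elif [ "$got" != "$want" ]; then
            echo "MISMATCH $key = $got (expected $want)"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Constructed sample: `sshd -T` output (trimmed) from a host where the role's
# edits took effect.
SAMPLE_HARDENED='port 22
permitrootlogin no
passwordauthentication no
pubkeyauthentication yes
permitemptypasswords no
x11forwarding no
maxauthtries 3'

# Constructed sample: same host, but a cloud-init drop-in under
# /etc/ssh/sshd_config.d/ still says "PasswordAuthentication yes" and wins
# over the line lineinfile edited in /etc/ssh/sshd_config.
SAMPLE_DROPIN_OVERRIDE='port 22
permitrootlogin no
passwordauthentication yes
pubkeyauthentication yes
permitemptypasswords no
x11forwarding no
maxauthtries 3'

# Usage on the target (root required, since `sshd -T` reads host keys):
#   sh check_sshd.sh --live
# The exit status is the number of failed checks, so the script can be run
# from an Ansible `command` task as a post-hardening assertion.
if [ "${1:-}" = "--live" ]; then
    check_sshd_hardening "$(sshd -T)"
    exit $?
fi
```

Against `SAMPLE_HARDENED` the function prints nothing and returns 0; against `SAMPLE_DROPIN_OVERRIDE` it prints `MISMATCH passwordauthentication = yes (expected no)` and returns 1, which is exactly the failure the `lineinfile` approach cannot detect on its own.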