added:

- set file permissions - setup sysctls - set root password from vault var - added doas + config
2024-11-18 18:33:33 +01:00
parent c8f169253d
commit 8e23c090d9
7 changed files with 112 additions and 16 deletions
--- a/group_vars/all/all.yaml
+++ b/group_vars/all/all.yaml
@@ -7,6 +7,7 @@ image: "{{ lookup('ansible.builtin.env', 'SNAPSHOT') }}"
 packages:
  - cpdup
  - bash
+  - doas

 # used by bastille to build a base
 release: 14.1-RELEASE
@@ -36,3 +37,51 @@ storage:
      name: /home
    - mount: /var/cron/tabs
      name: /crontabs
+
+
+kernel:
+  sysctls:
+    security.bsd.see_other_uids: 0
+    security.bsd.see_other_gids: 0
+    security.bsd.see_jail_proc: 0
+    security.bsd.unprivileged_read_msgbuf: 0
+    security.bsd.unprivileged_proc_debug: 0
+    kern.randompid: 1
+    net.inet.ip.random_id: 1
+    hw.spec_store_bypass_disable: 1
+    kern.elf64.allow_wx: 0
+    kern.elf32.aslr.stack: 3
+    kern.elf32.aslr.pie_enable: 1
+    vfs.zfs.min_auto_ashift: 12
+    kern.securelevel: 2
+
+
+permissions:
+  - name: /home
+    owner: root
+    group: wheel
+    mode: '0711'
+  - name: /etc
+    owner: root
+    group: wheel
+    mode: '0711'
+  - name: /usr/local/etc
+    owner: root
+    group: wheel
+    mode: '0711'
+  - name: /root
+    owner: root
+    group: wheel
+    mode: '0700'
+  - name: /var/log
+    owner: root
+    group: wheel
+    mode: '0711'
+  - name: /var/cron/tabs
+    owner: root
+    group: wheel
+    mode: '0700'
+  - name: /var/log
+    owner: root
+    group: wheel
+    mode: '0711'
--- a/group_vars/all/vars.yaml
+++ b/group_vars/all/vars.yaml
@@ -1,10 +1,12 @@
 $ANSIBLE_VAULT;1.1;AES256
-34666232626536653339373961383331363035343266633232643930663733386466663933356138
-6366653166656465373634306461643236333162383138380a626430626631626133373330646361
-31303163343637626130393237666333643965646431306134643039363233386235623463633862
-3334363233313532310a323965363364646362343937653534623930376461356633656135646533
-37343162333634373963366433393231626136353832613937343363623565303561663461333431
-30353831376134336663643534383535656638663931626665336638353432626330356561643439
-61303638336365636233353937626461643263383435353561303831363531653935386435316562
-35363833383732656261643765323432363430636564626166653263643632373731323637663165
-6437
+66323661356665373037316136353833646231623531323031306336613065326431643138336430
+3438323839633335333963306638323137333664366466310a623862636139366336393835353238
+38613934383631633134386564616233326234333637636162626632633762656366303036313539
+3365646662386263650a333636366132363662376362383737383233646531616632376234303062
+32366464613630396463326236643361386637616664663066326337663037663639613433316462
+33636665653930346265323237363238626463666163616439393332313639343863343764323639
+34353834393236643530346238323164656339653365393563383938316461393730333536343365
+63303865626534653237383634633937613039663761313038303461303837643066306161383661
+65326237366536306632633539656335373536336231303330386332646363333131393664656365
+36366539616230623338396434376565346435636331353963366438376437343233373735393730
+346162343166373762626664363866663536