From ce995083c6b15c6fe181a6533e975bf6600c25d2 Mon Sep 17 00:00:00 2001
From: Thomas Kleinendorst
Date: Tue, 9 Apr 2024 17:49:51 +0200
Subject: [PATCH] Add and configure OS hardening role
This role was run but is commented out as rerunning it shouldn't add much whilst also being a time hog.
---
 .vscode/settings.json | 3 +++
 README.md | 7 ++++++-
 playbook.yml | 10 ++++++++++
 requirements.yml | 6 ++++++
 4 files changed, 25 insertions(+), 1 deletion(-)
 create mode 100644 .vscode/settings.json
 create mode 100644 requirements.yml
diff --git a/.vscode/settings.json b/.vscode/settings.json
new file mode 100644
index 0000000..e56e562
--- /dev/null
+++ b/.vscode/settings.json
@@ -0,0 +1,3 @@
+{
+ "ansible.python.interpreterPath": "/home/thomas/python_venv/bin/python"
+}
\ No newline at end of file
diff --git a/README.md b/README.md
index 8b932e4..22efb1c 100644
--- a/README.md
+++ b/README.md
@@ -5,7 +5,12 @@ Contains the Infrastructure as Code files which are used for provisioning my in
 The files within this repository should be run on a computer with Ansible installed which is only supported on MacOS and Linux systems. For Windows it can be run within a WSL distro (see [this guide](https://code.visualstudio.com/docs/remote/wsl-tutorial) on how to set this up, make sure the repository is checked out on the WSL distribution itself).
 ### Ansible control node prerequisites
-Install Ansible ([see instructions](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html)).
+1. Install Ansible ([see instructions](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html)).
+2. Install Ansible Galaxy content:
+
+ ```bash
+ ansible-galaxy install -r requirements.yml
+ ```
 ### Environment prerequisites
 The Raspberry Pi IaC code contained within this repository provisions the Raspberry Pi itself but doesn't provision all surrounding infrastructure which is presumed to be managed by hand. The following relevant configuration is assumed:
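Review bot: The interpreter path committed in `.vscode/settings.json` is an absolute path into one user's home directory (`/home/thomas/python_venv/bin/python`), so it is wrong on every other checkout and records the committer's local filesystem layout in the repository. Per-machine editor settings like this are normally kept out of version control (add `.vscode/` to `.gitignore`) or written relative to the workspace, e.g. `"ansible.python.interpreterPath": "${workspaceFolder}/.venv/bin/python"`, with the venv location documented in the README. The file is also missing its trailing newline, as the diff marker shows.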
diff --git a/playbook.yml b/playbook.yml
index d818bfd..d225158 100644
--- a/playbook.yml
+++ b/playbook.yml
@@ -2,6 +2,16 @@
 - name: Install raspberry pi
 become: true
 hosts: raspberry_pis
+ # roles:
+ # These roles are disabled after they have being applied once for performance reasons, it should be safe to enable them again.
+ # Notice that this role changes some settings on reruns (on the "Change various sysctl-settings" task), doesn't seem problematic though.
+ # - devsec.hardening.os_hardening
+ vars:
+ # devsec.hardening.os_hardening vars:
+ os_auth_pw_max_age: 99999 # Effectively disables the setting as mentioned in the docs.
+ os_cron_enabled: false # Cron isn't needed for the installation.
+ sysctl_overwrite:
+ vm.mmap_rnd_bits: 16 # See the "sysctl - vm.mmap_rnd_bits" section of the docs.
 tasks:
 # Disable warning on updating latest packages, it should be safe enough for this system.
 - name: Update all packages to their latest version # noqa: package-latest
diff --git a/requirements.yml b/requirements.yml
new file mode 100644
index 0000000..a7fcc8e
--- /dev/null
+++ b/requirements.yml
@@ -0,0 +1,6 @@
+---
+collections:
+ # from Ansible Galaxy
+ # See: https://galaxy.ansible.com/ui/repo/published/devsec/hardening/
+ - name: devsec.hardening
+ version: 9.0.1
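Review bot: Because the `roles:` entry is committed commented out (`# roles:` … `# - devsec.hardening.os_hardening`), a host provisioned from scratch with this playbook never receives the hardening and the `vars:` block added beneath it is dead configuration until someone remembers to uncomment the role; the rerun-time concern is better handled by leaving the role enabled and tagging it — `roles:` / `  - role: devsec.hardening.os_hardening` / `    tags: [hardening]` — so routine runs use `--skip-tags hardening` while a fresh host still gets the baseline. Two of the overrides weaken the role's defaults, `os_auth_pw_max_age: 99999` (no password expiry) and `vm.mmap_rnd_bits: 16` (less ASLR entropy), and their comments only point at the docs; state the reason in the comment (presumably key-only SSH login for the first and a kernel that rejects the role's default for the second — confirm both) so a later reader does not "correct" them. The comment text `have being applied` should read `have been applied`. The play's `tasks:` section continues outside the hunk.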