Add and configure OS hardening role

This role was run but is commented out as rerunning it shouldn't add much whilst also being a time hog.
2024-04-09 17:49:51 +02:00 · 2024-04-09 17:49:51 +02:00 · ce995083c6
commit ce995083c6
parent 7a42119d1a
4 changed files with 25 additions and 1 deletions
--- a/playbook.yml
+++ b/playbook.yml
@ -2,6 +2,16 @@
 - name: Install raspberry pi
  become: true
  hosts: raspberry_pis
+  # roles:
+    # These roles are disabled after they have being applied once for performance reasons, it should be safe to enable them again.
+    # Notice that this role changes some settings on reruns (on the "Change various sysctl-settings" task), doesn't seem problematic though.
+    # - devsec.hardening.os_hardening
+  vars:
+    # devsec.hardening.os_hardening vars:
+    os_auth_pw_max_age: 99999 # Effectively disables the setting as mentioned in the docs.
+    os_cron_enabled: false # Cron isn't needed for the installation.
+    sysctl_overwrite:
+      vm.mmap_rnd_bits: 16 # See the "sysctl - vm.mmap_rnd_bits" section of the docs.
  tasks:
    # Disable warning on updating latest packages, it should be safe enough for this system.
    - name: Update all packages to their latest version # noqa: package-latest