This one is also disabled since it's not super useful to run more than once. This role however doesn't report changes on reruns (as we've seen for the os_hardening role).
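---
# Playbook for the hosts in the `raspberry_pis` inventory group: carries the
# (currently disabled) devsec.hardening roles with their variables, and
# upgrades every installed package.
- name: Install raspberry pi
  become: true
  hosts: raspberry_pis
  # roles:
  #   # These roles are disabled after they have been applied once, for
  #   # performance reasons; it should be safe to enable them again.
  #   # Notice that this role changes some settings on reruns (on the
  #   # "Change various sysctl-settings" task), doesn't seem problematic though.
  #   - devsec.hardening.os_hardening
  #   # Also disabled since it's not useful to run more than once.
  #   - devsec.hardening.ssh_hardening
  #
  # NOTE(review): while both roles stay commented out, the vars below are not
  # consumed by anything in this play, and settings changed on a host after
  # the first run are not put back. Re-enable the roles periodically (or run
  # them in check mode) to detect and correct drift.
  vars:
    # devsec.hardening.os_hardening vars:
    # Effectively disables the setting as mentioned in the docs.
    os_auth_pw_max_age: 99999
    # Cron isn't needed for the installation.
    os_cron_enabled: false
    sysctl_overwrite:
      # See the "sysctl - vm.mmap_rnd_bits" section of the docs.
      vm.mmap_rnd_bits: 16

    # devsec.hardening.ssh_hardening vars:
    # Only this account may log in over SSH once the role is applied.
    ssh_allow_users: 'thomas'
    # NOTE(review): the ssh_client_* variables configure the outgoing SSH
    # client on the host. If the intent is to document the listening port and
    # password login of sshd, the role's ssh_server_ports and
    # ssh_server_password_login are presumably the ones meant - confirm.
    # Default, but duplicated here for documentation purposes. Not changed
    # because it's only accessible via LAN.
    ssh_client_port: 22
    # Default, but duplicated here for documentation purposes.
    ssh_client_password_login: false

  tasks:
    # Disable warning on updating latest packages, it should be safe enough
    # for this system.
    - name: Update all packages to their latest version  # noqa: package-latest
      ansible.builtin.apt:
        name: "*"
        state: latest
        # Refresh the package index first; with a stale index `state: latest`
        # can report "ok" while pending security updates are never installed.
        update_cache: true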