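# SPDX-FileCopyrightText: 2023 Aravinth Manivannan
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
# Baseline hardening play: applies the devsec.hardening OS and SSH roles to
# every host in the inventory, connecting as `debian` and escalating with
# become.
- name: Baseline security compliance
  hosts: all
  remote_user: debian
  become: true

  pre_tasks:
    # Fail early on unreachable hosts, before any hardening role runs.
    - name: Ensure all VMs are reachable
      ansible.builtin.ping:

  collections:
    - devsec.hardening

  roles:
    - devsec.hardening.os_hardening
    # Fully qualified like the role above, so resolution does not depend on
    # the `collections` search path.
    - devsec.hardening.ssh_hardening

  # Written as one mapping rather than a list of single-key mappings, which
  # is the form Ansible documents for play vars.
  vars:
    # Quoted: a bare `no` is read as boolean false by YAML 1.1 loaders, while
    # sshd's AllowTcpForwarding takes a string keyword.
    ssh_allow_tcp_forwarding: 'no'
    ssh_allow_agent_forwarding: false
    ssh_x11_forwarding: false
    # Password logins are turned off: make sure key-based access for
    # `remote_user` works before this play is applied, or the host can only
    # be recovered from its console.
    ssh_server_password_login: false

    # Keep vfat usable while os_hardening disables unused filesystems
    # (presumably for an EFI system partition; confirm per host).
    # NOTE(review): the role's default for this variable is a list, so a list
    # is passed here instead of a bare string.
    os_filesystem_whitelist:
      - vfat

    # Overrides for the sysctl values os_hardening applies.
    # NOTE(review): given as a mapping of key to value, the form the role's
    # README shows; confirm against the pinned collection version.
    sysctl_overwrite:
      # No IPv6 address autoconfiguration or router solicitations.
      net.ipv6.conf.default.autoconf: 0
      net.ipv6.conf.all.autoconf: 0
      net.ipv6.conf.all.router_solicitations: 0
      # Bridged traffic is passed through iptables/ip6tables. These keys
      # exist only while the br_netfilter module is loaded.
      net.bridge.bridge-nf-call-iptables: 1
      net.bridge.bridge-nf-call-ip6tables: 1
      # IPv4 forwarding stays ON. This is a deliberate relaxation of a
      # hardened default: the hosts will route packets, so forwarding
      # firewall rules have to exist. Presumably needed for bridge or
      # container networking; confirm it is required on every host in `all`.
      net.ipv4.ip_forward: 1
      fs.protected_symlinks: 1
      fs.protected_hardlinks: 1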