feat: linux and ssh baseline hardening

Makefile

@@ -9,6 +9,7 @@ endef
 
 define configure_base
 	ansible-playbook -i ./ansible/inventory/hosts.ini -f 10 ./ansible/playbook.yml
+	ansible-playbook -i ./ansible/inventory/hosts.ini -f 10 ./ansible/harden.yml
 endef
 
 define configure_loadbalance
@@ -104,6 +105,5 @@ test.loadbalance: ## Test loadbalancer installation
 test.libreddit: ## Test libreddit installation
 	$(call test_libreddit)
 
-
 help: ## Prints help for targets with comments
 	@cat $(MAKEFILE_LIST) | grep -E '^[a-zA-Z_-].+:.*?## .*$$' | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'

ansible/harden.yml

@@ -0,0 +1,29 @@
+# SPDX-FileCopyrightText: 2023 Aravinth Manivannan <realaravinth@batsense.net>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+---
+- name: Baseline security compliance
+  hosts: all
+  remote_user: atm
+  become: true
+  pre_tasks:
+    - name: Ensure all VMs are reachable
+      ansible.builtin.ping:
+  collections:
+    - devsec.hardening
+  roles:
+    - devsec.hardening.os_hardening
+    - ssh_hardening
+  vars:
+    - ssh_allow_tcp_forwarding: no
+    - ssh_allow_agent_forwarding: false
+    - ssh_x11_forwarding: false
+    - ssh_server_password_login: false
+    - os_filesystem_whitelist: vfat
+    - sysctl_overwrite:
+        - net.ipv6.conf.default.autoconf: 0
+        - net.ipv6.conf.all.autoconf: 0
+        - net.ipv6.conf.all.router_solicitations: 0
+        - fs.protected_symlinks: 1
+        - fs.protected_hardlinks: 1