---
# System Hardening Role - Default Variables
#
# Every value below is an Ansible role default and may be overridden per
# host or group. Free-text values are single-quoted so the YAML loader never
# retypes them (a bare no becomes false, a bare 03:00 becomes the integer 180).

# --- SSH daemon ------------------------------------------------------------
ssh_port: 22
# sshd_config keywords expect the literal strings yes/no, hence the quotes
ssh_permit_root_login: 'no'
ssh_password_authentication: 'no'
ssh_pubkey_authentication: 'yes'
# NOTE(review): ChallengeResponseAuthentication is a deprecated alias of
# KbdInteractiveAuthentication on recent OpenSSH releases — confirm the
# template renders the keyword the target release accepts.
ssh_challenge_response_auth: 'no'
ssh_x11_forwarding: 'no'
ssh_max_auth_tries: 3
# Idle-session policy: probe every 300 s, drop after 2 unanswered probes
ssh_client_alive_interval: 300
ssh_client_alive_count_max: 2
# Users allowed to log in over SSH. An empty list presumably means no
# AllowUsers restriction is rendered — verify against the sshd template.
ssh_allowed_users: []
ssh_listen_address: '0.0.0.0'

# Cipher, MAC and key-exchange allow-lists; CBC ciphers and SHA-1 MACs are
# not in these lists.
ssh_ciphers:
  - 'chacha20-poly1305@openssh.com'
  - 'aes256-gcm@openssh.com'
  - 'aes128-gcm@openssh.com'
ssh_macs:
  - 'hmac-sha2-512-etm@openssh.com'
  - 'hmac-sha2-256-etm@openssh.com'
ssh_kex_algorithms:
  - 'curve25519-sha256'
  - 'curve25519-sha256@libssh.org'
  - 'diffie-hellman-group-exchange-sha256'

# --- Packages --------------------------------------------------------------
# Firewall, brute-force protection, update automation, audit and
# integrity/rootkit scanners installed by the role
hardening_install_packages:
  - ufw
  - fail2ban
  - unattended-upgrades
  - apt-listchanges
  - auditd
  - aide
  - rkhunter
  - lynis
# Cleartext remote-shell clients removed from the host
hardening_remove_packages:
  - telnet
  - rsh-client
  - rsh-redone-client

# --- Automatic security updates -------------------------------------------
unattended_upgrades_enabled: true
unattended_upgrades_auto_reboot: false
# Quoted on purpose: a bare 03:00 is a sexagesimal integer under YAML 1.1
unattended_upgrades_auto_reboot_time: '03:00'

# --- Fail2ban --------------------------------------------------------------
fail2ban_enabled: true
fail2ban_bantime: 3600  # seconds an offending address stays banned
fail2ban_findtime: 600  # window (seconds) in which maxretry failures count
fail2ban_maxretry: 5
fail2ban_destemail: 'root@localhost'

# --- Kernel / network sysctl ----------------------------------------------
sysctl_config:
  # IP forwarding is enabled so the host can route VPN traffic.
  # NOTE(review): this makes every host the role targets a router — set to 0
  # on hosts that do not terminate a VPN.
  net.ipv4.ip_forward: 1
  # Disable IPv6 (optional, set to 0 to enable)
  net.ipv6.conf.all.disable_ipv6: 1
  net.ipv6.conf.default.disable_ipv6: 1
  # SYN-flood resistance: cookies plus a short retry budget and a larger
  # half-open backlog
  net.ipv4.tcp_syncookies: 1
  net.ipv4.tcp_syn_retries: 2
  net.ipv4.tcp_synack_retries: 2
  net.ipv4.tcp_max_syn_backlog: 4096
  # Reverse-path filtering against spoofed sources (1 = strict). With
  # ip_forward on, asymmetrically routed VPN traffic may require loose mode
  # (2) — verify on the real topology.
  net.ipv4.conf.all.rp_filter: 1
  net.ipv4.conf.default.rp_filter: 1
  # Do not accept ICMP redirects, not even "secure" ones from known gateways
  net.ipv4.conf.all.accept_redirects: 0
  net.ipv4.conf.default.accept_redirects: 0
  net.ipv4.conf.all.secure_redirects: 0
  net.ipv4.conf.default.secure_redirects: 0
  # Do not send ICMP redirects (a hardened host should not advertise routes)
  net.ipv4.conf.all.send_redirects: 0
  net.ipv4.conf.default.send_redirects: 0
  # ICMP echo: 0 keeps answering unicast pings (set to 1 to ignore all);
  # broadcast echo requests are ignored to avoid acting as an amplifier
  net.ipv4.icmp_echo_ignore_all: 0
  net.ipv4.icmp_echo_ignore_broadcasts: 1
  # Ignore bogus ICMP error responses
  net.ipv4.icmp_ignore_bogus_error_responses: 1
  # Log packets with impossible source addresses (martians)
  net.ipv4.conf.all.log_martians: 1
  net.ipv4.conf.default.log_martians: 1
  # Refuse source-routed packets
  net.ipv4.conf.all.accept_source_route: 0
  net.ipv4.conf.default.accept_source_route: 0
  # System-wide open file descriptor ceiling
  fs.file-max: 65535
  # RFC 1337 TIME-WAIT assassination protection
  net.ipv4.tcp_rfc1337: 1
  # Kernel information hiding: dmesg and kernel pointers restricted to
  # privileged users; ptrace limited to descendant processes (Yama)
  kernel.dmesg_restrict: 1
  kernel.kptr_restrict: 2
  kernel.yama.ptrace_scope: 1

# --- Auditd ----------------------------------------------------------------
auditd_enabled: true
# Watch (-w) rules recording writes and attribute changes (-p wa) on
# identity, privilege and SSH configuration files, keyed (-k) for searching.
# Quoted because a plain value starting with "- " would parse as a nested
# list.
auditd_rules:
  - '-w /etc/passwd -p wa -k identity'
  - '-w /etc/group -p wa -k identity'
  - '-w /etc/shadow -p wa -k identity'
  - '-w /etc/sudoers -p wa -k actions'
  - '-w /var/log/auth.log -p wa -k auth'
  - '-w /var/log/faillog -p wa -k logins'
  - '-w /etc/ssh/sshd_config -p wa -k sshd'

# --- Host identity ---------------------------------------------------------
system_timezone: 'UTC'
# Leave empty to keep the current hostname
system_hostname: ''