docs: add READMEs to roles and add index of all roles

2024-11-10 06:24:17 +00:00 · 2021-03-31 10:04:34 +02:00 · 2021-03-31 10:04:34 +02:00 · 42744e0f25
commit 42744e0f25
parent 1aa29f98d1
4 changed files with 51 additions and 17 deletions
--- a/README.md
+++ b/README.md
@ -1,21 +1,9 @@
 # Ansible Collection - famedly.base

-User Provisioning
-============================
+- [roles/dns](roles/dns/README.md) for setting DNS records with ansible, currently only cloudflare as a backend is supported
+- [roles/hostname](roles/hostname/README.md) for setting `/etc/hostname` and `/etc/hosts`
+- [roles/redis](roles/redis/README.md) to deploy redis in a docker container
+- [roles/ssh](roles/ssh/README.md) for SSH hardening
+- [roles/user](roles/user/README.md) for creating user accounts with SSH keys deployed

-This role is provisioning access of the staff to the servers this is run on

-Role Variables
--------------
-
-The defaults/main.yml file contains a list of users in this format:
-```
-users:
-  - name: username
-    root: true|false
-    ssh:
-      - key: ssh key
-        active: true|false
-```
-
-Users is a list of users, ssh is a list of ssh keys.
--- a/roles/redis/README.md
+++ b/roles/redis/README.md
@ -0,0 +1,13 @@
+# Redis role
+
+This role can be used to deploy redis in a docker container, and can be used
+as a easy drop-in when an application needs a redis DB for caching/...
+
+## Usage
+
+The role supports prefixing all paths/users/containers with `redis_prefix`, so
+the role can easily be used multiple times for different usage cases.
+
+For securing redis additionally, a `redis_secret` can be configured. Keep in mind
+that redis recommends very long secrets, as redis itself has no brute-force-
+protection.
--- a/roles/ssh/README.md
+++ b/roles/ssh/README.md
@ -0,0 +1,14 @@
+# SSH hardening
+
+This role is used for basic hardening of a SSH daemon. It features
+common basic hardening features like disabling root login, requiring
+pubkey authentication and disabling some unsafe-ish, rarely used features.
+
+## Features
+
+- `PasswordAuthentication no` which makes BF-attempts harder
+- `ChallengeResponseAuthentication no` because we don't use it
+- `PubkeyAuthentication yes` because only key-based auth is allowed
+- `PermitRootLogin no` as it can pose a security threat
+- `ClientAliveInterval 300` to disconnect all idle sessions after 300s=5m
+- `Protocol 2` because SSHv1 has security issues and should not be used as fallback
--- a/roles/user/README.md
+++ b/roles/user/README.md
@ -0,0 +1,19 @@
+User Provisioning
+============================
+
+This role is provisioning access of the staff to the servers this is run on
+
+Role Variables
+--------------
+
+The defaults/main.yml file contains a list of users in this format:
+```
+users:
+  - name: username
+    root: true|false
+    ssh:
+      - key: ssh key
+        active: true|false
+```
+
+Users is a list of users, ssh is a list of ssh keys.