mash-playbook/docs/services/system.md

# System-related configuration

This Ansible playbook can install and configure various system-related things for you.
All the sections below relate to the host OS instead of the managed containers.

### swap

To enable [swap](https://en.wikipedia.org/wiki/Memory_paging) management (also read more in the [Swap](https://wiki.archlinux.org/title/Swap) article in the [Arch Linux Wiki](https://wiki.archlinux.org/)), add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process:

```yaml
########################################################################
#                                                                      #
# system                                                               #
#                                                                      #
########################################################################

system_swap_enabled: true

########################################################################
#                                                                      #
# /system                                                              #
#                                                                      #
########################################################################
```

A swap file will be created in `/var/swap` (configured using the `system_swap_path` variable) and enabled in your `/etc/fstab` file.

By default, the swap file will have the following size:

- on systems with `<= 2GB` of RAM, swap file size = `total RAM * 2`
- on systems with `> 2GB` of RAM, swap file size = `1GB`

To avoid these calculations and set your own size explicitly, set the `system_swap_size` variable in megabytes, example (4gb):

```yaml
system_swap_size: 4096
```

### ssh

> **Warning**: advanced functionality! While the default config with a few adjustments was battle tested on hundreds of servers,
> you should use it with caution and verify everything before you apply the changes!

To enable [ssh server](https://www.openssh.com/) config and authorized/unauthorized keys management, add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process:

```yaml
########################################################################
#                                                                      #
# system                                                               #
#                                                                      #
########################################################################

system_security_ssh_enabled: true

system_security_ssh_port: 22

system_security_ssh_authorizedkeys: [] # list of authorized public keys
system_security_ssh_unauthorizedkeys: [] # list of unauthorized/revoked public keys

########################################################################
#                                                                      #
# /system                                                              #
#                                                                      #
########################################################################
```

The [default configuration](https://gitlab.com/etke.cc/roles/ssh/-/blob/main/defaults/main.yml) is good enough as-is, but we strongly suggest you to **verify everything before applying any changes!**, otherwise you may lock yourself out of the server.

With this configuration, the default `/etc/ssh/sshd_config` file on your server will be replaced by a new one, managed by the [ssh role](https://gitlab.com/etke.cc/roles/ssh) (see its [templates/etc/ssh/sshd_config.j2](https://gitlab.com/etke.cc/roles/ssh/-/blob/main/templates/etc/ssh/sshd_config.j2) file).

There are various configuration options - check the defaults and adjust them to your needs.

### fail2ban

To enable [fail2ban](https://fail2ban.org/wiki/index.php/Main_Page) installation, management and integration with SSHd, add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process:

```yaml
########################################################################
#                                                                      #
# system                                                               #
#                                                                      #
########################################################################

system_security_fail2ban_enabled: true

system_security_fail2ban_sshd_port: 22
# If you enabled playbook-managed ssh as described above,
# you can replace the line above with the following:
# system_security_fail2ban_sshd_port: "{{ system_security_ssh_port }}"

########################################################################
#                                                                      #
# /system                                                              #
#                                                                      #
########################################################################
```
add system/swap role 2023-03-18 12:24:46 +01:00			`# System-related configuration`

			`This Ansible playbook can install and configure various system-related things for you.`
Add additional swap explanations in system.md 2023-03-18 15:02:11 +01:00			`All the sections below relate to the host OS instead of the managed containers.`
add system/swap role 2023-03-18 12:24:46 +01:00
			`### swap`

Add additional swap explanations in system.md 2023-03-18 15:02:11 +01:00			To enable [swap](https://en.wikipedia.org/wiki/Memory_paging) management (also read more in the [Swap](https://wiki.archlinux.org/title/Swap) article in the [Arch Linux Wiki](https://wiki.archlinux.org/)), add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process:
add system/swap role 2023-03-18 12:24:46 +01:00
			```yaml
			`########################################################################`
			`# #`
			`# system #`
			`# #`
			`########################################################################`

			`system_swap_enabled: true`

			`########################################################################`
			`# #`
			`# /system #`
			`# #`
			`########################################################################`
			```

Add additional swap explanations in system.md 2023-03-18 15:02:11 +01:00			A swap file will be created in `/var/swap` (configured using the `system_swap_path` variable) and enabled in your `/etc/fstab` file.

			`By default, the swap file will have the following size:`

			- on systems with `<= 2GB` of RAM, swap file size = `total RAM * 2`
			- on systems with `> 2GB` of RAM, swap file size = `1GB`

			To avoid these calculations and set your own size explicitly, set the `system_swap_size` variable in megabytes, example (4gb):
add system/swap role 2023-03-18 12:24:46 +01:00
			```yaml
			`system_swap_size: 4096`
			```
add sshd management 2023-03-18 20:50:27 +01:00
			`### ssh`

			`> Warning: advanced functionality! While the default config with a few adjustments was battle tested on hundreds of servers,`
			`> you should use it with caution and verify everything before you apply the changes!`

			To enable [ssh server](https://www.openssh.com/) config and authorized/unauthorized keys management, add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process:

			```yaml
			`########################################################################`
			`# #`
			`# system #`
			`# #`
			`########################################################################`

			`system_security_ssh_enabled: true`
Update system.md 2023-03-19 07:25:33 +01:00
			`system_security_ssh_port: 22`

add sshd management 2023-03-18 20:50:27 +01:00			`system_security_ssh_authorizedkeys: [] # list of authorized public keys`
			`system_security_ssh_unauthorizedkeys: [] # list of unauthorized/revoked public keys`

			`########################################################################`
			`# #`
			`# /system #`
			`# #`
			`########################################################################`
			```

Update system.md 2023-03-19 07:25:33 +01:00			`The [default configuration](https://gitlab.com/etke.cc/roles/ssh/-/blob/main/defaults/main.yml) is good enough as-is, but we strongly suggest you to verify everything before applying any changes!, otherwise you may lock yourself out of the server.`
add sshd management 2023-03-18 20:50:27 +01:00
Update system.md 2023-03-19 07:25:33 +01:00			With this configuration, the default `/etc/ssh/sshd_config` file on your server will be replaced by a new one, managed by the [ssh role](https://gitlab.com/etke.cc/roles/ssh) (see its [templates/etc/ssh/sshd_config.j2](https://gitlab.com/etke.cc/roles/ssh/-/blob/main/templates/etc/ssh/sshd_config.j2) file).

			`There are various configuration options - check the defaults and adjust them to your needs.`
add fail2ban 2023-03-18 21:04:44 +01:00
			`### fail2ban`

			To enable [fail2ban](https://fail2ban.org/wiki/index.php/Main_Page) installation, management and integration with SSHd, add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process:

			```yaml
			`########################################################################`
			`# #`
			`# system #`
			`# #`
			`########################################################################`

			`system_security_fail2ban_enabled: true`
Update system.md 2023-03-19 07:25:33 +01:00
add fail2ban 2023-03-18 21:04:44 +01:00			`system_security_fail2ban_sshd_port: 22`
Update system.md 2023-03-19 07:25:33 +01:00			`# If you enabled playbook-managed ssh as described above,`
add fail2ban 2023-03-18 21:04:44 +01:00			`# you can replace the line above with the following:`
			`# system_security_fail2ban_sshd_port: "{{ system_security_ssh_port }}"`

			`########################################################################`
			`# #`
			`# /system #`
			`# #`
			`########################################################################`
			```