mash-playbook/docs/services/system.md

5 KiB

System-related configuration

This Ansible playbook can install and configure various system-related things for you. All the sections below relate to the host OS instead of the managed containers.

swap

To enable swap management (also read more in the Swap article in the Arch Linux Wiki), add the following configuration to your vars.yml file and re-run the installation process:

########################################################################
#                                                                      #
# system                                                               #
#                                                                      #
########################################################################

system_swap_enabled: true

########################################################################
#                                                                      #
# /system                                                              #
#                                                                      #
########################################################################

A swap file will be created in /var/swap (configured using the system_swap_path variable) and enabled in your /etc/fstab file.

By default, the swap file will have 1GB size, but you can set the system_swap_size variable in megabytes, example (4gb):

system_swap_size: 4096

Warning: changing system_swap_size subsequently will not recreate the SWAP file with the new size. You will need to disable swap, re-run the playbook (to make it clean up), then enable it again with the new size.

ssh

Warning

: advanced functionality! While the default config with a few adjustments was battle tested on hundreds of servers, you should use it with caution and verify everything before you apply the changes!

To enable ssh server config and authorized/unauthorized keys management, add the following configuration to your vars.yml file and re-run the installation process:

########################################################################
#                                                                      #
# system                                                               #
#                                                                      #
########################################################################

system_security_ssh_enabled: true

system_security_ssh_port: 22

system_security_ssh_authorizedkeys_host: [] # list of authorized public keys
system_security_ssh_unauthorizedkeys_host: [] # list of unauthorized/revoked public keys

########################################################################
#                                                                      #
# /system                                                              #
#                                                                      #
########################################################################

The default configuration is good enough as-is, but we strongly suggest you to verify everything before applying any changes!, otherwise you may lock yourself out of the server.

With this configuration, the default /etc/ssh/sshd_config file on your server will be replaced by a new one, managed by the ssh role (see its templates/etc/ssh/sshd_config.j2 file).

There are various configuration options - check the defaults and adjust them to your needs.

fail2ban

To enable fail2ban installation, management and integration with SSHd, add the following configuration to your vars.yml file and re-run the installation process:

########################################################################
#                                                                      #
# system                                                               #
#                                                                      #
########################################################################

system_security_fail2ban_enabled: true

system_security_fail2ban_sshd_port: 22
# If you enabled playbook-managed ssh as described above,
# you can replace the line above with the following:
# system_security_fail2ban_sshd_port: "{{ system_security_ssh_port }}"

########################################################################
#                                                                      #
# /system                                                              #
#                                                                      #
########################################################################