# Default registry
#
# Account Ansible uses for first contact with a fresh host. It is root, so
# the sshd settings further down must keep root login possible over SSH
# (see security_ssh_permit_root_login); setting that to "no" would lock the
# bootstrap out.
bootstrap_user: root

# For jean-cloud docker services
# Drop-in paths consumed by the proxy and prometheus containers. The "new_*"
# files are presumably staged copies that a later task swaps into place
# (not visible in this file -- confirm against the playbook).
new_nginx_conf_path: '/data/proxy/new-sites-enabled'
new_blackbox_hosts_path: '/data/prometheus/new-blackbox-targets.yml'
blackbox_hosts_path: '/data/prometheus/blackbox-targets.yml'

# Registry the hosts log in to for image pulls. No credentials belong in
# this file; keep the login secret in a vaulted variable.
remote_docker_login_registry: registry.jean-cloud.net

# sudo configuration
# using the grog.sudo role (the example below is commented out, so this file
# currently deploys no sudoers rule)
# https://galaxy.ansible.com/grog/sudo
#sudo_default_sudoers: yes
#sudo_list:
#  - name: tits
#    sudo:
#      hosts: ALL
#      as: ALL:ALL
#      commands: ALL
#      nopasswd: yes
# NOTE: the example above grants passwordless, root-equivalent sudo on every
# host; narrow `commands` (and drop `nopasswd`) before enabling it for a real
# account.

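# Security geerlingguy
# https://galaxy.ansible.com/geerlingguy/security
# sshd hardening rendered into sshd_config by the geerlingguy.security role.
security_ssh_port: 45985  # must stay listed in firewall_allowed_tcp_ports below
# IMPORTANT: keep the yes/no values quoted. An unquoted yes/no is parsed as a
# YAML boolean and rendered as True/False in sshd_config, which sshd does not
# accept -- the restart then fails and you can lock yourself out.
security_ssh_password_authentication: "no"
# bootstrap_user above is root, so presumably the playbook connects as root
# and this cannot be "no". "prohibit-password" allows root with a key only:
# the same effective policy as "yes" while PasswordAuthentication is "no",
# but it keeps root key-only even if password auth is ever re-enabled.
# Needs OpenSSH >= 7.0 (older releases spell it "without-password").
security_ssh_permit_root_login: "prohibit-password"
security_ssh_usedns: "no"
security_ssh_permit_empty_password: "no"
security_ssh_challenge_response_auth: "no"
security_ssh_gss_api_authentication: "no"
security_ssh_x11_forwarding: "no"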

# Auto upgrades
# Unattended upgrades via geerlingguy.security; the report address is
# unattended_upgrades_mail below. NOTE(review): check whether automatic
# reboots are enabled in the role -- kernel and libc updates are not
# effective until the host reboots.
security_autoupdate_enabled: true

# f2b
# Disabled here, and the oefenweb fail2ban example further down is commented
# out too, so no login throttling is deployed from this file. Acceptable only
# while password authentication stays "no" and root is key-only; revisit if
# either of those changes.
security_fail2ban_enabled: false

# locales
# Default locale generated and exported on the host (LANG and LC_ALL).
locales_default:
  lang: en_US.UTF-8
  lc_all: en_US.UTF-8


# For unattended upgrade configuration
# Recipient of upgrade reports. Assumes the host can deliver mail; verify an
# MTA is configured, otherwise failed upgrades go unnoticed.
unattended_upgrades_mail: contact@jean-cloud.org

# For ssh security (alternative to the geerlingguy sshd settings above --
# both roles manage sshd_config, so enable only one of them)
# https://galaxy.ansible.com/dev-sec/ssh-hardening
#network_ipv6_enable: true
#ssh_server_ports: ['45985']
#ssh_permit_root_login: no # TODO: uncommenting this broke the run -- possibly the unquoted-boolean trap described above (quote it as 'no'); retest before enabling

# Fail2ban
# https://galaxy.ansible.com/oefenweb/fail2ban
#fail2ban_filterd_path: ./fail2ban/etc/fail2ban/filter.d/
#fail2ban_actiond_path: ./fail2ban/etc/fail2ban/action.d/
#fail2ban_jaild_path: ./fail2ban/etc/fail2ban/jail.d/
#fail2ban_services:
#  # In older versions of Fail2Ban this is called ssh
#  - name: sshd
#    port: 45985  # must match security_ssh_port
#    maxretry: 3
#    bantime: -1  # permanent ban: three typos from your own IP lock you out for good; prefer a finite bantime plus ignoreip for admin ranges
#    #  - name: wplogin
#    #    port: http,https
#    #    filter: wplogin
#    #    logpath: /var/lib/docker/containers/*/*-json.log
#    #    banaction: docker-action
#    #    maxretry: 5
#    #    findtime: 120
#    #    bantime: 86400
#
# https://galaxy.ansible.com/robertdebock/fail2ban


# For Firewall
# https://galaxy.ansible.com/geerlingguy/firewall
# Host iptables policy. This list replaces the role's default allow-list
# outright (Ansible does not merge list variables), so plain port 22 is
# closed: sshd listens on security_ssh_port instead.
firewall_state: started
firewall_enabled_at_boot: true
firewall_log_dropped_packets: true  # watch log volume on an exposed host
# NOTE(review): ports published by Docker (-p) are handled in Docker's own
# iptables chains and are not filtered by these INPUT rules -- confirm which
# container ports are actually reachable from outside.
firewall_allowed_tcp_ports:
  - "45985"  # sshd (security_ssh_port)
  - "22529"  # TODO: undocumented -- record which service listens here
  - "80"     # http (likely the proxy from new_nginx_conf_path)
  - "443"    # https
  - "53"     # DNS over TCP
  - "5000"   # TODO: confirm what listens here; 5000 is the default Docker registry port, which should not be exposed unauthenticated
firewall_allowed_udp_ports:
  - "53"     # DNS -- NOTE(review): a resolver reachable from the internet should be restricted to the clients that need it

# For rootkit protection
# https://galaxy.ansible.com/mablanco/antirootkits
# Scan reports go to contact@; same mail-delivery assumption as
# unattended_upgrades_mail above.
antirootkits_mail_from: contact@jean-cloud.org
antirootkits_mail_to: contact@jean-cloud.org
antirootkits_log_expire: 90  # retention of scan logs (presumably days -- check the role)
# TODO: what is /home/docker? Nothing else in this file refers to it (the
# commented fail2ban example uses /var/lib/docker), so confirm it exists on
# the hosts before relying on this scan.
shelldetector_scan_directory: /home/docker  # it will probably flag too much noise there, won't it?
shelldetector_cron_hour: '4'  # daily at 04:00 host-local time (Europe/Paris below)
shelldetector_cron_minute: '00'


# Timezone
# https://galaxy.ansible.com/oefenweb/timezone
# Host timezone; also determines when the shelldetector cron above runs.
timezone_zone: Europe/Paris

# NTP
# https://galaxy.ansible.com/geerlingguy/ntp
# ntp_timezone duplicates timezone_zone above; keep the two in sync.
ntp_timezone: Europe/Paris
ntp_daemon: ntp