|
|
@@ -157,6 +157,10 @@
|
|
|
group: root
|
|
|
mode: '0644'
|
|
|
|
|
|
+ - name: "Register if we are running baremetal (none), virtualized (kvm) or container (lxc)"
|
|
|
+ command: systemd-detect-virt
|
|
|
+ register: systemd_detect_virt
|
|
|
+
|
|
|
# Set vm.swappiness to 1 in /etc/sysctl.conf
|
|
|
- name: "Set swappiness to zero in sysctl.conf"
|
|
|
sysctl:
|
|
|
@@ -165,7 +169,8 @@
|
|
|
state: present
|
|
|
reload: yes
|
|
|
sysctl_file: /etc/sysctl.conf
|
|
|
-
|
|
|
+ when: systemd_detect_virt.stdout != "lxc"
|
|
|
+
|
|
|
- name: "Set nf_conntrack_max to 131072 in sysctl.conf, suitable for max 4gb of ram, conntrack_max = RAMSIZE (in bytes)/16384/2 = 4*1024*1024*1024/16384/2 = 4*32768 = 131072"
|
|
|
sysctl:
|
|
|
name: net.netfilter.nf_conntrack_max
|
|
|
@@ -174,6 +179,7 @@
|
|
|
reload: yes
|
|
|
sysctl_file: /etc/sysctl.conf
|
|
|
#source: https://support.huaweicloud.com/intl/en-us/trouble-ecs/ecs_trouble_0324.html
|
|
|
+ when: systemd_detect_virt.stdout != "lxc"
|
|
|
|
|
|
- name: Disable IPv6 with sysctl
|
|
|
sysctl: name={{ item }} value=1 state=present reload=yes
|
|
|
@@ -181,6 +187,7 @@
|
|
|
- net.ipv6.conf.all.disable_ipv6
|
|
|
- net.ipv6.conf.default.disable_ipv6
|
|
|
- net.ipv6.conf.lo.disable_ipv6
|
|
|
+ when: systemd_detect_virt.stdout != "lxc"
|
|
|
|
|
|
- ansible.builtin.include_role:
|
|
|
name: ssh_hardening
|
