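---
# Base Security Role Default Variables
#
# Lowest-precedence defaults (role `defaults/`). Anything here can be
# overridden from inventory, group_vars or play vars. Values are written as
# native YAML booleans/integers; the role's templates are expected to render
# them into the sshd/sysctl/ufw/fail2ban syntax.

# ---------------------------------------------------------------------------
# SSH Configuration
# ---------------------------------------------------------------------------
ssh_port: 22
ssh_permit_root_login: false
ssh_password_authentication: false
ssh_pubkey_authentication: true
ssh_challenge_response_authentication: false
ssh_gss_api_authentication: false
ssh_x11_forwarding: false
ssh_max_auth_tries: 3
# Idle session timeout = interval * count_max (300 s * 2 = 10 minutes).
ssh_client_alive_interval: 300
ssh_client_alive_count_max: 2
ssh_max_sessions: 2
ssh_tcp_keep_alive: true
# Compression is off because of the historical risk of compression-side
# channels and because it offers little benefit on modern links.
ssh_compression: false
# UseDNS off: reverse lookups only slow logins down and add a spoofable input.
ssh_use_dns: false
ssh_permit_tunnel: false
ssh_permit_user_environment: false
ssh_banner: /etc/ssh/ssh_banner

# Allowed SSH users and groups
#
# NOTE: sshd evaluates AllowUsers AND AllowGroups — a login must satisfy
# both lists. Every user listed below therefore also has to be a member of
# one of the allowed groups, or they will be locked out. `ansible_user` must
# be defined (inventory/connection var) for the first entry to render; an
# undefined value fails the template rather than silently opening access.
ssh_allowed_users:
  - "{{ ansible_user }}"
  - deploy
ssh_allowed_groups:
  - sudo
  - adm

# SSH Key Management
# Exclusive mode removes any authorized_keys entries the role did not manage.
ssh_authorized_keys_exclusive: true
# Host key algorithms offered to clients. The SHA-1 based `ssh-rsa` signature
# is deliberately absent; RSA keys are still usable via the rsa-sha2-* names.
ssh_host_key_algorithms:
  - ssh-ed25519
  - ecdsa-sha2-nistp521
  - ecdsa-sha2-nistp384
  - ecdsa-sha2-nistp256
  - rsa-sha2-512
  - rsa-sha2-256

# ---------------------------------------------------------------------------
# UFW Firewall Configuration
# ---------------------------------------------------------------------------
ufw_enabled: true
ufw_default_incoming: deny
ufw_default_outgoing: allow
ufw_default_forward: deny
# Quoted on purpose: a bare `on` is parsed as the boolean true by YAML 1.1.
ufw_logging: "on"
# Set true to wipe existing ufw rules before applying `ufw_rules`.
ufw_reset: false

# Default firewall rules
#
# 80/443 are open by default; on hosts that do not serve HTTP(S) override
# `ufw_rules` so only the SSH rule remains. The SSH rule follows `ssh_port`,
# so changing the port does not lock the host out.
ufw_rules:
  - rule: allow
    port: "{{ ssh_port }}"
    proto: tcp
    comment: "SSH"
  - rule: allow
    port: "80"
    proto: tcp
    comment: "HTTP"
  - rule: allow
    port: "443"
    proto: tcp
    comment: "HTTPS"

# ---------------------------------------------------------------------------
# Fail2ban Configuration
# ---------------------------------------------------------------------------
# Plain boolean. The previous `"{{ fail2ban_enabled | default(true) }}"`
# referenced the variable inside its own definition, which Ansible rejects
# as a recursive template loop; defaults are already the lowest precedence,
# so a literal is both correct and overridable.
fail2ban_enabled: true
fail2ban_loglevel: INFO
fail2ban_socket: /var/run/fail2ban/fail2ban.sock
fail2ban_pidfile: /var/run/fail2ban/fail2ban.pid

# Default Fail2ban jails
#
# The nginx jails assume nginx is installed: fail2ban refuses to start a jail
# whose logpath does not exist, so on hosts without nginx set their `enabled`
# to false (or override `fail2ban_jails`) to keep the sshd jail healthy.
fail2ban_jails:
  - name: sshd
    enabled: true
    port: "{{ ssh_port }}"
    filter: sshd
    # With `backend: systemd` fail2ban reads the journal and ignores logpath;
    # it is kept for hosts where the role is overridden to a file backend.
    logpath: /var/log/auth.log
    maxretry: 3
    findtime: 600
    bantime: 1800
    backend: systemd
  - name: nginx-http-auth
    enabled: true
    port: http,https
    filter: nginx-http-auth
    logpath: /var/log/nginx/error.log
    maxretry: 3
    findtime: 600
    bantime: 1800
  - name: nginx-limit-req
    enabled: true
    port: http,https
    filter: nginx-limit-req
    logpath: /var/log/nginx/error.log
    maxretry: 5
    findtime: 600
    bantime: 1800

# ---------------------------------------------------------------------------
# System Security Settings (sysctl)
# ---------------------------------------------------------------------------
security_kernel_parameters:
  # Network security
  net.ipv4.tcp_syncookies: 1
  # ip_forward=0 breaks container/VM hosts (Docker, k8s, libvirt); override
  # `security_kernel_parameters` on those hosts.
  net.ipv4.ip_forward: 0
  net.ipv4.conf.all.send_redirects: 0
  net.ipv4.conf.default.send_redirects: 0
  net.ipv4.conf.all.accept_redirects: 0
  net.ipv4.conf.default.accept_redirects: 0
  net.ipv4.conf.all.accept_source_route: 0
  net.ipv4.conf.default.accept_source_route: 0
  net.ipv4.conf.all.log_martians: 1
  net.ipv4.conf.default.log_martians: 1
  net.ipv4.icmp_echo_ignore_broadcasts: 1
  net.ipv4.icmp_ignore_bogus_error_responses: 1
  # rp_filter=1 is strict reverse-path filtering; use 2 (loose) on
  # multi-homed hosts with asymmetric routing.
  net.ipv4.conf.all.rp_filter: 1
  net.ipv4.conf.default.rp_filter: 1
  # IPv6 security
  net.ipv6.conf.all.accept_redirects: 0
  net.ipv6.conf.default.accept_redirects: 0
  # accept_ra=0 disables SLAAC/router-advertised addressing; hosts that rely
  # on RA for IPv6 connectivity need this overridden.
  net.ipv6.conf.all.accept_ra: 0
  net.ipv6.conf.default.accept_ra: 0
  # Kernel security
  kernel.randomize_va_space: 2
  kernel.kptr_restrict: 2
  kernel.dmesg_restrict: 1
  # Quoted: four space-separated integers are a single string value.
  kernel.printk: "3 3 3 3"
  kernel.unprivileged_bpf_disabled: 1
  net.core.bpf_jit_harden: 2
  # Filesystem / core-dump hardening (CIS-style). suid_dumpable=0 stops
  # setuid programs from writing core files that may contain secrets;
  # protected_* defeat symlink/hardlink races in world-writable dirs.
  fs.suid_dumpable: 0
  fs.protected_hardlinks: 1
  fs.protected_symlinks: 1
  # Disable the magic SysRq key (console-triggered reboot/crash/dumps).
  kernel.sysrq: 0

# ---------------------------------------------------------------------------
# Package updates and security
# ---------------------------------------------------------------------------
security_packages:
  - fail2ban
  - ufw
  - unattended-upgrades
  - apt-listchanges
  - needrestart
  - rkhunter
  - chkrootkit
  - lynis

# Automatic security updates
unattended_upgrades_enabled: true
# Reboots are off by default; when enabled, kernel/libc updates apply at the
# time below (host local time).
unattended_upgrades_automatic_reboot: false
unattended_upgrades_automatic_reboot_time: "06:00"
# Ubuntu-specific origins. Debian hosts need
# `origin=Debian,codename=${distro_codename},label=Debian-Security` instead.
unattended_upgrades_origins_patterns:
  - origin=Ubuntu,archive=${distro_codename}-security
  - origin=Ubuntu,archive=${distro_codename}-updates

# ---------------------------------------------------------------------------
# System hardening
# ---------------------------------------------------------------------------
# Legacy/insecure network services to stop and disable if present.
disable_unused_services:
  - rpcbind
  - nfs-common
  - portmap
  - xinetd
  - telnet
  - rsh-server
  - rsh-redone-server

# User and permission settings
# Quoted so the leading zero is not read as an octal integer.
security_umask: "027"
# Shell inactivity timeout in seconds (TMOUT).
security_login_timeout: 300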