Merge branch 'progmaticltd:main' into allow-apt-mirrors

Author: diffway

config/defaults/common-security.yml

@@ -23,6 +23,8 @@ security_default:
     active: true
     rate: 10/minute
     period: 2h
+  trusted:
+    period: 2h
 
   # The size of the Diffie-Hellman parameters to use for DHE ciphers.
   # Predifined values from the RFC7919 will be used wherever possible.
@@ -101,7 +103,7 @@ passwords_default:
 #
 # Credentials store to use
 creds_default:
-  store: password
+  store: ansible.builtin.password
   prefix: '../backup/{{ network.domain }}/'
   opts:
     create: ''   # no creation option for plain text passwords

config/defaults/version-large.yml

@@ -154,10 +154,17 @@ mail_default:
   sieve:
     debug: false
 
+  #############################################################################
+  # Mail protection settings
+  # - public: no protection, only use this if you know what you are doing.
+  # - autoban: automatically ban offender IPs, ala fail2ban (default).
+  # - private: authentication is only allowed from trusted networks.
+  protection:
+    type: autoban
+
   #############################################################################
   # Autoban is a lighter alternative to fail2ban, using nftables
   autoban:
-    active: true        #
     rate: 10/minute     # above this rate, connections are rejected
     period: 1d          # period for banning IPs
 

config/defaults/version-medium.yml

@@ -149,10 +149,17 @@ mail_default:
   sieve:
     debug: false
 
+  #############################################################################
+  # Mail protection settings
+  # - public: no protection, only use this if you know what you are doing.
+  # - autoban: automatically ban offender IPs, ala fail2ban (default).
+  # - private: authentication is only allowed from trusted networks.
+  protection:
+    type: autoban
+
   #############################################################################
   # Autoban is a lighter alternative to fail2ban, using nftables
   autoban:
-    active: true        #
     rate: 10/minute     # above this rate, connections are rejected
     period: 1d          # period for banning IPs
 

config/defaults/version-mini.yml

@@ -139,10 +139,17 @@ mail_default:
   sieve:
     debug: false
 
+  #############################################################################
+  # Mail protection settings
+  # - public: no protection, only use this if you know what you are doing.
+  # - autoban: automatically ban offender IPs, ala fail2ban (default).
+  # - private: authentication is only allowed from trusted networks.
+  protection:
+    type: autoban
+
   #############################################################################
   # Autoban is a lighter alternative to fail2ban, using nftables
   autoban:
-    active: true        #
     rate: 10/minute     # above this rate, connections are rejected
     period: 1d          # period for banning IPs
 

config/defaults/version-small.yml

@@ -148,10 +148,17 @@ mail_default:
   sieve:
     debug: false
 
+  #############################################################################
+  # Mail protection settings
+  # - public: no protection, only use this if you know what you are doing.
+  # - autoban: automatically ban offender IPs, ala fail2ban (default).
+  # - private: authentication is only allowed from trusted networks.
+  protection:
+    type: autoban
+
   #############################################################################
   # Autoban is a lighter alternative to fail2ban, using nftables
   autoban:
-    active: true        #
     rate: 10/minute     # above this rate, connections are rejected
     period: 1d          # period for banning IPs
 

config/samples/hosts.yml

@@ -7,6 +7,6 @@ all:
   hosts:
     homebox:
       ansible_host: homebox.example.home
-      ansible_user: root
+      ansible_user: hbinstall
       ansible_port: 22
       ansible_become: true

config/samples/minimal.yml

@@ -3,8 +3,8 @@
 ###############################################################################
 # Domain and hostname information
 network:
-  domain:        # your domain name
-  hostname:      # your hostname
+  domain:        # your domain name, e.g. arda.world
+  hostname:      # your hostname, middle-earth
   external_ip:   # first external IP address, IPv4 or IPv6
   backup_ip:     # if you have one, second external IP address, IPv4 or IPv6, otherwise, use ~
   bind_ip:       # If you are behind a NAT, the local IP address externally NAT'ed,

config/samples/system-minimal.yml

@@ -17,7 +17,7 @@ cases:
 In our case, we'll create a temporary user, called for instance `hbinstall`, for HomeBox install, and give them a random
 password:
 
-```txt
+```plain
 root@debian:~# adduser hbinstall
 Adding user `hbinstall' ...
 Adding new group `hbinstall' (1000) ...
@@ -41,7 +41,7 @@ Adding user `hbinstall' to group `users' ...
 
 Now, let's install _sudo_,...
 
-```txt
+```plain
 root@debian:~# apt install sudo
 Reading package lists... Done
 Building dependency tree... Done
@@ -64,7 +64,7 @@ Processing triggers for libc-bin (2.36-9+deb12u3) ...
 
 ..., and add the new user to the sudo and root groups:
 
-```txt
+```plain
 root@debian:~# adduser hbinstall sudo
 Adding user `hbinstall' to group `sudo' ...
 Done.

docs/10-prepare-your-target.md

@@ -10,7 +10,7 @@ here the creation of your private key.
 
 ### Copy your public key
 
-```txt
+```plain
 andre@hamilton> ssh-copy-id [email protected]
 /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
 /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
@@ -26,7 +26,7 @@ and check to make sure that only the key(s) you wanted were added.
 
 Now, the connection should be automatic, i.e. without entering a password:
 
-```txt
+```plain
 andre@hamilton> ssh [email protected]
 Linux debian 6.1.0-17-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.69-1 (2023-12-30) x86_64
 
@@ -46,15 +46,15 @@ This is optional, but it will be more convenient to add ssh settings to connect
 name and an IP address. So, on the workstation, in your ssh configuration file `~/.ssh/config`, you can add the
 following block, for instance:
 
-```txt
+```plain
 Host homebox
     User hbinstall
 	HostName 192.168.33.95
 ```
 
 Yo can now establish the connection with _homebox_ more easily:
 
-```txt
+```plain
 ssh homebox
 […]
 Linux debian 6.1.0-17-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.69-1 (2023-12-30) x86_64
@@ -78,7 +78,7 @@ sudo apt install ansible
 
 ## Clone the repository
 
-```txt
+```plain
 git clone [email protected]:progmaticltd/homebox.git
 Cloning into 'homebox'...
 remote: Enumerating objects: 26137, done.