Enhance Ansible playbooks and documentation for Debian and Proxmox management. Add new playbooks for Debian hardening, maintenance, SSH key rotation, and Proxmox cluster setup. Update README.md with quick start instructions for Debian and Proxmox operations. Modify group_vars to include Argo CD application settings, improving deployment flexibility and clarity.

ansible/roles/debian_baseline_hardening/defaults/main.yml

@@ -0,0 +1,39 @@
+---
+# Update apt metadata only when stale (seconds)
+debian_baseline_apt_cache_valid_time: 3600
+
+# Core host hardening packages
+debian_baseline_packages:
+  - unattended-upgrades
+  - apt-listchanges
+  - fail2ban
+  - needrestart
+  - sudo
+  - ca-certificates
+
+# SSH hardening controls
+debian_baseline_ssh_permit_root_login: "no"
+debian_baseline_ssh_password_authentication: "no"
+debian_baseline_ssh_pubkey_authentication: "yes"
+debian_baseline_ssh_x11_forwarding: "no"
+debian_baseline_ssh_max_auth_tries: 3
+debian_baseline_ssh_client_alive_interval: 300
+debian_baseline_ssh_client_alive_count_max: 2
+debian_baseline_ssh_allow_users: []
+
+# unattended-upgrades controls
+debian_baseline_enable_unattended_upgrades: true
+debian_baseline_unattended_auto_upgrade: "1"
+debian_baseline_unattended_update_lists: "1"
+
+# Kernel and network hardening sysctls
+debian_baseline_sysctl_settings:
+  net.ipv4.conf.all.accept_redirects: "0"
+  net.ipv4.conf.default.accept_redirects: "0"
+  net.ipv4.conf.all.send_redirects: "0"
+  net.ipv4.conf.default.send_redirects: "0"
+  net.ipv4.conf.all.log_martians: "1"
+  net.ipv4.conf.default.log_martians: "1"
+  net.ipv4.tcp_syncookies: "1"
+  net.ipv6.conf.all.accept_redirects: "0"
+  net.ipv6.conf.default.accept_redirects: "0"

ansible/roles/debian_baseline_hardening/handlers/main.yml

@@ -0,0 +1,12 @@
+---
+- name: Restart ssh
+  ansible.builtin.service:
+    name: ssh
+    state: restarted
+
+- name: Reload sysctl
+  ansible.builtin.command:
+    argv:
+      - sysctl
+      - --system
+  changed_when: true

ansible/roles/debian_baseline_hardening/tasks/main.yml

@@ -0,0 +1,52 @@
+---
+- name: Refresh apt cache
+  ansible.builtin.apt:
+    update_cache: true
+    cache_valid_time: "{{ debian_baseline_apt_cache_valid_time }}"
+
+- name: Install baseline hardening packages
+  ansible.builtin.apt:
+    name: "{{ debian_baseline_packages }}"
+    state: present
+
+- name: Configure unattended-upgrades auto settings
+  ansible.builtin.copy:
+    dest: /etc/apt/apt.conf.d/20auto-upgrades
+    mode: "0644"
+    content: |
+      APT::Periodic::Update-Package-Lists "{{ debian_baseline_unattended_update_lists }}";
+      APT::Periodic::Unattended-Upgrade "{{ debian_baseline_unattended_auto_upgrade }}";
+  when: debian_baseline_enable_unattended_upgrades | bool
+
+- name: Configure SSH hardening options
+  ansible.builtin.copy:
+    dest: /etc/ssh/sshd_config.d/99-hardening.conf
+    mode: "0644"
+    content: |
+      PermitRootLogin {{ debian_baseline_ssh_permit_root_login }}
+      PasswordAuthentication {{ debian_baseline_ssh_password_authentication }}
+      PubkeyAuthentication {{ debian_baseline_ssh_pubkey_authentication }}
+      X11Forwarding {{ debian_baseline_ssh_x11_forwarding }}
+      MaxAuthTries {{ debian_baseline_ssh_max_auth_tries }}
+      ClientAliveInterval {{ debian_baseline_ssh_client_alive_interval }}
+      ClientAliveCountMax {{ debian_baseline_ssh_client_alive_count_max }}
+      {% if debian_baseline_ssh_allow_users | length > 0 %}
+      AllowUsers {{ debian_baseline_ssh_allow_users | join(' ') }}
+      {% endif %}
+  notify: Restart ssh
+
+- name: Configure baseline sysctls
+  ansible.builtin.copy:
+    dest: /etc/sysctl.d/99-hardening.conf
+    mode: "0644"
+    content: |
+      {% for key, value in debian_baseline_sysctl_settings.items() %}
+      {{ key }} = {{ value }}
+      {% endfor %}
+  notify: Reload sysctl
+
+- name: Ensure fail2ban service is enabled
+  ansible.builtin.service:
+    name: fail2ban
+    enabled: true
+    state: started