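---
# Default variables for a Debian host-hardening baseline.
#
# The file had been collapsed onto a single line, so everything after the
# first "#" was parsed as one comment and no variable was defined. The line
# structure is restored here; every key and value is unchanged.
#
# NOTE(review): the tasks and templates that consume these variables are not
# visible from this file. The sshd_config / APT option names mentioned below
# are inferred from the variable names - confirm against the role.

# Update apt metadata only when stale (seconds)
debian_baseline_apt_cache_valid_time: 3600

# Core host hardening packages
# Only the package names are listed here; presumably each one is configured
# and enabled by a task elsewhere - verify that fail2ban and needrestart are
# not left at their packaged defaults unintentionally.
debian_baseline_packages:
  - unattended-upgrades
  - apt-listchanges
  - fail2ban
  - needrestart
  - sudo
  - ca-certificates

# SSH hardening controls
# The yes/no values are quoted so YAML keeps them as strings instead of
# converting them to booleans.
# Root login over SSH is disabled.
debian_baseline_ssh_permit_root_login: "no"
# Password logins are off and public-key logins are on. Authorized keys must
# already be in place for an admin account before this is applied, or the
# host becomes unreachable over SSH.
# NOTE(review): no variable here covers keyboard-interactive authentication;
# verify it is disabled elsewhere if password-style logins must be fully off.
debian_baseline_ssh_password_authentication: "no"
debian_baseline_ssh_pubkey_authentication: "yes"
debian_baseline_ssh_x11_forwarding: "no"
debian_baseline_ssh_max_auth_tries: 3
# Presumably ClientAliveInterval / ClientAliveCountMax: an unresponsive
# client would be dropped after about 300 s x 2 = 600 s. This detects dead
# connections; it is not an idle-session timeout for a responsive client.
debian_baseline_ssh_client_alive_interval: 300
debian_baseline_ssh_client_alive_count_max: 2
# Empty by default, i.e. no per-user allow-list is defined here.
# NOTE(review): confirm the template omits the AllowUsers directive when the
# list is empty instead of rendering an empty "AllowUsers" line.
debian_baseline_ssh_allow_users: []

# unattended-upgrades controls
debian_baseline_enable_unattended_upgrades: true
# Quoted strings, presumably written into the APT::Periodic settings
# (Unattended-Upgrade / Update-Package-Lists) - TODO confirm.
debian_baseline_unattended_auto_upgrade: "1"
debian_baseline_unattended_update_lists: "1"

# Kernel and network hardening sysctls
# Mapping of sysctl key -> value; values are quoted so they stay strings.
# NOTE(review): source routing (accept_source_route) and reverse-path
# filtering (rp_filter) are not set here; decide whether they belong in the
# baseline for the target environment.
debian_baseline_sysctl_settings:
  # Ignore ICMP redirects so a forged redirect cannot alter the host's routes.
  net.ipv4.conf.all.accept_redirects: "0"
  net.ipv4.conf.default.accept_redirects: "0"
  # Do not send ICMP redirects; a host that routes traffic for others may
  # need this reviewed.
  net.ipv4.conf.all.send_redirects: "0"
  net.ipv4.conf.default.send_redirects: "0"
  # Log packets with impossible source addresses (useful for detection, can
  # be noisy on busy links).
  net.ipv4.conf.all.log_martians: "1"
  net.ipv4.conf.default.log_martians: "1"
  # SYN cookies keep accepting connections when the SYN backlog is flooded.
  net.ipv4.tcp_syncookies: "1"
  # Same redirect policy for IPv6.
  net.ipv6.conf.all.accept_redirects: "0"
  net.ipv6.conf.default.accept_redirects: "0"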