Includes: API (Express/TypeScript), Astro site, Python workers, document generators, FCC compliance tools, Canada CRTC formation, Ansible infrastructure, and deployment scripts. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
# {{ ansible_managed }}
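# Hardened SSH configuration for Performance West
# Rendered by Ansible: check the result with `sshd -t -f <rendered file>` before reloading sshd, so a bad variable value cannot take remote access down.
# Ciphers, MACs and KexAlgorithms are not set in this file, so the installed OpenSSH defaults apply.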
# Port sshd listens on, rendered from the ssh_port variable. Firewall rules and
# the connection port used by Ansible itself must change together with it.
Port {{ ssh_port }}
# IPv4 only: sshd opens no IPv6 listener.
AddressFamily inet
# Binds on every IPv4 interface, so reachability is limited only by the firewall.
# NOTE(review): if the host has a dedicated management address, bind to that instead.
ListenAddress 0.0.0.0
# Authentication
# root cannot log in over SSH by any method; administration goes through an
# unprivileged account plus privilege escalation.
PermitRootLogin no
# Public-key authentication is the only login method this file leaves enabled.
PubkeyAuthentication yes
# No password logins, which takes online password guessing off the table.
PasswordAuthentication no
# Deprecated alias of KbdInteractiveAuthentication since OpenSSH 8.7. Harmless
# on newer versions, and it keeps the method disabled on older ones.
ChallengeResponseAuthentication no
# Keep this at "no" while UsePAM is "yes": keyboard-interactive is the route by
# which PAM could still prompt for a password even with PasswordAuthentication off.
KbdInteractiveAuthentication no
# PAM account and session modules (account expiry, limits, and so on) still run
# for key-based logins. PAM authentication itself is only reachable through
# password or keyboard-interactive logins, which this file disables.
UsePAM yes
# Only allow the deploy user
# Allow-list: every account other than deploy_user is refused, whatever keys it
# holds. That user's authorized_keys must already be in place when this file is
# applied, otherwise the host is no longer reachable over SSH.
AllowUsers {{ deploy_user }}
# Disable unused auth methods
# GSSAPI-based (typically Kerberos-backed) logins are off.
GSSAPIAuthentication no
# Passwords are never validated against a Kerberos KDC.
KerberosAuthentication no
# No logins that rest on trusting the client host's key rather than the user's.
HostbasedAuthentication no
# Defence in depth: this only takes effect if password authentication is ever
# switched back on.
PermitEmptyPasswords no
# Session settings
# At most 3 authentication attempts per connection. Every key a client offers
# counts as one attempt, so clients with many keys loaded should pin the right
# one (IdentityFile / IdentitiesOnly) to avoid being cut off.
MaxAuthTries 3
# At most 5 sessions (shell, exec, subsystem such as sftp) per network connection.
MaxSessions 5
# A connection that has not authenticated within 30 seconds is dropped.
LoginGraceTime 30
# After 300 seconds without data from the client, sshd sends a keepalive probe
# through the encrypted channel.
ClientAliveInterval 300
# Disconnect after 2 unanswered probes, i.e. roughly 600 seconds for a dead peer.
# This is not an idle timeout: an idle but live client answers the probes and
# stays connected.
ClientAliveCountMax 2
# Disable forwarding (not needed for this server)
# No local, remote or dynamic port forwarding through sshd. On its own this does
# not confine a user who has a shell, since they can run their own forwarder.
AllowTcpForwarding no
# No X11 forwarding.
X11Forwarding no
# ssh-agent forwarding is refused, so a client's agent is never exposed on this host.
AllowAgentForwarding no
# Logging
# sshd messages are logged under the AUTH syslog facility.
SyslogFacility AUTH
# VERBOSE records the fingerprint of the key used for each login, so an audit
# can tie a session to a specific key.
LogLevel VERBOSE
# Misc
# sshd itself does not print /etc/motd. With UsePAM enabled, a PAM motd module
# may still print one. Check the host's PAM configuration if that matters.
PrintMotd no
# Only locale variables are accepted from the client environment.
AcceptEnv LANG LC_*
# Use internal sftp
# SFTP is served in-process by sshd instead of by the external sftp-server helper.
Subsystem sftp internal-sftp