Search Results
29 total results found
Architecture & Design Decisions
Purpose of this Page This page captures the rationale behind every non-obvious design choice in the ssh-baseline role. Each entry follows the pattern: What we did → Why → Trade-off accepted. Where possible, comments inside the role itself reference these dec...
Deployment Runbook — New Host
When to Use This Runbook Follow this runbook when adding a new Ubuntu host to the SSH baseline. The procedure assumes: The host runs Ubuntu 22.04 or 24.04 LTS (the role's supported versions) The host has a real hostname (not ubuntu or localhost) The host ca...
Configuration Reference
Variable Source Hierarchy Variables resolve in standard Ansible precedence order. The role uses three layers: Role defaults — roles/ssh-baseline/defaults/main.yml (lowest precedence; the safe baseline) Group vars — inventory/group_vars/all/main.yml (organis...
AD Integration & SSSD
Overview The role integrates Ubuntu hosts with Active Directory via SSSD using realm join. Once joined, AD users authenticate via Kerberos (with their AD password), are authorised via AD group membership, and have their SSH public keys retrieved from the sshP...
Duo MFA Integration
Scope Duo MFA is enforced in two places: SSH login (v2.3+) — via PAM keyboard-interactive after publickey auth sudo (v2.4+) — via PAM at the auth phase, with AD password as the post-Duo factor The role uses Duo Security's official duo-unix package, not Ub...
SSH Hardening Reference
What This Page Covers This page walks through every directive in roles/ssh-baseline/templates/sshd_hardening.conf.j2 and explains how it lands on the target host. The deployed file is /etc/ssh/sshd_config.d/10-pbr-hardening.conf. The hardening is aligned wit...
Playbook Reference (Preflight, Verify, Teardown)
Playbooks Overview The repository contains four playbooks under playbooks/:
Playbook | Purpose | Changes target?
preflight.yml | Verify readiness; no changes | No
ssh-baseline.yml | Run preflight then apply the baseline role | Yes
verify.yml | Post-deployment validation | No
te...
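The hardening reference above describes the role dropping its directives into /etc/ssh/sshd_config.d/10-pbr-hardening.conf, and verify.yml is listed as the post-deployment validation step. The check a practitioner wants after such a deployment is on the configuration sshd actually resolves, not on the file contents: sshd uses the first value it reads for each keyword, and Ubuntu's stock sshd_config begins with "Include /etc/ssh/sshd_config.d/*.conf", so a lexically earlier drop-in (or a directive in an earlier drop-in) silently wins over the 10- file. The script below is an added example and is not code from the ssh-baseline role or its verify.yml; it compares "sshd -T" output against an expected keyword/value list. The keywords and values in EXPECTED are assumed examples chosen for illustration, not the role's actual directive list.

```shell
#!/usr/bin/env bash
# Added example (not part of the ssh-baseline role): compare the EFFECTIVE
# sshd configuration ("sshd -T" output, one lowercase keyword per line)
# against a list of expected values. Checking the drop-in file alone is not
# enough, because sshd keeps the first value it reads for each keyword and
# the Include at the top of /etc/ssh/sshd_config pulls in every
# sshd_config.d/*.conf in lexical order before the main file's own settings.

# Expected keyword/value pairs. ASSUMED examples for this demonstration,
# not the directive list of roles/ssh-baseline/templates/sshd_hardening.conf.j2.
EXPECTED="
permitrootlogin no
passwordauthentication no
kbdinteractiveauthentication yes
usepam yes
x11forwarding no
"

# check_effective_config: read "sshd -T" style output from stdin and compare
# it with EXPECTED. Prints one line per problem; returns 1 if any keyword is
# missing or has a different effective value, 0 if everything matches.
check_effective_config() {
    local rc=0 key want got dump
    dump=$(cat)
    while read -r key want; do
        [ -z "$key" ] && continue
        # "sshd -T" prints keywords lowercased; take the first match only,
        # which is also the value sshd itself honours.
        got=$(printf '%s\n' "$dump" | awk -v k="$key" '$1 == k { print $2; exit }')
        if [ -z "$got" ]; then
            printf 'MISSING  %s (expected %s)\n' "$key" "$want"
            rc=1
        elif [ "$got" != "$want" ]; then
            printf 'MISMATCH %s: effective=%s expected=%s\n' "$key" "$got" "$want"
            rc=1
        fi
    done <<EOF
$EXPECTED
EOF
    return $rc
}

# Constructed sample of "sshd -T" output for offline use. Password
# authentication is still enabled here, which is what you see when an
# earlier-sorting drop-in or the main sshd_config set it before the 10- file.
SAMPLE_DUMP='port 22
permitrootlogin no
passwordauthentication yes
kbdinteractiveauthentication yes
usepam yes
x11forwarding no'

# demo_check: run the comparison against the constructed sample.
# Returns 1 (and prints the mismatch) because of passwordauthentication.
demo_check() {
    printf '%s\n' "$SAMPLE_DUMP" | check_effective_config
}

# Live usage on a baseline host (root is needed so sshd can read host keys):
#   sudo sshd -T | check_effective_config
```

If the check reports a mismatch for a keyword the drop-in does set, list the drop-ins in order (ls /etc/ssh/sshd_config.d/) and look for the same keyword in a file that sorts before 10-pbr-hardening.conf or in a Match block; sshd -T with -C can be used to evaluate Match blocks for a specific user and address.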
Known Limitations, Troubleshooting & Version History
Known Limitations & Accepted Risks LXC auditd compliance gap Affected hosts: pbr-graylog-kl1, pbr-thingsboard-kl1 Issue: auditd cannot run inside LXC containers. The kernel audit netlink interface is isolated from container namespaces. Forcing auditd to sta...
Capacity Overview & Quick Reference
Key Concepts: Manifests and Legs In CustomLinc, a manifest represents the overall service (e.g. the 11:00 Bel-Lak-Gem / 15:05 Gem-Lak-Bel service). It appears as a green highlighted row in the Manifests view. Within each manifest, individual legs represent eac...
Adjusting the Train Capacity (Manifest)
Overview Use this procedure to change the capacity for general and single-journey passengers. This affects the four main legs: Belgrave–Lakeside, Lakeside–Gembrook, Gembrook–Lakeside, and Lakeside–Belgrave. Do not manually edit these individual legs — changin...
Adjusting the Belgrave–Gembrook Return Allocation
Overview Use this procedure to change the capacity for the Belgrave – Gembrook Allocation (Return) product — the full return journey product, typically set to 56 seats. This procedure includes an extra step: you must also update the Allocation Group to match t...