From fd1d2383fde835d5c05eac1003155dceb3ccfbde Mon Sep 17 00:00:00 2001
From: Sebastian Rust
Date: Sun, 8 Feb 2026 09:23:20 +0100
Subject: [PATCH] feat(bundle): switching to different hardening role

---
 bootstrap.yml | 19 ++-----------------
 requirements.yml | 2 +-
 2 files changed, 3 insertions(+), 18 deletions(-)

diff --git a/bootstrap.yml b/bootstrap.yml
index a57987b..7d32e32 100644
--- a/bootstrap.yml
+++ b/bootstrap.yml
@@ -31,27 +31,12 @@
 user_name: "operator"
 user_pubkey: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIElTjmqtmr7xPTDjmWz7bN9vw7HXZds8Hxc99qBEGN/Y jack@turing"
 
- # SSH hardening defaults - secure by default
- ssh_permit_root_login: "no"
- ssh_server_password_login: false
- ssh_client_password_login: false
- ssh_allow_tcp_forwarding: "no"
- ssh_allow_agent_forwarding: false
- ssh_x11_forwarding: false
- ssh_permit_tunnel: "no"
- ssh_use_pam: true
- ssh_print_motd: false
- ssh_print_last_log: false
- ssh_max_auth_retries: 2
- ssh_client_alive_interval: 300
- ssh_client_alive_count: 3
-
 # Include sshd_config.d for distro-specific configs
 sshd_custom_options:
 - "Include /etc/ssh/sshd_config.d/*"
 
 # Restrict SSH to created user (set to empty string to allow all users)
- # ssh_allow_users: "{{ user_name }}"
+ ssh_allow_users: "{{ user_name }}"
 
 pre_tasks:
 - name: Update apt cache
@@ -71,7 +56,7 @@
 - role: users
 become: yes
- - role: dev-sec.ssh-hardening
+ - role: devsec.hardening.ssh_hardening
 become: yes
 post_tasks:
diff --git a/requirements.yml b/requirements.yml
index a54a9a9..58931a6 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -1,4 +1,4 @@
 ---
 roles:
- - name: dev-sec.ssh-hardening
+ - name: devsec.hardening.ssh_hardening
\ No newline at end of file
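Review bot: Dropping the explicit `ssh_*` hardening variables (from `ssh_permit_root_login: "no"` down to `ssh_client_alive_count: 3`) in the first bootstrap.yml hunk means the effective sshd policy is now whatever defaults `devsec.hardening.ssh_hardening` ships, and any later change to the role's defaults alters this host silently; since the new role appears to use the same variable names, I would keep the block together with its `# SSH hardening defaults - secure by default` comment, or state in the commit message that the role defaults were reviewed and accepted. Enabling `ssh_allow_users: "{{ user_name }}"` restricts logins to `operator`; if the play reaches the host as any other account (an image's default user, or root before the `users` role has run), the next connection is refused, so a comment such as `# Ansible must connect as {{ user_name }} once this is applied` above the line would save the next operator a lockout. The `vars:` mapping these keys belong to starts outside the hunk.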
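Review bot: `devsec.hardening.ssh_hardening` is a collection-qualified role name, yet the requirements.yml hunk still lists it under `roles:`, so `ansible-galaxy install -r requirements.yml` will, as far as I can tell, try to resolve it as a standalone Galaxy role and never install the `devsec.hardening` collection that the `- role: devsec.hardening.ssh_hardening` entry in bootstrap.yml depends on. The file should declare the collection instead, `collections:` / `  - name: devsec.hardening`, ideally with a `version:` pin so the bootstrap pulls the same hardening code on every run. The new line also drops the trailing newline (`\ No newline at end of file`); restoring it keeps the file yamllint-clean.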