ansible.cfg

@@ -1,6 +1,5 @@
 [defaults]
 nocows = true
-interpreter_python = auto_silent
 inventory = inventory.yml
 remote_user = root
 

roles/alpine/tasks/main.yml

@@ -26,12 +26,6 @@
   hostname:
     name: '{{ dns_name }}'
 
-- name: Set up resolv.conf
-  template:
-    dest: /etc/resolv.conf
-    src: resolv.conf.j2
-    mode: 0644
-
 - name: Configure hosts
   template:
     dest: /etc/hosts

roles/proxmox-backup/tasks/main.yml

@@ -58,6 +58,18 @@
     mode: 0644
   notify: reload interfaces
 
+- name: Disable SSH password authentication
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: '^#?{{ item.key }}'
+    line: '{{ item.key }} {{ item.value }}'
+  loop:
+    - key: PasswordAuthentication
+      value: 'no'
+    - key: PermitRootLogin
+      value: 'prohibit-password'
+  notify: reload sshd
+
 - name: Run SSH instance in management VRF
   when: interfaces | selectattr('vrf') | selectattr('vrf.name', '==', 'mgmt')
   block:

roles/proxmox-backup/templates/nftables.conf.j2

@@ -19,10 +19,6 @@ table inet filter {
             packet-too-big, parameter-problem, time-exceeded,
         } accept comment "accept some ICMPv6"
 
-        iif mgmt0 ip6 hoplimit 255 ip6 nexthdr icmpv6 icmpv6 type {
-            nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert
-        } accept comment "accept IPv6 neighbor discovery"
-
         # BGP / BFD sessions
         iif lan0 ip6 saddr fe80::/64 accept
         iif lan1 ip6 saddr fe80::/64 accept

templates/resolv.conf.j2

@@ -1,4 +1,4 @@
 search {{ domain }}
-{% for server in dns6 %}
+{% for server in dns %}
 nameserver {{ server }}
 {% endfor %}