authorMilo Casagrande <milo.casagrande@linaro.org>2014-12-22 18:08:08 +0100
committerMilo Casagrande <milo.casagrande@linaro.org>2014-12-22 18:08:08 +0100
commitbb5a4fe080fccf47e33a2bd0313fef247b417c6b (patch)
tree185680a58a3768227196b3397f284366440ba9e8
parent666b3df652737bc5f5e2866ebdf9d6ef28418620 (diff)
ansible: Fix sysctl configuration.
Change-Id: Ic203c93995dcdfbb4d2c1278b346a0766b39f8a3
-rw-r--r--ansible/roles/common/files/sysctl.conf49
-rw-r--r--ansible/roles/common/handlers/main.yml1
-rw-r--r--ansible/roles/common/handlers/sysctl.yml3
-rw-r--r--ansible/roles/common/tasks/main.yml2
-rw-r--r--ansible/roles/common/tasks/sysctl.yml (renamed from ansible/roles/common/tasks/net-sysctl.yml)4
5 files changed, 57 insertions, 2 deletions
diff --git a/ansible/roles/common/files/sysctl.conf b/ansible/roles/common/files/sysctl.conf
index c9ee851..cb3d35a 100644
--- a/ansible/roles/common/files/sysctl.conf
+++ b/ansible/roles/common/files/sysctl.conf
@@ -26,3 +26,52 @@ net.ipv4.conf.all.rp_filter = 1
# See http://lwn.net/Articles/277146/
# Note: This may impact IPv6 TCP sessions too
net.ipv4.tcp_syncookies = 1
+
+# Don't log Martian Packets (impossible addresses)
+net.ipv4.conf.all.log_martians = 0
+net.ipv4.conf.default.log_martians = 0
+
+# Ignore bogus ICMP errors
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+net.ipv4.icmp_echo_ignore_all = 0
+
+# Disable ICMP redirects. ICMP redirects are rarely used but can be used in
+# MITM (man-in-the-middle) attacks. Disabling ICMP may disrupt legitimate
+# traffic to those sites.
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.default.accept_redirects = 0
+net.ipv6.conf.all.accept_redirects = 0
+net.ipv6.conf.default.accept_redirects = 0
+
+# This is host and not router
+net.ipv6.conf.default.router_solicitations = 0
+
+# Accept Router Preference in RA?
+net.ipv6.conf.default.accept_ra_rtr_pref = 0
+
+# Learn Prefix Information in Router Advertisement
+net.ipv6.conf.default.accept_ra_pinfo = 0
+
+# Setting controls whether the system will accept Hop Limit settings from
+# a router advertisement
+net.ipv6.conf.default.accept_ra_defrtr = 0
+net.ipv6.conf.default.autoconf = 0
+
+#how many neighbor solicitations to send out per address?
+net.ipv6.conf.default.dad_transmits = 0
+
+# How many global unicast IPv6 addresses can be assigned to each interface?
+net.ipv6.conf.default.max_addresses = 2
+
+# Send redirects, if router, but this is just server
+net.ipv4.conf.all.send_redirects = 0
+net.ipv4.conf.default.send_redirects = 0
+
+# Enable ExecShield protection
+# This is not necessary in Ubuntu nor Debian, it is enabled by default.
+# kernel.exec-shield = 1
+kernel.randomize_va_space = 1
+
+# Allow more PIDs
+kernel.pid_max = 65536
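Review bot: `kernel.randomize_va_space = 1` near the end of the hunk weakens ASLR rather than enabling it: on the kernels this role targets the default is almost certainly 2 (full randomization, including the brk/heap area), and 1 leaves the heap base predictable. The line should read `kernel.randomize_va_space = 2`. Separately, the IPv6 router-advertisement, autoconf, dad_transmits and max_addresses keys are set only under `net.ipv6.conf.default`, so interfaces that already exist when the file is loaded keep their previous values; the `accept_redirects` entries in the same hunk show the intended pattern of setting both `all` and `default`. `net.ipv4.conf.*.log_martians = 0` also discards a log signal that is useful for spotting spoofed or misrouted traffic, so it is worth confirming that turning it off is deliberate rather than copied from a template.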
diff --git a/ansible/roles/common/handlers/main.yml b/ansible/roles/common/handlers/main.yml
index 3021bd9..12fdf6d 100644
--- a/ansible/roles/common/handlers/main.yml
+++ b/ansible/roles/common/handlers/main.yml
@@ -2,3 +2,4 @@
- include: apache.yml
- include: nginx.yml
- include: uwsgi.yml
+- include: sysctl.yml
diff --git a/ansible/roles/common/handlers/sysctl.yml b/ansible/roles/common/handlers/sysctl.yml
new file mode 100644
index 0000000..c15073e
--- /dev/null
+++ b/ansible/roles/common/handlers/sysctl.yml
@@ -0,0 +1,3 @@
+---
+- name: reload-sysctl
+ command: /sbin/sysctl -p
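Review bot: `/sbin/sysctl -p` exits non-zero when any key in /etc/sysctl.conf is unknown on the target kernel, for example the `net.ipv6.*` entries on a host where IPv6 is disabled, which would make this handler fail the play after the new file has already been copied into place. Passing `-e` makes sysctl ignore unknown keys while still applying the rest: `command: /sbin/sysctl -e -p`. Ansible also provides a `sysctl` module with a `reload` option that could replace the raw command, though that is a larger change than this handler needs.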
diff --git a/ansible/roles/common/tasks/main.yml b/ansible/roles/common/tasks/main.yml
index 32cb2ca..1b98de8 100644
--- a/ansible/roles/common/tasks/main.yml
+++ b/ansible/roles/common/tasks/main.yml
@@ -1,2 +1,2 @@
---
-- include: net-sysctl.yml
+- include: sysctl.yml
diff --git a/ansible/roles/common/tasks/net-sysctl.yml b/ansible/roles/common/tasks/sysctl.yml
index 30b9262..3604f28 100644
--- a/ansible/roles/common/tasks/net-sysctl.yml
+++ b/ansible/roles/common/tasks/sysctl.yml
@@ -1,7 +1,9 @@
---
-- name: Tweak kernel network configuration for performance
+- name: Tweak kernel configuration for performance
copy: src=sysctl.conf
dest=/etc/sysctl.conf
owner=root
group=root
mode=0644
+ notify:
+ - reload-sysctl
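Review bot: The renamed task on the `+` line still says "for performance", but the file it installs (sysctl.conf in the first hunk of this commit) is almost entirely hardening: redirects, router advertisements, martians, ASLR. A name that matches the content makes play output easier to read, e.g. `- name: Install hardened kernel sysctl configuration`. It is also worth a comment above the task that `copy` overwrites the whole of /etc/sysctl.conf, so any distribution defaults or host-local settings already in that file are discarded on the first run; that appears intended but is not obvious from the task itself.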