Why “hardening” is not a role
I see many developers writing an Ansible role for hardening. Although these roles can absolutely be useful, here is why I think there is a better way.
Roles are (not always, but frequently) product centric. Think of role names like:
A role for hardening your system has the potential to cover all kinds of topics that are covered in the product-specific roles.
Besides that, in my opinion a role should be:
- Cover one function
A good indicator of a role that’s too big is having multiple task files in
So my suggestion is to not use a harden role, but rather have each role that you compose a system out of use secure defaults.
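As an added illustration (not code from the original post), here is what a product-centric role with secure defaults could look like. The role name `sshd`, its variable names, the service name and the `site.yml` playbook are assumptions made for this example.

```yaml
---
# roles/sshd/defaults/main.yml (hypothetical role)
# The secure value is the default; a consumer has to override it
# explicitly in inventory or play vars to get anything weaker.
sshd_permit_root_login: "no"
sshd_password_authentication: "no"
sshd_x11_forwarding: "no"

---
# roles/sshd/tasks/main.yml
# A single task file: the role covers one function, configuring sshd.
- name: Apply sshd settings from role variables
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^#?\s*{{ item.key }}\s'
    line: "{{ item.key }} {{ item.value }}"
    # Refuse to write a config that sshd itself would reject.
    validate: /usr/sbin/sshd -t -f %s
  loop:
    - { key: PermitRootLogin, value: "{{ sshd_permit_root_login }}" }
    - { key: PasswordAuthentication, value: "{{ sshd_password_authentication }}" }
    - { key: X11Forwarding, value: "{{ sshd_x11_forwarding }}" }
  notify: Restart sshd

---
# roles/sshd/handlers/main.yml
- name: Restart sshd
  ansible.builtin.service:
    name: sshd  # assumption: the unit is called "sshd" on the target distribution
    state: restarted

---
# site.yml (hypothetical playbook)
# The system is composed of product roles only. There is no separate
# "harden" role, because each role already ships its secure settings.
- hosts: all
  become: true
  roles:
    - sshd
```

Any exception to a secure default then shows up as an explicit variable override in inventory, which is easy to find in review.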