Merge "[doc] Document deployment host security hardening"

deploy-guide/source/run-playbooks.rst

@@ -132,3 +132,10 @@ Run the playbooks to install OpenStack
 
    Confirm satisfactory completion with zero items unreachable or
    failed.
+
+.. note::
+
+   You can also consider applying a hardening role for the deployment host
+   to improve security. For more details, see the
+   `Apply ansible-hardening <https://docs.openstack.org/openstack-ansible/latest/user/security/hardening.html>`_.
+

doc/source/user/security/hardening.rst

@@ -27,3 +27,38 @@ For more information about the security configurations, see the
 `security hardening role`_ documentation.
 
 .. _security hardening role: https://docs.openstack.org/ansible-hardening/latest/
+
+Deployment Host Hardening
+-------------------------
+
+You can extend security hardening to the deployment host by defining the
+``security_host_group`` variable in your ``openstack_user_variables`` file.
+Include ``localhost`` along with your other hosts, like this:
+
+.. code-block:: yaml
+
+   security_host_group: localhost, hosts
+
+Then apply the hardening with:
+
+.. code-block:: shell-session
+
+   openstack-ansible openstack.osa.security_hardening
+
+Or alternatively, you can also supply this variable as extra variable
+during runtime, for example:
+
+.. code-block:: shell-session
+
+   openstack-ansible openstack.osa.security_hardening -e security_host_group=localhost
+
+.. warning::
+
+   After applying security hardening, root login via password will be
+   disabled. Make sure you configure SSH key authentication or set up
+   a non-root user with sudo privileges before applying the changes,
+   otherwise you may lose access to the host.
+
+Including the deployment host can be useful to reduce its attack surface
+and ensure that the host running OpenStack-Ansible follows the same security
+best practices as your other nodes.