aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorB Stack <bgstack15@gmail.com>2016-09-23 10:27:15 -0400
committerB Stack <bgstack15@gmail.com>2016-09-23 10:27:15 -0400
commit5e8a7ac51e486044c8d14694e5f51173dd63f628 (patch)
tree586bba6cab996f95a39f6a4620e457cf5924d770
parentInitial file upload (diff)
downloadansible01-5e8a7ac51e486044c8d14694e5f51173dd63f628.tar.gz
ansible01-5e8a7ac51e486044c8d14694e5f51173dd63f628.tar.bz2
ansible01-5e8a7ac51e486044c8d14694e5f51173dd63f628.zip
Initial file upload
-rw-r--r--LICENSE24
-rw-r--r--ansible.cfg346
-rw-r--r--company.example/ad-templates/krb5.conf.CentOS35
-rw-r--r--company.example/ad-templates/krb5.conf.FreeBSD37
-rw-r--r--company.example/ad-templates/krb5.conf.Ubuntu35
-rw-r--r--company.example/ad-templates/sssd.conf.CentOS42
-rw-r--r--company.example/ad-templates/sssd.conf.FreeBSD41
-rw-r--r--company.example/ad-templates/sssd.conf.Ubuntu42
-rw-r--r--company.example/ad-vars/FreeBSD.yml4
-rw-r--r--company.example/ad-vars/default.yml3
-rw-r--r--company.example/fail2ban-files/filter.d/20_example-blns.filter32
-rw-r--r--company.example/fail2ban-files/filter.d/30_example-max3.filter13
-rw-r--r--company.example/fail2ban-files/filter.d/60_sshd.filter31
-rw-r--r--company.example/fail2ban-files/jail.d/00_default.jail10
-rw-r--r--company.example/fail2ban-files/jail.d/20_example-blns.jail21
-rw-r--r--company.example/fail2ban-files/jail.d/30_example-max3.jail21
-rw-r--r--company.example/fail2ban-files/jail.d/60_sshd.jail16
-rw-r--r--company.example/pubkeys/alice.pubkeys3
-rw-r--r--company.example/pubkeys/lcroce.pubkey1
-rw-r--r--company.example/resolv_conf-templates/resolv.conf8
-rw-r--r--hosts.example30
-rw-r--r--master.yml.example18
-rw-r--r--roles/ad/handlers/main.yml3
-rw-r--r--roles/ad/main.yml9
-rw-r--r--roles/ad/tasks/main.yml39
l---------roles/ad/templates1
l---------roles/ad/vars1
-rw-r--r--roles/fail2ban/defaults/main.yml3
l---------roles/fail2ban/files1
-rw-r--r--roles/fail2ban/handlers/main.yml3
-rw-r--r--roles/fail2ban/main.yml6
-rw-r--r--roles/fail2ban/tasks/main.yml20
-rw-r--r--roles/resolv_conf/main.yml6
-rw-r--r--roles/resolv_conf/tasks/main.yml16
l---------roles/resolv_conf/templates1
-rw-r--r--roles/resolv_conf/vars/FreeBSD.yml2
-rw-r--r--roles/resolv_conf/vars/default.yml3
-rw-r--r--roles/ssh/handlers/main.yml3
-rw-r--r--roles/ssh/main.yml9
-rw-r--r--roles/ssh/tasks/main.yml36
-rw-r--r--roles/ssh/templates/ssh_config66
-rw-r--r--roles/ssh/templates/ssh_config.FreeBSD53
-rw-r--r--roles/ssh/templates/ssh_config.Ubuntu56
-rw-r--r--roles/ssh/templates/sshd_config153
-rw-r--r--roles/ssh/templates/sshd_config.FreeBSD136
-rw-r--r--roles/ssh/templates/sshd_config.Ubuntu88
-rw-r--r--roles/ssh/vars/FreeBSD.yml2
-rw-r--r--roles/ssh/vars/Ubuntu.yml2
-rw-r--r--roles/ssh/vars/default.yml5
-rw-r--r--roles/ssh_keys/main.yml8
-rw-r--r--roles/ssh_keys/tasks/main.yml63
-rw-r--r--roles/ssh_keys/tasks/main.yml.2016-09-22.0126
-rw-r--r--roles/ssh_keys/tasks/main.yml.2016-09-22.0228
-rw-r--r--roles/ssh_keys/tasks/main.yml.2016-09-22.0340
-rw-r--r--roles/ssh_keys/tasks/main.yml.2016-09-22.0461
-rw-r--r--roles/ssh_keys/tasks/main.yml.2016-09-22.0561
-rw-r--r--roles/ssh_keys/tests/test.yml13
-rw-r--r--roles/ssh_keys/vars/AIX.yml2
-rw-r--r--roles/ssh_keys/vars/default.yml2
59 files changed, 1840 insertions, 0 deletions
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..cf1ab25
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,24 @@
+This is free and unencumbered software released into the public domain.
+
+Anyone is free to copy, modify, publish, use, compile, sell, or
+distribute this software, either in source code form or as a compiled
+binary, for any purpose, commercial or non-commercial, and by any
+means.
+
+In jurisdictions that recognize copyright laws, the author or authors
+of this software dedicate any and all copyright interest in the
+software to the public domain. We make this dedication for the benefit
+of the public at large and to the detriment of our heirs and
+successors. We intend this dedication to be an overt act of
+relinquishment in perpetuity of all present and future rights to this
+software under copyright law.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
+
+For more information, please refer to <http://unlicense.org>
diff --git a/ansible.cfg b/ansible.cfg
new file mode 100644
index 0000000..22e5582
--- /dev/null
+++ b/ansible.cfg
@@ -0,0 +1,346 @@
+# config file for ansible -- http://ansible.com/
+# ==============================================
+
+# nearly all parameters can be overridden in ansible-playbook
+# or with command line flags. ansible will read ANSIBLE_CONFIG,
+# ansible.cfg in the current working directory, .ansible.cfg in
+# the home directory or /etc/ansible/ansible.cfg, whichever it
+# finds first
+
+[defaults]
+
+# some basic default values...
+
+#inventory = /etc/ansible/hosts
+#library = /usr/share/my_modules/
+#remote_tmp = $HOME/.ansible/tmp
+#local_tmp = $HOME/.ansible/tmp
+#forks = 5
+#poll_interval = 15
+#sudo_user = root
+#ask_sudo_pass = True
+#ask_pass = True
+#transport = smart
+#remote_port = 22
+#module_lang = C
+#module_set_locale = True
+
+# plays will gather facts by default, which contain information about
+# the remote system.
+#
+# smart - gather by default, but don't regather if already gathered
+# implicit - gather by default, turn off with gather_facts: False
+# explicit - do not gather by default, must say gather_facts: True
+#gathering = implicit
+
+# by default retrieve all facts subsets
+# all - gather all subsets
+# network - gather min and network facts
+# hardware - gather hardware facts (longest facts to retrieve)
+# virtual - gather min and virtual facts
+# facter - import facts from facter
+# ohai - import facts from ohai
+# You can combine them using comma (ex: network,virtual)
+# You can negate them using ! (ex: !hardware,!facter,!ohai)
+# A minimal set of facts is always gathered.
+#gather_subset = all
+
+# additional paths to search for roles in, colon separated
+#roles_path = /etc/ansible/roles
+
+# uncomment this to disable SSH key host checking
+#host_key_checking = False
+
+# change the default callback
+#stdout_callback = skippy
+# enable additional callbacks
+#callback_whitelist = timer, mail
+
+# Determine whether includes in tasks and handlers are "static" by
+# default. As of 2.0, includes are dynamic by default. Setting these
+# values to True will make includes behave more like they did in the
+# 1.x versions.
+#task_includes_static = True
+#handler_includes_static = True
+
+# change this for alternative sudo implementations
+#sudo_exe = sudo
+
+# What flags to pass to sudo
+# WARNING: leaving out the defaults might create unexpected behaviours
+#sudo_flags = -H -S -n
+
+# SSH timeout
+#timeout = 10
+
+# default user to use for playbooks if user is not specified
+# (/usr/bin/ansible will use current user as default)
+#remote_user = root
+
+# logging is off by default unless this path is defined
+# if so defined, consider logrotate
+#log_path = /var/log/ansible.log
+
+# default module name for /usr/bin/ansible
+#module_name = command
+
+# use this shell for commands executed under sudo
+# you may need to change this to bin/bash in rare instances
+# if sudo is constrained
+#executable = /bin/sh
+
+# if inventory variables overlap, does the higher precedence one win
+# or are hash values merged together? The default is 'replace' but
+# this can also be set to 'merge'.
+#hash_behaviour = replace
+
+# by default, variables from roles will be visible in the global variable
+# scope. To prevent this, the following option can be enabled, and only
+# tasks and handlers within the role will see the variables there
+#private_role_vars = yes
+
+# list any Jinja2 extensions to enable here:
+#jinja2_extensions = jinja2.ext.do,jinja2.ext.i18n
+
+# if set, always use this private key file for authentication, same as
+# if passing --private-key to ansible or ansible-playbook
+#private_key_file = /path/to/file
+
+# If set, configures the path to the Vault password file as an alternative to
+# specifying --vault-password-file on the command line.
+#vault_password_file = /path/to/vault_password_file
+
+# format of string {{ ansible_managed }} available within Jinja2
+# templates indicates to users editing templates files will be replaced.
+# replacing {file}, {host} and {uid} and strftime codes with proper values.
+#ansible_managed = Ansible managed: {file} modified on %Y-%m-%d %H:%M:%S by {uid} on {host}
+# This short version is better used in templates as it won't flag the file as changed every run.
+#ansible_managed = Ansible managed: {file} on {host}
+
+# by default, ansible-playbook will display "Skipping [host]" if it determines a task
+# should not be run on a host. Set this to "False" if you don't want to see these "Skipping"
+# messages. NOTE: the task header will still be shown regardless of whether or not the
+# task is skipped.
+#display_skipped_hosts = True
+
+# by default, if a task in a playbook does not include a name: field then
+# ansible-playbook will construct a header that includes the task's action but
+# not the task's args. This is a security feature because ansible cannot know
+# if the *module* considers an argument to be no_log at the time that the
+# header is printed. If your environment doesn't have a problem securing
+# stdout from ansible-playbook (or you have manually specified no_log in your
+# playbook on all of the tasks where you have secret information) then you can
+# safely set this to True to get more informative messages.
+#display_args_to_stdout = False
+
+# by default (as of 1.3), Ansible will raise errors when attempting to dereference
+# Jinja2 variables that are not set in templates or action lines. Uncomment this line
+# to revert the behavior to pre-1.3.
+#error_on_undefined_vars = False
+
+# by default (as of 1.6), Ansible may display warnings based on the configuration of the
+# system running ansible itself. This may include warnings about 3rd party packages or
+# other conditions that should be resolved if possible.
+# to disable these warnings, set the following value to False:
+#system_warnings = True
+
+# by default (as of 1.4), Ansible may display deprecation warnings for language
+# features that should no longer be used and will be removed in future versions.
+# to disable these warnings, set the following value to False:
+#deprecation_warnings = True
+
+# (as of 1.8), Ansible can optionally warn when usage of the shell and
+# command module appear to be simplified by using a default Ansible module
+# instead. These warnings can be silenced by adjusting the following
+# setting or adding warn=yes or warn=no to the end of the command line
+# parameter string. This will for example suggest using the git module
+# instead of shelling out to the git command.
+# command_warnings = False
+
+
+# set plugin path directories here, separate with colons
+#action_plugins = /usr/share/ansible/plugins/action
+#callback_plugins = /usr/share/ansible/plugins/callback
+#connection_plugins = /usr/share/ansible/plugins/connection
+#lookup_plugins = /usr/share/ansible/plugins/lookup
+#vars_plugins = /usr/share/ansible/plugins/vars
+#filter_plugins = /usr/share/ansible/plugins/filter
+#test_plugins = /usr/share/ansible/plugins/test
+#strategy_plugins = /usr/share/ansible/plugins/strategy
+
+# by default callbacks are not loaded for /bin/ansible, enable this if you
+# want, for example, a notification or logging callback to also apply to
+# /bin/ansible runs
+#bin_ansible_callbacks = False
+
+
+# don't like cows? that's unfortunate.
+# set to 1 if you don't want cowsay support or export ANSIBLE_NOCOWS=1
+#nocows = 1
+
+# set which cowsay stencil you'd like to use by default. When set to 'random',
+# a random stencil will be selected for each task. The selection will be filtered
+# against the `cow_whitelist` option below.
+#cow_selection = default
+#cow_selection = random
+
+# when using the 'random' option for cowsay, stencils will be restricted to this list.
+# it should be formatted as a comma-separated list with no spaces between names.
+# NOTE: line continuations here are for formatting purposes only, as the INI parser
+# in python does not support them.
+#cow_whitelist=bud-frogs,bunny,cheese,daemon,default,dragon,elephant-in-snake,elephant,eyes,\
+# hellokitty,kitty,luke-koala,meow,milk,moofasa,moose,ren,sheep,small,stegosaurus,\
+# stimpy,supermilker,three-eyes,turkey,turtle,tux,udder,vader-koala,vader,www
+
+# don't like colors either?
+# set to 1 if you don't want colors, or export ANSIBLE_NOCOLOR=1
+#nocolor = 1
+
+# if set to a persistent type (not 'memory', for example 'redis') fact values
+# from previous runs in Ansible will be stored. This may be useful when
+# wanting to use, for example, IP information from one group of servers
+# without having to talk to them in the same playbook run to get their
+# current IP information.
+#fact_caching = memory
+
+
+# retry files
+# When a playbook fails by default a .retry file will be created in ~/
+# You can disable this feature by setting retry_files_enabled to False
+# and you can change the location of the files by setting retry_files_save_path
+
+#retry_files_enabled = False
+#retry_files_save_path = ~/.ansible-retry
+
+# squash actions
+# Ansible can optimise actions that call modules with list parameters
+# when looping. Instead of calling the module once per with_ item, the
+# module is called once with all items at once. Currently this only works
+# under limited circumstances, and only with parameters named 'name'.
+#squash_actions = apk,apt,dnf,package,pacman,pkgng,yum,zypper
+
+# prevents logging of task data, off by default
+#no_log = False
+
+# prevents logging of tasks, but only on the targets, data is still logged on the master/controller
+#no_target_syslog = False
+
+# controls whether Ansible will raise an error or warning if a task has no
+# choice but to create world readable temporary files to execute a module on
+# the remote machine. This option is False by default for security. Users may
+# turn this on to have behaviour more like Ansible prior to 2.1.x. See
+# https://docs.ansible.com/ansible/become.html#becoming-an-unprivileged-user
+# for more secure ways to fix this than enabling this option.
+#allow_world_readable_tmpfiles = False
+
+# controls the compression level of variables sent to
+# worker processes. At the default of 0, no compression
+# is used. This value must be an integer from 0 to 9.
+#var_compression_level = 9
+
+# controls what compression method is used for new-style ansible modules when
+# they are sent to the remote system. The compression types depend on having
+# support compiled into both the controller's python and the client's python.
+# The names should match with the python Zipfile compression types:
+# * ZIP_STORED (no compression. available everywhere)
+# * ZIP_DEFLATED (uses zlib, the default)
+# These values may be set per host via the ansible_module_compression inventory
+# variable
+#module_compression = 'ZIP_DEFLATED'
+
+# This controls the cutoff point (in bytes) on --diff for files
+# set to 0 for unlimited (RAM may suffer!).
+#max_diff_size = 1048576
+
+[privilege_escalation]
+#become=True
+#become_method=sudo
+#become_user=root
+#become_ask_pass=False
+
+[paramiko_connection]
+
+# uncomment this line to cause the paramiko connection plugin to not record new host
+# keys encountered. Increases performance on new host additions. Setting works independently of the
+# host key checking setting above.
+#record_host_keys=False
+
+# by default, Ansible requests a pseudo-terminal for commands executed under sudo. Uncomment this
+# line to disable this behaviour.
+#pty=False
+
+[ssh_connection]
+
+# ssh arguments to use
+# Leaving off ControlPersist will result in poor performance, so use
+# paramiko on older platforms rather than removing it
+#ssh_args = -o ControlMaster=auto -o ControlPersist=60s
+
+# The path to use for the ControlPath sockets. This defaults to
+# "%(directory)s/ansible-ssh-%%h-%%p-%%r", however on some systems with
+# very long hostnames or very long path names (caused by long user names or
+# deeply nested home directories) this can exceed the character limit on
+# file socket names (108 characters for most platforms). In that case, you
+# may wish to shorten the string below.
+#
+# Example:
+# control_path = %(directory)s/%%h-%%r
+#control_path = %(directory)s/ansible-ssh-%%h-%%p-%%r
+
+# Enabling pipelining reduces the number of SSH operations required to
+# execute a module on the remote server. This can result in a significant
+# performance improvement when enabled, however when using "sudo:" you must
+# first disable 'requiretty' in /etc/sudoers
+#
+# By default, this option is disabled to preserve compatibility with
+# sudoers configurations that have requiretty (the default on many distros).
+#
+#pipelining = False
+
+# if True, make ansible use scp if the connection type is ssh
+# (default is sftp)
+#scp_if_ssh = True
+
+# if False, sftp will not use batch mode to transfer files. This may cause some
+# types of file transfer failures impossible to catch however, and should
+# only be disabled if your sftp version has problems with batch mode
+#sftp_batch_mode = False
+
+[accelerate]
+#accelerate_port = 5099
+#accelerate_timeout = 30
+#accelerate_connect_timeout = 5.0
+
+# The daemon timeout is measured in minutes. This time is measured
+# from the last activity to the accelerate daemon.
+#accelerate_daemon_timeout = 30
+
+# If set to yes, accelerate_multi_key will allow multiple
+# private keys to be uploaded to it, though each user must
+# have access to the system via SSH to add a new key. The default
+# is "no".
+#accelerate_multi_key = yes
+
+[selinux]
+# file systems that require special treatment when dealing with security context
+# the default behaviour that copies the existing context or uses the user default
+# needs to be changed to use the file system dependent context.
+#special_context_filesystems=nfs,vboxsf,fuse,ramfs
+
+# Set this to yes to allow libvirt_lxc connections to work without SELinux.
+#libvirt_lxc_noseclabel = yes
+
+[colors]
+#highlight = white
+#verbose = blue
+#warn = bright purple
+#error = red
+#debug = dark gray
+#deprecate = purple
+#skip = cyan
+#unreachable = red
+#ok = green
+#changed = yellow
+#diff_add = green
+#diff_remove = red
+#diff_lines = cyan
diff --git a/company.example/ad-templates/krb5.conf.CentOS b/company.example/ad-templates/krb5.conf.CentOS
new file mode 100644
index 0000000..74570ae
--- /dev/null
+++ b/company.example/ad-templates/krb5.conf.CentOS
@@ -0,0 +1,35 @@
+# Ansible controlled filename: /etc/krb5.conf
+# Source: ansible bgstack15-ad/templates/krb5.conf.CentOS
+# Date: 2016-03-04
+# Reference: Building the Centos 7 Template.docx
+# NOTE: This file is managed via Ansible: manual changes will be lost
+
+[logging]
+ default = FILE:/var/log/krb5libs.log
+ kdc = FILE:/var/log/krb5kdc.log
+ admin_server = FILE:/var/log/kadmind.log
+
+[libdefaults]
+ dns_lookup_realm = false
+ ticket_lifetime = 24h
+ renew_lifetime = 7d
+ forwardable = true
+ rdns = false
+ default_ccache_name = KEYRING:persistent:%{uid}
+
+ default_realm = EXAMPLE.COM
+[realms]
+ EXAMPLE.COM = {
+ kdc = dc1.example.com
+ kdc = dc2.example.com
+ kdc = dc3.example.com
+ kdc = dc4.example.com
+ admin_server = dc1.example.com
+ admin_server = dc2.example.com
+ admin_server = dc3.example.com
+ admin_server = dc4.example.com
+ }
+
+[domain_realm]
+example.com = EXAMPLE.COM
+ .example.com = EXAMPLE.COM
diff --git a/company.example/ad-templates/krb5.conf.FreeBSD b/company.example/ad-templates/krb5.conf.FreeBSD
new file mode 100644
index 0000000..e6b8a3a
--- /dev/null
+++ b/company.example/ad-templates/krb5.conf.FreeBSD
@@ -0,0 +1,37 @@
+# Ansible controlled filename: /etc/krb5.conf
+# Source: ansible bgstack15-ad/templates/krb5.conf.FreeBSD
+# Date: 2016-03-04
+# Reference: Building the Centos 7 Template.docx
+# NOTE: This file is managed via Ansible: manual changes will be lost
+
+[logging]
+ default = FILE:/var/log/krb5libs.log
+ kdc = FILE:/var/log/krb5kdc.log
+ admin_server = FILE:/var/log/kadmind.log
+
+[libdefaults]
+ dns_lookup_realm = false
+ ticket_lifetime = 24h
+ renew_lifetime = 7d
+ forwardable = true
+ rdns = false
+ default_ccache_name = FILE:/tmp/krb5cc_%u
+ proxiable = true
+ ccache_type = 4
+
+ default_realm = EXAMPLE.COM
+[realms]
+ EXAMPLE.COM = {
+ kdc = dc1.example.com
+ kdc = dc2.example.com
+ kdc = dc3.example.com
+ kdc = dc4.example.com
+ admin_server = dc1.example.com
+ admin_server = dc2.example.com
+ admin_server = dc3.example.com
+ admin_server = dc4.example.com
+ }
+
+[domain_realm]
+example.com = EXAMPLE.COM
+ .example.com = EXAMPLE.COM
diff --git a/company.example/ad-templates/krb5.conf.Ubuntu b/company.example/ad-templates/krb5.conf.Ubuntu
new file mode 100644
index 0000000..6a4c23b
--- /dev/null
+++ b/company.example/ad-templates/krb5.conf.Ubuntu
@@ -0,0 +1,35 @@
+# Ansible controlled filename: /etc/krb5.conf
+# Source: ansible bgstack15-ad/templates/krb5.conf.Ubuntu
+# Date: 2016-03-04
+# Reference: Building the Centos 7 Template.docx
+# NOTE: This file is managed via Ansible: manual changes will be lost
+
+[logging]
+ default = FILE:/var/log/krb5libs.log
+ kdc = FILE:/var/log/krb5kdc.log
+ admin_server = FILE:/var/log/kadmind.log
+
+[libdefaults]
+ dns_lookup_realm = false
+ ticket_lifetime = 24h
+ renew_lifetime = 7d
+ forwardable = true
+ rdns = false
+ default_ccache_name = KEYRING:persistent:%{uid}
+
+ default_realm = EXAMPLE.COM
+[realms]
+ EXAMPLE.COM = {
+ kdc = dc1.example.com
+ kdc = dc2.example.com
+ kdc = dc3.example.com
+ kdc = dc4.example.com
+ admin_server = dc1.example.com
+ admin_server = dc2.example.com
+ admin_server = dc3.example.com
+ admin_server = dc4.example.com
+ }
+
+[domain_realm]
+example.com = EXAMPLE.COM
+ .example.com = EXAMPLE.COM
diff --git a/company.example/ad-templates/sssd.conf.CentOS b/company.example/ad-templates/sssd.conf.CentOS
new file mode 100644
index 0000000..8678bd2
--- /dev/null
+++ b/company.example/ad-templates/sssd.conf.CentOS
@@ -0,0 +1,42 @@
+# Ansible-controlled filename: /etc/sssd/sssd.conf
+# Source: ansible sssd.conf.CentOS
+# Date: 2016-03-04
+# Reference: Building the Centos 7 Template.docx
+# NOTE: This file is managed via Ansible: manual changes will be lost
+
+[domain/default]
+autofs_provider = ldap
+cache_credentials = True
+krb5_realm = EXAMPLE.COM
+ldap_search_base = dc=example,dc=edu
+krb5_server = dc1.example.com,dc2.example.com,dc3.example.com,dc4.example.com
+id_provider = ldap
+auth_provider = krb5
+chpass_provider = krb5
+krb5_store_password_if_offline = True
+ldap_uri = ldap://example.com
+krb5_kpasswd = dc1.example.com,dc2.example.com,dc3.example.com,dc4.example.com
+ldap_tls_cacertdir = /etc/openldap/cacerts
+
+[sssd]
+domains = default, example.com
+config_file_version = 2
+services = nss, pam, autofs
+
+[domain/example.com]
+ad_domain = example.com
+krb5_realm = EXAMPLE.COM
+realmd_tags = manages-system joined-with-samba
+cache_credentials = True
+id_provider = ad
+krb5_store_password_if_offline = True
+default_shell = /bin/bash
+ldap_id_mapping = False
+use_fully_qualified_names = False
+fallback_homedir = /home/%d/%u
+access_provider = ad
+ad_access_filter = (&(memberOf=CN=Linux-Server-Access_grp,OU=Linux-Access,OU=Accounts-Groups,DC=example,DC=edu)(unixHomeDirectory=*))
+simple_allow_users = Alice, alice, Bob, bob
+case_sensitive = true
+ad_gpo_access_control = disabled
+[autofs]
diff --git a/company.example/ad-templates/sssd.conf.FreeBSD b/company.example/ad-templates/sssd.conf.FreeBSD
new file mode 100644
index 0000000..4b6a816
--- /dev/null
+++ b/company.example/ad-templates/sssd.conf.FreeBSD
@@ -0,0 +1,41 @@
+# Ansible-controlled filename: /etc/sssd/sssd.conf
+# Source: ansible sssd.conf.FreeBSD
+# Date: 2016-03-04
+# Reference: Building the Centos 7 Template.docx
+# NOTE: This file is managed via Ansible: manual changes will be lost
+
+[domain/default]
+autofs_provider = ldap
+cache_credentials = True
+krb5_realm = EXAMPLE.COM
+ldap_search_base = dc=example,dc=edu
+krb5_server = dc1.example.com,dc2.example.com,dc3.example.com,dc4.example.com
+id_provider = ldap
+auth_provider = krb5
+chpass_provider = krb5
+krb5_store_password_if_offline = True
+ldap_uri = ldap://example.com
+krb5_kpasswd = dc1.example.com,dc2.example.com,dc3.example.com,dc4.example.com
+ldap_tls_cacertdir = /etc/openldap/cacerts
+
+[sssd]
+domains = default, example.com
+config_file_version = 2
+services = nss, pam
+
+[domain/example.com]
+ad_domain = example.com
+krb5_realm = EXAMPLE.COM
+realmd_tags = manages-system joined-with-samba
+cache_credentials = True
+id_provider = ad
+krb5_store_password_if_offline = True
+default_shell = /bin/bash
+ldap_id_mapping = False
+use_fully_qualified_names = False
+fallback_homedir = /home/%d/%u
+access_provider = ad
+ad_access_filter = (&(memberOf=CN=Linux-Server-Access_grp,OU=Linux-Access,OU=Accounts-Groups,DC=example,DC=edu)(unixHomeDirectory=*))
+simple_allow_users = Alice, alice, Bob, bob
+case_sensitive = true
+ad_gpo_access_control = disabled
diff --git a/company.example/ad-templates/sssd.conf.Ubuntu b/company.example/ad-templates/sssd.conf.Ubuntu
new file mode 100644
index 0000000..a37f7b5
--- /dev/null
+++ b/company.example/ad-templates/sssd.conf.Ubuntu
@@ -0,0 +1,42 @@
+# Ansible-controlled filename: /etc/sssd/sssd.conf
+# Source: ansible sssd.conf.Ubuntu
+# Date: 2016-03-04
+# Reference: Building the Centos 7 Template.docx
+# NOTE: This file is managed via Ansible: manual changes will be lost
+
+[domain/default]
+autofs_provider = ldap
+cache_credentials = True
+krb5_realm = EXAMPLE.COM
+ldap_search_base = dc=example,dc=edu
+krb5_server = dc1.example.com,dc2.example.com,dc3.example.com,dc4.example.com
+id_provider = ldap
+auth_provider = krb5
+chpass_provider = krb5
+krb5_store_password_if_offline = True
+ldap_uri = ldap://example.com
+krb5_kpasswd = dc1.example.com,dc2.example.com,dc3.example.com,dc4.example.com
+ldap_tls_cacertdir = /etc/openldap/cacerts
+
+[sssd]
+domains = default, example.com
+config_file_version = 2
+services = nss, pam, autofs
+
+[domain/example.com]
+ad_domain = example.com
+krb5_realm = EXAMPLE.COM
+realmd_tags = manages-system joined-with-samba
+cache_credentials = True
+id_provider = ad
+krb5_store_password_if_offline = True
+default_shell = /bin/bash
+ldap_id_mapping = False
+use_fully_qualified_names = False
+fallback_homedir = /home/%d/%u
+access_provider = ad
+ad_access_filter = (&(memberOf=CN=Linux-Server-Access_grp,OU=Linux-Access,OU=Accounts-Groups,DC=example,DC=edu)(unixHomeDirectory=*))
+simple_allow_users = Alice, alice, Bob, bob
+case_sensitive = true
+ad_gpo_access_control = disabled
+[autofs]
diff --git a/company.example/ad-vars/FreeBSD.yml b/company.example/ad-vars/FreeBSD.yml
new file mode 100644
index 0000000..7ff821f
--- /dev/null
+++ b/company.example/ad-vars/FreeBSD.yml
@@ -0,0 +1,4 @@
+---
+sssd_dir: /usr/local/etc/sssd
+ad_access_filter: (&(memberOf=CN=Linux-Server-Access_grp,OU=Linux-Access,OU=Accounts-Groups,DC=example,DC=edu)(unixHomeDirectory=*))
+simple_allow_users: Alice, alice, alice-local
diff --git a/company.example/ad-vars/default.yml b/company.example/ad-vars/default.yml
new file mode 100644
index 0000000..cb65db8
--- /dev/null
+++ b/company.example/ad-vars/default.yml
@@ -0,0 +1,3 @@
+---
+sssd_dir: /etc/sssd
+krb5_conf_dir: /etc
diff --git a/company.example/fail2ban-files/filter.d/20_example-blns.filter b/company.example/fail2ban-files/filter.d/20_example-blns.filter
new file mode 100644
index 0000000..c39cefa
--- /dev/null
+++ b/company.example/fail2ban-files/filter.d/20_example-blns.filter
@@ -0,0 +1,32 @@
+# Ansible controlled filename: /etc/fail2ban/filter.d/20_example-blns.filter
+# Source: ansible bgstack15-fail2ban/files/example-blns.filter
+# Date: 2016-04-19
+# Reference:
+# NOTE: This file is managed via Ansible: manual changes will be lost
+
+[Definition]
+failregex = ^.*<HOST>.*(GET|POST).*/etc/passwd.*$
+ ^.*<HOST>.*(GET|POST).*/etc/group.*$
+ ^.*<HOST>.*(GET|POST).*/etc/hosts.*$
+ ^.*<HOST>.*(GET|POST).*/proc/self/environ.*$
+ ^.*<HOST>.*(GET|POST).*(?i)admin.*admin.*$
+ ^.*<HOST>.*(GET|POST).*(?i)(php|db|pma|web|sql).*admin.*$
+ ^.*<HOST>.*(GET|POST).*(?i)admin.*(php|db|pma|web|sql).*$
+ ^.*<HOST>.*(GET|POST).*(?i)DELETE_comment.*$
+ ^.*<HOST>.*(GET|POST).*(?i)pma/scripts.*setup.*$
+ ^.*<HOST>.*(GET|POST).*(?i)pma([0-9]{4})?/? HTTP.*$
+ ^.*<HOST>.*(GET|POST).*(?i)(database|myadmin|mysql)/? HTTP.*$
+ ^.*<HOST>.*(GET|POST).*(?i)(dbweb|webdb|websql|sqlweb).*$
+ ^.*<HOST>.*(GET|POST).*(?i)(my)?sql.*manager.*$
+ ^.*<HOST>.*(GET|POST).*(?i)wp-(admin|login|signup|config).*$
+ ^.*<HOST>.*(GET|POST).*president/.*wp-cron\.php*$
+ ^.*<HOST>.*(GET|POST).*w00t.*blackhats.*$
+ ^.*<HOST>.*(GET|POST).*\+\+liker.profile_URL\+\+.*$
+ ^.*<HOST>.*(GET|POST).*muieblackcat.*$
+ ^.*<HOST>.*(GET|POST).*(?i)ldlogon.*$
+ ^.*<HOST>.*(GET|POST).*(?i)\.cobalt$
+ ^.*<HOST>.*(GET|POST).*(?i)\.intruvert\/jsp\/admin\/Login\.jsp$
+ ^.*<HOST>.*(GET|POST).*(?i)MSWSMTP\/Common\/Authentication\/Logon\.aspx$
+ ^.*<HOST>.*(GET|POST).*(?i)php\?password=[0-9]*\&re_password=.*\&login=var.*$
+
+ignoreregex =
diff --git a/company.example/fail2ban-files/filter.d/30_example-max3.filter b/company.example/fail2ban-files/filter.d/30_example-max3.filter
new file mode 100644
index 0000000..af692af
--- /dev/null
+++ b/company.example/fail2ban-files/filter.d/30_example-max3.filter
@@ -0,0 +1,13 @@
+# Ansible controlled filename: /etc/fail2ban/filter.d/30_example-max3.filter
+# Source: ansible bgstack15-fail2ban/files/example-max3.filter
+# Date: 2016-07-12
+# Reference: example-blns.filter
+# NOTE: This file is managed via Ansible: manual changes will be lost
+
+[Definition]
+failregex = ^.*<HOST>.*(GET|POST).*(?i)\.cobalt$
+ ^.*<HOST>.*(GET|POST).*(?i)\.intruvert\/jsp\/admin\/Login\.jsp$
+ ^.*<HOST>.*(GET|POST).*(?i)MSWSMTP\/Common\/Authentication\/Logon\.aspx$
+ ^.*<HOST>.*(GET|POST).*(?i)php\?password=[0-9]*\&re_password=.*\&login=var.*$
+
+ignoreregex =
diff --git a/company.example/fail2ban-files/filter.d/60_sshd.filter b/company.example/fail2ban-files/filter.d/60_sshd.filter
new file mode 100644
index 0000000..33b8ba8
--- /dev/null
+++ b/company.example/fail2ban-files/filter.d/60_sshd.filter
@@ -0,0 +1,31 @@
+# Ansible-controlled filename: /etc/fail2ban/filter.d/60_sshd.filter
+# Source: ansible bgstack15-fail2ban/files/sshd.filter
+# Date: 2016-06-23
+# Reference: Ubuntu 16.04 fail2ban package sshd filter
+# NOTE: This file is managed via Ansible: manual changes will be lost
+
+[INCLUDES]
+before = common.conf
+
+[Definition]
+_daemon = sshd
+failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$
+ ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
+ ^%(__prefix_line)sFailed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?\S+ %(__md5hex)s(, client user ".*", client host ".*")?))?\s*$
+ ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
+ ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
+ ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers\s*$
+ ^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in DenyUsers\s*$
+ ^%(__prefix_line)sUser .+ from <HOST> not allowed because not in any group\s*$
+ ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
+ ^%(__prefix_line)sReceived disconnect from <HOST>: 3: \S+: Auth fail$
+ ^%(__prefix_line)sUser .+ from <HOST> not allowed because a group is listed in DenyGroups\s*$
+ ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
+ ^(?P<__prefix>%(__prefix_line)s)User .+ not allowed because account is locked<SKIPLINES>(?P=__prefix)(?:error: )?Received disconnect from <HOST>: 11: .+ \[preauth\]$
+ ^(?P<__prefix>%(__prefix_line)s)Disconnecting: Too many authentication failures for .+? \[preauth\]<SKIPLINES>(?P=__prefix)(?:error: )?Connection closed by <HOST> \[preauth\]$
+ ^(?P<__prefix>%(__prefix_line)s)Connection from <HOST> port \d+(?: on \S+ port \d+)?<SKIPLINES>(?P=__prefix)Disconnecting: Too many authentication failures for .+? \[preauth\]$
+ ^%(__prefix_line)spam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=\S*\s*rhost=<HOST>\s.*$
+ignoreregex =
+[Init]
+maxlines = 10
+journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd
diff --git a/company.example/fail2ban-files/jail.d/00_default.jail b/company.example/fail2ban-files/jail.d/00_default.jail
new file mode 100644
index 0000000..71cd3e8
--- /dev/null
+++ b/company.example/fail2ban-files/jail.d/00_default.jail
@@ -0,0 +1,10 @@
+# Ansible controlled filename: /etc/fail2ban/jail.d/00_default.filter
+# Source: ansible bgstack15-fail2ban/files/00_default.conf
+# Date: 2016-06-23
+# Reference:
+# NOTE: This file is managed via Ansible: manual changes will be lost
+
+[DEFAULT]
+ignoreip = 127.0.0.1/8 203.0.0.0/16 10.0.0.0/8 192.168.0.0/16 204.13.201.0/24 64.37.231.0/24
+# TrustKeeper Vulnerability Scan IPs = 204.13.201.0/24 64.37.231.0/24
+
diff --git a/company.example/fail2ban-files/jail.d/20_example-blns.jail b/company.example/fail2ban-files/jail.d/20_example-blns.jail
new file mode 100644
index 0000000..eb1d1c9
--- /dev/null
+++ b/company.example/fail2ban-files/jail.d/20_example-blns.jail
@@ -0,0 +1,21 @@
+# Ansible controlled filename: /etc/fail2ban/jail.d/20_example-blns.jail
+# Source: ansible bgstack15-fail2ban/files/example-blns.jail
+# Date: 2016-04-19
+# Reference:
+# NOTE: This file is managed via Ansible: manual changes will be lost
+
+[example-blns]
+enabled = true
+action = iptables-allports
+ sendmail[name=exampleblns, dest=linuxadmin@example.com]
+filter = 20_example-blns
+logpath = /var/log/httpd/access_log
+ /var/log/httpd/error_log
+ /var/log/httpd/ssl_access_log
+ /var/log/httpd/ssl_error_log
+ /var/log/apache2/access_log
+ /var/log/apache2/error_log
+ /var/log/apache2/ssl_access_log
+ /var/log/apache2/ssl_error_log
+maxretry = 1
+bantime = 86400
diff --git a/company.example/fail2ban-files/jail.d/30_example-max3.jail b/company.example/fail2ban-files/jail.d/30_example-max3.jail
new file mode 100644
index 0000000..6ca7781
--- /dev/null
+++ b/company.example/fail2ban-files/jail.d/30_example-max3.jail
@@ -0,0 +1,21 @@
+# Ansible controlled filename: /etc/fail2ban/jail.d/30_example-max3.jail
+# Source: ansible bgstack15-fail2ban/files/example-max3.jail
+# Date: 2016-07-12
+# Reference: example-blns.jail
+# NOTE: This file is managed via Ansible: manual changes will be lost
+
+[example-max3]
+enabled = true
+action = iptables-allports
+ sendmail[name=examplemax3, dest=linuxadmin@example.com]
+filter = 30_example-max3
+logpath = /var/log/httpd/access_log
+ /var/log/httpd/error_log
+ /var/log/httpd/ssl_access_log
+ /var/log/httpd/ssl_error_log
+ /var/log/apache2/access_log
+ /var/log/apache2/error_log
+ /var/log/apache2/ssl_access_log
+ /var/log/apache2/ssl_error_log
+maxretry = 3
+bantime = 86400
diff --git a/company.example/fail2ban-files/jail.d/60_sshd.jail b/company.example/fail2ban-files/jail.d/60_sshd.jail
new file mode 100644
index 0000000..aeb2751
--- /dev/null
+++ b/company.example/fail2ban-files/jail.d/60_sshd.jail
@@ -0,0 +1,16 @@
+# Ansible controlled filename: /etc/fail2ban/jail.d/60_sshd.jail
+# Source: ansible bgstack15-fail2ban/files/sshd.jail
+# Date: 2016-06-23
+# Reference: Ubuntu 16.04 fail2ban package sshd jail
+# NOTE: This file is managed via Ansible: manual changes will be lost
+
+[ssh-iptables]
+
+enabled = true
+filter = sshd
+action = iptables[name=SSH, port=ssh, protocol=tcp]
+ sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com]
+logpath = %(sshd_log)s
+maxretry = 5
+
+ignoreip = 203.0.193.232/24
diff --git a/company.example/pubkeys/alice.pubkeys b/company.example/pubkeys/alice.pubkeys
new file mode 100644
index 0000000..6d807a6
--- /dev/null
+++ b/company.example/pubkeys/alice.pubkeys
@@ -0,0 +1,3 @@
+# version 3.0
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDG8xc7BV1xCcKrzQvQwDhAAX6uDne5lSpgCURg4Vx8Au8fsaiFSVlCky+OOQAJipgucG0QBPiL60sNNsY03sKIAh7TMKsoUZuQ5sJM6EpyKGEYaOKFXjaShDFMtdvwGIANh/e86qpVGRkje+p8fvNxbHOXsQpYF+HpAv8u/HbaQQYtdkWaeR6nIO8LXWOapgO7t5pMdRQJa67+4Yyc7IQQM66WMXX5Ik3nGMMHog2PgrpTtaEdKOV2TzSynLBlp3UmOkLa4D0euvMsTwjTmqeORfCMVyVeYwHhZoz4V99L1aYCeI1jDwhD5GEf/DKOhMNVsw7OhqTSfVz3sYGbq0or alice@aluminum.example.com
+ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAgURLzjIKMmN0Aq8YZTQp1N/6GMEuEs8WeOx2eg/lEXEFTxIQMMKYXxPDgzp2QLCQuuzgKOXBKw7KtnxtqTkmlAUWMDExSd7U1q/vZnDIubUFzZKbORJHWUOrI4Os/r9GPmnFro8kMCYjvmkUWIO82+JQHFBunICJcGKPJutcbSU= rsa-key-20130722
diff --git a/company.example/pubkeys/lcroce.pubkey b/company.example/pubkeys/lcroce.pubkey
new file mode 100644
index 0000000..fc39667
--- /dev/null
+++ b/company.example/pubkeys/lcroce.pubkey
@@ -0,0 +1 @@
+FOO 2016-09-22 08:49 this is the contents of bob.pubkey
diff --git a/company.example/resolv_conf-templates/resolv.conf b/company.example/resolv_conf-templates/resolv.conf
new file mode 100644
index 0000000..7a647b0
--- /dev/null
+++ b/company.example/resolv_conf-templates/resolv.conf
@@ -0,0 +1,8 @@
+# File managed by ansible
+
+search example.com
+nameserver 10.1.16.1
+nameserver 10.2.16.1
+nameserver 10.1.16.2
+nameserver 10.2.16.2
+options timeout:3 rotate
diff --git a/hosts.example b/hosts.example
new file mode 100644
index 0000000..d48fb17
--- /dev/null
+++ b/hosts.example
@@ -0,0 +1,30 @@
+# file: /etc/ansible/hosts
+
+one.example.com
+two.example.com
+three.example.com
+four.example.com
+five.example.com
+six.example.com
+
+[centos]
+one.example.com
+two.example.com
+three.example.com
+
+[ubuntu]
+four.example.com
+
+[freebsd:vars]
+ansible_python_interpreter=/usr/local/bin/python2.7
+
+[freebsd]
+five.example.com
+six.example.com
+
+[webservers]
+one.example.com
+
+[test]
+one.example.com
+six.example.com
diff --git a/master.yml.example b/master.yml.example
new file mode 100644
index 0000000..1ed4fda
--- /dev/null
+++ b/master.yml.example
@@ -0,0 +1,18 @@
+---
+- name: All hosts
+ hosts: all
+ remote_user: root
+ roles:
+ - ad
+ - resolv_conf
+ - ssh
+ - ssh_keys
+ vars:
+ ssh_key_files:
+ - { user: 'alice', file: '../../../company/pubkeys/alice.pubkeys' }
+
+- name: Webservers
+ hosts: webservers
+ remote_user: root
+ roles:
+ - fail2ban
diff --git a/roles/ad/handlers/main.yml b/roles/ad/handlers/main.yml
new file mode 100644
index 0000000..db92053
--- /dev/null
+++ b/roles/ad/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+- name: sssd restart
+ service: name=sssd state=restarted
diff --git a/roles/ad/main.yml b/roles/ad/main.yml
new file mode 100644
index 0000000..af79d33
--- /dev/null
+++ b/roles/ad/main.yml
@@ -0,0 +1,9 @@
+---
+- hosts: all
+ vars_files:
+ - vars/default.yml
+ - hosts/default.yml
+ tasks:
+ - include: tasks/main.yml
+ handlers:
+ - handlers/main.yml
diff --git a/roles/ad/tasks/main.yml b/roles/ad/tasks/main.yml
new file mode 100644
index 0000000..a8275e5
--- /dev/null
+++ b/roles/ad/tasks/main.yml
@@ -0,0 +1,39 @@
+---
+- name: ad get vars
+ include_vars: default.yml
+
+- name: ad get OS vars
+ include_vars: '{{ item }}'
+ with_first_found:
+ - '{{ ansible_distribution }}.yml'
+ - default.yml
+
+- name: ad get host-specific vars
+ include_vars: '{{ item }}'
+ with_first_found:
+ - files:
+ - '../hosts/{{ ansible_fqdn }}.yml'
+ skip: true
+
+- name: sssd conf
+ template: src="sssd.conf.{{ ansible_distribution }}" dest="{{ sssd_dir }}/sssd.conf"
+ notify:
+ - sssd restart
+
+- name: sssd ad_access_filter
+ lineinfile: dest="{{ sssd_dir }}/sssd.conf" regexp="^ad_access_filter = .*$" line="ad_access_filter = {{ ad_access_filter }}"
+ when: ad_access_filter is defined
+ notify:
+ - sssd restart
+
+- name: sssd simple_allow_users
+ lineinfile: dest="{{ sssd_dir }}/sssd.conf" regexp="^simple_allow_users = .*$" line="simple_allow_users = {{ simple_allow_users }}"
+ when: simple_allow_users is defined
+ notify:
+ - sssd restart
+
+- name: sssd start
+ service: name=sssd state=started
+
+- name: kerberos conf
+ template: src="krb5.conf.{{ ansible_distribution }}" dest="{{ krb5_conf_dir }}/krb5.conf"
diff --git a/roles/ad/templates b/roles/ad/templates
new file mode 120000
index 0000000..714ffa6
--- /dev/null
+++ b/roles/ad/templates
@@ -0,0 +1 @@
+../../company/ad-templates \ No newline at end of file
diff --git a/roles/ad/vars b/roles/ad/vars
new file mode 120000
index 0000000..b461d44
--- /dev/null
+++ b/roles/ad/vars
@@ -0,0 +1 @@
+../../company/ad-vars \ No newline at end of file
diff --git a/roles/fail2ban/defaults/main.yml b/roles/fail2ban/defaults/main.yml
new file mode 100644
index 0000000..c3a16b1
--- /dev/null
+++ b/roles/fail2ban/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+fail2ban_filterd_path: roles/fail2ban/files/filter.d/
+fail2ban_jaild_path: roles/fail2ban/files/jail.d/
diff --git a/roles/fail2ban/files b/roles/fail2ban/files
new file mode 120000
index 0000000..9e0759b
--- /dev/null
+++ b/roles/fail2ban/files
@@ -0,0 +1 @@
+../../company/fail2ban-files \ No newline at end of file
diff --git a/roles/fail2ban/handlers/main.yml b/roles/fail2ban/handlers/main.yml
new file mode 100644
index 0000000..420d8e8
--- /dev/null
+++ b/roles/fail2ban/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+- name: fail2ban restart
+ service: name=fail2ban state=restarted
diff --git a/roles/fail2ban/main.yml b/roles/fail2ban/main.yml
new file mode 100644
index 0000000..703571e
--- /dev/null
+++ b/roles/fail2ban/main.yml
@@ -0,0 +1,6 @@
+---
+- hosts: all
+ tasks:
+ - include: tasks/main.yml
+ handlers:
+ - handlers/main.yml
diff --git a/roles/fail2ban/tasks/main.yml b/roles/fail2ban/tasks/main.yml
new file mode 100644
index 0000000..d60e427
--- /dev/null
+++ b/roles/fail2ban/tasks/main.yml
@@ -0,0 +1,20 @@
+---
+- name: fail2ban copy filter
+ copy:
+ src: "{{ fail2ban_filterd_path }}"
+ dest: /etc/fail2ban/filter.d/
+ owner: root
+ group: root
+ mode: 0644
+ when: fail2ban_filterd_path is defined
+ notify: fail2ban restart
+
+- name: fail2ban copy jails
+ copy:
+ src: "{{ fail2ban_jaild_path }}"
+ dest: /etc/fail2ban/jail.d/
+ owner: root
+ group: root
+ mode: 0644
+ when: fail2ban_jaild_path is defined
+ notify: fail2ban restart
diff --git a/roles/resolv_conf/main.yml b/roles/resolv_conf/main.yml
new file mode 100644
index 0000000..430c387
--- /dev/null
+++ b/roles/resolv_conf/main.yml
@@ -0,0 +1,6 @@
+---
+- hosts: all
+ vars_files:
+ - vars/default.yml
+ tasks:
+ - include: tasks/main.yml
diff --git a/roles/resolv_conf/tasks/main.yml b/roles/resolv_conf/tasks/main.yml
new file mode 100644
index 0000000..563b9cc
--- /dev/null
+++ b/roles/resolv_conf/tasks/main.yml
@@ -0,0 +1,16 @@
+---
+- name: resolv_conf get vars
+ include_vars: default.yml
+
+- name: resolv_conf get OS vars
+ include_vars: '{{ item }}'
+ with_first_found:
+ - '{{ ansible_distribution }}.yml'
+ - default.yml
+
+- name: resolv_conf file
+ template: src='{{ item }}' dest='{{ resolv_file }}' owner=root group='{{ resolv_group }}' mode=0644
+ with_first_found:
+ - files:
+ - 'resolv.conf.{{ ansible_distribution }}'
+ - resolv.conf
diff --git a/roles/resolv_conf/templates b/roles/resolv_conf/templates
new file mode 120000
index 0000000..a18a05a
--- /dev/null
+++ b/roles/resolv_conf/templates
@@ -0,0 +1 @@
+../../company/resolv_conf-templates \ No newline at end of file
diff --git a/roles/resolv_conf/vars/FreeBSD.yml b/roles/resolv_conf/vars/FreeBSD.yml
new file mode 100644
index 0000000..04e253e
--- /dev/null
+++ b/roles/resolv_conf/vars/FreeBSD.yml
@@ -0,0 +1,2 @@
+---
+resolv_group: wheel
diff --git a/roles/resolv_conf/vars/default.yml b/roles/resolv_conf/vars/default.yml
new file mode 100644
index 0000000..24396bd
--- /dev/null
+++ b/roles/resolv_conf/vars/default.yml
@@ -0,0 +1,3 @@
+---
+resolv_file: /etc/resolv.conf
+resolv_group: root
diff --git a/roles/ssh/handlers/main.yml b/roles/ssh/handlers/main.yml
new file mode 100644
index 0000000..3dee0ef
--- /dev/null
+++ b/roles/ssh/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+- name: ssh restart
+ service: name='{{ ssh_service }}' state=restarted
diff --git a/roles/ssh/main.yml b/roles/ssh/main.yml
new file mode 100644
index 0000000..af79d33
--- /dev/null
+++ b/roles/ssh/main.yml
@@ -0,0 +1,9 @@
+---
+- hosts: all
+ vars_files:
+ - vars/default.yml
+ - hosts/default.yml
+ tasks:
+ - include: tasks/main.yml
+ handlers:
+ - handlers/main.yml
diff --git a/roles/ssh/tasks/main.yml b/roles/ssh/tasks/main.yml
new file mode 100644
index 0000000..a526b4e
--- /dev/null
+++ b/roles/ssh/tasks/main.yml
@@ -0,0 +1,36 @@
+---
+- name: ssh get vars
+ include_vars: default.yml
+
+- name: ssh get OS vars
+ include_vars: '{{ item }}'
+ with_first_found:
+ - '{{ ansible_distribution }}.yml'
+ - default.yml
+
+- name: ssh get host-specific vars
+ include_vars: '{{ item }}'
+ with_first_found:
+ - files:
+ - '../hosts/{{ ansible_fqdn }}.yml'
+ skip: true
+
+- name: ssh_config conf
+ template: src='{{ item }}' dest='{{ ssh_config_file }}' owner=root group='{{ ssh_group }}' mode=0644
+ with_first_found:
+ - files:
+ - '../hosts/ssh_config.{{ ansible_fqdn }}'
+ - 'ssh_config.{{ ansible_distribution }}'
+ - ssh_config
+ notify:
+ - ssh restart
+
+- name: sshd_config conf
+ template: src='{{ item }}' dest='{{ sshd_config_file }}' owner=root group='{{ ssh_group }}' mode=0644
+ with_first_found:
+ - files:
+ - '../hosts/sshd_config.{{ ansible_fqdn }}'
+ - 'sshd_config.{{ ansible_distribution }}'
+ - sshd_config
+ notify:
+ - ssh restart
diff --git a/roles/ssh/templates/ssh_config b/roles/ssh/templates/ssh_config
new file mode 100644
index 0000000..4a0fb82
--- /dev/null
+++ b/roles/ssh/templates/ssh_config
@@ -0,0 +1,66 @@
+# $OpenBSD: ssh_config,v 1.28 2013/09/16 11:35:43 sthen Exp $
+
+# This is the ssh client system-wide configuration file. See
+# ssh_config(5) for more information. This file provides defaults for
+# users, and the values can be changed in per-user configuration files
+# or on the command line.
+
+# Configuration data is parsed as follows:
+# 1. command line options
+# 2. user-specific file
+# 3. system-wide file
+# Any configuration value is only changed the first time it is set.
+# Thus, host-specific definitions should be at the beginning of the
+# configuration file, and defaults at the end.
+
+# Site-wide defaults for some commonly used options. For a comprehensive
+# list of available options, their meanings and defaults, please see the
+# ssh_config(5) man page.
+
+# Host *
+# ForwardAgent no
+# ForwardX11 no
+# RhostsRSAAuthentication no
+# RSAAuthentication yes
+# PasswordAuthentication yes
+# HostbasedAuthentication no
+# GSSAPIAuthentication no
+# GSSAPIDelegateCredentials no
+# GSSAPIKeyExchange no
+# GSSAPITrustDNS no
+# BatchMode no
+# CheckHostIP yes
+# AddressFamily any
+# ConnectTimeout 0
+# StrictHostKeyChecking ask
+# IdentityFile ~/.ssh/identity
+# IdentityFile ~/.ssh/id_rsa
+# IdentityFile ~/.ssh/id_dsa
+# Port 22
+# Protocol 2,1
+# Cipher 3des
+# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
+# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
+# EscapeChar ~
+# Tunnel no
+# TunnelDevice any:any
+# PermitLocalCommand no
+# VisualHostKey no
+# ProxyCommand ssh -q -W %h:%p gateway.example.com
+# RekeyLimit 1G 1h
+#
+# Uncomment this if you want to use .local domain
+# Host *.local
+# CheckHostIP no
+
+Host *
+ GSSAPIAuthentication yes
+# If this option is set to yes then remote X11 clients will have full access
+# to the original X11 display. As virtually no X11 client supports the untrusted
+# mode correctly we set this to yes.
+ ForwardX11Trusted yes
+# Send locale-related environment variables
+ SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+ SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+ SendEnv XMODIFIERS
diff --git a/roles/ssh/templates/ssh_config.FreeBSD b/roles/ssh/templates/ssh_config.FreeBSD
new file mode 100644
index 0000000..9ece121
--- /dev/null
+++ b/roles/ssh/templates/ssh_config.FreeBSD
@@ -0,0 +1,53 @@
+# $OpenBSD: ssh_config,v 1.30 2016/02/20 23:06:23 sobrado Exp $
+# $FreeBSD: releng/10.3/crypto/openssh/ssh_config 296853 2016-03-14 13:05:13Z des $
+
+# This is the ssh client system-wide configuration file. See
+# ssh_config(5) for more information. This file provides defaults for
+# users, and the values can be changed in per-user configuration files
+# or on the command line.
+
+# Configuration data is parsed as follows:
+# 1. command line options
+# 2. user-specific file
+# 3. system-wide file
+# Any configuration value is only changed the first time it is set.
+# Thus, host-specific definitions should be at the beginning of the
+# configuration file, and defaults at the end.
+
+# Site-wide defaults for some commonly used options. For a comprehensive
+# list of available options, their meanings and defaults, please see the
+# ssh_config(5) man page.
+
+# Host *
+# ForwardAgent no
+# ForwardX11 no
+# RhostsRSAAuthentication no
+# RSAAuthentication yes
+# PasswordAuthentication yes
+# HostbasedAuthentication no
+# GSSAPIAuthentication no
+# GSSAPIDelegateCredentials no
+# BatchMode no
+# CheckHostIP no
+# AddressFamily any
+# ConnectTimeout 0
+# StrictHostKeyChecking ask
+# IdentityFile ~/.ssh/identity
+# IdentityFile ~/.ssh/id_rsa
+# IdentityFile ~/.ssh/id_dsa
+# IdentityFile ~/.ssh/id_ecdsa
+# IdentityFile ~/.ssh/id_ed25519
+# Port 22
+# Protocol 2
+# Cipher 3des
+# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
+# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
+# EscapeChar ~
+# Tunnel no
+# TunnelDevice any:any
+# PermitLocalCommand no
+# VisualHostKey no
+# ProxyCommand ssh -q -W %h:%p gateway.example.com
+# RekeyLimit 1G 1h
+# VerifyHostKeyDNS yes
+# VersionAddendum FreeBSD-20160310
diff --git a/roles/ssh/templates/ssh_config.Ubuntu b/roles/ssh/templates/ssh_config.Ubuntu
new file mode 100644
index 0000000..188ae90
--- /dev/null
+++ b/roles/ssh/templates/ssh_config.Ubuntu
@@ -0,0 +1,56 @@
+
+# This is the ssh client system-wide configuration file. See
+# ssh_config(5) for more information. This file provides defaults for
+# users, and the values can be changed in per-user configuration files
+# or on the command line.
+
+# Configuration data is parsed as follows:
+# 1. command line options
+# 2. user-specific file
+# 3. system-wide file
+# Any configuration value is only changed the first time it is set.
+# Thus, host-specific definitions should be at the beginning of the
+# configuration file, and defaults at the end.
+
+# Site-wide defaults for some commonly used options. For a comprehensive
+# list of available options, their meanings and defaults, please see the
+# ssh_config(5) man page.
+
+Host *
+# ForwardAgent no
+# ForwardX11 no
+# ForwardX11Trusted yes
+# RhostsRSAAuthentication no
+# RSAAuthentication yes
+# PasswordAuthentication yes
+# HostbasedAuthentication no
+# GSSAPIAuthentication no
+# GSSAPIDelegateCredentials no
+# GSSAPIKeyExchange no
+# GSSAPITrustDNS no
+# BatchMode no
+# CheckHostIP yes
+# AddressFamily any
+# ConnectTimeout 0
+# StrictHostKeyChecking ask
+# IdentityFile ~/.ssh/identity
+# IdentityFile ~/.ssh/id_rsa
+# IdentityFile ~/.ssh/id_dsa
+# IdentityFile ~/.ssh/id_ecdsa
+# IdentityFile ~/.ssh/id_ed25519
+# Port 22
+# Protocol 2
+# Cipher 3des
+# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
+# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
+# EscapeChar ~
+# Tunnel no
+# TunnelDevice any:any
+# PermitLocalCommand no
+# VisualHostKey no
+# ProxyCommand ssh -q -W %h:%p gateway.example.com
+# RekeyLimit 1G 1h
+ SendEnv LANG LC_*
+ HashKnownHosts yes
+ GSSAPIAuthentication yes
+ GSSAPIDelegateCredentials no
diff --git a/roles/ssh/templates/sshd_config b/roles/ssh/templates/sshd_config
new file mode 100644
index 0000000..e3810ca
--- /dev/null
+++ b/roles/ssh/templates/sshd_config
@@ -0,0 +1,153 @@
+# $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/local/bin:/usr/bin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options override the
+# default value.
+
+# If you want to change the port on a SELinux system, you have to tell
+# SELinux about this change.
+# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
+#
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+# The default requires explicit activation of protocol 1
+#Protocol 2
+
+# HostKey for protocol version 1
+#HostKey /etc/ssh/ssh_host_key
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Lifetime and size of ephemeral version 1 server key
+#KeyRegenerationInterval 1h
+#ServerKeyBits 1024
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+# obsoletes QuietMode and FascistLogging
+#SyslogFacility AUTH
+SyslogFacility AUTHPRIV
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+#PermitRootLogin yes
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#RSAAuthentication yes
+#PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile .ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#RhostsRSAAuthentication no
+# similar for protocol version 2
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# RhostsRSAAuthentication and HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+#PasswordAuthentication yes
+#PermitEmptyPasswords no
+PasswordAuthentication yes
+
+# Change to no to disable s/key passwords
+#ChallengeResponseAuthentication yes
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+#KerberosUseKuserok yes
+
+# GSSAPI options
+GSSAPIAuthentication yes
+GSSAPICleanupCredentials no
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+#GSSAPIEnablek5users no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
+# problems.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+UsePrivilegeSeparation sandbox # Default for new installations.
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#ShowPatchLevel no
+#UseDNS yes
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Accept locale-related environment variables
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+AcceptEnv XMODIFIERS
+
+# override default of no subsystems
+Subsystem sftp /usr/libexec/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server
diff --git a/roles/ssh/templates/sshd_config.FreeBSD b/roles/ssh/templates/sshd_config.FreeBSD
new file mode 100644
index 0000000..c8dbbf0
--- /dev/null
+++ b/roles/ssh/templates/sshd_config.FreeBSD
@@ -0,0 +1,136 @@
+# $OpenBSD: sshd_config,v 1.98 2016/02/17 05:29:04 djm Exp $
+# $FreeBSD: releng/10.3/crypto/openssh/sshd_config 296853 2016-03-14 13:05:13Z des $
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options override the
+# default value.
+
+# Note that some of FreeBSD's defaults differ from OpenBSD's, and
+# FreeBSD has a few additional options.
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+# The default requires explicit activation of protocol 1
+#Protocol 2
+
+# HostKey for protocol version 1
+#HostKey /etc/ssh/ssh_host_key
+# HostKeys for protocol version 2
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_dsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Lifetime and size of ephemeral version 1 server key
+#KeyRegenerationInterval 1h
+#ServerKeyBits 1024
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+# obsoletes QuietMode and FascistLogging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin yes
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#RSAAuthentication yes
+#PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#RhostsRSAAuthentication no
+# similar for protocol version 2
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# RhostsRSAAuthentication and HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# Change to yes to enable built-in password authentication.
+#PasswordAuthentication no
+#PermitEmptyPasswords no
+
+# Change to no to disable PAM authentication
+#ChallengeResponseAuthentication yes
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+GSSAPIAuthentication yes
+GSSAPICleanupCredentials no
+
+# Set this to 'no' to disable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+#UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+#X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+#UsePrivilegeSeparation sandbox
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS yes
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum FreeBSD-20160310
+
+# no default banner path
+#Banner none
+
+# override default of no subsystems
+Subsystem sftp /usr/libexec/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server
diff --git a/roles/ssh/templates/sshd_config.Ubuntu b/roles/ssh/templates/sshd_config.Ubuntu
new file mode 100644
index 0000000..7ef30d5
--- /dev/null
+++ b/roles/ssh/templates/sshd_config.Ubuntu
@@ -0,0 +1,88 @@
+# Package generated configuration file
+# See the sshd_config(5) manpage for details
+
+# What ports, IPs and protocols we listen for
+Port 22
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#ListenAddress ::
+#ListenAddress 0.0.0.0
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 1024
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 120
+PermitRootLogin prohibit-password
+StrictModes yes
+
+RSAAuthentication yes
+PubkeyAuthentication yes
+#AuthorizedKeysFile %h/.ssh/authorized_keys
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Change to no to disable tunnelled clear text passwords
+#PasswordAuthentication yes
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosGetAFSToken no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+
+# GSSAPI options
+GSSAPIAuthentication yes
+GSSAPICleanupCredentials no
+
+X11Forwarding yes
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+#UseLogin no
+
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
diff --git a/roles/ssh/vars/FreeBSD.yml b/roles/ssh/vars/FreeBSD.yml
new file mode 100644
index 0000000..24f9a0f
--- /dev/null
+++ b/roles/ssh/vars/FreeBSD.yml
@@ -0,0 +1,2 @@
+---
+ssh_group: wheel
diff --git a/roles/ssh/vars/Ubuntu.yml b/roles/ssh/vars/Ubuntu.yml
new file mode 100644
index 0000000..3bc4f03
--- /dev/null
+++ b/roles/ssh/vars/Ubuntu.yml
@@ -0,0 +1,2 @@
+---
+ssh_service: 'ssh'
diff --git a/roles/ssh/vars/default.yml b/roles/ssh/vars/default.yml
new file mode 100644
index 0000000..01eca41
--- /dev/null
+++ b/roles/ssh/vars/default.yml
@@ -0,0 +1,5 @@
+---
+sshd_config_file: /etc/ssh/sshd_config
+ssh_config_file: /etc/ssh/ssh_config
+ssh_group: root
+ssh_service: 'sshd'
diff --git a/roles/ssh_keys/main.yml b/roles/ssh_keys/main.yml
new file mode 100644
index 0000000..9022768
--- /dev/null
+++ b/roles/ssh_keys/main.yml
@@ -0,0 +1,8 @@
+---
+- hosts: all
+ vars_files:
+ - vars/default.yml
+ tasks:
+ - include: tasks/main.yml
+ handlers:
+ - handlers/main.yml
diff --git a/roles/ssh_keys/tasks/main.yml b/roles/ssh_keys/tasks/main.yml
new file mode 100644
index 0000000..89d8d89
--- /dev/null
+++ b/roles/ssh_keys/tasks/main.yml
@@ -0,0 +1,63 @@
+---
+- name: ssh_keys get vars
+ include_vars: default.yml
+
+- name: ssh_keys get OS vars
+ include_vars: '{{ item }}'
+ with_first_found:
+ - '{{ ansible_distribution }}.yml'
+ - default.yml
+
+#- shell: echo "{{ item | basename | regex_replace('\.pubkeys?$','') }}"
+# with_fileglob:
+# - '*.pubkey'
+# - '*.pubkeys'
+# register: users_to_check
+
+#- debug: var=ssh_key_strings
+#- debug: var=ssh_key_files
+
+- stat: path='{{ master_home_dir}}/{{ item.user }}/.ssh'
+ with_items:
+ - '{{ ssh_key_strings }}'
+ register: "s"
+ when: ssh_key_strings is defined
+
+- stat: path='{{ master_home_dir}}/{{ item.user }}/.ssh'
+ with_items:
+ - '{{ ssh_key_files }}'
+ register: "r"
+ when: ssh_key_files is defined
+
+#- debug: msg='{{ item.stat.exists }}'
+# with_flattened:
+# - '{{ r.results }}'
+
+- name: ssh_keys deploy keys from files
+ template:
+ src: "roles/ssh_keys/files/{{ item.item.file }}"
+ dest: '{{ master_home_dir }}/{{ item.item.user }}/.ssh/authorized_keys'
+ mode: 0600
+ owner: '{{ item.item.user }}'
+ with_items:
+ - '{{ r.results }}'
+ when:
+ - item.stat.exists is defined
+ - '{{ item.stat.exists }}'
+ - r is defined
+
+- name: ssh_keys deploy keys from strings
+ lineinfile:
+ line: '{{ item.item.string }}'
+ regexp: "{{ item.item.string | regex_replace('^(.{40}).*$','\\1') }}"
+ dest: '{{ master_home_dir }}/{{ item.item.user }}/.ssh/authorized_keys'
+ mode: 0600
+ owner: '{{ item.item.user }}'
+ create: yes
+ state: present
+ with_items:
+ - '{{ s.results }}'
+ when:
+ - item.stat.exists is defined
+ - '{{ item.stat.exists }}'
+ - s is defined
diff --git a/roles/ssh_keys/tasks/main.yml.2016-09-22.01 b/roles/ssh_keys/tasks/main.yml.2016-09-22.01
new file mode 100644
index 0000000..b9536c4
--- /dev/null
+++ b/roles/ssh_keys/tasks/main.yml.2016-09-22.01
@@ -0,0 +1,26 @@
+---
+- name: ssh_keys get vars
+ include_vars: default.yml
+
+- name: ssh_keys get OS vars
+ include_vars: '{{ item }}'
+ with_first_found:
+ - '{{ ansible_distribution }}.yml'
+ - default.yml
+
+- stat: path='{{ master_home_dir }}/{{ item | basename | regex_replace('\.pubkeys?$','') }}/.ssh'
+ register: files_stat
+ with_fileglob:
+ - '*.pubkey'
+ - '*.pubkeys'
+
+- debug: var='{{ item.stat.exists }}'
+ with_items: '{{ files_stat.results }}'
+
+- name: ssh_keys deploy keys
+ template: src='{{ item }}' dest='{{ master_home_dir }}/{{ item | basename | regex_replace('\.pubkeys?$','') }}/.ssh/authorized_keys' mode=0600 owner='{{ item | basename | regex_replace('\.pubkeys?$',"") }}'
+ with_fileglob:
+ - '*.pubkey'
+ - '*.pubkeys'
+ #when: item2.stat.exists
+ #with_items: '{{ files_stat.results }}'
diff --git a/roles/ssh_keys/tasks/main.yml.2016-09-22.02 b/roles/ssh_keys/tasks/main.yml.2016-09-22.02
new file mode 100644
index 0000000..17f6d66
--- /dev/null
+++ b/roles/ssh_keys/tasks/main.yml.2016-09-22.02
@@ -0,0 +1,28 @@
+---
+- name: ssh_keys get vars
+ include_vars: default.yml
+
+- name: ssh_keys get OS vars
+ include_vars: '{{ item }}'
+ with_first_found:
+ - '{{ ansible_distribution }}.yml'
+ - default.yml
+
+- shell: echo "{{ item | basename | regex_replace('\.pubkeys?$','') }}"
+ with_fileglob:
+ - '*.pubkey'
+ - '*.pubkeys'
+ register: users_to_check
+
+- debug: msg="{{ item.stdout_lines }}"
+ with_items:
+ - '{{ users_to_check.results }}'
+
+#- debug: var='{{ item.stdout_lines }}'
+# with_items:
+# - '{{ users_to_check.items }}'
+
+#- name: ssh_keys deploy keys
+# template: src='{{ item.stdout_lines }}.pubkey' dest='{{ master_home_dir }}/{{ item.stdout_lines }}/.ssh/authorized_keys' mode=0600 owner='{{ item.stdout_lines }}'
+# with_items:
+# - '{{ users_to_check.results }}'
diff --git a/roles/ssh_keys/tasks/main.yml.2016-09-22.03 b/roles/ssh_keys/tasks/main.yml.2016-09-22.03
new file mode 100644
index 0000000..3729179
--- /dev/null
+++ b/roles/ssh_keys/tasks/main.yml.2016-09-22.03
@@ -0,0 +1,40 @@
+---
+- name: ssh_keys get vars
+ include_vars: default.yml
+
+- name: ssh_keys get OS vars
+ include_vars: '{{ item }}'
+ with_first_found:
+ - '{{ ansible_distribution }}.yml'
+ - default.yml
+
+#- shell: echo "{{ item | basename | regex_replace('\.pubkeys?$','') }}"
+# with_fileglob:
+# - '*.pubkey'
+# - '*.pubkeys'
+# register: users_to_check
+
+#- debug: var=ssh_key_strings
+#- debug: var=ssh_key_files
+
+- stat: path='{{ master_home_dir}}/{{ item.user }}/.ssh'
+ with_items:
+ - '{{ ssh_key_files }}'
+ register: "r"
+
+#- debug: msg='{{ item.stat.exists }}'
+# with_flattened:
+# - '{{ r.results }}'
+
+- name: ssh_keys deploy keys from files
+ template:
+ src: "roles/ssh_keys/files/{{ item.item.file }}"
+ dest: '{{ master_home_dir}}/{{ item.item.user }}/.ssh/authorized_keys'
+ mode: 0600
+ owner: '{{ item.item.user }}'
+ with_items:
+ - '{{ r.results }}'
+ when:
+ - '{{ item.stat.exists }}'
+
+- name: ssh_keys deploy keys from
diff --git a/roles/ssh_keys/tasks/main.yml.2016-09-22.04 b/roles/ssh_keys/tasks/main.yml.2016-09-22.04
new file mode 100644
index 0000000..c9f33a9
--- /dev/null
+++ b/roles/ssh_keys/tasks/main.yml.2016-09-22.04
@@ -0,0 +1,61 @@
+---
+- name: ssh_keys get vars
+ include_vars: default.yml
+
+- name: ssh_keys get OS vars
+ include_vars: '{{ item }}'
+ with_first_found:
+ - '{{ ansible_distribution }}.yml'
+ - default.yml
+
+#- shell: echo "{{ item | basename | regex_replace('\.pubkeys?$','') }}"
+# with_fileglob:
+# - '*.pubkey'
+# - '*.pubkeys'
+# register: users_to_check
+
+#- debug: var=ssh_key_strings
+#- debug: var=ssh_key_files
+
+- stat: path='{{ master_home_dir}}/{{ item.user }}/.ssh'
+ with_items:
+ - '{{ ssh_key_strings }}'
+ register: "s"
+ when: ssh_key_strings is defined
+
+- stat: path='{{ master_home_dir}}/{{ item.user }}/.ssh'
+ with_items:
+ - '{{ ssh_key_files }}'
+ register: "r"
+ when: ssh_key_files is defined
+
+#- debug: msg='{{ item.stat.exists }}'
+# with_flattened:
+# - '{{ r.results }}'
+
+- name: ssh_keys deploy keys from files
+ template:
+ src: "roles/ssh_keys/files/{{ item.item.file }}"
+ dest: '{{ master_home_dir }}/{{ item.item.user }}/.ssh/authorized_keys'
+ mode: 0600
+ owner: '{{ item.item.user }}'
+ with_items:
+ - '{{ r.results }}'
+ when:
+ - '{{ item.stat.exists }}'
+ - r is defined
+
+- name: ssh_keys deploy keys from strings
+ lineinfile:
+ line: '{{ item.item.string }}'
+ regexp: "{{ item.item.string | regex_replace('^(.{20}).*$','\\1') }}"
+ dest: '{{ master_home_dir }}/{{ item.item.user }}/.ssh/authorized_keys'
+ mode: 0600
+ owner: '{{ item.item.user }}'
+ create: yes
+ state: present
+ with_items:
+ - '{{ s.results }}'
+ when:
+ - '{{ item.stat.exists }}'
+ - s is defined
diff --git a/roles/ssh_keys/tasks/main.yml.2016-09-22.05 b/roles/ssh_keys/tasks/main.yml.2016-09-22.05
new file mode 100644
index 0000000..6d82cd0
--- /dev/null
+++ b/roles/ssh_keys/tasks/main.yml.2016-09-22.05
@@ -0,0 +1,61 @@
+---
+- name: ssh_keys get vars
+ include_vars: default.yml
+
+- name: ssh_keys get OS vars
+ include_vars: '{{ item }}'
+ with_first_found:
+ - '{{ ansible_distribution }}.yml'
+ - default.yml
+
+#- shell: echo "{{ item | basename | regex_replace('\.pubkeys?$','') }}"
+# with_fileglob:
+# - '*.pubkey'
+# - '*.pubkeys'
+# register: users_to_check
+
+#- debug: var=ssh_key_strings
+#- debug: var=ssh_key_files
+
+- stat: path='{{ master_home_dir}}/{{ item.user }}/.ssh'
+ with_items:
+ - '{{ ssh_key_strings }}'
+ register: "s"
+ when: ssh_key_strings is defined
+
+- stat: path='{{ master_home_dir}}/{{ item.user }}/.ssh'
+ with_items:
+ - '{{ ssh_key_files }}'
+ register: "r"
+ when: ssh_key_files is defined
+
+#- debug: msg='{{ item.stat.exists }}'
+# with_flattened:
+# - '{{ r.results }}'
+
+- name: ssh_keys deploy keys from files
+ template:
+ src: "roles/ssh_keys/files/{{ item.item.file }}"
+ dest: '{{ master_home_dir }}/{{ item.item.user }}/.ssh/authorized_keys'
+ mode: 0600
+ owner: '{{ item.item.user }}'
+ with_items:
+ - '{{ r.results }}'
+ when:
+ - '{{ item.stat.exists }}'
+ - r is defined
+
+- name: ssh_keys deploy keys from strings
+ lineinfile:
+ line: '{{ item.item.string }}'
+ regexp: "{{ item.item.string | regex_replace('^(.{40}).*$','\\1') }}"
+ dest: '{{ master_home_dir }}/{{ item.item.user }}/.ssh/authorized_keys'
+ mode: 0600
+ owner: '{{ item.item.user }}'
+ create: yes
+ state: present
+ with_items:
+ - '{{ s.results }}'
+ when:
+ - '{{ item.stat.exists }}'
+ - s is defined
diff --git a/roles/ssh_keys/tests/test.yml b/roles/ssh_keys/tests/test.yml
new file mode 100644
index 0000000..3397909
--- /dev/null
+++ b/roles/ssh_keys/tests/test.yml
@@ -0,0 +1,13 @@
+---
+- name: Test ssh_keys
+ hosts: test
+ remote_user: root
+ roles:
+ - ssh_keys
+ vars:
+# ssh_key_strings:
+# - { user: 'jdoe', string: 'a public key here' }
+# - { user: 'alice', string: 'public key here' }
+# ssh_key_files:
+# - { user: 'jdoe', file: '../../../company/pubkeys/jdoe.pubkeys' }
+# - { user: 'alice', file: '../../../company/pubkeys/alice.pubkey' }
diff --git a/roles/ssh_keys/vars/AIX.yml b/roles/ssh_keys/vars/AIX.yml
new file mode 100644
index 0000000..22f4611
--- /dev/null
+++ b/roles/ssh_keys/vars/AIX.yml
@@ -0,0 +1,2 @@
+---
+master_home_dir: /home/users
diff --git a/roles/ssh_keys/vars/default.yml b/roles/ssh_keys/vars/default.yml
new file mode 100644
index 0000000..f9662af
--- /dev/null
+++ b/roles/ssh_keys/vars/default.yml
@@ -0,0 +1,2 @@
+---
+master_home_dir: /home
bgstack15