author | B Stack <bgstack15@gmail.com> | 2016-09-23 10:27:15 -0400 |
committer | B Stack <bgstack15@gmail.com> | 2016-09-23 10:27:15 -0400 |
commit | 5e8a7ac51e486044c8d14694e5f51173dd63f628 (patch) | |
tree | 586bba6cab996f95a39f6a4620e457cf5924d770 /roles | |
parent | Initial file upload (diff) | |
Initial file upload
Diffstat (limited to 'roles')
37 files changed, 1027 insertions, 0 deletions
diff --git a/roles/ad/handlers/main.yml b/roles/ad/handlers/main.yml
new file mode 100644
index 0000000..db92053
--- /dev/null
+++ b/roles/ad/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+- name: sssd restart
+ service: name=sssd state=restarted
diff --git a/roles/ad/main.yml b/roles/ad/main.yml
new file mode 100644
index 0000000..af79d33
--- /dev/null
+++ b/roles/ad/main.yml
@@ -0,0 +1,9 @@
+---
+- hosts: all
+ vars_files:
+ - vars/default.yml
+ - hosts/default.yml
+ tasks:
+ - include: tasks/main.yml
+ handlers:
+ - handlers/main.yml
diff --git a/roles/ad/tasks/main.yml b/roles/ad/tasks/main.yml
new file mode 100644
index 0000000..a8275e5
--- /dev/null
+++ b/roles/ad/tasks/main.yml
@@ -0,0 +1,39 @@
+---
+- name: ad get vars
+ include_vars: default.yml
+
+- name: ad get OS vars
+ include_vars: '{{ item }}'
+ with_first_found:
+ - '{{ ansible_distribution }}.yml'
+ - default.yml
+
+- name: ad get host-specific vars
+ include_vars: '{{ item }}'
+ with_first_found:
+ - files:
+ - '../hosts/{{ ansible_fqdn }}.yml'
+ skip: true
+
+- name: sssd conf
+ template: src="sssd.conf.{{ ansible_distribution }}" dest="{{ sssd_dir }}/sssd.conf"
+ notify:
+ - sssd restart
+
+- name: sssd ad_access_filter
+ lineinfile: dest="{{ sssd_dir }}/sssd.conf" regexp="^ad_access_filter = .*$" line="ad_access_filter = {{ ad_access_filter }}"
+ when: ad_access_filter is defined
+ notify:
+ - sssd restart
+
+- name: sssd simple_allow_users
+ lineinfile: dest="{{ sssd_dir }}/sssd.conf" regexp="^simple_allow_users = .*$" line="simple_allow_users = {{ simple_allow_users }}"
+ when: simple_allow_users is defined
+ notify:
+ - sssd restart
+
+- name: sssd start
+ service: name=sssd state=started
+
+- name: kerberos conf
+ template: src="krb5.conf.{{ ansible_distribution }}" dest="{{ krb5_conf_dir }}/krb5.conf"
diff --git a/roles/ad/templates b/roles/ad/templates
new file mode 120000
index 0000000..714ffa6
--- /dev/null
+++ b/roles/ad/templates
@@ -0,0 +1 @@
+../../company/ad-templates
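Review bot: The `sssd conf` task renders `{{ sssd_dir }}/sssd.conf` with no `owner`, `group` or `mode`, so the file takes the umask default and is typically world-readable; sssd checks its config permissions and, on the versions I am aware of, refuses to load a file that is not root-owned 0600, so the later `sssd start` would fail on a fresh host. I would write `template: src="sssd.conf.{{ ansible_distribution }}" dest="{{ sssd_dir }}/sssd.conf" owner=root group=root mode=0600`. The two `lineinfile` tasks append at end of file whenever their regexp does not match, which lands outside any `[domain/...]` section unless the company template already carries a placeholder line — that template is a symlink outside this diff, so worth confirming. Selecting `../hosts/{{ ansible_fqdn }}.yml` by a gathered fact lets the managed host choose which controller-side vars file it receives; `inventory_hostname` is the controller-owned name and the safer key.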
\ No newline at end of file
diff --git a/roles/ad/vars b/roles/ad/vars
new file mode 120000
index 0000000..b461d44
--- /dev/null
+++ b/roles/ad/vars
@@ -0,0 +1 @@
+../../company/ad-vars
\ No newline at end of file
diff --git a/roles/fail2ban/defaults/main.yml b/roles/fail2ban/defaults/main.yml
new file mode 100644
index 0000000..c3a16b1
--- /dev/null
+++ b/roles/fail2ban/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+fail2ban_filterd_path: roles/fail2ban/files/filter.d/
+fail2ban_jaild_path: roles/fail2ban/files/jail.d/
diff --git a/roles/fail2ban/files b/roles/fail2ban/files
new file mode 120000
index 0000000..9e0759b
--- /dev/null
+++ b/roles/fail2ban/files
@@ -0,0 +1 @@
+../../company/fail2ban-files
\ No newline at end of file
diff --git a/roles/fail2ban/handlers/main.yml b/roles/fail2ban/handlers/main.yml
new file mode 100644
index 0000000..420d8e8
--- /dev/null
+++ b/roles/fail2ban/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+- name: fail2ban restart
+ service: name=fail2ban state=restarted
diff --git a/roles/fail2ban/main.yml b/roles/fail2ban/main.yml
new file mode 100644
index 0000000..703571e
--- /dev/null
+++ b/roles/fail2ban/main.yml
@@ -0,0 +1,6 @@
+---
+- hosts: all
+ tasks:
+ - include: tasks/main.yml
+ handlers:
+ - handlers/main.yml
diff --git a/roles/fail2ban/tasks/main.yml b/roles/fail2ban/tasks/main.yml
new file mode 100644
index 0000000..d60e427
--- /dev/null
+++ b/roles/fail2ban/tasks/main.yml
@@ -0,0 +1,20 @@
+---
+- name: fail2ban copy filter
+ copy:
+ src: "{{ fail2ban_filterd_path }}"
+ dest: /etc/fail2ban/filter.d/
+ owner: root
+ group: root
+ mode: 0644
+ when: fail2ban_filterd_path is defined
+ notify: fail2ban restart
+
+- name: fail2ban copy jails
+ copy:
+ src: "{{ fail2ban_jaild_path }}"
+ dest: /etc/fail2ban/jail.d/
+ owner: root
+ group: root
+ mode: 0644
+ when: fail2ban_jaild_path is defined
+ notify: fail2ban restart
diff --git a/roles/resolv_conf/main.yml b/roles/resolv_conf/main.yml
new file mode 100644
index 0000000..430c387
--- /dev/null
+++ b/roles/resolv_conf/main.yml
@@ -0,0 +1,6 @@
+---
+- hosts: all
+ vars_files:
+ - vars/default.yml
+ tasks:
+ - include: tasks/main.yml
diff --git a/roles/resolv_conf/tasks/main.yml b/roles/resolv_conf/tasks/main.yml
new file mode 100644
index 0000000..563b9cc
--- /dev/null
+++ b/roles/resolv_conf/tasks/main.yml
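Review bot: Both `when: ... is defined` guards in the fail2ban tasks can never be false, because `roles/fail2ban/defaults/main.yml` in this same commit defines `fail2ban_filterd_path` and `fail2ban_jaild_path`; either drop the guards or leave the defaults unset so an operator can actually opt a host out. Note also that `copy` with a directory source only adds and updates files: a jail or filter deleted from the company directory stays live in `/etc/fail2ban/jail.d/` on every host, so retiring a jail in the repo does not retire it in production — if that matters, add a `file: state=absent` task for removed names, or deploy the directory with `synchronize` and `delete: yes`.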
@@ -0,0 +1,16 @@
+---
+- name: resolv_conf get vars
+ include_vars: default.yml
+
+- name: resolv_conf get OS vars
+ include_vars: '{{ item }}'
+ with_first_found:
+ - '{{ ansible_distribution }}.yml'
+ - default.yml
+
+- name: resolv_conf file
+ template: src='{{ item }}' dest='{{ resolv_file }}' owner=root group='{{ resolv_group }}' mode=0644
+ with_first_found:
+ - files:
+ - 'resolv.conf.{{ ansible_distribution }}'
+ - resolv.conf
diff --git a/roles/resolv_conf/templates b/roles/resolv_conf/templates
new file mode 120000
index 0000000..a18a05a
--- /dev/null
+++ b/roles/resolv_conf/templates
@@ -0,0 +1 @@
+../../company/resolv_conf-templates
\ No newline at end of file
diff --git a/roles/resolv_conf/vars/FreeBSD.yml b/roles/resolv_conf/vars/FreeBSD.yml
new file mode 100644
index 0000000..04e253e
--- /dev/null
+++ b/roles/resolv_conf/vars/FreeBSD.yml
@@ -0,0 +1,2 @@
+---
+resolv_group: wheel
diff --git a/roles/resolv_conf/vars/default.yml b/roles/resolv_conf/vars/default.yml
new file mode 100644
index 0000000..24396bd
--- /dev/null
+++ b/roles/resolv_conf/vars/default.yml
@@ -0,0 +1,3 @@
+---
+resolv_file: /etc/resolv.conf
+resolv_group: root
diff --git a/roles/ssh/handlers/main.yml b/roles/ssh/handlers/main.yml
new file mode 100644
index 0000000..3dee0ef
--- /dev/null
+++ b/roles/ssh/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+- name: ssh restart
+ service: name='{{ ssh_service }}' state=restarted
diff --git a/roles/ssh/main.yml b/roles/ssh/main.yml
new file mode 100644
index 0000000..af79d33
--- /dev/null
+++ b/roles/ssh/main.yml
@@ -0,0 +1,9 @@
+---
+- hosts: all
+ vars_files:
+ - vars/default.yml
+ - hosts/default.yml
+ tasks:
+ - include: tasks/main.yml
+ handlers:
+ - handlers/main.yml
diff --git a/roles/ssh/tasks/main.yml b/roles/ssh/tasks/main.yml
new file mode 100644
index 0000000..a526b4e
--- /dev/null
+++ b/roles/ssh/tasks/main.yml
@@ -0,0 +1,36 @@
+---
+- name: ssh get vars
+ include_vars: default.yml
+
+- name: ssh get OS vars
+ include_vars: '{{ item }}'
+ with_first_found:
+ - '{{ ansible_distribution }}.yml'
+ - default.yml
+
+- name: ssh get host-specific vars
+ include_vars: '{{ item }}'
+ with_first_found:
+ - files:
+ - '../hosts/{{ ansible_fqdn }}.yml'
+ skip: true
+
+- name: ssh_config conf
+ template: src='{{ item }}' dest='{{ ssh_config_file }}' owner=root group='{{ ssh_group }}' mode=0644
+ with_first_found:
+ - files:
+ - '../hosts/ssh_config.{{ ansible_fqdn }}'
+ - 'ssh_config.{{ ansible_distribution }}'
+ - ssh_config
+ notify:
+ - ssh restart
+
+- name: sshd_config conf
+ template: src='{{ item }}' dest='{{ sshd_config_file }}' owner=root group='{{ ssh_group }}' mode=0644
+ with_first_found:
+ - files:
+ - '../hosts/sshd_config.{{ ansible_fqdn }}'
+ - 'sshd_config.{{ ansible_distribution }}'
+ - sshd_config
+ notify:
+ - ssh restart
diff --git a/roles/ssh/templates/ssh_config b/roles/ssh/templates/ssh_config
new file mode 100644
index 0000000..4a0fb82
--- /dev/null
+++ b/roles/ssh/templates/ssh_config
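Review bot: The `sshd_config conf` task hands a freshly rendered `sshd_config` straight to the `ssh restart` handler with no syntax check, so a bad template, or a directive the installed OpenSSH does not understand, restarts sshd into a failed state and locks out every host in `hosts: all`. Use the module's validate hook, `template: src='{{ item }}' dest='{{ sshd_config_file }}' owner=root group='{{ ssh_group }}' mode=0644 validate='/usr/sbin/sshd -t -f %s'`, so the handler only fires after `sshd -t` accepts the file (put the binary path in a per-OS var if it differs). The `../hosts/sshd_config.{{ ansible_fqdn }}` lookup keys on a gathered fact, which means the managed host rather than the inventory decides which controller-side template it is given; `inventory_hostname` keeps that choice on the controller.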
@@ -0,0 +1,66 @@ +# $OpenBSD: ssh_config,v 1.28 2013/09/16 11:35:43 sthen Exp $ + +# This is the ssh client system-wide configuration file. See +# ssh_config(5) for more information. This file provides defaults for +# users, and the values can be changed in per-user configuration files +# or on the command line. + +# Configuration data is parsed as follows: +# 1. command line options +# 2. user-specific file +# 3. system-wide file +# Any configuration value is only changed the first time it is set. +# Thus, host-specific definitions should be at the beginning of the +# configuration file, and defaults at the end. + +# Site-wide defaults for some commonly used options. For a comprehensive +# list of available options, their meanings and defaults, please see the +# ssh_config(5) man page. + +# Host * +# ForwardAgent no +# ForwardX11 no +# RhostsRSAAuthentication no +# RSAAuthentication yes +# PasswordAuthentication yes +# HostbasedAuthentication no +# GSSAPIAuthentication no +# GSSAPIDelegateCredentials no +# GSSAPIKeyExchange no +# GSSAPITrustDNS no +# BatchMode no +# CheckHostIP yes +# AddressFamily any +# ConnectTimeout 0 +# StrictHostKeyChecking ask +# IdentityFile ~/.ssh/identity +# IdentityFile ~/.ssh/id_rsa +# IdentityFile ~/.ssh/id_dsa +# Port 22 +# Protocol 2,1 +# Cipher 3des +# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc +# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160 +# EscapeChar ~ +# Tunnel no +# TunnelDevice any:any +# PermitLocalCommand no +# VisualHostKey no +# ProxyCommand ssh -q -W %h:%p gateway.example.com +# RekeyLimit 1G 1h +# +# Uncomment this if you want to use .local domain +# Host *.local +# CheckHostIP no + +Host * + GSSAPIAuthentication yes +# If this option is set to yes then remote X11 clients will have full access +# to the original X11 display. As virtually no X11 client supports the untrusted +# mode correctly we set this to yes. 
+ ForwardX11Trusted yes +# Send locale-related environment variables + SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES + SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT + SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE + SendEnv XMODIFIERS diff --git a/roles/ssh/templates/ssh_config.FreeBSD b/roles/ssh/templates/ssh_config.FreeBSD new file mode 100644 index 0000000..9ece121 --- /dev/null +++ b/roles/ssh/templates/ssh_config.FreeBSD 
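Review bot: `ForwardX11Trusted yes` under `Host *` turns every `ssh -X` from these hosts into a trusted forward, giving the remote side unrestricted access to the local X display (input snooping, window capture); the comment above it gives the usability reason, but as a fleet-wide default pushed by Ansible it deserves an explicit decision. If the default stays, record that choice in the role's documentation; otherwise set `ForwardX11Trusted no` and let users opt in with `ssh -Y` for hosts they trust.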
@@ -0,0 +1,53 @@ +# $OpenBSD: ssh_config,v 1.30 2016/02/20 23:06:23 sobrado Exp $ +# $FreeBSD: releng/10.3/crypto/openssh/ssh_config 296853 2016-03-14 13:05:13Z des $ + +# This is the ssh client system-wide configuration file. See +# ssh_config(5) for more information. This file provides defaults for +# users, and the values can be changed in per-user configuration files +# or on the command line. + +# Configuration data is parsed as follows: +# 1. command line options +# 2. user-specific file +# 3. system-wide file +# Any configuration value is only changed the first time it is set. +# Thus, host-specific definitions should be at the beginning of the +# configuration file, and defaults at the end. + +# Site-wide defaults for some commonly used options. For a comprehensive +# list of available options, their meanings and defaults, please see the +# ssh_config(5) man page. + +# Host * +# ForwardAgent no +# ForwardX11 no +# RhostsRSAAuthentication no +# RSAAuthentication yes +# PasswordAuthentication yes +# HostbasedAuthentication no +# GSSAPIAuthentication no +# GSSAPIDelegateCredentials no +# BatchMode no +# CheckHostIP no +# AddressFamily any +# ConnectTimeout 0 +# StrictHostKeyChecking ask +# IdentityFile ~/.ssh/identity +# IdentityFile ~/.ssh/id_rsa +# IdentityFile ~/.ssh/id_dsa +# IdentityFile ~/.ssh/id_ecdsa +# IdentityFile ~/.ssh/id_ed25519 +# Port 22 +# Protocol 2 +# Cipher 3des +# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc +# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160 +# EscapeChar ~ +# Tunnel no +# TunnelDevice any:any +# PermitLocalCommand no +# VisualHostKey no +# ProxyCommand ssh -q -W %h:%p gateway.example.com +# RekeyLimit 1G 1h +# VerifyHostKeyDNS yes +# VersionAddendum FreeBSD-20160310 diff --git a/roles/ssh/templates/ssh_config.Ubuntu b/roles/ssh/templates/ssh_config.Ubuntu new file mode 100644 index 0000000..188ae90 --- /dev/null +++ b/roles/ssh/templates/ssh_config.Ubuntu 
@@ -0,0 +1,56 @@ + +# This is the ssh client system-wide configuration file. See +# ssh_config(5) for more information. This file provides defaults for +# users, and the values can be changed in per-user configuration files +# or on the command line. + +# Configuration data is parsed as follows: +# 1. command line options +# 2. user-specific file +# 3. system-wide file +# Any configuration value is only changed the first time it is set. +# Thus, host-specific definitions should be at the beginning of the +# configuration file, and defaults at the end. + +# Site-wide defaults for some commonly used options. For a comprehensive +# list of available options, their meanings and defaults, please see the +# ssh_config(5) man page. + +Host * +# ForwardAgent no +# ForwardX11 no +# ForwardX11Trusted yes +# RhostsRSAAuthentication no +# RSAAuthentication yes +# PasswordAuthentication yes +# HostbasedAuthentication no +# GSSAPIAuthentication no +# GSSAPIDelegateCredentials no +# GSSAPIKeyExchange no +# GSSAPITrustDNS no +# BatchMode no +# CheckHostIP yes +# AddressFamily any +# ConnectTimeout 0 +# StrictHostKeyChecking ask +# IdentityFile ~/.ssh/identity +# IdentityFile ~/.ssh/id_rsa +# IdentityFile ~/.ssh/id_dsa +# IdentityFile ~/.ssh/id_ecdsa +# IdentityFile ~/.ssh/id_ed25519 +# Port 22 +# Protocol 2 +# Cipher 3des +# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc +# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160 +# EscapeChar ~ +# Tunnel no +# TunnelDevice any:any +# PermitLocalCommand no +# VisualHostKey no +# ProxyCommand ssh -q -W %h:%p gateway.example.com +# RekeyLimit 1G 1h + SendEnv LANG LC_* + HashKnownHosts yes + GSSAPIAuthentication yes + GSSAPIDelegateCredentials no diff --git a/roles/ssh/templates/sshd_config b/roles/ssh/templates/sshd_config new file mode 100644 index 0000000..e3810ca --- /dev/null +++ b/roles/ssh/templates/sshd_config 
@@ -0,0 +1,153 @@ +# $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $ + +# This is the sshd server system-wide configuration file. See +# sshd_config(5) for more information. + +# This sshd was compiled with PATH=/usr/local/bin:/usr/bin + +# The strategy used for options in the default sshd_config shipped with +# OpenSSH is to specify options with their default value where +# possible, but leave them commented. Uncommented options override the +# default value. + +# If you want to change the port on a SELinux system, you have to tell +# SELinux about this change. +# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER +# +#Port 22 +#AddressFamily any +#ListenAddress 0.0.0.0 +#ListenAddress :: + +# The default requires explicit activation of protocol 1 +#Protocol 2 + +# HostKey for protocol version 1 +#HostKey /etc/ssh/ssh_host_key +# HostKeys for protocol version 2 +HostKey /etc/ssh/ssh_host_rsa_key +#HostKey /etc/ssh/ssh_host_dsa_key +HostKey /etc/ssh/ssh_host_ecdsa_key +HostKey /etc/ssh/ssh_host_ed25519_key + +# Lifetime and size of ephemeral version 1 server key +#KeyRegenerationInterval 1h +#ServerKeyBits 1024 + +# Ciphers and keying +#RekeyLimit default none + +# Logging +# obsoletes QuietMode and FascistLogging +#SyslogFacility AUTH +SyslogFacility AUTHPRIV +#LogLevel INFO + +# Authentication: + +#LoginGraceTime 2m +#PermitRootLogin yes +#StrictModes yes +#MaxAuthTries 6 +#MaxSessions 10 + +#RSAAuthentication yes +#PubkeyAuthentication yes + +# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 +# but this is overridden so installations will only check .ssh/authorized_keys +AuthorizedKeysFile .ssh/authorized_keys + +#AuthorizedPrincipalsFile none + +#AuthorizedKeysCommand none +#AuthorizedKeysCommandUser nobody + +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts +#RhostsRSAAuthentication no +# similar for protocol version 2 +#HostbasedAuthentication no +# Change to yes if you don't trust 
~/.ssh/known_hosts for +# RhostsRSAAuthentication and HostbasedAuthentication +#IgnoreUserKnownHosts no +# Don't read the user's ~/.rhosts and ~/.shosts files +#IgnoreRhosts yes + +# To disable tunneled clear text passwords, change to no here! +#PasswordAuthentication yes +#PermitEmptyPasswords no +PasswordAuthentication yes + +# Change to no to disable s/key passwords +#ChallengeResponseAuthentication yes +ChallengeResponseAuthentication no + +# Kerberos options +#KerberosAuthentication no +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes +#KerberosGetAFSToken no +#KerberosUseKuserok yes + +# GSSAPI options +GSSAPIAuthentication yes +GSSAPICleanupCredentials no +#GSSAPIStrictAcceptorCheck yes +#GSSAPIKeyExchange no +#GSSAPIEnablek5users no + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several +# problems. +UsePAM yes + +#AllowAgentForwarding yes +#AllowTcpForwarding yes +#GatewayPorts no +X11Forwarding yes +#X11DisplayOffset 10 +#X11UseLocalhost yes +#PermitTTY yes +#PrintMotd yes +#PrintLastLog yes +#TCPKeepAlive yes +#UseLogin no +UsePrivilegeSeparation sandbox # Default for new installations. 
+#PermitUserEnvironment no +#Compression delayed +#ClientAliveInterval 0 +#ClientAliveCountMax 3 +#ShowPatchLevel no +#UseDNS yes +#PidFile /var/run/sshd.pid +#MaxStartups 10:30:100 +#PermitTunnel no +#ChrootDirectory none +#VersionAddendum none + +# no default banner path +#Banner none + +# Accept locale-related environment variables +AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES +AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT +AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE +AcceptEnv XMODIFIERS + +# override default of no subsystems +Subsystem sftp /usr/libexec/openssh/sftp-server + +# Example of overriding settings on a per-user basis +#Match User anoncvs +# X11Forwarding no +# AllowTcpForwarding no +# PermitTTY no +# ForceCommand cvs server diff --git a/roles/ssh/templates/sshd_config.FreeBSD b/roles/ssh/templates/sshd_config.FreeBSD new file mode 100644 index 0000000..c8dbbf0 --- /dev/null +++ b/roles/ssh/templates/sshd_config.FreeBSD 
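Review bot: `PasswordAuthentication yes` is set explicitly while `PermitRootLogin` is left commented, and on OpenSSH releases before 7.0 the built-in default for that option is `yes` (the commented `#PermitRootLogin yes` shows the era this file was copied from), so as deployed this template permits root password logins on every host the role targets. Set `PermitRootLogin no` (or `without-password` if key-based root is genuinely needed) explicitly, and consider `MaxAuthTries 3` plus `PasswordAuthentication no` wherever the AD/sssd role makes key or GSSAPI logins sufficient. `GSSAPICleanupCredentials no` also keeps delegated Kerberos credential caches on disk after the session ends, the reverse of the upstream default; if that is intentional, say so in a comment above the line.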
@@ -0,0 +1,136 @@ +# $OpenBSD: sshd_config,v 1.98 2016/02/17 05:29:04 djm Exp $ +# $FreeBSD: releng/10.3/crypto/openssh/sshd_config 296853 2016-03-14 13:05:13Z des $ + +# This is the sshd server system-wide configuration file. See +# sshd_config(5) for more information. + +# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin + +# The strategy used for options in the default sshd_config shipped with +# OpenSSH is to specify options with their default value where +# possible, but leave them commented. Uncommented options override the +# default value. + +# Note that some of FreeBSD's defaults differ from OpenBSD's, and +# FreeBSD has a few additional options. + +#Port 22 +#AddressFamily any +#ListenAddress 0.0.0.0 +#ListenAddress :: + +# The default requires explicit activation of protocol 1 +#Protocol 2 + +# HostKey for protocol version 1 +#HostKey /etc/ssh/ssh_host_key +# HostKeys for protocol version 2 +#HostKey /etc/ssh/ssh_host_rsa_key +#HostKey /etc/ssh/ssh_host_dsa_key +#HostKey /etc/ssh/ssh_host_ecdsa_key +#HostKey /etc/ssh/ssh_host_ed25519_key + +# Lifetime and size of ephemeral version 1 server key +#KeyRegenerationInterval 1h +#ServerKeyBits 1024 + +# Ciphers and keying +#RekeyLimit default none + +# Logging +# obsoletes QuietMode and FascistLogging +#SyslogFacility AUTH +#LogLevel INFO + +# Authentication: + +#LoginGraceTime 2m +PermitRootLogin yes +#StrictModes yes +#MaxAuthTries 6 +#MaxSessions 10 + +#RSAAuthentication yes +#PubkeyAuthentication yes + +# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 +#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2 + +#AuthorizedPrincipalsFile none + +#AuthorizedKeysCommand none +#AuthorizedKeysCommandUser nobody + +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts +#RhostsRSAAuthentication no +# similar for protocol version 2 +#HostbasedAuthentication no +# Change to yes if you don't trust ~/.ssh/known_hosts for +# RhostsRSAAuthentication 
and HostbasedAuthentication +#IgnoreUserKnownHosts no +# Don't read the user's ~/.rhosts and ~/.shosts files +#IgnoreRhosts yes + +# Change to yes to enable built-in password authentication. +#PasswordAuthentication no +#PermitEmptyPasswords no + +# Change to no to disable PAM authentication +#ChallengeResponseAuthentication yes + +# Kerberos options +#KerberosAuthentication no +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes +#KerberosGetAFSToken no + +# GSSAPI options +GSSAPIAuthentication yes +GSSAPICleanupCredentials no + +# Set this to 'no' to disable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +#UsePAM yes + +#AllowAgentForwarding yes +#AllowTcpForwarding yes +#GatewayPorts no +#X11Forwarding yes +#X11DisplayOffset 10 +#X11UseLocalhost yes +#PermitTTY yes +#PrintMotd yes +#PrintLastLog yes +#TCPKeepAlive yes +#UseLogin no +#UsePrivilegeSeparation sandbox +#PermitUserEnvironment no +#Compression delayed +#ClientAliveInterval 0 +#ClientAliveCountMax 3 +#UseDNS yes +#PidFile /var/run/sshd.pid +#MaxStartups 10:30:100 +#PermitTunnel no +#ChrootDirectory none +#VersionAddendum FreeBSD-20160310 + +# no default banner path +#Banner none + +# override default of no subsystems +Subsystem sftp /usr/libexec/sftp-server + +# Example of overriding settings on a per-user basis +#Match User anoncvs +# X11Forwarding no +# AllowTcpForwarding no +# PermitTTY no +# ForceCommand cvs server 
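Review bot: `PermitRootLogin yes` is the only authentication directive this template changes from the FreeBSD defaults, and because `ChallengeResponseAuthentication` and `UsePAM` keep their default `yes`, root can still log in with a password through keyboard-interactive even though `PasswordAuthentication` is commented as `no`. Set `PermitRootLogin without-password` (or `no`, with a named admin account) unless there is a documented reason the FreeBSD hosts need password root logins; if there is, put that reason in a comment above the line. `GSSAPICleanupCredentials no` has the same credential-cache persistence effect as in the Linux template and needs the same justification.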
diff --git a/roles/ssh/templates/sshd_config.Ubuntu b/roles/ssh/templates/sshd_config.Ubuntu new file mode 100644 index 0000000..7ef30d5 --- /dev/null +++ b/roles/ssh/templates/sshd_config.Ubuntu 
@@ -0,0 +1,88 @@
+# Package generated configuration file
+# See the sshd_config(5) manpage for details
+
+# What ports, IPs and protocols we listen for
+Port 22
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#ListenAddress ::
+#ListenAddress 0.0.0.0
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 1024
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 120
+PermitRootLogin prohibit-password
+StrictModes yes
+
+RSAAuthentication yes
+PubkeyAuthentication yes
+#AuthorizedKeysFile %h/.ssh/authorized_keys
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Change to no to disable tunnelled clear text passwords
+#PasswordAuthentication yes
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosGetAFSToken no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+
+# GSSAPI options
+GSSAPIAuthentication yes
+GSSAPICleanupCredentials no
+
+X11Forwarding yes
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+#UseLogin no
+
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG
LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
diff --git a/roles/ssh/vars/FreeBSD.yml b/roles/ssh/vars/FreeBSD.yml
new file mode 100644
index 0000000..24f9a0f
--- /dev/null
+++ b/roles/ssh/vars/FreeBSD.yml
@@ -0,0 +1,2 @@
+---
+ssh_group: wheel
diff --git a/roles/ssh/vars/Ubuntu.yml b/roles/ssh/vars/Ubuntu.yml
new file mode 100644
index 0000000..3bc4f03
--- /dev/null
+++ b/roles/ssh/vars/Ubuntu.yml
@@ -0,0 +1,2 @@
+---
+ssh_service: 'ssh'
diff --git a/roles/ssh/vars/default.yml b/roles/ssh/vars/default.yml
new file mode 100644
index 0000000..01eca41
--- /dev/null
+++ b/roles/ssh/vars/default.yml
@@ -0,0 +1,5 @@
+---
+sshd_config_file: /etc/ssh/sshd_config
+ssh_config_file: /etc/ssh/ssh_config
+ssh_group: root
+ssh_service: 'sshd'
diff --git a/roles/ssh_keys/main.yml b/roles/ssh_keys/main.yml
new file mode 100644
index 0000000..9022768
--- /dev/null
+++ b/roles/ssh_keys/main.yml
@@ -0,0 +1,8 @@
+---
+- hosts: all
+ vars_files:
+ - vars/default.yml
+ tasks:
+ - include: tasks/main.yml
+ handlers:
+ - handlers/main.yml
diff --git a/roles/ssh_keys/tasks/main.yml b/roles/ssh_keys/tasks/main.yml
new file mode 100644
index 0000000..89d8d89
--- /dev/null
+++ b/roles/ssh_keys/tasks/main.yml
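Review bot: `PermitRootLogin prohibit-password` is only understood by OpenSSH 7.0 and later; on an older Ubuntu release (14.04 ships 6.6) sshd rejects it as a bad argument and fails to start, which together with the unconditional `ssh restart` handler locks the host out — use `without-password`, which every affected version still accepts, or gate the template on `ansible_distribution_version`. `HostKey /etc/ssh/ssh_host_dsa_key` advertises a 1024-bit DSA host key: dead weight on 7.0+, where ssh-dss is disabled by default, and a weak key on anything older, so drop that line and keep rsa/ecdsa/ed25519. `KeyRegenerationInterval` and `ServerKeyBits` only apply to protocol 1, which `Protocol 2` already excludes, and can go with it.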
@@ -0,0 +1,63 @@
+---
+- name: ssh_keys get vars
+ include_vars: default.yml
+
+- name: ssh_keys get OS vars
+ include_vars: '{{ item }}'
+ with_first_found:
+ - '{{ ansible_distribution }}.yml'
+ - default.yml
+
+#- shell: echo "{{ item | basename | regex_replace('\.pubkeys?$','') }}"
+# with_fileglob:
+# - '*.pubkey'
+# - '*.pubkeys'
+# register: users_to_check
+
+#- debug: var=ssh_key_strings
+#- debug: var=ssh_key_files
+
+- stat: path='{{ master_home_dir}}/{{ item.user }}/.ssh'
+ with_items:
+ - '{{ ssh_key_strings }}'
+ register: "s"
+ when: ssh_key_strings is defined
+
+- stat: path='{{ master_home_dir}}/{{ item.user }}/.ssh'
+ with_items:
+ - '{{ ssh_key_files }}'
+ register: "r"
+ when: ssh_key_files is defined
+
+#- debug: msg='{{ item.stat.exists }}'
+# with_flattened:
+# - '{{ r.results }}'
+
+- name: ssh_keys deploy keys from files
+ template:
+ src: "roles/ssh_keys/files/{{ item.item.file }}"
+ dest: '{{ master_home_dir }}/{{ item.item.user }}/.ssh/authorized_keys'
+ mode: 0600
+ owner: '{{ item.item.user }}'
+ with_items:
+ - '{{ r.results }}'
+ when:
+ - item.stat.exists is defined
+ - '{{ item.stat.exists }}'
+ - r is defined
+
+- name: ssh_keys deploy keys from strings
+ lineinfile:
+ line: '{{ item.item.string }}'
+ regexp: "{{ item.item.string | regex_replace('^(.{40}).*$','\\1') }}"
+ dest: '{{ master_home_dir }}/{{ item.item.user }}/.ssh/authorized_keys'
+ mode: 0600
+ owner: '{{ item.item.user }}'
+ create: yes
+ state: present
+ with_items:
+ - '{{ s.results }}'
+ when:
+ - item.stat.exists is defined
+ - '{{ item.stat.exists }}'
+ - s is defined
diff --git a/roles/ssh_keys/tasks/main.yml.2016-09-22.01 b/roles/ssh_keys/tasks/main.yml.2016-09-22.01
new file mode 100644
index 0000000..b9536c4
--- /dev/null
+++ b/roles/ssh_keys/tasks/main.yml.2016-09-22.01
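Review bot: The `regexp` in `ssh_keys deploy keys from strings` is the first 40 characters of the key string dropped into a regex unescaped; for `ssh-rsa` that prefix is the algorithm name, a constant 30-character header and only about nine characters of modulus, and for `ssh-ed25519` only about three characters of key material, so a prefix collision makes `lineinfile` replace someone else's existing key instead of appending (and a base64 `+` in the prefix is an unescaped quantifier). Replace both deploy tasks with the `authorized_key` module, which parses the key, de-duplicates on the full key material and creates `.ssh` with the right ownership and mode: `- name: ssh_keys deploy keys from strings` / `  authorized_key: user='{{ item.user }}' key='{{ item.string }}' state=present` / `  with_items: '{{ ssh_key_strings }}'`, with the file variant being the same task using `key="{{ lookup('file', item.file) }}"`. That also removes the `template` call on a key file, which currently runs Jinja over key comments, and the bare-Jinja `when:` entries. If the `stat` tasks exist to skip users that are not provisioned on a given host, keep that gate in front of the new tasks; otherwise they can go as well.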
@@ -0,0 +1,26 @@
+---
+- name: ssh_keys get vars
+ include_vars: default.yml
+
+- name: ssh_keys get OS vars
+ include_vars: '{{ item }}'
+ with_first_found:
+ - '{{ ansible_distribution }}.yml'
+ - default.yml
+
+- stat: path='{{ master_home_dir }}/{{ item | basename | regex_replace('\.pubkeys?$','') }}/.ssh'
+ register: files_stat
+ with_fileglob:
+ - '*.pubkey'
+ - '*.pubkeys'
+
+- debug: var='{{ item.stat.exists }}'
+ with_items: '{{ files_stat.results }}'
+
+- name: ssh_keys deploy keys
+ template: src='{{ item }}' dest='{{ master_home_dir }}/{{ item | basename | regex_replace('\.pubkeys?$','') }}/.ssh/authorized_keys' mode=0600 owner='{{ item | basename | regex_replace('\.pubkeys?$',"") }}'
+ with_fileglob:
+ - '*.pubkey'
+ - '*.pubkeys'
+ #when: item2.stat.exists
+ #with_items: '{{ files_stat.results }}'
diff --git a/roles/ssh_keys/tasks/main.yml.2016-09-22.02 b/roles/ssh_keys/tasks/main.yml.2016-09-22.02
new file mode 100644
index 0000000..17f6d66
--- /dev/null
+++ b/roles/ssh_keys/tasks/main.yml.2016-09-22.02
@@ -0,0 +1,28 @@
+---
+- name: ssh_keys get vars
+ include_vars: default.yml
+
+- name: ssh_keys get OS vars
+ include_vars: '{{ item }}'
+ with_first_found:
+ - '{{ ansible_distribution }}.yml'
+ - default.yml
+
+- shell: echo "{{ item | basename | regex_replace('\.pubkeys?$','') }}"
+ with_fileglob:
+ - '*.pubkey'
+ - '*.pubkeys'
+ register: users_to_check
+
+- debug: msg="{{ item.stdout_lines }}"
+ with_items:
+ - '{{ users_to_check.results }}'
+
+#- debug: var='{{ item.stdout_lines }}'
+# with_items:
+# - '{{ users_to_check.items }}'
+
+#- name: ssh_keys deploy keys
+# template: src='{{ item.stdout_lines }}.pubkey' dest='{{ master_home_dir }}/{{ item.stdout_lines }}/.ssh/authorized_keys' mode=0600 owner='{{ item.stdout_lines }}'
+# with_items:
+# - '{{ users_to_check.results }}'
diff --git a/roles/ssh_keys/tasks/main.yml.2016-09-22.03 b/roles/ssh_keys/tasks/main.yml.2016-09-22.03
new file mode 100644
index 0000000..3729179
--- /dev/null
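Review bot: `main.yml.2016-09-22.01` and its `.02`–`.05` siblings are editor backups of the task file committed next to the live `main.yml`; Ansible never loads them, but they preserve the earlier, weaker logic (the `.04` copy keys its `lineinfile` regexp on a 20-character prefix, `ssh-rsa AAAAB3NzaC1y`, that is identical for every `ssh-rsa` key) and will be copied forward by the next person who greps the role. Delete them and rely on git history. The `.02` copy also runs `shell: echo "{{ item | basename | ... }}"`, interpolating a controller-side filename into a remote shell command; if any of it is ever revived, use `set_fact` or `debug` rather than shelling out with templated text.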
+++ b/roles/ssh_keys/tasks/main.yml.2016-09-22.03
@@ -0,0 +1,40 @@
+---
+- name: ssh_keys get vars
+ include_vars: default.yml
+
+- name: ssh_keys get OS vars
+ include_vars: '{{ item }}'
+ with_first_found:
+ - '{{ ansible_distribution }}.yml'
+ - default.yml
+
+#- shell: echo "{{ item | basename | regex_replace('\.pubkeys?$','') }}"
+# with_fileglob:
+# - '*.pubkey'
+# - '*.pubkeys'
+# register: users_to_check
+
+#- debug: var=ssh_key_strings
+#- debug: var=ssh_key_files
+
+- stat: path='{{ master_home_dir}}/{{ item.user }}/.ssh'
+ with_items:
+ - '{{ ssh_key_files }}'
+ register: "r"
+
+#- debug: msg='{{ item.stat.exists }}'
+# with_flattened:
+# - '{{ r.results }}'
+
+- name: ssh_keys deploy keys from files
+ template:
+ src: "roles/ssh_keys/files/{{ item.item.file }}"
+ dest: '{{ master_home_dir}}/{{ item.item.user }}/.ssh/authorized_keys'
+ mode: 0600
+ owner: '{{ item.item.user }}'
+ with_items:
+ - '{{ r.results }}'
+ when:
+ - '{{ item.stat.exists }}'
+
+- name: ssh_keys deploy keys from
diff --git a/roles/ssh_keys/tasks/main.yml.2016-09-22.04 b/roles/ssh_keys/tasks/main.yml.2016-09-22.04
new file mode 100644
index 0000000..c9f33a9
--- /dev/null
+++ b/roles/ssh_keys/tasks/main.yml.2016-09-22.04
@@ -0,0 +1,61 @@
+---
+- name: ssh_keys get vars
+ include_vars: default.yml
+
+- name: ssh_keys get OS vars
+ include_vars: '{{ item }}'
+ with_first_found:
+ - '{{ ansible_distribution }}.yml'
+ - default.yml
+
+#- shell: echo "{{ item | basename | regex_replace('\.pubkeys?$','') }}"
+# with_fileglob:
+# - '*.pubkey'
+# - '*.pubkeys'
+# register: users_to_check
+
+#- debug: var=ssh_key_strings
+#- debug: var=ssh_key_files
+
+- stat: path='{{ master_home_dir}}/{{ item.user }}/.ssh'
+ with_items:
+ - '{{ ssh_key_strings }}'
+ register: "s"
+ when: ssh_key_strings is defined
+
+- stat: path='{{ master_home_dir}}/{{ item.user }}/.ssh'
+ with_items:
+ - '{{ ssh_key_files }}'
+ register: "r"
+ when: ssh_key_files is defined
+
+#- debug: msg='{{ item.stat.exists }}'
+# with_flattened:
+# - '{{ r.results }}'
+
+- name: ssh_keys deploy keys from files
+ template:
+ src: "roles/ssh_keys/files/{{ item.item.file }}"
+ dest: '{{ master_home_dir }}/{{ item.item.user }}/.ssh/authorized_keys'
+ mode: 0600
+ owner: '{{ item.item.user }}'
+ with_items:
+ - '{{ r.results }}'
+ when:
+ - '{{ item.stat.exists }}'
+ - r is defined
+
+- name: ssh_keys deploy keys from strings
+ lineinfile:
+ line: '{{ item.item.string }}'
+ regexp: "{{ item.item.string | regex_replace('^(.{20}).*$','\\1') }}"
+ dest: '{{ master_home_dir }}/{{ item.item.user }}/.ssh/authorized_keys'
+ mode: 0600
+ owner: '{{ item.item.user }}'
+ create: yes
+ state: present
+ with_items:
+ - '{{ s.results }}'
+ when:
+ - '{{ item.stat.exists }}'
+ - s is defined
diff --git a/roles/ssh_keys/tasks/main.yml.2016-09-22.05 b/roles/ssh_keys/tasks/main.yml.2016-09-22.05
new file mode 100644
index 0000000..6d82cd0
--- /dev/null
+++ b/roles/ssh_keys/tasks/main.yml.2016-09-22.05
@@ -0,0 +1,61 @@
+---
+- name: ssh_keys get vars
+ include_vars: default.yml
+
+- name: ssh_keys get OS vars
+ include_vars: '{{ item }}'
+ with_first_found:
+ - '{{ ansible_distribution }}.yml'
+ - default.yml
+
+#- shell: echo "{{ item | basename | regex_replace('\.pubkeys?$','') }}"
+# with_fileglob:
+# - '*.pubkey'
+# - '*.pubkeys'
+# register: users_to_check
+
+#- debug: var=ssh_key_strings
+#- debug: var=ssh_key_files
+
+- stat: path='{{ master_home_dir}}/{{ item.user }}/.ssh'
+ with_items:
+ - '{{ ssh_key_strings }}'
+ register: "s"
+ when: ssh_key_strings is defined
+
+- stat: path='{{ master_home_dir}}/{{ item.user }}/.ssh'
+ with_items:
+ - '{{ ssh_key_files }}'
+ register: "r"
+ when: ssh_key_files is defined
+
+#- debug: msg='{{ item.stat.exists }}'
+# with_flattened:
+# - '{{ r.results }}'
+
+- name: ssh_keys deploy keys from files
+ template:
+ src: "roles/ssh_keys/files/{{ item.item.file }}"
+ dest: '{{ master_home_dir }}/{{ item.item.user }}/.ssh/authorized_keys'
+ mode: 0600
+ owner: '{{ item.item.user }}'
+ with_items:
+ - '{{ r.results }}'
+ when:
+ - '{{ item.stat.exists }}'
+ - r is defined
+
+- name: ssh_keys deploy keys from strings
+ lineinfile:
+ line: '{{ item.item.string }}'
+ regexp: "{{ item.item.string | regex_replace('^(.{40}).*$','\\1') }}"
+ dest: '{{ master_home_dir }}/{{ item.item.user }}/.ssh/authorized_keys'
+ mode: 0600
+ owner: '{{ item.item.user }}'
+ create: yes
+ state: present
+ with_items:
+ - '{{ s.results }}'
+ when:
+ - '{{ item.stat.exists }}'
+ - s is defined
diff --git a/roles/ssh_keys/tests/test.yml b/roles/ssh_keys/tests/test.yml
new file mode 100644
index 0000000..3397909
--- /dev/null
+++ b/roles/ssh_keys/tests/test.yml
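Review bot: The strings path only ever adds (`state: present`), so a key removed from `ssh_key_strings` stays in authorized_keys indefinitely, whereas the files path replaces the whole file with the template; revocation therefore works for one input and not the other. If the variables are meant to describe the complete set of authorized keys, `authorized_key` with `exclusive: yes` (or an explicit `state: absent` pass for retired keys) enforces that; otherwise the task name should say that string keys are additive. Both deploy tasks are also skipped silently when `{{ master_home_dir }}/<user>/.ssh` does not exist, because `when` is gated on `item.stat.exists`; creating the directory first with `file: path=... state=directory mode=0700 owner={{ item.user }}`, or failing loudly, is safer than leaving a user without the intended keys and no error. `create: yes` is the YAML 1.1 truthy spelling; `create: true` is the canonical form.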
@@ -0,0 +1,13 @@
+---
+- name: Test ssh_keys
+ hosts: test
+ remote_user: root
+ roles:
+ - ssh_keys
+ vars:
+# ssh_key_strings:
+# - { user: 'jdoe', string: 'a public key here' }
+# - { user: 'alice', string: 'public key here' }
+# ssh_key_files:
+# - { user: 'jdoe', file: '../../../company/pubkeys/jdoe.pubkeys' }
+# - { user: 'alice', file: '../../../company/pubkeys/alice.pubkey' }
diff --git a/roles/ssh_keys/vars/AIX.yml b/roles/ssh_keys/vars/AIX.yml
new file mode 100644
index 0000000..22f4611
--- /dev/null
+++ b/roles/ssh_keys/vars/AIX.yml
@@ -0,0 +1,2 @@
+---
+master_home_dir: /home/users
diff --git a/roles/ssh_keys/vars/default.yml b/roles/ssh_keys/vars/default.yml
new file mode 100644
index 0000000..f9662af
--- /dev/null
+++ b/roles/ssh_keys/vars/default.yml
@@ -0,0 +1,2 @@
+---
+master_home_dir: /home |
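Review bot: `vars:` in the test play has every child commented out, so it parses as `vars: null` rather than an empty mapping; Ansible appears to tolerate a null play `vars`, but `vars: {}` (or dropping the key until the examples are enabled) states the intent and satisfies yamllint's empty-values check. The commented examples reference `../../../company/pubkeys/...` paths, which is useful as documentation but worth a one-line comment noting that `ssh_key_files[].file` is joined onto `roles/ssh_keys/files/` by the template task's `src:`, since a reader of this test file cannot see that from here.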
