-rw-r--r--company.example/ad-vars/FreeBSD.yml4
-rw-r--r--company.example/pubkeys/lcroce.pubkey1
-rw-r--r--company/ad-templates/krb5.conf.CentOS (renamed from company.example/ad-templates/krb5.conf.CentOS)0
-rw-r--r--company/ad-templates/krb5.conf.FreeBSD (renamed from company.example/ad-templates/krb5.conf.FreeBSD)0
-rw-r--r--company/ad-templates/krb5.conf.Ubuntu (renamed from company.example/ad-templates/krb5.conf.Ubuntu)0
-rw-r--r--company/ad-templates/sssd.conf.CentOS (renamed from company.example/ad-templates/sssd.conf.CentOS)6
-rw-r--r--company/ad-templates/sssd.conf.FreeBSD (renamed from company.example/ad-templates/sssd.conf.FreeBSD)6
-rw-r--r--company/ad-templates/sssd.conf.Ubuntu (renamed from company.example/ad-templates/sssd.conf.Ubuntu)6
-rw-r--r--company/ad-vars/FreeBSD.yml4
-rw-r--r--company/ad-vars/default.yml (renamed from company.example/ad-vars/default.yml)0
-rw-r--r--company/fail2ban-files/filter.d/20_bju-blns.filter (renamed from company.example/fail2ban-files/filter.d/20_example-blns.filter)0
-rw-r--r--company/fail2ban-files/filter.d/30_bju-max3.filter (renamed from company.example/fail2ban-files/filter.d/30_example-max3.filter)0
-rw-r--r--company/fail2ban-files/filter.d/60_sshd.filter (renamed from company.example/fail2ban-files/filter.d/60_sshd.filter)0
-rw-r--r--company/fail2ban-files/jail.d/00_default.jail (renamed from company.example/fail2ban-files/jail.d/00_default.jail)0
-rw-r--r--company/fail2ban-files/jail.d/20_bju-blns.jail (renamed from company.example/fail2ban-files/jail.d/20_example-blns.jail)0
-rw-r--r--company/fail2ban-files/jail.d/30_bju-max3.jail (renamed from company.example/fail2ban-files/jail.d/30_example-max3.jail)0
-rw-r--r--company/fail2ban-files/jail.d/60_sshd.jail (renamed from company.example/fail2ban-files/jail.d/60_sshd.jail)0
-rw-r--r--company/pubkeys/bgirton.pubkeys (renamed from company.example/pubkeys/alice.pubkeys)2
-rw-r--r--company/pubkeys/lcroce.pubkey1
-rw-r--r--company/resolv_conf-templates/resolv.conf (renamed from company.example/resolv_conf-templates/resolv.conf)0
-rw-r--r--hosts (renamed from hosts.example)0
-rwxr-xr-xinc/scrub.py109
-rw-r--r--inc/scrub.txt23
-rw-r--r--master.yml (renamed from master.yml.example)2
-rw-r--r--roles/ad/hosts/default.yml4
-rw-r--r--test.yml12
26 files changed, 164 insertions, 16 deletions
diff --git a/company.example/ad-vars/FreeBSD.yml b/company.example/ad-vars/FreeBSD.yml
deleted file mode 100644
index 7ff821f..0000000
--- a/company.example/ad-vars/FreeBSD.yml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-sssd_dir: /usr/local/etc/sssd
-ad_access_filter: (&(memberOf=CN=Linux-Server-Access_grp,OU=Linux-Access,OU=Accounts-Groups,DC=example,DC=edu)(unixHomeDirectory=*))
-simple_allow_users: Alice, alice, alice-local
diff --git a/company.example/pubkeys/lcroce.pubkey b/company.example/pubkeys/lcroce.pubkey
deleted file mode 100644
index fc39667..0000000
--- a/company.example/pubkeys/lcroce.pubkey
+++ /dev/null
@@ -1 +0,0 @@
-FOO 2016-09-22 08:49 this is the contents of bob.pubkey
diff --git a/company.example/ad-templates/krb5.conf.CentOS b/company/ad-templates/krb5.conf.CentOS
index 74570ae..74570ae 100644
--- a/company.example/ad-templates/krb5.conf.CentOS
+++ b/company/ad-templates/krb5.conf.CentOS
diff --git a/company.example/ad-templates/krb5.conf.FreeBSD b/company/ad-templates/krb5.conf.FreeBSD
index e6b8a3a..e6b8a3a 100644
--- a/company.example/ad-templates/krb5.conf.FreeBSD
+++ b/company/ad-templates/krb5.conf.FreeBSD
diff --git a/company.example/ad-templates/krb5.conf.Ubuntu b/company/ad-templates/krb5.conf.Ubuntu
index 6a4c23b..6a4c23b 100644
--- a/company.example/ad-templates/krb5.conf.Ubuntu
+++ b/company/ad-templates/krb5.conf.Ubuntu
diff --git a/company.example/ad-templates/sssd.conf.CentOS b/company/ad-templates/sssd.conf.CentOS
index 8678bd2..dafb287 100644
--- a/company.example/ad-templates/sssd.conf.CentOS
+++ b/company/ad-templates/sssd.conf.CentOS
@@ -8,7 +8,7 @@
autofs_provider = ldap
cache_credentials = True
krb5_realm = EXAMPLE.COM
-ldap_search_base = dc=example,dc=edu
+ldap_search_base = dc=example,dc=com
krb5_server = dc1.example.com,dc2.example.com,dc3.example.com,dc4.example.com
id_provider = ldap
auth_provider = krb5
@@ -35,8 +35,8 @@ ldap_id_mapping = False
use_fully_qualified_names = False
fallback_homedir = /home/%d/%u
access_provider = ad
-ad_access_filter = (&(memberOf=CN=Linux-Server-Access_grp,OU=Linux-Access,OU=Accounts-Groups,DC=example,DC=edu)(unixHomeDirectory=*))
-simple_allow_users = Alice, alice, Bob, bob
+ad_access_filter = (&(memberOf=CN=Linux-Server-Access_grp,OU=Linux-Access,OU=Accounts-Groups,DC=example,DC=com)(unixHomeDirectory=*))
+simple_allow_users = bgstack15, bgstack15, user16, user16
case_sensitive = true
ad_gpo_access_control = disabled
[autofs]
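Review bot: `simple_allow_users = bgstack15, bgstack15, user16, user16` is dead configuration in this file: simple_allow_users is read only by the simple access provider, and the context line sets `access_provider = ad`, so with `ad_gpo_access_control = disabled` the only host-access rule actually enforced is `ad_access_filter`. Either drop the line or, if a per-host allow-list is wanted on top of the group filter, express it in the filter or switch the access provider; as written it gives a false impression of a second control. The duplicated names (presumably two distinct accounts mapped to one replacement by the scrub) recur in the matching hunks of sssd.conf.FreeBSD and sssd.conf.Ubuntu and in the new company/ad-vars/FreeBSD.yml (`simple_allow_users: bgstack15, bgstack15, bgstack15-local`), and should be de-duplicated there too.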
diff --git a/company.example/ad-templates/sssd.conf.FreeBSD b/company/ad-templates/sssd.conf.FreeBSD
index 4b6a816..9add0ed 100644
--- a/company.example/ad-templates/sssd.conf.FreeBSD
+++ b/company/ad-templates/sssd.conf.FreeBSD
@@ -8,7 +8,7 @@
autofs_provider = ldap
cache_credentials = True
krb5_realm = EXAMPLE.COM
-ldap_search_base = dc=example,dc=edu
+ldap_search_base = dc=example,dc=com
krb5_server = dc1.example.com,dc2.example.com,dc3.example.com,dc4.example.com
id_provider = ldap
auth_provider = krb5
@@ -35,7 +35,7 @@ ldap_id_mapping = False
use_fully_qualified_names = False
fallback_homedir = /home/%d/%u
access_provider = ad
-ad_access_filter = (&(memberOf=CN=Linux-Server-Access_grp,OU=Linux-Access,OU=Accounts-Groups,DC=example,DC=edu)(unixHomeDirectory=*))
-simple_allow_users = Alice, alice, Bob, bob
+ad_access_filter = (&(memberOf=CN=Linux-Server-Access_grp,OU=Linux-Access,OU=Accounts-Groups,DC=example,DC=com)(unixHomeDirectory=*))
+simple_allow_users = bgstack15, bgstack15, user16, user16
case_sensitive = true
ad_gpo_access_control = disabled
diff --git a/company.example/ad-templates/sssd.conf.Ubuntu b/company/ad-templates/sssd.conf.Ubuntu
index a37f7b5..7b7dae3 100644
--- a/company.example/ad-templates/sssd.conf.Ubuntu
+++ b/company/ad-templates/sssd.conf.Ubuntu
@@ -8,7 +8,7 @@
autofs_provider = ldap
cache_credentials = True
krb5_realm = EXAMPLE.COM
-ldap_search_base = dc=example,dc=edu
+ldap_search_base = dc=example,dc=com
krb5_server = dc1.example.com,dc2.example.com,dc3.example.com,dc4.example.com
id_provider = ldap
auth_provider = krb5
@@ -35,8 +35,8 @@ ldap_id_mapping = False
use_fully_qualified_names = False
fallback_homedir = /home/%d/%u
access_provider = ad
-ad_access_filter = (&(memberOf=CN=Linux-Server-Access_grp,OU=Linux-Access,OU=Accounts-Groups,DC=example,DC=edu)(unixHomeDirectory=*))
-simple_allow_users = Alice, alice, Bob, bob
+ad_access_filter = (&(memberOf=CN=Linux-Server-Access_grp,OU=Linux-Access,OU=Accounts-Groups,DC=example,DC=com)(unixHomeDirectory=*))
+simple_allow_users = bgstack15, bgstack15, user16, user16
case_sensitive = true
ad_gpo_access_control = disabled
[autofs]
diff --git a/company/ad-vars/FreeBSD.yml b/company/ad-vars/FreeBSD.yml
new file mode 100644
index 0000000..77e2a9c
--- /dev/null
+++ b/company/ad-vars/FreeBSD.yml
@@ -0,0 +1,4 @@
+---
+sssd_dir: /usr/local/etc/sssd
+ad_access_filter: (&(memberOf=CN=Linux-Server-Access_grp,OU=Linux-Access,OU=Accounts-Groups,DC=example,DC=com)(unixHomeDirectory=*))
+simple_allow_users: bgstack15, bgstack15, bgstack15-local
diff --git a/company.example/ad-vars/default.yml b/company/ad-vars/default.yml
index cb65db8..cb65db8 100644
--- a/company.example/ad-vars/default.yml
+++ b/company/ad-vars/default.yml
diff --git a/company.example/fail2ban-files/filter.d/20_example-blns.filter b/company/fail2ban-files/filter.d/20_bju-blns.filter
index c39cefa..c39cefa 100644
--- a/company.example/fail2ban-files/filter.d/20_example-blns.filter
+++ b/company/fail2ban-files/filter.d/20_bju-blns.filter
diff --git a/company.example/fail2ban-files/filter.d/30_example-max3.filter b/company/fail2ban-files/filter.d/30_bju-max3.filter
index af692af..af692af 100644
--- a/company.example/fail2ban-files/filter.d/30_example-max3.filter
+++ b/company/fail2ban-files/filter.d/30_bju-max3.filter
diff --git a/company.example/fail2ban-files/filter.d/60_sshd.filter b/company/fail2ban-files/filter.d/60_sshd.filter
index 33b8ba8..33b8ba8 100644
--- a/company.example/fail2ban-files/filter.d/60_sshd.filter
+++ b/company/fail2ban-files/filter.d/60_sshd.filter
diff --git a/company.example/fail2ban-files/jail.d/00_default.jail b/company/fail2ban-files/jail.d/00_default.jail
index 71cd3e8..71cd3e8 100644
--- a/company.example/fail2ban-files/jail.d/00_default.jail
+++ b/company/fail2ban-files/jail.d/00_default.jail
diff --git a/company.example/fail2ban-files/jail.d/20_example-blns.jail b/company/fail2ban-files/jail.d/20_bju-blns.jail
index eb1d1c9..eb1d1c9 100644
--- a/company.example/fail2ban-files/jail.d/20_example-blns.jail
+++ b/company/fail2ban-files/jail.d/20_bju-blns.jail
diff --git a/company.example/fail2ban-files/jail.d/30_example-max3.jail b/company/fail2ban-files/jail.d/30_bju-max3.jail
index 6ca7781..6ca7781 100644
--- a/company.example/fail2ban-files/jail.d/30_example-max3.jail
+++ b/company/fail2ban-files/jail.d/30_bju-max3.jail
diff --git a/company.example/fail2ban-files/jail.d/60_sshd.jail b/company/fail2ban-files/jail.d/60_sshd.jail
index aeb2751..aeb2751 100644
--- a/company.example/fail2ban-files/jail.d/60_sshd.jail
+++ b/company/fail2ban-files/jail.d/60_sshd.jail
diff --git a/company.example/pubkeys/alice.pubkeys b/company/pubkeys/bgirton.pubkeys
index 6d807a6..85abeb0 100644
--- a/company.example/pubkeys/alice.pubkeys
+++ b/company/pubkeys/bgirton.pubkeys
@@ -1,3 +1,3 @@
# version 3.0
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDG8xc7BV1xCcKrzQvQwDhAAX6uDne5lSpgCURg4Vx8Au8fsaiFSVlCky+OOQAJipgucG0QBPiL60sNNsY03sKIAh7TMKsoUZuQ5sJM6EpyKGEYaOKFXjaShDFMtdvwGIANh/e86qpVGRkje+p8fvNxbHOXsQpYF+HpAv8u/HbaQQYtdkWaeR6nIO8LXWOapgO7t5pMdRQJa67+4Yyc7IQQM66WMXX5Ik3nGMMHog2PgrpTtaEdKOV2TzSynLBlp3UmOkLa4D0euvMsTwjTmqeORfCMVyVeYwHhZoz4V99L1aYCeI1jDwhD5GEf/DKOhMNVsw7OhqTSfVz3sYGbq0or alice@aluminum.example.com
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDG8xc7BV1xCcKrzQvQwDhAAX6uDne5lSpgCURg4Vx8Au8fsaiFSVlCky+OOQAJipgucG0QBPiL60sNNsY03sKIAh7TMKsoUZuQ5sJM6EpyKGEYaOKFXjaShDFMtdvwGIANh/e86qpVGRkje+p8fvNxbHOXsQpYF+HpAv8u/HbaQQYtdkWaeR6nIO8LXWOapgO7t5pMdRQJa67+4Yyc7IQQM66WMXX5Ik3nGMMHog2PgrpTtaEdKOV2TzSynLBlp3UmOkLa4D0euvMsTwjTmqeORfCMVyVeYwHhZoz4V99L1aYCeI1jDwhD5GEf/DKOhMNVsw7OhqTSfVz3sYGbq0or bgstack15@aluminum.example.com
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAgURLzjIKMmN0Aq8YZTQp1N/6GMEuEs8WeOx2eg/lEXEFTxIQMMKYXxPDgzp2QLCQuuzgKOXBKw7KtnxtqTkmlAUWMDExSd7U1q/vZnDIubUFzZKbORJHWUOrI4Os/r9GPmnFro8kMCYjvmkUWIO82+JQHFBunICJcGKPJutcbSU= rsa-key-20130722
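Review bot: Only the comment field of the first key changes (`alice@aluminum.example.com` → `bgstack15@aluminum.example.com`), so the key material this renamed company file authorizes is byte-identical to the former example file; confirm that this is the intended production key and not a placeholder inherited from the template. The unchanged second entry decodes (`AAAAB3NzaC1yc2EAAAABJQAAAIEA…`: 1-byte exponent 37, 129-byte modulus) to a 1024-bit RSA key, which is well below current guidance for SSH keys; its `rsa-key-20130722` comment suggests a 2013 PuTTYgen key that should be rotated to an ed25519 or ≥3072-bit RSA key before this file is deployed via the ssh_keys role.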
diff --git a/company/pubkeys/lcroce.pubkey b/company/pubkeys/lcroce.pubkey
new file mode 100644
index 0000000..8ed442d
--- /dev/null
+++ b/company/pubkeys/lcroce.pubkey
@@ -0,0 +1 @@
+FOO 2016-09-22 08:49 this is the contents of user16.pubkey
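Review bot: The file is named `lcroce.pubkey` but its only line says it is `the contents of user16.pubkey`, and it is not an SSH public key at all (`FOO 2016-09-22 08:49 …`), so anything that concatenates it into an authorized_keys file gets a junk line. This is the filename-versus-content mismatch that scrub.py's own "Improve: Also change filenames" note describes; either scrub the filename as well, replace the placeholder with the real key, or delete the file if the account is gone.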
diff --git a/company.example/resolv_conf-templates/resolv.conf b/company/resolv_conf-templates/resolv.conf
index 7a647b0..7a647b0 100644
--- a/company.example/resolv_conf-templates/resolv.conf
+++ b/company/resolv_conf-templates/resolv.conf
diff --git a/hosts.example b/hosts
index d48fb17..d48fb17 100644
--- a/hosts.example
+++ b/hosts
diff --git a/inc/scrub.py b/inc/scrub.py
new file mode 100755
index 0000000..a0e9c70
--- /dev/null
+++ b/inc/scrub.py
@@ -0,0 +1,109 @@
+#!/bin/env python3
+# Filename: scrub.py
+# Location: Various
+# Author: bgstack15@gmail.com
+# Startdate: 2016-09-28
+# Title: Script that Simultaneously Copies and Scrubs a Directory
+# Purpose: Prepare projects for publication by removing private information like usernames and hostnames
+# Package: Various
+# History:
+# Usage:
+# Store this file with any package that gets published. Adjust scrub.txt in local directory.
+# # First line: source directory Second line: target directory. WILL BE OVERWRITTEN!
+# /etc/ansible
+# /home/bjones/ansible.clean
+# # Rest of the lines are "OLD WORD" "NEW WORD"
+# bjones bgstack15
+# rsmith rmstack15
+# Reference:
+# http://stackoverflow.com/questions/79968/split-a-string-by-spaces-preserving-quoted-substrings-in-python/524796#524796
+# http://stackoverflow.com/questions/6706953/python-using-subprocess-to-call-sed#6707003
+# http://stackoverflow.com/questions/6584871/remove-last-character-if-its-a-backslash/6584893#6584893
+# http://stackoverflow.com/questions/2212643/python-recursive-folder-read/2212728#2212728
+# parallel lists: http://stackoverflow.com/questions/1663807/how-can-i-iterate-through-two-lists-in-parallel-in-python
+# Improve:
+# Add option to specify scrub file
+# Add exclude option to scrub file, such as .git and so on
+# Accept CLI options like source, destination, even exclusions?
+# Also change filenames
+import re, shlex, os, sys, shutil
+from pathlib import Path
+
+# scrubpy version
+scrubpyversion = "2016-09-29b"
+
+# Define functions
+
+def removeComments(string):
+ #string = re.sub(re.compile("/\*.*?\*/",re.DOTALL ) ,"", string)
+ #string = re.sub(re.compile("//.*?\n" ) ,"" ,string)
+ pattern = r"(\".*?\"|\'.*?\')|(/\*.*?\*/|(//|#)[^\r\n]*$)"
+ regex = re.compile(pattern, re.MULTILINE|re.DOTALL)
+ def _replacer(match):
+ if match.group(2) is not None:
+ return ""
+ else:
+ return match.group(1)
+ return regex.sub(_replacer, string)
+
+# Main code
+stringfile = open('scrub.txt','r')
+count=0
+thisdir=""
+newdir=""
+oldstrings=[]
+newstrings=[]
+
+while True:
+ x = stringfile.readline().rstrip()
+ count += 1
+ if not x: break
+ x = removeComments(x)
+ #print("x=" + x)
+ y = shlex.split (x)
+ if len(y) >= 1:
+ if thisdir == "":
+ thisdir = y[0]
+ elif newdir == "":
+ newdir = y[0]
+ if len(y) >= 2:
+ #print("y[0]=" + y[0] + "\t and y[1]=" + y[1])
+ oldstrings.append(y[0])
+ newstrings.append(y[1])
+
+# After the file is done
+stringfile.close()
+#newdir = thisdir.rstrip('\/') + ".scrubbed/"
+
+if False:
+ print("\nthisdir=" + thisdir)
+ print("newdir=" + newdir + '\n')
+ print("oldstrings are:")
+ print(oldstrings)
+ print("newstrings are:")
+ print(newstrings)
+
+# Clean scrubbed directory
+try:
+ shutil.rmtree(newdir)
+except:
+ foo=1
+
+shutil.copytree(thisdir,newdir,symlinks=True)
+
+# Execute substitutions
+for rootfolder, subdirs, files in os.walk(thisdir):
+ for filename in files:
+ sourcepath = os.path.join(rootfolder, filename)
+ with open( sourcepath, "r" ) as source:
+ if not ".swp" in source.name and not ".git" in source.name:
+ destdir = rootfolder.replace(thisdir.rstrip('\/'),newdir.rstrip('\/'))
+ destfile = os.path.join(destdir, filename)
+ #print("sourcefile=" + source.name)
+ #print("destfile=" + destfile + '\n')
+ with open( destfile, "w") as target:
+ data = source.read()
+ for oldword, newword in zip(oldstrings, newstrings):
+ data = data.replace(oldword,newword)
+ changed = data
+ target.write(changed)
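Review bot: The copy at `shutil.copytree(thisdir,newdir,symlinks=True)` carries the whole source tree into the "clean" directory, including any `.git` directory and editor `.swp` files, and the substitution loop then skips exactly those paths via `if not ".swp" in source.name and not ".git" in source.name`, so the published tree keeps the unscrubbed repository history and swap files verbatim. Exclude them at copy time, `shutil.copytree(thisdir, newdir, symlinks=True, ignore=shutil.ignore_patterns('.git', '*.swp'))`, and test the path before `open( sourcepath, "r" )` rather than after it, since every file (binary ones included) is currently opened in text mode first and a non-UTF-8 file will raise UnicodeDecodeError at `data = source.read()`; note also that the substring test silently skips `.gitignore` and similar names, which then stay unscrubbed. The `except: foo=1` around `shutil.rmtree(newdir)` hides the case where `newdir` is empty or equal to `thisdir` (a short or malformed scrub.txt, since the reader stops at the first blank line), so a guard such as `if not newdir or os.path.abspath(newdir) == os.path.abspath(thisdir): sys.exit("refusing to scrub into " + repr(newdir))` belongs before the rmtree, and the bare except should be narrowed to `except FileNotFoundError: pass`.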
diff --git a/inc/scrub.txt b/inc/scrub.txt
new file mode 100644
index 0000000..13922bb
--- /dev/null
+++ b/inc/scrub.txt
@@ -0,0 +1,23 @@
+# First line: source directory Second line: target directory. WILL BE OVERWRITTEN!
+/etc/ansible
+/home/bgstack15/ansible.clean
+# Rest of the lines are "OLD WORD" "NEW WORD"
+bgstack15 bgstack15
+bgstack15 bgstack15
+bgstack15 bgstack15
+user16 user16
+user16 user16
+user16 user16
+example example
+EXAMPLE EXAMPLE
+".com" ".com"
+"dc=com" "dc=com"
+"DC=com" "DC=com"
+".COM" ".COM"
+"203.0." "203.0."
+one one
+two two
+three three
+four four
+five five
+six six
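Review bot: Every substitution pair in this file is an identity mapping (`bgstack15 bgstack15`, `".com" ".com"`, `one one`, …), so as committed scrub.py would copy the tree without changing anything; the scrubber evidently rewrote its own word list. If the intent is to ship a template, keep only the comment header and obviously placeholder pairs (e.g. `privatename publicname`) and keep the real list out of the repository, since the un-scrubbed version of this file is precisely the map from private to public identifiers that the scrub exists to hide.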
diff --git a/master.yml.example b/master.yml
index 1ed4fda..064767e 100644
--- a/master.yml.example
+++ b/master.yml
@@ -9,7 +9,7 @@
- ssh_keys
vars:
ssh_key_files:
- - { user: 'alice', file: '../../../company/pubkeys/alice.pubkeys' }
+ - { user: 'bgstack15', file: '../../../company/pubkeys/bgstack15.pubkeys' }
- name: Webservers
hosts: webservers
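Review bot: The new key file path `'../../../company/pubkeys/bgstack15.pubkeys'` does not match any file in this commit: the diffstat renames `company.example/pubkeys/alice.pubkeys` to `company/pubkeys/bgirton.pubkeys`, so the ssh_keys role would be pointed at a missing file. Presumably the scrub rewrote the string inside master.yml while the file itself was renamed by hand; either rename the file to `bgstack15.pubkeys` or change the entry to `file: '../../../company/pubkeys/bgirton.pubkeys'`. The enclosing play starts outside the hunk.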
diff --git a/roles/ad/hosts/default.yml b/roles/ad/hosts/default.yml
new file mode 100644
index 0000000..d7bc1a7
--- /dev/null
+++ b/roles/ad/hosts/default.yml
@@ -0,0 +1,4 @@
+# This file exists to ensure the directory is generated if ever packed in a tarball or something.
+# This directory, hosts/, may be used for specific hosts to get specific variables
+---
+ad_access_filter: SHOULD NEVER SEE THIS
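Review bot: `ad_access_filter: SHOULD NEVER SEE THIS` is a live variable, not a comment: if this hosts/ directory is ever loaded (for example by an include_vars over the directory) it replaces the real LDAP filter with a string that is not a valid filter, and what sssd then does with an unparsable `ad_access_filter` should be verified rather than assumed. Since the file exists only to keep the directory present in a tarball, a comment-only file or an empty mapping (`---` followed by `{}`) achieves that without defining anything.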
diff --git a/test.yml b/test.yml
new file mode 100644
index 0000000..f4608f9
--- /dev/null
+++ b/test.yml
@@ -0,0 +1,12 @@
+---
+- name: Test playbook for sudo
+ hosts: test
+ remote_user: root
+ roles:
+ - sudo
+ vars:
+ sudo_strings
+ - { priority: 40, name: 'admins-do-all', content: 'User_Alias ADMINS = bgstack15, bgstack15, user16, user16' }
+ - { priority: 41, name: 'a', content: 'ADMINS ALL=(ALL) ALL' }
+ sudo_files
+ - { file: '../../../company/sudo-files/40_bgstack15' }
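Review bot: `sudo_strings` and `sudo_files` under `vars:` are missing their trailing colons, so the list items that follow are not attached to any key and the playbook will not parse as intended (PyYAML either rejects the `-` entries or folds them into a plain scalar, depending on indentation, which this rendering does not preserve); write `sudo_strings:` and `sudo_files:`. The `User_Alias ADMINS` content also repeats `bgstack15` and `user16`, which looks like a scrub artifact from two distinct names mapping to one replacement. `company/sudo-files/40_bgstack15` is not among the files in this commit, so confirm it exists in the company/ tree before running this against `remote_user: root`.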