diff options
59 files changed, 1840 insertions, 0 deletions
@@ -0,0 +1,24 @@ +This is free and unencumbered software released into the public domain. + +Anyone is free to copy, modify, publish, use, compile, sell, or +distribute this software, either in source code form or as a compiled +binary, for any purpose, commercial or non-commercial, and by any +means. + +In jurisdictions that recognize copyright laws, the author or authors +of this software dedicate any and all copyright interest in the +software to the public domain. We make this dedication for the benefit +of the public at large and to the detriment of our heirs and +successors. We intend this dedication to be an overt act of +relinquishment in perpetuity of all present and future rights to this +software under copyright law. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. +IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR +OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, +ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR +OTHER DEALINGS IN THE SOFTWARE. + +For more information, please refer to <http://unlicense.org> diff --git a/ansible.cfg b/ansible.cfg new file mode 100644 index 0000000..22e5582 --- /dev/null +++ b/ansible.cfg @@ -0,0 +1,346 @@ +# config file for ansible -- http://ansible.com/ +# ============================================== + +# nearly all parameters can be overridden in ansible-playbook +# or with command line flags. ansible will read ANSIBLE_CONFIG, +# ansible.cfg in the current working directory, .ansible.cfg in +# the home directory or /etc/ansible/ansible.cfg, whichever it +# finds first + +[defaults] + +# some basic default values... + +#inventory = /etc/ansible/hosts +#library = /usr/share/my_modules/ +#remote_tmp = $HOME/.ansible/tmp +#local_tmp = $HOME/.ansible/tmp +#forks = 5 +#poll_interval = 15 +#sudo_user = root +#ask_sudo_pass = True +#ask_pass = True +#transport = smart +#remote_port = 22 +#module_lang = C +#module_set_locale = True + +# plays will gather facts by default, which contain information about +# the remote system. +# +# smart - gather by default, but don't regather if already gathered +# implicit - gather by default, turn off with gather_facts: False +# explicit - do not gather by default, must say gather_facts: True +#gathering = implicit + +# by default retrieve all facts subsets +# all - gather all subsets +# network - gather min and network facts +# hardware - gather hardware facts (longest facts to retrieve) +# virtual - gather min and virtual facts +# facter - import facts from facter +# ohai - import facts from ohai +# You can combine them using comma (ex: network,virtual) +# You can negate them using ! (ex: !hardware,!facter,!ohai) +# A minimal set of facts is always gathered. +#gather_subset = all + +# additional paths to search for roles in, colon separated +#roles_path = /etc/ansible/roles + +# uncomment this to disable SSH key host checking +#host_key_checking = False + +# change the default callback +#stdout_callback = skippy +# enable additional callbacks +#callback_whitelist = timer, mail + +# Determine whether includes in tasks and handlers are "static" by +# default. As of 2.0, includes are dynamic by default. Setting these +# values to True will make includes behave more like they did in the +# 1.x versions. +#task_includes_static = True +#handler_includes_static = True + +# change this for alternative sudo implementations +#sudo_exe = sudo + +# What flags to pass to sudo +# WARNING: leaving out the defaults might create unexpected behaviours +#sudo_flags = -H -S -n + +# SSH timeout +#timeout = 10 + +# default user to use for playbooks if user is not specified +# (/usr/bin/ansible will use current user as default) +#remote_user = root + +# logging is off by default unless this path is defined +# if so defined, consider logrotate +#log_path = /var/log/ansible.log + +# default module name for /usr/bin/ansible +#module_name = command + +# use this shell for commands executed under sudo +# you may need to change this to bin/bash in rare instances +# if sudo is constrained +#executable = /bin/sh + +# if inventory variables overlap, does the higher precedence one win +# or are hash values merged together? The default is 'replace' but +# this can also be set to 'merge'. +#hash_behaviour = replace + +# by default, variables from roles will be visible in the global variable +# scope. To prevent this, the following option can be enabled, and only +# tasks and handlers within the role will see the variables there +#private_role_vars = yes + +# list any Jinja2 extensions to enable here: +#jinja2_extensions = jinja2.ext.do,jinja2.ext.i18n + +# if set, always use this private key file for authentication, same as +# if passing --private-key to ansible or ansible-playbook +#private_key_file = /path/to/file + +# If set, configures the path to the Vault password file as an alternative to +# specifying --vault-password-file on the command line. +#vault_password_file = /path/to/vault_password_file + +# format of string {{ ansible_managed }} available within Jinja2 +# templates indicates to users editing templates files will be replaced. +# replacing {file}, {host} and {uid} and strftime codes with proper values. +#ansible_managed = Ansible managed: {file} modified on %Y-%m-%d %H:%M:%S by {uid} on {host} +# This short version is better used in templates as it won't flag the file as changed every run. +#ansible_managed = Ansible managed: {file} on {host} + +# by default, ansible-playbook will display "Skipping [host]" if it determines a task +# should not be run on a host. Set this to "False" if you don't want to see these "Skipping" +# messages. NOTE: the task header will still be shown regardless of whether or not the +# task is skipped. +#display_skipped_hosts = True + +# by default, if a task in a playbook does not include a name: field then +# ansible-playbook will construct a header that includes the task's action but +# not the task's args. This is a security feature because ansible cannot know +# if the *module* considers an argument to be no_log at the time that the +# header is printed. If your environment doesn't have a problem securing +# stdout from ansible-playbook (or you have manually specified no_log in your +# playbook on all of the tasks where you have secret information) then you can +# safely set this to True to get more informative messages. +#display_args_to_stdout = False + +# by default (as of 1.3), Ansible will raise errors when attempting to dereference +# Jinja2 variables that are not set in templates or action lines. Uncomment this line +# to revert the behavior to pre-1.3. +#error_on_undefined_vars = False + +# by default (as of 1.6), Ansible may display warnings based on the configuration of the +# system running ansible itself. This may include warnings about 3rd party packages or +# other conditions that should be resolved if possible. +# to disable these warnings, set the following value to False: +#system_warnings = True + +# by default (as of 1.4), Ansible may display deprecation warnings for language +# features that should no longer be used and will be removed in future versions. +# to disable these warnings, set the following value to False: +#deprecation_warnings = True + +# (as of 1.8), Ansible can optionally warn when usage of the shell and +# command module appear to be simplified by using a default Ansible module +# instead. These warnings can be silenced by adjusting the following +# setting or adding warn=yes or warn=no to the end of the command line +# parameter string. This will for example suggest using the git module +# instead of shelling out to the git command. +# command_warnings = False + + +# set plugin path directories here, separate with colons +#action_plugins = /usr/share/ansible/plugins/action +#callback_plugins = /usr/share/ansible/plugins/callback +#connection_plugins = /usr/share/ansible/plugins/connection +#lookup_plugins = /usr/share/ansible/plugins/lookup +#vars_plugins = /usr/share/ansible/plugins/vars +#filter_plugins = /usr/share/ansible/plugins/filter +#test_plugins = /usr/share/ansible/plugins/test +#strategy_plugins = /usr/share/ansible/plugins/strategy + +# by default callbacks are not loaded for /bin/ansible, enable this if you +# want, for example, a notification or logging callback to also apply to +# /bin/ansible runs +#bin_ansible_callbacks = False + + +# don't like cows? that's unfortunate. +# set to 1 if you don't want cowsay support or export ANSIBLE_NOCOWS=1 +#nocows = 1 + +# set which cowsay stencil you'd like to use by default. When set to 'random', +# a random stencil will be selected for each task. The selection will be filtered +# against the `cow_whitelist` option below. +#cow_selection = default +#cow_selection = random + +# when using the 'random' option for cowsay, stencils will be restricted to this list. +# it should be formatted as a comma-separated list with no spaces between names. +# NOTE: line continuations here are for formatting purposes only, as the INI parser +# in python does not support them. +#cow_whitelist=bud-frogs,bunny,cheese,daemon,default,dragon,elephant-in-snake,elephant,eyes,\ +# hellokitty,kitty,luke-koala,meow,milk,moofasa,moose,ren,sheep,small,stegosaurus,\ +# stimpy,supermilker,three-eyes,turkey,turtle,tux,udder,vader-koala,vader,www + +# don't like colors either? +# set to 1 if you don't want colors, or export ANSIBLE_NOCOLOR=1 +#nocolor = 1 + +# if set to a persistent type (not 'memory', for example 'redis') fact values +# from previous runs in Ansible will be stored. This may be useful when +# wanting to use, for example, IP information from one group of servers +# without having to talk to them in the same playbook run to get their +# current IP information. +#fact_caching = memory + + +# retry files +# When a playbook fails by default a .retry file will be created in ~/ +# You can disable this feature by setting retry_files_enabled to False +# and you can change the location of the files by setting retry_files_save_path + +#retry_files_enabled = False +#retry_files_save_path = ~/.ansible-retry + +# squash actions +# Ansible can optimise actions that call modules with list parameters +# when looping. Instead of calling the module once per with_ item, the +# module is called once with all items at once. Currently this only works +# under limited circumstances, and only with parameters named 'name'. +#squash_actions = apk,apt,dnf,package,pacman,pkgng,yum,zypper + +# prevents logging of task data, off by default +#no_log = False + +# prevents logging of tasks, but only on the targets, data is still logged on the master/controller +#no_target_syslog = False + +# controls whether Ansible will raise an error or warning if a task has no +# choice but to create world readable temporary files to execute a module on +# the remote machine. This option is False by default for security. Users may +# turn this on to have behaviour more like Ansible prior to 2.1.x. See +# https://docs.ansible.com/ansible/become.html#becoming-an-unprivileged-user +# for more secure ways to fix this than enabling this option. +#allow_world_readable_tmpfiles = False + +# controls the compression level of variables sent to +# worker processes. At the default of 0, no compression +# is used. This value must be an integer from 0 to 9. +#var_compression_level = 9 + +# controls what compression method is used for new-style ansible modules when +# they are sent to the remote system. The compression types depend on having +# support compiled into both the controller's python and the client's python. +# The names should match with the python Zipfile compression types: +# * ZIP_STORED (no compression. available everywhere) +# * ZIP_DEFLATED (uses zlib, the default) +# These values may be set per host via the ansible_module_compression inventory +# variable +#module_compression = 'ZIP_DEFLATED' + +# This controls the cutoff point (in bytes) on --diff for files +# set to 0 for unlimited (RAM may suffer!). +#max_diff_size = 1048576 + +[privilege_escalation] +#become=True +#become_method=sudo +#become_user=root +#become_ask_pass=False + +[paramiko_connection] + +# uncomment this line to cause the paramiko connection plugin to not record new host +# keys encountered. Increases performance on new host additions. Setting works independently of the +# host key checking setting above. +#record_host_keys=False + +# by default, Ansible requests a pseudo-terminal for commands executed under sudo. Uncomment this +# line to disable this behaviour. +#pty=False + +[ssh_connection] + +# ssh arguments to use +# Leaving off ControlPersist will result in poor performance, so use +# paramiko on older platforms rather than removing it +#ssh_args = -o ControlMaster=auto -o ControlPersist=60s + +# The path to use for the ControlPath sockets. This defaults to +# "%(directory)s/ansible-ssh-%%h-%%p-%%r", however on some systems with +# very long hostnames or very long path names (caused by long user names or +# deeply nested home directories) this can exceed the character limit on +# file socket names (108 characters for most platforms). In that case, you +# may wish to shorten the string below. +# +# Example: +# control_path = %(directory)s/%%h-%%r +#control_path = %(directory)s/ansible-ssh-%%h-%%p-%%r + +# Enabling pipelining reduces the number of SSH operations required to +# execute a module on the remote server. This can result in a significant +# performance improvement when enabled, however when using "sudo:" you must +# first disable 'requiretty' in /etc/sudoers +# +# By default, this option is disabled to preserve compatibility with +# sudoers configurations that have requiretty (the default on many distros). +# +#pipelining = False + +# if True, make ansible use scp if the connection type is ssh +# (default is sftp) +#scp_if_ssh = True + +# if False, sftp will not use batch mode to transfer files. This may cause some +# types of file transfer failures impossible to catch however, and should +# only be disabled if your sftp version has problems with batch mode +#sftp_batch_mode = False + +[accelerate] +#accelerate_port = 5099 +#accelerate_timeout = 30 +#accelerate_connect_timeout = 5.0 + +# The daemon timeout is measured in minutes. This time is measured +# from the last activity to the accelerate daemon. +#accelerate_daemon_timeout = 30 + +# If set to yes, accelerate_multi_key will allow multiple +# private keys to be uploaded to it, though each user must +# have access to the system via SSH to add a new key. The default +# is "no". +#accelerate_multi_key = yes + +[selinux] +# file systems that require special treatment when dealing with security context +# the default behaviour that copies the existing context or uses the user default +# needs to be changed to use the file system dependent context. +#special_context_filesystems=nfs,vboxsf,fuse,ramfs + +# Set this to yes to allow libvirt_lxc connections to work without SELinux. +#libvirt_lxc_noseclabel = yes + +[colors] +#highlight = white +#verbose = blue +#warn = bright purple +#error = red +#debug = dark gray +#deprecate = purple +#skip = cyan +#unreachable = red +#ok = green +#changed = yellow +#diff_add = green +#diff_remove = red +#diff_lines = cyan diff --git a/company.example/ad-templates/krb5.conf.CentOS b/company.example/ad-templates/krb5.conf.CentOS new file mode 100644 index 0000000..74570ae --- /dev/null +++ b/company.example/ad-templates/krb5.conf.CentOS @@ -0,0 +1,35 @@ +# Ansible controlled filename: /etc/krb5.conf +# Source: ansible bgstack15-ad/templates/krb5.conf.CentOS +# Date: 2016-03-04 +# Reference: Building the Centos 7 Template.docx +# NOTE: This file is managed via Ansible: manual changes will be lost + +[logging] + default = FILE:/var/log/krb5libs.log + kdc = FILE:/var/log/krb5kdc.log + admin_server = FILE:/var/log/kadmind.log + +[libdefaults] + dns_lookup_realm = false + ticket_lifetime = 24h + renew_lifetime = 7d + forwardable = true + rdns = false + default_ccache_name = KEYRING:persistent:%{uid} + + default_realm = EXAMPLE.COM +[realms] + EXAMPLE.COM = { + kdc = dc1.example.com + kdc = dc2.example.com + kdc = dc3.example.com + kdc = dc4.example.com + admin_server = dc1.example.com + admin_server = dc2.example.com + admin_server = dc3.example.com + admin_server = dc4.example.com + } + +[domain_realm] +example.com = EXAMPLE.COM + .example.com = EXAMPLE.COM diff --git a/company.example/ad-templates/krb5.conf.FreeBSD b/company.example/ad-templates/krb5.conf.FreeBSD new file mode 100644 index 0000000..e6b8a3a --- /dev/null +++ b/company.example/ad-templates/krb5.conf.FreeBSD @@ -0,0 +1,37 @@ +# Ansible controlled filename: /etc/krb5.conf +# Source: ansible bgstack15-ad/templates/krb5.conf.FreeBSD +# Date: 2016-03-04 +# Reference: Building the Centos 7 Template.docx +# NOTE: This file is managed via Ansible: manual changes will be lost + +[logging] + default = FILE:/var/log/krb5libs.log + kdc = FILE:/var/log/krb5kdc.log + admin_server = FILE:/var/log/kadmind.log + +[libdefaults] + dns_lookup_realm = false + ticket_lifetime = 24h + renew_lifetime = 7d + forwardable = true + rdns = false + default_ccache_name = FILE:/tmp/krb5cc_%u + proxiable = true + ccache_type = 4 + + default_realm = EXAMPLE.COM +[realms] + EXAMPLE.COM = { + kdc = dc1.example.com + kdc = dc2.example.com + kdc = dc3.example.com + kdc = dc4.example.com + admin_server = dc1.example.com + admin_server = dc2.example.com + admin_server = dc3.example.com + admin_server = dc4.example.com + } + +[domain_realm] +example.com = EXAMPLE.COM + .example.com = EXAMPLE.COM diff --git a/company.example/ad-templates/krb5.conf.Ubuntu b/company.example/ad-templates/krb5.conf.Ubuntu new file mode 100644 index 0000000..6a4c23b --- /dev/null +++ b/company.example/ad-templates/krb5.conf.Ubuntu @@ -0,0 +1,35 @@ +# Ansible controlled filename: /etc/krb5.conf +# Source: ansible bgstack15-ad/templates/krb5.conf.Ubuntu +# Date: 2016-03-04 +# Reference: Building the Centos 7 Template.docx +# NOTE: This file is managed via Ansible: manual changes will be lost + +[logging] + default = FILE:/var/log/krb5libs.log + kdc = FILE:/var/log/krb5kdc.log + admin_server = FILE:/var/log/kadmind.log + +[libdefaults] + dns_lookup_realm = false + ticket_lifetime = 24h + renew_lifetime = 7d + forwardable = true + rdns = false + default_ccache_name = KEYRING:persistent:%{uid} + + default_realm = EXAMPLE.COM +[realms] + EXAMPLE.COM = { + kdc = dc1.example.com + kdc = dc2.example.com + kdc = dc3.example.com + kdc = dc4.example.com + admin_server = dc1.example.com + admin_server = dc2.example.com + admin_server = dc3.example.com + admin_server = dc4.example.com + } + +[domain_realm] +example.com = EXAMPLE.COM + .example.com = EXAMPLE.COM diff --git a/company.example/ad-templates/sssd.conf.CentOS b/company.example/ad-templates/sssd.conf.CentOS new file mode 100644 index 0000000..8678bd2 --- /dev/null +++ b/company.example/ad-templates/sssd.conf.CentOS @@ -0,0 +1,42 @@ +# Ansible-controlled filename: /etc/sssd/sssd.conf +# Source: ansible sssd.conf.CentOS +# Date: 2016-03-04 +# Reference: Building the Centos 7 Template.docx +# NOTE: This file is managed via Ansible: manual changes will be lost + +[domain/default] +autofs_provider = ldap +cache_credentials = True +krb5_realm = EXAMPLE.COM +ldap_search_base = dc=example,dc=edu +krb5_server = dc1.example.com,dc2.example.com,dc3.example.com,dc4.example.com +id_provider = ldap +auth_provider = krb5 +chpass_provider = krb5 +krb5_store_password_if_offline = True +ldap_uri = ldap://example.com +krb5_kpasswd = dc1.example.com,dc2.example.com,dc3.example.com,dc4.example.com +ldap_tls_cacertdir = /etc/openldap/cacerts + +[sssd] +domains = default, example.com +config_file_version = 2 +services = nss, pam, autofs + +[domain/example.com] +ad_domain = example.com +krb5_realm = EXAMPLE.COM +realmd_tags = manages-system joined-with-samba +cache_credentials = True +id_provider = ad +krb5_store_password_if_offline = True +default_shell = /bin/bash +ldap_id_mapping = False +use_fully_qualified_names = False +fallback_homedir = /home/%d/%u +access_provider = ad +ad_access_filter = (&(memberOf=CN=Linux-Server-Access_grp,OU=Linux-Access,OU=Accounts-Groups,DC=example,DC=edu)(unixHomeDirectory=*)) +simple_allow_users = Alice, alice, Bob, bob +case_sensitive = true +ad_gpo_access_control = disabled +[autofs] diff --git a/company.example/ad-templates/sssd.conf.FreeBSD b/company.example/ad-templates/sssd.conf.FreeBSD new file mode 100644 index 0000000..4b6a816 --- /dev/null +++ b/company.example/ad-templates/sssd.conf.FreeBSD @@ -0,0 +1,41 @@ +# Ansible-controlled filename: /etc/sssd/sssd.conf +# Source: ansible sssd.conf.FreeBSD +# Date: 2016-03-04 +# Reference: Building the Centos 7 Template.docx +# NOTE: This file is managed via Ansible: manual changes will be lost + +[domain/default] +autofs_provider = ldap +cache_credentials = True +krb5_realm = EXAMPLE.COM +ldap_search_base = dc=example,dc=edu +krb5_server = dc1.example.com,dc2.example.com,dc3.example.com,dc4.example.com +id_provider = ldap +auth_provider = krb5 +chpass_provider = krb5 +krb5_store_password_if_offline = True +ldap_uri = ldap://example.com +krb5_kpasswd = dc1.example.com,dc2.example.com,dc3.example.com,dc4.example.com +ldap_tls_cacertdir = /etc/openldap/cacerts + +[sssd] +domains = default, example.com +config_file_version = 2 +services = nss, pam + +[domain/example.com] +ad_domain = example.com +krb5_realm = EXAMPLE.COM +realmd_tags = manages-system joined-with-samba +cache_credentials = True +id_provider = ad +krb5_store_password_if_offline = True +default_shell = /bin/bash +ldap_id_mapping = False +use_fully_qualified_names = False +fallback_homedir = /home/%d/%u +access_provider = ad +ad_access_filter = (&(memberOf=CN=Linux-Server-Access_grp,OU=Linux-Access,OU=Accounts-Groups,DC=example,DC=edu)(unixHomeDirectory=*)) +simple_allow_users = Alice, alice, Bob, bob +case_sensitive = true +ad_gpo_access_control = disabled diff --git a/company.example/ad-templates/sssd.conf.Ubuntu b/company.example/ad-templates/sssd.conf.Ubuntu new file mode 100644 index 0000000..a37f7b5 --- /dev/null +++ b/company.example/ad-templates/sssd.conf.Ubuntu @@ -0,0 +1,42 @@ +# Ansible-controlled filename: /etc/sssd/sssd.conf +# Source: ansible sssd.conf.Ubuntu +# Date: 2016-03-04 +# Reference: Building the Centos 7 Template.docx +# NOTE: This file is managed via Ansible: manual changes will be lost + +[domain/default] +autofs_provider = ldap +cache_credentials = True +krb5_realm = EXAMPLE.COM +ldap_search_base = dc=example,dc=edu +krb5_server = dc1.example.com,dc2.example.com,dc3.example.com,dc4.example.com +id_provider = ldap +auth_provider = krb5 +chpass_provider = krb5 +krb5_store_password_if_offline = True +ldap_uri = ldap://example.com +krb5_kpasswd = dc1.example.com,dc2.example.com,dc3.example.com,dc4.example.com +ldap_tls_cacertdir = /etc/openldap/cacerts + +[sssd] +domains = default, example.com +config_file_version = 2 +services = nss, pam, autofs + +[domain/example.com] +ad_domain = example.com +krb5_realm = EXAMPLE.COM +realmd_tags = manages-system joined-with-samba +cache_credentials = True +id_provider = ad +krb5_store_password_if_offline = True +default_shell = /bin/bash +ldap_id_mapping = False +use_fully_qualified_names = False +fallback_homedir = /home/%d/%u +access_provider = ad +ad_access_filter = (&(memberOf=CN=Linux-Server-Access_grp,OU=Linux-Access,OU=Accounts-Groups,DC=example,DC=edu)(unixHomeDirectory=*)) +simple_allow_users = Alice, alice, Bob, bob +case_sensitive = true +ad_gpo_access_control = disabled +[autofs] diff --git a/company.example/ad-vars/FreeBSD.yml b/company.example/ad-vars/FreeBSD.yml new file mode 100644 index 0000000..7ff821f --- /dev/null +++ b/company.example/ad-vars/FreeBSD.yml @@ -0,0 +1,4 @@ +--- +sssd_dir: /usr/local/etc/sssd +ad_access_filter: (&(memberOf=CN=Linux-Server-Access_grp,OU=Linux-Access,OU=Accounts-Groups,DC=example,DC=edu)(unixHomeDirectory=*)) +simple_allow_users: Alice, alice, alice-local diff --git a/company.example/ad-vars/default.yml b/company.example/ad-vars/default.yml new file mode 100644 index 0000000..cb65db8 --- /dev/null +++ b/company.example/ad-vars/default.yml @@ -0,0 +1,3 @@ +--- +sssd_dir: /etc/sssd +krb5_conf_dir: /etc diff --git a/company.example/fail2ban-files/filter.d/20_example-blns.filter b/company.example/fail2ban-files/filter.d/20_example-blns.filter new file mode 100644 index 0000000..c39cefa --- /dev/null +++ b/company.example/fail2ban-files/filter.d/20_example-blns.filter @@ -0,0 +1,32 @@ +# Ansible controlled filename: /etc/fail2ban/filter.d/20_example-blns.filter +# Source: ansible bgstack15-fail2ban/files/example-blns.filter +# Date: 2016-04-19 +# Reference: +# NOTE: This file is managed via Ansible: manual changes will be lost + +[Definition] +failregex = ^.*<HOST>.*(GET|POST).*/etc/passwd.*$ + ^.*<HOST>.*(GET|POST).*/etc/group.*$ + ^.*<HOST>.*(GET|POST).*/etc/hosts.*$ + ^.*<HOST>.*(GET|POST).*/proc/self/environ.*$ + ^.*<HOST>.*(GET|POST).*(?i)admin.*admin.*$ + ^.*<HOST>.*(GET|POST).*(?i)(php|db|pma|web|sql).*admin.*$ + ^.*<HOST>.*(GET|POST).*(?i)admin.*(php|db|pma|web|sql).*$ + ^.*<HOST>.*(GET|POST).*(?i)DELETE_comment.*$ + ^.*<HOST>.*(GET|POST).*(?i)pma/scripts.*setup.*$ + ^.*<HOST>.*(GET|POST).*(?i)pma([0-9]{4})?/? HTTP.*$ + ^.*<HOST>.*(GET|POST).*(?i)(database|myadmin|mysql)/? HTTP.*$ + ^.*<HOST>.*(GET|POST).*(?i)(dbweb|webdb|websql|sqlweb).*$ + ^.*<HOST>.*(GET|POST).*(?i)(my)?sql.*manager.*$ + ^.*<HOST>.*(GET|POST).*(?i)wp-(admin|login|signup|config).*$ + ^.*<HOST>.*(GET|POST).*president/.*wp-cron\.php*$ + ^.*<HOST>.*(GET|POST).*w00t.*blackhats.*$ + ^.*<HOST>.*(GET|POST).*\+\+liker.profile_URL\+\+.*$ + ^.*<HOST>.*(GET|POST).*muieblackcat.*$ + ^.*<HOST>.*(GET|POST).*(?i)ldlogon.*$ + ^.*<HOST>.*(GET|POST).*(?i)\.cobalt$ + ^.*<HOST>.*(GET|POST).*(?i)\.intruvert\/jsp\/admin\/Login\.jsp$ + ^.*<HOST>.*(GET|POST).*(?i)MSWSMTP\/Common\/Authentication\/Logon\.aspx$ + ^.*<HOST>.*(GET|POST).*(?i)php\?password=[0-9]*\&re_password=.*\&login=var.*$ + +ignoreregex = diff --git a/company.example/fail2ban-files/filter.d/30_example-max3.filter b/company.example/fail2ban-files/filter.d/30_example-max3.filter new file mode 100644 index 0000000..af692af --- /dev/null +++ b/company.example/fail2ban-files/filter.d/30_example-max3.filter @@ -0,0 +1,13 @@ +# Ansible controlled filename: /etc/fail2ban/filter.d/30_example-max3.filter +# Source: ansible bgstack15-fail2ban/files/example-max3.filter +# Date: 2016-07-12 +# Reference: example-blns.filter +# NOTE: This file is managed via Ansible: manual changes will be lost + +[Definition] +failregex = ^.*<HOST>.*(GET|POST).*(?i)\.cobalt$ + ^.*<HOST>.*(GET|POST).*(?i)\.intruvert\/jsp\/admin\/Login\.jsp$ + ^.*<HOST>.*(GET|POST).*(?i)MSWSMTP\/Common\/Authentication\/Logon\.aspx$ + ^.*<HOST>.*(GET|POST).*(?i)php\?password=[0-9]*\&re_password=.*\&login=var.*$ + +ignoreregex = diff --git a/company.example/fail2ban-files/filter.d/60_sshd.filter b/company.example/fail2ban-files/filter.d/60_sshd.filter new file mode 100644 index 0000000..33b8ba8 --- /dev/null +++ b/company.example/fail2ban-files/filter.d/60_sshd.filter @@ -0,0 +1,31 @@ +# Ansible-controlled filename: /etc/fail2ban/filter.d/60_sshd.filter +# Source: ansible bgstack15-fail2ban/files/sshd.filter +# Date: 2016-06-23 +# Reference: Ubuntu 16.04 fail2ban package sshd filter +# NOTE: This file is managed via Ansible: manual changes will be lost + +[INCLUDES] +before = common.conf + +[Definition] +_daemon = sshd +failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$ + ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$ + ^%(__prefix_line)sFailed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?\S+ %(__md5hex)s(, client user ".*", client host ".*")?))?\s*$ + ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$ + ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$ + ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers\s*$ + ^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in DenyUsers\s*$ + ^%(__prefix_line)sUser .+ from <HOST> not allowed because not in any group\s*$ + ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$ + ^%(__prefix_line)sReceived disconnect from <HOST>: 3: \S+: Auth fail$ + ^%(__prefix_line)sUser .+ from <HOST> not allowed because a group is listed in DenyGroups\s*$ + ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$ + ^(?P<__prefix>%(__prefix_line)s)User .+ not allowed because account is locked<SKIPLINES>(?P=__prefix)(?:error: )?Received disconnect from <HOST>: 11: .+ \[preauth\]$ + ^(?P<__prefix>%(__prefix_line)s)Disconnecting: Too many authentication failures for .+? \[preauth\]<SKIPLINES>(?P=__prefix)(?:error: )?Connection closed by <HOST> \[preauth\]$ + ^(?P<__prefix>%(__prefix_line)s)Connection from <HOST> port \d+(?: on \S+ port \d+)?<SKIPLINES>(?P=__prefix)Disconnecting: Too many authentication failures for .+? \[preauth\]$ + ^%(__prefix_line)spam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=\S*\s*rhost=<HOST>\s.*$ +ignoreregex = +[Init] +maxlines = 10 +journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd diff --git a/company.example/fail2ban-files/jail.d/00_default.jail b/company.example/fail2ban-files/jail.d/00_default.jail new file mode 100644 index 0000000..71cd3e8 --- /dev/null +++ b/company.example/fail2ban-files/jail.d/00_default.jail @@ -0,0 +1,10 @@ +# Ansible controlled filename: /etc/fail2ban/jail.d/00_default.filter +# Source: ansible bgstack15-fail2ban/files/00_default.conf +# Date: 2016-06-23 +# Reference: +# NOTE: This file is managed via Ansible: manual changes will be lost + +[DEFAULT] +ignoreip = 127.0.0.1/8 203.0.0.0/16 10.0.0.0/8 192.168.0.0/16 204.13.201.0/24 64.37.231.0/24 +# TrustKeeper Vulnerability Scan IPs = 204.13.201.0/24 64.37.231.0/24 + diff --git a/company.example/fail2ban-files/jail.d/20_example-blns.jail b/company.example/fail2ban-files/jail.d/20_example-blns.jail new file mode 100644 index 0000000..eb1d1c9 --- /dev/null +++ b/company.example/fail2ban-files/jail.d/20_example-blns.jail @@ -0,0 +1,21 @@ +# Ansible controlled filename: /etc/fail2ban/jail.d/20_example-blns.jail +# Source: ansible bgstack15-fail2ban/files/example-blns.jail +# Date: 2016-04-19 +# Reference: +# NOTE: This file is managed via Ansible: manual changes will be lost + +[example-blns] +enabled = true +action = iptables-allports + sendmail[name=exampleblns, dest=linuxadmin@example.com] +filter = 20_example-blns +logpath = /var/log/httpd/access_log + /var/log/httpd/error_log + /var/log/httpd/ssl_access_log + /var/log/httpd/ssl_error_log + /var/log/apache2/access_log + /var/log/apache2/error_log + /var/log/apache2/ssl_access_log + /var/log/apache2/ssl_error_log +maxretry = 1 +bantime = 86400 diff --git a/company.example/fail2ban-files/jail.d/30_example-max3.jail b/company.example/fail2ban-files/jail.d/30_example-max3.jail new file mode 100644 index 0000000..6ca7781 --- /dev/null +++ b/company.example/fail2ban-files/jail.d/30_example-max3.jail @@ -0,0 +1,21 @@ +# Ansible controlled filename: /etc/fail2ban/jail.d/30_example-max3.jail +# Source: ansible bgstack15-fail2ban/files/example-max3.jail +# Date: 2016-07-12 +# Reference: example-blns.jail +# NOTE: This file is managed via Ansible: manual changes will be lost + +[example-max3] +enabled = true +action = iptables-allports + sendmail[name=examplemax3, dest=linuxadmin@example.com] +filter = 30_example-max3 +logpath = /var/log/httpd/access_log + /var/log/httpd/error_log + /var/log/httpd/ssl_access_log + /var/log/httpd/ssl_error_log + /var/log/apache2/access_log + /var/log/apache2/error_log + /var/log/apache2/ssl_access_log + /var/log/apache2/ssl_error_log +maxretry = 3 +bantime = 86400 diff --git a/company.example/fail2ban-files/jail.d/60_sshd.jail b/company.example/fail2ban-files/jail.d/60_sshd.jail new file mode 100644 index 0000000..aeb2751 --- /dev/null +++ b/company.example/fail2ban-files/jail.d/60_sshd.jail @@ -0,0 +1,16 @@ +# Ansible controlled filename: /etc/fail2ban/jail.d/60_sshd.jail +# Source: ansible bgstack15-fail2ban/files/sshd.jail +# Date: 2016-06-23 +# Reference: Ubuntu 16.04 fail2ban package sshd jail +# NOTE: This file is managed via Ansible: manual changes will be lost + +[ssh-iptables] + +enabled = true +filter = sshd +action = iptables[name=SSH, port=ssh, protocol=tcp] + sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com] +logpath = %(sshd_log)s +maxretry = 5 + +ignoreip = 203.0.193.232/24 diff --git a/company.example/pubkeys/alice.pubkeys b/company.example/pubkeys/alice.pubkeys new file mode 100644 index 0000000..6d807a6 --- /dev/null +++ b/company.example/pubkeys/alice.pubkeys @@ -0,0 +1,3 @@ +# version 3.0 +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDG8xc7BV1xCcKrzQvQwDhAAX6uDne5lSpgCURg4Vx8Au8fsaiFSVlCky+OOQAJipgucG0QBPiL60sNNsY03sKIAh7TMKsoUZuQ5sJM6EpyKGEYaOKFXjaShDFMtdvwGIANh/e86qpVGRkje+p8fvNxbHOXsQpYF+HpAv8u/HbaQQYtdkWaeR6nIO8LXWOapgO7t5pMdRQJa67+4Yyc7IQQM66WMXX5Ik3nGMMHog2PgrpTtaEdKOV2TzSynLBlp3UmOkLa4D0euvMsTwjTmqeORfCMVyVeYwHhZoz4V99L1aYCeI1jDwhD5GEf/DKOhMNVsw7OhqTSfVz3sYGbq0or alice@aluminum.example.com +ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAgURLzjIKMmN0Aq8YZTQp1N/6GMEuEs8WeOx2eg/lEXEFTxIQMMKYXxPDgzp2QLCQuuzgKOXBKw7KtnxtqTkmlAUWMDExSd7U1q/vZnDIubUFzZKbORJHWUOrI4Os/r9GPmnFro8kMCYjvmkUWIO82+JQHFBunICJcGKPJutcbSU= rsa-key-20130722 diff --git a/company.example/pubkeys/lcroce.pubkey b/company.example/pubkeys/lcroce.pubkey new file mode 100644 index 0000000..fc39667 --- /dev/null +++ b/company.example/pubkeys/lcroce.pubkey @@ -0,0 +1 @@ +FOO 2016-09-22 08:49 this is the contents of bob.pubkey diff --git a/company.example/resolv_conf-templates/resolv.conf b/company.example/resolv_conf-templates/resolv.conf new file mode 100644 index 0000000..7a647b0 --- /dev/null +++ b/company.example/resolv_conf-templates/resolv.conf @@ -0,0 +1,8 @@ +# File managed by ansible + +search example.com +nameserver 10.1.16.1 +nameserver 10.2.16.1 +nameserver 10.1.16.2 +nameserver 10.2.16.2 +options timeout:3 rotate diff --git a/hosts.example b/hosts.example new file mode 100644 index 0000000..d48fb17 --- /dev/null +++ b/hosts.example @@ -0,0 +1,30 @@ +# file: /etc/ansible/hosts + +one.example.com +two.example.com +three.example.com +four.example.com +five.example.com +six.example.com + +[centos] +one.example.com +two.example.com +three.example.com + +[ubuntu] +four.example.com + +[freebsd:vars] +ansible_python_interpreter=/usr/local/bin/python2.7 + +[freebsd] +five.example.com +six.example.com + +[webservers] +one.example.com + +[test] +one.example.com +six.example.com diff --git a/master.yml.example b/master.yml.example new file mode 100644 index 0000000..1ed4fda --- /dev/null +++ b/master.yml.example @@ -0,0 +1,18 @@ +--- +- name: All hosts + hosts: all + remote_user: root + roles: + - ad + - resolv_conf + - ssh + - ssh_keys + vars: + ssh_key_files: + - { user: 'alice', file: '../../../company/pubkeys/alice.pubkeys' } + +- name: Webservers + hosts: webservers + remote_user: root + roles: + - fail2ban diff --git a/roles/ad/handlers/main.yml b/roles/ad/handlers/main.yml new file mode 100644 index 0000000..db92053 --- /dev/null +++ b/roles/ad/handlers/main.yml @@ -0,0 +1,3 @@ +--- +- name: sssd restart + service: name=sssd state=restarted diff --git a/roles/ad/main.yml b/roles/ad/main.yml new file mode 100644 index 0000000..af79d33 --- /dev/null +++ b/roles/ad/main.yml @@ -0,0 +1,9 @@ +--- +- hosts: all + vars_files: + - vars/default.yml + - hosts/default.yml + tasks: + - include: tasks/main.yml + handlers: + - handlers/main.yml diff --git a/roles/ad/tasks/main.yml b/roles/ad/tasks/main.yml new file mode 100644 index 0000000..a8275e5 --- /dev/null +++ b/roles/ad/tasks/main.yml @@ -0,0 +1,39 @@ +--- +- name: ad get vars + include_vars: default.yml + +- name: ad get OS vars + include_vars: '{{ item }}' + with_first_found: + - '{{ ansible_distribution }}.yml' + - default.yml + +- name: ad get host-specific vars + include_vars: '{{ item }}' + with_first_found: + - files: + - '../hosts/{{ ansible_fqdn }}.yml' + skip: true + +- name: sssd conf + template: src="sssd.conf.{{ ansible_distribution }}" dest="{{ sssd_dir }}/sssd.conf" + notify: + - sssd restart + +- name: sssd ad_access_filter + lineinfile: dest="{{ sssd_dir }}/sssd.conf" regexp="^ad_access_filter = .*$" line="ad_access_filter = {{ ad_access_filter }}" + when: ad_access_filter is defined + notify: + - sssd restart + +- name: sssd simple_allow_users + lineinfile: dest="{{ sssd_dir }}/sssd.conf" regexp="^simple_allow_users = .*$" line="simple_allow_users = {{ simple_allow_users }}" + when: simple_allow_users is defined + notify: + - sssd restart + +- name: sssd start + service: name=sssd state=started + +- name: kerberos conf + template: src="krb5.conf.{{ ansible_distribution }}" dest="{{ krb5_conf_dir }}/krb5.conf" diff --git a/roles/ad/templates b/roles/ad/templates new file mode 120000 index 0000000..714ffa6 --- /dev/null +++ b/roles/ad/templates @@ -0,0 +1 @@ +../../company/ad-templates
\ No newline at end of file diff --git a/roles/ad/vars b/roles/ad/vars new file mode 120000 index 0000000..b461d44 --- /dev/null +++ b/roles/ad/vars @@ -0,0 +1 @@ +../../company/ad-vars
\ No newline at end of file diff --git a/roles/fail2ban/defaults/main.yml b/roles/fail2ban/defaults/main.yml new file mode 100644 index 0000000..c3a16b1 --- /dev/null +++ b/roles/fail2ban/defaults/main.yml @@ -0,0 +1,3 @@ +--- +fail2ban_filterd_path: roles/fail2ban/files/filter.d/ +fail2ban_jaild_path: roles/fail2ban/files/jail.d/ diff --git a/roles/fail2ban/files b/roles/fail2ban/files new file mode 120000 index 0000000..9e0759b --- /dev/null +++ b/roles/fail2ban/files @@ -0,0 +1 @@ +../../company/fail2ban-files
\ No newline at end of file diff --git a/roles/fail2ban/handlers/main.yml b/roles/fail2ban/handlers/main.yml new file mode 100644 index 0000000..420d8e8 --- /dev/null +++ b/roles/fail2ban/handlers/main.yml @@ -0,0 +1,3 @@ +--- +- name: fail2ban restart + service: name=fail2ban state=restarted diff --git a/roles/fail2ban/main.yml b/roles/fail2ban/main.yml new file mode 100644 index 0000000..703571e --- /dev/null +++ b/roles/fail2ban/main.yml @@ -0,0 +1,6 @@ +--- +- hosts: all + tasks: + - include: tasks/main.yml + handlers: + - handlers/main.yml diff --git a/roles/fail2ban/tasks/main.yml b/roles/fail2ban/tasks/main.yml new file mode 100644 index 0000000..d60e427 --- /dev/null +++ b/roles/fail2ban/tasks/main.yml @@ -0,0 +1,20 @@ +--- +- name: fail2ban copy filter + copy: + src: "{{ fail2ban_filterd_path }}" + dest: /etc/fail2ban/filter.d/ + owner: root + group: root + mode: 0644 + when: fail2ban_filterd_path is defined + notify: fail2ban restart + +- name: fail2ban copy jails + copy: + src: "{{ fail2ban_jaild_path }}" + dest: /etc/fail2ban/jail.d/ + owner: root + group: root + mode: 0644 + when: fail2ban_jaild_path is defined + notify: fail2ban restart diff --git a/roles/resolv_conf/main.yml b/roles/resolv_conf/main.yml new file mode 100644 index 0000000..430c387 --- /dev/null +++ b/roles/resolv_conf/main.yml @@ -0,0 +1,6 @@ +--- +- hosts: all + vars_files: + - vars/default.yml + tasks: + - include: tasks/main.yml diff --git a/roles/resolv_conf/tasks/main.yml b/roles/resolv_conf/tasks/main.yml new file mode 100644 index 0000000..563b9cc --- /dev/null +++ b/roles/resolv_conf/tasks/main.yml @@ -0,0 +1,16 @@ +--- +- name: resolv_conf get vars + include_vars: default.yml + +- name: resolv_conf get OS vars + include_vars: '{{ item }}' + with_first_found: + - '{{ ansible_distribution }}.yml' + - default.yml + +- name: resolv_conf file + template: src='{{ item }}' dest='{{ resolv_file }}' owner=root group='{{ resolv_group }}' mode=0644 + with_first_found: + - files: + - 'resolv.conf.{{ ansible_distribution }}' + - resolv.conf diff --git a/roles/resolv_conf/templates b/roles/resolv_conf/templates new file mode 120000 index 0000000..a18a05a --- /dev/null +++ b/roles/resolv_conf/templates @@ -0,0 +1 @@ +../../company/resolv_conf-templates
\ No newline at end of file diff --git a/roles/resolv_conf/vars/FreeBSD.yml b/roles/resolv_conf/vars/FreeBSD.yml new file mode 100644 index 0000000..04e253e --- /dev/null +++ b/roles/resolv_conf/vars/FreeBSD.yml @@ -0,0 +1,2 @@ +--- +resolv_group: wheel diff --git a/roles/resolv_conf/vars/default.yml b/roles/resolv_conf/vars/default.yml new file mode 100644 index 0000000..24396bd --- /dev/null +++ b/roles/resolv_conf/vars/default.yml @@ -0,0 +1,3 @@ +--- +resolv_file: /etc/resolv.conf +resolv_group: root diff --git a/roles/ssh/handlers/main.yml b/roles/ssh/handlers/main.yml new file mode 100644 index 0000000..3dee0ef --- /dev/null +++ b/roles/ssh/handlers/main.yml @@ -0,0 +1,3 @@ +--- +- name: ssh restart + service: name='{{ ssh_service }}' state=restarted diff --git a/roles/ssh/main.yml b/roles/ssh/main.yml new file mode 100644 index 0000000..af79d33 --- /dev/null +++ b/roles/ssh/main.yml @@ -0,0 +1,9 @@ +--- +- hosts: all + vars_files: + - vars/default.yml + - hosts/default.yml + tasks: + - include: tasks/main.yml + handlers: + - handlers/main.yml diff --git a/roles/ssh/tasks/main.yml b/roles/ssh/tasks/main.yml new file mode 100644 index 0000000..a526b4e --- /dev/null +++ b/roles/ssh/tasks/main.yml @@ -0,0 +1,36 @@ +--- +- name: ssh get vars + include_vars: default.yml + +- name: ssh get OS vars + include_vars: '{{ item }}' + with_first_found: + - '{{ ansible_distribution }}.yml' + - default.yml + +- name: ssh get host-specific vars + include_vars: '{{ item }}' + with_first_found: + - files: + - '../hosts/{{ ansible_fqdn }}.yml' + skip: true + +- name: ssh_config conf + template: src='{{ item }}' dest='{{ ssh_config_file }}' owner=root group='{{ ssh_group }}' mode=0644 + with_first_found: + - files: + - '../hosts/ssh_config.{{ ansible_fqdn }}' + - 'ssh_config.{{ ansible_distribution }}' + - ssh_config + notify: + - ssh restart + +- name: sshd_config conf + template: src='{{ item }}' dest='{{ sshd_config_file }}' owner=root group='{{ ssh_group }}' mode=0644 + with_first_found: + - files: + - '../hosts/sshd_config.{{ ansible_fqdn }}' + - 'sshd_config.{{ ansible_distribution }}' + - sshd_config + notify: + - ssh restart diff --git a/roles/ssh/templates/ssh_config b/roles/ssh/templates/ssh_config new file mode 100644 index 0000000..4a0fb82 --- /dev/null +++ b/roles/ssh/templates/ssh_config @@ -0,0 +1,66 @@ +# $OpenBSD: ssh_config,v 1.28 2013/09/16 11:35:43 sthen Exp $ + +# This is the ssh client system-wide configuration file. See +# ssh_config(5) for more information. This file provides defaults for +# users, and the values can be changed in per-user configuration files +# or on the command line. + +# Configuration data is parsed as follows: +# 1. command line options +# 2. user-specific file +# 3. system-wide file +# Any configuration value is only changed the first time it is set. +# Thus, host-specific definitions should be at the beginning of the +# configuration file, and defaults at the end. + +# Site-wide defaults for some commonly used options. For a comprehensive +# list of available options, their meanings and defaults, please see the +# ssh_config(5) man page. + +# Host * +# ForwardAgent no +# ForwardX11 no +# RhostsRSAAuthentication no +# RSAAuthentication yes +# PasswordAuthentication yes +# HostbasedAuthentication no +# GSSAPIAuthentication no +# GSSAPIDelegateCredentials no +# GSSAPIKeyExchange no +# GSSAPITrustDNS no +# BatchMode no +# CheckHostIP yes +# AddressFamily any +# ConnectTimeout 0 +# StrictHostKeyChecking ask +# IdentityFile ~/.ssh/identity +# IdentityFile ~/.ssh/id_rsa +# IdentityFile ~/.ssh/id_dsa +# Port 22 +# Protocol 2,1 +# Cipher 3des +# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc +# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160 +# EscapeChar ~ +# Tunnel no +# TunnelDevice any:any +# PermitLocalCommand no +# VisualHostKey no +# ProxyCommand ssh -q -W %h:%p gateway.example.com +# RekeyLimit 1G 1h +# +# Uncomment this if you want to use .local domain +# Host *.local +# CheckHostIP no + +Host * + GSSAPIAuthentication yes +# If this option is set to yes then remote X11 clients will have full access +# to the original X11 display. As virtually no X11 client supports the untrusted +# mode correctly we set this to yes. + ForwardX11Trusted yes +# Send locale-related environment variables + SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES + SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT + SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE + SendEnv XMODIFIERS diff --git a/roles/ssh/templates/ssh_config.FreeBSD b/roles/ssh/templates/ssh_config.FreeBSD new file mode 100644 index 0000000..9ece121 --- /dev/null +++ b/roles/ssh/templates/ssh_config.FreeBSD @@ -0,0 +1,53 @@ +# $OpenBSD: ssh_config,v 1.30 2016/02/20 23:06:23 sobrado Exp $ +# $FreeBSD: releng/10.3/crypto/openssh/ssh_config 296853 2016-03-14 13:05:13Z des $ + +# This is the ssh client system-wide configuration file. See +# ssh_config(5) for more information. This file provides defaults for +# users, and the values can be changed in per-user configuration files +# or on the command line. + +# Configuration data is parsed as follows: +# 1. command line options +# 2. user-specific file +# 3. system-wide file +# Any configuration value is only changed the first time it is set. +# Thus, host-specific definitions should be at the beginning of the +# configuration file, and defaults at the end. + +# Site-wide defaults for some commonly used options. For a comprehensive +# list of available options, their meanings and defaults, please see the +# ssh_config(5) man page. + +# Host * +# ForwardAgent no +# ForwardX11 no +# RhostsRSAAuthentication no +# RSAAuthentication yes +# PasswordAuthentication yes +# HostbasedAuthentication no +# GSSAPIAuthentication no +# GSSAPIDelegateCredentials no +# BatchMode no +# CheckHostIP no +# AddressFamily any +# ConnectTimeout 0 +# StrictHostKeyChecking ask +# IdentityFile ~/.ssh/identity +# IdentityFile ~/.ssh/id_rsa +# IdentityFile ~/.ssh/id_dsa +# IdentityFile ~/.ssh/id_ecdsa +# IdentityFile ~/.ssh/id_ed25519 +# Port 22 +# Protocol 2 +# Cipher 3des +# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc +# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160 +# EscapeChar ~ +# Tunnel no +# TunnelDevice any:any +# PermitLocalCommand no +# VisualHostKey no +# ProxyCommand ssh -q -W %h:%p gateway.example.com +# RekeyLimit 1G 1h +# VerifyHostKeyDNS yes +# VersionAddendum FreeBSD-20160310 diff --git a/roles/ssh/templates/ssh_config.Ubuntu b/roles/ssh/templates/ssh_config.Ubuntu new file mode 100644 index 0000000..188ae90 --- /dev/null +++ b/roles/ssh/templates/ssh_config.Ubuntu @@ -0,0 +1,56 @@ + +# This is the ssh client system-wide configuration file. See +# ssh_config(5) for more information. This file provides defaults for +# users, and the values can be changed in per-user configuration files +# or on the command line. + +# Configuration data is parsed as follows: +# 1. command line options +# 2. user-specific file +# 3. system-wide file +# Any configuration value is only changed the first time it is set. +# Thus, host-specific definitions should be at the beginning of the +# configuration file, and defaults at the end. + +# Site-wide defaults for some commonly used options. For a comprehensive +# list of available options, their meanings and defaults, please see the +# ssh_config(5) man page. + +Host * +# ForwardAgent no +# ForwardX11 no +# ForwardX11Trusted yes +# RhostsRSAAuthentication no +# RSAAuthentication yes +# PasswordAuthentication yes +# HostbasedAuthentication no +# GSSAPIAuthentication no +# GSSAPIDelegateCredentials no +# GSSAPIKeyExchange no +# GSSAPITrustDNS no +# BatchMode no +# CheckHostIP yes +# AddressFamily any +# ConnectTimeout 0 +# StrictHostKeyChecking ask +# IdentityFile ~/.ssh/identity +# IdentityFile ~/.ssh/id_rsa +# IdentityFile ~/.ssh/id_dsa +# IdentityFile ~/.ssh/id_ecdsa +# IdentityFile ~/.ssh/id_ed25519 +# Port 22 +# Protocol 2 +# Cipher 3des +# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc +# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160 +# EscapeChar ~ +# Tunnel no +# TunnelDevice any:any +# PermitLocalCommand no +# VisualHostKey no +# ProxyCommand ssh -q -W %h:%p gateway.example.com +# RekeyLimit 1G 1h + SendEnv LANG LC_* + HashKnownHosts yes + GSSAPIAuthentication yes + GSSAPIDelegateCredentials no diff --git a/roles/ssh/templates/sshd_config b/roles/ssh/templates/sshd_config new file mode 100644 index 0000000..e3810ca --- /dev/null +++ b/roles/ssh/templates/sshd_config @@ -0,0 +1,153 @@ +# $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $ + +# This is the sshd server system-wide configuration file. See +# sshd_config(5) for more information. + +# This sshd was compiled with PATH=/usr/local/bin:/usr/bin + +# The strategy used for options in the default sshd_config shipped with +# OpenSSH is to specify options with their default value where +# possible, but leave them commented. Uncommented options override the +# default value. + +# If you want to change the port on a SELinux system, you have to tell +# SELinux about this change. +# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER +# +#Port 22 +#AddressFamily any +#ListenAddress 0.0.0.0 +#ListenAddress :: + +# The default requires explicit activation of protocol 1 +#Protocol 2 + +# HostKey for protocol version 1 +#HostKey /etc/ssh/ssh_host_key +# HostKeys for protocol version 2 +HostKey /etc/ssh/ssh_host_rsa_key +#HostKey /etc/ssh/ssh_host_dsa_key +HostKey /etc/ssh/ssh_host_ecdsa_key +HostKey /etc/ssh/ssh_host_ed25519_key + +# Lifetime and size of ephemeral version 1 server key +#KeyRegenerationInterval 1h +#ServerKeyBits 1024 + +# Ciphers and keying +#RekeyLimit default none + +# Logging +# obsoletes QuietMode and FascistLogging +#SyslogFacility AUTH +SyslogFacility AUTHPRIV +#LogLevel INFO + +# Authentication: + +#LoginGraceTime 2m +#PermitRootLogin yes +#StrictModes yes +#MaxAuthTries 6 +#MaxSessions 10 + +#RSAAuthentication yes +#PubkeyAuthentication yes + +# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 +# but this is overridden so installations will only check .ssh/authorized_keys +AuthorizedKeysFile .ssh/authorized_keys + +#AuthorizedPrincipalsFile none + +#AuthorizedKeysCommand none +#AuthorizedKeysCommandUser nobody + +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts +#RhostsRSAAuthentication no +# similar for protocol version 2 +#HostbasedAuthentication no +# Change to yes if you don't trust ~/.ssh/known_hosts for +# RhostsRSAAuthentication and HostbasedAuthentication +#IgnoreUserKnownHosts no +# Don't read the user's ~/.rhosts and ~/.shosts files +#IgnoreRhosts yes + +# To disable tunneled clear text passwords, change to no here! +#PasswordAuthentication yes +#PermitEmptyPasswords no +PasswordAuthentication yes + +# Change to no to disable s/key passwords +#ChallengeResponseAuthentication yes +ChallengeResponseAuthentication no + +# Kerberos options +#KerberosAuthentication no +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes +#KerberosGetAFSToken no +#KerberosUseKuserok yes + +# GSSAPI options +GSSAPIAuthentication yes +GSSAPICleanupCredentials no +#GSSAPIStrictAcceptorCheck yes +#GSSAPIKeyExchange no +#GSSAPIEnablek5users no + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several +# problems. +UsePAM yes + +#AllowAgentForwarding yes +#AllowTcpForwarding yes +#GatewayPorts no +X11Forwarding yes +#X11DisplayOffset 10 +#X11UseLocalhost yes +#PermitTTY yes +#PrintMotd yes +#PrintLastLog yes +#TCPKeepAlive yes +#UseLogin no +UsePrivilegeSeparation sandbox # Default for new installations. +#PermitUserEnvironment no +#Compression delayed +#ClientAliveInterval 0 +#ClientAliveCountMax 3 +#ShowPatchLevel no +#UseDNS yes +#PidFile /var/run/sshd.pid +#MaxStartups 10:30:100 +#PermitTunnel no +#ChrootDirectory none +#VersionAddendum none + +# no default banner path +#Banner none + +# Accept locale-related environment variables +AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES +AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT +AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE +AcceptEnv XMODIFIERS + +# override default of no subsystems +Subsystem sftp /usr/libexec/openssh/sftp-server + +# Example of overriding settings on a per-user basis +#Match User anoncvs +# X11Forwarding no +# AllowTcpForwarding no +# PermitTTY no +# ForceCommand cvs server diff --git a/roles/ssh/templates/sshd_config.FreeBSD b/roles/ssh/templates/sshd_config.FreeBSD new file mode 100644 index 0000000..c8dbbf0 --- /dev/null +++ b/roles/ssh/templates/sshd_config.FreeBSD @@ -0,0 +1,136 @@ +# $OpenBSD: sshd_config,v 1.98 2016/02/17 05:29:04 djm Exp $ +# $FreeBSD: releng/10.3/crypto/openssh/sshd_config 296853 2016-03-14 13:05:13Z des $ + +# This is the sshd server system-wide configuration file. See +# sshd_config(5) for more information. + +# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin + +# The strategy used for options in the default sshd_config shipped with +# OpenSSH is to specify options with their default value where +# possible, but leave them commented. Uncommented options override the +# default value. + +# Note that some of FreeBSD's defaults differ from OpenBSD's, and +# FreeBSD has a few additional options. + +#Port 22 +#AddressFamily any +#ListenAddress 0.0.0.0 +#ListenAddress :: + +# The default requires explicit activation of protocol 1 +#Protocol 2 + +# HostKey for protocol version 1 +#HostKey /etc/ssh/ssh_host_key +# HostKeys for protocol version 2 +#HostKey /etc/ssh/ssh_host_rsa_key +#HostKey /etc/ssh/ssh_host_dsa_key +#HostKey /etc/ssh/ssh_host_ecdsa_key +#HostKey /etc/ssh/ssh_host_ed25519_key + +# Lifetime and size of ephemeral version 1 server key +#KeyRegenerationInterval 1h +#ServerKeyBits 1024 + +# Ciphers and keying +#RekeyLimit default none + +# Logging +# obsoletes QuietMode and FascistLogging +#SyslogFacility AUTH +#LogLevel INFO + +# Authentication: + +#LoginGraceTime 2m +PermitRootLogin yes +#StrictModes yes +#MaxAuthTries 6 +#MaxSessions 10 + +#RSAAuthentication yes +#PubkeyAuthentication yes + +# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 +#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2 + +#AuthorizedPrincipalsFile none + +#AuthorizedKeysCommand none +#AuthorizedKeysCommandUser nobody + +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts +#RhostsRSAAuthentication no +# similar for protocol version 2 +#HostbasedAuthentication no +# Change to yes if you don't trust ~/.ssh/known_hosts for +# RhostsRSAAuthentication and HostbasedAuthentication +#IgnoreUserKnownHosts no +# Don't read the user's ~/.rhosts and ~/.shosts files +#IgnoreRhosts yes + +# Change to yes to enable built-in password authentication. +#PasswordAuthentication no +#PermitEmptyPasswords no + +# Change to no to disable PAM authentication +#ChallengeResponseAuthentication yes + +# Kerberos options +#KerberosAuthentication no +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes +#KerberosGetAFSToken no + +# GSSAPI options +GSSAPIAuthentication yes +GSSAPICleanupCredentials no + +# Set this to 'no' to disable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +#UsePAM yes + +#AllowAgentForwarding yes +#AllowTcpForwarding yes +#GatewayPorts no +#X11Forwarding yes +#X11DisplayOffset 10 +#X11UseLocalhost yes +#PermitTTY yes +#PrintMotd yes +#PrintLastLog yes +#TCPKeepAlive yes +#UseLogin no +#UsePrivilegeSeparation sandbox +#PermitUserEnvironment no +#Compression delayed +#ClientAliveInterval 0 +#ClientAliveCountMax 3 +#UseDNS yes +#PidFile /var/run/sshd.pid +#MaxStartups 10:30:100 +#PermitTunnel no +#ChrootDirectory none +#VersionAddendum FreeBSD-20160310 + +# no default banner path +#Banner none + +# override default of no subsystems +Subsystem sftp /usr/libexec/sftp-server + +# Example of overriding settings on a per-user basis +#Match User anoncvs +# X11Forwarding no +# AllowTcpForwarding no +# PermitTTY no +# ForceCommand cvs server diff --git a/roles/ssh/templates/sshd_config.Ubuntu b/roles/ssh/templates/sshd_config.Ubuntu new file mode 100644 index 0000000..7ef30d5 --- /dev/null +++ b/roles/ssh/templates/sshd_config.Ubuntu @@ -0,0 +1,88 @@ +# Package generated configuration file +# See the sshd_config(5) manpage for details + +# What ports, IPs and protocols we listen for +Port 22 +# Use these options to restrict which interfaces/protocols sshd will bind to +#ListenAddress :: +#ListenAddress 0.0.0.0 +Protocol 2 +# HostKeys for protocol version 2 +HostKey /etc/ssh/ssh_host_rsa_key +HostKey /etc/ssh/ssh_host_dsa_key +HostKey /etc/ssh/ssh_host_ecdsa_key +HostKey /etc/ssh/ssh_host_ed25519_key +#Privilege Separation is turned on for security +UsePrivilegeSeparation yes + +# Lifetime and size of ephemeral version 1 server key +KeyRegenerationInterval 3600 +ServerKeyBits 1024 + +# Logging +SyslogFacility AUTH +LogLevel INFO + +# Authentication: +LoginGraceTime 120 +PermitRootLogin prohibit-password +StrictModes yes + +RSAAuthentication yes +PubkeyAuthentication yes +#AuthorizedKeysFile %h/.ssh/authorized_keys + +# Don't read the user's ~/.rhosts and ~/.shosts files +IgnoreRhosts yes +# For this to work you will also need host keys in /etc/ssh_known_hosts +RhostsRSAAuthentication no +# similar for protocol version 2 +HostbasedAuthentication no +# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication +#IgnoreUserKnownHosts yes + +# To enable empty passwords, change to yes (NOT RECOMMENDED) +PermitEmptyPasswords no + +# Change to yes to enable challenge-response passwords (beware issues with +# some PAM modules and threads) +ChallengeResponseAuthentication no + +# Change to no to disable tunnelled clear text passwords +#PasswordAuthentication yes + +# Kerberos options +#KerberosAuthentication no +#KerberosGetAFSToken no +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes + +# GSSAPI options +GSSAPIAuthentication yes +GSSAPICleanupCredentials no + +X11Forwarding yes +X11DisplayOffset 10 +PrintMotd no +PrintLastLog yes +TCPKeepAlive yes +#UseLogin no + +#MaxStartups 10:30:60 +#Banner /etc/issue.net + +# Allow client to pass locale environment variables +AcceptEnv LANG LC_* + +Subsystem sftp /usr/lib/openssh/sftp-server + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +UsePAM yes diff --git a/roles/ssh/vars/FreeBSD.yml b/roles/ssh/vars/FreeBSD.yml new file mode 100644 index 0000000..24f9a0f --- /dev/null +++ b/roles/ssh/vars/FreeBSD.yml @@ -0,0 +1,2 @@ +--- +ssh_group: wheel diff --git a/roles/ssh/vars/Ubuntu.yml b/roles/ssh/vars/Ubuntu.yml new file mode 100644 index 0000000..3bc4f03 --- /dev/null +++ b/roles/ssh/vars/Ubuntu.yml @@ -0,0 +1,2 @@ +--- +ssh_service: 'ssh' diff --git a/roles/ssh/vars/default.yml b/roles/ssh/vars/default.yml new file mode 100644 index 0000000..01eca41 --- /dev/null +++ b/roles/ssh/vars/default.yml @@ -0,0 +1,5 @@ +--- +sshd_config_file: /etc/ssh/sshd_config +ssh_config_file: /etc/ssh/ssh_config +ssh_group: root +ssh_service: 'sshd' diff --git a/roles/ssh_keys/main.yml b/roles/ssh_keys/main.yml new file mode 100644 index 0000000..9022768 --- /dev/null +++ b/roles/ssh_keys/main.yml @@ -0,0 +1,8 @@ +--- +- hosts: all + vars_files: + - vars/default.yml + tasks: + - include: tasks/main.yml + handlers: + - handlers/main.yml diff --git a/roles/ssh_keys/tasks/main.yml b/roles/ssh_keys/tasks/main.yml new file mode 100644 index 0000000..89d8d89 --- /dev/null +++ b/roles/ssh_keys/tasks/main.yml @@ -0,0 +1,63 @@ +--- +- name: ssh_keys get vars + include_vars: default.yml + +- name: ssh_keys get OS vars + include_vars: '{{ item }}' + with_first_found: + - '{{ ansible_distribution }}.yml' + - default.yml + +#- shell: echo "{{ item | basename | regex_replace('\.pubkeys?$','') }}" +# with_fileglob: +# - '*.pubkey' +# - '*.pubkeys' +# register: users_to_check + +#- debug: var=ssh_key_strings +#- debug: var=ssh_key_files + +- stat: path='{{ master_home_dir}}/{{ item.user }}/.ssh' + with_items: + - '{{ ssh_key_strings }}' + register: "s" + when: ssh_key_strings is defined + +- stat: path='{{ master_home_dir}}/{{ item.user }}/.ssh' + with_items: + - '{{ ssh_key_files }}' + register: "r" + when: ssh_key_files is defined + +#- debug: msg='{{ item.stat.exists }}' +# with_flattened: +# - '{{ r.results }}' + +- name: ssh_keys deploy keys from files + template: + src: "roles/ssh_keys/files/{{ item.item.file }}" + dest: '{{ master_home_dir }}/{{ item.item.user }}/.ssh/authorized_keys' + mode: 0600 + owner: '{{ item.item.user }}' + with_items: + - '{{ r.results }}' + when: + - item.stat.exists is defined + - '{{ item.stat.exists }}' + - r is defined + +- name: ssh_keys deploy keys from strings + lineinfile: + line: '{{ item.item.string }}' + regexp: "{{ item.item.string | regex_replace('^(.{40}).*$','\\1') }}" + dest: '{{ master_home_dir }}/{{ item.item.user }}/.ssh/authorized_keys' + mode: 0600 + owner: '{{ item.item.user }}' + create: yes + state: present + with_items: + - '{{ s.results }}' + when: + - item.stat.exists is defined + - '{{ item.stat.exists }}' + - s is defined diff --git a/roles/ssh_keys/tasks/main.yml.2016-09-22.01 b/roles/ssh_keys/tasks/main.yml.2016-09-22.01 new file mode 100644 index 0000000..b9536c4 --- /dev/null +++ b/roles/ssh_keys/tasks/main.yml.2016-09-22.01 @@ -0,0 +1,26 @@ +--- +- name: ssh_keys get vars + include_vars: default.yml + +- name: ssh_keys get OS vars + include_vars: '{{ item }}' + with_first_found: + - '{{ ansible_distribution }}.yml' + - default.yml + +- stat: path='{{ master_home_dir }}/{{ item | basename | regex_replace('\.pubkeys?$','') }}/.ssh' + register: files_stat + with_fileglob: + - '*.pubkey' + - '*.pubkeys' + +- debug: var='{{ item.stat.exists }}' + with_items: '{{ files_stat.results }}' + +- name: ssh_keys deploy keys + template: src='{{ item }}' dest='{{ master_home_dir }}/{{ item | basename | regex_replace('\.pubkeys?$','') }}/.ssh/authorized_keys' mode=0600 owner='{{ item | basename | regex_replace('\.pubkeys?$',"") }}' + with_fileglob: + - '*.pubkey' + - '*.pubkeys' + #when: item2.stat.exists + #with_items: '{{ files_stat.results }}' diff --git a/roles/ssh_keys/tasks/main.yml.2016-09-22.02 b/roles/ssh_keys/tasks/main.yml.2016-09-22.02 new file mode 100644 index 0000000..17f6d66 --- /dev/null +++ b/roles/ssh_keys/tasks/main.yml.2016-09-22.02 @@ -0,0 +1,28 @@ +--- +- name: ssh_keys get vars + include_vars: default.yml + +- name: ssh_keys get OS vars + include_vars: '{{ item }}' + with_first_found: + - '{{ ansible_distribution }}.yml' + - default.yml + +- shell: echo "{{ item | basename | regex_replace('\.pubkeys?$','') }}" + with_fileglob: + - '*.pubkey' + - '*.pubkeys' + register: users_to_check + +- debug: msg="{{ item.stdout_lines }}" + with_items: + - '{{ users_to_check.results }}' + +#- debug: var='{{ item.stdout_lines }}' +# with_items: +# - '{{ users_to_check.items }}' + +#- name: ssh_keys deploy keys +# template: src='{{ item.stdout_lines }}.pubkey' dest='{{ master_home_dir }}/{{ item.stdout_lines }}/.ssh/authorized_keys' mode=0600 owner='{{ item.stdout_lines }}' +# with_items: +# - '{{ users_to_check.results }}' diff --git a/roles/ssh_keys/tasks/main.yml.2016-09-22.03 b/roles/ssh_keys/tasks/main.yml.2016-09-22.03 new file mode 100644 index 0000000..3729179 --- /dev/null +++ b/roles/ssh_keys/tasks/main.yml.2016-09-22.03 @@ -0,0 +1,40 @@ +--- +- name: ssh_keys get vars + include_vars: default.yml + +- name: ssh_keys get OS vars + include_vars: '{{ item }}' + with_first_found: + - '{{ ansible_distribution }}.yml' + - default.yml + +#- shell: echo "{{ item | basename | regex_replace('\.pubkeys?$','') }}" +# with_fileglob: +# - '*.pubkey' +# - '*.pubkeys' +# register: users_to_check + +#- debug: var=ssh_key_strings +#- debug: var=ssh_key_files + +- stat: path='{{ master_home_dir}}/{{ item.user }}/.ssh' + with_items: + - '{{ ssh_key_files }}' + register: "r" + +#- debug: msg='{{ item.stat.exists }}' +# with_flattened: +# - '{{ r.results }}' + +- name: ssh_keys deploy keys from files + template: + src: "roles/ssh_keys/files/{{ item.item.file }}" + dest: '{{ master_home_dir}}/{{ item.item.user }}/.ssh/authorized_keys' + mode: 0600 + owner: '{{ item.item.user }}' + with_items: + - '{{ r.results }}' + when: + - '{{ item.stat.exists }}' + +- name: ssh_keys deploy keys from diff --git a/roles/ssh_keys/tasks/main.yml.2016-09-22.04 b/roles/ssh_keys/tasks/main.yml.2016-09-22.04 new file mode 100644 index 0000000..c9f33a9 --- /dev/null +++ b/roles/ssh_keys/tasks/main.yml.2016-09-22.04 @@ -0,0 +1,61 @@ +--- +- name: ssh_keys get vars + include_vars: default.yml + +- name: ssh_keys get OS vars + include_vars: '{{ item }}' + with_first_found: + - '{{ ansible_distribution }}.yml' + - default.yml + +#- shell: echo "{{ item | basename | regex_replace('\.pubkeys?$','') }}" +# with_fileglob: +# - '*.pubkey' +# - '*.pubkeys' +# register: users_to_check + +#- debug: var=ssh_key_strings +#- debug: var=ssh_key_files + +- stat: path='{{ master_home_dir}}/{{ item.user }}/.ssh' + with_items: + - '{{ ssh_key_strings }}' + register: "s" + when: ssh_key_strings is defined + +- stat: path='{{ master_home_dir}}/{{ item.user }}/.ssh' + with_items: + - '{{ ssh_key_files }}' + register: "r" + when: ssh_key_files is defined + +#- debug: msg='{{ item.stat.exists }}' +# with_flattened: +# - '{{ r.results }}' + +- name: ssh_keys deploy keys from files + template: + src: "roles/ssh_keys/files/{{ item.item.file }}" + dest: '{{ master_home_dir }}/{{ item.item.user }}/.ssh/authorized_keys' + mode: 0600 + owner: '{{ item.item.user }}' + with_items: + - '{{ r.results }}' + when: + - '{{ item.stat.exists }}' + - r is defined + +- name: ssh_keys deploy keys from strings + lineinfile: + line: '{{ item.item.string }}' + regexp: "{{ item.item.string | regex_replace('^(.{20}).*$','\\1') }}" + dest: '{{ master_home_dir }}/{{ item.item.user }}/.ssh/authorized_keys' + mode: 0600 + owner: '{{ item.item.user }}' + create: yes + state: present + with_items: + - '{{ s.results }}' + when: + - '{{ item.stat.exists }}' + - s is defined diff --git a/roles/ssh_keys/tasks/main.yml.2016-09-22.05 b/roles/ssh_keys/tasks/main.yml.2016-09-22.05 new file mode 100644 index 0000000..6d82cd0 --- /dev/null +++ b/roles/ssh_keys/tasks/main.yml.2016-09-22.05 @@ -0,0 +1,61 @@ +--- +- name: ssh_keys get vars + include_vars: default.yml + +- name: ssh_keys get OS vars + include_vars: '{{ item }}' + with_first_found: + - '{{ ansible_distribution }}.yml' + - default.yml + +#- shell: echo "{{ item | basename | regex_replace('\.pubkeys?$','') }}" +# with_fileglob: +# - '*.pubkey' +# - '*.pubkeys' +# register: users_to_check + +#- debug: var=ssh_key_strings +#- debug: var=ssh_key_files + +- stat: path='{{ master_home_dir}}/{{ item.user }}/.ssh' + with_items: + - '{{ ssh_key_strings }}' + register: "s" + when: ssh_key_strings is defined + +- stat: path='{{ master_home_dir}}/{{ item.user }}/.ssh' + with_items: + - '{{ ssh_key_files }}' + register: "r" + when: ssh_key_files is defined + +#- debug: msg='{{ item.stat.exists }}' +# with_flattened: +# - '{{ r.results }}' + +- name: ssh_keys deploy keys from files + template: + src: "roles/ssh_keys/files/{{ item.item.file }}" + dest: '{{ master_home_dir }}/{{ item.item.user }}/.ssh/authorized_keys' + mode: 0600 + owner: '{{ item.item.user }}' + with_items: + - '{{ r.results }}' + when: + - '{{ item.stat.exists }}' + - r is defined + +- name: ssh_keys deploy keys from strings + lineinfile: + line: '{{ item.item.string }}' + regexp: "{{ item.item.string | regex_replace('^(.{40}).*$','\\1') }}" + dest: '{{ master_home_dir }}/{{ item.item.user }}/.ssh/authorized_keys' + mode: 0600 + owner: '{{ item.item.user }}' + create: yes + state: present + with_items: + - '{{ s.results }}' + when: + - '{{ item.stat.exists }}' + - s is defined diff --git a/roles/ssh_keys/tests/test.yml b/roles/ssh_keys/tests/test.yml new file mode 100644 index 0000000..3397909 --- /dev/null +++ b/roles/ssh_keys/tests/test.yml @@ -0,0 +1,13 @@ +--- +- name: Test ssh_keys + hosts: test + remote_user: root + roles: + - ssh_keys + vars: +# ssh_key_strings: +# - { user: 'jdoe', string: 'a public key here' } +# - { user: 'alice', string: 'public key here' } +# ssh_key_files: +# - { user: 'jdoe', file: '../../../company/pubkeys/jdoe.pubkeys' } +# - { user: 'alice', file: '../../../company/pubkeys/alice.pubkey' } diff --git a/roles/ssh_keys/vars/AIX.yml b/roles/ssh_keys/vars/AIX.yml new file mode 100644 index 0000000..22f4611 --- /dev/null +++ b/roles/ssh_keys/vars/AIX.yml @@ -0,0 +1,2 @@ +--- +master_home_dir: /home/users diff --git a/roles/ssh_keys/vars/default.yml b/roles/ssh_keys/vars/default.yml new file mode 100644 index 0000000..f9662af --- /dev/null +++ b/roles/ssh_keys/vars/default.yml @@ -0,0 +1,2 @@ +--- +master_home_dir: /home |