Diffstat (limited to 'company.example')
18 files changed, 395 insertions, 0 deletions
diff --git a/company.example/ad-templates/krb5.conf.CentOS b/company.example/ad-templates/krb5.conf.CentOS
new file mode 100644
index 0000000..74570ae
--- /dev/null
+++ b/company.example/ad-templates/krb5.conf.CentOS
@@ -0,0 +1,35 @@
+# Ansible controlled filename: /etc/krb5.conf
+# Source: ansible bgstack15-ad/templates/krb5.conf.CentOS
+# Date: 2016-03-04
+# Reference: Building the Centos 7 Template.docx
+# NOTE: This file is managed via Ansible: manual changes will be lost
+
+[logging]
+ default = FILE:/var/log/krb5libs.log
+ kdc = FILE:/var/log/krb5kdc.log
+ admin_server = FILE:/var/log/kadmind.log
+
+[libdefaults]
+ dns_lookup_realm = false
+ ticket_lifetime = 24h
+ renew_lifetime = 7d
+ forwardable = true
+ rdns = false
+ default_ccache_name = KEYRING:persistent:%{uid}
+
+ default_realm = EXAMPLE.COM
+[realms]
+ EXAMPLE.COM = {
+ kdc = dc1.example.com
+ kdc = dc2.example.com
+ kdc = dc3.example.com
+ kdc = dc4.example.com
+ admin_server = dc1.example.com
+ admin_server = dc2.example.com
+ admin_server = dc3.example.com
+ admin_server = dc4.example.com
+ }
+
+[domain_realm]
+example.com = EXAMPLE.COM
+ .example.com = EXAMPLE.COM
diff --git a/company.example/ad-templates/krb5.conf.FreeBSD b/company.example/ad-templates/krb5.conf.FreeBSD
new file mode 100644
index 0000000..e6b8a3a
--- /dev/null
+++ b/company.example/ad-templates/krb5.conf.FreeBSD
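Review bot: `forwardable = true` in [libdefaults] makes every TGT issued on these hosts forwardable, so any GSSAPI service a user connects to with delegation enabled can receive a usable copy of their credentials; if that is deliberate, a comment above the key stating which workflow needs it, e.g. `# forwardable TGTs required for <reason>; enables credential delegation`, would keep the next maintainer from "fixing" it either way. This file, krb5.conf.FreeBSD in the next hunk and krb5.conf.Ubuntu two hunks below are the same text apart from the Source line and the FreeBSD ccache keys, so one template with the ccache settings driven by a variable would avoid the three copies drifting. In [domain_realm] `example.com = EXAMPLE.COM` is flush left while `.example.com` is indented, and `default_realm` is set off from the rest of [libdefaults] by a blank line with none before `[realms]`; worth normalising while the files are new.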
@@ -0,0 +1,37 @@
+# Ansible controlled filename: /etc/krb5.conf
+# Source: ansible bgstack15-ad/templates/krb5.conf.FreeBSD
+# Date: 2016-03-04
+# Reference: Building the Centos 7 Template.docx
+# NOTE: This file is managed via Ansible: manual changes will be lost
+
+[logging]
+ default = FILE:/var/log/krb5libs.log
+ kdc = FILE:/var/log/krb5kdc.log
+ admin_server = FILE:/var/log/kadmind.log
+
+[libdefaults]
+ dns_lookup_realm = false
+ ticket_lifetime = 24h
+ renew_lifetime = 7d
+ forwardable = true
+ rdns = false
+ default_ccache_name = FILE:/tmp/krb5cc_%u
+ proxiable = true
+ ccache_type = 4
+
+ default_realm = EXAMPLE.COM
+[realms]
+ EXAMPLE.COM = {
+ kdc = dc1.example.com
+ kdc = dc2.example.com
+ kdc = dc3.example.com
+ kdc = dc4.example.com
+ admin_server = dc1.example.com
+ admin_server = dc2.example.com
+ admin_server = dc3.example.com
+ admin_server = dc4.example.com
+ }
+
+[domain_realm]
+example.com = EXAMPLE.COM
+ .example.com = EXAMPLE.COM
diff --git a/company.example/ad-templates/krb5.conf.Ubuntu b/company.example/ad-templates/krb5.conf.Ubuntu
new file mode 100644
index 0000000..6a4c23b
--- /dev/null
+++ b/company.example/ad-templates/krb5.conf.Ubuntu
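Review bot: `proxiable = true` appears only in this FreeBSD variant, on top of `forwardable = true`, with nothing saying what needs proxiable tickets; it is rarely required and widens what a ticket can be used for, so either document the consumer above the key (`# proxiable needed by <service>`) or drop it to match the CentOS and Ubuntu files. `default_ccache_name = FILE:/tmp/krb5cc_%u` with `ccache_type = 4` is the expected substitute for the keyring cache on FreeBSD, but that is the one platform-specific decision in the file and deserves a one-line comment. `# Reference: Building the Centos 7 Template.docx` was carried over verbatim and does not describe this file.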
@@ -0,0 +1,35 @@
+# Ansible controlled filename: /etc/krb5.conf
+# Source: ansible bgstack15-ad/templates/krb5.conf.Ubuntu
+# Date: 2016-03-04
+# Reference: Building the Centos 7 Template.docx
+# NOTE: This file is managed via Ansible: manual changes will be lost
+
+[logging]
+ default = FILE:/var/log/krb5libs.log
+ kdc = FILE:/var/log/krb5kdc.log
+ admin_server = FILE:/var/log/kadmind.log
+
+[libdefaults]
+ dns_lookup_realm = false
+ ticket_lifetime = 24h
+ renew_lifetime = 7d
+ forwardable = true
+ rdns = false
+ default_ccache_name = KEYRING:persistent:%{uid}
+
+ default_realm = EXAMPLE.COM
+[realms]
+ EXAMPLE.COM = {
+ kdc = dc1.example.com
+ kdc = dc2.example.com
+ kdc = dc3.example.com
+ kdc = dc4.example.com
+ admin_server = dc1.example.com
+ admin_server = dc2.example.com
+ admin_server = dc3.example.com
+ admin_server = dc4.example.com
+ }
+
+[domain_realm]
+example.com = EXAMPLE.COM
+ .example.com = EXAMPLE.COM
diff --git a/company.example/ad-templates/sssd.conf.CentOS b/company.example/ad-templates/sssd.conf.CentOS
new file mode 100644
index 0000000..8678bd2
--- /dev/null
+++ b/company.example/ad-templates/sssd.conf.CentOS
@@ -0,0 +1,42 @@
+# Ansible-controlled filename: /etc/sssd/sssd.conf
+# Source: ansible sssd.conf.CentOS
+# Date: 2016-03-04
+# Reference: Building the Centos 7 Template.docx
+# NOTE: This file is managed via Ansible: manual changes will be lost
+
+[domain/default]
+autofs_provider = ldap
+cache_credentials = True
+krb5_realm = EXAMPLE.COM
+ldap_search_base = dc=example,dc=edu
+krb5_server = dc1.example.com,dc2.example.com,dc3.example.com,dc4.example.com
+id_provider = ldap
+auth_provider = krb5
+chpass_provider = krb5
+krb5_store_password_if_offline = True
+ldap_uri = ldap://example.com
+krb5_kpasswd = dc1.example.com,dc2.example.com,dc3.example.com,dc4.example.com
+ldap_tls_cacertdir = /etc/openldap/cacerts
+
+[sssd]
+domains = default, example.com
+config_file_version = 2
+services = nss, pam, autofs
+
+[domain/example.com]
+ad_domain = example.com
+krb5_realm = EXAMPLE.COM
+realmd_tags = manages-system joined-with-samba
+cache_credentials = True
+id_provider = ad
+krb5_store_password_if_offline = True
+default_shell = /bin/bash
+ldap_id_mapping = False
+use_fully_qualified_names = False
+fallback_homedir = /home/%d/%u
+access_provider = ad
+ad_access_filter = (&(memberOf=CN=Linux-Server-Access_grp,OU=Linux-Access,OU=Accounts-Groups,DC=example,DC=edu)(unixHomeDirectory=*))
+simple_allow_users = Alice, alice, Bob, bob
+case_sensitive = true
+ad_gpo_access_control = disabled
+[autofs]
diff --git a/company.example/ad-templates/sssd.conf.FreeBSD b/company.example/ad-templates/sssd.conf.FreeBSD
new file mode 100644
index 0000000..4b6a816
--- /dev/null
+++ b/company.example/ad-templates/sssd.conf.FreeBSD
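Review bot: `simple_allow_users = Alice, alice, Bob, bob` in [domain/example.com] has no effect, because `access_provider = ad` two lines above means only `ad_access_filter` is consulted and the simple allow list is ignored; drop the line or switch the provider, and comment which mechanism is meant to gate logins. `ad_gpo_access_control = disabled` switches off GPO logon-right enforcement for the whole domain and needs a why-comment above it, e.g. `# GPO access control disabled: <reason>`. In [domain/default], `ldap_uri = ldap://example.com` is a plain-LDAP URI with no `ldap_id_use_start_tls`, so identity lookups go unencrypted even though `ldap_tls_cacertdir` suggests TLS was intended; confirm which is wanted. These three points apply unchanged to sssd.conf.FreeBSD and sssd.conf.Ubuntu in the following hunks.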
@@ -0,0 +1,41 @@
+# Ansible-controlled filename: /etc/sssd/sssd.conf
+# Source: ansible sssd.conf.FreeBSD
+# Date: 2016-03-04
+# Reference: Building the Centos 7 Template.docx
+# NOTE: This file is managed via Ansible: manual changes will be lost
+
+[domain/default]
+autofs_provider = ldap
+cache_credentials = True
+krb5_realm = EXAMPLE.COM
+ldap_search_base = dc=example,dc=edu
+krb5_server = dc1.example.com,dc2.example.com,dc3.example.com,dc4.example.com
+id_provider = ldap
+auth_provider = krb5
+chpass_provider = krb5
+krb5_store_password_if_offline = True
+ldap_uri = ldap://example.com
+krb5_kpasswd = dc1.example.com,dc2.example.com,dc3.example.com,dc4.example.com
+ldap_tls_cacertdir = /etc/openldap/cacerts
+
+[sssd]
+domains = default, example.com
+config_file_version = 2
+services = nss, pam
+
+[domain/example.com]
+ad_domain = example.com
+krb5_realm = EXAMPLE.COM
+realmd_tags = manages-system joined-with-samba
+cache_credentials = True
+id_provider = ad
+krb5_store_password_if_offline = True
+default_shell = /bin/bash
+ldap_id_mapping = False
+use_fully_qualified_names = False
+fallback_homedir = /home/%d/%u
+access_provider = ad
+ad_access_filter = (&(memberOf=CN=Linux-Server-Access_grp,OU=Linux-Access,OU=Accounts-Groups,DC=example,DC=edu)(unixHomeDirectory=*))
+simple_allow_users = Alice, alice, Bob, bob
+case_sensitive = true
+ad_gpo_access_control = disabled
diff --git a/company.example/ad-templates/sssd.conf.Ubuntu b/company.example/ad-templates/sssd.conf.Ubuntu
new file mode 100644
index 0000000..a37f7b5
--- /dev/null
+++ b/company.example/ad-templates/sssd.conf.Ubuntu
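Review bot: `ldap_tls_cacertdir = /etc/openldap/cacerts` is the CentOS path copied into the FreeBSD template (and into sssd.conf.Ubuntu in the next hunk); on FreeBSD the OpenLDAP tree normally lives under /usr/local/etc and on Ubuntu under /etc/ldap, so the directory likely does not exist on those hosts and any TLS-protected LDAP lookup would fail certificate validation. The ad-vars/FreeBSD.yml file in this commit already overrides `sssd_dir` per platform, so this path is a natural candidate for the same treatment. The header still says `# Reference: Building the Centos 7 Template.docx`, which does not describe a FreeBSD file.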
@@ -0,0 +1,42 @@
+# Ansible-controlled filename: /etc/sssd/sssd.conf
+# Source: ansible sssd.conf.Ubuntu
+# Date: 2016-03-04
+# Reference: Building the Centos 7 Template.docx
+# NOTE: This file is managed via Ansible: manual changes will be lost
+
+[domain/default]
+autofs_provider = ldap
+cache_credentials = True
+krb5_realm = EXAMPLE.COM
+ldap_search_base = dc=example,dc=edu
+krb5_server = dc1.example.com,dc2.example.com,dc3.example.com,dc4.example.com
+id_provider = ldap
+auth_provider = krb5
+chpass_provider = krb5
+krb5_store_password_if_offline = True
+ldap_uri = ldap://example.com
+krb5_kpasswd = dc1.example.com,dc2.example.com,dc3.example.com,dc4.example.com
+ldap_tls_cacertdir = /etc/openldap/cacerts
+
+[sssd]
+domains = default, example.com
+config_file_version = 2
+services = nss, pam, autofs
+
+[domain/example.com]
+ad_domain = example.com
+krb5_realm = EXAMPLE.COM
+realmd_tags = manages-system joined-with-samba
+cache_credentials = True
+id_provider = ad
+krb5_store_password_if_offline = True
+default_shell = /bin/bash
+ldap_id_mapping = False
+use_fully_qualified_names = False
+fallback_homedir = /home/%d/%u
+access_provider = ad
+ad_access_filter = (&(memberOf=CN=Linux-Server-Access_grp,OU=Linux-Access,OU=Accounts-Groups,DC=example,DC=edu)(unixHomeDirectory=*))
+simple_allow_users = Alice, alice, Bob, bob
+case_sensitive = true
+ad_gpo_access_control = disabled
+[autofs]
diff --git a/company.example/ad-vars/FreeBSD.yml b/company.example/ad-vars/FreeBSD.yml
new file mode 100644
index 0000000..7ff821f
--- /dev/null
+++ b/company.example/ad-vars/FreeBSD.yml
@@ -0,0 +1,4 @@
+---
+sssd_dir: /usr/local/etc/sssd
+ad_access_filter: (&(memberOf=CN=Linux-Server-Access_grp,OU=Linux-Access,OU=Accounts-Groups,DC=example,DC=edu)(unixHomeDirectory=*))
+simple_allow_users: Alice, alice, alice-local
diff --git a/company.example/ad-vars/default.yml b/company.example/ad-vars/default.yml
new file mode 100644
index 0000000..cb65db8
--- /dev/null
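Review bot: `ad_access_filter` and `simple_allow_users` are defined here, but every sssd.conf.* template in this commit hardcodes both values rather than referencing `{{ ad_access_filter }}` / `{{ simple_allow_users }}`, so as far as these hunks show the two variables are never read, and the user list here (`Alice, alice, alice-local`) silently disagrees with the `Alice, alice, Bob, bob` baked into the templates. Pick one source of truth: template the keys from these variables, or delete the variables so nobody edits the wrong place. `krb5_conf_dir` from default.yml is not overridden for FreeBSD; confirm /etc is where krb5.conf is expected there.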
+++ b/company.example/ad-vars/default.yml
@@ -0,0 +1,3 @@
+---
+sssd_dir: /etc/sssd
+krb5_conf_dir: /etc
diff --git a/company.example/fail2ban-files/filter.d/20_example-blns.filter b/company.example/fail2ban-files/filter.d/20_example-blns.filter
new file mode 100644
index 0000000..c39cefa
--- /dev/null
+++ b/company.example/fail2ban-files/filter.d/20_example-blns.filter
@@ -0,0 +1,32 @@
+# Ansible controlled filename: /etc/fail2ban/filter.d/20_example-blns.filter
+# Source: ansible bgstack15-fail2ban/files/example-blns.filter
+# Date: 2016-04-19
+# Reference:
+# NOTE: This file is managed via Ansible: manual changes will be lost
+
+[Definition]
+failregex = ^.*<HOST>.*(GET|POST).*/etc/passwd.*$
+ ^.*<HOST>.*(GET|POST).*/etc/group.*$
+ ^.*<HOST>.*(GET|POST).*/etc/hosts.*$
+ ^.*<HOST>.*(GET|POST).*/proc/self/environ.*$
+ ^.*<HOST>.*(GET|POST).*(?i)admin.*admin.*$
+ ^.*<HOST>.*(GET|POST).*(?i)(php|db|pma|web|sql).*admin.*$
+ ^.*<HOST>.*(GET|POST).*(?i)admin.*(php|db|pma|web|sql).*$
+ ^.*<HOST>.*(GET|POST).*(?i)DELETE_comment.*$
+ ^.*<HOST>.*(GET|POST).*(?i)pma/scripts.*setup.*$
+ ^.*<HOST>.*(GET|POST).*(?i)pma([0-9]{4})?/? HTTP.*$
+ ^.*<HOST>.*(GET|POST).*(?i)(database|myadmin|mysql)/? HTTP.*$
+ ^.*<HOST>.*(GET|POST).*(?i)(dbweb|webdb|websql|sqlweb).*$
+ ^.*<HOST>.*(GET|POST).*(?i)(my)?sql.*manager.*$
+ ^.*<HOST>.*(GET|POST).*(?i)wp-(admin|login|signup|config).*$
+ ^.*<HOST>.*(GET|POST).*president/.*wp-cron\.php*$
+ ^.*<HOST>.*(GET|POST).*w00t.*blackhats.*$
+ ^.*<HOST>.*(GET|POST).*\+\+liker.profile_URL\+\+.*$
+ ^.*<HOST>.*(GET|POST).*muieblackcat.*$
+ ^.*<HOST>.*(GET|POST).*(?i)ldlogon.*$
+ ^.*<HOST>.*(GET|POST).*(?i)\.cobalt$
+ ^.*<HOST>.*(GET|POST).*(?i)\.intruvert\/jsp\/admin\/Login\.jsp$
+ ^.*<HOST>.*(GET|POST).*(?i)MSWSMTP\/Common\/Authentication\/Logon\.aspx$
+ ^.*<HOST>.*(GET|POST).*(?i)php\?password=[0-9]*\&re_password=.*\&login=var.*$
+
+ignoreregex =
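Review bot: The inline `(?i)` flags placed mid-pattern, as in `^.*<HOST>.*(GET|POST).*(?i)admin.*admin.*$`, are accepted by Python's `re` only at the very start of an expression on 3.11 and later (a DeprecationWarning since 3.6), so on a current fail2ban every pattern written this way is rejected at compile time and the jail does not start; write them as `(?i)^.*<HOST>.*(GET|POST).*admin.*admin.*$`. `^.*<HOST>` with a leading greedy `.*` lets the host group settle on a later token of the log line rather than the client address (fail2ban's filter documentation warns against exactly this), so for the apache access logs these jails watch an anchored form such as `^<HOST> .*"(GET|POST)` is more reliable. `wp-cron\.php*$` quantifies only the final `p`; `wp-cron\.php.*$` is presumably what was meant. The same `(?i)` placement is in 30_example-max3.filter in the next hunk.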
diff --git a/company.example/fail2ban-files/filter.d/30_example-max3.filter b/company.example/fail2ban-files/filter.d/30_example-max3.filter
new file mode 100644
index 0000000..af692af
--- /dev/null
+++ b/company.example/fail2ban-files/filter.d/30_example-max3.filter
@@ -0,0 +1,13 @@
+# Ansible controlled filename: /etc/fail2ban/filter.d/30_example-max3.filter
+# Source: ansible bgstack15-fail2ban/files/example-max3.filter
+# Date: 2016-07-12
+# Reference: example-blns.filter
+# NOTE: This file is managed via Ansible: manual changes will be lost
+
+[Definition]
+failregex = ^.*<HOST>.*(GET|POST).*(?i)\.cobalt$
+ ^.*<HOST>.*(GET|POST).*(?i)\.intruvert\/jsp\/admin\/Login\.jsp$
+ ^.*<HOST>.*(GET|POST).*(?i)MSWSMTP\/Common\/Authentication\/Logon\.aspx$
+ ^.*<HOST>.*(GET|POST).*(?i)php\?password=[0-9]*\&re_password=.*\&login=var.*$
+
+ignoreregex =
diff --git a/company.example/fail2ban-files/filter.d/60_sshd.filter b/company.example/fail2ban-files/filter.d/60_sshd.filter
new file mode 100644
index 0000000..33b8ba8
--- /dev/null
+++ b/company.example/fail2ban-files/filter.d/60_sshd.filter
@@ -0,0 +1,31 @@
+# Ansible-controlled filename: /etc/fail2ban/filter.d/60_sshd.filter
+# Source: ansible bgstack15-fail2ban/files/sshd.filter
+# Date: 2016-06-23
+# Reference: Ubuntu 16.04 fail2ban package sshd filter
+# NOTE: This file is managed via Ansible: manual changes will be lost
+
+[INCLUDES]
+before = common.conf
+
+[Definition]
+_daemon = sshd
+failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$
+ ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
+ ^%(__prefix_line)sFailed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?\S+ %(__md5hex)s(, client user ".*", client host ".*")?))?\s*$
+ ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
+ ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
+ ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers\s*$
+ ^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in DenyUsers\s*$
+ ^%(__prefix_line)sUser .+ from <HOST> not allowed because not in any group\s*$
+ ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
+ ^%(__prefix_line)sReceived disconnect from <HOST>: 3: \S+: Auth fail$
+ ^%(__prefix_line)sUser .+ from <HOST> not allowed because a group is listed in DenyGroups\s*$
+ ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
+ ^(?P<__prefix>%(__prefix_line)s)User .+ not allowed because account is locked<SKIPLINES>(?P=__prefix)(?:error: )?Received disconnect from <HOST>: 11: .+ \[preauth\]$
+ ^(?P<__prefix>%(__prefix_line)s)Disconnecting: Too many authentication failures for .+? \[preauth\]<SKIPLINES>(?P=__prefix)(?:error: )?Connection closed by <HOST> \[preauth\]$
+ ^(?P<__prefix>%(__prefix_line)s)Connection from <HOST> port \d+(?: on \S+ port \d+)?<SKIPLINES>(?P=__prefix)Disconnecting: Too many authentication failures for .+? \[preauth\]$
+ ^%(__prefix_line)spam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=\S*\s*rhost=<HOST>\s.*$
+ignoreregex =
+[Init]
+maxlines = 10
+journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd
diff --git a/company.example/fail2ban-files/jail.d/00_default.jail b/company.example/fail2ban-files/jail.d/00_default.jail
new file mode 100644
index 0000000..71cd3e8
--- /dev/null
+++ b/company.example/fail2ban-files/jail.d/00_default.jail
@@ -0,0 +1,10 @@
+# Ansible controlled filename: /etc/fail2ban/jail.d/00_default.filter
+# Source: ansible bgstack15-fail2ban/files/00_default.conf
+# Date: 2016-06-23
+# Reference:
+# NOTE: This file is managed via Ansible: manual changes will be lost
+
+[DEFAULT]
+ignoreip = 127.0.0.1/8 203.0.0.0/16 10.0.0.0/8 192.168.0.0/16 204.13.201.0/24 64.37.231.0/24
+# TrustKeeper Vulnerability Scan IPs = 204.13.201.0/24 64.37.231.0/24
+
diff --git a/company.example/fail2ban-files/jail.d/20_example-blns.jail b/company.example/fail2ban-files/jail.d/20_example-blns.jail
new file mode 100644
index 0000000..eb1d1c9
--- /dev/null
+++ b/company.example/fail2ban-files/jail.d/20_example-blns.jail
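Review bot: Nothing in this commit selects this filter: 60_sshd.jail further down sets `filter = sshd`, which resolves to the packaged filter.d/sshd.conf, so this vendored copy of the Ubuntu 16.04 filter is unused as far as the hunks show and, if it ever is used, freezes the distro's regexes at that version. fail2ban also resolves `filter = NAME` to `filter.d/NAME.conf`, while the header says this lands as `filter.d/60_sshd.filter`; the same extension question applies to 20_example-blns.filter and 30_example-max3.filter, which their jails reference as `20_example-blns` and `30_example-max3`, so either name the templates `.conf` or state the rename in the play's header comment. `[Init]` follows `ignoreregex =` with no blank line while the other sections here get one.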
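Review bot: fail2ban reads only `jail.d/*.conf`, so a file deployed as `jail.d/00_default.jail` (the path this diff adds; the header comment even calls it `00_default.filter`) is ignored unless the play renames it; confirm the rename and correct the header to the real target name. The `# TrustKeeper Vulnerability Scan IPs` comment sits below the `ignoreip` line it explains and reads as a header for whatever follows; move it above the key. Exempting all of `203.0.0.0/16` plus two scanner /24s from every jail is a broad allow-list, and a line saying who owns 203.0.0.0/16 would help the next reader judge it. The same extension question applies to 20_example-blns.jail, 30_example-max3.jail and 60_sshd.jail in the following hunks.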
@@ -0,0 +1,21 @@
+# Ansible controlled filename: /etc/fail2ban/jail.d/20_example-blns.jail
+# Source: ansible bgstack15-fail2ban/files/example-blns.jail
+# Date: 2016-04-19
+# Reference:
+# NOTE: This file is managed via Ansible: manual changes will be lost
+
+[example-blns]
+enabled = true
+action = iptables-allports
+ sendmail[name=exampleblns, dest=linuxadmin@example.com]
+filter = 20_example-blns
+logpath = /var/log/httpd/access_log
+ /var/log/httpd/error_log
+ /var/log/httpd/ssl_access_log
+ /var/log/httpd/ssl_error_log
+ /var/log/apache2/access_log
+ /var/log/apache2/error_log
+ /var/log/apache2/ssl_access_log
+ /var/log/apache2/ssl_error_log
+maxretry = 1
+bantime = 86400
diff --git a/company.example/fail2ban-files/jail.d/30_example-max3.jail b/company.example/fail2ban-files/jail.d/30_example-max3.jail
new file mode 100644
index 0000000..6ca7781
--- /dev/null
+++ b/company.example/fail2ban-files/jail.d/30_example-max3.jail
@@ -0,0 +1,21 @@
+# Ansible controlled filename: /etc/fail2ban/jail.d/30_example-max3.jail
+# Source: ansible bgstack15-fail2ban/files/example-max3.jail
+# Date: 2016-07-12
+# Reference: example-blns.jail
+# NOTE: This file is managed via Ansible: manual changes will be lost
+
+[example-max3]
+enabled = true
+action = iptables-allports
+ sendmail[name=examplemax3, dest=linuxadmin@example.com]
+filter = 30_example-max3
+logpath = /var/log/httpd/access_log
+ /var/log/httpd/error_log
+ /var/log/httpd/ssl_access_log
+ /var/log/httpd/ssl_error_log
+ /var/log/apache2/access_log
+ /var/log/apache2/error_log
+ /var/log/apache2/ssl_access_log
+ /var/log/apache2/ssl_error_log
+maxretry = 3
+bantime = 86400
diff --git a/company.example/fail2ban-files/jail.d/60_sshd.jail b/company.example/fail2ban-files/jail.d/60_sshd.jail
new file mode 100644
index 0000000..aeb2751
--- /dev/null
+++ b/company.example/fail2ban-files/jail.d/60_sshd.jail
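Review bot: `maxretry = 1` combined with `action = iptables-allports` and `bantime = 86400` means one request matching any 20_example-blns pattern blocks the source on every port for a day, and several of those patterns (`.*admin.*admin.*`, `.*(my)?sql.*manager.*`, `wp-(admin|login|signup|config)`) also match ordinary traffic to an admin console or a WordPress login, so a legitimate user who hits one of them once is fully locked out. Keep the single-hit ban for the unambiguous patterns and give the broad ones a higher threshold, or document why a one-strike policy is acceptable for these hosts. The `logpath` lists both the `/var/log/httpd/*` and `/var/log/apache2/*` families; on any one host only one family exists, and fail2ban 0.9 refuses to start a jail when none of its log paths exist, so confirm at least one path is guaranteed per platform. 30_example-max3.jail on the same line repeats the last four blns patterns against the same logs, so a single `.cobalt` hit is counted by both jails.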
@@ -0,0 +1,16 @@
+# Ansible controlled filename: /etc/fail2ban/jail.d/60_sshd.jail
+# Source: ansible bgstack15-fail2ban/files/sshd.jail
+# Date: 2016-06-23
+# Reference: Ubuntu 16.04 fail2ban package sshd jail
+# NOTE: This file is managed via Ansible: manual changes will be lost
+
+[ssh-iptables]
+
+enabled = true
+filter = sshd
+action = iptables[name=SSH, port=ssh, protocol=tcp]
+ sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com]
+logpath = %(sshd_log)s
+maxretry = 5
+
+ignoreip = 203.0.193.232/24
diff --git a/company.example/pubkeys/alice.pubkeys b/company.example/pubkeys/alice.pubkeys
new file mode 100644
index 0000000..6d807a6
--- /dev/null
+++ b/company.example/pubkeys/alice.pubkeys
@@ -0,0 +1,3 @@
+# version 3.0
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDG8xc7BV1xCcKrzQvQwDhAAX6uDne5lSpgCURg4Vx8Au8fsaiFSVlCky+OOQAJipgucG0QBPiL60sNNsY03sKIAh7TMKsoUZuQ5sJM6EpyKGEYaOKFXjaShDFMtdvwGIANh/e86qpVGRkje+p8fvNxbHOXsQpYF+HpAv8u/HbaQQYtdkWaeR6nIO8LXWOapgO7t5pMdRQJa67+4Yyc7IQQM66WMXX5Ik3nGMMHog2PgrpTtaEdKOV2TzSynLBlp3UmOkLa4D0euvMsTwjTmqeORfCMVyVeYwHhZoz4V99L1aYCeI1jDwhD5GEf/DKOhMNVsw7OhqTSfVz3sYGbq0or alice@aluminum.example.com
+ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAgURLzjIKMmN0Aq8YZTQp1N/6GMEuEs8WeOx2eg/lEXEFTxIQMMKYXxPDgzp2QLCQuuzgKOXBKw7KtnxtqTkmlAUWMDExSd7U1q/vZnDIubUFzZKbORJHWUOrI4Os/r9GPmnFro8kMCYjvmkUWIO82+JQHFBunICJcGKPJutcbSU= rsa-key-20130722
diff --git a/company.example/pubkeys/lcroce.pubkey b/company.example/pubkeys/lcroce.pubkey
new file mode 100644
index 0000000..fc39667
--- /dev/null
+++ b/company.example/pubkeys/lcroce.pubkey
@@ -0,0 +1 @@
+FOO 2016-09-22 08:49 this is the contents of bob.pubkey
diff --git a/company.example/resolv_conf-templates/resolv.conf b/company.example/resolv_conf-templates/resolv.conf
new file mode 100644
index 0000000..7a647b0
--- /dev/null
+++ b/company.example/resolv_conf-templates/resolv.conf
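Review bot: `ignoreip = 203.0.193.232/24` at jail level replaces, rather than extends, the `[DEFAULT]` `ignoreip` from 00_default.jail, so for this jail 127.0.0.1/8 and the private ranges are no longer exempt from banning; if the intent was to add one range, repeat the defaults here or put the range in 00_default.jail instead. The address also has host bits set for a /24, so it is unclear whether a single host or `203.0.193.0/24` was meant; write whichever it is. `filter = sshd` uses the packaged filter, not the 60_sshd.filter template added earlier in this commit, and `dest=root` differs from the `linuxadmin@example.com` recipient the other jails use; pick one recipient.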
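Review bot: The second key, `ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEA… rsa-key-20130722`, carries a 129-byte modulus length prefix (`AAAAIEA`) and the PuTTYgen exponent 37, i.e. it is a 1024-bit RSA key from 2013; 1024-bit RSA is well below the 3072-bit-or-larger minimum current guidance recommends, so it should be retired and a longer key issued before this file is pushed to every host's authorized_keys. `# version 3.0` on the first line is opaque; say what is versioned or drop it. The file name uses `.pubkeys` while the sibling added below is `lcroce.pubkey`; a glob-based play would pick up only one of the two spellings.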
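Review bot: `FOO 2016-09-22 08:49 this is the contents of bob.pubkey` is placeholder text rather than a key, and the file name (lcroce) does not match what the placeholder claims to be (bob); if the play concatenates these files into authorized_keys, sshd skips the malformed line, but a placeholder that reads like a mistake should not ship to hosts. Either add the real key or drop the file until it exists. The `.pubkey` extension also differs from `alice.pubkeys` in the previous hunk.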
@@ -0,0 +1,8 @@
+# File managed by ansible
+
+search example.com
+nameserver 10.1.16.1
+nameserver 10.2.16.1
+nameserver 10.1.16.2
+nameserver 10.2.16.2
+options timeout:3 rotate
|