From 4db266d0ec2f78079c8ff271cdb2e78230d3b090 Mon Sep 17 00:00:00 2001 
From: B Stack Date: Thu, 29 Sep 2016 16:01:25 -0400 Subject: major overhaul --- company.example/ad-templates/krb5.conf.CentOS | 35 ------- company.example/ad-templates/krb5.conf.FreeBSD | 37 ------- company.example/ad-templates/krb5.conf.Ubuntu | 35 ------- company.example/ad-templates/sssd.conf.CentOS | 42 -------- company.example/ad-templates/sssd.conf.FreeBSD | 41 -------- company.example/ad-templates/sssd.conf.Ubuntu | 42 -------- company.example/ad-vars/FreeBSD.yml | 4 - company.example/ad-vars/default.yml | 3 - .../fail2ban-files/filter.d/20_example-blns.filter | 32 ------ .../fail2ban-files/filter.d/30_example-max3.filter | 13 --- .../fail2ban-files/filter.d/60_sshd.filter | 31 ------ .../fail2ban-files/jail.d/00_default.jail | 10 -- .../fail2ban-files/jail.d/20_example-blns.jail | 21 ---- .../fail2ban-files/jail.d/30_example-max3.jail | 21 ---- company.example/fail2ban-files/jail.d/60_sshd.jail | 16 --- company.example/pubkeys/alice.pubkeys | 3 - company.example/pubkeys/lcroce.pubkey | 1 - company.example/resolv_conf-templates/resolv.conf | 8 -- company/ad-templates/krb5.conf.CentOS | 35 +++++++ company/ad-templates/krb5.conf.FreeBSD | 37 +++++++ company/ad-templates/krb5.conf.Ubuntu | 35 +++++++ company/ad-templates/sssd.conf.CentOS | 42 ++++++++ company/ad-templates/sssd.conf.FreeBSD | 41 ++++++++ company/ad-templates/sssd.conf.Ubuntu | 42 ++++++++ company/ad-vars/FreeBSD.yml | 4 + company/ad-vars/default.yml | 3 + company/fail2ban-files/filter.d/20_bju-blns.filter | 32 ++++++ company/fail2ban-files/filter.d/30_bju-max3.filter | 13 +++ company/fail2ban-files/filter.d/60_sshd.filter | 31 ++++++ company/fail2ban-files/jail.d/00_default.jail | 10 ++ company/fail2ban-files/jail.d/20_bju-blns.jail | 21 ++++ company/fail2ban-files/jail.d/30_bju-max3.jail | 21 ++++ company/fail2ban-files/jail.d/60_sshd.jail | 16 +++ company/pubkeys/bgirton.pubkeys | 3 + company/pubkeys/lcroce.pubkey | 1 + company/resolv_conf-templates/resolv.conf | 8 ++ hosts | 30 ++++++ 
hosts.example | 30 ------ inc/scrub.py | 109 +++++++++++++++++++++ inc/scrub.txt | 23 +++++ master.yml | 18 ++++ master.yml.example | 18 ---- roles/ad/hosts/default.yml | 4 + test.yml | 12 +++ 44 files changed, 591 insertions(+), 443 deletions(-) delete mode 100644 company.example/ad-templates/krb5.conf.CentOS delete mode 100644 company.example/ad-templates/krb5.conf.FreeBSD delete mode 100644 company.example/ad-templates/krb5.conf.Ubuntu delete mode 100644 company.example/ad-templates/sssd.conf.CentOS delete mode 100644 company.example/ad-templates/sssd.conf.FreeBSD delete mode 100644 company.example/ad-templates/sssd.conf.Ubuntu delete mode 100644 company.example/ad-vars/FreeBSD.yml delete mode 100644 company.example/ad-vars/default.yml delete mode 100644 company.example/fail2ban-files/filter.d/20_example-blns.filter delete mode 100644 company.example/fail2ban-files/filter.d/30_example-max3.filter delete mode 100644 company.example/fail2ban-files/filter.d/60_sshd.filter delete mode 100644 company.example/fail2ban-files/jail.d/00_default.jail delete mode 100644 company.example/fail2ban-files/jail.d/20_example-blns.jail delete mode 100644 company.example/fail2ban-files/jail.d/30_example-max3.jail delete mode 100644 company.example/fail2ban-files/jail.d/60_sshd.jail delete mode 100644 company.example/pubkeys/alice.pubkeys delete mode 100644 company.example/pubkeys/lcroce.pubkey delete mode 100644 company.example/resolv_conf-templates/resolv.conf create mode 100644 company/ad-templates/krb5.conf.CentOS create mode 100644 company/ad-templates/krb5.conf.FreeBSD create mode 100644 company/ad-templates/krb5.conf.Ubuntu create mode 100644 company/ad-templates/sssd.conf.CentOS create mode 100644 company/ad-templates/sssd.conf.FreeBSD create mode 100644 company/ad-templates/sssd.conf.Ubuntu create mode 100644 company/ad-vars/FreeBSD.yml create mode 100644 company/ad-vars/default.yml create mode 100644 company/fail2ban-files/filter.d/20_bju-blns.filter create mode 100644 
company/fail2ban-files/filter.d/30_bju-max3.filter create mode 100644 company/fail2ban-files/filter.d/60_sshd.filter create mode 100644 company/fail2ban-files/jail.d/00_default.jail create mode 100644 company/fail2ban-files/jail.d/20_bju-blns.jail create mode 100644 company/fail2ban-files/jail.d/30_bju-max3.jail create mode 100644 company/fail2ban-files/jail.d/60_sshd.jail create mode 100644 company/pubkeys/bgirton.pubkeys create mode 100644 company/pubkeys/lcroce.pubkey create mode 100644 company/resolv_conf-templates/resolv.conf create mode 100644 hosts delete mode 100644 hosts.example create mode 100755 inc/scrub.py create mode 100644 inc/scrub.txt create mode 100644 master.yml delete mode 100644 master.yml.example create mode 100644 roles/ad/hosts/default.yml create mode 100644 test.yml diff --git a/company.example/ad-templates/krb5.conf.CentOS b/company.example/ad-templates/krb5.conf.CentOS deleted file mode 100644 index 74570ae..0000000 --- a/company.example/ad-templates/krb5.conf.CentOS +++ /dev/null @@ -1,35 +0,0 @@ -# Ansible controlled filename: /etc/krb5.conf -# Source: ansible bgstack15-ad/templates/krb5.conf.CentOS -# Date: 2016-03-04 -# Reference: Building the Centos 7 Template.docx -# NOTE: This file is managed via Ansible: manual changes will be lost - -[logging] - default = FILE:/var/log/krb5libs.log - kdc = FILE:/var/log/krb5kdc.log - admin_server = FILE:/var/log/kadmind.log - -[libdefaults] - dns_lookup_realm = false - ticket_lifetime = 24h - renew_lifetime = 7d - forwardable = true - rdns = false - default_ccache_name = KEYRING:persistent:%{uid} - - default_realm = EXAMPLE.COM -[realms] - EXAMPLE.COM = { - kdc = dc1.example.com - kdc = dc2.example.com - kdc = dc3.example.com - kdc = dc4.example.com - admin_server = dc1.example.com - admin_server = dc2.example.com - admin_server = dc3.example.com - admin_server = dc4.example.com - } - -[domain_realm] -example.com = EXAMPLE.COM - .example.com = EXAMPLE.COM 
diff --git a/company.example/ad-templates/krb5.conf.FreeBSD b/company.example/ad-templates/krb5.conf.FreeBSD deleted file mode 100644 index e6b8a3a..0000000 --- a/company.example/ad-templates/krb5.conf.FreeBSD +++ /dev/null @@ -1,37 +0,0 @@ -# Ansible controlled filename: /etc/krb5.conf -# Source: ansible bgstack15-ad/templates/krb5.conf.FreeBSD -# Date: 2016-03-04 -# Reference: Building the Centos 7 Template.docx -# NOTE: This file is managed via Ansible: manual changes will be lost - -[logging] - default = FILE:/var/log/krb5libs.log - kdc = FILE:/var/log/krb5kdc.log - admin_server = FILE:/var/log/kadmind.log - -[libdefaults] - dns_lookup_realm = false - ticket_lifetime = 24h - renew_lifetime = 7d - forwardable = true - rdns = false - default_ccache_name = FILE:/tmp/krb5cc_%u - proxiable = true - ccache_type = 4 - - default_realm = EXAMPLE.COM -[realms] - EXAMPLE.COM = { - kdc = dc1.example.com - kdc = dc2.example.com - kdc = dc3.example.com - kdc = dc4.example.com - admin_server = dc1.example.com - admin_server = dc2.example.com - admin_server = dc3.example.com - admin_server = dc4.example.com - } - -[domain_realm] -example.com = EXAMPLE.COM - .example.com = EXAMPLE.COM diff --git a/company.example/ad-templates/krb5.conf.Ubuntu b/company.example/ad-templates/krb5.conf.Ubuntu deleted file mode 100644 index 6a4c23b..0000000 --- a/company.example/ad-templates/krb5.conf.Ubuntu +++ /dev/null 
@@ -1,35 +0,0 @@ -# Ansible controlled filename: /etc/krb5.conf -# Source: ansible bgstack15-ad/templates/krb5.conf.Ubuntu -# Date: 2016-03-04 -# Reference: Building the Centos 7 Template.docx -# NOTE: This file is managed via Ansible: manual changes will be lost - -[logging] - default = FILE:/var/log/krb5libs.log - kdc = FILE:/var/log/krb5kdc.log - admin_server = FILE:/var/log/kadmind.log - -[libdefaults] - dns_lookup_realm = false - ticket_lifetime = 24h - renew_lifetime = 7d - forwardable = true - rdns = false - default_ccache_name = KEYRING:persistent:%{uid} - - default_realm = EXAMPLE.COM -[realms] - EXAMPLE.COM = { - kdc = dc1.example.com - kdc = dc2.example.com - kdc = dc3.example.com - kdc = dc4.example.com - admin_server = dc1.example.com - admin_server = dc2.example.com - admin_server = dc3.example.com - admin_server = dc4.example.com - } - -[domain_realm] -example.com = EXAMPLE.COM - .example.com = EXAMPLE.COM diff --git a/company.example/ad-templates/sssd.conf.CentOS b/company.example/ad-templates/sssd.conf.CentOS deleted file mode 100644 index 8678bd2..0000000 --- a/company.example/ad-templates/sssd.conf.CentOS +++ /dev/null 
@@ -1,42 +0,0 @@ -# Ansible-controlled filename: /etc/sssd/sssd.conf -# Source: ansible sssd.conf.CentOS -# Date: 2016-03-04 -# Reference: Building the Centos 7 Template.docx -# NOTE: This file is managed via Ansible: manual changes will be lost - -[domain/default] -autofs_provider = ldap -cache_credentials = True -krb5_realm = EXAMPLE.COM -ldap_search_base = dc=example,dc=edu -krb5_server = dc1.example.com,dc2.example.com,dc3.example.com,dc4.example.com -id_provider = ldap -auth_provider = krb5 -chpass_provider = krb5 -krb5_store_password_if_offline = True -ldap_uri = ldap://example.com -krb5_kpasswd = dc1.example.com,dc2.example.com,dc3.example.com,dc4.example.com -ldap_tls_cacertdir = /etc/openldap/cacerts - -[sssd] -domains = default, example.com -config_file_version = 2 -services = nss, pam, autofs - -[domain/example.com] -ad_domain = example.com -krb5_realm = EXAMPLE.COM -realmd_tags = manages-system joined-with-samba -cache_credentials = True -id_provider = ad -krb5_store_password_if_offline = True -default_shell = /bin/bash -ldap_id_mapping = False -use_fully_qualified_names = False -fallback_homedir = /home/%d/%u -access_provider = ad -ad_access_filter = (&(memberOf=CN=Linux-Server-Access_grp,OU=Linux-Access,OU=Accounts-Groups,DC=example,DC=edu)(unixHomeDirectory=*)) -simple_allow_users = Alice, alice, Bob, bob -case_sensitive = true -ad_gpo_access_control = disabled -[autofs] diff --git a/company.example/ad-templates/sssd.conf.FreeBSD b/company.example/ad-templates/sssd.conf.FreeBSD deleted file mode 100644 index 4b6a816..0000000 --- a/company.example/ad-templates/sssd.conf.FreeBSD +++ /dev/null 
@@ -1,41 +0,0 @@ -# Ansible-controlled filename: /etc/sssd/sssd.conf -# Source: ansible sssd.conf.FreeBSD -# Date: 2016-03-04 -# Reference: Building the Centos 7 Template.docx -# NOTE: This file is managed via Ansible: manual changes will be lost - -[domain/default] -autofs_provider = ldap -cache_credentials = True -krb5_realm = EXAMPLE.COM -ldap_search_base = dc=example,dc=edu -krb5_server = dc1.example.com,dc2.example.com,dc3.example.com,dc4.example.com -id_provider = ldap -auth_provider = krb5 -chpass_provider = krb5 -krb5_store_password_if_offline = True -ldap_uri = ldap://example.com -krb5_kpasswd = dc1.example.com,dc2.example.com,dc3.example.com,dc4.example.com -ldap_tls_cacertdir = /etc/openldap/cacerts - -[sssd] -domains = default, example.com -config_file_version = 2 -services = nss, pam - -[domain/example.com] -ad_domain = example.com -krb5_realm = EXAMPLE.COM -realmd_tags = manages-system joined-with-samba -cache_credentials = True -id_provider = ad -krb5_store_password_if_offline = True -default_shell = /bin/bash -ldap_id_mapping = False -use_fully_qualified_names = False -fallback_homedir = /home/%d/%u -access_provider = ad -ad_access_filter = (&(memberOf=CN=Linux-Server-Access_grp,OU=Linux-Access,OU=Accounts-Groups,DC=example,DC=edu)(unixHomeDirectory=*)) -simple_allow_users = Alice, alice, Bob, bob -case_sensitive = true -ad_gpo_access_control = disabled diff --git a/company.example/ad-templates/sssd.conf.Ubuntu b/company.example/ad-templates/sssd.conf.Ubuntu deleted file mode 100644 index a37f7b5..0000000 --- a/company.example/ad-templates/sssd.conf.Ubuntu +++ /dev/null 
@@ -1,42 +0,0 @@ -# Ansible-controlled filename: /etc/sssd/sssd.conf -# Source: ansible sssd.conf.Ubuntu -# Date: 2016-03-04 -# Reference: Building the Centos 7 Template.docx -# NOTE: This file is managed via Ansible: manual changes will be lost - -[domain/default] -autofs_provider = ldap -cache_credentials = True -krb5_realm = EXAMPLE.COM -ldap_search_base = dc=example,dc=edu -krb5_server = dc1.example.com,dc2.example.com,dc3.example.com,dc4.example.com -id_provider = ldap -auth_provider = krb5 -chpass_provider = krb5 -krb5_store_password_if_offline = True -ldap_uri = ldap://example.com -krb5_kpasswd = dc1.example.com,dc2.example.com,dc3.example.com,dc4.example.com -ldap_tls_cacertdir = /etc/openldap/cacerts - -[sssd] -domains = default, example.com -config_file_version = 2 -services = nss, pam, autofs - -[domain/example.com] -ad_domain = example.com -krb5_realm = EXAMPLE.COM -realmd_tags = manages-system joined-with-samba -cache_credentials = True -id_provider = ad -krb5_store_password_if_offline = True -default_shell = /bin/bash -ldap_id_mapping = False -use_fully_qualified_names = False -fallback_homedir = /home/%d/%u -access_provider = ad -ad_access_filter = (&(memberOf=CN=Linux-Server-Access_grp,OU=Linux-Access,OU=Accounts-Groups,DC=example,DC=edu)(unixHomeDirectory=*)) -simple_allow_users = Alice, alice, Bob, bob -case_sensitive = true -ad_gpo_access_control = disabled -[autofs] diff --git a/company.example/ad-vars/FreeBSD.yml b/company.example/ad-vars/FreeBSD.yml deleted file mode 100644 index 7ff821f..0000000 --- a/company.example/ad-vars/FreeBSD.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -sssd_dir: /usr/local/etc/sssd -ad_access_filter: (&(memberOf=CN=Linux-Server-Access_grp,OU=Linux-Access,OU=Accounts-Groups,DC=example,DC=edu)(unixHomeDirectory=*)) -simple_allow_users: Alice, alice, alice-local diff --git a/company.example/ad-vars/default.yml b/company.example/ad-vars/default.yml deleted file mode 100644 index cb65db8..0000000 
--- a/company.example/ad-vars/default.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -sssd_dir: /etc/sssd -krb5_conf_dir: /etc diff --git a/company.example/fail2ban-files/filter.d/20_example-blns.filter b/company.example/fail2ban-files/filter.d/20_example-blns.filter deleted file mode 100644 index c39cefa..0000000 --- a/company.example/fail2ban-files/filter.d/20_example-blns.filter +++ /dev/null @@ -1,32 +0,0 @@ -# Ansible controlled filename: /etc/fail2ban/filter.d/20_example-blns.filter -# Source: ansible bgstack15-fail2ban/files/example-blns.filter -# Date: 2016-04-19 -# Reference: -# NOTE: This file is managed via Ansible: manual changes will be lost - -[Definition] -failregex = ^.*.*(GET|POST).*/etc/passwd.*$ - ^.*.*(GET|POST).*/etc/group.*$ - ^.*.*(GET|POST).*/etc/hosts.*$ - ^.*.*(GET|POST).*/proc/self/environ.*$ - ^.*.*(GET|POST).*(?i)admin.*admin.*$ - ^.*.*(GET|POST).*(?i)(php|db|pma|web|sql).*admin.*$ - ^.*.*(GET|POST).*(?i)admin.*(php|db|pma|web|sql).*$ - ^.*.*(GET|POST).*(?i)DELETE_comment.*$ - ^.*.*(GET|POST).*(?i)pma/scripts.*setup.*$ - ^.*.*(GET|POST).*(?i)pma([0-9]{4})?/? HTTP.*$ - ^.*.*(GET|POST).*(?i)(database|myadmin|mysql)/? HTTP.*$ - ^.*.*(GET|POST).*(?i)(dbweb|webdb|websql|sqlweb).*$ - ^.*.*(GET|POST).*(?i)(my)?sql.*manager.*$ - ^.*.*(GET|POST).*(?i)wp-(admin|login|signup|config).*$ - ^.*.*(GET|POST).*president/.*wp-cron\.php*$ - ^.*.*(GET|POST).*w00t.*blackhats.*$ - ^.*.*(GET|POST).*\+\+liker.profile_URL\+\+.*$ - ^.*.*(GET|POST).*muieblackcat.*$ - ^.*.*(GET|POST).*(?i)ldlogon.*$ - ^.*.*(GET|POST).*(?i)\.cobalt$ - ^.*.*(GET|POST).*(?i)\.intruvert\/jsp\/admin\/Login\.jsp$ - ^.*.*(GET|POST).*(?i)MSWSMTP\/Common\/Authentication\/Logon\.aspx$ - ^.*.*(GET|POST).*(?i)php\?password=[0-9]*\&re_password=.*\&login=var.*$ - -ignoreregex = diff --git a/company.example/fail2ban-files/filter.d/30_example-max3.filter b/company.example/fail2ban-files/filter.d/30_example-max3.filter deleted file mode 100644 index af692af..0000000 
--- a/company.example/fail2ban-files/filter.d/30_example-max3.filter +++ /dev/null @@ -1,13 +0,0 @@ -# Ansible controlled filename: /etc/fail2ban/filter.d/30_example-max3.filter -# Source: ansible bgstack15-fail2ban/files/example-max3.filter -# Date: 2016-07-12 -# Reference: example-blns.filter -# NOTE: This file is managed via Ansible: manual changes will be lost - -[Definition] -failregex = ^.*.*(GET|POST).*(?i)\.cobalt$ - ^.*.*(GET|POST).*(?i)\.intruvert\/jsp\/admin\/Login\.jsp$ - ^.*.*(GET|POST).*(?i)MSWSMTP\/Common\/Authentication\/Logon\.aspx$ - ^.*.*(GET|POST).*(?i)php\?password=[0-9]*\&re_password=.*\&login=var.*$ - -ignoreregex = diff --git a/company.example/fail2ban-files/filter.d/60_sshd.filter b/company.example/fail2ban-files/filter.d/60_sshd.filter deleted file mode 100644 index 33b8ba8..0000000 --- a/company.example/fail2ban-files/filter.d/60_sshd.filter +++ /dev/null 
@@ -1,31 +0,0 @@ -# Ansible-controlled filename: /etc/fail2ban/filter.d/60_sshd.filter -# Source: ansible bgstack15-fail2ban/files/sshd.filter -# Date: 2016-06-23 -# Reference: Ubuntu 16.04 fail2ban package sshd filter -# NOTE: This file is managed via Ansible: manual changes will be lost - -[INCLUDES] -before = common.conf - -[Definition] -_daemon = sshd -failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from ( via \S+)?\s*$ - ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from \s*$ - ^%(__prefix_line)sFailed \S+ for .*? from (?: port \d*)?(?: ssh\d*)?(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?\S+ %(__md5hex)s(, client user ".*", client host ".*")?))?\s*$ - ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM \s*$ - ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from \s*$ - ^%(__prefix_line)sUser .+ from not allowed because not listed in AllowUsers\s*$ - ^%(__prefix_line)sUser .+ from not allowed because listed in DenyUsers\s*$ - ^%(__prefix_line)sUser .+ from not allowed because not in any group\s*$ - ^%(__prefix_line)srefused connect from \S+ \(\)\s*$ - ^%(__prefix_line)sReceived disconnect from : 3: \S+: Auth fail$ - ^%(__prefix_line)sUser .+ from not allowed because a group is listed in DenyGroups\s*$ - ^%(__prefix_line)sUser .+ from not allowed because none of user's groups are listed in AllowGroups\s*$ - ^(?P<__prefix>%(__prefix_line)s)User .+ not allowed because account is locked(?P=__prefix)(?:error: )?Received disconnect from : 11: .+ \[preauth\]$ - ^(?P<__prefix>%(__prefix_line)s)Disconnecting: Too many authentication failures for .+? \[preauth\](?P=__prefix)(?:error: )?Connection closed by \[preauth\]$ - ^(?P<__prefix>%(__prefix_line)s)Connection from port \d+(?: on \S+ port \d+)?(?P=__prefix)Disconnecting: Too many authentication failures for .+? 
\[preauth\]$ - ^%(__prefix_line)spam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=\S*\s*rhost=\s.*$ -ignoreregex = -[Init] -maxlines = 10 -journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd diff --git a/company.example/fail2ban-files/jail.d/00_default.jail b/company.example/fail2ban-files/jail.d/00_default.jail deleted file mode 100644 index 71cd3e8..0000000 --- a/company.example/fail2ban-files/jail.d/00_default.jail +++ /dev/null @@ -1,10 +0,0 @@ -# Ansible controlled filename: /etc/fail2ban/jail.d/00_default.filter -# Source: ansible bgstack15-fail2ban/files/00_default.conf -# Date: 2016-06-23 -# Reference: -# NOTE: This file is managed via Ansible: manual changes will be lost - -[DEFAULT] -ignoreip = 127.0.0.1/8 203.0.0.0/16 10.0.0.0/8 192.168.0.0/16 204.13.201.0/24 64.37.231.0/24 -# TrustKeeper Vulnerability Scan IPs = 204.13.201.0/24 64.37.231.0/24 - diff --git a/company.example/fail2ban-files/jail.d/20_example-blns.jail b/company.example/fail2ban-files/jail.d/20_example-blns.jail deleted file mode 100644 index eb1d1c9..0000000 --- a/company.example/fail2ban-files/jail.d/20_example-blns.jail +++ /dev/null @@ -1,21 +0,0 @@ -# Ansible controlled filename: /etc/fail2ban/jail.d/20_example-blns.jail -# Source: ansible bgstack15-fail2ban/files/example-blns.jail -# Date: 2016-04-19 -# Reference: -# NOTE: This file is managed via Ansible: manual changes will be lost - -[example-blns] -enabled = true -action = iptables-allports - sendmail[name=exampleblns, dest=linuxadmin@example.com] -filter = 20_example-blns -logpath = /var/log/httpd/access_log - /var/log/httpd/error_log - /var/log/httpd/ssl_access_log - /var/log/httpd/ssl_error_log - /var/log/apache2/access_log - /var/log/apache2/error_log - /var/log/apache2/ssl_access_log - /var/log/apache2/ssl_error_log -maxretry = 1 -bantime = 86400 
diff --git a/company.example/fail2ban-files/jail.d/30_example-max3.jail b/company.example/fail2ban-files/jail.d/30_example-max3.jail deleted file mode 100644 index 6ca7781..0000000 --- a/company.example/fail2ban-files/jail.d/30_example-max3.jail +++ /dev/null @@ -1,21 +0,0 @@ -# Ansible controlled filename: /etc/fail2ban/jail.d/30_example-max3.jail -# Source: ansible bgstack15-fail2ban/files/example-max3.jail -# Date: 2016-07-12 -# Reference: example-blns.jail -# NOTE: This file is managed via Ansible: manual changes will be lost - -[example-max3] -enabled = true -action = iptables-allports - sendmail[name=examplemax3, dest=linuxadmin@example.com] -filter = 30_example-max3 -logpath = /var/log/httpd/access_log - /var/log/httpd/error_log - /var/log/httpd/ssl_access_log - /var/log/httpd/ssl_error_log - /var/log/apache2/access_log - /var/log/apache2/error_log - /var/log/apache2/ssl_access_log - /var/log/apache2/ssl_error_log -maxretry = 3 -bantime = 86400 diff --git a/company.example/fail2ban-files/jail.d/60_sshd.jail b/company.example/fail2ban-files/jail.d/60_sshd.jail deleted file mode 100644 index aeb2751..0000000 --- a/company.example/fail2ban-files/jail.d/60_sshd.jail +++ /dev/null @@ -1,16 +0,0 @@ -# Ansible controlled filename: /etc/fail2ban/jail.d/60_sshd.jail -# Source: ansible bgstack15-fail2ban/files/sshd.jail -# Date: 2016-06-23 -# Reference: Ubuntu 16.04 fail2ban package sshd jail -# NOTE: This file is managed via Ansible: manual changes will be lost - -[ssh-iptables] - -enabled = true -filter = sshd -action = iptables[name=SSH, port=ssh, protocol=tcp] - sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com] -logpath = %(sshd_log)s -maxretry = 5 - -ignoreip = 203.0.193.232/24 diff --git a/company.example/pubkeys/alice.pubkeys b/company.example/pubkeys/alice.pubkeys deleted file mode 100644 index 6d807a6..0000000 --- a/company.example/pubkeys/alice.pubkeys +++ /dev/null 
@@ -1,3 +0,0 @@ -# version 3.0 -ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDG8xc7BV1xCcKrzQvQwDhAAX6uDne5lSpgCURg4Vx8Au8fsaiFSVlCky+OOQAJipgucG0QBPiL60sNNsY03sKIAh7TMKsoUZuQ5sJM6EpyKGEYaOKFXjaShDFMtdvwGIANh/e86qpVGRkje+p8fvNxbHOXsQpYF+HpAv8u/HbaQQYtdkWaeR6nIO8LXWOapgO7t5pMdRQJa67+4Yyc7IQQM66WMXX5Ik3nGMMHog2PgrpTtaEdKOV2TzSynLBlp3UmOkLa4D0euvMsTwjTmqeORfCMVyVeYwHhZoz4V99L1aYCeI1jDwhD5GEf/DKOhMNVsw7OhqTSfVz3sYGbq0or alice@aluminum.example.com -ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAgURLzjIKMmN0Aq8YZTQp1N/6GMEuEs8WeOx2eg/lEXEFTxIQMMKYXxPDgzp2QLCQuuzgKOXBKw7KtnxtqTkmlAUWMDExSd7U1q/vZnDIubUFzZKbORJHWUOrI4Os/r9GPmnFro8kMCYjvmkUWIO82+JQHFBunICJcGKPJutcbSU= rsa-key-20130722 diff --git a/company.example/pubkeys/lcroce.pubkey b/company.example/pubkeys/lcroce.pubkey deleted file mode 100644 index fc39667..0000000 --- a/company.example/pubkeys/lcroce.pubkey +++ /dev/null @@ -1 +0,0 @@ -FOO 2016-09-22 08:49 this is the contents of bob.pubkey diff --git a/company.example/resolv_conf-templates/resolv.conf b/company.example/resolv_conf-templates/resolv.conf deleted file mode 100644 index 7a647b0..0000000 --- a/company.example/resolv_conf-templates/resolv.conf +++ /dev/null @@ -1,8 +0,0 @@ -# File managed by ansible - -search example.com -nameserver 10.1.16.1 -nameserver 10.2.16.1 -nameserver 10.1.16.2 -nameserver 10.2.16.2 -options timeout:3 rotate diff --git a/company/ad-templates/krb5.conf.CentOS b/company/ad-templates/krb5.conf.CentOS new file mode 100644 index 0000000..74570ae --- /dev/null +++ b/company/ad-templates/krb5.conf.CentOS 
@@ -0,0 +1,35 @@ +# Ansible controlled filename: /etc/krb5.conf +# Source: ansible bgstack15-ad/templates/krb5.conf.CentOS +# Date: 2016-03-04 +# Reference: Building the Centos 7 Template.docx +# NOTE: This file is managed via Ansible: manual changes will be lost + +[logging] + default = FILE:/var/log/krb5libs.log + kdc = FILE:/var/log/krb5kdc.log + admin_server = FILE:/var/log/kadmind.log + +[libdefaults] + dns_lookup_realm = false + ticket_lifetime = 24h + renew_lifetime = 7d + forwardable = true + rdns = false + default_ccache_name = KEYRING:persistent:%{uid} + + default_realm = EXAMPLE.COM +[realms] + EXAMPLE.COM = { + kdc = dc1.example.com + kdc = dc2.example.com + kdc = dc3.example.com + kdc = dc4.example.com + admin_server = dc1.example.com + admin_server = dc2.example.com + admin_server = dc3.example.com + admin_server = dc4.example.com + } + +[domain_realm] +example.com = EXAMPLE.COM + .example.com = EXAMPLE.COM diff --git a/company/ad-templates/krb5.conf.FreeBSD b/company/ad-templates/krb5.conf.FreeBSD new file mode 100644 index 0000000..e6b8a3a --- /dev/null +++ b/company/ad-templates/krb5.conf.FreeBSD 
@@ -0,0 +1,37 @@ +# Ansible controlled filename: /etc/krb5.conf +# Source: ansible bgstack15-ad/templates/krb5.conf.FreeBSD +# Date: 2016-03-04 +# Reference: Building the Centos 7 Template.docx +# NOTE: This file is managed via Ansible: manual changes will be lost + +[logging] + default = FILE:/var/log/krb5libs.log + kdc = FILE:/var/log/krb5kdc.log + admin_server = FILE:/var/log/kadmind.log + +[libdefaults] + dns_lookup_realm = false + ticket_lifetime = 24h + renew_lifetime = 7d + forwardable = true + rdns = false + default_ccache_name = FILE:/tmp/krb5cc_%u + proxiable = true + ccache_type = 4 + + default_realm = EXAMPLE.COM +[realms] + EXAMPLE.COM = { + kdc = dc1.example.com + kdc = dc2.example.com + kdc = dc3.example.com + kdc = dc4.example.com + admin_server = dc1.example.com + admin_server = dc2.example.com + admin_server = dc3.example.com + admin_server = dc4.example.com + } + +[domain_realm] +example.com = EXAMPLE.COM + .example.com = EXAMPLE.COM diff --git a/company/ad-templates/krb5.conf.Ubuntu b/company/ad-templates/krb5.conf.Ubuntu new file mode 100644 index 0000000..6a4c23b --- /dev/null +++ b/company/ad-templates/krb5.conf.Ubuntu 
@@ -0,0 +1,35 @@ +# Ansible controlled filename: /etc/krb5.conf +# Source: ansible bgstack15-ad/templates/krb5.conf.Ubuntu +# Date: 2016-03-04 +# Reference: Building the Centos 7 Template.docx +# NOTE: This file is managed via Ansible: manual changes will be lost + +[logging] + default = FILE:/var/log/krb5libs.log + kdc = FILE:/var/log/krb5kdc.log + admin_server = FILE:/var/log/kadmind.log + +[libdefaults] + dns_lookup_realm = false + ticket_lifetime = 24h + renew_lifetime = 7d + forwardable = true + rdns = false + default_ccache_name = KEYRING:persistent:%{uid} + + default_realm = EXAMPLE.COM +[realms] + EXAMPLE.COM = { + kdc = dc1.example.com + kdc = dc2.example.com + kdc = dc3.example.com + kdc = dc4.example.com + admin_server = dc1.example.com + admin_server = dc2.example.com + admin_server = dc3.example.com + admin_server = dc4.example.com + } + +[domain_realm] +example.com = EXAMPLE.COM + .example.com = EXAMPLE.COM diff --git a/company/ad-templates/sssd.conf.CentOS b/company/ad-templates/sssd.conf.CentOS new file mode 100644 index 0000000..dafb287 --- /dev/null +++ b/company/ad-templates/sssd.conf.CentOS 
@@ -0,0 +1,42 @@
+# Ansible-controlled filename: /etc/sssd/sssd.conf
+# Source: ansible sssd.conf.CentOS
+# Date: 2016-03-04
+# Reference: Building the Centos 7 Template.docx
+# NOTE: This file is managed via Ansible: manual changes will be lost
+
+[domain/default]
+autofs_provider = ldap
+cache_credentials = True
+krb5_realm = EXAMPLE.COM
+ldap_search_base = dc=example,dc=com
+krb5_server = dc1.example.com,dc2.example.com,dc3.example.com,dc4.example.com
+id_provider = ldap
+auth_provider = krb5
+chpass_provider = krb5
+krb5_store_password_if_offline = True
+ldap_uri = ldap://example.com
+krb5_kpasswd = dc1.example.com,dc2.example.com,dc3.example.com,dc4.example.com
+ldap_tls_cacertdir = /etc/openldap/cacerts
+
+[sssd]
+domains = default, example.com
+config_file_version = 2
+services = nss, pam, autofs
+
+[domain/example.com]
+ad_domain = example.com
+krb5_realm = EXAMPLE.COM
+realmd_tags = manages-system joined-with-samba
+cache_credentials = True
+id_provider = ad
+krb5_store_password_if_offline = True
+default_shell = /bin/bash
+ldap_id_mapping = False
+use_fully_qualified_names = False
+fallback_homedir = /home/%d/%u
+access_provider = ad
+ad_access_filter = (&(memberOf=CN=Linux-Server-Access_grp,OU=Linux-Access,OU=Accounts-Groups,DC=example,DC=com)(unixHomeDirectory=*))
+simple_allow_users = bgstack15, bgstack15, user16, user16
+case_sensitive = true
+ad_gpo_access_control = disabled
+[autofs]
diff --git a/company/ad-templates/sssd.conf.FreeBSD b/company/ad-templates/sssd.conf.FreeBSD
new file mode 100644
index 0000000..9add0ed
--- /dev/null
+++ b/company/ad-templates/sssd.conf.FreeBSD
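Review bot: `simple_allow_users = bgstack15, bgstack15, user16, user16` in [domain/example.com] is dead configuration: that option is only consulted when `access_provider = simple`, and this domain sets `access_provider = ad`, so the only login gate is `ad_access_filter` (membership of Linux-Server-Access_grp plus a populated unixHomeDirectory). The list also repeats each name, which looks like a scrubbing artifact from the old `Alice, alice` pair, and the same duplication appears in ad-vars/FreeBSD.yml. Either drop the line or annotate it: `# simple_allow_users is ignored while access_provider = ad; access is governed by ad_access_filter`. Separately, `ad_gpo_access_control = disabled` means AD logon-rights GPOs are not enforced on these hosts, which deserves a one-line comment stating that this is intentional.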
@@ -0,0 +1,41 @@
+# Ansible-controlled filename: /etc/sssd/sssd.conf
+# Source: ansible sssd.conf.FreeBSD
+# Date: 2016-03-04
+# Reference: Building the Centos 7 Template.docx
+# NOTE: This file is managed via Ansible: manual changes will be lost
+
+[domain/default]
+autofs_provider = ldap
+cache_credentials = True
+krb5_realm = EXAMPLE.COM
+ldap_search_base = dc=example,dc=com
+krb5_server = dc1.example.com,dc2.example.com,dc3.example.com,dc4.example.com
+id_provider = ldap
+auth_provider = krb5
+chpass_provider = krb5
+krb5_store_password_if_offline = True
+ldap_uri = ldap://example.com
+krb5_kpasswd = dc1.example.com,dc2.example.com,dc3.example.com,dc4.example.com
+ldap_tls_cacertdir = /etc/openldap/cacerts
+
+[sssd]
+domains = default, example.com
+config_file_version = 2
+services = nss, pam
+
+[domain/example.com]
+ad_domain = example.com
+krb5_realm = EXAMPLE.COM
+realmd_tags = manages-system joined-with-samba
+cache_credentials = True
+id_provider = ad
+krb5_store_password_if_offline = True
+default_shell = /bin/bash
+ldap_id_mapping = False
+use_fully_qualified_names = False
+fallback_homedir = /home/%d/%u
+access_provider = ad
+ad_access_filter = (&(memberOf=CN=Linux-Server-Access_grp,OU=Linux-Access,OU=Accounts-Groups,DC=example,DC=com)(unixHomeDirectory=*))
+simple_allow_users = bgstack15, bgstack15, user16, user16
+case_sensitive = true
+ad_gpo_access_control = disabled
diff --git a/company/ad-templates/sssd.conf.Ubuntu b/company/ad-templates/sssd.conf.Ubuntu
new file mode 100644
index 0000000..7b7dae3
--- /dev/null
+++ b/company/ad-templates/sssd.conf.Ubuntu
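Review bot: [domain/default] points `id_provider = ldap` at `ldap_uri = ldap://example.com` with no `ldap_id_use_start_tls`, so identity and group lookups for that domain travel over cleartext LDAP and the `ldap_tls_cacertdir` line never comes into play; if the default domain is still needed, add `ldap_id_use_start_tls = True` and `ldap_tls_reqcert = demand` (or switch the URI to `ldaps://`). On FreeBSD the value `/etc/openldap/cacerts` is the CentOS location; the ports-installed OpenLDAP normally looks under `/usr/local/etc/openldap`, so this path should be verified or driven from ad-vars/FreeBSD.yml the way `sssd_dir` already is. Note also that `ldap_uri` names the bare domain rather than the four DCs listed in `krb5_server`, so which host answers depends entirely on DNS round-robin.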
@@ -0,0 +1,42 @@
+# Ansible-controlled filename: /etc/sssd/sssd.conf
+# Source: ansible sssd.conf.Ubuntu
+# Date: 2016-03-04
+# Reference: Building the Centos 7 Template.docx
+# NOTE: This file is managed via Ansible: manual changes will be lost
+
+[domain/default]
+autofs_provider = ldap
+cache_credentials = True
+krb5_realm = EXAMPLE.COM
+ldap_search_base = dc=example,dc=com
+krb5_server = dc1.example.com,dc2.example.com,dc3.example.com,dc4.example.com
+id_provider = ldap
+auth_provider = krb5
+chpass_provider = krb5
+krb5_store_password_if_offline = True
+ldap_uri = ldap://example.com
+krb5_kpasswd = dc1.example.com,dc2.example.com,dc3.example.com,dc4.example.com
+ldap_tls_cacertdir = /etc/openldap/cacerts
+
+[sssd]
+domains = default, example.com
+config_file_version = 2
+services = nss, pam, autofs
+
+[domain/example.com]
+ad_domain = example.com
+krb5_realm = EXAMPLE.COM
+realmd_tags = manages-system joined-with-samba
+cache_credentials = True
+id_provider = ad
+krb5_store_password_if_offline = True
+default_shell = /bin/bash
+ldap_id_mapping = False
+use_fully_qualified_names = False
+fallback_homedir = /home/%d/%u
+access_provider = ad
+ad_access_filter = (&(memberOf=CN=Linux-Server-Access_grp,OU=Linux-Access,OU=Accounts-Groups,DC=example,DC=com)(unixHomeDirectory=*))
+simple_allow_users = bgstack15, bgstack15, user16, user16
+case_sensitive = true
+ad_gpo_access_control = disabled
+[autofs]
diff --git a/company/ad-vars/FreeBSD.yml b/company/ad-vars/FreeBSD.yml
new file mode 100644
index 0000000..77e2a9c
--- /dev/null
+++ b/company/ad-vars/FreeBSD.yml
@@ -0,0 +1,4 @@
+---
+sssd_dir: /usr/local/etc/sssd
+ad_access_filter: (&(memberOf=CN=Linux-Server-Access_grp,OU=Linux-Access,OU=Accounts-Groups,DC=example,DC=com)(unixHomeDirectory=*))
+simple_allow_users: bgstack15, bgstack15, bgstack15-local
diff --git a/company/ad-vars/default.yml b/company/ad-vars/default.yml
new file mode 100644
index 0000000..cb65db8
--- /dev/null
+++ b/company/ad-vars/default.yml
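Review bot: `ldap_tls_cacertdir = /etc/openldap/cacerts` is a Red Hat path that does not exist on a stock Ubuntu install (the system CA directory is normally `/etc/ssl/certs`), so if TLS is ever enabled for [domain/default] certificate verification will fail against this template; point it at the Ubuntu CA directory or supply it from the per-OS ad-vars file as `sssd_dir` already is. Both domains also combine `krb5_store_password_if_offline = True` with `cache_credentials = True`, which keeps the user's plaintext password in the kernel keyring for offline ticket renewal — reasonable on laptops, questionable on always-connected servers — and warrants a comment such as `# password kept in keyring for offline krb5 renewal; drop on always-connected hosts`. The header still carries `# Date: 2016-03-04` even though the search base and allow-list changed in this commit, so that line is now misleading.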
@@ -0,0 +1,3 @@
+---
+sssd_dir: /etc/sssd
+krb5_conf_dir: /etc
diff --git a/company/fail2ban-files/filter.d/20_bju-blns.filter b/company/fail2ban-files/filter.d/20_bju-blns.filter
new file mode 100644
index 0000000..c39cefa
--- /dev/null
+++ b/company/fail2ban-files/filter.d/20_bju-blns.filter
@@ -0,0 +1,32 @@
+# Ansible controlled filename: /etc/fail2ban/filter.d/20_example-blns.filter
+# Source: ansible bgstack15-fail2ban/files/example-blns.filter
+# Date: 2016-04-19
+# Reference:
+# NOTE: This file is managed via Ansible: manual changes will be lost
+
+[Definition]
+failregex = ^.*.*(GET|POST).*/etc/passwd.*$
+ ^.*.*(GET|POST).*/etc/group.*$
+ ^.*.*(GET|POST).*/etc/hosts.*$
+ ^.*.*(GET|POST).*/proc/self/environ.*$
+ ^.*.*(GET|POST).*(?i)admin.*admin.*$
+ ^.*.*(GET|POST).*(?i)(php|db|pma|web|sql).*admin.*$
+ ^.*.*(GET|POST).*(?i)admin.*(php|db|pma|web|sql).*$
+ ^.*.*(GET|POST).*(?i)DELETE_comment.*$
+ ^.*.*(GET|POST).*(?i)pma/scripts.*setup.*$
+ ^.*.*(GET|POST).*(?i)pma([0-9]{4})?/? HTTP.*$
+ ^.*.*(GET|POST).*(?i)(database|myadmin|mysql)/? HTTP.*$
+ ^.*.*(GET|POST).*(?i)(dbweb|webdb|websql|sqlweb).*$
+ ^.*.*(GET|POST).*(?i)(my)?sql.*manager.*$
+ ^.*.*(GET|POST).*(?i)wp-(admin|login|signup|config).*$
+ ^.*.*(GET|POST).*president/.*wp-cron\.php*$
+ ^.*.*(GET|POST).*w00t.*blackhats.*$
+ ^.*.*(GET|POST).*\+\+liker.profile_URL\+\+.*$
+ ^.*.*(GET|POST).*muieblackcat.*$
+ ^.*.*(GET|POST).*(?i)ldlogon.*$
+ ^.*.*(GET|POST).*(?i)\.cobalt$
+ ^.*.*(GET|POST).*(?i)\.intruvert\/jsp\/admin\/Login\.jsp$
+ ^.*.*(GET|POST).*(?i)MSWSMTP\/Common\/Authentication\/Logon\.aspx$
+ ^.*.*(GET|POST).*(?i)php\?password=[0-9]*\&re_password=.*\&login=var.*$
+
+ignoreregex =
diff --git a/company/fail2ban-files/filter.d/30_bju-max3.filter b/company/fail2ban-files/filter.d/30_bju-max3.filter
new file mode 100644
index 0000000..af692af
--- /dev/null
+++ b/company/fail2ban-files/filter.d/30_bju-max3.filter
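Review bot: Most patterns place `(?i)` in the middle of the expression (`^.*.*(GET|POST).*(?i)admin.*admin.*$` and the lines after it); Python has warned about non-initial global flags since 3.6 and rejects them from 3.11 on, so on a current fail2ban this filter fails to compile — move the flag to the front, `^(?i).*(GET|POST).*admin.*admin.*$`, or spell the case variants out. The same construction is used in `30_bju-max3.filter` in the next hunk. Combined with `maxretry = 1` and `iptables-allports` in the matching jail, the broad substring matches (`admin.*admin`, `wp-(admin|login|signup|config)`, `(my)?sql.*manager`) cut a client off from every port for a day on a single request, including a legitimate one whose path or referer happens to match; run `fail2ban-regex` against real access logs before enabling it. As rendered here no pattern contains a `<HOST>` capture, which fail2ban requires to know which address to ban; that is probably the page stripping the tag rather than the committed file, but it is worth confirming in the repository.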
@@ -0,0 +1,13 @@
+# Ansible controlled filename: /etc/fail2ban/filter.d/30_example-max3.filter
+# Source: ansible bgstack15-fail2ban/files/example-max3.filter
+# Date: 2016-07-12
+# Reference: example-blns.filter
+# NOTE: This file is managed via Ansible: manual changes will be lost
+
+[Definition]
+failregex = ^.*.*(GET|POST).*(?i)\.cobalt$
+ ^.*.*(GET|POST).*(?i)\.intruvert\/jsp\/admin\/Login\.jsp$
+ ^.*.*(GET|POST).*(?i)MSWSMTP\/Common\/Authentication\/Logon\.aspx$
+ ^.*.*(GET|POST).*(?i)php\?password=[0-9]*\&re_password=.*\&login=var.*$
+
+ignoreregex =
diff --git a/company/fail2ban-files/filter.d/60_sshd.filter b/company/fail2ban-files/filter.d/60_sshd.filter
new file mode 100644
index 0000000..33b8ba8
--- /dev/null
+++ b/company/fail2ban-files/filter.d/60_sshd.filter
@@ -0,0 +1,31 @@
+# Ansible-controlled filename: /etc/fail2ban/filter.d/60_sshd.filter
+# Source: ansible bgstack15-fail2ban/files/sshd.filter
+# Date: 2016-06-23
+# Reference: Ubuntu 16.04 fail2ban package sshd filter
+# NOTE: This file is managed via Ansible: manual changes will be lost
+
+[INCLUDES]
+before = common.conf
+
+[Definition]
+_daemon = sshd
+failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from ( via \S+)?\s*$
+ ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from \s*$
+ ^%(__prefix_line)sFailed \S+ for .*? from (?: port \d*)?(?: ssh\d*)?(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?\S+ %(__md5hex)s(, client user ".*", client host ".*")?))?\s*$
+ ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM \s*$
+ ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from \s*$
+ ^%(__prefix_line)sUser .+ from not allowed because not listed in AllowUsers\s*$
+ ^%(__prefix_line)sUser .+ from not allowed because listed in DenyUsers\s*$
+ ^%(__prefix_line)sUser .+ from not allowed because not in any group\s*$
+ ^%(__prefix_line)srefused connect from \S+ \(\)\s*$
+ ^%(__prefix_line)sReceived disconnect from : 3: \S+: Auth fail$
+ ^%(__prefix_line)sUser .+ from not allowed because a group is listed in DenyGroups\s*$
+ ^%(__prefix_line)sUser .+ from not allowed because none of user's groups are listed in AllowGroups\s*$
+ ^(?P<__prefix>%(__prefix_line)s)User .+ not allowed because account is locked(?P=__prefix)(?:error: )?Received disconnect from : 11: .+ \[preauth\]$
+ ^(?P<__prefix>%(__prefix_line)s)Disconnecting: Too many authentication failures for .+? \[preauth\](?P=__prefix)(?:error: )?Connection closed by \[preauth\]$
+ ^(?P<__prefix>%(__prefix_line)s)Connection from port \d+(?: on \S+ port \d+)?(?P=__prefix)Disconnecting: Too many authentication failures for .+?
\[preauth\]$
+ ^%(__prefix_line)spam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=\S*\s*rhost=\s.*$
+ignoreregex =
+[Init]
+maxlines = 10
+journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd
diff --git a/company/fail2ban-files/jail.d/00_default.jail b/company/fail2ban-files/jail.d/00_default.jail
new file mode 100644
index 0000000..71cd3e8
--- /dev/null
+++ b/company/fail2ban-files/jail.d/00_default.jail
@@ -0,0 +1,10 @@
+# Ansible controlled filename: /etc/fail2ban/jail.d/00_default.filter
+# Source: ansible bgstack15-fail2ban/files/00_default.conf
+# Date: 2016-06-23
+# Reference:
+# NOTE: This file is managed via Ansible: manual changes will be lost
+
+[DEFAULT]
+ignoreip = 127.0.0.1/8 203.0.0.0/16 10.0.0.0/8 192.168.0.0/16 204.13.201.0/24 64.37.231.0/24
+# TrustKeeper Vulnerability Scan IPs = 204.13.201.0/24 64.37.231.0/24
+
diff --git a/company/fail2ban-files/jail.d/20_bju-blns.jail b/company/fail2ban-files/jail.d/20_bju-blns.jail
new file mode 100644
index 0000000..eb1d1c9
--- /dev/null
+++ b/company/fail2ban-files/jail.d/20_bju-blns.jail
@@ -0,0 +1,21 @@
+# Ansible controlled filename: /etc/fail2ban/jail.d/20_example-blns.jail
+# Source: ansible bgstack15-fail2ban/files/example-blns.jail
+# Date: 2016-04-19
+# Reference:
+# NOTE: This file is managed via Ansible: manual changes will be lost
+
+[example-blns]
+enabled = true
+action = iptables-allports
+ sendmail[name=exampleblns, dest=linuxadmin@example.com]
+filter = 20_example-blns
+logpath = /var/log/httpd/access_log
+ /var/log/httpd/error_log
+ /var/log/httpd/ssl_access_log
+ /var/log/httpd/ssl_error_log
+ /var/log/apache2/access_log
+ /var/log/apache2/error_log
+ /var/log/apache2/ssl_access_log
+ /var/log/apache2/ssl_error_log
+maxretry = 1
+bantime = 86400
diff --git a/company/fail2ban-files/jail.d/30_bju-max3.jail b/company/fail2ban-files/jail.d/30_bju-max3.jail
new file mode 100644
index 0000000..6ca7781
--- /dev/null
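Review bot: This filter is never selected: `60_sshd.jail` in a later hunk sets `filter = sshd`, which fail2ban resolves to the distribution's `filter.d/sshd.conf`, so the copy added here (a snapshot of the Ubuntu 16.04 package filter, per its Reference line) sits unused unless the role also renames it and the jail is changed to `filter = 60_sshd`. If the private copy is intentional it stops receiving upstream regex fixes, so the header should at least record the package version it was taken from, e.g. `# Reference: Ubuntu 16.04 fail2ban package sshd filter (fail2ban <VERSION>)`. The hunk's failregex block begins on the previous page line and is cut across the page break mid-pattern, so the `Connection from ... \[preauth\]$` line should be read as one entry.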
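Review bot: `ignoreip` exempts the whole of `10.0.0.0/8`, `192.168.0.0/16` and `203.0.0.0/16`, so every jail that inherits `[DEFAULT]` will never ban anything originating inside those ranges; a compromised internal host or a user on the office network gets unlimited attempts against sshd and the web filters. Narrow the list to the management subnets that genuinely need it and keep the scanner ranges as they are (the comment naming them is useful). The managed-file banner says `/etc/fail2ban/jail.d/00_default.filter` while the committed path is `jail.d/00_default.jail`; change it to `# Ansible controlled filename: /etc/fail2ban/jail.d/00_default.jail` so the banner points at the right file.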
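Review bot: `filter = 20_example-blns` names a filter that does not exist under the committed path `filter.d/20_bju-blns.filter`, and fail2ban looks the name up as `filter.d/<name>.conf`, which the `.filter` suffix used both here and in that file's own banner does not satisfy; unless the fail2ban role renames and re-suffixes the file on deployment, the jail will fail to start. The same mismatch is in `30_bju-max3.jail` (`filter = 30_example-max3`) in the next hunk. `iptables-allports` with `maxretry = 1` also means one false-positive match locks the client out of every service on the host for `bantime = 86400`; `maxretry = 2` or a port-scoped action (`iptables-multiport[name=exampleblns, port="http,https"]`) would limit the blast radius of a bad regex.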
+++ b/company/fail2ban-files/jail.d/30_bju-max3.jail
@@ -0,0 +1,21 @@
+# Ansible controlled filename: /etc/fail2ban/jail.d/30_example-max3.jail
+# Source: ansible bgstack15-fail2ban/files/example-max3.jail
+# Date: 2016-07-12
+# Reference: example-blns.jail
+# NOTE: This file is managed via Ansible: manual changes will be lost
+
+[example-max3]
+enabled = true
+action = iptables-allports
+ sendmail[name=examplemax3, dest=linuxadmin@example.com]
+filter = 30_example-max3
+logpath = /var/log/httpd/access_log
+ /var/log/httpd/error_log
+ /var/log/httpd/ssl_access_log
+ /var/log/httpd/ssl_error_log
+ /var/log/apache2/access_log
+ /var/log/apache2/error_log
+ /var/log/apache2/ssl_access_log
+ /var/log/apache2/ssl_error_log
+maxretry = 3
+bantime = 86400
diff --git a/company/fail2ban-files/jail.d/60_sshd.jail b/company/fail2ban-files/jail.d/60_sshd.jail
new file mode 100644
index 0000000..aeb2751
--- /dev/null
+++ b/company/fail2ban-files/jail.d/60_sshd.jail
@@ -0,0 +1,16 @@
+# Ansible controlled filename: /etc/fail2ban/jail.d/60_sshd.jail
+# Source: ansible bgstack15-fail2ban/files/sshd.jail
+# Date: 2016-06-23
+# Reference: Ubuntu 16.04 fail2ban package sshd jail
+# NOTE: This file is managed via Ansible: manual changes will be lost
+
+[ssh-iptables]
+
+enabled = true
+filter = sshd
+action = iptables[name=SSH, port=ssh, protocol=tcp]
+ sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com]
+logpath = %(sshd_log)s
+maxretry = 5
+
+ignoreip = 203.0.193.232/24
diff --git a/company/pubkeys/bgirton.pubkeys b/company/pubkeys/bgirton.pubkeys
new file mode 100644
index 0000000..85abeb0
--- /dev/null
+++ b/company/pubkeys/bgirton.pubkeys
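Review bot: The jail-level `ignoreip = 203.0.193.232/24` replaces the `[DEFAULT]` list from `00_default.jail` for this jail rather than extending it, so for `ssh-iptables` loopback, the private ranges and the scanner addresses are no longer exempt — probably not what was intended; either drop the line or repeat the defaults here. The value also carries host bits (`.232` under a `/24`); write it as `203.0.193.0/24` so the intended network is unambiguous to both readers and fail2ban's address parser. `filter = sshd` loads the distribution's `sshd.conf`, not the `60_sshd.filter` shipped in this commit, so one of the two should change. `dest=root` differs from the `linuxadmin@example.com` recipient used by the web jails; confirm root's mail on the web hosts is actually read, or align the address.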
@@ -0,0 +1,3 @@
+# version 3.0
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDG8xc7BV1xCcKrzQvQwDhAAX6uDne5lSpgCURg4Vx8Au8fsaiFSVlCky+OOQAJipgucG0QBPiL60sNNsY03sKIAh7TMKsoUZuQ5sJM6EpyKGEYaOKFXjaShDFMtdvwGIANh/e86qpVGRkje+p8fvNxbHOXsQpYF+HpAv8u/HbaQQYtdkWaeR6nIO8LXWOapgO7t5pMdRQJa67+4Yyc7IQQM66WMXX5Ik3nGMMHog2PgrpTtaEdKOV2TzSynLBlp3UmOkLa4D0euvMsTwjTmqeORfCMVyVeYwHhZoz4V99L1aYCeI1jDwhD5GEf/DKOhMNVsw7OhqTSfVz3sYGbq0or bgstack15@aluminum.example.com
+ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAgURLzjIKMmN0Aq8YZTQp1N/6GMEuEs8WeOx2eg/lEXEFTxIQMMKYXxPDgzp2QLCQuuzgKOXBKw7KtnxtqTkmlAUWMDExSd7U1q/vZnDIubUFzZKbORJHWUOrI4Os/r9GPmnFro8kMCYjvmkUWIO82+JQHFBunICJcGKPJutcbSU= rsa-key-20130722
diff --git a/company/pubkeys/lcroce.pubkey b/company/pubkeys/lcroce.pubkey
new file mode 100644
index 0000000..8ed442d
--- /dev/null
+++ b/company/pubkeys/lcroce.pubkey
@@ -0,0 +1 @@
+FOO 2016-09-22 08:49 this is the contents of user16.pubkey
diff --git a/company/resolv_conf-templates/resolv.conf b/company/resolv_conf-templates/resolv.conf
new file mode 100644
index 0000000..7a647b0
--- /dev/null
+++ b/company/resolv_conf-templates/resolv.conf
@@ -0,0 +1,8 @@
+# File managed by ansible
+
+search example.com
+nameserver 10.1.16.1
+nameserver 10.2.16.1
+nameserver 10.1.16.2
+nameserver 10.2.16.2
+options timeout:3 rotate
diff --git a/hosts b/hosts
new file mode 100644
index 0000000..d48fb17
--- /dev/null
+++ b/hosts
@@ -0,0 +1,30 @@
+# file: /etc/ansible/hosts
+
+one.example.com
+two.example.com
+three.example.com
+four.example.com
+five.example.com
+six.example.com
+
+[centos]
+one.example.com
+two.example.com
+three.example.com
+
+[ubuntu]
+four.example.com
+
+[freebsd:vars]
+ansible_python_interpreter=/usr/local/bin/python2.7
+
+[freebsd]
+five.example.com
+six.example.com
+
+[webservers]
+one.example.com
+
+[test]
+one.example.com
+six.example.com
diff --git a/hosts.example b/hosts.example
deleted file mode 100644
index d48fb17..0000000
--- a/hosts.example
+++ /dev/null
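Review bot: The second key, `rsa-key-20130722`, decodes to a 1024-bit RSA modulus (its blob reads exponent `0x25` followed by a modulus length field of `0x81`, i.e. 128 significant bytes), which is well below the 2048-bit floor in current guidance and is a PuTTY-style key from 2013 by its comment; rotate it to a 3072-bit RSA or an ed25519 key before the `ssh_keys` role spreads it further. The first key is 2048-bit and fine. `# version 3.0` is harmless if the role copies the file into `authorized_keys` (sshd skips `#` lines) but should be documented in the role if it is parsed. Note also that the file is committed as `bgirton.pubkeys` while `master.yml` in a later hunk references `company/pubkeys/bgstack15.pubkeys`.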
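Review bot: `FOO 2016-09-22 08:49 this is the contents of user16.pubkey` is placeholder text, not an SSH public key; if the `ssh_keys` role ever appends it to a user's `authorized_keys`, sshd silently ignores the unparsable line and the user is locked out with no error on the Ansible side. Replace it with the real key or drop the file from the repository until one exists.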
@@ -1,30 +0,0 @@
-# file: /etc/ansible/hosts
-
-one.example.com
-two.example.com
-three.example.com
-four.example.com
-five.example.com
-six.example.com
-
-[centos]
-one.example.com
-two.example.com
-three.example.com
-
-[ubuntu]
-four.example.com
-
-[freebsd:vars]
-ansible_python_interpreter=/usr/local/bin/python2.7
-
-[freebsd]
-five.example.com
-six.example.com
-
-[webservers]
-one.example.com
-
-[test]
-one.example.com
-six.example.com
diff --git a/inc/scrub.py b/inc/scrub.py
new file mode 100755
index 0000000..a0e9c70
--- /dev/null
+++ b/inc/scrub.py
@@ -0,0 +1,109 @@
+#!/bin/env python3
+# Filename: scrub.py
+# Location: Various
+# Author: bgstack15@gmail.com
+# Startdate: 2016-09-28
+# Title: Script that Simultaneously Copies and Scrubs a Directory
+# Purpose: Prepare projects for publication by removing private information like usernames and hostnames
+# Package: Various
+# History:
+# Usage:
+ Store this file with any package that gets published. Adjust scrub.txt in local directory.
+ # First line: source directory Second line: target directory. WILL BE OVERWRITTEN!
+ /etc/ansible
+ /home/bjones/ansible.clean
+ # Rest of the lines are "OLD WORD" "NEW WORD"
+ bjones bgstack15
+ rsmith rmstack15
+# Reference:
+ http://stackoverflow.com/questions/79968/split-a-string-by-spaces-preserving-quoted-substrings-in-python/524796#524796
+ http://stackoverflow.com/questions/6706953/python-using-subprocess-to-call-sed#6707003
+ http://stackoverflow.com/questions/6584871/remove-last-character-if-its-a-backslash/6584893#6584893
+ http://stackoverflow.com/questions/2212643/python-recursive-folder-read/2212728#2212728
+ parallel lists: http://stackoverflow.com/questions/1663807/how-can-i-iterate-through-two-lists-in-parallel-in-python
+# Improve:
+ Add option to specify scrub file
+ Add exclude option to scrub file, such as .git and so on
+ Accept CLI options like source, destination, even exclusions?
+# Also change filenames
+import re, shlex, os, sys, shutil
+from pathlib import Path
+
+# scrubpy version
+scrubpyversion = "2016-09-29b"
+
+# Define functions
+
+def removeComments(string):
+ #string = re.sub(re.compile("/\*.*?\*/",re.DOTALL ) ,"", string)
+ #string = re.sub(re.compile("//.*?\n" ) ,"" ,string)
+ pattern = r"(\".*?\"|\'.*?\')|(/\*.*?\*/|(//|#)[^\r\n]*$)"
+ regex = re.compile(pattern, re.MULTILINE|re.DOTALL)
+ def _replacer(match):
+ if match.group(2) is not None:
+ return ""
+ else:
+ return match.group(1)
+ return regex.sub(_replacer, string)
+
+# Main code
+stringfile = open('scrub.txt','r')
+count=0
+thisdir=""
+newdir=""
+oldstrings=[]
+newstrings=[]
+
+while True:
+ x = stringfile.readline().rstrip()
+ count += 1
+ if not x: break
+ x = removeComments(x)
+ #print("x=" + x)
+ y = shlex.split (x)
+ if len(y) >= 1:
+ if thisdir == "":
+ thisdir = y[0]
+ elif newdir == "":
+ newdir = y[0]
+ if len(y) >= 2:
+ #print("y[0]=" + y[0] + "\t and y[1]=" + y[1])
+ oldstrings.append(y[0])
+ newstrings.append(y[1])
+
+# After the file is done
+stringfile.close()
+#newdir = thisdir.rstrip('\/') + ".scrubbed/"
+
+if False:
+ print("\nthisdir=" + thisdir)
+ print("newdir=" + newdir + '\n')
+ print("oldstrings are:")
+ print(oldstrings)
+ print("newstrings are:")
+ print(newstrings)
+
+# Clean scrubbed directory
+try:
+ shutil.rmtree(newdir)
+except:
+ foo=1
+
+shutil.copytree(thisdir,newdir,symlinks=True)
+
+# Execute substitutions
+for rootfolder, subdirs, files in os.walk(thisdir):
+ for filename in files:
+ sourcepath = os.path.join(rootfolder, filename)
+ with open( sourcepath, "r" ) as source:
+ if not ".swp" in source.name and not ".git" in source.name:
+ destdir = rootfolder.replace(thisdir.rstrip('\/'),newdir.rstrip('\/'))
+ destfile = os.path.join(destdir, filename)
+ #print("sourcefile=" + source.name)
+ #print("destfile=" + destfile + '\n')
+ with open( destfile, "w") as target:
+ data = source.read()
+ for oldword, newword in zip(oldstrings,
newstrings):
+ data = data.replace(oldword,newword)
+ changed = data
+ target.write(changed)
diff --git a/inc/scrub.txt b/inc/scrub.txt
new file mode 100644
index 0000000..13922bb
--- /dev/null
+++ b/inc/scrub.txt
@@ -0,0 +1,23 @@
+# First line: source directory Second line: target directory. WILL BE OVERWRITTEN!
+/etc/ansible
+/home/bgstack15/ansible.clean
+# Rest of the lines are "OLD WORD" "NEW WORD"
+bgstack15 bgstack15
+bgstack15 bgstack15
+bgstack15 bgstack15
+user16 user16
+user16 user16
+user16 user16
+example example
+EXAMPLE EXAMPLE
+".com" ".com"
+"dc=com" "dc=com"
+"DC=com" "DC=com"
+".COM" ".COM"
+"203.0." "203.0."
+one one
+two two
+three three
+four four
+five five
+six six
diff --git a/master.yml b/master.yml
new file mode 100644
index 0000000..064767e
--- /dev/null
+++ b/master.yml
@@ -0,0 +1,18 @@
+---
+- name: All hosts
+ hosts: all
+ remote_user: root
+ roles:
+ - ad
+ - resolv_conf
+ - ssh
+ - ssh_keys
+ vars:
+ ssh_key_files:
+ - { user: 'bgstack15', file: '../../../company/pubkeys/bgstack15.pubkeys' }
+
+- name: Webservers
+ hosts: webservers
+ remote_user: root
+ roles:
+ - fail2ban
diff --git a/master.yml.example b/master.yml.example
deleted file mode 100644
index 1ed4fda..0000000
--- a/master.yml.example
+++ /dev/null
@@ -1,18 +0,0 @@
----
-- name: All hosts
- hosts: all
- remote_user: root
- roles:
- - ad
- - resolv_conf
- - ssh
- - ssh_keys
- vars:
- ssh_key_files:
- - { user: 'alice', file: '../../../company/pubkeys/alice.pubkeys' }
-
-- name: Webservers
- hosts: webservers
- remote_user: root
- roles:
- - fail2ban
diff --git a/roles/ad/hosts/default.yml b/roles/ad/hosts/default.yml
new file mode 100644
index 0000000..d7bc1a7
--- /dev/null
+++ b/roles/ad/hosts/default.yml
@@ -0,0 +1,4 @@
+# This file exists to ensure the directory is generated if ever packed in a tarball or something.
+# This directory, hosts/, may be used for specific hosts to get specific variables
+---
+ad_access_filter: SHOULD NEVER SEE THIS
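Review bot: `shutil.copytree(thisdir,newdir,symlinks=True)` copies the entire tree, including `.git` and editor `.swp` files, and the substitution loop then deliberately skips exactly those paths (`if not ".swp" in source.name and not ".git" in source.name`), so the "clean" tree written to `newdir` still carries the unscrubbed repository history and swap files — the very data the tool exists to remove. Pass `ignore=shutil.ignore_patterns('.git', '*.swp')` to `copytree` and prune `subdirs` in the `os.walk` loop (`subdirs[:] = [d for d in subdirs if d != '.git']`) instead of testing substrings of `source.name`, which also catches unrelated names such as `.gitignore`. The `try: shutil.rmtree(newdir) except: foo=1` swallows every error, including a `PermissionError` that would leave stale files in the destination, and `newdir` comes straight from the second line of `scrub.txt`, so a typo there deletes an arbitrary directory; catch `FileNotFoundError` only and refuse a `newdir` that is not empty or does not end in an expected suffix. Files are opened in text mode with no encoding, so the first binary file under the source tree raises `UnicodeDecodeError` and aborts the run; open with `"rb"`/`"wb"` and replace encoded bytes, or catch the error and copy such files untouched.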
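Review bot: `file: '../../../company/pubkeys/bgstack15.pubkeys'` points at a file this commit does not add; the only key files in the diffstat are `company/pubkeys/bgirton.pubkeys` and `company/pubkeys/lcroce.pubkey`, so the `ssh_keys` role will not find it unless it rewrites the name. The scrub tool added in this commit only rewrites file contents (its header lists "Also change filenames" as future work), which is presumably how the mismatch arose; rename the committed file or fix the path by hand. `remote_user: root` on both plays requires every inventory host to keep root SSH login enabled for the controller; a dedicated automation user with `become: true` would let `PermitRootLogin` be turned off.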
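Review bot: `ad_access_filter: SHOULD NEVER SEE THIS` is a sentinel, but if this file is ever loaded as host vars it becomes the value rendered into the sssd template's `ad_access_filter`, which is not a valid LDAP filter; sssd would then reject the access filter and, depending on version, deny all AD logins or log errors on every access check. Since the file exists only to keep the directory present in tarballs, an empty document (`---` followed by `{}`) serves that purpose without risking a live value, or the comment should state where a host-specific file must be named for this default never to apply.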
diff --git a/test.yml b/test.yml
new file mode 100644
index 0000000..f4608f9
--- /dev/null
+++ b/test.yml
@@ -0,0 +1,12 @@
+---
+- name: Test playbook for sudo
+ hosts: test
+ remote_user: root
+ roles:
+ - sudo
+ vars:
+ sudo_strings
+ - { priority: 40, name: 'admins-do-all', content: 'User_Alias ADMINS = bgstack15, bgstack15, user16, user16' }
+ - { priority: 41, name: 'a', content: 'ADMINS ALL=(ALL) ALL' }
+ sudo_files
+ - { file: '../../../company/sudo-files/40_bgstack15' }
-- cgit
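Review bot: `sudo_strings` and `sudo_files` under `vars:` are written without a trailing colon, so as rendered the file is not valid YAML (a plain scalar followed by a block sequence) and `ansible-playbook test.yml` will fail to parse it; change them to `sudo_strings:` and `sudo_files:`. The first entry grants `ADMINS ALL=(ALL) ALL` to an alias that lists the same account twice (`bgstack15, bgstack15, user16, user16`), which sudo tolerates but which suggests the scrub map collapsed two real accounts into one name — worth checking that the published list still reflects who is meant to have full sudo. The hunk's closing `-- cgit` is the patch trailer, not part of the file.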