Files @ 626eadba53b7
Branch filter:

Location: majic-ansible-roles/docs/rolereference.rst - annotation

626eadba53b7 6.5 KiB text/prs.fallenstein.rst Show Source Show as Raw Download as Raw
branko
MAR-2: Added the 'common' role for some basic server set-up.
c377c1d24d7c
c377c1d24d7c
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
626eadba53b7
626eadba53b7
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
cc12c282bb3d
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
626eadba53b7
Role Reference
==============


Preseed
-------

The ``preseed`` role can be used for generating simple preseed files for Debian
Wheezy installations.

The generated preseed files allow simplified installation, with a single root
partition. A number of common parameters can be provided.


Parameters
~~~~~~~~~~

**preseed_directory** (mandatory)
    Destination directory where the preseed files should be stored.

**preseed_servers** (mandatory)
  List of servers for which a preseed file should be created. Each item in
  this list defines options for a single server. The options are as follows:

  **name** (string, mandatory)
    Name associated with the server. This name is used in the preseed
    configuration filename.

  **language** (string, mandatory)
    Language.

  **country** (string, mandatory)
    Country.

  **locale** (string, mandatory)
    Locale.

  **keymap** (string, mandatory)
    Keymap.

  **network_interface** (string, mandatory)
    Name of network interface (for example *eth0*) that should be
    configured.

  **network_auto** (boolean, mandatory)
    Specifies whether the network configuration should be automatic (using
    DHCP) or manual. If manual configuration is selected a number of
    additional options needs to be specified.

  **network_ip** (string, mandatory if **network_auto** if *False*)
    IP address for the server network interface.

  **network_netmask** (string, mandatory if **network_auto** if *False*)
    Netmask for the server network interface.

  **network_gateway** (string, mandatory if **network_auto** if *False*)
    Default gateway for the server.

  **network_dns** (string, mandatory if **network_auto** if *False*)
    Comma-separated list of DNS servers.

  **network_hostname** (string, mandatory if **network_auto** if *False*)
    Server hostname.

  **network_domain** (string, mandatory if **network_auto** if *False*)
    Server domain.

  **mirror_hostname** (string, mandatory)
    Resolvable hostname of FQDN where the Debian apt repositories can be
    found. Only HTTP mirrors are supported.

  **mirror_directory** (string, mandatory)
    Directory under which the Debian apt repositories can be found on the
    specified mirror.

  **mirror_proxy** (string, optional, default is *None*)
    An HTTP proxy that should be used for accessing the Debian apt
    repositories.

  **root_password** (string, mandatory)
    Initial password that should be set for the server during the
    installation.

  **timezone** (string, mandatory)
    Timezone that should be used when calculating server time. It is assumed
    that the local hardware clock is set to UTC.


Examples
~~~~~~~~

Here is an example configuration for a preseed file for two servers, one with
automatic and one with manual network configuration:

.. code-block:: yaml

  ---

  preseed_directory: /var/www/preseed/

  preseed_servers:
    - name: test1.example.com
      language: en
      country: SE
      locale: en_US.UTF-8
      keymap: us
      network_interface: eth0
      network_auto: yes
      mirror_hostname: ftp.se.debian.org
      mirror_directory: /debian
      mirror_proxy: http://proxy.example.com/
      root_password: testserver
      timezone: Europe/Stockholm
    - name: test2.example.com
      language: en
      country: SE
      locale: en_US.UTF-8
      keymap: us
      network_interface: eth0
      network_auto: no
      network_ip: 10.0.0.10
      network_netmask: 255.255.255.0
      network_gateway: 10.0.0.1
      network_dns: 10.0.0.2,10.0.0.3
      network_hostname: test1
      network_domain: example.com
      mirror_hostname: ftp.se.debian.org
      mirror_proxy: http://proxy.example.com/
      mirror_directory: /debian
      root_password: testserver
      timezone: Europe/Stockholm


Common
------

The ``common`` role can be used for applying a common configuration and
hardening across all servers, no matter what services they provide.

The role implements the following:

* Sets-up umask for all logins to ``0027``.
* Installs sudo.
* Installs additional base packages, as configured.
* Creates additional operating system groups, as configured.
* Creates additional operating system users, as configured.
* Hardens the SSH server by disabling remote ``root`` logins and password-based
  authentication.


Parameters
~~~~~~~~~~

**os_users** (list, optional)
  A list of operating system users that should be set-up on a server. Each item
  is a dictionary with the following options describing the user parameters:

  **name** (string, mandatory)
    Name of the operating system user that should be created. User's default
    group will have the same name as the user.

  **uid** (number, mandatory)
    UID for the operating system user. User's default group will have a GID
    identical to the user's UID.

  **additional_groups** (string, mandatory)
    Comma-separated list of additional groups that a user should belong to. If
    no additional groups should be appended to user's list of groups, set it to
    empty string.

  **authorized_keys** (list, mandatory)
    List of SSH public keys that should be deployed to user's authorized_keys
    truststore. If no authorized keys should be deployed, set it to empty list
    (``[]``).

  **password** (string, mandatory)
    Encrypted password that should be set for the user.

**os_groups** (list, optional)
  A list of operating system groups that should be set-up on a server. Each item
  is a dictionary with the following options describing the group parameters:

  **name** (string, mandatory)
    Name of the operating system group that should be created.

  **gid** (number, mandatory)
    GID for the operating system group.

**common_packages** (list, optional)
  List of additional operating system packages that should be installed on the
  server. Each element of the list should be a simple string denoting the name
  of the package.


Examples
~~~~~~~~

Here is an example configuration for setting-up some common users, groups, and
packages on all servers:

.. code-block:: yaml

  ---

  os_users:
    - name: admin
      uid: 1000
      additional_groups: sudo
      authorized_keys:
        - "{{ lookup('file', '/home/admin/.ssh/id_rsa.pub') }}"
      password: '$6$AaJRWtqyX5pk$IP8DUjgY0y2zqMom9BAc.O9qHoQWLFCmEsPRCika6l/Xh87cp2SnlMywH0.r4uEcbHnoicQG46V9VrJ8fxp2d.'
    - name: john
      uid: 1001
      additional_groups: ""
      authorized_keys: []
      password: '$6$AaJRWtqyX5pk$IP8DUjgY0y2zqMom9BAc.O9qHoQWLFCmEsPRCika6l/Xh87cp2SnlMywH0.r4uEcbHnoicQG46V9VrJ8fxp2d.'

  os_groups:
    - name: localusers
      gid: 2500

  common_packages:
    - emacs23-nox
    - screen
    - debconf-utils