From 626eadba53b744617f160126ef1358375053b2d3 2014-11-08 22:25:09 From: Branko Majic Date: 2014-11-08 22:25:09 Subject: [PATCH] MAR-2: Added the 'common' role for some basic server set-up. --- diff --git a/docs/rolereference.rst b/docs/rolereference.rst index d280c2d72b84bb802eebd718157c8c95322ab056..c39387179e3ff88f2b49ba0a06faaa69c4ee6475 100644 --- a/docs/rolereference.rst +++ b/docs/rolereference.rst @@ -5,8 +5,8 @@ Role Reference Preseed ------- -This role can be used for generating simple preseed files for Debian Wheezy -installations. +The ``preseed`` role can be used for generating simple preseed files for Debian +Wheezy installations. The generated preseed files allow simplified installation, with a single root partition. A number of common parameters can be provided. 
@@ -129,3 +129,97 @@ automatic and one with manual network configuration: mirror_directory: /debian root_password: testserver timezone: Europe/Stockholm + + +Common +------ + +The ``common`` role can be used for applying a common configuration and +hardening across all servers, no matter what services they provide. + +The role implements the following: + +* Sets-up umask for all logins to ``0027``. +* Installs sudo. +* Installs additional base packages, as configured. +* Creates additional operating system groups, as configured. +* Creates additional operating system users, as configured. +* Hardens the SSH server by disabling remote ``root`` logins and password-based + authentication. + + +Parameters +~~~~~~~~~~ + +**os_users** (list, optional) + A list of operating system users that should be set-up on a server. Each item + is a dictionary with the following options describing the user parameters: + + **name** (string, mandatory) + Name of the operating system user that should be created. User's default + group will have the same name as the user. + + **uid** (number, mandatory) + UID for the operating system user. User's default group will have a GID + identical to the user's UID. + + **additional_groups** (string, mandatory) + Comma-separated list of additional groups that a user should belong to. If + no additional groups should be appended to user's list of groups, set it to + empty string. + + **authorized_keys** (list, mandatory) + List of SSH public keys that should be deployed to user's authorized_keys + truststore. If no authorized keys should be deployed, set it to empty list + (``[]``). + + **password** (string, mandatory) + Encrypted password that should be set for the user. + +**os_groups** (list, optional) + A list of operating system groups that should be set-up on a server. 
Each item + is a dictionary with the following options describing the group parameters: + + **name** (string, mandatory) + Name of the operating system group that should be created. + + **gid** (number, mandatory) + GID for the operating system group. + +**common_packages** (list, optional) + List of additional operating system packages that should be installed on the + server. Each element of the list should be a simple string denoting the name + of the package. + + +Examples +~~~~~~~~ + +Here is an example configuration for setting-up some common users, groups, and +packages on all servers: + +.. code-block:: yaml + + --- + + os_users: + - name: admin + uid: 1000 + additional_groups: sudo + authorized_keys: + - "{{ lookup('file', '/home/admin/.ssh/id_rsa.pub') }}" + password: '$6$AaJRWtqyX5pk$IP8DUjgY0y2zqMom9BAc.O9qHoQWLFCmEsPRCika6l/Xh87cp2SnlMywH0.r4uEcbHnoicQG46V9VrJ8fxp2d.' + - name: john + uid: 1001 + additional_groups: "" + authorized_keys: [] + password: '$6$AaJRWtqyX5pk$IP8DUjgY0y2zqMom9BAc.O9qHoQWLFCmEsPRCika6l/Xh87cp2SnlMywH0.r4uEcbHnoicQG46V9VrJ8fxp2d.' + + os_groups: + - name: localusers + gid: 2500 + + common_packages: + - emacs23-nox + - screen + - debconf-utils diff --git a/roles/bootstrap/files/ansible_sudo b/roles/bootstrap/files/ansible_sudo new file mode 100644 index 0000000000000000000000000000000000000000..763a0bb6c2e7e56437f70919c6f8b9ac3637c3f7 --- /dev/null +++ b/roles/bootstrap/files/ansible_sudo @@ -0,0 +1 @@ +ansible ALL=(ALL:ALL) NOPASSWD:ALL diff --git a/roles/bootstrap/tasks/main.yml b/roles/bootstrap/tasks/main.yml new file mode 100644 index 0000000000000000000000000000000000000000..6e32bbd6d0016ec5ec80fe20ea0c00b910f16799 --- /dev/null +++ b/roles/bootstrap/tasks/main.yml 
@@ -0,0 +1,16 @@ +--- + +- name: Install sudo + apt: name=sudo state=installed + +- name: Set-up the Ansible group + group: name=ansible system=yes + +- name: Set-up the Ansible user + user: name=ansible system=yes group=ansible shell=/bin/bash + +- name: Set-up authorized key for the Ansible user + authorized_key: user=ansible key="{{ lookup('file', ansible_key) }}" + +- name: Set-up password-less sudo for the ansible user + copy: src=ansible_sudo dest=/etc/sudoers.d/ansible mode=640 owner=root group=root \ No newline at end of file diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml new file mode 100644 index 0000000000000000000000000000000000000000..535c0671596129840defe9996c05e5cc9ff0e4ea --- /dev/null +++ b/roles/common/defaults/main.yml @@ -0,0 +1,5 @@ +--- + +packages: [] +os_users: [] +os_groups: [] \ No newline at end of file diff --git a/roles/common/files/pam_majic b/roles/common/files/pam_majic new file mode 100644 index 0000000000000000000000000000000000000000..69967cfbc93b54e3dc219101cf7a374c94cec975 --- /dev/null +++ b/roles/common/files/pam_majic @@ -0,0 +1,6 @@ +Name: Autentication rules for enabling the use of pam_umask +Default: yes +Priority: 256 +Session-Type: Additional +Session: + required pam_umask.so diff --git a/roles/common/files/pam_umask b/roles/common/files/pam_umask new file mode 100644 index 0000000000000000000000000000000000000000..69967cfbc93b54e3dc219101cf7a374c94cec975 --- /dev/null +++ b/roles/common/files/pam_umask @@ -0,0 +1,6 @@ +Name: Autentication rules for enabling the use of pam_umask +Default: yes +Priority: 256 +Session-Type: Additional +Session: + required pam_umask.so diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml new file mode 100644 index 0000000000000000000000000000000000000000..9b8e3c3b5e694ce1eb2e282758bed22548870615 --- /dev/null +++ b/roles/common/handlers/main.yml 
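Review bot: The last task installs the sudoers fragment with `mode=640` and no syntax check, which is the weakest point of this hunk: sudo of the Wheezy era refuses sudoers.d files whose mode carries bits beyond 0440 (it logs `is mode 0640, should be 0440` and skips the file, as far as I recall), and a malformed fragment would only surface at the next `sudo` call rather than at deploy time. Change the task to `copy: src=ansible_sudo dest=/etc/sudoers.d/ansible mode=0440 owner=root group=root validate='/usr/sbin/visudo -cf %s'` so the fragment is parsed before it is put in place. The first task's `apt: name=sudo state=installed` uses a legacy alias; `state=present` matches the common role's own sudo task.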
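Review bot: `packages: []` in this defaults file does not match the variable the role actually reads: `roles/common/tasks/main.yml` loops over `with_items: common_packages` and the documentation names the parameter `common_packages`, so on a host that sets nothing the install task errors on an undefined variable instead of being a no-op. Rename the default to `common_packages: []`. The file also ends without a trailing newline, which yamllint flags.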
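Review bot: `pam_majic` is byte-identical to `pam_umask` (both hunks carry blob 69967cfbc9) and nothing in the role references it — `roles/common/tasks/main.yml` copies only `pam_umask` — so it reads as a leftover from a rename. Dropping it avoids two copies of the same profile drifting apart; if a second, differently named profile was intended, at least its `Name:` field should differ. The `Name:` line also carries the typo `Autentication`, which is the label pam-auth-update shows to the operator.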
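Review bot: The `Session:` stanza uses `required pam_umask.so`, where Debian's own wiring is `optional`: as far as I recall the pam-auth-update template for common-session on Wheezy already carries `session optional pam_umask.so`, so this profile adds a second, stricter entry in the Additional block rather than enabling the module for the first time — check `grep pam_umask /etc/pam.d/common-session` on a target before keeping it, and if kept use `optional pam_umask.so` so a module failure cannot turn into a refused login. Separately, because no `umask=` option is given, pam_umask takes the value from login.defs and then honours `USERGROUPS_ENAB yes` (Debian's default) for users whose primary group has their own name — exactly the per-user groups this role creates — so the effective umask for them may come out as 007 rather than 027; verify with `umask` in a fresh login. Fix `Autentication` to `Authentication` in `Name:`.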
@@ -0,0 +1,8 @@ +--- + +- name: Update PAM configuration + command: /bin/ls + command: /usr/sbin/pam-auth-update --package + +- name: Restart SSH + service: name=ssh state=restarted \ No newline at end of file diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml new file mode 100644 index 0000000000000000000000000000000000000000..3ac66a613f50fdf118d5c86d966e8cb2453915e7 --- /dev/null +++ b/roles/common/tasks/main.yml 
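Review bot: The `Update PAM configuration` handler declares `command:` twice (`/bin/ls`, then `/usr/sbin/pam-auth-update --package`), which is a duplicate mapping key: YAML loaders either silently keep the last value or reject the document, so the `/bin/ls` line is at best dead and at worst a parse error on a stricter loader. Delete the `command: /bin/ls` line so the handler reads only `command: /usr/sbin/pam-auth-update --package`.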
@@ -0,0 +1,48 @@ +--- + +- name: Deploy pam-auth-update configuration file for enabling pam_umask + copy: src=pam_umask dest=/usr/share/pam-configs/umask mode=644 owner=root group=root + notify: Update PAM configuration + +- name: Set login UMASK + lineinfile: dest=/etc/login.defs state=present backrefs=yes regexp='^UMASK(\s+)' line='UMASK\g<1>027' + +- name: Set home directory mask + lineinfile: dest=/etc/adduser.conf state=present backrefs=yes regexp='^DIR_MODE=' line='DIR_MODE=0750' + +- name: Install sudo + apt: name=sudo state=present + +- name: Install common packages + apt: name="{{ item }}" state="present" + with_items: common_packages + +- name: Set-up operating system groups + group: name="{{ item.name }}" gid="{{ item.gid }}" state=present + with_items: os_groups + +- name: Set-up operating system user groups + group: name="{{ item.name }}" gid="{{ item.uid }}" state=present + with_items: os_users + +- name: Set-up operating system users + user: name="{{ item.name }}" uid="{{ item.uid }}" group="{{ item.name }}" + groups="{{ item.additional_groups }}" append=yes shell=/bin/bash state=present + password="{{ item.password }}" + with_items: os_users + +- name: Set-up authorised keys + authorized_key: user="{{ item.0.name }}" key="{{ item.1 }}" + with_subelements: + - os_users + - authorized_keys + +- name: Disable remote logins for root + lineinfile: dest="/etc/ssh/sshd_config" state=present regexp="^PermitRootLogin" line="PermitRootLogin no" + notify: + - Restart SSH + +- name: Disable remote login authentication via password + lineinfile: dest="/etc/ssh/sshd_config" state=present regexp="^PasswordAuthentication" line="PasswordAuthentication no" + notify: + - Restart SSH \ No newline at end of file
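Review bot: The two sshd_config edits at the end of the hunk rewrite the file and restart SSH without checking the result, and they leave the keyboard-interactive path open: with `PasswordAuthentication no` alone, sshd still accepts PAM password prompts whenever `ChallengeResponseAuthentication` is `yes` (Debian's stock file sets it to `no`, but nothing here enforces that), and a typo in either `line=` would take sshd down on the notified restart on hosts reachable only by key. Add `validate="/usr/sbin/sshd -t -f %s"` to both lineinfile tasks (lineinfile supports validate since Ansible 1.4, as far as I recall) and a third task pinning `ChallengeResponseAuthentication no`, as below. Also worth a comment on the `Set-up authorised keys` task: `authorized_key` runs without `exclusive`, so a key removed from `os_users[].authorized_keys` stays on the server until revoked by hand, e.g. `# Keys are only added; removing one from the list does not revoke it on the host`.

```yaml
# … unchanged: PAM profile, umask, sudo, packages, groups, users, authorized keys …

- name: Disable remote logins for root
  lineinfile: dest="/etc/ssh/sshd_config" state=present regexp="^PermitRootLogin" line="PermitRootLogin no"
              validate="/usr/sbin/sshd -t -f %s"
  notify:
    - Restart SSH

- name: Disable remote login authentication via password
  lineinfile: dest="/etc/ssh/sshd_config" state=present regexp="^PasswordAuthentication" line="PasswordAuthentication no"
              validate="/usr/sbin/sshd -t -f %s"
  notify:
    - Restart SSH

# PasswordAuthentication only covers the "password" method; PAM prompts arrive via
# keyboard-interactive, which is governed by ChallengeResponseAuthentication.
- name: Disable keyboard-interactive (PAM) password authentication
  lineinfile: dest="/etc/ssh/sshd_config" state=present regexp="^ChallengeResponseAuthentication" line="ChallengeResponseAuthentication no"
              validate="/usr/sbin/sshd -t -f %s"
  notify:
    - Restart SSH
```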