hardening across all servers, no matter what services they provide.

The role implements the following:

* Configures apt to use caching proxy (if any was specified).

* Sets-up umask for all logins to ``0027``.

* Installs sudo.

* Sets-up uniform bash prompt for all accounts (optionally coloured and with

  identifier). This is useful for distinguishing machines and/or environments.

* Sets-up ability to have user-specific ``/etc/profile.d/`` entries via

  ``$HOME/.profile.d/``.

* Installs additional base packages, as configured.

* Disables ``electric-indent-mode`` in Emacs globally if either the ``emacs24``

  or ``emacs24-nox`` are installed through the role.

* Creates additional operating system groups, as configured.

* Creates additional operating system users, as configured.

* Hardens the SSH server by disabling remote ``root`` logins and password-based

  authentication.

* Allows traversing of directory ``/etc/ssl/private/`` to everyone. This lets

  you put TLS private keys in central location where any operating system user

  can reach them provided they have appropriate read/write rights on the file

  itself, and provided they know the exact path of the file.

* Deploys CA certificate files, normally used for truststore purposes, to

  ``/usr/local/share/ca-certificates/``.

* Installs ``ferm`` (for iptables management), configuring a basic firewall

  which allows ICMP echo requests (PING), incoming connection on TCP port 22

  (SSH), and also introduces rate-limitting for incoming ICMP echo request

  pacakges and (new) TCP connections. The rate-limitting is based on the source

  IP address, using the ``iptables hashlimit`` module.

Role dependencies

~~~~~~~~~~~~~~~~~

Depends on the following roles:

* **backup_client**

Backups

~~~~~~~

If the backup for this role has been enabled, the following paths are backed-up:

**/var/log**

  Log files from the system.

**/home**

**/root**

**/etc/shadow**

  Operating system user passwords.

**/var/mail**

  Local user's mails.

**/var/spool/cron**

  Local user's cronjobs.

Parameters

~~~~~~~~~~

**apt_proxy** (string, optional, ``None``)

  URI of a caching proxy that should be used when retrieving the packages via

  apt.

**os_users** (list, optional, ``[]``)

  A list of operating system users that should be set-up on a server. Each item

  is a dictionary with the following options describing the user parameters:

  **name** (string, mandatory)

    Name of the operating system user that should be created. User's default

    group will have the same name as the user.

  **uid** (number, optional, ``whatever OS picks``)

    UID for the operating system user. User's default group will have a GID

    identical to the user's UID if specified. Otherwise user's default group

    will have OS-determined GID.

  **additional_groups** (list, optional, ``[]``)

    Comma-separated list of additional groups that a user should belong to.

  **authorized_keys** (list, optional, ``[]``)

    List of SSH public keys that should be deployed to user's authorized_keys

    truststore.

  **password** (string, optional, ``!`` - no password)

    Encrypted password that should be set for the user.

**os_groups** (list, optional, ``[]``)

  A list of operating system groups that should be set-up on a server. Each item

  is a dictionary with the following options describing the group parameters:

  **name** (string, mandatory)

    Name of the operating system group that should be created.

  **gid** (number, optional, ``whatever OS picks``)

    GID for the operating system group.

**common_packages** (list, optional, ``[]``)

  List of additional operating system packages that should be installed on the

  server. Each element of the list should be a simple string denoting the name

  of the package.

**ca_certificates** (list, optional, ``{}``)

  Dictionary containing the CA certificates to deploy. Keys are base filenames

  (**without extension**) to be used when placing a certificate file in

  directory ``/usr/local/share/ca-certificates/``, while values are

  corresponding content to be placed in the file.

**incoming_connection_limit** (string, optional, ``3/second``)

  Rate at which the incoming ICMP echo-request packages and new TCP connections

  will be accepted at. The value should be specified in the same format as value

  for the ``iptables hashlimit`` option ``--hashlimit-upto``.

**incoming_connection_limit_burst** (string, optional, ``9``)

  Initial burst of packages that should be accepted when the client with

  distinct source IP address connects to the server for the first time (usually

  higher than ``incoming_connection_limit``), even if it would go above the

  specified connection limit.

**prompt_colour** (string, optional, ``none``)

  Colour for showing the Bash prompt. Supported values are:

  ``black``, ``red``, ``green``, ``brown``, ``blue``, ``purple``, ``cyan``,

  ``light_gray``, ``dark_gray``, ``light_red``, ``light_green``, ``yellow``,

  ``light_blue``, ``light_purple``, ``light_cyan``, ``white``, ``none``.

  You should probably *not* use the ``black`` colour. Setting affects Bash

  shells *only*. Setting the value to ``none`` uses default terminal colour.

**prompt_id** (string, optional, ``NONE``)

  Optional identifier appended to regular Bash prompt, useful for visually

  identifying distinct environments. For example, if set to ``test``, resulting

  prompt will be similar to ``admin@web[test]:~$``. Setting affects Bash shells

  *only*.

Examples

~~~~~~~~

Here is an example configuration for setting-up some common users, groups, and

packages on all servers:

.. code-block:: yaml

  ---

  os_users:

    - name: admin

      uid: 1000

      additional_groups:

        - sudo

      authorized_keys:

        - "{{ lookup('file', '/home/admin/.ssh/id_rsa.pub') }}"

      password: '$6$AaJRWtqyX5pk$IP8DUjgY0y2zqMom9BAc.O9qHoQWLFCmEsPRCika6l/Xh87cp2SnlMywH0.r4uEcbHnoicQG46V9VrJ8fxp2d.'

    - name: john

      uid: 1001

---

enable_backup: False

common_packages: []

os_users: []

os_groups: []

ca_certificates: {}

incoming_connection_limit: 3/second

incoming_connection_limit_burst: 9

prompt_colour: none

prompt_id: null

# Internal use only.

prompt_colour_mapping:

  black: "0;30"

  red: "0;31"

  green: "0;32"

  brown: "0;33"

  blue: "0;34"

  purple: "0;35"

  cyan: "0;36"

  light_gray: "0;37"

  dark_gray: "1;30"

  light_red: "1;31"

  light_green: "1;32"

  yellow: "1;33"

  light_blue: "1;34"

  light_purple: "1;35"

  light_cyan: "1;36"

  white: "1;37"

  none: "0"

---

dependencies:

  - role: backup

    when: enable_backup

    backup_patterns_filename: common

    backup_patterns:

      - "/var/log"

      - "/etc/shadow"

      - "/var/mail"

---

mail_ldap_url: ldap://ldap.{{ testsite_domain }}/

mail_ldap_tls_truststore: "{{ lookup('file', inventory_dir + '/tls/ca.pem') }}"

mail_ldap_base_dn: "{{ testsite_ldap_base }}"

mail_ldap_postfix_password: postfix

mail_ldap_dovecot_password: dovecot

mail_user: vmail

mail_user_uid: 5000

mail_user_gid: 5000

local_mail_aliases:

  root: "root john.doe@{{ testsite_domain }}"

imap_tls_certificate: "{{ lookup('file', inventory_dir + '/tls/mail.' + testsite_domain + '_imap.pem') }}"

imap_tls_key: "{{ lookup('file', inventory_dir + '/tls/mail.' + testsite_domain + '_imap.key') }}"

smtp_tls_certificate: "{{ lookup('file', inventory_dir + '/tls/mail.' + testsite_domain + '_smtp.pem') }}"

smtp_tls_key: "{{ lookup('file', inventory_dir + '/tls/mail.' + testsite_domain + '_smtp.key') }}"

imap_folder_separator: /

smtp_rbl:

  - bl.spamcop.net

  - zen.spamhaus.org

mail_postmaster: postmaster@{{ testsite_domain }}

smtp_allow_relay_from:

  - ldap.{{ testsite_domain }}

  - xmpp.{{ testsite_domain }}

  - web.{{ testsite_domain }}

imap_max_user_connections_per_ip: 50

mail_server_tls_protocols:

  - TLSv1.2

  - TLSv1.1