Changeset - 626eadba53b7
[Not reviewed]
0 1 7
Branko Majic (branko) - 9 years ago 2014-11-08 22:25:09
branko@majic.rs
MAR-2: Added the 'common' role for some basic server set-up.
8 files changed with 186 insertions and 2 deletions:
0 comments (0 inline, 0 general)
docs/rolereference.rst
 
@@ -5,8 +5,8 @@ Role Reference
 
Preseed
 
-------
 

	
 
This role can be used for generating simple preseed files for Debian Wheezy
 
installations.
 
The ``preseed`` role can be used for generating simple preseed files for Debian
 
Wheezy installations.
 

	
 
The generated preseed files allow simplified installation, with a single root
 
partition. A number of common parameters can be provided.
 
@@ -129,3 +129,97 @@ automatic and one with manual network configuration:
 
      mirror_directory: /debian
 
      root_password: testserver
 
      timezone: Europe/Stockholm
 

	
 

	
 
Common
 
------
 

	
 
The ``common`` role can be used for applying a common configuration and
 
hardening across all servers, no matter what services they provide.
 

	
 
The role implements the following:
 

	
 
* Sets-up umask for all logins to ``0027``.
 
* Installs sudo.
 
* Installs additional base packages, as configured.
 
* Creates additional operating system groups, as configured.
 
* Creates additional operating system users, as configured.
 
* Hardens the SSH server by disabling remote ``root`` logins and password-based
 
  authentication.
 

	
 

	
 
Parameters
 
~~~~~~~~~~
 

	
 
**os_users** (list, optional)
 
  A list of operating system users that should be set-up on a server. Each item
 
  is a dictionary with the following options describing the user parameters:
 

	
 
  **name** (string, mandatory)
 
    Name of the operating system user that should be created. User's default
 
    group will have the same name as the user.
 

	
 
  **uid** (number, mandatory)
 
    UID for the operating system user. User's default group will have a GID
 
    identical to the user's UID.
 

	
 
  **additional_groups** (string, mandatory)
 
    Comma-separated list of additional groups that a user should belong to. If
 
    no additional groups should be appended to user's list of groups, set it to
 
    empty string.
 

	
 
  **authorized_keys** (list, mandatory)
 
    List of SSH public keys that should be deployed to user's authorized_keys
 
    truststore. If no authorized keys should be deployed, set it to empty list
 
    (``[]``).
 

	
 
  **password** (string, mandatory)
 
    Encrypted password that should be set for the user.
 

	
 
**os_groups** (list, optional)
 
  A list of operating system groups that should be set-up on a server. Each item
 
  is a dictionary with the following options describing the group parameters:
 

	
 
  **name** (string, mandatory)
 
    Name of the operating system group that should be created.
 

	
 
  **gid** (number, mandatory)
 
    GID for the operating system group.
 

	
 
**common_packages** (list, optional)
 
  List of additional operating system packages that should be installed on the
 
  server. Each element of the list should be a simple string denoting the name
 
  of the package.
 

	
 

	
 
Examples
 
~~~~~~~~
 

	
 
Here is an example configuration for setting-up some common users, groups, and
 
packages on all servers:
 

	
 
.. code-block:: yaml
 

	
 
  ---
 

	
 
  os_users:
 
    - name: admin
 
      uid: 1000
 
      additional_groups: sudo
 
      authorized_keys:
 
        - "{{ lookup('file', '/home/admin/.ssh/id_rsa.pub') }}"
 
      password: '$6$AaJRWtqyX5pk$IP8DUjgY0y2zqMom9BAc.O9qHoQWLFCmEsPRCika6l/Xh87cp2SnlMywH0.r4uEcbHnoicQG46V9VrJ8fxp2d.'
 
    - name: john
 
      uid: 1001
 
      additional_groups: ""
 
      authorized_keys: []
 
      password: '$6$AaJRWtqyX5pk$IP8DUjgY0y2zqMom9BAc.O9qHoQWLFCmEsPRCika6l/Xh87cp2SnlMywH0.r4uEcbHnoicQG46V9VrJ8fxp2d.'
 

	
 
  os_groups:
 
    - name: localusers
 
      gid: 2500
 

	
 
  common_packages:
 
    - emacs23-nox
 
    - screen
 
    - debconf-utils
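Review bot: the feature list near the top of this hunk leaves out one change the role makes to every server: roles/common/tasks/main.yml also sets `DIR_MODE=0750` in /etc/adduser.conf, so new home directories stop being world-readable. Add a bullet for it, since operators reading this page will otherwise be surprised by the permissions on new home directories. The `password` option should also say the value is a crypt(3) hash (the example uses a `$6$` SHA-512 hash), because the task passes `item.password` straight to the user module, and the two example users share one hash; a clearly marked placeholder would avoid that hash being copied verbatim into real inventories.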
roles/bootstrap/files/ansible_sudo
 
new file 100644
 
ansible	ALL=(ALL:ALL) NOPASSWD:ALL
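Review bot: this line makes the `ansible` account root-equivalent with no password prompt on every bootstrapped host, so whoever holds the private half of the key deployed via `ansible_key` effectively holds root on all of them. That is the usual trade-off for a push-based configuration tool, but it should be stated in docs/rolereference.rst; the bootstrap role this changeset adds is not described there, and the commit message only mentions the `common` role.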
roles/bootstrap/tasks/main.yml
 
new file 100644
 
---
 

	
 
- name: Install sudo
 
  apt: name=sudo state=installed
 

	
 
- name: Set-up the Ansible group
 
  group: name=ansible system=yes
 

	
 
- name: Set-up the Ansible user
 
  user: name=ansible system=yes group=ansible shell=/bin/bash
 

	
 
- name: Set-up authorized key for the Ansible user
 
  authorized_key: user=ansible key="{{ lookup('file', ansible_key) }}"
 

	
 
- name: Set-up password-less sudo for the ansible user
 
  copy: src=ansible_sudo dest=/etc/sudoers.d/ansible mode=640 owner=root group=root
 
\ No newline at end of file
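Review bot: the `copy` for /etc/sudoers.d/ansible sets `mode=640`, but sudo expects 0440 on sudoers fragments and rejects a file carrying the extra group-write bit, so the password-less grant would not take effect; use `mode=0440` and add `validate='visudo -cf %s'` so a syntactically broken fragment is never installed. Two smaller points in the same file: `ansible_key` is looked up with `lookup('file', ansible_key)` but has no default (there is no roles/bootstrap/defaults/main.yml in this changeset) and is not documented, so the role fails on an undefined variable unless the caller knows to set it; and `state=installed` here versus `state=present` in roles/common/tasks/main.yml should be made consistent.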
roles/common/defaults/main.yml
 
new file 100644
 
---
 

	
 
packages: []
 
os_users: []
 
os_groups: []
 
\ No newline at end of file
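Review bot: the default is named `packages`, but the task in roles/common/tasks/main.yml iterates `with_items: common_packages` and the documentation hunk describes the parameter as `common_packages`. With this file as written, a play that does not set `common_packages` fails on an undefined variable instead of installing nothing. Rename the key to `common_packages: []`.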
roles/common/files/pam_majic
 
new file 100644
 
Name: Autentication rules for enabling the use of pam_umask
 
Default: yes
 
Priority: 256
 
Session-Type: Additional
 
Session:
 
        required        pam_umask.so
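Review bot: this file is byte-for-byte identical to roles/common/files/pam_umask added in the same changeset, and nothing in roles/common/tasks/main.yml references `pam_majic` (the copy task uses `src=pam_umask`), so it looks like a leftover from an earlier name. Drop it so there is a single source of truth for the PAM profile.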
roles/common/files/pam_umask
 
new file 100644
 
Name: Autentication rules for enabling the use of pam_umask
 
Default: yes
 
Priority: 256
 
Session-Type: Additional
 
Session:
 
        required        pam_umask.so
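Review bot: the `Name:` field is the description pam-auth-update shows to administrators, and it has a typo ("Autentication") and describes the mechanism rather than the effect. Something like "Set umask via pam_umask" reads better in the pam-auth-update dialog and makes the purpose of the profile obvious when auditing /usr/share/pam-configs.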
roles/common/handlers/main.yml
 
new file 100644
 
---
 

	
 
- name: Update PAM configuration
 
  command: /bin/ls
 
  command: /usr/sbin/pam-auth-update --package
 

	
 
- name: Restart SSH
 
  service: name=ssh state=restarted
 
\ No newline at end of file
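Review bot: the "Update PAM configuration" handler has two `command:` keys in one mapping. YAML does not allow duplicate keys, and PyYAML silently keeps the last one, so `command: /bin/ls` is dead today and would mask the real `pam-auth-update --package` call if the lines were ever reordered. Remove the `/bin/ls` line.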
roles/common/tasks/main.yml
 
new file 100644
 
---
 

	
 
- name: Deploy pam-auth-update configuration file for enabling pam_umask
 
  copy: src=pam_umask dest=/usr/share/pam-configs/umask mode=644 owner=root group=root
 
  notify: Update PAM configuration
 

	
 
- name: Set login UMASK
 
  lineinfile: dest=/etc/login.defs state=present backrefs=yes regexp='^UMASK(\s+)' line='UMASK\g<1>027'
 

	
 
- name: Set home directory mask
 
  lineinfile: dest=/etc/adduser.conf state=present backrefs=yes regexp='^DIR_MODE=' line='DIR_MODE=0750'
 

	
 
- name: Install sudo
 
  apt: name=sudo state=present
 

	
 
- name: Install common packages
 
  apt: name="{{ item }}" state="present"
 
  with_items: common_packages
 

	
 
- name: Set-up operating system groups
 
  group: name="{{ item.name }}" gid="{{ item.gid }}" state=present
 
  with_items: os_groups
 

	
 
- name: Set-up operating system user groups
 
  group: name="{{ item.name }}" gid="{{ item.uid }}" state=present
 
  with_items: os_users
 

	
 
- name: Set-up operating system users
 
  user: name="{{ item.name }}" uid="{{ item.uid }}" group="{{ item.name }}"
 
        groups="{{ item.additional_groups }}" append=yes shell=/bin/bash state=present
 
        password="{{ item.password }}"
 
  with_items: os_users
 

	
 
- name: Set-up authorised keys
 
  authorized_key: user="{{ item.0.name }}" key="{{ item.1 }}"
 
  with_subelements:
 
    - os_users
 
    - authorized_keys
 

	
 
- name: Disable remote logins for root
 
  lineinfile: dest="/etc/ssh/sshd_config" state=present regexp="^PermitRootLogin" line="PermitRootLogin no"
 
  notify:
 
    - Restart SSH
 

	
 
- name: Disable remote login authentication via password
 
  lineinfile: dest="/etc/ssh/sshd_config" state=present regexp="^PasswordAuthentication" line="PasswordAuthentication no"
 
  notify:
 
    - Restart SSH
 
\ No newline at end of file
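Review bot: the two sshd_config edits at the end of this hunk do not fully deliver what the docs hunk promises ("disabling ... password-based authentication"): with Debian's `UsePAM yes`, sshd can still accept a password over keyboard-interactive authentication unless `ChallengeResponseAuthentication no` is also set, so add a third `lineinfile` for that directive alongside `PermitRootLogin` and `PasswordAuthentication`. Give all three `validate='/usr/sbin/sshd -t -f %s'` so a malformed result is rejected before the `Restart SSH` handler runs, and note that `lineinfile` appends a missing directive at the end of the file, which lands inside any trailing `Match` block. Separately, the "Set login UMASK" task uses `backrefs=yes`, which means it silently does nothing if /etc/login.defs has no `UMASK` line; that is fine on a stock Debian file but worth a comment, since the umask hardening then depends on the line already being present.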