majic-ansible-roles Changeset

Changeset - babda105c9cf

Parent rev.

Child rev.

[Not reviewed]

0 2 1

Branko Majic (branko) - 9 years ago 2015-08-16 22:38:56
branko@majic.rs

MAR-16: Added option to common role for setting-up caching proxy for apt.

3 files changed with 15 insertions and 0 deletions:

docs/rolereference.rst

roles/common/tasks/main.yml

roles/common/templates/apt_proxy.j2

0 comments (0 inline, 0 general)

docs/rolereference.rst

➞

Show inline comments

@@ @@ -188,47 +188,52 @@ With such a playbook in place, it would be invoked with: @@
   ansible-playbook --ask-pass -e server=test1.example.com bootstrap.yml
 Common
 ------
 The ``common`` role can be used for applying a common configuration and
 hardening across all servers, no matter what services they provide.
 The role implements the following:
 * Configures apt to use caching proxy (if any was specified).
 * Sets-up umask for all logins to ``0027``.
 * Installs sudo.
 * Installs additional base packages, as configured.
 * Creates additional operating system groups, as configured.
 * Creates additional operating system users, as configured.
 * Hardens the SSH server by disabling remote ``root`` logins and password-based
   authentication.
 * Allows traversing of directory ``/etc/ssl/private/`` to everyone. This lets
   you put TLS private keys in central location where any operating system user
   can reach them provided they have appropriate read/write rights on the file
   itself, and provided they know the exact path of the file.
 * Deploys CA certificate files, normally used for truststore purposes, to
   ``/etc/ssl/certs/``.
 * Installs ``ferm`` (for iptables management), configuring a basic firewall
   which allows ICMP echo requests (PING), incoming connection on TCP port 22
   (SSH), and also introduces rate-limitting for incoming ICMP echo request
   pacakges and (new) TCP connections. The rate-limitting is based on the source
   IP address, using the ``iptables hashlimit`` module.
 Parameters
 ~~~~~~~~~~
 **apt_proxy** (string, optional)
   URI of a caching proxy that should be used when retrieving the packages via
   apt. Default is no proxy.
 **os_users** (list, optional)
   A list of operating system users that should be set-up on a server. Each item
   is a dictionary with the following options describing the user parameters:
   **name** (string, mandatory)
     Name of the operating system user that should be created. User's default
     group will have the same name as the user.
   **uid** (number, mandatory)
     UID for the operating system user. User's default group will have a GID
     identical to the user's UID.

roles/common/tasks/main.yml

➞

Show inline comments

 ---
 - name: Enable use of proxy for retrieving system packages via apt
   template: src="apt_proxy.j2" dest="/etc/apt/apt.conf.d/00proxy"
             owner=root group=root mode=644
   when: apt_proxy is defined
 - name: Disable use of proxy for retrieving system packages via apt
   file: path="/etc/apt/apt.conf.d/00proxy" state=absent
   when: apt_proxy is undefined
 - name: Deploy pam-auth-update configuration file for enabling pam_umask
   copy: src=pam_umask dest=/usr/share/pam-configs/umask mode=644 owner=root group=root
   notify: Update PAM configuration
 - name: Set login UMASK
   lineinfile: dest=/etc/login.defs state=present backrefs=yes regexp='^UMASK(\s+)' line='UMASK\g<1>027'
 - name: Set home directory mask
   lineinfile: dest=/etc/adduser.conf state=present backrefs=yes regexp='^DIR_MODE=' line='DIR_MODE=0750'
 - name: Install sudo
   apt: name=sudo state=present

roles/common/templates/apt_proxy.j2

➞

Show inline comments

		new file 100644
		Acquire::http::Proxy "{{ apt_proxy }}";

0 comments (0 inline, 0 general)