* Configures apt to use caching proxy (if any was specified).

* Sets-up umask for all logins to ``0027``.

* Installs sudo.

* Installs additional base packages, as configured.

* Creates additional operating system groups, as configured.

* Creates additional operating system users, as configured.

* Hardens the SSH server by disabling remote ``root`` logins and password-based

  authentication.

* Allows traversing of directory ``/etc/ssl/private/`` to everyone. This lets

  you put TLS private keys in central location where any operating system user

  can reach them provided they have appropriate read/write rights on the file

  itself, and provided they know the exact path of the file.

* Deploys CA certificate files, normally used for truststore purposes, to

  ``/etc/ssl/certs/``.

* Installs ``ferm`` (for iptables management), configuring a basic firewall

  which allows ICMP echo requests (PING), incoming connection on TCP port 22

  (SSH), and also introduces rate-limitting for incoming ICMP echo request

  pacakges and (new) TCP connections. The rate-limitting is based on the source

  IP address, using the ``iptables hashlimit`` module.

Parameters

~~~~~~~~~~

  URI of a caching proxy that should be used when retrieving the packages via

  A list of operating system users that should be set-up on a server. Each item

  is a dictionary with the following options describing the user parameters:

  **name** (string, mandatory)

    Name of the operating system user that should be created. User's default

    group will have the same name as the user.

    UID for the operating system user. User's default group will have a GID

    List of SSH public keys that should be deployed to user's authorized_keys

    Encrypted password that should be set for the user.

  A list of operating system groups that should be set-up on a server. Each item

  is a dictionary with the following options describing the group parameters:

  **name** (string, mandatory)

    Name of the operating system group that should be created.

    GID for the operating system group.

  List of additional operating system packages that should be installed on the

  server. Each element of the list should be a simple string denoting the name

  of the package.

  List of additional CA certificate files that should be deployed on the

  server. Each element of the list should be a filepath to a CA certificate file

  on originating (Ansible) host that should be copied to destination

  server.

  Rate at which the incoming ICMP echo-request packages and new TCP connections

  will be accepted at. The value should be specified in the same format as value

  for the ``iptables hashlimit`` option ``--hashlimit-upto``.

  Initial burst of packages that should be accepted when the client with

  distinct source IP address connects to the server for the first time (usually

  higher than ``incoming_connection_limit``), even if it would go above the

  specified connection limit.

Examples

~~~~~~~~

Here is an example configuration for setting-up some common users, groups, and

packages on all servers:

.. code-block:: yaml

  ---

  os_users:

    - name: admin

      uid: 1000

      authorized_keys:

        - "{{ lookup('file', '/home/admin/.ssh/id_rsa.pub') }}"

      password: '$6$AaJRWtqyX5pk$IP8DUjgY0y2zqMom9BAc.O9qHoQWLFCmEsPRCika6l/Xh87cp2SnlMywH0.r4uEcbHnoicQG46V9VrJ8fxp2d.'

    - name: john

      uid: 1001

      password: '$6$AaJRWtqyX5pk$IP8DUjgY0y2zqMom9BAc.O9qHoQWLFCmEsPRCika6l/Xh87cp2SnlMywH0.r4uEcbHnoicQG46V9VrJ8fxp2d.'

  os_groups:

    - name: localusers

      gid: 2500

  common_packages:

    - emacs23-nox

    - screen

    - debconf-utils

  ca_certificates:

    - ../certs/truststore.pem

  incoming_connection_limit: 2/second

  incoming_connection_limit_burst: 6

.. _ldap_client:

LDAP Client

-----------

The ``ldap_client`` role can be used for setting-up an OpenLDAP client on

---

packages: []

os_users: []

os_groups: []

  file: path="/etc/apt/apt.conf.d/00proxy" state=absent

  when: apt_proxy is undefined

- name: Deploy pam-auth-update configuration file for enabling pam_umask

  copy: src=pam_umask dest=/usr/share/pam-configs/umask mode=644 owner=root group=root

  notify: Update PAM configuration

- name: Set login UMASK

  lineinfile: dest=/etc/login.defs state=present backrefs=yes regexp='^UMASK(\s+)' line='UMASK\g<1>027'

- name: Set home directory mask

  lineinfile: dest=/etc/adduser.conf state=present backrefs=yes regexp='^DIR_MODE=' line='DIR_MODE=0750'

- name: Install sudo

  apt: name=sudo state=present

- name: Install ssl-cert package

  apt: name=ssl-cert state=present

- name: Install common packages

  apt: name="{{ item }}" state="present"

  with_items: common_packages

- name: Set-up operating system groups

  with_items: os_groups

- name: Set-up operating system user groups

  with_items: os_users

- name: Set-up operating system users

  with_items: os_users

- name: Set-up authorised keys

  authorized_key: user="{{ item.0.name }}" key="{{ item.1 }}"

  with_subelements:

    - authorized_keys

- name: Disable remote logins for root

  lineinfile: dest="/etc/ssh/sshd_config" state=present regexp="^PermitRootLogin" line="PermitRootLogin no"

  notify:

    - Restart SSH

- name: Disable remote login authentication via password

  lineinfile: dest="/etc/ssh/sshd_config" state=present regexp="^PasswordAuthentication" line="PasswordAuthentication no"

  notify:

    - Restart SSH

- name: Deploy CA certificates

  copy: src="{{ item }}" dest="/etc/ssl/certs/{{ item | basename }}" mode=644 owner=root group=root

  with_items: ca_certificates

  notify:

    - Update CA certificate cache

- name: Install ferm (for firewall management)

  apt: name=ferm state=installed

- name: Configure ferm init script coniguration file

  copy: src=ferm dest=/etc/default/ferm owner=root group=root mode=644

  notify:

---

# Define domain for the test site that should be used.

testsite_domain: example.com

# Derive some additional values that will be used - basing them on domain.

testsite_domain_underscores: "{{ testsite_domain | regex_replace('\\.', '_') }}"

testsite_domain_alternative: "{{ testsite_domain | regex_replace('\\.[^.]+$', '.something') }}"

testsite_ldap_base: "{{ testsite_domain | regex_replace('\\.', ',dc=') | regex_replace('^', 'dc=') }}"

# Configuration for roles bootstrap and preseed.

ansible_key: "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"

# Configuration for role 'common', shared across all servers.

os_users:

  - name: admin

    uid: 1000

    authorized_keys:

      - "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"

    password: '$6$/aerscJY6aevRG$ABBCymEDtk2mHW/dklre9dMEdgZNJvVHsGLCzgjGmy61FssZ.KW7ePcO2wsMGIkHcg3mZlrA4dhYh.APq9OQu0'

  - name: johndoe

    uid: 1001

    password: '$6$cJnUatae7cMz23fl$O3HE2TslnEaKaTDSZnvuDDrfqILAiuMV1wOPGVnkUQFxUu3gIWZOyO7AI1OWYkqeQMVBiezpSqYNiQy6NF6bi0'

os_groups:

  - name: office

    gid: 1500

  - name: developer

    gid: 1501

common_packages:

  - emacs24-nox

  - screen

  - debconf-utils

  - colordiff

  - unzip

ca_certificates:

  - "{{ inventory_dir }}/tls/ca.pem"

incoming_connection_limit: 2/second

incoming_connection_limit_burst: 6