@@ -188,47 +188,52 @@ With such a playbook in place, it would be invoked with:

ansible-playbook --ask-pass -e server=test1.example.com bootstrap.yml


Common
------

The ``common`` role can be used for applying a common configuration and
hardening across all servers, no matter what services they provide.

The role implements the following:

* Configures apt to use caching proxy (if any was specified).
* Sets-up umask for all logins to ``0027``.
* Installs sudo.
* Installs additional base packages, as configured.
* Creates additional operating system groups, as configured.
* Creates additional operating system users, as configured.
* Hardens the SSH server by disabling remote ``root`` logins and password-based
authentication.
* Allows traversing of directory ``/etc/ssl/private/`` to everyone. This lets
you put TLS private keys in central location where any operating system user
can reach them provided they have appropriate read/write rights on the file
itself, and provided they know the exact path of the file.
* Deploys CA certificate files, normally used for truststore purposes, to
``/etc/ssl/certs/``.
* Installs ``ferm`` (for iptables management), configuring a basic firewall
which allows ICMP echo requests (PING), incoming connection on TCP port 22
(SSH), and also introduces rate-limitting for incoming ICMP echo request
pacakges and (new) TCP connections. The rate-limitting is based on the source
IP address, using the ``iptables hashlimit`` module.


Parameters
~~~~~~~~~~

**apt_proxy** (string, optional)
URI of a caching proxy that should be used when retrieving the packages via
apt. Default is no proxy.

**os_users** (list, optional)
A list of operating system users that should be set-up on a server. Each item
is a dictionary with the following options describing the user parameters:

**name** (string, mandatory)
Name of the operating system user that should be created. User's default
group will have the same name as the user.

**uid** (number, mandatory)
UID for the operating system user. User's default group will have a GID
identical to the user's UID.
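Review bot: the SSH-hardening bullet should state how key-based access for the created users is put in place before the role disables password-based authentication; the bootstrap invocation above authenticates with ``--ask-pass``, and the ``os_users`` options visible in this hunk (``name``, ``uid``) say nothing about SSH keys, so a reader cannot tell from this section whether the first run of the role can lock them out. Two smaller points: the ``/etc/ssl/private/`` bullet makes the directory traversable for every local user, so it should say that the key files themselves must not be world-readable, since the file mode is the only protection left and "provided they know the exact path" is not a barrier; and the ferm bullet has the typos ``rate-limitting`` (twice) and ``pacakges``, while ``Sets-up`` in the umask bullet should read ``Sets up``.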