@@ -152,119 +152,124 @@ The role implements the following:
* Configures sudo to allow operating system user ``ansible`` to run sudo
commands without password authentication.
* Removes the Ansible user's key from the list of authorized keys for user root
at the end of bootstrap process. This key was necessary only for the bootstrap
process.


Parameters
~~~~~~~~~~

**ansible_key** (string, mandatory)
SSH public key that should be deployed to authorized_keys truststore for
operating system user ``ansible``.


Examples
~~~~~~~~

Since the role is meant to be used just after the server has been installed, and
using the ``root`` account, it is probably going to be invoked from a separate
playbook.

For example, a playbook (``bootstrap.yml``) could look something similar to:

.. code-block:: yaml

---

- hosts: "{{ server }}"
remote_user: root
roles:
- bootstrap
vars:
ansible_key: "{{ lookup('file', 'authorized_keys/ansible.pub') }}"

With such a playbook in place, it would be invoked with:

ansible-playbook --ask-pass -e server=test1.example.com bootstrap.yml


Common
------

The ``common`` role can be used for applying a common configuration and
hardening across all servers, no matter what services they provide.

The role implements the following:

* Configures apt to use caching proxy (if any was specified).
* Sets-up umask for all logins to ``0027``.
* Installs sudo.
* Installs additional base packages, as configured.
* Creates additional operating system groups, as configured.
* Creates additional operating system users, as configured.
* Hardens the SSH server by disabling remote ``root`` logins and password-based
authentication.
* Allows traversing of directory ``/etc/ssl/private/`` to everyone. This lets
you put TLS private keys in central location where any operating system user
can reach them provided they have appropriate read/write rights on the file
itself, and provided they know the exact path of the file.
* Deploys CA certificate files, normally used for truststore purposes, to
``/etc/ssl/certs/``.
* Installs ``ferm`` (for iptables management), configuring a basic firewall
which allows ICMP echo requests (PING), incoming connection on TCP port 22
(SSH), and also introduces rate-limitting for incoming ICMP echo request
pacakges and (new) TCP connections. The rate-limitting is based on the source
IP address, using the ``iptables hashlimit`` module.


Parameters
~~~~~~~~~~

**apt_proxy** (string, optional)
URI of a caching proxy that should be used when retrieving the packages via
apt. Default is no proxy.

**os_users** (list, optional)
A list of operating system users that should be set-up on a server. Each item
is a dictionary with the following options describing the user parameters:

**name** (string, mandatory)
Name of the operating system user that should be created. User's default
group will have the same name as the user.

**uid** (number, mandatory)
UID for the operating system user. User's default group will have a GID
identical to the user's UID.

**additional_groups** (string, mandatory)
Comma-separated list of additional groups that a user should belong to. If
no additional groups should be appended to user's list of groups, set it to
empty string (``""``).

**authorized_keys** (list, mandatory)
List of SSH public keys that should be deployed to user's authorized_keys
truststore. If no authorized keys should be deployed, set it to empty list
(``[]``).

**password** (string, mandatory)
Encrypted password that should be set for the user.

**os_groups** (list, optional)
A list of operating system groups that should be set-up on a server. Each item
is a dictionary with the following options describing the group parameters:

**name** (string, mandatory)
Name of the operating system group that should be created.

**gid** (number, mandatory)
GID for the operating system group.

**common_packages** (list, optional)
List of additional operating system packages that should be installed on the
server. Each element of the list should be a simple string denoting the name
of the package.

**ca_certificates** (list, optional)
List of additional CA certificate files that should be deployed on the
server. Each element of the list should be a filepath to a CA certificate file
on originating (Ansible) host that should be copied to destination
server.

**incoming_connection_limit** (string, mandatory)
Rate at which the incoming ICMP echo-request packages and new TCP connections
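Review bot: the ``**password**`` entry under ``os_users`` says only "Encrypted password that should be set for the user." and leaves the expected format open; state which hash format the role accepts and make explicit that a plaintext value must not be supplied here, otherwise a reader may end up committing a cleartext secret to the playbook or inventory. Two smaller points in the same hunk: the ``/etc/ssl/private/`` bullet should remind the reader that once the directory is traversable by everyone, the mode and ownership of each key file are the only protection left, so keys deployed there need restrictive permissions set deliberately; and ``**incoming_connection_limit**`` is the only mandatory parameter of an otherwise fully optional role that describes its firewall as a "basic" default, so consider giving it a default value. Spelling in the ``common`` bullet list: "rate-limitting" (twice) should be "rate-limiting", "pacakges" should be "packages", and "Sets-up" / "set-up" (as verbs) should be "Sets up" / "set up".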