Files @ 626eadba53b7
Branch filter:

Location: majic-ansible-roles/docs/rolereference.rst

626eadba53b7 6.5 KiB text/prs.fallenstein.rst Show Annotation Show as Raw Download as Raw
branko
MAR-2: Added the 'common' role for some basic server set-up.
  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
Role Reference
==============


Preseed
-------

The ``preseed`` role can be used for generating simple preseed files for Debian
Wheezy installations.

The generated preseed files allow simplified installation, with a single root
partition. A number of common parameters can be provided.


Parameters
~~~~~~~~~~

**preseed_directory** (mandatory)
    Destination directory where the preseed files should be stored.

**preseed_servers** (mandatory)
  List of servers for which a preseed file should be created. Each item in
  this list defines options for a single server. The options are as follows:

  **name** (string, mandatory)
    Name associated with the server. This name is used in the preseed
    configuration filename.

  **language** (string, mandatory)
    Language.

  **country** (string, mandatory)
    Country.

  **locale** (string, mandatory)
    Locale.

  **keymap** (string, mandatory)
    Keymap.

  **network_interface** (string, mandatory)
    Name of network interface (for example *eth0*) that should be
    configured.

  **network_auto** (boolean, mandatory)
    Specifies whether the network configuration should be automatic (using
    DHCP) or manual. If manual configuration is selected a number of
    additional options needs to be specified.

  **network_ip** (string, mandatory if **network_auto** if *False*)
    IP address for the server network interface.

  **network_netmask** (string, mandatory if **network_auto** if *False*)
    Netmask for the server network interface.

  **network_gateway** (string, mandatory if **network_auto** if *False*)
    Default gateway for the server.

  **network_dns** (string, mandatory if **network_auto** if *False*)
    Comma-separated list of DNS servers.

  **network_hostname** (string, mandatory if **network_auto** if *False*)
    Server hostname.

  **network_domain** (string, mandatory if **network_auto** if *False*)
    Server domain.

  **mirror_hostname** (string, mandatory)
    Resolvable hostname of FQDN where the Debian apt repositories can be
    found. Only HTTP mirrors are supported.

  **mirror_directory** (string, mandatory)
    Directory under which the Debian apt repositories can be found on the
    specified mirror.

  **mirror_proxy** (string, optional, default is *None*)
    An HTTP proxy that should be used for accessing the Debian apt
    repositories.

  **root_password** (string, mandatory)
    Initial password that should be set for the server during the
    installation.

  **timezone** (string, mandatory)
    Timezone that should be used when calculating server time. It is assumed
    that the local hardware clock is set to UTC.


Examples
~~~~~~~~

Here is an example configuration for a preseed file for two servers, one with
automatic and one with manual network configuration:

.. code-block:: yaml

  ---

  preseed_directory: /var/www/preseed/

  preseed_servers:
    - name: test1.example.com
      language: en
      country: SE
      locale: en_US.UTF-8
      keymap: us
      network_interface: eth0
      network_auto: yes
      mirror_hostname: ftp.se.debian.org
      mirror_directory: /debian
      mirror_proxy: http://proxy.example.com/
      root_password: testserver
      timezone: Europe/Stockholm
    - name: test2.example.com
      language: en
      country: SE
      locale: en_US.UTF-8
      keymap: us
      network_interface: eth0
      network_auto: no
      network_ip: 10.0.0.10
      network_netmask: 255.255.255.0
      network_gateway: 10.0.0.1
      network_dns: 10.0.0.2,10.0.0.3
      network_hostname: test1
      network_domain: example.com
      mirror_hostname: ftp.se.debian.org
      mirror_proxy: http://proxy.example.com/
      mirror_directory: /debian
      root_password: testserver
      timezone: Europe/Stockholm


Common
------

The ``common`` role can be used for applying a common configuration and
hardening across all servers, no matter what services they provide.

The role implements the following:

* Sets-up umask for all logins to ``0027``.
* Installs sudo.
* Installs additional base packages, as configured.
* Creates additional operating system groups, as configured.
* Creates additional operating system users, as configured.
* Hardens the SSH server by disabling remote ``root`` logins and password-based
  authentication.


Parameters
~~~~~~~~~~

**os_users** (list, optional)
  A list of operating system users that should be set-up on a server. Each item
  is a dictionary with the following options describing the user parameters:

  **name** (string, mandatory)
    Name of the operating system user that should be created. User's default
    group will have the same name as the user.

  **uid** (number, mandatory)
    UID for the operating system user. User's default group will have a GID
    identical to the user's UID.

  **additional_groups** (string, mandatory)
    Comma-separated list of additional groups that a user should belong to. If
    no additional groups should be appended to user's list of groups, set it to
    empty string.

  **authorized_keys** (list, mandatory)
    List of SSH public keys that should be deployed to user's authorized_keys
    truststore. If no authorized keys should be deployed, set it to empty list
    (``[]``).

  **password** (string, mandatory)
    Encrypted password that should be set for the user.

**os_groups** (list, optional)
  A list of operating system groups that should be set-up on a server. Each item
  is a dictionary with the following options describing the group parameters:

  **name** (string, mandatory)
    Name of the operating system group that should be created.

  **gid** (number, mandatory)
    GID for the operating system group.

**common_packages** (list, optional)
  List of additional operating system packages that should be installed on the
  server. Each element of the list should be a simple string denoting the name
  of the package.


Examples
~~~~~~~~

Here is an example configuration for setting-up some common users, groups, and
packages on all servers:

.. code-block:: yaml

  ---

  os_users:
    - name: admin
      uid: 1000
      additional_groups: sudo
      authorized_keys:
        - "{{ lookup('file', '/home/admin/.ssh/id_rsa.pub') }}"
      password: '$6$AaJRWtqyX5pk$IP8DUjgY0y2zqMom9BAc.O9qHoQWLFCmEsPRCika6l/Xh87cp2SnlMywH0.r4uEcbHnoicQG46V9VrJ8fxp2d.'
    - name: john
      uid: 1001
      additional_groups: ""
      authorized_keys: []
      password: '$6$AaJRWtqyX5pk$IP8DUjgY0y2zqMom9BAc.O9qHoQWLFCmEsPRCika6l/Xh87cp2SnlMywH0.r4uEcbHnoicQG46V9VrJ8fxp2d.'

  os_groups:
    - name: localusers
      gid: 2500

  common_packages:
    - emacs23-nox
    - screen
    - debconf-utils
This site is powered by Kallithea 0.7.0, which is © 2010–2023 by various authors & licensed under GPLv3.