diff --git a/server/files/apticron.conf b/apticron/files/apticron.conf
similarity index 100%
rename from server/files/apticron.conf
rename to apticron/files/apticron.conf
diff --git a/server/tasks/apticron.yml b/apticron/tasks/apticron.yml
similarity index 100%
rename from server/tasks/apticron.yml
rename to apticron/tasks/apticron.yml
diff --git a/server/tasks/main.yml b/apticron/tasks/main.yml
similarity index 100%
rename from server/tasks/main.yml
rename to apticron/tasks/main.yml
diff --git a/common/files/fsmpi/issue.net b/branding/files/fsmpi/issue.net
similarity index 100%
rename from common/files/fsmpi/issue.net
rename to branding/files/fsmpi/issue.net
diff --git a/common/files/fsmpi/motd b/branding/files/fsmpi/motd
similarity index 100%
rename from common/files/fsmpi/motd
rename to branding/files/fsmpi/motd
diff --git a/common/files/root/gitconfig b/branding/files/gitconfig
similarity index 100%
rename from common/files/root/gitconfig
rename to branding/files/gitconfig
diff --git a/common/tasks/shell.yml b/branding/tasks/shell.yml
similarity index 100%
rename from common/tasks/shell.yml
rename to branding/tasks/shell.yml
diff --git a/common/defaults/main.yml b/common/defaults/main.yml
deleted file mode 100644
index afa7d3a0edd3f4ffc049f3a3fe3a7a4d498d95ec..0000000000000000000000000000000000000000
--- a/common/defaults/main.yml
+++ /dev/null
@@ -1,11 +0,0 @@
----
-# file: roles/common/defaults/main.yml
-
-apt_use_updates: yes
-apt_use_backports: yes
-ssh_authorized_keys: "{{ inventory_dir }}/files/keys"
-ssh_mkhomedir: yes
-ssh_strong_crypto: yes
-ssh_gssapi: yes
-ssh_sftp_options: ""
-ssh_allow_groups: []
diff --git a/common/files/locale b/common/files/locale
deleted file mode 100644
index 01ec548f82205efd53e4fc1be27aef47ddaee9cc..0000000000000000000000000000000000000000
--- a/common/files/locale
+++ /dev/null
@@ -1 +0,0 @@
-LANG=en_US.UTF-8
diff --git a/common/files/logrotate.conf b/common/files/logrotate.conf
deleted file mode 100644
index 0e3ac370bca9f495559b9285b99a84083e8a9007..0000000000000000000000000000000000000000
--- a/common/files/logrotate.conf
+++ /dev/null
@@ -1,33 +0,0 @@
-# see "man logrotate" for details
-# rotate log files daily
-daily
-
-# keep 7 days worth of backlogs
-rotate 7
-
-# create new (empty) log files after rotating old ones
-create
-
-# uncomment this if you want your log files compressed
-compress
-delaycompress
-
-# packages drop log rotation information into this directory
-include /etc/logrotate.d
-
-# no packages own wtmp, or btmp -- we'll rotate them here
-/var/log/wtmp {
- missingok
- monthly
- create 0664 root utmp
- rotate 1
-}
-
-/var/log/btmp {
- missingok
- monthly
- create 0660 root utmp
- rotate 1
-}
-
-# system-specific logs may be configured here
diff --git a/common/files/molly-guard b/common/files/molly-guard
deleted file mode 100644
index f3310582ddb81a7cde08da73beb3d8bce8e678d7..0000000000000000000000000000000000000000
--- a/common/files/molly-guard
+++ /dev/null
@@ -1,6 +0,0 @@
-# molly-guard settings
-#
-# ALWAYS_QUERY_HOSTNAME
-# when set, causes the 30-query-hostname script to always ask for the
-# hostname, even if no SSH session was detected.
-ALWAYS_QUERY_HOSTNAME=true
diff --git a/common/files/pam/mkhomedir b/common/files/pam/mkhomedir
deleted file mode 100644
index be7b76507a21d177d25c631c12a542cbc41b9ac0..0000000000000000000000000000000000000000
--- a/common/files/pam/mkhomedir
+++ /dev/null
@@ -1,6 +0,0 @@
-Name: Create home directory during login
-Default: yes
-Priority: 900
-Session-Type: Additional
-Session:
- required pam_mkhomedir.so umask=0077 skel=/etc/skel
diff --git a/common/files/pam/sshd b/common/files/pam/sshd
deleted file mode 100644
index d70b384bd9a388f3e04f25c47316dbf6677e02d5..0000000000000000000000000000000000000000
--- a/common/files/pam/sshd
+++ /dev/null
@@ -1,55 +0,0 @@
-# PAM configuration for the Secure Shell service
-
-# Standard Un*x authentication.
-@include common-auth
-
-# Disallow non-root logins when /etc/nologin exists.
-account required pam_nologin.so
-
-# Uncomment and edit /etc/security/access.conf if you need to set complex
-# access limits that are hard to express in sshd_config.
-# account required pam_access.so
-
-# Standard Un*x authorization.
-@include common-account
-
-# SELinux needs to be the first session rule. This ensures that any
-# lingering context has been cleared. Without this it is possible that a
-# module could execute code in the wrong domain.
-session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
-
-# Set the loginuid process attribute.
-session required pam_loginuid.so
-
-# Create a new session keyring.
-session optional pam_keyinit.so force revoke
-
-# Standard Un*x session setup and teardown.
-@include common-session
-
-# Print the message of the day upon successful login.
-# This includes a dynamically generated part from /run/motd.dynamic
-# and a static (admin-editable) part from /etc/motd.
-session optional pam_motd.so motd=/run/motd.dynamic
-session optional pam_motd.so noupdate
-
-# Print the status of the user's mailbox upon successful login.
-session optional pam_mail.so standard noenv # [1]
-
-# Set up user limits from /etc/security/limits.conf.
-session required pam_limits.so
-
-# Read environment variables from /etc/environment and
-# /etc/security/pam_env.conf.
-session required pam_env.so # [1]
-# In Debian 4.0 (etch), locale-related environment variables were moved to
-# /etc/default/locale, so read that as well.
-session required pam_env.so user_readenv=1 envfile=/etc/default/locale
-
-# SELinux needs to intervene at login time to ensure that the process starts
-# in the proper default security context. Only sessions which are intended
-# to run in the user's context should be run after this.
-session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
-
-# Standard Un*x password updating.
-@include common-password
diff --git a/common/files/root/bashrc b/common/files/root/bashrc
deleted file mode 100644
index df6453adbf8de9de0cb8a47928ca32160d8fb950..0000000000000000000000000000000000000000
--- a/common/files/root/bashrc
+++ /dev/null
@@ -1,175 +0,0 @@
-
-bash_prompt() {
- case $TERM in
- xterm*|rxvt*)
- local TITLEBAR='\[\033]0;\u:${NEW_PWD}\007\]'
- ;;
- *)
- local TITLEBAR=""
- ;;
- esac
- local NONE="\[\033[0m\]" # unsets color to term's fg color
-
- # regular colors
- local K="\[\033[0;30m\]" # black
- local R="\[\033[0;31m\]" # red
- local G="\[\033[0;32m\]" # green
- local Y="\[\033[0;33m\]" # yellow
- local B="\[\033[0;34m\]" # blue
- local M="\[\033[0;35m\]" # magenta
- local C="\[\033[0;36m\]" # cyan
- local W="\[\033[0;37m\]" # white
-
- # emphasized (bolded) colors
- local EMK="\[\033[1;30m\]"
- local EMR="\[\033[1;31m\]"
- local EMG="\[\033[1;32m\]"
- local EMY="\[\033[1;33m\]"
- local EMB="\[\033[1;34m\]"
- local EMM="\[\033[1;35m\]"
- local EMC="\[\033[1;36m\]"
- local EMW="\[\033[1;37m\]"
-
- # background colors
- local BGK="\[\033[40m\]"
- local BGR="\[\033[41m\]"
- local BGG="\[\033[42m\]"
- local BGY="\[\033[43m\]"
- local BGB="\[\033[44m\]"
- local BGM="\[\033[45m\]"
- local BGC="\[\033[46m\]"
- local BGW="\[\033[47m\]"
-
- local UC=$G # user's color
- [ $UID -eq "0" ] && UC=$R # root's color
-
- PS1="$TITLEBAR ${EMW}\t [${UC}\u ${EMK}@ ${C}\h${EMW}] ${EMC}\w ${UC}\\$ ${NONE}"
- # without colors: PS1="[\u@\h \${NEW_PWD}]\\$ "
- # extra backslash in front of \$ to make bash colorize the prompt
-}
-
-#append_root() {
-# export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$1/lib
-# export PATH=$PATH:$1/bin
-# export PKG_CONFIG_PATH=$PKG_CONFIG_PATH:$1/lib/pkgconfig
-# for D in $1/lib/python*/site-packages; do
-# export PYTHONPATH=$PYTHONPATH:$D
-# done
-#}
-
-prepend_root() {
- echo "** prepend $1"
- export LD_LIBRARY_PATH="$1/lib:$LD_LIBRARY_PATH"
- export PATH="$1/bin:$PATH"
- export PKG_CONFIG_PATH="$1/lib/pkgconfig:$PKG_CONFIG_PATH"
- for D in $1/lib/python*/site-packages; do
- export PYTHONPATH="$D:$PYTHONPATH"
- done
-}
-
-append_element() {
- local IFS=":"
- for item in $1; do
- if ! [[ $item == $2* ]]; then
- echo -n "$item:"
- fi
- done
- echo $2
-}
-
-prepend_element() {
- local IFS=":"
- echo $2
- for item in $1; do
- if ! [[ $item == $2* ]]; then
- echo -n ":$item"
- fi
- done
-}
-
-remove_element() {
- local IFS=":"
- for item in $1; do
- if ! [[ $item == $2* ]]; then
- echo -n ":$item"
- fi
- done
-}
-
-list_path() {
- local IFS=":"
- for item in $1; do
- echo $item
- done
-}
-
-append_root() {
- export LD_LIBRARY_PATH=$(append_element $LD_LIBRARY_PATH $1/lib)
- export PATH=$(append_element $PATH $1/bin)
- export PKG_CONFIG_PATH=$(append_element $PKG_CONFIG_PATH $1/lib/pkgconfig)
- for D in $1/lib/python*/site-packages; do
- export PYTHONPATH=$(append_element $PYTHONPATH $D)
- done
-}
-
-
-remove_root() {
- PATH=$(remove_element $PATH $1)
- LD_LIBRARY_PATH=$(remove_element $LD_LIBRARY_PATH $1)
- PKG_CONFIG_PATH=$(remove_element $PKG_CONFIG_PATH $1)
- PYTHONPATH=$(remove_element $PYTHONPATH $1)
-}
-
-# Check for an interactive session
-[ -z "$PS1" ] && return
-
-if [ "$PS1" ]; then
- shopt -s checkwinsize
- shopt -s cdspell
-
- # don't put duplicate lines in the history. See bash(1) for more options
- # don't overwrite GNU Midnight Commander's setting of `ignorespace'.
- HISTCONTROL=$HISTCONTROL${HISTCONTROL+,}ignoredups
- # ... or force ignoredups and ignorespace
- HISTCONTROL=ignoreboth
-
- # append to the history file, don't overwrite it
- shopt -s histappend
-
- alias ls='ls -h --color=auto'
- alias l='ls -lh --color=auto'
- alias ll='ls -Alh --color=auto'
- alias ssh='ssh -A -X'
- alias make='make -j 4'
- alias ne='TERM=xterm ne'
- alias ..='cd ..'
- bash_prompt
-
- export EDITOR=/usr/bin/vim
-
- set bell-style none
-
- # enhanced bash completition
- if [ -f /etc/bash_completion ]; then
- . /etc/bash_completion
- fi
- if [ -f ~/.bash_completion ]; then
- . ~/.bash_completion
- fi
-
-# if [ -z "$SSH_AUTH_SOCK" ] && [ "${SSH_AUTH_SOCK}xxx" = "xxx" ]; then
-# SSH_ENV="$HOME/.ssh/environment"
-# echo "Starting KeyChain"
-# # Source SSH settings, if applicable
-# keychain --nogui --eval id_rsa
-# . ~/.keychain/$HOSTNAME-sh &> /dev/null
-# . ~/.keychain/$HOSTNAME-sh-gpg &> /dev/null
-# fi
-
- #prepend_root $HOME/.local
-
- if [ -f $HOME/.bashrc.local ]
- then
- source $HOME/.bashrc.local
- fi
-fi
diff --git a/common/files/root/vimrc b/common/files/root/vimrc
deleted file mode 100644
index b9ce89d2f030277c6534c6a1b94d60e7b291aea6..0000000000000000000000000000000000000000
--- a/common/files/root/vimrc
+++ /dev/null
@@ -1,52 +0,0 @@
-filetype plugin indent on
-syntax enable
-let g:tex_flavor = "latex"
-let g:ansible_options = {'ignore_blank_lines': 0}
-
-set noexrc
-set nocompatible
-
-set ruler
-set showmode
-set number
-set showcmd
-set showmatch
-set wrap
-
-set tabstop=8
-set shiftwidth=8
-set softtabstop=8
-set noexpandtab
-set smarttab
-"set autoindent
-set copyindent
-
-set wrapscan
-set hlsearch
-set incsearch
-set ignorecase
-set smartcase
-
-set notitle
-set undolevels=1000
-set history=1000
-set noerrorbells
-set novisualbell
-set background=dark
-"set spell
-set nobackup
-"set viminfo=$HOME/.cache/viminfo
-
-":nmap <Space> i_<Esc>r
-:nmap <F1> :echo<CR>
-:imap <F1> <C-o>:echo<CR>
-
-cmap w!! w !sudo tee % >/dev/null
-
-au BufRead /tmp/mutt-* set textwidth=72
-map <F6> : !hunspell %<CR>: e %<CR>
-
-"set textwidth=79
-set backspace=2
-set wrapmargin=0
-set formatoptions=c,q,r,t
diff --git a/common/files/rwth_chain_sha2.pem b/common/files/rwth_chain_sha2.pem
deleted file mode 100644
index 6c7fa44d2868424a006cb9b91840bbeebb3362ec..0000000000000000000000000000000000000000
--- a/common/files/rwth_chain_sha2.pem
+++ /dev/null
@@ -1,84 +0,0 @@
-SHA-2 chain, PCA Jul 14
-subject= /C=DE/O=RWTH Aachen/CN=RWTH Aachen CA/emailAddress=ca@rwth-aachen.de
------BEGIN CERTIFICATE-----
-MIIFOTCCBCGgAwIBAgIHF5Bg4cwAkzANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQG
-EwJERTETMBEGA1UEChMKREZOLVZlcmVpbjEQMA4GA1UECxMHREZOLVBLSTEkMCIG
-A1UEAxMbREZOLVZlcmVpbiBQQ0EgR2xvYmFsIC0gRzAxMB4XDTE0MDUxMjE1MDU1
-M1oXDTE5MDcwOTIzNTkwMFowXjELMAkGA1UEBhMCREUxFDASBgNVBAoTC1JXVEgg
-QWFjaGVuMRcwFQYDVQQDEw5SV1RIIEFhY2hlbiBDQTEgMB4GCSqGSIb3DQEJARYR
-Y2FAcnd0aC1hYWNoZW4uZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
-AQC4MAhk48jcelLfNUI5kvMv+CF54xJnL4x/cJQnN2NId6CJ3fqs0siO2exIACfz
-djxOUpQ6ZFOn5pdTvTi7stnk8WAaP/d9LFd8k9Gbxjh7xh3L+0a3ac+/tHJcX564
-ntUxGtVGMuShEoUaZUT5fw97TL36UJ8OqXLrqpdAKcFKaJ+pgRp2gTLj4MNUMPjA
-4GlstpjoLnT++qFm7t/ZS92/E3OqNJUwHH6C35vSroVscmg+a7XxT6U4JO99MYxN
-cTIMzhPS9Ytp+302w7i51daBjr0hFGPK0nLSV6gv77zBSFJ7AVGJJxBSUzDn0xkD
-LYvZwqaeYkj8kDB2oSeRyfGjAgMBAAGjggH+MIIB+jASBgNVHRMBAf8ECDAGAQH/
-AgEBMA4GA1UdDwEB/wQEAwIBBjARBgNVHSAECjAIMAYGBFUdIAAwHQYDVR0OBBYE
-FG7VPsAcL3HJPL9JTu9qVUjs0fI4MB8GA1UdIwQYMBaAFEm3xs/oPR9/6kR7Eyn3
-8QpwPt5kMBwGA1UdEQQVMBOBEWNhQHJ3dGgtYWFjaGVuLmRlMIGIBgNVHR8EgYAw
-fjA9oDugOYY3aHR0cDovL2NkcDEucGNhLmRmbi5kZS9nbG9iYWwtcm9vdC1jYS9w
-dWIvY3JsL2NhY3JsLmNybDA9oDugOYY3aHR0cDovL2NkcDIucGNhLmRmbi5kZS9n
-bG9iYWwtcm9vdC1jYS9wdWIvY3JsL2NhY3JsLmNybDCB1wYIKwYBBQUHAQEEgcow
-gccwMwYIKwYBBQUHMAGGJ2h0dHA6Ly9vY3NwLnBjYS5kZm4uZGUvT0NTUC1TZXJ2
-ZXIvT0NTUDBHBggrBgEFBQcwAoY7aHR0cDovL2NkcDEucGNhLmRmbi5kZS9nbG9i
-YWwtcm9vdC1jYS9wdWIvY2FjZXJ0L2NhY2VydC5jcnQwRwYIKwYBBQUHMAKGO2h0
-dHA6Ly9jZHAyLnBjYS5kZm4uZGUvZ2xvYmFsLXJvb3QtY2EvcHViL2NhY2VydC9j
-YWNlcnQuY3J0MA0GCSqGSIb3DQEBCwUAA4IBAQBu4RMsIIzIOBrkrz5loQOmoZuH
-ekB7LGlYBiou7YTqjWOaAxUGL5xf2L9qo2QnxeFhWUnDIHsgTHtoJQmAgM/e/gwT
-v0u/x3zWAsgOGPPXKuLrJRrLIcwoWT9V9VzqZfbzga9s0Uo2s7wVxGnSexKAmzGG
-dIsYP7BBQWkAr6bFWLQmD2R8Cr5OTOHNBS//w2ZuWsvetM7HAOH4ECTYZtG4ZXP2
-u0jclErqjePssIkh09lb3ESeIZ+8avIqAXz0QVTNti3HYAPandLyq7PhR/PaWajJ
-Z6Hq30iq2w32zhFAghqTjJMPJCgU78MehKS5QdVCFfIr4xJA+O7sr1kh3eYu
------END CERTIFICATE-----
-subject= /C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA Global - G01
------BEGIN CERTIFICATE-----
-MIIE1TCCA72gAwIBAgIIUE7G9T0RtGQwDQYJKoZIhvcNAQELBQAwcTELMAkGA1UE
-BhMCREUxHDAaBgNVBAoTE0RldXRzY2hlIFRlbGVrb20gQUcxHzAdBgNVBAsTFlQt
-VGVsZVNlYyBUcnVzdCBDZW50ZXIxIzAhBgNVBAMTGkRldXRzY2hlIFRlbGVrb20g
-Um9vdCBDQSAyMB4XDTE0MDcyMjEyMDgyNloXDTE5MDcwOTIzNTkwMFowWjELMAkG
-A1UEBhMCREUxEzARBgNVBAoTCkRGTi1WZXJlaW4xEDAOBgNVBAsTB0RGTi1QS0kx
-JDAiBgNVBAMTG0RGTi1WZXJlaW4gUENBIEdsb2JhbCAtIEcwMTCCASIwDQYJKoZI
-hvcNAQEBBQADggEPADCCAQoCggEBAOmbw2eF+Q2u9Y1Uw5ZQNT1i6W5M7ZTXAFuV
-InTUIOs0j9bswDEEC5mB4qYU0lKgKCOEi3SJBF5b4OJ4wXjLFssoNTl7LZBF0O2g
-AHp8v0oOGwDDhulcKzERewzzgiRDjBw4i2poAJru3E94q9LGE5t2re7eJujvAa90
-D8EJovZrzr3TzRQwT/Xl46TIYpuCGgMnMA0CZWBN7dEJIyqWNVgn03bGcbaQHcTt
-/zWGfW8zs9sPxRHCioOhlF1Ba9jSEPVM/cpRrNm975KDu9rrixZWVkPP4dUTPaYf
-JzDNSVTbyRM0mnF1xWzqpwuY+SGdJ68+ozk5SGqMrcmZ+8MS8r0CAwEAAaOCAYYw
-ggGCMA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUSbfGz+g9H3/qRHsTKffxCnA+
-3mQwHwYDVR0jBBgwFoAUMcN5G7r1U9cX4Il6LRdsCrMrnTMwEgYDVR0TAQH/BAgw
-BgEB/wIBAjBiBgNVHSAEWzBZMBEGDysGAQQBga0hgiwBAQQCAjARBg8rBgEEAYGt
-IYIsAQEEAwAwEQYPKwYBBAGBrSGCLAEBBAMBMA8GDSsGAQQBga0hgiwBAQQwDQYL
-KwYBBAGBrSGCLB4wPgYDVR0fBDcwNTAzoDGgL4YtaHR0cDovL3BraTAzMzYudGVs
-ZXNlYy5kZS9ybC9EVF9ST09UX0NBXzIuY3JsMHgGCCsGAQUFBwEBBGwwajAsBggr
-BgEFBQcwAYYgaHR0cDovL29jc3AwMzM2LnRlbGVzZWMuZGUvb2NzcHIwOgYIKwYB
-BQUHMAKGLmh0dHA6Ly9wa2kwMzM2LnRlbGVzZWMuZGUvY3J0L0RUX1JPT1RfQ0Ff
-Mi5jZXIwDQYJKoZIhvcNAQELBQADggEBAGMgKP2cIYZyvjlGWTkyJbypAZsNzMp9
-QZyGbQpuLLMTWXWxM5IbYScW/8Oy1TWC+4QqAUm9ZrtmL7LCBl1uP27jAVpbykNj
-XJW24TGnH9UHX03mZYJOMvnDfHpLzU1cdO4h8nUC7FI+0slq05AjbklnNb5/TVak
-7Mwvz7ehl6hyPsm8QNZapAg91ryCw7e3Mo6xLI5qbbc1AhnP9TlEWGOnJAAQsLv8
-Tq9uLzi7pVdJP9huUG8sl5bcHUaaZYnPrszy5dmfU7M+oS+SqdgLxoQfBMbrHuif
-fbV7pQLxJMUkYxE0zFqTICp5iDolQpCpZTt8htMSFSMp/CzazDlbVBc=
------END CERTIFICATE-----
-subject= /C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2
------BEGIN CERTIFICATE-----
-MIIDnzCCAoegAwIBAgIBJjANBgkqhkiG9w0BAQUFADBxMQswCQYDVQQGEwJERTEc
-MBoGA1UEChMTRGV1dHNjaGUgVGVsZWtvbSBBRzEfMB0GA1UECxMWVC1UZWxlU2Vj
-IFRydXN0IENlbnRlcjEjMCEGA1UEAxMaRGV1dHNjaGUgVGVsZWtvbSBSb290IENB
-IDIwHhcNOTkwNzA5MTIxMTAwWhcNMTkwNzA5MjM1OTAwWjBxMQswCQYDVQQGEwJE
-RTEcMBoGA1UEChMTRGV1dHNjaGUgVGVsZWtvbSBBRzEfMB0GA1UECxMWVC1UZWxl
-U2VjIFRydXN0IENlbnRlcjEjMCEGA1UEAxMaRGV1dHNjaGUgVGVsZWtvbSBSb290
-IENBIDIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCrC6M14IspFLEU
-ha88EOQ5bzVdSq7d6mGNlUn0b2SjGmBmpKlAIoTZ1KXleJMOaAGtuU1cOs7TuKhC
-QN/Po7qCWWqSG6wcmtoIKyUn+WkjR/Hg6yx6m/UTAtB+NHzCnjwAWav12gz1Mjwr
-rFDa1sPeg5TKqAyZMg4ISFZbavva4VhYAUlfckE8FQYBjl2tqriTtM2e66foai1S
-NNs671x1Udrb8zH57nGYMsRUFUQM+ZtV7a3fGAigo4aKSe5TBY8ZTNXeWHmb0moc
-QqvF1afPaA+W5OFhmHZhyJF81j4A4pFQh+GdCuatl9Idxjp9y7zaAzTVjlsB9WoH
-txa2bkp/AgMBAAGjQjBAMB0GA1UdDgQWBBQxw3kbuvVT1xfgiXotF2wKsyudMzAP
-BgNVHRMECDAGAQH/AgEFMA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQUFAAOC
-AQEAlGRZrTlk5ynrE/5aw4sTV8gEJPB0d8Bg42f76Ymmg7+Wgnxu1MM9756Abrsp
-tJh6sTtU6zkXR34ajgv8HzFZMQSyzhfzLMdiNlXiItiJVbSYSKpk+tYcNthEeFpa
-IzpXl/V6ME+un2pMSyuOoAPjPuCp1NJ70rOo4nI8rZ7/gFnkm0W09juwzTkZmDLl
-6iFhkOQxIY40sfcvNUqFENrnijchvllj4PKFiDFT1FQUhXB59C4Gdyd1Lx+4ivn+
-xbrYNuSD7Odlt79jWvNGr4GUN9RBjNYj1h7P9WgbRGOiWrqnNVmh5XAFmw4jV5mU
-Cm26OWMohpLzGITY+9HPBVZkVw==
------END CERTIFICATE-----
diff --git a/common/files/sudo/default b/common/files/sudo/default
deleted file mode 100644
index e96668f1980da358365d11e07c43dafd98474c2e..0000000000000000000000000000000000000000
--- a/common/files/sudo/default
+++ /dev/null
@@ -1,27 +0,0 @@
-#
-# This file MUST be edited with the 'visudo' command as root.
-#
-# Please consider adding local content in /etc/sudoers.d/ instead of
-# directly modifying this file.
-#
-# See the man page for details on how to write a sudoers file.
-#
-Defaults env_reset
-Defaults mail_badpass
-Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
-
-# Host alias specification
-
-# User alias specification
-
-# Cmnd alias specification
-
-# User privilege specification
-root ALL=(ALL:ALL) ALL
-
-# Allow members of group sudo to execute any command
-%admin ALL=(ALL:ALL) ALL
-
-# See sudoers(5) for more information on "#include" directives:
-
-#includedir /etc/sudoers.d
diff --git a/common/files/timezone b/common/files/timezone
deleted file mode 100644
index 94d5accc464988d1b1ddbaac5277ba48459f464a..0000000000000000000000000000000000000000
--- a/common/files/timezone
+++ /dev/null
@@ -1 +0,0 @@
-Europe/Berlin
diff --git a/common/handlers/main.yml b/common/handlers/main.yml
deleted file mode 100644
index eaae134a11216d5b19f6d30c0ef653b74025b8ee..0000000000000000000000000000000000000000
--- a/common/handlers/main.yml
+++ /dev/null
@@ -1,26 +0,0 @@
----
-# file: roles/common/handlers/main.yml
-
-- name: restart ntpd
- service: name=ntp state=restarted
-
-- name: restart sshd
- service: name=ssh state=restarted
-
-- name: restart lldpd
- service: name=lldpd state=restarted
-
-- name: restart rsyslogd
- service: name=rsyslog state=restarted
-
-- name: rerun depmod
- command: depmod -ae
-
-- name: update initramfs
- command: update-initramfs -u
-
-- name: update timezone
- command: dpkg-reconfigure --frontend noninteractive tzdata
-
-- name: regenerate pam config
- shell: DEBIAN_FRONTEND=noninteractive pam-auth-update --force
diff --git a/common/tasks/dns.yml b/common/tasks/dns.yml
deleted file mode 100644
index 0a2d51a0a43abeb3eb9f0366e38a03f7052f1c88..0000000000000000000000000000000000000000
--- a/common/tasks/dns.yml
+++ /dev/null
@@ -1,24 +0,0 @@
----
-# file: roles/common/tasks/dns.yml
-
-- name: ensure dns is configured
- template: src=resolv.conf.j2 dest=/etc/resolv.conf owner=root group=root mode=0644
- tags:
- - dns
- - config
-
-- name: ensure dbus is installed, since hostnamectl needs this
- apt: name=dbus state=present
- tags:
- - packages
- - dns
- - network
- - config
-
-- name: ensure the hostname is not a fqdn for non-hypervisors
- hostname: name="{{ inventory_hostname }}"
- when: not (inventory_hostname in groups['vm-hosts']) and not (inventory_hostname == 'cloud')
- tags:
- - dns
- - network
- - config
diff --git a/common/tasks/filesystem.yml b/common/tasks/filesystem.yml
deleted file mode 100644
index bd080c5dc9f76295b509019b8ab7c7ab73a7afa4..0000000000000000000000000000000000000000
--- a/common/tasks/filesystem.yml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-# file: roles/common/tasks/filesystem.yml
-
-- name: ensure /tmp is a tmpfs
- mount: name=/tmp src=tmpfs fstype=tmpfs opts=nosuid,rw,noexec state=mounted
- tags:
- - config
- - mount
diff --git a/common/tasks/locale.yml b/common/tasks/locale.yml
deleted file mode 100644
index 781cbb4851a5ca67d041a81891746237577f7d53..0000000000000000000000000000000000000000
--- a/common/tasks/locale.yml
+++ /dev/null
@@ -1,20 +0,0 @@
----
-
-- apt: name=locales state=latest
- tags:
- - packages
- - locale
-
-- locale_gen: name="{{item}}.UTF-8" state=present
- with_items:
- - en_US
- - de_DE
- - en_DK
- tags:
- - config
- - locale
-
-- copy: src=locale dest=/etc/default/locale owner=root group=root mode=0644
- tags:
- - config
- - locale
diff --git a/common/tasks/logging.yml b/common/tasks/logging.yml
deleted file mode 100644
index cbd9a3195245d27ad47ca5693759fb57172126fa..0000000000000000000000000000000000000000
--- a/common/tasks/logging.yml
+++ /dev/null
@@ -1,26 +0,0 @@
----
-# file: roles/common/task/logging.yml
-
-## TODO /var/log vs systemd journal
-
-- name: ensure rsyslog is running and enabled
- service: name=rsyslog state=running enabled=yes
- tags:
- - syslog
- - service
-
-- name: ensure that central logging works
- template: src=rsyslog.conf.j2 dest=/etc/rsyslog.conf owner=root group=root mode=0644
- when: ansible_fqdn != "rumo.fsmpi.rwth-aachen.de"
- notify:
- - restart rsyslogd
- tags:
- - syslog
- - config
-
-- name: ensure our logrotate.conf is present
- copy: src=logrotate.conf dest=/etc/logrotate.conf owner=root group=root mode=0644
- tags:
- - syslog
- - config
-
diff --git a/common/tasks/main.yml b/common/tasks/main.yml
deleted file mode 100644
index d50223f47c94c9e515efedf95b26eaaec49c6923..0000000000000000000000000000000000000000
--- a/common/tasks/main.yml
+++ /dev/null
@@ -1,27 +0,0 @@
----
-# file: roles/common/tasks/main.yml
-
-- include: filesystem.yml
-- meta: flush_handlers
-- include: locale.yml
-- meta: flush_handlers
-- include: repositories.yml
-- meta: flush_handlers
-- include: dns.yml
-- meta: flush_handlers
-- include: tls.yml
-- meta: flush_handlers
-- include: sshd.yml
-- meta: flush_handlers
-- include: sudo.yml
-- meta: flush_handlers
-- include: logging.yml
-- meta: flush_handlers
-- include: ntpd.yml
-- meta: flush_handlers
-- include: shell.yml
-- meta: flush_handlers
-- include: software.yml
-- meta: flush_handlers
-- include: sysctl.yml
-- meta: flush_handlers
diff --git a/common/tasks/ntpd.yml b/common/tasks/ntpd.yml
deleted file mode 100644
index 389884040562656f9886038624a0657a8c8febba..0000000000000000000000000000000000000000
--- a/common/tasks/ntpd.yml
+++ /dev/null
@@ -1,30 +0,0 @@
----
-# file: roles/common/tasks/ntp.yml
-
-- name: ensure correct timezone setting
- copy: src=timezone dest=/etc/timezone owner=root group=root mode=0644
- notify:
- - update timezone
- tags:
- - config
- - ntpd
-
-- name: ensure ntpd is installed
- apt: name=ntp state=latest
- tags:
- - ntpd
- - packages
-
-- name: ensure ntpd configured
- template: src=ntp.conf.j2 dest=/etc/ntp.conf
- notify:
- - restart ntpd
- tags:
- - ntpd
- - config
-
-- name: ensure ntpd is running and enabled
- service: name=ntp state=running enabled=yes
- tags:
- - ntpd
- - service
diff --git a/common/tasks/repositories.yml b/common/tasks/repositories.yml
deleted file mode 100644
index 1923ed5cb9359623207a2cc835b03e64adaff5e9..0000000000000000000000000000000000000000
--- a/common/tasks/repositories.yml
+++ /dev/null
@@ -1,38 +0,0 @@
----
-# file: roles/common/tasks/repositories.yml
-
-- name: provide default sources.list
- template:
- src: sources.list
- dest: /etc/apt/sources.list
- owner: root
- group: root
- mode: 0644
- tags:
- - packages
- - repos
-
-- name: remove old sources
- file:
- name: "/etc/apt/sources.list.d/{{item}}.list"
- state: absent
- with_items:
- - ftp_halifax_rwth_aachen_de_debian
- - security_debian_org
- tags:
- - packages
- - repos
-
-- name: remove unused packages
- command: apt-get autoremove -y
- tags:
- - packages
- - repos
- - clean
-
-- name: update apt cache and upgrade existing packages
- apt: update_cache=yes upgrade=dist
- tags:
- - packages
- - repos
- - clean
diff --git a/common/tasks/software.yml b/common/tasks/software.yml
deleted file mode 100644
index 73e5f3019ba5171744b9720e7a79ca40c15e757b..0000000000000000000000000000000000000000
--- a/common/tasks/software.yml
+++ /dev/null
@@ -1,58 +0,0 @@
----
-# file: roles/common/tasks/software.yml
-
-- name: ensure installaton of some essential software
- apt: state=latest name={{ item }}
- with_items:
- - rsync
- - screen
- - tmux
- - sysstat
- - tcpdump
- - iotop
- - pv
- - atop
- - htop
- - build-essential
- - aptitude
- - lsof
- - curl
- - lftp
- - strace
- - nmap
- - ethtool
- - telnet
- - snmp
- - pwgen
- - reptyr
- - file
- - ipmitool
- - squashfs-tools
- tags:
- - packages
- - shell
-
-- name: ensure installation of microcode updates
- apt: state=latest name={{ item }}
- with_items:
- - intel-microcode
- - amd64-microcode
- tags:
- - packages
-
-#- name: ensure facter and co are uninstalled
-# apt: name=libruby2.1:i386,ruby2.1,ruby-json,ruby,facter,vim-addon-manager state=absent
-# tags:
-# - packages
-
-- name: remove unused packages
- command: apt-get autoremove -y
- tags:
- - packages
- - clean
-
-- name: update apt cache and upgrade existing packages
- apt: update_cache=yes upgrade=dist
- tags:
- - packages
- - deb-updates
diff --git a/common/tasks/sshd.yml b/common/tasks/sshd.yml
deleted file mode 100644
index 45b7b0a843ab0e927187b02e1de024ac2373e25a..0000000000000000000000000000000000000000
--- a/common/tasks/sshd.yml
+++ /dev/null
@@ -1,119 +0,0 @@
----
-# file: roles/common/tasks/sshd.yml
-
-- name: ensure sshd is installed
- apt:
- name: openssh-server
- state: installed
- tags:
- - ssh
- - packages
-
-- name: ensure sshd configured
- template:
- src: sshd_config.j2
- dest: /etc/ssh/sshd_config
- owner: root
- group: root
- mode: 0644
- backup: yes
- validate: '/usr/sbin/sshd -t -f %s'
- notify:
- - restart sshd
- tags:
- - ssh
- - config
-
-- name: ensure standard pam configuration for sshd
- copy:
- src: pam/sshd
- dest: /etc/pam.d/sshd
- owner: root
- group: root
- mode: 0644
- notify:
- - restart sshd
- tags:
- - ssh
- - config
-
-- name: ensure pam creates a home dir if necessary
- copy:
- src: pam/mkhomedir
- dest: /usr/share/pam-configs/mkhomedir
- owner: root
- group: root
- mode: 0644
- when: "ssh_mkhomedir"
- notify:
- - regenerate pam config
- tags:
- - pam
- - config
-
-- name: ensure sshd is running and enabled
- service:
- name: ssh
- state: started
- enabled: yes
- tags:
- - ssh
- - service
-
-- name: ensure a proper ssh environment for root
- file:
- state: directory
- path: /root/.ssh
- owner: root
- group: root
- mode: 0700
- tags:
- - ssh
- - root
-
-# filename syntax: name.pub or name+dest_host_1,...,dest_host_n.pub
-- name: ensure our and only our keys are authorized for root
- assemble:
- dest: /root/.ssh/authorized_keys
- owner: root
- group: root
- mode: 0600
- remote_src: False
- src: "{{ ssh_authorized_keys }}"
- backup: True
- ignore_hidden: True
- regexp: "([^+]+|[^+]+\\+([^+]+,)*{{ inventory_hostname }}(,[^+]+)*).pub"
- tags:
- - ssh
- - root
-
-- name: ensure we fail2ban bad people
- apt:
- name: fail2ban
- state: installed
- tags:
- - ssh
- - packages
-
-- name: ensure we got ourselves protected from sleepiness
- apt:
- name: molly-guard
- state: installed
- tags:
- - molly
- - packages
- - shell
- - ssh
-
-- name: ensure screen does not interfere with sleepiness
- copy:
- src: molly-guard
- dest: /etc/molly-guard/rc
- owner: root
- group: root
- mode: 0644
- tags:
- - molly
- - config
- - shell
- - ssh
diff --git a/common/tasks/sudo.yml b/common/tasks/sudo.yml
deleted file mode 100644
index 1f77254f7cd937d5869719827b8b1be6e4edef92..0000000000000000000000000000000000000000
--- a/common/tasks/sudo.yml
+++ /dev/null
@@ -1,26 +0,0 @@
----
-# file: roles/common/tasks/sudo.yml
-
-- name: ensure sudo is installed
- apt: state=latest name=sudo
- tags:
- - sudo
- - packages
-
-- name: ensure we got a sane sudo config
- copy: src=sudo/default dest=/etc/sudoers owner=root group=root mode=0440 validate='visudo -q -c -f %s'
- tags:
- - sudo
- - config
-
-- name: check whole sudo config
- command: visudo -q -c -f /etc/sudoers
- tags:
- - sudo
- - test
-
-- name: ensure we got root
- user: name=root password={{ rootpassword }}
- tags:
- - root
- - config
diff --git a/common/tasks/sysctl.yml b/common/tasks/sysctl.yml
deleted file mode 100644
index acfd19fb477c407f646d8567873c9a27f2257fc8..0000000000000000000000000000000000000000
--- a/common/tasks/sysctl.yml
+++ /dev/null
@@ -1,17 +0,0 @@
----
-# file: roles/common/tasks/sysctl.yml
-
-- name: ensure deactivation of tcp_timestamps
- sysctl: name=net.ipv4.tcp_timestamps value=0 state=present sysctl_set=yes
- tags:
- - security
- - sysctl
- - config
-
-- name: restrict dmesg access to only root
- sysctl: name=kernel.dmesg_restrict value=1 state=present sysctl_set=yes
- tags:
- - security
- - sysctl
- - config
-
diff --git a/common/tasks/tls.yml b/common/tasks/tls.yml
deleted file mode 100644
index 916b4bf4e881f169a41e48ac68af68504ad8ea99..0000000000000000000000000000000000000000
--- a/common/tasks/tls.yml
+++ /dev/null
@@ -1,19 +0,0 @@
----
-# file: roles/common/tasks/tls.yml
-
-- name: ensure openssl is installed
- apt: name=openssl state=latest
- tags:
- - packages
- - tls
-
-- name: ensure the sha2 rwth chain is available
- copy:
- src: rwth_chain_sha2.pem
- dest: /etc/ssl/certs/rwth_chain.pem
- owner: root
- group: root
- mode: 0644
- tags:
- - tls
- - rwth
diff --git a/common/templates/ntp.conf.j2 b/common/templates/ntp.conf.j2
deleted file mode 100644
index 1ea2f972f11ac53b8cfc0a874628c17491e73d47..0000000000000000000000000000000000000000
--- a/common/templates/ntp.conf.j2
+++ /dev/null
@@ -1,16 +0,0 @@
-driftfile /var/lib/ntp/ntp.drift
-
-statistics loopstats peerstats clockstats
-filegen loopstats file loopstats type day enable
-filegen peerstats file peerstats type day enable
-filegen clockstats file clockstats type day enable
-
-restrict -4 default kod notrap nomodify nopeer noquery
-restrict -6 default kod notrap nomodify nopeer noquery
-
-restrict 127.0.0.1
-restrict ::1
-
-{% for server in ntpservers %}
- server {{ server }} iburst
-{% endfor %}
diff --git a/common/templates/resolv.conf.j2 b/common/templates/resolv.conf.j2
deleted file mode 100644
index 414dbbb3be8c1d44d062eeba30bc3a5d93f3508a..0000000000000000000000000000000000000000
--- a/common/templates/resolv.conf.j2
+++ /dev/null
@@ -1,6 +0,0 @@
-domain {{ domain }}
-search {{ domain }}
-
-{% for server in nameservers %}
-nameserver {{ server }}
-{% endfor %}
diff --git a/common/templates/rsyslog.conf.j2 b/common/templates/rsyslog.conf.j2
deleted file mode 100644
index 26f5868073090b7fa497d560a3ce8e47978a94a4..0000000000000000000000000000000000000000
--- a/common/templates/rsyslog.conf.j2
+++ /dev/null
@@ -1,117 +0,0 @@ -$ModLoad imuxsock # provides support for local system logging -$ModLoad imklog # provides kernel logging support -#$ModLoad immark # provides --MARK-- message capability - -# provides UDP syslog reception -#$ModLoad imudp -#$UDPServerRun 514 - -# provides TCP syslog reception -#$ModLoad imtcp -#$InputTCPServerRun 514 - - -########################### -#### GLOBAL DIRECTIVES #### -########################### - -# -# Use traditional timestamp format. -# To enable high precision timestamps, comment out the following line. -# -$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat - -# -# Set the default permissions for all log files. -# -$FileOwner root -$FileGroup adm -$FileCreateMode 0640 -$DirCreateMode 0755 -$Umask 0022 - -# -# Where to place spool and state files -# -$WorkDirectory /var/spool/rsyslog - -$ActionQueueType LinkedList # use asynchronous processing -$ActionQueueFileName srvrfwd # set file name, also enables disk mode -$ActionResumeRetryCount -1 # infinite retries on insert failure -$ActionQueueSaveOnShutdown on # save in-memory data if rsyslog shuts down -*.* @@{{ syslogserver }} - -# -# Include all config files in /etc/rsyslog.d/ -# -$IncludeConfig /etc/rsyslog.d/*.conf - - -############### -#### RULES #### -############### - -# -# First some standard log files. Log by facility. -# -auth,authpriv.* /var/log/auth.log -*.*;auth,authpriv.none -/var/log/syslog -#cron.* /var/log/cron.log -daemon.* -/var/log/daemon.log -kern.* -/var/log/kern.log -lpr.* -/var/log/lpr.log -mail.* -/var/log/mail.log -user.* -/var/log/user.log - -# -# Logging for the mail system. Split it up so that -# it is easy to write scripts to parse these files. -# -mail.info -/var/log/mail.info -mail.warn -/var/log/mail.warn -mail.err /var/log/mail.err - -# -# Logging for INN news system. -# -news.crit /var/log/news/news.crit -news.err /var/log/news/news.err -news.notice -/var/log/news/news.notice - -# -# Some "catch-all" log files. 
-# -*.=debug;\ - auth,authpriv.none;\ - news.none;mail.none -/var/log/debug -*.=info;*.=notice;*.=warn;\ - auth,authpriv.none;\ - cron,daemon.none;\ - mail,news.none -/var/log/messages - -# -# Emergencies are sent to everybody logged in. -# -*.emerg :omusrmsg:* - -# -# I like to have messages displayed on the console, but only on a virtual -# console I usually leave idle. -# -#daemon,mail.*;\ -# news.=crit;news.=err;news.=notice;\ -# *.=debug;*.=info;\ -# *.=notice;*.=warn /dev/tty8 - -# The named pipe /dev/xconsole is for the `xconsole' utility. To use it, -# you must invoke `xconsole' with the `-file' option: -# -# $ xconsole -file /dev/xconsole [...] -# -# NOTE: adjust the list below, or you'll go crazy if you have a reasonably -# busy site.. -# -daemon.*;mail.*;\ - news.err;\ - *.=debug;*.=info;\ - *.=notice;*.=warn |/dev/xconsole
diff --git a/common/templates/sources.list b/common/templates/sources.list
deleted file mode 100644
index 9624c182532e8e66a33458f5f3e7b27c449235d8..0000000000000000000000000000000000000000
--- a/common/templates/sources.list
+++ /dev/null
@@ -1,15 +0,0 @@
-deb http://ftp.halifax.rwth-aachen.de/debian/ {{debian_version}} main contrib non-free
-deb-src http://ftp.halifax.rwth-aachen.de/debian/ {{debian_version}} main contrib non-free
-
-deb http://security.debian.org/ {{debian_version}}/updates main contrib non-free
-deb-src http://security.debian.org/ {{debian_version}}/updates main contrib non-free
-
-{% if apt_use_updates %}
-deb http://ftp.halifax.rwth-aachen.de/debian/ {{debian_version}}-updates main contrib non-free
-deb-src http://ftp.halifax.rwth-aachen.de/debian/ {{debian_version}}-updates main contrib non-free
-{% endif %}
-
-{% if apt_use_backports %}
-deb http://ftp.halifax.rwth-aachen.de/debian/ {{debian_version}}-backports main contrib non-free
-deb-src http://ftp.halifax.rwth-aachen.de/debian/ {{debian_version}}-backports main contrib non-free
-{% endif %}
diff --git a/common/templates/ssh_config b/common/templates/ssh_config
deleted file mode 100644
index 3810e13d739e15cf0404b417eb3a3a193ac90e6b..0000000000000000000000000000000000000000
--- a/common/templates/ssh_config
+++ /dev/null
@@ -1,54 +0,0 @@
-
-# This is the ssh client system-wide configuration file. See
-# ssh_config(5) for more information. This file provides defaults for
-# users, and the values can be changed in per-user configuration files
-# or on the command line.
-
-# Configuration data is parsed as follows:
-# 1. command line options
-# 2. user-specific file
-# 3. system-wide file
-# Any configuration value is only changed the first time it is set.
-# Thus, host-specific definitions should be at the beginning of the
-# configuration file, and defaults at the end.
-
-# Site-wide defaults for some commonly used options. For a comprehensive
-# list of available options, their meanings and defaults, please see the
-# ssh_config(5) man page.
-
-Host *
-# ForwardAgent no
-# ForwardX11 no
-# ForwardX11Trusted yes
-# RhostsRSAAuthentication no
-# RSAAuthentication yes
-# PasswordAuthentication yes
-# HostbasedAuthentication no
-# GSSAPIAuthentication no
-# GSSAPIDelegateCredentials no
-# GSSAPIKeyExchange no
-# GSSAPITrustDNS no
-# BatchMode no
-# CheckHostIP yes
-# AddressFamily any
-# ConnectTimeout 0
-# StrictHostKeyChecking ask
-# IdentityFile ~/.ssh/identity
-# IdentityFile ~/.ssh/id_rsa
-# IdentityFile ~/.ssh/id_dsa
-# Port 22
-# Protocol 2,1
-# Cipher 3des
-# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
-# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
-# EscapeChar ~
-# Tunnel no
-# TunnelDevice any:any
-# PermitLocalCommand no
-# VisualHostKey no
-# ProxyCommand ssh -q -W %h:%p gateway.example.com
-# RekeyLimit 1G 1h
- SendEnv LANG LC_*
- HashKnownHosts yes
- GSSAPIAuthentication yes
- GSSAPIDelegateCredentials no
diff --git a/common/templates/sshd_config.j2 b/common/templates/sshd_config.j2
deleted file mode 100644
index 0fadada5c25de68f53260cc4684a93b4157e0bd2..0000000000000000000000000000000000000000
--- a/common/templates/sshd_config.j2
+++ /dev/null
@@ -1,95 +0,0 @@
-# Package generated configuration file
-# See the sshd_config(5) manpage for details
-
-# What ports, IPs and protocols we listen for
-Port 22
-# Use these options to restrict which interfaces/protocols sshd will bind to
-#ListenAddress ::
-#ListenAddress 0.0.0.0
-Protocol 2
-{% if ssh_strong_crypto %}
-KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
-Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
-MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
-{% endif %}
-# HostKeys for protocol version 2
-HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_ed25519_key
-#Privilege Separation is turned on for security
-UsePrivilegeSeparation yes
-
-# Lifetime and size of ephemeral version 1 server key
-KeyRegenerationInterval 3600
-ServerKeyBits 1024
-
-# Logging
-SyslogFacility AUTH
-LogLevel INFO
-
-# Authentication:
-LoginGraceTime 120
-PermitRootLogin without-password
-StrictModes yes
-
-RSAAuthentication yes
-PubkeyAuthentication yes
-#AuthorizedKeysFile %h/.ssh/authorized_keys
-
-# Don't read the user's ~/.rhosts and ~/.shosts files
-IgnoreRhosts yes
-# For this to work you will also need host keys in /etc/ssh_known_hosts
-RhostsRSAAuthentication no
-# similar for protocol version 2
-HostbasedAuthentication no
-# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
-#IgnoreUserKnownHosts yes
-
-# To enable empty passwords, change to yes (NOT RECOMMENDED)
-PermitEmptyPasswords no
-
-# Change to yes to enable challenge-response passwords (beware issues with
-# some PAM modules and threads)
-ChallengeResponseAuthentication no
-
-# Change to no to disable tunnelled clear text passwords
-#PasswordAuthentication yes
-
-# Kerberos options
-#KerberosAuthentication no
-#KerberosGetAFSToken no
-#KerberosOrLocalPasswd yes
-#KerberosTicketCleanup yes
-
-# GSSAPI options
-GSSAPIAuthentication {{ 'yes' if ssh_gssapi else 'no' }}
-#GSSAPICleanupCredentials yes
-
-X11Forwarding yes
-X11DisplayOffset 10
-PrintMotd no
-PrintLastLog yes
-TCPKeepAlive yes
-#UseLogin no
-
-#MaxStartups 10:30:60
-Banner /etc/issue.net
-
-# Allow client to pass locale environment variables
-AcceptEnv LANG LC_*
-
-Subsystem sftp /usr/lib/openssh/sftp-server {{ ssh_sftp_options }}
-
-# Set this to 'yes' to enable PAM authentication, account processing,
-# and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication and
-# PasswordAuthentication. Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
-# the setting of "PermitRootLogin without-password".
-# If you just want the PAM account and session checks to run without
-# PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
-UsePAM yes
-
-{% for group in ssh_allow_groups %}
-AllowGroups {{ group }}
-{% endfor %}