split common role

common/tasks/filesystem.yml

----
-# file: roles/common/tasks/filesystem.yml
-
-- name: ensure /tmp is a tmpfs
-  mount: name=/tmp src=tmpfs fstype=tmpfs opts=nosuid,rw,noexec state=mounted
-  tags:
-    - config
-    - mount

common/tasks/locale.yml

----
-
-- apt: name=locales state=latest
-  tags:
-    - packages
-    - locale
-
-- locale_gen: name="{{item}}.UTF-8" state=present
-  with_items:
-    - en_US
-    - de_DE
-    - en_DK
-  tags:
-    - config
-    - locale
-
-- copy: src=locale dest=/etc/default/locale owner=root group=root mode=0644
-  tags:
-    - config
-    - locale

common/tasks/logging.yml

----
-# file: roles/common/task/logging.yml
-
-## TODO /var/log vs systemd journal
-
-- name: ensure rsyslog is running and enabled
-  service: name=rsyslog state=running enabled=yes
-  tags:
-    - syslog
-    - service
-
-- name: ensure that central logging works
-  template: src=rsyslog.conf.j2 dest=/etc/rsyslog.conf owner=root group=root mode=0644
-  when: ansible_fqdn != "rumo.fsmpi.rwth-aachen.de"
-  notify:
-    - restart rsyslogd
-  tags:
-    - syslog
-    - config
-
-- name: ensure our logrotate.conf is present
-  copy: src=logrotate.conf dest=/etc/logrotate.conf owner=root group=root mode=0644
-  tags:
-    - syslog
-    - config
-

common/tasks/main.yml

----
-# file: roles/common/tasks/main.yml
-
-- include: filesystem.yml
-- meta: flush_handlers
-- include: locale.yml
-- meta: flush_handlers
-- include: repositories.yml
-- meta: flush_handlers
-- include: dns.yml
-- meta: flush_handlers
-- include: tls.yml
-- meta: flush_handlers
-- include: sshd.yml
-- meta: flush_handlers
-- include: sudo.yml
-- meta: flush_handlers
-- include: logging.yml
-- meta: flush_handlers
-- include: ntpd.yml
-- meta: flush_handlers
-- include: shell.yml
-- meta: flush_handlers
-- include: software.yml
-- meta: flush_handlers
-- include: sysctl.yml
-- meta: flush_handlers

common/tasks/ntpd.yml

----
-# file: roles/common/tasks/ntp.yml
-
-- name: ensure correct timezone setting
-  copy: src=timezone dest=/etc/timezone owner=root group=root mode=0644
-  notify:
-    - update timezone
-  tags:
-    - config
-    - ntpd
-
-- name: ensure ntpd is installed
-  apt:  name=ntp state=latest
-  tags:
-    - ntpd
-    - packages 
-
-- name: ensure ntpd configured
-  template: src=ntp.conf.j2 dest=/etc/ntp.conf
-  notify:
-    - restart ntpd
-  tags:
-    - ntpd
-    - config
-
-- name: ensure ntpd is running and enabled
-  service: name=ntp state=running enabled=yes
-  tags:
-    - ntpd
-    - service

common/tasks/repositories.yml

----
-# file: roles/common/tasks/repositories.yml
-
-- name: provide default sources.list
-  template:
-    src: sources.list
-    dest: /etc/apt/sources.list
-    owner: root
-    group: root
-    mode: 0644
-  tags:
-    - packages
-    - repos
-
-- name: remove old sources
-  file:
-    name: "/etc/apt/sources.list.d/{{item}}.list"
-    state: absent
-  with_items:
-    - ftp_halifax_rwth_aachen_de_debian
-    - security_debian_org
-  tags:
-    - packages
-    - repos
- 
-- name: remove unused packages
-  command: apt-get autoremove -y
-  tags:
-    - packages
-    - repos
-    - clean
-
-- name: update apt cache and upgrade existing packages
-  apt: update_cache=yes upgrade=dist
-  tags:
-    - packages
-    - repos
-    - clean

common/tasks/software.yml

----
-# file: roles/common/tasks/software.yml
-
-- name: ensure installaton of some essential software
-  apt: state=latest name={{ item }}
-  with_items:
-    - rsync
-    - screen
-    - tmux
-    - sysstat
-    - tcpdump
-    - iotop
-    - pv
-    - atop
-    - htop
-    - build-essential
-    - aptitude
-    - lsof
-    - curl
-    - lftp
-    - strace
-    - nmap
-    - ethtool
-    - telnet
-    - snmp
-    - pwgen
-    - reptyr
-    - file
-    - ipmitool
-    - squashfs-tools
-  tags:
-    - packages
-    - shell
-
-- name: ensure installation of microcode updates
-  apt: state=latest name={{ item }}
-  with_items:
-    - intel-microcode
-    - amd64-microcode
-  tags:
-    - packages
-
-#- name: ensure facter and co are uninstalled
-#  apt: name=libruby2.1:i386,ruby2.1,ruby-json,ruby,facter,vim-addon-manager state=absent
-#  tags:
-#    - packages
-
-- name: remove unused packages
-  command: apt-get autoremove -y
-  tags:
-    - packages
-    - clean
-
-- name: update apt cache and upgrade existing packages
-  apt: update_cache=yes upgrade=dist
-  tags:
-    - packages
-    - deb-updates

common/tasks/sshd.yml

----
-# file: roles/common/tasks/sshd.yml
-
-- name: ensure sshd is installed
-  apt:
-    name: openssh-server
-    state: installed
-  tags:
-    - ssh
-    - packages 
-
-- name: ensure sshd configured
-  template:
-    src: sshd_config.j2
-    dest: /etc/ssh/sshd_config
-    owner: root
-    group: root
-    mode: 0644
-    backup: yes
-    validate: '/usr/sbin/sshd -t -f %s'
-  notify:
-    - restart sshd
-  tags:
-    - ssh
-    - config
-
-- name: ensure standard pam configuration for sshd
-  copy:
-    src: pam/sshd
-    dest: /etc/pam.d/sshd
-    owner: root
-    group: root
-    mode: 0644
-  notify:
-    - restart sshd
-  tags:
-    - ssh
-    - config
-
-- name: ensure pam creates a home dir if necessary
-  copy:
-    src: pam/mkhomedir
-    dest: /usr/share/pam-configs/mkhomedir
-    owner: root
-    group: root
-    mode: 0644
-  when: "ssh_mkhomedir"
-  notify:
-    - regenerate pam config
-  tags:
-    - pam
-    - config
-
-- name: ensure sshd is running and enabled
-  service:
-    name: ssh
-    state: started
-    enabled: yes
-  tags:
-    - ssh
-    - service
-
-- name: ensure a proper ssh environment for root
-  file:
-    state: directory
-    path: /root/.ssh
-    owner: root
-    group: root
-    mode: 0700
-  tags:
-    - ssh
-    - root
-
-# filename syntax: name.pub or name+dest_host_1,...,dest_host_n.pub
-- name: ensure our and only our keys are authorized for root
-  assemble:
-    dest: /root/.ssh/authorized_keys
-    owner: root
-    group: root
-    mode: 0600
-    remote_src: False
-    src: "{{ ssh_authorized_keys }}"
-    backup: True
-    ignore_hidden: True
-    regexp: "([^+]+|[^+]+\\+([^+]+,)*{{ inventory_hostname }}(,[^+]+)*).pub"
-  tags:
-    - ssh
-    - root
-
-- name: ensure we fail2ban bad people
-  apt:
-    name: fail2ban
-    state: installed
-  tags:
-    - ssh
-    - packages
-
-- name: ensure we got ourselves protected from sleepiness
-  apt:
-    name: molly-guard
-    state: installed
-  tags:
-    - molly
-    - packages
-    - shell
-    - ssh
-
-- name: ensure screen does not interfere with sleepiness
-  copy:
-    src: molly-guard
-    dest: /etc/molly-guard/rc
-    owner: root
-    group: root
-    mode: 0644
-  tags:
-    - molly
-    - config
-    - shell
-    - ssh

common/tasks/sudo.yml

----
-# file: roles/common/tasks/sudo.yml
-
-- name: ensure sudo is installed 
-  apt: state=latest name=sudo
-  tags:
-    - sudo
-    - packages
-
-- name: ensure we got a sane sudo config
-  copy: src=sudo/default dest=/etc/sudoers owner=root group=root mode=0440 validate='visudo -q -c -f %s'
-  tags:
-    - sudo
-    - config
-
-- name: check whole sudo config
-  command: visudo -q -c -f /etc/sudoers
-  tags:
-    - sudo
-    - test
-
-- name: ensure we got root
-  user: name=root password={{ rootpassword }}
-  tags:
-    - root
-    - config

common/tasks/sysctl.yml

----
-# file: roles/common/tasks/sysctl.yml
-
-- name: ensure deactivation of tcp_timestamps
-  sysctl: name=net.ipv4.tcp_timestamps value=0 state=present sysctl_set=yes
-  tags: 
-    - security
-    - sysctl
-    - config
-
-- name: restrict dmesg access to only root
-  sysctl: name=kernel.dmesg_restrict value=1 state=present sysctl_set=yes
-  tags: 
-    - security
-    - sysctl
-    - config
-

common/tasks/tls.yml

----
-# file: roles/common/tasks/tls.yml
-
-- name: ensure openssl is installed
-  apt: name=openssl state=latest
-  tags:
-    - packages
-    - tls
-
-- name: ensure the sha2 rwth chain is available
-  copy:
-    src: rwth_chain_sha2.pem
-    dest: /etc/ssl/certs/rwth_chain.pem
-    owner: root
-    group: root
-    mode: 0644
-  tags:
-    - tls
-    - rwth

common/templates/ntp.conf.j2

-driftfile /var/lib/ntp/ntp.drift
-
-statistics loopstats peerstats clockstats
-filegen loopstats file loopstats type day enable
-filegen peerstats file peerstats type day enable
-filegen clockstats file clockstats type day enable
-
-restrict -4 default kod notrap nomodify nopeer noquery
-restrict -6 default kod notrap nomodify nopeer noquery
-
-restrict 127.0.0.1
-restrict ::1
-
-{% for server in ntpservers %} 
-	server {{ server }} iburst
-{% endfor %}

common/templates/resolv.conf.j2

-domain {{ domain }}
-search {{ domain }}
-
-{% for server in nameservers %}
-nameserver {{ server }}
-{% endfor %}

common/templates/rsyslog.conf.j2

-$ModLoad imuxsock # provides support for local system logging
-$ModLoad imklog   # provides kernel logging support
-#$ModLoad immark  # provides --MARK-- message capability
-
-# provides UDP syslog reception
-#$ModLoad imudp
-#$UDPServerRun 514
-
-# provides TCP syslog reception
-#$ModLoad imtcp
-#$InputTCPServerRun 514
-
-
-###########################
-#### GLOBAL DIRECTIVES ####
-###########################
-
-#
-# Use traditional timestamp format.
-# To enable high precision timestamps, comment out the following line.
-#
-$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
-
-#
-# Set the default permissions for all log files.
-#
-$FileOwner root
-$FileGroup adm
-$FileCreateMode 0640
-$DirCreateMode 0755
-$Umask 0022
-
-#
-# Where to place spool and state files
-#
-$WorkDirectory /var/spool/rsyslog
-
-$ActionQueueType LinkedList   # use asynchronous processing
-$ActionQueueFileName srvrfwd  # set file name, also enables disk mode
-$ActionResumeRetryCount -1    # infinite retries on insert failure
-$ActionQueueSaveOnShutdown on # save in-memory data if rsyslog shuts down
-*.*       @@{{ syslogserver }}
-
-#
-# Include all config files in /etc/rsyslog.d/
-#
-$IncludeConfig /etc/rsyslog.d/*.conf
-
-
-###############
-#### RULES ####
-###############
-
-#
-# First some standard log files.  Log by facility.
-#
-auth,authpriv.*			/var/log/auth.log
-*.*;auth,authpriv.none		-/var/log/syslog
-#cron.*				/var/log/cron.log
-daemon.*			-/var/log/daemon.log
-kern.*				-/var/log/kern.log
-lpr.*				-/var/log/lpr.log
-mail.*				-/var/log/mail.log
-user.*				-/var/log/user.log
-
-#
-# Logging for the mail system.  Split it up so that
-# it is easy to write scripts to parse these files.
-#
-mail.info			-/var/log/mail.info
-mail.warn			-/var/log/mail.warn
-mail.err			/var/log/mail.err
-
-#
-# Logging for INN news system.
-#
-news.crit			/var/log/news/news.crit
-news.err			/var/log/news/news.err
-news.notice			-/var/log/news/news.notice
-
-#
-# Some "catch-all" log files.
-#
-*.=debug;\
-	auth,authpriv.none;\
-	news.none;mail.none	-/var/log/debug
-*.=info;*.=notice;*.=warn;\
-	auth,authpriv.none;\
-	cron,daemon.none;\
-	mail,news.none		-/var/log/messages
-
-#
-# Emergencies are sent to everybody logged in.
-#
-*.emerg				:omusrmsg:*
-
-#
-# I like to have messages displayed on the console, but only on a virtual
-# console I usually leave idle.
-#
-#daemon,mail.*;\
-#	news.=crit;news.=err;news.=notice;\
-#	*.=debug;*.=info;\
-#	*.=notice;*.=warn	/dev/tty8
-
-# The named pipe /dev/xconsole is for the `xconsole' utility.  To use it,
-# you must invoke `xconsole' with the `-file' option:
-# 
-#    $ xconsole -file /dev/xconsole [...]
-#
-# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
-#      busy site..
-#
-daemon.*;mail.*;\
-	news.err;\
-	*.=debug;*.=info;\
-	*.=notice;*.=warn	|/dev/xconsole

common/templates/sources.list

-deb http://ftp.halifax.rwth-aachen.de/debian/ {{debian_version}} main contrib non-free
-deb-src http://ftp.halifax.rwth-aachen.de/debian/ {{debian_version}} main contrib non-free
-
-deb http://security.debian.org/ {{debian_version}}/updates main contrib non-free
-deb-src http://security.debian.org/ {{debian_version}}/updates main contrib non-free
-
-{% if apt_use_updates %}
-deb http://ftp.halifax.rwth-aachen.de/debian/ {{debian_version}}-updates main contrib non-free
-deb-src http://ftp.halifax.rwth-aachen.de/debian/ {{debian_version}}-updates main contrib non-free
-{% endif %}
-
-{% if apt_use_backports %}
-deb http://ftp.halifax.rwth-aachen.de/debian/ {{debian_version}}-backports main contrib non-free
-deb-src http://ftp.halifax.rwth-aachen.de/debian/ {{debian_version}}-backports main contrib non-free
-{% endif %}

common/templates/ssh_config

-
-# This is the ssh client system-wide configuration file.  See
-# ssh_config(5) for more information.  This file provides defaults for
-# users, and the values can be changed in per-user configuration files
-# or on the command line.
-
-# Configuration data is parsed as follows:
-#  1. command line options
-#  2. user-specific file
-#  3. system-wide file
-# Any configuration value is only changed the first time it is set.
-# Thus, host-specific definitions should be at the beginning of the
-# configuration file, and defaults at the end.
-
-# Site-wide defaults for some commonly used options.  For a comprehensive
-# list of available options, their meanings and defaults, please see the
-# ssh_config(5) man page.
-
-Host *
-#   ForwardAgent no
-#   ForwardX11 no
-#   ForwardX11Trusted yes
-#   RhostsRSAAuthentication no
-#   RSAAuthentication yes
-#   PasswordAuthentication yes
-#   HostbasedAuthentication no
-#   GSSAPIAuthentication no
-#   GSSAPIDelegateCredentials no
-#   GSSAPIKeyExchange no
-#   GSSAPITrustDNS no
-#   BatchMode no
-#   CheckHostIP yes
-#   AddressFamily any
-#   ConnectTimeout 0
-#   StrictHostKeyChecking ask
-#   IdentityFile ~/.ssh/identity
-#   IdentityFile ~/.ssh/id_rsa
-#   IdentityFile ~/.ssh/id_dsa
-#   Port 22
-#   Protocol 2,1
-#   Cipher 3des
-#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
-#   MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
-#   EscapeChar ~
-#   Tunnel no
-#   TunnelDevice any:any
-#   PermitLocalCommand no
-#   VisualHostKey no
-#   ProxyCommand ssh -q -W %h:%p gateway.example.com
-#   RekeyLimit 1G 1h
-    SendEnv LANG LC_*
-    HashKnownHosts yes
-    GSSAPIAuthentication yes
-    GSSAPIDelegateCredentials no

common/templates/sshd_config.j2

-# Package generated configuration file
-# See the sshd_config(5) manpage for details
-
-# What ports, IPs and protocols we listen for
-Port 22
-# Use these options to restrict which interfaces/protocols sshd will bind to
-#ListenAddress ::
-#ListenAddress 0.0.0.0
-Protocol 2
-{% if ssh_strong_crypto %}
-KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
-Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
-MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
-{% endif %}
-# HostKeys for protocol version 2
-HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_ed25519_key
-#Privilege Separation is turned on for security
-UsePrivilegeSeparation yes
-
-# Lifetime and size of ephemeral version 1 server key
-KeyRegenerationInterval 3600
-ServerKeyBits 1024
-
-# Logging
-SyslogFacility AUTH
-LogLevel INFO
-
-# Authentication:
-LoginGraceTime 120
-PermitRootLogin without-password
-StrictModes yes
-
-RSAAuthentication yes
-PubkeyAuthentication yes
-#AuthorizedKeysFile	%h/.ssh/authorized_keys
-
-# Don't read the user's ~/.rhosts and ~/.shosts files
-IgnoreRhosts yes
-# For this to work you will also need host keys in /etc/ssh_known_hosts
-RhostsRSAAuthentication no
-# similar for protocol version 2
-HostbasedAuthentication no
-# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
-#IgnoreUserKnownHosts yes
-
-# To enable empty passwords, change to yes (NOT RECOMMENDED)
-PermitEmptyPasswords no
-
-# Change to yes to enable challenge-response passwords (beware issues with
-# some PAM modules and threads)
-ChallengeResponseAuthentication no
-
-# Change to no to disable tunnelled clear text passwords
-#PasswordAuthentication yes
-
-# Kerberos options
-#KerberosAuthentication no
-#KerberosGetAFSToken no
-#KerberosOrLocalPasswd yes
-#KerberosTicketCleanup yes
-
-# GSSAPI options
-GSSAPIAuthentication {{ 'yes' if ssh_gssapi else 'no' }}
-#GSSAPICleanupCredentials yes
-
-X11Forwarding yes
-X11DisplayOffset 10
-PrintMotd no
-PrintLastLog yes
-TCPKeepAlive yes
-#UseLogin no
-
-#MaxStartups 10:30:60
-Banner /etc/issue.net
-
-# Allow client to pass locale environment variables
-AcceptEnv LANG LC_*
-
-Subsystem sftp /usr/lib/openssh/sftp-server {{ ssh_sftp_options }}
-
-# Set this to 'yes' to enable PAM authentication, account processing,
-# and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication and
-# PasswordAuthentication.  Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
-# the setting of "PermitRootLogin without-password".
-# If you just want the PAM account and session checks to run without
-# PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
-UsePAM yes
-
-{% for group in ssh_allow_groups %}
-AllowGroups {{ group }}
-{% endfor %}