From acc8f15e9ef9ec7ed7b164217a947b523e8b121d Mon Sep 17 00:00:00 2001
From: Farhad Shahbazi
Date: Sat, 5 Mar 2016 16:30:21 +0100
Subject: [PATCH] initial commit
---
defaults/main.yml | 71 +++++++++++++++++
files/scripts/zombies | 6 ++
handlers/main.yml | 28 +++++++
meta/main.yml | 15 ++++
tasks/apt.yml | 25 ++++++
tasks/main.yml | 35 ++++++++
tasks/ntp.yml | 11 +++
tasks/openssh.yml | 20 +++++
tasks/postfix.yml | 13 +++
tasks/resolvconf.yml | 16 ++++
tasks/rsyslog.yml | 25 ++++++
templates/aliases.j2 | 7 ++
templates/postfix/main.cf.j2 | 46 +++++++++++
templates/postfix/master.cf.j2 | 122 ++++++++++++++++++++++++++++
templates/resolvconf_tail.j2 | 17 ++++
templates/rsyslog.conf.j2 | 124 +++++++++++++++++++++++++++++
templates/rsyslog_forwards.conf.j2 | 9 +++
templates/sshd_config.j2 | 89 +++++++++++++++++++++
18 files changed, 679 insertions(+)
create mode 100644 defaults/main.yml
create mode 100755 files/scripts/zombies
create mode 100644 handlers/main.yml
create mode 100644 meta/main.yml
create mode 100644 tasks/apt.yml
create mode 100644 tasks/main.yml
create mode 100644 tasks/ntp.yml
create mode 100644 tasks/openssh.yml
create mode 100644 tasks/postfix.yml
create mode 100644 tasks/resolvconf.yml
create mode 100644 tasks/rsyslog.yml
create mode 100644 templates/aliases.j2
create mode 100644 templates/postfix/main.cf.j2
create mode 100644 templates/postfix/master.cf.j2
create mode 100644 templates/resolvconf_tail.j2
create mode 100644 templates/rsyslog.conf.j2
create mode 100644 templates/rsyslog_forwards.conf.j2
create mode 100644 templates/sshd_config.j2
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..0dcdaa8
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,71 @@
+---
+common_apt_keys: []
+common_apt_repositories:
+ - "deb http://cdn.debian.net/debian {{ ansible_distribution_release }} main contrib non-free"
+ - "deb http://cdn.debian.net/debian {{ ansible_distribution_release }}-backports main contrib non-free"
+ - "deb http://security.debian.org/ {{ ansible_distribution_release }}/updates main contrib non-free"
+common_apt_upgrade_policy: ""
+common_resolvconf_hnfqdn: true
+common_resolvconf_nameservers: []
+common_resolvconf_domain: ""
+common_resolvconf_search: []
+common_rsyslog_forwards: []
+common_basic_packages:
+ - apt-transport-https
+ - cron-apt
+ - curl
+ - dstat
+ - etckeeper
+ - git
+ - htop
+ - iputils-ping
+ - mtr-tiny
+ - ncdu
+ - strace
+ - sudo
+ - tmux
+ - tree
+ - vim
+ - zsh
+ # for ansible/debian
+ - lsb-release
+ - python-apt
+ - python-pycurl
+
+common_scripts:
+ - { dest: "/usr/local/bin/zombies", src: "scripts/zombies" }
+common_openssh_keys_root: []
+
+common_aliases:
+ - "mailer-daemon: postmaster"
+ - "postmaster: root"
+ - "nobody: root"
+ - "hostmaster: root"
+ - "usenet: root"
+ - "news: root"
+ - "webmaster: root"
+ - "www: root"
+ - "ftp: root"
+ - "abuse: root"
+ - "noc: root"
+ - "security: root"
+
+common_mailer: "postfix"
+common_mailname: "{{ ansible_fqdn }}"
+
+common_postfix_debug_peer_list: ""
+common_postfix_delay_warning_time: "0h"
+common_postfix_hostname: "{{ ansible_fqdn }}"
+common_postfix_inet_interfaces: loopback-only
+common_postfix_inet_protocols: all
+common_postfix_masquerade_domains: []
+common_postfix_message_size_limit: 10240000
+common_postfix_mydestination: "{{ common_postfix_hostname }}, {{ ansible_hostname }}, localhost.localdomain, localhost"
+common_postfix_mynetworks: "127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128"
+common_postfix_relay_domains: "{{ common_postfix_mydestination }}"
+common_postfix_relayhost: ""
+common_postfix_smtpd_tls_security_level: False
+common_postfix_smtpd_tls_cert_file: "/etc/ssl/certs/ssl-cert-snakeoil.pem"
+common_postfix_smtpd_tls_key_file: "/etc/ssl/private/ssl-cert-snakeoil.key"
+common_postfix_smtpd_tls_session_cache_database: "btree:${data_directory}/smtpd_scache"
+common_postfix_smtp_tls_session_cache_database: "btree:${data_directory}/smtp_scache"
diff --git a/files/scripts/zombies b/files/scripts/zombies
new file mode 100755
index 0000000..ee6aa7e
--- /dev/null
+++ b/files/scripts/zombies
@@ -0,0 +1,6 @@
+#!/bin/sh
+# zombies - list all zombies and their parents to kill
+
+ps f -eo state,pid,ppid,comm | awk '
+ { cmds[$2] = $NF }
+ /^Z/ { print $(NF-1) "/" $2 " zombie child of " cmds[$3] "/" $3 }'
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..b6ee1a9
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,28 @@
+---
+
+- name: restart ntp
+ service: name=ntp state=restarted
+
+- name: restart rsyslog
+ service: name=rsyslog state=restarted
+
+- name: reload openssh
+ service: name=ssh state=reloaded
+
+- name: restart openssh
+ service: name=ssh state=restarted
+
+- name: restart resolvconf
+ service: name=resolvconf state=restarted
+
+- name: reload mailer
+ service: name="{{ common_mailer }}" state=reloaded
+
+- name: restart mailer
+ service: name="{{ common_mailer }}" state=restarted
+
+- name: newaliases
+ command: newaliases
+
+- name: apt-get update
+ apt: update_cache=yes
diff --git a/meta/main.yml b/meta/main.yml
new file mode 100644
index 0000000..017a046
--- /dev/null
+++ b/meta/main.yml
@@ -0,0 +1,15 @@
+---
+galaxy_info:
+ author: Farhad Shahbazi
+ description: Common
+ company: Spherical Elephant GmbH
+ license: MIT
+ min_ansible_version: 1.9
+ platforms:
+ - name: Debian
+ versions:
+ - jessie
+ - wheezy
+ categories:
+ - system
+dependencies: []
diff --git a/tasks/apt.yml b/tasks/apt.yml
new file mode 100644
index 0000000..e974560
--- /dev/null
+++ b/tasks/apt.yml
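Review bot: `common_postfix_smtpd_tls_security_level: False` uses a capitalised YAML boolean as the "TLS off" sentinel while every other flag in this file is lowercase (`common_resolvconf_hnfqdn: true`), and nothing says which non-false values are expected; write it as `common_postfix_smtpd_tls_security_level: false` with a comment above it such as `# false leaves TLS out of main.cf; otherwise a Postfix smtpd_tls_security_level value ("may", "encrypt")`. `common_mailer: "postfix"` has the same gap: the task files test `common_mailer != False`, but this file does not say that `false` disables the mail setup or that `postfix` is the only mailer a task file exists for. `common_openssh_subsystem_sftp`, which templates/sshd_config.j2 reads through `default()`, is not declared here at all, so it is undiscoverable from the role's defaults.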
@@ -0,0 +1,25 @@
+---
+- name: apt - add apt keys
+ apt_key: id="{{ item.id }}" url="{{ item.url }}" file="{{ item.file }}" state="{{ item.state }}"
+ tags: ['common', 'apt']
+ with_items: "{{ common_apt_keys }}"
+
+- name: apt - add repositories
+ apt_repository: repo="{{ item }}" update_cache=yes
+ with_items: "{{ common_apt_repositories }}"
+ tags: ['common', 'apt']
+
+- name: apt - remove /etc/apt/sources.list
+ file: path=/etc/apt/sources.list state=absent
+ notify: apt-get update
+ tags: ['common', 'apt']
+
+- name: install basic tools
+ apt: pkg="{{ item }}" cache_valid_time=3600 update_cache=yes
+ with_items: "{{ common_basic_packages }}"
+ tags: common
+
+#- name: apt - upgrade system
+# apt: upgrade="{{ common_apt_upgrade_policy }}"
+# when: common_apt_upgrade_policy
+# tags: ['common', 'apt']
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..76b5dd0
--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,35 @@
+---
+
+- include: resolvconf.yml
+- include: apt.yml
+
+- name: set vim as default editor
+ alternatives: name=editor path=/usr/bin/vim.basic
+ when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
+ tags: common
+
+- name: copy some custom script
+ copy: dest="{{ item.dest }}" src="{{ item.src }}" owner=root group=root mode=0755
+ with_items: "{{ common_scripts }}"
+ tags: common
+
+- name: /etc/mailname
+ copy: dest=/etc/mailname content="{{ common_mailname }}\n" owner=root group=root mode=0644
+ notify: restart mailer
+ when: common_mailer != False
+ tags: common
+
+- name: /etc/aliases
+ template: dest=/etc/aliases src=aliases.j2 owner=root group=root mode=0644
+ notify:
+ - newaliases
+ - restart mailer
+ when: common_mailer != False
+ tags: common
+
+- include: ntp.yml
+- include: openssh.yml
+- include: rsyslog.yml
+
+- include: "{{ common_mailer }}.yml"
+ when: common_mailer != False
diff --git a/tasks/ntp.yml b/tasks/ntp.yml
new file mode 100644
index 0000000..a14cb18
--- /dev/null
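Review bot: The `apt - add apt keys` task dereferences `item.id`, `item.url`, `item.file` and `item.state` unconditionally, so a `common_apt_keys` entry that gives only a `url` fails with an undefined-variable error instead of adding the key; use `id="{{ item.id | default(omit) }}"`, the same `| default(omit)` for `file`, and `state="{{ item.state | default('present') }}"`. A second point: `apt - remove /etc/apt/sources.list` notifies `apt-get update`, but handlers only run at the end of the play, and the following `install basic tools` task passes `cache_valid_time=3600`, so the install can run against a package list that still contains the entries just removed. Dropping `cache_valid_time` on that task, or inserting `- meta: flush_handlers` after the removal, closes that window.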
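Review bot: `- include: "{{ common_mailer }}.yml"` builds the include path from a variable, but the only task file shipped is `postfix.yml`, so any value other than `postfix` or `false` fails at include time with a missing-file error after the `/etc/mailname` and `/etc/aliases` tasks have already run and notified `restart mailer` for a service that may not exist. Either restrict it, `when: common_mailer == 'postfix'`, or fail early with `- assert: { that: "common_mailer in ['postfix', false]" }` at the top of the file, and say in defaults/main.yml which values are supported. The three `when: common_mailer != False` clauses compare a string against a YAML boolean; plain truthiness, `when: common_mailer`, is equivalent for the values in use and matches `when: common_openssh_keys_root` in openssh.yml.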
+++ b/tasks/ntp.yml
@@ -0,0 +1,11 @@
+---
+
+- name: ntp - install
+ apt: name=ntp
+ when: ansible_virtualization_type != 'lxc' or ansible_virtualization_role == 'host'
+ tags: ['common', 'ntp']
+
+- name: ntp - run and enable
+ service: name=ntp state=started enabled=yes
+ when: ansible_virtualization_type != 'lxc' or ansible_virtualization_role == 'host'
+ tags: ['common', 'ntp']
diff --git a/tasks/openssh.yml b/tasks/openssh.yml
new file mode 100644
index 0000000..3890efb
--- /dev/null
+++ b/tasks/openssh.yml
@@ -0,0 +1,20 @@
+---
+
+- name: openssh - install
+ apt: name=openssh-server
+ tags: ['common', 'openssh']
+
+- name: openssh - start and enable
+ service: name=ssh state=running enabled=yes
+ tags: ['common', 'openssh']
+
+- name: openssh - config
+ template: dest=/etc/ssh/sshd_config src=sshd_config.j2 owner=root group=root mode=0600
+ notify: reload openssh
+ tags: ['common', 'openssh']
+
+- name: openssh - root keys
+ authorized_key: user="root" key="{{ item }}"
+ with_items: "{{ common_openssh_keys_root }}"
+ when: common_openssh_keys_root
+ tags: ['common', 'openssh', 'ssh-keys']
diff --git a/tasks/postfix.yml b/tasks/postfix.yml
new file mode 100644
index 0000000..1d21488
--- /dev/null
+++ b/tasks/postfix.yml
@@ -0,0 +1,13 @@
+---
+
+- name: install postfix
+ apt: name="postfix" state=present
+ tags: ['common', 'postfix']
+
+- name: postfix config
+ template: dest="/etc/postfix/{{ item }}" src="postfix/{{ item }}.j2" owner=root group=root mode=0644
+ with_items:
+ - main.cf
+ - master.cf
+ notify: restart mailer
+ tags: ['common', 'postfix']
diff --git a/tasks/resolvconf.yml b/tasks/resolvconf.yml
new file mode 100644
index 0000000..dbc8309
--- /dev/null
+++ b/tasks/resolvconf.yml
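Review bot: The `openssh - config` task writes `/etc/ssh/sshd_config` and notifies `reload openssh` without validating the rendered file, so a template mistake, or an option the installed sshd rejects, produces a config that the next restart refuses to load and takes remote access down with it; add `validate='/usr/sbin/sshd -t -f %s'` to the template line so the bad file is never installed. The `openssh - root keys` task only adds keys: without `exclusive` or an `state=absent` path, a key removed from `common_openssh_keys_root` stays authorised for root on every host until someone removes it by hand, which should at least be stated in that variable's comment if it is intended. `service: name=ssh state=running` uses the legacy alias; the other task files write `state=started`.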
@@ -0,0 +1,16 @@
+---
+
+- name: resolvconf - install
+ apt: name=resolvconf state=present
+ tags: ['common', 'resolvconf']
+
+- name: resolvconf - tail file
+ template: dest=/etc/resolvconf/resolv.conf.d/tail src=resolvconf_tail.j2 owner=root group=root mode=0644
+ when: common_resolvconf_nameservers
+ notify: restart resolvconf
+ tags: ['common', 'resolvconf']
+
+- name: resolvconf - start and enable
+ service: name=resolvconf state=started enabled=yes
+ tags: ['common', 'resolvconf']
+
diff --git a/tasks/rsyslog.yml b/tasks/rsyslog.yml
new file mode 100644
index 0000000..74aeaef
--- /dev/null
+++ b/tasks/rsyslog.yml
@@ -0,0 +1,25 @@
+---
+
+- name: rsyslog - install
+ apt: name=rsyslog
+ tags: ['common', 'rsyslog']
+
+- name: rsyslog - rsyslog.conf
+ template: dest=/etc/rsyslog.conf src=rsyslog.conf.j2 owner=root group=root mode=0644
+ notify: restart rsyslog
+ tags: ['common', 'rsyslog']
+
+- name: rsyslog - rsyslog.d
+ file: path=/etc/rsyslog.d state=directory owner=root group=root mode=0755
+ notify: restart rsyslog
+ tags: ['common', 'rsyslog']
+
+- name: rsyslog - syslog forwarding client.conf
+ template: dest=/etc/rsyslog.d/forwards.conf src=rsyslog_forwards.conf.j2 owner=root group=root mode=0644
+ when: common_rsyslog_forwards
+ notify: restart rsyslog
+ tags: ['common', 'rsyslog']
+
+- name: rsyslog - start and enable
+ service: name=rsyslog state=started enabled=yes
+ tags: ['common', 'rsyslog']
diff --git a/templates/aliases.j2 b/templates/aliases.j2
new file mode 100644
index 0000000..70ac29d
--- /dev/null
+++ b/templates/aliases.j2
@@ -0,0 +1,7 @@
+# {{ ansible_managed }}
+
+# /etc/aliases
+
+{% for alias in common_aliases %}
+{{ alias }}
+{% endfor %}
diff --git a/templates/postfix/main.cf.j2 b/templates/postfix/main.cf.j2
new file mode 100644
index 0000000..1c0323f
--- /dev/null
+++ b/templates/postfix/main.cf.j2
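Review bot: `resolvconf - tail file` is gated on `when: common_resolvconf_nameservers`, but the template it renders also takes a nameserver from `ansible_local.hardwarenode.hnfqdn` and writes `domain`/`search` from `common_resolvconf_domain` and `common_resolvconf_search`; with the default empty nameserver list none of that is ever written, so the hardware-node branch is only reachable when the operator also fills in a nameserver list that the template then ignores. Either render the tail file unconditionally (an empty tail is harmless) or gate on the union of its inputs, `when: common_resolvconf_nameservers or common_resolvconf_domain or common_resolvconf_search or common_resolvconf_hnfqdn`. Note too that once the condition turns false a previously written tail file stays in place and keeps its old nameservers.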
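Review bot: `rsyslog - syslog forwarding client.conf` writes `/etc/rsyslog.d/forwards.conf` only `when: common_rsyslog_forwards`, and nothing removes it, so clearing the list on a host that once forwarded leaves the old destinations in place and rsyslog keeps shipping every facility, `auth` included, to them. Pair it with a removal task: `- name: rsyslog - remove forwards.conf` / `file: path=/etc/rsyslog.d/forwards.conf state=absent` / `when: not common_rsyslog_forwards`, notifying `restart rsyslog` as well. The `rsyslog - rsyslog.d` task notifies `restart rsyslog` although creating the directory changes nothing rsyslog reads; dropping that notify avoids a spurious restart on first run.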
@@ -0,0 +1,46 @@
+# {{ ansible_managed }}
+# See /usr/share/postfix/main.cf.dist for a commented, more complete version
+
+myorigin = /etc/mailname
+
+debug_peer_list = {{ common_postfix_debug_peer_list }}
+
+{% if common_postfix_masquerade_domains %}
+masquerade_domains =
+{% for domain in common_postfix_masquerade_domains %}
+ {{ domain }}
+{% endfor %}
+{% endif %}
+
+smtpd_banner = $myhostname ESMTP $mail_name
+biff = no
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# generate "delayed mail" warnings
+delay_warning_time = {{ common_postfix_delay_warning_time }}
+
+readme_directory = no
+
+{% if common_postfix_smtpd_tls_security_level %}
+# TLS parameters
+smtpd_tls_security_level={{ common_postfix_smtpd_tls_security_level }}
+smtpd_tls_cert_file={{ common_postfix_smtpd_tls_cert_file }}
+smtpd_tls_key_file={{ common_postfix_smtpd_tls_key_file }}
+smtpd_tls_session_cache_database = {{ common_postfix_smtpd_tls_session_cache_database }}
+smtp_tls_session_cache_database = {{ common_postfix_smtp_tls_session_cache_database }}
+{% endif %}
+
+myhostname = {{ common_postfix_hostname }}
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+mydestination = {{ common_postfix_mydestination }}
+relayhost = {{ common_postfix_relayhost }}
+mynetworks = {{ common_postfix_mynetworks }}
+relay_domains = {{ common_postfix_relay_domains }}
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_interfaces = {{ common_postfix_inet_interfaces }}
+inet_protocols = {{ common_postfix_inet_protocols }}
+message_size_limit = {{ common_postfix_message_size_limit }}
diff --git a/templates/postfix/master.cf.j2 b/templates/postfix/master.cf.j2
new file mode 100644
index 0000000..5f46329
--- /dev/null
+++ b/templates/postfix/master.cf.j2
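Review bot: The TLS block only covers the server side: `smtpd_tls_security_level` and both session caches are emitted when `common_postfix_smtpd_tls_security_level` is set, but `smtp_tls_security_level` is never written, so outbound delivery — including everything handed to `relayhost` when one is configured — leaves in clear text even on a host that presents TLS to its own clients. Add `smtp_tls_security_level = may` next to the smtpd parameters, ideally behind its own variable with that default. `smtp_tls_session_cache_database` also sits inside the smtpd-guarded `{% if %}`, which ties the client cache to the server setting; it belongs with the client-side parameter. A header comment saying that the TLS material defaults to the Debian snakeoil certificate (`ssl-cert-snakeoil.pem` in defaults/main.yml) and is meant to be replaced would save the next operator a surprise.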
@@ -0,0 +1,122 @@
+# {{ansible_managed}}
+#
+# Postfix master process configuration file. For details on the format
+# of the file, see the master(5) manual page (command: "man 5 master").
+#
+# Do not forget to execute "postfix reload" after editing this file.
+#
+# ==========================================================================
+# service type private unpriv chroot wakeup maxproc command + args
+# (yes) (yes) (yes) (never) (100)
+# ==========================================================================
+smtp inet n - - - - smtpd
+#smtp inet n - - - 1 postscreen
+#smtpd pass - - - - - smtpd
+#dnsblog unix - - - - 0 dnsblog
+#tlsproxy unix - - - - 0 tlsproxy
+#submission inet n - - - - smtpd
+# -o syslog_name=postfix/submission
+# -o smtpd_tls_security_level=encrypt
+# -o smtpd_sasl_auth_enable=yes
+# -o smtpd_reject_unlisted_recipient=no
+# -o smtpd_client_restrictions=$mua_client_restrictions
+# -o smtpd_helo_restrictions=$mua_helo_restrictions
+# -o smtpd_sender_restrictions=$mua_sender_restrictions
+# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
+# -o milter_macro_daemon_name=ORIGINATING
+#smtps inet n - - - - smtpd
+# -o syslog_name=postfix/smtps
+# -o smtpd_tls_wrappermode=yes
+# -o smtpd_sasl_auth_enable=yes
+# -o smtpd_reject_unlisted_recipient=no
+# -o smtpd_client_restrictions=$mua_client_restrictions
+# -o smtpd_helo_restrictions=$mua_helo_restrictions
+# -o smtpd_sender_restrictions=$mua_sender_restrictions
+# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
+# -o milter_macro_daemon_name=ORIGINATING
+#628 inet n - - - - qmqpd
+pickup unix n - - 60 1 pickup
+cleanup unix n - - - 0 cleanup
+qmgr unix n - n 300 1 qmgr
+#qmgr unix n - n 300 1 oqmgr
+tlsmgr unix - - - 1000? 1 tlsmgr
+rewrite unix - - - - - trivial-rewrite
+bounce unix - - - - 0 bounce
+defer unix - - - - 0 bounce
+trace unix - - - - 0 bounce
+verify unix - - - - 1 verify
+flush unix n - - 1000? 0 flush
+proxymap unix - - n - - proxymap
+proxywrite unix - - n - 1 proxymap
+smtp unix - - - - - smtp
+relay unix - - - - - smtp
+# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
+showq unix n - - - - showq
+error unix - - - - - error
+retry unix - - - - - error
+discard unix - - - - - discard
+local unix - n n - - local
+virtual unix - n n - - virtual
+lmtp unix - - - - - lmtp
+anvil unix - - - - 1 anvil
+scache unix - - - - 1 scache
+#
+# ====================================================================
+# Interfaces to non-Postfix software. Be sure to examine the manual
+# pages of the non-Postfix software to find out what options it wants.
+#
+# Many of the following services use the Postfix pipe(8) delivery
+# agent. See the pipe(8) man page for information about ${recipient}
+# and other message envelope options.
+# ====================================================================
+#
+# maildrop. See the Postfix MAILDROP_README file for details.
+# Also specify in main.cf: maildrop_destination_recipient_limit=1
+#
+maildrop unix - n n - - pipe
+ flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
+#
+# ====================================================================
+#
+# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
+#
+# Specify in cyrus.conf:
+# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
+#
+# Specify in main.cf one or more of the following:
+# mailbox_transport = lmtp:inet:localhost
+# virtual_transport = lmtp:inet:localhost
+#
+# ====================================================================
+#
+# Cyrus 2.1.5 (Amos Gouaux)
+# Also specify in main.cf: cyrus_destination_recipient_limit=1
+#
+#cyrus unix - n n - - pipe
+# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
+#
+# ====================================================================
+# Old example of delivery via Cyrus.
+#
+#old-cyrus unix - n n - - pipe
+# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
+#
+# ====================================================================
+#
+# See the Postfix UUCP_README file for configuration details.
+#
+uucp unix - n n - - pipe
+ flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
+#
+# Other external delivery methods.
+#
+ifmail unix - n n - - pipe
+ flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
+bsmtp unix - n n - - pipe
+ flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
+scalemail-backend unix - n n - 2 pipe
+ flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
+mailman unix - n n - - pipe
+ flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
+ ${nexthop} ${user}
+
diff --git a/templates/resolvconf_tail.j2 b/templates/resolvconf_tail.j2
new file mode 100644
index 0000000..e2ec761
--- /dev/null
+++ b/templates/resolvconf_tail.j2
@@ -0,0 +1,17 @@
+# {{ ansible_managed }}
+
+{% if common_resolvconf_domain %}
+domain {{ common_resolvconf_domain }}
+{% endif %}
+
+{% if ansible_local is defined and ansible_local.hardwarenode.hnfqdn and common_resolvconf_hnfqdn %}
+nameserver {{ lookup('dig', ansible_local.hardwarenode.hnfqdn ) }}
+{% else %}
+{% for n in common_resolvconf_nameservers %}
+nameserver {{ n }}
+{% endfor %}
+{% endif %}
+
+{% if common_resolvconf_search %}
+search {% for s in common_resolvconf_search %}{{ s }} {% endfor %}
+{% endif %}
diff --git a/templates/rsyslog.conf.j2 b/templates/rsyslog.conf.j2
new file mode 100644
index 0000000..5ae03c9
--- /dev/null
+++ b/templates/rsyslog.conf.j2
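Review bot: `{% if ansible_local is defined and ansible_local.hardwarenode.hnfqdn and common_resolvconf_hnfqdn %}` only checks that `ansible_local` exists; on any host that has local facts but no `hardwarenode` fact, `ansible_local.hardwarenode` is undefined and the template fails to render, aborting the play. Test the leaf too: `{% if ansible_local is defined and ansible_local.hardwarenode is defined and ansible_local.hardwarenode.hnfqdn is defined and ansible_local.hardwarenode.hnfqdn and common_resolvconf_hnfqdn %}`. The `lookup('dig', ...)` runs on the control machine, needs its dnspython dependency there, and freezes the resolved address into the file at run time; a comment above that line saying so would stop the next reader from assuming the host resolves it. The `search` line is emitted with a trailing space from the loop, which `search {{ common_resolvconf_search | join(' ') }}` avoids.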
@@ -0,0 +1,124 @@
+# {{ ansible_managed }}
+# /etc/rsyslog.conf Configuration file for rsyslog.
+#
+# For more information see
+# /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
+
+
+#################
+#### MODULES ####
+#################
+
+$ModLoad imuxsock # provides support for local system logging
+{% if ansible_virtualization_type != 'lxc' %}
+$ModLoad imklog # provides kernel logging support
+{% endif %}
+#$ModLoad immark # provides --MARK-- message capability
+
+# provides UDP syslog reception
+#$ModLoad imudp
+#$UDPServerRun 514
+
+# provides TCP syslog reception
+#$ModLoad imtcp
+#$InputTCPServerRun 514
+
+
+###########################
+#### GLOBAL DIRECTIVES ####
+###########################
+
+#
+# Use traditional timestamp format.
+# To enable high precision timestamps, comment out the following line.
+#
+$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
+
+#
+# Set the default permissions for all log files.
+#
+$FileOwner root
+$FileGroup adm
+$FileCreateMode 0640
+$DirCreateMode 0755
+$Umask 0022
+
+#
+# Where to place spool and state files
+#
+$WorkDirectory /var/spool/rsyslog
+
+#
+# Include all config files in /etc/rsyslog.d/
+#
+$IncludeConfig /etc/rsyslog.d/*.conf
+
+
+###############
+#### RULES ####
+###############
+
+#
+# First some standard log files. Log by facility.
+#
+auth,authpriv.* /var/log/auth.log
+*.*;auth,authpriv.none -/var/log/syslog
+#cron.* /var/log/cron.log
+daemon.* -/var/log/daemon.log
+kern.* -/var/log/kern.log
+lpr.* -/var/log/lpr.log
+mail.* -/var/log/mail.log
+user.* -/var/log/user.log
+
+#
+# Logging for the mail system. Split it up so that
+# it is easy to write scripts to parse these files.
+#
+mail.info -/var/log/mail.info
+mail.warn -/var/log/mail.warn
+mail.err /var/log/mail.err
+
+#
+# Logging for INN news system.
+#
+news.crit /var/log/news/news.crit
+news.err /var/log/news/news.err
+news.notice -/var/log/news/news.notice
+
+#
+# Some "catch-all" log files.
+#
+*.=debug;\
+ auth,authpriv.none;\
+ news.none;mail.none -/var/log/debug
+*.=info;*.=notice;*.=warn;\
+ auth,authpriv.none;\
+ cron,daemon.none;\
+ mail,news.none -/var/log/messages
+
+#
+# Emergencies are sent to everybody logged in.
+#
+*.emerg :omusrmsg:*
+
+#
+# I like to have messages displayed on the console, but only on a virtual
+# console I usually leave idle.
+#
+#daemon,mail.*;\
+# news.=crit;news.=err;news.=notice;\
+# *.=debug;*.=info;\
+# *.=notice;*.=warn /dev/tty8
+
+# The named pipe /dev/xconsole is for the `xconsole' utility. To use it,
+# you must invoke `xconsole' with the `-file' option:
+#
+# $ xconsole -file /dev/xconsole [...]
+#
+# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
+# busy site..
+#
+daemon.*;mail.*;\
+ news.err;\
+ *.=debug;*.=info;\
+ *.=notice;*.=warn |/dev/xconsole
diff --git a/templates/rsyslog_forwards.conf.j2 b/templates/rsyslog_forwards.conf.j2
new file mode 100644
index 0000000..55e72eb
--- /dev/null
+++ b/templates/rsyslog_forwards.conf.j2
@@ -0,0 +1,9 @@
+# {{ ansible_managed }}
+
+{% for dest in common_rsyslog_forwards %}
+$ActionQueueType LinkedList
+$ActionQueueFileName {{ dest.name }}
+$ActionResumeRetryCount -1
+$ActionQueueSaveOnShutdown on
+*.* {{ dest.dest }};RSYSLOG_ForwardFormat
+{% endfor %}
diff --git a/templates/sshd_config.j2 b/templates/sshd_config.j2
new file mode 100644
index 0000000..5148b1c
--- /dev/null
+++ b/templates/sshd_config.j2
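Review bot: Each entry expands to `*.* {{ dest.dest }};RSYSLOG_ForwardFormat`, so the transport is whatever prefix the operator puts into `dest.dest` (`@host` for UDP, `@@host` for TCP) and nothing here or in defaults/main.yml configures a TLS stream driver, which means every facility, `auth`/`authpriv` included, leaves the host in clear text — acceptable on an isolated management network, but neither that nor the entry shape is documented anywhere. Add a comment on `common_rsyslog_forwards` in defaults/main.yml, e.g. `# list of {name: <queue file name, unique per entry>, dest: "@host:514" (UDP) or "@@host:514" (TCP)}; forwarding is unencrypted unless rsyslog TLS is set up separately`. `$ActionQueueFileName {{ dest.name }}` must differ between entries or two destinations share one on-disk queue, which that comment should also say. `$ActionResumeRetryCount -1` retries indefinitely, the usual choice for a forwarder, but with the in-memory LinkedList queue it relies on rsyslog's default queue size limits while a destination is down; a one-line comment above the loop stating that would help whoever tunes it later.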
@@ -0,0 +1,89 @@
+# {{ ansible_managed }}
+# See the sshd_config(5) manpage for details
+
+# What ports, IPs and protocols we listen for
+Port 22
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#ListenAddress ::
+#ListenAddress 0.0.0.0
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 1024
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 120
+PermitRootLogin without-password
+StrictModes yes
+
+RSAAuthentication yes
+PubkeyAuthentication yes
+#AuthorizedKeysFile %h/.ssh/authorized_keys
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Change to no to disable tunnelled clear text passwords
+PasswordAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosGetAFSToken no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+X11Forwarding yes
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+#UseLogin no
+
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+Subsystem sftp {{ common_openssh_subsystem_sftp | default("/usr/lib/openssh/sftp-server") }}
+
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
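Review bot: `X11Forwarding yes` is left on in a server template whose other settings are deliberately tight (`PermitRootLogin without-password`, `PasswordAuthentication no`); X11 forwarding adds xauth and display-proxy handling to every session on an unattended host that has no X server, so the default should be `X11Forwarding no`, behind a variable if some hosts need it. `HostKey /etc/ssh/ssh_host_dsa_key` advertises a DSA host key next to RSA, ECDSA and Ed25519; DSA is deprecated in OpenSSH and that line can go. `KeyRegenerationInterval`, `ServerKeyBits`, `RSAAuthentication` and `RhostsRSAAuthentication` are protocol-1 options that do nothing under `Protocol 2` and are reported as deprecated by newer sshd releases, so dropping them keeps the rendered file clean. `Subsystem sftp` reads `common_openssh_subsystem_sftp` through `default()`, but that variable is not declared in defaults/main.yml; declare it there with the same default so the role's inputs are visible in one place.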