Initial commit

roles/common/templates/etc/apt/sources.list.Debian.j2

@@ -0,0 +1,28 @@
+# {{ ansible_managed }}
+
+deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }} main
+{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }} main
+
+deb http://security.debian.org/ {{ ansible_lsb.codename }}/updates main
+{{ '# ' if not apt_src_enable else '' }}deb-src http://security.debian.org/ {{ ansible_lsb.codename }}/updates main
+
+# {{ ansible_lsb.codename }}-updates, previously known as 'volatile'
+deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }}-updates main
+{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }}-updates main
+
+# Contrib packages contain DFSG-compliant software,
+# but have dependencies not in main (possibly packaged for Debian in non-free).
+# Non-free contains software that does not comply with the DFSG.
+{% if apt_debian_contrib_nonfree_enable %}
+deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }} contrib non-free
+{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }} contrib non-free
+{% endif %}
+
+# # N.B. software from this repository may not have been tested as
+# # extensively as that contained in the main release, although it includes
+# # newer versions of some applications which may provide useful features.
+{% if apt_backports_enable %}
+deb {{ apt_debian_mirror }} {{ ansible_distribution_release }}-backports main contrib non-free
+{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_distribution_release }}-backports main contrib non-free
+{% endif %}
+

roles/common/templates/etc/bind/named.conf.options.j2

@@ -0,0 +1,106 @@
+# {{ ansible_managed }}
+
+{% if acl_caching_nameserver is defined and acl_caching_nameserver|length > 0 %}
+{% for acl in acl_caching_nameserver %}
+
+acl {{ acl.name }} {
+{%    for entry in acl.entries %}
+   {{ entry }}
+{%    endfor %}
+};
+{% endfor %}
+{% endif %}
+
+options {
+   directory "/var/cache/bind";
+
+   // If there is a firewall between you and nameservers you want
+   // to talk to, you may need to fix the firewall to allow multiple
+   // ports to talk.  See http://www.kb.cert.org/vuls/id/800113
+
+   // If your ISP provided one or more IP addresses for stable
+   // nameservers, you probably want to use them as forwarders.
+   // Uncomment the following block, and insert the addresses replacing
+   // the all-0's placeholder.
+
+   // forwarders {
+   //    0.0.0.0;
+   // };
+
+   //========================================================================
+   // If BIND logs error messages about the root key being expired,
+   // you will need to update your keys.  See https://www.isc.org/bind-keys
+   //========================================================================
+   dnssec-validation auto;
+
+   // caching name services
+   recursion yes;
+
+{% if acl_caching_nameserver is defined and acl_caching_nameserver|length > 0 %}
+   listen-on port 53 {
+      any ;
+   };
+
+   listen-on-v6 port 53 {
+      any;
+   };
+
+   allow-recursion {
+      127.0.0.1;
+      ::1 ;
+{% for acl in acl_caching_nameserver %}
+      {{ acl.name }};
+{% endfor %}
+   };
+
+{% else %}
+   listen-on port 53 {
+      127.0.0.1;
+   };
+
+   listen-on-v6 port 53 {
+      ::1;
+   };
+
+   allow-recursion {
+      127.0.0.1;
+      ::1;
+   };
+{% endif %}
+};
+
+logging {
+   channel simple_log {
+      file "/var/log/named/bind.log" versions 3 size 5m;
+      severity warning;
+      print-time yes;
+      print-severity yes;
+      print-category yes;
+   };
+   channel queries_log {
+      file "/var/log/named/query.log" versions 5 size 2m;
+      severity info;
+      print-time yes;
+      print-severity yes;
+      print-category no;
+   };
+   channel dnssec_log {
+      file "/var/log/named/dnssec.log" versions 5 size 2m;
+      severity debug 3;
+      print-time yes;
+      print-severity yes;
+      print-category yes;
+   };
+   category resolver {
+      queries_log;
+   };
+   category queries {
+      queries_log;
+   };
+   category dnssec {
+      dnssec_log;
+   };
+   category default{
+      simple_log;
+   };
+};

roles/common/templates/etc/ssh/sshd_config.j2

@@ -0,0 +1,286 @@
+# {{ ansible_managed }}
+
+#-----------------------------
+# Daemon
+#-----------------------------
+
+# What ports, IPs and protocols we listen for
+{% for item in sshd_ports %}
+Port {{ item }}
+{% endfor %}
+
+# Specifies the local addresses sshd(8) should listen on.  The following forms may be used:
+# 
+#    ListenAddress host|IPv4_addr|IPv6_addr
+#    ListenAddress host|IPv4_addr:port
+#    ListenAddress [host|IPv6_addr]:port
+# 
+# If port is not specified, sshd will listen on the address and all Port options specified.  The default
+# is to listen on all local addresses.  Multiple ListenAddress options are permitted.
+#
+#    ListenAddress ::
+#    ListenAddress 0.0.0.0
+#    ListenAddress 159.69.72.24
+#    ListenAddress 2a01:4f8:231:171f::2
+#
+{% if (sshd_listen_address is defined) and sshd_listen_address %}
+{% for item in sshd_listen_address %}
+ListenAddress {{ item }}
+{% endfor %}
+{% endif %}
+
+# Specifies the protocol versions sshd(8) supports.
+# The possible values are ‘1’ , `2' and ‘1,2’.
+# The default is ‘2’.
+Protocol 2
+
+# HostKeys for protocol version 2
+{% for item in sshd_host_keys %}
+HostKey {{ item }}
+{% endfor %}
+
+# Lifetime and size of ephemeral version 1 server key
+#
+# Note:
+#    Deprecated option KeyRegenerationInterval
+#    Deprecated option ServerKeyBits
+#
+#KeyRegenerationInterval 3600
+#ServerKeyBits 768
+
+# Specifies the maximum number of concurrent unauthenticated connections
+# to the SSH daemon. See sshd_config(5) for specifiing the three colon 
+# separated values.
+# The default is 10.
+#MaxStartups 10:30:100
+#MaxStartups 3
+MaxStartups 10:30:100
+
+# Specifies the maximum number of authentication attempts permitted per
+# connection.
+# The default is 6.
+MaxAuthTries 3
+
+# Specifies the maximum number of open sessions permitted per network
+# connection.
+# The default is 10.
+MaxSessions 10
+
+
+#-----------------------------
+# Authentication
+#-----------------------------
+
+# Specifies whether sshd(8) separates privileges by creating an unprivileged
+# child process to deal with incoming network traffic.
+# The default is "yes" (for security).
+UsePrivilegeSeparation yes
+
+# The server disconnects after this time if the user has not
+# successfully logged in.
+# The default is 120 seconds.
+LoginGraceTime 120
+
+# Specifies whether root can log in using ssh(1).
+# The default is "yes".
+# Possible values: yes, no, prohibit-password (or teh older one: without-password)
+#PermitRootLogin yes
+PermitRootLogin {{ sshd_permit_root_login }}
+
+# Specifies whether sshd(8) should check file modes and ownership of the 
+# user's files and home directory before accepting login.  This is normally 
+# desirable because novices sometimes accidentally leave their directory or 
+# files world-writable. Note that this does not apply to ChrootDirectory, 
+# whose permissions and ownership are checked unconditionally.  
+# The default is “yes”.
+StrictModes yes
+
+# Specifies whether pure RSA authentication is allowed. This option 
+# applies to protocol version 1 only.
+# The default is “yes”.
+#
+# Note:
+#    Deprecated option RSAAuthentication
+#
+#RSAAuthentication yes
+
+# Specifies whether public key authentication is allowed. Note that this 
+# option applies to protocol version 2 only.
+# The default is “yes”.
+PubkeyAuthentication {{ sshd_pubkey_authentication }}
+
+# Specifies the file that contains the public keys that can be used for 
+# user authentication.  The format is described in the AUTHORIZED_KEYS FILE 
+# FORMAT section of sshd(8).
+# AuthorizedKeysFile may contain tokens of the form %T which are substituted
+# during connection setup. The following tokens are defined: %% is replaced 
+# by a literal '%', %h is replaced by the home directory of the user being 
+# authenticated, and %u is replaced by the username of that user. After 
+# expansion, AuthorizedKeysFile is taken to be an absolute path or one relative 
+# to the user's home directory. Multiple files may be listed, separated by 
+# whitespace.
+# The default is “.ssh/authorized_keys .ssh/authorized_keys2”.
+#AuthorizedKeysFile	%h/.ssh/authorized_keys
+AuthorizedKeysFile {{ sshd_authorized_keys_file }}
+
+# Specifies whether password authentication is allowed.
+# Change to no to disable tunnelled clear text passwords
+# The default is "yes".
+#PasswordAuthentication yes
+PasswordAuthentication {{ sshd_password_authentication }}
+
+# When password authentication is allowed, it specifies whether the 
+# server allows login to accounts with empty password strings.
+# The default is “no”.
+PermitEmptyPasswords no
+
+# Specifies whether challenge-response authentication is allowed (e.g. via PAM).
+# The default is “yes”.
+ChallengeResponseAuthentication no
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+#
+# Note:
+#    Deprecated option RhostsRSAAuthentication
+#
+#RhostsRSAAuthentication no
+
+# similar for protocol version 2
+HostbasedAuthentication no
+
+# Specifies whether sshd(8) should ignore the user's ~/.ssh/known_hosts 
+# during RhostsRSAAuthentication or HostbasedAuthentication. 
+# The default is “no”.
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# If specified, login is allowed only for user names that match one of
+# the patterns.
+# The allow/deny directives are processed in the following order: DenyUsers, 
+# AllowUsers, DenyGroups, and finally AllowGroups.
+# By default, login is allowed for all users.
+#AllowUsers chris cityslang sysadm
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+# Specifies whether login(1) is used for interactive login sessions.
+# Note that login(1) is never used for remote command execution. 
+# Note also, that if this is enabled, X11Forwarding will be disabled 
+# because login(1) does not know how to handle xauth(1) cookies. If
+# UsePrivilegeSeparation is specified, it will be disabled after 
+# authentication.
+# The default is “no”.
+#UseLogin no
+
+
+#-----------------------------
+# Logging
+#-----------------------------
+
+# Gives the facility code that is used when logging messages from sshd(8).  
+# The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, 
+# LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.  
+# The default is AUTH.
+SyslogFacility AUTH
+
+# Gives the verbosity level that is used when logging messages from
+# sshd(8).
+# The default is INFO.
+LogLevel INFO
+
+
+#-----------------------------
+# Behavior
+#-----------------------------
+
+# Specifies whether the distribution-specified extra version suffix is included
+# during initial protocol handshake.
+# The default is "yes".
+DebianBanner no
+
+# The contents of the specified file are sent to the remote user before
+# authentication is allowed.
+# By default, no banner is displayed.
+#Banner /etc/issue.net
+
+# Specifies whether sshd(8) should print /etc/motd when a user logs in 
+# interactively. (On some systems it is also printed by the shell, 
+# /etc/profile, or equivalent.)  
+# The default is “yes”.
+PrintMotd {{ sshd_print_motd }}
+
+# Specifies what environment variables sent by the client will be copied
+# into the session's environ(7).
+# The default is not to accept any environment variables.
+AcceptEnv LANG LC_*
+
+# Configures an external subsystem (e.g. file transfer daemon).
+# By default no subsystems are defined.
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Specifies whether sshd(8) should look up the remote host name and check 
+# that the resolved host name for the remote IP address maps back to the 
+# very same IP address.
+# The default is “yes”.
+UseDNS {{ sshd_use_dns }}
+
+# Specifies whether X11 forwarding is permitted. The argument must be 
+# “yes” or “no”. See sshd_config(5) for further expalnation
+# The default is “no”.
+#X11Forwarding yes
+
+# Specifies the first display number available for sshd(8)'s X11 
+# forwarding. This prevents sshd from interfering with real X11 servers.
+# The default is 10.
+X11DisplayOffset 10
+
+# Specifies whether the system should send TCP keepalive messages to the 
+# other side. If they are sent, death of the connection or crash of one 
+# of the machines will be properly noticed.  However, this means
+# that connections will die if the route is down temporarily, and some 
+# people find it annoying. On the other hand, if TCP keepalives are not 
+# sent, sessions may hang indefinitely on the server, leaving “ghost” users 
+# and consuming server resources.
+#
+# The default is “yes” (to send TCP keepalive messages), and the server 
+# will notice if the network goes down or the client host crashes. This 
+# avoids infinitely hanging sessions.
+TCPKeepAlive yes
+
+#Specifies whether sshd(8) should print the date and time of the last 
+# user login when a user logs in interactively.
+# The default is “yes”.
+PrintLastLog yes
+
+
+#-----------------------------
+# Kerberos options
+#-----------------------------
+#KerberosAuthentication no
+#KerberosGetAFSToken no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+
+
+#-----------------------------
+# GSSAPI options
+#-----------------------------
+
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+
+
+
+

roles/common/templates/etc/sudoers.d/50-user.j2

@@ -0,0 +1,84 @@
+# {{ ansible_managed }}
+
+{% for item in sudoers_file_defaults | default([]) %}
+Defaults {{ item }}
+{% endfor %}
+
+# Host alias specification
+{% for item in sudoers_file_host_aliases | default([]) %}
+Host_Alias {{ item.name }} = {{ item.entry }}
+{% endfor %}
+
+# User alias specification
+{% for item in sudoers_file_user_aliases | default([]) %}
+User_Alias {{ item.name }} = {{ item.entry }}
+{% endfor %}
+
+# Cmnd alias specification
+{% for item in sudoers_file_cmnd_aliases | default([]) %}
+Cmnd_Alias {{ item.name }} = {{ item.entry }}
+{% endfor %}
+
+# Runas alias specification
+{% for item in sudoers_file_runas_aliases | default([]) %}
+Runas_Alias {{ item.name }} = {{ item.entry }}
+{% endfor %}
+
+# User privilege specification
+
+{# rule for user 'back' #}
+{% for item in sudoers_file_user_back_privileges | default([]) %}
+back {{ item }}
+{% endfor -%}
+
+
+{%- if ansible_virtualization_role == 'host' %}
+
+{% for item in sudoers_file_user_back_disk_privileges | default([]) %}
+back {{ item }}
+{% endfor %}
+{% endif -%}
+
+
+{%- if groups['webadmin']|string is search(inventory_hostname) %}
+
+{% for item in sudoers_file_user_webadmin_disk_privileges | default([]) %}
+webadmin {{ item }}
+{% endfor %}
+{% endif -%}
+
+
+{%- if groups['postgresql_server']|string is search(inventory_hostname) %}
+
+{% for item in sudoers_file_user_back_postgres_privileges | default([]) %}
+back {{ item }}
+{% endfor %}
+{% endif -%}
+
+
+{# dns server #}
+{%- if groups['dns_server']|string is search(inventory_hostname) %}
+
+{% for item in sudoers_file_dns_server_privileges | default([]) %}
+{{ item.name }} {{ item.entry }}
+{% endfor %}
+{% endif -%}
+
+
+{# postfixadmin rules #}
+{%- if groups['mail_server']|string is search(inventory_hostname) %}
+
+{% for item in sudoers_file_postfixadmin_privileges | default([]) %}
+{{ item.name }} {{ item.entry }}
+{% endfor %}
+{% endif -%}
+
+{# other (host specific) rules #} 
+{%-  if (sudoers_file_user_privileges is defined and sudoers_file_user_privileges) %}
+
+{% for item in sudoers_file_user_privileges | default([]) %}
+{{ item.name }} {{ item.entry }}
+{% endfor %}
+{% endif %}
+
+# Group privilege specification

roles/common/templates/etc/sudoers.j2

@@ -0,0 +1,53 @@
+# {{ ansible_managed }}
+
+# This file MUST be edited with the 'visudo' command as root.
+#
+# Please consider adding local content in /etc/sudoers.d/ instead of
+# directly modifying this file.
+#
+# See the man page for details on how to write a sudoers file.
+#
+{% for item in sudoers_defaults %}
+{% if item != '' %}
+Defaults {{ item }}
+{% endif %}
+{% endfor %}
+
+# Host alias specification
+{% for item in sudoers_host_aliases | default([]) %}
+Host_Alias {{ item.name }} = {{ item.entry }}
+{% endfor %}
+
+# User alias specification
+{% for item in sudoers_user_aliases | default([]) %}
+User_Alias {{ item.name }} = {{ item.entry }}
+{% endfor %}
+
+# Cmnd alias specification
+{% for item in sudoers_cmnd_aliases | default([]) %}
+Cmnd_Alias {{ item.name }} = {{ item.entry }}
+{% endfor %}
+
+# Runas alias specification
+{% for item in sudoers_runas_aliases | default([]) %}
+Runas_Alias {{ item.name }} = {{ item.entry }}
+{% endfor %}
+
+# User privilege specification
+{% for item in sudoers_user_privileges | default([]) %}
+{{ item.name }} {{ item.entry }}
+{% endfor %}
+
+# Allow members of group sudo to execute any command
+%sudo ALL=(ALL:ALL) ALL
+
+# Group privilege specification
+
+{% for item in sudoers_group_privileges | default([]) %}
+{{ item.name }} {{ item.entry }}
+{% endfor %}
+
+# See sudoers(5) for more information on "#include" directives:
+
+#includedir /etc/sudoers.d
+

roles/common/templates/var/www/.ssh/config.j2

@@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+Host wf.oopen.de 80.152.216.128 gw-d11.oopen.de d11.warenform.de
+   user webadmin
+   Protocol 2
+   Port 9998
+   ForwardAgent yes
+   StrictHostKeyChecking no
+