Add base playbooks and roles to bootstrap a new server

We want to launch a new bastion host to run ansible on. Because we're
working on the transition to ansible, it seems like being able to do
that without needing puppet would be nice. This gets user management,
base repo setup and whatnot installed. It doesn't remove them from the
existing puppet, nor does it change the way we're calling anything that
currently exists.

Add bridge.openstack.org to the disabled group so that we don't try to
run puppet on it.

Change-Id: I3165423753009c639d9d2e2ed7d9adbe70360932

launch/dns.py

@@ -43,35 +43,35 @@ def print_dns(cloud, server):
         raise
     href = get_href(raw_server)
 
-    print
-    print "Run the following commands to set up DNS:"
-    print
-    print ". ~root/ci-launch/openstackci-rs-nova.sh"
-    print ". ~root/rackdns-venv/bin/activate"
-    print
-    print (
+    print("\n")
+    print("Run the following commands to set up DNS:")
+    print("\n")
+    print(". ~root/ci-launch/openstackci-rs-nova.sh")
+    print(". ~root/rackdns-venv/bin/activate")
+    print("\n")
+    print(
         "rackdns rdns-create --name %s \\\n"
         "    --data %s \\\n"
         "    --server-href %s \\\n"
         "    --ttl 3600" % (
             server.name, ip6, href))
-    print
-    print (
+    print("\n")
+    print(
         "rackdns rdns-create --name %s \\\n"
         "    --data %s \\\n"
         "    --server-href %s \\\n"
         "    --ttl 3600" % (
             server.name, ip4, href))
-    print
-    print ". ~root/ci-launch/openstack-rs-nova.sh"
-    print
-    print (
+    print("\n")
+    print(". ~root/ci-launch/openstack-rs-nova.sh")
+    print("\n")
+    print(
         "rackdns record-create --name %s \\\n"
         "    --type AAAA --data %s \\\n"
         "    --ttl 3600 openstack.org" % (
             server.name, ip6))
-    print
-    print (
+    print("\n")
+    print(
         "rackdns record-create --name %s \\\n"
         "    --type A --data %s \\\n"
         "    --ttl 3600 openstack.org" % (

launch/launch-node-ansible.py

@@ -0,0 +1,353 @@
+#!/usr/bin/env python
+
+# Launch a new OpenStack project infrastructure node.
+
+# Copyright (C) 2011-2012 OpenStack LLC.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+#
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import argparse
+import os
+import shutil
+import subprocess
+import sys
+import threading
+import tempfile
+import time
+import traceback
+
+import dns
+import utils
+
+import openstack
+import os_client_config
+import paramiko
+
+SCRIPT_DIR = os.path.dirname(sys.argv[0])
+
+try:
+    # This unactionable warning does not need to be printed over and over.
+    import requests.packages.urllib3
+    requests.packages.urllib3.disable_warnings()
+except:
+    pass
+
+
+class JobDir(object):
+    def __init__(self, keep=False):
+        self.keep = keep
+        self.root = tempfile.mkdtemp()
+        self.inventory_root = os.path.join(self.root, 'inventory')
+        os.makedirs(self.inventory_root)
+        self.hosts = os.path.join(self.inventory_root, 'hosts')
+        self.groups = os.path.join(self.inventory_root, 'groups')
+        self.key = os.path.join(self.root, 'id_rsa')
+        self.ansible_log = os.path.join(self.root, 'ansible_log.txt')
+        # XXX if we need more, we might like to setup an ansible.cfg
+        # file and use that rather than env vars.  See
+        # zuul/launcher/ansiblelaunchserver.py as an example
+        self.env = os.environ.copy()
+        self.env['ANSIBLE_LOG_PATH'] = self.ansible_log
+
+    def __enter__(self):
+        return self
+
+    def __exit__(self, etype, value, tb):
+        if not self.keep:
+            shutil.rmtree(self.root)
+
+
+def run(cmd, **args):
+    args['stdout'] = subprocess.PIPE
+    args['stderr'] = subprocess.STDOUT
+    print("Running: %s" % (cmd,))
+    proc = subprocess.Popen(cmd, **args)
+    out = ''
+    for line in iter(proc.stdout.readline, b''):
+        line = line.decode('utf-8')
+        sys.stdout.write(line)
+        sys.stdout.flush()
+        out += line
+    ret = proc.wait()
+    print("Return code: %s" % (ret,))
+    if ret != 0:
+        raise subprocess.CalledProcessError(ret, cmd, out)
+    return ret
+
+
+def stream_syslog(ssh_client):
+    try:
+        ssh_client.ssh('tail -f /var/log/syslog')
+    except Exception:
+        print("Syslog stream terminated")
+
+
+def bootstrap_server(server, key, name, volume_device, keep,
+                     mount_path, fs_label, environment):
+
+    ip = server.public_v4
+    ssh_kwargs = dict(pkey=key)
+
+    print("--- Running initial configuration on host %s ---" % ip)
+    for username in ['root', 'ubuntu', 'centos', 'admin']:
+        ssh_client = utils.ssh_connect(ip, username, ssh_kwargs, timeout=600)
+        if ssh_client:
+            break
+
+    if not ssh_client:
+        raise Exception("Unable to log in via SSH")
+
+    # cloud-init puts the "please log in as user foo" message and
+    # subsequent exit() in root's authorized_keys -- overwrite it with
+    # a normal version to get root login working again.
+    if username != 'root':
+        ssh_client.ssh("sudo cp ~/.ssh/authorized_keys"
+                       " ~root/.ssh/authorized_keys")
+        ssh_client.ssh("sudo chmod 644 ~root/.ssh/authorized_keys")
+        ssh_client.ssh("sudo chown root.root ~root/.ssh/authorized_keys")
+
+    ssh_client = utils.ssh_connect(ip, 'root', ssh_kwargs, timeout=600)
+
+    # Something up with RAX images that they have the ipv6 interface in
+    # /etc/network/interfaces but eth0 hasn't noticed yet; reload it
+    ssh_client.ssh('(ifdown eth0 && ifup eth0) || true')
+
+    if server.public_v6:
+        ssh_client.ssh('ping6 -c5 -Q 0x10 review.openstack.org '
+                       '|| ping6 -c5 -Q 0x10 wiki.openstack.org')
+
+    ssh_client.scp(os.path.join(SCRIPT_DIR, '..', 'make_swap.sh'),
+                   'make_swap.sh')
+    ssh_client.ssh('bash -x make_swap.sh')
+
+    if volume_device:
+        ssh_client.scp(os.path.join(SCRIPT_DIR, '..', 'mount_volume.sh'),
+                       'mount_volume.sh')
+        ssh_client.ssh('bash -x mount_volume.sh %s %s %s' %
+                       (volume_device, mount_path, fs_label))
+
+    with JobDir(keep) as jobdir:
+        # Update the generated-groups file globally and incorporate it
+        # into our inventory
+        # Remove cloud and region from the environment to work
+        # around a bug in occ
+        expand_env = os.environ.copy()
+        for env_key in list(expand_env.keys()):
+            if env_key.startswith('OS_'):
+                expand_env.pop(env_key, None)
+        expand_env['ANSIBLE_LOG_PATH'] = jobdir.ansible_log
+
+        # Write out the private SSH key we generated
+        with open(jobdir.key, 'w') as key_file:
+            key.write_private_key(key_file)
+        os.chmod(jobdir.key, 0o600)
+
+        # Write out inventory
+        with open(jobdir.hosts, 'w') as inventory_file:
+            inventory_file.write(
+                "{host} ansible_host={ip} ansible_user=root {python}".format(
+                    host=name, ip=server.interface_ip,
+                    python='ansible_python_interpreter=/usr/bin/python3'))
+
+        t = threading.Thread(target=stream_syslog, args=(ssh_client,))
+        t.daemon = True
+        t.start()
+
+        ansible_cmd = [
+            'ansible-playbook',
+            '-i', jobdir.inventory_root, '-l', name,
+            '--private-key={key}'.format(key=jobdir.key),
+            "--ssh-common-args='-o StrictHostKeyChecking=no'",
+            '-e', 'target={name}'.format(name=name),
+        ]
+
+        # Run the remote puppet apply playbook limited to just this server
+        # we just created
+        for playbook in [
+                'set-hostnames.yaml',
+                'base.yaml',
+        ]:
+            run(ansible_cmd + [
+                os.path.join(SCRIPT_DIR, '..', 'playbooks', playbook)],
+                env=jobdir.env)
+
+    try:
+        ssh_client.ssh("reboot")
+    except Exception as e:
+        # Some init system kill the connection too fast after reboot.
+        # Deal with it by ignoring ssh errors when rebooting.
+        if e.rc == -1:
+            pass
+        else:
+            raise
+
+
+def build_server(cloud, name, image, flavor,
+                 volume, keep, network, boot_from_volume, config_drive,
+                 mount_path, fs_label, availability_zone, environment):
+    key = None
+    server = None
+
+    create_kwargs = dict(image=image, flavor=flavor, name=name,
+                         reuse_ips=False, wait=True,
+                         boot_from_volume=boot_from_volume,
+                         network=network,
+                         config_drive=config_drive)
+
+    if availability_zone:
+        create_kwargs['availability_zone'] = availability_zone
+
+    if volume:
+        create_kwargs['volumes'] = [volume]
+
+    key_name = 'launch-%i' % (time.time())
+    key = paramiko.RSAKey.generate(2048)
+    public_key = key.get_name() + ' ' + key.get_base64()
+    cloud.create_keypair(key_name, public_key)
+    create_kwargs['key_name'] = key_name
+
+    try:
+        server = cloud.create_server(**create_kwargs)
+    except Exception:
+        try:
+            cloud.delete_keypair(key_name)
+        except Exception:
+            print("Exception encountered deleting keypair:")
+            traceback.print_exc()
+        raise
+
+    try:
+        cloud.delete_keypair(key_name)
+
+        server = cloud.get_openstack_vars(server)
+        if volume:
+            volume = cloud.get_volume(volume)
+            volume_device = cloud.get_volume_attach_device(volume,
+                                                           server['id'])
+        else:
+            volume_device = None
+        bootstrap_server(server, key, name, volume_device, keep,
+                         mount_path, fs_label, environment)
+        print('UUID=%s\nIPV4=%s\nIPV6=%s\n' % (
+            server.id, server.public_v4, server.public_v6))
+    except Exception:
+        print("****")
+        print("Server %s failed to build!" % (server.id))
+        try:
+            if keep:
+                print("Keeping as requested")
+                # Write out the private SSH key we generated, as we
+                # may not have got far enough for ansible to run
+                with open('/tmp/%s.id_rsa' % server.id, 'w') as key_file:
+                    key.write_private_key(key_file)
+                    os.chmod(key_file.name, 0o600)
+                    print("Private key saved in %s" % key_file.name)
+                print(
+                    "Run to delete -> openstack server delete %s" % \
+                    (server.id))
+            else:
+                cloud.delete_server(server.id, delete_ips=True)
+        except Exception:
+            print("Exception encountered deleting server:")
+            traceback.print_exc()
+        print("The original exception follows:")
+        print("****")
+        # Raise the important exception that started this
+        raise
+
+    return server
+
+
+def main():
+    parser = argparse.ArgumentParser()
+    parser.add_argument("name", help="server name")
+    parser.add_argument("--cloud", dest="cloud", required=True,
+                        help="cloud name")
+    parser.add_argument("--region", dest="region",
+                        help="cloud region")
+    parser.add_argument("--flavor", dest="flavor", default='1GB',
+                        help="name (or substring) of flavor")
+    parser.add_argument("--image", dest="image",
+                        default="Ubuntu 18.04 LTS (Bionic Beaver) (PVHVM)",
+                        help="image name")
+    parser.add_argument("--environment", dest="environment",
+                        help="Puppet environment to use",
+                        default=None)
+    parser.add_argument("--volume", dest="volume",
+                        help="UUID of volume to attach to the new server.",
+                        default=None)
+    parser.add_argument("--mount-path", dest="mount_path",
+                        help="Path to mount cinder volume at.",
+                        default=None)
+    parser.add_argument("--fs-label", dest="fs_label",
+                        help="FS label to use when mounting cinder volume.",
+                        default=None)
+    parser.add_argument("--boot-from-volume", dest="boot_from_volume",
+                        help="Create a boot volume for the server and use it.",
+                        action='store_true',
+                        default=False)
+    parser.add_argument("--keep", dest="keep",
+                        help="Don't clean up or delete the server on error.",
+                        action='store_true',
+                        default=False)
+    parser.add_argument("--verbose", dest="verbose", default=False,
+                        action='store_true',
+                        help="Be verbose about logging cloud actions")
+    parser.add_argument("--network", dest="network", default=None,
+                        help="network label to attach instance to")
+    parser.add_argument("--config-drive", dest="config_drive",
+                        help="Boot with config_drive attached.",
+                        action='store_true',
+                        default=False)
+    parser.add_argument("--az", dest="availability_zone", default=None,
+                        help="AZ to boot in.")
+    options = parser.parse_args()
+
+    openstack.enable_logging(debug=options.verbose)
+
+    cloud_kwargs = {}
+    if options.region:
+        cloud_kwargs['region_name'] = options.region
+    cloud = openstack.connect(cloud=options.cloud, **cloud_kwargs)
+
+    flavor = cloud.get_flavor(options.flavor)
+    if flavor:
+        print("Found flavor", flavor.name)
+    else:
+        print("Unable to find matching flavor; flavor list:")
+        for i in cloud.list_flavors():
+            print(i.name)
+        sys.exit(1)
+
+    image = cloud.get_image_exclude(options.image, 'deprecated')
+    if image:
+        print("Found image", image.name)
+    else:
+        print("Unable to find matching image; image list:")
+        for i in cloud.list_images():
+            print(i.name)
+        sys.exit(1)
+
+    server = build_server(cloud, options.name, image, flavor,
+                          options.volume, options.keep,
+                          options.network, options.boot_from_volume,
+                          options.config_drive,
+                          options.mount_path, options.fs_label,
+                          options.availability_zone,
+                          options.environment)
+    dns.print_dns(cloud, server)
+
+if __name__ == '__main__':
+    main()

launch/launch-node.py

@@ -206,7 +206,7 @@ def bootstrap_server(server, key, name, volume_device, keep,
         # Run the remote puppet apply playbook limited to just this server
         # we just created
         for playbook in [
-                'set_hostnames.yml',
+                'set-hostnames.yaml',
                 'remote_puppet_adhoc.yaml']:
             run(ansible_cmd + [
                 os.path.join(SCRIPT_DIR, '..', 'playbooks', playbook)],

launch/utils.py

@@ -43,7 +43,7 @@ def ssh_connect(ip, username, connect_kwargs={}, timeout=60):
             client = SSHClient(ip, username, **connect_kwargs)
             break
         except socket.error as e:
-            print "While testing ssh access:", e
+            print("While testing ssh access:", e)
             time.sleep(5)
         except paramiko.ssh_exception.AuthenticationException:
             return None

make_swap.sh

@@ -27,7 +27,7 @@ if [ `grep SwapTotal /proc/meminfo | awk '{ print $2; }'` -eq 0 ]; then
         MEMKB=`grep MemTotal /proc/meminfo | awk '{print $2; }'`
         # Use the nearest power of two in MB as the swap size.
         # This ensures that the partitions below are aligned properly.
-        MEM=`python -c "import math ; print 2**int(round(math.log($MEMKB/1024, 2)))"`
+        MEM=`python3 -c "import math ; print(2**int(round(math.log($MEMKB/1024, 2))))"`
         if mount | grep ${DEV} > /dev/null; then
             echo "*** ${DEV} appears to already be mounted"
             echo "*** ${DEV} unmounting and reformating"

modules/openstack_project/files/puppetmaster/groups.txt

@@ -11,6 +11,7 @@ files ~files\d+\.openstack\.org
 git-loadbalancer ~git(-fe\d+)?\.openstack\.org
 git-server ~git\d+\.openstack\.org
 logstash-worker ~logstash-worker\d+\.openstack\.org
+mailman ~lists\d*\.openstack\.org:~lists\d*\.katacontainers\.io
 nodepool nodepool*.openstack.org:nb*.openstack.org:nl*.openstack.org
 review ~review\d+\.openstack\.org
 review-dev ~review-dev\d*\.openstack\.org

playbooks/base.yaml

@@ -0,0 +1,5 @@
+- hosts: "!disabled"
+  roles:
+    - users
+    - base-repos
+    - base-server

playbooks/group_vars/all.yaml

@@ -10,3 +10,208 @@ puppet:
   copy_puppet: true
   manifest: /opt/system-config/production/manifests/site.pp
   manifest_base: /opt/system-config
+
+all_users:
+  mordred:
+    comment: Monty Taylor
+    key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDLsTZJ8hXTmzjKxYh/7V07mIy8xl2HL+9BaUlt6A6TMsL3LSvaVQNSgmXX5g0XfPWSCKmkZb1O28q49jQI2n7n7+sHkxn0dJDxj1N2oNrzNY7pDuPrdtCijczLFdievygXNhXNkQ2WIqHXDquN/jfLLJ9L0jxtxtsUMbiL2xxZEZcaf/K5MqyPhscpqiVNE1MjE4xgPbIbv8gCKtPpYIIrktOMb4JbV7rhOp5DcSP5gXtLhOF5fbBpZ+szqrTVUcBX0oTYr3iRfOje9WPsTZIk9vBfBtF416mCNxMSRc7KhSW727AnUu85hS0xiP0MRAf69KemG1OE1pW+LtDIAEYp mordred@camelot
+    uid: 2000
+    gid: 2000
+
+  corvus:
+    comment: James E. Blair
+    key: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAvKYcWK1T7e3PKSFiqb03EYktnoxVASpPoq2rJw2JvhsP0JfS+lKrPzpUQv7L4JCuQMsPNtZ8LnwVEft39k58Kh8XMebSfaqPYAZS5zCNvQUQIhP9myOevBZf4CDeG+gmssqRFcWEwIllfDuIzKBQGVbomR+Y5QuW0HczIbkoOYI6iyf2jB6xg+bmzR2HViofNrSa62CYmHS6dO04Z95J27w6jGWpEOTBjEQvnb9sdBc4EzaBVmxCpa2EilB1u0th7/DvuH0yP4T+X8G8UjW1gZCTOVw06fqlBCST4KjdWw1F/AuOCT7048klbf4H+mCTaEcPzzu3Fkv8ckMWtS/Z9Q== jeblair@operational-necessity
+    uid: 2001
+    gid: 2001
+
+  smaffulli:
+    comment: Stefano Maffulli
+    key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDD/zAvXaOUXCAT6/B4sCMu/38d/PyOIg/tYsYFAMgfDUzuZwkjZWNGrTpp/HFrOAZISER5KmOg48DKPvm91AeZOHfAXHCP6x9/FcogP9rmc48ym1B5XyIc78QVQjgN6JMSlEZsl0GWzFhQsPDjXundflY07TZfSC1IhpG9UgzamEVFcRjmNztnBuvq2uYVGpdI+ghmqFw9kfvSXJvUbj/F7Pco5XyJBx2e+gofe+X/UNee75xgoU/FyE2a6dSSc4uP4oUBvxDNU3gIsUKrSCmV8NuVQvMB8C9gXYR+JqtcvUSS9DdUAA8StP65woVsvuU+lqb+HVAe71JotDfOBd6f stefano@mattone-E6420
+    uid: 2002
+    gid: 2002
+
+  oubiwann:
+    comment: Duncan McGreggor
+    uid: 2003
+    gid: 2003
+
+  rockstar:
+    comment: Paul Hummer
+    uid: 2004
+    gid: 2004
+
+  clarkb:
+    comment: Clark Boylan
+    key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCnfoVhOTkrY7uoebL8PoHXb0Fg4jJqGCbwkxUdNUdheIdbnfyjuRG3iL8WZnzf7nzWnD+IGo6kkAo8BkNMK9L0P0Y+5IjI8NH49KU22tQ1umij4EIf5tzLh4gsqkJmy6QLrlbf10m6UF4rLFQhKzOd4b2H2K6KbP00CIymvbW3BwvNDODM4xRE2uao387qfvXZBUkB0PpRD+7fWPoN58gpFUm407Eba3WwX5PCD+1DD+RVBsG8maIDXerQ7lvFLoSuyMswv1TfkvCj0ZFhSFbfTd2ZysCu6eryFfeixR7NY9SNcp9YTqG6LrxGA7Ci6wz+hycFHXlDrlBgfFJDe5At clark@work
+    uid: 2005
+    gid: 2005
+
+  rlane:
+    comment: Ryan Lane
+    key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCdtI7H+fsgSrjrdG8aGVcrN0GFW3XqLVsLG4n7JW4qH2W//hqgdL7A7cNVQNPoB9I1jAqvnO2Ct6wrVSh84QU89Uufw412M3qNSNeiGgv2c2KdxP2XBrnsLYAaJRbgOWJX7nty1jpO0xwF503ky2W3OMUsCXMAbYmYNSod6gAdzf5Xgo/3+eXRh7NbV1eKPrzwWoMOYh9T0Mvmokon/GXV5PiAA2bIaQvCy4BH/BzWiQwRM7KtiEt5lHahY172aEu+dcWxciuxHqkYqlKhbU+x1fwZJ+MpXSj5KBU+L0yf3iKySob7g6DZDST/Ylcm4MMjpOy8/9Cc6Xgpx77E/Pvd laner@Free-Public-Wifi.local
+    uid: 2006
+    gid: 2006
+
+  fungi:
+    comment: Jeremy Stanley
+    key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD3KnRBTH5QPpKjf4RWu4akzYt2gwp796cMkFl5vu8e7G/cHuh4979FeNJXMVP6F3rvZB+yXDHLCU5LBVLq0K+1GbAZT/hH38hpMOIvniwKIquvI6C/drkVPHO6YmVlapw/NI530PGnT/TAqCOycHBO5eF1bYsaqV1yZqvs9v7UZc6J4LukoLZwpmyWZ5P3ltAiiy8+FGq3SLCKWDMmv/Bjz4zTsaNbSWThJi0BydINjC1/0ze5Tyc/XgW1sDuxmmXJxgQp4EvLpronqb2hT60iA52kj8lrmoCIryRpgnbaRA7BrxKF8zIr0ZALHijxEUeWHhFJDIVRGUf0Ef0nrmBv fungi-openstack-2015
+    uid: 2007
+    gid: 2007
+
+  ttx:
+    comment: Thierry Carrez
+    key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDCGpMtSehQNZL0/EJ7VUbklJygsxvii2Qi4HPSUFcLJUWAx4VltsmPkmx43D9ITwnRPRMPNtZrOvhY7v0myVlFuRnyTYAqZwigf5gxrktb+4PwCWb+2XobziUVnfJlbOTjneWSTYoZ+OjTaWd5AcVbUvgYAP2qbddycc5ACswpPDo5VrS6fQfCwE4z3BqLFNeOnqxbECHwHeFYIR6Kd6mnKAzDNZxZIkviWg9eIwwuFf5V5bUPiVkeFHVL3EJlCoYs2Em4bvYZBtrV7kUseN85X/+5Uail4uYBEcB3GLL32e6HeD1Qk4xIxLTI2bFPGUp0Oq7iPgrQQe4zCBsGi7Dx+JVy+U0JqLLAN94UPCn2fhsX7PdKfTPcxFPFKeX/PRutkb7qxdbS2ubCdOEhc6WN7OkQmbdK8lk6ms4v4dFc0ooMepWELqKC6thICsVdizpuij0+h8c4SRD3gtwGDPxrkJcodPoAimVVlW1p+RpMxsCFrK473TzgeNPVeAdSZVpqZ865VOwFqoFQB6WpmCDZQPFlkS2VDe9R54ePDHWKYLvVW6yvQqWTx3KrIrS1twSoydj+gADgBYsZaW5MNkWYHAWotEX67j6fMZ6ZSTS5yaTeLywB2Ykh0kjo4jpTFk5JNL7DINkfmCEZMLw60da29iN4QzAJr9cP1bwjf/QDqw== ttx@mercury
+    uid: 2008
+    gid: 2008
+
+  rbryant:
+    comment: Russell Bryant
+    key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZVikFz5KoRg3gKdiSa3PQ0i2bN5+bUyc4lMMg6P+jEStVddwN+nAgpa3zJaokmNAOp+MjcGa7K1Zi4b9Fe2ufusTzSKdNVlRDiw0R4Lk0LwTIfkhLywKvgcAz8hkqWPUIgTMU4xIizh50KTL9Ttsu9ULop8t7urTpPE4TthHX4nz1Y9NwYLU0W8cWhzgRonBbqtGs/Lif0NC+TdWGkVyTaP3x1A48s0SMPcZKln1hDv7KbKdknG4XyS4jlr4qI+R+har7m2ED/PH93PSXi5QnT4U6laWRg03HTxpPKWq077u/tPW9wcbkgpBcYMmDKTo/NDPtoN+r/jkbdW7zKJHx russel@russelbryant.net
+    uid: 2009
+    gid: 2009
+
+  pabelanger:
+    comment: Paul Belanger
+    key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCuP0CZE8AYnbm8gxecCxKeRw0wHRyryd+FKmNNsdr0d3UvfCbqNzLigrqEBZsKpofi3M4qCWNpKRyfhnjPynLTQjP1vnX9AbL9UGoiHxScfvh3skntTYMs9ezJRd0rMJJZO76FPo8bJLDlwxAQl8m/nuj3HfYiO5hYE7P+a3rhsJh4nEfBb7xh+Q5yM0PWObkkBl6IRiBYjlcsXNZHgTA5kNuihUk5bHqAw54sHh05DhpgOITpTw4LFbh4Ew2NKq49dEb2xbTuAyAr2DHNOGgIwKEZpwtKZEIGEuiLbb4DQRsfivrvyOjnK2NFjQzGyNOHfsOldWHRQwUKUs8nrxKdXvqcrfMnSVaibeYK2TRL+6jd9kc5SIhWI3XLm7HbX7uXMD7/JQrkL25Rcs6nndDCH72DJLz+ynA/T5umMbNBQ9tybL5z73IOpfShRGjQYego22CxDOy7e/5OEMHNoksbFb1S02viM9O2puS7LDqqfT9JIbbPqCrbRi/zOXo0f4EXo6xKUAmd8qlV+6f/p57/qFihzQDaRFVlFEH3k7qwsw7PYGUTwkPaThe6xyZN6D5jqxCZU3aSYu+FGb0oYo+M5IxOm0Cb4NNsvvkRPxWtwSayfFGu6+m/+/RyA3GBcAMev7AuyKN+K2vGMsLagHOx4i+5ZAcUwGzLeXAENNum3w== pabelanger@redhat.com
+    uid: 2010
+    gid: 2010
+
+  mkiss:
+    comment: Marton Kiss
+    key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCb5qdaiKaRqBRgLW8Df+zD3C4a+gO/GFZYEDEd5nvk+LDGPuzi6s639DLqdfx6yvJ1sxxNUOOYhE/T7raDeS8m8fjk0hdVzARXraYDbckt6AELl7B16ZM4aEzjAPoSByizmfwIVkO1zP6kghyumV1kr5Nqx0hTd5/thIzgwdaGBY4I+5iqcWncuLyBCs34oTh/S+QFzjmMgoT86PrdLSsBIINx/4rb2Br2Sb6pRHmzbU+3evnytdlDFwDUPfdzoCaQEdXtjISC0xBdmnjEvHJYgmSkWMZGgRgomrA06Al9M9+2PR7x+burLVVsZf9keRoC7RYLAcryRbGMExC17skL marton.kiss@gmail.com
+    uid: 2011
+    gid: 2011
+
+  smarcet:
+    comment: Sebastian Marcet
+    key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDP5ce0Ywtbgi3LGMZWA5Zlv/EQ07F/gWnZOMN6TRfiCiiBNyf8ARtKgmYSINS8W537HJYBt3qTfa5xkZmpBrtE6x8OTfR5y1L+x/PrLTUkQhVDY19EixD9wDIrQIIjo2ZVq+zErXBRQuGmJ3Hl+OGw+wtvGS8f768kMnwhKUgyITjWV2tKr/q88J8mBOep48XUcRhidDWsOjgIDJQeY2lbsx1bbZ7necrJS17PHqxhUbWntyR/VKKbBbrNmf2bhtTRUSYoJuqabyGDTZ0J25A88Qt2IKELy6jsVTxHj9Y5D8oH57uB7GaNsNiU+CaOcVfwOenES9mcWOr1t5zNOdrp smarcet@gmail.com
+    uid: 2012
+    gid: 2012
+
+  zaro:
+    comment: Khai Do
+    key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDJqB//ilMx7Y1tKzviAn/6yeXSRAi2VnaGN0/bfaa5Gciz+SWt8vAEAUE99fzuqeJ/ezjkuIXDFm/sjZr93y567a6sDT6CuhVUac1FZIhXRTs0J+pBOiENbwQ7RZxbkyNHQ0ndvtz3kBA1DF5D+MDkluBlIWb085Z31rFJmetsB2Zb8s1FKUjHVk/skyeKSj0qAK5KN3Wme6peWhYjwBiM0gUlxIsEZM6JLYdoPIbD5B8GYAktMN2FvJU9LgKGL93jLZ/vnMtoQIHHAG/85NdPURL1Zbi92Xlxbm4LkbcHnruBdmtPfSgaEupwJ+zFmK264OHD7QFt10ztPMbAFCFn khaido@khaido-HP-EliteBook-Folio-9470m
+    uid: 2013
+    gid: 2013
+
+  slukjanov:
+    comment: Sergey Lukjanov
+    uid: 2014
+    gid: 2014
+
+  elizabeth:
+    comment: Elizabeth K. Joseph
+    uid: 2015
+    gid: 2015
+
+  jhesketh:
+    comment: Joshua Hesketh
+    key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC3onVLOZiiGpQWTCIV0QwHmc3Jvqyl7UaJxIu7D49OQcLHqVZsozI9pSiCdTnWyAaM+E+5wD9yVcSTqMWqn2AZmZSwQ+Fh6KnCgPZ/o63+iCZPGL0RNk20M1iNh5dvdStDnn+j2fpeV/JONF0tBn07QvNL2eF4BwtbTG9Zhl186QNsXjXDghrSO3Etl6DSfcUhxyvMoA2LnclWWD5hLmiRhcBm+PIxveVsr4B+o0k1HV5SUOvJMWtbEC37AH5I818O4fNOob6CnOFaCsbA9oUDzB5rqxutPZb9SmNJpNoLqYqDgyppM0yeql0Kn97tUt7H4j5xHrWoGnJ4IXfuDc0AMmmy4fpcLGkNf7zcBftKS6iz/3AlOXjlp5WZvKxngJj9HIir2SE/qV4Lxw9936BzvAcQyw5+bEsLQJwi+LPZxEqLC6oklkX9dg/+1yBFHsz6mulA0b4Eq7VF9omRzrhhN4iPpU5KQYPRNz7yRYckXDxYnp2lz6yHgSYh2/lqMc+UqmCL9EAWcDw3jsgvJ6kH/YUVUojiRHD9QLqlhOusu1wrTfojjwF05mqkXKmH+LH8f8AJAlMdYg0c2WLlrcxnwCkLLxzU5cYmKcZ41LuLtQR3ik+EKjYzBXXyCEzFm6qQEbR2akpXyxvONgrf7pijrgNOi0GeatUt0bUQcAONYw== jhesketh@infra
+    uid: 2016
+    gid: 2016
+
+  nibz:
+    comment: Spencer Krum
+    uid: 2017
+    gid: 2017
+
+  yolanda:
+    comment: Yolanda Robla
+    key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDSR2NmJC8PSanHUpKJuaMmohG80COO2IPkE3Mxhr7US8P1B3p1c6lOrT6M1txRzBY8FlbxfOinGtutP+ADCB2taXfpO8UiaG9eOqojAT/PeP2Y2ov72rVMSWupLozUv2uAR5yyFVFHOjKPYGAa01aJtfzfJujSak8dM0ifFeFwgp/8RBGEfC7atq+45TdrfAURRcEgcOLiF5Aq6fprCOwpllnrH6VoId9YS7u/5xF2/zBjr9PuOP7jEgCaL/+FNqu7jgj87aG5jiZPlweb7GTLJON9H6eFpyfpoJE0sZ1yR9Q+e9FAqQIA44Zi748qKBlFKbLxzoC4mc0SbNUAleEL yolanda@infra
+    uid: 2018
+    gid: 2018
+
+  rcarrillocruz:
+    comment: Ricardo Carrillo Cruz
+    key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCz1CW5E87v8o7O8B5fe7j1uaPCToRdaBukjH2HzQZ+DSGTIPjirLpp5ZXPuyNnmtRMzwld6mlHYlevVEwuZTNyQwS7ut5o0LjyW6yoEcvPq0xMEZLxaso5dZAtzNgf3FzbtaUYBnkhSwX7c24lf8wPGAl7TC3yO0dePQh2lXVdaBiGB9ybVeQr+kwJIxleUE4puuQ+ONJE2D+hHjoQ/huUMpb996pb/YzkjkAxqHguMid0c1taelyW8n17nEDoWvlV9Qqbo8cerhgURo1OBt2zENLjQQ0kOkPxJx4qx3652e0kbkr11y50r9BMs418mnJdWselMxkSqQNZ+XotoH5Dwn+3K2a6Wv4OX3Dqb9SF/JTD7lA/tIkNfxgsRlzfEQ01rK1+g7Je10EnDCLEzHpFjvZ5q4EEMcYqY+osLFpHAOWGLMx+3eY4pz/xEzRP/x3sjGU09uNOZ3oCWUfSkE4xebnnWtxwWZKyFmv3GHtaqJn2UvpAbODPEYyYcOS3XV3zd233W3C09YYnFUyZbGLXpD05Yet5fZfGTnveMRn5/9LZai+dBPwoMWUJdX4yPnGXgOG8zk0u1nWfcNJfYg+xajSUDiMKjDhlkuFK/GXNYuINe42s1TxzL7pJ4X4UhqLiopeJvPg/U5xdCV5pxVKf1MVenrGe2pfwf1Yr2WMv5w== rcarrillocruz@infra
+    uid: 2019
+    gid: 2019
+
+  krotscheck:
+    comment: Michael Krotscheck
+    uid: 2020
+    gid: 2020
+
+  colleen:
+    comment: Colleen Murphy
+    key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDcHzySqYlH1TfAPx5PaVzqkuMbI3zksJ5E2aZBlsIN7wNSoyO0Dts6HegHZIgi5NGT05wRBAUMCNZwupqFoWDg41JBKzPKITkqvEe/FnNmJFxt591ltXigZZ+ZLoX8B12nww/eeA5nx9PT4hIsLQG50MxEm0iC4ApusaAXMXa7+gTDkzf6yyl4QwinyFFTYtyJwFw5XfQXXRQwL8Qv6mVGrhDz3Fj4VWawByQuxRHgt5G3Ux/PnZzatJ3tuSK66o1uXrvuOiGdUtDCuAFUx+kgcmUTpCC6vgMZdDbrfyw0CGxkmAUNfeEMOw0TWbdioJ2FwH5+4BEvMgiFgsCTjIwDqqyFV9eK8sd0mbJ+I82EyOXPlFPKGan6Ie6LD1qotdUW9vT3pfpR/44s/Id2un3FBnVg7GZkGJshikGO1UqjmZfhEpQ6Q+auLir+mBv2X/ril6qJ2NuQpwMRVzZmriPMxdJDs6xhzg2fGEYRvEvh0kzsqNf4OgKbSWiVOB3WALM30Cx3YdmnB6JonRGA+6CqD+LO4HQMbD7LBVcYzEIS1WtP8aPx/NiybemrF0LWmIgl34A0Tpcc+5MLzzUtgUt6lYFyWxltCP43u1N7ODH+FsFALzo6CO9DjyMxEd6Ay61hyx8Btfhn8NH/wEdCQj1WAMHU+d2ljk5ndAfp8c6LRQ== krinkle@gir
+    uid: 2021
+    gid: 2021
+
+  Zara:
+    comment: Zara Zaimeche
+    key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCt9wQvGgQIvLvifm7n5g+2sjgjGCQLt03D0v5Fb5xEMufJncIDkwBNDzGvsASwHGjP9YEAA8+f8Ya+Yc9EaDgqQl9r9YEO9CoEC6O1Euk41nQJYYRnzkgmMaxTSlUKNur8XSmzoElLut6ivlLW71fZmSKHAcg9O4lgd9weDDjCcWLD1C9WmRVdtEnw6NQJd5Mn/llHqdbmMlf3I5VL8QvzPndxZEyESdSBz0ywLO5ygtUxtPaCxaanHSTz1yNooT9t2vwDnfc1LB9oT4CaEnVG+FugCPGFnn204eJ2BVEQ945ZsabgFndyvfmEwxlzAeA6+YjQYrukMijb1Owxh1fv zara.zaimeche@codethink.co.uk
+    uid: 2022
+    gid: 2022
+
+  SotK:
+    comment: Adam Coldrick
+    key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDL2oe+2lRld58OiTjpdR3yUTobWcDWaYhWpU3bWz36rQAcbtYQmCBJRF8Ec2ZazvLNrmv075k/kb18eWjBLzItorBppIlNkIazG002LsrvlME6FDrZ3MoeDiswXG8a0P0IJyUyvfald7EBkjjiCVO3CwyMdFF2fXb+oqKxrSL9nKyPZtSXAzHmq01Eqm6Jok971+C+tvk47W4w7LXy+H/1GfMJdppwIWD6fQ5NmxQp9fHowh3ztNthhEk6Vn46qGrtMru4HImIw6nVU+0tHNRgxRjn9SRTPSsYPiBKJJ90rXl7WB5Ep42hGZySdz7l0LjxXAGxZgiHso/ANPYzRgpr adam@arreliam
+    uid: 2023
+    gid: 2023
+
+  maxwell:
+    comment: JP Maxwell
+    key: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA2b5I7Yff9FCrtRmSjpILUePi54Vbc8zqJTbzrIAQZGFLBi3xd2MLlhV5QVgpDBC9H3lGjbdnc81D3aFd3HwHT4dvvvyedT12PR3VDEpftdW84vw3jzdtALcayOQznjbGnScwvX5SgnRhNxuX9Rkh8qNvOsjYPUafRr9azkQoomJFkdNVI4Vb5DbLhTpt18FPeOf0UuqDt/J2tHI4SjZ3kjzr7Nbwpg8xGgANPNE0+2pJbwCA8YDt4g3bzfzvVafQs5o9Gfc9tudkR9ugQG1M+EWCgu42CleOwMTd/rYEB2fgNNPsZAWqwQfdPajVuk70EBKUEQSyoA09eEZX+xJN9Q== jpmaxman@tipit.net
+    uid: 2024
+    gid: 2024
+
+  ianw:
+    comment: Ian Wienand
+    key_type: ssh-ed25519
+    key: ssh-rsa AAAAC3NzaC1lZDI1NTE5AAAAILOjz+dkwRWTJcW9Gt3iGHSzRBsvVlTAK6G2oH3+0D41 iwienand+osinfra@redhat.com
+    uid: 2025
+    gid: 2025
+
+  shrews:
+    comment: David Shrewsbury
+    key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtNtbgLw0dyRVnuwZz4oUcWTzEUtpO2V47t4ykijdH1hkEe7qkuusM5bD8pC4L3wDZP5U3lsIAvZ97LCQp+MNJz1j8cjXuAboqP5FC3TtCJR1WtCWmOBSO7sIvcsgwse/9KZN/TETOGA9no1oKS43Adi9bXrRFAKDAAM34IVt/UHNS51vxUhuGv+56yJmaki7CjxrGtXcB4hi+TCQAfKJPzhAMwcFQUyvXJkRei6NN6uYyHnVtLR3KXEkeTesZ2GQxmQ+1jmCMN1zUN2VLypmDqAvlKtuQW+3nY89q4HDwzCpuC1rscJgOuncdMahTMoKA3/dQtT4WuJIwLQa3tEEn shrews2018
+    uid: 2026
+    gid: 2026
+
+  jbryce:
+    comment: Jonathan Bryce
+    key: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApFGM9q1gfiawBX5EnCQGxx2T1hwPDxrX2M64MfqcoBRpdrWRjxWm6Vhczfl+Ar2EQtGsuIm1QQiyiPL4zsJSQOfYXB0TqOQaAuFamSzZSNEm8coSa93E3zfXR9uln1lgCGutaWwH/KmGcSeAuuQCipKmKxc8QSAepGNP4Jx2L/EnXQh850xTQEIviJkJpA9oTRzXu12T7vzxsUCw041Q/KX16UvvGpt9IAoMAWFlQrMPzPFmqbUOIr7pRvv8TKcK9BNFS8S8jjT+wN0y/LY7cbTblgDfwSAl1P/naME5ugRVD5MZKixIE1F+x/j+M8+fpZ/EyR/6jSA3DYjEXOk2zQ== jbryce@jbryce-mbp-3.local
+    uid: 2027
+    gid: 2027
+
+  dmsimard:
+    comment: David Moreau-Simard
+    key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDDyXfFj44OTsJZnHbecbYrwA8zXuMiULb+o326maOh3wh5/6fk+MzivkUzJC2uZqAlKvBnNXsrb/07eV1gRjaIQBQJxaV9HQUwMNX7AkjkDzaMXVDjG/JOium90R23gVGMukzp9IamezUscAqAxVK+2C10k3tq8dZ/GeZfHl3NFGRHlIAXsJ/SIQoxJAEA0IQ/8Y50nR1Hp2mV2xsfxH9oZhLR/eiFdhJpNupdfw/oE9+vpCHS8SG88KGeLYbn+EhH6LSCD+6WNthF6oE7NANnScqn1Fl0ZpSd3RlRb+kDVKGqNxfB7EJTeimYvqaYmrTiTZTaTJua5Bj5yBTudqnBgdHCz3xMb2Nv2s2INNcJmP/CKpivYQ8AJs6cVlqRWnLJiNQQYCj+xAXBvY5T0Xq/qOhVifLiWZvZQOTHFWqFP9asZkrGa1mFWIaR9VPQY0FoYlUOT9t6J6TRbzktJIuP5AiOVoJLL6wjZuUMjghHfkYbqtyBqE4BbCY8YF3JSf8jx+9eWy+sD+dRwKXBCrGV0dNidioZR7ZJpBb6ye8wElebjPZizKhppsNpwtRxPfiAM52f55lXGD7IDpz9CZrOKUcV2uc3Rhl50u7T3psZfX7GysZvlnAH+Yr+UM+LPBAabXAfKlMnJp+SskLuOplTeQrvAwMluBmFnla8TnwnxQ== dmsimard@hostname
+    uid: 2028
+    gid: 2028
+
+  frickler:
+    comment: Jens Harbott
+    key_type: ssh-ed25519
+    key: ssh-rsa AAAAC3NzaC1lZDI1NTE5AAAAIGmc5fbzMptjAb5D86zSH13ZYCbf3QuV1jk9hL0r1qHw frickler@os-infra-2017
+    uid: 2029
+    gid: 2029
+
+  diablo_rojo:
+    comment: Kendall Nelson
+    key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCx96P1BVbRALeCz8jktUtT9qWzeXbG5yQrwQZ6n3NWsqEueCHp9DaVPDQLWIFAyvL0PKtlSOktClsUYuGfxB+dBuAFFMsx1Apk78EID4wvdXfEUDxZOsKX7zE9teJSxPEMppHAJIcnPu7dMFzZWxh+sA+fR8ZddPRunxtztGayNdYsCqDGIc9GqemjOqXDIFMIXgJLxNaHGSR56UcDHwgqmXXANkpTKsLW+U+VdNofHKpRhbXNS07jPFAAe1rBmoU/TRitzQFz7WYA4ml54ZiB7Q1O7RIyJWVBihHVrxSZbjn2a46CVeLo5Xw7loWF32wY/hA98hmpBNiF8tGSI6mh kennelson11@gmail.com
+    uid: 2030
+    gid: 2030
+
+# List of users to install on all hosts
+base_users:
+  - mordred
+  - corvus
+  - clarkb
+  - fungi
+  - jhesketh
+  - yolanda
+  - pabelanger
+  - rcarrillocruz
+  - ianw
+  - shrews
+  - dmsimard
+  - frickler
+# Default empty list of users to install on specific hosts or groups
+extra_users: []
+# Users who should be removed
+disabled_users:
+  - elizabeth
+  - nibz
+  - slukjanov

playbooks/roles/base-repos/defaults/main.yaml

@@ -0,0 +1 @@
+purge_apt_sources: true

playbooks/roles/base-repos/files/80retry

@@ -0,0 +1 @@
+APT::Acquire::Retries "20";

playbooks/roles/base-repos/files/90no-translations

@@ -0,0 +1 @@
+Acquire::Languages "none";

playbooks/roles/base-repos/files/sources.list.bionic.x86_64

@@ -0,0 +1,10 @@
+# This file is kept updated by ansible, adapted from
+# https://help.ubuntu.com/lts/serverguide/configuration.html
+
+deb http://us.archive.ubuntu.com/ubuntu bionic main restricted
+deb http://us.archive.ubuntu.com/ubuntu bionic-updates main restricted
+deb http://us.archive.ubuntu.com/ubuntu bionic universe
+deb http://us.archive.ubuntu.com/ubuntu bionic-updates universe
+deb http://us.archive.ubuntu.com/ubuntu bionic-backports main restricted universe
+deb http://security.ubuntu.com/ubuntu bionic-security main restricted
+deb http://security.ubuntu.com/ubuntu bionic-security universe

playbooks/roles/base-repos/files/sources.list.trusty.x86_64

@@ -0,0 +1,13 @@
+# This file is kept updated by ansible, adapted from
+# http://ubuntuguide.org/wiki/Ubuntu_Trusty_Packages_and_Repositories
+
+deb http://us.archive.ubuntu.com/ubuntu trusty main restricted
+deb http://us.archive.ubuntu.com/ubuntu trusty-updates main restricted
+deb http://us.archive.ubuntu.com/ubuntu trusty universe
+deb http://us.archive.ubuntu.com/ubuntu trusty-updates universe
+deb http://us.archive.ubuntu.com/ubuntu trusty multiverse
+deb http://us.archive.ubuntu.com/ubuntu trusty-updates multiverse
+deb http://us.archive.ubuntu.com/ubuntu trusty-backports main restricted universe multiverse
+deb http://security.ubuntu.com/ubuntu trusty-security main restricted
+deb http://security.ubuntu.com/ubuntu trusty-security universe
+deb http://security.ubuntu.com/ubuntu trusty-security multiverse

playbooks/roles/base-repos/files/sources.list.xenial.aarch64

@@ -0,0 +1,35 @@
+# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
+# newer versions of the distribution.
+
+deb http://ports.ubuntu.com/ubuntu-ports/ xenial main restricted multiverse
+deb-src http://ports.ubuntu.com/ubuntu-ports/ xenial main restricted multiverse
+
+## Major bug fix updates produced after the final release of the
+## distribution.
+deb http://ports.ubuntu.com/ubuntu-ports/ xenial-updates main restricted multiverse
+deb-src http://ports.ubuntu.com/ubuntu-ports/ xenial-updates main restricted multiverse
+
+## Uncomment the following two lines to add software from the 'universe'
+## repository.
+## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
+## team. Also, please note that software in universe WILL NOT receive any
+## review or updates from the Ubuntu security team.
+deb http://ports.ubuntu.com/ubuntu-ports/ xenial universe
+deb-src http://ports.ubuntu.com/ubuntu-ports/ xenial universe
+deb http://ports.ubuntu.com/ubuntu-ports/ xenial-updates universe
+deb-src http://ports.ubuntu.com/ubuntu-ports/ xenial-updates universe
+
+## N.B. software from this repository may not have been tested as
+## extensively as that contained in the main release, although it includes
+## newer versions of some applications which may provide useful features.
+## Also, please note that software in backports WILL NOT receive any review
+## or updates from the Ubuntu security team.
+# deb http://ports.ubuntu.com/ubuntu-ports/ xenial-backports main restricted
+# deb-src http://ports.ubuntu.com/ubuntu-ports/ xenial-backports main restricted
+
+deb http://ports.ubuntu.com/ubuntu-ports/ xenial-security main restricted multiverse
+deb-src http://ports.ubuntu.com/ubuntu-ports/ xenial-security main restricted multiverse
+deb http://ports.ubuntu.com/ubuntu-ports/ xenial-security universe
+deb-src http://ports.ubuntu.com/ubuntu-ports/ xenial-security universe
+# deb http://ports.ubuntu.com/ubuntu-ports/ xenial-security multiverse
+# deb-src http://ports.ubuntu.com/ubuntu-ports/ xenial-security multiverse

playbooks/roles/base-repos/files/sources.list.xenial.x86_64

@@ -0,0 +1,13 @@
+# This file is kept updated by ansible, adapted from
+# https://help.ubuntu.com/lts/serverguide/configuration.html
+
+deb http://us.archive.ubuntu.com/ubuntu xenial main restricted
+deb http://us.archive.ubuntu.com/ubuntu xenial-updates main restricted
+deb http://us.archive.ubuntu.com/ubuntu xenial universe
+deb http://us.archive.ubuntu.com/ubuntu xenial-updates universe
+deb http://us.archive.ubuntu.com/ubuntu xenial multiverse
+deb http://us.archive.ubuntu.com/ubuntu xenial-updates multiverse
+deb http://us.archive.ubuntu.com/ubuntu xenial-backports main restricted universe multiverse
+deb http://security.ubuntu.com/ubuntu xenial-security main restricted
+deb http://security.ubuntu.com/ubuntu xenial-security universe
+deb http://security.ubuntu.com/ubuntu xenial-security multiverse

playbooks/roles/base-repos/handlers/main.yaml

@@ -0,0 +1,3 @@
+- name: Update apt cache
+  apt:
+    update_cache: true

playbooks/roles/base-repos/tasks/Debian.yaml

@@ -0,0 +1,18 @@
+- name: Configure apt retries
+  copy:
+    mode: 0444
+    src: 80retry
+    dest: /etc/apt/apt.conf.d/80retry
+
+- name: Disable apt translations
+  copy:
+    mode: 0444
+    src: 90no-translations
+    dest: /etc/apt/apt.conf.d/90no-translations
+
+- name: Replace sources.list file
+  when: purge_apt_sources
+  copy:
+    src: 'sources.list.{{ ansible_facts.lsb.codename }}.{{ ansible_facts.architecture }}'
+    dest: /etc/apt/sources.list
+  notify: Update apt cache

playbooks/roles/base-repos/tasks/main.yaml

@@ -0,0 +1,6 @@
+- name: Set up additional repos
+  include_tasks: "{{ lookup('first_found', file_list) }}"
+  vars:
+    file_list:
+      - "{{ ansible_facts.distribution }}.yaml"
+      - "{{ ansible_facts.os_family }}.yaml"

playbooks/roles/base-server/defaults/main.yaml

@@ -0,0 +1,12 @@
+bastion_ipv4: 23.253.245.198
+bastion_ipv6: 2001:4800:7818:101:3c21:a454:23ed:4072
+base_packages:
+  - at
+  - git
+  - lvm2
+  - parted
+  - rsync
+  - rsyslog
+  - strace
+  - tcpdump
+  - wget

playbooks/roles/base-server/files/bash-history.sh

@@ -0,0 +1 @@
+export HISTTIMEFORMAT="%Y-%m-%dT%T%z "

playbooks/roles/base-server/files/debian_limits.conf

@@ -0,0 +1,4 @@
+# Original 1024
+*                soft   nofile           4096
+# Original 4096
+*                hard   nofile           8192

playbooks/roles/base-server/files/rsyslog.d_50-default.conf

@@ -0,0 +1,69 @@
+#  Default rules for rsyslog.
+#
+#			For more information see rsyslog.conf(5) and /etc/rsyslog.conf
+
+#
+# First some standard log files.  Log by facility.
+#
+auth,authpriv.*			/var/log/auth.log
+*.*;auth,authpriv.none		-/var/log/syslog
+#cron.*				/var/log/cron.log
+#daemon.*			-/var/log/daemon.log
+kern.*				-/var/log/kern.log
+#lpr.*				-/var/log/lpr.log
+mail.*				-/var/log/mail.log
+#user.*				-/var/log/user.log
+
+#
+# Logging for the mail system.  Split it up so that
+# it is easy to write scripts to parse these files.
+#
+#mail.info			-/var/log/mail.info
+#mail.warn			-/var/log/mail.warn
+mail.err			/var/log/mail.err
+
+#
+# Logging for INN news system.
+#
+news.crit			/var/log/news/news.crit
+news.err			/var/log/news/news.err
+news.notice			-/var/log/news/news.notice
+
+#
+# Some "catch-all" log files.
+#
+#*.=debug;\
+#	auth,authpriv.none;\
+#	news.none;mail.none	-/var/log/debug
+#*.=info;*.=notice;*.=warn;\
+#	auth,authpriv.none;\
+#	cron,daemon.none;\
+#	mail,news.none		-/var/log/messages
+
+#
+# Emergencies are sent to everybody logged in.
+#
+*.emerg                                :omusrmsg:*
+
+#
+# I like to have messages displayed on the console, but only on a virtual
+# console I usually leave idle.
+#
+#daemon,mail.*;\
+#	news.=crit;news.=err;news.=notice;\
+#	*.=debug;*.=info;\
+#	*.=notice;*.=warn	/dev/tty8
+
+# The named pipe /dev/xconsole is for the `xconsole' utility.  To use it,
+# you must invoke `xconsole' with the `-file' option:
+#
+#    $ xconsole -file /dev/xconsole [...]
+#
+# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
+#      busy site..
+#
+# Commenting out since we don't install xconsoles on headless servers.
+#daemon.*;mail.*;\
+#	news.err;\
+#	*.=debug;*.=info;\
+#	*.=notice;*.=warn	|/dev/xconsole

playbooks/roles/base-server/files/yum/yum-cron.conf

@@ -0,0 +1,81 @@
+[commands]
+#  What kind of update to use:
+# default                            = yum upgrade
+# security                           = yum --security upgrade
+# security-severity:Critical         = yum --sec-severity=Critical upgrade
+# minimal                            = yum --bugfix update-minimal
+# minimal-security                   = yum --security update-minimal
+# minimal-security-severity:Critical =  --sec-severity=Critical update-minimal
+update_cmd = default
+
+# Whether a message should be emitted when updates are available,
+# were downloaded, or applied.
+update_messages = yes
+
+# Whether updates should be downloaded when they are available.
+download_updates = yes
+
+# Whether updates should be applied when they are available.  Note
+# that download_updates must also be yes for the update to be applied.
+apply_updates = yes
+
+# Maximum amout of time to randomly sleep, in minutes.  The program
+# will sleep for a random amount of time between 0 and random_sleep
+# minutes before running.  This is useful for e.g. staggering the
+# times that multiple systems will access update servers.  If
+# random_sleep is 0 or negative, the program will run immediately.
+# 6*60 = 360
+random_sleep = 360
+
+
+[emitters]
+# Name to use for this system in messages that are emitted.  If
+# system_name is None, the hostname will be used.
+system_name = None
+
+# How to send messages.  Valid options are stdio and email.  If
+# emit_via includes stdio, messages will be sent to stdout; this is useful
+# to have cron send the messages.  If emit_via includes email, this
+# program will send email itself according to the configured options.
+# If emit_via is None or left blank, no messages will be sent.
+emit_via = stdio
+
+# The width, in characters, that messages that are emitted should be
+# formatted to.
+output_width = 80
+
+
+[email]
+# The address to send email messages from.
+# NOTE: 'localhost' will be replaced with the value of system_name.
+email_from = root@localhost
+
+# List of addresses to send messages to.
+email_to = root
+
+# Name of the host to connect to to send email messages.
+email_host = localhost
+
+
+[groups]
+# NOTE: This only works when group_command != objects, which is now the default
+# List of groups to update
+group_list = None
+
+# The types of group packages to install
+group_package_types = mandatory, default
+
+[base]
+# This section overrides yum.conf
+
+# Use this to filter Yum core messages
+# -4: critical
+# -3: critical+errors
+# -2: critical+errors+warnings (default)
+debuglevel = -2
+
+# skip_broken = True
+mdpolicy = group:main
+
+# Uncomment to auto-import new gpg keys (dangerous)
+# assumeyes = True

playbooks/roles/base-server/handlers/main.yaml

@@ -0,0 +1,4 @@
+- name: Restart rsyslog
+  service:
+    name: rsyslog
+    state: restarted

playbooks/roles/base-server/tasks/Debian.yaml

@@ -0,0 +1,20 @@
+- name: Remove packages that make no sense for servers
+  apt:
+    name: '{{ item }}'
+    state: absent
+  loop:
+    - whoopsie
+    - popularity-contest
+
+- name: Configure file limits
+  copy:
+    mode: 0644
+    src: debian_limits.conf
+    dest: /etc/security/limits.d/60-nofile-limit.conf
+
+- name: Custom rsyslog config to disable /dev/xconsole noise
+  copy:
+    mode: 0644
+    src: rsyslog.d_50-default.conf
+    dest: /etc/rsyslog.d/50-default.conf
+  notify: Restart rsyslog

playbooks/roles/base-server/tasks/RedHat.yaml

@@ -0,0 +1,22 @@
+# NOTE(pabelanger): We need to ensure ntpdate service starts on boot for
+# centos-7.  Currently, ntpd explicitly require ntpdate to be running before
+# the sync process can happen in ntpd.  As a result, if ntpdate is not
+# running, ntpd will start but fail to sync because of DNS is not properly
+# setup.
+- name: Ensure ntpdate service is running
+  service:
+    name: ntpdate
+    enabled: yes
+    state: running
+
+- name: Configure yum cron
+  copy:
+    mode: 0644
+    src: yum/yum-cron.conf
+    dest: /etc/yum/yum-cron.conf
+
+- name: Ensure yum cron service is running
+  service:
+    name: yum-cron
+    enabled: yes
+    state: running

playbooks/roles/base-server/tasks/Ubuntu.xenial.aarch64.yaml

@@ -0,0 +1,4 @@
+- name: Install HWE kernel for arm64
+  apt:
+    name: linux-generic-hwe-16.04
+    state: present

playbooks/roles/base-server/tasks/main.yaml

@@ -0,0 +1,62 @@
+- name: Install base packages
+  package:
+    state: present
+    name: '{{ item }}'
+  loop: '{{ base_packages }}'
+
+- name: Include OS-specific variables
+  include_vars: "{{ item }}"
+  with_first_found:
+    - "{{ ansible_facts.distribution }}.{{ ansible_facts.architecture }}.yaml"
+    - "{{ ansible_facts.distribution }}.yaml"
+    - "{{ ansible_facts.os_family }}.yaml"
+    - "default.yaml"
+
+- name: Install distro specific packages
+  package:
+    state: present
+    name: '{{ item }}'
+  loop: '{{ distro_packages }}'
+
+- name: Increase syslog message size in order to capture python tracebacks
+  copy:
+    content: '$MaxMessageSize 6k'
+    dest: /etc/rsyslog.d/99-maxsize.conf
+    mode: 0644
+  notify: Restart rsyslog
+
+- name: Ensure rsyslog is running
+  service:
+    name: rsyslog
+    enabled: yes
+    state: started
+
+- name: Set ssh key for managment
+  authorized_key:
+    state: present
+    user: root
+    key: |
+      ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDSLlN41ftgxkNeUi/kATYPwMPjJdMaSbgokSb9PSkRPZE7GeNai60BCfhu+ky8h5eMe70Bpwb7mQ7GAtHGXPNU1SRBPhMuVN9EYrQbt5KSiwuiTXtQHsWyYrSKtB+XGbl2PhpMQ/TPVtFoL5usxu/MYaakVkCEbt5IbPYNg88/NKPixicJuhi0qsd+l1X1zoc1+Fn87PlwMoIgfLIktwaL8hw9mzqr+pPcDIjCFQQWnjqJVEObOcMstBT20XwKj/ymiH+6p123nnlIHilACJzXhmIZIZO+EGkNF7KyXpcBSfv9efPI+VCE2TOv/scJFdEHtDFkl2kdUBYPC0wQ92rp puppet-remote-2014-09-15
+    key_options: |
+      from="{{ bastion_ipv4 }}:{{ bastion_ipv6 }},localhost"
+
+- name: Disable byobu
+  file:
+    path: /etc/profile.d/Z98-byobu.sh
+    state: absent
+
+- name: Setup RFC3339 bash history timestamps
+  copy:
+    mode: 0644
+    src: bash-history.sh
+    dest: /etc/profile.d/bash-history.sh
+
+- name: Include OS-specific tasks
+  include_tasks: "{{ lookup('first_found', file_list) }}"
+  static: no
+  vars:
+    file_list:
+      - "{{ ansible_facts.distribution }}.{{ ansible_facts.lsb.codename }}.{{ ansible_facts.architecture }}.yaml"
+      - "{{ ansible_facts.distribution }}.{{ ansible_facts.architecture }}.yaml"
+      - "{{ ansible_facts.distribution }}.yaml"
+      - "{{ ansible_facts.os_family }}.yaml"

playbooks/roles/base-server/vars/Debian.yaml

@@ -0,0 +1,3 @@
+distro_packages:
+  - dnsutils
+  - iputils-ping

playbooks/roles/base-server/vars/RedHat.yaml

@@ -0,0 +1,9 @@
+- distro_packages:
+  - bind-utils
+  - iputils
+  # Utils in ntp-perl are included in Debian's ntp package; we
+  # add it here for consistency.  See also
+  # https://tickets.puppetlabs.com/browse/MODULES-3660
+  - ntp-perl
+  - ntpdate
+  - yum-cron

playbooks/roles/users/defaults/main.yaml

@@ -0,0 +1,3 @@
+all_users: {}
+disabled_users: []
+extra_users: []

playbooks/roles/users/files/Debian/login.defs

@@ -0,0 +1,340 @@
+#
+# /etc/login.defs - Configuration control definitions for the login package.
+#
+# Three items must be defined:  MAIL_DIR, ENV_SUPATH, and ENV_PATH.
+# If unspecified, some arbitrary (and possibly incorrect) value will
+# be assumed.  All other items are optional - if not specified then
+# the described action or option will be inhibited.
+#
+# Comment lines (lines beginning with "#") and blank lines are ignored.
+#
+# Modified for Linux.  --marekm
+
+# REQUIRED for useradd/userdel/usermod
+#   Directory where mailboxes reside, _or_ name of file, relative to the
+#   home directory.  If you _do_ define MAIL_DIR and MAIL_FILE,
+#   MAIL_DIR takes precedence.
+#
+#   Essentially:
+#      - MAIL_DIR defines the location of users mail spool files
+#        (for mbox use) by appending the username to MAIL_DIR as defined
+#        below.
+#      - MAIL_FILE defines the location of the users mail spool files as the
+#        fully-qualified filename obtained by prepending the user home
+#        directory before $MAIL_FILE
+#
+# NOTE: This is no more used for setting up users MAIL environment variable
+#       which is, starting from shadow 4.0.12-1 in Debian, entirely the
+#       job of the pam_mail PAM modules
+#       See default PAM configuration files provided for
+#       login, su, etc.
+#
+# This is a temporary situation: setting these variables will soon
+# move to /etc/default/useradd and the variables will then be
+# no more supported
+MAIL_DIR        /var/mail
+#MAIL_FILE      .mail
+
+#
+# Enable logging and display of /var/log/faillog login failure info.
+# This option conflicts with the pam_tally PAM module.
+#
+FAILLOG_ENAB		yes
+
+#
+# Enable display of unknown usernames when login failures are recorded.
+#
+# WARNING: Unknown usernames may become world readable.
+# See #290803 and #298773 for details about how this could become a security
+# concern
+LOG_UNKFAIL_ENAB	no
+
+#
+# Enable logging of successful logins
+#
+LOG_OK_LOGINS		no
+
+#
+# Enable "syslog" logging of su activity - in addition to sulog file logging.
+# SYSLOG_SG_ENAB does the same for newgrp and sg.
+#
+SYSLOG_SU_ENAB		yes
+SYSLOG_SG_ENAB		yes
+
+#
+# If defined, all su activity is logged to this file.
+#
+#SULOG_FILE	/var/log/sulog
+
+#
+# If defined, file which maps tty line to TERM environment parameter.
+# Each line of the file is in a format something like "vt100  tty01".
+#
+#TTYTYPE_FILE	/etc/ttytype
+
+#
+# If defined, login failures will be logged here in a utmp format
+# last, when invoked as lastb, will read /var/log/btmp, so...
+#
+FTMP_FILE	/var/log/btmp
+
+#
+# If defined, the command name to display when running "su -".  For
+# example, if this is defined as "su" then a "ps" will display the
+# command is "-su".  If not defined, then "ps" would display the
+# name of the shell actually being run, e.g. something like "-sh".
+#
+SU_NAME		su
+
+#
+# If defined, file which inhibits all the usual chatter during the login
+# sequence.  If a full pathname, then hushed mode will be enabled if the
+# user's name or shell are found in the file.  If not a full pathname, then
+# hushed mode will be enabled if the file exists in the user's home directory.
+#
+HUSHLOGIN_FILE	.hushlogin
+#HUSHLOGIN_FILE	/etc/hushlogins
+
+#
+# *REQUIRED*  The default PATH settings, for superuser and normal users.
+#
+# (they are minimal, add the rest in the shell startup files)
+ENV_SUPATH	PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+ENV_PATH	PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
+
+#
+# Terminal permissions
+#
+#	TTYGROUP	Login tty will be assigned this group ownership.
+#	TTYPERM		Login tty will be set to this permission.
+#
+# If you have a "write" program which is "setgid" to a special group
+# which owns the terminals, define TTYGROUP to the group number and
+# TTYPERM to 0620.  Otherwise leave TTYGROUP commented out and assign
+# TTYPERM to either 622 or 600.
+#
+# In Debian /usr/bin/bsd-write or similar programs are setgid tty
+# However, the default and recommended value for TTYPERM is still 0600
+# to not allow anyone to write to anyone else console or terminal
+
+# Users can still allow other people to write them by issuing
+# the "mesg y" command.
+
+TTYGROUP	tty
+TTYPERM		0600
+
+#
+# Login configuration initializations:
+#
+#	ERASECHAR	Terminal ERASE character ('\010' = backspace).
+#	KILLCHAR	Terminal KILL character ('\025' = CTRL/U).
+#	UMASK		Default "umask" value.
+#
+# The ERASECHAR and KILLCHAR are used only on System V machines.
+#
+# UMASK is the default umask value for pam_umask and is used by
+# useradd and newusers to set the mode of the new home directories.
+# 022 is the "historical" value in Debian for UMASK
+# 027, or even 077, could be considered better for privacy
+# There is no One True Answer here : each sysadmin must make up his/her
+# mind.
+#
+# If USERGROUPS_ENAB is set to "yes", that will modify this UMASK default value
+# for private user groups, i. e. the uid is the same as gid, and username is
+# the same as the primary group name: for these, the user permissions will be
+# used as group permissions, e. g. 022 will become 002.
+#
+# Prefix these values with "0" to get octal, "0x" to get hexadecimal.
+#
+ERASECHAR	0177
+KILLCHAR	025
+UMASK		022
+
+#
+# Password aging controls:
+#
+#	PASS_MAX_DAYS	Maximum number of days a password may be used.
+#	PASS_MIN_DAYS	Minimum number of days allowed between password changes.
+#	PASS_WARN_AGE	Number of days warning given before a password expires.
+#
+PASS_MAX_DAYS	99999
+PASS_MIN_DAYS	0
+PASS_WARN_AGE	7
+
+#
+# Min/max values for automatic uid selection in useradd
+#
+SYS_UID_MAX		  999
+UID_MIN			 3000
+UID_MAX			60000
+# System accounts
+#SYS_UID_MIN		  100
+#SYS_UID_MAX		  999
+
+#
+# Min/max values for automatic gid selection in groupadd
+#
+SYS_GID_MAX		  999
+GID_MIN			 3000
+GID_MAX			60000
+# System accounts
+#SYS_GID_MIN		  100
+#SYS_GID_MAX		  999
+
+#
+# Max number of login retries if password is bad. This will most likely be
+# overriden by PAM, since the default pam_unix module has it's own built
+# in of 3 retries. However, this is a safe fallback in case you are using
+# an authentication module that does not enforce PAM_MAXTRIES.
+#
+LOGIN_RETRIES		5
+
+#
+# Max time in seconds for login
+#
+LOGIN_TIMEOUT		60
+
+#
+# Which fields may be changed by regular users using chfn - use
+# any combination of letters "frwh" (full name, room number, work
+# phone, home phone).  If not defined, no changes are allowed.
+# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
+#
+CHFN_RESTRICT		rwh
+
+#
+# Should login be allowed if we can't cd to the home directory?
+# Default in no.
+#
+DEFAULT_HOME	yes
+
+#
+# If defined, this command is run when removing a user.
+# It should remove any at/cron/print jobs etc. owned by
+# the user to be removed (passed as the first argument).
+#
+#USERDEL_CMD	/usr/sbin/userdel_local
+
+#
+# Enable setting of the umask group bits to be the same as owner bits
+# (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is
+# the same as gid, and username is the same as the primary group name.
+#
+# If set to yes, userdel will remove the user´s group if it contains no
+# more members, and useradd will create by default a group with the name
+# of the user.
+#
+USERGROUPS_ENAB yes
+
+#
+# Instead of the real user shell, the program specified by this parameter
+# will be launched, although its visible name (argv[0]) will be the shell's.
+# The program may do whatever it wants (logging, additional authentification,
+# banner, ...) before running the actual shell.
+#
+# FAKE_SHELL /bin/fakeshell
+
+#
+# If defined, either full pathname of a file containing device names or
+# a ":" delimited list of device names.  Root logins will be allowed only
+# upon these devices.
+#
+# This variable is used by login and su.
+#
+#CONSOLE	/etc/consoles
+#CONSOLE	console:tty01:tty02:tty03:tty04
+
+#
+# List of groups to add to the user's supplementary group set
+# when logging in on the console (as determined by the CONSOLE
+# setting).  Default is none.
+#
+# Use with caution - it is possible for users to gain permanent
+# access to these groups, even when not logged in on the console.
+# How to do it is left as an exercise for the reader...
+#
+# This variable is used by login and su.
+#
+#CONSOLE_GROUPS		floppy:audio:cdrom
+
+#
+# If set to "yes", new passwords will be encrypted using the MD5-based
+# algorithm compatible with the one used by recent releases of FreeBSD.
+# It supports passwords of unlimited length and longer salt strings.
+# Set to "no" if you need to copy encrypted passwords to other systems
+# which don't understand the new algorithm.  Default is "no".
+#
+# This variable is deprecated. You should use ENCRYPT_METHOD.
+#
+#MD5_CRYPT_ENAB	no
+
+#
+# If set to MD5 , MD5-based algorithm will be used for encrypting password
+# If set to SHA256, SHA256-based algorithm will be used for encrypting password
+# If set to SHA512, SHA512-based algorithm will be used for encrypting password
+# If set to DES, DES-based algorithm will be used for encrypting password (default)
+# Overrides the MD5_CRYPT_ENAB option
+#
+# Note: It is recommended to use a value consistent with
+# the PAM modules configuration.
+#
+ENCRYPT_METHOD SHA512
+
+#
+# Only used if ENCRYPT_METHOD is set to SHA256 or SHA512.
+#
+# Define the number of SHA rounds.
+# With a lot of rounds, it is more difficult to brute forcing the password.
+# But note also that it more CPU resources will be needed to authenticate
+# users.
+#
+# If not specified, the libc will choose the default number of rounds (5000).
+# The values must be inside the 1000-999999999 range.
+# If only one of the MIN or MAX values is set, then this value will be used.
+# If MIN > MAX, the highest value will be used.
+#
+# SHA_CRYPT_MIN_ROUNDS 5000
+# SHA_CRYPT_MAX_ROUNDS 5000
+
+################# OBSOLETED BY PAM ##############
+#						#
+# These options are now handled by PAM. Please	#
+# edit the appropriate file in /etc/pam.d/ to	#
+# enable the equivelants of them.
+#
+###############
+
+#MOTD_FILE
+#DIALUPS_CHECK_ENAB
+#LASTLOG_ENAB
+#MAIL_CHECK_ENAB
+#OBSCURE_CHECKS_ENAB
+#PORTTIME_CHECKS_ENAB
+#SU_WHEEL_ONLY
+#CRACKLIB_DICTPATH
+#PASS_CHANGE_TRIES
+#PASS_ALWAYS_WARN
+#ENVIRON_FILE
+#NOLOGINS_FILE
+#ISSUE_FILE
+#PASS_MIN_LEN
+#PASS_MAX_LEN
+#ULIMIT
+#ENV_HZ
+#CHFN_AUTH
+#CHSH_AUTH
+#FAIL_DELAY
+
+################# OBSOLETED #######################
+#						  #
+# These options are no more handled by shadow.    #
+#                                                 #
+# Shadow utilities will display a warning if they #
+# still appear.                                   #
+#                                                 #
+###################################################
+
+# CLOSE_SESSIONS
+# LOGIN_STRING
+# NO_PASSWORD_CONSOLE
+# QMAIL_DIR

playbooks/roles/users/files/RedHat/login.defs

@@ -0,0 +1,69 @@
+#
+# Please note that the parameters in this configuration file control the
+# behavior of the tools from the shadow-utils component. None of these
+# tools uses the PAM mechanism, and the utilities that use PAM (such as the
+# passwd command) should therefore be configured elsewhere. Refer to
+# /etc/pam.d/system-auth for more information.
+#
+
+# *REQUIRED*
+#   Directory where mailboxes reside, _or_ name of file, relative to the
+#   home directory.  If you _do_ define both, MAIL_DIR takes precedence.
+#   QMAIL_DIR is for Qmail
+#
+#QMAIL_DIR	Maildir
+MAIL_DIR	/var/spool/mail
+#MAIL_FILE	.mail
+
+# Password aging controls:
+#
+#	PASS_MAX_DAYS	Maximum number of days a password may be used.
+#	PASS_MIN_DAYS	Minimum number of days allowed between password changes.
+#	PASS_MIN_LEN	Minimum acceptable password length.
+#	PASS_WARN_AGE	Number of days warning given before a password expires.
+#
+PASS_MAX_DAYS	99999
+PASS_MIN_DAYS	0
+PASS_MIN_LEN	5
+PASS_WARN_AGE	7
+
+#
+# Min/max values for automatic uid selection in useradd
+#
+SYS_UID_MIN		  201
+SYS_UID_MAX		  499
+UID_MIN			 3000
+UID_MAX			60000
+
+#
+# Min/max values for automatic gid selection in groupadd
+#
+SYS_GID_MIN		  201
+SYS_GID_MAX		  499
+GID_MIN			 3000
+GID_MAX			60000
+
+#
+# If defined, this command is run when removing a user.
+# It should remove any at/cron/print jobs etc. owned by
+# the user to be removed (passed as the first argument).
+#
+#USERDEL_CMD	/usr/sbin/userdel_local
+
+#
+# If useradd should create home directories for users by default
+# On RH systems, we do. This option is overridden with the -m flag on
+# useradd command line.
+#
+CREATE_HOME	yes
+
+# The permission mask is initialized to this value. If not specified,
+# the permission mask will be initialized to 022.
+UMASK           077
+
+# This enables userdel to remove user groups if no members exist.
+#
+USERGROUPS_ENAB yes
+
+# Use SHA512 to encrypt password.
+ENCRYPT_METHOD SHA512

playbooks/roles/users/tasks/main.yaml

@@ -0,0 +1,49 @@
+- name: Setup login.defs file
+  copy:
+    dest: /etc/login.defs
+    src: '{{ ansible_facts.os_family }}/login.defs'
+    owner: root
+    group: root
+    mode: 0644
+
+- name: Delete old users
+  loop: "{{ disabled_users }}"
+  user:
+    name: "{{ item }}"
+    state: absent
+    remove: yes
+
+- name: Add groups
+  loop: "{{ base_users + extra_users }}"
+  group:
+    name: "{{ item }}"
+    state: present
+    gid: "{{ all_users[item].gid|default(omit) }}"