diff --git a/launch/dns.py b/launch/dns.py index 22addc6b8f..573040514d 100755 --- a/launch/dns.py +++ b/launch/dns.py @@ -43,35 +43,35 @@ def print_dns(cloud, server): raise href = get_href(raw_server) - print - print "Run the following commands to set up DNS:" - print - print ". ~root/ci-launch/openstackci-rs-nova.sh" - print ". ~root/rackdns-venv/bin/activate" - print - print ( + print("\n") + print("Run the following commands to set up DNS:") + print("\n") + print(". ~root/ci-launch/openstackci-rs-nova.sh") + print(". ~root/rackdns-venv/bin/activate") + print("\n") + print( "rackdns rdns-create --name %s \\\n" " --data %s \\\n" " --server-href %s \\\n" " --ttl 3600" % ( server.name, ip6, href)) - print - print ( + print("\n") + print( "rackdns rdns-create --name %s \\\n" " --data %s \\\n" " --server-href %s \\\n" " --ttl 3600" % ( server.name, ip4, href)) - print - print ". ~root/ci-launch/openstack-rs-nova.sh" - print - print ( + print("\n") + print(". ~root/ci-launch/openstack-rs-nova.sh") + print("\n") + print( "rackdns record-create --name %s \\\n" " --type AAAA --data %s \\\n" " --ttl 3600 openstack.org" % ( server.name, ip6)) - print - print ( + print("\n") + print( "rackdns record-create --name %s \\\n" " --type A --data %s \\\n" " --ttl 3600 openstack.org" % ( diff --git a/launch/launch-node-ansible.py b/launch/launch-node-ansible.py new file mode 100755 index 0000000000..23cc793c20 --- /dev/null +++ b/launch/launch-node-ansible.py @@ -0,0 +1,353 @@ +#!/usr/bin/env python + +# Launch a new OpenStack project infrastructure node. + +# Copyright (C) 2011-2012 OpenStack LLC. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# +# See the License for the specific language governing permissions and +# limitations under the License. + +import argparse +import os +import shutil +import subprocess +import sys +import threading +import tempfile +import time +import traceback + +import dns +import utils + +import openstack +import os_client_config +import paramiko + +SCRIPT_DIR = os.path.dirname(sys.argv[0]) + +try: + # This unactionable warning does not need to be printed over and over. + import requests.packages.urllib3 + requests.packages.urllib3.disable_warnings() +except: + pass + + +class JobDir(object): + def __init__(self, keep=False): + self.keep = keep + self.root = tempfile.mkdtemp() + self.inventory_root = os.path.join(self.root, 'inventory') + os.makedirs(self.inventory_root) + self.hosts = os.path.join(self.inventory_root, 'hosts') + self.groups = os.path.join(self.inventory_root, 'groups') + self.key = os.path.join(self.root, 'id_rsa') + self.ansible_log = os.path.join(self.root, 'ansible_log.txt') + # XXX if we need more, we might like to setup an ansible.cfg + # file and use that rather than env vars. See + # zuul/launcher/ansiblelaunchserver.py as an example + self.env = os.environ.copy() + self.env['ANSIBLE_LOG_PATH'] = self.ansible_log + + def __enter__(self): + return self + + def __exit__(self, etype, value, tb): + if not self.keep: + shutil.rmtree(self.root) + + +def run(cmd, **args): + args['stdout'] = subprocess.PIPE + args['stderr'] = subprocess.STDOUT + print("Running: %s" % (cmd,)) + proc = subprocess.Popen(cmd, **args) + out = '' + for line in iter(proc.stdout.readline, b''): + line = line.decode('utf-8') + sys.stdout.write(line) + sys.stdout.flush() + out += line + ret = proc.wait() + print("Return code: %s" % (ret,)) + if ret != 0: + raise subprocess.CalledProcessError(ret, cmd, out) + return ret + + +def stream_syslog(ssh_client): + try: + ssh_client.ssh('tail -f /var/log/syslog') + except Exception: + print("Syslog stream terminated") + + +def bootstrap_server(server, key, name, volume_device, keep, + mount_path, fs_label, environment): + + ip = server.public_v4 + ssh_kwargs = dict(pkey=key) + + print("--- Running initial configuration on host %s ---" % ip) + for username in ['root', 'ubuntu', 'centos', 'admin']: + ssh_client = utils.ssh_connect(ip, username, ssh_kwargs, timeout=600) + if ssh_client: + break + + if not ssh_client: + raise Exception("Unable to log in via SSH") + + # cloud-init puts the "please log in as user foo" message and + # subsequent exit() in root's authorized_keys -- overwrite it with + # a normal version to get root login working again. + if username != 'root': + ssh_client.ssh("sudo cp ~/.ssh/authorized_keys" + " ~root/.ssh/authorized_keys") + ssh_client.ssh("sudo chmod 644 ~root/.ssh/authorized_keys") + ssh_client.ssh("sudo chown root.root ~root/.ssh/authorized_keys") + + ssh_client = utils.ssh_connect(ip, 'root', ssh_kwargs, timeout=600) + + # Something up with RAX images that they have the ipv6 interface in + # /etc/network/interfaces but eth0 hasn't noticed yet; reload it + ssh_client.ssh('(ifdown eth0 && ifup eth0) || true') + + if server.public_v6: + ssh_client.ssh('ping6 -c5 -Q 0x10 review.openstack.org ' + '|| ping6 -c5 -Q 0x10 wiki.openstack.org') + + ssh_client.scp(os.path.join(SCRIPT_DIR, '..', 'make_swap.sh'), + 'make_swap.sh') + ssh_client.ssh('bash -x make_swap.sh') + + if volume_device: + ssh_client.scp(os.path.join(SCRIPT_DIR, '..', 'mount_volume.sh'), + 'mount_volume.sh') + ssh_client.ssh('bash -x mount_volume.sh %s %s %s' % + (volume_device, mount_path, fs_label)) + + with JobDir(keep) as jobdir: + # Update the generated-groups file globally and incorporate it + # into our inventory + # Remove cloud and region from the environment to work + # around a bug in occ + expand_env = os.environ.copy() + for env_key in list(expand_env.keys()): + if env_key.startswith('OS_'): + expand_env.pop(env_key, None) + expand_env['ANSIBLE_LOG_PATH'] = jobdir.ansible_log + + # Write out the private SSH key we generated + with open(jobdir.key, 'w') as key_file: + key.write_private_key(key_file) + os.chmod(jobdir.key, 0o600) + + # Write out inventory + with open(jobdir.hosts, 'w') as inventory_file: + inventory_file.write( + "{host} ansible_host={ip} ansible_user=root {python}".format( + host=name, ip=server.interface_ip, + python='ansible_python_interpreter=/usr/bin/python3')) + + t = threading.Thread(target=stream_syslog, args=(ssh_client,)) + t.daemon = True + t.start() + + ansible_cmd = [ + 'ansible-playbook', + '-i', jobdir.inventory_root, '-l', name, + '--private-key={key}'.format(key=jobdir.key), + "--ssh-common-args='-o StrictHostKeyChecking=no'", + '-e', 'target={name}'.format(name=name), + ] + + # Run the remote puppet apply playbook limited to just this server + # we just created + for playbook in [ + 'set-hostnames.yaml', + 'base.yaml', + ]: + run(ansible_cmd + [ + os.path.join(SCRIPT_DIR, '..', 'playbooks', playbook)], + env=jobdir.env) + + try: + ssh_client.ssh("reboot") + except Exception as e: + # Some init system kill the connection too fast after reboot. + # Deal with it by ignoring ssh errors when rebooting. + if e.rc == -1: + pass + else: + raise + + +def build_server(cloud, name, image, flavor, + volume, keep, network, boot_from_volume, config_drive, + mount_path, fs_label, availability_zone, environment): + key = None + server = None + + create_kwargs = dict(image=image, flavor=flavor, name=name, + reuse_ips=False, wait=True, + boot_from_volume=boot_from_volume, + network=network, + config_drive=config_drive) + + if availability_zone: + create_kwargs['availability_zone'] = availability_zone + + if volume: + create_kwargs['volumes'] = [volume] + + key_name = 'launch-%i' % (time.time()) + key = paramiko.RSAKey.generate(2048) + public_key = key.get_name() + ' ' + key.get_base64() + cloud.create_keypair(key_name, public_key) + create_kwargs['key_name'] = key_name + + try: + server = cloud.create_server(**create_kwargs) + except Exception: + try: + cloud.delete_keypair(key_name) + except Exception: + print("Exception encountered deleting keypair:") + traceback.print_exc() + raise + + try: + cloud.delete_keypair(key_name) + + server = cloud.get_openstack_vars(server) + if volume: + volume = cloud.get_volume(volume) + volume_device = cloud.get_volume_attach_device(volume, + server['id']) + else: + volume_device = None + bootstrap_server(server, key, name, volume_device, keep, + mount_path, fs_label, environment) + print('UUID=%s\nIPV4=%s\nIPV6=%s\n' % ( + server.id, server.public_v4, server.public_v6)) + except Exception: + print("****") + print("Server %s failed to build!" % (server.id)) + try: + if keep: + print("Keeping as requested") + # Write out the private SSH key we generated, as we + # may not have got far enough for ansible to run + with open('/tmp/%s.id_rsa' % server.id, 'w') as key_file: + key.write_private_key(key_file) + os.chmod(key_file.name, 0o600) + print("Private key saved in %s" % key_file.name) + print( + "Run to delete -> openstack server delete %s" % \ + (server.id)) + else: + cloud.delete_server(server.id, delete_ips=True) + except Exception: + print("Exception encountered deleting server:") + traceback.print_exc() + print("The original exception follows:") + print("****") + # Raise the important exception that started this + raise + + return server + + +def main(): + parser = argparse.ArgumentParser() + parser.add_argument("name", help="server name") + parser.add_argument("--cloud", dest="cloud", required=True, + help="cloud name") + parser.add_argument("--region", dest="region", + help="cloud region") + parser.add_argument("--flavor", dest="flavor", default='1GB', + help="name (or substring) of flavor") + parser.add_argument("--image", dest="image", + default="Ubuntu 18.04 LTS (Bionic Beaver) (PVHVM)", + help="image name") + parser.add_argument("--environment", dest="environment", + help="Puppet environment to use", + default=None) + parser.add_argument("--volume", dest="volume", + help="UUID of volume to attach to the new server.", + default=None) + parser.add_argument("--mount-path", dest="mount_path", + help="Path to mount cinder volume at.", + default=None) + parser.add_argument("--fs-label", dest="fs_label", + help="FS label to use when mounting cinder volume.", + default=None) + parser.add_argument("--boot-from-volume", dest="boot_from_volume", + help="Create a boot volume for the server and use it.", + action='store_true', + default=False) + parser.add_argument("--keep", dest="keep", + help="Don't clean up or delete the server on error.", + action='store_true', + default=False) + parser.add_argument("--verbose", dest="verbose", default=False, + action='store_true', + help="Be verbose about logging cloud actions") + parser.add_argument("--network", dest="network", default=None, + help="network label to attach instance to") + parser.add_argument("--config-drive", dest="config_drive", + help="Boot with config_drive attached.", + action='store_true', + default=False) + parser.add_argument("--az", dest="availability_zone", default=None, + help="AZ to boot in.") + options = parser.parse_args() + + openstack.enable_logging(debug=options.verbose) + + cloud_kwargs = {} + if options.region: + cloud_kwargs['region_name'] = options.region + cloud = openstack.connect(cloud=options.cloud, **cloud_kwargs) + + flavor = cloud.get_flavor(options.flavor) + if flavor: + print("Found flavor", flavor.name) + else: + print("Unable to find matching flavor; flavor list:") + for i in cloud.list_flavors(): + print(i.name) + sys.exit(1) + + image = cloud.get_image_exclude(options.image, 'deprecated') + if image: + print("Found image", image.name) + else: + print("Unable to find matching image; image list:") + for i in cloud.list_images(): + print(i.name) + sys.exit(1) + + server = build_server(cloud, options.name, image, flavor, + options.volume, options.keep, + options.network, options.boot_from_volume, + options.config_drive, + options.mount_path, options.fs_label, + options.availability_zone, + options.environment) + dns.print_dns(cloud, server) + +if __name__ == '__main__': + main() diff --git a/launch/launch-node.py b/launch/launch-node.py index 080fd5709d..1d164aa24e 100755 --- a/launch/launch-node.py +++ b/launch/launch-node.py @@ -206,7 +206,7 @@ def bootstrap_server(server, key, name, volume_device, keep, # Run the remote puppet apply playbook limited to just this server # we just created for playbook in [ - 'set_hostnames.yml', + 'set-hostnames.yaml', 'remote_puppet_adhoc.yaml']: run(ansible_cmd + [ os.path.join(SCRIPT_DIR, '..', 'playbooks', playbook)], diff --git a/launch/utils.py b/launch/utils.py index 077a1e32a3..3e1387dfe2 100644 --- a/launch/utils.py +++ b/launch/utils.py @@ -43,7 +43,7 @@ def ssh_connect(ip, username, connect_kwargs={}, timeout=60): client = SSHClient(ip, username, **connect_kwargs) break except socket.error as e: - print "While testing ssh access:", e + print("While testing ssh access:", e) time.sleep(5) except paramiko.ssh_exception.AuthenticationException: return None diff --git a/make_swap.sh b/make_swap.sh index 6939ba82ac..0713cf8905 100644 --- a/make_swap.sh +++ b/make_swap.sh @@ -27,7 +27,7 @@ if [ `grep SwapTotal /proc/meminfo | awk '{ print $2; }'` -eq 0 ]; then MEMKB=`grep MemTotal /proc/meminfo | awk '{print $2; }'` # Use the nearest power of two in MB as the swap size. # This ensures that the partitions below are aligned properly. - MEM=`python -c "import math ; print 2**int(round(math.log($MEMKB/1024, 2)))"` + MEM=`python3 -c "import math ; print(2**int(round(math.log($MEMKB/1024, 2))))"` if mount | grep ${DEV} > /dev/null; then echo "*** ${DEV} appears to already be mounted" echo "*** ${DEV} unmounting and reformating" diff --git a/modules/openstack_project/files/puppetmaster/groups.txt b/modules/openstack_project/files/puppetmaster/groups.txt index 6ba474f1bd..4b050cdcbf 100644 --- a/modules/openstack_project/files/puppetmaster/groups.txt +++ b/modules/openstack_project/files/puppetmaster/groups.txt @@ -11,6 +11,7 @@ files ~files\d+\.openstack\.org git-loadbalancer ~git(-fe\d+)?\.openstack\.org git-server ~git\d+\.openstack\.org logstash-worker ~logstash-worker\d+\.openstack\.org +mailman ~lists\d*\.openstack\.org:~lists\d*\.katacontainers\.io nodepool nodepool*.openstack.org:nb*.openstack.org:nl*.openstack.org review ~review\d+\.openstack\.org review-dev ~review-dev\d*\.openstack\.org diff --git a/playbooks/base.yaml b/playbooks/base.yaml new file mode 100644 index 0000000000..814e2f663c --- /dev/null +++ b/playbooks/base.yaml @@ -0,0 +1,5 @@ +- hosts: "!disabled" + roles: + - users + - base-repos + - base-server diff --git a/playbooks/group_vars/all.yaml b/playbooks/group_vars/all.yaml index 39e8789cf2..cac3158d80 100644 --- a/playbooks/group_vars/all.yaml +++ b/playbooks/group_vars/all.yaml @@ -10,3 +10,208 @@ puppet: copy_puppet: true manifest: /opt/system-config/production/manifests/site.pp manifest_base: /opt/system-config + +all_users: + mordred: + comment: Monty Taylor + key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDLsTZJ8hXTmzjKxYh/7V07mIy8xl2HL+9BaUlt6A6TMsL3LSvaVQNSgmXX5g0XfPWSCKmkZb1O28q49jQI2n7n7+sHkxn0dJDxj1N2oNrzNY7pDuPrdtCijczLFdievygXNhXNkQ2WIqHXDquN/jfLLJ9L0jxtxtsUMbiL2xxZEZcaf/K5MqyPhscpqiVNE1MjE4xgPbIbv8gCKtPpYIIrktOMb4JbV7rhOp5DcSP5gXtLhOF5fbBpZ+szqrTVUcBX0oTYr3iRfOje9WPsTZIk9vBfBtF416mCNxMSRc7KhSW727AnUu85hS0xiP0MRAf69KemG1OE1pW+LtDIAEYp mordred@camelot + uid: 2000 + gid: 2000 + + corvus: + comment: James E. Blair + key: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAvKYcWK1T7e3PKSFiqb03EYktnoxVASpPoq2rJw2JvhsP0JfS+lKrPzpUQv7L4JCuQMsPNtZ8LnwVEft39k58Kh8XMebSfaqPYAZS5zCNvQUQIhP9myOevBZf4CDeG+gmssqRFcWEwIllfDuIzKBQGVbomR+Y5QuW0HczIbkoOYI6iyf2jB6xg+bmzR2HViofNrSa62CYmHS6dO04Z95J27w6jGWpEOTBjEQvnb9sdBc4EzaBVmxCpa2EilB1u0th7/DvuH0yP4T+X8G8UjW1gZCTOVw06fqlBCST4KjdWw1F/AuOCT7048klbf4H+mCTaEcPzzu3Fkv8ckMWtS/Z9Q== jeblair@operational-necessity + uid: 2001 + gid: 2001 + + smaffulli: + comment: Stefano Maffulli + key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDD/zAvXaOUXCAT6/B4sCMu/38d/PyOIg/tYsYFAMgfDUzuZwkjZWNGrTpp/HFrOAZISER5KmOg48DKPvm91AeZOHfAXHCP6x9/FcogP9rmc48ym1B5XyIc78QVQjgN6JMSlEZsl0GWzFhQsPDjXundflY07TZfSC1IhpG9UgzamEVFcRjmNztnBuvq2uYVGpdI+ghmqFw9kfvSXJvUbj/F7Pco5XyJBx2e+gofe+X/UNee75xgoU/FyE2a6dSSc4uP4oUBvxDNU3gIsUKrSCmV8NuVQvMB8C9gXYR+JqtcvUSS9DdUAA8StP65woVsvuU+lqb+HVAe71JotDfOBd6f stefano@mattone-E6420 + uid: 2002 + gid: 2002 + + oubiwann: + comment: Duncan McGreggor + uid: 2003 + gid: 2003 + + rockstar: + comment: Paul Hummer + uid: 2004 + gid: 2004 + + clarkb: + comment: Clark Boylan + key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCnfoVhOTkrY7uoebL8PoHXb0Fg4jJqGCbwkxUdNUdheIdbnfyjuRG3iL8WZnzf7nzWnD+IGo6kkAo8BkNMK9L0P0Y+5IjI8NH49KU22tQ1umij4EIf5tzLh4gsqkJmy6QLrlbf10m6UF4rLFQhKzOd4b2H2K6KbP00CIymvbW3BwvNDODM4xRE2uao387qfvXZBUkB0PpRD+7fWPoN58gpFUm407Eba3WwX5PCD+1DD+RVBsG8maIDXerQ7lvFLoSuyMswv1TfkvCj0ZFhSFbfTd2ZysCu6eryFfeixR7NY9SNcp9YTqG6LrxGA7Ci6wz+hycFHXlDrlBgfFJDe5At clark@work + uid: 2005 + gid: 2005 + + rlane: + comment: Ryan Lane + key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCdtI7H+fsgSrjrdG8aGVcrN0GFW3XqLVsLG4n7JW4qH2W//hqgdL7A7cNVQNPoB9I1jAqvnO2Ct6wrVSh84QU89Uufw412M3qNSNeiGgv2c2KdxP2XBrnsLYAaJRbgOWJX7nty1jpO0xwF503ky2W3OMUsCXMAbYmYNSod6gAdzf5Xgo/3+eXRh7NbV1eKPrzwWoMOYh9T0Mvmokon/GXV5PiAA2bIaQvCy4BH/BzWiQwRM7KtiEt5lHahY172aEu+dcWxciuxHqkYqlKhbU+x1fwZJ+MpXSj5KBU+L0yf3iKySob7g6DZDST/Ylcm4MMjpOy8/9Cc6Xgpx77E/Pvd laner@Free-Public-Wifi.local + uid: 2006 + gid: 2006 + + fungi: + comment: Jeremy Stanley + key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD3KnRBTH5QPpKjf4RWu4akzYt2gwp796cMkFl5vu8e7G/cHuh4979FeNJXMVP6F3rvZB+yXDHLCU5LBVLq0K+1GbAZT/hH38hpMOIvniwKIquvI6C/drkVPHO6YmVlapw/NI530PGnT/TAqCOycHBO5eF1bYsaqV1yZqvs9v7UZc6J4LukoLZwpmyWZ5P3ltAiiy8+FGq3SLCKWDMmv/Bjz4zTsaNbSWThJi0BydINjC1/0ze5Tyc/XgW1sDuxmmXJxgQp4EvLpronqb2hT60iA52kj8lrmoCIryRpgnbaRA7BrxKF8zIr0ZALHijxEUeWHhFJDIVRGUf0Ef0nrmBv fungi-openstack-2015 + uid: 2007 + gid: 2007 + + ttx: + comment: Thierry Carrez + key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDCGpMtSehQNZL0/EJ7VUbklJygsxvii2Qi4HPSUFcLJUWAx4VltsmPkmx43D9ITwnRPRMPNtZrOvhY7v0myVlFuRnyTYAqZwigf5gxrktb+4PwCWb+2XobziUVnfJlbOTjneWSTYoZ+OjTaWd5AcVbUvgYAP2qbddycc5ACswpPDo5VrS6fQfCwE4z3BqLFNeOnqxbECHwHeFYIR6Kd6mnKAzDNZxZIkviWg9eIwwuFf5V5bUPiVkeFHVL3EJlCoYs2Em4bvYZBtrV7kUseN85X/+5Uail4uYBEcB3GLL32e6HeD1Qk4xIxLTI2bFPGUp0Oq7iPgrQQe4zCBsGi7Dx+JVy+U0JqLLAN94UPCn2fhsX7PdKfTPcxFPFKeX/PRutkb7qxdbS2ubCdOEhc6WN7OkQmbdK8lk6ms4v4dFc0ooMepWELqKC6thICsVdizpuij0+h8c4SRD3gtwGDPxrkJcodPoAimVVlW1p+RpMxsCFrK473TzgeNPVeAdSZVpqZ865VOwFqoFQB6WpmCDZQPFlkS2VDe9R54ePDHWKYLvVW6yvQqWTx3KrIrS1twSoydj+gADgBYsZaW5MNkWYHAWotEX67j6fMZ6ZSTS5yaTeLywB2Ykh0kjo4jpTFk5JNL7DINkfmCEZMLw60da29iN4QzAJr9cP1bwjf/QDqw== ttx@mercury + uid: 2008 + gid: 2008 + + rbryant: + comment: Russell Bryant + key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZVikFz5KoRg3gKdiSa3PQ0i2bN5+bUyc4lMMg6P+jEStVddwN+nAgpa3zJaokmNAOp+MjcGa7K1Zi4b9Fe2ufusTzSKdNVlRDiw0R4Lk0LwTIfkhLywKvgcAz8hkqWPUIgTMU4xIizh50KTL9Ttsu9ULop8t7urTpPE4TthHX4nz1Y9NwYLU0W8cWhzgRonBbqtGs/Lif0NC+TdWGkVyTaP3x1A48s0SMPcZKln1hDv7KbKdknG4XyS4jlr4qI+R+har7m2ED/PH93PSXi5QnT4U6laWRg03HTxpPKWq077u/tPW9wcbkgpBcYMmDKTo/NDPtoN+r/jkbdW7zKJHx russel@russelbryant.net + uid: 2009 + gid: 2009 + + pabelanger: + comment: Paul Belanger + key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCuP0CZE8AYnbm8gxecCxKeRw0wHRyryd+FKmNNsdr0d3UvfCbqNzLigrqEBZsKpofi3M4qCWNpKRyfhnjPynLTQjP1vnX9AbL9UGoiHxScfvh3skntTYMs9ezJRd0rMJJZO76FPo8bJLDlwxAQl8m/nuj3HfYiO5hYE7P+a3rhsJh4nEfBb7xh+Q5yM0PWObkkBl6IRiBYjlcsXNZHgTA5kNuihUk5bHqAw54sHh05DhpgOITpTw4LFbh4Ew2NKq49dEb2xbTuAyAr2DHNOGgIwKEZpwtKZEIGEuiLbb4DQRsfivrvyOjnK2NFjQzGyNOHfsOldWHRQwUKUs8nrxKdXvqcrfMnSVaibeYK2TRL+6jd9kc5SIhWI3XLm7HbX7uXMD7/JQrkL25Rcs6nndDCH72DJLz+ynA/T5umMbNBQ9tybL5z73IOpfShRGjQYego22CxDOy7e/5OEMHNoksbFb1S02viM9O2puS7LDqqfT9JIbbPqCrbRi/zOXo0f4EXo6xKUAmd8qlV+6f/p57/qFihzQDaRFVlFEH3k7qwsw7PYGUTwkPaThe6xyZN6D5jqxCZU3aSYu+FGb0oYo+M5IxOm0Cb4NNsvvkRPxWtwSayfFGu6+m/+/RyA3GBcAMev7AuyKN+K2vGMsLagHOx4i+5ZAcUwGzLeXAENNum3w== pabelanger@redhat.com + uid: 2010 + gid: 2010 + + mkiss: + comment: Marton Kiss + key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCb5qdaiKaRqBRgLW8Df+zD3C4a+gO/GFZYEDEd5nvk+LDGPuzi6s639DLqdfx6yvJ1sxxNUOOYhE/T7raDeS8m8fjk0hdVzARXraYDbckt6AELl7B16ZM4aEzjAPoSByizmfwIVkO1zP6kghyumV1kr5Nqx0hTd5/thIzgwdaGBY4I+5iqcWncuLyBCs34oTh/S+QFzjmMgoT86PrdLSsBIINx/4rb2Br2Sb6pRHmzbU+3evnytdlDFwDUPfdzoCaQEdXtjISC0xBdmnjEvHJYgmSkWMZGgRgomrA06Al9M9+2PR7x+burLVVsZf9keRoC7RYLAcryRbGMExC17skL marton.kiss@gmail.com + uid: 2011 + gid: 2011 + + smarcet: + comment: Sebastian Marcet + key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDP5ce0Ywtbgi3LGMZWA5Zlv/EQ07F/gWnZOMN6TRfiCiiBNyf8ARtKgmYSINS8W537HJYBt3qTfa5xkZmpBrtE6x8OTfR5y1L+x/PrLTUkQhVDY19EixD9wDIrQIIjo2ZVq+zErXBRQuGmJ3Hl+OGw+wtvGS8f768kMnwhKUgyITjWV2tKr/q88J8mBOep48XUcRhidDWsOjgIDJQeY2lbsx1bbZ7necrJS17PHqxhUbWntyR/VKKbBbrNmf2bhtTRUSYoJuqabyGDTZ0J25A88Qt2IKELy6jsVTxHj9Y5D8oH57uB7GaNsNiU+CaOcVfwOenES9mcWOr1t5zNOdrp smarcet@gmail.com + uid: 2012 + gid: 2012 + + zaro: + comment: Khai Do + key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDJqB//ilMx7Y1tKzviAn/6yeXSRAi2VnaGN0/bfaa5Gciz+SWt8vAEAUE99fzuqeJ/ezjkuIXDFm/sjZr93y567a6sDT6CuhVUac1FZIhXRTs0J+pBOiENbwQ7RZxbkyNHQ0ndvtz3kBA1DF5D+MDkluBlIWb085Z31rFJmetsB2Zb8s1FKUjHVk/skyeKSj0qAK5KN3Wme6peWhYjwBiM0gUlxIsEZM6JLYdoPIbD5B8GYAktMN2FvJU9LgKGL93jLZ/vnMtoQIHHAG/85NdPURL1Zbi92Xlxbm4LkbcHnruBdmtPfSgaEupwJ+zFmK264OHD7QFt10ztPMbAFCFn khaido@khaido-HP-EliteBook-Folio-9470m + uid: 2013 + gid: 2013 + + slukjanov: + comment: Sergey Lukjanov + uid: 2014 + gid: 2014 + + elizabeth: + comment: Elizabeth K. Joseph + uid: 2015 + gid: 2015 + + jhesketh: + comment: Joshua Hesketh + key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC3onVLOZiiGpQWTCIV0QwHmc3Jvqyl7UaJxIu7D49OQcLHqVZsozI9pSiCdTnWyAaM+E+5wD9yVcSTqMWqn2AZmZSwQ+Fh6KnCgPZ/o63+iCZPGL0RNk20M1iNh5dvdStDnn+j2fpeV/JONF0tBn07QvNL2eF4BwtbTG9Zhl186QNsXjXDghrSO3Etl6DSfcUhxyvMoA2LnclWWD5hLmiRhcBm+PIxveVsr4B+o0k1HV5SUOvJMWtbEC37AH5I818O4fNOob6CnOFaCsbA9oUDzB5rqxutPZb9SmNJpNoLqYqDgyppM0yeql0Kn97tUt7H4j5xHrWoGnJ4IXfuDc0AMmmy4fpcLGkNf7zcBftKS6iz/3AlOXjlp5WZvKxngJj9HIir2SE/qV4Lxw9936BzvAcQyw5+bEsLQJwi+LPZxEqLC6oklkX9dg/+1yBFHsz6mulA0b4Eq7VF9omRzrhhN4iPpU5KQYPRNz7yRYckXDxYnp2lz6yHgSYh2/lqMc+UqmCL9EAWcDw3jsgvJ6kH/YUVUojiRHD9QLqlhOusu1wrTfojjwF05mqkXKmH+LH8f8AJAlMdYg0c2WLlrcxnwCkLLxzU5cYmKcZ41LuLtQR3ik+EKjYzBXXyCEzFm6qQEbR2akpXyxvONgrf7pijrgNOi0GeatUt0bUQcAONYw== jhesketh@infra + uid: 2016 + gid: 2016 + + nibz: + comment: Spencer Krum + uid: 2017 + gid: 2017 + + yolanda: + comment: Yolanda Robla + key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDSR2NmJC8PSanHUpKJuaMmohG80COO2IPkE3Mxhr7US8P1B3p1c6lOrT6M1txRzBY8FlbxfOinGtutP+ADCB2taXfpO8UiaG9eOqojAT/PeP2Y2ov72rVMSWupLozUv2uAR5yyFVFHOjKPYGAa01aJtfzfJujSak8dM0ifFeFwgp/8RBGEfC7atq+45TdrfAURRcEgcOLiF5Aq6fprCOwpllnrH6VoId9YS7u/5xF2/zBjr9PuOP7jEgCaL/+FNqu7jgj87aG5jiZPlweb7GTLJON9H6eFpyfpoJE0sZ1yR9Q+e9FAqQIA44Zi748qKBlFKbLxzoC4mc0SbNUAleEL yolanda@infra + uid: 2018 + gid: 2018 + + rcarrillocruz: + comment: Ricardo Carrillo Cruz + key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCz1CW5E87v8o7O8B5fe7j1uaPCToRdaBukjH2HzQZ+DSGTIPjirLpp5ZXPuyNnmtRMzwld6mlHYlevVEwuZTNyQwS7ut5o0LjyW6yoEcvPq0xMEZLxaso5dZAtzNgf3FzbtaUYBnkhSwX7c24lf8wPGAl7TC3yO0dePQh2lXVdaBiGB9ybVeQr+kwJIxleUE4puuQ+ONJE2D+hHjoQ/huUMpb996pb/YzkjkAxqHguMid0c1taelyW8n17nEDoWvlV9Qqbo8cerhgURo1OBt2zENLjQQ0kOkPxJx4qx3652e0kbkr11y50r9BMs418mnJdWselMxkSqQNZ+XotoH5Dwn+3K2a6Wv4OX3Dqb9SF/JTD7lA/tIkNfxgsRlzfEQ01rK1+g7Je10EnDCLEzHpFjvZ5q4EEMcYqY+osLFpHAOWGLMx+3eY4pz/xEzRP/x3sjGU09uNOZ3oCWUfSkE4xebnnWtxwWZKyFmv3GHtaqJn2UvpAbODPEYyYcOS3XV3zd233W3C09YYnFUyZbGLXpD05Yet5fZfGTnveMRn5/9LZai+dBPwoMWUJdX4yPnGXgOG8zk0u1nWfcNJfYg+xajSUDiMKjDhlkuFK/GXNYuINe42s1TxzL7pJ4X4UhqLiopeJvPg/U5xdCV5pxVKf1MVenrGe2pfwf1Yr2WMv5w== rcarrillocruz@infra + uid: 2019 + gid: 2019 + + krotscheck: + comment: Michael Krotscheck + uid: 2020 + gid: 2020 + + colleen: + comment: Colleen Murphy + key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDcHzySqYlH1TfAPx5PaVzqkuMbI3zksJ5E2aZBlsIN7wNSoyO0Dts6HegHZIgi5NGT05wRBAUMCNZwupqFoWDg41JBKzPKITkqvEe/FnNmJFxt591ltXigZZ+ZLoX8B12nww/eeA5nx9PT4hIsLQG50MxEm0iC4ApusaAXMXa7+gTDkzf6yyl4QwinyFFTYtyJwFw5XfQXXRQwL8Qv6mVGrhDz3Fj4VWawByQuxRHgt5G3Ux/PnZzatJ3tuSK66o1uXrvuOiGdUtDCuAFUx+kgcmUTpCC6vgMZdDbrfyw0CGxkmAUNfeEMOw0TWbdioJ2FwH5+4BEvMgiFgsCTjIwDqqyFV9eK8sd0mbJ+I82EyOXPlFPKGan6Ie6LD1qotdUW9vT3pfpR/44s/Id2un3FBnVg7GZkGJshikGO1UqjmZfhEpQ6Q+auLir+mBv2X/ril6qJ2NuQpwMRVzZmriPMxdJDs6xhzg2fGEYRvEvh0kzsqNf4OgKbSWiVOB3WALM30Cx3YdmnB6JonRGA+6CqD+LO4HQMbD7LBVcYzEIS1WtP8aPx/NiybemrF0LWmIgl34A0Tpcc+5MLzzUtgUt6lYFyWxltCP43u1N7ODH+FsFALzo6CO9DjyMxEd6Ay61hyx8Btfhn8NH/wEdCQj1WAMHU+d2ljk5ndAfp8c6LRQ== krinkle@gir + uid: 2021 + gid: 2021 + + Zara: + comment: Zara Zaimeche + key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCt9wQvGgQIvLvifm7n5g+2sjgjGCQLt03D0v5Fb5xEMufJncIDkwBNDzGvsASwHGjP9YEAA8+f8Ya+Yc9EaDgqQl9r9YEO9CoEC6O1Euk41nQJYYRnzkgmMaxTSlUKNur8XSmzoElLut6ivlLW71fZmSKHAcg9O4lgd9weDDjCcWLD1C9WmRVdtEnw6NQJd5Mn/llHqdbmMlf3I5VL8QvzPndxZEyESdSBz0ywLO5ygtUxtPaCxaanHSTz1yNooT9t2vwDnfc1LB9oT4CaEnVG+FugCPGFnn204eJ2BVEQ945ZsabgFndyvfmEwxlzAeA6+YjQYrukMijb1Owxh1fv zara.zaimeche@codethink.co.uk + uid: 2022 + gid: 2022 + + SotK: + comment: Adam Coldrick + key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDL2oe+2lRld58OiTjpdR3yUTobWcDWaYhWpU3bWz36rQAcbtYQmCBJRF8Ec2ZazvLNrmv075k/kb18eWjBLzItorBppIlNkIazG002LsrvlME6FDrZ3MoeDiswXG8a0P0IJyUyvfald7EBkjjiCVO3CwyMdFF2fXb+oqKxrSL9nKyPZtSXAzHmq01Eqm6Jok971+C+tvk47W4w7LXy+H/1GfMJdppwIWD6fQ5NmxQp9fHowh3ztNthhEk6Vn46qGrtMru4HImIw6nVU+0tHNRgxRjn9SRTPSsYPiBKJJ90rXl7WB5Ep42hGZySdz7l0LjxXAGxZgiHso/ANPYzRgpr adam@arreliam + uid: 2023 + gid: 2023 + + maxwell: + comment: JP Maxwell + key: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA2b5I7Yff9FCrtRmSjpILUePi54Vbc8zqJTbzrIAQZGFLBi3xd2MLlhV5QVgpDBC9H3lGjbdnc81D3aFd3HwHT4dvvvyedT12PR3VDEpftdW84vw3jzdtALcayOQznjbGnScwvX5SgnRhNxuX9Rkh8qNvOsjYPUafRr9azkQoomJFkdNVI4Vb5DbLhTpt18FPeOf0UuqDt/J2tHI4SjZ3kjzr7Nbwpg8xGgANPNE0+2pJbwCA8YDt4g3bzfzvVafQs5o9Gfc9tudkR9ugQG1M+EWCgu42CleOwMTd/rYEB2fgNNPsZAWqwQfdPajVuk70EBKUEQSyoA09eEZX+xJN9Q== jpmaxman@tipit.net + uid: 2024 + gid: 2024 + + ianw: + comment: Ian Wienand + key_type: ssh-ed25519 + key: ssh-rsa AAAAC3NzaC1lZDI1NTE5AAAAILOjz+dkwRWTJcW9Gt3iGHSzRBsvVlTAK6G2oH3+0D41 iwienand+osinfra@redhat.com + uid: 2025 + gid: 2025 + + shrews: + comment: David Shrewsbury + key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtNtbgLw0dyRVnuwZz4oUcWTzEUtpO2V47t4ykijdH1hkEe7qkuusM5bD8pC4L3wDZP5U3lsIAvZ97LCQp+MNJz1j8cjXuAboqP5FC3TtCJR1WtCWmOBSO7sIvcsgwse/9KZN/TETOGA9no1oKS43Adi9bXrRFAKDAAM34IVt/UHNS51vxUhuGv+56yJmaki7CjxrGtXcB4hi+TCQAfKJPzhAMwcFQUyvXJkRei6NN6uYyHnVtLR3KXEkeTesZ2GQxmQ+1jmCMN1zUN2VLypmDqAvlKtuQW+3nY89q4HDwzCpuC1rscJgOuncdMahTMoKA3/dQtT4WuJIwLQa3tEEn shrews2018 + uid: 2026 + gid: 2026 + + jbryce: + comment: Jonathan Bryce + key: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApFGM9q1gfiawBX5EnCQGxx2T1hwPDxrX2M64MfqcoBRpdrWRjxWm6Vhczfl+Ar2EQtGsuIm1QQiyiPL4zsJSQOfYXB0TqOQaAuFamSzZSNEm8coSa93E3zfXR9uln1lgCGutaWwH/KmGcSeAuuQCipKmKxc8QSAepGNP4Jx2L/EnXQh850xTQEIviJkJpA9oTRzXu12T7vzxsUCw041Q/KX16UvvGpt9IAoMAWFlQrMPzPFmqbUOIr7pRvv8TKcK9BNFS8S8jjT+wN0y/LY7cbTblgDfwSAl1P/naME5ugRVD5MZKixIE1F+x/j+M8+fpZ/EyR/6jSA3DYjEXOk2zQ== jbryce@jbryce-mbp-3.local + uid: 2027 + gid: 2027 + + dmsimard: + comment: David Moreau-Simard + key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDDyXfFj44OTsJZnHbecbYrwA8zXuMiULb+o326maOh3wh5/6fk+MzivkUzJC2uZqAlKvBnNXsrb/07eV1gRjaIQBQJxaV9HQUwMNX7AkjkDzaMXVDjG/JOium90R23gVGMukzp9IamezUscAqAxVK+2C10k3tq8dZ/GeZfHl3NFGRHlIAXsJ/SIQoxJAEA0IQ/8Y50nR1Hp2mV2xsfxH9oZhLR/eiFdhJpNupdfw/oE9+vpCHS8SG88KGeLYbn+EhH6LSCD+6WNthF6oE7NANnScqn1Fl0ZpSd3RlRb+kDVKGqNxfB7EJTeimYvqaYmrTiTZTaTJua5Bj5yBTudqnBgdHCz3xMb2Nv2s2INNcJmP/CKpivYQ8AJs6cVlqRWnLJiNQQYCj+xAXBvY5T0Xq/qOhVifLiWZvZQOTHFWqFP9asZkrGa1mFWIaR9VPQY0FoYlUOT9t6J6TRbzktJIuP5AiOVoJLL6wjZuUMjghHfkYbqtyBqE4BbCY8YF3JSf8jx+9eWy+sD+dRwKXBCrGV0dNidioZR7ZJpBb6ye8wElebjPZizKhppsNpwtRxPfiAM52f55lXGD7IDpz9CZrOKUcV2uc3Rhl50u7T3psZfX7GysZvlnAH+Yr+UM+LPBAabXAfKlMnJp+SskLuOplTeQrvAwMluBmFnla8TnwnxQ== dmsimard@hostname + uid: 2028 + gid: 2028 + + frickler: + comment: Jens Harbott + key_type: ssh-ed25519 + key: ssh-rsa AAAAC3NzaC1lZDI1NTE5AAAAIGmc5fbzMptjAb5D86zSH13ZYCbf3QuV1jk9hL0r1qHw frickler@os-infra-2017 + uid: 2029 + gid: 2029 + + diablo_rojo: + comment: Kendall Nelson + key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCx96P1BVbRALeCz8jktUtT9qWzeXbG5yQrwQZ6n3NWsqEueCHp9DaVPDQLWIFAyvL0PKtlSOktClsUYuGfxB+dBuAFFMsx1Apk78EID4wvdXfEUDxZOsKX7zE9teJSxPEMppHAJIcnPu7dMFzZWxh+sA+fR8ZddPRunxtztGayNdYsCqDGIc9GqemjOqXDIFMIXgJLxNaHGSR56UcDHwgqmXXANkpTKsLW+U+VdNofHKpRhbXNS07jPFAAe1rBmoU/TRitzQFz7WYA4ml54ZiB7Q1O7RIyJWVBihHVrxSZbjn2a46CVeLo5Xw7loWF32wY/hA98hmpBNiF8tGSI6mh kennelson11@gmail.com + uid: 2030 + gid: 2030 + +# List of users to install on all hosts +base_users: + - mordred + - corvus + - clarkb + - fungi + - jhesketh + - yolanda + - pabelanger + - rcarrillocruz + - ianw + - shrews + - dmsimard + - frickler +# Default empty list of users to install on specific hosts or groups +extra_users: [] +# Users who should be removed +disabled_users: + - elizabeth + - nibz + - slukjanov diff --git a/playbooks/roles/base-repos/defaults/main.yaml b/playbooks/roles/base-repos/defaults/main.yaml new file mode 100644 index 0000000000..d3f6ff49b1 --- /dev/null +++ b/playbooks/roles/base-repos/defaults/main.yaml @@ -0,0 +1 @@ +purge_apt_sources: true diff --git a/playbooks/roles/base-repos/files/80retry b/playbooks/roles/base-repos/files/80retry new file mode 100644 index 0000000000..8ebe6de130 --- /dev/null +++ b/playbooks/roles/base-repos/files/80retry @@ -0,0 +1 @@ +APT::Acquire::Retries "20"; diff --git a/playbooks/roles/base-repos/files/90no-translations b/playbooks/roles/base-repos/files/90no-translations new file mode 100644 index 0000000000..2318f84efe --- /dev/null +++ b/playbooks/roles/base-repos/files/90no-translations @@ -0,0 +1 @@ +Acquire::Languages "none"; diff --git a/playbooks/roles/base-repos/files/sources.list.bionic.x86_64 b/playbooks/roles/base-repos/files/sources.list.bionic.x86_64 new file mode 100644 index 0000000000..3372ec5bdb --- /dev/null +++ b/playbooks/roles/base-repos/files/sources.list.bionic.x86_64 @@ -0,0 +1,10 @@ +# This file is kept updated by ansible, adapted from +# https://help.ubuntu.com/lts/serverguide/configuration.html + +deb http://us.archive.ubuntu.com/ubuntu bionic main restricted +deb http://us.archive.ubuntu.com/ubuntu bionic-updates main restricted +deb http://us.archive.ubuntu.com/ubuntu bionic universe +deb http://us.archive.ubuntu.com/ubuntu bionic-updates universe +deb http://us.archive.ubuntu.com/ubuntu bionic-backports main restricted universe +deb http://security.ubuntu.com/ubuntu bionic-security main restricted +deb http://security.ubuntu.com/ubuntu bionic-security universe diff --git a/playbooks/roles/base-repos/files/sources.list.trusty.x86_64 b/playbooks/roles/base-repos/files/sources.list.trusty.x86_64 new file mode 100644 index 0000000000..4a4b94516d --- /dev/null +++ b/playbooks/roles/base-repos/files/sources.list.trusty.x86_64 @@ -0,0 +1,13 @@ +# This file is kept updated by ansible, adapted from +# http://ubuntuguide.org/wiki/Ubuntu_Trusty_Packages_and_Repositories + +deb http://us.archive.ubuntu.com/ubuntu trusty main restricted +deb http://us.archive.ubuntu.com/ubuntu trusty-updates main restricted +deb http://us.archive.ubuntu.com/ubuntu trusty universe +deb http://us.archive.ubuntu.com/ubuntu trusty-updates universe +deb http://us.archive.ubuntu.com/ubuntu trusty multiverse +deb http://us.archive.ubuntu.com/ubuntu trusty-updates multiverse +deb http://us.archive.ubuntu.com/ubuntu trusty-backports main restricted universe multiverse +deb http://security.ubuntu.com/ubuntu trusty-security main restricted +deb http://security.ubuntu.com/ubuntu trusty-security universe +deb http://security.ubuntu.com/ubuntu trusty-security multiverse diff --git a/playbooks/roles/base-repos/files/sources.list.xenial.aarch64 b/playbooks/roles/base-repos/files/sources.list.xenial.aarch64 new file mode 100644 index 0000000000..3c089f33f6 --- /dev/null +++ b/playbooks/roles/base-repos/files/sources.list.xenial.aarch64 @@ -0,0 +1,35 @@ +# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to +# newer versions of the distribution. + +deb http://ports.ubuntu.com/ubuntu-ports/ xenial main restricted multiverse +deb-src http://ports.ubuntu.com/ubuntu-ports/ xenial main restricted multiverse + +## Major bug fix updates produced after the final release of the +## distribution. +deb http://ports.ubuntu.com/ubuntu-ports/ xenial-updates main restricted multiverse +deb-src http://ports.ubuntu.com/ubuntu-ports/ xenial-updates main restricted multiverse + +## Uncomment the following two lines to add software from the 'universe' +## repository. +## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu +## team. Also, please note that software in universe WILL NOT receive any +## review or updates from the Ubuntu security team. +deb http://ports.ubuntu.com/ubuntu-ports/ xenial universe +deb-src http://ports.ubuntu.com/ubuntu-ports/ xenial universe +deb http://ports.ubuntu.com/ubuntu-ports/ xenial-updates universe +deb-src http://ports.ubuntu.com/ubuntu-ports/ xenial-updates universe + +## N.B. software from this repository may not have been tested as +## extensively as that contained in the main release, although it includes +## newer versions of some applications which may provide useful features. +## Also, please note that software in backports WILL NOT receive any review +## or updates from the Ubuntu security team. +# deb http://ports.ubuntu.com/ubuntu-ports/ xenial-backports main restricted +# deb-src http://ports.ubuntu.com/ubuntu-ports/ xenial-backports main restricted + +deb http://ports.ubuntu.com/ubuntu-ports/ xenial-security main restricted multiverse +deb-src http://ports.ubuntu.com/ubuntu-ports/ xenial-security main restricted multiverse +deb http://ports.ubuntu.com/ubuntu-ports/ xenial-security universe +deb-src http://ports.ubuntu.com/ubuntu-ports/ xenial-security universe +# deb http://ports.ubuntu.com/ubuntu-ports/ xenial-security multiverse +# deb-src http://ports.ubuntu.com/ubuntu-ports/ xenial-security multiverse \ No newline at end of file diff --git a/playbooks/roles/base-repos/files/sources.list.xenial.x86_64 b/playbooks/roles/base-repos/files/sources.list.xenial.x86_64 new file mode 100644 index 0000000000..89e89230ad --- /dev/null +++ b/playbooks/roles/base-repos/files/sources.list.xenial.x86_64 @@ -0,0 +1,13 @@ +# This file is kept updated by ansible, adapted from +# https://help.ubuntu.com/lts/serverguide/configuration.html + +deb http://us.archive.ubuntu.com/ubuntu xenial main restricted +deb http://us.archive.ubuntu.com/ubuntu xenial-updates main restricted +deb http://us.archive.ubuntu.com/ubuntu xenial universe +deb http://us.archive.ubuntu.com/ubuntu xenial-updates universe +deb http://us.archive.ubuntu.com/ubuntu xenial multiverse +deb http://us.archive.ubuntu.com/ubuntu xenial-updates multiverse +deb http://us.archive.ubuntu.com/ubuntu xenial-backports main restricted universe multiverse +deb http://security.ubuntu.com/ubuntu xenial-security main restricted +deb http://security.ubuntu.com/ubuntu xenial-security universe +deb http://security.ubuntu.com/ubuntu xenial-security multiverse diff --git a/playbooks/roles/base-repos/handlers/main.yaml b/playbooks/roles/base-repos/handlers/main.yaml new file mode 100644 index 0000000000..603689e726 --- /dev/null +++ b/playbooks/roles/base-repos/handlers/main.yaml @@ -0,0 +1,3 @@ +- name: Update apt cache + apt: + update_cache: true diff --git a/playbooks/roles/base-repos/tasks/Debian.yaml b/playbooks/roles/base-repos/tasks/Debian.yaml new file mode 100644 index 0000000000..596691d072 --- /dev/null +++ b/playbooks/roles/base-repos/tasks/Debian.yaml @@ -0,0 +1,18 @@ +- name: Configure apt retries + copy: + mode: 0444 + src: 80retry + dest: /etc/apt/apt.conf.d/80retry + +- name: Disable apt translations + copy: + mode: 0444 + src: 90no-translations + dest: /etc/apt/apt.conf.d/90no-translations + +- name: Replace sources.list file + when: purge_apt_sources + copy: + src: 'sources.list.{{ ansible_facts.lsb.codename }}.{{ ansible_facts.architecture }}' + dest: /etc/apt/sources.list + notify: Update apt cache diff --git a/playbooks/roles/base-repos/tasks/main.yaml b/playbooks/roles/base-repos/tasks/main.yaml new file mode 100644 index 0000000000..779f0614b3 --- /dev/null +++ b/playbooks/roles/base-repos/tasks/main.yaml @@ -0,0 +1,6 @@ +- name: Set up additional repos + include_tasks: "{{ lookup('first_found', file_list) }}" + vars: + file_list: + - "{{ ansible_facts.distribution }}.yaml" + - "{{ ansible_facts.os_family }}.yaml" diff --git a/playbooks/roles/base-server/defaults/main.yaml b/playbooks/roles/base-server/defaults/main.yaml new file mode 100644 index 0000000000..764fac6880 --- /dev/null +++ b/playbooks/roles/base-server/defaults/main.yaml @@ -0,0 +1,12 @@ +bastion_ipv4: 23.253.245.198 +bastion_ipv6: 2001:4800:7818:101:3c21:a454:23ed:4072 +base_packages: + - at + - git + - lvm2 + - parted + - rsync + - rsyslog + - strace + - tcpdump + - wget diff --git a/playbooks/roles/base-server/files/bash-history.sh b/playbooks/roles/base-server/files/bash-history.sh new file mode 100644 index 0000000000..e3f56e6e65 --- /dev/null +++ b/playbooks/roles/base-server/files/bash-history.sh @@ -0,0 +1 @@ +export HISTTIMEFORMAT="%Y-%m-%dT%T%z " diff --git a/playbooks/roles/base-server/files/debian_limits.conf b/playbooks/roles/base-server/files/debian_limits.conf new file mode 100644 index 0000000000..860c08b8d8 --- /dev/null +++ b/playbooks/roles/base-server/files/debian_limits.conf @@ -0,0 +1,4 @@ +# Original 1024 +* soft nofile 4096 +# Original 4096 +* hard nofile 8192 diff --git a/playbooks/roles/base-server/files/rsyslog.d_50-default.conf b/playbooks/roles/base-server/files/rsyslog.d_50-default.conf new file mode 100644 index 0000000000..35e348ab1b --- /dev/null +++ b/playbooks/roles/base-server/files/rsyslog.d_50-default.conf @@ -0,0 +1,69 @@ +# Default rules for rsyslog. +# +# For more information see rsyslog.conf(5) and /etc/rsyslog.conf + +# +# First some standard log files. Log by facility. +# +auth,authpriv.* /var/log/auth.log +*.*;auth,authpriv.none -/var/log/syslog +#cron.* /var/log/cron.log +#daemon.* -/var/log/daemon.log +kern.* -/var/log/kern.log +#lpr.* -/var/log/lpr.log +mail.* -/var/log/mail.log +#user.* -/var/log/user.log + +# +# Logging for the mail system. Split it up so that +# it is easy to write scripts to parse these files. +# +#mail.info -/var/log/mail.info +#mail.warn -/var/log/mail.warn +mail.err /var/log/mail.err + +# +# Logging for INN news system. +# +news.crit /var/log/news/news.crit +news.err /var/log/news/news.err +news.notice -/var/log/news/news.notice + +# +# Some "catch-all" log files. +# +#*.=debug;\ +# auth,authpriv.none;\ +# news.none;mail.none -/var/log/debug +#*.=info;*.=notice;*.=warn;\ +# auth,authpriv.none;\ +# cron,daemon.none;\ +# mail,news.none -/var/log/messages + +# +# Emergencies are sent to everybody logged in. +# +*.emerg :omusrmsg:* + +# +# I like to have messages displayed on the console, but only on a virtual +# console I usually leave idle. +# +#daemon,mail.*;\ +# news.=crit;news.=err;news.=notice;\ +# *.=debug;*.=info;\ +# *.=notice;*.=warn /dev/tty8 + +# The named pipe /dev/xconsole is for the `xconsole' utility. To use it, +# you must invoke `xconsole' with the `-file' option: +# +# $ xconsole -file /dev/xconsole [...] +# +# NOTE: adjust the list below, or you'll go crazy if you have a reasonably +# busy site.. +# +# Commenting out since we don't install xconsoles on headless servers. +#daemon.*;mail.*;\ +# news.err;\ +# *.=debug;*.=info;\ +# *.=notice;*.=warn |/dev/xconsole diff --git a/playbooks/roles/base-server/files/yum/yum-cron.conf b/playbooks/roles/base-server/files/yum/yum-cron.conf new file mode 100644 index 0000000000..bd1ec68583 --- /dev/null +++ b/playbooks/roles/base-server/files/yum/yum-cron.conf @@ -0,0 +1,81 @@ +[commands] +# What kind of update to use: +# default = yum upgrade +# security = yum --security upgrade +# security-severity:Critical = yum --sec-severity=Critical upgrade +# minimal = yum --bugfix update-minimal +# minimal-security = yum --security update-minimal +# minimal-security-severity:Critical = --sec-severity=Critical update-minimal +update_cmd = default + +# Whether a message should be emitted when updates are available, +# were downloaded, or applied. +update_messages = yes + +# Whether updates should be downloaded when they are available. +download_updates = yes + +# Whether updates should be applied when they are available. Note +# that download_updates must also be yes for the update to be applied. +apply_updates = yes + +# Maximum amout of time to randomly sleep, in minutes. The program +# will sleep for a random amount of time between 0 and random_sleep +# minutes before running. This is useful for e.g. staggering the +# times that multiple systems will access update servers. If +# random_sleep is 0 or negative, the program will run immediately. +# 6*60 = 360 +random_sleep = 360 + + +[emitters] +# Name to use for this system in messages that are emitted. If +# system_name is None, the hostname will be used. +system_name = None + +# How to send messages. Valid options are stdio and email. If +# emit_via includes stdio, messages will be sent to stdout; this is useful +# to have cron send the messages. If emit_via includes email, this +# program will send email itself according to the configured options. +# If emit_via is None or left blank, no messages will be sent. +emit_via = stdio + +# The width, in characters, that messages that are emitted should be +# formatted to. +output_width = 80 + + +[email] +# The address to send email messages from. +# NOTE: 'localhost' will be replaced with the value of system_name. +email_from = root@localhost + +# List of addresses to send messages to. +email_to = root + +# Name of the host to connect to to send email messages. +email_host = localhost + + +[groups] +# NOTE: This only works when group_command != objects, which is now the default +# List of groups to update +group_list = None + +# The types of group packages to install +group_package_types = mandatory, default + +[base] +# This section overrides yum.conf + +# Use this to filter Yum core messages +# -4: critical +# -3: critical+errors +# -2: critical+errors+warnings (default) +debuglevel = -2 + +# skip_broken = True +mdpolicy = group:main + +# Uncomment to auto-import new gpg keys (dangerous) +# assumeyes = True diff --git a/playbooks/roles/base-server/handlers/main.yaml b/playbooks/roles/base-server/handlers/main.yaml new file mode 100644 index 0000000000..a80bac59a0 --- /dev/null +++ b/playbooks/roles/base-server/handlers/main.yaml @@ -0,0 +1,4 @@ +- name: Restart rsyslog + service: + name: rsyslog + state: restarted diff --git a/playbooks/roles/base-server/tasks/Debian.yaml b/playbooks/roles/base-server/tasks/Debian.yaml new file mode 100644 index 0000000000..6d81390f5f --- /dev/null +++ b/playbooks/roles/base-server/tasks/Debian.yaml @@ -0,0 +1,20 @@ +- name: Remove packages that make no sense for servers + apt: + name: '{{ item }}' + state: absent + loop: + - whoopsie + - popularity-contest + +- name: Configure file limits + copy: + mode: 0644 + src: debian_limits.conf + dest: /etc/security/limits.d/60-nofile-limit.conf + +- name: Custom rsyslog config to disable /dev/xconsole noise + copy: + mode: 0644 + src: rsyslog.d_50-default.conf + dest: /etc/rsyslog.d/50-default.conf + notify: Restart rsyslog diff --git a/playbooks/roles/base-server/tasks/RedHat.yaml b/playbooks/roles/base-server/tasks/RedHat.yaml new file mode 100644 index 0000000000..f747f1982b --- /dev/null +++ b/playbooks/roles/base-server/tasks/RedHat.yaml @@ -0,0 +1,22 @@ +# NOTE(pabelanger): We need to ensure ntpdate service starts on boot for +# centos-7. Currently, ntpd explicitly require ntpdate to be running before +# the sync process can happen in ntpd. As a result, if ntpdate is not +# running, ntpd will start but fail to sync because of DNS is not properly +# setup. +- name: Ensure ntpdate service is running + service: + name: ntpdate + enabled: yes + state: running + +- name: Configure yum cron + copy: + mode: 0644 + src: yum/yum-cron.conf + dest: /etc/yum/yum-cron.conf + +- name: Ensure yum cron service is running + service: + name: yum-cron + enabled: yes + state: running diff --git a/playbooks/roles/base-server/tasks/Ubuntu.xenial.aarch64.yaml b/playbooks/roles/base-server/tasks/Ubuntu.xenial.aarch64.yaml new file mode 100644 index 0000000000..41e603e9d6 --- /dev/null +++ b/playbooks/roles/base-server/tasks/Ubuntu.xenial.aarch64.yaml @@ -0,0 +1,4 @@ +- name: Install HWE kernel for arm64 + apt: + name: linux-generic-hwe-16.04 + state: present diff --git a/playbooks/roles/base-server/tasks/main.yaml b/playbooks/roles/base-server/tasks/main.yaml new file mode 100644 index 0000000000..00476ab18d --- /dev/null +++ b/playbooks/roles/base-server/tasks/main.yaml @@ -0,0 +1,62 @@ +- name: Install base packages + package: + state: present + name: '{{ item }}' + loop: '{{ base_packages }}' + +- name: Include OS-specific variables + include_vars: "{{ item }}" + with_first_found: + - "{{ ansible_facts.distribution }}.{{ ansible_facts.architecture }}.yaml" + - "{{ ansible_facts.distribution }}.yaml" + - "{{ ansible_facts.os_family }}.yaml" + - "default.yaml" + +- name: Install distro specific packages + package: + state: present + name: '{{ item }}' + loop: '{{ distro_packages }}' + +- name: Increase syslog message size in order to capture python tracebacks + copy: + content: '$MaxMessageSize 6k' + dest: /etc/rsyslog.d/99-maxsize.conf + mode: 0644 + notify: Restart rsyslog + +- name: Ensure rsyslog is running + service: + name: rsyslog + enabled: yes + state: started + +- name: Set ssh key for managment + authorized_key: + state: present + user: root + key: | + ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDSLlN41ftgxkNeUi/kATYPwMPjJdMaSbgokSb9PSkRPZE7GeNai60BCfhu+ky8h5eMe70Bpwb7mQ7GAtHGXPNU1SRBPhMuVN9EYrQbt5KSiwuiTXtQHsWyYrSKtB+XGbl2PhpMQ/TPVtFoL5usxu/MYaakVkCEbt5IbPYNg88/NKPixicJuhi0qsd+l1X1zoc1+Fn87PlwMoIgfLIktwaL8hw9mzqr+pPcDIjCFQQWnjqJVEObOcMstBT20XwKj/ymiH+6p123nnlIHilACJzXhmIZIZO+EGkNF7KyXpcBSfv9efPI+VCE2TOv/scJFdEHtDFkl2kdUBYPC0wQ92rp puppet-remote-2014-09-15 + key_options: | + from="{{ bastion_ipv4 }}:{{ bastion_ipv6 }},localhost" + +- name: Disable byobu + file: + path: /etc/profile.d/Z98-byobu.sh + state: absent + +- name: Setup RFC3339 bash history timestamps + copy: + mode: 0644 + src: bash-history.sh + dest: /etc/profile.d/bash-history.sh + +- name: Include OS-specific tasks + include_tasks: "{{ lookup('first_found', file_list) }}" + static: no + vars: + file_list: + - "{{ ansible_facts.distribution }}.{{ ansible_facts.lsb.codename }}.{{ ansible_facts.architecture }}.yaml" + - "{{ ansible_facts.distribution }}.{{ ansible_facts.architecture }}.yaml" + - "{{ ansible_facts.distribution }}.yaml" + - "{{ ansible_facts.os_family }}.yaml" diff --git a/playbooks/roles/base-server/vars/Debian.yaml b/playbooks/roles/base-server/vars/Debian.yaml new file mode 100644 index 0000000000..d6e870666f --- /dev/null +++ b/playbooks/roles/base-server/vars/Debian.yaml @@ -0,0 +1,3 @@ +distro_packages: + - dnsutils + - iputils-ping diff --git a/playbooks/roles/base-server/vars/RedHat.yaml b/playbooks/roles/base-server/vars/RedHat.yaml new file mode 100644 index 0000000000..b7c79ba837 --- /dev/null +++ b/playbooks/roles/base-server/vars/RedHat.yaml @@ -0,0 +1,9 @@ +- distro_packages: + - bind-utils + - iputils + # Utils in ntp-perl are included in Debian's ntp package; we + # add it here for consistency. See also + # https://tickets.puppetlabs.com/browse/MODULES-3660 + - ntp-perl + - ntpdate + - yum-cron diff --git a/playbooks/roles/set_hostname/tasks/main.yml b/playbooks/roles/set-hostname/tasks/main.yml similarity index 100% rename from playbooks/roles/set_hostname/tasks/main.yml rename to playbooks/roles/set-hostname/tasks/main.yml diff --git a/playbooks/roles/set_hostname/templates/hosts.j2 b/playbooks/roles/set-hostname/templates/hosts.j2 similarity index 100% rename from playbooks/roles/set_hostname/templates/hosts.j2 rename to playbooks/roles/set-hostname/templates/hosts.j2 diff --git a/playbooks/roles/set_hostname/templates/mailname.j2 b/playbooks/roles/set-hostname/templates/mailname.j2 similarity index 100% rename from playbooks/roles/set_hostname/templates/mailname.j2 rename to playbooks/roles/set-hostname/templates/mailname.j2 diff --git a/playbooks/roles/users/defaults/main.yaml b/playbooks/roles/users/defaults/main.yaml new file mode 100644 index 0000000000..1256d6b56a --- /dev/null +++ b/playbooks/roles/users/defaults/main.yaml @@ -0,0 +1,3 @@ +all_users: {} +disabled_users: [] +extra_users: [] diff --git a/playbooks/roles/users/files/Debian/login.defs b/playbooks/roles/users/files/Debian/login.defs new file mode 100644 index 0000000000..c7d5a15b4f --- /dev/null +++ b/playbooks/roles/users/files/Debian/login.defs @@ -0,0 +1,340 @@ +# +# /etc/login.defs - Configuration control definitions for the login package. +# +# Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH. +# If unspecified, some arbitrary (and possibly incorrect) value will +# be assumed. All other items are optional - if not specified then +# the described action or option will be inhibited. +# +# Comment lines (lines beginning with "#") and blank lines are ignored. +# +# Modified for Linux. --marekm + +# REQUIRED for useradd/userdel/usermod +# Directory where mailboxes reside, _or_ name of file, relative to the +# home directory. If you _do_ define MAIL_DIR and MAIL_FILE, +# MAIL_DIR takes precedence. +# +# Essentially: +# - MAIL_DIR defines the location of users mail spool files +# (for mbox use) by appending the username to MAIL_DIR as defined +# below. +# - MAIL_FILE defines the location of the users mail spool files as the +# fully-qualified filename obtained by prepending the user home +# directory before $MAIL_FILE +# +# NOTE: This is no more used for setting up users MAIL environment variable +# which is, starting from shadow 4.0.12-1 in Debian, entirely the +# job of the pam_mail PAM modules +# See default PAM configuration files provided for +# login, su, etc. +# +# This is a temporary situation: setting these variables will soon +# move to /etc/default/useradd and the variables will then be +# no more supported +MAIL_DIR /var/mail +#MAIL_FILE .mail + +# +# Enable logging and display of /var/log/faillog login failure info. +# This option conflicts with the pam_tally PAM module. +# +FAILLOG_ENAB yes + +# +# Enable display of unknown usernames when login failures are recorded. +# +# WARNING: Unknown usernames may become world readable. +# See #290803 and #298773 for details about how this could become a security +# concern +LOG_UNKFAIL_ENAB no + +# +# Enable logging of successful logins +# +LOG_OK_LOGINS no + +# +# Enable "syslog" logging of su activity - in addition to sulog file logging. +# SYSLOG_SG_ENAB does the same for newgrp and sg. +# +SYSLOG_SU_ENAB yes +SYSLOG_SG_ENAB yes + +# +# If defined, all su activity is logged to this file. +# +#SULOG_FILE /var/log/sulog + +# +# If defined, file which maps tty line to TERM environment parameter. +# Each line of the file is in a format something like "vt100 tty01". +# +#TTYTYPE_FILE /etc/ttytype + +# +# If defined, login failures will be logged here in a utmp format +# last, when invoked as lastb, will read /var/log/btmp, so... +# +FTMP_FILE /var/log/btmp + +# +# If defined, the command name to display when running "su -". For +# example, if this is defined as "su" then a "ps" will display the +# command is "-su". If not defined, then "ps" would display the +# name of the shell actually being run, e.g. something like "-sh". +# +SU_NAME su + +# +# If defined, file which inhibits all the usual chatter during the login +# sequence. If a full pathname, then hushed mode will be enabled if the +# user's name or shell are found in the file. If not a full pathname, then +# hushed mode will be enabled if the file exists in the user's home directory. +# +HUSHLOGIN_FILE .hushlogin +#HUSHLOGIN_FILE /etc/hushlogins + +# +# *REQUIRED* The default PATH settings, for superuser and normal users. +# +# (they are minimal, add the rest in the shell startup files) +ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin +ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games + +# +# Terminal permissions +# +# TTYGROUP Login tty will be assigned this group ownership. +# TTYPERM Login tty will be set to this permission. +# +# If you have a "write" program which is "setgid" to a special group +# which owns the terminals, define TTYGROUP to the group number and +# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign +# TTYPERM to either 622 or 600. +# +# In Debian /usr/bin/bsd-write or similar programs are setgid tty +# However, the default and recommended value for TTYPERM is still 0600 +# to not allow anyone to write to anyone else console or terminal + +# Users can still allow other people to write them by issuing +# the "mesg y" command. + +TTYGROUP tty +TTYPERM 0600 + +# +# Login configuration initializations: +# +# ERASECHAR Terminal ERASE character ('\010' = backspace). +# KILLCHAR Terminal KILL character ('\025' = CTRL/U). +# UMASK Default "umask" value. +# +# The ERASECHAR and KILLCHAR are used only on System V machines. +# +# UMASK is the default umask value for pam_umask and is used by +# useradd and newusers to set the mode of the new home directories. +# 022 is the "historical" value in Debian for UMASK +# 027, or even 077, could be considered better for privacy +# There is no One True Answer here : each sysadmin must make up his/her +# mind. +# +# If USERGROUPS_ENAB is set to "yes", that will modify this UMASK default value +# for private user groups, i. e. the uid is the same as gid, and username is +# the same as the primary group name: for these, the user permissions will be +# used as group permissions, e. g. 022 will become 002. +# +# Prefix these values with "0" to get octal, "0x" to get hexadecimal. +# +ERASECHAR 0177 +KILLCHAR 025 +UMASK 022 + +# +# Password aging controls: +# +# PASS_MAX_DAYS Maximum number of days a password may be used. +# PASS_MIN_DAYS Minimum number of days allowed between password changes. +# PASS_WARN_AGE Number of days warning given before a password expires. +# +PASS_MAX_DAYS 99999 +PASS_MIN_DAYS 0 +PASS_WARN_AGE 7 + +# +# Min/max values for automatic uid selection in useradd +# +SYS_UID_MAX 999 +UID_MIN 3000 +UID_MAX 60000 +# System accounts +#SYS_UID_MIN 100 +#SYS_UID_MAX 999 + +# +# Min/max values for automatic gid selection in groupadd +# +SYS_GID_MAX 999 +GID_MIN 3000 +GID_MAX 60000 +# System accounts +#SYS_GID_MIN 100 +#SYS_GID_MAX 999 + +# +# Max number of login retries if password is bad. This will most likely be +# overriden by PAM, since the default pam_unix module has it's own built +# in of 3 retries. However, this is a safe fallback in case you are using +# an authentication module that does not enforce PAM_MAXTRIES. +# +LOGIN_RETRIES 5 + +# +# Max time in seconds for login +# +LOGIN_TIMEOUT 60 + +# +# Which fields may be changed by regular users using chfn - use +# any combination of letters "frwh" (full name, room number, work +# phone, home phone). If not defined, no changes are allowed. +# For backward compatibility, "yes" = "rwh" and "no" = "frwh". +# +CHFN_RESTRICT rwh + +# +# Should login be allowed if we can't cd to the home directory? +# Default in no. +# +DEFAULT_HOME yes + +# +# If defined, this command is run when removing a user. +# It should remove any at/cron/print jobs etc. owned by +# the user to be removed (passed as the first argument). +# +#USERDEL_CMD /usr/sbin/userdel_local + +# +# Enable setting of the umask group bits to be the same as owner bits +# (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is +# the same as gid, and username is the same as the primary group name. +# +# If set to yes, userdel will remove the userĀ“s group if it contains no +# more members, and useradd will create by default a group with the name +# of the user. +# +USERGROUPS_ENAB yes + +# +# Instead of the real user shell, the program specified by this parameter +# will be launched, although its visible name (argv[0]) will be the shell's. +# The program may do whatever it wants (logging, additional authentification, +# banner, ...) before running the actual shell. +# +# FAKE_SHELL /bin/fakeshell + +# +# If defined, either full pathname of a file containing device names or +# a ":" delimited list of device names. Root logins will be allowed only +# upon these devices. +# +# This variable is used by login and su. +# +#CONSOLE /etc/consoles +#CONSOLE console:tty01:tty02:tty03:tty04 + +# +# List of groups to add to the user's supplementary group set +# when logging in on the console (as determined by the CONSOLE +# setting). Default is none. +# +# Use with caution - it is possible for users to gain permanent +# access to these groups, even when not logged in on the console. +# How to do it is left as an exercise for the reader... +# +# This variable is used by login and su. +# +#CONSOLE_GROUPS floppy:audio:cdrom + +# +# If set to "yes", new passwords will be encrypted using the MD5-based +# algorithm compatible with the one used by recent releases of FreeBSD. +# It supports passwords of unlimited length and longer salt strings. +# Set to "no" if you need to copy encrypted passwords to other systems +# which don't understand the new algorithm. Default is "no". +# +# This variable is deprecated. You should use ENCRYPT_METHOD. +# +#MD5_CRYPT_ENAB no + +# +# If set to MD5 , MD5-based algorithm will be used for encrypting password +# If set to SHA256, SHA256-based algorithm will be used for encrypting password +# If set to SHA512, SHA512-based algorithm will be used for encrypting password +# If set to DES, DES-based algorithm will be used for encrypting password (default) +# Overrides the MD5_CRYPT_ENAB option +# +# Note: It is recommended to use a value consistent with +# the PAM modules configuration. +# +ENCRYPT_METHOD SHA512 + +# +# Only used if ENCRYPT_METHOD is set to SHA256 or SHA512. +# +# Define the number of SHA rounds. +# With a lot of rounds, it is more difficult to brute forcing the password. +# But note also that it more CPU resources will be needed to authenticate +# users. +# +# If not specified, the libc will choose the default number of rounds (5000). +# The values must be inside the 1000-999999999 range. +# If only one of the MIN or MAX values is set, then this value will be used. +# If MIN > MAX, the highest value will be used. +# +# SHA_CRYPT_MIN_ROUNDS 5000 +# SHA_CRYPT_MAX_ROUNDS 5000 + +################# OBSOLETED BY PAM ############## +# # +# These options are now handled by PAM. Please # +# edit the appropriate file in /etc/pam.d/ to # +# enable the equivelants of them. +# +############### + +#MOTD_FILE +#DIALUPS_CHECK_ENAB +#LASTLOG_ENAB +#MAIL_CHECK_ENAB +#OBSCURE_CHECKS_ENAB +#PORTTIME_CHECKS_ENAB +#SU_WHEEL_ONLY +#CRACKLIB_DICTPATH +#PASS_CHANGE_TRIES +#PASS_ALWAYS_WARN +#ENVIRON_FILE +#NOLOGINS_FILE +#ISSUE_FILE +#PASS_MIN_LEN +#PASS_MAX_LEN +#ULIMIT +#ENV_HZ +#CHFN_AUTH +#CHSH_AUTH +#FAIL_DELAY + +################# OBSOLETED ####################### +# # +# These options are no more handled by shadow. # +# # +# Shadow utilities will display a warning if they # +# still appear. # +# # +################################################### + +# CLOSE_SESSIONS +# LOGIN_STRING +# NO_PASSWORD_CONSOLE +# QMAIL_DIR diff --git a/playbooks/roles/users/files/RedHat/login.defs b/playbooks/roles/users/files/RedHat/login.defs new file mode 100644 index 0000000000..b3f6e5934e --- /dev/null +++ b/playbooks/roles/users/files/RedHat/login.defs @@ -0,0 +1,69 @@ +# +# Please note that the parameters in this configuration file control the +# behavior of the tools from the shadow-utils component. None of these +# tools uses the PAM mechanism, and the utilities that use PAM (such as the +# passwd command) should therefore be configured elsewhere. Refer to +# /etc/pam.d/system-auth for more information. +# + +# *REQUIRED* +# Directory where mailboxes reside, _or_ name of file, relative to the +# home directory. If you _do_ define both, MAIL_DIR takes precedence. +# QMAIL_DIR is for Qmail +# +#QMAIL_DIR Maildir +MAIL_DIR /var/spool/mail +#MAIL_FILE .mail + +# Password aging controls: +# +# PASS_MAX_DAYS Maximum number of days a password may be used. +# PASS_MIN_DAYS Minimum number of days allowed between password changes. +# PASS_MIN_LEN Minimum acceptable password length. +# PASS_WARN_AGE Number of days warning given before a password expires. +# +PASS_MAX_DAYS 99999 +PASS_MIN_DAYS 0 +PASS_MIN_LEN 5 +PASS_WARN_AGE 7 + +# +# Min/max values for automatic uid selection in useradd +# +SYS_UID_MIN 201 +SYS_UID_MAX 499 +UID_MIN 3000 +UID_MAX 60000 + +# +# Min/max values for automatic gid selection in groupadd +# +SYS_GID_MIN 201 +SYS_GID_MAX 499 +GID_MIN 3000 +GID_MAX 60000 + +# +# If defined, this command is run when removing a user. +# It should remove any at/cron/print jobs etc. owned by +# the user to be removed (passed as the first argument). +# +#USERDEL_CMD /usr/sbin/userdel_local + +# +# If useradd should create home directories for users by default +# On RH systems, we do. This option is overridden with the -m flag on +# useradd command line. +# +CREATE_HOME yes + +# The permission mask is initialized to this value. If not specified, +# the permission mask will be initialized to 022. +UMASK 077 + +# This enables userdel to remove user groups if no members exist. +# +USERGROUPS_ENAB yes + +# Use SHA512 to encrypt password. +ENCRYPT_METHOD SHA512 diff --git a/playbooks/roles/users/tasks/main.yaml b/playbooks/roles/users/tasks/main.yaml new file mode 100644 index 0000000000..9e33ce06df --- /dev/null +++ b/playbooks/roles/users/tasks/main.yaml @@ -0,0 +1,49 @@ +- name: Setup login.defs file + copy: + dest: /etc/login.defs + src: '{{ ansible_facts.os_family }}/login.defs' + owner: root + group: root + mode: 0644 + +- name: Delete old users + loop: "{{ disabled_users }}" + user: + name: "{{ item }}" + state: absent + remove: yes + +- name: Add groups + loop: "{{ base_users + extra_users }}" + group: + name: "{{ item }}" + state: present + gid: "{{ all_users[item].gid|default(omit) }}" + when: + - item in all_users + - "'gid' in all_users[item]" + +- name: Add users + loop: "{{ base_users + extra_users }}" + user: + name: "{{ item }}" + state: present + uid: "{{ all_users[item].uid }}" + group: "{{ item }}" + comment: "{{ all_users[item].comment }}" + groups: admin,sudo + shell: /bin/bash + when: + - item in all_users + - "'uid' in all_users[item]" + +- name: Add ssh keys to users + loop: "{{ base_users + extra_users }}" + authorized_key: + user: "{{ item }}" + state: present + key: "{{ all_users[item].key }}" + exclusive: yes + when: + - item in all_users + - "'key' in all_users[item]" diff --git a/playbooks/set-hostnames.yaml b/playbooks/set-hostnames.yaml new file mode 100644 index 0000000000..c781b5fb38 --- /dev/null +++ b/playbooks/set-hostnames.yaml @@ -0,0 +1,4 @@ +- hosts: "{{ target }}" + user: root + roles: + - set-hostname diff --git a/playbooks/set_hostnames.yml b/playbooks/set_hostnames.yml deleted file mode 100644 index 05947d09ae..0000000000 --- a/playbooks/set_hostnames.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -# file: set_hostnames.yml -- hosts: "{{ target }}" - user: root - roles: - - { role: set_hostname }