initial

roles/base/defaults/main.yml

@@ -0,0 +1,5 @@
+---
+users: []
+locale:
+  LC_CTYPE: fi_FI.UTF-8
+  LANG: en_US.UTF-8

roles/base/files/etc/ntp.conf

@@ -0,0 +1,6 @@
+driftfile /var/lib/ntp/ntp.drift
+
+server 0.pool.ntp.org
+server 1.pool.ntp.org
+server 2.pool.ntp.org
+server 3.pool.ntp.org

roles/base/files/etc/sshd_config

@@ -0,0 +1,47 @@
+Port 22
+Protocol 2
+
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 768
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication
+LoginGraceTime 120
+PermitRootLogin no
+StrictModes yes
+
+RSAAuthentication no
+PubkeyAuthentication yes
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+
+RhostsRSAAuthentication no
+HostbasedAuthentication no
+
+PermitEmptyPasswords no
+ChallengeResponseAuthentication no
+PasswordAuthentication no
+
+X11Forwarding no
+TCPKeepAlive yes
+
+UseLogin no
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+UsePAM no

roles/base/files/etc/timezone

@@ -0,0 +1 @@
+Etc/UTC

roles/base/files/ssh/codeship.pub

@@ -0,0 +1,3 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFt3BBb3Rs/O/cpdRj7eeYbCpxR72c3xMmMUO4Rn/MtNZIdZJjxKcO3xUIJnugOyiaYGDGM5mw7rVO+cs9dHjQInoDYrawJRhGZ5aiYyA/4uJor8N17IhwVARQOFdWqcex9q36OCsAqIWUeiVKw07JqAJqFbPd5fpP8JczRIKBHChGfWuXj9ChQDpABKDHAcvYqQFJLwldgSg0oeweairaVLFqYxH3Uy37+LUviSBBX707mk8+Uz7E2JUv/M+9/HZ/XPkC4E3nQZKaYh0Abxgm5aQo309TGAzxIQZ4kSLka7jjEiChqu5xupo8y1PvVgdaShwWRm6HdoQtmaHmOJyB Codeship/koodiklinikka/koodiklinikka.fi
+
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCjQzuhknObgjRNYZljb4CtB4xO7Bu2Gb/OjA4iKOFBDEsyynZOKJsXAA8v/8r+dUlv6TxXqZBL5H5uVKpmk2SwglAriLrN32bdvfAj5S+MrcrcRxwqT7Gq27Ilc8QF8qaLqPn1GZXDQFGkyz+Rel8oDP7ZdYn7uAeszjZZRqSi+Jyb27YmIuYU3OrBoU6JoHuQzT6kjFvbsu3tCozXc/pt/jIxkC1qPBvB2HWmaNb93MckjR57VO0NcI9TZLFrqJxxRajxE96MYuao0Kh/VbaLIQlvr46vulx0NfbqutlcAH3luKzuvZlhYWt+iIrcBjePtgcOBUxy8iNFRwYYBPgd Codeship/koodiklinikka/koodiklinikka.fi-api

roles/base/files/ssh/janne.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQChQcArLHSSndZLkXEUK9CjHY9vRt60OS+ZoyyhPrHA2WEslke6Jc40n8xsIlZktToYnPiI6gq8E4//ricY5T6u/mLAGuyGtUq9RLQXrIibP+g4jboLuomw/OaykXGAHmD5JN/TP3I0bD9S8aWRVsFQr5dtBPVpwiXV8we0KiMndURwjdFKIIm/egYX9bFG3OLhFr4QCoIrjQ1SpQWR2jztXx52ajhbhycx9Ih2hPeVubwjcUmg2wSb09LSD85lReEGdscHnCGChA8JppiW9H+cFSPA3v52YU3S+T/pW4w8YdCGB8obcrhB5zwn801dguyoPxv7XgQsjIdKpDauE1Ap janne@kallunki.org

roles/base/files/ssh/lauri.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAlxwDg8CMsVuJ6MqkM7j1QPr+nsFP8b9Jk9XgdZhdzl2VtZHUBPMFJ9evxDOflO7GA0AE48/agkgKzElOYxGSbMX0NwwUf8B2zPpcB52bYEkiQ357qzh3PLREziGD80F2QI+xkIC6DTetuZRm8C2xaAkLlIa64NcdV4pW7kzC010= lauri@nuutinen.us

roles/base/files/ssh/n1ko.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAPULw/4vRl1fblbHFpHVQdilzz7eEbGn9UAnca0jaUZmkItyC38azjYtbQYJ+Yvo1DYdqvmkuC40dJgVtbDsAgpZ8owKH/G4Rxfdb/UM6Vl0Jb6Y5eimXUcS0Ybu5VpEclYt9SfqCF2pKezG8wH+VXHqVzCzWUoxCcDOEzY4emYWRl9jtfZiGYlbEWDmJZRaQzZU+XRHEBhVtQ5ndNUEIKFAtnYSUDMdWPy9s1lvfWRJTNVHrhZlXO0BS1UEoiSFupzOO83BZ/JgW5E9WLkRslFfjICmB0iuDBusQb6KazSCTGAvXuLtIJzOtiKfZLqhynbg2+90TKrLB8EBOh0DJ

roles/base/files/ssh/riku.pub

@@ -0,0 +1,2 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDWIF63S4f3z9wQMvWibmvl7MPuJ6EVrkP0HuvgNhcs/4DZYMcR/GRBvV4ldOSYMlBevIXycgGzNDxKJgENUuwIWanjBu7uVAHyD6+cIRD1h63qq7Cjv/2HYTfBDKOrKzPOhA6zWvKO0ZGWsjRXk5LWMCbKOkvKJCxOpj/NVBxeE4FTK5YADYPV3OSsmBtqTHrVLm2sMmShU/2hMYYswWkobidjX65+nK/X+3C+yJbHwiydVvn+QCrFlFfCLPWKe8rUpOxyxofPqWVQh6CHhHfT8okaOc9sOE8Qeip9ljo84DftJh3Xm3ynOdWK1hH2BvRvxNadWqcE1qECbkg4tx2x riku.rouvila@gmail.com
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDXw2RhJiPlvs+PN953MxPikikCa/S4euPPSoCPBCF7flWhQjp2M1SnfDffVP05zuefXdH1STX5DOuW7CQpS0moS/Y6LLgho6zaU2qNMVc2tvNK59Tdek5fNXEyZrnAOqPiIfHgdAiQVZFIte2PAlnGiMIBqdkVYoUEv9IKoHxS0wRkcJ9iF25l66yY35CB9CM62K1xnaoUW0p8fSm+naCx0lbsoPhUxmRUpdIvebAV78EZsBw7CjJ5fFrzmf9v6KNsMDVE0GdNLmMkeF3hF4VXXGrUzGQjZCHTaownpts/y/BsVO8VO24bL1ZkeQ5duyZ5wHfWfBmNdfyPXzU/0DoR riku.rouvila@gmail.com

roles/base/files/ssh/ville.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC66ZMAqPwNx1jthNYOAlIo+nKYN4crQp9m4Q2cDiyJRIB1d3/iqtqhXG5SUcfQXHQnmWO9d/Oe0fNTmdsIz7njPsmabfEkl/NtRse6Kfc/l9MEHcdCc3KVur0zTSRF4Hm9sU75/59kPJZ8ad5BdhbrgqyNJOljZDp7i/3PLZtTavy9aXrX8C5e6Q7pAuK9pjtNevknl+kbbJn5v1kYIeH4x0kFH9O+VcVE6tzUJSjaLzpQ+e1C/4+m3V7qzcrDfDE79yfJ4qEeMiVtQiLujIA/7HMHvzt/z1M5CMF/Ixg+v0l4JNcnYZZkYN3EX9A8f0OW17spmKOrWvlbKBC5SlgH ville@www1.daa.fi

roles/base/handlers/main.yml

@@ -0,0 +1,9 @@
+---
+- name: restart sshd
+  service: name=ssh state=restarted
+
+- name: update tzdata
+  command: dpkg-reconfigure --frontend noninteractive tzdata
+
+- name: restart ntpd
+  command: service ntp restart

roles/base/tasks/locale.yml

@@ -0,0 +1,18 @@
+---
+- command: grep LC_CTYPE={{ locale.LC_CTYPE }} /etc/default/locale
+  register: lc_ctype
+  changed_when: False
+  ignore_errors: True
+
+- command: grep LANG={{ locale.LANG }} /etc/default/locale
+  register: lang
+  changed_when: False
+  ignore_errors: True
+
+- name: Create locales
+  command: locale-gen {{ locale.LC_CTYPE }} {{ locale.LANG }}
+  when: lc_ctype|failed or lang|failed
+
+- name: Set LC_CTYPE=fi_FI.UTF-8 and LANG=en_US.UTF-8
+  command: update-locale LC_CTYPE={{ locale.LC_CTYPE }} LANG={{ locale.LANG }}
+  when: lc_ctype|failed or lang|failed

roles/base/tasks/main.yml

@@ -0,0 +1,9 @@
+---
+- include: locale.yml tags=base,locale
+- include: users.yml tags=base,users
+- include: packages.yml tags=base,packages
+- include: sudo.yml tags=base,sudo
+- include: sshd.yml tags=base,ssh
+- include: ufw.yml tags=base,ufw
+- include: ntp.yml tags=base,ntp
+- include: timezone.yml tags=base,timezone

roles/base/tasks/ntp.yml

@@ -0,0 +1,7 @@
+---
+- name: Install ntp
+  apt: pkg=ntp state=present
+
+- name: Copy ntp.conf
+  copy: src=etc/ntp.conf dest=/etc/ntp.conf
+  notify: restart ntpd

roles/base/tasks/packages.yml

@@ -0,0 +1,11 @@
+---
+- name: install basic packages
+  apt: >
+    pkg={{ item }}
+    state=present
+  with_items:
+    - screen
+    - vim
+    - git
+    - htop
+    - wget

roles/base/tasks/sshd.yml

@@ -0,0 +1,7 @@
+---
+- name: configure sshd
+  copy: >
+    src=etc/sshd_config
+    dest=/etc/ssh/sshd_config
+    validate='/usr/sbin/sshd -T -f %s'
+  notify: restart sshd

roles/base/tasks/sudo.yml

@@ -0,0 +1,8 @@
+---
+- name: setup sudo
+  lineinfile: >
+    dest=/etc/sudoers
+    state=present
+    regexp='^%admin ALL\='
+    line='%admin ALL=(ALL) NOPASSWD:ALL'
+    validate='visudo -cf %s'

roles/base/tasks/timezone.yml

@@ -0,0 +1,4 @@
+---
+- name: set /etc/timezone to Etc/UTC
+  copy: src=etc/timezone dest=/etc/timezone
+  notify: update tzdata

roles/base/tasks/ufw.yml

@@ -0,0 +1,9 @@
+---
+- name: Enable firewall
+  ufw: state=enabled policy=allow
+
+- name: Allow tcp/22 for SSH
+  ufw: rule=allow port=22 proto=tcp
+
+- name: Reject other ports
+  ufw: rule=reject

roles/base/tasks/users.yml

@@ -0,0 +1,17 @@
+---
+- name: create admin group
+  group: name=admin state=present
+
+- name: create users
+  user: >
+    name={{ item.name }}
+    groups=admin
+    shell=/bin/bash
+    password={{ item.password }}
+  with_items: users
+
+- name: set authorized keys
+  authorized_key: >
+    user='{{ item.name }}'
+    key='{{lookup('file', item.public_key)}}'
+  with_items: users