Add general core server configuration

ansible/core.yml

@@ -0,0 +1,5 @@
+---
+- hosts: core
+  become: yes
+  roles:
+  - core

ansible/roles/core/README.md

@@ -0,0 +1,38 @@
+Role Name
+=========
+
+A brief description of the role goes here.
+
+Requirements
+------------
+
+Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+
+Role Variables
+--------------
+
+A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+
+Dependencies
+------------
+
+A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+
+Example Playbook
+----------------
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+    - hosts: servers
+      roles:
+         - { role: username.rolename, x: 42 }
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+An optional section for the role authors to include contact information, or a website (HTML is not allowed).

ansible/roles/core/defaults/main.yml

@@ -0,0 +1,9 @@
+---
+packages: [git, vim, ssh]
+ssh_port: 22
+auth_methods: "publickey,keyboard-interactive"
+git_email: "user@domain.com"
+git_name: "First Last"
+hostname: "localhost"
+domain_name: "www.localhost.com"
+

ansible/roles/core/files/.gitconfig

@@ -0,0 +1,3 @@
+[user]
+	email = "{{ git_email }}"
+	name = "{{ git_name }}"

ansible/roles/core/files/motd

@@ -0,0 +1,7 @@
+//  ██╗  ██╗█████╗██████╗██████╗█████████████╗
+//  ██║ ██╔██╔══████╔══████╔══████╔════██╔══██╗
+//  █████╔╝█████████████╔██████╔█████╗ ██████╔╝
+//  ██╔═██╗██╔══████╔═══╝██╔═══╝██╔══╝ ██╔══██╗
+//  ██║  ████║  ████║    ██║    █████████║  ██║
+//  ╚═╝  ╚═╚═╝  ╚═╚═╝    ╚═╝    ╚══════╚═╝  ╚═╝
+// Host: {{ hostname }} - {{ domain_name }}

ansible/roles/core/files/setup-vim.sh

@@ -0,0 +1,61 @@
+#!/bin/bash
+# Author: Shaun Reed | Contact: shaunrd0@gmail.com | URL: www.shaunreed.com ##
+## A custom bash script to configure vim with my preferred settings          ##
+## Run as user with sudo within directory to store / stash .vimrc configs    ##
+###############################################################################
+
+
+printf "\nUpdating, upgrading required packages...\n"
+sudo apt -y update && sudo apt -y upgrade
+sudo apt install vim git 
+
+# Clone klips repository in a temp directory
+git clone https://github.com/shaunrd0/klips temp/
+# Relocate the files we need and remove the temp directory
+mkdir -pv /etc/config-vim
+mv -fuv temp/README.md /etc/config-vim/ && mv -fuv temp/configs/.vimrc* /etc/config-vim/
+rm -Rf temp/
+printf "\n${GREEN}Klips config files updated"\
+  "\nSee $PWD/etc/config-vim/README.md for more information.${NORMAL}\n\n"
+
+# Create backup dir for .vimrc
+mkdir -pv /etc/config-vim/backup/
+printf "\n${GREEN}Backup directory created - $PWD/etc/config-vim/backup/${NORMAL}\n"
+
+# Stash the current .vimrc
+mv -bv /home/kansible/.vimrc /etc/config-vim/backup/
+printf "${RED}Your local .vimrc has been stashed in $PWD/etc/config-vim/backup/${NORMAL}\n\n"
+
+# Copy our cloned config into the user home directory
+cp /etc/config-vim/.vimrc /home/kansible/
+printf "${GREEN}New /home/kansible/.vimrc configuration installed.${NORMAL}\n"
+
+# Reinstall Pathogen plugin manager for vim
+# https://github.com/tpope/vim-pathogen
+printf "\n${RED}Removing any previous installations of Pathogen...${NORMAL}\n"
+sudo rm -f /home/kansible/.vim/autoload/pathogen.vim
+
+# Install Pathogen
+printf "\n${GREEN}Installing Pathogen plugin manager for Vim....\n"\
+  "\nIf they don't exist, we will create the following directories:\n"\
+  "/home/kansible/.vim/autoload/    ~/.vim/bundle/${NORMAL}"
+mkdir -pv /home/kansible/.vim/autoload ~/.vim/bundle && \
+  sudo curl -LSso /home/kansible/.vim/autoload/pathogen.vim https://tpo.pe/pathogen.vim
+printf "\n${GREEN}Pathogen has been installed! Plugins plugins can now be easily installed.\n"\
+  "Clone any plugin repositories into /home/kansible/.vim/bundles${NORMAL}\n"
+
+# Remove any plugins managed by this config tool (Klips)
+printf "\n${RED}Removing plugins installed by this tool...${NORMAL}\n"
+sudo rm -R /home/kansible/.vim/bundle/*
+
+# Clone plugin repos into pathogen plugin directory 
+printf "\n${GREEN}Installing updated plugins...${NORMAL}\n"
+git clone https://github.com/ervandew/supertab /home/kansible/.vim/bundle/supertab && \
+  printf "\n${GREEN}Supertab plugin has been installed${NORMAL}\n\n" && \
+  git clone https://github.com/xavierd/clang_complete /home/kansible/.vim/bundle/clang_complete && \
+  printf "\n${GREEN}Clang Completion plugin has been installed${NORMAL}\n\n"
+vimConf=( "\n${UNDERLINE}Vim has been configured with the Klips repository.${NORMAL}" \
+  "\nConfiguration Changes: " )
+printf '%b\n' "${vimConf[@]}"
+sudo cat /etc/klips/configs/.vimrc-README
+

ansible/roles/core/files/sshd

@@ -0,0 +1,71 @@
+# PAM configuration for the Secure Shell service
+
+
+# Allow specified users to bypass any further PAM settings
+auth sufficient pam_listfile.so item=user sense=allow file=/etc/authusers
+
+# Prompt for YubiKey first, to gate off all other auth methods
+auth required pam_yubico.so id=12345 id key=gbsdS8adW\OsBfdsZhga12Z2AT34Q+saM= key authfile=/etc/ssh/authorized_yubikeys
+
+# Prompt for the local password associated with user attempting login
+# nullok allows for empty passwords, though it is not recommended.
+auth required pam_unix.so nullok
+
+# If /etc/nologin exists, do not allow users to login
+# Outputs content of /etc/nologin and denies auth attempt
+auth required pam_nologin.so
+
+
+# Standard Un*x authentication.
+#@include common-auth
+
+# Disallow non-root logins when /etc/nologin exists.
+account    required     pam_nologin.so
+
+# Uncomment and edit /etc/security/access.conf if you need to set complex
+# access limits that are hard to express in sshd_config.
+# account  required     pam_access.so
+
+# Standard Un*x authorization.
+@include common-account
+
+# SELinux needs to be the first session rule.  This ensures that any
+# lingering context has been cleared.  Without this it is possible that a
+# module could execute code in the wrong domain.
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close
+
+# Set the loginuid process attribute.
+session    required     pam_loginuid.so
+
+# Create a new session keyring.
+session    optional     pam_keyinit.so force revoke
+
+# Standard Un*x session setup and teardown.
+@include common-session
+
+# Print the message of the day upon successful login.
+# This includes a dynamically generated part from /run/motd.dynamic
+# and a static (admin-editable) part from /etc/motd.
+session    optional     pam_motd.so  motd=/run/motd.dynamic
+session    optional     pam_motd.so noupdate
+
+# Print the status of the user's mailbox upon successful login.
+session    optional     pam_mail.so standard noenv # [1]
+
+# Set up user limits from /etc/security/limits.conf.
+session    required     pam_limits.so
+
+# Read environment variables from /etc/environment and
+# /etc/security/pam_env.conf.
+session    required     pam_env.so # [1]
+# In Debian 4.0 (etch), locale-related environment variables were moved to
+# /etc/default/locale, so read that as well.
+session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale
+
+# SELinux needs to intervene at login time to ensure that the process starts
+# in the proper default security context.  Only sessions which are intended
+# to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open
+
+# Standard Un*x password updating.
+@include common-password

ansible/roles/core/files/sshd_config

@@ -0,0 +1,15 @@
+Port {{ ssh_port }}
+AuthenticationMethods {{ auth_methods }}
+PermitRootLogin no
+PasswordAuthentication no
+ChallengeResponseAuthentication yes
+UsePAM yes
+X11Forwarding yes
+PrintMotd no
+AcceptEnv LANG LC_*
+Subsystem       sftp    /usr/lib/openssh/sftp-server
+
+
+Match User kansible LocalPort {{ ssh_port }}
+  PasswordAuthentication no
+  AuthenticationMethods publickey

ansible/roles/core/handlers/main.yml

@@ -0,0 +1,4 @@
+---
+# handlers file for /etc/ansible/roles/core
+- name: restart ssh
+  service: name=ssh state=restarted

ansible/roles/core/meta/main.yml

@@ -0,0 +1,53 @@
+galaxy_info:
+  author: Shaun Reed
+  description: Template for core configuration of my servers
+  company: (optional)
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  # Choose a valid license ID from https://spdx.org - some suggested licenses:
+  # - BSD-3-Clause (default)
+  # - MIT
+  # - GPL-2.0-or-later
+  # - GPL-3.0-only
+  # - Apache-2.0
+  # - CC-BY-4.0
+  license: license (GPL-2.0-or-later, MIT, etc)
+
+  min_ansible_version: 2.4
+
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+
+  #
+  # Provide a list of supported platforms, and for each platform a list of versions.
+  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+  # To view available platforms and versions (or releases), visit:
+  # https://galaxy.ansible.com/api/v1/platforms/
+  #
+  # platforms:
+  # - name: Fedora
+  #   versions:
+  #   - all
+  #   - 25
+  # - name: SomePlatform
+  #   versions:
+  #   - all
+  #   - 1.0
+  #   - 7
+  #   - 99.99
+
+  galaxy_tags: []
+    # List tags for your role here, one per line. A tag is a keyword that describes
+    # and categorizes the role. Users find roles by searching for tags. Be sure to
+    # remove the '[]' above, if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+    #       Maximum 20 tags per role.
+
+dependencies: []
+  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+  # if you add dependencies to this list.
+  

ansible/roles/core/tasks/configure-git.yml

@@ -0,0 +1,4 @@
+---
+- name: Configure Git
+  template: src=files/.gitconfig dest=~/.gitconfig
+

ansible/roles/core/tasks/configure-ssh.yml

@@ -0,0 +1,25 @@
+---
+- name: Copy server MOTD
+  template: src=files/motd dest=/etc/motd
+
+- name: Configure PAM
+  template: src=files/sshd dest=/etc/pam.d/sshd
+
+- name: Add authusers file
+  copy:
+    dest: "/etc/authusers"
+    content: |
+      user1
+      user2
+
+- name: Add authorized_yubikeys file
+  copy:
+    dest: "/etc/ssh/authorized_yubikeys"
+    content: |
+      user:cccckey1cccc:cccckey2cccc
+
+- name: Copy ssh configuration file
+  template: src=files/sshd_config dest=/etc/ssh/sshd_config
+  notify:
+  - restart ssh
+

ansible/roles/core/tasks/configure-vim.yml

@@ -0,0 +1,10 @@
+---
+- name: Clone github.com/shaunrd0/klips
+  git:
+    repo: https://github.com/shaunrd0/klips.git
+    clone: yes
+    dest: /etc/klips/ 
+
+- name: Vim setup script
+  script: /etc/ansible/roles/core/files/setup-vim.sh
+

ansible/roles/core/tasks/install-apps.yml

@@ -0,0 +1,4 @@
+---
+- name: Install packages
+  apt: name="{{ item }}" state=latest
+  with_items: "{{ packages }}"

ansible/roles/core/tasks/main.yml

@@ -0,0 +1,17 @@
+---
+# tasks file for /etc/ansible/roles/core
+#
+
+# Install preferred apps
+- import_tasks: install-apps.yml
+
+# SSH
+- import_tasks: configure-ssh.yml
+- import_tasks: service-ssh.yml
+
+# Git
+- import_tasks: configure-git.yml
+
+# Vim
+- import_tasks: configure-vim.yml
+

ansible/roles/core/tasks/service-ssh.yml

@@ -0,0 +1,3 @@
+---
+- name: Start and enable ssh service
+  service: name=ssh state=restarted enabled=yes