working with jinga on sshd_config

11-jinga-templates/ansible.cfg

@@ -0,0 +1,5 @@
+[defaults]
+inventory = inventory
+private_key_file = ~/.ssh/hetzner
+
+

11-jinga-templates/host_vars/10.0.0.11.yml

@@ -0,0 +1,7 @@
+webserver_package: httpd
+webserver_service: httpd
+php_package: php
+database_package: mariadb
+database_service: mariadb
+passwd_auth: "no"
+ssh_template_file: sshd_config_el.j2

11-jinga-templates/host_vars/10.0.0.5.yml

@@ -0,0 +1,7 @@
+webserver_package: httpd
+webserver_service: httpd
+php_package: php
+database_package: mariadb
+database_service: mariadb
+passwd_auth: "no"
+ssh_template_file: sshd_config_el.j2

11-jinga-templates/host_vars/10.0.0.7.yml

@@ -0,0 +1,7 @@
+webserver_package: apache2
+webserver_service: apache2
+php_package: libapache2-mod-php
+database_package: mariadb-server
+database_service: mariadb-server
+passwd_auth: "no"
+ssh_template_file: sshd_config_debian.j2

11-jinga-templates/host_vars/10.0.0.8.yml

@@ -0,0 +1,7 @@
+webserver_package: apache2
+webserver_service: apache2
+php_package: libapache2-mod-php
+database_package: mariadb-server
+database_service: mariadb-server
+passwd_auth: "no"
+ssh_template_file: sshd_config_debian.j2

11-jinga-templates/inventory

@@ -0,0 +1,8 @@
+[web_servers]
+10.0.0.7
+10.0.0.8
+
+
+[db_servers]
+10.0.0.5
+10.0.0.11

11-jinga-templates/roles/base/handlers/main.yml

@@ -0,0 +1,4 @@
+- name: restart_sshd
+  service:
+    name: sshd
+    state: restarted

11-jinga-templates/roles/base/tasks/main.yml

@@ -0,0 +1,42 @@
+- name: Install common packages
+  package:
+    name:
+      - htop
+      - neofetch
+
+- name: Add lfultz account
+  tags: lfultz
+  user:
+    name: lfultz
+    comment: Logan Fultz
+    uid: 1040      
+    groups: root
+    append: yes
+    shell: /bin/bash
+    generate_ssh_key: yes
+    ssh_key_bits: 2048
+    ssh_key_file: .ssh/id_rsa
+
+- name: Add lfultz group
+  tags: group
+  group: 
+    name: lfultz
+    state: present
+    gid: 1040
+
+- name: Add cfultz ssh key
+  tags: ssh_keys
+  authorized_key:
+    user: cfultz
+    state: present
+    key: "{{ lookup('url', 'https://git.cfultz.wtf/cfultz.keys', split_lines=False) }}"
+
+- name: Update sshd_config for key auth only
+  tags: key_auth
+  template:
+    src: "{{ ssh_template_file  }}"
+    dest: /etc/ssh/sshd_config
+    owner: root
+    group: root
+    mode: 0644
+  notify: restart_sshd

11-jinga-templates/roles/base/templates/sshd_config_debian.j2

@@ -0,0 +1,117 @@
+# Include drop-in configurations
+Include /etc/ssh/sshd_config.d/*.conf
+
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/bin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+#PermitRootLogin prohibit-password
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile	.ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication {{ passwd_auth }}
+#PermitEmptyPasswords no
+
+# Change to no to disable s/key passwords
+#KbdInteractiveAuthentication yes
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the KbdInteractiveAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via KbdInteractiveAuthentication may bypass
+# the setting of "PermitRootLogin prohibit-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and KbdInteractiveAuthentication to 'no'.
+#UsePAM no
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+#X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# override default of no subsystems
+Subsystem	sftp	/usr/lib/ssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#	X11Forwarding no
+#	AllowTcpForwarding no
+#	PermitTTY no
+#	ForceCommand cvs server

11-jinga-templates/roles/base/templates/sshd_config_el.j2

@@ -0,0 +1,117 @@
+# Include drop-in configurations
+Include /etc/ssh/sshd_config.d/*.conf
+
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/bin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+#PermitRootLogin prohibit-password
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile	.ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication {{ passwd_auth }}
+#PermitEmptyPasswords no
+
+# Change to no to disable s/key passwords
+#KbdInteractiveAuthentication yes
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the KbdInteractiveAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via KbdInteractiveAuthentication may bypass
+# the setting of "PermitRootLogin prohibit-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and KbdInteractiveAuthentication to 'no'.
+#UsePAM no
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+#X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# override default of no subsystems
+Subsystem	sftp	/usr/lib/ssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#	X11Forwarding no
+#	AllowTcpForwarding no
+#	PermitTTY no
+#	ForceCommand cvs server

11-jinga-templates/roles/db_servers/tasks/main.yml

@@ -0,0 +1,5 @@
+---
+- name: install mariadb package on db servers
+  package: 
+    name: "{{ database_package }}"
+    state: latest

11-jinga-templates/roles/web_servers/files/default_site.html

@@ -0,0 +1,11 @@
+<html>
+
+   <head>
+     <title>Ansible Course</title>
+   </head>
+<body>
+
+    <p> Good evening, Caleb! </p>
+
+</body>
+</html>

11-jinga-templates/roles/web_servers/handlers/main.yml

@@ -0,0 +1,4 @@
+- name: restart_apache
+  service:
+    name: "{{ webserver_package}}"
+    state: restarted

11-jinga-templates/roles/web_servers/tasks/main.yml

@@ -0,0 +1,17 @@
+---
+- name: Install apache on web servers
+  tags: apache
+  package:
+    name: 
+      - "{{ webserver_package }}"
+      - "{{ php_package }}"
+  
+- name: Copy html file
+  tags: website
+  copy: 
+    src: default_site.html
+    dest: /var/www/html/index.html
+    owner: root
+    group: root
+    mode: 0644
+  notify: restart_apache

11-jinga-templates/site.yml

@@ -0,0 +1,35 @@
+---
+- hosts: all
+  become: true
+  pre_tasks:
+
+    - name: install updates for RHEL distros
+      tags: always
+      package:
+        update_only: yes
+        update_cache: yes
+      when: ansible_os_family == "RedHat"
+
+    - name: install updates for Debian distros
+      tags: always
+      package:
+        upgrade: dist
+        update_cache: yes
+      when: ansible_os_family == "Debian"
+
+- hosts: all
+  become: true
+  roles: 
+    - base
+
+- hosts: web_servers
+  become: true
+  tags: web
+  roles: 
+    - web_servers
+  
+- hosts: db_servers
+  tags: db,
+  become: true
+  roles: 
+    - db_servers