Initial Commit

README.md

@@ -0,0 +1,13 @@
+# linuxws2122 - Ansible
+
+Setup gateway and client vm via ansible.
+
+- Adapt IP-Adresse of the client and gateway VM in host_vars.
+- Adapt name of the interfaces for booth VMs in host_vars.
+- Configure your Router (Fritz!Box, SpeedPort, ect) to route traffic for
+  192.168.181.0/24 via gateway.
+
+```bash
+ansible-playbook -i hosts.yaml gateway.linuxws2122.de.yaml
+ansible-playbook -i hosts.yaml client.linuxws2122.de.yaml
+```

ansible.cfg

@@ -0,0 +1,3 @@
+[default]
+inventory = hosts.yaml
+roles_path = roles

client.linuxws2122.de.yaml

@@ -0,0 +1,13 @@
+---
+
+- name: setup client.linuxws2122.de
+  hosts: client.linuxws2122.de
+  remote_user: root
+  roles:
+  - { role: common }
+  - { role: networking }
+  - { role: hostname }
+  - { role: sshd }
+  - { role: unix_users }
+  - { role: sudo_users }
+  - { role: vim }

gateway.linuxws2122.de.yaml

@@ -0,0 +1,14 @@
+---
+- name: setup gateway.linuxws2122.de
+  hosts: gateway.linuxws2122.de
+  remote_user: root
+  roles:
+  - { role: common }
+  - { role: networking }
+  - { role: hostname }
+  - { role: sshd }
+  - { role: unix_users }
+  - { role: sudo_users }
+  - { role: vim }
+  - { role: sysctl }
+  - { role: bind_dhcp }

group_vars/all/ansible.yml

@@ -0,0 +1,5 @@
+---
+ansible_connection: ssh
+ansible_ssh_user: root
+ansible_ssh_pass: linuxws2122
+ansible_ssh_extra_args: "-o PubkeyAuthentication=no -o PasswordAuthentication=yes"

group_vars/all/sudo_users.yaml

@@ -0,0 +1,7 @@
+---
+
+sudo_users:
+- root
+- linuxws2122
+
+sudo_without_password: true

group_vars/all/unix_users.yaml

@@ -0,0 +1,16 @@
+---
+
+unix_groups:
+- linuxws2122
+
+unix_users:
+  linuxws2122:
+    name: "linuxws2122"
+    ssh_key: markus@markus-pc.pub
+    additional_ssh_keys:
+    - name: markus@markus-nb.pub
+      hosts:
+      - all
+    shell: /bin/bash
+    main_group: linuxws2122
+    password: "linuxws2122"

group_vars/all/vim_users.yaml

@@ -0,0 +1,6 @@
+---
+vim_users:
+- user: root
+  branch: no-plugins
+- user: linuxws2122
+  branch: no-plugins

host_vars/client.linuxws2122.de.yaml

@@ -0,0 +1,20 @@
+---
+ansible_host: 192.168.179.73
+
+networking:
+- type: "ethernet"
+  filename: "10-enp1s0.network"
+  interface: "enp1s0"
+  route_metric: "10"
+  dhcp: true
+- type: "ethernet"
+  filename: "10-enp2s0.network"
+  interface: "enp2s0"
+  route_metric: "20"
+  dhcp: false
+  ipv4_address: "192.168.179.251"
+  ipv4_netmask: "/24"
+  ipv4_gateway: "192.168.179.1"
+  ipv6_ignore_ra: true
+  dns_servers:
+  - "192.168.179.12"

host_vars/gateway.linuxws2122.de.yaml

@@ -0,0 +1,116 @@
+---
+ansible_host: 192.168.179.117
+
+networking:
+- type: "ethernet"
+  filename: "10-enp1s0.network"
+  interface: "enp1s0"
+  route_metric: "10"
+  dhcp: false
+  ipv4_address: "192.168.179.250"
+  ipv4_netmask: "/24"
+  ipv4_gateway: "192.168.179.1"
+  ipv6_ignore_ra: true
+  dns_servers:
+  - "192.168.179.12"
+- type: "ethernet"
+  filename: "10-enp2s0.network"
+  interface: "enp2s0"
+  route_metric: "20"
+  dhcp: false
+  ipv4_address: "192.168.181.1"
+  ipv4_netmask: "/24"
+  ipv4_gateway: ""
+  ipv6_ignore_ra: true
+  dns_servers:
+  - "192.168.181.1"
+
+
+dhcpd_keys:
+- name: dyndns
+  algorithm: hmac-sha256
+  secret: "KS8hRpqgCk0UKQRD3eBbxriXkTt6ePr0tQ7bUUcwX+o="
+
+dhcpd_zones:
+- name: linuxws2122.de
+  primary: "192.168.181.1"
+  key: dyndns
+- name: 181.168.192.in-addr.arpa
+  primary: "192.168.181.1"
+  key: dyndns
+
+dhcpd_interface: "enp2s0"
+dhcpd_network_start: "192.168.181.0"
+dhcpd_network_netmask: "255.255.255.0"
+dhcpd_network_range: 192.168.181.20 192.168.181.200
+
+dhcpd_ddns_domainname: linuxws2122.de
+
+dhcpd_default_lease_time: "43200"
+dhcpd_max_lease_time: "86400"
+dhcpd_min_lease_time: "21600"
+
+dhcpd_option_broadcast_address: "192.168.181.255"
+dhcpd_option_domain_name: linuxws2122.de
+dhcpd_option_domain_name_servers: "192.168.181.1"
+dhcpd_option_routers: "192.168.181.1"
+dhcpd_option_subnet_mask: "255.255.255.0"
+
+
+bind9_global_allow_query:
+- 192.168.179.0/24
+- 192.168.181.0/24
+
+bind9_keys:
+- name: dyndns
+  algorithm: hmac-sha256
+  secret: KS8hRpqgCk0UKQRD3eBbxriXkTt6ePr0tQ7bUUcwX+o=
+
+bind9_listen_on_ipv4:
+- "192.168.181.1"
+
+bind9_listen_on_ipv6: []
+
+bind9_forward_zones:
+- allow_query:
+  - any
+  allow_update:
+  - dyndns
+  type: master
+  origin: linuxws2122.de.
+  ttl: "3600"
+  records:
+  - name: "@\t\t" # \t only for indention
+    class: IN
+    type: SOA
+    value: "gateway.linuxws2122.de. hostmaster.linuxws2122.de. 2021121000 86400 7200 604800 3600"
+  - name: "\t\t" # \t only for indention
+    class: IN
+    type: NS
+    value: gateway
+  - name: "gateway\t\t" # \t only for indention
+    class: IN
+    type: A
+    value: 192.168.181.1
+
+bind9_reverse_zones:
+- allow_query:
+  - any
+  allow_update:
+  - dyndns
+  type: master
+  origin: 181.168.192.IN-ADDR.ARPA.
+  ttl: "3600"
+  records:
+  - name: "@\t\t" # "\t" only for indention
+    class: IN
+    type: SOA
+    value: "gateway.linuxws2122.de. hostmaster.linuxws2122.de. 2021121000 86400 7200 604800 3600"
+  - name: "\t\t" # "\t" only for indention
+    class: IN
+    type: NS
+    value: gateway.linuxws2122.de.
+  - name: "1\t\t" # "\t" only for indention
+    class: IN
+    type: PTR
+    value: gateway.linuxws2122.de.

hosts.yaml

@@ -0,0 +1,11 @@
+all:
+  hosts:
+    client.linuxws2122.de:
+    gateway.linuxws2122.de:
+  children:
+    client:
+      hosts:
+        client.linuxws2122.de:
+    gateway:
+      hosts:
+        gateway.linuxws2122.de:

pubkeys/markus@markus-nb.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJUTcUBb+55jRY9TkpLgm8K/8nJfEXyjEX8zljdCCRpi markus@markus-nb

pubkeys/markus@markus-pc.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPOydCxv9/tAV7AdS2HsUIEu547Z5qUJnWYwiO7rI9YL markus@markus-pc

roles/bind_dhcp/defaults/main.yaml

@@ -0,0 +1,90 @@
+---
+
+# dhcpd_interface: "enp7s0"
+# dhcpd_network_start: "192.168.181.0"
+# dhcpd_network_netmask: "255.255.255.0"
+# dhcpd_network_range: "192.168.181.20 192.168.181.200"
+
+# dhcpd_default_lease_time: "43200"
+# dhcpd_max_lease_time: "2168640000"
+# dhcpd_min_lease_time: "21600"
+
+# dhcpd_ddns_domainname: "linuxws2122.de"
+
+# dhcpd_option_broadcast_address: "192.168.181.255"
+# dhcpd_option_domain_name: "linuxws2122.de"
+# dhcpd_option_domain_name_servers: "192.168.181.1"
+# dhcpd_option_routers: "192.168.181.1"
+# dhcpd_option_subnet_mask: "255.255.255.0"
+
+
+# dhcpd_keys:
+# - name: dyndns
+#   algorithm: hmac-sha256
+#   secret: ""
+
+# dhcpd_zones:
+# - name: linuxws2122.de
+#   primary: "192.168.181.1"
+#   key: dyndns
+# - name: 181.168.192.in-addr.arpa
+#   primary: "192.168.181.1"
+#   key: dyndns
+
+
+# bind9_global_allow_query:
+# - "192.168.181.0/24"
+
+# bind9_keys:
+# - name: dyndns
+#   algorithm: hmac-sha512
+#   secret: "+7bISG4ktFi2ytU9WXvBX41ZlxxfW5G+sHKtetNlQjk="
+
+# bind9_listen_on_ipv4:
+# - "192.168.181.1"
+
+# bind9_listen_on_ipv6: []
+
+# bind9_forward_zones:
+# - allow_query:
+#   - "any"
+#   allow_update:
+#   - dyndns
+#   type: master
+#   origin: "linuxws2122.de."
+#   ttl: "3600"
+#   records:
+#   - name: "\t\t" # only for indention
+#     class: "IN"
+#     type: "SOA"
+#     value: "gateway.linuxws2122.de. hostmaster.linuxws2122.de. 2021092000 86400 7200 604800 3600"
+#   - name: "\t\t" # only for indention
+#     class: "IN"
+#     type: "NS"
+#     value: "gateway"
+#   - name: "gateway\t\t"
+#     class: "IN"
+#     type: "A"
+#     value: "192.168.181.1"
+
+# bind9_reverse_zones:
+# - allow_query:
+#   - "any"
+#   allow_update:
+#   - dyndns
+#   type: master
+#   origin: "181.168.192.IN-ADDR.ARPA."
+#   ttl: "3600"
+#   records:
+#   - name: "\t\t" # "\t" only for indention
+#     class: "IN"
+#     type: SOA
+#     value: "gateway.linuxws2122.de. hostmaster.linuxws2122.de. 2021092000 86400 7200 604800 3600"
+#   - name: "\t\t" # "\t" only for indention
+#     class: "IN"
+#     type: NS
+#     value: "gateway.linuxws2122.de."
+#   - name: "1\t\t" # "\t" only for indention
+#     class: "IN"
+#     type: A
+#     value: "gateway.linuxws2122.de."

roles/bind_dhcp/handlers/main.yaml

@@ -0,0 +1,13 @@
+---
+
+- name: restart dhcpd
+  systemd:
+    name: dhcpd
+    state: restarted
+    daemon_reload: true
+
+- name: restart named
+  systemd:
+    name: named
+    state: restarted
+    daemon_reload: true

roles/bind_dhcp/tasks/bind9.yaml

@@ -0,0 +1,36 @@
+---
+
+- name: create dhcp config dir
+  file:
+    path: /etc/named
+    owner: named
+    group: named
+    mode: 0755
+    state: directory
+
+- name: set up zones
+  template:
+    src: zone.j2
+    dest: /etc/named/{{ item.origin }}db
+    owner: named
+    group: named
+    mode: 0644
+  with_items:
+  - "{{ bind9_forward_zones }}"
+  - "{{ bind9_reverse_zones }}"
+  notify: restart named
+
+- name: set up global bind config
+  template:
+    src: named.conf.j2
+    dest: /etc/named.conf
+    owner: named
+    group: named
+    mode: 0644
+  notify: restart named
+
+- name: start and enabled named
+  systemd:
+    name: named
+    state: started
+    enabled: yes

roles/bind_dhcp/tasks/dhcpd.yaml

@@ -0,0 +1,53 @@
+---
+
+- name: create dhcp config dir
+  file:
+    path: /etc/dhcp
+    owner: root
+    group: root
+    mode: 0755
+    state: directory
+
+- name: create dhcpd config
+  template:
+    src: dhcpd.conf.j2
+    dest: /etc/dhcp/dhcpd.conf
+    owner: root
+    group: root
+    mode: 0644
+
+- name: cleanup cache files
+  block:
+  - name: check if cache dir exists
+    stat:
+      path: /var/lib/dhcpd
+    register: cache_stats
+  - name: remove cache dir
+    file:
+      path: /var/lib/dhcpd/
+      state: absent
+    when: cache_stats.stat.exists
+  - name: create cache dir
+    file:
+      path: /var/lib/dhcpd/
+      owner: dhcpd
+      group: dhcpd
+      mode: 0755
+      state: directory
+  - name: create cache files
+    file:
+      path: "/var/lib/dhcpd/{{ item }}"
+      owner: dhcpd
+      group: dhcpd
+      mode: 0644
+      state: touch
+    with_items:
+    - dhcpd.leases
+    - dhcpd6.leases
+    notify: restart dhcpd
+
+- name: start and enable dhcpd
+  systemd:
+    name: dhcpd
+    state: started
+    enabled: yes

roles/bind_dhcp/tasks/main.yaml

@@ -0,0 +1,15 @@
+---
+
+- name: install bind (named) and dependencies
+  yum:
+    name: "{{ item }}"
+  with_items:
+  - bind
+  - bind-utils
+  - dhcp-server
+
+- name: configure dhcpd server
+  include_tasks: dhcpd.yaml
+
+- name: configure bind9 server
+  include_tasks: bind9.yaml

roles/bind_dhcp/templates/dhcpd.conf.j2

@@ -0,0 +1,37 @@
+authoritative;
+ddns-update-style interim;
+ignore client-updates;
+
+{% for key in dhcpd_keys %}
+key "{{ key.name }}" {
+  algorithm {{ key.algorithm }};
+  secret "{{ key.secret }}";
+}
+{% endfor %}
+
+{% for zone in dhcpd_zones %}
+zone {{ zone.name }} {
+  primary {{ zone.primary }};
+  key "{{ zone.key }}";
+}
+{% endfor %}
+
+subnet {{ dhcpd_network_start }} netmask {{ dhcpd_network_netmask }} {
+  interface {{ dhcpd_interface }};
+
+  range {{ dhcpd_network_range }};
+
+  default-lease-time {{ dhcpd_default_lease_time }};
+  max-lease-time {{ dhcpd_max_lease_time }};
+  min-lease-time {{ dhcpd_min_lease_time }};
+
+  ddns-domainname "{{ dhcpd_ddns_domainname }}";
+
+  update-static-leases on;
+
+  option broadcast-address {{ dhcpd_option_broadcast_address }};
+  option domain-name "{{ dhcpd_option_domain_name }}";
+  option domain-name-servers {{ dhcpd_option_domain_name_servers }};
+  option routers {{ dhcpd_option_routers }};
+  option subnet-mask {{ dhcpd_option_subnet_mask }};
+}

roles/bind_dhcp/templates/named.conf.j2

@@ -0,0 +1,129 @@
+//
+// named.conf
+//
+// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
+// server as a caching only nameserver (as a localhost DNS resolver only).
+//
+// See /usr/share/doc/bind*/sample/ for example named configuration files.
+//
+
+options {
+  listen-on port 53 {
+{% for ip in bind9_listen_on_ipv4 %}
+    {{ ip }};
+{% endfor %}
+    127.0.0.1;
+  };
+
+  listen-on-v6 port 53 {
+{% for ip in bind9_listen_on_ipv6 %}
+    {{ ip }};
+{% endfor %}
+    ::1;
+  };
+
+  directory           "/var/named";
+  dump-file           "/var/named/data/cache_dump.db";
+  statistics-file     "/var/named/data/named_stats.txt";
+  memstatistics-file  "/var/named/data/named_mem_stats.txt";
+  secroots-file       "/var/named/data/named.secroots";
+  recursing-file      "/var/named/data/named.recursing";
+
+  allow-query {
+{% for ip in bind9_global_allow_query %}
+    {{ ip }};
+{% endfor %}
+    localhost;
+  };
+
+  /*
+   - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
+   - If you are building a RECURSIVE (caching) DNS server, you need to enable
+     recursion.
+   - If your recursive DNS server has a public IP address, you MUST enable access
+     control to limit queries to your legitimate users. Failing to do so will
+     cause your server to become part of large scale DNS amplification
+     attacks. Implementing BCP38 within your network would greatly
+     reduce such attack surface
+  */
+  recursion yes;
+
+  dnssec-validation yes;
+
+  managed-keys-directory "/var/named/dynamic";
+  geoip-directory "/usr/share/GeoIP";
+
+  pid-file "/run/named/named.pid";
+  session-keyfile "/run/named/session.key";
+
+  /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
+  include "/etc/crypto-policies/back-ends/bind.config";
+};
+
+logging {
+  channel default_debug {
+    file "data/named.run";
+    severity dynamic;
+  };
+};
+
+zone "." IN {
+  type hint;
+  file "named.ca";
+};
+
+{% for zone in bind9_forward_zones %}
+zone "{{ zone.origin }}" {
+
+  allow-query {
+{% for entry in zone.allow_query %}
+    {{ entry }};
+{% endfor %}
+  };
+
+  allow-update {
+{% for entry in zone.allow_update %}
+    key {{ entry }};
+{% endfor %}
+  };
+
+  file "/etc/named/{{ zone.origin }}db";
+
+  type {{ zone.type }};
+
+};
+{% endfor %}
+
+
+
+{% for zone in bind9_reverse_zones %}
+zone "{{ zone.origin }}" {
+
+  allow-query {
+{% for entry in zone.allow_query %}
+    {{ entry }};
+{% endfor %}
+  };
+
+  allow-update {
+{% for entry in zone.allow_update %}
+    key {{ entry }};
+{% endfor %}
+  };
+
+  file "/etc/named/{{ zone.origin }}db";
+
+  type {{ zone.type }};
+
+};
+{% endfor %}
+
+{% for key in bind9_keys %}
+key "{{ key.name }}" {
+  algorithm {{ key.algorithm }};
+  secret "{{ key.secret }}";
+};
+{% endfor %}
+
+include "/etc/named.rfc1912.zones";
+include "/etc/named.root.key";

roles/bind_dhcp/templates/zone.j2

@@ -0,0 +1,6 @@
+$ORIGIN {{ item.origin }}
+$TTL {{ item.ttl }}
+
+{% for record in item.records %}
+{{ record.name }} {{ record.class | default('IN') }} {{ record.type | default('A') }} {{ record.value }}
+{% endfor %}

roles/common/tasks/main.yaml

@@ -0,0 +1,16 @@
+---
+
+- name: system update
+  yum:
+    name: '*'
+    state: latest
+
+- name: stop firewalld
+  systemd:
+    name: firewalld
+    state: stopped
+    enabled: no
+
+- name: disable SELinux
+  selinux:
+    state: disabled

roles/hostname/defaults/main.yaml

@@ -0,0 +1,2 @@
+---
+hostname_reboot: true

roles/hostname/tasks/main.yml

@@ -0,0 +1,20 @@
+---
+- name: update hosts file
+  ansible.builtin.template:
+    src: hosts.j2
+    dest: /etc/hosts
+    owner: root
+    group: root
+    mode: 0644
+    backup: yes
+  register: _hostname
+
+- name: update hostname
+  ansible.builtin.template:
+    src: hostname.j2
+    dest: /etc/hostname
+    owner: root
+    group: root
+    mode: 0644
+    backup: yes
+  register: _hostname

roles/hostname/templates/hostname.j2

@@ -0,0 +1 @@
+{{ inventory_hostname }}

roles/hostname/templates/hosts.j2

@@ -0,0 +1,2 @@
+127.0.0.1   localhost.localdomain localhost localhost4
+::1         localhost.localdomain localhost localhost6

roles/networking/defaults/main.yml

@@ -0,0 +1,41 @@
+---
+
+networking_timezone: Europe/Berlin
+
+networking:
+- type: "ethernet"
+  filename: "10-en.network"
+  interface: "en*"
+  route_metric: "10"
+  dhcp: true
+
+# Example: Static IP-Address
+# networking:
+# - type: "ethernet"
+#   filename: "10-eth0.network"
+#   interface: "eth0"
+#   route_metric: "99"
+#   dhcp: false
+#   ipv4_address: "192.168.178.12"
+#   ipv4_netmask: "/24"
+#   ipv4_gateway: "192.168.178.1"
+#   ipv6_address:
+#   ipv6_netmask:
+#   ipv6_gateway:
+#   ipv6_ignore_ra: true
+#   dns_servers:
+#   - 10.11.12.13
+#   - 13.12.11.10
+
+# Example: WLAN interface
+# networking:
+# - type: "wireless"
+#   filename: "20-wlp.network"
+#   interface: "wlp*"
+#   route_metric: "20"
+#   dhcp: true
+
+# networking_wpa_supplicant:
+# - interface: "wlp4s0"
+#   ssid: ""
+#   psk: ""

roles/networking/files/wpa_supplicant@.service

@@ -0,0 +1,13 @@
+[Unit]
+Description=WPA supplicant daemon (interface-specific version)
+Requires=sys-subsystem-net-devices-%i.device
+After=sys-subsystem-net-devices-%i.device
+Before=network.target
+Wants=network.target
+
+[Service]
+Type=simple
+ExecStart=/usr/bin/wpa_supplicant -c/etc/wpa_supplicant/wpa_supplicant-%I.conf -i%I -Dnl80211,wext
+
+[Install]
+Alias=multi-user.target.wants/wpa_supplicant@%i.service

roles/networking/handlers/main.yml

@@ -0,0 +1,7 @@
+---
+
+- name: restart networkd
+  systemd:
+    name: systemd-networkd
+    state: restarted
+    daemon_reload: true

roles/networking/tasks/main.yml

@@ -0,0 +1,154 @@
+---
+
+- name: "install systemd-networkd"
+  block:
+  - name: "install systemd-networkd (Arch Linux)"
+    pacman:
+      name: systemd-networkd
+      state: present
+    when: ansible_os_family == "Archlinux"
+  - name: "install systemd-networkd (RedHat)"
+    yum:
+      name: systemd-networkd
+      state: present
+    when: ansible_os_family == "RedHat"
+
+- name: "uninstall NetworkManager"
+  block:
+  - name: "uninstall NetworkManager (Arch Linux)"
+    pacman:
+      name: NetworkManager
+      state: absent
+    when: ansible_os_family == "Archlinux"
+  - name: "uninstall systemd-networkd (RedHat)"
+    yum:
+      name: NetworkManager
+      state: absent
+    when: ansible_os_family == "RedHat"
+
+- name: "remove existing systemd-networkd configuration"
+  file:
+    path: "/etc/systemd/network"
+    state: absent
+
+- name: "create systemd-networkd directory"
+  file:
+    path: "/etc/systemd/network"
+    owner: root
+    group: root
+    mode: 0755
+    state: directory
+
+- name: "setup network interfaces via systemd-networkd (DHCP)"
+  block:
+  - name: filter dhcp interfaces
+    set_fact:
+      dhcp_interfaces: "{{ (dhcp_interfaces | default([])) + [ item ] }}"
+    when: item.dhcp
+    with_items: "{{ networking }}"
+
+  - name: "configure network interface {{ item.name }} (DHCP)"
+    template:
+      src: 10-dhcp.network.j2
+      dest: "/etc/systemd/network/{{ item.filename }}"
+      owner: root
+      group: root
+      mode: 0644
+    when: dhcp_interfaces is defined
+    with_items: "{{ dhcp_interfaces }}"
+
+- name: "setup network interfaces via systemd-networkd (static)"
+  block:
+  - name: filter static interfaces
+    set_fact:
+      static_interfaces: "{{ (static_interfaces | default([])) + [ item ] }}"
+    when: not item.dhcp
+    with_items: "{{ networking }}"
+
+  - name: "configure network interface {{ item.name }} (static)"
+    template:
+      src: 10-static.network.j2
+      dest: "/etc/systemd/network/{{ item.filename }}"
+      owner: root
+      group: root
+      mode: 0644
+    when: static_interfaces is defined
+    with_items: "{{ static_interfaces }}"
+
+- name: "setup wpa_supplicant configurations"
+  when: networking_wpa_supplicant is defined and networking_wpa_supplicant | length > 0
+  block:
+  - name: "copy systemd unit for custom wpa_supplicant@.service"
+    copy:
+      src: files/wpa_supplicant@.service
+      dest: /etc/systemd/system/wpa_supplicant@.service
+      owner: root
+      group: root
+
+  - name: "create wpa_supplicant configuration files"
+    template:
+      src: wpa_supplicant.conf.j2
+      dest: "/etc/wpa_supplicant/wpa_supplicant-{{ item.interface }}.conf"
+      owner: root
+      group: root
+      mode: 0640
+    with_items: "{{ networking_wpa_supplicant }}"
+
+  - name: "start and enable wpa_supplicant for interfaces"
+    service:
+      name: wpa_supplicant@{{ item.interface }}.service
+      state: started
+      enabled: yes
+    with_items: "{{ networking_wpa_supplicant }}"
+
+- name: create symlink to resolv.conf
+  file:
+    src: /run/systemd/resolve/stub-resolv.conf
+    dest: /etc/resolv.conf
+    state: link
+    force: yes
+    follow: no
+    owner: root
+    group: root
+
+- name: enable networkd
+  service:
+    name: systemd-networkd
+    enabled: yes
+    daemon_reload: yes
+
+- name: start and enable resolved
+  service:
+    name: systemd-resolved
+    state: started
+    enabled: yes
+    daemon_reload: yes
+
+- name: set timezone
+  timezone:
+    name: "{{ networking_timezone }}"
+
+- name: start and enable timesyncd
+  service:
+    name: systemd-timesyncd
+    state: started
+    enabled: yes
+    daemon_reload: yes
+
+- name: start systemd-networkd after dbus.sock
+  block:
+  - name: create drop-in for systemd-networkd
+    file:
+      path: /etc/systemd/system/systemd-networkd.d
+      owner: root
+      group: root
+      mode: 0755
+      state: directory
+  - name: template after-dbus.conf
+    template:
+      src: after-dbus.conf.j2
+      dest: /etc/systemd/system/systemd-networkd.d/after-dbus.conf
+      owner: root
+      group: root
+      mode: 0644
+  when: ansible_os_family == "RedHat"

roles/networking/templates/10-dhcp.network.j2

@@ -0,0 +1,9 @@
+[Match]
+Name={{ item.interface }}
+
+[Network]
+DHCP=yes
+Domains={{ inventory_hostname.split(".")[1:] | join('.') | lower }}
+
+[DHCP]
+RouteMetric={{ item.route_metric }}

roles/networking/templates/10-static.network.j2

@@ -0,0 +1,31 @@
+[Match]
+Name={{ item.interface }}
+
+[Network]
+Gateway={{ item.ipv4_gateway }}
+{% if item.ipv6_gateway is defined %}
+Gateway={{ item.ipv6_gateway }}
+{% endif %}
+{% if item.ipv6_ignore_ra|default(false) is true %}
+IPv6AcceptRA=false
+{% endif %}
+{% for dns_server in item.dns_servers %}
+DNS={{ dns_server }}
+{% endfor %}
+
+[Address]
+Address={{ item.ipv4_address }}{{ item.ipv4_netmask }}
+RouteMetric={{ item.route_metric }}
+{% if item.ipv4_netmask == "/32" %}
+Peer={{ item.ipv4_gateway }}{{ item.ipv4_netmask}}
+{% endif %}
+
+{% if item.ipv6_address is defined %}
+[Address]
+Address={{ item.ipv6_address }}{{ item.ipv6_netmask }}
+{% endif %}
+
+{% if item.ipv6_gateway is defined and not item.ipv6_gateway.startswith("fe80") %}
+[Route]
+Destination={{ item.ipv6_gateway }}
+{% endif %}

roles/networking/templates/after-dbus.conf.j2

@@ -0,0 +1,2 @@
+[Unit]
+After=dbus.sock

roles/networking/templates/wpa_supplicant.conf.j2

@@ -0,0 +1,9 @@
+ctrl_interface=/run/wpa_supplicant
+ctrl_interface_group=wheel
+update_config=1
+ap_scan=1
+
+network={
+  ssid="{{ item.ssid }}"
+  psk="{{ item.psk }}"
+}

roles/sshd/defaults/main.yaml

@@ -0,0 +1,3 @@
+---
+
+# sshd_port: 22

roles/sshd/handlers/main.yml

@@ -0,0 +1,6 @@
+---
+
+- name: restart sshd
+  service:
+    name: sshd
+    state: restarted

roles/sshd/tasks/main.yml

@@ -0,0 +1,16 @@
+---
+- name: install openssh
+  yum:
+    name: openssh
+    state: present
+
+- name: configure sshd
+  template:
+    src: sshd_config.j2
+    dest: /etc/ssh/sshd_config
+    owner: root
+    group: root
+    mode: 0644
+    validate: '/usr/sbin/sshd -t -f %s'
+  notify:
+  - restart sshd

roles/sshd/templates/sshd_config.j2

@@ -0,0 +1,120 @@
+#       $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
+
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/bin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+
+{% if sshd_port is defined and sshd_port > 0 %}
+Port {{ sshd_port }}
+{% else %}
+# Port 22
+{% endif %}
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin yes
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile      .ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication no
+#PermitEmptyPasswords no
+
+# Change to no to disable s/key passwords
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+#X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd no # pam does that
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+UseDNS no
+#PidFile /run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# override default of no subsystems
+Subsystem       sftp    /usr/lib/ssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#       X11Forwarding no
+#       AllowTcpForwarding no
+#       PermitTTY no
+#       ForceCommand cvs server

roles/sudo_users/defaults/main.yml

@@ -0,0 +1,5 @@
+---
+sudo_users:
+  - root
+
+sudo_without_password: false

roles/sudo_users/tasks/main.yml

@@ -0,0 +1,82 @@
+---
+
+- name: install sudo
+  yum:
+    name: sudo
+    state: present
+
+# https://github.com/ansible/ansible/issues/11024
+- name: remove all users from wheel group
+  command: groupmems -g wheel --purge
+  register: groupmems
+  changed_when: "groupmems.rc == 0"
+
+- name: add sudo users to wheel
+  user:
+    name: "{{ item }}"
+    append: yes
+    groups: [ wheel ]
+  with_items: "{{ sudo_users }}"
+
+- name: remove wheel group to use sudo
+  block:
+  - name: remove wheel group to use sudo with password
+    lineinfile:
+      dest: /etc/sudoers
+      state: present
+      regexp: '^%wheel ALL=\(ALL\) ALL'
+      line: '# %wheel ALL=(ALL) ALL'
+      validate: 'visudo -cf %s'
+      mode: 0440
+      owner: root
+      group: root
+
+  - name: remove wheel group to use sudo without password
+    lineinfile:
+      dest: /etc/sudoers
+      state: present
+      regexp: '^%wheel ALL=\(ALL\) NOPASSWD: ALL'
+      line: '# %wheel ALL=(ALL) NOPASSWD: ALL'
+      validate: 'visudo -cf %s'
+      mode: 0440
+      owner: root
+      group: root
+
+- name:  allow wheel group to use sudo
+  block:
+  - name: allow wheel group to use sudo with password
+    lineinfile:
+      dest: /etc/sudoers
+      state: present
+      regexp: '^# %wheel ALL=\(ALL\) ALL'
+      line: '%wheel ALL=(ALL) ALL'
+      validate: 'visudo -cf %s'
+      mode: 0440
+      owner: root
+      group: root
+    when: not sudo_without_password
+
+  - name: allow wheel group to use sudo without password
+    tags: [ sudo_users_no_pwd ]
+    lineinfile:
+      dest: /etc/sudoers
+      state: present
+      regexp: '^# %wheel ALL=\(ALL\) NOPASSWD: ALL'
+      line: '%wheel ALL=(ALL) NOPASSWD: ALL'
+      validate: 'visudo -cf %s'
+      mode: 0440
+      owner: root
+      group: root
+    when: sudo_without_password
+
+# - name: secure path to protect against attacks
+#   lineinfile:
+#     dest: /etc/sudoers
+#     state: present
+#     regexp: '^Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/bin"'
+#     insertafter: '^# Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"'
+#     line: 'Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/bin"'
+#     validate: 'visudo -cf %s'
+#     mode: 0440
+#     owner: root
+#     group: root

roles/sysctl/tasks/main.yaml

@@ -0,0 +1,7 @@
+---
+
+- name: configure sysctl properties
+  sysctl:
+    name: net.ipv4.ip_forward
+    value: '1'
+    state: present

roles/unix_users/tasks/main.yml

@@ -0,0 +1,76 @@
+---
+
+- name: create unix groups
+  group:
+    name: "{{ item }}"
+    state: present
+    system: no
+  with_items: "{{ unix_groups }}"
+  when: unix_groups is defined
+
+- name: filter unix_users for users with non-matching hosts
+  set_fact:
+    unix_users_filtered: "{{ (unix_users_filtered | default([])) + [ item ] }}"
+  when: item.value.hosts is not defined or inventory_hostname in item.value.hosts
+  with_dict: "{{ unix_users }}"
+
+- name: create unix users
+  block:
+  - name: create unix users
+    user:
+      name: "{{ item.key }}"
+      group: "{{ item.value.main_group | default('users') }}"
+      comment: "{{ item.value.name }}"
+      shell: "{{ item.value.shell | default('/bin/bash') }}"
+      password: "{{ item.value.password | password_hash('sha512') }}"
+      state: present
+    loop: "{{ unix_users_filtered }}"
+    when: "item.value.groups is not defined"
+
+  - name: create unix users with additional groups
+    user:
+      name: "{{ item.key }}"
+      group: "{{ item.value.main_group }}"
+      groups: "{{ item.value.groups | join(',') }}"
+      comment: "{{ item.value.name }}"
+      shell: "{{ item.value.shell | default('/bin/bash') }}"
+      password: "{{ item.value.password | password_hash('sha512') }}"
+      state: present
+    loop: "{{ unix_users_filtered }}"
+    when: "item.value.groups is defined"
+
+- name: create .ssh directory
+  file:
+    path: "/home/{{ item.key }}/.ssh"
+    state: directory
+    owner: "{{ item.key }}"
+    group: "{{ item.value.main_group | default('users') }}"
+    mode: 0700
+  loop: "{{ unix_users_filtered }}"
+
+- name: configure ssh keys
+  template:
+    src: authorized_keys.j2
+    dest: "/home/{{ item.key }}/.ssh/authorized_keys"
+    owner: "{{ item.key }}"
+    group: "{{ item.value.main_group | default('users') }}"
+    mode: 0600
+  when: item.value.ssh_key is defined
+  loop: "{{ unix_users_filtered }}"
+
+- name: remove ssh keys if undefined
+  file:
+    path: "/home/{{ item.key }}/.ssh/authorized_keys"
+    state: absent
+  when: item.value.ssh_key is not defined
+  loop: "{{ unix_users_filtered }}"
+
+- name: create email forward file if defined
+  template:
+    src: forward.j2
+    dest: "/home/{{ item.key }}/.forward"
+    owner: "{{ item.key }}"
+    group: "{{ item.value.main_group | default('users') }}"
+    mode: 0644
+  when: item.value.email is defined
+  loop: "{{ unix_users_filtered }}"

roles/unix_users/templates/authorized_keys.j2

@@ -0,0 +1,16 @@
+#jinja2: lstrip_blocks: True
+{% set keys = [item.value.ssh_key] %}
+{% if item.value.additional_ssh_keys is defined %}
+	{% for key in item.value.additional_ssh_keys %}
+		{% if inventory_hostname in key.hosts or 'all' in key.hosts %}
+			{{- keys.append(key.name) -}}
+		{% endif %}
+	{% endfor %}
+{% endif %}
+{% for key in keys %}
+	{% if unix_users_ssh_options is defined %}
+{{ lookup('file', 'pubkeys/' + key) | regex_replace('(.*\S.*)', unix_users_ssh_options + ' \\1') }}
+	{% else %}
+{{ lookup('file', 'pubkeys/' + key) }}
+	{% endif %}
+{% endfor %}

roles/unix_users/templates/forward.j2

@@ -0,0 +1 @@
+{{ item.value.email }}

roles/vim/defaults/main.yml

@@ -0,0 +1,6 @@
+---
+vimrc_repository: https://git.cryptic.systems/volker.raschek/vim.git
+
+vim_users: []
+# - user: markus
+#   branch: master

roles/vim/tasks/git-clone.yml

@@ -0,0 +1,19 @@
+---
+- name: "getent for user {{ item.user }}"
+  getent:
+    database: passwd
+    key: "{{ item.user }}"
+
+- name: "clone vimrc repository for user {{ item.user }}"
+  git:
+    repo: https://git.cryptic.systems/volker.raschek/vim.git
+    dest: "{{ getent_passwd[item.user][4] }}/.vim"
+    version: "{{ item.branch }}"
+
+- name: correct permissions
+  file:
+    path: "{{ getent_passwd[item.user][4] }}/.vim"
+    owner: "{{ getent_passwd[item.user][1] }}"
+    group: "{{ getent_passwd[item.user][2] }}"
+    state: directory
+    recurse: yes

roles/vim/tasks/main.yml

@@ -0,0 +1,14 @@
+---
+- name: install vim
+  yum:
+    name: vim
+    state: present
+
+- name: install git to clone vimrc repository
+  yum:
+    name: git
+    state: present
+
+- name: clone vimrc repository
+  include_tasks: git-clone.yml
+  with_items: "{{ vim_users }}"