Initial

roles/base/templates/provision.sh.j2

@@ -0,0 +1,22 @@
+#!/bin/bash
+
+# options
+ANSIBLEUSER="<ansible-user-name>"
+BRANCH="{{ branch | default('master') }}"
+LOGFILE="/var/log/ansible.log"
+REPO="<https://url-to-git-server/ansible.git>"
+VAULT_KEY="</path/to/ansible_vault_key">
+PRECMD="sudo systemd-inhibit --who='ansible-pull' --why='provisioning'"
+
+# check if ansible-pull is already running, and if not, run it
+if pgrep -f ansible-pull; then
+    printf "\n$(date +"%Y-%m-%d %H:%M:%S") A running ansible-pull process was found.\nExiting.\n"\
+        |tee -a $LOGFILE
+    exit 1
+else
+    if [ ! $1 == "" ]; then
+        $PRECMD sudo -iH -u $ANSIBLEUSER ansible-pull --vault-password-file=$VAULT_KEY -U $REPO -C $BRANCH --tags $1 2>&1
+    else
+        $PRECMD sudo -iH -u $ANSIBLEUSER ansible-pull --vault-password-file=$VAULT_KEY -o -U $REPO -C $BRANCH 2>&1
+    fi
+fi

roles/base/templates/sshd_config.j2

@@ -0,0 +1,33 @@
+Banner /etc/issue.net
+PrintMOTD no
+
+Port {{ ssh_port |default(22) }}
+Protocol 2
+
+# Authentication:
+AllowUsers {{ ssh_users | default("bzoicas") }}
+ChallengeResponseAuthentication no
+HostbasedAuthentication no
+LoginGraceTime 120
+PasswordAuthentication {{ passwd_auth | default("no") }}
+PermitEmptyPasswords no
+PermitRootLogin no
+PubkeyAuthentication yes
+StrictModes yes
+UsePAM yes
+
+# Security
+HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+HostKey /etc/ssh/ssh_host_rsa_key
+IgnoreRhosts yes
+
+# Misc. options
+AcceptEnv LANG LC_*
+TCPKeepAlive yes
+Subsystem sftp {{ sftp_path }}
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO