Ansible-common
##############

An Ansible role with common tasks that run on all (or most) hosts. The
``tls_key_path``, ``tls_cert_path`` and ``tls_ca_cert_path`` facts are added to
point to the path of the host's key and cert.

Requirements
------------

Debian Wheezy or later or OpenBSD 5.5 or later (best effort, Ubuntu Precise or
later should also work, but isn't tested).

Role Variables
--------------

::

    extra_tls_certs: [] # List of filenames of TLS certs to be added.
    ufw: True # To enable UFW.
    ufw_policy: deny # Default UFW policy.
    extra_repos: [] # List of Debian repos to add.
    backports: False # To enable Debian backports repos.
    ssh_ca: # TBD.
    syslog_server: # The address of the syslog server to forward to.
    collectd_graphite_server:
    collectd_riemann_server:
    collectd_collectd_server:
    collectd_statsd_server:
    mail_root_alias:
    ldap_login_server:
    sudo:
    ntp:
    unattended_upgrades:
    tls_cert: # Filename of the TLS cert for that host.
    tls_key: # Filename of the TLS key for that host.
    tls_ca_cert: # Filename of the TLS CA cert for that host.
    # If tls_key or tls_cert aren't defined, a self-signed key and cert are
    # generated and used.

Dependencies
------------

Part of the point is to run first, before any other role, so that other roles
can make certain assumptions (for example, that a TLS cert is available).

Example Playbook
----------------

::

    - hosts:
      - all
      roles:
      - role: common
        extra_tls_certs: ['vagrant.crt', 'example.com.crt']
        ufw_policy: deny
        tls_key: 'servers.key'
        tls_cert: 'server.crt'

Example requirements.yml
------------------------

::

    - src: https://www.shore.co.il/cgit/ansible-common
      scm: git
      path: roles/
      name: common

License
-------

This software is licensed under the MIT license (see the ``LICENSE.txt`` file).

Author Information
------------------

Nimrod Adar, contact me or visit my website. Patches are welcome via
git send-email. The repository is located at: https://www.shore.co.il/cgit/.

TODO
----

- Implement:

  - add_tls_cert (Debian works, OpenBSD has no mechanism).
  - collectd_agent.
  - init (via module).
  - ldap_login (with pam_mkhomedir).
  - ntp.
  - mail_forward (OpenBSD support?).
  - ssh_ca.
  - syslog_forwarding.

- Test.
- Wait for services to come online.
- Document.
- Create a module to add a TLS certificate to store for both Debian-based and
  OpenBSD.
- Create a module to detect the init system.
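
The Dependencies section says later roles may assume a TLS cert is available, and the role variables say a self-signed pair is generated when ``tls_key`` or ``tls_cert`` is unset. The play below is an added example, not part of this role, that checks that assumption before other roles rely on it. It assumes the ``tls_key_path`` and ``tls_cert_path`` facts are visible to later plays and that the ``community.crypto`` collection is installed.

```yaml
# Added example, not part of the common role. Run it after `common`.
- hosts: all
  become: true  # the private key is normally readable by root only
  tasks:
    - name: Facts promised by the common role must be defined
      ansible.builtin.assert:
        that:
          - tls_key_path is defined
          - tls_cert_path is defined

    - name: Stat the private key
      ansible.builtin.stat:
        path: "{{ tls_key_path }}"
      register: key_stat

    - name: Private key must exist and not be group or world accessible
      ansible.builtin.assert:
        that:
          - key_stat.stat.exists
          - key_stat.stat.mode[-2:] == '00'

    - name: Read certificate metadata
      community.crypto.x509_certificate_info:
        path: "{{ tls_cert_path }}"
      register: cert_info

    - name: Read private key metadata (private data is not returned by default)
      community.crypto.openssl_privatekey_info:
        path: "{{ tls_key_path }}"
      register: key_info

    - name: Certificate must belong to the key and be unexpired
      ansible.builtin.assert:
        that:
          - cert_info.public_key == key_info.public_key
          - not cert_info.expired

    # Heuristic: issuer equal to subject indicates the self-signed fallback.
    - name: Report hosts that are using a self-signed certificate
      ansible.builtin.debug:
        msg: "{{ inventory_hostname }} is using a self-signed certificate"
      when: cert_info.subject == cert_info.issuer
```

Hosts flagged by the last task are the ones where clients cannot validate the certificate against a CA until ``tls_key`` and ``tls_cert`` are supplied.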