Common configuration and baseline for all Data.gov platform nodes.
Install the role with a requirements.yml.
# requirements.yml
---
- src: https://github.com/GSA/datagov-deploy-common
  version: v1.0.0
  name: gsa.datagov-deploy-common
And install with ansible-galaxy.
$ ansible-galaxy install -r requirements.yml
An example playbook.
---
- name: install application
  hosts: all  # required by Ansible; point this at the inventory group you deploy to
  roles:
    - role: gsa.datagov-deploy-common
common_audit_report_enabled
boolean (default: false)
Enable or disable the host audit report.
common_reboot_notify_email
string
Email address to send reboot-notify emails.
common_operators
array (default: [])
The list of operators and their public SSH keys to install on the machine for access.
common_operators:
  - username: userone
    email: userone@example.com
    public_key: ssh-rsa aabbccddeeff1234567890 comment
- nessus_agent_key: key used for linking with nessus host (this is a required variable)
- nessus_agent_group: host group this agent should be added to when linking with nessus host (this is a required variable)
- nessus_agent_host: nessus host to link with (default: cloud.tenable.com)
- nessus_agent_port: nessus host port (default: 443)
- nessus_agent_package: can be either a repository package or a path to a file (default: NessusAgent), for example:
  nessus_agent_package: nessus-agent
  nessus_agent_package: /tmp/nessus-agent_6.8.1_amd64.deb
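The operator entries above are installed on every host for SSH access and the Nessus variables drive agent linking, so it pays to reject malformed values before the play runs. The pre-flight checker below is an added example, not code from this role or the Data.gov project; ALLOWED_KEY_TYPES, the zero-filled sample key and SAMPLE_VARS are constructed assumptions.

```python
import base64
import binascii

ALLOWED_KEY_TYPES = {"ssh-rsa", "ssh-ed25519"}  # policy choice for this check

def check_public_key(key):
    """Return None for a well-formed OpenSSH public key line, else the reason."""
    parts = key.split()
    if len(parts) < 2:
        return "expected '<type> <base64> [comment]'"
    if parts[0] not in ALLOWED_KEY_TYPES:
        return f"unsupported key type {parts[0]}"
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except binascii.Error:
        return "key material is not valid base64"
    # OpenSSH wire format starts with a length-prefixed copy of the key type.
    tlen = int.from_bytes(blob[:4], "big")
    if blob[4:4 + tlen] != parts[0].encode():
        return "key blob does not match declared type"
    return None

def validate_common_vars(vars_):
    """Return a list of problems; an empty list means the variables are usable."""
    problems, seen = [], set()
    for i, op in enumerate(vars_.get("common_operators", [])):
        where = f"common_operators[{i}]"
        for field in ("username", "email", "public_key"):
            if not op.get(field):
                problems.append(f"{where}: missing {field}")
        if op.get("username") in seen:
            problems.append(f"{where}: duplicate username {op['username']!r}")
        seen.add(op.get("username"))
        reason = check_public_key(op["public_key"]) if op.get("public_key") else None
        if reason:
            problems.append(f"{where}: {reason}")
    for name in ("nessus_agent_key", "nessus_agent_group"):  # required by the role
        if not vars_.get(name):
            problems.append(f"{name} is required")
    return problems
# Constructed key line: correct ssh-ed25519 framing over 32 zero bytes, not a real key.
SAMPLE_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI" + "A" * 43 + " ops@example.com"
# Constructed vars: a valid operator, a duplicate reusing the README's placeholder key, no nessus_agent_key.
SAMPLE_VARS = {
    "common_operators": [
        {"username": "userone", "email": "userone@example.com", "public_key": SAMPLE_KEY},
        {"username": "userone", "email": "two@example.com", "public_key": "ssh-rsa aabbccddeeff1234567890 comment"},
    ],
    "nessus_agent_group": "datagov-web",
}
```

Running validate_common_vars(SAMPLE_VARS) reports the duplicate username, the placeholder key that is not valid base64, and the missing nessus_agent_key.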
common_python_version_number
string (default: 2.7.10)
Custom version of python to install.
common_python_version_directory
string (default: /usr/local/lib/python{{ common_python_version_number }})
Directory to install custom python to.
common_python_version_url
string (default: https://www.python.org/ftp/python/{{ common_python_version_number }}/{{ common_python_version_name }}.tgz)
URL to download python from.
common_python_version_name
string (default: Python-{{ common_python_version_number }})
Python filename.
force_rebuild_python
boolean (default: false)
Force a rebuild of our custom python. In case you want to rebuild python with additional features, use this flag to force the rebuild.
You can run the playbook with these tags for quicker or targeted plays.
Configure the audit report.
Install GSA internal CA certificates.
Filebeat log streaming agent.
Grub fixes.
Tasks for OS hardening.
Includes the hostname tasks to update /etc/hosts and hostname.
The IP of the jumpbox, used to limit SSH access to the jumpbox only. Defaults to * to allow access from anywhere.
Schedule log rotation.
Security compliance scanning agent.
New Relic host monitoring.
Network Time Protocol agent.
Install and configure postfix mail server for mail relay.
Install a custom version of python.
Send an email to administrators when a reboot is required.
Install common OS packages.
Install the host certificate and key.
On-host SecOps managed firewall.
trendmicro_enabled
boolean (default: false)
Enable or disable trendmicro install. Setting this to false does not remove trendmicro.
trendmicro_policy_id
boolean required
This is required when trendmicro_enabled is set. This is the numeric policy id that should be applied to this host and is assigned by SecOps.
Install/update the ubuntu-advantage-tools
common_ubuntu_advantage_enabled
boolean (default: false) required
common_ubuntu_advantage_token
string required
Configure unattended-upgrades for automatic apt-get updates/upgrades.
See CONTRIBUTING for additional information.
Install dependencies.
$ pipenv install --dev
Run the playbook with molecule.
$ pipenv run molecule converge
Run the tests.
$ pipenv run molecule test
For more information on how to use Molecule for development, see our wiki.
This project is in the worldwide public domain. As stated in CONTRIBUTING:
This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.
All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.