dustin/configpolicy
1
1
Fork 0
Code Issues Releases Activity
Files
4b8b5fa90bc1d3c45bb4f9ceba80c36fb1390018
configpolicy/roles
History
Dustin C. Hatch 091d9e1f78 r/sudo: Optionally enable pam_ssh_agent_auth 
The [pam_ssh_agent_auth][0] PAM module authenticates users using keys in
their SSH agent.  Using SSH agent forwarding, it can even authenticate
users with keys on a remote system.  By adding it to the PAM stack for
`sudo`, we can configure the latter to authenticate users without
requiring a password.  For servers especially, this is significantly
more secure than configuring `sudo` not to require a password, while
still being almost as convenient.

For this to work, users need to enable SSH agent forwarding on their
clients, and their public keys have to be listed in the
`/etc/security/sudo.authorized_keys` file.  Additionally, although the
documentation suggests otherwise, the `SSH_AUTH_SOCK` environment
variable has to be added to the `env_keep` list in *sudoers(5)*.

[0]: https://github.com/jbeverly/pam_ssh_agent_auth
2024-01-28 12:16:35 -06:00
..
alertmanager
r/alertmanager: Deploy AlertManager
2022-08-10 22:18:53 -05:00
ansible/tasks
roles/ansible: Install python-netaddr
2018-04-08 12:33:54 -05:00
apache
Add HTTPS certificate for hass2.p.b
2021-07-24 18:39:45 -05:00
aria2
aria2: Deploy aria2 download manager
2018-08-19 14:17:48 -05:00
base
r/base: Clear facts after installing python-selinux
2022-12-23 08:44:30 -06:00
bitwarden_rs
r/bitwarden_rs: Remove dangling container at start
2022-08-22 20:06:02 -05:00
blackbox-exporter
r/blackbox-exporter: Deploy blackbox_exporter
2022-08-10 22:18:53 -05:00
burp-client
synapse: Back up data using BURP
2023-05-23 09:52:50 -05:00
burp-server
roles/burp-server: switch to version_compare test
2020-01-25 13:54:42 -06:00
cert/tasks
roles/cert: Add handler topic notification
2020-12-26 10:38:17 -06:00
certbot
roles/certbot: Ensure certbot is configured first
2019-09-19 19:50:35 -05:00
collectd
r/collectd: Max unixsock plugin optional
2022-08-10 21:55:54 -05:00
collectd-nut
r/collectd-nut: Configure nut plugin for collectd
2021-10-31 14:26:26 -05:00
collectd-prometheus
r/collectd-prometheus: Work w/o firewalld, selinux
2022-08-10 19:47:12 -05:00
collectd-sensors/tasks
r/collectd-sensors: Install collectd sensors plugin
2022-07-21 13:14:25 -05:00
collectd-version
r/collectd-version: Fix handlers
2022-12-19 10:17:57 -06:00
cronie/tasks
roles/cronie: Install cronie
2018-08-08 21:38:56 -05:00
dch-gw
dch-gw: Restrict traffic from Management network
2018-07-15 12:16:43 -05:00
dch-openvpn-server
dch-openvpn: Support road-warrior clients
2018-10-07 21:42:18 -05:00
dch-proxy
websites: Add chmod777.sh
2020-03-09 20:29:52 -05:00
dch-selinux
r/dch-selinux: Install dch-selinux package
2022-12-23 06:52:28 -06:00
dch-storage-net
roles/dch-storage-net: Add After device dependency
2018-07-29 10:14:00 -05:00
dch-vpn-server
roles/strongswan: Update service name
2020-07-04 14:32:22 -05:00
dch-yum
r/dch-yum: Configure dch Yum repository
2023-11-07 21:24:40 -06:00
dhcpcd
roles/dhcpcd: Always send FQDN
2018-07-23 17:35:10 -05:00
dhcpd
roles/dhcpd: Support UniFi DHCP option 43
2019-03-22 09:29:56 -05:00
docker
roles/docker: Install and set up Docker daemon
2019-09-19 19:27:12 -05:00
elasticsearch
roles/elasticsearch: Add Elasticsearch deployment
2019-10-28 18:33:37 -05:00
fileserver
roles/fileserver: Deploy Samba file server
2018-08-01 22:04:07 -05:00
formsubmit
r/formsubmit: Deploy formsubmit app
2022-02-27 17:42:15 -06:00
freeradius
hosts: dc2: Add RADIUS server certificate
2021-10-17 14:03:52 -05:00
frigate
r/frigate: Restart service if it fails
2022-08-22 20:08:09 -05:00
gitea
r/gitea: use sshd_config.d
2023-11-13 17:45:21 -06:00
grafana
r/grafana: Allow configuring LDAP CA cert
2022-08-11 21:40:19 -05:00
graylog
roles/graylog: Update Graylog repository RPM URL
2021-01-31 15:33:42 -06:00
haproxy
roles/haproxy: Fix undefined var on Fedora hosts
2020-03-03 19:27:19 -06:00
hass-dhcp
r/hass-dhcp: Start dnsmasq after network is up
2022-08-21 08:03:00 -05:00
hassdb/tasks
roles/hassdb: Deploy Home Assistant database
2020-07-14 11:38:30 -05:00
homeassistant
r/homeassistant: Protect ~/.ssh
2023-06-08 10:05:36 -05:00
hostname
hostname: Also write /etc/hosts
2018-04-08 10:11:43 -05:00
jellyfin
r/jellyfin: Enable service auto restart
2024-01-22 20:37:21 -06:00
jenkins-slave
jenkins-slave: Allow Jenkins to connect to Docker
2019-09-19 19:50:35 -05:00
journal2ntfy
journal2ntfy: Script to send log messagess via ntfy
2023-05-17 14:51:21 -05:00
kerberos
roles/kerberos: Configure mit-krb5
2018-01-29 15:05:51 -06:00
koji-builder
roles/koji-builder: Deploy the Koji builder
2018-08-12 10:14:25 -05:00
koji-client
roles/koji-client: Configure the koji client
2018-08-12 10:05:56 -05:00
koji-gc
roles/koji-gc: Deploy the Koji garbage collector
2018-08-12 09:58:56 -05:00
koji-hub
roles/koji-hub: Deploy the Koji Hub
2018-08-12 09:33:08 -05:00
koji-web
roles/koji-web: Deploy the Koji Web UI
2018-08-12 10:08:01 -05:00
kojira
roles/kojira: Deploy the Koji repository agent
2018-08-12 10:04:23 -05:00
logrotate/tasks
roles/logrotate: Install and enable logrotate
2020-12-08 20:59:40 -06:00
minio
r/minio: Start more reliably on boot
2024-01-21 15:53:33 -06:00
mongodb
roles/mongodb: Add MongoDB deployment
2019-10-28 18:34:45 -05:00
mosquitto
r/mosquitto: Support persistence
2022-05-29 11:25:25 -05:00
motioneye
motioneye: Deploy motionEye camera software
2020-10-03 11:29:39 -05:00
named
r/named: Fix typo in firewalld condition
2022-08-20 18:18:38 -05:00
nbd-server
r/nbd-server: Deploy nbd-server
2022-08-15 16:55:36 -05:00
net-ifaces
roles/net-ifaces: Update VLAN for pyrocufflink.blue
2020-05-25 09:17:24 -05:00
netboot
r/netboot/basementhud: Configure NBD export
2022-08-15 17:18:48 -05:00
nextcloud
r/nextcloud: Increase Apache timeout
2021-12-22 11:28:52 -06:00
nftables
roles/nftables: Basic nftables configuration
2018-03-27 20:44:43 -05:00
nginx
r/nginx: Fix applying on Buildroot systems
2022-08-10 21:55:54 -05:00
nsswitch
roles/nsswitch: Configure glibc name service
2018-03-11 18:16:17 -05:00
ntpd
ntp: Initial PB and role to set up ntpd
2018-04-22 11:19:22 -05:00
nut
r/nut{,-monitor}: Enable nut.target
2024-01-22 09:03:15 -06:00
nut-common
r/nut{,-monitor}: Enable nut.target
2024-01-22 09:03:15 -06:00
nut-monitor
r/nut{,-monitor}: Enable nut.target
2024-01-22 09:03:15 -06:00
postfix
smtp-relay: Switch to Fastmail
2023-10-24 17:27:21 -05:00
postgresql-server
roles/postgresql-server: Remove postgresql-setup
2020-07-14 10:56:01 -05:00
protonvpn
r/protonvpn: Move remote_addrs file to /var
2022-08-20 18:18:21 -05:00
pxe
r/pxe: Set up a PXE server
2022-08-15 17:12:35 -05:00
rabbitmq/tasks
roles/rabbitmq: Deploy RabbitMQ
2019-03-07 13:29:29 -06:00
radvd
roles/radvd: Support multiple prefixes per network
2018-04-06 20:16:02 -05:00
redis/tasks
roles/redis: Add role to deploy Redis
2021-06-25 11:10:10 -05:00
repohost
r/repohost: Configure Yum package repo host
2023-11-07 20:51:10 -06:00
rhel-network
roles/rhel-network: Add static route support
2018-03-27 20:44:43 -05:00
samba
roles/samba: Support selecting interfaces
2018-06-23 14:42:45 -05:00
samba-dc
r/samba-dc: sysvolsync: Remove winbind cache file
2023-10-28 09:56:44 -05:00
scrape-collectd
r/scrape-collectd: Also scrape unmanaged targets
2023-09-27 20:24:47 -05:00
serial-console
r/serial-console: Enable getty on serial console
2021-10-16 14:34:51 -05:00
squid
r/squid: Fix SELinux AVC denial after cache init
2024-01-27 20:28:06 -06:00
ssh-host-certs
r/ssh-host-certs: Manage SSH host certificates
2023-11-07 21:27:02 -06:00
ssh-hostkeys
hosts: Add dc-nrtxms.p.b
2023-10-28 16:07:39 -05:00
sshd
roles/sshd: Configure OpenSSH daemon
2018-06-06 21:44:28 -05:00
strongswan
roles/strongswan: Update service name
2020-07-04 14:32:22 -05:00
strongswan-swanctl
roles/strongswan-swanctl: Load esp4 module at boot
2021-02-17 20:33:41 -06:00
sudo
r/sudo: Optionally enable pam_ssh_agent_auth
2024-01-28 12:16:35 -06:00
synapse
r/synapse: Increase service startup timeout
2024-01-21 19:05:00 -06:00
system-auth
r/system-auth: Tag install tasks
2023-10-21 22:16:28 -05:00
systemd-networkd
r/systemd-networkd: Enable and start the service
2021-10-31 14:29:30 -05:00
systemd-resolved
r/systemd-resolved: Manage systemd resolver daemon
2022-08-12 14:35:14 -05:00
taiga
roles/taiga: Fix HTTP->HTTPS redirect
2019-03-22 09:29:56 -05:00
tftp/tasks
r/tftp: Deploy TFTP server
2022-08-15 17:06:20 -05:00
trustca
roles/trustca: Generic role for adding CA certs
2018-06-04 20:03:55 -05:00
unifi
r/unifi: Increase startup timeout
2024-01-21 16:12:29 -06:00
victoria-metrics
r/v-m: Add role for Victoria Metrics
2022-08-10 19:47:12 -05:00
victoria-metrics-nginx
r/v-m-nginx: Prevent requesting reload
2022-08-12 13:14:05 -05:00
vmagent
metrics: Scrape metrics from Kubernetes API server
2023-05-22 21:21:08 -05:00
vmalert
vmalert: Allow configuring http.pathPrefix
2022-08-12 13:10:36 -05:00
vmhost
r/vmhost: Remove system call filters from unit
2024-01-21 15:53:44 -06:00
websites
r/web/hlc: Add formsubmit config for summer signup
2024-01-23 22:04:29 -06:00
wheelhost
wheelhost: Publish wheels built by Jenkins
2019-03-22 10:19:27 -05:00
winbind
r/winbind: Disable offline login by default
2023-10-27 17:37:49 -05:00
zabbix-agent
roles/zabbix: Add support for Debian
2019-03-22 09:29:56 -05:00
zabbix-server
roles/zabbix-server: Redirect HTTP -> HTTPS
2018-06-09 14:35:22 -05:00
zezere
zezere: role/playbook to deploy Zezere
2021-07-05 09:34:25 -05:00
zigbee2mqtt
r/z*2mqtt: Restart services after unexpected stop
2022-08-21 22:25:12 -05:00
zwavejs2mqtt
r/z*2mqtt: Restart services after unexpected stop
2022-08-21 22:25:12 -05:00