init

20 files changed, 857 insertions, 0 deletions

diff --git a/group_vars/all b/group_vars/all
new file mode 100644
index 0000000..0abd54a
--- /dev/null
+++ b/group_vars/all
@@ -0,0 +1,10 @@
+---
+# Global vars set here. Host specific vars set in host_vars/
+# This file is used for global defaults. Meaning vars which are either being shared or need to be controlled globably
+
+##### SSH #####
+# Set the SSH port.
+ssh_port: 22
+# Set ldap server.
+ldap_server: login.linaro.org
+
diff --git a/host_vars/template.host.vars b/host_vars/template.host.vars
new file mode 100644
index 0000000..64aafec
--- /dev/null
+++ b/host_vars/template.host.vars
@@ -0,0 +1,22 @@
+sudoers_root_acl:
+ - user.name
+
+sudoers_access_acl:
+ - user.name
+
+sudoers_logaccess:
+ - logaccess
+
+sudoers_access:
+     - /foo/bar/*
+     - /foo/bin
+
+sudoers_root:
+ - (ALL) ALL
+
+ssh_local:
+ - localuser
+
+ssh_access:
+ - group/user
+
diff --git a/ssh-ldap/README.md b/ssh-ldap/README.md
new file mode 100644
index 0000000..337a03c
--- /dev/null
+++ b/ssh-ldap/README.md
@@ -0,0 +1,6 @@
+This role deploys openssh (client and server) with ldap (nss-ldapd) functionally.
+
+
+Please read the documentation before deploying this role:
+
+https://collaborate.linaro.org/display/ITS/Deploying+Playbooks#DeployingPlaybooks-Playbook-ssh-servers.yml
\ No newline at end of file
diff --git a/ssh-ldap/files/sudoers.d/90-cloud-init-users.j2 b/ssh-ldap/files/sudoers.d/90-cloud-init-users.j2
new file mode 100644
index 0000000..71bbd2b
--- /dev/null
+++ b/ssh-ldap/files/sudoers.d/90-cloud-init-users.j2
@@ -0,0 +1,3 @@
+# {{ ansible_managed }}
+# User rules for ubuntu
+ubuntu ALL=(ALL) NOPASSWD:ALL
\ No newline at end of file
diff --git a/ssh-ldap/handlers/main.yml b/ssh-ldap/handlers/main.yml
new file mode 100644
index 0000000..1a046e0
--- /dev/null
+++ b/ssh-ldap/handlers/main.yml
@@ -0,0 +1,9 @@
+---
+- name: ssh - restart agent
+  service: name=ssh state=restarted enabled=yes
+
+- name: nscd - restart
+  service: name=nscd state=restarted enabled=yes
+
+- name: nslcd - restart
+  service: name=nslcd state=restarted enabled=yes
\ No newline at end of file
diff --git a/ssh-ldap/tasks/main.yml b/ssh-ldap/tasks/main.yml
new file mode 100644
index 0000000..ed9784b
--- /dev/null
+++ b/ssh-ldap/tasks/main.yml
@@ -0,0 +1,239 @@
+#
+#
+# Install and configure openssh server/client with LDAP access
+#
+# Supported OS Ubuntu 12.04 and 14.04
+#
+# Ubuntu 12.04 requires a custom PPA for AuthorizedKeysCommand to work. Because it uses a PPA it requires holding the openssh
+# package. If SSH is update on 12.04, and ldap is enabled, ssh *WILL* break.
+#
+# 14.04 includes the AuthorizedKeysCommand by default. So it just requires installing the openssh-client/server.
+---
+
+- name: install ssh-ldap for precise 12.04
+  include: precise.yml
+  when: ansible_distribution == 'Ubuntu' and ansible_distribution_release == 'precise'
+  tags:
+    - install
+    - precise
+    - package
+
+- name: Install ldap tools
+  action: apt pkg={{ item }} state=latest update_cache=yes force=yes
+  with_items:
+  - ldap-utils
+  - libnss-ldapd
+  tags:
+    - install
+    - package
+
+- name: Install openssh-client and server for ubuntu 14.04
+  action: apt pkg={{ item }} state=latest update_cache=yes
+  with_items:
+  - openssh-client
+  - openssh-server
+  when: ansible_distribution == 'Ubuntu' and ansible_distribution_release == 'trusty'
+  tags:
+    - install
+    - package
+
+- name: uncomment pam_access.so so access.conf works
+  lineinfile: dest=/etc/pam.d/sshd
+             regexp='^# account  required     pam_access.so'
+             insertafter='^#pam_access.so'
+             line='account  required     pam_access.so'
+  tags:
+    - configupdate
+
+- name: Copy bundle file to ca-certificates
+  template: src=gd_bundle.crt
+            dest=/usr/share/ca-certificates/
+            owner=root
+            group=root
+            mode=0644
+  ignore_errors: yes
+  tags:
+    - install
+    - sslcert
+
+- name: update ca-certificates
+  shell: update-ca-certificates
+  tags:
+    - install
+    - sslcert
+
+#### Now copy the template files across
+
+- name: Copy ldap shell script
+  template: src=ldap-keys.sh.j2
+            dest=/etc/ssh/ldap-keys.sh
+            owner=root
+            group=root
+            mode=0755
+  notify:
+    - ssh - restart agent
+  tags:
+    - configupdate
+
+#### Contains LDAP BIND PASSWORD
+- name: Copy ldap conf
+  template: src=ldap.conf.j2
+            dest=/etc/ldap.conf
+            owner=root
+            group=root
+            mode=0644
+  notify:
+    - ssh - restart agent
+  tags:
+    - configupdate
+
+#### Contains LDAP BIND PASSWORD
+- name: Copy nslcd conf
+  template: src=nslcd.conf.j2
+            dest=/etc/nslcd.conf
+            owner=root
+            group=root
+            mode=0400
+  notify:
+    - nslcd - restart
+  tags:
+    - configupdate
+
+- name: Copy nsswitch conf
+  template: src=nsswitch.conf.j2
+            dest=/etc/nsswitch.conf
+            owner=root
+            group=root
+            mode=0644
+  notify:
+    - nscd - restart
+    - nslcd - restart
+  tags:
+    - configupdate
+
+- name: Copy nscd.conf
+  template: src=nscd.conf.j2
+            dest=/etc/nscd.conf
+            owner=root
+            group=root
+            mode=0644
+  notify:
+    - nscd - restart
+  tags:
+    - configupdate
+
+- name: update ca-certificates with gd_bundle
+  lineinfile: dest=/etc/ca-certificates.conf
+              state=present
+              regexp=''
+              insertafter=EOF
+              line='gd_bundle.crt'
+
+- name: Copy access.conf
+  template: src=access.conf.j2
+            dest=/etc/security/access.conf
+            owner=root
+            group=root
+            mode=0644
+            backup=yes
+  notify:
+    - nslcd - restart
+  tags:
+    - configupdate
+    - groupsupdate
+
+- name: Copy sshd config
+  template: src=sshd_config.j2
+            dest=/etc/ssh/sshd_config
+            owner=root
+            group=root
+            mode=0644
+            backup=yes
+  notify:
+    - ssh - restart agent
+  tags:
+    - configupdate
+
+- name: copy pam file to create home folders
+  template: src=my_mkhomedir.j2
+            dest=/usr/share/pam-configs/my_mkhomedir
+            owner=root
+            group=root
+            mode=0644
+  tags:
+   - configupdate
+   - pam
+   - mkhomedir
+- name: Add pam_mkhomedir into pam.d
+  lineinfile: dest=/etc/pam.d/common-session
+              state=present
+              regexp=''
+              insertafter=EOF
+              line='session required        pam_mkhomedir.so umask=0022 skel=/etc/skel'
+  when: inventory_hostname != "linaro-private.git.linaro.org"
+  tags:
+   - configupdate
+   - pam
+   - mkhomedir
+
+- name: Remove pam_mkhomedir from pam.d
+  lineinfile:
+    dest: /etc/pam.d/common-session
+    state: absent
+    regexp: 'pam_mkhomedir.so'
+  when: inventory_hostname == "linaro-private.git.linaro.org"
+  notify: nscd - restart
+  tags:
+   - configupdate
+   - pam
+   - mkhomedir
+
+- name: configure admin sudoers
+  template: src=sudoers.d/sudoers.j2
+            dest=/etc/sudoers.d/ansible
+            owner=root
+            group=root
+            mode=0400
+            validate='visudo -cf %s'
+  when: sudoers_root is defined
+  tags:
+  - sudoers
+  - configupdate
+
+- name: configure sudoers_logaccess
+  template: src=sudoers.d/sudoers_logaccess.j2
+            dest=/etc/sudoers.d/ansible_logaccess
+            owner=root
+            group=root
+            mode=0400
+            validate='visudo -cf %s'
+  when: sudoers_logaccess is defined
+  tags:
+  - sudoers
+  - configupdate
+
+- name: configure sudoers controlled ACL
+  template: src=sudoers.d/sudoers_acl.j2
+            dest=/etc/sudoers.d/ansible_acl
+            owner=root
+            group=root
+            mode=0400
+            validate='visudo -cf %s'
+  when: sudoers_access is defined
+  tags:
+  - sudoers
+  - configupdate
+
+#precise uses file format 90-cloudimg-ubuntu whilst trusty uses 90-cloud-init-users
+- name: copy suoders ubuntu cloud-init file (useful for non-ec2 hosts)
+  copy: src=sudoers.d/90-cloud-init-users.j2
+            dest=/etc/sudoers.d/90-cloud-init-users
+            owner=root
+            group=root
+            mode=0400
+            force=no
+            validate='visudo -cf %s'
+  when: ansible_distribution == 'Ubuntu' and ansible_distribution_release == 'trusty'
+  tags:
+  - sudoers
+  - configupdate
diff --git a/ssh-ldap/tasks/precise.yml b/ssh-ldap/tasks/precise.yml
new file mode 100644
index 0000000..89fa8de
--- /dev/null
+++ b/ssh-ldap/tasks/precise.yml
@@ -0,0 +1,56 @@
+#
+# This role is to deploy openssh-client and server to 12.04 precise.
+#
+# Ubuntu 12.04 requires a custom PPA for AuthorizedKeysCommand to work. Because it uses a PPA it requires holding the openssh
+# package. If SSH is update on 12.04, and ldap is enabled, ssh *WILL* break.
+#
+#
+---
+
+- name: Install custom openssh ppa for AuthorizedKeysCommand only if OS is 12.04
+  apt_repository: repo='ppa:zsoftich/ssh+authkeyscommand'
+  tags:
+    - install
+    - precise
+    - package
+
+- name: Install openssh-client and server only if OS is 12.04
+  action: apt pkg={{ item }} state=present update_cache=yes force=yes
+  with_items:
+  - openssh-client=1:5.9p1-5ubuntu1+lpk1
+  - openssh-server=1:5.9p1-5ubuntu1+lpk1
+
+  tags:
+    - install
+    - precise
+    - package
+
+- name: hold openssh-client only if OS is 12.04 (with dpkg)
+  shell: echo "openssh-client hold" | sudo dpkg --set-selections
+  tags:
+    - install
+    - precise
+    - package
+
+- name: hold openssh-server only if OS is 12.04 (with dpkg)
+  shell: echo "openssh-server hold" | sudo dpkg --set-selections
+  tags:
+    - install
+    - precise
+    - package
+
+- name: hold openssh-client only if OS is 12.04 (with aptitude)
+  shell: aptitude hold openssh-client -y
+  sudo: yes
+  tags:
+    - install
+    - precise
+    - package
+
+- name: hold openssh-server only if OS is 12.04 (with aptitude)
+  shell: aptitude hold openssh-server -y
+  sudo: yes
+  tags:
+    - install
+    - precise
+    - package
\ No newline at end of file
diff --git a/ssh-ldap/templates/access.conf.j2 b/ssh-ldap/templates/access.conf.j2
new file mode 100644
index 0000000..b7697a9
--- /dev/null
+++ b/ssh-ldap/templates/access.conf.j2
@@ -0,0 +1,138 @@
+# {{ ansible_managed }}
+# Login access control table.
+#
+# Comment line must start with "#", no space at front.
+# Order of lines is important.
+#
+# When someone logs in, the table is scanned for the first entry that
+# matches the (user, host) combination, or, in case of non-networked
+# logins, the first entry that matches the (user, tty) combination.  The
+# permissions field of that table entry determines whether the login will
+# be accepted or refused.
+#
+# Format of the login access control table is three fields separated by a
+# ":" character:
+#
+# [Note, if you supply a 'fieldsep=|' argument to the pam_access.so
+# module, you can change the field separation character to be
+# '|'. This is useful for configurations where you are trying to use
+# pam_access with X applications that provide PAM_TTY values that are
+# the display variable like "host:0".]
+#
+# 	permission : users : origins
+#
+# The first field should be a "+" (access granted) or "-" (access denied)
+# character.
+#
+# The second field should be a list of one or more login names, group
+# names, or ALL (always matches). A pattern of the form user@host is
+# matched when the login name matches the "user" part, and when the
+# "host" part matches the local machine name.
+#
+# The third field should be a list of one or more tty names (for
+# non-networked logins), host names, domain names (begin with "."), host
+# addresses, internet network numbers (end with "."), ALL (always
+# matches), NONE (matches no tty on non-networked logins) or
+# LOCAL (matches any string that does not contain a "." character).
+#
+# You can use @netgroupname in host or user patterns; this even works
+# for @usergroup@@hostgroup patterns.
+#
+# The EXCEPT operator makes it possible to write very compact rules.
+#
+# The group file is searched only when a name does not match that of the
+# logged-in user. Both the user's primary group is matched, as well as
+# groups in which users are explicitly listed.
+# To avoid problems with accounts, which have the same name as a group,
+# you can use brackets around group names '(group)' to differentiate.
+# In this case, you should also set the "nodefgroup" option.
+#
+# TTY NAMES: Must be in the form returned by ttyname(3) less the initial
+# "/dev" (e.g. tty1 or vc/1)
+#
+##############################################################################
+#
+# Disallow non-root logins on tty1
+#
+#-:ALL EXCEPT root:tty1
+#
+# Disallow console logins to all but a few accounts.
+#
+#-:ALL EXCEPT wheel shutdown sync:LOCAL
+#
+# Same, but make sure that really the group wheel and not the user
+# wheel is used (use nodefgroup argument, too):
+#
+#-:ALL EXCEPT (wheel) shutdown sync:LOCAL
+#
+# Disallow non-local logins to privileged accounts (group wheel).
+#
+#-:wheel:ALL EXCEPT LOCAL .win.tue.nl
+#
+# Some accounts are not allowed to login from anywhere:
+#
+#-:wsbscaro wsbsecr wsbspac wsbsym wscosor wstaiwde:ALL
+#
+# All other accounts are allowed to login from anywhere.
+#
+##############################################################################
+# All lines from here up to the end are building a more complex example.
+##############################################################################
+#
+# User "root" should be allowed to get access via cron .. tty5 tty6.
+#+ : root : cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6
+#
+# User "root" should be allowed to get access from hosts with ip addresses.
+#+ : root : 192.168.200.1 192.168.200.4 192.168.200.9
+#+ : root : 127.0.0.1
+#
+# User "root" should get access from network 192.168.201.
+# This term will be evaluated by string matching.
+# comment: It might be better to use network/netmask instead.
+#          The same is 192.168.201.0/24 or 192.168.201.0/255.255.255.0
+#+ : root : 192.168.201.
+#
+# User "root" should be able to have access from domain.
+# Uses string matching also.
+#+ : root : .foo.bar.org
+#
+# User "root" should be denied to get access from all other sources.
+#- : root : ALL
+#
+# User "foo" and members of netgroup "nis_group" should be
+# allowed to get access from all sources.
+# This will only work if netgroup service is available.
+#+ : @nis_group foo : ALL
+#
+# User "john" should get access from ipv4 net/mask
+#+ : john : 127.0.0.0/24
+#
+# User "john" should get access from ipv4 as ipv6 net/mask
+#+ : john : ::ffff:127.0.0.0/127
+#
+# User "john" should get access from ipv6 host address
+#+ : john : 2001:4ca0:0:101::1
+#
+# User "john" should get access from ipv6 host address (same as above)
+#+ : john : 2001:4ca0:0:101:0:0:0:1
+#
+# User "john" should get access from ipv6 net/mask
+#+ : john : 2001:4ca0:0:101::/64
+#
+# All other users should be denied to get access from all sources.
+#- : ALL : ALL
+#
+#
+# Please include host_vars/hostname.linaro.org
+# ssh_access:
+#  - user/group
+
+{% if ssh_access is defined %}
+-:ALL EXCEPT root sysadmin ubuntu {% if ssh_local is defined %}{{(ssh_local)|join(' ') }}{% endif %} {{ (ssh_access) | join(' ') }}:ALL
+
+  {%else%}
+
+#No ssh_access defined in host_vars, assume basic ACL. Allows *ONLY* ITS. If this is wrong, please set correct group/user in host_vars.
+-:ALL EXCEPT root sysadmin ubuntu (its):ALL
+
+{% endif %}
diff --git a/ssh-ldap/templates/gd_bundle.crt b/ssh-ldap/templates/gd_bundle.crt
new file mode 100644
index 0000000..9aa63ce
--- /dev/null
+++ b/ssh-ldap/templates/gd_bundle.crt
@@ -0,0 +1,53 @@
+-----BEGIN CERTIFICATE-----
+MIIE3jCCA8agAwIBAgICAwEwDQYJKoZIhvcNAQEFBQAwYzELMAkGA1UEBhMCVVMx
+ITAfBgNVBAoTGFRoZSBHbyBEYWRkeSBHcm91cCwgSW5jLjExMC8GA1UECxMoR28g
+RGFkZHkgQ2xhc3MgMiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wNjExMTYw
+MTU0MzdaFw0yNjExMTYwMTU0MzdaMIHKMQswCQYDVQQGEwJVUzEQMA4GA1UECBMH
+QXJpem9uYTETMBEGA1UEBxMKU2NvdHRzZGFsZTEaMBgGA1UEChMRR29EYWRkeS5j
+b20sIEluYy4xMzAxBgNVBAsTKmh0dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29kYWRkeS5j
+b20vcmVwb3NpdG9yeTEwMC4GA1UEAxMnR28gRGFkZHkgU2VjdXJlIENlcnRpZmlj
+YXRpb24gQXV0aG9yaXR5MREwDwYDVQQFEwgwNzk2OTI4NzCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBAMQt1RWMnCZM7DI161+4WQFapmGBWTtwY6vj3D3H
+KrjJM9N55DrtPDAjhI6zMBS2sofDPZVUBJ7fmd0LJR4h3mUpfjWoqVTr9vcyOdQm
+VZWt7/v+WIbXnvQAjYwqDL1CBM6nPwT27oDyqu9SoWlm2r4arV3aLGbqGmu75RpR
+SgAvSMeYddi5Kcju+GZtCpyz8/x4fKL4o/K1w/O5epHBp+YlLpyo7RJlbmr2EkRT
+cDCVw5wrWCs9CHRK8r5RsL+H0EwnWGu1NcWdrxcx+AuP7q2BNgWJCJjPOq8lh8BJ
+6qf9Z/dFjpfMFDniNoW1fho3/Rb2cRGadDAW/hOUoz+EDU8CAwEAAaOCATIwggEu
+MB0GA1UdDgQWBBT9rGEyk2xF1uLuhV+auud2mWjM5zAfBgNVHSMEGDAWgBTSxLDS
+kdRMEXGzYcs9of7dqGrU4zASBgNVHRMBAf8ECDAGAQH/AgEAMDMGCCsGAQUFBwEB
+BCcwJTAjBggrBgEFBQcwAYYXaHR0cDovL29jc3AuZ29kYWRkeS5jb20wRgYDVR0f
+BD8wPTA7oDmgN4Y1aHR0cDovL2NlcnRpZmljYXRlcy5nb2RhZGR5LmNvbS9yZXBv
+c2l0b3J5L2dkcm9vdC5jcmwwSwYDVR0gBEQwQjBABgRVHSAAMDgwNgYIKwYBBQUH
+AgEWKmh0dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29kYWRkeS5jb20vcmVwb3NpdG9yeTAO
+BgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQEFBQADggEBANKGwOy9+aG2Z+5mC6IG
+OgRQjhVyrEp0lVPLN8tESe8HkGsz2ZbwlFalEzAFPIUyIXvJxwqoJKSQ3kbTJSMU
+A2fCENZvD117esyfxVgqwcSeIaha86ykRvOe5GPLL5CkKSkB2XIsKd83ASe8T+5o
+0yGPwLPk9Qnt0hCqU7S+8MxZC9Y7lhyVJEnfzuz9p0iRFEUOOjZv2kWzRaJBydTX
+RE4+uXR21aITVSzGh6O1mawGhId/dQb8vxRMDsxuxN89txJx9OjxUUAiKEngHUuH
+qDTMBqLdElrRhjZkAzVvb3du6/KFUJheqwNTrZEjYx8WnM25sgVjOuH0aBsXBTWV
+U+4=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIEADCCAuigAwIBAgIBADANBgkqhkiG9w0BAQUFADBjMQswCQYDVQQGEwJVUzEh
+MB8GA1UEChMYVGhlIEdvIERhZGR5IEdyb3VwLCBJbmMuMTEwLwYDVQQLEyhHbyBE
+YWRkeSBDbGFzcyAyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTA0MDYyOTE3
+MDYyMFoXDTM0MDYyOTE3MDYyMFowYzELMAkGA1UEBhMCVVMxITAfBgNVBAoTGFRo
+ZSBHbyBEYWRkeSBHcm91cCwgSW5jLjExMC8GA1UECxMoR28gRGFkZHkgQ2xhc3Mg
+MiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCCASAwDQYJKoZIhvcNAQEBBQADggEN
+ADCCAQgCggEBAN6d1+pXGEmhW+vXX0iG6r7d/+TvZxz0ZWizV3GgXne77ZtJ6XCA
+PVYYYwhv2vLM0D9/AlQiVBDYsoHUwHU9S3/Hd8M+eKsaA7Ugay9qK7HFiH7Eux6w
+wdhFJ2+qN1j3hybX2C32qRe3H3I2TqYXP2WYktsqbl2i/ojgC95/5Y0V4evLOtXi
+EqITLdiOr18SPaAIBQi2XKVlOARFmR6jYGB0xUGlcmIbYsUfb18aQr4CUWWoriMY
+avx4A6lNf4DD+qta/KFApMoZFv6yyO9ecw3ud72a9nmYvLEHZ6IVDd2gWMZEewo+
+YihfukEHU1jPEX44dMX4/7VpkI+EdOqXG68CAQOjgcAwgb0wHQYDVR0OBBYEFNLE
+sNKR1EwRcbNhyz2h/t2oatTjMIGNBgNVHSMEgYUwgYKAFNLEsNKR1EwRcbNhyz2h
+/t2oatTjoWekZTBjMQswCQYDVQQGEwJVUzEhMB8GA1UEChMYVGhlIEdvIERhZGR5
+IEdyb3VwLCBJbmMuMTEwLwYDVQQLEyhHbyBEYWRkeSBDbGFzcyAyIENlcnRpZmlj
+YXRpb24gQXV0aG9yaXR5ggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQAD
+ggEBADJL87LKPpH8EsahB4yOd6AzBhRckB4Y9wimPQoZ+YeAEW5p5JYXMP80kWNy
+OO7MHAGjHZQopDH2esRU1/blMVgDoszOYtuURXO1v0XJJLXVggKtI3lpjbi2Tc7P
+TMozI+gciKqdi0FuFskg5YmezTvacPd+mSYgFFQlq25zheabIZ0KbIIOqPjCDPoQ
+HmyW74cNxA9hi63ugyuV+I6ShHI56yDqg+2DzZduCLzrTia2cyvk0/ZM/iZx4mER
+dEr/VxqHD3VILs9RaRegAhJhldXRQLIQTO7ErBBDpqWeCtWVYpoNz4iCxTIM5Cuf
+ReYNnyicsbkqWletNw+vHX/bvZ8=
+-----END CERTIFICATE-----
diff --git a/ssh-ldap/templates/ldap-keys.sh.j2 b/ssh-ldap/templates/ldap-keys.sh.j2
new file mode 100644
index 0000000..cf9932c
--- /dev/null
+++ b/ssh-ldap/templates/ldap-keys.sh.j2
@@ -0,0 +1,22 @@
+#!/bin/bash
+# {{ ansible_managed }}
+# get configuration from /etc/ldap.conf
+for x in $(sed -n 's/^\([a-zA-Z_]*\) \(.*\)$/\1="\2"/p' /etc/ldap.conf); do
+    eval $x;
+done
+
+OPTIONS=
+case "$ssl" in
+    start_tls)
+	case "$tls_checkpeer" in
+	    no) OPTIONS+="-Z";;
+	    *) OPTIONS+="-ZZ";;
+	esac;;
+esac
+
+ldapsearch $OPTIONS -H ${uri} \
+    -w "${bindpw}" -D "${binddn}" \
+    -b "${base}" \
+    '(&(objectClass=posixAccount)(uid='"$1"'))' \
+    'sshPublicKey' \
+    | sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp' | tee /tmp/ssh.log
\ No newline at end of file
diff --git a/ssh-ldap/templates/ldap.conf.j2 b/ssh-ldap/templates/ldap.conf.j2
new file mode 100644
index 0000000..259b619
--- /dev/null
+++ b/ssh-ldap/templates/ldap.conf.j2
@@ -0,0 +1,19 @@
+## {{ ansible_managed }}
+## LDAP Defaults
+##
+## See ldap.conf(5) for details
+##
+##
+
+base dc=linaro,dc=org
+uri ldaps://{{ldap_server}}
+binddn cn=bindaccount,dc=linaro,dc=org
+bindpw someverylongcomplexpassword
+ldap_version 3
+pam_password md5
+rootbinddn
+
+#SIZELIMIT	12
+#TIMELIMIT	15
+#DEREF		never
+
diff --git a/ssh-ldap/templates/my_mkhomedir.j2 b/ssh-ldap/templates/my_mkhomedir.j2
new file mode 100644
index 0000000..8a003f5
--- /dev/null
+++ b/ssh-ldap/templates/my_mkhomedir.j2
@@ -0,0 +1,6 @@
+Name: activate mkhomedir
+Default: yes
+Priority: 900
+Session-Type: Additional
+Session:
+        required                        pam_mkhomedir.so umask=0022 skel=/etc/skel
\ No newline at end of file
diff --git a/ssh-ldap/templates/nscd.conf.j2 b/ssh-ldap/templates/nscd.conf.j2
new file mode 100644
index 0000000..320cfe4
--- /dev/null
+++ b/ssh-ldap/templates/nscd.conf.j2
@@ -0,0 +1,91 @@
+## {{ ansible_managed }}
+#
+# /etc/nscd.conf
+#
+# An example Name Service Cache config file.  This file is needed by nscd.
+#
+# Legal entries are:
+#
+#	logfile			<file>
+#	debug-level		<level>
+#	threads			<initial #threads to use>
+#	max-threads		<maximum #threads to use>
+#	server-user             <user to run server as instead of root>
+#		server-user is ignored if nscd is started with -S parameters
+#       stat-user               <user who is allowed to request statistics>
+#	reload-count		unlimited|<number>
+#	paranoia		<yes|no>
+#	restart-interval	<time in seconds>
+#
+#       enable-cache		<service> <yes|no>
+#	positive-time-to-live	<service> <time in seconds>
+#	negative-time-to-live   <service> <time in seconds>
+#       suggested-size		<service> <prime number>
+#	check-files		<service> <yes|no>
+#	persistent		<service> <yes|no>
+#	shared			<service> <yes|no>
+#	max-db-size		<service> <number bytes>
+#	auto-propagate		<service> <yes|no>
+#
+# Currently supported cache names (services): passwd, group, hosts, services
+#
+
+
+#	logfile			/var/log/nscd.log
+#	threads			4
+#	max-threads		32
+#	server-user		nobody
+#	stat-user		somebody
+	debug-level		0
+#	reload-count		5
+	paranoia		no
+#	restart-interval	3600
+
+	enable-cache			passwd		yes
+	positive-time-to-live	passwd		60
+	negative-time-to-live	passwd		20
+	suggested-size			passwd		211
+	check-files				passwd		yes
+	persistent				passwd		yes
+	shared					passwd		yes
+	max-db-size				passwd		33554432
+	auto-propagate			passwd		yes
+
+	enable-cache			group		yes
+	positive-time-to-live	group		60
+	negative-time-to-live	group		60
+	suggested-size			group		211
+	check-files				group		yes
+	persistent				group		yes
+	shared					group		yes
+	max-db-size				group		33554432
+	auto-propagate			group		yes
+
+	enable-cache			hosts		yes
+	positive-time-to-live	hosts		60
+	negative-time-to-live	hosts		20
+	suggested-size			hosts		211
+	check-files				hosts		yes
+	persistent				hosts		yes
+	shared					hosts		yes
+	max-db-size				hosts		33554432
+
+	enable-cache			services	no
+	positive-time-to-live	services	28800
+	negative-time-to-live	services	20
+	suggested-size			services	211
+	check-files				services	yes
+	persistent				services	yes
+	shared					services	yes
+	max-db-size				services	33554432
+
+# netgroup caching is known-broken, so disable it in the default config,
+# see: https://bugs.launchpad.net/ubuntu/+source/eglibc/+bug/1068889
+	enable-cache			netgroup	no
+	positive-time-to-live	netgroup	28800
+	negative-time-to-live	netgroup	20
+	suggested-size			netgroup	211
+	check-files				netgroup	yes
+	persistent				netgroup	yes
+	shared					netgroup	yes
+	max-db-size				netgroup	33554432
diff --git a/ssh-ldap/templates/nslcd.conf.j2 b/ssh-ldap/templates/nslcd.conf.j2
new file mode 100644
index 0000000..907d6b2
--- /dev/null
+++ b/ssh-ldap/templates/nslcd.conf.j2
@@ -0,0 +1,40 @@
+## {{ ansible_managed }}
+# /etc/nslcd.conf
+# nslcd configuration file. See nslcd.conf(5)
+# for details.
+
+# The user and group nslcd should run as.
+uid nslcd
+gid nslcd
+
+# The location at which the LDAP server(s) should be reachable.
+uri ldaps://{{ldap_server}}
+
+# The search base that will be used for all queries.
+base dc=linaro,dc=org
+
+# The LDAP protocol version to use.
+ldap_version 3
+
+# The DN to bind with for normal lookups.
+binddn cn=bindaccount,dc=linaro,dc=org
+bindpw someverylongcomplexpassword
+
+# The DN used for password modifications by root.
+#rootpwmoddn cn=admin,dc=example,dc=com
+
+# SSL options
+ssl on
+tls_reqcert allow
+
+# The search scope.
+#scope sub
+
+#base passwd cn=NodeAdmin,ou=group,dc=x4b,dc=org
+#filter passwd (|(gidNumber=10001)(gidNumber=10000))
+#filter group  (objectClass=Group)
+
+# automatically added on upgrade of nslcd package
+{% if inventory_hostname == 'flexlm.linaro.org' %}
+map    passwd loginShell       "/usr/sbin/nologin"
+{% endif %}
diff --git a/ssh-ldap/templates/nsswitch.conf.j2 b/ssh-ldap/templates/nsswitch.conf.j2
new file mode 100644
index 0000000..235dd21
--- /dev/null
+++ b/ssh-ldap/templates/nsswitch.conf.j2
@@ -0,0 +1,17 @@
+## {{ ansible_managed }}

+# /etc/nsswitch.conf

+#

+

+passwd:         files ldap

+group:          files ldap

+shadow:         files ldap

+

+hosts:          files dns ldap

+networks:       files ldap

+

+protocols:      db files

+services:       db files

+ethers:         db files

+rpc:            db files

+

+netgroup:       nis

diff --git a/ssh-ldap/templates/sshd_config.j2 b/ssh-ldap/templates/sshd_config.j2
new file mode 100644
index 0000000..a372dea
--- /dev/null
+++ b/ssh-ldap/templates/sshd_config.j2
@@ -0,0 +1,96 @@
+# {{ ansible_managed }}
+# Package generated configuration file
+# See the sshd_config(5) manpage for details
+
+# What ports, IPs and protocols we listen for
+# SSH port set in group_vars. Host specific port set in host_vars
+Port {{ssh_port}}
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#ListenAddress ::
+#ListenAddress 0.0.0.0
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 1024
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 120
+PermitRootLogin without-password
+StrictModes yes
+
+RSAAuthentication yes
+PubkeyAuthentication yes
+#AuthorizedKeysFile	%h/.ssh/authorized_keys
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Change to no to disable tunnelled clear text passwords
+PasswordAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosGetAFSToken no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+X11Forwarding yes
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+#UseLogin no
+
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+AuthorizedKeysCommand /etc/ssh/ldap-keys.sh
+{% if ansible_distribution_release == 'jessie'  %}
+#This is required for 14.04
+AuthorizedKeysCommandUser root
+{% endif %}
+
+UseDNS no
diff --git a/ssh-ldap/templates/sudoers.d/sudoers.j2 b/ssh-ldap/templates/sudoers.d/sudoers.j2
new file mode 100644
index 0000000..20bb5ff
--- /dev/null
+++ b/ssh-ldap/templates/sudoers.d/sudoers.j2
@@ -0,0 +1,6 @@
+# {{ ansible_managed }}
+# Controls "root" access.
+
+{% for user in sudoers_root_acl %}
+{{ user }} ALL={{ sudoers_root | join(',') }}
+{% endfor %}
diff --git a/ssh-ldap/templates/sudoers.d/sudoers_acl.j2 b/ssh-ldap/templates/sudoers.d/sudoers_acl.j2
new file mode 100644
index 0000000..8dbdd46
--- /dev/null
+++ b/ssh-ldap/templates/sudoers.d/sudoers_acl.j2
@@ -0,0 +1,6 @@
+# {{ ansible_managed }}
+# This file control sudo access to servers, but only by the given directory or binary.
+
+{% for user in sudoers_access_acl %}
+{{ user }} ALL=NOPASSWD:{{ sudoers_access | join(',') }}
+{% endfor %}
diff --git a/ssh-ldap/templates/sudoers.d/sudoers_logaccess.j2 b/ssh-ldap/templates/sudoers.d/sudoers_logaccess.j2
new file mode 100644
index 0000000..ec49ad6
--- /dev/null
+++ b/ssh-ldap/templates/sudoers.d/sudoers_logaccess.j2
@@ -0,0 +1,7 @@
+# {{ ansible_managed }}
+# for weblogs.linaro.org
+
+# MANAGED BY ANSIBLE
+{% for user in sudoers_logaccess %}
+{{user}} ALL=NOPASSWD: /var/log/apache2/*,/bin/cat,/usr/bin/rsync,/bin/ls
+{% endfor %}
diff --git a/ssh-servers.yml b/ssh-servers.yml
new file mode 100644
index 0000000..c2716e2
--- /dev/null
+++ b/ssh-servers.yml
@@ -0,0 +1,11 @@
+# Deploy the ssh-ldap module.
+# Maintainer: Ben Copeland ben.copeland@linaro.org
+---
+
+- name: Deploy the ssh-ldap module.
+  hosts: ssh
+  roles:
+   - role: ssh-ldap
+     sudo: yes
+   - role: logrotate
+     sudo: yes