From 5fc6de272c4e1d6b41a8c24b6ff5116548ac12c5 Mon Sep 17 00:00:00 2001 Message-Id: <5fc6de272c4e1d6b41a8c24b6ff5116548ac12c5.1714822812.git.mdw@distorted.org.uk> From: Mark Wooding Date: Thu, 9 Jul 2015 10:32:00 +0100 Subject: [PATCH] roles/common/: Do the rest of the common configuration. Organization: Straylight/Edgeware From: Mark Wooding --- roles/common/files/backup/filter.home | 8 + roles/common/files/backup/filter.var-spool | 3 + roles/common/files/backup/fshash | 498 ++++++++++++++ roles/common/files/netdb/hosts | 131 ++++ roles/common/files/netdb/networks | 4 + roles/common/files/netdb/services | 627 ++++++++++++++++++ roles/common/files/pki/ca.cert | 110 +++ roles/common/files/pki/dh-param-2048.pem | 53 ++ roles/common/files/pki/dh-param.pem | 68 ++ roles/common/files/pki/openssl.conf | 114 ++++ roles/common/files/root/gitconfig | 3 + .../common/files/scripts/fetch-unpack-archive | 46 ++ roles/common/files/scripts/genx509 | 56 ++ roles/common/files/sudo/sudoers | 62 ++ roles/common/tasks/main.yml | 59 +- 15 files changed, 1841 insertions(+), 1 deletion(-) create mode 100644 roles/common/files/backup/filter.home create mode 100644 roles/common/files/backup/filter.var-spool create mode 100755 roles/common/files/backup/fshash create mode 100644 roles/common/files/netdb/hosts create mode 100644 roles/common/files/netdb/networks create mode 100644 roles/common/files/netdb/services create mode 100644 roles/common/files/pki/ca.cert create mode 100644 roles/common/files/pki/dh-param-2048.pem create mode 100644 roles/common/files/pki/dh-param.pem create mode 100644 roles/common/files/pki/openssl.conf create mode 100644 roles/common/files/root/gitconfig create mode 100755 roles/common/files/scripts/fetch-unpack-archive create mode 100755 roles/common/files/scripts/genx509 create mode 100644 roles/common/files/sudo/sudoers diff --git a/roles/common/files/backup/filter.home b/roles/common/files/backup/filter.home new file mode 100644 index 0000000..b101b69 
--- /dev/null
+++ b/roles/common/files/backup/filter.home
@@ -0,0 +1,8 @@
+- /aquota.user
+- /aquota.group
+
+- /*/.cache/
+- /*/.ccache/
+- /*/.local/share/Trash/
+- /*/.thumbnails/
+- /*/tmp/
diff --git a/roles/common/files/backup/filter.var-spool b/roles/common/files/backup/filter.var-spool
new file mode 100644
index 0000000..df01fb6
--- /dev/null
+++ b/roles/common/files/backup/filter.var-spool
@@ -0,0 +1,3 @@
+- squid/
+- squid3/
+- lpd/
diff --git a/roles/common/files/backup/fshash b/roles/common/files/backup/fshash
new file mode 100755
index 0000000..888ef73
--- /dev/null
+++ b/roles/common/files/backup/fshash
@@ -0,0 +1,498 @@ +#! /usr/bin/python +### +### Efficiently construct canonical digests of filesystems +### +### (c) 2012 Mark Wooding +### + +###----- Licensing notice --------------------------------------------------- +### +### This file is part of the `rsync-backup' program. +### +### rsync-backup is free software; you can redistribute it and/or modify +### it under the terms of the GNU General Public License as published by +### the Free Software Foundation; either version 2 of the License, or +### (at your option) any later version. +### +### rsync-backup is distributed in the hope that it will be useful, +### but WITHOUT ANY WARRANTY; without even the implied warranty of +### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +### GNU General Public License for more details. +### +### You should have received a copy of the GNU General Public License +### along with rsync-backup; if not, write to the Free Software Foundation, +### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + +from sys import argv, exit, stdin, stdout, stderr +import os as OS +import re as RX +import time as T +import stat as ST +import optparse as OP +import hashlib as H +import sqlite3 as DB +import zlib as Z + +PACKAGE = 'rsync-backup' +VERSION = '0.99.1-8-ga844' + +###-------------------------------------------------------------------------- +### Utilities. + +QUIS = OS.path.basename(argv[0]) + +def moan(msg): + stderr.write('%s: %s\n' % (QUIS, msg)) + +def die(msg, rc = 1): + moan(msg) + exit(rc) + +SYSERR = 0 +def syserr(msg): + global SYSERR + moan(msg) + SYSERR += 1 + +###-------------------------------------------------------------------------- +### File system enumeration. 
+ +class FileInfo (object): + def __init__(me, file, st = None): + me.name = file + if st: + me.st = st + me.err = None + else: + try: + me.st = OS.lstat(file) + me.err = None + except OSError, err: + me.st = None + me.err = err + +def enum_walk(file, func): + + def dirents(name): + try: + return OS.listdir(name) + except OSError, err: + syserr("failed to read directory `%s': %s" % (name, err.strerror)) + return [] + + def dir(ee, dev): + ff = [] + dd = [] + for e in ee: + fi = FileInfo(e) + if fi.st and fi.st.st_dev != dev: pass + if fi.st and ST.S_ISDIR(fi.st.st_mode): dd.append(fi) + else: ff.append(fi) + ff.sort(key = lambda fi: fi.name) + dd.sort(key = lambda fi: fi.name + '/') + for f in ff: + func(f) + for d in dd: + if d.st.st_dev == dev: + func(d) + dir([OS.path.join(d.name, e) for e in dirents(d.name)], dev) + + if file.endswith('/'): + cwd = OS.open('.', OS.O_RDONLY) + try: + OS.chdir(file) + fi = FileInfo('.') + func(fi) + dir(dirents('.'), fi.st.st_dev) + finally: + OS.fchdir(cwd) + OS.close(cwd) + else: + fi = FileInfo(file) + func(fi) + if fi.st and ST.S_ISDIR(fi.st.st_mode): + dir([OS.path.join(fi.name, e) for e in dirents(fi.name)], + fi.st.st_dev) + +def enum_find0(f, func): + tail = "" + while True: + buf = f.read(8192) + last = len(buf) == 0 + names = (tail + buf).split('\0') + tail = names.pop() + for n in names: + func(FileInfo(n)) + if last: + break + if len(tail): + moan("ignored trailing junk after last filename") + +RX_RSYNCESC = RX.compile(r'\\ \# ([0-7]{3})', RX.VERBOSE) +def enum_rsync(f, func): + + ## The format is a little fiddly. Each line consists of PERMS SIZE DATE + ## TIME NAME, separated by runs of whitespace, but the NAME starts exactly + ## one space character after the TIME and may begin with a space. + ## Sequences of the form `\#OOO' where OOO are three octal digits, stand + ## for a byte with that value. 
Newlines and backslashes which would be + ## ambiguous are converted into this form; all other characters are + ## literal. + ## + ## We ignore the stat information and retrieve it ourselves, because it's + ## incomplete. Hopefully the dcache is still warm. + + for line in f: + if line.endswith('\n'): line = line[:-1] + + ## Extract the escaped name. + ff = line.split(None, 3) + if len(ff) != 4: + syserr("ignoring invalid line from rsync: `%s'" % line) + continue + tail = ff[3] + try: + spc = tail.index(' ') + except ValueError: + syserr("ignoring invalid line from rsync: `%s'" % line) + continue + name = tail[spc + 1:] + + ## Now translate escape sequences. + name = RX_RSYNCESC.sub(lambda m: chr(int(m.group(1), 8)), name) + + ## Call the client. + try: + fi = FileInfo(name) + except OSError, err: + syserr("failed to stat `%s': %s" % (name, err.strerror)) + continue + func(fi) + +###-------------------------------------------------------------------------- +### The hash cache. + +class HashCache (object): + + VERSION = 0 + BUFSZ = 128*1024 + + INIT = [ + """CREATE TABLE meta ( + version INTEGER NOT NULL, + hash TEXT NOT NULL + );""", + """CREATE TABLE hash ( + ino INTEGER PRIMARY KEY, + mtime INTEGER NOT NULL, + ctime INTEGER NOT NULL, + size INTEGER NOT NULL, + hash TEXT NOT NULL, + seen BOOLEAN NOT NULL DEFAULT TRUE + );""", + """PRAGMA journal_mode = WAL;""" + ] + + def __init__(me, file, hash = None): + + if file is None: + + ## We're going this alone, with no cache. + db = None + if hash is None: + die("no hash specified and no database cache to read from") + else: + + ## Connect to the database. + db = DB.connect(file) + db.text_factory = str + + ## See whether we can understand the cache database. 
+ c = db.cursor() + v = h = None + try: + c.execute('SELECT version, hash FROM meta') + v, h = c.fetchone() + if c.fetchone() is not None: + die("cache database corrupt: meta table has mutliple rows") + except (DB.Error, TypeError): + pass + + ## If that didn't work, we'd better clear the thing and start again. + ## But only if we know how to initialize it. + if v != me.VERSION: + + ## Explain the situation. + moan("cache version %s not understood" % v) + if hash is None: + if h is None: + die("can't initialize cache: no hash function set") + else: + hash = h + try: + H.new(hash) + except Exception: + die("unknown hash function `%s'" % hash) + + ## Drop old things. + c.execute('SELECT type, name FROM sqlite_master') + for type, name in c.fetchall(): + c.execute('DROP %s IF EXISTS %s' % (type, name)) + + ## Now we're ready to go. + for stmt in me.INIT: + c.execute(stmt) + c.execute('INSERT INTO meta VALUES (?, ?)', [me.VERSION, hash]) + db.commit() + + ## Check the hash function if necessary. + if hash is None: + hash = h + elif h is not None and h != hash: + die("hash mismatch: cache uses %s but %s requested" % (h, hash)) + + ## All done. + me.hash = hash + me._db = db + me._pend = 0 + + def hashfile(me, fi): + + ## If this isn't a proper file then don't try to hash it. + if fi.err or not ST.S_ISREG(fi.st.st_mode): + return None + + ## See whether there's a valid entry in the cache. + if me._db: + c = me._db.cursor() + c.execute( + 'SELECT mtime, size, hash, seen FROM hash WHERE ino = ?;', + [fi.st.st_ino]) + r = c.fetchone() + if r is not None: + mt, sz, h, s = r + if mt == fi.st.st_mtime and \ + sz == fi.st.st_size: + if not s: + c.execute('UPDATE hash SET seen = 1 WHERE ino = ?', + [fi.st.st_ino]) + me._update() + return h + + ## Hash the file. Beware raciness: update the file information from the + ## open descriptor, but set the size from what we actually read. 
+ h = H.new(me.hash) + try: + with open(fi.name, 'rb') as f: + sz = 0 + while True: + buf = f.read(me.BUFSZ) + if len(buf) == 0: + break + sz += len(buf) + h.update(buf) + fi.st = OS.fstat(f.fileno()) + ##fi.st.st_size = sz + hash = h.digest() + except (OSError, IOError), err: + fi.st = None + fi.err = err + return None + hash = hash.encode('hex') + + ## Insert a record into the database. + if me._db: + c.execute(""" + INSERT OR REPLACE INTO hash + (ino, mtime, ctime, size, hash, seen) + VALUES + (?, ?, ?, ?, ?, 1); + """, [fi.st.st_ino, + fi.st.st_mtime, + fi.st.st_ctime, + fi.st.st_size, + hash]) + me._update() + + ## Done. + return hash + + def _update(me): + me._pend += 1 + if me._pend >= 1024: + me.flush() + + def flush(me): + if me._db: + me._db.commit() + me._pend = 0 + + def need_db(me): + if not me._db: + die("no cache database") + + def reset(me): + me.need_db() + c = me._db.cursor() + c.execute('UPDATE hash SET seen = 0 WHERE seen') + me.flush() + + def prune(me): + me.need_db() + c = me._db.cursor() + c.execute('DELETE FROM hash WHERE NOT seen') + me.flush() + +###-------------------------------------------------------------------------- +### Printing output. 
+ +class GenericFormatter (object): + def __init__(me, fi): + me.fi = fi + def _fmt_time(me, t): + tm = T.gmtime(t) + return T.strftime('%Y-%m-%dT%H:%M:%SZ', tm) + def _enc_name(me, n): + return ' \\-> '.join(n.encode('string_escape').split(' -> ')) + def name(me): + return me._enc_name(me.fi.name) + def info(me): + return me.TYPE + def mode(me): + return '%06o' % me.fi.st.st_mode + def size(me): + return me.fi.st.st_size + def mtime(me): + return me._fmt_time(me.fi.st.st_mtime) + def owner(me): + return '%5d:%d' % (me.fi.st.st_uid, me.fi.st.st_gid) + +class ErrorFormatter (GenericFormatter): + def info(me): + return 'E%d %s' % (me.fi.err.errno, me.fi.err.strerror) + def error(me): return 'error' + mode = size = mtime = owner = error + +class SocketFormatter (GenericFormatter): + TYPE = 'socket' +class PipeFormatter (GenericFormatter): + TYPE = 'fifo' + +class LinkFormatter (GenericFormatter): + TYPE = 'symbolic-link' + def name(me): + n = GenericFormatter.name(me) + try: + d = OS.readlink(me.fi.name) + return '%s -> %s' % (n, me._enc_name(d)) + except OSError, err: + return '%s -> ' % (n, err.errno, err.strerror) + +class DirectoryFormatter (GenericFormatter): + TYPE = 'directory' + def name(me): return GenericFormatter.name(me) + '/' + def size(me): return 'dir' + +class DeviceFormatter (GenericFormatter): + def info(me): + return '%s %d:%d' % (me.TYPE, + OS.major(me.fi.st.st_rdev), + OS.minor(me.fi.st.st_rdev)) +class BlockDeviceFormatter (DeviceFormatter): + TYPE = 'block-device' +class CharDeviceFormatter (DeviceFormatter): + TYPE = 'character-device' + +class FileFormatter (GenericFormatter): + TYPE = 'regular-file' + +class Reporter (object): + + TYMAP = { + ST.S_IFSOCK: SocketFormatter, + ST.S_IFDIR: DirectoryFormatter, + ST.S_IFLNK: LinkFormatter, + ST.S_IFREG: FileFormatter, + ST.S_IFBLK: BlockDeviceFormatter, + ST.S_IFCHR: CharDeviceFormatter, + ST.S_IFIFO: PipeFormatter, + } + + def __init__(me, db): + me._inomap = {} + me._vinomap = {} + me._db = db + 
me._hsz = int(H.new(db.hash).digest_size) + + def file(me, fi): + h = me._db.hashfile(fi) + if fi.err: + fmt = ErrorFormatter(fi) + vino = 'error' + else: + fmt = me.TYMAP[ST.S_IFMT(fi.st.st_mode)](fi) + inoidx = fi.st.st_dev, fi.st.st_ino + try: + vino = me._inomap[inoidx] + except KeyError: + suffix = '' + seq = 0 + while True: + vino = '%08x' % (Z.crc32(fi.name + suffix) & 0xffffffff) + if vino not in me._vinomap: break + suffix = '\0%d' % seq + seq += 1 + me._inomap[inoidx] = vino + if h: info = h + else: info = '[%-*s]' % (2*me._hsz - 2, fmt.info()) + print '%s %8s %6s %-12s %-20s %20s %s' % ( + info, vino, fmt.mode(), fmt.owner(), + fmt.mtime(), fmt.size(), fmt.name()) + +###-------------------------------------------------------------------------- +### Main program. + +FMTMAP = { + 'rsync': lambda f: enum_rsync(stdin, f), + 'find0': lambda f: enum_find0(stdin, f) +} +op = OP.OptionParser( + usage = '%prog [-a] [-c CACHE] [-f FORMAT] [-H HASH] [FILE ...]', + version = '%%prog, version %s' % VERSION, + description = '''\ +Print a digest of a filesystem (or a collection of specified files) to +standard output. The idea is that the digest should be mostly /complete/ +(i.e., any `interesting\' change to the filesystem results in a different +digest) and /canonical/ (i.e., identical filesystem contents result in +identical output). 
+''') + +for short, long, props in [ + ('-a', '--all', { 'action': 'store_true', 'dest': 'all', + 'help': 'clear cache of all files not seen' }), + ('-c', '--cache', { 'dest': 'cache', 'metavar': 'FILE', + 'help': 'use FILE as a cache for file hashes' }), + ('-f', '--files', { 'dest': 'files', 'metavar': 'FORMAT', + 'type': 'choice', 'choices': FMTMAP.keys(), + 'help': 'read files to report in the given FORMAT' }), + ('-H', '--hash', { 'dest': 'hash', 'metavar': 'HASH', + ##'type': 'choice', 'choices': H.algorithms, + 'help': 'use HASH as the hash function' })]: + op.add_option(short, long, **props) +opts, args = op.parse_args(argv) + +if not opts.files and len(args) <= 1: + die("no filename sources: nothing to do") +db = HashCache(opts.cache, opts.hash) +if opts.all: + db.reset() +rep = Reporter(db) +if opts.files: + FMTMAP[opts.files](rep.file) +for dir in args[1:]: + enum_walk(dir, rep.file) +if opts.all: + db.prune() +db.flush() + +###----- That's all, folks -------------------------------------------------- diff --git a/roles/common/files/netdb/hosts b/roles/common/files/netdb/hosts new file mode 100644 index 0000000..151f173 --- /dev/null +++ b/roles/common/files/netdb/hosts 
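Review bot: In HashCache.hashfile a cache hit is accepted on `mt == fi.st.st_mtime and sz == fi.st.st_size` alone, although the row also stores ctime; for a digest whose purpose is to detect filesystem changes, that means a same-size content change whose mtime was put back with utime(2) is reported with the stale hash, whereas ctime is not settable that way. Select and compare it too: `'SELECT mtime, ctime, size, hash, seen FROM hash WHERE ino = ?;'`, `mt, ct, sz, h, s = r` and `if mt == fi.st.st_mtime and ct == fi.st.st_ctime and sz == fi.st.st_size:`. The comment above the hashing loop says the size is set from what was actually read, but `##fi.st.st_size = sz` is commented out and the fstat size is what gets stored, so either the comment should be corrected or the byte count should be compared against st_size before the record is written. Separately, LinkFormatter.name's except branch formats three values through a single `%s` (`'%s -> ' % (n, err.errno, err.strerror)`), which raises TypeError instead of reporting the unreadable link; `'%s -> [E%d %s]' % (n, err.errno, err.strerror)` is presumably what was intended. The `DROP %s IF EXISTS %s` loop in HashCache.__init__ also interpolates unquoted names read from sqlite_master of a caller-supplied cache file; wrapping each name in double quotes (with embedded quotes doubled) keeps an unusual name from breaking or altering the statement.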
@@ -0,0 +1,131 @@ +## -*-conf-*- +### Statically defined hosts. +### +### This file is maintained on ibanez: edit it there and run `update-slaves'. + +###-------------------------------------------------------------------------- +### Standard infrastructural names. + +## IPv4 names. +127.0.0.1 localhost +224.0.0.1 all-hosts.mcast.net all-hosts +224.0.0.2 all-routers.mcast.net all-routers + +## IPv6 names. +::1 ip6-localhost ip6-loopback +fe00::0 ip6-localnet +ff00::0 ip6-mcastprefix +ff02::1 ip6-allnodes +ff02::2 ip6-allrouters + +###-------------------------------------------------------------------------- +### Hosts on the local network. + +## Globally routable addresses. +62.49.204.145 guvnor.dmz.distorted.org.uk guvnor.dmz +2001:470:1f09:1b98::1 guvnor.dmz.distorted.org.uk guvnor.dmz +62.49.204.146 radius.dmz.distorted.org.uk radius.dmz rd +2001:470:1f09:1b98::2 radius.dmz.distorted.org.uk radius.dmz rd +62.49.204.147 roadstar.dmz.distorted.org.uk roadstar.dmz rgd +2001:470:1f09:1b98::3 roadstar.dmz.distorted.org.uk roadstar.dmz rgd +62.49.204.148 jem.dmz.distorted.org.uk jem.dmz jd +2001:470:1f09:1b98::4 jem.dmz.distorted.org.uk jem.dmz jd +62.49.204.149 artist.dmz.distorted.org.uk artist.dmz ad +2001:470:1f09:1b98::5 artist.dmz.distorted.org.uk artist.dmz ad +62.49.204.150 vampire.dmz.distorted.org.uk vampire.dmz vd +2001:470:1f09:1b98::6 vampire.dmz.distorted.org.uk vampire.dmz vd +62.49.204.153 ibanez.dmz.distorted.org.uk ibanez.dmz id +2001:470:1f09:1b98::9 ibanez.dmz.distorted.org.uk ibanez.dmz id +62.49.204.156 anon.dmz.distorted.org.uk anon.dmz +2001:470:1f09:1b98::c anon.dmz.distorted.org.uk anon.dmz +62.49.204.158 nat.distorted.org.uk nat.dmz nat + +## Unsafe but trusted network. 
+172.29.199.1 radius.distorted.org.uk radius.unsafe radius r ru +2001:470:9740:1::1 radius.distorted.org.uk radius.unsafe radius r ru +172.29.199.2 roadstar.distorted.org.uk roadstar.unsafe roadstar rg rgu +2001:470:9740:1::2 roadstar.distorted.org.uk roadstar.unsafe roadstar rg rgu +172.29.199.3 jem.distorted.org.uk jem.unsafe jem j ju +2001:470:9740:1::3 jem.distorted.org.uk jem.unsafe jem j ju +172.29.199.4 artist.distorted.org.uk artist.unsafe artist a au +2001:470:9740:1::4 artist.distorted.org.uk artist.unsafe artist a au +172.29.199.5 vampire.distorted.org.uk vampire.unsafe vampire v vu +2001:470:9740:1::5 vampire.distorted.org.uk vampire.unsafe vampire v vu +172.29.199.14 ibanez.distorted.org.uk ibanez.unsafe ibanez i iu +2001:470:9740:1::e ibanez.distorted.org.uk ibanez.unsafe ibanez i iu +172.29.199.17 groove.distorted.org.uk groove.vpn groove gr +2001:470:9740:1::11 groove.distorted.org.uk groove.vpn groove gr + +## Safe, trusted network. +172.29.199.193 radius.safe.distorted.org.uk radius.safe rs +2001:470:9740:4001::1 radius.safe.distorted.org.uk radius.safe rs +172.29.199.194 vampire.safe.distorted.org.uk vampire.safe vs +2001:470:9740:4001::2 vampire.safe.distorted.org.uk vampire.safe vs +172.29.199.195 evolution.distorted.org.uk evolution.safe evolution evo +2001:470:9740:4001::3 evolution.distorted.org.uk evolution.safe evolution evo +172.29.199.196 grigsby.distorted.org.uk grigsby tp0.distorted.org.uk tp0 +2001:470:9740:4001::4 grigsby.distorted.org.uk grigsby tp0.distorted.org.uk tp0 +172.29.199.197 carling.distorted.org.uk carling tp1.distorted.org.uk tp1 +2001:470:9740:4001::5 carling.distorted.org.uk carling tp1.distorted.org.uk tp1 +172.29.199.198 tritan.distorted.org.uk tritan tp2.distorted.org.uk tp2 +2001:470:9740:4001::6 tritan.distorted.org.uk tritan tp2.distorted.org.uk tp2 + +## Untrusted network. 
+172.29.198.1 radius.untrusted.distorted.org.uk radius.untrusted rx +2001:470:9740:8001::1 radius.untrusted.distorted.org.uk radius.untrusted rx +172.29.198.2 artist.untrusted.distorted.org.uk artist.untrusted ax +2001:470:9740:8001::2 artist.untrusted.distorted.org.uk artist.untrusted ax +172.29.198.3 vampire.untrusted.distorted.org.uk vampire.untrusted vx +2001:470:9740:8001::3 vampire.untrusted.distorted.org.uk vampire.untrusted vx + +## Colocated border network. +212.13.198.69 fender.jump.distorted.org.uk fender.jump fj +2001:ba8:0:1d9::5 fender.jump.distorted.org.uk fender.jump fj +212.13.198.70 precision.jump.distorted.org.uk precision.jump pj +2001:ba8:0:1d9::6 precision.jump.distorted.org.uk precision.jump pj +212.13.198.71 telecaster.jump.distorted.org.uk telecaster.jump tele.jump tj +2001:ba8:0:1d9::7 telecaster.jump.distorted.org.uk telecaster.jump tele.jump tj +212.13.198.72 stratocaster.jump.distorted.org.uk stratocaster.jump strat.jump sj +2001:ba8:0:1d9::8 stratocaster.jump.distorted.org.uk stratocaster.jump strat.jump sj +212.13.198.73 jazz.jump.distorted.org.uk jazz.jump zj +2001:ba8:0:1d9::9 jazz.jump.distorted.org.uk jazz.jump zj +212.13.198.75 jaguar.distorted.org.uk jaguar.jump.distorted.org.uk jaguar jaguar.jump jag +2001:ba8:0:1d9::2:1 jaguar.distorted.org.uk jaguar.jump.distorted.org.uk jaguar jaguar.jump jag + +## Colocated internal network. 
+172.29.199.177 fender.distorted.org.uk fender.colo fender f fc +2001:ba8:1d9:2::1 fender.distorted.org.uk fender.colo fender f fc +172.29.199.178 precision.distorted.org.uk precision.colo precision p pc +2001:ba8:1d9:2::2 precision.distorted.org.uk precision.colo precision p pc +172.29.199.179 telecaster.distorted.org.uk telecaster.colo telecaster tele t tc +2001:ba8:1d9:2::3 telecaster.distorted.org.uk telecaster.colo telecaster tele t tc +172.29.199.180 stratocaster.distorted.org.uk stratocaster.colo stratocaster strat s sc +2001:ba8:1d9:2::4 stratocaster.distorted.org.uk stratocaster.colo stratocaster strat s sc +172.29.199.181 jazz.distorted.org.uk jazz.colo jazz jz z zc anon anon.colo +2001:ba8:1d9:2::5 jazz.distorted.org.uk jazz.colo jazz jz z zc anon anon.colo + +## Virtual private network. +172.29.199.129 crybaby.distorted.org.uk crybaby.vpn crybaby cb +2001:ba8:1d9:6000::1:1 crybaby.distorted.org.uk crybaby.vpn crybaby cb +172.29.199.130 terror.distorted.org.uk terror.vpn terror +172.29.199.131 orange.distorted.org.uk orange.vpn orange o +2001:ba8:1d9:6000::3:1 orange.distorted.org.uk orange.vpn orange o +172.29.199.132 haze.distorted.org.uk haze.vpn haze h +2001:ba8:1d9:6000::4:1 haze.distorted.org.uk haze.vpn haze h +172.29.199.133 radius.vpn.distorted.org.uk radius.vpn rv +2001:ba8:1d9:6000::5:1 radius.vpn.distorted.org.uk radius.vpn rv +172.29.199.134 precision.vpn.distorted.org.uk precision.vpn pv +2001:ba8:1d9:6000::6:1 precision.vpn.distorted.org.uk precision.vpn pv +172.29.199.135 jazz.vpn.distorted.org.uk jazz.vpn zv +2001:ba8:1d9:6000::7:1 jazz.vpn.distorted.org.uk jazz.vpn zv +172.29.199.136 vampire.vpn.distorted.org.uk vampire.vpn vv +2001:ba8:1d9:6000::8:1 vampire.vpn.distorted.org.uk vampire.vpn vv + +###-------------------------------------------------------------------------- +### Satellite networks. 
+
+## binswood.org.uk
+10.165.27.1 binswrt.binswood.org.uk binswrt.binswood binswrt bw
+10.165.27.3 mango.binswood.org.uk mango.binswood mango
+
+###----- That's all, folks --------------------------------------------------
diff --git a/roles/common/files/netdb/networks b/roles/common/files/netdb/networks
new file mode 100644
index 0000000..cdf6ffd
--- /dev/null
+++ b/roles/common/files/netdb/networks
@@ -0,0 +1,4 @@
+default 0.0.0.0
+loopback 127.0.0.0
+link-local 169.254.0.0
+
diff --git a/roles/common/files/netdb/services b/roles/common/files/netdb/services
new file mode 100644
index 0000000..7930d21
--- /dev/null
+++ b/roles/common/files/netdb/services
@@ -0,0 +1,627 @@ +# Network services, Internet style +# +# Note that it is presently the policy of IANA to assign a single well-known +# port number for both TCP and UDP; hence, officially ports have two entries +# even if the protocol doesn't support UDP operations. +# +# Updated from http://www.iana.org/assignments/port-numbers and other +# sources like http://www.freebsd.org/cgi/cvsweb.cgi/src/etc/services . +# New ports will be added on request if they have been officially assigned +# by IANA and used in the real-world or are needed by a debian package. +# If you need a huge list of used numbers please install the nmap package. + +### This file is maintained on ibanez: edit it there and run `update-slaves'. + +tcpmux 1/tcp # TCP port service multiplexer +echo 7/tcp +echo 7/udp +discard 9/tcp sink null +discard 9/udp sink null +systat 11/tcp users +daytime 13/tcp +daytime 13/udp +netstat 15/tcp +qotd 17/tcp quote +msp 18/tcp # message send protocol +msp 18/udp +chargen 19/tcp ttytst source +chargen 19/udp ttytst source +ftp-data 20/tcp +ftp 21/tcp +fsp 21/udp fspd +ssh 22/tcp # SSH Remote Login Protocol +ssh 22/udp +telnet 23/tcp +smtp 25/tcp mail +time 37/tcp timserver +time 37/udp timserver +rlp 39/udp resource # resource location +nameserver 42/tcp name # IEN 116 +whois 43/tcp nicname +tacacs 49/tcp # Login Host Protocol (TACACS) +tacacs 49/udp +re-mail-ck 50/tcp # Remote Mail Checking Protocol +re-mail-ck 50/udp +domain 53/tcp # name-domain server +domain 53/udp +mtp 57/tcp # deprecated +tacacs-ds 65/tcp # TACACS-Database Service +tacacs-ds 65/udp +bootps 67/tcp # BOOTP server +bootps 67/udp +bootpc 68/tcp # BOOTP client +bootpc 68/udp +tftp 69/udp +gopher 70/tcp # Internet Gopher +gopher 70/udp +rje 77/tcp netrjs +finger 79/tcp +www 80/tcp http # WorldWideWeb HTTP +www 80/udp # HyperText Transfer Protocol +link 87/tcp ttylink +kerberos 88/tcp kerberos5 krb5 kerberos-sec kdc # Kerberos v5 +kerberos 88/udp kerberos5 krb5 kerberos-sec kdc # Kerberos v5 
+supdup 95/tcp +hostnames 101/tcp hostname # usually from sri-nic +iso-tsap 102/tcp tsap # part of ISODE +acr-nema 104/tcp dicom # Digital Imag. & Comm. 300 +acr-nema 104/udp dicom # Digital Imag. & Comm. 300 +csnet-ns 105/tcp cso-ns # also used by CSO name server +csnet-ns 105/udp cso-ns +rtelnet 107/tcp # Remote Telnet +rtelnet 107/udp +pop2 109/tcp postoffice pop-2 # POP version 2 +pop2 109/udp pop-2 +pop3 110/tcp pop-3 # POP version 3 +pop3 110/udp pop-3 +sunrpc 111/tcp portmapper # RPC 4.0 portmapper +sunrpc 111/udp portmapper +auth 113/tcp authentication tap ident +sftp 115/tcp +uucp-path 117/tcp +nntp 119/tcp readnews untp # USENET News Transfer Protocol +ntp 123/tcp +ntp 123/udp # Network Time Protocol +pwdgen 129/tcp # PWDGEN service +pwdgen 129/udp # PWDGEN service +loc-srv 135/tcp epmap # Location Service +loc-srv 135/udp epmap +netbios-ns 137/tcp # NETBIOS Name Service +netbios-ns 137/udp +netbios-dgm 138/tcp # NETBIOS Datagram Service +netbios-dgm 138/udp +netbios-ssn 139/tcp # NETBIOS session service +netbios-ssn 139/udp +imap2 143/tcp imap # Interim Mail Access P 2 and 4 +imap2 143/udp imap +snmp 161/tcp # Simple Net Mgmt Protocol +snmp 161/udp # Simple Net Mgmt Protocol +snmp-trap 162/tcp snmptrap # Traps for SNMP +snmp-trap 162/udp snmptrap # Traps for SNMP +cmip-man 163/tcp # ISO mgmt over IP (CMOT) +cmip-man 163/udp +cmip-agent 164/tcp +cmip-agent 164/udp +mailq 174/tcp # Mailer transport queue for Zmailer +mailq 174/udp # Mailer transport queue for Zmailer +xdmcp 177/tcp # X Display Mgr. 
Control Proto +xdmcp 177/udp +nextstep 178/tcp NeXTStep NextStep # NeXTStep window +nextstep 178/udp NeXTStep NextStep # server +bgp 179/tcp # Border Gateway Protocol +bgp 179/udp +prospero 191/tcp # Cliff Neuman's Prospero +prospero 191/udp +irc 194/tcp # Internet Relay Chat +irc 194/udp +smux 199/tcp # SNMP Unix Multiplexer +smux 199/udp +at-rtmp 201/tcp # AppleTalk routing +at-rtmp 201/udp +at-nbp 202/tcp # AppleTalk name binding +at-nbp 202/udp +at-echo 204/tcp # AppleTalk echo +at-echo 204/udp +at-zis 206/tcp # AppleTalk zone information +at-zis 206/udp +qmtp 209/tcp # Quick Mail Transfer Protocol +qmtp 209/udp # Quick Mail Transfer Protocol +z3950 210/tcp wais # NISO Z39.50 database +z3950 210/udp wais +ipx 213/tcp # IPX +ipx 213/udp +imap3 220/tcp # Interactive Mail Access +imap3 220/udp # Protocol v3 +pawserv 345/tcp # Perf Analysis Workbench +pawserv 345/udp +zserv 346/tcp # Zebra server +zserv 346/udp +fatserv 347/tcp # Fatmen Server +fatserv 347/udp +rpc2portmap 369/tcp +rpc2portmap 369/udp # Coda portmapper +codaauth2 370/tcp +codaauth2 370/udp # Coda authentication server +clearcase 371/tcp Clearcase +clearcase 371/udp Clearcase +ulistserv 372/tcp # UNIX Listserv +ulistserv 372/udp +ldap 389/tcp # Lightweight Directory Access Protocol +ldap 389/udp +imsp 406/tcp # Interactive Mail Support Protocol +imsp 406/udp +svrloc 427/tcp # Server Location +svrloc 427/udp # Server Location +https 443/tcp # http protocol over TLS/SSL +https 443/udp +snpp 444/tcp # Simple Network Paging Protocol +snpp 444/udp +microsoft-ds 445/tcp # Microsoft Naked CIFS +microsoft-ds 445/udp +kpasswd 464/tcp +kpasswd 464/udp +saft 487/tcp # Simple Asynchronous File Transfer +saft 487/udp +isakmp 500/tcp # IPsec - Internet Security Association +isakmp 500/udp # and Key Management Protocol +rtsp 554/tcp # Real Time Stream Control Protocol +rtsp 554/udp # Real Time Stream Control Protocol +nqs 607/tcp # Network Queuing system +nqs 607/udp +npmp-local 610/tcp dqs313_qmaster # npmp-local 
/ DQS +npmp-local 610/udp dqs313_qmaster +npmp-gui 611/tcp dqs313_execd # npmp-gui / DQS +npmp-gui 611/udp dqs313_execd +hmmp-ind 612/tcp dqs313_intercell # HMMP Indication / DQS +hmmp-ind 612/udp dqs313_intercell +qmqp 628/tcp +qmqp 628/udp +ipp 631/tcp # Internet Printing Protocol +ipp 631/udp +# +# UNIX specific services +# +exec 512/tcp +biff 512/udp comsat +login 513/tcp +who 513/udp whod +shell 514/tcp cmd # no passwords used +syslog 514/udp +printer 515/tcp spooler # line printer spooler +talk 517/udp +ntalk 518/udp +route 520/udp router routed # RIP +timed 525/udp timeserver +tempo 526/tcp newdate +courier 530/tcp rpc +conference 531/tcp chat +netnews 532/tcp readnews +netwall 533/udp # for emergency broadcasts +gdomap 538/tcp # GNUstep distributed objects +gdomap 538/udp +uucp 540/tcp uucpd # uucp daemon +klogin 543/tcp # Kerberized `rlogin' (v5) +kshell 544/tcp krcmd # Kerberized `rsh' (v5) +dhcpv6-client 546/tcp +dhcpv6-client 546/udp +dhcpv6-server 547/tcp +dhcpv6-server 547/udp +afpovertcp 548/tcp # AFP over TCP +afpovertcp 548/udp +idfp 549/tcp +idfp 549/udp +remotefs 556/tcp rfs_server rfs # Brunhoff remote filesystem +nntps 563/tcp snntp # NNTP over SSL +nntps 563/udp snntp +submission 587/tcp # Submission [RFC4409] +submission 587/udp +ldaps 636/tcp # LDAP over SSL +ldaps 636/udp +tinc 655/tcp # tinc control port +tinc 655/udp +silc 706/tcp +silc 706/udp +kerberos-adm 749/tcp # Kerberos `kadmin' (v5) +# +webster 765/tcp # Network dictionary +webster 765/udp +rsync 873/tcp +rsync 873/udp +ftps-data 989/tcp # FTP over SSL (data) +ftps 990/tcp +telnets 992/tcp # Telnet over SSL +telnets 992/udp +imaps 993/tcp # IMAP over SSL +imaps 993/udp +ircs 994/tcp # IRC over SSL +ircs 994/udp +pop3s 995/tcp # POP-3 over SSL +pop3s 995/udp +# +# From ``Assigned Numbers'': +# +#> The Registered Ports are not controlled by the IANA and on most systems +#> can be used by ordinary user processes or programs executed by ordinary +#> users. 
+#
+#> Ports are used in the TCP [45,106] to name the ends of logical
+#> connections which carry long term conversations. For the purpose of
+#> providing services to unknown callers, a service contact port is
+#> defined. This list specifies the port used by the server process as its
+#> contact port. While the IANA can not control uses of these ports it
+#> does register or list uses of these ports as a convienence to the
+#> community.
+#
+socks 1080/tcp # socks proxy server
+socks 1080/udp
+proofd 1093/tcp
+proofd 1093/udp
+rootd 1094/tcp
+rootd 1094/udp
+openvpn 1194/tcp
+openvpn 1194/udp
+rmiregistry 1099/tcp # Java RMI Registry
+rmiregistry 1099/udp
+kazaa 1214/tcp
+kazaa 1214/udp
+nessus 1241/tcp # Nessus vulnerability
+nessus 1241/udp # assessment scanner
+lotusnote 1352/tcp lotusnotes # Lotus Note
+lotusnote 1352/udp lotusnotes
+ms-sql-s 1433/tcp # Microsoft SQL Server
+ms-sql-s 1433/udp
+ms-sql-m 1434/tcp # Microsoft SQL Monitor
+ms-sql-m 1434/udp
+ingreslock 1524/tcp
+ingreslock 1524/udp
+prospero-np 1525/tcp # Prospero non-privileged
+prospero-np 1525/udp
+datametrics 1645/tcp old-radius
+datametrics 1645/udp old-radius
+sa-msg-port 1646/tcp old-radacct
+sa-msg-port 1646/udp old-radacct
+kermit 1649/tcp
+kermit 1649/udp
+l2f 1701/tcp l2tp
+l2f 1701/udp l2tp
+radius 1812/tcp
+radius 1812/udp
+radius-acct 1813/tcp radacct # Radius Accounting
+radius-acct 1813/udp radacct
+msnp 1863/tcp # MSN Messenger
+msnp 1863/udp
+unix-status 1957/tcp # remstats unix-status server
+log-server 1958/tcp # remstats log server
+remoteping 1959/tcp # remstats remoteping server
+cisco-sccp 2000/tcp # Cisco SCCP
+cisco-sccp 2000/udp
+search 2010/tcp ndtp
+pipe_server 2010/tcp
+nfs 2049/tcp # Network File System
+nfs 2049/udp # Network File System
+gnunet 2086/tcp
+gnunet 2086/udp
+rtcm-sc104 2101/tcp # RTCM SC-104 IANA 1/29/99
+rtcm-sc104 2101/udp
+gsigatekeeper 2119/tcp
+gsigatekeeper 2119/udp
+gris 2135/tcp # Grid Resource Information Server
+gris 2135/udp # Grid Resource Information Server
+cvspserver 2401/tcp # CVS client/server operations
+cvspserver 2401/udp
+venus 2430/tcp # codacon port
+venus 2430/udp # Venus callback/wbc interface
+venus-se 2431/tcp # tcp side effects
+venus-se 2431/udp # udp sftp side effect
+codasrv 2432/tcp # not used
+codasrv 2432/udp # server port
+codasrv-se 2433/tcp # tcp side effects
+codasrv-se 2433/udp # udp sftp side effect
+mon 2583/tcp # MON traps
+mon 2583/udp
+dict 2628/tcp # Dictionary server
+dict 2628/udp
+gsiftp 2811/tcp
+gsiftp 2811/udp
+gpsd 2947/tcp
+gpsd 2947/udp
+gds_db 3050/tcp # InterBase server
+gds_db 3050/udp
+icpv2 3130/tcp icp # Internet Cache Protocol
+icpv2 3130/udp icp
+mysql 3306/tcp
+mysql 3306/udp
+nut 3493/tcp # Network UPS Tools
+nut 3493/udp
+distcc 3632/tcp # distributed compiler
+distcc 3632/udp
+daap 3689/tcp # Digital Audio Access Protocol
+daap 3689/udp
+svn 3690/tcp subversion # Subversion protocol
+svn 3690/udp subversion
+suucp 4031/tcp # UUCP over SSL
+suucp 4031/udp # UUCP over SSL
+sysrqd 4094/tcp # sysrq daemon
+sysrqd 4094/udp # sysrq daemon
+sieve 4190/tcp # ManageSieve Protocol
+epmd 4369/tcp # Erlang Port Mapper Daemon
+epmd 4369/udp # Erlang Port Mapper Daemon
+remctl 4373/tcp # Remote Authenticated Command Service
+remctl 4373/udp # Remote Authenticated Command Service
+iax 4569/tcp # Inter-Asterisk eXchange
+iax 4569/udp
+mtn 4691/tcp # monotone Netsync Protocol
+mtn 4691/udp # monotone Netsync Protocol
+radmin-port 4899/tcp # RAdmin Port
+radmin-port 4899/udp
+rfe 5002/udp # Radio Free Ethernet
+rfe 5002/tcp
+mmcc 5050/tcp # multimedia conference control tool (Yahoo IM)
+mmcc 5050/udp
+sip 5060/tcp # Session Initiation Protocol
+sip 5060/udp
+sip-tls 5061/tcp
+sip-tls 5061/udp
+aol 5190/tcp # AIM
+aol 5190/udp
+xmpp-client 5222/tcp jabber-client # Jabber Client Connection
+xmpp-client 5222/udp jabber-client
+xmpp-server 5269/tcp jabber-server # Jabber Server Connection
+xmpp-server 5269/udp jabber-server
+cfengine 5308/tcp
+cfengine 5308/udp
+mdns 5353/tcp # Multicast DNS
+mdns 5353/udp # Multicast DNS
+postgresql 5432/tcp postgres # PostgreSQL Database
+postgresql 5432/udp postgres
+freeciv 5556/tcp rptp # Freeciv gameplay
+freeciv 5556/udp
+amqp 5672/tcp
+amqp 5672/udp
+amqp 5672/sctp
+ggz 5688/tcp # GGZ Gaming Zone
+ggz 5688/udp # GGZ Gaming Zone
+x11 6000/tcp x11-0 # X Window System
+x11 6000/udp x11-0
+x11-1 6001/tcp
+x11-1 6001/udp
+x11-2 6002/tcp
+x11-2 6002/udp
+x11-3 6003/tcp
+x11-3 6003/udp
+x11-4 6004/tcp
+x11-4 6004/udp
+x11-5 6005/tcp
+x11-5 6005/udp
+x11-6 6006/tcp
+x11-6 6006/udp
+x11-7 6007/tcp
+x11-7 6007/udp
+gnutella-svc 6346/tcp # gnutella
+gnutella-svc 6346/udp
+gnutella-rtr 6347/tcp # gnutella
+gnutella-rtr 6347/udp
+sge_qmaster 6444/tcp # Grid Engine Qmaster Service
+sge_qmaster 6444/udp # Grid Engine Qmaster Service
+sge_execd 6445/tcp # Grid Engine Execution Service
+sge_execd 6445/udp # Grid Engine Execution Service
+mysql-proxy 6446/tcp # MySQL Proxy
+mysql-proxy 6446/udp # MySQL Proxy
+afs3-fileserver 7000/tcp bbs # file server itself
+afs3-fileserver 7000/udp bbs
+afs3-callback 7001/tcp # callbacks to cache managers
+afs3-callback 7001/udp
+afs3-prserver 7002/tcp # users & groups database
+afs3-prserver 7002/udp
+afs3-vlserver 7003/tcp # volume location database
+afs3-vlserver 7003/udp
+afs3-kaserver 7004/tcp # AFS/Kerberos authentication
+afs3-kaserver 7004/udp
+afs3-volser 7005/tcp # volume managment server
+afs3-volser 7005/udp
+afs3-errors 7006/tcp # error interpretation service
+afs3-errors 7006/udp
+afs3-bos 7007/tcp # basic overseer process
+afs3-bos 7007/udp
+afs3-update 7008/tcp # server-to-server updater
+afs3-update 7008/udp
+afs3-rmtsys 7009/tcp # remote cache manager service
+afs3-rmtsys 7009/udp
+font-service 7100/tcp xfs # X Font Service
+font-service 7100/udp xfs
+http-alt 8080/tcp webcache # WWW caching service
+http-alt 8080/udp # WWW caching service
+bacula-dir 9101/tcp # Bacula Director
+bacula-dir 9101/udp
+bacula-fd 9102/tcp # Bacula File Daemon
+bacula-fd 9102/udp
+bacula-sd 9103/tcp # Bacula Storage Daemon
+bacula-sd 9103/udp
+xmms2 9667/tcp # Cross-platform Music Multiplexing System
+xmms2 9667/udp # Cross-platform Music Multiplexing System
+nbd 10809/tcp # Linux Network Block Device
+zabbix-agent 10050/tcp # Zabbix Agent
+zabbix-agent 10050/udp # Zabbix Agent
+zabbix-trapper 10051/tcp # Zabbix Trapper
+zabbix-trapper 10051/udp # Zabbix Trapper
+amanda 10080/tcp # amanda backup services
+amanda 10080/udp
+hkp 11371/tcp # OpenPGP HTTP Keyserver
+hkp 11371/udp # OpenPGP HTTP Keyserver
+bprd 13720/tcp # VERITAS NetBackup
+bprd 13720/udp
+bpdbm 13721/tcp # VERITAS NetBackup
+bpdbm 13721/udp
+bpjava-msvc 13722/tcp # BP Java MSVC Protocol
+bpjava-msvc 13722/udp
+vnetd 13724/tcp # Veritas Network Utility
+vnetd 13724/udp
+bpcd 13782/tcp # VERITAS NetBackup
+bpcd 13782/udp
+vopied 13783/tcp # VERITAS NetBackup
+vopied 13783/udp
+dcap 22125/tcp # dCache Access Protocol
+gsidcap 22128/tcp # GSI dCache Access Protocol
+wnn6 22273/tcp # wnn6
+wnn6 22273/udp
+
+#
+# Datagram Delivery Protocol services
+#
+rtmp 1/ddp # Routing Table Maintenance Protocol
+nbp 2/ddp # Name Binding Protocol
+echo 4/ddp # AppleTalk Echo Protocol
+zip 6/ddp # Zone Information Protocol
+
+#=========================================================================
+# The remaining port numbers are not as allocated by IANA.
+#=========================================================================
+
+# Kerberos (Project Athena/MIT) services
+# Note that these are for Kerberos v4, and are unofficial. Sites running
+# v4 should uncomment these and comment out the v5 entries above.
+#
+kerberos4 750/udp kerberos-iv kdc # Kerberos (server)
+kerberos4 750/tcp kerberos-iv kdc
+kerberos_master 751/udp # Kerberos authentication
+kerberos_master 751/tcp
+passwd_server 752/udp # Kerberos passwd server
+krb_prop 754/tcp krb5_prop hprop # Kerberos slave propagation
+krbupdate 760/tcp kreg # Kerberos registration
+swat 901/tcp # swat
+kpop 1109/tcp # Pop with Kerberos
+knetd 2053/tcp # Kerberos de-multiplexor
+zephyr-srv 2102/udp # Zephyr server
+zephyr-clt 2103/udp # Zephyr serv-hm connection
+zephyr-hm 2104/udp # Zephyr hostmanager
+eklogin 2105/tcp # Kerberos encrypted rlogin
+# Hmmm. Are we using Kv4 or Kv5 now? Worrying.
+# The following is probably Kerberos v5 --- ajt@debian.org (11/02/2000)
+kx 2111/tcp # X over Kerberos
+iprop 2121/tcp # incremental propagation
+#
+# Unofficial but necessary (for NetBSD) services
+#
+supfilesrv 871/tcp # SUP server
+supfiledbg 1127/tcp # SUP debugging
+
+#
+# Services added for the Debian GNU/Linux distribution
+#
+linuxconf 98/tcp # LinuxConf
+poppassd 106/tcp # Eudora
+poppassd 106/udp
+ssmtp 465/tcp smtps # SMTP over SSL
+moira_db 775/tcp # Moira database
+moira_update 777/tcp # Moira update protocol
+moira_ureg 779/udp # Moira user registration
+spamd 783/tcp # spamassassin daemon
+omirr 808/tcp omirrd # online mirror
+omirr 808/udp omirrd
+customs 1001/tcp # pmake customs server
+customs 1001/udp
+skkserv 1178/tcp # skk jisho server port
+predict 1210/udp # predict -- satellite tracking
+rmtcfg 1236/tcp # Gracilis Packeten remote config server
+wipld 1300/tcp # Wipl network monitor
+xtel 1313/tcp # french minitel
+xtelw 1314/tcp # french minitel
+support 1529/tcp # GNATS
+cfinger 2003/tcp # GNU Finger
+frox 2121/tcp # frox: caching ftp proxy
+ninstall 2150/tcp # ninstall service
+ninstall 2150/udp
+zebrasrv 2600/tcp # zebra service
+zebra 2601/tcp # zebra vty
+ripd 2602/tcp # ripd vty (zebra)
+ripngd 2603/tcp # ripngd vty (zebra)
+ospfd 2604/tcp # ospfd vty (zebra)
+bgpd 2605/tcp # bgpd vty (zebra)
+ospf6d 2606/tcp # ospf6d vty (zebra)
+ospfapi 2607/tcp # OSPF-API
+isisd 2608/tcp # ISISd vty (zebra)
+afbackup 2988/tcp # Afbackup system
+afbackup 2988/udp
+afmbackup 2989/tcp # Afmbackup system
+afmbackup 2989/udp
+xtell 4224/tcp # xtell server
+fax 4557/tcp # FAX transmission service (old)
+hylafax 4559/tcp # HylaFAX client-server protocol (new)
+distmp3 4600/tcp # distmp3host daemon
+munin 4949/tcp lrrd # Munin
+enbd-cstatd 5051/tcp # ENBD client statd
+enbd-sstatd 5052/tcp # ENBD server statd
+pcrd 5151/tcp # PCR-1000 Daemon
+noclog 5354/tcp # noclogd with TCP (nocol)
+noclog 5354/udp # noclogd with UDP (nocol)
+hostmon 5355/tcp # hostmon uses TCP (nocol)
+hostmon 5355/udp # hostmon uses UDP (nocol)
+rplay 5555/udp # RPlay audio service
+nrpe 5666/tcp # Nagios Remote Plugin Executor
+nsca 5667/tcp # Nagios Agent - NSCA
+mrtd 5674/tcp # MRT Routing Daemon
+bgpsim 5675/tcp # MRT Routing Simulator
+canna 5680/tcp # cannaserver
+sane-port 6566/tcp sane saned # SANE network scanner daemon
+ircd 6667/tcp # Internet Relay Chat
+zope-ftp 8021/tcp # zope management by ftp
+tproxy 8081/tcp # Transparent Proxy
+omniorb 8088/tcp # OmniORB
+omniorb 8088/udp
+clc-build-daemon 8990/tcp # Common lisp build daemon
+xinetd 9098/tcp
+mandelspawn 9359/udp mandelbrot # network mandelbrot
+git 9418/tcp # Git Version Control System
+zope 9673/tcp # zope server
+webmin 10000/tcp
+kamanda 10081/tcp # amanda backup services (Kerberos)
+kamanda 10081/udp
+amandaidx 10082/tcp # amanda backup services
+amidxtape 10083/tcp # amanda backup services
+smsqp 11201/tcp # Alamin SMS gateway
+smsqp 11201/udp
+xpilot 15345/tcp # XPilot Contact Port
+xpilot 15345/udp
+sgi-cmsd 17001/udp # Cluster membership services daemon
+sgi-crsd 17002/udp
+sgi-gcd 17003/udp # SGI Group membership daemon
+sgi-cad 17004/tcp # Cluster Admin daemon
+isdnlog 20011/tcp # isdn logging system
+isdnlog 20011/udp
+vboxd 20012/tcp # voice box system
+vboxd 20012/udp
+binkp 24554/tcp # binkp fidonet protocol
+asp 27374/tcp # Address Search Protocol
+asp 27374/udp
+csync2 30865/tcp # cluster synchronization tool
+dircproxy 57000/tcp # Detachable IRC Proxy
+tfido 60177/tcp # fidonet EMSI over telnet
+fido 60179/tcp # fidonet EMSI over TCP
+
+###--------------------------------------------------------------------------
+### Local services.
+
+## VPN. This one is allocated by IANA.
+tripe 4090/udp # Trivial IP Encryption (VPN)
+
+## Kerberos.
+kerberos-adm 749/tcp # Kerberos 5 admin/changepw
+kerberos-adm 749/udp # Kerberos 5 admin/changepw
+
+## Web proxy.
+wwwcache 3128/tcp # Squid proxy port
+
+## Remote management.
+ipmi 623/udp # IPMI network protocol
+
+## NFS-related services, as recommended in http://wiki.debian.org/SecuringNFS
+rpc.statd-bc 32765/tcp # RPC statd broadcast
+rpc.statd-bc 32765/udp # RPC statd broadcast
+rpc.statd 32766/tcp # RPC statd listen
+rpc.statd 32766/udp # RPC statd listen
+rpc.mountd 32767/tcp # RPC mountd
+rpc.mountd 32767/udp # RPC mountd
+rcp.lockd 32768/tcp # RPC lockd/nlockmgr
+rcp.lockd 32768/udp # RPC lockd/nlockmgr
+rpc.quotad 32769/tcp # RPC quotad
+rpc.quotad 32769/udp # RPC quotad
diff --git a/roles/common/files/pki/ca.cert b/roles/common/files/pki/ca.cert
new file mode 100644
index 0000000..4aff3dd
--- /dev/null
+++ b/roles/common/files/pki/ca.cert
@@ -0,0 +1,110 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 16570956933538312940 (0xe5f7dd88cbd8f2ec)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C=GB, ST=Cambridgeshire, L=Cambridge, O=distorted.org.uk, CN=distorted.org.uk Certificate Authority/emailAddress=ca@distorted.org.uk
+ Validity
+ Not Before: Dec 1 14:27:13 2012 GMT
+ Not After : Nov 29 14:27:13 2022 GMT
+ Subject: C=GB, ST=Cambridgeshire, L=Cambridge, O=distorted.org.uk, CN=distorted.org.uk Certificate Authority/emailAddress=ca@distorted.org.uk
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (3072 bit)
+ Modulus:
+ 00:ba:88:24:78:37:a2:42:8b:1a:03:88:28:46:d8:
+ dc:ad:3a:20:ba:2e:d0:fd:3b:b1:09:64:4a:63:35:
+ cb:ff:ab:c4:b3:31:19:80:00:ca:67:b8:90:86:3d:
+ fd:2c:72:c4:31:40:99:00:e8:cf:4e:72:54:9a:6e:
+ b1:11:ed:0b:c5:de:9d:88:f2:03:93:f1:ee:3a:d9:
+ 56:4e:cb:c7:5c:2e:c3:41:e4:d8:d3:a9:cd:54:b1:
+ 43:e4:4f:24:f4:1c:d6:3d:11:f1:12:b4:a5:89:4a:
+ d5:8e:99:6c:ef:85:ca:64:23:07:3b:f6:91:fa:86:
+ e9:db:55:5f:8d:2c:5f:8b:dd:0e:02:49:59:4a:31:
+ b9:57:6a:97:f9:50:e4:5a:f6:df:20:53:4f:53:bb:
+ 01:08:f6:2c:59:08:db:6b:ee:b9:e2:ef:db:f6:35:
+ 24:12:29:e7:10:49:52:80:8e:9f:d3:16:96:94:ae:
+ 68:bc:40:c9:a7:9a:08:9c:7e:4f:d0:c1:ae:45:b0:
+ 8a:da:a6:60:5d:29:06:8f:a3:af:ed:72:1a:ef:c6:
+ cf:bf:2b:3f:c0:2f:26:30:85:63:04:4b:61:8c:20:
+ da:0a:f9:c1:4a:10:66:bf:ab:fe:ef:41:55:d3:c9:
+ ab:29:a9:03:94:f0:13:08:a2:14:f3:e8:50:c4:01:
+ 31:41:61:06:e9:14:13:3b:52:bb:01:ef:09:40:4f:
+ 27:78:7b:6e:13:61:6c:24:ce:bf:60:c0:06:eb:87:
+ 31:ac:00:b0:f1:0a:5c:3b:72:92:3a:3c:ee:8a:69:
+ 22:25:af:87:21:5e:47:98:62:86:0e:2b:72:87:ad:
+ 7d:a9:79:5f:80:3b:52:1c:f8:9b:09:72:ce:9a:e9:
+ d2:07:3e:1e:58:d9:1c:5b:3f:e3:cc:4e:ef:9d:54:
+ 45:91:83:6a:99:92:9a:42:b1:54:ff:67:9d:fc:49:
+ 02:9f:b0:cd:7d:3a:d1:8f:5b:d3:69:dd:ba:eb:08:
+ c6:7e:4a:80:58:d6:0f:10:c5:3f
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Key Usage: critical
+ Certificate Sign
+ X509v3 Subject Key Identifier:
+ 73:9C:A1:60:E2:B2:1B:D0:F2:10:33:C1:11:97:73:9A:6E:5B:AB:CA
+ X509v3 Subject Alternative Name:
+ email:ca@distorted.org.uk
+ X509v3 CRL Distribution Points:
+
+ Full Name:
+ URI:http://www.distorted.org.uk/ca/crl
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 6b:1f:b0:49:bc:07:25:8a:75:47:03:b4:85:47:c8:b6:9b:93:
+ 6b:7c:aa:c9:15:74:eb:d2:81:57:10:e2:6c:b6:42:4a:4b:18:
+ 11:80:04:1b:1e:67:63:41:70:a1:b3:2a:6c:e6:82:77:9d:a4:
+ 83:9e:f0:e4:c7:0e:56:0f:f1:1e:61:ff:a3:27:f1:4b:aa:9a:
+ fd:27:a7:ba:13:f9:9a:b6:b8:e6:6d:78:fc:2b:21:5f:62:b7:
+ 73:3a:38:94:30:4e:80:b7:1f:84:dc:1a:68:da:fa:99:19:08:
+ c3:e0:7f:d2:08:8b:25:c1:69:e5:d5:24:5e:33:4c:5c:cc:d2:
+ a7:27:2b:01:da:3c:50:c3:58:64:73:f7:7f:88:12:b5:6e:41:
+ eb:07:8e:c5:79:e7:3d:e1:da:e6:9b:3c:c8:c4:b9:92:71:a1:
+ 5d:01:95:4e:92:9e:e5:7f:ed:71:e4:27:3e:97:10:de:5d:1a:
+ a1:37:a3:1f:f0:fe:09:fe:ce:72:e7:f5:a0:5c:54:19:6f:f7:
+ 62:a8:c8:66:09:77:6c:d8:73:d9:1d:c0:cd:65:c9:bd:27:9a:
+ 8a:10:dc:0b:1e:08:ec:39:99:50:89:2f:bc:ca:a2:13:55:c6:
+ 7f:2c:96:f1:2b:46:cf:9c:70:31:9d:7f:11:72:18:67:5d:a7:
+ c9:03:a7:1f:6b:cc:ac:a3:ae:e2:2e:01:bd:7f:a3:8d:ca:aa:
+ 20:72:9c:81:84:5b:34:c5:93:1a:bd:e7:52:4f:00:9a:dd:c3:
+ af:0a:a1:e4:64:aa:d9:62:80:ce:b9:c8:57:38:03:54:d0:e1:
+ ae:0c:a9:09:da:44:88:32:58:0d:58:1f:6d:f5:c8:9b:65:fe:
+ 02:57:44:ea:e1:ae:42:5f:63:24:b6:f2:99:d8:e0:3d:35:6c:
+ 64:da:f7:7f:1c:f7:31:96:a4:38:93:ca:10:bc:e6:bf:d8:92:
+ ae:bc:e2:c1:df:57:45:6b:71:7b:d0:ea:43:8e:c7:87:61:77:
+ 16:17:10:01:ef:6b
+-----BEGIN CERTIFICATE-----
+MIIFcjCCA9qgAwIBAgIJAOX33YjL2PLsMA0GCSqGSIb3DQEBCwUAMIGqMQswCQYD
+VQQGEwJHQjEXMBUGA1UECBMOQ2FtYnJpZGdlc2hpcmUxEjAQBgNVBAcTCUNhbWJy
+aWRnZTEZMBcGA1UEChMQZGlzdG9ydGVkLm9yZy51azEvMC0GA1UEAxMmZGlzdG9y
+dGVkLm9yZy51ayBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxIjAgBgkqhkiG9w0BCQEW
+E2NhQGRpc3RvcnRlZC5vcmcudWswHhcNMTIxMjAxMTQyNzEzWhcNMjIxMTI5MTQy
+NzEzWjCBqjELMAkGA1UEBhMCR0IxFzAVBgNVBAgTDkNhbWJyaWRnZXNoaXJlMRIw
+EAYDVQQHEwlDYW1icmlkZ2UxGTAXBgNVBAoTEGRpc3RvcnRlZC5vcmcudWsxLzAt
+BgNVBAMTJmRpc3RvcnRlZC5vcmcudWsgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MSIw
+IAYJKoZIhvcNAQkBFhNjYUBkaXN0b3J0ZWQub3JnLnVrMIIBojANBgkqhkiG9w0B
+AQEFAAOCAY8AMIIBigKCAYEAuogkeDeiQosaA4goRtjcrTogui7Q/TuxCWRKYzXL
+/6vEszEZgADKZ7iQhj39LHLEMUCZAOjPTnJUmm6xEe0Lxd6diPIDk/HuOtlWTsvH
+XC7DQeTY06nNVLFD5E8k9BzWPRHxErSliUrVjpls74XKZCMHO/aR+obp21VfjSxf
+i90OAklZSjG5V2qX+VDkWvbfIFNPU7sBCPYsWQjba+654u/b9jUkEinnEElSgI6f
+0xaWlK5ovEDJp5oInH5P0MGuRbCK2qZgXSkGj6Ov7XIa78bPvys/wC8mMIVjBEth
+jCDaCvnBShBmv6v+70FV08mrKakDlPATCKIU8+hQxAExQWEG6RQTO1K7Ae8JQE8n
+eHtuE2FsJM6/YMAG64cxrACw8QpcO3KSOjzuimkiJa+HIV5HmGKGDityh619qXlf
+gDtSHPibCXLOmunSBz4eWNkcWz/jzE7vnVRFkYNqmZKaQrFU/2ed/EkCn7DNfTrR
+j1vTad266wjGfkqAWNYPEMU/AgMBAAGjgZgwgZUwDwYDVR0TAQH/BAUwAwEB/zAO
+BgNVHQ8BAf8EBAMCAgQwHQYDVR0OBBYEFHOcoWDishvQ8hAzwRGXc5puW6vKMB4G
+A1UdEQQXMBWBE2NhQGRpc3RvcnRlZC5vcmcudWswMwYDVR0fBCwwKjAooCagJIYi
+aHR0cDovL3d3dy5kaXN0b3J0ZWQub3JnLnVrL2NhL2NybDANBgkqhkiG9w0BAQsF
+AAOCAYEAax+wSbwHJYp1RwO0hUfItpuTa3yqyRV069KBVxDibLZCSksYEYAEGx5n
+Y0FwobMqbOaCd52kg57w5McOVg/xHmH/oyfxS6qa/SenuhP5mra45m14/CshX2K3
+czo4lDBOgLcfhNwaaNr6mRkIw+B/0giLJcFp5dUkXjNMXMzSpycrAdo8UMNYZHP3
+f4gStW5B6weOxXnnPeHa5ps8yMS5knGhXQGVTpKe5X/tceQnPpcQ3l0aoTejH/D+
+Cf7Ocuf1oFxUGW/3YqjIZgl3bNhz2R3AzWXJvSeaihDcCx4I7DmZUIkvvMqiE1XG
+fyyW8StGz5xwMZ1/EXIYZ12nyQOnH2vMrKOu4i4BvX+jjcqqIHKcgYRbNMWTGr3n
+Uk8Amt3Drwqh5GSq2WKAzrnIVzgDVNDhrgypCdpEiDJYDVgfbfXIm2X+AldE6uGu
+Ql9jJLbymdjgPTVsZNr3fxz3MZakOJPKELzmv9iSrrziwd9XRWtxe9DqQ47Hh2F3
+FhcQAe9r
+-----END CERTIFICATE-----
diff --git a/roles/common/files/pki/dh-param-2048.pem b/roles/common/files/pki/dh-param-2048.pem
new file mode 100644
index 0000000..5f0e35e
--- /dev/null
+++ b/roles/common/files/pki/dh-param-2048.pem
@@ -0,0 +1,53 @@
+### key add -adh-param -Asha256-mgf -n128 -LS -b2053 -B224 tls-param
+keyid: 1d275741
+tag:
+type: tls-param
+expiry: 2014-02-09 12:54:55 GMT
+delete: 2014-02-09 12:54:55 GMT
+comment:
+attributes:
+ genseed = wi+aoJDdKOFT6dWEU4kI2Q==
+ seedalg = sha256-mgf
+ factors = 25628173794965459148662154755507710741791028195724330392802159422363,
+ 23811438124381247217321230401533611940976915392825052997536081610507,
+ 26275640499985683069419899154277340447423514251466047604672441535359,
+ 15744921865728376733504714056932687844736336554772813867027917373369,
+ 14571722492400529289497370737312585068735319010775321956515864166347,
+ 21818144882486013845852086942457160224413719464451247588201008896789,
+ 17162867383501409601861420964333397219709230017882544459910683886593,
+ 24864351326571479769690396762702924550061869223096319281017678709539,
+ 332484314929097640929322655956464533664591816173441051661092105906161372022243
+key: {
+ p = 22776865583712030790367384668088221584543419673920166884379692662984252870029859921034405747249167040667056325234151341282361256792042947039044164901553881759256888545670437638183519848216861454689725824445732202608093522096528797209029707704715051673914754751199015894007649263132043295955899305099369111705233363264874492115584860564160940283158668074340077531066436014005054259363495043312216798971787474791288757088129447384713646105528914634725020007328931507087348770461048545136523608574722819552686860923334787408823896388056590057944405567188617916405496780795175946735233906210408927704061739282164790656387
+ g = 6535512044329258663746685839550485727558099773690539635801549184488020961476332224800626537814730025495792072150140201611996005821244919688021282275232298087775965396463825259078046405157417614973898692445438447309185015577240016525153526431414428085869925456074716544216492418857668693561751830412213845544012946512175262020475004426125263500284425565949677587260328578319141926318492592560209940965848698920497777749069204212173216554124353412328082212662992818436664252025501254804880731042804592969527846247819850879366739906103217554952601493934303970385819986220354980965783318612371961374595592603464626324070
+ q = 25628173794965459148662154755507710741791028195724330392802159422363
+}
+ PKCS#3 DH Parameters: (2048 bit)
+ prime:
+ 00:b4:6d:72:9e:c8:db:21:69:96:34:f0:53:c8:5a:
+ e6:d0:0b:99:81:1d:ba:43:e1:7a:c8:48:96:00:6b:
+ cc:e8:f6:dc:be:a2:a4:ae:55:04:74:6f:91:b9:b2:
+ d4:48:9f:d6:77:d7:74:0b:b4:30:7b:c1:1a:45:6c:
+ 97:9d:0d:aa:5f:94:a8:ec:4a:f6:31:92:19:ef:13:
+ 65:6d:d9:fa:16:da:91:d9:80:5c:56:3b:58:77:47:
+ b3:58:ce:3a:3e:72:9b:c5:5d:17:ad:d1:ca:0a:57:
+ c4:ec:d7:ee:35:50:5d:24:b7:b8:bf:54:98:db:97:
+ 97:ee:c1:94:cf:e0:69:c8:04:bd:80:ff:3c:23:4e:
+ aa:e1:3f:b8:55:ae:df:f3:0a:d6:0c:8c:12:59:71:
+ 0e:1a:e2:52:f0:ac:7f:18:7a:fc:36:61:ab:77:9e:
+ 3c:33:84:cd:61:e6:2d:34:3e:9f:7d:17:0c:88:66:
+ c9:9e:90:db:f0:66:24:79:a3:c9:9d:96:5d:ee:d9:
+ aa:dc:74:43:b5:23:66:72:37:e3:04:74:a9:97:a3:
+ d4:41:94:9f:87:3a:3e:e7:b0:81:00:63:29:91:48:
+ d0:6a:dc:e2:5f:43:64:0a:eb:8f:1e:81:91:03:1a:
+ a1:d5:e9:32:d7:b0:1b:d8:fe:99:21:b2:51:9e:f4:
+ fd:83
+ generator: 2 (0x2)
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEAtG1ynsjbIWmWNPBTyFrm0AuZgR26Q+F6yEiWAGvM6PbcvqKkrlUE
+dG+RubLUSJ/Wd9d0C7Qwe8EaRWyXnQ2qX5So7Er2MZIZ7xNlbdn6FtqR2YBcVjtY
+d0ezWM46PnKbxV0XrdHKClfE7NfuNVBdJLe4v1SY25eX7sGUz+BpyAS9gP88I06q
+4T+4Va7f8wrWDIwSWXEOGuJS8Kx/GHr8NmGrd548M4TNYeYtND6ffRcMiGbJnpDb
+8GYkeaPJnZZd7tmq3HRDtSNmcjfjBHSpl6PUQZSfhzo+57CBAGMpkUjQatziX0Nk
+CuuPHoGRAxqh1eky17Ab2P6ZIbJRnvT9gwIBAg==
+-----END DH PARAMETERS-----
diff --git a/roles/common/files/pki/dh-param.pem b/roles/common/files/pki/dh-param.pem
new file mode 100644
index 0000000..7085ec1
--- /dev/null
+++ b/roles/common/files/pki/dh-param.pem
@@ -0,0 +1,68 @@
+### key add -adh-param -Asha256-mgf -n128 -LS -b3076 -B256 tls-param
+keyid: 0241383a
+tag:
+type: tls-param
+expiry: 2013-12-22 10:06:11 GMT
+delete: 2013-12-22 10:06:11 GMT
+comment:
+attributes:
+ genseed = pmweI8TM8z97V5cMz4SxDw==
+ seedalg = sha256-mgf
+ factors = 76299672778585109227586065196249212078992548341882943096782659243409653858497,
+ 106903045773099875882710785046140136819321506108162412296688492762767548829253,
+ 103310011398334117850930711721790004717141991550731127510694599169210821154023,
+ 99804578699726663269664694004275215226052726441353242410431647509530422034749,
+ 109484260470875557519197828122260999595187616678246431195204478993922816483233,
+ 81910940141774088385926192272675341931808229422367067813481469672581662142449,
+ 78606395202673908605947290407730593907739810566754966671697770613580491969649,
+ 80233163018087394422493792459040510162632368175639082356993879272039858219171,
+ 60159484928028940229225637221687274639298282972458447117280310277994132829599,
+ 75333669283284144307719796310662061239471651079367770009826444327394649758349,
+ 61251876138930860888115739163978926628102666477542263877214306662534076129263,
+ 1703179010696044263906647663968752539806092657149536496044465707327663091986047
+key: {
+ p = 4497942938077873944425784618179827542237908003253752562448339127374337963339173762617167196593229056860981254852713354733150705016182121938157177099047797445952986544291728480506397810603716727582305708672246127016820686421039708003869632545374570778838193193653681987900197918264100644961404725742553728356758333762011972683455259277701265102348157894161679372345534271640171051704947847398664849540519114215430391883201139553487057243412219058944800228773431290081683289297551838860242423437300134326373978229574732053865317058316111231485398464882049385817132653104586614851574232122654802645405582810439488131396226472241200725681050288328548572718882115709228124057076604983380586967622808776365872349087844872079863912081981895749467076688435792247130013663105446904895498189663326586916135669162483431024008793117922671682696173929229421254914410849008384382400893167293948750619359569709195938261074036355642151422623
+ g = 4457305826154257890994837352846221000668547232771645349088105755729753535847065063871700989400379053703020868777776266229974100915565927638724808182369055966244413764305911426991692015981299184658681032074105368610736959558172581784430387524865954707013807524263592377900502489192272536286759497194012518932125689991702802383827937037704335949874249310793725165094655979093528678359319121511302499570771186712089259419662727297634887534518177922943995902656134867348829436485687386774595480597822952662719420611236295245974521549563124261912998312537637725225206343040203842528687055109100017875863997044182932356190341834865952893475699357135542012580224524776421622407614156924688023051208862785836798330892014189779227965088771245786143709214913494585661278201101968140934348912691533063187928261912391218363446650076697251000946020982809324463125191097399228754391008655057230057511830170366722450504534570604356113235339
+ q = 76299672778585109227586065196249212078992548341882943096782659243409653858497
+}
+
+ PKCS#3 DH Parameters: (3072 bit)
+ prime:
+ 00:c6:33:9e:2f:17:90:97:ef:6f:2d:6c:3b:a1:89:
+ 3b:2f:d6:d1:1e:51:1e:35:07:1e:0f:44:86:32:6f:
+ 4a:c8:bd:a6:76:99:a6:48:be:fa:10:fd:2b:64:73:
+ cd:bb:18:e4:26:28:84:ee:6f:bc:51:23:65:b1:18:
+ 46:40:67:bc:f3:6d:29:ef:12:6f:4b:5f:9d:45:72:
+ a4:04:e4:8d:de:ba:fc:de:4d:94:7d:90:91:5f:41:
+ 2d:6d:fd:dc:30:be:51:8e:a7:b5:98:ed:51:5e:50:
+ 2a:98:47:3c:03:56:c9:5b:73:d8:ec:4e:c9:98:e3:
+ 56:ef:18:57:d8:01:8d:ab:69:9f:fc:c6:62:ef:8f:
+ f0:8a:7d:53:44:92:6c:07:5e:81:d8:b5:46:b4:37:
+ 85:f9:ea:29:e0:f8:e6:50:90:6e:59:df:c6:ec:b4:
+ 48:16:f3:6c:2a:32:49:59:8c:a4:c1:7b:7d:83:55:
+ c6:f7:d2:e5:cb:eb:29:ca:0e:82:8c:28:ad:24:57:
+ 6f:de:e4:62:b9:f3:4c:ae:a8:2b:55:3c:73:c5:7a:
+ 40:d2:79:eb:bf:cb:68:f9:cb:df:03:51:98:97:23:
+ 05:09:69:80:44:3e:6b:d9:e2:5c:5c:21:72:02:52:
+ fc:97:d1:b5:1f:5c:36:4c:36:19:ec:29:ce:8b:b3:
+ b4:3b:ca:c5:5b:d0:e7:c3:c1:8b:5a:b6:2e:f3:51:
+ c4:a1:d9:83:2e:d1:8e:3c:e7:e7:09:03:a1:94:6d:
+ 70:6b:e4:3a:ce:8e:e7:e7:1f:b2:77:9e:86:ac:60:
+ 33:37:0c:8f:c8:55:a4:42:8f:57:46:f9:86:b3:67:
+ 55:b8:a7:f9:78:01:0b:c6:76:1d:48:20:59:ce:e5:
+ b4:3f:51:e1:a4:02:4f:f0:16:ea:dd:2c:d5:c4:60:
+ 27:3f:ed:37:22:3b:5a:b7:80:b4:76:e4:d4:99:65:
+ 80:b7:b8:9c:48:20:9c:9c:5a:ac:38:4c:49:c3:da:
+ 95:85:b7:de:a2:ef:ce:0c:4a:9f
+ generator: 5 (0x5)
+-----BEGIN DH PARAMETERS-----
+MIIBiAKCAYEAxjOeLxeQl+9vLWw7oYk7L9bRHlEeNQceD0SGMm9KyL2mdpmmSL76
+EP0rZHPNuxjkJiiE7m+8USNlsRhGQGe8820p7xJvS1+dRXKkBOSN3rr83k2UfZCR
+X0Etbf3cML5Rjqe1mO1RXlAqmEc8A1bJW3PY7E7JmONW7xhX2AGNq2mf/MZi74/w
+in1TRJJsB16B2LVGtDeF+eop4PjmUJBuWd/G7LRIFvNsKjJJWYykwXt9g1XG99Ll
+y+spyg6CjCitJFdv3uRiufNMrqgrVTxzxXpA0nnrv8to+cvfA1GYlyMFCWmARD5r
+2eJcXCFyAlL8l9G1H1w2TDYZ7CnOi7O0O8rFW9Dnw8GLWrYu81HEodmDLtGOPOfn
+CQOhlG1wa+Q6zo7n5x+yd56GrGAzNwyPyFWkQo9XRvmGs2dVuKf5eAELxnYdSCBZ
+zuW0P1HhpAJP8Bbq3SzVxGAnP+03Ijtat4C0duTUmWWAt7icSCCcnFqsOExJw9qV
+hbfeou/ODEqfAgEF
+-----END DH PARAMETERS-----
diff --git a/roles/common/files/pki/openssl.conf b/roles/common/files/pki/openssl.conf
new file mode 100644
index 0000000..1accc80
--- /dev/null
+++ b/roles/common/files/pki/openssl.conf
@@ -0,0 +1,114 @@
+### -*-conf-*-
+###
+### OpenSSL configuration for distorted.org.uk CA.
+
+###--------------------------------------------------------------------------
+### Defaults.
+
+RANDFILE = /dev/random
+db_suffix =
+
+###--------------------------------------------------------------------------
+### Certificate request configuration.
+
+[req]
+default_bits = 3072
+encrypt_key = no
+default_md = sha256
+utf8 = yes
+x509_extensions = ca-extensions
+distinguished_name = req-dn
+prompt = yes
+
+[req-dn]
+
+countryName = "Country name"
+countryName_default = "GB"
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = "State, province, or county"
+stateOrProvinceName_default = "Cambridgeshire"
+stateOrProvinceName_max = 64
+
+localityName = "Locality (e.g., city)"
+localityName_default = "Cambridge"
+localityName_max = 64
+
+organizationName = "Organization"
+organizationName_default = "distorted.org.uk"
+organizationName_max = 64
+organizationalUnitName = "Organizational unit"
+organizationalUnitName_max = 64
+
+commonName = "Common name"
+commonName_max = 64
+
+emailAddress = "Email address"
+emailAddress_max = 64
+
+###--------------------------------------------------------------------------
+### CA configuration.
+
+[ca]
+default_ca = distorted-ca
+preserve = yes
+
+[distorted-ca]
+default_days = 1825
+default_md = sha256
+unique_subject = no
+email_in_dn = no
+private_key = private/ca.key
+certificate = ca.cert
+database = state/db$ENV::db_suffix
+serial = state/serial
+crlnumber = state/crlnumber
+default_crl_hours = 28
+x509_extensions = tls-server-extensions
+crl_extensions = crl-extensions
+policy = distorted-policy
+name_opt = sep_multiline, esc_ctrl, utf8, dump_nostr, dump_unknown, space_eq, lname, align
+cert_opt = no_header, ext_parse, no_pubkey
+copy_extensions = copy
+
+[distorted-policy]
+countryName = supplied
+stateOrProvinceName = optional
+localityName = optional
+organizationName = supplied
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[crl-extensions]
+issuerAltName = email:ca@distorted.org.uk
+crlDistributionPoints = URI:http://www.distorted.org.uk/ca/crl
+
+[ca-extensions]
+basicConstraints = critical, CA:TRUE
+keyUsage = critical, keyCertSign
+subjectKeyIdentifier = hash
+subjectAltName = email:ca@distorted.org.uk
+crlDistributionPoints = URI:http://www.distorted.org.uk/ca/crl
+
+[tls-server-extensions]
+basicConstraints = critical, CA:FALSE
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always, issuer:always
+issuerAltName = issuer:copy
+crlDistributionPoints = URI:http://www.distorted.org.uk/ca/crl
+
+[tls-client-extensions]
+basicConstraints = critical, CA:FALSE
+keyUsage = critical, digitalSignature
+extendedKeyUsage = clientAuth
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+issuerAltName = issuer:copy
+subjectAltName = email:copy
+crlDistributionPoints = URI:http://www.distorted.org.uk/ca/crl
+
+###----- That's all, folks --------------------------------------------------
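Review bot: `[ca-extensions]` sets `keyUsage = critical, keyCertSign` without `cRLSign`, yet `crlDistributionPoints` in that same section, in `[crl-extensions]` and in both end-entity sections tells relying parties to fetch a CRL signed by this CA. RFC 5280 §4.2.1.3 forbids using a key with a keyUsage extension to verify CRL signatures unless cRLSign is set, and OpenSSL enforces this when CRL checking is enabled (`X509_V_ERR_KEYUSAGE_NO_CRL_SIGN`), so the published CRL would be rejected by exactly the clients that check it. The fix is `keyUsage = critical, keyCertSign, cRLSign`, and since the committed `ca.cert` in the earlier hunk shows the same usage (`Certificate Sign` only) the CA certificate has to be re-issued for it to take effect. A one-line comment on `[tls-client-extensions]` saying it is selected with `-extensions tls-client-extensions` at signing time would also help, because `[distorted-ca]` only ever names `tls-server-extensions`.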
diff --git a/roles/common/files/root/gitconfig b/roles/common/files/root/gitconfig
new file mode 100644
index 0000000..25ae8af
--- /dev/null
+++ b/roles/common/files/root/gitconfig
@@ -0,0 +1,3 @@
+[user]
+ name = root
+ email =  root@distorted.org.uk
diff --git a/roles/common/files/scripts/fetch-unpack-archive b/roles/common/files/scripts/fetch-unpack-archive
new file mode 100755
index 0000000..e9b3d3e
--- /dev/null
+++ b/roles/common/files/scripts/fetch-unpack-archive
@@ -0,0 +1,46 @@
+#! /bin/sh
+###
+### Fetch an archive, and unpack it into a directory in a safe manner.
+
+set -e
+
+## Parse the command line.
+case $# in
+ 3) ;;
+ *) echo >&2 "usage: $0 DIR LABEL URL"; exit 1 ;;
+esac
+dir=$1 label=$2 url=$3
+cd "$dir"
+
+## Fetch the archive.
+rm -rf tmp; mkdir tmp
+curl -s -o tmp/"$label.tar.gz" "$url"
+
+## Check the archive for unpleasantness. The GNU and FreeBSD versions of
+## tar(1) do something vaguely sensible with `..' components in the pathnames
+## of archive members. (Specifically, FreeBSD simply ignores the affected
+## members; GNU strips leading components in a bizarre way.) But OpenBSD
+## gets a special security award for cheerily following the `..' components.
+## So we have to do this complicated laundering thing.
+##
+## The archive ought to unpack everything into a single directory and not
+## contain anythig weird. So check. Actually, this won't catch newlines in
+## member names, so we'll have to be careful about those. The regular
+## expression insists that everything be in a single directory identified by
+## the LABEL, and that the rest of the name contains no two adjacent dots.
+## We use the LABEL as part of an ERE, so it ought not contain bad things.
+if
+ tar tzf tmp/"$label.tar.gz" |
+ grep -Ev "^$label/([^.]+|\.[^.])*$" >&2
+then
+ echo >&2 "$0: archive has bad member pathnames"
+ exit 1
+fi
+
+## Unpack the archive now that we know it's safe.
+(cd tmp; tar xzf "$label.tar.gz")
+
+## Replace any existing tree with the new one.
+rm -rf "$label"
+mv tmp/"$label" .
+rm -rf tmp
diff --git a/roles/common/files/scripts/genx509 b/roles/common/files/scripts/genx509
new file mode 100755
index 0000000..7009026
--- /dev/null
+++ b/roles/common/files/scripts/genx509
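Review bot: The `tar tzf | grep -Ev` filter vets member pathnames only, so a symlink or hard-link member whose target lies outside `$label/` passes it, and whether the later `tar xzf` into `tmp` follows such a link depends on the tar(1) in use, which the comment above already observes varies between implementations. Since the archive is listed anyway, list it verbosely and refuse link entries, e.g. `if tar tvzf tmp/"$label.tar.gz" | grep -E '^[lh]' >&2; then echo >&2 "$0: archive contains link members"; exit 1; fi` (adjust the pattern to the local tar's listing format). `curl -s` without `-f` stores an HTTP error body as the archive, which then fails only at extraction time; `curl -fsS -o tmp/"$label.tar.gz" "$url"` turns that into an immediate failure under `set -e`. If this runs as root, tar also restores archive ownership and mode bits by default, so adding `--no-same-owner --no-same-permissions` to the `tar xzf` (where the local tar supports them) keeps an untrusted archive from planting owned or set-id files.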
@@ -0,0 +1,56 @@
+#! /bin/sh -e
+
+unset email unit key ext extra
+config=/etc/ca/openssl.conf
+good=t
+while getopts e:u:k:x: opt; do
+ case $opt in
+ e) email=$OPTARG ;;
+ u) unit=$OPTARG ;;
+ k) key=$OPTARG ;;
+ x) ext=$OPTARG ;;
+ *) good=nil ;;
+ esac
+done
+shift $(( $OPTIND - 1 ))
+
+case $#,$good in
+ 2,t) ;;
+ *) echo >&2 "usage: $0 [-e EMAIL] [-k KEY] [-u UNIT] [-x EXT] LABEL CN"; exit 1 ;;
+esac
+label=$1 cn=$2
+
+if [ ! -d private ]; then
+ mkdir -m700 private
+fi
+
+case ${ext+t} in
+ t)
+ { cat "$config"
+ echo
+ echo "[genx509-custom]"
+ cat "$ext"; } >"tmp.$label.conf"
+ config=tmp.$label.conf
+ extra="$extra -reqexts genx509-custom"
+ ;;
+esac
+
+name="/C=GB/ST=Cambridgeshire/L=Cambridge/O=distorted.org.uk"
+name="$name/${unit+OU=$unit/}CN=$cn${email+/emailAddress=$email}"
+case ${key+t} in
+ t)
+ openssl req -batch -config "$config" \
+ -new -subj "$name" -text -out "$label.req.new" \
+ -key "$key" $extra
+ ;;
+ *)
+ openssl req -batch -config "$config" \
+ -new -subj "$name" -text -out "$label.req.new" \
+ -nodes -keyout "private/$label.key.new" $extra
+ chmod 600 "private/$label.key.new"
+ mv "private/$label.key.new" "private/$label.key"
+ ;;
+esac
+rm -f "tmp.$label.conf"
+mv "$label.req.new" "$label.req"
+sha256sum "$label.req"
diff --git a/roles/common/files/sudo/sudoers b/roles/common/files/sudo/sudoers
new file mode 100644
index 0000000..7676429
--- /dev/null
+++ b/roles/common/files/sudo/sudoers
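Review bot: In the `*)` branch, `openssl req -nodes -keyout "private/$label.key.new"` writes the private key under the caller's umask and only afterwards does `chmod 600` tighten it, and `private` is created 0700 only when it does not already exist, so an existing directory with wider permissions is used as-is. Adding `umask 077` right after the `unset` line closes that window independently of directory permissions and also covers `tmp.$label.conf`, which contains only configuration but is otherwise world-readable. Because the script runs under `sh -e`, a failing `openssl` leaves `tmp.$label.conf` and `$label.req.new` behind; `trap 'rm -f "tmp.$label.conf" "$label.req.new"' EXIT` after `label=$1 cn=$2` would tidy both and replace the final `rm -f`.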
@@ -0,0 +1,62 @@
+### -*-conf-*-
+### sudoers file for distorted.org.uk
+###
+### This file is maintained on ibanez: edit it there and run `update-slaves'.
+
+###--------------------------------------------------------------------------
+### Thoughts.
+###
+### I'm not using `sudo' to give people limited access to privileged
+### commands. That's a mug's game, and anyway `userv' does it better.
+### So I'm not going to try to restrict what administrators can do.
+
+###--------------------------------------------------------------------------
+### Defaults.
+
+## The `authentication' -- making people type in their passwords -- will
+## only thwart an unimaginitive attacker. We have to face up to the fact
+## that `sudo' basically deals in `at-least-as-powerful-as' relationships:
+## if Alice can `sudo' to Bob, then Alice is at least as powerful as Bob,
+## and all of the molly guards and password typing won't help that.
+Defaults !authenticate
+
+## Again, with the idea that we're trusting the calling users, we don't
+## to scrub the environment.
+Defaults !always_set_home, !env_reset, !secure_path
+
+## Allow any editor with `visudo'. The idea that allowing a user to edit
+## the `sudoers' file is OK but letting him choose which editor he uses
+## isn't is obviously crazy. After all, he can change the editor list
+## if he likes.
+Defaults env_editor
+
+## Don't spam me with reports of people being turned away. I have logs for
+## that.
+Defaults !mailto
+
+## I'm going to assume that administrators already know how to behave
+## responsibly.
+Defaults lecture = never
+
+## Passing file descriptors into a program seems OK to me, given that
+## I'm assuming that the target user trusts the caller anyway.
+Defaults !closefrom_override
+
+###--------------------------------------------------------------------------
+### Administration.
+###
+### Summary:
+### FROM HOSTS = (TO-USERS [: TO-GROUPS]) [TAGS] COMMAND
+###
+### LIST ::= [!] ITEM, ...
+### USER ::= NAME | #UID | %GROUP +### HOST ::= HOSTNAME | ADDR | NET/MASK +### COMMAND ::= CMD | DIR/ | sudoedit +### TAG ::= NOPASSWD: | PASSWD: | NOEXEC: | EXEC: | SETENV: | NOSETENV: | +### LOG_INPUT: | NOLOG_INPUT: | LOG_OUTPUT: | NOLOG_OUTPUT: + +## Allow `root' and members of the `sudo' and `root' groups to do their +## things. +root, %sudo, %root, %wheel ALL = (ALL : ALL) ALL + +###----- That's all, folks -------------------------------------------------- diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index f26ef68..a264715 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -15,12 +15,25 @@ ### PKI machinery. - name: install PKI maintenance scripts - tags: [pki] + tags: [pki, pki-scripts] copy: src=pki/{{ item }} dest=/etc/cron.daily with_items: - update-ca-certs - check-x509-certs +- name: install common PKI files + tags: [pki, pki-keys] + copy: src=pki/{{ item }} dest=/etc/ca + with_items: + - ca.cert + - dh-param.pem + - dh-param-2048.pem + - openssl.conf + +- name: install /etc/pki/CA link + tags: [pki, pki-link] + file: path=/etc/pki/CA/cacert.pem state=link src=../../ca/ca.cert + ###-------------------------------------------------------------------------- ### NTP configuration. @@ -30,6 +43,17 @@ when: server is not defined or 'ntp' not in server notify: restart ntpd +###-------------------------------------------------------------------------- +### Network databases. + +- name: install netdb files + tags: netdb + copy: src=netdb/{{ item }} dest=/etc + with_items: + - hosts + - networks + - services + ###-------------------------------------------------------------------------- ### SSH configuration. 
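Review bot: The comment `## Allow `root' and members of the `sudo' and `root' groups to do their things.` omits `%wheel`, which the rule on the next line also grants; either list it (`## Allow `root' and members of the `sudo', `root' and `wheel' groups to do their things.`) or drop the alias if only one of the Debian-style `sudo` and BSD-style `wheel` groups is meant. With `!authenticate`, `!env_reset` and `!secure_path` all set in the Defaults section, membership of those groups is the entire access control on every host this file reaches, so the comment describing who is in the set is worth keeping exact; the `Thoughts` section argues the design is deliberate, and that reasoning holds. The Defaults comment `we don't to scrub the environment` is also missing a word and should read `we don't want to scrub the environment`.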
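Review bot: The `install common PKI files` task copies `ca.cert`, the two DH parameter files and `openssl.conf` into `/etc/ca` with no `owner`, `group` or `mode`, so on a host where they do not yet exist their mode follows the remote umask, while the `/etc/pki/CA/cacert.pem` link added in the next task suggests unprivileged TLS clients are meant to read them; `copy: src=pki/{{ item }} dest=/etc/ca owner=root group=root mode=0644` pins that down (the DH parameters and CA certificate are public material, so 0644 is appropriate). The link task also presumably relies on `/etc/ca` and `/etc/pki/CA` already existing, since neither is created in this hunk or elsewhere in the visible part of the role; if nothing else guarantees them, a `file: path=/etc/pki/CA state=directory` task before the link would keep the role working on a fresh host.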
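Review bot: `install netdb files` replaces `/etc/hosts` wholesale from the central `netdb/hosts`, which only works if that file carries every managed host's own name as well; Debian's installer puts it on a `127.0.1.1` line, and `sudo` emits `unable to resolve host` warnings when the local name cannot be resolved and DNS is unavailable. I cannot see `netdb/hosts` here, so please confirm it covers all targets; if it does not, a `lineinfile` task for `127.0.1.1 {{ ansible_fqdn }} {{ ansible_hostname }}` after the copy, or a `template` in place of the `copy`, would preserve the per-host entry.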
@@ -57,4 +81,37 @@ - config.m4 - known_hosts.extra +###-------------------------------------------------------------------------- +### Backup machinery. + +- name: install backup filters + tags: [backup, backup-filters] + copy: src=backup/filter.{{ item.label }} dest={{ item.dest }}/.rsync-backup + with_items: + - { label: 'home', dest: '/home' } + - { label: 'var-spool', dest: '/var/spool' } + +- name: install required backup scripts on non-Debian hosts + tags: [backup, backup-scripts] + copy: src=backup/fshash dest=/usr/local/bin + when: os != 'debian' + +###-------------------------------------------------------------------------- +### Other miscellaneous files. + +- name: install sudo configuration + tags: [sudo] + copy: src=sudo/sudoers dest=/etc + +- name: install common scripts + tags: [scripts] + copy: src=scripts/{{ item }} dest=/usr/local/bin + with_items: + - fetch-unpack-archive + - genx509 + +- name: install root Git configuration + tags: [root-files] + copy: src=root/gitconfig dest=/root/.gitconfig + ###----- That's all, folks -------------------------------------------------- -- [mdw]
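Review bot: `copy: src=sudo/sudoers dest=/etc` installs the policy with no `validate`, so a syntax error in the pushed file is written as-is and leaves every host without a working `sudo` until someone repairs it by hand; `sudo` also refuses to run if the file is not `0440` and root-owned, and `copy` only inherits those permissions when the destination already exists. Write it as `copy: src=sudo/sudoers dest=/etc/sudoers owner=root group=root mode=0440 validate='visudo -cf %s'` so a bad file is rejected before it replaces the good one. The same mode issue applies to `install common scripts` and `install required backup scripts`: git records `fetch-unpack-archive`, `genx509` and `fshash` as mode 100755, but as far as I know the `copy` module does not carry the source mode to a newly created destination, so add `mode=0755` to both tasks or the copies in `/usr/local/bin` will not be executable on a fresh host.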