24 changed files with 88 additions and 4278 deletions
--- a/ansible.cfg
+++ b/ansible.cfg
@ -1,8 +1,7 @@
 # Ansible configuration
 [defaults]
-
+ask_vault_pass = True
 # Explicitly redefine some defaults to make subfolder execution work
 roles_path = ./roles
 # Do not create .retry files
--- a/copy-keys.sh
+++ b/copy-keys.sh
@ -1,20 +0,0 @@
 #!/bin/bash
 set -e
 # Grab valid unique hostnames from the Ansible inventory.
 HOSTS=$(grep -ve '^[#\[]' hosts \
 | grep -F adm.auro.re \
 | sort -u)
 # Ask password
 read -s -p "Hello adventurer, what is your LDAP password? " passwd
 echo
 for host in $HOSTS; do
  echo "[+] Handling host $host"
  # sshpass can be used for non-interactive password authentication.
  # place your password in ldap-password.txt.
  SSHPASS=${passwd} sshpass -v -e ssh-copy-id "$host"
 done
--- a/playbooks/base.yml
+++ b/playbooks/base.yml
@ -1,10 +1,16 @@
 #!/usr/bin/env ansible-playbook
 ---
 # Put a common configuration on all servers
 - hosts: all,!unifi
  vars:
    locales_default: en_US.UTF-8
    locales_additional:
      - fr_FR.UTF-8
    apt_upgrade_email_address: monitoring.aurore@lists.crans.org
  roles:
-    - baseconfig
+    - debian_common
    - apt_common
    - locales
    - basesecurity
    - ldap_client
    - logrotate
    - update_motd
 ...
--- a/playbooks/ssh.yml
+++ b/playbooks/ssh.yml
@ -1,6 +1,6 @@
 #!/usr/bin/env ansible-playbook
 ---
- hosts: services-*.pve.auro.re
+- hosts: all,!unifi
  vars:
    openssh_users_ca_public_key:
      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAAB\
@ -9,6 +9,10 @@
    openssh_authorized_principals:
      - any
      - "{{ inventory_hostname }}"
    openssh_whitelist_groups: "{{ ['adherent']
                                  if inventory_hostname == 'camelot.adm.auro.re'
                                  else [] }}"
    openssh_allow_passwords: "{{ inventory_hostname == 'camelot.adm.auro.re' }}"
  roles:
    - openssh_server
 ...
--- a/roles/baseconfig/tasks/apt-unattended.yml
+++ b/roles/baseconfig/tasks/apt-unattended.yml
@ -1,21 +1,19 @@
 ---
 - name: Install unattended-upgrades
  when: ansible_os_family == "Debian"
  apt:
    name: unattended-upgrades
    state: present
    update_cache: true
  register: apt_result
  retries: 3
  until: apt_result is succeeded
 - name: Configure unattended-upgrades
  template:
-    src: "apt/{{ item }}.j2"
+    src: "{{ item }}.j2"
    dest: "/etc/apt/apt.conf.d/{{ item }}"
    owner: root
    mode: u=rw,g=r,o=r
  loop:
    - 50unattended-upgrades
    - 20auto-upgrades
    - 50unattended-upgrades
 - name: Install debsums
  apt:
    name: debsums
 ...
--- a/roles/baseconfig/templates/apt/20auto-upgrades.j2
+++ b/roles/baseconfig/templates/apt/20auto-upgrades.j2
@ -1,4 +1,4 @@
-// {{ ansible_managed }}
+{{ ansible_managed | comment("c") }}
 APT::Periodic::Update-Package-Lists "1";
 APT::Periodic::Unattended-Upgrade "1";
--- a/roles/baseconfig/templates/apt/50unattended-upgrades.j2
+++ b/roles/baseconfig/templates/apt/50unattended-upgrades.j2
@ -1,4 +1,4 @@
-// {{ ansible_managed }}
+{{ ansible_managed | comment("c") }}
 Unattended-Upgrade::Origins-Pattern {
        "origin=Debian,codename=${distro_codename},label=Debian-Security";
@ -9,8 +9,10 @@ Unattended-Upgrade::Package-Blacklist {};
 Unattended-Upgrade::MinimalSteps "true";
 Unattended-Upgrade::InstallOnShutdown "false";
-Unattended-Upgrade::Mail "{{ monitoring_mail }}";
+{% if apt_upgrade_email_address | default(False) %}
-// Unattended-Upgrade::MailOnlyOnError "false";
+Unattended-Upgrade::Mail "{{ apt_upgrade_email_address }}";
 Unattended-Upgrade::MailOnlyOnError "false";
 {% endif %}
 Unattended-Upgrade::Remove-Unused-Kernel-Packages "false";
 Unattended-Upgrade::Remove-New-Unused-Dependencies "false";
--- a/roles/baseconfig/files/skel/dot_zshrc
+++ b/roles/baseconfig/files/skel/dot_zshrc
--- a/roles/baseconfig/files/skel/dot_zshrc.local
+++ b/roles/baseconfig/files/skel/dot_zshrc.local
@ -1,326 +0,0 @@
 # Filename:      /etc/skel/.zshrc
 # Purpose:       config file for zsh (z shell)
 # Authors:       (c) grml-team (grml.org)
 # Bug-Reports:   see http://grml.org/bugs/
 # License:       This file is licensed under the GPL v2 or any later version.
 ################################################################################
 # Nowadays, grml's zsh setup lives in only *one* zshrc file.
 # That is the global one: /etc/zsh/zshrc (from grml-etc-core).
 # It is best to leave *this* file untouched and do personal changes to
 # your zsh setup via ${HOME}/.zshrc.local which is loaded at the end of
 # the global zshrc.
 #
 # That way, we enable people on other operating systems to use our
 # setup, too, just by copying our global zshrc to their ${HOME}/.zshrc.
 # Adjustments would still go to the .zshrc.local file.
 ################################################################################
 ## Aurore host color and white user
 zstyle ':prompt:grml:left:items:host' pre '%B%F{red}'
 zstyle ':prompt:grml:left:items:host' post '%f%b'
 zstyle ':prompt:grml:left:items:user' pre '%B'
 zstyle ':prompt:grml:left:items:user' post '%b'
 ## Settings for umask
 #if (( EUID == 0 )); then
 #    umask 002
 #else
 #    umask 022
 #fi
 ## Now, we'll give a few examples of what you might want to use in your
 ## .zshrc.local file (just copy'n'paste and uncomment it there):
 ## Prompt theme extension ##
 # Virtualenv support
 #function virtual_env_prompt () {
 #    REPLY=${VIRTUAL_ENV+(${VIRTUAL_ENV:t}) }
 #}
 #grml_theme_add_token  virtual-env -f virtual_env_prompt '%F{magenta}' '%f'
 #zstyle ':prompt:grml:left:setup' items rc virtual-env change-root user at host path vcs percent
 ## ZLE tweaks ##
 ## use the vi navigation keys (hjkl) besides cursor keys in menu completion
 #bindkey -M menuselect 'h' vi-backward-char        # left
 #bindkey -M menuselect 'k' vi-up-line-or-history   # up
 #bindkey -M menuselect 'l' vi-forward-char         # right
 #bindkey -M menuselect 'j' vi-down-line-or-history # bottom
 ## set command prediction from history, see 'man 1 zshcontrib'
 #is4 && zrcautoload predict-on && \
 #zle -N predict-on         && \
 #zle -N predict-off        && \
 #bindkey "^X^Z" predict-on && \
 #bindkey "^Z" predict-off
 ## press ctrl-q to quote line:
 #mquote () {
 #      zle beginning-of-line
 #      zle forward-word
 #      # RBUFFER="'$RBUFFER'"
 #      RBUFFER=${(q)RBUFFER}
 #      zle end-of-line
 #}
 #zle -N mquote && bindkey '^q' mquote
 ## define word separators (for stuff like backward-word, forward-word, backward-kill-word,..)
 #WORDCHARS='*?_-.[]~=/&;!#$%^(){}<>' # the default
 #WORDCHARS=.
 #WORDCHARS='*?_[]~=&;!#$%^(){}'
 #WORDCHARS='${WORDCHARS:s@/@}'
 # just type '...' to get '../..'
 #rationalise-dot() {
 #local MATCH
 #if [[ $LBUFFER =~ '(^|/| |	|'$'\n''|\||;|&)\.\.$' ]]; then
 #  LBUFFER+=/
 #  zle self-insert
 #  zle self-insert
 #else
 #  zle self-insert
 #fi
 #}
 #zle -N rationalise-dot
 #bindkey . rationalise-dot
 ## without this, typing a . aborts incremental history search
 #bindkey -M isearch . self-insert
 #bindkey '\eq' push-line-or-edit
 ## some popular options ##
 ## add `|' to output redirections in the history
 #setopt histallowclobber
 ## try to avoid the 'zsh: no matches found...'
 #setopt nonomatch
 ## warning if file exists ('cat /dev/null > ~/.zshrc')
 #setopt NO_clobber
 ## don't warn me about bg processes when exiting
 #setopt nocheckjobs
 ## alert me if something failed
 #setopt printexitvalue
 ## with spelling correction, assume dvorak kb
 #setopt dvorak
 ## Allow comments even in interactive shells
 #setopt interactivecomments
 ## compsys related snippets ##
 ## changed completer settings
 #zstyle ':completion:*' completer _complete _correct _approximate
 #zstyle ':completion:*' expand prefix suffix
 ## another different completer setting: expand shell aliases
 #zstyle ':completion:*' completer _expand_alias _complete _approximate
 ## to have more convenient account completion, specify your logins:
 #my_accounts=(
 # {grml,grml1}@foo.invalid
 # grml-devel@bar.invalid
 #)
 #other_accounts=(
 # {fred,root}@foo.invalid
 # vera@bar.invalid
 #)
 #zstyle ':completion:*:my-accounts' users-hosts $my_accounts
 #zstyle ':completion:*:other-accounts' users-hosts $other_accounts
 ## add grml.org to your list of hosts
 #hosts+=(grml.org)
 #zstyle ':completion:*:hosts' hosts $hosts
 ## telnet on non-default ports? ...well:
 ## specify specific port/service settings:
 #telnet_users_hosts_ports=(
 #  user1@host1:
 #  user2@host2:
 #  @mail-server:{smtp,pop3}
 #  @news-server:nntp
 #  @proxy-server:8000
 #)
 #zstyle ':completion:*:*:telnet:*' users-hosts-ports $telnet_users_hosts_ports
 ## the default grml setup provides '..' as a completion. it does not provide
 ## '.' though. If you want that too, use the following line:
 #zstyle ':completion:*' special-dirs true
 ## aliases ##
 ## translate
 #alias u='translate -i'
 ## ignore ~/.ssh/known_hosts entries
 #alias insecssh='ssh -o "StrictHostKeyChecking=no" -o "UserKnownHostsFile=/dev/null" -o "PreferredAuthentications=keyboard-interactive"'
 ## global aliases (for those who like them) ##
 #alias -g '...'='../..'
 #alias -g '....'='../../..'
 #alias -g BG='& exit'
 #alias -g C='|wc -l'
 #alias -g G='|grep'
 #alias -g H='|head'
 #alias -g Hl=' --help |& less -r'
 #alias -g K='|keep'
 #alias -g L='|less'
 #alias -g LL='|& less -r'
 #alias -g M='|most'
 #alias -g N='&>/dev/null'
 #alias -g R='| tr A-z N-za-m'
 #alias -g SL='| sort | less'
 #alias -g S='| sort'
 #alias -g T='|tail'
 #alias -g V='| vim -'
 ## instead of global aliase it might be better to use grmls $abk assoc array, whose contents are expanded after pressing ,.
 #$abk[SnL]="| sort -n | less"
 ## get top 10 shell commands:
 #alias top10='print -l ${(o)history%% *} | uniq -c | sort -nr | head -n 10'
 ## Execute \kbd{./configure}
 #alias CO="./configure"
 ## Execute \kbd{./configure --help}
 #alias CH="./configure --help"
 ## miscellaneous code ##
 ## Use a default width of 80 for manpages for more convenient reading
 #export MANWIDTH=${MANWIDTH:-80}
 ## Set a search path for the cd builtin
 #cdpath=(.. ~)
 ## variation of our manzsh() function; pick you poison:
 #manzsh()  { /usr/bin/man zshall |  most +/"$1" ; }
 ## Switching shell safely and efficiently? http://www.zsh.org/mla/workers/2001/msg02410.html
 #bash() {
 #    NO_SWITCH="yes" command bash "$@"
 #}
 #restart () {
 #    exec $SHELL $SHELL_ARGS "$@"
 #}
 ## Handy functions for use with the (e::) globbing qualifier (like nt)
 #contains() { grep -q "$*" $REPLY }
 #sameas() { diff -q "$*" $REPLY &>/dev/null }
 #ot () { [[ $REPLY -ot ${~1} ]] }
 ## get_ic() - queries imap servers for capabilities; real simple. no imaps
 #ic_get() {
 #    emulate -L zsh
 #    local port
 #    if [[ ! -z $1 ]] ; then
 #        port=${2:-143}
 #        print "querying imap server on $1:${port}...\n";
 #        print "a1 capability\na2 logout\n" | nc $1 ${port}
 #    else
 #        print "usage:\n  $0 <imap-server> [port]"
 #    fi
 #}
 ## List all occurrences of programm in current PATH
 #plap() {
 #    emulate -L zsh
 #    if [[ $# = 0 ]] ; then
 #        echo "Usage:    $0 program"
 #        echo "Example:  $0 zsh"
 #        echo "Lists all occurrences of program in the current PATH."
 #    else
 #        ls -l ${^path}/*$1*(*N)
 #    fi
 #}
 ## Find out which libs define a symbol
 #lcheck() {
 #    if [[ -n "$1" ]] ; then
 #        nm -go /usr/lib/lib*.a 2>/dev/null | grep ":[[:xdigit:]]\{8\} . .*$1"
 #    else
 #        echo "Usage: lcheck <function>" >&2
 #    fi
 #}
 ## Download a file and display it locally
 #uopen() {
 #    emulate -L zsh
 #    if ! [[ -n "$1" ]] ; then
 #        print "Usage: uopen \$URL/\$file">&2
 #        return 1
 #    else
 #        FILE=$1
 #        MIME=$(curl --head $FILE | \
 #               grep Content-Type | \
 #               cut -d ' ' -f 2 | \
 #               cut -d\; -f 1)
 #        MIME=${MIME%$'\r'}
 #        curl $FILE | see ${MIME}:-
 #    fi
 #}
 ## Memory overview
 #memusage() {
 #    ps aux | awk '{if (NR > 1) print $5;
 #                   if (NR > 2) print "+"}
 #                   END { print "p" }' | dc
 #}
 ## print hex value of a number
 #hex() {
 #    emulate -L zsh
 #    if [[ -n "$1" ]]; then
 #        printf "%x\n" $1
 #    else
 #        print 'Usage: hex <number-to-convert>'
 #        return 1
 #    fi
 #}
 ## log out? set timeout in seconds...
 ## ...and do not log out in some specific terminals:
 #if [[ "${TERM}" == ([Exa]term*|rxvt|dtterm|screen*) ]] ; then
 #    unset TMOUT
 #else
 #    TMOUT=1800
 #fi
 ## associate types and extensions (be aware with perl scripts and anwanted behaviour!)
 #check_com zsh-mime-setup || { autoload zsh-mime-setup && zsh-mime-setup }
 #alias -s pl='perl -S'
 ## ctrl-s will no longer freeze the terminal.
 #stty erase "^?"
 ## you want to automatically use a bigger font on big terminals?
 #if [[ "$TERM" == "xterm" ]] && [[ "$LINES" -ge 50 ]] && [[ "$COLUMNS" -ge 100 ]] && [[ -z "$SSH_CONNECTION" ]] ; then
 #    large
 #fi
 ## Some quick Perl-hacks aka /useful/ oneliner
 #bew() { perl -le 'print unpack "B*","'$1'"' }
 #web() { perl -le 'print pack "B*","'$1'"' }
 #hew() { perl -le 'print unpack "H*","'$1'"' }
 #weh() { perl -le 'print pack "H*","'$1'"' }
 #pversion()    { perl -M$1 -le "print $1->VERSION" } # i. e."pversion LWP -> 5.79"
 #getlinks ()   { perl -ne 'while ( m/"((www|ftp|http):\/\/.*?)"/gc ) { print $1, "\n"; }' $* }
 #gethrefs ()   { perl -ne 'while ( m/href="([^"]*)"/gc ) { print $1, "\n"; }' $* }
 #getanames ()  { perl -ne 'while ( m/a name="([^"]*)"/gc ) { print $1, "\n"; }' $* }
 #getforms ()   { perl -ne 'while ( m:(\</?(input|form|select|option).*?\>):gic ) { print $1, "\n"; }' $* }
 #getstrings () { perl -ne 'while ( m/"(.*?)"/gc ) { print $1, "\n"; }' $*}
 #showINC ()    { perl -e 'for (@INC) { printf "%d %s\n", $i++, $_ }' }
 #vimpm ()      { vim `perldoc -l $1 | sed -e 's/pod$/pm/'` }
 #vimhelp ()    { vim -c "help $1" -c on -c "au! VimEnter *" }
 ## END OF FILE #################################################################
--- a/roles/baseconfig/tasks/apt-listchanges.yml
+++ b/roles/baseconfig/tasks/apt-listchanges.yml
@ -1,32 +0,0 @@
 ---
 # Install apt-listchanges
 - name: Install apt-listchanges
  when: ansible_os_family == "Debian"
  apt:
    name: apt-listchanges
    state: present
    update_cache: true
  register: apt_result
  retries: 3
  until: apt_result is succeeded
 # Send email when there is something new
 - name: Configure apt-listchanges
  ini_file:
    path: /etc/apt/listchanges.conf
    no_extra_spaces: true
    section: apt
    option: "{{ item.option }}"
    value: "{{ item.value }}"
    state: present
    mode: 0644
  loop:
    - option: confirm
      value: "true"
    - option: email_address
      value: "{{ monitoring_mail }}"
    - option: which
      value: both
 ...
--- a/roles/basesecurity/handlers/main.yml
+++ b/roles/basesecurity/handlers/main.yml
@ -1,10 +0,0 @@
 ---
 - name: Restart sshd service
  service:
    name: sshd
    state: restarted
 - name: Restart fail2ban service
  service:
    name: fail2ban
    state: restarted
--- a/roles/basesecurity/tasks/main.yml
+++ b/roles/basesecurity/tasks/main.yml
@ -23,65 +23,4 @@
    - /bin/mount  # Only root should mount
    - /bin/umount  # Only root should umount
  ignore_errors: true  # Sometimes file won't exist
-
+...
 # Only SSH keys to log on root
 - name: Prohibit root SSH with password
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: '^{{ item.0 }}'
    insertafter: '^#{{ item.0 }}'
    line: '{{ item.0 }} {{ item.1 }}'
  loop:
    - ["PermitRootLogin", "prohibit-password"]
    - ["AllowAgentForwarding", "no"]
    - ["X11Forwarding", "no"]
    - ["TCPKeepAlive", "yes"]
  notify: Restart sshd service
 # See banned client with `fail2ban-client status sshd`
 - name: Install fail2ban
  apt:
    name: fail2ban
    state: present
  register: apt_result
  retries: 3
  until: apt_result is succeeded
 - name: Configure fail2ban
  ini_file:
    path: /etc/fail2ban/jail.d/local.conf
    section: "{{ item.section }}"
    option: "{{ item.option }}"
    value: "{{ item.value }}"
    state: present
    mode: 0644
  notify: Restart fail2ban service
  loop:
    - section: sshd
      option: ignoreip
      value: 10.128.0.254  # Whitelist bastion
    - section: sshd
      option: enabled
      value: "true"
    - section: sshd
      option: bantime
      value: 600
    - section: sshd
      option: findtime
      value: 600
    - section: sshd
      option: maxretry
      value: 5
 # See altered packages and configurations with `debsums -ca`
 - name: Install debsums
  apt:
    name: debsums
    state: present
  register: apt_result
  retries: 3
  until: apt_result is succeeded
--- a/roles/debian_common/tasks/main.yml
+++ b/roles/debian_common/tasks/main.yml
@ -39,37 +39,6 @@
    dest: /etc/apt/sources.list
    mode: 0644
 # Patriotisme
 - name: Ensure French UTF-8 locale exists
  locale_gen:
    name: fr_FR.UTF-8
    state: present
 # Fix LC_CTYPE="C"
 - name: Select default locale
  debconf:
    name: locales
    question: locales/default_environment_locale
    value: fr_FR.UTF-8
    vtype: select
  notify: Reconfigure locales
 # APT-List Changes : send email with changelog
 - include_tasks: apt-listchanges.yml
 # APT Unattended upgrades
 - include_tasks: apt-unattended.yml
 # User skeleton
 - name: Configure user skeleton
  copy:
    src: "skel/dot_{{ item }}"
    dest: "/etc/skel/.{{ item }}"
    mode: 0644
  loop:
    - zshrc
    - zshrc.local
 - name: Configure resolvconf
  template:
    src: resolv.conf
@ -90,3 +59,4 @@
 - name: Remove dependencies that are no longer required
  apt:
    autoremove: true
 ...
--- a/roles/debian_common/templates/apt/sources.list.j2
+++ b/roles/debian_common/templates/apt/sources.list.j2
--- a/roles/debian_common/templates/resolv.conf
+++ b/roles/debian_common/templates/resolv.conf
--- a/roles/ldap_client/tasks/1_group_security.yml
+++ b/roles/ldap_client/tasks/1_group_security.yml
@ -1,13 +1,4 @@
 ---
 # Filter SSH on groups
 - name: Filter SSH on groups
  when: ansible_facts['hostname'] != "camelot"  # Camelot is accessible for everyone
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: ^AllowGroups
    line: AllowGroups root sudoldap aurore ssh
    state: present
 # To gain root access with ldap rights
 - name: Install SUDO package
  package:
--- a/roles/ldap_client/tasks/main.yml
+++ b/roles/ldap_client/tasks/main.yml
@ -2,9 +2,6 @@
 # Install and configure main LDAP tools
 - include_tasks: install_ldap.yml
 # Filter who can access server and sudo on groups
 - include_tasks: 1_group_security.yml
 # Some userland scripts specific to LDAP install
 - include_tasks: 2_userland_scripts.yml
@ -14,11 +11,3 @@
    dest: /etc/pam.d/common-account
    regexp: 'pam_mkhomedir\.so'
    line: "session required pam_mkhomedir.so skel=/etc/skel/ umask=0077"
 # If LDAP crashes
 - name: Install SSH keys for root account
  authorized_key:
    user: root
    key: "{{ ssh_pub_keys }}"
    state: present
    exclusive: true
--- a/roles/locales/defaults/main.yml
+++ b/roles/locales/defaults/main.yml
@ -0,0 +1,4 @@
 ---
 locales_default: en_US.UTF-8
 locales_additional: []
 ...
--- a/roles/baseconfig/handlers/main.yml
+++ b/roles/baseconfig/handlers/main.yml
@ -1,4 +1,4 @@
 ---
 # Reconfigure locales when conf changes
 - name: Reconfigure locales
  command: dpkg-reconfigure locales -f noninteractive
 ...
--- a/roles/locales/tasks/main.yml
+++ b/roles/locales/tasks/main.yml
@ -0,0 +1,15 @@
 ---
 - name: Install locales
  locale_gen:
    name: "{{ item }}"
    state: present
  loop: "{{ [locales_default] + locales_additional }}"
 - name: Select default locale
  debconf:
    name: locales
    question: locales/default_environment_locale
    value: "{{ locales_default }}"
    vtype: select
  notify: Reconfigure locales
 ...
--- a/roles/openssh_server/defaults/main.yml
+++ b/roles/openssh_server/defaults/main.yml
@ -1,4 +1,7 @@
 ---
 openssh_authorized_principals:
  - any
 openssh_allow_passwords: false
 openssh_whitelist_users: []
 openssh_whitelist_groups: []
 ...
--- a/roles/openssh_server/templates/sshd_config.j2
+++ b/roles/openssh_server/templates/sshd_config.j2
@ -20,14 +20,19 @@ KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384
 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
 MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
 {% if openssh_allow_passwords %}
 AuthenticationMethods password publickey
 UsePAM yes
 {% else %}
 AuthenticationMethods publickey
 UsePAM no
 {% endif %}
 TrustedUserCAKeys /etc/ssh/users_ca.pub
 AuthorizedPrincipalsFile /etc/ssh/authorized_principals
 StrictModes yes
-UsePAM no
+PermitRootLogin without-password
 PermitRootLogin yes
 PermitUserRC no
 PermitUserEnvironment no
 AllowAgentForwarding no
@ -43,3 +48,10 @@ UseDNS no
 AcceptEnv LANG LC_*
 Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO
 AllowUsers {{ openssh_whitelist_users | default(['root'], true) | join(' ') }}
 {% for group in openssh_whitelist_groups %}
 Match group {{ group }}
 	AllowUsers *
 {% endfor %}
--- a/roles/qemu_guest_agent/tasks/main.yml
+++ b/roles/qemu_guest_agent/tasks/main.yml
@ -0,0 +1,5 @@
 ---
 - name: Install qemu-guest-agent
  apt:
    name: qemu-guest-agent
 ...
--- a/roles/ulogd2/templates/ulogd.conf.j2
+++ b/roles/ulogd2/templates/ulogd.conf.j2
@ -0,0 +1,17 @@
 {{ ansible_managed | comment }}
 [global]
 logfile="syslog"
 loglevel=3
 plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_inpflow_NFCT.so"
 plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_IP2STR.so"
 plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_PRINTFLOW.so"
 plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_SYSLOG.so"
 stack=ct:NFCT,ip2str:IP2STR,print:PRINTFLOW,sys:SYSLOG
 [ct]
 #reliable=1
 hash_enable=0
 [sys]
 facility=LOG_LOCAL2