it-team/lmn-client
3
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Fix some ansible-lint complaints.

Browse source
This commit is contained in:
Andreas B. Mundt 2022-06-11 12:42:02 +02:00 committed by Andreas B. Mundt
parent c7030c9245
commit 2cf34e8e55
64 changed files with 357 additions and 297 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
README.kerberox
View file

@ -5,7 +5,7 @@
sudo cat /root/kadmin.pwd
## Then:
cd /home/ansible/debian-lan/
cd /home/ansible/debian-lan/
ansible-playbook --ask-become-pass kerberox-client.yml
## Enter the 'BECOME' password and the kadmin password obtained above.
## Enter the 'BECOME' password and the kadmin password obtained above.

14
cloudbox.yml
View file

@ -4,12 +4,12 @@
- name: apply configuration to the cloudbox
hosts: cloudboxes
remote_user: ansible
become: Yes
become: true
vars:
if_lan: "enp1s0"
ipaddr: "192.168.2.50/24"
gateway: "192.168.2.1"
DNS: "192.168.2.1"
dns: "192.168.2.1"
ddns_domain: "something.ddnss.de"
ddns_updkey: "138638.some.key.here.635620"
## 'nc_download' and 'nc_checksum' are only
@ -32,17 +32,16 @@
# - low-power
- nextcloud
- nextcloud-upgrade
- backup
# - backup
## Hosts in the the 'only_nextcloud'-group are only upgraded:
## Hosts in the the 'only_nextcloud'-group are only upgraded:
- name: upgrade nextcloud only
hosts: only_nextcloud
remote_user: ansible
become: Yes
become: true
vars:
nc_dir: "/var/www/nextcloud"
nc_dir: "/var/www/nextcloud"
nc_apps:
- calendar
- notes
@ -51,4 +50,3 @@
roles:
- up2date-debian
- nextcloud-upgrade

8
edubox.yml
View file

@ -23,7 +23,7 @@
- name: apply configuration to the edubox
hosts: all # eduboxes
remote_user: ansible
become: yes
become: true
vars:
contname: cont
## User name for the user in the container:
@ -52,19 +52,19 @@
- name: install apt-cacher-ng
apt:
name: apt-cacher-ng
state: latest
state: latest # noqa package-latest
- name: enable apt-cacher-ng
lineinfile:
path: /etc/apt/apt.conf.d/30proxy
line: 'Acquire::http::Proxy "http://localhost:3142/";'
create: yes
create: true
- name: enable and start systemd-networkd on the host
systemd:
name: systemd-networkd
state: started
enabled: yes
enabled: true
roles:
- up2date-debian

2
host_vars/blackbox.yml
View file

@ -1,4 +1,4 @@
allow_download: True
allow_download: true
backup_dirs_extra:
- /home
backup_opts_extra: ""

2
host_vars/bluebox.yml
View file

@ -1 +1 @@
allow_download: True
allow_download: true

2
installbox.yml
View file

@ -6,7 +6,7 @@
- name: apply configuration to the installbox
hosts: all
remote_user: ansible
become: yes
become: true
vars:
## This interface provides the default route:

8
kerberox-client.yml
View file

@ -4,7 +4,7 @@
- name: apply configuration to the machines
hosts: all
remote_user: ansible
become: yes
become: true
vars:
extra_pkgs:
- webext-privacy-badger
@ -16,12 +16,12 @@
vars_prompt:
- name: "kadmin_pwd"
prompt: "Provide kadmin password to fetch kerberos keytab.\nLeave empty if done already"
private: yes
private: true
roles:
- up2date-debian
- lan-client
- kerberize
## Choose either gnome or KDE:
#- gnome
#- kde
# - gnome
# - kde

10
kerberox.yml
View file

@ -5,7 +5,7 @@
- name: apply configuration to the kerberox server
hosts: all
remote_user: ansible
become: yes
become: true
vars:
## This interface provides the default route:
@ -34,7 +34,7 @@
In case you would like to prepare a test user 'foo' and have
not done so yet, provide foo's password here. Leave empty to
just continue
private: yes
private: true
pre_tasks:
@ -50,7 +50,9 @@
- netboot-installer
- dnsmasq
- apt-cacher
- { role: krb5-kdc-ldap, when: not run_in_installer|default(false)|bool }
- { role: nfs-server, when: not run_in_installer|default(false)|bool }
- role: krb5-kdc-ldap
when: not run_in_installer|default(false)|bool
- role: nfs-server
when: not run_in_installer|default(false)|bool
- prepare4clients
- kerberize

4
kiosk.yml
View file

@ -4,7 +4,7 @@
- name: apply configuration to the machines
hosts: all
remote_user: ansible
become: yes
become: true
vars:
auto_user: debi
wifi_ssid: "YOUR SSID HERE"
@ -18,5 +18,5 @@
- up2date-debian
## Choose either gnome or KDE:
- gnome
#- kde
# - kde
- kiosk

2
minimal-krb5.yml
View file

@ -4,7 +4,7 @@
- name: apply a minimal configuration with kerberos LAN integration
hosts: all
remote_user: ansible
become: yes
become: true
roles:
- up2date-debian
- lan-client

2
minimal.yml
View file

@ -4,6 +4,6 @@
- name: apply a minimal configuration to the machine
hosts: all
remote_user: ansible
become: yes
become: true
roles:
- up2date-debian

14
roles/apt-cacher/tasks/main.yml
View file

@ -1,17 +1,17 @@
- name: install apt-cacher-ng package
apt:
name: apt-cacher-ng
state: latest
state: latest # noqa package-latest
- name: enable apt-cacher-ng for localhost
copy:
src: apt.conf
dest: /etc/apt/apt.conf
force: no
force: false
mode: 0644
notify: "start apt-cacher-ng"
when: not run_in_installer|default(false)|bool ## do not enable apt-cacher during installation
- name: check if preseeded installer is available
stat: path={{ tftp_root }}/d-i/{{ di_dist }}/preseed.cfg
register: preseedcfg
@ -27,8 +27,8 @@
firewalld:
zone: internal
port: 3142/tcp
permanent: yes
immediate: yes
permanent: true
immediate: true
state: enabled
when: not run_in_installer|default(false)|bool
@ -36,5 +36,5 @@
command: "firewall-offline-cmd --zone=internal --add-port=3142/tcp"
when: run_in_installer|default(false)|bool
- meta: flush_handlers
- name: flush handler to make apt-cacher available
meta: flush_handlers

2
roles/backup/handlers/main.yml
View file

@ -2,5 +2,5 @@
systemd:
name: backup.timer
state: started
enabled: True
enabled: true
listen: "enable backup.timer"

5
roles/backup/tasks/main.yml
View file

@ -1,7 +1,7 @@
- name: install borg
apt:
name: borgbackup
state: latest
state: latest # noqa package-latest
- name: check if borg password is available
stat: path="{{ borg_pwd_file }}"
@ -9,7 +9,7 @@
- name: dump borg password
shell: echo -n "{{ borg_pwd }}" > "{{ borg_pwd_file }}" ; chmod 0600 "{{ borg_pwd_file }}"
no_log: True
no_log: true
when: not borg.stat.exists
- name: provide backup script
@ -22,6 +22,7 @@
copy:
src: "{{ item }}"
dest: "/etc/systemd/system/{{ item }}"
mode: 0644
with_items:
- backup.service
- backup.timer

4
roles/ddns-update/handlers/main.yml
View file

@ -2,6 +2,6 @@
systemd:
name: ddns-update.timer
state: restarted
daemon_reload: yes
enabled: yes
daemon_reload: true
enabled: true
listen: "enable ddns-update timer"

3
roles/ddns-update/tasks/main.yml
View file

@ -5,6 +5,7 @@
template:
src: ddns-update.conf.j2
dest: /etc/ddns-update/ddns-update.conf
mode: 0644
- name: install ddns-update script
copy:
@ -16,9 +17,11 @@
copy:
src: ddns-update.service
dest: /etc/systemd/system/ddns-update.service
mode: 0644
- name: install ddns-update.timer
copy:
src: ddns-update.timer
dest: /etc/systemd/system/ddns-update.timer
mode: 0644
notify: enable ddns-update timer

23
roles/dns-dhcp-tftp/tasks/main.yml
View file

@ -12,7 +12,7 @@
- isc-dhcp-server
- tftpd-hpa
- bind9
state: latest
state: latest # noqa package-latest
## FIXME: preseeding seems to be ignored
- name: configure TFTP root directory
@ -22,7 +22,7 @@
replace: 'TFTP_DIRECTORY="/var/lib/tftpboot"'
notify: restart tftpd-hpa
- name: serve dhcp on LAN interface
- name: serve dhcp on LAN interface
replace:
path: /etc/default/isc-dhcp-server
regexp: '^INTERFACESv4=".*"$'
@ -33,13 +33,15 @@
template:
src: dhcpd.conf.j2
dest: /etc/dhcp/dhcpd.conf
backup: yes
mode: 0644
backup: true
notify: restart isc-dhcp-server
- name: deploy config files for bind9
- name: deploy config files for bind9
template:
src: "{{ item }}.j2"
dest: "/etc/bind/{{ item }}"
mode: 0644
loop:
- db.intern
- localzones
@ -49,6 +51,7 @@
template:
src: db.lan.j2
dest: "/etc/bind/db.{{ ipaddr_lan_threeoct }}"
mode: 0644
notify: restart bind
- name: link zone files to writeable directory for DDNS
@ -71,6 +74,7 @@
template:
src: resolv.conf.j2
dest: /etc/resolv.conf
mode: 0644
notify: restart isc-dhcp-server
## stop dhclient from overwriting /etc/resolv.conf:
@ -80,7 +84,7 @@
block: |
supersede domain-search "{{ ansible_domain }}";
supersede domain-name-servers 127.0.0.1;
insertbefore: "#send dhcp-client-identifier.*"
insertbefore: "#send dhcp-client-identifier.*"
notify: restart dhcp-client
- name: generate rndc key
@ -90,11 +94,10 @@
- name: copy rndc key
copy:
src: /etc/bind/rndc.key
src: /etc/bind/rndc.key
dest: /etc/dhcp/
owner: root
owner: root
group: root
mode: '0640'
remote_src: yes
mode: 0640
remote_src: true
notify: restart isc-dhcp-server

2
roles/dns-dhcp-tftp/templates/dhcpd.conf.j2
View file

@ -56,7 +56,7 @@ subnet {{ ipaddr_lan | ipaddr("network") }} netmask {{ ipaddr_lan | ipaddr("netm
}
# No service will be given on this subnet, but declaring it helps the
# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.
#subnet 10.152.187.0 netmask 255.255.255.0 {

4
roles/dnsmasq/tasks/main.yml
View file

@ -7,16 +7,18 @@
name:
- dnsmasq
- resolvconf
state: latest
state: latest # noqa package-latest
- name: configure dnsmasq dhcp
template:
src: dnsmasq-dhcp.j2
dest: /etc/dnsmasq.d/dnsmasq-dhcp
mode: 0644
notify: "restart dnsmasq"
- name: configure dnsmasq tftp
template:
src: dnsmasq-tftp-netboot-installer.j2
dest: /etc/dnsmasq.d/tftp-netboot-installer
mode: 0644
notify: "restart dnsmasq"

2
roles/educontainer/handlers/main.yml
View file

@ -2,6 +2,6 @@
systemd:
name: systemd-nspawn@{{ contname }}{{ "%02d" | format(item|int) }}.service
state: restarted
enabled: yes
enabled: true
loop: "{{ containers }}"
listen: enable and restart containers

4
roles/educontainer/tasks/main.yml
View file

@ -2,8 +2,8 @@
##
## Port mapping to the host:
##
## container 0: ssh → host port 10000, HTTP → 10100
## container 1: ssh → host port 10001, HTTP → 10101
## container 0: ssh → host port 10000, HTTP → 10100
## container 1: ssh → host port 10001, HTTP → 10101
## ... ... ...
##
## User '{{ contuser }}' in the sudo group. Password is '{{ contpwd }}'.

45
roles/educontainer/tasks/setup.yml
View file

@ -5,7 +5,7 @@
name:
- systemd-container
- debootstrap
state: latest
state: latest # noqa package-latest
- name: prepare machine directory
file:
@ -23,7 +23,7 @@
args:
chdir: /var/lib/machines/
creates: /var/lib/machines/{{ contname }}00
environment:
environment:
http_proxy: "{{ '' if run_in_installer|default(false) else 'http://localhost:3142' }}"
notify: enable and restart containers
@ -31,7 +31,8 @@
copy:
src: /etc/apt/sources.list
dest: /var/lib/machines/{{ contname }}00/etc/apt/sources.list
remote_src: yes
mode: 0644
remote_src: true
- name: configure locale
lineinfile:
@ -57,7 +58,7 @@
- name: provide {{ contuser }} user account
command:
cmd: >
chroot . sh -c '/usr/sbin/useradd -m -s /bin/bash
chroot . sh -c '/usr/sbin/useradd -m -s /bin/bash
-c "User {{ contuser }},,," -G sudo {{ contuser }}'
args:
chdir: /var/lib/machines/{{ contname }}00
@ -89,6 +90,7 @@
file:
path: /var/lib/machines/{{ contname }}00/etc/systemd/system/{{ item }}
state: directory
mode: 0755
loop:
- multi-user.target.wants
- sockets.target.wants
@ -100,13 +102,17 @@
src: /lib/systemd/system/{{ item.src }}
dest: /var/lib/machines/{{ contname }}00/etc/systemd/system/{{ item.dest }}
state: link
follow: False
force: yes
follow: false
force: true
loop:
- { src: systemd-networkd.service, dest: dbus-org.freedesktop.network1.service }
- { src: systemd-networkd.service, dest: multi-user.target.wants/systemd-networkd.service }
- { src: systemd-networkd.socket, dest: sockets.target.wants/systemd-networkd.socket }
- { src: systemd-networkd-wait-online.service, dest: network-online.target.wants/systemd-networkd-wait-online.service }
- src: systemd-networkd.service
dest: dbus-org.freedesktop.network1.service
- src: systemd-networkd.service
dest: multi-user.target.wants/systemd-networkd.service
- src: systemd-networkd.socket
dest: sockets.target.wants/systemd-networkd.socket
- src: systemd-networkd-wait-online.service
dest: network-online.target.wants/systemd-networkd-wait-online.service
notify: enable and restart containers
- name: enable systemd-resolved in containers
@ -114,11 +120,13 @@
src: /lib/systemd/system/{{ item.src }}
dest: /var/lib/machines/{{ contname }}00/etc/systemd/system/{{ item.dest }}
state: link
follow: False
force: yes
follow: false
force: true
loop:
- { src: systemd-resolved.service, dest: dbus-org.freedesktop.resolve1.service }
- { src: systemd-resolved.service, dest: multi-user.target.wants/systemd-resolved.service }
- src: systemd-resolved.service
dest: dbus-org.freedesktop.resolve1.service
- src: systemd-resolved.service
dest: multi-user.target.wants/systemd-resolved.service
notify: enable and restart containers
########
@ -126,7 +134,8 @@
copy:
content: "# Avoid 'too many open files' error:"
dest: /etc/sysctl.d/inotify.conf
force: no
mode: 0644
force: false
- name: fix too many open files error
sysctl:
@ -146,11 +155,13 @@
file:
path: /etc/systemd/nspawn
state: directory
mode: 0755
- name: provide container configuration
template:
src: contcfg.nspawn.j2
dest: /etc/systemd/nspawn/{{ contname}}{{ "%02d" | format(item|int) }}.nspawn
dest: /etc/systemd/nspawn/{{ contname }}{{ "%02d" | format(item|int) }}.nspawn
mode: 0644
loop: "{{ containers }}"
notify: enable and restart containers
@ -158,6 +169,7 @@
template:
src: hostname.j2
dest: /var/lib/machines/{{ contname }}{{ "%02d" | format(item|int) }}.hostname
mode: 0644
loop: "{{ containers }}"
notify: enable and restart containers
@ -165,5 +177,6 @@
template:
src: hosts.j2
dest: /var/lib/machines/{{ contname }}{{ "%02d" | format(item|int) }}.hosts
mode: 0644
loop: "{{ containers }}"
notify: enable and restart containers

18
roles/gnome/tasks/main.yml
View file

@ -1,5 +1,5 @@
#- name: gnome hibernate by default
# apt: name=gnome-shell-extension-suspend-button state=latest
# - name: gnome hibernate by default
# apt: name=gnome-shell-extension-suspend-button state=latest # noqa package-latest
- name: gnome desktop
apt:
@ -8,24 +8,32 @@
- cups
- ssh-askpass-gnome
- gnome-shell-extension-dashtodock
state: latest
state: latest # noqa package-latest
- name: make sure /etc/dconf/profile/ exists
file: path=/etc/dconf/profile/ state=directory recurse=yes
file:
path: /etc/dconf/profile/
state: directory
recurse: true
- name: prepare for gnome customized defaults
copy:
src: user
dest: /etc/dconf/profile/user
mode: 0644
notify: update dconf
- name: make sure /etc/dconf/db/local.d/ exists
file: path=/etc/dconf/db/local.d/ state=directory recurse=yes
file:
path: /etc/dconf/db/local.d/
state: directory
recurse: true
- name: modify gnome defaults
copy:
src: defaults
dest: /etc/dconf/db/local.d/defaults
mode: 0644
notify: update dconf
## Bug #698504

4
roles/kde/tasks/main.yml
View file

@ -4,9 +4,9 @@
- task-kde-desktop
- sddm-theme-debian-breeze
- cups
state: latest
state: latest # noqa package-latest
## Bug #698504
- name: allow print job management
replace:

23
roles/kiosk/handlers/main.yml
View file

@ -5,26 +5,15 @@
- name: reload NetworkManager
when: not run_in_installer|default(false)|bool
systemd:
daemon_reload: yes
daemon_reload: true
name: NetworkManager
state: reloaded
enabled: yes
enabled: true
listen: reload NetworkManager
# fails in installer with stretch, workaround below:
#- name: enable tmp.mount
# systemd:
# daemon_reload: yes
# name: tmp.mount
# enabled: yes
- name: make sure local-fs.target.wants exists
file: path=/etc/systemd/system/local-fs.target.wants/ state=directory
listen: enable tmp.mount
- name: enable tmp.mount
file:
src: /etc/systemd/system/tmp.mount
dest: /etc/systemd/system/local-fs.target.wants/tmp.mount
state: link
systemd:
daemon_reload: true
name: tmp.mount
enabled: true
listen: enable tmp.mount

35
roles/kiosk/tasks/main.yml
View file

@ -9,37 +9,40 @@
## gdm3:
- name: enable auto login in gdm3
when: gdm3.stat.exists == true
lineinfile:
dest: /etc/gdm3/daemon.conf
insertafter: '^#\s*AutomaticLoginEnable = true'
line: 'AutomaticLoginEnable = true'
when: gdm3.stat.exists
- name: auto login user in gdm3
when: gdm3.stat.exists == true
lineinfile:
dest: /etc/gdm3/daemon.conf
insertafter: '^#\s*AutomaticLogin = '
line: 'AutomaticLogin = {{ auto_user }}'
when: gdm3.stat.exists
## sddm/KDE:
- name: enable auto login in sddm
when: sddm.stat.exists == true
when: sddm.stat.exists
template:
src: sddm.conf.j2
dest: /etc/sddm.conf
mode: 0644
- name: kde global defaults
when: sddm.stat.exists == true
when: sddm.stat.exists
copy:
src: kde5rc
dest: /etc/kde5rc
mode: 0644
- name: modify kde screen lock
when: sddm.stat.exists == true
when: sddm.stat.exists
copy:
src: kscreenlockerrc
dest: /etc/xdg/kscreenlockerrc
mode: 0644
########
@ -49,7 +52,7 @@
dest: /etc/default/grub
regexp: '^(GRUB_CMDLINE_LINUX=)""'
line: '\1"video=SVIDEO-1:d"'
backrefs: yes
backrefs: true
notify: update grub
- name: grub timeout
@ -57,7 +60,7 @@
dest: /etc/default/grub
regexp: '^(GRUB_TIMEOUT=).*'
line: '\g<1>1'
backrefs: yes
backrefs: true
notify: update grub
- name: keyboard compose key
@ -65,7 +68,7 @@
dest: /etc/default/keyboard
regexp: '^(XKBOPTIONS=).*'
line: '\1"compose:caps"'
backrefs: yes
backrefs: true
- name: hibernate when lid is closed
lineinfile:
@ -74,9 +77,11 @@
line: 'HandleLidSwitch=hibernate'
- name: tmp on tmpfs
shell: cp /usr/share/systemd/tmp.mount /etc/systemd/system/
args:
creates: /etc/systemd/system/tmp.mount
copy:
src: /usr/share/systemd/tmp.mount
dest: /etc/systemd/system/tmp.mount
mode: 0644
remote_src: true
notify: enable tmp.mount
- name: mount tmpfs on /home/{{ auto_user }}
@ -92,19 +97,19 @@
name: "{{ auto_user }}"
comment: "Autologin Debian User,,,"
shell: /bin/bash
createhome: no
createhome: false
password: '*'
- name: check if NetworkManager is installed
stat: path=/etc/NetworkManager/system-connections
register: NetworkManager
register: networkmanager
- name: add wifi config
when: NetworkManager.stat.exists == true
template:
src: wifi.j2
dest: /etc/NetworkManager/system-connections/{{ wifi_ssid }}
owner: root
group: root
mode: '0600'
mode: 0600
when: networkmanager.stat.exists
notify: reload NetworkManager

2
roles/krb5-kdc-ldap/meta/main.yml
View file

@ -1,3 +1,3 @@
---
dependencies:
dependencies: # noqa meta-no-info
- role: ldap

24
roles/krb5-kdc-ldap/tasks/main.yml
View file

@ -1,7 +1,8 @@
## Install and configure krb5-kdc-ldap (if not done yet),
## run most tasks only on krb5-kdc-ldap installation.
---
- fail: msg="The machine's domain must not be empty."
- name: check that domain name is available
fail: msg="The machine's domain must not be empty."
when: ansible_domain | length == 0
- name: check if krb5kdc is already there
@ -12,19 +13,26 @@
template:
src: krb5.conf.j2
dest: /etc/krb5.conf
mode: 0644
- name: make sure krb5kdc exists
file: path=/etc/krb5kdc state=directory recurse=yes
file:
path: /etc/krb5kdc
state: directory
recurse: true
mode: 0755
- name: prepare kdc.conf
template:
src: kdc.conf.j2
dest: /etc/krb5kdc/kdc.conf
mode: 0644
- name: prepare kadm5.acl
template:
src: kadm5.acl.j2
dest: /etc/krb5kdc/kadm5.acl
mode: 0644
notify: "restart krb5-admin-server"
- name: install krb5-kdc-ldap and krb5-admin-server
@ -32,7 +40,7 @@
name:
- krb5-kdc-ldap
- krb5-admin-server
state: latest
state: latest # noqa package-latest
- name: prepare kerberos.openldap.ldif
shell: gunzip -c /usr/share/doc/krb5-kdc-ldap/kerberos.openldap.ldif.gz > /etc/ldap/schema/kerberos.openldap.ldif
@ -126,12 +134,12 @@
- "{1}uid=([^,]*),cn=gs2-iakerb,cn=auth uid=$1,ou=people,{{ basedn }}"
state: exact
- name: prepare password for kdc
- name: prepare password for kdc # noqa risky-shell-pipe
shell: echo "cn=kdc,cn=kerberos,{{ basedn }}#{HEX}$(echo -n {{ kdc_service_pwd }} | xxd -g0 -ps -c 256 | sed 's/0a$//')" > /etc/krb5kdc/service.keyfile
no_log: true
when: not krb5kdc.stat.exists
- name: prepare password for kadmin
- name: prepare password for kadmin # noqa risky-shell-pipe
shell: echo "cn=kadmin,cn=kerberos,{{ basedn }}#{HEX}$(echo -n {{ kadmin_service_pwd }} | xxd -g0 -ps -c 256 | sed 's/0a$//')" >> /etc/krb5kdc/service.keyfile
no_log: true
when: not krb5kdc.stat.exists
@ -196,7 +204,7 @@
replace:
path: /etc/hosts
regexp: "^({{ ipaddr_lan | ipaddr('address') }}\\s.+)$"
replace: '\1 kerberos'
replace: '\1 kerberos'
when: not krb5kdc.stat.exists
########################
@ -212,8 +220,8 @@
firewalld:
zone: internal
service: "{{ item }}"
permanent: yes
immediate: yes
permanent: true
immediate: true
state: enabled
with_items:
- kerberos

2
roles/lan-client/defaults/main.yml
View file

@ -1,4 +1,4 @@
lan_homes: /home/lan
lan_homes: /home/lan
basedn: "{{ 'dc=' + ( ansible_domain | replace('^.','') | replace('.$','') | replace('.',',dc=')) }}"
ldap_server: ldap
krb_server: kerberos

4
roles/lan-client/handlers/main.yml
View file

@ -4,12 +4,12 @@
- name: reload systemd
systemd:
daemon_reload: yes
daemon_reload: true
listen: "reload systemd"
- name: restart rpc-gssd
systemd:
name: rpc-gssd
daemon_reload: yes
daemon_reload: true
state: restarted
notify: "restart rpc-gssd"

7
roles/lan-client/tasks/main.yml
View file

@ -1,5 +1,6 @@
---
- fail: msg="The machine's domain must not be empty."
- name: check if domain name is available
fail: msg="The machine's domain must not be empty."
when: ansible_domain | length == 0
- name: preseed krb5-config realm
@ -31,7 +32,7 @@
- sssd-krb5
- sssd-ldap
- nfs-common
state: latest
state: latest # noqa package-latest
- name: add URI to ldap.conf
lineinfile:
@ -48,7 +49,7 @@
- name: enable pam_umask
lineinfile:
dest: /etc/pam.d/common-session
line: "session optional pam_umask.so usergroups"
line: "session optional pam_umask.so usergroups"
## oddjob-mkhomedir works only with sec=sys for the NFSv4 share

6
roles/ldap/defaults/main.yml
View file

@ -1,9 +1,9 @@
ldap_admin_pwd: "{{ lookup('password', '/tmp/ldap_admin.pwd chars=ascii_letters,digits length=32') }}"
ldap_admin_pwd_file: "/root/ldap-admin.pwd"
basedn: "{{ 'dc=' + ( ansible_domain | replace('^.','') | replace('.$','') | replace('.',',dc=')) }}"
TLSCertificateFile: "/etc/ssl/certs/ssl-cert-snakeoil.pem"
TLSCertificateKeyFile: "/etc/ssl/private/ssl-cert-snakeoil.key"
lan_homes: /home/lan
certpub: "/etc/ssl/certs/ssl-cert-snakeoil.pem"
certpriv: "/etc/ssl/private/ssl-cert-snakeoil.key"
lan_homes: /home/lan
min_id: 10000
max_id: 20000
ldapuser_gid: 8000

4
roles/ldap/handlers/main.cfg Normal file
View file

@ -0,0 +1,4 @@
---
- name: restart slapd
systemd: name=slapd state=restarted
listen: restart slapd

7
roles/ldap/tasks/main.yml
View file

@ -1,6 +1,7 @@
## Install and configure slapd.
---
- fail: msg="The machine's domain must not be empty."
- name: check if domain name is available
fail: msg="The machine's domain must not be empty."
when: ansible_domain | length == 0
- name: check if slapd is already set up
@ -87,6 +88,6 @@
firewalld:
zone: internal
service: ldap
permanent: yes
immediate: yes
permanent: true
immediate: true
state: enabled

26
roles/ldap/tasks/setup.yml
View file

@ -3,7 +3,7 @@
- name: preseed ldap domain
debconf:
name: slapd
question: slapd/domain
question: slapd/domain
value: "{{ ansible_domain }}"
vtype: string
@ -24,7 +24,9 @@
no_log: true
- name: dump admin password
shell: echo -n "{{ ldap_admin_pwd }}" > "{{ ldap_admin_pwd_file }}" ; chmod 0600 "{{ ldap_admin_pwd_file }}"
shell:
cmd: echo -n "{{ ldap_admin_pwd }}" > "{{ ldap_admin_pwd_file }}" ; chmod 0600 "{{ ldap_admin_pwd_file }}"
creates: "{{ ldap_admin_pwd_file }}"
no_log: true
- name: install packages for LDAP
@ -35,37 +37,35 @@
- ldapvi
- python3-ldap
- ssl-cert
state: latest
state: latest # noqa package-latest
- name: add openldap to the ssl-cert group
user:
name: openldap
groups: ssl-cert
append: yes
register: ssl_cert_group
- name: restart slapd
systemd: name=slapd state=restarted
when: ssl_cert_group.changed
append: true
notify: restart slapd
- name: make initial slapd configuration available
copy:
src: slapd-config.ldif
dest: /etc/ldap/slapd.d/
mode: 0644
- name: make slapd TLS configuration available
template:
src: slapd-TLS.ldif
dest: /etc/ldap/slapd.d/
mode: 0644
- name: activate ppolicy schema
command: ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif
command: ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif # noqa no-changed-when
- name: initialize slapd if it has just been installed
command: ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/slapd.d/slapd-config.ldif
command: ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/slapd.d/slapd-config.ldif # noqa no-changed-when
- name: configure LDAP TLS
command: ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/slapd.d/slapd-TLS.ldif
command: ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/slapd.d/slapd-TLS.ldif # noqa no-changed-when
- name: add URI to ldap.conf
lineinfile:
@ -83,7 +83,7 @@
replace:
path: /etc/ldap/ldap.conf
regexp: "^(TLS_CACERT\\s+/etc/ssl/certs/ca-certificates.crt)$"
replace: '#\1\nTLS_CACERT\t{{ TLSCertificateFile }}'
replace: '#\1\nTLS_CACERT\t{{ certpub }}'
- name: enable pam-mkhomedir
command: pam-auth-update --enable mkhomedir

4
roles/ldap/templates/slapd-TLS.ldif
View file

@ -2,8 +2,8 @@
dn: cn=config
changetype: modify
add: olcTLSCertificateFile
olcTLSCertificateFile: {{ TLSCertificateFile }}
olcTLSCertificateFile: {{ certpub }}
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: {{ TLSCertificateKeyFile }}
olcTLSCertificateKeyFile: {{ certpriv }}
-

2
roles/low-power/handlers/main.yml
View file

@ -1,5 +1,5 @@
- name: enable powertop timer
systemd:
name: powertop.timer
enabled: yes
enabled: true
listen: "enable powertop timer"

4
roles/low-power/tasks/main.yml
View file

@ -1,5 +1,5 @@
- name: install some packages
apt: name={{ item }} state=latest
apt: name={{ item }} state=latest # noqa package-latest
with_items:
- powertop
@ -7,9 +7,11 @@
copy:
src: powertop.service
dest: /etc/systemd/system/powertop.service
mode: 0644
- name: install powertop.timer
copy:
src: powertop.timer
dest: /etc/systemd/system/powertop.timer
mode: 0644
notify: enable powertop timer

8
roles/netboot-installer/tasks/main.yml
View file

@ -2,6 +2,7 @@
file:
path: "{{ tftp_root }}/d-i/{{ di_dist }}"
state: directory
mode: 0755
- name: install di-netboot-assistant and installer package
apt:
@ -16,11 +17,12 @@
copy:
src: /usr/share/doc/di-netboot-assistant/examples/preseed.cfg
dest: "{{ tftp_root }}/d-i/{{ di_dist }}"
force: no
remote_src: yes
mode: 0644
force: false
remote_src: true
- name: make the hostname resolvable from the LAN
replace:
path: /etc/hosts
regexp: '^(127\.0\.1\.1.*)$'
replace: '#\1\n{{ ipaddr_lan | ipaddr("address") }} {{ ansible_hostname }}.{{ ansible_domain }} {{ ansible_hostname }}'
replace: '#\1\n{{ ipaddr_lan | ipaddr("address") }} {{ ansible_hostname }}.{{ ansible_domain }} {{ ansible_hostname }}'

14
roles/nextcloud-upgrade/handlers/main.yml Normal file
View file

@ -0,0 +1,14 @@
---
## DB fixes (only on upgrade)
- name: add missing indices, columns and convert filecache
command: "{{ item }}"
args:
chdir: "{{ nc_dir }}"
warn: false
register: cmd_result
changed_when: cmd_result.stdout is search("updated successfully")
with_items:
- "sudo -u www-data php ./occ db:add-missing-indices"
- "sudo -u www-data php ./occ db:add-missing-columns"
- "sudo -u www-data php ./occ -n db:convert-filecache-bigint"
listen: update and fix data base

38
roles/nextcloud-upgrade/tasks/main.yml
View file

@ -1,18 +1,18 @@
---
- name: check/run upgrade
command: sudo -u www-data php updater.phar --no-interaction
args:
chdir: "{{ nc_dir }}/updater"
warn: False
warn: false
register: upgrade_result
changed_when: upgrade_result.stdout is not search('Nothing to do.')
notify: update and fix data base
- name: update apps
command: "sudo -u www-data php ./occ app:update --all"
args:
chdir: "{{ nc_dir }}"
warn: False
warn: false
register: cmd_result
changed_when: cmd_result.stdout | length > 0
@ -20,36 +20,8 @@
command: "sudo -u www-data php ./occ app:install {{ item }}"
args:
chdir: "{{ nc_dir }}"
warn: False
warn: false
with_items: "{{ nc_apps }}"
register: cmd_result
changed_when: cmd_result.stdout is not search('already installed')
failed_when: cmd_result.stdout is not search('already installed') and cmd_result.rc != 0
## DB fixes (only on upgrade)
- name: add missing indices
command: "sudo -u www-data php ./occ db:add-missing-indices"
args:
chdir: "{{ nc_dir }}"
warn: False
register: cmd_result
changed_when: cmd_result.stdout is search('table updated successfully')
when: upgrade_result.changed | default(true)
- name: add missing columns
command: "sudo -u www-data php ./occ db:add-missing-columns"
args:
chdir: "{{ nc_dir }}"
warn: False
register: cmd_result
changed_when: cmd_result.stdout is search('table updated successfully')
when: upgrade_result.changed | default(true)
- name: convert filecache to bigint
command: "sudo -u www-data php ./occ -n db:convert-filecache-bigint"
args:
chdir: "{{ nc_dir }}"
warn: False
register: cmd_result
changed_when: cmd_result.stdout is not search('tables already up to date')
when: upgrade_result.changed | default(true)
failed_when: cmd_result.stdout is not search('already installed') and cmd_result.rc != 0

2
roles/nextcloud/defaults/main.yml
View file

@ -4,4 +4,4 @@ nc_admin_pwd_file: "/root/nc-admin.pwd"
www_root: "/var/www"
nc_dir: "{{ www_root }}/nextcloud"
data_dir: "/var/nc-data"
allow_download: False
allow_download: false

2
roles/nextcloud/handlers/main.yml
View file

@ -14,5 +14,5 @@
systemd:
name: nextcloudcron.timer
state: started
enabled: True
enabled: true
listen: "enable nextcloudcron.timer"

58
roles/nextcloud/tasks/main.yml
View file

@ -5,8 +5,10 @@
register: nextcloud
- name: check for nextcloud archive
local_action: stat path=nextcloud.tar.bz2
become: No
stat:
path: nextcloud.tar.bz2
become: false
delegate_to: localhost
register: nc_archive
when: not nextcloud.stat.exists
@ -45,7 +47,7 @@
- php-xml
- php-zip
- unzip
state: latest
state: latest # noqa package-latest
- name: disable apache modules
apache2_module:
@ -68,10 +70,10 @@
- http2
notify: "restart apache2"
- name: find php version
- name: find php version # noqa risky-shell-pipe
shell: ls /etc/php/ | sort | tail -1
register: php_ver
changed_when: False
changed_when: false
- name: enable php-fpm conf
command: a2enconf php{{ php_ver.stdout }}-fpm
@ -85,10 +87,14 @@
regexp: "{{ item.regex }}"
replace: "{{ item.replace }}"
with_items:
- { regex: "^pm.max_children = .*$", replace: "pm.max_children = 10" }
- { regex: "^pm.start_servers = .*$", replace: "pm.start_servers = 4" }
- { regex: "^pm.min_spare_servers = .*$", replace: "pm.min_spare_servers = 2" }
- { regex: "^pm.max_spare_servers = .*$", replace: "pm.max_spare_servers = 6" }
- regex: "^pm.max_children = .*$"
replace: "pm.max_children = 10"
- regex: "^pm.start_servers = .*$"
replace: "pm.start_servers = 4"
- regex: "^pm.min_spare_servers = .*$"
replace: "pm.min_spare_servers = 2"
- regex: "^pm.max_spare_servers = .*$"
replace: "pm.max_spare_servers = 6"
notify: "restart php-fpm"
- name: increase php memory limit
@ -102,6 +108,7 @@
copy:
src: nextcloud.conf
dest: /etc/apache2/sites-available/nextcloud.conf
mode: 0644
notify: "restart apache2"
- name: enable nextcloud site
@ -123,6 +130,7 @@
file:
path: "{{ data_dir }}"
state: directory
mode: 0770
owner: www-data
group: www-data
@ -140,7 +148,7 @@
dest: "{{ www_root }}"
owner: www-data
group: www-data
remote_src: Yes
remote_src: true
when: not nextcloud.stat.exists and run_in_installer|default(false)|bool
- name: unpack provided nextcloud archive
@ -184,19 +192,19 @@
--data-dir "{{ data_dir }}"
args:
chdir: "{{ nc_dir }}"
no_log: True
no_log: true
when: not nextcloud.stat.exists
- name: dump nc-admin password
shell: echo -n "{{ nc_admin_pwd }}" > "{{ nc_admin_pwd_file }}" ; chmod 0600 "{{ nc_admin_pwd_file }}"
no_log: True
no_log: true
when: not nextcloud.stat.exists
- name: enable APCu memcache
command: sudo -u www-data php ./occ config:system:set memcache.local --value='\OC\Memcache\APCu'
args:
chdir: "{{ nc_dir }}"
warn: False
warn: false
when: not nextcloud.stat.exists
- name: enable acpu for nextcloud updates
@ -208,7 +216,7 @@
command: sudo -u www-data php ./occ config:system:set trusted_domains {{ item[0] }} --value='{{ item[1] }}'
args:
chdir: "{{ nc_dir }}"
warn: False
warn: false
when: not nextcloud.stat.exists
loop:
- [1, '192.168.*.*']
@ -220,6 +228,7 @@
copy:
src: "{{ item }}"
dest: "/etc/systemd/system/{{ item }}"
mode: 0644
with_items:
- nextcloudcron.service
- nextcloudcron.timer
@ -229,8 +238,8 @@
firewalld:
interface: "{{ ansible_default_ipv4.interface }}"
zone: public
permanent: Yes
immediate: Yes
permanent: true
immediate: true
state: enabled
when: not run_in_installer|default(false)|bool
@ -242,8 +251,8 @@
firewalld:
zone: public
service: https
permanent: Yes
immediate: Yes
permanent: true
immediate: true
state: enabled
when: not run_in_installer|default(false)|bool
@ -257,7 +266,7 @@
- name: install libapache2-mod-auth-gssapi
apt:
name: libapache2-mod-auth-gssapi
state: latest
state: latest # noqa package-latest
when: "'kerberize' in role_names"
notify: "restart apache2"
@ -267,8 +276,8 @@
dest: /etc/krb5.keytab.http
group: www-data
mode: "0640"
remote_src: yes
force: no
remote_src: true
force: false
when: "'kerberize' in role_names"
notify: "restart apache2"
@ -276,6 +285,7 @@
copy:
src: krb5-nextcloud.conf
dest: /etc/apache2/sites-available/krb5-nextcloud.conf
mode: 0644
when: "'kerberize' in role_names"
notify: "restart apache2"
@ -290,8 +300,8 @@
firewalld:
zone: internal
service: https
permanent: Yes
immediate: Yes
permanent: true
immediate: true
state: enabled
when: not run_in_installer|default(false)|bool and 'kerberize' in role_names
@ -303,7 +313,7 @@
command: sudo -u www-data php ./occ config:system:set trusted_domains 2 --value='{{ ansible_hostname }}.{{ ansible_domain }}'
args:
chdir: "{{ nc_dir }}"
warn: False
warn: false
when: not nextcloud.stat.exists and 'kerberize' in role_names

2
roles/nfs-server/defaults/main.yml
View file

@ -1,5 +1,5 @@
export_root: /srv/nfs4
lan_homes: /home/lan
lan_homes: /home/lan
basedn: "{{ 'dc=' + ( ansible_domain | replace('^.','') | replace('.$','') | replace('.',',dc=')) }}"
min_id: 10000
min_id_sssd: 5000

14
roles/nfs-server/tasks/main.yml
View file

@ -1,6 +1,7 @@
## Install and configure nfs-server
---
- fail: msg="The machine's domain must not be empty."
- name: check if ansible domain is nonempty
fail: msg="The machine's domain must not be empty."
when: ansible_domain | length == 0
- name: check if we are installing
@ -11,7 +12,7 @@
apt:
name:
- nfs-kernel-server
state: latest
state: latest # noqa package-latest # noqa package-latest
- name: make sure the export paths exists
file: path={{ export_root }}/home/ state=directory recurse=yes
@ -33,7 +34,7 @@
replace:
path: /etc/hosts
regexp: "^({{ ipaddr_lan | ipaddr('address') }}\\s.+)$"
replace: '\1 nfs'
replace: '\1 nfs'
when: not exports.stat.exists
- name: check if there is a local kadmin
@ -55,7 +56,7 @@
- sssd-krb5
- sssd-ldap
- sssd-tools ## sss_cache -U -G
state: latest
state: latest # noqa package-latest
when: kadmin.stat.exists
- name: provide identities from directory
@ -80,6 +81,7 @@
template:
src: dhcp-send-domain.j2
dest: /etc/dnsmasq.d/dhcp-send-domain
mode: 0644
notify: "restart dnsmasq"
when: dnsmasq.stat.exists
@ -87,6 +89,6 @@
firewalld:
zone: internal
service: nfs
permanent: yes
immediate: yes
permanent: true
immediate: true
state: enabled

4
roles/prepare4clients/handlers/main.yml
View file

@ -1,7 +1,7 @@
- name: start git-repo
systemd:
daemon_reload: yes
daemon_reload: true
name: git-repo
state: started
enabled: yes
enabled: true
listen: start git-repo

30
roles/prepare4clients/tasks/main.yml
View file

@ -1,13 +1,13 @@
- name: make sure ansible is available
apt:
name: ansible
state: latest
state: latest # noqa package-latest
- name: generate ssh key
command: "su -l {{ ansible_user }} -c \"ssh-keygen -t rsa -f /home/{{ ansible_user }}/.ssh/id_rsa -P ''\""
args:
creates: "/home/{{ ansible_user }}/.ssh/id_rsa"
warn: False
warn: false
- name: slurp public key
slurp:
@ -15,7 +15,8 @@
register: sshpubkey
# The following seems to be necessary to get rid of a newline:
- set_fact:
- name: define variable
set_fact:
sshpubkey: "{{ sshpubkey['content'] | b64decode | replace('\n', '') }}"
- name: enable backports in preseed file
@ -87,12 +88,15 @@
block: |
# Use a temporary package cache during installation, install etckeeper.
menuentry 'Debian stable (amd64) + temporary package cache' {
linux /d-i/n-pkg/images/{{ di_version }}/amd64/text/debian-installer/amd64/linux mirror/http/proxy?=http://{{ ansible_hostname }}:3142/ pkgsel/include=etckeeper preseed/late_command="rm -fv /target/etc/apt/apt.conf" ---
linux /d-i/n-pkg/images/{{ di_version }}/amd64/text/debian-installer/amd64/linux \
mirror/http/proxy?=http://{{ ansible_hostname }}:3142/ pkgsel/include=etckeeper \
preseed/late_command="rm -fv /target/etc/apt/apt.conf" ---
initrd /d-i/n-pkg/images/{{ di_version }}/amd64/text/debian-installer/amd64/initrd.gz
}
menuentry 'Debian {{ di_version }} (amd64) + preseed + kiosk.yml' {
linux /d-i/n-pkg/images/{{ di_version }}/amd64/text/debian-installer/amd64/linux auto=true priority=critical url=tftp://{{ ansible_hostname }} playbook=kiosk.yml ---
linux /d-i/n-pkg/images/{{ di_version }}/amd64/text/debian-installer/amd64/linux \
auto=true priority=critical url=tftp://{{ ansible_hostname }} playbook=kiosk.yml ---
initrd /d-i/n-pkg/images/{{ di_version }}/amd64/text/debian-installer/amd64/initrd.gz
}
@ -128,7 +132,8 @@
insertbefore: EOF
block: |
menuentry 'Debian {{ di_version }} (amd64) + preseed + kerberox-client.yml' {
linux /d-i/n-pkg/images/{{ di_version }}/amd64/text/debian-installer/amd64/linux auto=true priority=critical url=tftp://{{ ansible_hostname }} playbook=kerberox-client.yml ---
linux /d-i/n-pkg/images/{{ di_version }}/amd64/text/debian-installer/amd64/linux \
auto=true priority=critical url=tftp://{{ ansible_hostname }} playbook=kerberox-client.yml ---
initrd /d-i/n-pkg/images/{{ di_version }}/amd64/text/debian-installer/amd64/initrd.gz
}
marker: "# {mark} ANSIBLE MANAGED BLOCK kerberox-client"
@ -161,13 +166,16 @@
block: |
menuentry 'Debian {{ di_version }} (amd64) + preseed + sambox-client.yml' {
regexp --set=1:oct4 --set=2:oct5 --set=3:oct6 "\:([[:xdigit:]]+)\:([[:xdigit:]]+)\:([[:xdigit:]]+)\$" $net_default_mac
linux /d-i/n-pkg/images/{{ di_version }}/amd64/text/debian-installer/amd64/linux auto=true priority=critical hostname=${oct4}${oct5}${oct6} url=tftp://{{ ansible_hostname }} playbook=sambox-client.yml ---
linux /d-i/n-pkg/images/{{ di_version }}/amd64/text/debian-installer/amd64/linux \
auto=true priority=critical hostname=${oct4}${oct5}${oct6} url=tftp://{{ ansible_hostname }} \
playbook=sambox-client.yml ---
initrd /d-i/n-pkg/images/{{ di_version }}/amd64/text/debian-installer/amd64/initrd.gz
}
menuentry 'Debian daily (amd64) + preseed + sambox-client.yml' {
regexp --set=1:oct4 --set=2:oct5 --set=3:oct6 "\:([[:xdigit:]]+)\:([[:xdigit:]]+)\:([[:xdigit:]]+)\$" $net_default_mac
linux /d-i/n-a/daily/amd64/linux auto=true priority=critical hostname=${oct4}${oct5}${oct6} url=tftp://{{ ansible_hostname }} playbook=sambox-client.yml ---
linux /d-i/n-a/daily/amd64/linux auto=true priority=critical hostname=${oct4}${oct5}${oct6} \
url=tftp://{{ ansible_hostname }} playbook=sambox-client.yml ---
initrd /d-i/n-a/daily/amd64/initrd.gz
}
marker: "# {mark} ANSIBLE MANAGED BLOCK sambox-client"
@ -181,7 +189,7 @@
git:
repo: 'https://salsa.debian.org/andi/debian-lan-ansible.git'
dest: "{{ repo_dir }}"
update: no
update: false
become_user: "{{ ansible_user }}"
when: not run_in_installer|default(false)|bool
@ -189,6 +197,7 @@
template:
src: git-repo.j2
dest: "/etc/systemd/system/git-repo.service"
mode: 0644
notify: start git-repo
when: not run_in_installer|default(false)|bool
@ -197,7 +206,8 @@
- name: add clients to inventory
blockinfile:
dest: /etc/ansible/hosts
create: yes
create: true
mode: 0644
block: |
[kerberox-client]
{{ in_inventory }}

1
roles/samba-ldap/handlers/main.yml
View file

@ -5,4 +5,3 @@
- name: restart smbd
service: name=smbd state=restarted enabled=yes
listen: "restart smbd"

2
roles/samba-ldap/meta/main.yml
View file

@ -1,3 +1,3 @@
---
dependencies:
dependencies: # noqa meta-no-info
- role: ldap

20
roles/samba-ldap/tasks/main.yml
View file

@ -9,8 +9,7 @@
name:
- samba
- sssd-ldap
state: latest
state: latest # noqa package-latest
- name: provide identities from LDAP
template:
@ -19,8 +18,8 @@
mode: 0600
notify: restart sssd
- meta: flush_handlers
- name: flush all handlers
meta: flush_handlers
- name: prepare samba schema
command: cp /usr/share/doc/samba/examples/LDAP/samba.ldif /etc/ldap/schema/
@ -87,8 +86,8 @@
- name: slurp admin password for samba setup
slurp:
src: "{{ ldap_admin_pwd_file }}"
register: ldap_admin_pwd
no_log: true
register: ldap_admin_pwd
no_log: true
when: not samba_ldap.stat.exists
- name: make samba admin password available to smbd
@ -97,9 +96,10 @@
notify: restart smbd
when: not samba_ldap.stat.exists
- meta: flush_handlers
- name: flush all handlers
meta: flush_handlers
- name: add samba attributes to dummy user foo
- name: add samba attributes to dummy user foo
command:
cmd: smbpasswd -s -a foo
stdin: "{{ foo_pwd }}\n{{ foo_pwd }}"
@ -111,8 +111,8 @@
firewalld:
zone: internal
service: "{{ item }}"
permanent: yes
immediate: yes
permanent: true
immediate: true
state: enabled
with_items:
- samba

2
roles/samba-ldap/templates/sssd.conf.j2
View file

@ -19,5 +19,5 @@ cache_credentials = true
min_id = {{ min_id_sssd }}
max_id = {{ max_id_sssd }}
## remove this after providing propper certificates:
## remove this after providing propper certificates:
ldap_tls_reqcert = allow

3
roles/smb-sshfs-client/handlers/main.yml
View file

@ -4,6 +4,5 @@
- name: reload systemd
systemd:
daemon_reload: yes
daemon_reload: true
listen: "reload systemd"

12
roles/smb-sshfs-client/tasks/main.yml
View file

@ -3,10 +3,10 @@
apt:
name:
- sssd-ldap
- libpam-mount
- libpam-mount
- cifs-utils
- sshfs
state: latest
- sshfs
state: latest # noqa package-latest
- name: add URI to ldap.conf
lineinfile:
@ -23,7 +23,7 @@
- name: enable pam_umask
lineinfile:
dest: /etc/pam.d/common-session
line: "session optional pam_umask.so usergroups"
line: "session optional pam_umask.so usergroups"
- name: provide identities from directory
template:
@ -65,4 +65,6 @@
## gnome-keyring fails with sshfs:
- name: disable gnome-keyring-daemon
command: dpkg-divert --divert /usr/bin/gnome-keyring-daemon.distrib --rename /usr/bin/gnome-keyring-daemon
command:
cmd: dpkg-divert --divert /usr/bin/gnome-keyring-daemon.distrib --rename /usr/bin/gnome-keyring-daemon
creates: /usr/bin/gnome-keyring-daemon.distrib

6
roles/systemd-networkd-resolved/handlers/main.yml
View file

@ -1,14 +1,14 @@
- name: restart and enable systemd-networkd
systemd:
name: systemd-networkd
enabled: yes
enabled: true
state: restarted
daemon_reload: yes
daemon_reload: true
listen: "start and enable systemd-networkd"
- name: start and enable systemd-resolved
systemd:
name: systemd-resolved
enabled: yes
enabled: true
state: started
listen: "start and enable systemd-resolved"

15
roles/systemd-networkd-resolved/tasks/main.yml
View file

@ -7,19 +7,20 @@
copy:
src: all-eth.network
dest: /etc/systemd/network/all-eth.network
mode: 0644
notify: "start and enable systemd-networkd"
#- name: install static configuration for networkd
# template:
# src: 20-static.network.j2
# dest: /etc/systemd/network/20-static.network
# notify: "enable systemd-networkd"
# - name: install static configuration for networkd
# template:
# src: 20-static.network.j2
# dest: /etc/systemd/network/20-static.network
# notify: "enable systemd-networkd"
- name: enable local stub resolver
file:
src: /run/systemd/resolve/stub-resolv.conf
dest: /etc/resolv.conf
state: link
follow: False
force: yes
follow: false
force: true
notify: "start and enable systemd-resolved"

2
roles/systemd-networkd-resolved/templates/20-static.network.j2
View file

@ -4,4 +4,4 @@ Name={{ if_lan }}
[Network]
Address={{ ipaddr }}
Gateway={{ gateway }}
DNS={{ DNS }}
DNS={{ dns }}

20
roles/transparent-squid/tasks/main.yml
View file

@ -1,7 +1,7 @@
- name: install squid package
apt:
name: squid
state: latest
state: latest # noqa package-latest
- name: configure squid extra lines
lineinfile:
@ -9,11 +9,16 @@
line: "{{ item.line }}"
insertafter: "{{ item.insertafter }}"
with_items:
- { line: "http_access allow localnet", insertafter: "#http_access allow localnet" }
- { line: "http_port 3129 intercept", insertafter: "http_port 3128" }
- { line: "maximum_object_size_in_memory 10240 KB", insertafter: "# maximum_object_size_in_memory" }
- { line: "maximum_object_size 512 MB", insertafter: "# maximum_object_size" }
- { line: "cache_dir aufs /var/spool/squid 20000 16 256", insertafter: "#cache_dir ufs /var/spool/squid" }
- line: "http_access allow localnet"
insertafter: "#http_access allow localnet"
- line: "http_port 3129 intercept"
insertafter: "http_port 3128"
- line: "maximum_object_size_in_memory 10240 KB"
insertafter: "# maximum_object_size_in_memory"
- line: "maximum_object_size 512 MB"
insertafter: "# maximum_object_size"
- line: "cache_dir aufs /var/spool/squid 20000 16 256"
insertafter: "#cache_dir ufs /var/spool/squid"
notify: "restart squid"
- name: configure squid store IDs
@ -29,6 +34,7 @@
copy:
src: store_id_regex.conf
dest: /etc/squid/store_id_regex.conf
mode: 0644
notify: "restart squid"
- name: configure squid as package cache
@ -53,5 +59,5 @@
- name: redirect www traffic in shorewall
lineinfile:
dest: /etc/shorewall/rules
line: "REDIRECT loc 3129 tcp www"
line: "REDIRECT loc 3129 tcp www"
notify: "restart shorewall"

14
roles/two-interface-firewalld/tasks/main.yml
View file

@ -2,13 +2,15 @@
template:
src: interfaces-static.j2
dest: /etc/network/interfaces.d/static
mode: 0644
notify: "bring up LAN interface"
- name: install firewalld package
apt: name=firewalld state=latest
apt: name=firewalld state=latest # noqa package-latest
notify: "start firewalld"
- meta: flush_handlers
- name: flush all handlers
meta: flush_handlers
## Do not run the following in the installer:
@ -17,7 +19,7 @@
firewalld:
zone: public
interface: "{{ if_wan }}"
permanent: yes
permanent: true
state: enabled
immediate: true
when: not run_in_installer|default(false)|bool
@ -26,7 +28,7 @@
firewalld:
zone: public
masquerade: 'yes'
permanent: yes
permanent: true
state: enabled
immediate: true
when: not run_in_installer|default(false)|bool
@ -35,7 +37,7 @@
firewalld:
zone: internal
interface: "{{ if_lan }}"
permanent: yes
permanent: true
state: enabled
immediate: true
when: not run_in_installer|default(false)|bool
@ -44,7 +46,7 @@
firewalld:
zone: internal
service: "{{ item }}"
permanent: yes
permanent: true
state: enabled
immediate: true
with_items:

15
roles/two-interface-shorewall/tasks/main.yml
View file

@ -2,10 +2,11 @@
template:
src: interfaces-static.j2
dest: /etc/network/interfaces.d/static
mode: 0644
notify: restart networking
- name: install shorewall packages
apt: name=shorewall state=latest
apt: name=shorewall state=latest # noqa package-latest
- name: copy shorewall configuration
command: cp {{ item }} /etc/shorewall/
@ -24,7 +25,7 @@
- name: find files in /etc/shorewall/
find:
paths: /etc/shorewall/
use_regex: yes
use_regex: true
pattern: '.+[^~]$'
contains: '.*(eth0|eth1).*'
register: find_result
@ -35,7 +36,7 @@
dest: "{{ item.path }}"
regexp: 'eth0'
replace: "{{ if_wan }}"
backup: yes
backup: true
with_items: "{{ find_result.files }}"
notify: restart shorewall
@ -44,7 +45,7 @@
dest: "{{ item.path }}"
regexp: 'eth1'
replace: "{{ if_lan }}"
backup: yes
backup: true
with_items: "{{ find_result.files }}"
notify: restart shorewall
@ -53,7 +54,7 @@
dest: /etc/shorewall/shorewall.conf
regexp: 'IP_FORWARDING=Keep'
replace: 'IP_FORWARDING=Yes'
backup: yes
backup: true
notify: restart shorewall
- name: configure shorewall policy
@ -61,7 +62,7 @@
dest: /etc/shorewall/policy
regexp: 'loc(\s+)net(\s+)ACCEPT'
replace: 'loc\1all\2ACCEPT\n$FW\1all\2ACCEPT'
backup: yes
backup: true
notify: restart shorewall
- name: configure shorewall rules
@ -69,5 +70,5 @@
dest: /etc/shorewall/rules
regexp: '(SSH\(ACCEPT\)\s+)loc(\s+\$FW)'
replace: '\1all\2'
backup: yes
backup: true
notify: restart shorewall

14
roles/up2date-debian/tasks/main.yml
View file

@ -2,36 +2,36 @@
- name: update apt package lists
apt:
update_cache: yes
update_cache: true
cache_valid_time: 86400
- name: upgrade packages
apt:
upgrade: dist
autoremove: yes
autoclean: yes
autoremove: true
autoclean: true
- name: install etckeeper
apt:
name: etckeeper
state: latest
state: latest # noqa package-latest
- name: install extra packages from stable
apt:
name: "{{ extra_pkgs }}"
state: latest
state: latest # noqa package-latest
when: extra_pkgs|length
- name: add {{ ansible_distribution_release }}-backports
apt_repository:
repo: deb http://deb.debian.org/debian/ {{ ansible_distribution_release }}-backports main
state: present
update_cache: yes
update_cache: true
when: extra_pkgs_bpo|length
- name: install extra packages from backports
apt:
name: "{{ extra_pkgs_bpo }}"
state: latest
state: latest # noqa package-latest
default_release: "{{ ansible_distribution_release }}-backports"
when: extra_pkgs_bpo|length

2
roles/web-server/tasks/main.yml
View file

@ -1,5 +1,5 @@
- name: install some packages
apt: name={{ item }} state=latest
apt: name={{ item }} state=latest # noqa package-latest
with_items:
- unattended-upgrades
- screen

6
sambox-client.yml
View file

@ -4,7 +4,7 @@
- name: apply configuration to the machines
hosts: all
remote_user: ansible
become: yes
become: true
vars:
extra_pkgs:
- webext-privacy-badger
@ -16,5 +16,5 @@
- up2date-debian
- smb-sshfs-client
## Choose either gnome or KDE:
#- gnome
#- kde
# - gnome
# - kde

10
sambox.yml
View file

@ -1,13 +1,13 @@
---
## This playbook deploys the sambox server. Add 'hostname=XXX' and 'domain=YYY'
## to the installer boot parameters to set hostname and domain.
##
##
- name: apply configuration to the sambox server
hosts: all
remote_user: ansible
become: yes
become: true
vars:
## This interface provides the default route:
@ -22,11 +22,11 @@
ipaddr_lan_ptr: "{{ (ipaddr_lan | ipaddr('revdns')).split('.')[1:] | join('.') }}"
ipaddr_lan_ptr_threeoct: "{{ ipaddr_lan_ptr.split('.')[0:3] | join('.') }}"
dhcp_start: 192.168.0.50
dhcp_stop: 192.168.0.150
dhcp_stop: 192.168.0.150
in_inventory: 192.168.0.[50:150]
di_dist: "{{ ansible_distribution_release }}"
di_version: 10 #"{{ ansible_distribution_major_version }}"
di_version: 10 # "{{ ansible_distribution_major_version }}"
di_pkg: "debian-installer-{{ di_version }}-netboot-amd64"
ansible_user: ansible
@ -40,7 +40,7 @@
In case you would like to prepare a test user 'foo' and have
not done so yet, provide foo's password here. Leave empty to
just continue
private: yes
private: true
pre_tasks: