Webserver playbook for linuxmuster.

2024-01-24 13:00:59 +01:00 · 2024-01-24 13:00:59 +01:00 · 3c33cde8c6
commit 3c33cde8c6
parent e30a7032a5
2 changed files with 64 additions and 22 deletions
--- a/lmn-www-server.yml
+++ b/lmn-www-server.yml
@ -0,0 +1,43 @@
+## This playbook deploys a FvS web server machine.
+---
+- name: apply configuration to the web server
+  hosts: all
+  remote_user: ansible
+  become: yes
+  pre_tasks:
+    - pause:
+        prompt: "Enter global-admin AD password. Leave empty to skip domain join"
+        echo: false
+      register: adpw
+      no_log: true
+      when: "ansible_cmdline.adpw is not defined"
+  vars:
+    domain: "pn.steinbeis.schule"
+    extra_pkgs:
+      - vim
+      - apache2
+      - python3-flask
+
+    extra_pkgs_bpo: [ ]  # [ libreoffice ]
+
+  roles:
+    - up2date_debian
+    - lmn_sssd
+    - kerberize
+
+  tasks:
+    - name: Override home dir location
+      lineinfile:
+        dest: /etc/sssd/sssd.conf
+        line: override_homedir = /home/%u
+
+    - name: enable pam_mkhomedir.so
+      lineinfile:
+        dest: /etc/pam.d/common-session
+        line: "session	optional	pam_mkhomedir.so  umask=0026"
+        insertbefore: "session	optional	pam_mount.so"
+
+    - name: enable apache mod userdir
+      apache2_module:
+        state: present
+        name: userdir
--- a/roles/kerberize/tasks/main.yml
+++ b/roles/kerberize/tasks/main.yml
@ -1,28 +1,27 @@
- name: kerberize sshd server
-  lineinfile:
-    dest: /etc/ssh/sshd_config
-    line: "GSSAPIAuthentication yes"
-    insertafter: "#GSSAPIAuthentication no"
+- name: Install kerberos packages
+  apt:
+    name: krb5-user
+    state: latest
+
+- name: Kerberize sshd server
+  ansible.builtin.copy:
+    dest: /etc/ssh/sshd_config.d/kerberize.conf
+    content: |
+      GSSAPIAuthentication yes
  notify: "reload sshd"

- name: kerberize ssh client, authenticate
-  lineinfile:
-    dest: /etc/ssh/ssh_config
-    line: "GSSAPIAuthentication yes"
-    insertafter: "#   GSSAPIAuthentication no"
+- name: Kerberize ssh client, authenticate and delegate credentials
+  ansible.builtin.copy:
+    dest: /etc/ssh/ssh_config.d/kerberize.conf
+    content: |
+      GSSAPIAuthentication yes
+      GSSAPIDelegateCredentials yes

- name: kerberize ssh client, delegate credentials
-  lineinfile:
-    dest: /etc/ssh/ssh_config
-    line: "GSSAPIDelegateCredentials yes"
-    insertafter: "#   GSSAPIDelegateCredentials no"
-
-
- name: check if firefox is available
+- name: Check if firefox is available
  stat: path=/etc/firefox-esr/firefox-esr.js
  register: firefox

- name: kerberize firefox for sites in the local domain
+- name: Kerberize firefox for sites in the local domain
  lineinfile:
    dest: /etc/firefox-esr/firefox-esr.js
    line: "{{ item }}"
@ -32,12 +31,12 @@
    - 'pref("network.negotiate-auth.trusted-uris", "{{ kerberize_uris | default(ansible_domain) }}");'
  when: firefox.stat.exists

- name: ensures /etc/chromium/policies/managed dir exists
-  file: 
+- name: Ensures /etc/chromium/policies/managed dir exists
+  file:
    path: "/etc/chromium/policies/managed"
    state: directory

- name: kerberize chromium for sites in the local domain
+- name: Kerberize chromium for sites in the local domain
  copy:
    dest: /etc/chromium/policies/managed/idam.json
    content: |