diff --git a/lmn-desktop.yml b/lmn-desktop.yml
index 2dc1795..93dc6a9 100644
--- a/lmn-desktop.yml
+++ b/lmn-desktop.yml
@@ -4,7 +4,17 @@
 hosts: all
 remote_user: ansible
 become: yes
+ pre_tasks:
+ - pause:
+ prompt: "Enter global-admin active directory password to join domain:"
+ minutes: 5
+ echo: false
+ register: adpw
+ no_log: true
+ when: "ansible_cmdline.adpw is not defined"
+ vars:
+ domain: "pn.steinbeis.schule"
 extra_pkgs:
 - webext-privacy-badger
 - webext-ublock-origin
@@ -35,6 +45,7 @@
 - console-setup
 - virt-manager
 - libreoffice-l10n-de
+ - krb5-user
 extra_pkgs_bpo: [ libreoffice ] # [ linux-image-amd64 ] # [ libreoffice ]
 ansible_python_interpreter: "/usr/bin/python3"
@@ -43,8 +54,8 @@
 #- gnome
 - kde
 - up2date_debian
-# - fvs-sssd
-# - fvs-mount
+ - lmn-sssd
+ - lmn-mount
 # - fvs-client
 tasks:
@@ -56,17 +67,3 @@
 shell: /bin/bash
 groups: libvirt
 append: yes
- - name: add lmn key
- ansible.builtin.apt_key:
- url: https://deb.linuxmuster.net/pub.gpg
- keyring: /etc/apt/trusted.gpg.d/linuxmuster.net.gpg
- - name: add lmn repo
- apt_repository:
- repo: deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/linuxmuster.net.gpg] http://deb.linuxmuster.net/ lmn71 main
- state: present
- update_cache: true
- - name: install
- apt:
- name: linuxmuster-linuxclient7
- state: latest
-
diff --git a/roles/lmn-mount/defaults/main.yml b/roles/lmn-mount/defaults/main.yml
new file mode 100644
index 0000000..488b052
--- /dev/null
+++ b/roles/lmn-mount/defaults/main.yml
@@ -0,0 +1,2 @@
+smb_server: "server"
+smb_home: "default-school/teachers/%(DOMAIN_USER)"
diff --git a/roles/lmn-mount/tasks/main.yml b/roles/lmn-mount/tasks/main.yml
new file mode 100644
index 0000000..294e2f3
--- /dev/null
+++ b/roles/lmn-mount/tasks/main.yml
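Review bot: The `when: "ansible_cmdline.adpw is not defined"` guard on the new pause task in lmn-desktop.yml means the global-admin password is expected to arrive on the kernel command line as a fallback; that fact comes from /proc/cmdline, which is readable by every local user and persists in the bootloader configuration and boot logs, so the `no_log: true` on the prompt protects only the Ansible output, not the secret itself. Prefer a play-level `vars_prompt` entry or an extra-var fed from a vault/credential store, and drop the cmdline path unless it is consumed once and cleared. The prompt task itself is sound: `echo: false` plus `no_log: true` keep the typed value out of the log, and the `minutes: 5` timeout bounds an unattended run. The same cmdline fallback is consumed in roles/lmn-sssd/tasks/main.yml, so both places should change together.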
@@ -0,0 +1,20 @@
+---
+- name: install needed packages
+ apt:
+ name:
+ - libpam-mount
+ - cifs-utils
+ state: latest
+
+- name: configure pam_mount
+ blockinfile:
+ dest: /etc/security/pam_mount.conf.xml
+ block: |
+ rootansibleDebian-gdmsddmvirti
+ insertafter: ""
diff --git a/roles/lmn-sssd/handlers/main.yml b/roles/lmn-sssd/handlers/main.yml
new file mode 100644
index 0000000..c7c508b
--- /dev/null
+++ b/roles/lmn-sssd/handlers/main.yml
@@ -0,0 +1,3 @@
+- name: restart sssd
+ service: name=sssd state=restarted enabled=yes
+ listen: "restart sssd"
diff --git a/roles/lmn-sssd/tasks/main.yml b/roles/lmn-sssd/tasks/main.yml
new file mode 100644
index 0000000..04b4f7f
--- /dev/null
+++ b/roles/lmn-sssd/tasks/main.yml
@@ -0,0 +1,21 @@
+---
+- name: install needed packages
+ apt:
+ name:
+ - sssd-ad
+ - sssd-tools
+ - adcli
+ state: latest
+
+- name: provide identities from directory
+ template:
+ src: sssd.conf.j2
+ dest: /etc/sssd/sssd.conf
+ mode: 0600
+ notify: restart sssd
+
+ ## Either one of the variables is defined:
+- name: join the domain
+ shell:
+ cmd: echo "{{ ansible_cmdline.adpw | default('') + adpw.user_input | default('') }}" | adcli join --stdin-password -U global-admin {{ domain | upper }}
+ when: ansible_cmdline.adpw | default('') | length > 0 or adpw.user_input | default('') | length > 0
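Review bot: `service: name=sssd state=restarted enabled=yes` in roles/lmn-sssd/handlers/main.yml uses the key=value shorthand while every other new task in this commit (the `apt:` and `template:` tasks in roles/lmn-sssd/tasks/main.yml) uses native YAML arguments; the Ansible convention is the block form with a real boolean, `service:` / `  name: sssd` / `  state: restarted` / `  enabled: true`. The `listen: "restart sssd"` entry repeats the handler's own name, so one of the two can carry the topic alone.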
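Review bot: The join task in roles/lmn-sssd/tasks/main.yml builds a `shell` command with the AD password interpolated into it (`echo "{{ ... }}" | adcli join ...`) and carries no `no_log: true`, so the full command line, password included, is written to Ansible's stdout, callback output and any configured log file, and the shell additionally interprets `$`, backticks and double quotes that appear inside the password. Feeding the secret through the `command` module's `stdin` parameter keeps it out of both the shell and the logged command, and `creates: /etc/krb5.keytab` (the host keytab adcli writes by default) makes the join idempotent instead of re-running on every play that has a password available. `mode: 0600` on the template task is an unquoted leading-zero octal whose meaning depends on YAML 1.1 semantics; `mode: "0600"` is the portable form. The `## Either one of the variables is defined:` comment is indented as though it belonged to the template task; placing it at column 0 directly above the join task reads more clearly.
```yaml
# … unchanged: package install and sssd.conf template tasks …
- name: join the domain
  command:
    cmd: adcli join --stdin-password -U global-admin {{ domain | upper }}
    stdin: "{{ ansible_cmdline.adpw | default('') + adpw.user_input | default('') }}"
    creates: /etc/krb5.keytab
  no_log: true
  when: ansible_cmdline.adpw | default('') | length > 0 or adpw.user_input | default('') | length > 0
```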
@@ -0,0 +1,19 @@
+[sssd]
+domains = {{ domain }}
+config_file_version = 2
+
+[domain/{{ domain }}]
+default_shell = /bin/bash
+cache_credentials = True
+krb5_store_password_if_offline = True
+cache_credentials = True
+krb5_realm = {{ domain | upper }}
+id_provider = ad
+override_homedir = /home/%u
+ad_domain = {{ domain }}
+use_fully_qualified_names = False
+ldap_id_mapping = True
+access_provider = ad
+ad_gpo_access_control = permissive
+ad_gpo_ignore_unreadable = True
+ad_maximum_machine_account_password_age = 0
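Review bot: `cache_credentials = True` appears twice in the `[domain/{{ domain }}]` section of sssd.conf.j2 (lines 7 and 9 of the new template); the second copy should be dropped, as the repetition looks like a merge leftover and only invites confusion when someone later changes one of them. Two settings in the same section weaken the default posture and deserve an explaining comment in the template: `ad_gpo_access_control = permissive` evaluates GPO logon rights but never denies a login, and `ad_maximum_machine_account_password_age = 0` disables renewal of the machine account password. If permissive mode is only intended for rollout, say so next to the line, e.g. `; permissive: GPO denials are logged, not enforced — switch to enforcing once logon-right GPOs are verified`, and likewise record why machine password rotation is turned off.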