From e55997a01cf5372888609ae3c5b67d5c35dbc0d0 Mon Sep 17 00:00:00 2001
From: "Andreas B. Mundt"
Date: Fri, 9 Apr 2021 10:17:45 +0200
Subject: [PATCH] Draft implementation of sambox-client.

---
 roles/ldap/tasks/setup.yml | 6 --
 roles/prepare4clients/tasks/main.yml | 33 +++++++++++
 roles/samba-ldap/defaults/main.yml | 2 +-
 roles/samba-ldap/templates/sssd.conf.j2 | 3 +
 roles/smb-sshfs-client/defaults/main.yml | 5 ++
 roles/smb-sshfs-client/handlers/main.yml | 9 +++
 roles/smb-sshfs-client/tasks/main.yml | 58 +++++++++++++++++++
 roles/smb-sshfs-client/templates/sssd.conf.j2 | 22 +++++++
 sambox-client.yml | 20 +++++++
 sambox.yml | 1 +
 10 files changed, 152 insertions(+), 7 deletions(-)
 create mode 100644 roles/smb-sshfs-client/defaults/main.yml
 create mode 100644 roles/smb-sshfs-client/handlers/main.yml
 create mode 100644 roles/smb-sshfs-client/tasks/main.yml
 create mode 100644 roles/smb-sshfs-client/templates/sssd.conf.j2
 create mode 100644 sambox-client.yml

diff --git a/roles/ldap/tasks/setup.yml b/roles/ldap/tasks/setup.yml
index e01f556..d5ccfbe 100644
--- a/roles/ldap/tasks/setup.yml
+++ b/roles/ldap/tasks/setup.yml
@@ -67,12 +67,6 @@
 - name: configure LDAP TLS
 command: ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/slapd.d/slapd-TLS.ldif
 
-- name: "make 'ldap' an alias hostname resolvable from the LAN"
- replace:
- path: /etc/hosts
- regexp: "^({{ ipaddr_lan | ipaddr('address') }}\\s.+)$"
- replace: '\1 ldap'
-
 - name: add URI to ldap.conf
 lineinfile:
 dest: /etc/ldap/ldap.conf
diff --git a/roles/prepare4clients/tasks/main.yml b/roles/prepare4clients/tasks/main.yml
index 8324881..f83ad9b 100644
--- a/roles/prepare4clients/tasks/main.yml
+++ b/roles/prepare4clients/tasks/main.yml
@@ -135,8 +135,41 @@ notify: "rebuild di-netboot-assistant menu" when: krb5kdc.stat.exists +######## sambox-client ####### + +- name: check if we operate on sambox + stat: path=/etc/samba/smb.conf + register: samba + +- name: add sambox-client auto pxe boot entry to di-netboot-assistant + blockinfile: + dest: /etc/di-netboot-assistant/pxelinux.HEAD + insertbefore: EOF + block: | + LABEL autoinstall + MENU LABEL Debian {{ di_version }} (amd64) + preseed + sambox-client.yml + kernel ::/d-i/n-pkg/images/{{ di_version }}/amd64/text/debian-installer/amd64/linux + append initrd=::/d-i/n-pkg/images/{{ di_version }}/amd64/text/debian-installer/amd64/initrd.gz auto=true priority=critical domain={{ ansible_domain }} url=tftp://{{ ansible_hostname }} playbook=sambox-client.yml --- + marker: "# {mark} ANSIBLE MANAGED BLOCK sambox-client" + notify: "rebuild di-netboot-assistant menu" + when: samba.stat.exists + +- name: add sambox-client auto efi boot entry to di-netboot-assistant + blockinfile: + dest: /etc/di-netboot-assistant/grub.cfg.HEAD + insertbefore: EOF + block: | + menuentry 'Debian {{ di_version }} (amd64) + preseed + sambox-client.yml' { + linux /d-i/n-pkg/images/{{ di_version }}/amd64/text/debian-installer/amd64/linux auto=true priority=critical domain={{ ansible_domain }} url=tftp://{{ ansible_hostname }} playbook=sambox-client.yml --- + initrd /d-i/n-pkg/images/{{ di_version }}/amd64/text/debian-installer/amd64/initrd.gz + } + marker: "# {mark} ANSIBLE MANAGED BLOCK sambox-client" + notify: "rebuild di-netboot-assistant menu" + when: samba.stat.exists + ###################### + - name: provide git repo if not available already git: repo: 'https://salsa.debian.org/andi/debian-lan-ansible.git' diff --git a/roles/samba-ldap/defaults/main.yml b/roles/samba-ldap/defaults/main.yml index 575579c..37ab18a 100644 --- a/roles/samba-ldap/defaults/main.yml +++ b/roles/samba-ldap/defaults/main.yml 
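Review bot: The `stat: path=/etc/samba/smb.conf` test that gates both new boot entries is a weak "are we on sambox" check — if I recall correctly that file is shipped by samba-common and so exists on any host that merely has the Samba client tools installed, which would add an unattended-install menu entry to hosts that are not the sambox server; the existing `krb5kdc` gate above follows the same idiom, but a marker that only the samba-ldap role creates, or an explicit play variable, would be tighter. The `append`/`linux` lines also deserve a comment, because `auto=true priority=critical url=tftp://...` starts a disk-wiping install driven by a preseed fetched over unauthenticated TFTP, so anyone who can PXE-boot a machine on this LAN gets it: `# NOTE: unattended install, wipes the target disk; preseed is served over unauthenticated TFTP` above `block: |`. Minor style: `stat: path=/etc/samba/smb.conf` uses key=value args where the rest of the hunk uses block YAML (`stat:` / `path: /etc/samba/smb.conf`).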
@@ -1,4 +1,4 @@
 basedn: "{{ 'dc=' + ( ansible_domain | replace('^.','') | replace('.$','') | replace('.',',dc=')) }}"
-ldap_server: ldap
+ldap_server: sambox
 min_id_sssd: 5000
 max_id_sssd: 20000
diff --git a/roles/samba-ldap/templates/sssd.conf.j2 b/roles/samba-ldap/templates/sssd.conf.j2
index eb6d50e..c5c4187 100644
--- a/roles/samba-ldap/templates/sssd.conf.j2
+++ b/roles/samba-ldap/templates/sssd.conf.j2
@@ -18,3 +18,6 @@ cache_credentials = true min_id = {{ min_id_sssd }} max_id = {{ max_id_sssd }}
+
+## remove this after providing propper certificates:
+ldap_tls_reqcert = allow
diff --git a/roles/smb-sshfs-client/defaults/main.yml b/roles/smb-sshfs-client/defaults/main.yml
new file mode 100644
index 0000000..120b76a
--- /dev/null
+++ b/roles/smb-sshfs-client/defaults/main.yml
@@ -0,0 +1,5 @@
+basedn: "{{ 'dc=' + ( ansible_domain | replace('^.','') | replace('.$','') | replace('.',',dc=')) }}"
+ldap_server: sambox
+home_server: sambox
+min_id_sssd: 5000
+max_id_sssd: 20000
diff --git a/roles/smb-sshfs-client/handlers/main.yml b/roles/smb-sshfs-client/handlers/main.yml
new file mode 100644
index 0000000..3c18dd6
--- /dev/null
+++ b/roles/smb-sshfs-client/handlers/main.yml
@@ -0,0 +1,9 @@
+- name: restart sssd
+ service: name=sssd state=restarted enabled=yes
+ listen: "restart sssd"
+
+- name: reload systemd
+ systemd:
+ daemon_reload: yes
+ listen: "reload systemd"
+
diff --git a/roles/smb-sshfs-client/tasks/main.yml b/roles/smb-sshfs-client/tasks/main.yml
new file mode 100644
index 0000000..0e9391f
--- /dev/null
+++ b/roles/smb-sshfs-client/tasks/main.yml
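Review bot: `ldap_tls_reqcert = allow` makes SSSD proceed even when the server certificate cannot be validated, so the TLS session that carries user passwords for `auth_provider = ldap` can be intercepted by anyone on the LAN able to answer for `sambox`; the comment marks it as temporary, but nothing enforces that it is ever removed. This same patch already configures server-side TLS in the ldap role (`slapd-TLS.ldif`), so the real fix is to distribute the CA that signed that certificate, point `ldap_tls_cacert` at it and drop the `allow` line so SSSD's default (the certificate must verify) applies. If the workaround must stay for the draft, gate it so the safe setting is the default, e.g. `ldap_tls_reqcert = {{ 'allow' if sssd_skip_cert_check | default(false) else 'demand' }}`, and fix the typo in the comment: `propper` → `proper`.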
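Review bot: Style in the new handlers file: `service: name=sssd state=restarted enabled=yes` uses key=value args and `yes`, while the tasks file added in this same patch uses block YAML and the project's lint-friendly form would be `true`; write it as `service:` / `name: sssd` / `state: restarted` / `enabled: true` (and `daemon_reload: true`). The `reload systemd` handler is not notified by any task I can see in this patch — the pam_mount part of the tasks hunk is not readable here, so if nothing there triggers it, drop the handler rather than carry dead code.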
@@ -0,0 +1,58 @@
+---
+- fail: msg="The machine's domain must not be empty."
+ when: ansible_domain | length == 0
+
+- name: install needed packages
+ apt:
+ name:
+ - sssd-ldap
+ - libpam-mount
+ - cifs-utils
+ - sshfs
+ state: latest
+
+- name: add URI to ldap.conf
+ lineinfile:
+ dest: /etc/ldap/ldap.conf
+ line: "URI ldap://ldap/"
+ insertafter: "#URI.*"
+
+- name: add BASE to ldap.conf
+ lineinfile:
+ dest: /etc/ldap/ldap.conf
+ line: "BASE {{ basedn }}"
+ insertafter: "#BASE.*"
+
+- name: enable pam_umask
+ lineinfile:
+ dest: /etc/pam.d/common-session
+ line: "session optional pam_umask.so usergroups"
+
+- name: provide identities from directory
+ template:
+ src: sssd.conf.j2
+ dest: /etc/sssd/sssd.conf
+ mode: 0600
+ notify: restart sssd
+
+- name: configure pam_mount
+ blockinfile:
+ dest: /etc/security/pam_mount.conf.xml
+ block: | + + rootansibleDebian-gdm + insertafter: "" + +
diff --git a/roles/smb-sshfs-client/templates/sssd.conf.j2 b/roles/smb-sshfs-client/templates/sssd.conf.j2
new file mode 100644
index 0000000..f39b856
--- /dev/null
+++ b/roles/smb-sshfs-client/templates/sssd.conf.j2
@@ -0,0 +1,22 @@
+[sssd]
+domains = LDAP
+config_file_version = 2
+
+[nss]
+filter_groups = root
+filter_users = root
+
+[pam]
+
+[domain/LDAP]
+id_provider = ldap
+ldap_uri = ldap://{{ ldap_server }}/
+ldap_search_base = {{ basedn }}
+
+auth_provider = ldap
+cache_credentials = true
+
+min_id = {{ min_id_sssd }}
+max_id = {{ max_id_sssd }}
+
+ldap_tls_reqcert = allow
diff --git a/sambox-client.yml b/sambox-client.yml
new file mode 100644
index 0000000..8b63293
--- /dev/null
+++ b/sambox-client.yml
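Review bot: `line: "URI ldap://ldap/"` hard-codes the host name `ldap` although the role's defaults and the sssd template in this same patch use `ldap_server: sambox`, and the patch also removes the `/etc/hosts` alias that made `ldap` resolvable on the LAN, so anything on the client that reads /etc/ldap/ldap.conf will point at a name that may no longer resolve; use the variable, `line: "URI ldap://{{ ldap_server }}/"`. The written ldap.conf also carries no `TLS_CACERT`, so command-line tools on the client cannot verify the server certificate even once SSSD is fixed to. Two smaller points: `state: latest` on the apt task upgrades those packages on every run (use `present`), and the pam_mount `block:` in this hunk is garbled in the copy I see (the XML elements are missing), so the volume definitions could not be reviewed and the remainder of the file lies outside this view.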
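Review bot: `ldap_tls_reqcert = allow` combined with a plain `ldap://` URI and no `ldap_id_use_start_tls = true` means identity lookups travel in cleartext and the authentication channel — which SSSD upgrades with STARTTLS on its own, as far as I recall — accepts any certificate, so every client's user passwords are exposed to a man-in-the-middle on the LAN; unlike the parallel change to the samba-ldap template, this copy does not even comment the setting as temporary. Add `ldap_id_use_start_tls = true`, point `ldap_tls_cacert` at the CA that signed the sambox certificate, and drop the `allow` line so SSSD's default (certificate must verify) applies. `access_provider` is also unset, so every directory user inside `min_id`/`max_id` may log in on every client — state that as intended with `# all directory users may log in on any client` or restrict it with `access_provider = ldap` plus a filter.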
@@ -0,0 +1,20 @@
+---
+# This playbook deploys a client for the kerberox LAN.
+
+- name: apply configuration to the machines
+ hosts: all
+ remote_user: ansible
+ become: yes
+ vars:
+ extra_pkgs:
+ - webext-privacy-badger
+ - webext-ublock-origin
+ extra_pkgs_bpo: [] # [ libreoffice ]
+ ansible_python_interpreter: "/usr/bin/python3"
+
+ roles:
+ - up2date-debian
+ - smb-sshfs-client
+ ## Choose either gnome or KDE:
+ #- gnome
+ #- kde
diff --git a/sambox.yml b/sambox.yml
index 6160297..c24d2ee 100644
--- a/sambox.yml
+++ b/sambox.yml
@@ -53,3 +53,4 @@
 - tftp-netboot-installer
 - apt-cacher
 - samba-ldap
+ - prepare4clients
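Review bot: The header comment `# This playbook deploys a client for the kerberox LAN.` looks copied from a kerberox playbook, but this file is the sambox client play, so `# This playbook deploys a client of the sambox (Samba + LDAP) LAN.` Since the `gnome`/`kde` roles are commented out, the play as committed yields a console-only client; a one-line note above `roles:` saying so would save the next reader a surprise. Style: `become: yes` → `become: true`.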