Fixes and improvements, NFS/KDC/LDAP related.

2019-11-21 19:15:22 +01:00 · 2019-11-21 19:15:22 +01:00 · fbf48f44f3
commit fbf48f44f3
parent 5d5f75e0c8
11 changed files with 134 additions and 46 deletions
--- a/kerberox-client.yml
+++ b/kerberox-client.yml
@ -0,0 +1,26 @@
 ---
 # This playbook deploys a client for the kerberox LAN.
 - name: apply configuration to the machines
  hosts: all
  remote_user: ansible
  become: yes
  vars:
    deb_release: "buster"
    extra_pkgs:
      - webext-privacy-badger
      - webext-ublock-origin
      - krb5-auth-dialog
    extra_pkgs_bpo: []  # [ libreoffice ]
  vars_prompt:
    - name: "kadmin_pwd"
      prompt: "Provide kadmin password to fetch kerberos keytab.\nLeave empty if done already"
      private: yes
  roles:
    - up2date-debian
    - lan-client
    ## Choose either gnome or KDE:
    - gnome
    #- kde
--- a/kerberox.yml
+++ b/kerberox.yml
@ -0,0 +1,46 @@
 ---
 # This playbook deploys the kerberox server.
 - name: apply configuration to the installbox
  hosts: all
  remote_user: ansible
  become: yes
  vars:
    ## This interface provides the default route:
    if_wan: "{{ ansible_default_ipv4.interface }}"
    ## Use the first remaining interface for the LAN:
    if_lan: "{{ ansible_interfaces | difference([if_wan, 'lo']) | first }}"
    ## Add 'hostname=XXX' to the installer boot parameters if necessary:
    hostname: "{{ ansible_hostname }}"
    ipaddr_lan: 192.168.0.10
    dhcp_range: 192.168.0.50,192.168.0.150,2h
    dhcp_list: "{{ lookup('sequence', 'start=50 end=150 format=192.168.0.%d', wantlist=True) }}"
    tftp_root: "/var/lib/tftpboot"
    deb_mirror: "deb.debian.org"
    di_dist: "buster"
    di_version: "10"
    di_pkg: "debian-installer-{{ di_version }}-netboot-amd64"
    ansible_user: ansible
    repo_dir: "/home/{{ ansible_user }}/debian-lan"
    ansible_python_interpreter: "/usr/bin/python3"  ## needed for firewalld module
  vars_prompt:
    - name: "foo_pwd"
      prompt: "Provide a non-empty password for the test user 'foo'.\nLeave empty to continue without test user"
      private: yes
  pre_tasks:
    - name: validate if interfaces are available
      fail:
        msg: "Interfaces {{ ansible_interfaces }} found. WAN: '{{ if_wan }}', LAN: '{{ if_lan }}'.  Two NICs needed."
      when: (if_lan not in ansible_interfaces) or (if_wan not in ansible_interfaces) or (if_lan == if_wan)
  roles:
    - up2date-debian
    - two-interface-firewalld
    - dhcp-dns-dnsmasq
    - tftp-netboot-installer
    - preseed-installer
    - apt-cacher
    - krb5-kdc-ldap
    - nfs-server
--- a/mainserver.yml
+++ b/mainserver.yml
@ -1,14 +0,0 @@
 ---
 # This playbook deploys the mainserver
 - name: apply configuration to the mainserver
  hosts: all
  remote_user: andi
  become: yes
  vars:
    foo_pwd: 123
  roles:
 #    - ldap
    - krb5-kdc-ldap
--- a/roles/kde/tasks/main.yml
+++ b/roles/kde/tasks/main.yml
@ -2,6 +2,7 @@
  apt:
    name:
      - task-kde-desktop
      - sddm-theme-debian-breeze
      - cups
    state: latest
--- a/roles/krb5-kdc-ldap/tasks/main.yml
+++ b/roles/krb5-kdc-ldap/tasks/main.yml
@ -2,7 +2,7 @@
 ##  run most tasks only on krb5-kdc-ldap installation.
 ---
 - fail: msg="The machine's domain must not be empty."
-  when: ansible_domain | length == 0 
+  when: ansible_domain | length == 0
 - name: check if slapd is already there
  stat: path=/usr/sbin/krb5kdc
@ -142,35 +142,38 @@
  notify: "restart krb5-kdc"
  when: not krb5kdc.stat.exists
- name: add root/admin as kadmin  
+- name: add root/admin as kadmin
-  command: kadmin.local -q "addprinc -pw {{ kadmin_pwd }} root/admin"
+  command: kadmin.local -q 'addprinc -pw "{{ kadmin_pwd }}" root/admin'
  when: not krb5kdc.stat.exists
 - name: dump kadmin password
  shell: echo -n "{{ kadmin_pwd }}" > "{{ kadmin_pwd_file }}" ; chmod 0600 "{{ kadmin_pwd_file }}"
  no_log: true
  when: not krb5kdc.stat.exists
-  
+
 - name: add default policy to silence warning when using kadmin
  command: kadmin.local -q "add_policy default"
  when: not krb5kdc.stat.exists
 - name: create machine principals
-  command: kadmin.local -q "addprinc -randkey {{ item }}/{{ ansible_hostname }}.{{ ansible_domain }}"
+  command: kadmin.local -q 'addprinc -randkey {{ item }}/{{ ansible_hostname }}.{{ ansible_domain }}'
  with_items:
    - host
    - ldap
  when: not krb5kdc.stat.exists
 - name: add principal to the keytab
-  command: kadmin.local -q "ktadd {{ item }}/{{ ansible_hostname }}.{{ ansible_domain }}"
+  command: kadmin.local -q 'ktadd {{ item }}/{{ ansible_hostname }}.{{ ansible_domain }}'
  with_items:
    - host
    - ldap
  when: not krb5kdc.stat.exists
 ##############
-  
+
 - name: kerberize dummy user foo
-  command: kadmin.local -q 'add_principal -pw {{ foo_pwd }} -x dn="uid=foo,ou=people,{{ basedn }}" foo'
+  command: kadmin.local -q 'add_principal -pw "{{ foo_pwd }}" -x dn="uid=foo,ou=people,{{ basedn }}" foo'
-  when: foo_pwd is defined
+  register: kerberize_result
  changed_when: kerberize_result.stderr is not search('already exists while creating')
  no_log: true
  when: foo_pwd is defined and foo_pwd | length > 0
--- a/roles/lan-client/tasks/main.yml
+++ b/roles/lan-client/tasks/main.yml
@ -33,6 +33,8 @@
      - nfs-common
    state: latest
 ## oddjob-mkhomedir works only with sec=sys for the NFSv4 share
 - name: provide identities from directory
  template:
    src: sssd.conf.j2
@ -46,17 +48,19 @@
 ## Activate machine after installation:
 - name: create machine principal
-  command: kadmin -p root/admin -w {{ lookup('password', '/root/kadmin.pwd') }} -q "addprinc -randkey nfs/{{ ansible_hostname }}.{{ ansible_domain }}"
+  command: kadmin -p root/admin -w {{ kadmin_pwd }} -q "addprinc -randkey nfs/{{ ansible_hostname }}.{{ ansible_domain }}"
  register: kerberize_result
  changed_when: kerberize_result.stderr is not search('already exists while creating')
  no_log: true
-  when: not run_in_installer|default(false)|bool
+  when: not run_in_installer|default(false)|bool and kadmin_pwd | length > 0
 - name: add principal to keytab
-  command: kadmin -p root/admin -w {{ lookup('password', '/root/kadmin.pwd') }} -q "ktadd nfs/{{ ansible_hostname }}.{{ ansible_domain }}"
+  command: kadmin -p root/admin -w {{ kadmin_pwd }} -q "ktadd nfs/{{ ansible_hostname }}.{{ ansible_domain }}"
  args:
    creates: /etc/krb5.keytab
  no_log: true
  notify: "restart rpc-gssd"
-  when: not run_in_installer|default(false)|bool
+  when: not run_in_installer|default(false)|bool and kadmin_pwd | length > 0
 - name: automount
  lineinfile:
--- a/roles/ldap/defaults/main.yml
+++ b/roles/ldap/defaults/main.yml
@ -1,4 +1,4 @@
 ldap_admin_pwd: "{{ lookup('password', '/tmp/ldap_admin.pwd length=24') }}"
-ldap_pwd_file: "/root/ldap-admin.pwd"
+ldap_admin_pwd_file: "/root/ldap-admin.pwd"
 basedn: "{{ 'dc=' + ( ansible_domain | replace('^.','') | replace('.$','') | replace('.',',dc=')) }}"
 lan_homes:  /home/lan
--- a/roles/ldap/tasks/main.yml
+++ b/roles/ldap/tasks/main.yml
@ -2,7 +2,7 @@
 ##  run most tasks only on slapd installation.
 ---
 - fail: msg="The machine's domain must not be empty."
-  when: ansible_domain | length == 0 
+  when: ansible_domain | length == 0
 - name: check if slapd is already there
  stat: path=/usr/sbin/slapd
@ -35,7 +35,7 @@
  when: not slapd.stat.exists
 - name: dump admin password
-  shell: echo -n "{{ ldap_admin_pwd }}" > "{{ ldap_pwd_file }}" ; chmod 0600 "{{ ldap_pwd_file }}"
+  shell: echo -n "{{ ldap_admin_pwd }}" > "{{ ldap_admin_pwd_file }}" ; chmod 0600 "{{ ldap_admin_pwd_file }}"
  no_log: true
  when: not slapd.stat.exists
@ -80,6 +80,11 @@
    bind_dn: "cn=admin,{{ basedn }}"
    bind_pw: "{{ ldap_admin_pwd }}"
 - name: provide simple script to add/delete users
  template:
    src: debian-lan.j2
    dest: /usr/local/sbin/debian-lan
    mode: 0744
 ## Add user
 - name: add dummy user foo
@ -98,7 +103,7 @@
      loginShell: /bin/bash
    bind_dn: "cn=admin,{{ basedn }}"
    bind_pw: "{{ ldap_admin_pwd }}"
-  when: foo_pwd is defined
+  when: foo_pwd is defined and foo_pwd | length > 0
 - name: add dummy group foo
  ldap_entry:
@ -109,7 +114,7 @@
      gidNumber: 10000
    bind_dn: "cn=admin,{{ basedn }}"
    bind_pw: "{{ ldap_admin_pwd }}"
-  when: foo_pwd is defined
+  when: foo_pwd is defined and foo_pwd | length > 0
 ## ldapaddgroup tom
 ## ldapadduser tom tom
--- a/roles/nfs-server/handlers/main.yml
+++ b/roles/nfs-server/handlers/main.yml
@ -1,3 +1,12 @@
 - name: bind mount exported dir
  mount:
    path: "{{ export_root }}/home/"
    src: "{{ lan_homes }}"
    fstype: none
    state: mounted
    opts: bind
  listen: "bind mount exported dirs"
 - name: restart nfs-kernel-server
  service: name=nfs-kernel-server state=restarted enabled=yes
  listen: "restart nfs-kernel-server"
@ -9,3 +18,7 @@
 - name: restart sssd
  service: name=sssd state=restarted enabled=yes
  listen: "restart sssd"
 - name: restart dnsmasq
  service: name=dnsmasq state=restarted enabled=yes
  listen: "restart dnsmasq"
--- a/roles/nfs-server/tasks/main.yml
+++ b/roles/nfs-server/tasks/main.yml
@ -1,7 +1,7 @@
 ## Install and configure nfs-server
 ---
 - fail: msg="The machine's domain must not be empty."
-  when: ansible_domain | length == 0 
+  when: ansible_domain | length == 0
 - name: check if there are installing
  stat: path=/etc/exports
@ -13,19 +13,12 @@
      - nfs-kernel-server
    state: latest
- name: make sure the export exists
+- name: make sure the export paths exists
  file: path={{ export_root }}/home/ state=directory recurse=yes
- name: make sure the export exists
+- name: make sure the lan homes exists
  file: path={{ lan_homes }} state=directory recurse=yes
-
+  notify: "bind mount exported dirs"
 - name: bind mount exported dir
  mount:
    path: "{{ export_root }}/home/"
    src: "{{ lan_homes }}"
    fstype: none
    state: mounted
    opts: bind
 - name: configure exports
  blockinfile:
@ -36,8 +29,6 @@
      {{ export_root }}/home/   *(sec=krb5p,rw,no_subtree_check)
  notify: "restart nfs-kernel-server"
 - name: check if there is a local kadmin
  stat: path=/usr/sbin/kadmin.local
  register: kadmin
@ -71,4 +62,15 @@
  shell: cp -r /etc/skel {{ lan_homes }}/foo && chmod -R o-rwx {{ lan_homes }}/foo && chown -R foo:foo {{ lan_homes }}/foo
  args:
    creates: "{{ lan_homes }}/foo"
-  when: foo_pwd is defined
+  when: foo_pwd is defined and foo_pwd | length > 0
 - name: check if our dnsmasq is used
  stat: path=/etc/dnsmasq.d/dnsmasq-dhcp
  register: dnsmasq
 - name: send domain to clients
  template:
    src: dhcp-send-domain.j2
    dest: /etc/dnsmasq.d/dhcp-send-domain
  notify: "restart dnsmasq"
  when: dnsmasq.stat.exists
--- a/roles/nfs-server/templates/dhcp-send-domain.j2
+++ b/roles/nfs-server/templates/dhcp-send-domain.j2
@ -0,0 +1,2 @@
 expand-hosts
 domain={{ ansible_domain }}