Split ldap role and reorder base.yml
							parent
							
								
									9115cbd23c
								
							
						
					
					
						commit
						23d29500e7
					
				
							
								
								
									
										62
									
								
								base.yml
								
								
								
								
							
							
						
						
									
										62
									
								
								base.yml
								
								
								
								
							| 
						 | 
				
			
			@ -1,34 +1,11 @@
 | 
			
		|||
---
 | 
			
		||||
# Deploy common Crans configuration and tools
 | 
			
		||||
- hosts: server,test_vm,!ovh_physical
 | 
			
		||||
# Common CRANS configuration for all servers
 | 
			
		||||
- hosts: server
 | 
			
		||||
  vars:
 | 
			
		||||
    # Debian mirror on adm
 | 
			
		||||
    debian_mirror: http://mirror.adm.crans.org/debian
 | 
			
		||||
    debian_components: main non-free
 | 
			
		||||
 | 
			
		||||
    # NTP servers
 | 
			
		||||
    # TODO get this list with re2o
 | 
			
		||||
    ntp_servers:
 | 
			
		||||
      - charybde.adm.crans.org
 | 
			
		||||
      - silice.adm.crans.org
 | 
			
		||||
  roles:
 | 
			
		||||
    - debian-apt-sources
 | 
			
		||||
    - common-security
 | 
			
		||||
    - common-tools
 | 
			
		||||
    - ntp-client
 | 
			
		||||
    - nfs-common
 | 
			
		||||
 | 
			
		||||
# Deploy backup system
 | 
			
		||||
- hosts: server
 | 
			
		||||
  vars:
 | 
			
		||||
    # Backup password
 | 
			
		||||
    backuppc_rsyncd_passwd: "{{ vault_backuppc_rsyncd_passwd }}"
 | 
			
		||||
  roles:
 | 
			
		||||
    - rsync-client
 | 
			
		||||
 | 
			
		||||
# Plug LDAP on all servers
 | 
			
		||||
- hosts: server
 | 
			
		||||
  vars:
 | 
			
		||||
    # LDAP binding
 | 
			
		||||
    ldap_base: 'dc=crans,dc=org'
 | 
			
		||||
    ldap_master_ipv4: '10.231.136.19'
 | 
			
		||||
| 
						 | 
				
			
			@ -46,15 +23,30 @@
 | 
			
		|||
    # Scripts will tell users to go there to manage their account
 | 
			
		||||
    intranet_url: 'https://intranet.crans.org/'
 | 
			
		||||
 | 
			
		||||
    # SSH keys for root account to use when LDAP is broken
 | 
			
		||||
    ssh_pub_keys: "{{ vault_ssh_pub_keys }}"
 | 
			
		||||
  roles:
 | 
			
		||||
    - ldap-client
 | 
			
		||||
    # Backup password
 | 
			
		||||
    backuppc_rsyncd_passwd: "{{ vault_backuppc_rsyncd_passwd }}"
 | 
			
		||||
 | 
			
		||||
# Install scripts on all servers
 | 
			
		||||
- hosts: server
 | 
			
		||||
    # Will be in /usr/scripts/
 | 
			
		||||
    crans_scripts_git: "http://gitlab.adm.crans.org/nounous/scripts.git"
 | 
			
		||||
 | 
			
		||||
    # NTP servers
 | 
			
		||||
    ntp_servers:
 | 
			
		||||
      - charybde.adm.crans.org
 | 
			
		||||
      - silice.adm.crans.org
 | 
			
		||||
  roles:
 | 
			
		||||
    - scripts
 | 
			
		||||
    - common-tools
 | 
			
		||||
    - debian-apt-sources
 | 
			
		||||
    - ldap-client
 | 
			
		||||
    - openssh
 | 
			
		||||
    - sudo
 | 
			
		||||
    - rsync-client
 | 
			
		||||
    - ntp-client
 | 
			
		||||
    - crans-scripts
 | 
			
		||||
 | 
			
		||||
# Deploy NFS only on campus
 | 
			
		||||
- hosts: crans_server
 | 
			
		||||
  roles:
 | 
			
		||||
    - nfs-common
 | 
			
		||||
 | 
			
		||||
# Document servers
 | 
			
		||||
- hosts: voyager.adm.crans.org  # test only on voyager for now
 | 
			
		||||
| 
						 | 
				
			
			@ -70,13 +62,12 @@
 | 
			
		|||
  roles: []  # TODO
 | 
			
		||||
 | 
			
		||||
# Playbook to deploy autofs NFS
 | 
			
		||||
- hosts: crans_physical,crans_vm,!odlyd.adm.crans.org,!zamok.adm.crans.org,!omnomnom.adm.crans.org,!owl.adm.crans.org,!owncloud-srv.adm.crans.org
 | 
			
		||||
- hosts: crans_server,!odlyd.adm.crans.org,!zamok.adm.crans.org,!omnomnom.adm.crans.org,!owl.adm.crans.org,!owncloud-srv.adm.crans.org
 | 
			
		||||
  roles:
 | 
			
		||||
    - nfs-autofs
 | 
			
		||||
 | 
			
		||||
# Redirect local mail to mailserver
 | 
			
		||||
# Should be on server,!redisdead.adm.crans.org
 | 
			
		||||
- hosts: prometheus.adm.crans.org,cas-srv.adm.crans.org,fyre.adm.crans.org,sitesweb.adm.crans.org,cochon.adm.crans.org,gateau.adm.crans.org,test_vm
 | 
			
		||||
- hosts: crans_server,test_vm,!redisdead.adm.crans.org
 | 
			
		||||
  vars:
 | 
			
		||||
    mail_root: root@crans.org
 | 
			
		||||
    mail_snmp_server: smtp.adm.crans.org
 | 
			
		||||
| 
						 | 
				
			
			@ -96,6 +87,7 @@
 | 
			
		|||
  roles:
 | 
			
		||||
    - ansible
 | 
			
		||||
 | 
			
		||||
# Tools for memebers
 | 
			
		||||
- hosts: zamok.adm.crans.org
 | 
			
		||||
  roles:
 | 
			
		||||
    - zamok-tools
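Review bot: The merged common play still carries `ssh_pub_keys`, documented as root keys "to use when LDAP is broken", yet the `openssh` role it now lists deletes `/root/.ssh/authorized_keys` and `authorized_keys2`, and none of the roles named here visibly re-deploys those keys; unless some task outside this diff writes them to a path named by `AuthorizedKeysFile`, the play removes the break-glass access it describes. I would state the consumer right above the variable, e.g. `# Consumed by <role>: keys are written to <path>, not /root/.ssh/authorized_keys`, or drop the variable if nothing reads it. Role order also matters here: `ldap-client` runs before `openssh` and `sudo`, so a host whose LDAP setup fails mid-play still has its SSH access restricted to `ssh_allow_groups` on the next run — a short comment on why this order was chosen would help the next reviewer.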
 | 
			
		||||
| 
						 | 
				
			
			
 | 
			
		|||
| 
						 | 
				
			
			@ -1,8 +0,0 @@
 | 
			
		|||
---
 | 
			
		||||
- name: Delete authorized SSH keys for root account
 | 
			
		||||
  file:
 | 
			
		||||
    path: "{{ item }}"
 | 
			
		||||
    state: absent
 | 
			
		||||
  loop:
 | 
			
		||||
    - /root/.ssh/authorized_keys
 | 
			
		||||
    - /root/.ssh/authorized_keys2
 | 
			
		||||
| 
						 | 
				
			
			@ -3,7 +3,7 @@
 | 
			
		|||
  file:
 | 
			
		||||
    path: /usr/scripts
 | 
			
		||||
    state: directory
 | 
			
		||||
    mode: '2775'
 | 
			
		||||
    mode: "2775"
 | 
			
		||||
    owner: root
 | 
			
		||||
    group: nounou
 | 
			
		||||
 | 
			
		||||
| 
						 | 
				
			
			@ -18,7 +18,7 @@
 | 
			
		|||
 | 
			
		||||
- name: Clone scripts repository
 | 
			
		||||
  git:
 | 
			
		||||
    repo: 'http://gitlab.adm.crans.org/nounous/scripts.git'
 | 
			
		||||
    repo: "{{ crans_scripts_git }}"
 | 
			
		||||
    dest: /usr/scripts
 | 
			
		||||
    version: master
 | 
			
		||||
    umask: '002'
 | 
			
		||||
    umask: "002"
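Review bot: `repo` now comes from `crans_scripts_git`, whose only visible value in base.yml is a plaintext `http://` URL, and the clone stays at `version: master` into the setgid, group-writable `/usr/scripts` (mode "2775", group nounou), so anyone able to answer for gitlab.adm.crans.org on the adm network decides what these scripts do on every server. If the scripts run with privileges, prefer an `https://` or `ssh://` URL and make the ref pinnable too, e.g. `version: "{{ crans_scripts_version | default('master') }}"`, so a deployment can be fixed to a tag or commit. The `git` task may have further arguments after `umask` outside the hunk.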
 | 
			
		||||
| 
						 | 
				
			
			@ -1,34 +0,0 @@
 | 
			
		|||
---
 | 
			
		||||
# Install LDAP client packages
 | 
			
		||||
- name: Install LDAP client packages
 | 
			
		||||
  apt:
 | 
			
		||||
    update_cache: true
 | 
			
		||||
    name:
 | 
			
		||||
      - nslcd
 | 
			
		||||
      - libnss-ldapd
 | 
			
		||||
      - libpam-ldapd
 | 
			
		||||
      - nscd  # local cache
 | 
			
		||||
    state: present
 | 
			
		||||
  register: apt_result
 | 
			
		||||
  retries: 3
 | 
			
		||||
  until: apt_result is succeeded
 | 
			
		||||
 | 
			
		||||
# Configure /etc/nslcd.conf
 | 
			
		||||
- name: Configure nslcd LDAP credentials
 | 
			
		||||
  template:
 | 
			
		||||
    src: nslcd.conf.j2
 | 
			
		||||
    dest: /etc/nslcd.conf
 | 
			
		||||
    mode: 0600
 | 
			
		||||
  notify: Restart nslcd service
 | 
			
		||||
 | 
			
		||||
# Configure /etc/nsswitch.conf
 | 
			
		||||
- name: Configure NSS to use LDAP
 | 
			
		||||
  lineinfile:
 | 
			
		||||
    dest: /etc/nsswitch.conf
 | 
			
		||||
    regexp: "^{{ item }}:"
 | 
			
		||||
    line: "{{ item }}:         files ldap"
 | 
			
		||||
  loop:
 | 
			
		||||
    - passwd
 | 
			
		||||
    - group
 | 
			
		||||
    - shadow
 | 
			
		||||
  notify: Restart nslcd service
 | 
			
		||||
| 
						 | 
				
			
			@ -1,6 +1,37 @@
 | 
			
		|||
---
 | 
			
		||||
# Install and configure main LDAP tools
 | 
			
		||||
- include_tasks: install_ldap.yml
 | 
			
		||||
# Install LDAP client packages
 | 
			
		||||
- name: Install LDAP client packages
 | 
			
		||||
  apt:
 | 
			
		||||
    update_cache: true
 | 
			
		||||
    name:
 | 
			
		||||
      - nslcd
 | 
			
		||||
      - libnss-ldapd
 | 
			
		||||
      - libpam-ldapd
 | 
			
		||||
      - nscd  # local cache
 | 
			
		||||
    state: present
 | 
			
		||||
  register: apt_result
 | 
			
		||||
  retries: 3
 | 
			
		||||
  until: apt_result is succeeded
 | 
			
		||||
 | 
			
		||||
# Configure /etc/nslcd.conf
 | 
			
		||||
- name: Configure nslcd LDAP credentials
 | 
			
		||||
  template:
 | 
			
		||||
    src: nslcd.conf.j2
 | 
			
		||||
    dest: /etc/nslcd.conf
 | 
			
		||||
    mode: 0600
 | 
			
		||||
  notify: Restart nslcd service
 | 
			
		||||
 | 
			
		||||
# Configure /etc/nsswitch.conf
 | 
			
		||||
- name: Configure NSS to use LDAP
 | 
			
		||||
  lineinfile:
 | 
			
		||||
    dest: /etc/nsswitch.conf
 | 
			
		||||
    regexp: "^{{ item }}:"
 | 
			
		||||
    line: "{{ item }}:         files ldap"
 | 
			
		||||
  loop:
 | 
			
		||||
    - passwd
 | 
			
		||||
    - group
 | 
			
		||||
    - shadow
 | 
			
		||||
  notify: Restart nslcd service
 | 
			
		||||
 | 
			
		||||
# Disable passwd and chsh
 | 
			
		||||
- name: Copy passwd and chsh scripts
 | 
			
		||||
| 
						 | 
				
			
			@ -12,20 +43,3 @@
 | 
			
		|||
    - chsh
 | 
			
		||||
    - chsh.ldap
 | 
			
		||||
    - passwd
 | 
			
		||||
 | 
			
		||||
- name: Filter SSH on groups
 | 
			
		||||
  lineinfile:
 | 
			
		||||
    dest: /etc/ssh/sshd_config
 | 
			
		||||
    regexp: ^AllowGroups
 | 
			
		||||
    line: "AllowGroups {{ ssh_allow_groups }}"
 | 
			
		||||
    state: present
 | 
			
		||||
 | 
			
		||||
- name: Configure sudoers
 | 
			
		||||
  template:
 | 
			
		||||
    src: "{{ item }}.j2"
 | 
			
		||||
    dest: "/etc/{{ item }}"
 | 
			
		||||
    mode: 0440
 | 
			
		||||
  loop:
 | 
			
		||||
    - sudoers.d/custom_passprompt
 | 
			
		||||
    - sudoers.d/group_privilege
 | 
			
		||||
    - sudoers
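Review bot: `mode: 0600` on the nslcd.conf template task is an unquoted octal literal while the rest of this commit quotes modes and umasks (`"2775"`, `"002"`); Ansible only accepts it because of the leading zero, so write `mode: "0600"` and, since the task name says the file carries LDAP credentials, add `owner: root` and `group: root` so ownership does not depend on the connection user. The nsswitch task replaces each `passwd`/`group`/`shadow` line with exactly `files ldap`, which silently drops any other NSS source already present on a host (for example `systemd` when `libnss-systemd` is installed); a comment such as `# Replaces the whole line: any other NSS source already configured is dropped on purpose` would make that intent explicit. The file continues past the end of the hunk.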
 | 
			
		||||
| 
						 | 
				
			
			
 | 
			
		|||
| 
						 | 
				
			
			@ -0,0 +1,5 @@
 | 
			
		|||
---
 | 
			
		||||
- name: Restart sshd service
 | 
			
		||||
  service:
 | 
			
		||||
    name: sshd
 | 
			
		||||
    state: restarted
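Review bot: The handler targets unit `sshd`, but on Debian the openssh-server unit is `ssh.service` and `sshd` only resolves through the alias symlink created when the unit is enabled, so on a host where it is disabled the restart fails with "unit not found" — confirm against the target release or use `name: ssh`. The only notifier changes `AllowGroups`, which sshd picks up on SIGHUP, so `state: reloaded` would also suffice and avoids a restart window.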
 | 
			
		||||
| 
						 | 
				
			
			@ -0,0 +1,16 @@
 | 
			
		|||
---
 | 
			
		||||
- name: Filter SSH on groups
 | 
			
		||||
  lineinfile:
 | 
			
		||||
    dest: /etc/ssh/sshd_config
 | 
			
		||||
    regexp: ^AllowGroups
 | 
			
		||||
    line: "AllowGroups {{ ssh_allow_groups }}"
 | 
			
		||||
    state: present
 | 
			
		||||
  notify: Restart sshd service
 | 
			
		||||
 | 
			
		||||
- name: Delete authorized SSH keys for root account
 | 
			
		||||
  file:
 | 
			
		||||
    path: "{{ item }}"
 | 
			
		||||
    state: absent
 | 
			
		||||
  loop:
 | 
			
		||||
    - /root/.ssh/authorized_keys
 | 
			
		||||
    - /root/.ssh/authorized_keys2
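Review bot: The `AllowGroups` edit is written straight into `/etc/ssh/sshd_config` and the restart handler then fires with nothing checking the result, so an empty or malformed `ssh_allow_groups` yields a line sshd refuses to parse and the restart leaves the host without SSH. Add `validate: /usr/sbin/sshd -t -f %s` to the `lineinfile` task so the file is only replaced when sshd accepts it. Because `lineinfile` appends at end of file when `^AllowGroups` is absent, a trailing `Match` block would scope the new directive to that block; `insertbefore: '^Match'` keeps it global (it still appends at EOF when no `Match` exists). The root authorized_keys deletion is unconditional, so if `ssh_pub_keys` in base.yml is meant to remain a break-glass login, add a comment here naming where those keys are deployed instead.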
 | 
			
		||||
| 
						 | 
				
			
			@ -0,0 +1,10 @@
 | 
			
		|||
---
 | 
			
		||||
- name: Configure sudoers
 | 
			
		||||
  template:
 | 
			
		||||
    src: "{{ item }}.j2"
 | 
			
		||||
    dest: "/etc/{{ item }}"
 | 
			
		||||
    mode: 0440
 | 
			
		||||
  loop:
 | 
			
		||||
    - sudoers.d/custom_passprompt
 | 
			
		||||
    - sudoers.d/group_privilege
 | 
			
		||||
    - sudoers
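Review bot: The sudoers templates are installed without `validate`, so a Jinja or sudoers syntax error in `sudoers` or either `sudoers.d` fragment lands as-is and sudo refuses every invocation on the host until someone repairs it as root. Add `validate: /usr/sbin/visudo -cf %s` to the `template` task so the rendered file is checked before it replaces the live one. Set `owner: root` and `group: root` explicitly beside the mode, which sudo requires for the files it reads, and quote it as `mode: "0440"` for consistency with the `"2775"`/`"002"` quoting this commit introduces elsewhere.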
 | 
			
		||||