Split ldap role and reorder base.yml

base.yml

@@ -1,34 +1,11 @@
 ---
-# Deploy common Crans configuration and tools
+# Common CRANS configuration for all servers
-- hosts: server,test_vm,!ovh_physical
+- hosts: server
   vars:
     # Debian mirror on adm
     debian_mirror: http://mirror.adm.crans.org/debian
     debian_components: main non-free
 
-    # NTP servers
-    # TODO get this list with re2o
-    ntp_servers:
-      - charybde.adm.crans.org
-      - silice.adm.crans.org
-  roles:
-    - debian-apt-sources
-    - common-security
-    - common-tools
-    - ntp-client
-    - nfs-common
-
-# Deploy backup system
-- hosts: server
-  vars:
-    # Backup password
-    backuppc_rsyncd_passwd: "{{ vault_backuppc_rsyncd_passwd }}"
-  roles:
-    - rsync-client
-
-# Plug LDAP on all servers
-- hosts: server
-  vars:
     # LDAP binding
     ldap_base: 'dc=crans,dc=org'
     ldap_master_ipv4: '10.231.136.19'
@@ -46,15 +23,30 @@
     # Scripts will tell users to go there to manage their account
     intranet_url: 'https://intranet.crans.org/'
 
-    # SSH keys for root account to use when LDAP is broken
+    # Backup password
-    ssh_pub_keys: "{{ vault_ssh_pub_keys }}"
+    backuppc_rsyncd_passwd: "{{ vault_backuppc_rsyncd_passwd }}"
-  roles:
-    - ldap-client
 
-# Install scripts on all servers
+    # Will be in /usr/scripts/
-- hosts: server
+    crans_scripts_git: "http://gitlab.adm.crans.org/nounous/scripts.git"
+
+    # NTP servers
+    ntp_servers:
+      - charybde.adm.crans.org
+      - silice.adm.crans.org
   roles:
-    - scripts
+    - common-tools
+    - debian-apt-sources
+    - ldap-client
+    - openssh
+    - sudo
+    - rsync-client
+    - ntp-client
+    - crans-scripts
+
+# Deploy NFS only on campus
+- hosts: crans_server
+  roles:
+    - nfs-common
 
 # Document servers
 - hosts: voyager.adm.crans.org  # test only on voyager for now
@@ -70,13 +62,12 @@
   roles: []  # TODO
 
 # Playbook to deploy autofs NFS
-- hosts: crans_physical,crans_vm,!odlyd.adm.crans.org,!zamok.adm.crans.org,!omnomnom.adm.crans.org,!owl.adm.crans.org,!owncloud-srv.adm.crans.org
+- hosts: crans_server,!odlyd.adm.crans.org,!zamok.adm.crans.org,!omnomnom.adm.crans.org,!owl.adm.crans.org,!owncloud-srv.adm.crans.org
   roles:
     - nfs-autofs
 
 # Redirect local mail to mailserver
-# Should be on server,!redisdead.adm.crans.org
+- hosts: crans_server,test_vm,!redisdead.adm.crans.org
-- hosts: prometheus.adm.crans.org,cas-srv.adm.crans.org,fyre.adm.crans.org,sitesweb.adm.crans.org,cochon.adm.crans.org,gateau.adm.crans.org,test_vm
   vars:
     mail_root: root@crans.org
     mail_snmp_server: smtp.adm.crans.org
@@ -96,6 +87,7 @@
   roles:
     - ansible
 
+# Tools for memebers
 - hosts: zamok.adm.crans.org
   roles:
     - zamok-tools

roles/common-security/tasks/main.yml

@@ -1,8 +0,0 @@
----
-- name: Delete authorized SSH keys for root account
-  file:
-    path: "{{ item }}"
-    state: absent
-  loop:
-    - /root/.ssh/authorized_keys
-    - /root/.ssh/authorized_keys2

roles/crans-scripts/tasks/main.yml

@@ -3,7 +3,7 @@
   file:
     path: /usr/scripts
     state: directory
-    mode: '2775'
+    mode: "2775"
     owner: root
     group: nounou
 
@@ -18,7 +18,7 @@
 
 - name: Clone scripts repository
   git:
-    repo: 'http://gitlab.adm.crans.org/nounous/scripts.git'
+    repo: "{{ crans_scripts_git }}"
     dest: /usr/scripts
     version: master
-    umask: '002'
+    umask: "002"

roles/ldap-client/tasks/install_ldap.yml

@@ -1,34 +0,0 @@
----
-# Install LDAP client packages
-- name: Install LDAP client packages
-  apt:
-    update_cache: true
-    name:
-      - nslcd
-      - libnss-ldapd
-      - libpam-ldapd
-      - nscd  # local cache
-    state: present
-  register: apt_result
-  retries: 3
-  until: apt_result is succeeded
-
-# Configure /etc/nslcd.conf
-- name: Configure nslcd LDAP credentials
-  template:
-    src: nslcd.conf.j2
-    dest: /etc/nslcd.conf
-    mode: 0600
-  notify: Restart nslcd service
-
-# Configure /etc/nsswitch.conf
-- name: Configure NSS to use LDAP
-  lineinfile:
-    dest: /etc/nsswitch.conf
-    regexp: "^{{ item }}:"
-    line: "{{ item }}:         files ldap"
-  loop:
-    - passwd
-    - group
-    - shadow
-  notify: Restart nslcd service

roles/ldap-client/tasks/main.yml

@@ -1,6 +1,37 @@
 ---
-# Install and configure main LDAP tools
+# Install LDAP client packages
-- include_tasks: install_ldap.yml
+- name: Install LDAP client packages
+  apt:
+    update_cache: true
+    name:
+      - nslcd
+      - libnss-ldapd
+      - libpam-ldapd
+      - nscd  # local cache
+    state: present
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
+
+# Configure /etc/nslcd.conf
+- name: Configure nslcd LDAP credentials
+  template:
+    src: nslcd.conf.j2
+    dest: /etc/nslcd.conf
+    mode: 0600
+  notify: Restart nslcd service
+
+# Configure /etc/nsswitch.conf
+- name: Configure NSS to use LDAP
+  lineinfile:
+    dest: /etc/nsswitch.conf
+    regexp: "^{{ item }}:"
+    line: "{{ item }}:         files ldap"
+  loop:
+    - passwd
+    - group
+    - shadow
+  notify: Restart nslcd service
 
 # Disable passwd and chsh
 - name: Copy passwd and chsh scripts
@@ -12,20 +43,3 @@
     - chsh
     - chsh.ldap
     - passwd
-
-- name: Filter SSH on groups
-  lineinfile:
-    dest: /etc/ssh/sshd_config
-    regexp: ^AllowGroups
-    line: "AllowGroups {{ ssh_allow_groups }}"
-    state: present
-
-- name: Configure sudoers
-  template:
-    src: "{{ item }}.j2"
-    dest: "/etc/{{ item }}"
-    mode: 0440
-  loop:
-    - sudoers.d/custom_passprompt
-    - sudoers.d/group_privilege
-    - sudoers

roles/openssh/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: Restart sshd service
+  service:
+    name: sshd
+    state: restarted

roles/openssh/tasks/main.yml

@@ -0,0 +1,16 @@
+---
+- name: Filter SSH on groups
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    regexp: ^AllowGroups
+    line: "AllowGroups {{ ssh_allow_groups }}"
+    state: present
+  notify: Restart sshd service
+
+- name: Delete authorized SSH keys for root account
+  file:
+    path: "{{ item }}"
+    state: absent
+  loop:
+    - /root/.ssh/authorized_keys
+    - /root/.ssh/authorized_keys2

roles/sudo/tasks/main.yml

@@ -0,0 +1,10 @@
+---
+- name: Configure sudoers
+  template:
+    src: "{{ item }}.j2"
+    dest: "/etc/{{ item }}"
+    mode: 0440
+  loop:
+    - sudoers.d/custom_passprompt
+    - sudoers.d/group_privilege
+    - sudoers