diff --git a/backup.yml b/backup.yml
deleted file mode 100644
index 1b991d86..00000000
--- a/backup.yml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-# Playbook to deploy backup client
-- hosts: all
- vars:
- backuppc_rsyncd_passwd: "{{ vault_backuppc_rsyncd_passwd }}"
- roles:
- - rsync-client
diff --git a/base.yml b/base.yml
index fcaee722..8aadb4a9 100644
--- a/base.yml
+++ b/base.yml
@@ -1,9 +1,46 @@
 ---
-# Playbook to deploy common Crans configuration and tools
+# Deploy common Crans configuration and tools
 - hosts: all
 vars:
 # Debian mirror on adm
 debian_mirror: http://mirror.adm.crans.org/debian
+
+ # Backup password
+ backuppc_rsyncd_passwd: "{{ vault_backuppc_rsyncd_passwd }}"
 roles:
 - debian-apt-sources
 - common-tools
+ - rsync-client
+
+ # Plug LDAP on all servers
+ - hosts: all
+ vars:
+ # LDAP binding
+ ldap_base: 'dc=crans,dc=org'
+ ldap_master_ipv4: '10.231.136.19'
+ ldap_local_replica_uri:
+ - "ldpa://10.231.136.38"
+ - "ldpa://10.231.136.4"
+ ldap_master_uri: "ldap://{{ ldap_master_ipv4 }}"
+ ldap_user_tree: "cn=Utilisateurs,{{ ldap_base }}"
+ ldap_nslcd_bind_dn: "cn=nslcd,ou=service-users,{{ ldap_base }}"
+ ldap_nslcd_passwd: "{{ vault_ldap_nslcd_passwd }}"
+
+ # Group permissions
+ ssh_allow_groups: ssh nounou apprenti cableur root
+
+ # Scripts will tell users to go there to manage their account
+ intranet_url: 'https://intranet.crans.org/'
+
+ # SSH keys for root account to use when LDAP is broken
+ ssh_pub_keys: "{{ vault_ssh_pub_keys }}"
+ roles:
+ - ldap-client
+
+ # Deploy LDAP replica
+ - hosts: odlyd.adm.crans.org,soyouz.adm.crans.org,fy.adm.crans.org,thot.adm.crans.org
+ roles: [] # TODO
+
+ # Playbook to deploy NFS
+ - hosts: crans,!odlyd.adm.crans.org
+ roles: [] # TODO
diff --git a/dns.yml b/dns.yml
deleted file mode 100644
index e23c4e2f..00000000
--- a/dns.yml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-# Playbook to deploy DNS server
-- hosts: odlyd.adm.crans.org
- roles: [] # TODO
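Review bot: The two `ldap_local_replica_uri` entries in the new LDAP play spell the scheme `ldpa://`, a typo for `ldap://`; they should read `- "ldap://10.231.136.38"` and `- "ldap://10.231.136.4"`. The typo is carried over verbatim from the deleted ldap.yml, so this move is the moment to correct it rather than propagate it into base.yml; how the ldap-client role reacts to an unparseable replica URI is not visible here, but every lookup going to the master instead of a local replica is the likely effect. The placeholder plays at the end of the hunk (`roles: [] # TODO`), like the two added in network.yml, still connect to and gather facts from every listed host on each run; `gather_facts: false` on them avoids that cost until the roles exist.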
diff --git a/firewall.yml b/firewall.yml
deleted file mode 100644
index 8c335cf4..00000000
--- a/firewall.yml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-# Playbook to firewall
-- hosts: gulp.adm.crans.org
- roles: [] # TODO
diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
new file mode 100644
index 00000000..748e5f95
--- /dev/null
+++ b/group_vars/all/vars.yml
@@ -0,0 +1,3 @@
+---
+# Use Python 3
+ansible_python_interpreter: /usr/bin/python3
diff --git a/hosts b/hosts
index ab4125d8..2a474e93 100644
--- a/hosts
+++ b/hosts
@@ -65,6 +65,7 @@ boeing.adm.crans.org
 [ovh-physical]
 #soyouz.adm.crans.org
+sputnik.adm.crans.org
 # everything at crans
 [crans:children]
diff --git a/ldap.yml b/ldap.yml
deleted file mode 100644
index 08a890fa..00000000
--- a/ldap.yml
+++ /dev/null
@@ -1,29 +0,0 @@
----
-# Plug LDAP on all servers
-- hosts: all
- vars:
- # LDAP binding
- ldap_base: 'dc=crans,dc=org'
- ldap_master_ipv4: '10.231.136.19'
- ldap_local_replica_uri:
- - "ldpa://10.231.136.38"
- - "ldpa://10.231.136.4"
- ldap_master_uri: "ldap://{{ ldap_master_ipv4 }}"
- ldap_user_tree: "cn=Utilisateurs,{{ ldap_base }}"
- ldap_nslcd_bind_dn: "cn=nslcd,ou=service-users,{{ ldap_base }}"
- ldap_nslcd_passwd: "{{ vault_ldap_nslcd_passwd }}"
-
- # Group permissions
- ssh_allow_groups: ssh nounou apprenti cableur root
-
- # Scripts will tell users to go there to manage their account
- intranet_url: 'https://intranet.crans.org/'
-
- # SSH keys for root account to use when LDAP is broken
- ssh_pub_keys: "{{ vault_ssh_pub_keys }}"
- roles:
- - ldap-client
-
- # Deploy LDAP replica
- - hosts: odlyd.adm.crans.org,soyouz.adm.crans.org,fy.adm.crans.org,thot.adm.crans.org
- roles: [] # TODO
diff --git a/network.yml b/network.yml
index 72875d35..cfa53495 100644
--- a/network.yml
+++ b/network.yml
@@ -6,3 +6,11 @@
 debian_mirror: http://mirror.adm.crans.org/debian
 roles:
 - wireguard
+
+ # Deploy DNS server
+ - hosts: odlyd.adm.crans.org
+ roles: [] # TODO
+
+ # Deploy firewall
+ - hosts: gulp.adm.crans.org
+ roles: [] # TODO
diff --git a/nfs.yml b/nfs.yml
deleted file mode 100644
index 11f950da..00000000
--- a/nfs.yml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-# Playbook to deploy NFS
-- hosts: crans,!odlyd.adm.crans.org
- roles: [] # TODO
diff --git a/roles/ldap-client/tasks/main.yml b/roles/ldap-client/tasks/main.yml
index 110ce8ac..334b0ff1 100644
--- a/roles/ldap-client/tasks/main.yml
+++ b/roles/ldap-client/tasks/main.yml
@@ -2,10 +2,17 @@
 # Install and configure main LDAP tools
 - include_tasks: install_ldap.yml
-# Some userland scripts specific to LDAP install
-- include_tasks: userland_scripts.yml
+# Disable passwd and chsh
+- name: Copy passwd and chsh scripts
+ template:
+ src: bin/passwd.j2
+ dest: "/usr/local/bin/{{ item }}"
+ mode: 0755
+ loop:
+ - chsh
+ - chsh.ldap
+ - passwd
-# Filter SSH on groups
 - name: Filter SSH on groups
 lineinfile:
 dest: /etc/ssh/sshd_config
@@ -13,6 +20,16 @@
 line: "AllowGroups {{ ssh_allow_groups }}"
 state: present
+- name: Configure sudoers
+ template:
+ src: "{{ item }}.j2"
+ dest: "/etc/{{ item }}"
+ mode: 0440
+ loop:
+ - sudoers.d/custom_passprompt
+ - sudoers.d/group_privilege
+ - sudoers
+
+ # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=568577
 - name: Ensure home directories are created upon login
 lineinfile:
diff --git a/roles/ldap-client/tasks/userland_scripts.yml b/roles/ldap-client/tasks/userland_scripts.yml
deleted file mode 100644
index fa41780b..00000000
--- a/roles/ldap-client/tasks/userland_scripts.yml
+++ /dev/null
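Review bot: `Copy passwd and chsh scripts` now renders `bin/passwd.j2` for all three loop items, so `/usr/local/bin/chsh` and `chsh.ldap` get whatever wording that template carries; the deleted chsh.j2 told users to change their shell on the intranet, and passwd.j2's content is not in this diff, so it is worth confirming its message is not password-specific, or passing the item name into the template for a per-command message. The fixed `src: bin/passwd.j2` next to a three-item loop also reads oddly against the old `src: "{{ item }}.j2"`; a one-line comment such as `# one generic wrapper template for all three commands, each only points users to the intranet` would make the intent clear. Quoting the mode (`mode: "0755"`) avoids the octal/decimal ambiguity that yamllint flags on the unquoted form.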
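Review bot: `Configure sudoers` writes `/etc/sudoers` and the two `sudoers.d` drop-ins with the template module but no syntax check, so a rendering error in any of the three templates leaves every targeted host without a working sudo until someone repairs it as root. The template module's `validate` option runs a command on the temporary file before it is moved into place; adding `validate: '/usr/sbin/visudo -cf %s'` to the task makes a broken template fail the play instead of the hosts. The quoting remark from the first hunk applies here too: `mode: "0440"`.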
@@ -1,17 +0,0 @@
----
-# Disable passwd and chsh
-- name: Copy passwd and chsh scripts
- template:
- src: "{{ item }}.j2"
- dest: /usr/local/bin/{{ item }}
- mode: 0755
- loop:
- - chsh
- - passwd
-
- # We do not want password change this way
- - name: Symlink chsh.ldap to chsh
- file:
- src: /usr/local/bin/chsh
- dest: /usr/local/bin/chsh.ldap
- state: link
diff --git a/roles/ldap-client/templates/passwd.j2 b/roles/ldap-client/templates/bin/passwd.j2
similarity index 100%
rename from roles/ldap-client/templates/passwd.j2
rename to roles/ldap-client/templates/bin/passwd.j2
diff --git a/roles/ldap-client/templates/chsh.j2 b/roles/ldap-client/templates/chsh.j2
deleted file mode 100644
index 9e6f30f3..00000000
--- a/roles/ldap-client/templates/chsh.j2
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-# {{ ansible_managed }}
-echo "Pour changer votre shell,\nAllez sur l'intranet : {{intranet_url}}"
diff --git a/roles/ldap-client/templates/sudoers.d/custom_passprompt.j2 b/roles/ldap-client/templates/sudoers.d/custom_passprompt.j2
new file mode 100644
index 00000000..27e69564
--- /dev/null
+++ b/roles/ldap-client/templates/sudoers.d/custom_passprompt.j2
@@ -0,0 +1,4 @@
+# {{ ansible_managed }}
+# Change prompt
+Defaults passprompt_override
+Defaults passprompt="[sudo] mot de passe pour %p sur %h: "
diff --git a/roles/ldap-client/templates/sudoers.d/group_privilege.j2 b/roles/ldap-client/templates/sudoers.d/group_privilege.j2
new file mode 100644
index 00000000..0239609b
--- /dev/null
+++ b/roles/ldap-client/templates/sudoers.d/group_privilege.j2
@@ -0,0 +1,3 @@
+# {{ ansible_managed }}
+# Group privilege specification
+%nounou ALL=(ALL:ALL) ALL
diff --git a/roles/ldap-client/templates/sudoers.j2 b/roles/ldap-client/templates/sudoers.j2
new file mode 100644
index 00000000..9ad07f35
--- /dev/null
+++ b/roles/ldap-client/templates/sudoers.j2
@@ -0,0 +1,20 @@
+# {{ ansible_managed }}
+#
+# See the man page for details on how to write a sudoers file.
+#
+Defaults env_reset
+Defaults mail_badpass
+Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+
+# Host alias specification
+
+# User alias specification
+
+# Cmnd alias specification
+
+# User privilege specification
+root ALL=(ALL:ALL) ALL
+
+# See sudoers(5) for more information on "#include" directives:
+
+#includedir /etc/sudoers.d
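Review bot: The managed `/etc/sudoers` keeps the `root ALL=(ALL:ALL) ALL` rule but carries no `%sudo ALL=(ALL:ALL) ALL` line, so once this template replaces Debian's default any local account that relied on membership in the `sudo` group loses sudo; the only remaining group rule is `%nounou` in the group_privilege drop-in, which depends on LDAP group resolution through nslcd. Whether that is intended, with root's keys from `ssh_pub_keys` as the fallback when LDAP is unavailable, cannot be told from the diff, so a comment stating it, e.g. `# No %sudo rule on purpose: when LDAP is down, fall back to root via ssh_pub_keys`, would spare the next reader the question. `#includedir /etc/sudoers.d` being the last line is right, since sudo applies later entries over earlier ones and the drop-ins must be read after the Defaults above.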