Clean up everything with esum :)

backup.yml

@@ -1,7 +0,0 @@
----
-# Playbook to deploy backup client
-- hosts: all
-  vars:
-    backuppc_rsyncd_passwd: "{{ vault_backuppc_rsyncd_passwd }}"
-  roles:
-    - rsync-client

base.yml

@@ -1,9 +1,46 @@
 ---
-# Playbook to deploy common Crans configuration and tools
+# Deploy common Crans configuration and tools
 - hosts: all
   vars:
     # Debian mirror on adm
     debian_mirror: http://mirror.adm.crans.org/debian
+
+    # Backup password
+    backuppc_rsyncd_passwd: "{{ vault_backuppc_rsyncd_passwd }}"
   roles:
     - debian-apt-sources
     - common-tools
+    - rsync-client
+
+# Plug LDAP on all servers
+- hosts: all
+  vars:
+    # LDAP binding
+    ldap_base: 'dc=crans,dc=org'
+    ldap_master_ipv4: '10.231.136.19'
+    ldap_local_replica_uri:
+      - "ldpa://10.231.136.38"
+      - "ldpa://10.231.136.4"
+    ldap_master_uri: "ldap://{{ ldap_master_ipv4 }}"
+    ldap_user_tree: "cn=Utilisateurs,{{ ldap_base }}"
+    ldap_nslcd_bind_dn: "cn=nslcd,ou=service-users,{{ ldap_base }}"
+    ldap_nslcd_passwd: "{{ vault_ldap_nslcd_passwd }}"
+
+    # Group permissions
+    ssh_allow_groups: ssh nounou apprenti cableur root
+
+    # Scripts will tell users to go there to manage their account
+    intranet_url: 'https://intranet.crans.org/'
+
+    # SSH keys for root account to use when LDAP is broken
+    ssh_pub_keys: "{{ vault_ssh_pub_keys }}"
+  roles:
+    - ldap-client
+
+# Deploy LDAP replica
+- hosts: odlyd.adm.crans.org,soyouz.adm.crans.org,fy.adm.crans.org,thot.adm.crans.org
+  roles: []  # TODO
+
+# Playbook to deploy NFS
+- hosts: crans,!odlyd.adm.crans.org
+  roles: []  # TODO

dns.yml

@@ -1,4 +0,0 @@
----
-# Playbook to deploy DNS server
-- hosts: odlyd.adm.crans.org
-  roles: []  # TODO

firewall.yml

@@ -1,4 +0,0 @@
----
-# Playbook to firewall
-- hosts: gulp.adm.crans.org
-  roles: []  # TODO

group_vars/all/vars.yml

@@ -0,0 +1,3 @@
+---
+# Use Python 3
+ansible_python_interpreter: /usr/bin/python3

hosts

@@ -65,6 +65,7 @@ boeing.adm.crans.org
 
 [ovh-physical]
 #soyouz.adm.crans.org
+sputnik.adm.crans.org
 
 # everything at crans
 [crans:children]

ldap.yml

@@ -1,29 +0,0 @@
----
-# Plug LDAP on all servers
-- hosts: all
-  vars:
-    # LDAP binding
-    ldap_base: 'dc=crans,dc=org'
-    ldap_master_ipv4: '10.231.136.19'
-    ldap_local_replica_uri:
-      - "ldpa://10.231.136.38"
-      - "ldpa://10.231.136.4"
-    ldap_master_uri: "ldap://{{ ldap_master_ipv4 }}"
-    ldap_user_tree: "cn=Utilisateurs,{{ ldap_base }}"
-    ldap_nslcd_bind_dn: "cn=nslcd,ou=service-users,{{ ldap_base }}"
-    ldap_nslcd_passwd: "{{ vault_ldap_nslcd_passwd }}"
-
-    # Group permissions
-    ssh_allow_groups: ssh nounou apprenti cableur root
-
-    # Scripts will tell users to go there to manage their account
-    intranet_url: 'https://intranet.crans.org/'
-
-    # SSH keys for root account to use when LDAP is broken
-    ssh_pub_keys: "{{ vault_ssh_pub_keys }}"
-  roles:
-    - ldap-client
-
-# Deploy LDAP replica
-- hosts: odlyd.adm.crans.org,soyouz.adm.crans.org,fy.adm.crans.org,thot.adm.crans.org
-  roles: []  # TODO

network.yml

@@ -6,3 +6,11 @@
     debian_mirror: http://mirror.adm.crans.org/debian
   roles:
     - wireguard
+
+# Deploy DNS server
+- hosts: odlyd.adm.crans.org
+  roles: []  # TODO
+
+# Deploy firewall
+- hosts: gulp.adm.crans.org
+  roles: []  # TODO

nfs.yml

@@ -1,4 +0,0 @@
----
-# Playbook to deploy NFS
-- hosts: crans,!odlyd.adm.crans.org
-  roles: []  # TODO

roles/ldap-client/tasks/main.yml

@@ -2,10 +2,17 @@
 # Install and configure main LDAP tools
 - include_tasks: install_ldap.yml
 
-# Some userland scripts specific to LDAP install
-- include_tasks: userland_scripts.yml
+# Disable passwd and chsh
+- name: Copy passwd and chsh scripts
+  template:
+    src: bin/passwd.j2
+    dest: "/usr/local/bin/{{ item }}"
+    mode: 0755
+  loop:
+    - chsh
+    - chsh.ldap
+    - passwd
 
-# Filter SSH on groups
 - name: Filter SSH on groups
   lineinfile:
     dest: /etc/ssh/sshd_config
@@ -13,6 +20,16 @@
     line: "AllowGroups {{ ssh_allow_groups }}"
     state: present
 
+- name: Configure sudoers
+  template:
+    src: "{{ item }}.j2"
+    dest: "/etc/{{ item }}"
+    mode: 0440
+  loop:
+    - sudoers.d/custom_passprompt
+    - sudoers.d/group_privilege
+    - sudoers
+
 # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=568577
 - name: Ensure home directories are created upon login
   lineinfile:

roles/ldap-client/tasks/userland_scripts.yml

@@ -1,17 +0,0 @@
----
-# Disable passwd and chsh
-- name: Copy passwd and chsh scripts
-  template:
-    src: "{{ item }}.j2"
-    dest: /usr/local/bin/{{ item }}
-    mode: 0755
-  loop:
-    - chsh
-    - passwd
-
-# We do not want password change this way
-- name: Symlink chsh.ldap to chsh
-  file:
-    src: /usr/local/bin/chsh
-    dest: /usr/local/bin/chsh.ldap
-    state: link

roles/ldap-client/templates/chsh.j2

@@ -1,3 +0,0 @@
-#!/bin/sh
-# {{ ansible_managed }}
-echo "Pour changer votre shell,\nAllez sur l'intranet : {{intranet_url}}"

roles/ldap-client/templates/sudoers.d/custom_passprompt.j2

@@ -0,0 +1,4 @@
+# {{ ansible_managed }}
+# Change prompt
+Defaults        passprompt_override
+Defaults        passprompt="[sudo] mot de passe pour %p sur %h: "

roles/ldap-client/templates/sudoers.d/group_privilege.j2

@@ -0,0 +1,3 @@
+# {{ ansible_managed }}
+# Group privilege specification
+%nounou    ALL=(ALL:ALL) ALL

roles/ldap-client/templates/sudoers.j2

@@ -0,0 +1,20 @@
+# {{ ansible_managed }}
+#
+# See the man page for details on how to write a sudoers file.
+#
+Defaults	env_reset
+Defaults	mail_badpass
+Defaults	secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+
+# Host alias specification
+
+# User alias specification
+
+# Cmnd alias specification
+
+# User privilege specification
+root	ALL=(ALL:ALL) ALL
+
+# See sudoers(5) for more information on "#include" directives:
+
+#includedir /etc/sudoers.d