crans
/
ansible
mirror of http://gitlab.adm.crans.org/nounous/ansible.git
19
0
Fork 0
Code Issues Projects Releases Wiki Activity

Crans adpatation

certbot_on_virtu
Alexandre Iooss 2019-04-14 11:05:02 +02:00
parent 5564f48e0d
commit ec238c1abb
No known key found for this signature in database
GPG Key ID: 6C79278F3FCDCC02
4 changed files with 49 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
ldap.yml
View File

@ -4,7 +4,10 @@
vars: vars:
# LDAP binding # LDAP binding
ldap_base: 'dc=crans,dc=org' ldap_base: 'dc=crans,dc=org'
ldap_master_ipv4: '10.128.0.11' # TODO ldap_master_ipv4: '10.231.136.19'
ldap_local_replica_uri:
- "ldpa://10.231.136.38"
- "ldpa://10.231.136.4"
ldap_master_uri: "ldap://{{ ldap_master_ipv4 }}" ldap_master_uri: "ldap://{{ ldap_master_ipv4 }}"
ldap_user_tree: "cn=Utilisateurs,{{ ldap_base }}" ldap_user_tree: "cn=Utilisateurs,{{ ldap_base }}"
ldap_nslcd_bind_dn: "cn=nslcd,ou=service-users,{{ ldap_base }}" ldap_nslcd_bind_dn: "cn=nslcd,ou=service-users,{{ ldap_base }}"
@ -13,9 +16,6 @@
# Scripts will tell users to go there to manage their account # Scripts will tell users to go there to manage their account
intranet_url: 'https://intranet.crans.org/' intranet_url: 'https://intranet.crans.org/'
# Users in that group will be able to `sudo`
sudo_group: 'sudoldap' # TODO
# SSH keys for root account to use when LDAP is broken # SSH keys for root account to use when LDAP is broken
ssh_pub_keys: "{{ vault_ssh_pub_keys }}" ssh_pub_keys: "{{ vault_ssh_pub_keys }}"
roles: roles:

9
roles/ldap-client/tasks/group_security.yml
View File

@ -18,9 +18,8 @@
# Set sudo group # Set sudo group
- name: Configure sudoers sudo group - name: Configure sudoers sudo group
lineinfile: template:
src: sudoers.j2
dest: /etc/sudoers dest: /etc/sudoers
regexp: ^%{{ sudo_group }} mode: 0440
line: "%{{ sudo_group }} ALL=(ALL:ALL) ALL" validate: /usr/sbin/visudo -cf %s
state: present
validate: /usr/sbin/visudo -cf %s

8
roles/ldap-client/templates/nslcd.conf.j2
View File

@ -21,6 +21,12 @@ base group ou=posix,ou=groups,{{ ldap_base }}
# The LDAP protocol version to use. # The LDAP protocol version to use.
ldap_version 3 ldap_version 3
# Time limit to wait for an answer
timelimit 5
# Time limit to wait for a bind
bind_timelimit 5
# The DN to bind with for normal lookups. # The DN to bind with for normal lookups.
binddn {{ ldap_nslcd_bind_dn }} binddn {{ ldap_nslcd_bind_dn }}
bindpw {{ ldap_nslcd_passwd }} bindpw {{ ldap_nslcd_passwd }}
@ -30,7 +36,7 @@ bindpw {{ ldap_nslcd_passwd }}
# SSL options # SSL options
#ssl off #ssl off
#tls_reqcert never tls_reqcert allow
tls_cacertfile /etc/ssl/certs/ca-certificates.crt tls_cacertfile /etc/ssl/certs/ca-certificates.crt
# The search scope. # The search scope.

34
roles/ldap-client/templates/sudoers.j2 100644
View File

@ -0,0 +1,34 @@
# {{ ansible_managed }}
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_keep += "DARCS_EMAIL EDITOR PYTHONIOENCODING GIT_*"
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
Defaults passprompt_override
Defaults passprompt="[sudo] password for %p on %h: "
# Host alias specification
# User alias specification
User_Alias NOUNOUS= %nounou
User_Alias CABLEUR= %cableur
User_Alias ANCIEN= %ancien
User_Alias IMPRIMEURS= %imprimeurs
User_Alias BUREAU= %bureau
Runas_Alias USERS= %users
# Cmnd alias specification
# User privilege specification
root ALL=(ALL:ALL) ALL
NOUNOUS ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d