From 7ee9460bffd725aecd172ebc489f8ac724c394db Mon Sep 17 00:00:00 2001
From: Christoph
Date: Tue, 15 Feb 2022 16:46:22 +0100
Subject: [PATCH] update..
---
 ansible-dependencies-bullseye-sudo.yml | 8 ++++
 group_vars/all/main.yml | 11 ++++-
 .../tasks/main.yml | 47 +++++++++++++++++++
 roles/common/tasks/nis-install-server.yml | 42 +++++++++++++++++
 .../templates/etc/apt/sources.list.Debian.j2 | 20 +++++++-
 .../templates/etc/apt/sources.list.Ubuntu.j2 | 11 +++++
 6 files changed, 136 insertions(+), 3 deletions(-)
 create mode 100644 ansible-dependencies-bullseye-sudo.yml
 create mode 100644 roles/ansible_dependencies-bullseye/tasks/main.yml
 create mode 100644 roles/common/templates/etc/apt/sources.list.Ubuntu.j2
diff --git a/ansible-dependencies-bullseye-sudo.yml b/ansible-dependencies-bullseye-sudo.yml
new file mode 100644
index 0000000..b52ca42
--- /dev/null
+++ b/ansible-dependencies-bullseye-sudo.yml
@@ -0,0 +1,8 @@
+---
+
+- hosts: initial_setup
+ gather_facts: false
+
+ roles:
+ - ansible_dependencies-bullseye
+ - ansible_user
diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml
index a7f1c74..7dd1382 100644
--- a/group_vars/all/main.yml
+++ b/group_vars/all/main.yml
@@ -946,6 +946,13 @@ nis_user:
 is_samba_user: true
 password: 'Y7ef%9+V_LoE'
+ - name: henrike
+ groups:
+ - amif
+ - team
+ is_samba_user: true
+ password: '20%-hen-rike.22-!'
+
 - name: kamue
 groups:
 - team
@@ -1071,6 +1078,7 @@ samba_shares:
 - chris
 - flr
 - hannah
+ - henrike
 - kamue
 - kirstin
 - mara
@@ -1090,6 +1098,7 @@ samba_shares:
 user:
 - chris
 - hannah
+ - henrike
 - kamue
 - pierre
 - vincent
@@ -1350,7 +1359,7 @@ sudoers_server_file_group_privileges: []
 apt_ansible_dependencies:
 - python
- - python-apt
+ - python-apt-common
 - python3
 - python3-apt
 - lsb-release
diff --git a/roles/ansible_dependencies-bullseye/tasks/main.yml b/roles/ansible_dependencies-bullseye/tasks/main.yml
new file mode 100644
index 0000000..2e522a8
--- /dev/null
+++ b/roles/ansible_dependencies-bullseye/tasks/main.yml
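Review bot: The new play runs the bullseye dependency role without `become`, yet that role's tasks call `apt-get update` and `apt install` directly (see the hunk for roles/ansible_dependencies-bullseye/tasks/main.yml further down), which need root on the target. If privilege escalation is not already configured in ansible.cfg or for the `initial_setup` group — neither is visible from this patch — add `become: true` under `- hosts: initial_setup`. `gather_facts: false` is right for a bootstrap play that has to work before Python exists on the host, so that line should stay.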
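Review bot: The new `henrike` entry in `nis_user` commits a cleartext credential, `password: '20%-hen-rike.22-!'`, next to the existing plaintext ones, so anyone with read access to the repository or its history learns the user's account password. Treat the value as compromised once it is in git history: rotate it, and store the replacement with `ansible-vault encrypt_string` or keep only a salted hash (`"{{ 'secret' | password_hash('sha512') }}"`) if the consuming role accepts one. The same applies to the pre-existing entries visible in the context lines, e.g. `password: 'Y7ef%9+V_LoE'`.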
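Review bot: `python-apt-common` is not a drop-in for the removed `python-apt`: as far as I know it is the architecture-independent data package (locales, templates) shared by the apt bindings, not the Python module, and the binding Ansible's `apt` module actually imports comes from `python3-apt`, which is already in this list. Installing it is harmless but documents a wrong intent for the next reader; either drop the line or annotate it, e.g. `- python-apt-common  # data only; the binding ansible uses is python3-apt below`.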
@@ -0,0 +1,47 @@
+---
+
+- name: re-synchronize the package index files from their sources
+ raw: apt-get update
+
+- name: Ensure aptitude is present
+ raw: test -e /usr/bin/aptitude || apt-get install aptitude -y
+
+- name: Ensure python2 is present (This is necessary for ansible to work properly)
+ raw: test -e /usr/bin/python2 || (apt -y update && apt install -y python-is-python2)
+
+- name: Ensure python3 is present (This is necessary for ansible to work properly)
+ raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3)
+
+- name: Ensure python-apt-common is present (This is necessary for ansible to work properly)
+ raw: test -e /usr/bin/python2 && (apt -y update && apt install -y python-apt-common)
+
+- name: Ensure python-apt is present (This is necessary for ansible to work properly)
+ raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3-apt)
+
+- name: dpkg --configure -a
+ command: >
+ dpkg --configure -a
+ args:
+ warn: false
+ changed_when: _dpkg_configure.stdout_lines | length
+ register: _dpkg_configure
+ when: apt_dpkg_configure|bool
+ tags:
+ - ansible-dependencies
+
+- name: apt upgrade
+ apt:
+ upgrade: "{{ apt_upgrade_type }}"
+ update_cache: true
+ dpkg_options: "{{ apt_upgrade_dpkg_options | join(',') }}"
+ when: apt_upgrade|bool
+ tags:
+ - ansible-dependencies
+
+- name: apt install ansible dependencies
+ apt:
+ name: "{{ apt_ansible_dependencies }}"
+ state: "{{ apt_install_state }}"
+ tags:
+ - ansible-dependencies
+
diff --git a/roles/common/tasks/nis-install-server.yml b/roles/common/tasks/nis-install-server.yml
index b86cf2a..ecfca9b 100644
--- a/roles/common/tasks/nis-install-server.yml
+++ b/roles/common/tasks/nis-install-server.yml
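Review bot: The guard on the "Ensure python-apt is present" task checks the wrong thing: `test -e /usr/bin/python3 || (... apt install -y python3-apt)` tests for the interpreter, which the task two above has already guaranteed, so this task never installs `python3-apt`. Test for the binding itself, e.g. `raw: python3 -c 'import apt' 2>/dev/null || (apt -y update && apt install -y python3-apt)`. The "python-apt-common" task has the inverse problem: `test -e /usr/bin/python2 && (...)` exits non-zero when python2 is absent, so the task fails instead of skipping, and none of the six `raw` tasks set `changed_when`, so every run reports changes. Separately, `args: warn: false` on the `command` task is an option that ansible-core 2.14 removed, so it will error there if that version is in reach.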
@@ -37,6 +37,48 @@
 - nis-install-client
+# ---
+# Since Debian 11 (bullseye) password hashing uses 'yescrypt' by default.
+#
+# Note:
+# 'yescrypt' is not supported by Debian 10 (buster) nor by Ubuntu 18.04 and smaller
+#
+# ---
+
+- name: (nis-install-server.yml) Check if file '/etc/pam.d/common-password' exists
+ stat:
+ path: /etc/pam.d/common-password
+ register: file_etc_pam_d_common_password
+ tags:
+ - nis-install
+ - nis-install-server
+ when:
+ - ansible_facts['distribution'] == "Debian"
+ - ansible_facts['distribution_major_version']|int >= 11
+
+- name: (nis-install-server.yml) Check if default hash for password is 'yescrypt'
+ shell: "grep -i -q -E '^password.+yescrypt' /etc/pam.d/common-password"
+ register: presence_of_passwprd_hashing_yescrypt
+ changed_when:
+ - presence_of_passwprd_hashing_yescrypt.rc < 1
+ failed_when:
+ - presence_of_passwprd_hashing_yescrypt.rc >= 2
+ when:
+ - ansible_facts['distribution'] == "Debian"
+ - ansible_distribution_major_version|int >= 11
+ - ansible_distribution_major_version|int <= 12
+ - file_etc_pam_d_common_password.stat.exists == True
+
+- name: (nis-install-server.yml) Change default password hash for local system accounts from SHA-512 to yescrypt
+ shell: perl -i -n -p -e "s/^(password.+)yescrypt/\1sha512/" /etc/pam.d/common-password
+ when:
+ - ansible_facts['distribution'] == "Debian"
+ - ansible_facts['distribution_major_version']|int >= 11
+ - ansible_facts['distribution_major_version']|int <= 12
+ - file_etc_pam_d_common_password.stat.exists == True
+ - presence_of_passwprd_hashing_yescrypt is changed
+
+
 # ---
 # /etc/default/nis
 # ---
diff --git a/roles/common/templates/etc/apt/sources.list.Debian.j2 b/roles/common/templates/etc/apt/sources.list.Debian.j2
index 8e79f45..5284dbb 100644
--- a/roles/common/templates/etc/apt/sources.list.Debian.j2
+++ b/roles/common/templates/etc/apt/sources.list.Debian.j2
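Review bot: The last task's name says the hash is changed "from SHA-512 to yescrypt", but the substitution `s/^(password.+)yescrypt/\1sha512/` does the opposite — it downgrades bullseye's yescrypt default to sha512, presumably so the pre-bullseye NIS clients named in the header comment can still verify the hashes. Rename the task to say so and record the trade-off beside it, e.g. `# Downgrade yescrypt -> sha512 so NIS clients on buster / Ubuntu <= 18.04 can verify hashes; sha512crypt is weaker against offline cracking of the distributed hashes`. The edit is also cleaner and idempotent with the builtin module instead of `shell` + `perl -i -n -p`: `replace: {path: /etc/pam.d/common-password, regexp: '^(password.+)yescrypt', replace: '\1sha512'}`, which makes the separate grep task and its `changed_when` unnecessary. Be aware that /etc/pam.d/common-password is generated by pam-auth-update, so a later run of it may restore yescrypt unless the file's local-modification handling is accounted for.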
@@ -3,8 +3,24 @@
 deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }} main
 {{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }} main
-deb http://security.debian.org/ {{ ansible_lsb.codename }}/updates main
-{{ '# ' if not apt_src_enable else '' }}deb-src http://security.debian.org/ {{ ansible_lsb.codename }}/updates main
+{% if ansible_facts['distribution_major_version'] | int >= 11 %}
+deb http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main contrib non-free
+{% else %}
+deb http://security.debian.org/ {{ ansible_lsb.codename }}/updates main contrib non-free
+{% endif %}
+{% if not apt_src_enable %}
+{% if ansible_facts['distribution_major_version'] | int >= 11 %}
+#deb-src http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main contrib non-free
+{% else %}
+#deb-src http://security.debian.org/ {{ ansible_lsb.codename }}/updates main contrib non-free
+{% endif %}
+{% else %}
+{% if ansible_facts['distribution_major_version'] | int >= 11 %}
+deb-src http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main contrib non-free
+{% else %}
+deb-src http://security.debian.org/ {{ ansible_lsb.codename }}/updates main contrib non-free
+{% endif %}
+{% endif %}
 # {{ ansible_lsb.codename }}-updates, previously known as 'volatile'
 deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }}-updates main
diff --git a/roles/common/templates/etc/apt/sources.list.Ubuntu.j2 b/roles/common/templates/etc/apt/sources.list.Ubuntu.j2
new file mode 100644
index 0000000..896a6c5
--- /dev/null
+++ b/roles/common/templates/etc/apt/sources.list.Ubuntu.j2
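Review bot: The security-repository block spells the same two URLs out four times so that the nesting can decide only the suite name and the `# ` prefix, and the file already has a one-line idiom for the latter on the mirror line (`{{ '# ' if not apt_src_enable else '' }}deb-src …`) that the new lines do not reuse. Setting the source once inside the version test keeps the new behaviour — `-security` suite on 11+, `/updates` before, components `main contrib non-free` — in two output lines and one place to edit for the next release. Separately, `contrib non-free` is now enabled on the security channel while the mirror line two lines up stays at `main`; if that asymmetry is intended it deserves a comment, and note that from bookworm on non-free firmware lives in a separate `non-free-firmware` component the `>= 11` branch will have to add.
```jinja
{% if ansible_facts['distribution_major_version'] | int >= 11 %}
{% set debian_security_source = 'http://security.debian.org/debian-security ' ~ ansible_lsb.codename ~ '-security main contrib non-free' %}
{% else %}
{% set debian_security_source = 'http://security.debian.org/ ' ~ ansible_lsb.codename ~ '/updates main contrib non-free' %}
{% endif %}
deb {{ debian_security_source }}
{{ '# ' if not apt_src_enable else '' }}deb-src {{ debian_security_source }}
{# … unchanged: -updates lines … #}
```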
@@ -0,0 +1,11 @@
+# {{ ansible_managed }}
+
+deb {{ apt_ubuntu_mirror }} {{ ansible_lsb.codename }} main restricted universe multiverse
+deb {{ apt_ubuntu_mirror }} {{ ansible_lsb.codename }}-updates main restricted universe multiverse
+
+deb http://security.ubuntu.com/ubuntu {{ ansible_lsb.codename }}-security main restricted universe multiverse
+
+{% if apt_backports_enable %}
+deb {{ apt_ubuntu_mirror }} {{ ansible_lsb.codename }}-backports main restricted universe multiverse
+{% endif %}
+
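Review bot: The template reads `apt_ubuntu_mirror`, which this commit does not define anywhere I can see (the group_vars hunks only touch `nis_user`, `samba_shares` and `apt_ansible_dependencies`); if it is not already set elsewhere, rendering fails with an undefined-variable error on every Ubuntu host, so either add it to group_vars or fall back with `{{ apt_ubuntu_mirror | default('http://archive.ubuntu.com/ubuntu') }}`. Unlike the Debian template this one has no deb-src lines and ignores `apt_src_enable`, and it enables `multiverse` (unsupported, non-free packages) on every pocket including `-security`; if both are deliberate, a one-line comment saying so would save the next reader the question.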