update..

ansible-dependencies-bullseye-sudo.yml

@@ -0,0 +1,8 @@
+---
+
+- hosts: initial_setup
+  gather_facts: false
+
+  roles:
+     - ansible_dependencies-bullseye
+     - ansible_user

group_vars/all/main.yml

@@ -946,6 +946,13 @@ nis_user:
     is_samba_user: true
     password: 'Y7ef%9+V_LoE'
 
+  - name: henrike
+    groups:
+      - amif
+      - team
+    is_samba_user: true
+    password: '20%-hen-rike.22-!'
+
   - name: kamue
     groups:
       - team
@@ -1071,6 +1078,7 @@ samba_shares:
       - chris
       - flr
       - hannah
+      - henrike
       - kamue
       - kirstin
       - mara
@@ -1090,6 +1098,7 @@ samba_shares:
     user:
       - chris
       - hannah
+      - henrike
       - kamue
       - pierre
       - vincent
@@ -1350,7 +1359,7 @@ sudoers_server_file_group_privileges: []
 
 apt_ansible_dependencies:
   - python
-  - python-apt
+  - python-apt-common
   - python3
   - python3-apt
   - lsb-release

roles/ansible_dependencies-bullseye/tasks/main.yml

@@ -0,0 +1,47 @@
+---
+
+- name: re-synchronize the package index files from their sources
+  raw: apt-get update
+  
+- name: Ensure aptitude is present
+  raw: test -e /usr/bin/aptitude || apt-get install aptitude -y
+
+- name: Ensure python2 is present (This is necessary for ansible to work properly)
+  raw: test -e /usr/bin/python2 || (apt -y update && apt install -y python-is-python2)
+
+- name: Ensure python3 is present (This is necessary for ansible to work properly)
+  raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3)
+
+- name: Ensure python-apt-common is present (This is necessary for ansible to work properly)
+  raw: test -e  /usr/bin/python2 && (apt -y update && apt install -y python-apt-common)
+
+- name: Ensure python-apt is present (This is necessary for ansible to work properly)
+  raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3-apt)
+
+- name: dpkg --configure -a
+  command: >
+    dpkg --configure -a
+  args:
+    warn: false
+  changed_when: _dpkg_configure.stdout_lines | length
+  register: _dpkg_configure
+  when: apt_dpkg_configure|bool
+  tags:
+    - ansible-dependencies
+
+- name: apt upgrade
+  apt:
+    upgrade: "{{ apt_upgrade_type }}"
+    update_cache: true
+    dpkg_options: "{{ apt_upgrade_dpkg_options | join(',') }}"
+  when: apt_upgrade|bool
+  tags:
+    - ansible-dependencies
+
+- name: apt install ansible dependencies
+  apt:
+    name: "{{ apt_ansible_dependencies }}"
+    state: "{{ apt_install_state }}"
+  tags:
+    - ansible-dependencies
+

roles/common/tasks/nis-install-server.yml

@@ -37,6 +37,48 @@
     - nis-install-client
 
 
+# ---
+# Since Debian 11 (bullseye) password hashing uses 'yescrypt' by default. 
+#
+# Note:
+#    'yescrypt' is not supported by Debian 10 (buster) nor by Ubuntu 18.04 and smaller
+#
+# ---
+
+- name: (nis-install-server.yml) Check if file '/etc/pam.d/common-password' exists 
+  stat:
+    path: /etc/pam.d/common-password
+  register: file_etc_pam_d_common_password
+  tags:
+    - nis-install
+    - nis-install-server
+  when:
+    - ansible_facts['distribution'] == "Debian"
+    - ansible_facts['distribution_major_version']|int >= 11
+
+- name: (nis-install-server.yml) Check if default hash for password is 'yescrypt'
+  shell: "grep -i -q -E  '^password.+yescrypt' /etc/pam.d/common-password"
+  register: presence_of_passwprd_hashing_yescrypt
+  changed_when: 
+    - presence_of_passwprd_hashing_yescrypt.rc < 1
+  failed_when:
+    - presence_of_passwprd_hashing_yescrypt.rc >= 2
+  when:
+    - ansible_facts['distribution'] == "Debian"
+    - ansible_distribution_major_version|int >= 11
+    - ansible_distribution_major_version|int <= 12
+    - file_etc_pam_d_common_password.stat.exists == True
+
+- name: (nis-install-server.yml) Change default password hash for local system accounts from SHA-512 to yescrypt
+  shell: perl -i -n -p -e "s/^(password.+)yescrypt/\1sha512/" /etc/pam.d/common-password
+  when:
+    - ansible_facts['distribution'] == "Debian"
+    - ansible_facts['distribution_major_version']|int >= 11
+    - ansible_facts['distribution_major_version']|int <= 12
+    - file_etc_pam_d_common_password.stat.exists == True
+    - presence_of_passwprd_hashing_yescrypt is changed
+
+
 # ---
 # /etc/default/nis
 # ---

roles/common/templates/etc/apt/sources.list.Debian.j2

@@ -3,8 +3,24 @@
 deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }} main
 {{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }} main
 
-deb http://security.debian.org/ {{ ansible_lsb.codename }}/updates main
+{% if ansible_facts['distribution_major_version'] | int >= 11 %}
-{{ '# ' if not apt_src_enable else '' }}deb-src http://security.debian.org/ {{ ansible_lsb.codename }}/updates main
+deb http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main contrib non-free
+{% else %}
+deb http://security.debian.org/ {{ ansible_lsb.codename }}/updates main contrib non-free
+{% endif %}
+{% if not apt_src_enable %}
+{% if ansible_facts['distribution_major_version'] | int >= 11 %}
+#deb-src http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main contrib non-free
+{% else %}
+#deb-src http://security.debian.org/ {{ ansible_lsb.codename }}/updates main contrib non-free
+{% endif %}
+{% else %}
+{% if ansible_facts['distribution_major_version'] | int >= 11 %}
+deb-src http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main contrib non-free
+{% else %}
+deb-src http://security.debian.org/ {{ ansible_lsb.codename }}/updates main contrib non-free
+{% endif %}
+{% endif %}
 
 # {{ ansible_lsb.codename }}-updates, previously known as 'volatile'
 deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }}-updates main

roles/common/templates/etc/apt/sources.list.Ubuntu.j2

@@ -0,0 +1,11 @@
+# {{ ansible_managed }}
+
+deb {{ apt_ubuntu_mirror }} {{ ansible_lsb.codename }} main restricted universe multiverse
+deb {{ apt_ubuntu_mirror }} {{ ansible_lsb.codename }}-updates main restricted universe multiverse
+
+deb http://security.ubuntu.com/ubuntu {{ ansible_lsb.codename }}-security main restricted universe multiverse
+
+{% if apt_backports_enable %}
+deb {{ apt_ubuntu_mirror }} {{ ansible_lsb.codename }}-backports main restricted universe multiverse
+{% endif %}
+