update..

ansible_dependencies-bullseye.yml

@@ -0,0 +1,20 @@
+---
+
+# Intended to be run once for every new server to secure the ssh connection allowing the team access
+# with their public keys. This script will lock itself out from every server it is run on.
+# Further playbooks are intended to be run by logging in as one of the created users.
+# It also ensures python2 is installed as it's necessary for the modules used in this playbook at
+# the time of this writing.
+
+# The used login data depends on the used server provider. In most cases the ansible_user will be
+# root, but we can't safely assume anything.
+# The following line is an example for securing a new vagrant maching, after running `vagrant up`:
+# ansible-playbook first_run.yml -i hosts -u vagrant --private-key='~/.vagrant.d/insecure_private_key'
+# For real providers it could look like:
+# ansible-playbook first_run.yml -i hosts -u root --private-key='~/.ssh/id_rsa'
+# If you don't have a ssh-key on the server and the server expects password authentication use:
+# ansible-playbook first_run.yml -i hosts -u root --ask-pass
+
+- hosts: all
+  roles:
+    - ansible_dependencies-bullseye

ansible_dependencies.yml

@@ -0,0 +1,20 @@
+---
+
+# Intended to be run once for every new server to secure the ssh connection allowing the team access
+# with their public keys. This script will lock itself out from every server it is run on.
+# Further playbooks are intended to be run by logging in as one of the created users.
+# It also ensures python2 is installed as it's necessary for the modules used in this playbook at
+# the time of this writing.
+
+# The used login data depends on the used server provider. In most cases the ansible_user will be
+# root, but we can't safely assume anything.
+# The following line is an example for securing a new vagrant maching, after running `vagrant up`:
+# ansible-playbook first_run.yml -i hosts -u vagrant --private-key='~/.vagrant.d/insecure_private_key'
+# For real providers it could look like:
+# ansible-playbook first_run.yml -i hosts -u root --private-key='~/.ssh/id_rsa'
+# If you don't have a ssh-key on the server and the server expects password authentication use:
+# ansible-playbook first_run.yml -i hosts -u root --ask-pass
+
+- hosts: all
+  roles:
+    - ansible_dependencies

ansible_user.yml

@@ -0,0 +1,20 @@
+---
+
+# Intended to be run once for every new server to secure the ssh connection allowing the team access
+# with their public keys. This script will lock itself out from every server it is run on.
+# Further playbooks are intended to be run by logging in as one of the created users.
+# It also ensures python2 is installed as it's necessary for the modules used in this playbook at
+# the time of this writing.
+
+# The used login data depends on the used server provider. In most cases the ansible_user will be
+# root, but we can't safely assume anything.
+# The following line is an example for securing a new vagrant maching, after running `vagrant up`:
+# ansible-playbook first_run.yml -i hosts -u vagrant --private-key='~/.vagrant.d/insecure_private_key'
+# For real providers it could look like:
+# ansible-playbook first_run.yml -i hosts -u root --private-key='~/.ssh/id_rsa'
+# If you don't have a ssh-key on the server and the server expects password authentication use:
+# ansible-playbook first_run.yml -i hosts -u root --ask-pass
+
+- hosts: all
+  roles:
+    - ansible_user

group_vars/all/main.yml

@@ -2309,8 +2309,8 @@ apt_ansible_dependencies:
 # ---
 
 ssh_keys_admin:
-  - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC5IhVprsvVOcFPbZzD9xR0nCjZ/9qVG6RhLJ7QBSts81nRvLwnmvcMBHSf5Rfaigey7Ff5dLHfJnxRE0KDATn6n2yd/5mXpn2GAA8hDVfhdsmsb5U7bROjZNr8MmIUrP7c3msUGx1FtvzhwxtyvIWOFQpWx+W5biBa6hFjIxT1pkUJqe6fclp7xbGYKZiqZRBS4qKG5CpKnisuOYDsqYPND+OkU+PShoxGVzp1JywIVze7qeKv6GyYbRA9SP9Np+5Mit6B21Io4zOI81c2Rz6sPX7mwEAQEs7iCm2hzG8qJws45Lb4ERqDkVEVhGNUyHjHgGebS1sZx1mLExdurXlPm1l/EamkncDFDCutHXtLP7lsFFiym7fKUjSEgiiLmyu5Xm+mwZvesKa1FYNaeiFWfYZpCJrNzIk+ffs+mgg3kmL4Sd4Ooy7jXPX+WJe5Xyh1KLU/+Wj2TVrhN+LbmupYAti/Wgd3DA1v601svmG82aLmyJRtKC0rGMePH3kDbtqU72kYpzI8mXERe1TIQ00Z77kQBR/7BF/9y5/0YmYDcXt1wNCoSie+mzz3xYcEdLAc7T+DhYpd4M6VgWnuz/exzRzhQwoSdEKkEED8CpEoBrEWEiMdrlElGmlkVomLU7P9i9j1rshX/pAq0asnqeSoPdC3vNbU3keiJQnhIHECvw== chris@luna'
+  - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
-  - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCyWbdnjnN/xfy1F6kPbsRXp8zvJEh8uHfTZuZKyaRV/iRuhsvqRiDB+AhUAlIaPwgQ8itaI6t5hijD+sZf+2oXXbNy3hkOHTrCDKCoVAWfMRKPuA1m8RqS4ZXXgayaeCzVnPEq6UrC5z0wO/XBwAktT37RRSQ/Hq2zCHy36NQEQYrhF3+ytX7ayb10pJAMVGRctYmr5YnLEVMSIREbPxZTNc80H1zqNPVJwYZhl8Ox61U4MoNhJmJwbKWPRPZsJpbTh9W2EU37tdwRBVQP6yxhua3TR6C7JnNPVY0IK23BYlNtQEDY4PHcIuewkamEWpP0+jhEjtwy1TqjRPdU/y+2uQjC6FSOVMsSPxgd8mw4cSsfp+Ard7P+YOevUXD81+jFZ3Wz0PRXbWMWAm2OCe7n8jVvkXMz+KxSYtrsvKNw1WugJq1z//bJNMTK6ISWpqaXDevGYQRJJ8dPbMmbey40WpS5CA/l29P7fj/cOl59w3LZGshrMOm7lVz9qysVV0ylfE3OpfKCGitkpY0Asw4lSkuLHoNZnDo6I5/ulRuKi6gsLk27LO5LYS8Zm1VOis/qHk1Gg1+QY47C4RzdTUxlU1CGesPIiQ1uUX2Z4bD7ebTrrOuEFcmNs3Wu5nif21Qq0ELEWhWby6ChFrbFHPn+hWlDwNM0Nr11ftwg0+sqVw== root@luna'
+  - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
 
 ansible_remote_user:
   - name: lokaladmin

hosts

@@ -25,6 +25,7 @@ pc124.mbr-bln.netz
 pc125.mbr-bln.netz
 pc126.mbr-bln.netz
 pc127.mbr-bln.netz
+pc128.mbr-bln.netz
 pc131.mbr-bln.netz
 pc135.mbr-bln.netz
 
@@ -52,6 +53,7 @@ pc124.mbr-bln.netz
 pc125.mbr-bln.netz
 pc126.mbr-bln.netz
 pc127.mbr-bln.netz
+pc128.mbr-bln.netz
 pc131.mbr-bln.netz
 pc135.mbr-bln.netz
 
@@ -106,6 +108,7 @@ pc124.mbr-bln.netz
 pc125.mbr-bln.netz
 pc126.mbr-bln.netz
 pc127.mbr-bln.netz
+pc128.mbr-bln.netz
 pc131.mbr-bln.netz
 pc135.mbr-bln.netz
 

roles/ansible_dependencies-bullseye/tasks/main.yml

@@ -0,0 +1,47 @@
+---
+
+- name: re-synchronize the package index files from their sources
+  raw: apt-get update
+  
+- name: Ensure aptitude is present
+  raw: test -e /usr/bin/aptitude || apt-get install aptitude -y
+
+- name: Ensure python2 is present (This is necessary for ansible to work properly)
+  raw: test -e /usr/bin/python2 || (apt -y update && apt install -y python-is-python2)
+
+- name: Ensure python3 is present (This is necessary for ansible to work properly)
+  raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3)
+
+- name: Ensure python-apt-common is present (This is necessary for ansible to work properly)
+  raw: test -e  /usr/bin/python2 && (apt -y update && apt install -y python-apt-common)
+
+- name: Ensure python-apt is present (This is necessary for ansible to work properly)
+  raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3-apt)
+
+- name: dpkg --configure -a
+  command: >
+    dpkg --configure -a
+  args:
+    warn: false
+  changed_when: _dpkg_configure.stdout_lines | length
+  register: _dpkg_configure
+  when: apt_dpkg_configure|bool
+  tags:
+    - ansible-dependencies
+
+- name: apt upgrade
+  apt:
+    upgrade: "{{ apt_upgrade_type }}"
+    update_cache: true
+    dpkg_options: "{{ apt_upgrade_dpkg_options | join(',') }}"
+  when: apt_upgrade|bool
+  tags:
+    - ansible-dependencies
+
+- name: apt install ansible dependencies
+  apt:
+    name: "{{ apt_ansible_dependencies }}"
+    state: "{{ apt_install_state }}"
+  tags:
+    - ansible-dependencies
+

roles/common/tasks/main.yml

@@ -223,6 +223,7 @@
     - x11vnc-1604
     - finish-client-install
 
+
 - name: "For OS: Ubuntu 18.04LTS, Arch: amd64"
   import_tasks: ubuntu-x11vnc-1804-amd64.yml
   when:

roles/common/tasks/nis-install-client.yml

@@ -74,6 +74,15 @@
     - nis-install
     - nis-install-client
 
+- name: (nis-install-client.yml) Adjust file /etc/default/nis - set 'YPBINDARGS' (client)
+  replace:
+    path: /etc/default/nis
+    regexp: '^YPBINDARGS=.*'
+    replace: 'YPBINDARGS='
+  tags:
+    - nis-install
+    - nis-install-client
+
 
 # ---
 # /etc/{passwd,group,shadow}

roles/common/tasks/nis-install-server.yml

@@ -37,6 +37,48 @@
     - nis-install-client
 
 
+# ---
+# Since Debian 11 (bullseye) password hashing uses 'yescrypt' by default. 
+#
+# Note:
+#    'yescrypt' is not supported by Debian 10 (buster) nor by Ubuntu 18.04 and smaller
+#
+# ---
+
+- name: (nis-install-server.yml) Check if file '/etc/pam.d/common-password' exists 
+  stat:
+    path: /etc/pam.d/common-password
+  register: file_etc_pam_d_common_password
+  tags:
+    - nis-install
+    - nis-install-server
+  when:
+    - ansible_facts['distribution'] == "Debian"
+    - ansible_facts['distribution_major_version']|int >= 11
+
+- name: (nis-install-server.yml) Check if default hash for password is 'yescrypt'
+  shell: "grep -i -q -E  '^password.+yescrypt' /etc/pam.d/common-password"
+  register: presence_of_passwprd_hashing_yescrypt
+  changed_when: 
+    - presence_of_passwprd_hashing_yescrypt.rc < 1
+  failed_when:
+    - presence_of_passwprd_hashing_yescrypt.rc >= 2
+  when:
+    - ansible_facts['distribution'] == "Debian"
+    - ansible_distribution_major_version|int >= 11
+    - ansible_distribution_major_version|int <= 12
+    - file_etc_pam_d_common_password.stat.exists == True
+
+- name: (nis-install-server.yml) Change default password hash for local system accounts from SHA-512 to yescrypt
+  shell: perl -i -n -p -e "s/^(password.+)yescrypt/\1sha512/" /etc/pam.d/common-password
+  when:
+    - ansible_facts['distribution'] == "Debian"
+    - ansible_facts['distribution_major_version']|int >= 11
+    - ansible_facts['distribution_major_version']|int <= 12
+    - file_etc_pam_d_common_password.stat.exists == True
+    - presence_of_passwprd_hashing_yescrypt is changed
+
+
 # ---
 # /etc/default/nis
 # ---