ansible/mbr-bln
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Initial commit

Browse Source
This commit is contained in:
Christoph 2019-12-15 19:02:18 +01:00
commit c051eb091f
34 changed files with 3695 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored Normal file
View File

@ -0,0 +1 @@
*.swp

12
README.create_vault_string Normal file
View File

@ -0,0 +1,12 @@
# Create entcypted string
#
# ansible-vault encrypt_string '<string-to-encrypt>' --name 'password'
#
$ ansible-vault encrypt_string 'test100' --name 'password'
password: !vault |
$ANSIBLE_VAULT;1.1;AES256
33663235396237373338323536643030393235323266656333323934663431323531316638383962
3536333065363364653561366464393262663832376339630a353236316431636338373034343566
31373136613434636562353237653230633162613531313466366437663730633931346131396531
3632653737643363350a306435656633343132366461346262623131323337633663363135313563

47
ansible.cfg Normal file
View File

@ -0,0 +1,47 @@
# config file for ansible -- http://ansible.com/
# ==============================================
# exmaple:https://raw.github.com/ansible/ansible/devel/examples/ansible.cfg
#
# nearly all parameters can be overridden in ansible-playbook
# or with command line flags. ansible will read ANSIBLE_CONFIG,
# ansible.cfg in the current working directory, .ansible.cfg in
# the home directory or /etc/ansible/ansible.cfg, whichever it
# finds first
[defaults]
#ansible_managed = ** Ansible managed: DO NOT EDIT DIRECTLY **
ansible_managed = ############################################ #
# -------------------------- #
# ** DO NOT EDIT DIRECTLY ** #
# -------------------------- #
# Ansible managed file #
# ############################################ #
#gathering = smart
#fact_caching = jsonfile
#fact_caching_connection = ~/.cache/
#fact_caching_timeout = 86400
#forks = 20
inventory = ./hosts
remote_user = lokaladmin
#remote_user = root
#ask_pass=True
roles_path = ./roles
vault_password_file = mbr-bln_the_vault.sh
#retry_files_enabled = False
#allow_world_readable_tmpfiles = True
interpreter_python: auto
#interpreter_python: /usr/bin/python3
[privilege_escalation]
#become=False
become=True
become_method=sudo
become_ask_pass=True
[ssh_connection]
# By default, this option is disabled to preserve compatibility with
# sudoers configurations that have requiretty (the default on many distros).
#
#pipelining = True

20
common.yml Normal file
View File

@ -0,0 +1,20 @@
---
# Intended to be run once for every new server to secure the ssh connection allowing the team access
# with their public keys. This script will lock itself out from every server it is run on.
# Further playbooks are intended to be run by logging in as one of the created users.
# It also ensures python2 is installed as it's necessary for the modules used in this playbook at
# the time of this writing.
# The used login data depends on the used server provider. In most cases the ansible_user will be
# root, but we can't safely assume anything.
# The following line is an example for securing a new vagrant maching, after running `vagrant up`:
# ansible-playbook first_run.yml -i hosts -u vagrant --private-key='~/.vagrant.d/insecure_private_key'
# For real providers it could look like:
# ansible-playbook first_run.yml -i hosts -u root --private-key='~/.ssh/id_rsa'
# If you don't have a ssh-key on the server and the server expects password authentication use:
# ansible-playbook first_run.yml -i hosts -u root --ask-pass
- hosts: all
roles:
- common

758
group_vars/all/main.yml Normal file
View File

@ -0,0 +1,758 @@
---
# ---
# NFS
# ---
nfs_server: 192.168.112.10
# Set 'fs_encrypted' to true if filesystem lives on an encrypted
# partition.
#
nfs_exports:
- src: 192.168.112.10:/data/home
path: /data/home
mount_opts: users,rsize=8192,wsize=8192,hard,intr
export_opt: rw,root_squash,sync,subtree_check
export_networks:
- 192.168.112.0/24
- 10.0.112.0/24
- 10.1.112.0/24
- 192.168.63.0/24
fs_encrypted: false
- src: 192.168.112.10:/data/shares
path: /data/home
mount_opts: users,rsize=8192,wsize=8192,hard,intr
export_opt: rw,root_squash,sync,subtree_check
export_networks:
- 192.168.112.0/24
- 10.0.112.0/24
- 10.1.112.0/24
- 192.168.63.0/24
fs_encrypted: false
# ---
# Samba / NIS
# ---
samba_server: file-mbr.mbr-bln.netz
samba_shares:
- name: Arbeitsrechtliches
user:
- anne
- bianca
- birgit.erhardt
- christina.wendt
- chris
- sysadm
- name: Ausschreibungen
user:
- anne
- bianca
- chris
- matthias.mueller
- sysadm
- name: BGN-Finanzen-Personal
user:
- anne
- bianca
- carolin
- christina.wendt
- chris
- sysadm
- ulf.balmer
- name: BVV-Projekt
user:
- alexander.rasumny
- anna.mueller1
- anne
- benjamin
- bianca
- birgit.erhardt
- bjoern.renkewitz
- carolin
- christina.wendt
- chris
- daniel.poensgen
- doku2
- doku_4
- doku_7
- dorina.feldmann
- franziska
- johannes.radke
- judith.heinmueller
- kristina.holzapfel
- lavinia.schwedersky
- manja.kasten
- mathias
- matthias.mueller
- michael.sulies
- michael.trube
- pia.lamberty
- praktikum
- praktikum_rias
- praktikum2
- praktikum2_rias
- sabine.kritter
- samuel.signer
- scan
- simon
- sysadm
- ulf.balmer
- name: Finanzen
user:
- anne
- bianca
- birgit.erhardt
- christina.wendt
- chris
- sysadm
- name: Install
user:
- chris
- sysadm
- lokaladmin
- name: Kamera
user:
- anne
- axis
- bianca
- chris
- sysadm
- name: MBR
user:
- alexander.rasumny
- anna.mueller1
- anne
- benjamin
- bianca
- birgit.erhardt
- bjoern.renkewitz
- carolin
- christina.wendt
- chris
- daniel.poensgen
- doku2
- doku_4
- doku_7
- dorina.feldmann
- franziska
- johannes.radke
- judith.heinmueller
- kristina.holzapfel
- lavinia.schwedersky
- manja.kasten
- mathias
- matthias.mueller
- michael.sulies
- michael.trube
- pia.lamberty
- praktikum
- praktikum_rias
- praktikum2
- praktikum2_rias
- sabine.kritter
- samuel.signer
- scan
- simon
- sysadm
- ulf.balmer
- name: Mobilisierungsplattform
user:
- alexander.rasumny
- anna.mueller1
- anne
- benjamin
- bianca
- birgit.erhardt
- bjoern.renkewitz
- carolin
- christina.wendt
- chris
- daniel.poensgen
- doku2
- doku_4
- doku_7
- dorina.feldmann
- franziska
- johannes.radke
- judith.heinmueller
- kristina.holzapfel
- lavinia.schwedersky
- manja.kasten
- mathias
- matthias.mueller
- michael.sulies
- michael.trube
- pia.lamberty
- praktikum
- praktikum_rias
- praktikum2
- praktikum2_rias
- sabine.kritter
- samuel.signer
- scan
- simon
- sysadm
- ulf.balmer
- name: RIAS
user:
- alexander.rasumny
- anna.mueller1
- anne
- benjamin
- bianca
- birgit.erhardt
- bjoern.renkewitz
- carolin
- christina.wendt
- chris
- daniel.poensgen
- doku2
- doku_4
- doku_7
- dorina.feldmann
- franziska
- johannes.radke
- judith.heinmueller
- kristina.holzapfel
- lavinia.schwedersky
- manja.kasten
- mathias
- matthias.mueller
- michael.sulies
- michael.trube
- pia.lamberty
- praktikum
- praktikum_rias
- praktikum2
- praktikum2_rias
- sabine.kritter
- samuel.signer
- scan
- simon
- sysadm
- ulf.balmer
- name: RIAS-Finanzen-Personal
user:
- anne
- bianca
- benjamin
- birgit.erhardt
- christina.wendt
- chris
- sysadm
- name: SCAN
user:
- alexander.rasumny
- anna.mueller1
- anne
- benjamin
- bianca
- birgit.erhardt
- bjoern.renkewitz
- carolin
- christina.wendt
- chris
- daniel.poensgen
- doku2
- doku_4
- doku_7
- dorina.feldmann
- franziska
- johannes.radke
- judith.heinmueller
- kristina.holzapfel
- lavinia.schwedersky
- manja.kasten
- mathias
- matthias.mueller
- michael.sulies
- michael.trube
- pia.lamberty
- praktikum
- praktikum_rias
- praktikum2
- praktikum2_rias
- sabine.kritter
- samuel.signer
- scan
- simon
- sysadm
- ulf.balmer
- name: VDK
user:
- alexander.rasumny
- anna.mueller1
- anne
- benjamin
- bianca
- birgit.erhardt
- bjoern.renkewitz
- carolin
- christina.wendt
- chris
- daniel.poensgen
- doku2
- doku_4
- doku_7
- dorina.feldmann
- franziska
- johannes.radke
- judith.heinmueller
- kristina.holzapfel
- lavinia.schwedersky
- manja.kasten
- mathias
- matthias.mueller
- michael.sulies
- michael.trube
- pia.lamberty
- praktikum
- praktikum_rias
- praktikum2
- praktikum2_rias
- sabine.kritter
- samuel.signer
- scan
- simon
- sysadm
- ulf.balmer
- name: Video
user:
- alexander.rasumny
- anna.mueller1
- anne
- benjamin
- bianca
- birgit.erhardt
- bjoern.renkewitz
- carolin
- christina.wendt
- chris
- daniel.poensgen
- doku2
- doku_4
- doku_7
- dorina.feldmann
- franziska
- johannes.radke
- judith.heinmueller
- kristina.holzapfel
- lavinia.schwedersky
- manja.kasten
- mathias
- matthias.mueller
- michael.sulies
- michael.trube
- pia.lamberty
- praktikum
- praktikum_rias
- praktikum2
- praktikum2_rias
- sabine.kritter
- samuel.signer
- scan
- simon
- sysadm
- ulf.balmer
nis_domain: mbr-bln.netz
#nis_domain: local.netz
nis_server_address: 192.168.112.10
nis_server_name: file-mbr.mbr-bln.netz
#nis_server_name: luna.local.netz
nis_common_packages:
- nis
- nscd
nis_deleted_user: []
nis_base_home: /data/home
nis_groups:
- name: mbr-buero
group_id: 1200
- name: mbr-finanzen
group_id: 1210
- name: mbr-personal
group_id: 1220
- name: mbr-kamera
group_id: 1250
- name: mbr-admins
group_id: 1260
- name: vdk
group_id: 1300
- name: rias
group_id: 1400
- name: rias-finanzen-personal
group_id: 1410
- name: bgn
group_id: 1500
- name: bgn-finanzen-personal
group_id: 1510
nis_user:
- name: chris
groups:
- mbr-buero
- mbr-finanzen
- mbr-personal
- mbr-kamera
- mbr-admins
- vdk
- rias
- rias-finanzen-personal
- bgn
- bgn-finanzen-personal
is_samba_user: true
password: !vault |
$ANSIBLE_VAULT;1.1;AES256
38643435653764393333613564393733666139656264343833333632373938323230393036303234
3633303562636465643930643961663165646237386664370a386362346162313037353163383365
61343263386239316164613935633062343165363863376462653165306464633136313839343962
3865353333373661390a643564386432643532396632323664383330646430613033643130626430
6139
- name: lokaladmin
groups:
- mbr-buero
- mbr-finanzen
- mbr-personal
- mbr-kamera
- mbr-admins
- vdk
- rias
- rias-finanzen-personal
- bgn
- bgn-finanzen-personal
is_samba_user: true
password: 'd4r1usz'
- name: sysadm
groups:
- mbr-buero
- mbr-finanzen
- mbr-personal
- mbr-kamera
- mbr-admins
- vdk
- rias
- rias-finanzen-personal
- bgn
- bgn-finanzen-personal
is_samba_user: true
password: 'KPk_Wf2F'
- name: alexander.rasumny
groups:
- mbr-buero
is_samba_user: true
password: 'twT9Rjbv9mjq'
- name: anna.mueller1
groups:
- mbr-buero
is_samba_user: true
password: '5xp5ll9ar13us!'
- name: anne
groups:
- mbr-buero
- mbr-finanzen
- mbr-personal
- mbr-kamera
- mbr-admins
- vdk
- rias
- rias-finanzen-personal
- bgn
- bgn-finanzen-personal
is_samba_user: true
password: 'YA!LiLiC0MP5'
- name: axis
groups:
- mbr-buero
is_samba_user: true
password: '20_axis_16'
- name: benjamin
groups:
- mbr-buero
- vdk
- rias
- rias-finanzen-personal
is_samba_user: true
password: 'C2-0U#ch'
- name: bianca
groups:
- mbr-buero
- mbr-finanzen
- mbr-personal
- mbr-kamera
- mbr-admins
- vdk
- rias
- rias-finanzen-personal
- bgn
- bgn-finanzen-personal
is_samba_user: true
password: '73_BiBole_29'
- name: birgit.erhardt
groups:
- mbr-buero
- mbr-finanzen
- vdk
is_samba_user: true
password: '20_purpel!rain_17'
- name: bjoern.renkewitz
groups:
- mbr-buero
is_samba_user: true
password: 'Tz9-Wq-51'
- name: carolin
groups:
- mbr-buero
- bgn-finanzen-personal
is_samba_user: true
password: '20_carol1n_14'
- name: christina.wendt
groups:
- mbr-buero
- mbr-finanzen
- vdk
- rias-finanzen-personal
- bgn-finanzen-personal
is_samba_user: true
password: '8!Varianten'
- name: daniel.poensgen
groups:
- mbr-buero
is_samba_user: true
password: 'rcMRCm7jcpbp'
- name: doku_4
groups:
- mbr-buero
is_samba_user: true
password: 'PwmNvPh9KM4T'
- name: doku_7
groups:
- mbr-buero
is_samba_user: true
password: 'TFhCW9J4Vn4F'
- name: dorina.feldmann
groups:
- mbr-buero
is_samba_user: true
password: '17?4XPQ_!abc'
- name: franziska
groups:
- mbr-buero
is_samba_user: true
password: 'f49mCjbj3Jh7'
- name: frederick.kannenberg
groups:
- mbr-buero
is_samba_user: true
password: 'riasFK2019!#'
- name: doku2
groups:
- mbr-buero
is_samba_user: true
password: '*M0ss4d*'
- name: johannes.radke
groups:
- mbr-buero
is_samba_user: true
password: 'Furzf4brik!'
- name: judith.heinmueller
groups:
- mbr-buero
is_samba_user: true
password: 't32_aHxV.'
- name: kristina.holzapfel
groups:
- mbr-buero
is_samba_user: true
password: 'c7PvX_39.'
- name: lavinia.schwedersky
groups:
- mbr-buero
is_samba_user: true
password: 'xJw.3R9vKf/N'
- name: manja.kasten
groups:
- mbr-buero
is_samba_user: true
password: 'Rasili_&n'
- name: mathias
groups:
- mbr-buero
is_samba_user: true
password: 'p3r*45p3r4*4d*45tr4m'
- name: matthias.mueller
groups:
- mbr-buero
- mbr-personal
is_samba_user: true
password: 'V1v@H@f3rdr1nk'
- name: michael.sulies
groups:
- mbr-buero
is_samba_user: true
password: 'Cryst4lp4l4c3'
- name: michael.trube
groups:
- mbr-buero
- mbr-kamera
is_samba_user: true
password: '*R13sl1ng*'
- name: pia.lamberty
groups:
- mbr-buero
is_samba_user: true
password: 'oasd31*as+Q%'
- name: praktikum
groups:
- mbr-buero
is_samba_user: true
password: '_F313r4b3nd*'
- name: praktikum_rias
groups:
- mbr-buero
is_samba_user: true
password: '7z7F%d3cv_dfjz'
- name: praktikum2
groups:
- mbr-buero
is_samba_user: true
password: '20praktikum213'
- name: praktikum2_rias
groups:
- mbr-buero
is_samba_user: true
password: 'ctnrk3CczcJ9'
- name: sabine.kritter
groups:
- mbr-buero
is_samba_user: true
password: '#17_abc_?!'
- name: samuel.signer
groups:
- mbr-buero
is_samba_user: true
password: 'S4mmyC0mput3r!'
- name: scan
groups:
- mbr-buero
is_samba_user: true
password: '20scan13'
- name: simon
groups:
- mbr-buero
is_samba_user: true
password: 'S4u3rkr4ut!'
- name: ulf.balmer
groups:
- mbr-buero
- bgn
- bgn-finanzen-personal
is_samba_user: true
password: 'ALL3_e6ene#'
# ---
# vars used by roles/ansible_dependencies
# ---
apt_ansible_dependencies:
- python
- python-apt
- python3
- python3-apt
- lsb-release
- apt-transport-https
- dbus
- sudo
- vim
- net-tools
- vlan
# ---
# vars used by roles/ansible_user
# ---
ssh_keys_admin:
- 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC5IhVprsvVOcFPbZzD9xR0nCjZ/9qVG6RhLJ7QBSts81nRvLwnmvcMBHSf5Rfaigey7Ff5dLHfJnxRE0KDATn6n2yd/5mXpn2GAA8hDVfhdsmsb5U7bROjZNr8MmIUrP7c3msUGx1FtvzhwxtyvIWOFQpWx+W5biBa6hFjIxT1pkUJqe6fclp7xbGYKZiqZRBS4qKG5CpKnisuOYDsqYPND+OkU+PShoxGVzp1JywIVze7qeKv6GyYbRA9SP9Np+5Mit6B21Io4zOI81c2Rz6sPX7mwEAQEs7iCm2hzG8qJws45Lb4ERqDkVEVhGNUyHjHgGebS1sZx1mLExdurXlPm1l/EamkncDFDCutHXtLP7lsFFiym7fKUjSEgiiLmyu5Xm+mwZvesKa1FYNaeiFWfYZpCJrNzIk+ffs+mgg3kmL4Sd4Ooy7jXPX+WJe5Xyh1KLU/+Wj2TVrhN+LbmupYAti/Wgd3DA1v601svmG82aLmyJRtKC0rGMePH3kDbtqU72kYpzI8mXERe1TIQ00Z77kQBR/7BF/9y5/0YmYDcXt1wNCoSie+mzz3xYcEdLAc7T+DhYpd4M6VgWnuz/exzRzhQwoSdEKkEED8CpEoBrEWEiMdrlElGmlkVomLU7P9i9j1rshX/pAq0asnqeSoPdC3vNbU3keiJQnhIHECvw== chris@luna'
- 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCyWbdnjnN/xfy1F6kPbsRXp8zvJEh8uHfTZuZKyaRV/iRuhsvqRiDB+AhUAlIaPwgQ8itaI6t5hijD+sZf+2oXXbNy3hkOHTrCDKCoVAWfMRKPuA1m8RqS4ZXXgayaeCzVnPEq6UrC5z0wO/XBwAktT37RRSQ/Hq2zCHy36NQEQYrhF3+ytX7ayb10pJAMVGRctYmr5YnLEVMSIREbPxZTNc80H1zqNPVJwYZhl8Ox61U4MoNhJmJwbKWPRPZsJpbTh9W2EU37tdwRBVQP6yxhua3TR6C7JnNPVY0IK23BYlNtQEDY4PHcIuewkamEWpP0+jhEjtwy1TqjRPdU/y+2uQjC6FSOVMsSPxgd8mw4cSsfp+Ard7P+YOevUXD81+jFZ3Wz0PRXbWMWAm2OCe7n8jVvkXMz+KxSYtrsvKNw1WugJq1z//bJNMTK6ISWpqaXDevGYQRJJ8dPbMmbey40WpS5CA/l29P7fj/cOl59w3LZGshrMOm7lVz9qysVV0ylfE3OpfKCGitkpY0Asw4lSkuLHoNZnDo6I5/ulRuKi6gsLk27LO5LYS8Zm1VOis/qHk1Gg1+QY47C4RzdTUxlU1CGesPIiQ1uUX2Z4bD7ebTrrOuEFcmNs3Wu5nif21Qq0ELEWhWby6ChFrbFHPn+hWlDwNM0Nr11ftwg0+sqVw== root@luna'
ansible_remote_user:
- name: lokaladmin
password: $6$KLQUDbiw$qvsGUndXr2G3DxhML6maD/nsJtXfElSLQ7ufkMuJu2vACbYX7kqNXdiU17oX6CyN5L1xARZ.TiES/w7zfh0Cu/
shell: /bin/bash
# ---
# vars used by roles/common/tasks/basic.yml
# ---
time_zone: Europe/Berlin
locales:
- en_US.UTF-8
- de_DE.UTF-8
set_default_limit_nofile: false
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
sudo_users:
- lokaladmin
- chris
- sysadm
- localadmin
# /etc/sudoers
#
sudoers_defaults:
- env_reset
- mail_badpass
- 'secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"'
sudoers_host_aliases: []
sudoers_user_aliases: []
sudoers_cmnd_aliases: []
sudoers_runas_aliases: []
sudoers_user_privileges:
- name: root
entry: 'ALL=(ALL:ALL) ALL'
sudoers_group_privileges: []
# /etc/sudoers.d/50-user
#
sudoers_file_defaults: []
sudoers_file_host_aliases: []
sudoers_file_user_aliases: []
sudoers_file_cmnd_aliases:
- name: MOUNT
entry: '/bin/mount,/bin/umount'
sudoers_file_runas_aliases: []

556
group_vars/all/main.yml.00 Normal file
View File

@ -0,0 +1,556 @@
---
# ---
# NFS
# ---
nfs_server: 192.168.112.10
# Set 'fs_encrypted' to true if filesystem lives on an encrypted
# partition.
#
nfs_exports:
- src: 192.168.112.10:/data/home
path: /data/home
mount_opts: users,rsize=8192,wsize=8192,hard,intr
export_opt: rw,root_squash,sync,subtree_check
export_networks:
- 192.168.112.0/24
- 10.0.112.0/24
- 10.1.112.0/24
- 192.168.63.0/24
fs_encrypted: false
- src: 192.168.112.10:/data/shares
path: /data/home
mount_opts: users,rsize=8192,wsize=8192,hard,intr
export_opt: rw,root_squash,sync,subtree_check
export_networks:
- 192.168.112.0/24
- 10.0.112.0/24
- 10.1.112.0/24
- 192.168.63.0/24
fs_encrypted: false
# ---
# Samba / NIS
# ---
samba_server: file-mbr.mbr-bln.netz
samba_shares:
- name: Arbeitsrechtliches
user:
- anne
- bianca
- birgit.erhardt
- christina.wendt
- chris
- sysadm
- name: Ausschreibungen
user:
- anne
- bianca
- chris
- matthias.mueller
- sysadm
- name: BGN-Finanzen-Personal
user:
- anne
- bianca
- carolin
- christina.wendt
- chris
- sysadm
- ulf.balmer
- name: BVV-Projekt
user:
- alexander.rasumny
- anna.mueller1
- anne
- benjamin
- bianca
- birgit.erhardt
- bjoern.renkewitz
- carolin
- christina.wendt
- chris
- daniel.poensgen
- doku2
- doku_4
- doku_7
- dorina.feldmann
- franziska
- johannes.radke
- judith.heinmueller
- kristina.holzapfel
- lavinia.schwedersky
- manja.kasten
- mathias
- matthias.mueller
- michael.sulies
- michael.trube
- pia.lamberty
- praktikum
- praktikum_rias
- praktikum2
- praktikum2_rias
- sabine.kritter
- samuel.signer
- scan
- simon
- sysadm
- ulf.balmer
- name: Finanzen
user:
- anne
- bianca
- birgit.erhardt
- christina.wendt
- chris
- sysadm
- name: Install
user:
- chris
- sysadm
- lokaladmin
- name: Kamera
user:
- anne
- axis
- bianca
- chris
- sysadm
- name: MBR
user:
- alexander.rasumny
- anna.mueller1
- anne
- benjamin
- bianca
- birgit.erhardt
- bjoern.renkewitz
- carolin
- christina.wendt
- chris
- daniel.poensgen
- doku2
- doku_4
- doku_7
- dorina.feldmann
- franziska
- johannes.radke
- judith.heinmueller
- kristina.holzapfel
- lavinia.schwedersky
- manja.kasten
- mathias
- matthias.mueller
- michael.sulies
- michael.trube
- pia.lamberty
- praktikum
- praktikum_rias
- praktikum2
- praktikum2_rias
- sabine.kritter
- samuel.signer
- scan
- simon
- sysadm
- ulf.balmer
- name: Mobilisierungsplattform
user:
- alexander.rasumny
- anna.mueller1
- anne
- benjamin
- bianca
- birgit.erhardt
- bjoern.renkewitz
- carolin
- christina.wendt
- chris
- daniel.poensgen
- doku2
- doku_4
- doku_7
- dorina.feldmann
- franziska
- johannes.radke
- judith.heinmueller
- kristina.holzapfel
- lavinia.schwedersky
- manja.kasten
- mathias
- matthias.mueller
- michael.sulies
- michael.trube
- pia.lamberty
- praktikum
- praktikum_rias
- praktikum2
- praktikum2_rias
- sabine.kritter
- samuel.signer
- scan
- simon
- sysadm
- ulf.balmer
- name: RIAS
user:
- alexander.rasumny
- anna.mueller1
- anne
- benjamin
- bianca
- birgit.erhardt
- bjoern.renkewitz
- carolin
- christina.wendt
- chris
- daniel.poensgen
- doku2
- doku_4
- doku_7
- dorina.feldmann
- franziska
- johannes.radke
- judith.heinmueller
- kristina.holzapfel
- lavinia.schwedersky
- manja.kasten
- mathias
- matthias.mueller
- michael.sulies
- michael.trube
- pia.lamberty
- praktikum
- praktikum_rias
- praktikum2
- praktikum2_rias
- sabine.kritter
- samuel.signer
- scan
- simon
- sysadm
- ulf.balmer
- name: RIAS-Finanzen-Personal
user:
- anne
- bianca
- benjamin
- birgit.erhardt
- christina.wendt
- chris
- sysadm
- name: SCAN
user:
- alexander.rasumny
- anna.mueller1
- anne
- benjamin
- bianca
- birgit.erhardt
- bjoern.renkewitz
- carolin
- christina.wendt
- chris
- daniel.poensgen
- doku2
- doku_4
- doku_7
- dorina.feldmann
- franziska
- johannes.radke
- judith.heinmueller
- kristina.holzapfel
- lavinia.schwedersky
- manja.kasten
- mathias
- matthias.mueller
- michael.sulies
- michael.trube
- pia.lamberty
- praktikum
- praktikum_rias
- praktikum2
- praktikum2_rias
- sabine.kritter
- samuel.signer
- scan
- simon
- sysadm
- ulf.balmer
- name: VDK
user:
- alexander.rasumny
- anna.mueller1
- anne
- benjamin
- bianca
- birgit.erhardt
- bjoern.renkewitz
- carolin
- christina.wendt
- chris
- daniel.poensgen
- doku2
- doku_4
- doku_7
- dorina.feldmann
- franziska
- johannes.radke
- judith.heinmueller
- kristina.holzapfel
- lavinia.schwedersky
- manja.kasten
- mathias
- matthias.mueller
- michael.sulies
- michael.trube
- pia.lamberty
- praktikum
- praktikum_rias
- praktikum2
- praktikum2_rias
- sabine.kritter
- samuel.signer
- scan
- simon
- sysadm
- ulf.balmer
- name: Video
user:
- alexander.rasumny
- anna.mueller1
- anne
- benjamin
- bianca
- birgit.erhardt
- bjoern.renkewitz
- carolin
- christina.wendt
- chris
- daniel.poensgen
- doku2
- doku_4
- doku_7
- dorina.feldmann
- franziska
- johannes.radke
- judith.heinmueller
- kristina.holzapfel
- lavinia.schwedersky
- manja.kasten
- mathias
- matthias.mueller
- michael.sulies
- michael.trube
- pia.lamberty
- praktikum
- praktikum_rias
- praktikum2
- praktikum2_rias
- sabine.kritter
- samuel.signer
- scan
- simon
- sysadm
- ulf.balmer
nis_domain: mbr-bln.netz
#nis_domain: local.netz
nis_server_address: 192.168.112.10
nis_server_name: file-mbr.mbr-bln.netz
#nis_server_name: luna.local.netz
nis_common_packages:
- nis
- nscd
nis_deleted_user: []
nis_base_home: /data/home
nis_groups:
- name: mbr-buero
group_id: 1200
- name: mbr-finanzen
group_id: 1210
- name: mbr-personal
group_id: 1220
- name: mbr-kamera
group_id: 1250
- name: mbr-admins
group_id: 1260
- name: vdk
group_id: 1300
- name: rias
group_id: 1400
- name: rias-finanzen-personal
group_id: 1410
- name: bgn
group_id: 1500
- name: bgn-finanzen-personal
group_id: 1510
nis_user:
- name: chris
groups:
- mbr-buero
- mbr-finanzen
- mbr-personal
- mbr-kamera
- mbr-admins
- vdk
- rias
- rias-finanzen-personal
- bgn
- bgn-finanzen-personal
is_samba_user: true
password: !vault |
$ANSIBLE_VAULT;1.1;AES256
38643435653764393333613564393733666139656264343833333632373938323230393036303234
3633303562636465643930643961663165646237386664370a386362346162313037353163383365
61343263386239316164613935633062343165363863376462653165306464633136313839343962
3865353333373661390a643564386432643532396632323664383330646430613033643130626430
6139
- name: lokaladmin
groups:
- mbr-buero
- mbr-finanzen
- mbr-personal
- mbr-kamera
- mbr-admins
- vdk
- rias
- rias-finanzen-personal
- bgn
- bgn-finanzen-personal
is_samba_user: true
password: 'd4r1usz'
- name: sysadm
groups:
- mbr-buero
- mbr-finanzen
- mbr-personal
- mbr-kamera
- mbr-admins
- vdk
- rias
- rias-finanzen-personal
- bgn
- bgn-finanzen-personal
is_samba_user: true
password: 'KPk_Wf2F'
- name: alexander.rasumny
groups:
- mbr-buero
is_samba_user: true
password: 'twT9Rjbv9mjq'
- name: anna.mueller1
groups:
- mbr-buero
is_samba_user: true
password: '5xp5ll9ar13us!'
# ---
# vars used by roles/ansible_dependencies
# ---
apt_ansible_dependencies:
- python
- python-apt
- python3
- python3-apt
- lsb-release
- apt-transport-https
- dbus
- sudo
- vim
- net-tools
- vlan
# ---
# vars used by roles/ansible_user
# ---
ssh_keys_admin:
- 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC5IhVprsvVOcFPbZzD9xR0nCjZ/9qVG6RhLJ7QBSts81nRvLwnmvcMBHSf5Rfaigey7Ff5dLHfJnxRE0KDATn6n2yd/5mXpn2GAA8hDVfhdsmsb5U7bROjZNr8MmIUrP7c3msUGx1FtvzhwxtyvIWOFQpWx+W5biBa6hFjIxT1pkUJqe6fclp7xbGYKZiqZRBS4qKG5CpKnisuOYDsqYPND+OkU+PShoxGVzp1JywIVze7qeKv6GyYbRA9SP9Np+5Mit6B21Io4zOI81c2Rz6sPX7mwEAQEs7iCm2hzG8qJws45Lb4ERqDkVEVhGNUyHjHgGebS1sZx1mLExdurXlPm1l/EamkncDFDCutHXtLP7lsFFiym7fKUjSEgiiLmyu5Xm+mwZvesKa1FYNaeiFWfYZpCJrNzIk+ffs+mgg3kmL4Sd4Ooy7jXPX+WJe5Xyh1KLU/+Wj2TVrhN+LbmupYAti/Wgd3DA1v601svmG82aLmyJRtKC0rGMePH3kDbtqU72kYpzI8mXERe1TIQ00Z77kQBR/7BF/9y5/0YmYDcXt1wNCoSie+mzz3xYcEdLAc7T+DhYpd4M6VgWnuz/exzRzhQwoSdEKkEED8CpEoBrEWEiMdrlElGmlkVomLU7P9i9j1rshX/pAq0asnqeSoPdC3vNbU3keiJQnhIHECvw== chris@luna'
- 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCyWbdnjnN/xfy1F6kPbsRXp8zvJEh8uHfTZuZKyaRV/iRuhsvqRiDB+AhUAlIaPwgQ8itaI6t5hijD+sZf+2oXXbNy3hkOHTrCDKCoVAWfMRKPuA1m8RqS4ZXXgayaeCzVnPEq6UrC5z0wO/XBwAktT37RRSQ/Hq2zCHy36NQEQYrhF3+ytX7ayb10pJAMVGRctYmr5YnLEVMSIREbPxZTNc80H1zqNPVJwYZhl8Ox61U4MoNhJmJwbKWPRPZsJpbTh9W2EU37tdwRBVQP6yxhua3TR6C7JnNPVY0IK23BYlNtQEDY4PHcIuewkamEWpP0+jhEjtwy1TqjRPdU/y+2uQjC6FSOVMsSPxgd8mw4cSsfp+Ard7P+YOevUXD81+jFZ3Wz0PRXbWMWAm2OCe7n8jVvkXMz+KxSYtrsvKNw1WugJq1z//bJNMTK6ISWpqaXDevGYQRJJ8dPbMmbey40WpS5CA/l29P7fj/cOl59w3LZGshrMOm7lVz9qysVV0ylfE3OpfKCGitkpY0Asw4lSkuLHoNZnDo6I5/ulRuKi6gsLk27LO5LYS8Zm1VOis/qHk1Gg1+QY47C4RzdTUxlU1CGesPIiQ1uUX2Z4bD7ebTrrOuEFcmNs3Wu5nif21Qq0ELEWhWby6ChFrbFHPn+hWlDwNM0Nr11ftwg0+sqVw== root@luna'
ansible_remote_user:
- name: lokaladmin
password: $6$KLQUDbiw$qvsGUndXr2G3DxhML6maD/nsJtXfElSLQ7ufkMuJu2vACbYX7kqNXdiU17oX6CyN5L1xARZ.TiES/w7zfh0Cu/
shell: /bin/bash
# ---
# vars used by roles/common/tasks/basic.yml
# ---
time_zone: Europe/Berlin
locales:
- en_US.UTF-8
- de_DE.UTF-8
set_default_limit_nofile: false
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
sudo_users:
- lokaladmin
- chris
- sysadm
- localadmin
# /etc/sudoers
#
sudoers_defaults:
- env_reset
- mail_badpass
- 'secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"'
sudoers_host_aliases: []
sudoers_user_aliases: []
sudoers_cmnd_aliases: []
sudoers_runas_aliases: []
sudoers_user_privileges:
- name: root
entry: 'ALL=(ALL:ALL) ALL'
sudoers_group_privileges: []
# /etc/sudoers.d/50-user
#
sudoers_file_defaults: []
sudoers_file_host_aliases: []
sudoers_file_user_aliases: []
sudoers_file_cmnd_aliases:
- name: MOUNT
entry: '/bin/mount,/bin/umount'
sudoers_file_runas_aliases: []

753
group_vars/all/main.yml.BAK Normal file
View File

@ -0,0 +1,753 @@
---
# ---
# NFS
# ---
nfs_server: 192.168.112.10
# Set 'fs_encrypted' to true if filesystem lives on an encrypted
# partition.
#
nfs_exports:
- src: 192.168.112.10:/data/home
path: /data/home
mount_opts: users,rsize=8192,wsize=8192,hard,intr
export_opt: rw,root_squash,sync,subtree_check
export_networks:
- 192.168.112.0/24
- 10.0.112.0/24
- 10.1.112.0/24
- 192.168.63.0/24
fs_encrypted: false
- src: 192.168.112.10:/data/shares
path: /data/home
mount_opts: users,rsize=8192,wsize=8192,hard,intr
export_opt: rw,root_squash,sync,subtree_check
export_networks:
- 192.168.112.0/24
- 10.0.112.0/24
- 10.1.112.0/24
- 192.168.63.0/24
fs_encrypted: false
# ---
# Samba / NIS
# ---
samba_server: file-mbr.mbr-bln.netz
samba_shares:
- name: Arbeitsrechtliches
user:
- anne
- bianca
- birgit.erhardt
- christina.wendt
- chris
- sysadm
- name: Ausschreibungen
user:
- anne
- bianca
- chris
- matthias.mueller
- sysadm
- name: BGN-Finanzen-Personal
user:
- anne
- bianca
- carolin
- christina.wendt
- chris
- sysadm
- ulf.balmer
- name: BVV-Projekt
user:
- alexander.rasumny
- anna.mueller1
- anne
- benjamin
- bianca
- birgit.erhardt
- bjoern.renkewitz
- carolin
- christina.wendt
- chris
- daniel.poensgen
- doku2
- doku_4
- doku_7
- dorina.feldmann
- franziska
- johannes.radke
- judith.heinmueller
- kristina.holzapfel
- lavinia.schwedersky
- manja.kasten
- mathias
- matthias.mueller
- michael.sulies
- michael.trube
- pia.lamberty
- praktikum
- praktikum_rias
- praktikum2
- praktikum2_rias
- sabine.kritter
- samuel.signer
- scan
- simon
- sysadm
- ulf.balmer
- name: Finanzen
user:
- anne
- bianca
- birgit.erhardt
- christina.wendt
- chris
- sysadm
- name: Install
user:
- chris
- sysadm
- lokaladmin
- name: Kamera
user:
- anne
- axis
- bianca
- chris
- sysadm
- name: MBR
user:
- alexander.rasumny
- anna.mueller1
- anne
- benjamin
- bianca
- birgit.erhardt
- bjoern.renkewitz
- carolin
- christina.wendt
- chris
- daniel.poensgen
- doku2
- doku_4
- doku_7
- dorina.feldmann
- franziska
- johannes.radke
- judith.heinmueller
- kristina.holzapfel
- lavinia.schwedersky
- manja.kasten
- mathias
- matthias.mueller
- michael.sulies
- michael.trube
- pia.lamberty
- praktikum
- praktikum_rias
- praktikum2
- praktikum2_rias
- sabine.kritter
- samuel.signer
- scan
- simon
- sysadm
- ulf.balmer
- name: Mobilisierungsplattform
user:
- alexander.rasumny
- anna.mueller1
- anne
- benjamin
- bianca
- birgit.erhardt
- bjoern.renkewitz
- carolin
- christina.wendt
- chris
- daniel.poensgen
- doku2
- doku_4
- doku_7
- dorina.feldmann
- franziska
- johannes.radke
- judith.heinmueller
- kristina.holzapfel
- lavinia.schwedersky
- manja.kasten
- mathias
- matthias.mueller
- michael.sulies
- michael.trube
- pia.lamberty
- praktikum
- praktikum_rias
- praktikum2
- praktikum2_rias
- sabine.kritter
- samuel.signer
- scan
- simon
- sysadm
- ulf.balmer
- name: RIAS
user:
- alexander.rasumny
- anna.mueller1
- anne
- benjamin
- bianca
- birgit.erhardt
- bjoern.renkewitz
- carolin
- christina.wendt
- chris
- daniel.poensgen
- doku2
- doku_4
- doku_7
- dorina.feldmann
- franziska
- johannes.radke
- judith.heinmueller
- kristina.holzapfel
- lavinia.schwedersky
- manja.kasten
- mathias
- matthias.mueller
- michael.sulies
- michael.trube
- pia.lamberty
- praktikum
- praktikum_rias
- praktikum2
- praktikum2_rias
- sabine.kritter
- samuel.signer
- scan
- simon
- sysadm
- ulf.balmer
- name: RIAS-Finanzen-Personal
user:
- anne
- bianca
- benjamin
- birgit.erhardt
- christina.wendt
- chris
- sysadm
- name: SCAN
user:
- alexander.rasumny
- anna.mueller1
- anne
- benjamin
- bianca
- birgit.erhardt
- bjoern.renkewitz
- carolin
- christina.wendt
- chris
- daniel.poensgen
- doku2
- doku_4
- doku_7
- dorina.feldmann
- franziska
- johannes.radke
- judith.heinmueller
- kristina.holzapfel
- lavinia.schwedersky
- manja.kasten
- mathias
- matthias.mueller
- michael.sulies
- michael.trube
- pia.lamberty
- praktikum
- praktikum_rias
- praktikum2
- praktikum2_rias
- sabine.kritter
- samuel.signer
- scan
- simon
- sysadm
- ulf.balmer
- name: VDK
user:
- alexander.rasumny
- anna.mueller1
- anne
- benjamin
- bianca
- birgit.erhardt
- bjoern.renkewitz
- carolin
- christina.wendt
- chris
- daniel.poensgen
- doku2
- doku_4
- doku_7
- dorina.feldmann
- franziska
- johannes.radke
- judith.heinmueller
- kristina.holzapfel
- lavinia.schwedersky
- manja.kasten
- mathias
- matthias.mueller
- michael.sulies
- michael.trube
- pia.lamberty
- praktikum
- praktikum_rias
- praktikum2
- praktikum2_rias
- sabine.kritter
- samuel.signer
- scan
- simon
- sysadm
- ulf.balmer
- name: Video
user:
- alexander.rasumny
- anna.mueller1
- anne
- benjamin
- bianca
- birgit.erhardt
- bjoern.renkewitz
- carolin
- christina.wendt
- chris
- daniel.poensgen
- doku2
- doku_4
- doku_7
- dorina.feldmann
- franziska
- johannes.radke
- judith.heinmueller
- kristina.holzapfel
- lavinia.schwedersky
- manja.kasten
- mathias
- matthias.mueller
- michael.sulies
- michael.trube
- pia.lamberty
- praktikum
- praktikum_rias
- praktikum2
- praktikum2_rias
- sabine.kritter
- samuel.signer
- scan
- simon
- sysadm
- ulf.balmer
nis_domain: mbr-bln.netz
#nis_domain: local.netz
nis_server_address: 192.168.112.10
nis_server_name: file-mbr.mbr-bln.netz
#nis_server_name: luna.local.netz
nis_common_packages:
- nis
- nscd
nis_deleted_user: []
nis_base_home: /data/home
nis_groups:
- name: mbr-buero
group_id: 1200
- name: mbr-finanzen
group_id: 1210
- name: mbr-personal
group_id: 1220
- name: mbr-kamera
group_id: 1250
- name: mbr-admins
group_id: 1260
- name: vdk
group_id: 1300
- name: rias
group_id: 1400
- name: rias-finanzen-personal
group_id: 1410
- name: bgn
group_id: 1500
- name: bgn-finanzen-personal
group_id: 1510
nis_user:
- name: chris
groups:
- mbr-buero
- mbr-finanzen
- mbr-personal
- mbr-kamera
- mbr-admins
- vdk
- rias
- rias-finanzen-personal
- bgn
- bgn-finanzen-personal
is_samba_user: true
password: !vault |
$ANSIBLE_VAULT;1.1;AES256
38643435653764393333613564393733666139656264343833333632373938323230393036303234
3633303562636465643930643961663165646237386664370a386362346162313037353163383365
61343263386239316164613935633062343165363863376462653165306464633136313839343962
3865353333373661390a643564386432643532396632323664383330646430613033643130626430
6139
- name: lokaladmin
groups:
- mbr-buero
- mbr-finanzen
- mbr-personal
- mbr-kamera
- mbr-admins
- vdk
- rias
- rias-finanzen-personal
- bgn
- bgn-finanzen-personal
is_samba_user: true
password: 'd4r1usz'
- name: sysadm
groups:
- mbr-buero
- mbr-finanzen
- mbr-personal
- mbr-kamera
- mbr-admins
- vdk
- rias
- rias-finanzen-personal
- bgn
- bgn-finanzen-personal
is_samba_user: true
password: 'KPk_Wf2F'
- name: alexander.rasumny
groups:
- mbr-buero
is_samba_user: true
password: 'twT9Rjbv9mjq'
- name: anna.mueller1
groups:
- mbr-buero
is_samba_user: true
password: '5xp5ll9ar13us!'
- name: anne
groups:
- mbr-buero
- mbr-finanzen
- mbr-personal
- mbr-kamera
- mbr-admins
- vdk
- rias
- rias-finanzen-personal
- bgn
- bgn-finanzen-personal
is_samba_user: true
password: 'YA!LiLiC0MP5'
- name: benjamin
groups:
- mbr-buero
- vdk
- rias
- rias-finanzen-personal
is_samba_user: true
password: 'C2-0U#ch'
- name: bianca
groups:
- mbr-buero
- mbr-finanzen
- mbr-personal
- mbr-kamera
- mbr-admins
- vdk
- rias
- rias-finanzen-personal
- bgn
- bgn-finanzen-personal
is_samba_user: true
password: '73_BiBole_29'
- name: birgit.erhardt
groups:
- mbr-buero
- mbr-finanzen
- vdk
is_samba_user: true
password: '20_purpel!rain_17'
- name: bjoern.renkewitz
groups:
- mbr-buero
is_samba_user: true
password: 'Tz9-Wq-51'
- name: carolin
groups:
- mbr-buero
- bgn-finanzen-personal
is_samba_user: true
password: '20_carol1n_14'
- name: christina.wendt
groups:
- mbr-buero
- mbr-finanzen
- vdk
- rias-finanzen-personal
- bgn-finanzen-personal
is_samba_user: true
password: '8!Varianten'
- name: daniel.poensgen
groups:
- mbr-buero
is_samba_user: true
password: 'rcMRCm7jcpbp'
- name: doku_4
groups:
- mbr-buero
is_samba_user: true
password: 'PwmNvPh9KM4T'
- name:
groups: doku_7
- mbr-buero
is_samba_user: true
password: 'TFhCW9J4Vn4F'
- name: dorina.feldmann
groups:
- mbr-buero
is_samba_user: true
password: '17?4XPQ_!abc'
- name: franziska
groups:
- mbr-buero
is_samba_user: true
password: 'f49mCjbj3Jh7'
- name: frederick.kannenberg
groups:
- mbr-buero
is_samba_user: true
password: 'riasFK2019!#'
- name: doku2
groups:
- mbr-buero
is_samba_user: true
password: '*M0ss4d*'
- name: johannes.radke
groups:
- mbr-buero
is_samba_user: true
password: 'Furzf4brik!'
- name: judith.heinmueller
groups:
- mbr-buero
is_samba_user: true
password: 't32_aHxV.'
- name: kristina.holzapfel
groups:
- mbr-buero
is_samba_user: true
password: 'c7PvX_39.'
- name: lavinia.schwedersky
groups:
- mbr-buero
is_samba_user: true
password: 'xJw.3R9vKf/N'
- name:
groups: manja.kasten
- mbr-buero
is_samba_user: true
password: 'Rasili_&n'
- name: mathias
groups:
- mbr-buero
is_samba_user: true
password: 'p3r*45p3r4*4d*45tr4m'
- name: matthias.mueller
groups:
- mbr-buero
- mbr-personal
is_samba_user: true
password: 'V1v@H@f3rdr1nk'
- name: michael.sulies
groups:
- mbr-buero
is_samba_user: true
password: 'Cryst4lp4l4c3'
- name: michael.trube
groups:
- mbr-buero
- mbr-kamera
is_samba_user: true
password: '*R13sl1ng*'
- name: pia.lamberty
groups:
- mbr-buero
is_samba_user: true
password: 'oasd31*as+Q%'
- name: praktikum
groups:
- mbr-buero
is_samba_user: true
password: '_F313r4b3nd*'
- name: praktikum_rias
groups:
- mbr-buero
is_samba_user: true
password: '7z7F%d3cv_dfjz'
- name: praktikum2
groups:
- mbr-buero
is_samba_user: true
password: '20praktikum213'
- name: praktikum2_rias
groups:
- mbr-buero
is_samba_user: true
password: 'ctnrk3CczcJ9'
- name: sabine.kritter
groups:
- mbr-buero
is_samba_user: true
password: '#17_abc_?!'
- name: samuel.signer
groups:
- mbr-buero
is_samba_user: true
password: 'S4mmyC0mput3r!'
- name: scan
groups:
- mbr-buero
is_samba_user: true
password: '20scan13'
- name: simon
groups:
- mbr-buero
is_samba_user: true
password: 'S4u3rkr4ut!'
- name: ulf.balmer
groups:
- mbr-buero
- bgn
- bgn-finanzen-personal
is_samba_user: true
password: 'ALL3_e6ene#'
# ---
# vars used by roles/ansible_dependencies
# ---
apt_ansible_dependencies:
- python
- python-apt
- python3
- python3-apt
- lsb-release
- apt-transport-https
- dbus
- sudo
- vim
- net-tools
- vlan
# ---
# vars used by roles/ansible_user
# ---
ssh_keys_admin:
- 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC5IhVprsvVOcFPbZzD9xR0nCjZ/9qVG6RhLJ7QBSts81nRvLwnmvcMBHSf5Rfaigey7Ff5dLHfJnxRE0KDATn6n2yd/5mXpn2GAA8hDVfhdsmsb5U7bROjZNr8MmIUrP7c3msUGx1FtvzhwxtyvIWOFQpWx+W5biBa6hFjIxT1pkUJqe6fclp7xbGYKZiqZRBS4qKG5CpKnisuOYDsqYPND+OkU+PShoxGVzp1JywIVze7qeKv6GyYbRA9SP9Np+5Mit6B21Io4zOI81c2Rz6sPX7mwEAQEs7iCm2hzG8qJws45Lb4ERqDkVEVhGNUyHjHgGebS1sZx1mLExdurXlPm1l/EamkncDFDCutHXtLP7lsFFiym7fKUjSEgiiLmyu5Xm+mwZvesKa1FYNaeiFWfYZpCJrNzIk+ffs+mgg3kmL4Sd4Ooy7jXPX+WJe5Xyh1KLU/+Wj2TVrhN+LbmupYAti/Wgd3DA1v601svmG82aLmyJRtKC0rGMePH3kDbtqU72kYpzI8mXERe1TIQ00Z77kQBR/7BF/9y5/0YmYDcXt1wNCoSie+mzz3xYcEdLAc7T+DhYpd4M6VgWnuz/exzRzhQwoSdEKkEED8CpEoBrEWEiMdrlElGmlkVomLU7P9i9j1rshX/pAq0asnqeSoPdC3vNbU3keiJQnhIHECvw== chris@luna'
- 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCyWbdnjnN/xfy1F6kPbsRXp8zvJEh8uHfTZuZKyaRV/iRuhsvqRiDB+AhUAlIaPwgQ8itaI6t5hijD+sZf+2oXXbNy3hkOHTrCDKCoVAWfMRKPuA1m8RqS4ZXXgayaeCzVnPEq6UrC5z0wO/XBwAktT37RRSQ/Hq2zCHy36NQEQYrhF3+ytX7ayb10pJAMVGRctYmr5YnLEVMSIREbPxZTNc80H1zqNPVJwYZhl8Ox61U4MoNhJmJwbKWPRPZsJpbTh9W2EU37tdwRBVQP6yxhua3TR6C7JnNPVY0IK23BYlNtQEDY4PHcIuewkamEWpP0+jhEjtwy1TqjRPdU/y+2uQjC6FSOVMsSPxgd8mw4cSsfp+Ard7P+YOevUXD81+jFZ3Wz0PRXbWMWAm2OCe7n8jVvkXMz+KxSYtrsvKNw1WugJq1z//bJNMTK6ISWpqaXDevGYQRJJ8dPbMmbey40WpS5CA/l29P7fj/cOl59w3LZGshrMOm7lVz9qysVV0ylfE3OpfKCGitkpY0Asw4lSkuLHoNZnDo6I5/ulRuKi6gsLk27LO5LYS8Zm1VOis/qHk1Gg1+QY47C4RzdTUxlU1CGesPIiQ1uUX2Z4bD7ebTrrOuEFcmNs3Wu5nif21Qq0ELEWhWby6ChFrbFHPn+hWlDwNM0Nr11ftwg0+sqVw== root@luna'
ansible_remote_user:
- name: lokaladmin
password: $6$KLQUDbiw$qvsGUndXr2G3DxhML6maD/nsJtXfElSLQ7ufkMuJu2vACbYX7kqNXdiU17oX6CyN5L1xARZ.TiES/w7zfh0Cu/
shell: /bin/bash
# ---
# vars used by roles/common/tasks/basic.yml
# ---
time_zone: Europe/Berlin
locales:
- en_US.UTF-8
- de_DE.UTF-8
set_default_limit_nofile: false
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
sudo_users:
- lokaladmin
- chris
- sysadm
- localadmin
# /etc/sudoers
#
sudoers_defaults:
- env_reset
- mail_badpass
- 'secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"'
sudoers_host_aliases: []
sudoers_user_aliases: []
sudoers_cmnd_aliases: []
sudoers_runas_aliases: []
sudoers_user_privileges:
- name: root
entry: 'ALL=(ALL:ALL) ALL'
sudoers_group_privileges: []
# /etc/sudoers.d/50-user
#
sudoers_file_defaults: []
sudoers_file_host_aliases: []
sudoers_file_user_aliases: []
sudoers_file_cmnd_aliases:
- name: MOUNT
entry: '/bin/mount,/bin/umount'
sudoers_file_runas_aliases: []

3
host_vars/file-mbr.mbr-bln.netz.yml Normal file
View File

@ -0,0 +1,3 @@
---
ansible_python_interpreter: /usr/bin/python3

21
hosts Normal file
View File

@ -0,0 +1,21 @@
[initial_setup]
file-mbr.mbr-bln.netz ansible_user=root
[client_pc]
[nfs_client]
[nis_client]
[file_server]
file-mbr.mbr-bln.netz ansible_user=root
[nfs_server]
file-mbr.mbr-bln.netz ansible_user=root
[nis_server]
file-mbr.mbr-bln.netz ansible_user=root
[samba_server]
#file-mbr.mbr-bln.netz ansible_user=root

16
initialize-ansible.yml Normal file
View File

@ -0,0 +1,16 @@
---
- hosts: initial_setup
#remote_user: root
#become: false
gather_facts: false
# vars_prompt:
#
# - name: ansible_ssh_pass
# prompt: "Give root's password here"
roles:
- ansible_dependencies
- ansible_user

38
mbr-bln_the_vault.sh Executable file
View File

@ -0,0 +1,38 @@
#!/usr/bin/env bash
echoerr() { echo "$@" 1>&2; }
PWFILE="$HOME/.private/ansible/ansible-mbr-vault-passphrase"
if test ! -f "$PWFILE"
then
echoerr "File doesn't exist!"
exit 1
fi
perm=$(/bin/ls -l "$PWFILE" | awk '{print $1}')
owner=$(/bin/ls -l "$PWFILE" | awk '{print $3}')
group=$(/bin/ls -l "$PWFILE" | awk '{print $4}')
#not everyone is using debian based foo. get primary group of user and test file group permission against it
pgroup=$(id -gn)
if [[ "$perm" != "-rw-------" ]] && [[ "$perm" != "-r--------" ]]
then
echoerr "Wrong permissions!"
exit 1
fi
if test "$USER" != "$owner"
then
echoerr "Wrong owner!"
exit 1
fi
if test "$pgroup" != "$group"
then
echoerr "Wrong group!"
exit 1
fi
cat "$PWFILE"
exit 0

10
poweroff-clients.yml Normal file
View File

@ -0,0 +1,10 @@
---
- hosts: client_pc
gather_facts: false
tasks:
- name: Power off client pcs
command: "/sbin/shutdown -h +1 >/dev/null 2>&1 &"

35
roles/ansible_dependencies/tasks/main.yml Normal file
View File

@ -0,0 +1,35 @@
---
- name: re-synchronize the package index files from their sources
raw: apt-get update
- name: Ensure aptitude is present
raw: test -e /usr/bin/aptitude || apt-get install aptitude -y
- name: Ensure python2 is present (This is necessary for ansible to work properly)
raw: test -e /usr/bin/python2 || (apt -y update && apt install -y python)
- name: Ensure python-apt is present (This is necessary for ansible to work properly)
raw: test -e /usr/bin/python2 && (apt -y update && apt install -y python-apt)
- name: Ensure python3 is present (This is necessary for ansible to work properly)
raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3)
- name: Ensure python-apt is present (This is necessary for ansible to work properly)
raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3-apt)
- name: apt upgrade
apt:
upgrade: dist
update_cache: true
dpkg_options: force-confdef,force-confold
tags:
- ansible-dependencies
- name: apt install ansible dependencies
apt:
name: "{{ apt_ansible_dependencies }}"
state: latest
tags:
- ansible-dependencies

48
roles/ansible_user/tasks/main.yml Normal file
View File

@ -0,0 +1,48 @@
---
- name: Ensure remote users for ansible exists
user:
name: '{{ item.name }}'
state: present
uid: '{{ item.user_id | default(omit) }}'
#group: '{{ item.name | default(omit) }}'
shell: '{{ item.shell|d("/bin/bash") }}'
password: "{{ item.password }}"
update_password: on_create
with_items: '{{ ansible_remote_user }}'
loop_control:
label: ' user "{{ item.name }}" exists'
tags:
- ansible-remote-user
- name: Ensure ansible user is part of sudo group
user:
name: "{{ item.name }}"
groups: sudo
append: yes
with_items: "{{ ansible_remote_user }}"
loop_control:
label: ' user "{{ item.name }}" is part of sudo group'
tags:
- sudo-users
- name: Ensure authorized_key files are present for ansible user
authorized_key:
user: "{{ item.name }}"
key: "{{ ssh_keys_admin|join('\n') }}"
state: present
with_items:
- '{{ ansible_remote_user }}'
loop_control:
label: ' authorized_key of user "{{ item.name }}" is present'
tags:
- authorized_key
- name: Ensure authorized_key files are present for user root
authorized_key:
user: root
key: "{{ ssh_keys_admin|join('\n') }}"
state: present
tags:
- authorized_key

4
roles/common/files/etc/systemd/system/rpcbind.socket.d/override.conf Normal file
View File

@ -0,0 +1,4 @@
[Unit]
DefaultDependencies=no
Wants=rpcbind.target
Before=rpcbind.target

3
roles/common/files/etc/systemd/system/systemd-logind.service.d/nis_allow_network.conf Normal file
View File

@ -0,0 +1,3 @@
[Service]
IPAddressAllow=192.168.0.0/16

26
roles/common/handlers/main.yml Normal file
View File

@ -0,0 +1,26 @@
---
- name: Renew nis databases
shell: make -C /var/yp
when:
- "groups['nis_server']|string is search(inventory_hostname)"
- name: Reload nfs
service:
name: nfs-kernel-server
state: reloaded
enabled: yes
when:
- "groups['nfs_server']|string is search(inventory_hostname)"
- name: Restart systemd-logind.service
service:
name: systemd-logind
daemon_reload: yes
state: restarted
- name: Restart rpcbind
service:
name: rpcbind
daemon_reload: yes
state: restarted

64
roles/common/tasks/main.yml Normal file
View File

@ -0,0 +1,64 @@
---
# tags supported inside nfs.yml:
#
# nfs-server
# nfs-client
- import_tasks: nfs.yml
tags:
- nfs
# tags supported inside nfs.yml:
#
# nis-install-server
- import_tasks: nis-install-server.yml
when: "groups['nis_server']|string is search(inventory_hostname)"
tags:
- nis-install
# tags supported inside nfs.yml:
#
# nis-install-client
- import_tasks: nis-install-client.yml
when: "groups['nis_client']|string is search(inventory_hostname)"
tags:
- nis-install
# tags supported inside nis_user.yml:
#
# nis-user
# system-user
- import_tasks: nis_user.yml
when: "groups['nis_server']|string is search(inventory_hostname)"
tags:
- nis-user
# tags supported inside samba_user.yml:
#
# samba-user
- import_tasks: samba_user.yml
when: "groups['samba_server']|string is search(inventory_hostname)"
tags:
- nis-samba-user
- import_tasks: user-systemfiles.yml
when: "groups['nis_server']|string is search(inventory_hostname)"
tags:
- user-systemfiles
# tags supported inside sudoers.yml:
#
# sudoers-remove
# sudoers-file-configuration
# sudoers-global-configuration
- import_tasks: sudoers.yml
when: "groups['client_pc']|string is search(inventory_hostname)"
tags:
- sudoers
#- import_tasks: mount_samba_shares.yml
# when: "groups['client_pc']|string is search(inventory_hostname)"
# tags:
# - samba-shares

28
roles/common/tasks/mount_samba_shares.yml Normal file
View File

@ -0,0 +1,28 @@
---
- name: (mount_samba_shares.yml) Ensure (user separated) base mount directories for samba shares exists
file:
path: "/mnt/{{ item.name }}"
owner: "{{ item.name }}"
group: "{{ item.name }}"
mode: '0700'
state: directory
with_items: "{{ nis_user }}"
loop_control:
label: '{{ item.name }}'
when:
- item.is_samba_user is defined and item.is_samba_user|bool
- name: (mount_samba_shares.yml) Ensure (user separated) mount directories for samba shares exists
file:
path: "/mnt/{{ item.1 }}/{{ item.0.name }}"
owner: "{{ item.1 }}"
group: "{{ item.1 }}"
mode: '0770'
state: directory
with_subelements:
- "{{ samba_shares }}"
- user
loop_control:
label: '{{ item.1 }} share: {{ item.0.name }}'

79
roles/common/tasks/nfs.yml Normal file
View File

@ -0,0 +1,79 @@
---
# ---
# NFS Server
# ---
- name: (nfs.yml) Ensure NFS utilities (server) are installed.
apt:
name:
- nfs-common
- nfs-kernel-server
state: present
when:
- ansible_os_family == "Debian"
- "groups['nfs_server']|string is search(inventory_hostname)"
tags:
- nfs-server
- name: (nfs.yml) Ensure directories to export exist
file:
path: '{{ item.src.split(":")[1] }}'
owner: root
group: root
mode: '0755'
state: directory
with_items: "{{ nfs_exports }}"
loop_control:
label: '{{ item.path }}'
when:
- "groups['nfs_server']|string is search(inventory_hostname)"
tags:
- nfs-server
- name: (nfs.yml) Copy exports file.
template:
src: etc/exports.j2
dest: /etc/exports
owner: root
group: root
mode: 0644
when:
- "groups['nfs_server']|string is search(inventory_hostname)"
notify: Reload nfs
tags:
- nfs-server
# ---
# NFS clients
# ---
- name: (nfs.yml) Ensure NFS utilities (clients) are installed.
apt:
pkg: nfs-common
state: present
when:
- ansible_os_family == "Debian"
- "groups['nfs_client']|string is search(inventory_hostname)"
tags:
- nfs-client
- name: (nfs.yml) NFS Mount exports from nfs server
mount:
path: "{{ item.path }}"
src: "{{ item.src }}"
fstype: nfs
opts: "{{ item.mount_opts }}"
dump: "{{ item.dump | default(omit) }}"
passno: "{{ item.passno | default(omit) }}"
state: mounted
loop: "{{ nfs_exports }}"
loop_control:
label: '{{ item.src }}'
when:
- "groups['nfs_client']|string is search(inventory_hostname)"
tags:
- nfs-client

303
roles/common/tasks/nis-install-client.yml Normal file
View File

@ -0,0 +1,303 @@
---
# ---
# Install nis
# ---
- name: (nis-install-client.yml) Set (nis) default domain (/etc/defaultdomain)
template:
dest: /etc/defaultdomain
src: etc/defaultdomain.j2
owner: root
group: root
mode: 0644
tags:
- nis-install
- nis-install-client
- name: (nis-install-client.yml) Create preconfigured /etc/yp.conf on nis clients
template:
dest: /etc/yp.conf
src: etc/yp.conf.j2
owner: root
group: root
mode: 0644
tags:
- nis-install
- nis-install-client
- name: (nis-install-client.yml) Install nis common packages
package:
name: "{{ item }}"
state: present
with_items: "{{ nis_common_packages }}"
tags:
- nis-install
- nis-install-client
# ---
# /etc/default/nis
# ---
- name: (nis-install-client.yml) Check if file '/etc/default/nis.ORIG' exists
stat:
path: /etc/default/nis.ORIG
register: default_nis_exists
tags:
- nis-install
- nis-install-client
- name: (nis-install-client.yml) Backup existing file /etc/default/nis
command: cp -a /etc/default/nis /etc/default/nis.ORIG
when:
- default_nis_exists.stat.exists == False
tags:
- nis-install
- nis-install-client
- name: (nis-install-client.yml) Adjust file /etc/default/nis - set 'NISSERVER' (client)
replace:
path: /etc/default/nis
regexp: '^NISSERVER=.*'
replace: 'NISSERVER=false'
tags:
- nis-install
- nis-install-client
- name: (nis-install-client.yml) Adjust file /etc/default/nis - set 'NISCLIENT' (client)
replace:
path: /etc/default/nis
regexp: '^NISCLIENT=.*'
replace: 'NISCLIENT=true'
tags:
- nis-install
- nis-install-client
# ---
# /etc/{passwd,group,shadow}
# ---
- name: (nis-install-client.yml) Add '+::::::' to file /etc/passwd
lineinfile:
path: /etc/passwd
line: '+::::::'
insertafter: EOF
state: present
owner: root
group: root
mode: '0644'
when: "ansible_distribution_major_version|int < 18"
tags:
- nis-install
- nis-install-client
- name: (nis-install-client.yml) Add '+:::' to file /etc/group
lineinfile:
path: /etc/group
line: '+:::'
insertafter: EOF
state: present
owner: root
group: root
mode: '0644'
when: "ansible_distribution_major_version|int < 18"
tags:
- nis-install
- nis-install-client
- name: (nis-install-client.yml) Add '+::::::::' to file /etc/shadow
lineinfile:
path: /etc/shadow
line: '+::::::::'
insertafter: EOF
state: present
owner: root
group: shadow
mode: '0640'
when: "ansible_distribution_major_version|int < 18"
tags:
- nis-install
- nis-install-client
# ---
# /etc/hosts
# ---
- name: (nis-install-client.yml) Check if file '/etc/hosts.ORIG' exists
stat:
path: /etc/hosts.ORIG
register: etc_hosts_orig_exists
tags:
- nis-install
- nis-install-client
- name: (nis-install-client.yml) Backup existing file /etc/hosts
command: cp -a /etc/hosts /etc/hosts.ORIG
when:
- etc_hosts_orig_exists.stat.exists == False
tags:
- nis-install
- nis-install-client
- name: (nis-install-client.yml) Add nis-server to file /etc/hosts
lineinfile:
path: /etc/hosts
line: '{{ nis_server_address }} {{ nis_server_name }} {{ nis_server_name.split(".")[1] }}'
insertafter: EOF
state: present
owner: root
group: root
mode: '0644'
tags:
- nis-install
- nis-install-client
# ---
# /etc/nsswitch.conf
# ---
- name: (nis.yml) Check if file '/etc/nsswitch.conf.ORIG' exists
stat:
path: /etc/nsswitch.conf.ORIG
register: nsswitch_conf_orig_exists
tags:
- nis-install
- nis-install-client
- name: (nis.yml) Backup existing file /etc/nsswitch.conf
command: cp -a /etc/nsswitch.conf /etc/nsswitch.conf.ORIG
when:
- nsswitch_conf_orig_exists.stat.exists == False
tags:
- nis-install
- nis-install-client
- name: (nis-install-client.yml) Adjust file /etc/nsswitch.conf (set hosts)
replace:
path: /etc/nsswitch.conf
regexp: '(hosts:\s+files)\s+([^nis].*)'
replace: '\1 nis \2'
tags:
- nis-install
- nis-install-client
- name: (nis-install-client.yml) Adjust file /etc/nsswitch.conf (set passwd/group/shadow)
replace:
path: /etc/nsswitch.conf
regexp: '^({{ item }}:\s+.*)'
replace: '\1 nis'
with_items:
- passwd
- group
- shadow
tags:
- nis-install
- nis-install-client
# ---
# /etc/systemd/system/systemd-logind.service.d/nis_allow_network.conf
# ---
# - !! Using NIS client in Ubuntu 18.04 crashes both Gnome and Unity !!
# - ===================================================================
#
# - Unter NIS in Ubuntu 18.04 stütrzt Gnome und Unity ab
# -
# - Abhilfe schafft:
# -
#
# - Create a new directory in /etc/systemd/system/ named exactly after the
# - service you want to extend including a '.d', here this would be:
# - systemd-logind.service.d
# -
# - mkdir /etc/systemd/system/systemd-logind.service.d
#
# - Create a new file choose_an_appropriate_name.conf (e.g. nis_allow_network.conf)
# - inside the newly created directory with the following content, which specifies
# - the IP or IP range you want to be allowed:
# -
# - cat <<EOF > /etc/systemd/system/systemd-logind.service.d/nis_allow_network.conf
# - [Service]
# - IPAddressAllow=192.168.0.0/16
# - EOF
# -
# - systemctl daemon-reload
# - systemctl restart systemd-logind.service
- name: (nis-install-client.yml) Ensure directory /etc/systemd/system/systemd-logind.service.d exists
file:
path: /etc/systemd/system/systemd-logind.service.d
owner: root
group: root
mode: '0755'
state: directory
when: "ansible_distribution_major_version|int >= 18"
tags:
- nis-install
- nis-install-client
- name: (nis-install-client.yml) Ensure file /files/etc/systemd/system/systemd-logind.service.d/nis_allow_network.conf exists
copy:
src: "{{ role_path + '/files/etc/systemd/system/systemd-logind.service.d/nis_allow_network.conf' }}"
dest: /etc/systemd/system/systemd-logind.service.d/nis_allow_network.conf
owner: root
group: root
mode: '0755'
when: "ansible_distribution_major_version|int >= 18"
notify:
- Restart systemd-logind.service
tags:
- nis-install
- nis-install-client
# - Seit Ubuntu 16.04 startet nis vor dem portmapper (rpcbind). Das Starten
# - schlägt deshalb fehl und nis steht nicht zur Verfügung.
# -
# - Abhilfe:
# -
# - Run "systemctl edit rpcbind.socket" and add the following:
# -
# - [Unit]
# - DefaultDependencies=no
# - Wants=rpcbind.target
# - Before=rpcbind.target
# -
# - You can see your changes:
# - cat /etc/systemd/system/rpcbind.socket.d/override.conf
- name: (nis-install-client.yml) Ensure directory /etc/systemd/system/rpcbind.socket.d exists
file:
path: /etc/systemd/system/rpcbind.socket.d
owner: root
group: root
mode: '0755'
state: directory
when: "ansible_distribution_major_version|int >= 16"
tags:
- nis-install
- nis-install-client
- name: (nis-install-client.yml) Ensure file /files/etc/systemd/system/rpcbind.socket.d/override.conf exists
copy:
src: "{{ role_path + '/files/etc/systemd/system/rpcbind.socket.d/override.conf' }}"
dest: /etc/systemd/system/rpcbind.socket.d/override.conf
owner: root
group: root
mode: '0755'
when: "ansible_distribution_major_version|int >= 16"
notify:
- Restart rpcbind
tags:
- nis-install
- nis-install-client
# TODO:
# /etc/systemd/system/systemd-logind.service.d/nis_allow_network.conf
# /etc/systemd/system/rpcbind.socket.d/override.conf

215
roles/common/tasks/nis-install-server.yml Normal file
View File

@ -0,0 +1,215 @@
---
# ---
# Install nis
# ---
- name: (nis-install-server.yml) Set (nis) default domain (/etc/defaultdomain)
template:
dest: /etc/defaultdomain
src: etc/defaultdomain.j2
owner: root
group: root
mode: 0644
tags:
- nis-install
- nis-install-server
- name: (nis-install-server.yml) Install nis common packages
package:
name: "{{ item }}"
state: present
with_items: "{{ nis_common_packages }}"
register: nis_installed
tags:
- nis-install
- nis-install-server
# ---
# /etc/default/nis
# ---
- name: (nis-install-server.yml) Check if file '/etc/default/nis.ORIG' exists
stat:
path: /etc/default/nis.ORIG
register: default_nis_exists
tags:
- nis-install
- nis-install-server
- name: (nis-install-server.yml) Backup existing file /etc/default/nis
command: cp -a /etc/default/nis /etc/default/nis.ORIG
when:
- default_nis_exists.stat.exists == False
tags:
- nis-install
- nis-install-server
- name: (nis-install-server.yml) Adjust file /etc/default/nis - set 'NISSERVER' (server)
replace:
path: /etc/default/nis
regexp: '^NISSERVER=.*'
replace: 'NISSERVER=master'
tags:
- nis-install
- nis-install-server
- name: (nis-install-server.yml) Adjust file /etc/default/nis - set 'NISCLIENT' (server)
replace:
path: /etc/default/nis
regexp: '^NISCLIENT=.*'
replace: 'NISCLIENT=false'
tags:
- nis-install
- nis-install-server
# ---
# /etc/ypserv.securenets
# ---
- name: (nis-install-server.yml) Check if file '/etc/ypserv.securenets.ORIG' exists
stat:
path: /etc/ypserv.securenets.ORIG
register: ypserv_securenets_orig_exists
tags:
- nis-install
- nis-install-server
- name: (nis-install-server.yml) Backup existing file /etc/ypserv.securenets
command: cp -a /etc/ypserv.securenets /etc/ypserv.securenets.ORIG
when:
- ypserv_securenets_orig_exists.stat.exists == False
tags:
- nis-install
- nis-install-server
- name: (nis-install-client.yml) Comment line like '0.0.0.0 ..' to file /etc/ypserv.securenets
replace:
path: /etc/ypserv.securenets
regexp: '^(0.0.0.0\s+.*)'
replace: '#\1'
tags:
- nis-install
- nis-install-client
- name: (nis-install-server.yml) Add '255.255.0.0 192.168.0.0' to file /etc/ypserv.securenets
lineinfile:
path: /etc/ypserv.securenets
line: '255.255.0.0 192.168.0.0'
insertafter: EOF
state: present
owner: root
group: root
mode: '0644'
tags:
- nis-install
- nis-install-client
- name: (nis-install-server.yml) Add '255.0.0.0 10.0.0.0' to file /etc/ypserv.securenets
lineinfile:
path: /etc/ypserv.securenets
line: '255.0.0.0 10.0.0.0'
insertafter: EOF
state: present
owner: root
group: root
mode: '0644'
tags:
- nis-install
- nis-install-server
- name: (nis-install-server.yml) Trigger '/usr/lib/yp/ypinit -m'
shell: printf '\n' | /usr/lib/yp/ypinit -m
when: nis_installed.changed
tags:
- nis-install
- nis-install-server
# ---
# Base directory containing users' home directory
# ---
- name: (nis-install-server.yml) Ensure directoriy 'nis_base_home' (usually /data/home) exists
file:
path: '{{ nis_base_home}}'
owner: root
group: root
mode: '0755'
state: directory
when:
- "groups['nfs_server']|string is search(inventory_hostname)"
tags:
- nis-install
- nis-install-server
# ---
# /etc/adduser.conf
# ---
- name: (nis-install-server.yml) Check if file '/etc/adduser.conf.ORIG exists'
stat:
path: /etc/adduser.conf.ORIG
register: adduser_conf_exists
tags:
- nis-install
- nis-install-server
- name: (nis-install-server.yml) Backup existing file /etc/adduser.conf
command: cp -a /etc/adduser.conf /etc/adduser.conf.ORIG
when:
- adduser_conf_exists.stat.exists == False
tags:
- nis-install
- nis-install-server
- name: (nis-install-server.yml) Adjust file '/etc/adduser.conf' - set 'DHOME'
replace:
path: /etc/adduser.conf
regexp: '^#?DHOME=.*'
replace: 'DHOME={{ nis_base_home }}'
tags:
- nis-install
- nis-install-server
# ---
# /var/yp/Makefile
# ---
- name: (nis-install-server.yml) Check if file '/var/yp/Makefile.ORIG exists'
stat:
path: /var/yp/Makefile.ORIG
register: adduser_conf_exists
tags:
- nis-install
- nis-install-server
- name: (nis-install-server.yml) Backup existing file /var/yp/Makefile
command: cp -a /var/yp/Makefile /var/yp/Makefile.ORIG
when:
- adduser_conf_exists.stat.exists == False
tags:
- nis-install
- nis-install-server
- name: (nis-install-server.yml) Adjust file '/var/yp/Makefile'
replace:
path: /var/yp/Makefile
regexp: '^#?{{ item }}=.*'
replace: '{{ item }}=true'
with_items:
- MERGE_PASSWD
- MERGE_GROUP
notify:
- Renew nis databases
tags:
- nis-install
- nis-install-server
# TODO:
# /var/yp/Makefile

121
roles/common/tasks/nis_samba_user.yml Normal file
View File

@ -0,0 +1,121 @@
---
# ---
# - Remove unwanted users
# ---
- name: (nis_samba_user.yml) Check if samba user exists for removable nis user
shell: pdbedit -w -L | awk -F":" '{ print $1 }' | grep '{{ item.name }}'
register: samba_deleted_user_present
changed_when: "samba_deleted_user_present.rc == 0"
failed_when: "samba_deleted_user_present.rc > 1"
with_items:
- "{{ nis_deleted_user }}"
loop_control:
label: '{{ item.name }}'
tags:
- samba-user
- name: (nis_samba_user.yml) Remove (old) users from samba
shell: "smbpasswd -s -x {{ item.name }}"
with_items:
- "{{ nis_deleted_user }}"
loop_control:
label: '{{ item.name }}'
when: samba_deleted_user_present is changed
tags:
- samba-user
- name: (nis_samba_user.yml) Remove (old) users from system
user:
name: '{{ item.name }}'
state: absent
with_items:
- "{{ nis_deleted_user }}"
loop_control:
label: '{{ item.name }}'
tags:
- nis-user
- system-user
- name: (nis_samba_user.yml) Remove home directory from deleted users
file:
path: '{{ nis_base_home }}/{{ item.name }}'
state: absent
with_items:
- "{{ nis_deleted_user }}"
loop_control:
label: '{{ item.name }}'
tags:
- nis-user
- system-user
# ---
# - default user/groups
# ---
- name: (nis_samba_user.yml) Ensure nis groups exists
group:
name: '{{ item.name }}'
state: present
gid: '{{ item.group_id | default(omit) }}'
loop: "{{ nis_groups }}"
loop_control:
label: '{{ item.name }}'
when: item.group_id is defined
notify: Renew nis databases
tags:
- nis-user
- system-user
#- meta: end_host
- name: (nis_samba_user.yml) Ensure nis users exists
user:
name: '{{ item.name }}'
state: present
uid: '{{ item.user_id | default(omit) }}'
#group: '{{ item.0.name | default(omit) }}'
groups: "{{ item.groups|join(', ') }}"
home: '{{ nis_base_home }}/{{ item.name }}'
shell: '{{ item.shell|d("/bin/bash") }}'
password: "{{ item.password | password_hash('sha512') }}"
update_password: on_create
append: yes
loop: "{{ nis_user }}"
loop_control:
label: '{{ item.name }}'
notify: Renew nis databases
tags:
- nis-user
- system-user
- name: (nis_samba_user.yml) Check if samba user exists for nis user
shell: pdbedit -w -L | awk -F":" '{ print $1 }' | grep '{{ item.name }}'
register: samba_nis_user_present
changed_when: "samba_nis_user_present.rc > 0"
failed_when: "samba_nis_user_present.rc > 1"
with_items:
- "{{ nis_user }}"
loop_control:
label: '{{ item.name }}'
when:
- item.is_samba_user is defined and item.is_samba_user|bool
tags:
- samba-user
- name: (nis_samba_user.yml) Add nis user to samba (with nis users password)
shell: "echo -e '{{ item.password }}\n{{ item.password }}\n' | smbpasswd -s -a {{ item.name }}"
loop: "{{ nis_user }}"
loop_control:
label: '{{ item.name }}'
when:
- item.is_samba_user is defined and item.is_samba_user|bool
- samba_nis_user_present is changed
notify: Renew nis databases
tags:
- samba-user

95
roles/common/tasks/nis_user.yml Normal file
View File

@ -0,0 +1,95 @@
---
# ---
# - Remove unwanted users
# ---
- name: (nis_user.yml) Remove (old) users from system
user:
name: '{{ item.name }}'
state: absent
with_items:
- "{{ nis_deleted_user }}"
loop_control:
label: '{{ item.name }}'
tags:
- nis-user
- system-user
- name: (nis_user.yml) Remove home directory from deleted users
file:
path: '{{ nis_base_home }}/{{ item.name }}'
state: absent
with_items:
- "{{ nis_deleted_user }}"
loop_control:
label: '{{ item.name }}'
tags:
- nis-user
- system-user
# ---
# - default user/groups
# ---
- name: (nis_user.yml) Ensure nis groups exists
group:
name: '{{ item.name }}'
state: present
gid: '{{ item.group_id | default(omit) }}'
loop: "{{ nis_groups }}"
loop_control:
label: '{{ item.name }}'
when: item.group_id is defined
notify: Renew nis databases
tags:
- nis-user
- system-user
#- meta: end_host
- name: (nis_user.yml) Check if nis (system) user exists
shell: "getent passwd {{ item.name }}"
register: nis_user_exists
changed_when: "nis_user_exists.rc == 2"
failed_when: "nis_user_exists.rc > 2"
loop: "{{ nis_user }}"
loop_control:
label: '{{ item.name }}'
ignore_errors: true
tags:
- nis-user
- system-user
- name: (nis_user.yml) Add nis (system) users
shell: "/root/bin/admin-stuff/add_new_user.sh {{ item.name }} '{{ item.password }}'"
loop: "{{ nis_user }}"
loop_control:
label: '{{ item.name }}'
when: nis_user_exists is changed
notify: Renew nis databases
tags:
- nis-user
- system-user
- name: (nis_user.yml) Ensure nis users exists
user:
name: '{{ item.name }}'
state: present
uid: '{{ item.user_id | default(omit) }}'
#group: '{{ item.0.name | default(omit) }}'
groups: "{{ item.groups|join(', ') }}"
home: '{{ nis_base_home }}/{{ item.name }}'
shell: '{{ item.shell|d("/bin/bash") }}'
password: "{{ item.password | password_hash('sha512') }}"
update_password: on_create
append: yes
loop: "{{ nis_user }}"
loop_control:
label: '{{ item.name }}'
notify: Renew nis databases
tags:
- nis-user
- system-user

60
roles/common/tasks/samba_user.yml Normal file
View File

@ -0,0 +1,60 @@
---
# ---
# - Remove unwanted users
# ---
- name: (samba_user.yml) Check if samba user exists for removable nis user
shell: pdbedit -w -L | awk -F":" '{ print $1 }' | grep '{{ item.name }}'
register: samba_deleted_user_present
changed_when: "samba_deleted_user_present.rc == 0"
failed_when: "samba_deleted_user_present.rc > 1"
with_items:
- "{{ nis_deleted_user }}"
loop_control:
label: '{{ item.name }}'
tags:
- samba-user
- name: (samba_user.yml) Remove (old) users from samba
shell: "smbpasswd -s -x {{ item.name }}"
with_items:
- "{{ nis_deleted_user }}"
loop_control:
label: '{{ item.name }}'
when: samba_deleted_user_present is changed
tags:
- samba-user
# ---
# - default user/groups
# ---
- name: (samba_user.yml) Check if samba user exists for nis user
shell: pdbedit -w -L | awk -F":" '{ print $1 }' | grep '{{ item.name }}'
register: samba_nis_user_present
changed_when: "samba_nis_user_present.rc > 0"
failed_when: "samba_nis_user_present.rc > 1"
with_items:
- "{{ nis_user }}"
loop_control:
label: '{{ item.name }}'
when:
- item.is_samba_user is defined and item.is_samba_user|bool
tags:
- samba-user
- name: (samba_user.yml) Add nis user to samba (with nis users password)
shell: "echo -e '{{ item.password }}\n{{ item.password }}\n' | smbpasswd -s -a {{ item.name }}"
loop: "{{ nis_user }}"
loop_control:
label: '{{ item.name }}'
when:
- item.is_samba_user is defined and item.is_samba_user|bool
- samba_nis_user_present is changed
notify: Renew nis databases
tags:
- samba-user

32
roles/common/tasks/sudoers.yml Normal file
View File

@ -0,0 +1,32 @@
---
- name: (sudoers.yml) update specific sudoers configuration files (/etc/sudoers.d/)
template:
src: etc/sudoers.d/50-user.j2
dest: /etc/sudoers.d/50-user
validate: visudo -cf %s
owner: root
group: root
mode: 0440
tags:
- sudoers-file-configuration
- name: (sudoers.yml) update global sudoers configuration file
template:
src: etc/sudoers.j2
dest: /etc/sudoers
owner: root
group: root
mode: 0440
validate: visudo -cf %s
tags:
- sudoers-global-configuration
- name: (sudoers.yml) Ensure all sudo_users are in sudo group
user:
name: "{{ item }}"
groups: sudo
append: yes
with_items: "{{ sudo_users }}"
tags:
- sudo-users

39
roles/common/tasks/user-systemfiles.yml Normal file
View File

@ -0,0 +1,39 @@
---
- name: (user-systemfiles.yml) Check if users file '.profile.ORIG' exists
stat:
path: "~{{ item.name }}/.profile.ORIG"
register: profile_user_orig_exists
loop: "{{ nis_user }}"
loop_control:
label: '{{ item.name }}'
when:
- item.is_samba_user is defined and item.is_samba_user|bool
tags:
- profile
- name: (user-systemfiles.yml) Backup existing users .profile file
command: cp -a ~{{ item.item.name }}/.profile ~{{ item.item.name }}/.profile.ORIG
loop: "{{ profile_user_orig_exists.results }}"
loop_control:
label: '{{ item.item.name }}'
when:
- item.is_samba_user is defined and item.is_samba_user|bool
- item.stat.exists == False
tags:
- profile
- name: (user-systemfiles.yml) Create new users .profile file
template:
src: user_homedirs/dot.profile.j2
dest: "~{{ item.name }}/.profile"
owner: "{{ item.name }}"
group: "{{ item.name }}"
mode: 0644
loop: "{{ nis_user }}"
loop_control:
label: '{{ item.name }}'
when:
- item.is_samba_user is defined and item.is_samba_user|bool
tags:
- profile

1
roles/common/templates/etc/defaultdomain.j2 Normal file
View File

@ -0,0 +1 @@
{{ nis_domain }}

31
roles/common/templates/etc/exports.j2 Normal file
View File

@ -0,0 +1,31 @@
# {{ ansible_managed }}
# /etc/exports: the access control list for filesystems which may be exported
# to NFS clients. See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes gss/krb5i(rw,sync,no_subtree_check)
#
{% set count = namespace(nfs_exports=100) %}
{% for export in nfs_exports %}
{% set export_str= namespace(nfs_exports = export.src.split(":")[1]) %}
{% set count.nfs_exports = count.nfs_exports + 10 %}
{% for network in export.export_networks %}
{% if export.fs_encrypted is defined and export.fs_encrypted is sameas true %}
{% set export_str.nfs_exports = export_str.nfs_exports~" "~network~"("~export.export_opt~",fsid="~count.nfs_exports~")" %}
#{{ export.src.split(":")[1] }} {{ network }}({{ export.export_opt }},fsid={{ count.nfs_exports }})
{% else %}
{% set export_str.nfs_exports = export_str.nfs_exports~" "~network~"("~export.export_opt~")" %}
#{{ export.src.split(":")[1] }} {{ network }}({{ export.export_opt }})
{% endif %}
{% endfor %}
{{ export_str.nfs_exports }}
{% endfor %}

34
roles/common/templates/etc/sudoers.d/50-user.j2 Normal file
View File

@ -0,0 +1,34 @@
# {{ ansible_managed }}
{% for item in sudoers_file_defaults | default([]) %}
Defaults {{ item }}
{% endfor %}
# Host alias specification
{% for item in sudoers_file_host_aliases | default([]) %}
Host_Alias {{ item.name }} = {{ item.entry }}
{% endfor %}
# User alias specification
{% for item in sudoers_file_user_aliases | default([]) %}
User_Alias {{ item.name }} = {{ item.entry }}
{% endfor %}
# Cmnd alias specification
{% for item in sudoers_file_cmnd_aliases | default([]) %}
Cmnd_Alias {{ item.name }} = {{ item.entry }}
{% endfor %}
# Runas alias specification
{% for item in sudoers_file_runas_aliases | default([]) %}
Runas_Alias {{ item.name }} = {{ item.entry }}
{% endfor %}
# User privilege specification
{# rules for nis users #}
{% for item in nis_user | default([]) %}
{{ item.name }} ALL=(root)NOPASSWD: MOUNT
{% endfor %}
# Group privilege specification

56
roles/common/templates/etc/sudoers.j2 Normal file
View File

@ -0,0 +1,56 @@
# {{ ansible_managed }}
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
{% for item in sudoers_defaults %}
{% if item != '' %}
Defaults {{ item }}
{% endif %}
{% endfor %}
# Host alias specification
{% for item in sudoers_host_aliases | default([]) %}
Host_Alias {{ item.name }} = {{ item.entry }}
{% endfor %}
# User alias specification
{% for item in sudoers_user_aliases | default([]) %}
User_Alias {{ item.name }} = {{ item.entry }}
{% endfor %}
# Cmnd alias specification
{% for item in sudoers_cmnd_aliases | default([]) %}
Cmnd_Alias {{ item.name }} = {{ item.entry }}
{% endfor %}
# Runas alias specification
{% for item in sudoers_runas_aliases | default([]) %}
Runas_Alias {{ item.name }} = {{ item.entry }}
{% endfor %}
# User privilege specification
{% for item in sudoers_user_privileges | default([]) %}
{{ item.name }} {{ item.entry }}
{% endfor %}
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# Group privilege specification
{% for item in sudoers_group_privileges | default([]) %}
{{ item.name }} {{ item.entry }}
{% endfor %}
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d

24
roles/common/templates/etc/yp.conf.j2 Normal file
View File

@ -0,0 +1,24 @@
# {{ ansible_managed }}
# /etc/yp.conf - ypbind configuration file
# Valid entries are
#
# domain NISDOMAIN server HOSTNAME
# Use server HOSTNAME for the domain NISDOMAIN.
#
# domain NISDOMAIN broadcast
# Use broadcast on the local net for domain NISDOMAIN
#
# domain NISDOMAIN slp
# Query local SLP server for ypserver supporting NISDOMAIN
#
# ypserver HOSTNAME
# Use server HOSTNAME for the local domain. The
# IP-address of server must be listed in /etc/hosts.
#
# broadcast
# If no server for the default domain is specified or
# none of them is rechable, try a broadcast call to
# find a server.
#
domain {{ nis_domain }} server {{ nis_server_address }}

36
roles/common/templates/user_homedirs/dot.profile.j2 Normal file
View File

@ -0,0 +1,36 @@
# {{ ansible_managed }}
# ~/.profile: executed by the command interpreter for login shells.
# This file is not read by bash(1), if ~/.bash_profile or ~/.bash_login
# exists.
# see /usr/share/doc/bash/examples/startup-files for examples.
# the files are located in the bash-doc package.
# the default umask is set in /etc/profile; for setting the umask
# for ssh logins, install and configure the libpam-umask package.
#umask 022
# if running bash
if [ -n "$BASH_VERSION" ]; then
# include .bashrc if it exists
if [ -f "$HOME/.bashrc" ]; then
. "$HOME/.bashrc"
fi
fi
# set PATH so it includes user's private bin if it exists
if [ -d "$HOME/bin" ] ; then
PATH="$HOME/bin:$PATH"
fi
# this is for the midnight-commander
# to become the last directory the midnight commander was in
# as the current directory when leaving the midnight commander
#
#. /usr/lib/mc/bin/mc.sh
#
if [ -f "/usr/share/mc/bin/mc.sh" ] ; then
source /usr/share/mc/bin/mc.sh
fi
export LANG="de_DE.utf8"

126
roles/common/templates/user_homedirs/dot.profile.j2.with_samba_mounts Normal file
View File

@ -0,0 +1,126 @@
# {{ ansible_managed }}
# ~/.profile: executed by the command interpreter for login shells.
# This file is not read by bash(1), if ~/.bash_profile or ~/.bash_login
# exists.
# see /usr/share/doc/bash/examples/startup-files for examples.
# the files are located in the bash-doc package.
# the default umask is set in /etc/profile; for setting the umask
# for ssh logins, install and configure the libpam-umask package.
#umask 022
# if running bash
if [ -n "$BASH_VERSION" ]; then
# include .bashrc if it exists
if [ -f "$HOME/.bashrc" ]; then
. "$HOME/.bashrc"
fi
fi
# set PATH so it includes user's private bin if it exists
if [ -d "$HOME/bin" ] ; then
PATH="$HOME/bin:$PATH"
fi
# this is for the midnight-commander
# to become the last directory the midnight commander was in
# as the current directory when leaving the midnight commander
#
#. /usr/lib/mc/bin/mc.sh
#
if [ -f "/usr/share/mc/bin/mc.sh" ] ; then
source /usr/share/mc/bin/mc.sh
fi
export LANG="de_DE.utf8"
# ---
# Mmount samba shares
# ---
# Don't try to mount samba shares if login at samba server
#
[[ "$(hostname --long)" = "{{ samba_server }}" ]] && return
SERVER="{{ samba_server }}"
USER="{{ item.name }}"
PASSWORD='{{ item.password }}'
VERSION="1.0"
# Use NTLMv2 password hashing and force packet signing
#
# SEC="ntlmv2i"
#
# Use NTLMv2 password hashing encapsulated in Raw NTLMSSP message, and force packet signing
#
# SEC="ntlmsspi"
#
SEC="ntlmsspi"
# - uid/guid of the user at fielserver
# -
_UID="$(id -u)"
_GID="$(id -g)"
# Logfile to see what happened..
#
_logfile=/tmp/profile_${USER}.log
echo "" > $_logfile
echo "$(date +"%Y-%m-%d-%H%M")" >> $_logfile
# Network present
#
_network=false
if [ "X$_addr" = "X" ] ; then
echo "no inet address assigned yet.." >> $_logfile
declare -i count=1
while ! $_network && [[ $count -lt 5 ]] ; do
echo "sleeping 2 seconds.." >> $_logfile
sleep 2
_addr="$(hostname --ip-address)"
if [ "X$_addr" != "X" ] ; then
_network=true
echo "inet address present: $_addr" >> $_logfile
fi
((count++))
done
fi
for dir in $(ls /mnt/$USER) ; do
MOUNT_POINT=/mnt/$USER/$dir
SHARE=$dir
[ ! -d $MOUNT_POINT ] && continue
if ! mount | grep $MOUNT_POINT > /dev/null ; then
echo "Going to mount share '${SHARE}' .." >> $_logfile
if [ -x /usr/bin/smb4k_mount ]; then
## - Ubuntu <= 12.04
if [[ "$VERSION" = "1.0" ]]; then
sudo /usr/bin/smb4k_mount -o user=$USER,password=$PASSWORD,iocharset=utf8,vers=1.0 \
-n -t cifs //$SERVER/$SHARE $MOUNT_POINT >> $_logfile 2>&1
else
sudo /usr/bin/smb4k_mount -o user=$USER,password=$PASSWORD,iocharset=utf8,uid=$_UID,gid=$_GID,vers=$VERSION \
-n -t cifs //$SERVER/$SHARE $MOUNT_POINT >> $_logfile 2>&1
fi
else
## - Ubuntu Version >= 14.04
if [[ "$VERSION" = "1.0" ]]; then
sudo /bin/mount -o user=$USER,password=$PASSWORD,iocharset=utf8,cifsacl,vers=$VERSION \
-n -t cifs //$SERVER/$SHARE $MOUNT_POINT >> $_logfile 2>&1
else
sudo /bin/mount -o user=$USER,password=$PASSWORD,iocharset=utf8,cifsacl,uid=$USER,sec=${SEC},vers=$VERSION \
-n -t cifs //$SERVER/$SHARE $MOUNT_POINT >> $_logfile 2>&1
fi
fi
else
echo "mount point $MOUNT_POINT already exists. nothing left to do.." >> $_logfile
fi
done