commit c051eb091f62a47a163610ad497faf78cc9d96a7
Author: Christoph
Date: Sun Dec 15 19:02:18 2019 +0100
Initial commit
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..1377554
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+*.swp
diff --git a/README.create_vault_string b/README.create_vault_string
new file mode 100644
index 0000000..aad081b
--- /dev/null
+++ b/README.create_vault_string
@@ -0,0 +1,12 @@
+
+# Create entcypted string
+#
+# ansible-vault encrypt_string '' --name 'password'
+#
+$ ansible-vault encrypt_string 'test100' --name 'password'
+password: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 33663235396237373338323536643030393235323266656333323934663431323531316638383962
+ 3536333065363364653561366464393262663832376339630a353236316431636338373034343566
+ 31373136613434636562353237653230633162613531313466366437663730633931346131396531
+ 3632653737643363350a306435656633343132366461346262623131323337633663363135313563
diff --git a/ansible.cfg b/ansible.cfg
new file mode 100644
index 0000000..3453ac3
--- /dev/null
+++ b/ansible.cfg
@@ -0,0 +1,47 @@
+# config file for ansible -- http://ansible.com/
+# ==============================================
+# exmaple:https://raw.github.com/ansible/ansible/devel/examples/ansible.cfg
+#
+# nearly all parameters can be overridden in ansible-playbook
+# or with command line flags. ansible will read ANSIBLE_CONFIG,
+# ansible.cfg in the current working directory, .ansible.cfg in
+# the home directory or /etc/ansible/ansible.cfg, whichever it
+# finds first
+
+
+[defaults]
+#ansible_managed = ** Ansible managed: DO NOT EDIT DIRECTLY **
+ansible_managed = ############################################ #
+ # -------------------------- #
+ # ** DO NOT EDIT DIRECTLY ** #
+ # -------------------------- #
+ # Ansible managed file #
+ # ############################################ #
+#gathering = smart
+#fact_caching = jsonfile
+#fact_caching_connection = ~/.cache/
+#fact_caching_timeout = 86400
+#forks = 20
+inventory = ./hosts
+remote_user = lokaladmin
+#remote_user = root
+#ask_pass=True
+roles_path = ./roles
+vault_password_file = mbr-bln_the_vault.sh
+#retry_files_enabled = False
+#allow_world_readable_tmpfiles = True
+interpreter_python: auto
+#interpreter_python: /usr/bin/python3
+
+[privilege_escalation]
+#become=False
+become=True
+become_method=sudo
+become_ask_pass=True
+
+[ssh_connection]
+
+# By default, this option is disabled to preserve compatibility with
+# sudoers configurations that have requiretty (the default on many distros).
+#
+#pipelining = True
diff --git a/common.yml b/common.yml
new file mode 100644
index 0000000..016774b
--- /dev/null
+++ b/common.yml
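Review bot: `interpreter_python: auto` (and the commented `#interpreter_python:` line below it) is the only setting in the file written with a colon separator; configparser accepts both, but every other key uses `=`, so `interpreter_python = auto` keeps the file uniform. `vault_password_file = mbr-bln_the_vault.sh` refers to a helper that I cannot see anywhere in this commit; a comment above it such as `# vault password helper, provided out of band - never commit it with the secret inside` would tell the next operator where it comes from and what must not happen to it. Presumably the relative path is resolved against the directory holding ansible.cfg rather than the working directory; worth confirming for the Ansible version in use.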
@@ -0,0 +1,20 @@
+---
+
+# Intended to be run once for every new server to secure the ssh connection allowing the team access
+# with their public keys. This script will lock itself out from every server it is run on.
+# Further playbooks are intended to be run by logging in as one of the created users.
+# It also ensures python2 is installed as it's necessary for the modules used in this playbook at
+# the time of this writing.
+
+# The used login data depends on the used server provider. In most cases the ansible_user will be
+# root, but we can't safely assume anything.
+# The following line is an example for securing a new vagrant maching, after running `vagrant up`:
+# ansible-playbook first_run.yml -i hosts -u vagrant --private-key='~/.vagrant.d/insecure_private_key'
+# For real providers it could look like:
+# ansible-playbook first_run.yml -i hosts -u root --private-key='~/.ssh/id_rsa'
+# If you don't have a ssh-key on the server and the server expects password authentication use:
+# ansible-playbook first_run.yml -i hosts -u root --ask-pass
+
+- hosts: all
+ roles:
+ - common
diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml
new file mode 100644
index 0000000..b01b5f2
--- /dev/null
+++ b/group_vars/all/main.yml
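Review bot: The header comment describes a different playbook than the one below it: it speaks of `first_run.yml`, of a run that locks itself out of every server, of created users and of installing python2, while the play here only applies the `common` role, and all three example invocations name `first_run.yml` instead of `common.yml`. Whether the `common` role does any of that I cannot tell from this diff, but a comment block that points at another file is misleading for whoever runs this, so either the invocations should read `ansible-playbook common.yml -i hosts ...` or the block should be rewritten to state what `common` actually configures. While editing it, `maching` should be `machine`.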
@@ -0,0 +1,758 @@ +--- + +# --- +# NFS +# --- + +nfs_server: 192.168.112.10 + +# Set 'fs_encrypted' to true if filesystem lives on an encrypted +# partition. +# +nfs_exports: + - src: 192.168.112.10:/data/home + path: /data/home + mount_opts: users,rsize=8192,wsize=8192,hard,intr + export_opt: rw,root_squash,sync,subtree_check + export_networks: + - 192.168.112.0/24 + - 10.0.112.0/24 + - 10.1.112.0/24 + - 192.168.63.0/24 + fs_encrypted: false + + - src: 192.168.112.10:/data/shares + path: /data/home + mount_opts: users,rsize=8192,wsize=8192,hard,intr + export_opt: rw,root_squash,sync,subtree_check + export_networks: + - 192.168.112.0/24 + - 10.0.112.0/24 + - 10.1.112.0/24 + - 192.168.63.0/24 + fs_encrypted: false + +# --- +# Samba / NIS +# --- + +samba_server: file-mbr.mbr-bln.netz + +samba_shares: + - name: Arbeitsrechtliches + user: + - anne + - bianca + - birgit.erhardt + - christina.wendt + - chris + - sysadm + - name: Ausschreibungen + user: + - anne + - bianca + - chris + - matthias.mueller + - sysadm + - name: BGN-Finanzen-Personal + user: + - anne + - bianca + - carolin + - christina.wendt + - chris + - sysadm + - ulf.balmer + - name: BVV-Projekt + user: + - alexander.rasumny + - anna.mueller1 + - anne + - benjamin + - bianca + - birgit.erhardt + - bjoern.renkewitz + - carolin + - christina.wendt + - chris + - daniel.poensgen + - doku2 + - doku_4 + - doku_7 + - dorina.feldmann + - franziska + - johannes.radke + - judith.heinmueller + - kristina.holzapfel + - lavinia.schwedersky + - manja.kasten + - mathias + - matthias.mueller + - michael.sulies + - michael.trube + - pia.lamberty + - praktikum + - praktikum_rias + - praktikum2 + - praktikum2_rias + - sabine.kritter + - samuel.signer + - scan + - simon + - sysadm + - ulf.balmer + - name: Finanzen + user: + - anne + - bianca + - birgit.erhardt + - christina.wendt + - chris + - sysadm + - name: Install + user: + - chris + - sysadm + - lokaladmin + - name: Kamera + user: + - anne + - axis + - bianca + - chris + 
- sysadm + - name: MBR + user: + - alexander.rasumny + - anna.mueller1 + - anne + - benjamin + - bianca + - birgit.erhardt + - bjoern.renkewitz + - carolin + - christina.wendt + - chris + - daniel.poensgen + - doku2 + - doku_4 + - doku_7 + - dorina.feldmann + - franziska + - johannes.radke + - judith.heinmueller + - kristina.holzapfel + - lavinia.schwedersky + - manja.kasten + - mathias + - matthias.mueller + - michael.sulies + - michael.trube + - pia.lamberty + - praktikum + - praktikum_rias + - praktikum2 + - praktikum2_rias + - sabine.kritter + - samuel.signer + - scan + - simon + - sysadm + - ulf.balmer + - name: Mobilisierungsplattform + user: + - alexander.rasumny + - anna.mueller1 + - anne + - benjamin + - bianca + - birgit.erhardt + - bjoern.renkewitz + - carolin + - christina.wendt + - chris + - daniel.poensgen + - doku2 + - doku_4 + - doku_7 + - dorina.feldmann + - franziska + - johannes.radke + - judith.heinmueller + - kristina.holzapfel + - lavinia.schwedersky + - manja.kasten + - mathias + - matthias.mueller + - michael.sulies + - michael.trube + - pia.lamberty + - praktikum + - praktikum_rias + - praktikum2 + - praktikum2_rias + - sabine.kritter + - samuel.signer + - scan + - simon + - sysadm + - ulf.balmer + - name: RIAS + user: + - alexander.rasumny + - anna.mueller1 + - anne + - benjamin + - bianca + - birgit.erhardt + - bjoern.renkewitz + - carolin + - christina.wendt + - chris + - daniel.poensgen + - doku2 + - doku_4 + - doku_7 + - dorina.feldmann + - franziska + - johannes.radke + - judith.heinmueller + - kristina.holzapfel + - lavinia.schwedersky + - manja.kasten + - mathias + - matthias.mueller + - michael.sulies + - michael.trube + - pia.lamberty + - praktikum + - praktikum_rias + - praktikum2 + - praktikum2_rias + - sabine.kritter + - samuel.signer + - scan + - simon + - sysadm + - ulf.balmer + - name: RIAS-Finanzen-Personal + user: + - anne + - bianca + - benjamin + - birgit.erhardt + - christina.wendt + - chris + - sysadm + - name: SCAN + 
user: + - alexander.rasumny + - anna.mueller1 + - anne + - benjamin + - bianca + - birgit.erhardt + - bjoern.renkewitz + - carolin + - christina.wendt + - chris + - daniel.poensgen + - doku2 + - doku_4 + - doku_7 + - dorina.feldmann + - franziska + - johannes.radke + - judith.heinmueller + - kristina.holzapfel + - lavinia.schwedersky + - manja.kasten + - mathias + - matthias.mueller + - michael.sulies + - michael.trube + - pia.lamberty + - praktikum + - praktikum_rias + - praktikum2 + - praktikum2_rias + - sabine.kritter + - samuel.signer + - scan + - simon + - sysadm + - ulf.balmer + - name: VDK + user: + - alexander.rasumny + - anna.mueller1 + - anne + - benjamin + - bianca + - birgit.erhardt + - bjoern.renkewitz + - carolin + - christina.wendt + - chris + - daniel.poensgen + - doku2 + - doku_4 + - doku_7 + - dorina.feldmann + - franziska + - johannes.radke + - judith.heinmueller + - kristina.holzapfel + - lavinia.schwedersky + - manja.kasten + - mathias + - matthias.mueller + - michael.sulies + - michael.trube + - pia.lamberty + - praktikum + - praktikum_rias + - praktikum2 + - praktikum2_rias + - sabine.kritter + - samuel.signer + - scan + - simon + - sysadm + - ulf.balmer + - name: Video + user: + - alexander.rasumny + - anna.mueller1 + - anne + - benjamin + - bianca + - birgit.erhardt + - bjoern.renkewitz + - carolin + - christina.wendt + - chris + - daniel.poensgen + - doku2 + - doku_4 + - doku_7 + - dorina.feldmann + - franziska + - johannes.radke + - judith.heinmueller + - kristina.holzapfel + - lavinia.schwedersky + - manja.kasten + - mathias + - matthias.mueller + - michael.sulies + - michael.trube + - pia.lamberty + - praktikum + - praktikum_rias + - praktikum2 + - praktikum2_rias + - sabine.kritter + - samuel.signer + - scan + - simon + - sysadm + - ulf.balmer + +nis_domain: mbr-bln.netz +#nis_domain: local.netz + +nis_server_address: 192.168.112.10 + +nis_server_name: file-mbr.mbr-bln.netz +#nis_server_name: luna.local.netz + +nis_common_packages: + - 
nis + - nscd + +nis_deleted_user: [] + + +nis_base_home: /data/home + +nis_groups: + - name: mbr-buero + group_id: 1200 + - name: mbr-finanzen + group_id: 1210 + - name: mbr-personal + group_id: 1220 + - name: mbr-kamera + group_id: 1250 + - name: mbr-admins + group_id: 1260 + - name: vdk + group_id: 1300 + - name: rias + group_id: 1400 + - name: rias-finanzen-personal + group_id: 1410 + - name: bgn + group_id: 1500 + - name: bgn-finanzen-personal + group_id: 1510 + +nis_user: + - name: chris + groups: + - mbr-buero + - mbr-finanzen + - mbr-personal + - mbr-kamera + - mbr-admins + - vdk + - rias + - rias-finanzen-personal + - bgn + - bgn-finanzen-personal + is_samba_user: true + password: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 38643435653764393333613564393733666139656264343833333632373938323230393036303234 + 3633303562636465643930643961663165646237386664370a386362346162313037353163383365 + 61343263386239316164613935633062343165363863376462653165306464633136313839343962 + 3865353333373661390a643564386432643532396632323664383330646430613033643130626430 + 6139 + - name: lokaladmin + groups: + - mbr-buero + - mbr-finanzen + - mbr-personal + - mbr-kamera + - mbr-admins + - vdk + - rias + - rias-finanzen-personal + - bgn + - bgn-finanzen-personal + is_samba_user: true + password: 'd4r1usz' + - name: sysadm + groups: + - mbr-buero + - mbr-finanzen + - mbr-personal + - mbr-kamera + - mbr-admins + - vdk + - rias + - rias-finanzen-personal + - bgn + - bgn-finanzen-personal + is_samba_user: true + password: 'KPk_Wf2F' + - name: alexander.rasumny + groups: + - mbr-buero + is_samba_user: true + password: 'twT9Rjbv9mjq' + - name: anna.mueller1 + groups: + - mbr-buero + is_samba_user: true + password: '5xp5ll9ar13us!' 
+ - name: anne + groups: + - mbr-buero + - mbr-finanzen + - mbr-personal + - mbr-kamera + - mbr-admins + - vdk + - rias + - rias-finanzen-personal + - bgn + - bgn-finanzen-personal + is_samba_user: true + password: 'YA!LiLiC0MP5' + - name: axis + groups: + - mbr-buero + is_samba_user: true + password: '20_axis_16' + - name: benjamin + groups: + - mbr-buero + - vdk + - rias + - rias-finanzen-personal + is_samba_user: true + password: 'C2-0U#ch' + - name: bianca + groups: + - mbr-buero + - mbr-finanzen + - mbr-personal + - mbr-kamera + - mbr-admins + - vdk + - rias + - rias-finanzen-personal + - bgn + - bgn-finanzen-personal + is_samba_user: true + password: '73_BiBole_29' + - name: birgit.erhardt + groups: + - mbr-buero + - mbr-finanzen + - vdk + is_samba_user: true + password: '20_purpel!rain_17' + - name: bjoern.renkewitz + groups: + - mbr-buero + is_samba_user: true + password: 'Tz9-Wq-51' + - name: carolin + groups: + - mbr-buero + - bgn-finanzen-personal + is_samba_user: true + password: '20_carol1n_14' + - name: christina.wendt + groups: + - mbr-buero + - mbr-finanzen + - vdk + - rias-finanzen-personal + - bgn-finanzen-personal + is_samba_user: true + password: '8!Varianten' + - name: daniel.poensgen + groups: + - mbr-buero + is_samba_user: true + password: 'rcMRCm7jcpbp' + - name: doku_4 + groups: + - mbr-buero + is_samba_user: true + password: 'PwmNvPh9KM4T' + - name: doku_7 + groups: + - mbr-buero + is_samba_user: true + password: 'TFhCW9J4Vn4F' + - name: dorina.feldmann + groups: + - mbr-buero + is_samba_user: true + password: '17?4XPQ_!abc' + - name: franziska + groups: + - mbr-buero + is_samba_user: true + password: 'f49mCjbj3Jh7' + - name: frederick.kannenberg + groups: + - mbr-buero + is_samba_user: true + password: 'riasFK2019!#' + - name: doku2 + groups: + - mbr-buero + is_samba_user: true + password: '*M0ss4d*' + - name: johannes.radke + groups: + - mbr-buero + is_samba_user: true + password: 'Furzf4brik!' 
+ - name: judith.heinmueller + groups: + - mbr-buero + is_samba_user: true + password: 't32_aHxV.' + - name: kristina.holzapfel + groups: + - mbr-buero + is_samba_user: true + password: 'c7PvX_39.' + - name: lavinia.schwedersky + groups: + - mbr-buero + is_samba_user: true + password: 'xJw.3R9vKf/N' + - name: manja.kasten + groups: + - mbr-buero + is_samba_user: true + password: 'Rasili_&n' + - name: mathias + groups: + - mbr-buero + is_samba_user: true + password: 'p3r*45p3r4*4d*45tr4m' + - name: matthias.mueller + groups: + - mbr-buero + - mbr-personal + is_samba_user: true + password: 'V1v@H@f3rdr1nk' + - name: michael.sulies + groups: + - mbr-buero + is_samba_user: true + password: 'Cryst4lp4l4c3' + - name: michael.trube + groups: + - mbr-buero + - mbr-kamera + is_samba_user: true + password: '*R13sl1ng*' + - name: pia.lamberty + groups: + - mbr-buero + is_samba_user: true + password: 'oasd31*as+Q%' + - name: praktikum + groups: + - mbr-buero + is_samba_user: true + password: '_F313r4b3nd*' + - name: praktikum_rias + groups: + - mbr-buero + is_samba_user: true + password: '7z7F%d3cv_dfjz' + - name: praktikum2 + groups: + - mbr-buero + is_samba_user: true + password: '20praktikum213' + - name: praktikum2_rias + groups: + - mbr-buero + is_samba_user: true + password: 'ctnrk3CczcJ9' + - name: sabine.kritter + groups: + - mbr-buero + is_samba_user: true + password: '#17_abc_?!' + - name: samuel.signer + groups: + - mbr-buero + is_samba_user: true + password: 'S4mmyC0mput3r!' + - name: scan + groups: + - mbr-buero + is_samba_user: true + password: '20scan13' + - name: simon + groups: + - mbr-buero + is_samba_user: true + password: 'S4u3rkr4ut!' 
+ - name: ulf.balmer + groups: + - mbr-buero + - bgn + - bgn-finanzen-personal + is_samba_user: true + password: 'ALL3_e6ene#' + + + +# --- +# vars used by roles/ansible_dependencies +# --- + +apt_ansible_dependencies: + - python + - python-apt + - python3 + - python3-apt + - lsb-release + - apt-transport-https + - dbus + - sudo + - vim + - net-tools + - vlan + + +# --- +# vars used by roles/ansible_user +# --- + +ssh_keys_admin: + - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC5IhVprsvVOcFPbZzD9xR0nCjZ/9qVG6RhLJ7QBSts81nRvLwnmvcMBHSf5Rfaigey7Ff5dLHfJnxRE0KDATn6n2yd/5mXpn2GAA8hDVfhdsmsb5U7bROjZNr8MmIUrP7c3msUGx1FtvzhwxtyvIWOFQpWx+W5biBa6hFjIxT1pkUJqe6fclp7xbGYKZiqZRBS4qKG5CpKnisuOYDsqYPND+OkU+PShoxGVzp1JywIVze7qeKv6GyYbRA9SP9Np+5Mit6B21Io4zOI81c2Rz6sPX7mwEAQEs7iCm2hzG8qJws45Lb4ERqDkVEVhGNUyHjHgGebS1sZx1mLExdurXlPm1l/EamkncDFDCutHXtLP7lsFFiym7fKUjSEgiiLmyu5Xm+mwZvesKa1FYNaeiFWfYZpCJrNzIk+ffs+mgg3kmL4Sd4Ooy7jXPX+WJe5Xyh1KLU/+Wj2TVrhN+LbmupYAti/Wgd3DA1v601svmG82aLmyJRtKC0rGMePH3kDbtqU72kYpzI8mXERe1TIQ00Z77kQBR/7BF/9y5/0YmYDcXt1wNCoSie+mzz3xYcEdLAc7T+DhYpd4M6VgWnuz/exzRzhQwoSdEKkEED8CpEoBrEWEiMdrlElGmlkVomLU7P9i9j1rshX/pAq0asnqeSoPdC3vNbU3keiJQnhIHECvw== chris@luna' + - 'ssh-rsa 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 root@luna' + +ansible_remote_user: + - name: lokaladmin + password: $6$KLQUDbiw$qvsGUndXr2G3DxhML6maD/nsJtXfElSLQ7ufkMuJu2vACbYX7kqNXdiU17oX6CyN5L1xARZ.TiES/w7zfh0Cu/ + shell: /bin/bash + + + +# --- +# vars used by roles/common/tasks/basic.yml +# --- + +time_zone: Europe/Berlin + +locales: + - en_US.UTF-8 + - de_DE.UTF-8 + +set_default_limit_nofile: false + + +# --- +# vars used by roles/common/tasks/sudoers.yml +# --- + +sudo_users: + - lokaladmin + - chris + - sysadm + - localadmin + + +# /etc/sudoers +# +sudoers_defaults: + - env_reset + - mail_badpass + - 'secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"' + +sudoers_host_aliases: [] + +sudoers_user_aliases: [] + +sudoers_cmnd_aliases: [] + +sudoers_runas_aliases: [] 
+ +sudoers_user_privileges: + - name: root + entry: 'ALL=(ALL:ALL) ALL' + +sudoers_group_privileges: [] + + + +# /etc/sudoers.d/50-user +# +sudoers_file_defaults: [] + +sudoers_file_host_aliases: [] + +sudoers_file_user_aliases: [] + +sudoers_file_cmnd_aliases: + - name: MOUNT + entry: '/bin/mount,/bin/umount' + +sudoers_file_runas_aliases: [] + diff --git a/group_vars/all/main.yml.00 b/group_vars/all/main.yml.00 new file mode 100644 index 0000000..0575652 --- /dev/null +++ b/group_vars/all/main.yml.00 
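Review bot: Nearly every `nis_user` entry stores its login credential in plaintext (`lokaladmin`, `sysadm`, `anne`, `bianca` and roughly forty more carry a literal `password: '...'`, and `ansible_remote_user` carries a crypt hash), although the same file shows the intended pattern for `chris` (`password: !vault |`) and the README in this commit documents `ansible-vault encrypt_string`. Each `password:` value should be a vault string, and because these values are now in git history the affected accounts need fresh passwords, not just a re-encryption of the old ones. The identical plaintext block is repeated in `group_vars/all/main.yml.00` and `group_vars/all/main.yml.BAK`; the group_vars loader presumably ignores those extensions, but the copies still hold the secrets and do not belong in the repository. Separately, the second `nfs_exports` entry has `src: 192.168.112.10:/data/shares` but `path: /data/home`, the same mount point as the first entry, which looks like a copy-paste slip for `path: /data/shares`. `sudo_users` also lists both `lokaladmin` and `localadmin`, and only the former exists in `nis_user`, so the latter is probably a typo that would silently grant nothing or the wrong account.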
@@ -0,0 +1,556 @@ +--- + +# --- +# NFS +# --- + +nfs_server: 192.168.112.10 + +# Set 'fs_encrypted' to true if filesystem lives on an encrypted +# partition. +# +nfs_exports: + - src: 192.168.112.10:/data/home + path: /data/home + mount_opts: users,rsize=8192,wsize=8192,hard,intr + export_opt: rw,root_squash,sync,subtree_check + export_networks: + - 192.168.112.0/24 + - 10.0.112.0/24 + - 10.1.112.0/24 + - 192.168.63.0/24 + fs_encrypted: false + + - src: 192.168.112.10:/data/shares + path: /data/home + mount_opts: users,rsize=8192,wsize=8192,hard,intr + export_opt: rw,root_squash,sync,subtree_check + export_networks: + - 192.168.112.0/24 + - 10.0.112.0/24 + - 10.1.112.0/24 + - 192.168.63.0/24 + fs_encrypted: false + +# --- +# Samba / NIS +# --- + +samba_server: file-mbr.mbr-bln.netz + +samba_shares: + - name: Arbeitsrechtliches + user: + - anne + - bianca + - birgit.erhardt + - christina.wendt + - chris + - sysadm + - name: Ausschreibungen + user: + - anne + - bianca + - chris + - matthias.mueller + - sysadm + - name: BGN-Finanzen-Personal + user: + - anne + - bianca + - carolin + - christina.wendt + - chris + - sysadm + - ulf.balmer + - name: BVV-Projekt + user: + - alexander.rasumny + - anna.mueller1 + - anne + - benjamin + - bianca + - birgit.erhardt + - bjoern.renkewitz + - carolin + - christina.wendt + - chris + - daniel.poensgen + - doku2 + - doku_4 + - doku_7 + - dorina.feldmann + - franziska + - johannes.radke + - judith.heinmueller + - kristina.holzapfel + - lavinia.schwedersky + - manja.kasten + - mathias + - matthias.mueller + - michael.sulies + - michael.trube + - pia.lamberty + - praktikum + - praktikum_rias + - praktikum2 + - praktikum2_rias + - sabine.kritter + - samuel.signer + - scan + - simon + - sysadm + - ulf.balmer + - name: Finanzen + user: + - anne + - bianca + - birgit.erhardt + - christina.wendt + - chris + - sysadm + - name: Install + user: + - chris + - sysadm + - lokaladmin + - name: Kamera + user: + - anne + - axis + - bianca + - chris + 
- sysadm + - name: MBR + user: + - alexander.rasumny + - anna.mueller1 + - anne + - benjamin + - bianca + - birgit.erhardt + - bjoern.renkewitz + - carolin + - christina.wendt + - chris + - daniel.poensgen + - doku2 + - doku_4 + - doku_7 + - dorina.feldmann + - franziska + - johannes.radke + - judith.heinmueller + - kristina.holzapfel + - lavinia.schwedersky + - manja.kasten + - mathias + - matthias.mueller + - michael.sulies + - michael.trube + - pia.lamberty + - praktikum + - praktikum_rias + - praktikum2 + - praktikum2_rias + - sabine.kritter + - samuel.signer + - scan + - simon + - sysadm + - ulf.balmer + - name: Mobilisierungsplattform + user: + - alexander.rasumny + - anna.mueller1 + - anne + - benjamin + - bianca + - birgit.erhardt + - bjoern.renkewitz + - carolin + - christina.wendt + - chris + - daniel.poensgen + - doku2 + - doku_4 + - doku_7 + - dorina.feldmann + - franziska + - johannes.radke + - judith.heinmueller + - kristina.holzapfel + - lavinia.schwedersky + - manja.kasten + - mathias + - matthias.mueller + - michael.sulies + - michael.trube + - pia.lamberty + - praktikum + - praktikum_rias + - praktikum2 + - praktikum2_rias + - sabine.kritter + - samuel.signer + - scan + - simon + - sysadm + - ulf.balmer + - name: RIAS + user: + - alexander.rasumny + - anna.mueller1 + - anne + - benjamin + - bianca + - birgit.erhardt + - bjoern.renkewitz + - carolin + - christina.wendt + - chris + - daniel.poensgen + - doku2 + - doku_4 + - doku_7 + - dorina.feldmann + - franziska + - johannes.radke + - judith.heinmueller + - kristina.holzapfel + - lavinia.schwedersky + - manja.kasten + - mathias + - matthias.mueller + - michael.sulies + - michael.trube + - pia.lamberty + - praktikum + - praktikum_rias + - praktikum2 + - praktikum2_rias + - sabine.kritter + - samuel.signer + - scan + - simon + - sysadm + - ulf.balmer + - name: RIAS-Finanzen-Personal + user: + - anne + - bianca + - benjamin + - birgit.erhardt + - christina.wendt + - chris + - sysadm + - name: SCAN + 
user: + - alexander.rasumny + - anna.mueller1 + - anne + - benjamin + - bianca + - birgit.erhardt + - bjoern.renkewitz + - carolin + - christina.wendt + - chris + - daniel.poensgen + - doku2 + - doku_4 + - doku_7 + - dorina.feldmann + - franziska + - johannes.radke + - judith.heinmueller + - kristina.holzapfel + - lavinia.schwedersky + - manja.kasten + - mathias + - matthias.mueller + - michael.sulies + - michael.trube + - pia.lamberty + - praktikum + - praktikum_rias + - praktikum2 + - praktikum2_rias + - sabine.kritter + - samuel.signer + - scan + - simon + - sysadm + - ulf.balmer + - name: VDK + user: + - alexander.rasumny + - anna.mueller1 + - anne + - benjamin + - bianca + - birgit.erhardt + - bjoern.renkewitz + - carolin + - christina.wendt + - chris + - daniel.poensgen + - doku2 + - doku_4 + - doku_7 + - dorina.feldmann + - franziska + - johannes.radke + - judith.heinmueller + - kristina.holzapfel + - lavinia.schwedersky + - manja.kasten + - mathias + - matthias.mueller + - michael.sulies + - michael.trube + - pia.lamberty + - praktikum + - praktikum_rias + - praktikum2 + - praktikum2_rias + - sabine.kritter + - samuel.signer + - scan + - simon + - sysadm + - ulf.balmer + - name: Video + user: + - alexander.rasumny + - anna.mueller1 + - anne + - benjamin + - bianca + - birgit.erhardt + - bjoern.renkewitz + - carolin + - christina.wendt + - chris + - daniel.poensgen + - doku2 + - doku_4 + - doku_7 + - dorina.feldmann + - franziska + - johannes.radke + - judith.heinmueller + - kristina.holzapfel + - lavinia.schwedersky + - manja.kasten + - mathias + - matthias.mueller + - michael.sulies + - michael.trube + - pia.lamberty + - praktikum + - praktikum_rias + - praktikum2 + - praktikum2_rias + - sabine.kritter + - samuel.signer + - scan + - simon + - sysadm + - ulf.balmer + +nis_domain: mbr-bln.netz +#nis_domain: local.netz + +nis_server_address: 192.168.112.10 + +nis_server_name: file-mbr.mbr-bln.netz +#nis_server_name: luna.local.netz + +nis_common_packages: + - 
nis + - nscd + +nis_deleted_user: [] + + +nis_base_home: /data/home + +nis_groups: + - name: mbr-buero + group_id: 1200 + - name: mbr-finanzen + group_id: 1210 + - name: mbr-personal + group_id: 1220 + - name: mbr-kamera + group_id: 1250 + - name: mbr-admins + group_id: 1260 + - name: vdk + group_id: 1300 + - name: rias + group_id: 1400 + - name: rias-finanzen-personal + group_id: 1410 + - name: bgn + group_id: 1500 + - name: bgn-finanzen-personal + group_id: 1510 + +nis_user: + - name: chris + groups: + - mbr-buero + - mbr-finanzen + - mbr-personal + - mbr-kamera + - mbr-admins + - vdk + - rias + - rias-finanzen-personal + - bgn + - bgn-finanzen-personal + is_samba_user: true + password: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 38643435653764393333613564393733666139656264343833333632373938323230393036303234 + 3633303562636465643930643961663165646237386664370a386362346162313037353163383365 + 61343263386239316164613935633062343165363863376462653165306464633136313839343962 + 3865353333373661390a643564386432643532396632323664383330646430613033643130626430 + 6139 + - name: lokaladmin + groups: + - mbr-buero + - mbr-finanzen + - mbr-personal + - mbr-kamera + - mbr-admins + - vdk + - rias + - rias-finanzen-personal + - bgn + - bgn-finanzen-personal + is_samba_user: true + password: 'd4r1usz' + - name: sysadm + groups: + - mbr-buero + - mbr-finanzen + - mbr-personal + - mbr-kamera + - mbr-admins + - vdk + - rias + - rias-finanzen-personal + - bgn + - bgn-finanzen-personal + is_samba_user: true + password: 'KPk_Wf2F' + - name: alexander.rasumny + groups: + - mbr-buero + is_samba_user: true + password: 'twT9Rjbv9mjq' + - name: anna.mueller1 + groups: + - mbr-buero + is_samba_user: true + password: '5xp5ll9ar13us!' 
+ + + +# --- +# vars used by roles/ansible_dependencies +# --- + +apt_ansible_dependencies: + - python + - python-apt + - python3 + - python3-apt + - lsb-release + - apt-transport-https + - dbus + - sudo + - vim + - net-tools + - vlan + + +# --- +# vars used by roles/ansible_user +# --- + +ssh_keys_admin: + - 'ssh-rsa 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 chris@luna' + - 'ssh-rsa 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 root@luna' + +ansible_remote_user: + - name: lokaladmin + password: $6$KLQUDbiw$qvsGUndXr2G3DxhML6maD/nsJtXfElSLQ7ufkMuJu2vACbYX7kqNXdiU17oX6CyN5L1xARZ.TiES/w7zfh0Cu/ + shell: /bin/bash + + + +# --- +# vars used by roles/common/tasks/basic.yml +# --- + +time_zone: Europe/Berlin + +locales: + - en_US.UTF-8 + - de_DE.UTF-8 + +set_default_limit_nofile: false + + +# --- +# vars used by roles/common/tasks/sudoers.yml +# --- + +sudo_users: + - lokaladmin + - chris + - sysadm + - localadmin + + +# /etc/sudoers +# +sudoers_defaults: + - env_reset + - mail_badpass + - 'secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"' + +sudoers_host_aliases: [] + +sudoers_user_aliases: [] + +sudoers_cmnd_aliases: [] + +sudoers_runas_aliases: [] + +sudoers_user_privileges: + - name: root + entry: 'ALL=(ALL:ALL) ALL' + +sudoers_group_privileges: [] + + + +# /etc/sudoers.d/50-user +# +sudoers_file_defaults: [] + +sudoers_file_host_aliases: [] + +sudoers_file_user_aliases: [] + +sudoers_file_cmnd_aliases: + - name: MOUNT + entry: '/bin/mount,/bin/umount' + +sudoers_file_runas_aliases: [] + diff --git a/group_vars/all/main.yml.BAK b/group_vars/all/main.yml.BAK new file mode 100644 index 0000000..09e5284 --- /dev/null +++ b/group_vars/all/main.yml.BAK 
@@ -0,0 +1,753 @@ +--- + +# --- +# NFS +# --- + +nfs_server: 192.168.112.10 + +# Set 'fs_encrypted' to true if filesystem lives on an encrypted +# partition. +# +nfs_exports: + - src: 192.168.112.10:/data/home + path: /data/home + mount_opts: users,rsize=8192,wsize=8192,hard,intr + export_opt: rw,root_squash,sync,subtree_check + export_networks: + - 192.168.112.0/24 + - 10.0.112.0/24 + - 10.1.112.0/24 + - 192.168.63.0/24 + fs_encrypted: false + + - src: 192.168.112.10:/data/shares + path: /data/home + mount_opts: users,rsize=8192,wsize=8192,hard,intr + export_opt: rw,root_squash,sync,subtree_check + export_networks: + - 192.168.112.0/24 + - 10.0.112.0/24 + - 10.1.112.0/24 + - 192.168.63.0/24 + fs_encrypted: false + +# --- +# Samba / NIS +# --- + +samba_server: file-mbr.mbr-bln.netz + +samba_shares: + - name: Arbeitsrechtliches + user: + - anne + - bianca + - birgit.erhardt + - christina.wendt + - chris + - sysadm + - name: Ausschreibungen + user: + - anne + - bianca + - chris + - matthias.mueller + - sysadm + - name: BGN-Finanzen-Personal + user: + - anne + - bianca + - carolin + - christina.wendt + - chris + - sysadm + - ulf.balmer + - name: BVV-Projekt + user: + - alexander.rasumny + - anna.mueller1 + - anne + - benjamin + - bianca + - birgit.erhardt + - bjoern.renkewitz + - carolin + - christina.wendt + - chris + - daniel.poensgen + - doku2 + - doku_4 + - doku_7 + - dorina.feldmann + - franziska + - johannes.radke + - judith.heinmueller + - kristina.holzapfel + - lavinia.schwedersky + - manja.kasten + - mathias + - matthias.mueller + - michael.sulies + - michael.trube + - pia.lamberty + - praktikum + - praktikum_rias + - praktikum2 + - praktikum2_rias + - sabine.kritter + - samuel.signer + - scan + - simon + - sysadm + - ulf.balmer + - name: Finanzen + user: + - anne + - bianca + - birgit.erhardt + - christina.wendt + - chris + - sysadm + - name: Install + user: + - chris + - sysadm + - lokaladmin + - name: Kamera + user: + - anne + - axis + - bianca + - chris + 
- sysadm + - name: MBR + user: + - alexander.rasumny + - anna.mueller1 + - anne + - benjamin + - bianca + - birgit.erhardt + - bjoern.renkewitz + - carolin + - christina.wendt + - chris + - daniel.poensgen + - doku2 + - doku_4 + - doku_7 + - dorina.feldmann + - franziska + - johannes.radke + - judith.heinmueller + - kristina.holzapfel + - lavinia.schwedersky + - manja.kasten + - mathias + - matthias.mueller + - michael.sulies + - michael.trube + - pia.lamberty + - praktikum + - praktikum_rias + - praktikum2 + - praktikum2_rias + - sabine.kritter + - samuel.signer + - scan + - simon + - sysadm + - ulf.balmer + - name: Mobilisierungsplattform + user: + - alexander.rasumny + - anna.mueller1 + - anne + - benjamin + - bianca + - birgit.erhardt + - bjoern.renkewitz + - carolin + - christina.wendt + - chris + - daniel.poensgen + - doku2 + - doku_4 + - doku_7 + - dorina.feldmann + - franziska + - johannes.radke + - judith.heinmueller + - kristina.holzapfel + - lavinia.schwedersky + - manja.kasten + - mathias + - matthias.mueller + - michael.sulies + - michael.trube + - pia.lamberty + - praktikum + - praktikum_rias + - praktikum2 + - praktikum2_rias + - sabine.kritter + - samuel.signer + - scan + - simon + - sysadm + - ulf.balmer + - name: RIAS + user: + - alexander.rasumny + - anna.mueller1 + - anne + - benjamin + - bianca + - birgit.erhardt + - bjoern.renkewitz + - carolin + - christina.wendt + - chris + - daniel.poensgen + - doku2 + - doku_4 + - doku_7 + - dorina.feldmann + - franziska + - johannes.radke + - judith.heinmueller + - kristina.holzapfel + - lavinia.schwedersky + - manja.kasten + - mathias + - matthias.mueller + - michael.sulies + - michael.trube + - pia.lamberty + - praktikum + - praktikum_rias + - praktikum2 + - praktikum2_rias + - sabine.kritter + - samuel.signer + - scan + - simon + - sysadm + - ulf.balmer + - name: RIAS-Finanzen-Personal + user: + - anne + - bianca + - benjamin + - birgit.erhardt + - christina.wendt + - chris + - sysadm + - name: SCAN + 
user: + - alexander.rasumny + - anna.mueller1 + - anne + - benjamin + - bianca + - birgit.erhardt + - bjoern.renkewitz + - carolin + - christina.wendt + - chris + - daniel.poensgen + - doku2 + - doku_4 + - doku_7 + - dorina.feldmann + - franziska + - johannes.radke + - judith.heinmueller + - kristina.holzapfel + - lavinia.schwedersky + - manja.kasten + - mathias + - matthias.mueller + - michael.sulies + - michael.trube + - pia.lamberty + - praktikum + - praktikum_rias + - praktikum2 + - praktikum2_rias + - sabine.kritter + - samuel.signer + - scan + - simon + - sysadm + - ulf.balmer + - name: VDK + user: + - alexander.rasumny + - anna.mueller1 + - anne + - benjamin + - bianca + - birgit.erhardt + - bjoern.renkewitz + - carolin + - christina.wendt + - chris + - daniel.poensgen + - doku2 + - doku_4 + - doku_7 + - dorina.feldmann + - franziska + - johannes.radke + - judith.heinmueller + - kristina.holzapfel + - lavinia.schwedersky + - manja.kasten + - mathias + - matthias.mueller + - michael.sulies + - michael.trube + - pia.lamberty + - praktikum + - praktikum_rias + - praktikum2 + - praktikum2_rias + - sabine.kritter + - samuel.signer + - scan + - simon + - sysadm + - ulf.balmer + - name: Video + user: + - alexander.rasumny + - anna.mueller1 + - anne + - benjamin + - bianca + - birgit.erhardt + - bjoern.renkewitz + - carolin + - christina.wendt + - chris + - daniel.poensgen + - doku2 + - doku_4 + - doku_7 + - dorina.feldmann + - franziska + - johannes.radke + - judith.heinmueller + - kristina.holzapfel + - lavinia.schwedersky + - manja.kasten + - mathias + - matthias.mueller + - michael.sulies + - michael.trube + - pia.lamberty + - praktikum + - praktikum_rias + - praktikum2 + - praktikum2_rias + - sabine.kritter + - samuel.signer + - scan + - simon + - sysadm + - ulf.balmer + +nis_domain: mbr-bln.netz +#nis_domain: local.netz + +nis_server_address: 192.168.112.10 + +nis_server_name: file-mbr.mbr-bln.netz +#nis_server_name: luna.local.netz + +nis_common_packages: + - 
nis + - nscd + +nis_deleted_user: [] + + +nis_base_home: /data/home + +nis_groups: + - name: mbr-buero + group_id: 1200 + - name: mbr-finanzen + group_id: 1210 + - name: mbr-personal + group_id: 1220 + - name: mbr-kamera + group_id: 1250 + - name: mbr-admins + group_id: 1260 + - name: vdk + group_id: 1300 + - name: rias + group_id: 1400 + - name: rias-finanzen-personal + group_id: 1410 + - name: bgn + group_id: 1500 + - name: bgn-finanzen-personal + group_id: 1510 + +nis_user: + - name: chris + groups: + - mbr-buero + - mbr-finanzen + - mbr-personal + - mbr-kamera + - mbr-admins + - vdk + - rias + - rias-finanzen-personal + - bgn + - bgn-finanzen-personal + is_samba_user: true + password: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 38643435653764393333613564393733666139656264343833333632373938323230393036303234 + 3633303562636465643930643961663165646237386664370a386362346162313037353163383365 + 61343263386239316164613935633062343165363863376462653165306464633136313839343962 + 3865353333373661390a643564386432643532396632323664383330646430613033643130626430 + 6139 + - name: lokaladmin + groups: + - mbr-buero + - mbr-finanzen + - mbr-personal + - mbr-kamera + - mbr-admins + - vdk + - rias + - rias-finanzen-personal + - bgn + - bgn-finanzen-personal + is_samba_user: true + password: 'd4r1usz' + - name: sysadm + groups: + - mbr-buero + - mbr-finanzen + - mbr-personal + - mbr-kamera + - mbr-admins + - vdk + - rias + - rias-finanzen-personal + - bgn + - bgn-finanzen-personal + is_samba_user: true + password: 'KPk_Wf2F' + - name: alexander.rasumny + groups: + - mbr-buero + is_samba_user: true + password: 'twT9Rjbv9mjq' + - name: anna.mueller1 + groups: + - mbr-buero + is_samba_user: true + password: '5xp5ll9ar13us!' 
+ - name: anne + groups: + - mbr-buero + - mbr-finanzen + - mbr-personal + - mbr-kamera + - mbr-admins + - vdk + - rias + - rias-finanzen-personal + - bgn + - bgn-finanzen-personal + is_samba_user: true + password: 'YA!LiLiC0MP5' + - name: benjamin + groups: + - mbr-buero + - vdk + - rias + - rias-finanzen-personal + is_samba_user: true + password: 'C2-0U#ch' + - name: bianca + groups: + - mbr-buero + - mbr-finanzen + - mbr-personal + - mbr-kamera + - mbr-admins + - vdk + - rias + - rias-finanzen-personal + - bgn + - bgn-finanzen-personal + is_samba_user: true + password: '73_BiBole_29' + - name: birgit.erhardt + groups: + - mbr-buero + - mbr-finanzen + - vdk + is_samba_user: true + password: '20_purpel!rain_17' + - name: bjoern.renkewitz + groups: + - mbr-buero + is_samba_user: true + password: 'Tz9-Wq-51' + - name: carolin + groups: + - mbr-buero + - bgn-finanzen-personal + is_samba_user: true + password: '20_carol1n_14' + - name: christina.wendt + groups: + - mbr-buero + - mbr-finanzen + - vdk + - rias-finanzen-personal + - bgn-finanzen-personal + is_samba_user: true + password: '8!Varianten' + - name: daniel.poensgen + groups: + - mbr-buero + is_samba_user: true + password: 'rcMRCm7jcpbp' + - name: doku_4 + groups: + - mbr-buero + is_samba_user: true + password: 'PwmNvPh9KM4T' + - name: + groups: doku_7 + - mbr-buero + is_samba_user: true + password: 'TFhCW9J4Vn4F' + - name: dorina.feldmann + groups: + - mbr-buero + is_samba_user: true + password: '17?4XPQ_!abc' + - name: franziska + groups: + - mbr-buero + is_samba_user: true + password: 'f49mCjbj3Jh7' + - name: frederick.kannenberg + groups: + - mbr-buero + is_samba_user: true + password: 'riasFK2019!#' + - name: doku2 + groups: + - mbr-buero + is_samba_user: true + password: '*M0ss4d*' + - name: johannes.radke + groups: + - mbr-buero + is_samba_user: true + password: 'Furzf4brik!' + - name: judith.heinmueller + groups: + - mbr-buero + is_samba_user: true + password: 't32_aHxV.' 
+ - name: kristina.holzapfel + groups: + - mbr-buero + is_samba_user: true + password: 'c7PvX_39.' + - name: lavinia.schwedersky + groups: + - mbr-buero + is_samba_user: true + password: 'xJw.3R9vKf/N' + - name: + groups: manja.kasten + - mbr-buero + is_samba_user: true + password: 'Rasili_&n' + - name: mathias + groups: + - mbr-buero + is_samba_user: true + password: 'p3r*45p3r4*4d*45tr4m' + - name: matthias.mueller + groups: + - mbr-buero + - mbr-personal + is_samba_user: true + password: 'V1v@H@f3rdr1nk' + - name: michael.sulies + groups: + - mbr-buero + is_samba_user: true + password: 'Cryst4lp4l4c3' + - name: michael.trube + groups: + - mbr-buero + - mbr-kamera + is_samba_user: true + password: '*R13sl1ng*' + - name: pia.lamberty + groups: + - mbr-buero + is_samba_user: true + password: 'oasd31*as+Q%' + - name: praktikum + groups: + - mbr-buero + is_samba_user: true + password: '_F313r4b3nd*' + - name: praktikum_rias + groups: + - mbr-buero + is_samba_user: true + password: '7z7F%d3cv_dfjz' + - name: praktikum2 + groups: + - mbr-buero + is_samba_user: true + password: '20praktikum213' + - name: praktikum2_rias + groups: + - mbr-buero + is_samba_user: true + password: 'ctnrk3CczcJ9' + - name: sabine.kritter + groups: + - mbr-buero + is_samba_user: true + password: '#17_abc_?!' + - name: samuel.signer + groups: + - mbr-buero + is_samba_user: true + password: 'S4mmyC0mput3r!' + - name: scan + groups: + - mbr-buero + is_samba_user: true + password: '20scan13' + - name: simon + groups: + - mbr-buero + is_samba_user: true + password: 'S4u3rkr4ut!' 
+ - name: ulf.balmer + groups: + - mbr-buero + - bgn + - bgn-finanzen-personal + is_samba_user: true + password: 'ALL3_e6ene#' + + + +# --- +# vars used by roles/ansible_dependencies +# --- + +apt_ansible_dependencies: + - python + - python-apt + - python3 + - python3-apt + - lsb-release + - apt-transport-https + - dbus + - sudo + - vim + - net-tools + - vlan + + +# --- +# vars used by roles/ansible_user +# --- + +ssh_keys_admin: + - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC5IhVprsvVOcFPbZzD9xR0nCjZ/9qVG6RhLJ7QBSts81nRvLwnmvcMBHSf5Rfaigey7Ff5dLHfJnxRE0KDATn6n2yd/5mXpn2GAA8hDVfhdsmsb5U7bROjZNr8MmIUrP7c3msUGx1FtvzhwxtyvIWOFQpWx+W5biBa6hFjIxT1pkUJqe6fclp7xbGYKZiqZRBS4qKG5CpKnisuOYDsqYPND+OkU+PShoxGVzp1JywIVze7qeKv6GyYbRA9SP9Np+5Mit6B21Io4zOI81c2Rz6sPX7mwEAQEs7iCm2hzG8qJws45Lb4ERqDkVEVhGNUyHjHgGebS1sZx1mLExdurXlPm1l/EamkncDFDCutHXtLP7lsFFiym7fKUjSEgiiLmyu5Xm+mwZvesKa1FYNaeiFWfYZpCJrNzIk+ffs+mgg3kmL4Sd4Ooy7jXPX+WJe5Xyh1KLU/+Wj2TVrhN+LbmupYAti/Wgd3DA1v601svmG82aLmyJRtKC0rGMePH3kDbtqU72kYpzI8mXERe1TIQ00Z77kQBR/7BF/9y5/0YmYDcXt1wNCoSie+mzz3xYcEdLAc7T+DhYpd4M6VgWnuz/exzRzhQwoSdEKkEED8CpEoBrEWEiMdrlElGmlkVomLU7P9i9j1rshX/pAq0asnqeSoPdC3vNbU3keiJQnhIHECvw== chris@luna' + - 'ssh-rsa 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 root@luna' + +ansible_remote_user: + - name: lokaladmin + password: $6$KLQUDbiw$qvsGUndXr2G3DxhML6maD/nsJtXfElSLQ7ufkMuJu2vACbYX7kqNXdiU17oX6CyN5L1xARZ.TiES/w7zfh0Cu/ + shell: /bin/bash + + + +# --- +# vars used by roles/common/tasks/basic.yml +# --- + +time_zone: Europe/Berlin + +locales: + - en_US.UTF-8 + - de_DE.UTF-8 + +set_default_limit_nofile: false + + +# --- +# vars used by roles/common/tasks/sudoers.yml +# --- + +sudo_users: + - lokaladmin + - chris + - sysadm + - localadmin + + +# /etc/sudoers +# +sudoers_defaults: + - env_reset + - mail_badpass + - 'secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"' + +sudoers_host_aliases: [] + +sudoers_user_aliases: [] + +sudoers_cmnd_aliases: [] + +sudoers_runas_aliases: [] 
+
+sudoers_user_privileges:
+ - name: root
+ entry: 'ALL=(ALL:ALL) ALL'
+
+sudoers_group_privileges: []
+
+
+
+# /etc/sudoers.d/50-user
+#
+sudoers_file_defaults: []
+
+sudoers_file_host_aliases: []
+
+sudoers_file_user_aliases: []
+
+sudoers_file_cmnd_aliases:
+ - name: MOUNT
+ entry: '/bin/mount,/bin/umount'
+
+sudoers_file_runas_aliases: []
+
diff --git a/host_vars/file-mbr.mbr-bln.netz.yml b/host_vars/file-mbr.mbr-bln.netz.yml
new file mode 100644
index 0000000..165337e
--- /dev/null
+++ b/host_vars/file-mbr.mbr-bln.netz.yml
@@ -0,0 +1,3 @@
+---
+
+ansible_python_interpreter: /usr/bin/python3
diff --git a/hosts b/hosts
new file mode 100644
index 0000000..37173dc
--- /dev/null
+++ b/hosts
@@ -0,0 +1,21 @@
+
+[initial_setup]
+file-mbr.mbr-bln.netz ansible_user=root
+
+[client_pc]
+
+[nfs_client]
+
+[nis_client]
+
+[file_server]
+file-mbr.mbr-bln.netz ansible_user=root
+
+[nfs_server]
+file-mbr.mbr-bln.netz ansible_user=root
+
+[nis_server]
+file-mbr.mbr-bln.netz ansible_user=root
+
+[samba_server]
+#file-mbr.mbr-bln.netz ansible_user=root
diff --git a/initialize-ansible.yml b/initialize-ansible.yml
new file mode 100644
index 0000000..c3a46f3
--- /dev/null
+++ b/initialize-ansible.yml
@@ -0,0 +1,16 @@
+---
+
+- hosts: initial_setup
+ #remote_user: root
+ #become: false
+ gather_facts: false
+
+# vars_prompt:
+#
+# - name: ansible_ssh_pass
+# prompt: "Give root's password here"
+
+
+ roles:
+ - ansible_dependencies
+ - ansible_user
diff --git a/mbr-bln_the_vault.sh b/mbr-bln_the_vault.sh
new file mode 100755
index 0000000..b171d95
--- /dev/null
+++ b/mbr-bln_the_vault.sh
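Review bot: Every `nis_user` entry except `chris` carries its Samba/NIS password as a cleartext `password:` literal, and this `.BAK` copy of the group vars commits them a second time, so they stay readable in git history even after the live file is cleaned up; encrypt each value with `ansible-vault encrypt_string` the way the `chris` entry does, remove the backup from the repository and ignore `*.BAK`. Two entries also look malformed: `- name:` followed by `groups: doku_7` and `- name:` followed by `groups: manja.kasten` put the user name under `groups` and leave `name` empty, which presumably fails to parse or creates a nameless user. Both `nfs_exports` items set `path: /data/home` although the second `src` is `192.168.112.10:/data/shares`, so the second mount presumably should read `path: /data/shares`. `sudo_users` lists both `lokaladmin` and `localadmin`; if the second is a typo it grants nothing, and if it is intended there is no such account in `nis_user` or `ansible_remote_user`.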
@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+
+echoerr() { echo "$@" 1>&2; }
+
+PWFILE="$HOME/.private/ansible/ansible-mbr-vault-passphrase"
+
+if test ! -f "$PWFILE"
+then
+ echoerr "File doesn't exist!"
+ exit 1
+fi
+
+perm=$(/bin/ls -l "$PWFILE" | awk '{print $1}')
+owner=$(/bin/ls -l "$PWFILE" | awk '{print $3}')
+group=$(/bin/ls -l "$PWFILE" | awk '{print $4}')
+#not everyone is using debian based foo. get primary group of user and test file group permission against it
+pgroup=$(id -gn)
+
+if [[ "$perm" != "-rw-------" ]] && [[ "$perm" != "-r--------" ]]
+then
+ echoerr "Wrong permissions!"
+ exit 1
+fi
+
+if test "$USER" != "$owner"
+then
+ echoerr "Wrong owner!"
+ exit 1
+fi
+
+if test "$pgroup" != "$group"
+then
+ echoerr "Wrong group!"
+ exit 1
+fi
+
+cat "$PWFILE"
+exit 0
diff --git a/poweroff-clients.yml b/poweroff-clients.yml
new file mode 100644
index 0000000..0056775
--- /dev/null
+++ b/poweroff-clients.yml
@@ -0,0 +1,10 @@
+---
+
+- hosts: client_pc
+ gather_facts: false
+
+ tasks:
+ - name: Power off client pcs
+ command: "/sbin/shutdown -h +1 >/dev/null 2>&1 &"
+
+
diff --git a/roles/ansible_dependencies/tasks/main.yml b/roles/ansible_dependencies/tasks/main.yml
new file mode 100644
index 0000000..749fd65
--- /dev/null
+++ b/roles/ansible_dependencies/tasks/main.yml
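Review bot: The ownership and mode checks parse `ls -l`, which rejects a correctly protected file as soon as it carries an ACL or security label (`ls` prints `-rw-------+` or `-rw-------.`), and `$USER` is not guaranteed to be set when the script runs from `sudo` or cron, so the owner test can fail for the right user. `stat` gives the fields directly: `read -r perm owner group < <(stat -c '%a %U %G' "$PWFILE")`, then `[[ "$perm" == 600 || "$perm" == 400 ]]` and `test "$(id -un)" != "$owner"`. `set -euo pipefail` at the top would make a failing command substitution explicit instead of surfacing as a misleading `Wrong permissions!`.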
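Review bot: The `command` module does not invoke a shell, so in `command: "/sbin/shutdown -h +1 >/dev/null 2>&1 &"` the tokens `>/dev/null`, `2>&1` and `&` are handed to `shutdown` as literal arguments and the task most likely fails instead of scheduling the power-off. Since `shutdown` with a delay returns on its own, the redirection and background operator are unnecessary: `command: /sbin/shutdown -h +1`; if the redirection is really wanted, the task must use `shell:`.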
@@ -0,0 +1,35 @@
+---
+
+- name: re-synchronize the package index files from their sources
+ raw: apt-get update
+
+- name: Ensure aptitude is present
+ raw: test -e /usr/bin/aptitude || apt-get install aptitude -y
+
+- name: Ensure python2 is present (This is necessary for ansible to work properly)
+ raw: test -e /usr/bin/python2 || (apt -y update && apt install -y python)
+
+- name: Ensure python-apt is present (This is necessary for ansible to work properly)
+ raw: test -e /usr/bin/python2 && (apt -y update && apt install -y python-apt)
+
+- name: Ensure python3 is present (This is necessary for ansible to work properly)
+ raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3)
+
+- name: Ensure python-apt is present (This is necessary for ansible to work properly)
+ raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3-apt)
+
+- name: apt upgrade
+ apt:
+ upgrade: dist
+ update_cache: true
+ dpkg_options: force-confdef,force-confold
+ tags:
+ - ansible-dependencies
+
+- name: apt install ansible dependencies
+ apt:
+ name: "{{ apt_ansible_dependencies }}"
+ state: latest
+ tags:
+ - ansible-dependencies
+
diff --git a/roles/ansible_user/tasks/main.yml b/roles/ansible_user/tasks/main.yml
new file mode 100644
index 0000000..01de5d3
--- /dev/null
+++ b/roles/ansible_user/tasks/main.yml
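Review bot: The two `python-apt` bootstrap tasks test the wrong thing: `test -e /usr/bin/python2 && (apt -y update && apt install -y python-apt)` runs an update and install on every play as long as python2 exists, and `test -e /usr/bin/python3 || (apt -y update && apt install -y python3-apt)` never installs `python3-apt` once python3 is present, because both guards check the interpreter rather than the package. Test the package's own marker instead, e.g. `raw: test -d /usr/lib/python3/dist-packages/apt || (apt -y update && apt install -y python3-apt)` (and the matching `python/dist-packages/apt` path for python-apt), or drop both tasks and let the final `apt` task handle them, since `apt_ansible_dependencies` already lists both packages. `state: latest` in that final task also upgrades the listed packages on every run, which is an unexpected side effect for a dependency check; `state: present` is the idempotent choice.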
@@ -0,0 +1,48 @@
+---
+
+- name: Ensure remote users for ansible exists
+ user:
+ name: '{{ item.name }}'
+ state: present
+ uid: '{{ item.user_id | default(omit) }}'
+ #group: '{{ item.name | default(omit) }}'
+ shell: '{{ item.shell|d("/bin/bash") }}'
+ password: "{{ item.password }}"
+ update_password: on_create
+ with_items: '{{ ansible_remote_user }}'
+ loop_control:
+ label: ' user "{{ item.name }}" exists'
+ tags:
+ - ansible-remote-user
+
+- name: Ensure ansible user is part of sudo group
+ user:
+ name: "{{ item.name }}"
+ groups: sudo
+ append: yes
+ with_items: "{{ ansible_remote_user }}"
+ loop_control:
+ label: ' user "{{ item.name }}" is part of sudo group'
+ tags:
+ - sudo-users
+
+- name: Ensure authorized_key files are present for ansible user
+ authorized_key:
+ user: "{{ item.name }}"
+ key: "{{ ssh_keys_admin|join('\n') }}"
+ state: present
+ with_items:
+ - '{{ ansible_remote_user }}'
+ loop_control:
+ label: ' authorized_key of user "{{ item.name }}" is present'
+ tags:
+ - authorized_key
+
+- name: Ensure authorized_key files are present for user root
+ authorized_key:
+ user: root
+ key: "{{ ssh_keys_admin|join('\n') }}"
+ state: present
+ tags:
+ - authorized_key
+
diff --git a/roles/common/files/etc/systemd/system/rpcbind.socket.d/override.conf b/roles/common/files/etc/systemd/system/rpcbind.socket.d/override.conf
new file mode 100644
index 0000000..480847b
--- /dev/null
+++ b/roles/common/files/etc/systemd/system/rpcbind.socket.d/override.conf
@@ -0,0 +1,4 @@
+[Unit]
+DefaultDependencies=no
+Wants=rpcbind.target
+Before=rpcbind.target
diff --git a/roles/common/files/etc/systemd/system/systemd-logind.service.d/nis_allow_network.conf b/roles/common/files/etc/systemd/system/systemd-logind.service.d/nis_allow_network.conf
new file mode 100644
index 0000000..20d1465
--- /dev/null
+++ b/roles/common/files/etc/systemd/system/systemd-logind.service.d/nis_allow_network.conf
@@ -0,0 +1,3 @@
+[Service]
+IPAddressAllow=192.168.0.0/16
+
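Review bot: Both `authorized_key` tasks use `state: present` without `exclusive`, so a key removed from `ssh_keys_admin` stays authorized for the ansible user and for root on every host until someone deletes it by hand; since the variable is meant to be the complete admin key list, `exclusive: yes` on both tasks makes removal effective. The first task's `update_password: on_create` deserves a comment, because a rotated hash in `ansible_remote_user` is silently ignored for existing accounts: `# password is applied only when the account is created; rotation needs update_password: always`. A second comment that `password:` must be a crypted hash rather than a plaintext value would spare the next maintainer the same surprise.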
diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml
new file mode 100644
index 0000000..6f0d681
--- /dev/null
+++ b/roles/common/handlers/main.yml
@@ -0,0 +1,26 @@
+---
+
+- name: Renew nis databases
+ shell: make -C /var/yp
+ when:
+ - "groups['nis_server']|string is search(inventory_hostname)"
+
+- name: Reload nfs
+ service:
+ name: nfs-kernel-server
+ state: reloaded
+ enabled: yes
+ when:
+ - "groups['nfs_server']|string is search(inventory_hostname)"
+
+- name: Restart systemd-logind.service
+ service:
+ name: systemd-logind
+ daemon_reload: yes
+ state: restarted
+
+- name: Restart rpcbind
+ service:
+ name: rpcbind
+ daemon_reload: yes
+ state: restarted
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
new file mode 100644
index 0000000..a4d6e2a
--- /dev/null
+++ b/roles/common/tasks/main.yml
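Review bot: `"groups['nis_server']|string is search(inventory_hostname)"` decides group membership by substring search over the stringified host list, so a host whose name is a prefix of another group member (say `file` against `file-mbr.mbr-bln.netz`) is treated as a member and runs server-only tasks; the exact test is `when: inventory_hostname in groups['nis_server']`. The same idiom is used in roles/common/tasks/main.yml, roles/common/tasks/nfs.yml and roles/common/tasks/nis-install-server.yml and should be replaced there as well. `shell: make -C /var/yp` needs no shell features, so `command:` is the safer module for the handler.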
@@ -0,0 +1,64 @@
+---
+
+
+# tags supported inside nfs.yml:
+#
+# nfs-server
+# nfs-client
+- import_tasks: nfs.yml
+ tags:
+ - nfs
+
+# tags supported inside nfs.yml:
+#
+# nis-install-server
+- import_tasks: nis-install-server.yml
+ when: "groups['nis_server']|string is search(inventory_hostname)"
+ tags:
+ - nis-install
+
+# tags supported inside nfs.yml:
+#
+# nis-install-client
+- import_tasks: nis-install-client.yml
+ when: "groups['nis_client']|string is search(inventory_hostname)"
+ tags:
+ - nis-install
+
+# tags supported inside nis_user.yml:
+#
+# nis-user
+# system-user
+- import_tasks: nis_user.yml
+ when: "groups['nis_server']|string is search(inventory_hostname)"
+ tags:
+ - nis-user
+
+# tags supported inside samba_user.yml:
+#
+# samba-user
+- import_tasks: samba_user.yml
+ when: "groups['samba_server']|string is search(inventory_hostname)"
+ tags:
+ - nis-samba-user
+
+- import_tasks: user-systemfiles.yml
+ when: "groups['nis_server']|string is search(inventory_hostname)"
+ tags:
+ - user-systemfiles
+
+# tags supported inside sudoers.yml:
+#
+# sudoers-remove
+# sudoers-file-configuration
+# sudoers-global-configuration
+- import_tasks: sudoers.yml
+ when: "groups['client_pc']|string is search(inventory_hostname)"
+ tags:
+ - sudoers
+
+#- import_tasks: mount_samba_shares.yml
+# when: "groups['client_pc']|string is search(inventory_hostname)"
+# tags:
+# - samba-shares
+
diff --git a/roles/common/tasks/mount_samba_shares.yml b/roles/common/tasks/mount_samba_shares.yml
new file mode 100644
index 0000000..0c5ac8f
--- /dev/null
+++ b/roles/common/tasks/mount_samba_shares.yml
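Review bot: The header comments above the `nis-install-server.yml` and `nis-install-client.yml` imports still read `# tags supported inside nfs.yml:`, copied from the first block, and the `samba_user.yml` header lists `samba-user` while the import itself is tagged `nis-samba-user`. Each header should name the file it documents, e.g. `# tags supported inside nis-install-server.yml:` and `# tags supported inside nis-install-client.yml:`, and the samba block should list the tag the import actually uses. The `user-systemfiles.yml` import is the only one without such a header; adding one keeps the file uniform.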
@@ -0,0 +1,28 @@
+---
+
+
+- name: (mount_samba_shares.yml) Ensure (user separated) base mount directories for samba shares exists
+ file:
+ path: "/mnt/{{ item.name }}"
+ owner: "{{ item.name }}"
+ group: "{{ item.name }}"
+ mode: '0700'
+ state: directory
+ with_items: "{{ nis_user }}"
+ loop_control:
+ label: '{{ item.name }}'
+ when:
+ - item.is_samba_user is defined and item.is_samba_user|bool
+
+- name: (mount_samba_shares.yml) Ensure (user separated) mount directories for samba shares exists
+ file:
+ path: "/mnt/{{ item.1 }}/{{ item.0.name }}"
+ owner: "{{ item.1 }}"
+ group: "{{ item.1 }}"
+ mode: '0770'
+ state: directory
+ with_subelements:
+ - "{{ samba_shares }}"
+ - user
+ loop_control:
+ label: '{{ item.1 }} share: {{ item.0.name }}'
diff --git a/roles/common/tasks/nfs.yml b/roles/common/tasks/nfs.yml
new file mode 100644
index 0000000..00bf1c0
--- /dev/null
+++ b/roles/common/tasks/nfs.yml
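Review bot: The second task creates `/mnt/{{ item.1 }}/{{ item.0.name }}` for every user named in `samba_shares`, but the parent `/mnt/{{ item.name }}` is only created by the first task for `nis_user` entries with `is_samba_user`; for a share user missing from that list the `file` module presumably creates the parent itself with default ownership and mode rather than the intended user-owned `0700`. A `when` on the second task that checks `item.1` against `nis_user | selectattr('is_samba_user', 'defined') | map(attribute='name') | list` would turn that silent mismatch into a visible skip. The file is currently not imported from main.yml (the import is commented out), so the issue is latent for now.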
@@ -0,0 +1,79 @@
+---
+
+# ---
+# NFS Server
+# ---
+
+- name: (nfs.yml) Ensure NFS utilities (server) are installed.
+ apt:
+ name:
+ - nfs-common
+ - nfs-kernel-server
+ state: present
+ when:
+ - ansible_os_family == "Debian"
+ - "groups['nfs_server']|string is search(inventory_hostname)"
+ tags:
+ - nfs-server
+
+- name: (nfs.yml) Ensure directories to export exist
+ file:
+ path: '{{ item.src.split(":")[1] }}'
+ owner: root
+ group: root
+ mode: '0755'
+ state: directory
+ with_items: "{{ nfs_exports }}"
+ loop_control:
+ label: '{{ item.path }}'
+ when:
+ - "groups['nfs_server']|string is search(inventory_hostname)"
+ tags:
+ - nfs-server
+
+- name: (nfs.yml) Copy exports file.
+ template:
+ src: etc/exports.j2
+ dest: /etc/exports
+ owner: root
+ group: root
+ mode: 0644
+ when:
+ - "groups['nfs_server']|string is search(inventory_hostname)"
+ notify: Reload nfs
+ tags:
+ - nfs-server
+
+# ---
+# NFS clients
+# ---
+
+- name: (nfs.yml) Ensure NFS utilities (clients) are installed.
+ apt:
+ pkg: nfs-common
+ state: present
+ when:
+ - ansible_os_family == "Debian"
+ - "groups['nfs_client']|string is search(inventory_hostname)"
+ tags:
+ - nfs-client
+
+- name: (nfs.yml) NFS Mount exports from nfs server
+ mount:
+ path: "{{ item.path }}"
+ src: "{{ item.src }}"
+ fstype: nfs
+ opts: "{{ item.mount_opts }}"
+ dump: "{{ item.dump | default(omit) }}"
+ passno: "{{ item.passno | default(omit) }}"
+ state: mounted
+ loop: "{{ nfs_exports }}"
+ loop_control:
+ label: '{{ item.src }}'
+ when:
+ - "groups['nfs_client']|string is search(inventory_hostname)"
+ tags:
+ - nfs-client
+
+
+
diff --git a/roles/common/tasks/nis-install-client.yml b/roles/common/tasks/nis-install-client.yml
new file mode 100644
index 0000000..2234415
--- /dev/null
+++ b/roles/common/tasks/nis-install-client.yml
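Review bot: `mode: 0644` on the exports template is the only unquoted mode in this file (the directory task writes `mode: '0755'`); YAML 1.1 reads the bare literal as an octal integer, which Ansible accepts, but the mixed form is fragile and is exactly what ansible-lint warns about, so `mode: '0644'` keeps it consistent. In the directory task the `loop_control` label prints `item.path`, the client-side mount point, while the directory actually created is `item.src.split(":")[1]`, so the log names the wrong path; `label: '{{ item.src }}'` as in the mount task would match what the task does.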
@@ -0,0 +1,303 @@
+---
+
+# ---
+# Install nis
+# ---
+
+- name: (nis-install-client.yml) Set (nis) default domain (/etc/defaultdomain)
+ template:
+ dest: /etc/defaultdomain
+ src: etc/defaultdomain.j2
+ owner: root
+ group: root
+ mode: 0644
+ tags:
+ - nis-install
+ - nis-install-client
+
+- name: (nis-install-client.yml) Create preconfigured /etc/yp.conf on nis clients
+ template:
+ dest: /etc/yp.conf
+ src: etc/yp.conf.j2
+ owner: root
+ group: root
+ mode: 0644
+ tags:
+ - nis-install
+ - nis-install-client
+
+- name: (nis-install-client.yml) Install nis common packages
+ package:
+ name: "{{ item }}"
+ state: present
+ with_items: "{{ nis_common_packages }}"
+ tags:
+ - nis-install
+ - nis-install-client
+
+
+# ---
+# /etc/default/nis
+# ---
+
+- name: (nis-install-client.yml) Check if file '/etc/default/nis.ORIG' exists
+ stat:
+ path: /etc/default/nis.ORIG
+ register: default_nis_exists
+ tags:
+ - nis-install
+ - nis-install-client
+
+- name: (nis-install-client.yml) Backup existing file /etc/default/nis
+ command: cp -a /etc/default/nis /etc/default/nis.ORIG
+ when:
+ - default_nis_exists.stat.exists == False
+ tags:
+ - nis-install
+ - nis-install-client
+
+- name: (nis-install-client.yml) Adjust file /etc/default/nis - set 'NISSERVER' (client)
+ replace:
+ path: /etc/default/nis
+ regexp: '^NISSERVER=.*'
+ replace: 'NISSERVER=false'
+ tags:
+ - nis-install
+ - nis-install-client
+
+- name: (nis-install-client.yml) Adjust file /etc/default/nis - set 'NISCLIENT' (client)
+ replace:
+ path: /etc/default/nis
+ regexp: '^NISCLIENT=.*'
+ replace: 'NISCLIENT=true'
+ tags:
+ - nis-install
+ - nis-install-client
+
+
+# ---
+# /etc/{passwd,group,shadow}
+# ---
+
+- name: (nis-install-client.yml) Add '+::::::' to file /etc/passwd
+ lineinfile:
+ path: /etc/passwd
+ line: '+::::::'
+ insertafter: EOF
+ state: present
+ owner: root
+ group: root
+ mode: '0644'
+ when: "ansible_distribution_major_version|int < 18"
+ tags:
+ - nis-install
+ - nis-install-client
+
+- name: (nis-install-client.yml) Add '+:::' to file /etc/group
+ lineinfile:
+ path: /etc/group
+ line: '+:::'
+ insertafter: EOF
+ state: present
+ owner: root
+ group: root
+ mode: '0644'
+ when: "ansible_distribution_major_version|int < 18"
+ tags:
+ - nis-install
+ - nis-install-client
+
+- name: (nis-install-client.yml) Add '+::::::::' to file /etc/shadow
+ lineinfile:
+ path: /etc/shadow
+ line: '+::::::::'
+ insertafter: EOF
+ state: present
+ owner: root
+ group: shadow
+ mode: '0640'
+ when: "ansible_distribution_major_version|int < 18"
+ tags:
+ - nis-install
+ - nis-install-client
+
+
+# ---
+# /etc/hosts
+# ---
+
+- name: (nis-install-client.yml) Check if file '/etc/hosts.ORIG' exists
+ stat:
+ path: /etc/hosts.ORIG
+ register: etc_hosts_orig_exists
+ tags:
+ - nis-install
+ - nis-install-client
+
+- name: (nis-install-client.yml) Backup existing file /etc/hosts
+ command: cp -a /etc/hosts /etc/hosts.ORIG
+ when:
+ - etc_hosts_orig_exists.stat.exists == False
+ tags:
+ - nis-install
+ - nis-install-client
+
+- name: (nis-install-client.yml) Add nis-server to file /etc/hosts
+ lineinfile:
+ path: /etc/hosts
+ line: '{{ nis_server_address }} {{ nis_server_name }} {{ nis_server_name.split(".")[1] }}'
+ insertafter: EOF
+ state: present
+ owner: root
+ group: root
+ mode: '0644'
+ tags:
+ - nis-install
+ - nis-install-client
+
+
+# ---
+# /etc/nsswitch.conf
+# ---
+
+- name: (nis.yml) Check if file '/etc/nsswitch.conf.ORIG' exists
+ stat:
+ path: /etc/nsswitch.conf.ORIG
+ register: nsswitch_conf_orig_exists
+ tags:
+ - nis-install
+ - nis-install-client
+
+- name: (nis.yml) Backup existing file /etc/nsswitch.conf
+ command: cp -a /etc/nsswitch.conf /etc/nsswitch.conf.ORIG
+ when:
+ - nsswitch_conf_orig_exists.stat.exists == False
+ tags:
+ - nis-install
+ - nis-install-client
+
+- name: (nis-install-client.yml) Adjust file /etc/nsswitch.conf (set hosts)
+ replace:
+ path: /etc/nsswitch.conf
+ regexp: '(hosts:\s+files)\s+([^nis].*)'
+ replace: '\1 nis \2'
+ tags:
+ - nis-install
+ - nis-install-client
+
+- name: (nis-install-client.yml) Adjust file /etc/nsswitch.conf (set passwd/group/shadow)
+ replace:
+ path: /etc/nsswitch.conf
+ regexp: '^({{ item }}:\s+.*)'
+ replace: '\1 nis'
+ with_items:
+ - passwd
+ - group
+ - shadow
+ tags:
+ - nis-install
+ - nis-install-client
+
+
+# ---
+# /etc/systemd/system/systemd-logind.service.d/nis_allow_network.conf
+# ---
+
+# - !! Using NIS client in Ubuntu 18.04 crashes both Gnome and Unity !!
+# - ===================================================================
+#
+# - Unter NIS in Ubuntu 18.04 stütrzt Gnome und Unity ab
+# -
+# - Abhilfe schafft:
+# -
+#
+# - Create a new directory in /etc/systemd/system/ named exactly after the
+# - service you want to extend including a '.d', here this would be:
+# - systemd-logind.service.d
+# -
+# - mkdir /etc/systemd/system/systemd-logind.service.d
+#
+# - Create a new file choose_an_appropriate_name.conf (e.g. nis_allow_network.conf)
+# - inside the newly created directory with the following content, which specifies
+# - the IP or IP range you want to be allowed:
+# -
+# - cat < /etc/systemd/system/systemd-logind.service.d/nis_allow_network.conf
+# - [Service]
+# - IPAddressAllow=192.168.0.0/16
+# - EOF
+# -
+# - systemctl daemon-reload
+# - systemctl restart systemd-logind.service
+
+- name: (nis-install-client.yml) Ensure directory /etc/systemd/system/systemd-logind.service.d exists
+ file:
+ path: /etc/systemd/system/systemd-logind.service.d
+ owner: root
+ group: root
+ mode: '0755'
+ state: directory
+ when: "ansible_distribution_major_version|int >= 18"
+ tags:
+ - nis-install
+ - nis-install-client
+
+- name: (nis-install-client.yml) Ensure file /files/etc/systemd/system/systemd-logind.service.d/nis_allow_network.conf exists
+ copy:
+ src: "{{ role_path + '/files/etc/systemd/system/systemd-logind.service.d/nis_allow_network.conf' }}"
+ dest: /etc/systemd/system/systemd-logind.service.d/nis_allow_network.conf
+ owner: root
+ group: root
+ mode: '0755'
+ when: "ansible_distribution_major_version|int >= 18"
+ notify:
+ - Restart systemd-logind.service
+ tags:
+ - nis-install
+ - nis-install-client
+
+
+# - Seit Ubuntu 16.04 startet nis vor dem portmapper (rpcbind). Das Starten
+# - schlägt deshalb fehl und nis steht nicht zur Verfügung.
+# -
+# - Abhilfe:
+# -
+# - Run "systemctl edit rpcbind.socket" and add the following:
+# -
+# - [Unit]
+# - DefaultDependencies=no
+# - Wants=rpcbind.target
+# - Before=rpcbind.target
+# -
+# - You can see your changes:
+# - cat /etc/systemd/system/rpcbind.socket.d/override.conf
+
+- name: (nis-install-client.yml) Ensure directory /etc/systemd/system/rpcbind.socket.d exists
+ file:
+ path: /etc/systemd/system/rpcbind.socket.d
+ owner: root
+ group: root
+ mode: '0755'
+ state: directory
+ when: "ansible_distribution_major_version|int >= 16"
+ tags:
+ - nis-install
+ - nis-install-client
+
+- name: (nis-install-client.yml) Ensure file /files/etc/systemd/system/rpcbind.socket.d/override.conf exists
+ copy:
+ src: "{{ role_path + '/files/etc/systemd/system/rpcbind.socket.d/override.conf' }}"
+ dest: /etc/systemd/system/rpcbind.socket.d/override.conf
+ owner: root
+ group: root
+ mode: '0755'
+ when: "ansible_distribution_major_version|int >= 16"
+ notify:
+ - Restart rpcbind
+ tags:
+ - nis-install
+ - nis-install-client
+
+
+# TODO:
+# /etc/systemd/system/systemd-logind.service.d/nis_allow_network.conf
+# /etc/systemd/system/rpcbind.socket.d/override.conf
diff --git a/roles/common/tasks/nis-install-server.yml b/roles/common/tasks/nis-install-server.yml
new file mode 100644
index 0000000..9f9ad72
--- /dev/null
+++ b/roles/common/tasks/nis-install-server.yml
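Review bot: The passwd/group/shadow `replace` task is not idempotent: `regexp: '^({{ item }}:\s+.*)'` matches the line on every run and `replace: '\1 nis'` appends another ` nis` each time, so the entries grow with every play; restricting the match to lines that do not mention nis yet, e.g. `regexp: '^({{ item }}:(?!.*\bnis\b).*)$'`, fixes it. The preceding hosts task has a related flaw: `[^nis]` in `'(hosts:\s+files)\s+([^nis].*)'` is a character class excluding a single `n`, `i` or `s`, not the word, so a line whose next source starts with one of those letters never gets `nis` inserted, and `(?!nis)` is presumably what was meant. Both `copy` tasks for the systemd drop-ins set `mode: '0755'` on plain configuration files that systemd never executes; `mode: '0644'` is sufficient and matches the directory/file split used elsewhere in the role. The two `stat`/`command` tasks in the nsswitch section are still labelled `(nis.yml)` although they live in nis-install-client.yml.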
@@ -0,0 +1,215 @@ +--- + +# --- +# Install nis +# --- + +- name: (nis-install-server.yml) Set (nis) default domain (/etc/defaultdomain) + template: + dest: /etc/defaultdomain + src: etc/defaultdomain.j2 + owner: root + group: root + mode: 0644 + tags: + - nis-install + - nis-install-server + +- name: (nis-install-server.yml) Install nis common packages + package: + name: "{{ item }}" + state: present + with_items: "{{ nis_common_packages }}" + register: nis_installed + tags: + - nis-install + - nis-install-server + + +# --- +# /etc/default/nis +# --- + +- name: (nis-install-server.yml) Check if file '/etc/default/nis.ORIG' exists + stat: + path: /etc/default/nis.ORIG + register: default_nis_exists + tags: + - nis-install + - nis-install-server + +- name: (nis-install-server.yml) Backup existing file /etc/default/nis + command: cp -a /etc/default/nis /etc/default/nis.ORIG + when: + - default_nis_exists.stat.exists == False + tags: + - nis-install + - nis-install-server + +- name: (nis-install-server.yml) Adjust file /etc/default/nis - set 'NISSERVER' (server) + replace: + path: /etc/default/nis + regexp: '^NISSERVER=.*' + replace: 'NISSERVER=master' + tags: + - nis-install + - nis-install-server + +- name: (nis-install-server.yml) Adjust file /etc/default/nis - set 'NISCLIENT' (server) + replace: + path: /etc/default/nis + regexp: '^NISCLIENT=.*' + replace: 'NISCLIENT=false' + tags: + - nis-install + - nis-install-server + + +# --- +# /etc/ypserv.securenets +# --- + +- name: (nis-install-server.yml) Check if file '/etc/ypserv.securenets.ORIG' exists + stat: + path: /etc/ypserv.securenets.ORIG + register: ypserv_securenets_orig_exists + tags: + - nis-install + - nis-install-server + +- name: (nis-install-server.yml) Backup existing file /etc/ypserv.securenets + command: cp -a /etc/ypserv.securenets /etc/ypserv.securenets.ORIG + when: + - ypserv_securenets_orig_exists.stat.exists == False + tags: + - nis-install + - nis-install-server + +- name: 
(nis-install-client.yml) Comment line like '0.0.0.0 ..' to file /etc/ypserv.securenets + replace: + path: /etc/ypserv.securenets + regexp: '^(0.0.0.0\s+.*)' + replace: '#\1' + tags: + - nis-install + - nis-install-client + +- name: (nis-install-server.yml) Add '255.255.0.0 192.168.0.0' to file /etc/ypserv.securenets + lineinfile: + path: /etc/ypserv.securenets + line: '255.255.0.0 192.168.0.0' + insertafter: EOF + state: present + owner: root + group: root + mode: '0644' + tags: + - nis-install + - nis-install-client + +- name: (nis-install-server.yml) Add '255.0.0.0 10.0.0.0' to file /etc/ypserv.securenets + lineinfile: + path: /etc/ypserv.securenets + line: '255.0.0.0 10.0.0.0' + insertafter: EOF + state: present + owner: root + group: root + mode: '0644' + tags: + - nis-install + - nis-install-server + +- name: (nis-install-server.yml) Trigger '/usr/lib/yp/ypinit -m' + shell: printf '\n' | /usr/lib/yp/ypinit -m + when: nis_installed.changed + tags: + - nis-install + - nis-install-server + + +# --- +# Base directory containing users' home directory +# --- + +- name: (nis-install-server.yml) Ensure directoriy 'nis_base_home' (usually /data/home) exists + file: + path: '{{ nis_base_home}}' + owner: root + group: root + mode: '0755' + state: directory + when: + - "groups['nfs_server']|string is search(inventory_hostname)" + tags: + - nis-install + - nis-install-server + + +# --- +# /etc/adduser.conf +# --- + +- name: (nis-install-server.yml) Check if file '/etc/adduser.conf.ORIG exists' + stat: + path: /etc/adduser.conf.ORIG + register: adduser_conf_exists + tags: + - nis-install + - nis-install-server + +- name: (nis-install-server.yml) Backup existing file /etc/adduser.conf + command: cp -a /etc/adduser.conf /etc/adduser.conf.ORIG + when: + - adduser_conf_exists.stat.exists == False + tags: + - nis-install + - nis-install-server + +- name: (nis-install-server.yml) Adjust file '/etc/adduser.conf' - set 'DHOME' + replace: + path: /etc/adduser.conf + regexp: 
'^#?DHOME=.*' + replace: 'DHOME={{ nis_base_home }}' + tags: + - nis-install + - nis-install-server + + +# --- +# /var/yp/Makefile +# --- + +- name: (nis-install-server.yml) Check if file '/var/yp/Makefile.ORIG exists' + stat: + path: /var/yp/Makefile.ORIG + register: adduser_conf_exists + tags: + - nis-install + - nis-install-server + +- name: (nis-install-server.yml) Backup existing file /var/yp/Makefile + command: cp -a /var/yp/Makefile /var/yp/Makefile.ORIG + when: + - adduser_conf_exists.stat.exists == False + tags: + - nis-install + - nis-install-server + +- name: (nis-install-server.yml) Adjust file '/var/yp/Makefile' + replace: + path: /var/yp/Makefile + regexp: '^#?{{ item }}=.*' + replace: '{{ item }}=true' + with_items: + - MERGE_PASSWD + - MERGE_GROUP + notify: + - Renew nis databases + tags: + - nis-install + - nis-install-server + + +# TODO: +# /var/yp/Makefile diff --git a/roles/common/tasks/nis_samba_user.yml b/roles/common/tasks/nis_samba_user.yml new file mode 100644 index 0000000..31fe77b --- /dev/null +++ b/roles/common/tasks/nis_samba_user.yml 
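Review bot: The three /etc/ypserv.securenets tasks (comment out the `0.0.0.0` line, add the two subnet entries) are named `(nis-install-client.yml)` and tagged `nis-install-client` although they live in nis-install-server.yml, so a run limited to `--tags nis-install-server` installs and initialises ypserv but leaves the default wildcard `0.0.0.0` entry in place, i.e. the server keeps answering map requests from any network. Change those tasks to `- nis-install-server` and fix the name prefix. The securenets regexp `'^(0.0.0.0\s+.*)'` has unescaped dots; `'^(0\.0\.0\.0\s+.*)'` matches only the literal wildcard entry. Separately, the /var/yp/Makefile.ORIG check re-registers `adduser_conf_exists`, which only works because the tasks run in order — a distinct name such as `register: yp_makefile_orig_exists` keeps the backup condition honest.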
@@ -0,0 +1,121 @@ +--- + +# --- +# - Remove unwanted users +# --- + +- name: (nis_samba_user.yml) Check if samba user exists for removable nis user + shell: pdbedit -w -L | awk -F":" '{ print $1 }' | grep '{{ item.name }}' + register: samba_deleted_user_present + changed_when: "samba_deleted_user_present.rc == 0" + failed_when: "samba_deleted_user_present.rc > 1" + with_items: + - "{{ nis_deleted_user }}" + loop_control: + label: '{{ item.name }}' + tags: + - samba-user + + +- name: (nis_samba_user.yml) Remove (old) users from samba + shell: "smbpasswd -s -x {{ item.name }}" + with_items: + - "{{ nis_deleted_user }}" + loop_control: + label: '{{ item.name }}' + when: samba_deleted_user_present is changed + tags: + - samba-user + + +- name: (nis_samba_user.yml) Remove (old) users from system + user: + name: '{{ item.name }}' + state: absent + with_items: + - "{{ nis_deleted_user }}" + loop_control: + label: '{{ item.name }}' + tags: + - nis-user + - system-user + +- name: (nis_samba_user.yml) Remove home directory from deleted users + file: + path: '{{ nis_base_home }}/{{ item.name }}' + state: absent + with_items: + - "{{ nis_deleted_user }}" + loop_control: + label: '{{ item.name }}' + tags: + - nis-user + - system-user + +# --- +# - default user/groups +# --- + +- name: (nis_samba_user.yml) Ensure nis groups exists + group: + name: '{{ item.name }}' + state: present + gid: '{{ item.group_id | default(omit) }}' + loop: "{{ nis_groups }}" + loop_control: + label: '{{ item.name }}' + when: item.group_id is defined + notify: Renew nis databases + tags: + - nis-user + - system-user + +#- meta: end_host + +- name: (nis_samba_user.yml) Ensure nis users exists + user: + name: '{{ item.name }}' + state: present + uid: '{{ item.user_id | default(omit) }}' + #group: '{{ item.0.name | default(omit) }}' + groups: "{{ item.groups|join(', ') }}" + home: '{{ nis_base_home }}/{{ item.name }}' + shell: '{{ item.shell|d("/bin/bash") }}' + password: "{{ item.password | 
password_hash('sha512') }}" + update_password: on_create + append: yes + loop: "{{ nis_user }}" + loop_control: + label: '{{ item.name }}' + notify: Renew nis databases + tags: + - nis-user + - system-user + + +- name: (nis_samba_user.yml) Check if samba user exists for nis user + shell: pdbedit -w -L | awk -F":" '{ print $1 }' | grep '{{ item.name }}' + register: samba_nis_user_present + changed_when: "samba_nis_user_present.rc > 0" + failed_when: "samba_nis_user_present.rc > 1" + with_items: + - "{{ nis_user }}" + loop_control: + label: '{{ item.name }}' + when: + - item.is_samba_user is defined and item.is_samba_user|bool + tags: + - samba-user + +- name: (nis_samba_user.yml) Add nis user to samba (with nis users password) + shell: "echo -e '{{ item.password }}\n{{ item.password }}\n' | smbpasswd -s -a {{ item.name }}" + loop: "{{ nis_user }}" + loop_control: + label: '{{ item.name }}' + when: + - item.is_samba_user is defined and item.is_samba_user|bool + - samba_nis_user_present is changed + notify: Renew nis databases + tags: + - samba-user + diff --git a/roles/common/tasks/nis_user.yml b/roles/common/tasks/nis_user.yml new file mode 100644 index 0000000..11a5d67 --- /dev/null +++ b/roles/common/tasks/nis_user.yml 
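Review bot: `when: samba_nis_user_present is changed` on the 'Add nis user to samba' task tests the aggregate result of the whole loop, so as soon as one samba user is missing from `pdbedit`, `smbpasswd -a` runs for every nis user and resets the passwords of the ones that already exist; the 'Remove (old) users from samba' task has the mirror problem (`smbpasswd -x` is run for every deleted user once any one of them is still present, and fails on the absent ones). Loop over the registered `.results` and test each item's own `changed` flag instead, as in the rewrite below. The presence check `grep '{{ item.name }}'` is an unanchored substring match, so a user `ann` is reported present when only `joanna` exists; use `grep -Fx '{{ item.name }}'`. The add task carries the cleartext password on the shell line and in Ansible's task output; add `no_log: true` to it. roles/common/tasks/samba_user.yml repeats all three issues.
```yaml
- name: (nis_samba_user.yml) Add nis user to samba (with nis users password)
  shell: "echo -e '{{ item.item.password }}\n{{ item.item.password }}\n' | smbpasswd -s -a {{ item.item.name }}"
  # iterate the per-user check results so only users actually missing from pdbedit are added
  loop: "{{ samba_nis_user_present.results }}"
  loop_control:
    label: '{{ item.item.name }}'
  when:
    - item is changed
  no_log: true
  notify: Renew nis databases
  # … unchanged: tags …
```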
@@ -0,0 +1,95 @@ +--- + +# --- +# - Remove unwanted users +# --- + +- name: (nis_user.yml) Remove (old) users from system + user: + name: '{{ item.name }}' + state: absent + with_items: + - "{{ nis_deleted_user }}" + loop_control: + label: '{{ item.name }}' + tags: + - nis-user + - system-user + +- name: (nis_user.yml) Remove home directory from deleted users + file: + path: '{{ nis_base_home }}/{{ item.name }}' + state: absent + with_items: + - "{{ nis_deleted_user }}" + loop_control: + label: '{{ item.name }}' + tags: + - nis-user + - system-user + +# --- +# - default user/groups +# --- + +- name: (nis_user.yml) Ensure nis groups exists + group: + name: '{{ item.name }}' + state: present + gid: '{{ item.group_id | default(omit) }}' + loop: "{{ nis_groups }}" + loop_control: + label: '{{ item.name }}' + when: item.group_id is defined + notify: Renew nis databases + tags: + - nis-user + - system-user + +#- meta: end_host + +- name: (nis_user.yml) Check if nis (system) user exists + shell: "getent passwd {{ item.name }}" + register: nis_user_exists + changed_when: "nis_user_exists.rc == 2" + failed_when: "nis_user_exists.rc > 2" + loop: "{{ nis_user }}" + loop_control: + label: '{{ item.name }}' + ignore_errors: true + tags: + - nis-user + - system-user + +- name: (nis_user.yml) Add nis (system) users + shell: "/root/bin/admin-stuff/add_new_user.sh {{ item.name }} '{{ item.password }}'" + loop: "{{ nis_user }}" + loop_control: + label: '{{ item.name }}' + when: nis_user_exists is changed + notify: Renew nis databases + tags: + - nis-user + - system-user + +- name: (nis_user.yml) Ensure nis users exists + user: + name: '{{ item.name }}' + state: present + uid: '{{ item.user_id | default(omit) }}' + #group: '{{ item.0.name | default(omit) }}' + groups: "{{ item.groups|join(', ') }}" + home: '{{ nis_base_home }}/{{ item.name }}' + shell: '{{ item.shell|d("/bin/bash") }}' + password: "{{ item.password | password_hash('sha512') }}" + update_password: on_create + append: 
yes + loop: "{{ nis_user }}" + loop_control: + label: '{{ item.name }}' + notify: Renew nis databases + tags: + - nis-user + - system-user + + diff --git a/roles/common/tasks/samba_user.yml b/roles/common/tasks/samba_user.yml new file mode 100644 index 0000000..22eaf28 --- /dev/null +++ b/roles/common/tasks/samba_user.yml @@ -0,0 +1,60 @@ +--- + +# --- +# - Remove unwanted users +# --- + +- name: (samba_user.yml) Check if samba user exists for removable nis user + shell: pdbedit -w -L | awk -F":" '{ print $1 }' | grep '{{ item.name }}' + register: samba_deleted_user_present + changed_when: "samba_deleted_user_present.rc == 0" + failed_when: "samba_deleted_user_present.rc > 1" + with_items: + - "{{ nis_deleted_user }}" + loop_control: + label: '{{ item.name }}' + tags: + - samba-user + + +- name: (samba_user.yml) Remove (old) users from samba + shell: "smbpasswd -s -x {{ item.name }}" + with_items: + - "{{ nis_deleted_user }}" + loop_control: + label: '{{ item.name }}' + when: samba_deleted_user_present is changed + tags: + - samba-user + + +# --- +# - default user/groups +# --- + +- name: (samba_user.yml) Check if samba user exists for nis user + shell: pdbedit -w -L | awk -F":" '{ print $1 }' | grep '{{ item.name }}' + register: samba_nis_user_present + changed_when: "samba_nis_user_present.rc > 0" + failed_when: "samba_nis_user_present.rc > 1" + with_items: + - "{{ nis_user }}" + loop_control: + label: '{{ item.name }}' + when: + - item.is_samba_user is defined and item.is_samba_user|bool + tags: + - samba-user + +- name: (samba_user.yml) Add nis user to samba (with nis users password) + shell: "echo -e '{{ item.password }}\n{{ item.password }}\n' | smbpasswd -s -a {{ item.name }}" + loop: "{{ nis_user }}" + loop_control: + label: '{{ item.name }}' + when: + - item.is_samba_user is defined and item.is_samba_user|bool + - samba_nis_user_present is changed + notify: Renew nis databases + tags: + - samba-user + 
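Review bot: `when: nis_user_exists is changed` on the 'Add nis (system) users' task tests the loop's aggregate result, so once a single account is missing `/root/bin/admin-stuff/add_new_user.sh` runs for every entry in `nis_user`, including the accounts that already exist; loop over `nis_user_exists.results` with `when: item is changed` and reference `{{ item.item.name }}` / `{{ item.item.password }}`. That script receives the cleartext password as a command-line argument, where it is visible to local users through the process list and is recorded in Ansible's output — add `no_log: true` to the task and consider passing the password on stdin. `ignore_errors: true` on the getent check hides genuine failures although `failed_when: rc > 2` already tolerates the not-found case; drop it. The following `user:` task creates the same accounts with `password_hash('sha512')`, so the script step looks redundant; if it only performs extra home-directory setup, a comment saying so would help the next reader.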
diff --git a/roles/common/tasks/sudoers.yml b/roles/common/tasks/sudoers.yml new file mode 100644 index 0000000..fb277a6 --- /dev/null +++ b/roles/common/tasks/sudoers.yml @@ -0,0 +1,32 @@ +--- + +- name: (sudoers.yml) update specific sudoers configuration files (/etc/sudoers.d/) + template: + src: etc/sudoers.d/50-user.j2 + dest: /etc/sudoers.d/50-user + validate: visudo -cf %s + owner: root + group: root + mode: 0440 + tags: + - sudoers-file-configuration + +- name: (sudoers.yml) update global sudoers configuration file + template: + src: etc/sudoers.j2 + dest: /etc/sudoers + owner: root + group: root + mode: 0440 + validate: visudo -cf %s + tags: + - sudoers-global-configuration + +- name: (sudoers.yml) Ensure all sudo_users are in sudo group + user: + name: "{{ item }}" + groups: sudo + append: yes + with_items: "{{ sudo_users }}" + tags: + - sudo-users diff --git a/roles/common/tasks/user-systemfiles.yml b/roles/common/tasks/user-systemfiles.yml new file mode 100644 index 0000000..8ae8fe2 --- /dev/null +++ b/roles/common/tasks/user-systemfiles.yml 
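Review bot: The 'Ensure all sudo_users are in sudo group' task calls the `user` module without `state`, so a name in `sudo_users` that does not exist on the host is created as a new account with the module's defaults and placed in the sudo group, turning an inventory typo into a new privileged login. If creation is not intended, guard the task (for example run the `getent` module for `database: passwd` first and test `item` against the returned `getent_passwd` fact), or document above the task that creating missing accounts is deliberate. Both template tasks correctly use `validate: visudo -cf %s`.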
@@ -0,0 +1,39 @@ +--- + +- name: (user-systemfiles.yml) Check if users file '.profile.ORIG' exists + stat: + path: "~{{ item.name }}/.profile.ORIG" + register: profile_user_orig_exists + loop: "{{ nis_user }}" + loop_control: + label: '{{ item.name }}' + when: + - item.is_samba_user is defined and item.is_samba_user|bool + tags: + - profile + +- name: (user-systemfiles.yml) Backup existing users .profile file + command: cp -a ~{{ item.item.name }}/.profile ~{{ item.item.name }}/.profile.ORIG + loop: "{{ profile_user_orig_exists.results }}" + loop_control: + label: '{{ item.item.name }}' + when: + - item.is_samba_user is defined and item.is_samba_user|bool + - item.stat.exists == False + tags: + - profile + +- name: (user-systemfiles.yml) Create new users .profile file + template: + src: user_homedirs/dot.profile.j2 + dest: "~{{ item.name }}/.profile" + owner: "{{ item.name }}" + group: "{{ item.name }}" + mode: 0644 + loop: "{{ nis_user }}" + loop_control: + label: '{{ item.name }}' + when: + - item.is_samba_user is defined and item.is_samba_user|bool + tags: + - profile diff --git a/roles/common/templates/etc/defaultdomain.j2 b/roles/common/templates/etc/defaultdomain.j2 new file mode 100644 index 0000000..a016d89 --- /dev/null +++ b/roles/common/templates/etc/defaultdomain.j2 @@ -0,0 +1 @@ +{{ nis_domain }} diff --git a/roles/common/templates/etc/exports.j2 b/roles/common/templates/etc/exports.j2 new file mode 100644 index 0000000..62161dc --- /dev/null +++ b/roles/common/templates/etc/exports.j2 
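Review bot: The 'Backup existing users .profile file' task never runs: it loops over `profile_user_orig_exists.results`, where each element wraps the original entry under `item.item`, so `item.is_samba_user is defined` is always false and the `when` short-circuits. Use `- item.item.is_samba_user is defined and item.item.is_samba_user|bool` and `- item.stat is defined and not item.stat.exists` (the `stat is defined` part is needed because skipped loop items carry no `stat` key). With the backup dead, the following template task overwrites every samba user's `.profile` on each run without keeping a copy. `mode: 0644` is acceptable for the plain dot.profile.j2 variant, but should be revisited if the with_samba_mounts variant is ever rendered, as that one embeds a password.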
@@ -0,0 +1,31 @@ +# {{ ansible_managed }} + +# /etc/exports: the access control list for filesystems which may be exported +# to NFS clients. See exports(5). +# +# Example for NFSv2 and NFSv3: +# /srv/homes hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check) +# +# Example for NFSv4: +# /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check) +# /srv/nfs4/homes gss/krb5i(rw,sync,no_subtree_check) +# + +{% set count = namespace(nfs_exports=100) %} +{% for export in nfs_exports %} + +{% set export_str= namespace(nfs_exports = export.src.split(":")[1]) %} + +{% set count.nfs_exports = count.nfs_exports + 10 %} +{% for network in export.export_networks %} +{% if export.fs_encrypted is defined and export.fs_encrypted is sameas true %} +{% set export_str.nfs_exports = export_str.nfs_exports~" "~network~"("~export.export_opt~",fsid="~count.nfs_exports~")" %} +#{{ export.src.split(":")[1] }} {{ network }}({{ export.export_opt }},fsid={{ count.nfs_exports }}) +{% else %} +{% set export_str.nfs_exports = export_str.nfs_exports~" "~network~"("~export.export_opt~")" %} +#{{ export.src.split(":")[1] }} {{ network }}({{ export.export_opt }}) +{% endif %} +{% endfor %} + +{{ export_str.nfs_exports }} +{% endfor %} diff --git a/roles/common/templates/etc/sudoers.d/50-user.j2 b/roles/common/templates/etc/sudoers.d/50-user.j2 new file mode 100644 index 0000000..ed81711 --- /dev/null +++ b/roles/common/templates/etc/sudoers.d/50-user.j2 
@@ -0,0 +1,34 @@ +# {{ ansible_managed }} + +{% for item in sudoers_file_defaults | default([]) %} +Defaults {{ item }} +{% endfor %} + +# Host alias specification +{% for item in sudoers_file_host_aliases | default([]) %} +Host_Alias {{ item.name }} = {{ item.entry }} +{% endfor %} + +# User alias specification +{% for item in sudoers_file_user_aliases | default([]) %} +User_Alias {{ item.name }} = {{ item.entry }} +{% endfor %} + +# Cmnd alias specification +{% for item in sudoers_file_cmnd_aliases | default([]) %} +Cmnd_Alias {{ item.name }} = {{ item.entry }} +{% endfor %} + +# Runas alias specification +{% for item in sudoers_file_runas_aliases | default([]) %} +Runas_Alias {{ item.name }} = {{ item.entry }} +{% endfor %} + +# User privilege specification + +{# rules for nis users #} +{% for item in nis_user | default([]) %} +{{ item.name }} ALL=(root)NOPASSWD: MOUNT +{% endfor %} + +# Group privilege specification diff --git a/roles/common/templates/etc/sudoers.j2 b/roles/common/templates/etc/sudoers.j2 new file mode 100644 index 0000000..d8ea85b --- /dev/null +++ b/roles/common/templates/etc/sudoers.j2 
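Review bot: `{{ item.name }} ALL=(root)NOPASSWD: MOUNT` is emitted for every entry in `nis_user`, but `MOUNT` is not defined in this template; it has to arrive via `sudoers_file_cmnd_aliases`, otherwise `visudo -cf` rejects the rendered file and the task fails. A comment above the loop such as `{# MOUNT must be supplied as a Cmnd_Alias via sudoers_file_cmnd_aliases #}` would make the dependency explicit. Since dot.profile.j2.with_samba_mounts calls `sudo /bin/mount -o user=...,uid=...` with variables from the user's own profile, the alias presumably covers /bin/mount; a password-less, unrestricted mount lets the user choose arbitrary options and sources, so the alias should pin the permitted argument form (the `-t cifs` invocation and the `/mnt/<user>` mount points) rather than the bare binary.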
@@ -0,0 +1,56 @@ +# {{ ansible_managed }} + +# This file MUST be edited with the 'visudo' command as root. +# +# Please consider adding local content in /etc/sudoers.d/ instead of +# directly modifying this file. +# +# See the man page for details on how to write a sudoers file. +# +{% for item in sudoers_defaults %} +{% if item != '' %} +Defaults {{ item }} +{% endif %} +{% endfor %} + +# Host alias specification +{% for item in sudoers_host_aliases | default([]) %} +Host_Alias {{ item.name }} = {{ item.entry }} +{% endfor %} + +# User alias specification +{% for item in sudoers_user_aliases | default([]) %} +User_Alias {{ item.name }} = {{ item.entry }} +{% endfor %} + +# Cmnd alias specification +{% for item in sudoers_cmnd_aliases | default([]) %} +Cmnd_Alias {{ item.name }} = {{ item.entry }} +{% endfor %} + +# Runas alias specification +{% for item in sudoers_runas_aliases | default([]) %} +Runas_Alias {{ item.name }} = {{ item.entry }} +{% endfor %} + +# User privilege specification +{% for item in sudoers_user_privileges | default([]) %} +{{ item.name }} {{ item.entry }} +{% endfor %} + +# Members of the admin group may gain root privileges +%admin ALL=(ALL) ALL + +# Allow members of group sudo to execute any command +%sudo ALL=(ALL:ALL) ALL + +# Group privilege specification + +{% for item in sudoers_group_privileges | default([]) %} +{{ item.name }} {{ item.entry }} +{% endfor %} + +# See sudoers(5) for more information on "#include" directives: + +#includedir /etc/sudoers.d + diff --git a/roles/common/templates/etc/yp.conf.j2 b/roles/common/templates/etc/yp.conf.j2 new file mode 100644 index 0000000..257e70c --- /dev/null +++ b/roles/common/templates/etc/yp.conf.j2 
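Review bot: `{% for item in sudoers_defaults %}` is the only loop in this template without `| default([])`, so a host that does not define `sudoers_defaults` fails the render (and therefore the validated write of /etc/sudoers) instead of producing a file without Defaults lines; use `{% for item in sudoers_defaults | default([]) %}` like the other loops, or state in a comment that the variable is mandatory. The hard-coded `%admin ALL=(ALL) ALL` and `%sudo ALL=(ALL:ALL) ALL` rules sit next to the variable-driven `sudoers_group_privileges` loop; a comment noting they are the intentional distribution defaults would stop a later reader from moving or removing them.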
@@ -0,0 +1,24 @@ +# {{ ansible_managed }} + +# /etc/yp.conf - ypbind configuration file +# Valid entries are +# +# domain NISDOMAIN server HOSTNAME +# Use server HOSTNAME for the domain NISDOMAIN. +# +# domain NISDOMAIN broadcast +# Use broadcast on the local net for domain NISDOMAIN +# +# domain NISDOMAIN slp +# Query local SLP server for ypserver supporting NISDOMAIN +# +# ypserver HOSTNAME +# Use server HOSTNAME for the local domain. The +# IP-address of server must be listed in /etc/hosts. +# +# broadcast +# If no server for the default domain is specified or +# none of them is rechable, try a broadcast call to +# find a server. +# +domain {{ nis_domain }} server {{ nis_server_address }} diff --git a/roles/common/templates/user_homedirs/dot.profile.j2 b/roles/common/templates/user_homedirs/dot.profile.j2 new file mode 100644 index 0000000..1c95543 --- /dev/null +++ b/roles/common/templates/user_homedirs/dot.profile.j2 @@ -0,0 +1,36 @@ +# {{ ansible_managed }} + +# ~/.profile: executed by the command interpreter for login shells. +# This file is not read by bash(1), if ~/.bash_profile or ~/.bash_login +# exists. +# see /usr/share/doc/bash/examples/startup-files for examples. +# the files are located in the bash-doc package. + +# the default umask is set in /etc/profile; for setting the umask +# for ssh logins, install and configure the libpam-umask package. +#umask 022 + +# if running bash +if [ -n "$BASH_VERSION" ]; then + # include .bashrc if it exists + if [ -f "$HOME/.bashrc" ]; then + . "$HOME/.bashrc" + fi +fi + +# set PATH so it includes user's private bin if it exists +if [ -d "$HOME/bin" ] ; then + PATH="$HOME/bin:$PATH" +fi + +# this is for the midnight-commander +# to become the last directory the midnight commander was in +# as the current directory when leaving the midnight commander +# +#. /usr/lib/mc/bin/mc.sh +# +if [ -f "/usr/share/mc/bin/mc.sh" ] ; then + source /usr/share/mc/bin/mc.sh +fi + +export LANG="de_DE.utf8" 
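Review bot: `source /usr/share/mc/bin/mc.sh` in the `~/.profile` template uses the bash-only `source` keyword, but the header says the file is read by the login shell, and a POSIX `/bin/sh` (typically dash) does not know `source`; the bash branch above already uses `. "$HOME/.bashrc"`, and this line, which sits outside the `$BASH_VERSION` guard, should match: `. /usr/share/mc/bin/mc.sh`.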
diff --git a/roles/common/templates/user_homedirs/dot.profile.j2.with_samba_mounts b/roles/common/templates/user_homedirs/dot.profile.j2.with_samba_mounts new file mode 100644 index 0000000..7817c0a --- /dev/null +++ b/roles/common/templates/user_homedirs/dot.profile.j2.with_samba_mounts 
@@ -0,0 +1,126 @@ +# {{ ansible_managed }} + +# ~/.profile: executed by the command interpreter for login shells. +# This file is not read by bash(1), if ~/.bash_profile or ~/.bash_login +# exists. +# see /usr/share/doc/bash/examples/startup-files for examples. +# the files are located in the bash-doc package. + +# the default umask is set in /etc/profile; for setting the umask +# for ssh logins, install and configure the libpam-umask package. +#umask 022 + +# if running bash +if [ -n "$BASH_VERSION" ]; then + # include .bashrc if it exists + if [ -f "$HOME/.bashrc" ]; then + . "$HOME/.bashrc" + fi +fi + +# set PATH so it includes user's private bin if it exists +if [ -d "$HOME/bin" ] ; then + PATH="$HOME/bin:$PATH" +fi + +# this is for the midnight-commander +# to become the last directory the midnight commander was in +# as the current directory when leaving the midnight commander +# +#. /usr/lib/mc/bin/mc.sh +# +if [ -f "/usr/share/mc/bin/mc.sh" ] ; then + source /usr/share/mc/bin/mc.sh +fi + +export LANG="de_DE.utf8" + +# --- +# Mmount samba shares +# --- + +# Don't try to mount samba shares if login at samba server +# +[[ "$(hostname --long)" = "{{ samba_server }}" ]] && return + +SERVER="{{ samba_server }}" +USER="{{ item.name }}" +PASSWORD='{{ item.password }}' +VERSION="1.0" + +# Use NTLMv2 password hashing and force packet signing +# +# SEC="ntlmv2i" +# +# Use NTLMv2 password hashing encapsulated in Raw NTLMSSP message, and force packet signing +# +# SEC="ntlmsspi" +# +SEC="ntlmsspi" + +# - uid/guid of the user at fielserver +# - +_UID="$(id -u)" +_GID="$(id -g)" + + +# Logfile to see what happened.. +# +_logfile=/tmp/profile_${USER}.log + + +echo "" > $_logfile +echo "$(date +"%Y-%m-%d-%H%M")" >> $_logfile + +# Network present +# +_network=false + +if [ "X$_addr" = "X" ] ; then + echo "no inet address assigned yet.." >> $_logfile + declare -i count=1 + while ! $_network && [[ $count -lt 5 ]] ; do + echo "sleeping 2 seconds.." 
>> $_logfile + sleep 2 + _addr="$(hostname --ip-address)" + if [ "X$_addr" != "X" ] ; then + _network=true + echo "inet address present: $_addr" >> $_logfile + fi + ((count++)) + done +fi + +for dir in $(ls /mnt/$USER) ; do + MOUNT_POINT=/mnt/$USER/$dir + SHARE=$dir + + [ ! -d $MOUNT_POINT ] && continue + + if ! mount | grep $MOUNT_POINT > /dev/null ; then + echo "Going to mount share '${SHARE}' .." >> $_logfile + if [ -x /usr/bin/smb4k_mount ]; then + ## - Ubuntu <= 12.04 + if [[ "$VERSION" = "1.0" ]]; then + sudo /usr/bin/smb4k_mount -o user=$USER,password=$PASSWORD,iocharset=utf8,vers=1.0 \ + -n -t cifs //$SERVER/$SHARE $MOUNT_POINT >> $_logfile 2>&1 + else + sudo /usr/bin/smb4k_mount -o user=$USER,password=$PASSWORD,iocharset=utf8,uid=$_UID,gid=$_GID,vers=$VERSION \ + -n -t cifs //$SERVER/$SHARE $MOUNT_POINT >> $_logfile 2>&1 + fi + else + ## - Ubuntu Version >= 14.04 + if [[ "$VERSION" = "1.0" ]]; then + sudo /bin/mount -o user=$USER,password=$PASSWORD,iocharset=utf8,cifsacl,vers=$VERSION \ + -n -t cifs //$SERVER/$SHARE $MOUNT_POINT >> $_logfile 2>&1 + else + sudo /bin/mount -o user=$USER,password=$PASSWORD,iocharset=utf8,cifsacl,uid=$USER,sec=${SEC},vers=$VERSION \ + -n -t cifs //$SERVER/$SHARE $MOUNT_POINT >> $_logfile 2>&1 + fi + fi + else + echo "mount point $MOUNT_POINT already exists. nothing left to do.." >> $_logfile + fi + +done +
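Review bot: This template writes the user's samba password in cleartext into `~/.profile` (`PASSWORD='{{ item.password }}'`) and then passes it on the `mount -o ...,password=$PASSWORD` command line; user-systemfiles.yml renders `.profile` with mode 0644 and the homes live under the NFS-exported `nis_base_home`, so if this variant is ever used every NIS user can read every other user's password, and it is also exposed in the process list while the mount runs. Prefer a per-user credentials file (`credentials=<path>` with mode 0600) or a PAM-driven mount, and at minimum render this file 0600. `_addr` is tested at `if [ "X$_addr" = "X" ]` before it is ever assigned, so the 'no inet address' branch always runs and delays login by up to four 2-second sleeps even when the network is up — initialise it first with `_addr="$(hostname --ip-address)"`. `[[ ... ]] && return` and `declare -i` are bash-only; that presumably holds because nis_user.yml defaults the shell to /bin/bash, but a comment stating the bash requirement at the top of the file would help.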