From 254fb3197858020ccf5ea2d175bd210d4a6cd198 Mon Sep 17 00:00:00 2001
From: Christoph
Date: Fri, 16 Jun 2023 20:47:41 +0200
Subject: [PATCH] update..
---
 ansible_dependencies-bookworm.yml | 20 +++
 group_vars/akb.yml | 10 +-
 group_vars/all/main.yml | 118 ++++++++++++++++++
 group_vars/mbr.yml | 52 ++++++--
 .../tasks/main.yml | 47 +++++++
 roles/common/tasks/apt.yml | 16 ++-
 roles/common/tasks/nis-install-server.yml | 6 +-
 7 files changed, 253 insertions(+), 16 deletions(-)
 create mode 100644 ansible_dependencies-bookworm.yml
 create mode 100644 roles/ansible_dependencies-bookworm/tasks/main.yml
diff --git a/ansible_dependencies-bookworm.yml b/ansible_dependencies-bookworm.yml
new file mode 100644
index 0000000..3b418ec
--- /dev/null
+++ b/ansible_dependencies-bookworm.yml
@@ -0,0 +1,20 @@
+---
+
+# Intended to be run once for every new server to secure the ssh connection allowing the team access
+# with their public keys. This script will lock itself out from every server it is run on.
+# Further playbooks are intended to be run by logging in as one of the created users.
+# It also ensures python2 is installed as it's necessary for the modules used in this playbook at
+# the time of this writing.
+
+# The used login data depends on the used server provider. In most cases the ansible_user will be
+# root, but we can't safely assume anything.
+# The following line is an example for securing a new vagrant maching, after running `vagrant up`:
+# ansible-playbook first_run.yml -i hosts -u vagrant --private-key='~/.vagrant.d/insecure_private_key'
+# For real providers it could look like:
+# ansible-playbook first_run.yml -i hosts -u root --private-key='~/.ssh/id_rsa'
+# If you don't have a ssh-key on the server and the server expects password authentication use:
+# ansible-playbook first_run.yml -i hosts -u root --ask-pass
+
+- hosts: all
+ roles:
+ - ansible_dependencies-bookworm
diff --git a/group_vars/akb.yml b/group_vars/akb.yml
index 129a878..02c6050 100644
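Review bot: The header comment of the new playbook is stale: it describes first_run.yml (securing the ssh connection with team keys, locking itself out, ensuring python2), while this file only applies the ansible_dependencies-bookworm role, and all three example invocations name `first_run.yml` instead of `ansible_dependencies-bookworm.yml`. A reader following it would run the wrong playbook and expect a lockout that never happens. Replace it with a header that matches the role, e.g. `# Bootstraps a fresh host (presumably Debian 12 / bookworm) so Ansible can manage it: refreshes apt, installs python3 and python3-apt, then the packages in apt_ansible_dependencies.`, and keep a single invocation example that names this file; if any of the example text is kept, fix `maching` → `machine`.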
--- a/group_vars/akb.yml +++ b/group_vars/akb.yml @@ -316,6 +316,13 @@ nis_user: is_samba_user: true password: '20_thomas/19-!' + - name: sascha + groups: + - ab + - scans + is_samba_user: true + password: '20.sas_23.cha!' + - name: stefan groups: - ab @@ -379,7 +386,6 @@ samba_shares: - julia - frauke - fsj - - romana - stefan - thomas - name: AB @@ -400,6 +406,7 @@ samba_shares: - frauke - fsj - romana + - sascha - stefan - thomas - name: Scans @@ -421,6 +428,7 @@ samba_shares: - fsj - romana - stefan + - sascha - thomas - name: Buero_Scans path: /data/samba/Scans/Buero_Scans diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml index b509008..0f2d94b 100644 --- a/group_vars/all/main.yml +++ b/group_vars/all/main.yml 
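Review bot: The new `sascha` entry stores its login as a cleartext `password:` value in a committed group_vars file, as do the new leah.vauth, pierre.ahrent, andreas.nowak and vanessa.gelardo entries in the group_vars/mbr.yml hunks; anyone with read access to the repository or its history obtains every NIS/Samba credential, and rotating them later means rewriting history. Keep this file free of secrets by moving the `password` values into an ansible-vault-encrypted vars file (or an inline `!vault` value) and, where the consuming role accepts it, storing a password hash rather than the cleartext. Because these values are already in the commit history, treat them as exposed and rotate them once the move is done. The `nis_user:` list starts before this hunk.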
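Review bot: In the Scans share hunk (`@@ -421,6 +428,7 @@`) `sascha` is inserted after `stefan`, whereas the AB share hunk and the nis_user list keep members alphabetical (`romana`, `sascha`, `stefan`); move the line above `- stefan` so both member lists read the same way and future additions produce small diffs. The `samba_shares:` mapping starts before this hunk.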
@@ -501,6 +501,124 @@ apt_initial_install_bullseye: - btrfs-progs - fdisk +apt_initial_install_bookworm: + - apt-transport-https + - cryptsetup + - dbus + - openssh-server + - rush + - vim + - vim-common + - vim-doc + - mc + - screen + - tmux + - cron + - bc + - figlet + - rcconf + - sudo + - rsync + - dselect + - iputils-ping + - apt-utils + - aptitude + - zip + - unzip + - bzip2 + - arj + - locate + - curl + - gawk + - mawk + - lynx + - links + - w3m + - universal-ctags + - mime-support + - file + - coreutils + - moreutils + - less + - sipcalc + - psmisc + - dnsutils + - rblcheck + - whois + - gettext + - gettext-base + - gettext-doc + - debian-keyring + - patch + - patchutils + - recode + - recode-doc + - librecode0 + - librecode-dev + - sharutils + - perl + - perl-modules-5.32 + - perl-doc + - libperl-dev + - libterm-readline-gnu-perl + - libterm-readline-perl-perl + - libterm-readkey-perl + - libmail-imapclient-perl + - libtime-duration-perl + - libtimedate-perl + - libwww-perl + - libpcre3 + - libio-compress-perl + - libreadline-dev + - re2c + - util-linux + - parted + - lshw + - gdisk + - smartmontools + - tcpdump + - telnet + - unhide + - lsof + - hdparm + - groff + - iproute2 + - bridge-utils + - vlan + - ethtool + - wipe + - iperf + - mtr + - iptraf + - wget + - logrotate + - rsyslog + - haveged + - rdate + - ntpdate + - wipe + - man + - groff + - iptables + - shellcheck + - ssl-cert + - ssl-cert-check + - git + - ftp + - htop + - net-tools + - lsb-release + - attr + - acl + - quota + - quotatool + - needrestart + - socat + - zsh + - lua5.4 + - btrfs-progs + - fdisk + apt_initial_install_xenial: - apt-transport-https - dbus diff --git a/group_vars/mbr.yml b/group_vars/mbr.yml index ee31786..44efc7f 100644 --- a/group_vars/mbr.yml +++ b/group_vars/mbr.yml 
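Review bot: The new `apt_initial_install_bookworm` list contains `wipe` and `groff` twice (after `ethtool`/`hdparm` and again after `ntpdate`/`man`); the apt module tolerates duplicates, but they obscure what the list really installs, so drop the second occurrence of each. The list also carries `perl-modules-5.32` over from the bullseye list, yet bookworm ships perl 5.36, so that package name will most likely not resolve and the whole initial-install task would fail; change it to `perl-modules-5.36` or simply drop it and let `perl` pull in its own modules package. `mime-support`, `ntpdate` and `telnet` appear to be transitional packages in bookworm, so expect apt to warn about them if they stay.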
@@ -257,6 +257,26 @@ nis_user: is_samba_user: true password: '20_axis_16' +# --- +# Technik +# --- + + - name: leah.vauth + groups: + - all-users + - buero-scan + - technik + is_samba_user: true + password: 'cgsRq9-IP.X2' + + - name: pierre.ahrent + groups: + - all-users + - buero-scan + - technik + is_samba_user: true + password: 'GYiI3-s/_7wG' + # --- # Verwaltung # --- @@ -300,14 +320,6 @@ nis_user: is_samba_user: true password: '73_BiBole_29' - - name: pierre.ahrent - groups: - - all-users - - buero-scan - - technik - is_samba_user: true - password: 'GYiI3-s/_7wG' - - name: birgit.erhardt groups: - all-users @@ -418,6 +430,7 @@ nis_user: - name: laura.berner groups: - all-users + - betriebsrat - buero-scan - bgn - bgn-finanzen-personal @@ -466,7 +479,6 @@ nis_user: - all-users - buero-scan - technik - - betriebsrat - mbr-buero is_samba_user: true password: '5xp5ll9ar13us!' @@ -498,6 +510,7 @@ nis_user: - name: felix.mueller groups: - all-users + - betriebsrat - buero-scan - technik - mbr-buero @@ -548,7 +561,6 @@ nis_user: groups: - all-users - buero-scan - - betriebsrat - mbr-buero is_samba_user: true password: 't32_aHxV.' @@ -573,6 +585,7 @@ nis_user: - name: manja.kasten groups: - all-users + - betriebsrat - buero-scan - mbr-buero is_samba_user: true @@ -592,7 +605,6 @@ nis_user: - all-users - buero-scan - ag-antisem - - betriebsrat - mbr-buero is_samba_user: true password: 'V1v@H@f3rdr1nk' @@ -600,6 +612,7 @@ nis_user: - name: michael.sulies groups: - all-users + - betriebsrat - buero-scan - ag-antisem - mbr-buero @@ -609,6 +622,7 @@ nis_user: - name: nina.rink groups: - all-users + - betriebsrat - buero-scan - mbr-buero is_samba_user: true @@ -651,6 +665,14 @@ nis_user: # RIAS Berlin und Bund # --- + - name: andreas.nowak + groups: + - all-users + - buero-scan + - rias-bund + is_samba_user: true + password: 'N/m3/UM/362b' + - name: alexander.rasumny groups: - all-users 
@@ -863,6 +885,14 @@ nis_user: is_samba_user: true password: '3/+v_7AGivxc' + - name: vanessa.gelardo + groups: + - all-users + - buero-scan + - rias-bund + is_samba_user: true + password: 'Vr.6v/4hWZEm' + # --- # Regishut diff --git a/roles/ansible_dependencies-bookworm/tasks/main.yml b/roles/ansible_dependencies-bookworm/tasks/main.yml new file mode 100644 index 0000000..e01ece5 --- /dev/null +++ b/roles/ansible_dependencies-bookworm/tasks/main.yml @@ -0,0 +1,47 @@ +--- + +- name: re-synchronize the package index files from their sources + raw: apt-get update + +- name: Ensure aptitude is present + raw: test -e /usr/bin/aptitude || apt-get install aptitude -y + +- name: Ensure python3 is present (This is necessary for ansible to work properly) + raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3) + +- name: Ensure python-is-python3 is present (This is necessary for ansible to work properly) + raw: test -e /usr/bin/python3 && (apt -y update && apt install -y python-is-python3) + +- name: Ensure python-apt-common is present (This is necessary for ansible to work properly) + raw: test -e /usr/bin/python && (apt -y update && apt install -y python-apt-common) + +- name: Ensure python-apt is present (This is necessary for ansible to work properly) + raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3-apt) + +- name: dpkg --configure -a + command: > + dpkg --configure -a + args: + warn: false + changed_when: _dpkg_configure.stdout_lines | length + register: _dpkg_configure + when: apt_dpkg_configure|bool + tags: + - ansible-dependencies + +- name: apt upgrade + apt: + upgrade: "{{ apt_upgrade_type }}" + update_cache: true + dpkg_options: "{{ apt_upgrade_dpkg_options | join(',') }}" + when: apt_upgrade|bool + tags: + - ansible-dependencies + +- name: apt install ansible dependencies + apt: + name: "{{ apt_ansible_dependencies }}" + state: "{{ apt_install_state }}" + tags: + - ansible-dependencies + 
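Review bot: The `Ensure python3-apt is present` task in the new role never installs python3-apt once python3 exists, because its guard is `test -e /usr/bin/python3 ||` — the same binary the earlier task just installed — rather than a check for the python3-apt package itself; the `python-apt-common` task has the mirror-image problem (it runs only when `/usr/bin/python` happens to exist), and the `python-is-python3` task uses `&&`, so it re-runs the install on every play. Guard each task on the package it installs with `dpkg -s`, as in the excerpt below; python-apt-common is presumably pulled in as a dependency of python3-apt, so that task can go. The `dpkg --configure -a` task passes `args: warn: false`, and ansible-core 2.14 and later (which bookworm ships) reject `warn` as an unsupported parameter, so delete those two lines. The `raw:` tasks also report `changed` on every run; registering their output and setting `changed_when` on it keeps the role idempotent, and `apt_dpkg_configure`, `apt_upgrade`, `apt_upgrade_type`, `apt_upgrade_dpkg_options`, `apt_ansible_dependencies` and `apt_install_state` are not defined anywhere in this patch, so confirm group_vars/all provides them.
```yaml
# … unchanged: apt-get update, aptitude and python3 tasks …

- name: Ensure python-is-python3 is present (This is necessary for ansible to work properly)
  raw: dpkg -s python-is-python3 >/dev/null 2>&1 || (apt-get -y update && apt-get install -y python-is-python3)

- name: Ensure python3-apt is present (This is necessary for ansible to work properly)
  raw: dpkg -s python3-apt >/dev/null 2>&1 || (apt-get -y update && apt-get install -y python3-apt)

# … unchanged: dpkg --configure, apt upgrade and apt install tasks …
```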
diff --git a/roles/common/tasks/apt.yml b/roles/common/tasks/apt.yml index c7606a8..f687c42 100644 --- a/roles/common/tasks/apt.yml +++ b/roles/common/tasks/apt.yml @@ -96,6 +96,18 @@ - apt-initial-install +- name: (apt.yml) Initial install debian packages (bookworm) + apt: + name: "{{ apt_initial_install_bookworm }}" + state: "{{ apt_install_state }}" + when: + - apt_initial_install_bookworm is defined and apt_initial_install_bookworm|length > 0 + - ansible_facts['distribution'] == "Debian" + - ansible_facts['distribution_major_version'] == "12" + tags: + - apt-initial-install + + - name: (apt.yml) Initial install ubuntu packages (bionic) apt: name: "{{ apt_initial_install_bionic }}" @@ -146,7 +158,7 @@ - apt-microcode -- name: (apt.yml) Install CPU microcode (debian buster/bullseye) +- name: (apt.yml) Install CPU microcode (debian buster/bullseye/bookworm) apt: name: "{{ microcode_intel_package }}" state: present @@ -154,7 +166,7 @@ when: - apt_debian_contrib_nonfree_enable - ansible_facts['distribution'] == "Debian" - - ansible_facts['distribution_major_version'] == "10" or ansible_facts['distribution_major_version'] == "11" + - ansible_facts['distribution_major_version'] == "10" or ansible_facts['distribution_major_version'] == "11"or ansible_facts['distribution_major_version'] == "12" - ansible_facts['processor']|string is search("Intel") tags: - apt-initial-install diff --git a/roles/common/tasks/nis-install-server.yml b/roles/common/tasks/nis-install-server.yml index ecfca9b..6b7e79c 100644 --- a/roles/common/tasks/nis-install-server.yml +++ b/roles/common/tasks/nis-install-server.yml 
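Review bot: The microcode `when` condition is missing a space in `== "11"or ansible_facts['distribution_major_version'] == "12"`; Jinja may still tokenize `"11"or`, but the line is now three clauses long and hard to read, and it will grow again with the next release. Replace it with a membership test, `- ansible_facts['distribution_major_version'] in ["10", "11", "12"]`, which says the same thing in one readable clause. The new bookworm initial-install task above also leaves two blank lines before the bionic task where the rest of the file uses one.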
@@ -66,18 +66,20 @@ when: - ansible_facts['distribution'] == "Debian" - ansible_distribution_major_version|int >= 11 - - ansible_distribution_major_version|int <= 12 - file_etc_pam_d_common_password.stat.exists == True + #- ansible_distribution_major_version|int <= 12 + - name: (nis-install-server.yml) Change default password hash for local system accounts from SHA-512 to yescrypt shell: perl -i -n -p -e "s/^(password.+)yescrypt/\1sha512/" /etc/pam.d/common-password when: - ansible_facts['distribution'] == "Debian" - ansible_facts['distribution_major_version']|int >= 11 - - ansible_facts['distribution_major_version']|int <= 12 - file_etc_pam_d_common_password.stat.exists == True - presence_of_passwprd_hashing_yescrypt is changed + #- ansible_facts['distribution_major_version']|int <= 12 + # --- # /etc/default/nis
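Review bot: Commenting out `- ansible_distribution_major_version|int <= 12` (and its twin in the second task) leaves dead lines inside two `when:` lists instead of a decision; either delete them or, if the intent is to keep the rewrite bounded to releases it has been tested on, raise the bound rather than removing it. Note what the second task actually does: the substitution `s/^(password.+)yescrypt/\1sha512/` replaces yescrypt with sha512 in /etc/pam.d/common-password, i.e. it downgrades the local-account password hash, the opposite of what its name says — and without an upper bound that downgrade now silently applies to every future Debian release. Rename the task to "from yescrypt to SHA-512" and add a comment stating why it is needed (presumably NIS compatibility with clients that cannot verify yescrypt) so a later reviewer can judge when it may be dropped. Both `when:` lists start before this hunk, and the first task's name and shell line are outside it.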