This commit is contained in:
Christoph 2023-06-16 20:47:41 +02:00
parent 2c476c9955
commit 254fb31978
7 changed files with 253 additions and 16 deletions


@ -0,0 +1,20 @@
---
# Intended to be run once for every new server to secure the ssh connection allowing the team access
# with their public keys. This script will lock itself out from every server it is run on.
# Further playbooks are intended to be run by logging in as one of the created users.
# It also ensures python2 is installed as it's necessary for the modules used in this playbook at
# the time of this writing.
# The used login data depends on the used server provider. In most cases the ansible_user will be
# root, but we can't safely assume anything.
# The following line is an example for securing a new vagrant maching, after running `vagrant up`:
# ansible-playbook first_run.yml -i hosts -u vagrant --private-key='~/.vagrant.d/insecure_private_key'
# For real providers it could look like:
# ansible-playbook first_run.yml -i hosts -u root --private-key='~/.ssh/id_rsa'
# If you don't have a ssh-key on the server and the server expects password authentication use:
# ansible-playbook first_run.yml -i hosts -u root --ask-pass
- hosts: all
roles:
- ansible_dependencies-bookworm
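Review bot: The header comment still says the playbook "ensures python2 is installed", but the only role this playbook runs is `ansible_dependencies-bookworm`, and the bookworm dependency tasks added in this same commit install python3 and python3-apt, not python2; the line should read `# It also ensures python3 and python3-apt are installed, as Ansible's apt module needs them on the target.` The header also promises that the run creates the team's users and locks itself out of the server, which nothing in the visible playbook does — if that happens inside the role, say so by name, otherwise trim the header to what `first_run.yml` actually does so the next person does not skip a step they believe was done.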


@ -316,6 +316,13 @@ nis_user:
is_samba_user: true is_samba_user: true
password: '20_thomas/19-!' password: '20_thomas/19-!'
- name: sascha
groups:
- ab
- scans
is_samba_user: true
password: '20.sas_23.cha!'
- name: stefan - name: stefan
groups: groups:
- ab - ab
@ -379,7 +386,6 @@ samba_shares:
- julia - julia
- frauke - frauke
- fsj - fsj
- romana
- stefan - stefan
- thomas - thomas
- name: AB - name: AB
@ -400,6 +406,7 @@ samba_shares:
- frauke - frauke
- fsj - fsj
- romana - romana
- sascha
- stefan - stefan
- thomas - thomas
- name: Scans - name: Scans
@ -421,6 +428,7 @@ samba_shares:
- fsj - fsj
- romana - romana
- stefan - stefan
- sascha
- thomas - thomas
- name: Buero_Scans - name: Buero_Scans
path: /data/samba/Scans/Buero_Scans path: /data/samba/Scans/Buero_Scans
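Review bot: The new `sascha` entry commits a clear-text password (`password: '20.sas_23.cha!'`) to the repository, alongside the existing ones in this vars file, so every account credential is readable by anyone with read access to the repo or its history. If the role genuinely needs the clear-text value (for example to set the Samba password), encrypt it in place with `ansible-vault encrypt_string` and replace the literal with the resulting `!vault |` block — the role's consumer does not change, only the file stops carrying secrets — and pass `--ask-vault-pass` or a vault id on the command line. If it does not, store a hash and let the role consume that instead. Either way the value already committed here should be considered exposed and rotated once the file is protected.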


@ -501,6 +501,124 @@ apt_initial_install_bullseye:
- btrfs-progs - btrfs-progs
- fdisk - fdisk
apt_initial_install_bookworm:
- apt-transport-https
- cryptsetup
- dbus
- openssh-server
- rush
- vim
- vim-common
- vim-doc
- mc
- screen
- tmux
- cron
- bc
- figlet
- rcconf
- sudo
- rsync
- dselect
- iputils-ping
- apt-utils
- aptitude
- zip
- unzip
- bzip2
- arj
- locate
- curl
- gawk
- mawk
- lynx
- links
- w3m
- universal-ctags
- mime-support
- file
- coreutils
- moreutils
- less
- sipcalc
- psmisc
- dnsutils
- rblcheck
- whois
- gettext
- gettext-base
- gettext-doc
- debian-keyring
- patch
- patchutils
- recode
- recode-doc
- librecode0
- librecode-dev
- sharutils
- perl
- perl-modules-5.32
- perl-doc
- libperl-dev
- libterm-readline-gnu-perl
- libterm-readline-perl-perl
- libterm-readkey-perl
- libmail-imapclient-perl
- libtime-duration-perl
- libtimedate-perl
- libwww-perl
- libpcre3
- libio-compress-perl
- libreadline-dev
- re2c
- util-linux
- parted
- lshw
- gdisk
- smartmontools
- tcpdump
- telnet
- unhide
- lsof
- hdparm
- groff
- iproute2
- bridge-utils
- vlan
- ethtool
- wipe
- iperf
- mtr
- iptraf
- wget
- logrotate
- rsyslog
- haveged
- rdate
- ntpdate
- wipe
- man
- groff
- iptables
- shellcheck
- ssl-cert
- ssl-cert-check
- git
- ftp
- htop
- net-tools
- lsb-release
- attr
- acl
- quota
- quotatool
- needrestart
- socat
- zsh
- lua5.4
- btrfs-progs
- fdisk
apt_initial_install_xenial: apt_initial_install_xenial:
- apt-transport-https - apt-transport-https
- dbus - dbus
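Review bot: `perl-modules-5.32` in the new `apt_initial_install_bookworm` list is the bullseye-era versioned package; bookworm ships perl 5.36, so that name should not resolve there, and because the apt task that consumes this list installs every name in a single call, one unknown package fails the whole initial install. `perl` already depends on the matching `perl-modules-5.xx`, so the safest fix is to drop the line (or rename it to `perl-modules-5.36` if it must stay explicit). The list also repeats `wipe` and `groff`, which apt tolerates but which suggests the list was pasted together rather than reviewed. Several other names copied from the bullseye list (`mime-support`, `ntpdate`, `telnet`) appear to be transitional packages on bookworm that pull in different implementations — worth verifying on a bookworm host before relying on them.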


@ -257,6 +257,26 @@ nis_user:
is_samba_user: true is_samba_user: true
password: '20_axis_16' password: '20_axis_16'
# ---
# Technik
# ---
- name: leah.vauth
groups:
- all-users
- buero-scan
- technik
is_samba_user: true
password: 'cgsRq9-IP.X2'
- name: pierre.ahrent
groups:
- all-users
- buero-scan
- technik
is_samba_user: true
password: 'GYiI3-s/_7wG'
# --- # ---
# Verwaltung # Verwaltung
# --- # ---
@ -300,14 +320,6 @@ nis_user:
is_samba_user: true is_samba_user: true
password: '73_BiBole_29' password: '73_BiBole_29'
- name: pierre.ahrent
groups:
- all-users
- buero-scan
- technik
is_samba_user: true
password: 'GYiI3-s/_7wG'
- name: birgit.erhardt - name: birgit.erhardt
groups: groups:
- all-users - all-users
@ -418,6 +430,7 @@ nis_user:
- name: laura.berner - name: laura.berner
groups: groups:
- all-users - all-users
- betriebsrat
- buero-scan - buero-scan
- bgn - bgn
- bgn-finanzen-personal - bgn-finanzen-personal
@ -466,7 +479,6 @@ nis_user:
- all-users - all-users
- buero-scan - buero-scan
- technik - technik
- betriebsrat
- mbr-buero - mbr-buero
is_samba_user: true is_samba_user: true
password: '5xp5ll9ar13us!' password: '5xp5ll9ar13us!'
@ -498,6 +510,7 @@ nis_user:
- name: felix.mueller - name: felix.mueller
groups: groups:
- all-users - all-users
- betriebsrat
- buero-scan - buero-scan
- technik - technik
- mbr-buero - mbr-buero
@ -548,7 +561,6 @@ nis_user:
groups: groups:
- all-users - all-users
- buero-scan - buero-scan
- betriebsrat
- mbr-buero - mbr-buero
is_samba_user: true is_samba_user: true
password: 't32_aHxV.' password: 't32_aHxV.'
@ -573,6 +585,7 @@ nis_user:
- name: manja.kasten - name: manja.kasten
groups: groups:
- all-users - all-users
- betriebsrat
- buero-scan - buero-scan
- mbr-buero - mbr-buero
is_samba_user: true is_samba_user: true
@ -592,7 +605,6 @@ nis_user:
- all-users - all-users
- buero-scan - buero-scan
- ag-antisem - ag-antisem
- betriebsrat
- mbr-buero - mbr-buero
is_samba_user: true is_samba_user: true
password: 'V1v@H@f3rdr1nk' password: 'V1v@H@f3rdr1nk'
@ -600,6 +612,7 @@ nis_user:
- name: michael.sulies - name: michael.sulies
groups: groups:
- all-users - all-users
- betriebsrat
- buero-scan - buero-scan
- ag-antisem - ag-antisem
- mbr-buero - mbr-buero
@ -609,6 +622,7 @@ nis_user:
- name: nina.rink - name: nina.rink
groups: groups:
- all-users - all-users
- betriebsrat
- buero-scan - buero-scan
- mbr-buero - mbr-buero
is_samba_user: true is_samba_user: true
@ -651,6 +665,14 @@ nis_user:
# RIAS Berlin und Bund # RIAS Berlin und Bund
# --- # ---
- name: andreas.nowak
groups:
- all-users
- buero-scan
- rias-bund
is_samba_user: true
password: 'N/m3/UM/362b'
- name: alexander.rasumny - name: alexander.rasumny
groups: groups:
- all-users - all-users
@ -863,6 +885,14 @@ nis_user:
is_samba_user: true is_samba_user: true
password: '3/+v_7AGivxc' password: '3/+v_7AGivxc'
- name: vanessa.gelardo
groups:
- all-users
- buero-scan
- rias-bund
is_samba_user: true
password: 'Vr.6v/4hWZEm'
# --- # ---
# Regishut # Regishut
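Review bot: Three more accounts (`leah.vauth`, `andreas.nowak`, `vanessa.gelardo`) are added with their passwords in clear text, and moving `pierre.ahrent` from Verwaltung to Technik re-commits the same `'GYiI3-s/_7wG'` value, so these credentials now live permanently in git history. Protect the field with `ansible-vault encrypt_string` and replace each literal with the produced `!vault |` block, or store a hash if the role can consume one; this does not change the role's interface. Whichever route is taken, the values already pushed should be treated as exposed and rotated, and the account owners told to change them at first login.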


@ -0,0 +1,47 @@
---
- name: re-synchronize the package index files from their sources
raw: apt-get update
- name: Ensure aptitude is present
raw: test -e /usr/bin/aptitude || apt-get install aptitude -y
- name: Ensure python3 is present (This is necessary for ansible to work properly)
raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3)
- name: Ensure python-is-python3 is present (This is necessary for ansible to work properly)
raw: test -e /usr/bin/python3 && (apt -y update && apt install -y python-is-python3)
- name: Ensure python-apt-common is present (This is necessary for ansible to work properly)
raw: test -e /usr/bin/python && (apt -y update && apt install -y python-apt-common)
- name: Ensure python-apt is present (This is necessary for ansible to work properly)
raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3-apt)
- name: dpkg --configure -a
command: >
dpkg --configure -a
args:
warn: false
changed_when: _dpkg_configure.stdout_lines | length
register: _dpkg_configure
when: apt_dpkg_configure|bool
tags:
- ansible-dependencies
- name: apt upgrade
apt:
upgrade: "{{ apt_upgrade_type }}"
update_cache: true
dpkg_options: "{{ apt_upgrade_dpkg_options | join(',') }}"
when: apt_upgrade|bool
tags:
- ansible-dependencies
- name: apt install ansible dependencies
apt:
name: "{{ apt_ansible_dependencies }}"
state: "{{ apt_install_state }}"
tags:
- ansible-dependencies
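Review bot: The guard on the "Ensure python-apt is present" task (`test -e /usr/bin/python3 || ...`) tests for the python3 interpreter, which the task two lines above has just guaranteed, so `python3-apt` is never installed by this file; the `apt` module used by the `apt upgrade` and `apt install ansible dependencies` tasks needs it, so on a fresh host those tasks can fail (or, on newer ansible-core, trigger an implicit install you did not control). The python-is-python3 task has the inverse problem: `test -e /usr/bin/python3 && (...)` runs apt on every execution once python3 exists, and since `raw` always reports changed, neither task is idempotent. A package-level check fixes both: `raw: dpkg -s python3-apt >/dev/null 2>&1 || apt-get install -y python3-apt` and `raw: test -e /usr/bin/python || apt-get install -y python-is-python3`. Separately, `args: warn: false` on the `dpkg --configure -a` task is a parameter that was removed from the command module in ansible-core 2.14 (the version bookworm ships), where it is rejected as unsupported — worth confirming against the controller version in use.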


@ -96,6 +96,18 @@
- apt-initial-install - apt-initial-install
- name: (apt.yml) Initial install debian packages (bookworm)
apt:
name: "{{ apt_initial_install_bookworm }}"
state: "{{ apt_install_state }}"
when:
- apt_initial_install_bookworm is defined and apt_initial_install_bookworm|length > 0
- ansible_facts['distribution'] == "Debian"
- ansible_facts['distribution_major_version'] == "12"
tags:
- apt-initial-install
- name: (apt.yml) Initial install ubuntu packages (bionic) - name: (apt.yml) Initial install ubuntu packages (bionic)
apt: apt:
name: "{{ apt_initial_install_bionic }}" name: "{{ apt_initial_install_bionic }}"
@ -146,7 +158,7 @@
- apt-microcode - apt-microcode
- name: (apt.yml) Install CPU microcode (debian buster/bullseye) - name: (apt.yml) Install CPU microcode (debian buster/bullseye/bookworm)
apt: apt:
name: "{{ microcode_intel_package }}" name: "{{ microcode_intel_package }}"
state: present state: present
@ -154,7 +166,7 @@
when: when:
- apt_debian_contrib_nonfree_enable - apt_debian_contrib_nonfree_enable
- ansible_facts['distribution'] == "Debian" - ansible_facts['distribution'] == "Debian"
- ansible_facts['distribution_major_version'] == "10" or ansible_facts['distribution_major_version'] == "11" - ansible_facts['distribution_major_version'] == "10" or ansible_facts['distribution_major_version'] == "11"or ansible_facts['distribution_major_version'] == "12"
- ansible_facts['processor']|string is search("Intel") - ansible_facts['processor']|string is search("Intel")
tags: tags:
- apt-initial-install - apt-initial-install
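Review bot: The extended condition on the microcode task is written `"11"or ansible_facts[...]` with no space before `or`; Jinja tolerates it, but it reads as a typo and the three-way comparison is now long enough to deserve a membership test: `- ansible_facts['distribution_major_version'] in ["10", "11", "12"]`. The same applies to the new bookworm initial-install task, which copies the bullseye pattern; that is fine, but note it installs the whole `apt_initial_install_bookworm` list in one `apt` call, so a single unresolvable package name in that list fails the task rather than skipping the one entry.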


@ -66,18 +66,20 @@
when: when:
- ansible_facts['distribution'] == "Debian" - ansible_facts['distribution'] == "Debian"
- ansible_distribution_major_version|int >= 11 - ansible_distribution_major_version|int >= 11
- ansible_distribution_major_version|int <= 12
- file_etc_pam_d_common_password.stat.exists == True - file_etc_pam_d_common_password.stat.exists == True
#- ansible_distribution_major_version|int <= 12
- name: (nis-install-server.yml) Change default password hash for local system accounts from SHA-512 to yescrypt - name: (nis-install-server.yml) Change default password hash for local system accounts from SHA-512 to yescrypt
shell: perl -i -n -p -e "s/^(password.+)yescrypt/\1sha512/" /etc/pam.d/common-password shell: perl -i -n -p -e "s/^(password.+)yescrypt/\1sha512/" /etc/pam.d/common-password
when: when:
- ansible_facts['distribution'] == "Debian" - ansible_facts['distribution'] == "Debian"
- ansible_facts['distribution_major_version']|int >= 11 - ansible_facts['distribution_major_version']|int >= 11
- ansible_facts['distribution_major_version']|int <= 12
- file_etc_pam_d_common_password.stat.exists == True - file_etc_pam_d_common_password.stat.exists == True
- presence_of_passwprd_hashing_yescrypt is changed - presence_of_passwprd_hashing_yescrypt is changed
#- ansible_facts['distribution_major_version']|int <= 12
# --- # ---
# /etc/default/nis # /etc/default/nis
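Review bot: Dropping the `<= 12` upper bound (now commented out at the end of each `when:`) means every Debian release after bookworm will also have its `/etc/pam.d/common-password` rewritten from yescrypt to sha512, which is a deliberate downgrade of the default local password hash; if the downgrade exists for NIS compatibility, that should be stated in a comment and the bound kept at the last release actually checked rather than left open-ended. The task name on the second task says "from SHA-512 to yescrypt" but the perl substitution replaces `yescrypt` with `sha512`, the opposite direction; rename it to `Change default password hash for local system accounts from yescrypt to SHA-512 (presumably for NIS client compatibility — confirm)` so the intent is visible to whoever next audits PAM settings. The first task in this hunk starts above the hunk, so its module and the registered `presence_of_passwprd_hashing_yescrypt` variable cannot be checked here.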