This commit is contained in:
Christoph 2023-06-16 20:47:41 +02:00
parent 2c476c9955
commit 254fb31978
7 changed files with 253 additions and 16 deletions


@ -0,0 +1,20 @@
---
# Intended to be run once for every new server to secure the ssh connection allowing the team access
# with their public keys. This script will lock itself out from every server it is run on.
# Further playbooks are intended to be run by logging in as one of the created users.
# It also ensures python2 is installed as it's necessary for the modules used in this playbook at
# the time of this writing.
# The used login data depends on the used server provider. In most cases the ansible_user will be
# root, but we can't safely assume anything.
# The following line is an example for securing a new vagrant maching, after running `vagrant up`:
# ansible-playbook first_run.yml -i hosts -u vagrant --private-key='~/.vagrant.d/insecure_private_key'
# For real providers it could look like:
# ansible-playbook first_run.yml -i hosts -u root --private-key='~/.ssh/id_rsa'
# If you don't have a ssh-key on the server and the server expects password authentication use:
# ansible-playbook first_run.yml -i hosts -u root --ask-pass
- hosts: all
roles:
- ansible_dependencies-bookworm
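Review bot: The header comment no longer matches the playbook it sits on: it says the play "ensures python2 is installed", but the only role applied is `ansible_dependencies-bookworm`, whose tasks in this same commit install python3, python-is-python3 and python3-apt, and nothing visible here creates users or removes the login it was run with, so the "will lock itself out" and "further playbooks are intended to be run by logging in as one of the created users" sentences appear to be carried over from another playbook. The comment block should describe only what this play does, e.g. `# Intended to be run once for every new bookworm server: installs the python3/apt packages Ansible needs before any other playbook can use the apt and user modules.`, and the lock-out/user sentences should move to the playbook that actually does that. Minor: `vagrant maching` should read `vagrant machine`.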


@ -316,6 +316,13 @@ nis_user:
is_samba_user: true
password: '20_thomas/19-!'
- name: sascha
groups:
- ab
- scans
is_samba_user: true
password: '20.sas_23.cha!'
- name: stefan
groups:
- ab
@ -379,7 +386,6 @@ samba_shares:
- julia
- frauke
- fsj
- romana
- stefan
- thomas
- name: AB
@ -400,6 +406,7 @@ samba_shares:
- frauke
- fsj
- romana
- sascha
- stefan
- thomas
- name: Scans
@ -421,6 +428,7 @@ samba_shares:
- fsj
- romana
- stefan
- sascha
- thomas
- name: Buero_Scans
path: /data/samba/Scans/Buero_Scans
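Review bot: The new `sascha` entry adds another cleartext `password:` value to a vars file that is committed to the repository, and the `nis_user` additions later in this commit (`leah.vauth`, `pierre.ahrent`, `andreas.nowak`, `vanessa.gelardo`) do the same; anyone with read access to the repo history can recover every account password. If the consumer of `is_samba_user` needs the cleartext value, keep it out of plain text with an Ansible Vault-encrypted scalar (`password: !vault |` followed by the ciphertext) or a `lookup()` into a secret store, and treat the values already in history as disclosed. The remaining hunks of this file only add `sascha` to the share member lists and drop `romana` from one, which raise nothing.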


@ -501,6 +501,124 @@ apt_initial_install_bullseye:
- btrfs-progs
- fdisk
apt_initial_install_bookworm:
- apt-transport-https
- cryptsetup
- dbus
- openssh-server
- rush
- vim
- vim-common
- vim-doc
- mc
- screen
- tmux
- cron
- bc
- figlet
- rcconf
- sudo
- rsync
- dselect
- iputils-ping
- apt-utils
- aptitude
- zip
- unzip
- bzip2
- arj
- locate
- curl
- gawk
- mawk
- lynx
- links
- w3m
- universal-ctags
- mime-support
- file
- coreutils
- moreutils
- less
- sipcalc
- psmisc
- dnsutils
- rblcheck
- whois
- gettext
- gettext-base
- gettext-doc
- debian-keyring
- patch
- patchutils
- recode
- recode-doc
- librecode0
- librecode-dev
- sharutils
- perl
- perl-modules-5.32
- perl-doc
- libperl-dev
- libterm-readline-gnu-perl
- libterm-readline-perl-perl
- libterm-readkey-perl
- libmail-imapclient-perl
- libtime-duration-perl
- libtimedate-perl
- libwww-perl
- libpcre3
- libio-compress-perl
- libreadline-dev
- re2c
- util-linux
- parted
- lshw
- gdisk
- smartmontools
- tcpdump
- telnet
- unhide
- lsof
- hdparm
- groff
- iproute2
- bridge-utils
- vlan
- ethtool
- wipe
- iperf
- mtr
- iptraf
- wget
- logrotate
- rsyslog
- haveged
- rdate
- ntpdate
- wipe
- man
- groff
- iptables
- shellcheck
- ssl-cert
- ssl-cert-check
- git
- ftp
- htop
- net-tools
- lsb-release
- attr
- acl
- quota
- quotatool
- needrestart
- socat
- zsh
- lua5.4
- btrfs-progs
- fdisk
apt_initial_install_xenial:
- apt-transport-https
- dbus
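Review bot: `perl-modules-5.32` in the new `apt_initial_install_bookworm` list is the bullseye Perl; Debian 12 ships Perl 5.36, so the package does not exist there and the whole `apt` task will fail on the first bookworm host unless the name is corrected to `- perl-modules-5.36` (or the line is dropped, since `perl` already depends on the matching modules package). The list looks copied from the bullseye list, so the other version-specific names (`lua5.4` is fine, `ntpdate`, `telnet`, `mime-support`, `iptraf`) are worth checking against bookworm as well. `wipe` and `groff` each appear twice in the list; apt tolerates that, but the duplicates should be removed for readability.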


@ -257,6 +257,26 @@ nis_user:
is_samba_user: true
password: '20_axis_16'
# ---
# Technik
# ---
- name: leah.vauth
groups:
- all-users
- buero-scan
- technik
is_samba_user: true
password: 'cgsRq9-IP.X2'
- name: pierre.ahrent
groups:
- all-users
- buero-scan
- technik
is_samba_user: true
password: 'GYiI3-s/_7wG'
# ---
# Verwaltung
# ---
@ -300,14 +320,6 @@ nis_user:
is_samba_user: true
password: '73_BiBole_29'
- name: pierre.ahrent
groups:
- all-users
- buero-scan
- technik
is_samba_user: true
password: 'GYiI3-s/_7wG'
- name: birgit.erhardt
groups:
- all-users
@ -418,6 +430,7 @@ nis_user:
- name: laura.berner
groups:
- all-users
- betriebsrat
- buero-scan
- bgn
- bgn-finanzen-personal
@ -466,7 +479,6 @@ nis_user:
- all-users
- buero-scan
- technik
- betriebsrat
- mbr-buero
is_samba_user: true
password: '5xp5ll9ar13us!'
@ -498,6 +510,7 @@ nis_user:
- name: felix.mueller
groups:
- all-users
- betriebsrat
- buero-scan
- technik
- mbr-buero
@ -548,7 +561,6 @@ nis_user:
groups:
- all-users
- buero-scan
- betriebsrat
- mbr-buero
is_samba_user: true
password: 't32_aHxV.'
@ -573,6 +585,7 @@ nis_user:
- name: manja.kasten
groups:
- all-users
- betriebsrat
- buero-scan
- mbr-buero
is_samba_user: true
@ -592,7 +605,6 @@ nis_user:
- all-users
- buero-scan
- ag-antisem
- betriebsrat
- mbr-buero
is_samba_user: true
password: 'V1v@H@f3rdr1nk'
@ -600,6 +612,7 @@ nis_user:
- name: michael.sulies
groups:
- all-users
- betriebsrat
- buero-scan
- ag-antisem
- mbr-buero
@ -609,6 +622,7 @@ nis_user:
- name: nina.rink
groups:
- all-users
- betriebsrat
- buero-scan
- mbr-buero
is_samba_user: true
@ -651,6 +665,14 @@ nis_user:
# RIAS Berlin und Bund
# ---
- name: andreas.nowak
groups:
- all-users
- buero-scan
- rias-bund
is_samba_user: true
password: 'N/m3/UM/362b'
- name: alexander.rasumny
groups:
- all-users
@ -863,6 +885,14 @@ nis_user:
is_samba_user: true
password: '3/+v_7AGivxc'
- name: vanessa.gelardo
groups:
- all-users
- buero-scan
- rias-bund
is_samba_user: true
password: 'Vr.6v/4hWZEm'
# ---
# Regishut


@ -0,0 +1,47 @@
---
- name: re-synchronize the package index files from their sources
raw: apt-get update
- name: Ensure aptitude is present
raw: test -e /usr/bin/aptitude || apt-get install aptitude -y
- name: Ensure python3 is present (This is necessary for ansible to work properly)
raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3)
- name: Ensure python-is-python3 is present (This is necessary for ansible to work properly)
raw: test -e /usr/bin/python3 && (apt -y update && apt install -y python-is-python3)
- name: Ensure python-apt-common is present (This is necessary for ansible to work properly)
raw: test -e /usr/bin/python && (apt -y update && apt install -y python-apt-common)
- name: Ensure python-apt is present (This is necessary for ansible to work properly)
raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3-apt)
- name: dpkg --configure -a
command: >
dpkg --configure -a
args:
warn: false
changed_when: _dpkg_configure.stdout_lines | length
register: _dpkg_configure
when: apt_dpkg_configure|bool
tags:
- ansible-dependencies
- name: apt upgrade
apt:
upgrade: "{{ apt_upgrade_type }}"
update_cache: true
dpkg_options: "{{ apt_upgrade_dpkg_options | join(',') }}"
when: apt_upgrade|bool
tags:
- ansible-dependencies
- name: apt install ansible dependencies
apt:
name: "{{ apt_ansible_dependencies }}"
state: "{{ apt_install_state }}"
tags:
- ansible-dependencies
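Review bot: The "Ensure python-apt is present" task tests the wrong file: `test -e /usr/bin/python3 || (... apt install -y python3-apt)` only installs `python3-apt` when python3 is missing, and the task two lines earlier has just made sure python3 exists, so `python3-apt` is never installed and the later `apt:` tasks will fail with a missing python-apt module. Use a check that targets the package itself, e.g. `raw: dpkg -s python3-apt >/dev/null 2>&1 || (apt -y update && apt install -y python3-apt)`. The `python-is-python3` task has the mirror problem: `test -e /usr/bin/python3 && (...)` re-runs the install on every host that has python3, where `test -e /usr/bin/python || (...)` was presumably intended. Separately, `args: warn: false` on the `command` task was removed from the module in ansible-core 2.14, so the play fails on a current controller; the key can simply be dropped.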


@ -96,6 +96,18 @@
- apt-initial-install
- name: (apt.yml) Initial install debian packages (bookworm)
apt:
name: "{{ apt_initial_install_bookworm }}"
state: "{{ apt_install_state }}"
when:
- apt_initial_install_bookworm is defined and apt_initial_install_bookworm|length > 0
- ansible_facts['distribution'] == "Debian"
- ansible_facts['distribution_major_version'] == "12"
tags:
- apt-initial-install
- name: (apt.yml) Initial install ubuntu packages (bionic)
apt:
name: "{{ apt_initial_install_bionic }}"
@ -146,7 +158,7 @@
- apt-microcode
- name: (apt.yml) Install CPU microcode (debian buster/bullseye)
- name: (apt.yml) Install CPU microcode (debian buster/bullseye/bookworm)
apt:
name: "{{ microcode_intel_package }}"
state: present
@ -154,7 +166,7 @@
when:
- apt_debian_contrib_nonfree_enable
- ansible_facts['distribution'] == "Debian"
- ansible_facts['distribution_major_version'] == "10" or ansible_facts['distribution_major_version'] == "11"
- ansible_facts['distribution_major_version'] == "10" or ansible_facts['distribution_major_version'] == "11"or ansible_facts['distribution_major_version'] == "12"
- ansible_facts['processor']|string is search("Intel")
tags:
- apt-initial-install
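Review bot: The extended microcode condition is missing a space before the second `or` (`== "11"or ansible_facts[...]`); whether or not the Jinja lexer happens to tolerate that, it is hard to read and has already grown to three `==` clauses that will need editing again for the next release. The whole line reads better and is less error-prone as `- ansible_facts['distribution_major_version'] in ["10", "11", "12"]`. The new bookworm initial-install task earlier in this file is consistent with its buster/bullseye siblings and raises nothing.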


@ -66,18 +66,20 @@
when:
- ansible_facts['distribution'] == "Debian"
- ansible_distribution_major_version|int >= 11
- ansible_distribution_major_version|int <= 12
- file_etc_pam_d_common_password.stat.exists == True
#- ansible_distribution_major_version|int <= 12
- name: (nis-install-server.yml) Change default password hash for local system accounts from SHA-512 to yescrypt
shell: perl -i -n -p -e "s/^(password.+)yescrypt/\1sha512/" /etc/pam.d/common-password
when:
- ansible_facts['distribution'] == "Debian"
- ansible_facts['distribution_major_version']|int >= 11
- ansible_facts['distribution_major_version']|int <= 12
- file_etc_pam_d_common_password.stat.exists == True
- presence_of_passwprd_hashing_yescrypt is changed
#- ansible_facts['distribution_major_version']|int <= 12
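Review bot: The two added `#- ... <= 12` comment lines only leave a contradictory record if the active upper-bound lines `- ansible_distribution_major_version|int <= 12` and `- ansible_facts['distribution_major_version']|int <= 12` remain, which the +2 line count of this hunk suggests; decide whether bookworm is the last release this applies to and keep exactly one form, either deleting the active bound or deleting the commented copy. The first `when:` block belongs to a task that starts above the hunk. On the lines kept from before: the second task's name says the hash is changed "from SHA-512 to yescrypt", but `s/^(password.+)yescrypt/\1sha512/` replaces yescrypt with sha512, so the name should read `Change default password hash for local system accounts from yescrypt to SHA-512`, and `file_etc_pam_d_common_password.stat.exists == True` is clearer and lint-clean as `- file_etc_pam_d_common_password.stat.exists`.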
# ---
# /etc/default/nis