ansible/nis
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Initial commit

Browse Source
This commit is contained in:
Christoph
2022-02-20 12:07:59 +01:00
commit 42c3774ca6
114 changed files with 27589 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

320
roles/common/tasks/apt.yml Normal file
View File

@ -0,0 +1,320 @@
---
- name: (apt.yml) update configuration file - /etc/apt/sources.list
template:
src: "etc/apt/sources.list.{{ ansible_distribution }}.j2"
dest: /etc/apt/sources.list
owner: root
group: root
mode: 0644
register: apt_config_updated
when:
- ansible_facts['distribution'] == "Debian"
- apt_manage_sources_list|bool
tags:
- apt-configuration
- name: (apt.yml) apt update
apt:
update_cache: true
cache_valid_time: "{{ 0 if apt_config_updated is defined and apt_config_updated.changed else apt_update_cache_valid_time }}"
when: apt_update|bool
tags:
- apt-update
- apt-upgrade
- apt-dpkg-configure
- apt-initial-install
- apt-microcode
- apt-compiler-pkgs
- apt-webserver-pkgs
- name: (apt.yml) dpkg --configure
command: >
dpkg --configure -a
args:
warn: false
changed_when: _dpkg_configure.stdout_lines | length
register: _dpkg_configure
when: apt_dpkg_configure|bool
tags:
- apt-dpkg-configure
- apt-initial-install
- apt-microcode
- apt-compiler-pkgs
- apt-webserver-pkgs
- name: (apt.yml) apt upgrade
apt:
upgrade: "{{ apt_upgrade_type }}"
update_cache: true
dpkg_options: "{{ apt_upgrade_dpkg_options | join(',') }}"
when: apt_upgrade|bool
tags:
- apt-upgrade
- apt-initial-install
- apt-microcode
- apt-compiler-pkgs
- apt-webserver-pkgs
- name: (apt.yml) Initial install debian packages (stretch)
apt:
name: "{{ apt_initial_install_stretch }}"
state: "{{ apt_install_state }}"
when:
- apt_initial_install_stretch is defined and apt_initial_install_stretch|length > 0
- ansible_facts['distribution'] == "Debian"
- ansible_facts['distribution_major_version'] == "9"
tags:
- apt-initial-install
- name: (apt.yml) Initial install debian packages (buster)
apt:
name: "{{ apt_initial_install_buster }}"
state: "{{ apt_install_state }}"
when:
- apt_initial_install_buster is defined and apt_initial_install_buster|length > 0
- ansible_facts['distribution'] == "Debian"
- ansible_facts['distribution_major_version'] == "10"
tags:
- apt-initial-install
- name: (apt.yml) Initial install debian packages (bullseye)
apt:
name: "{{ apt_initial_install_bullseye }}"
state: "{{ apt_install_state }}"
when:
- apt_initial_install_bullseye is defined and apt_initial_install_bullseye|length > 0
- ansible_facts['distribution'] == "Debian"
- ansible_facts['distribution_major_version'] == "11"
tags:
- apt-initial-install
- name: (apt.yml) Initial install ubuntu packages (bionic)
apt:
name: "{{ apt_initial_install_bionic }}"
state: "{{ apt_install_state }}"
when:
- ansible_facts['distribution'] == "Ubuntu"
- ansible_facts['distribution_release'] == "bionic"
tags:
- apt-initial-install
- name: (apt.yml) Initial install ubuntu packages (xenial)
apt:
name: "{{ apt_initial_install_xenial }}"
state: "{{ apt_install_state }}"
when:
- ansible_facts['distribution'] == "Ubuntu"
- ansible_facts['distribution_release'] == "xenial"
tags:
- apt-initial-install
# ---
# Microcode
# ---
- name: (apt.yml) Ensure we have CPU microcode from backports for Intel CPU (debian stretch)
apt:
name: "{{ microcode_intel_package }}"
state: present
default_release: "{{ ansible_distribution_release }}-backports"
when:
- apt_backports_enable
- ansible_facts['distribution'] == "Debian"
- ansible_facts['distribution_major_version'] == "9"
- ansible_facts['processor']|string is search("Intel")
tags:
- apt-initial-install
- apt-microcode
- name: (apt.yml) Install CPU microcode (debian buster/bullseye)
apt:
name: "{{ microcode_intel_package }}"
state: present
default_release: "{{ ansible_distribution_release }}"
when:
- apt_debian_contrib_nonfree_enable
- ansible_facts['distribution'] == "Debian"
- ansible_facts['distribution_major_version'] == "10" or ansible_facts['distribution_major_version'] == "11"
- ansible_facts['processor']|string is search("Intel")
tags:
- apt-initial-install
- apt-microcode
- name: (apt.yml) Install CPU microcode for AMD CPU (debian buster)
apt:
name: "{{ microcode_amd_package }}"
state: present
default_release: "{{ ansible_distribution_release }}"
when:
- apt_debian_contrib_nonfree_enable
- ansible_facts['distribution'] == "Debian"
- ansible_facts['distribution_major_version'] == "10"
- ansible_facts['processor']|string is search("AMD")
tags:
- apt-initial-install
- apt-microcode
- name: (apt.yml) Install CPU microcode for Intel CPU (ubuntu bionic)
apt:
name: "{{ microcode_intel_package }}"
state: present
default_release: "{{ ansible_distribution_release }}"
when:
- ansible_facts['distribution'] == "Ubuntu"
- ansible_facts['distribution_release'] == "bionic"
- ansible_facts['processor']|string is search("Intel")
tags:
- apt-initial-install
- apt-microcode
- name: (apt.yml) Install CPU microcode for AMD CPU (ubuntu bionic)
apt:
name: "{{ microcode_amd_package }}"
state: present
default_release: "{{ ansible_distribution_release }}"
when:
- apt_debian_contrib_nonfree_enable
- ansible_facts['distribution'] == "Ubuntu"
- ansible_facts['distribution_release'] == "bionic"
- ansible_facts['processor']|string is search("AMD")
tags:
- apt-initial-install
- apt-microcode
- name: (apt.yml) Install CPU microcode for Intel CPU (ubuntu xenial)
apt:
name: "{{ microcode_intel_package }}"
state: present
default_release: "{{ ansible_distribution_release }}"
when:
- ansible_facts['distribution'] == "Ubuntu"
- ansible_facts['distribution_release'] == "xenial"
- ansible_facts['processor']|string is search("Intel")
tags:
- apt-initial-install
- apt-microcode
- name: (apt.yml) Install CPU microcode for Intel AMD (ubuntu xenial)
apt:
name: "{{ microcode_amd_package }}"
state: present
default_release: "{{ ansible_distribution_release }}"
when:
- apt_debian_contrib_nonfree_enable
- ansible_facts['distribution'] == "Ubuntu"
- ansible_facts['distribution_release'] == "xenial"
- ansible_facts['processor']|string is search("AMD")
tags:
- apt-initial-install
- apt-microcode
# ---
# Firmware
# ---
- name: (apt.yml) Install Firmware packages (Ubuntu)
apt:
name: "{{ firmware_packages_ubuntu }}"
state: present
default_release: "{{ ansible_distribution_release }}"
when:
- ansible_facts['distribution'] == "Ubuntu"
tags:
- apt-initial-install
- apt-firmware
- name: (apt.yml) Install Firmware packages (Debian)
apt:
name: "{{ firmware_packages_debian }}"
state: present
default_release: "{{ ansible_distribution_release }}"
when:
- ansible_facts['distribution'] == "Debian"
tags:
- apt-initial-install
- apt-firmware
- name: (apt.yml) Install non-free Firmware packages (Debian)
apt:
name: "{{ firmware_non_free_packages_debian }}"
state: present
default_release: "{{ ansible_distribution_release }}"
when:
- ansible_facts['distribution'] == "Debian"
- apt_debian_contrib_nonfree_enable
tags:
- apt-initial-install
- apt-firmware
# ---
# unwanted packages
# ---
- name: (apt.yml) Remove unwanted packages
apt:
name: "{{ apt_remove }}"
state: absent
purge: "{{ apt_remove_purge }}"
tags:
- apt-remove
- name: (apt.yml) Remove unwanted packages Ubuntu bionic
apt:
name: "{{ apt_remove_bionic }}"
state: absent
purge: "{{ apt_remove_purge }}"
when:
- ansible_facts['distribution'] == "Ubuntu"
- ansible_facts['distribution_release'] == "bionic"
tags:
- apt-remove
- name: (apt.yml) Remove unwanted packages Ubuntu xenial
apt:
name: "{{ apt_remove_xenial }}"
state: absent
purge: "{{ apt_remove_purge }}"
when:
- ansible_facts['distribution'] == "Ubuntu"
- ansible_facts['distribution_release'] == "xenial"
tags:
- apt-remove
- name: (apt.yml) autoremove
apt:
autoremove: true
dpkg_options: "{{ apt_upgrade_dpkg_options | join(',') }}"
when: apt_autoremove|bool
tags:
- apt-autoremove
- apt-initial-install
- apt-microcode
- name: (apt.yml) clean
command: apt-get -y clean
args:
warn: false
changed_when: false
when: apt_clean|bool
tags:
- apt-clean
- apt-initial-install
- apt-microcode

105
roles/common/tasks/basic.yml Normal file
View File

@ -0,0 +1,105 @@
---
- name: (basic.yml) Ensure timezone is is correct
timezone: name={{ time_zone }}
tags:
- timezone
- name: (basic.yml) Ensure locales are present
locale_gen:
name: "{{ item }}"
state: present
with_items: "{{ locales }}"
tags:
- locales
- name: (basic.yml) Create a symbolic link /bin/sh -> bash
file:
src: bash
dest: /bin/sh
owner: root
group: root
state: link
when:
- "groups['file_server']|string is search(inventory_hostname)"
tags:
- symlink-sh
- name: (basic.yml) Check file '/etc/systemd/system.conf' exists
stat:
path: /etc/systemd/system
register: etc_systemd_system_conf
when:
- set_default_limit_nofile|bool == true
- name: (basic.yml) Change DefaultLimitNOFILE to 1048576
lineinfile:
dest: /etc/systemd/system.conf
state: present
regexp: '^DefaultLimitNOFILE'
line: 'DefaultLimitNOFILE=1048576'
insertafter: '^#DefaultLimitNOFILE'
when:
- set_default_limit_nofile|bool == true
- etc_systemd_system_conf.stat.exists == true
tags:
- systemd-nofiles
- name: (basic.yml) Check file '/etc/security/limits.conf.ORIG' exists
stat:
path: /etc/security/limits.conf.ORIG
register: etc_security_limits_conf_ORIG
tags:
- limits-conf
- name: (basic.yml) Backup installation version of file '/etc/security/limits.conf'
command: cp -a /etc/security/limits.conf /etc/security/limits.conf.ORIG
when: etc_security_limits_conf_ORIG.stat.exists == False
tags:
- limits-conf
- name: (basic.yml) Create new sshd_config from template limits.conf.j2
template:
src: etc/security/limits.conf.j2
dest: /etc/security/limits.conf
owner: root
group: root
mode: 0644
tags:
- limits-conf
# - /etc/hosts
- name: (basic.yml) Check file '/etc/hosts.ORIG' exists
stat:
path: /etc/hosts.ORIG
register: etc_hosts_ORIG
when:
- "groups['file_server']|string is search(inventory_hostname)"
tags:
- etc_hosts
- name: (basic.yml) Backup installation version of file '/etc/hosts'
command: cp -a /etc/hosts /etc/hosts.ORIG
when:
- "groups['file_server']|string is search(inventory_hostname)"
- etc_hosts_ORIG.stat.exists == False
tags:
- etc_hosts
- name: (basic.yml) addjust '/etc/hosts' add nis-server ..
lineinfile:
path: /etc/hosts
regexp: '^192\.168\.'
line: '{{ nis_server_address }} {{ nis_server_name }} {{ nis_server_name.split(".")[0] }}'
when:
- "groups['nis_server']|string is search(inventory_hostname)"
tags:
- etc_hosts

152
roles/common/tasks/cups-install.yml Normal file
View File

@ -0,0 +1,152 @@
---
# ---
# Cups Server
# ---
- name: (cups-install.yml) Ensure CUPS packages server (buster) are installed.
package:
pkg: '{{ apt_install_server_cups_buster }}'
state: present
when:
- ansible_facts['distribution'] == "Debian"
- ansible_facts['distribution_major_version'] == "10"
tags:
- cups-server
# ---
# Cups clients
# ---
- name: (cups.yml) Ensure CUPS packages clients are installed.
package:
pkg: "{{ apt_install_client_cups }}"
state: present
when:
- ansible_distribution_version == "18.04"
- ansible_architecture == "x86_64"
tags:
- cups-client
# -- file /etc/cups/cups-browsed.conf
- name: (cups.yml) Check if file '/etc/cups/cups-browsed.conf.ORIGi' exists
stat:
path: /etc/cups/cups-browsed.conf.ORIG
register: cups_browsed_conf_orig_exists
tags:
- cups-server
- cups-client
- name: (cups.yml) Backup /etc/cups/cups-browsed.conf file
command: cp /etc/cups/cups-browsed.conf /etc/cups/cups-browsed.conf.ORIG
when: cups_browsed_conf_orig_exists.stat.exists == False
tags:
- cups-server
- cups-client
- name: (cups.yml) update configuration file server - /etc/cups/cups-browsed.conf
template:
src: "etc/cups/cups-browsed.conf.server.j2"
dest: /etc/cups/cups-browsed.conf
owner: root
group: root
mode: 0644
notify:
Restart cups-browsed
when:
- groups['file_server']|string is search(inventory_hostname)
tags:
- cups-server
- name: (cups.yml) update configuration file client - /etc/cups/cups-browsed.conf
template:
src: "etc/cups/cups-browsed.conf.client.j2"
dest: /etc/cups/cups-browsed.conf
owner: root
group: root
mode: 0644
notify:
Restart cups-browsed
when:
- groups['client_pc']|string is search(inventory_hostname)
tags:
- cups-client
# -- file /etc/cups/cupsd.conf
- name: (cups.yml) Check if file '/etc/cups/cupsd.conf.ORIG' exists
stat:
path: /etc/cups/cupsd.conf.ORIG
register: cupsd_conf_orig_exists
tags:
- cups-server
- cups-client
- name: (cups.yml) Backup /etc/cups/cupsd.conf file
command: cp /etc/cups/cupsd.conf /etc/cups/cupsd.conf.ORIG
when: cupsd_conf_orig_exists.stat.exists == False
tags:
- cups-server
- cups-client
- name: (cups.yml) update configuration file server - /etc/cups/cupsd.conf
template:
src: "etc/cups/cupsd.conf.server.j2"
dest: /etc/cups/cupsd.conf
owner: root
group: root
mode: 0644
notify:
Restart cups
when:
- groups['file_server']|string is search(inventory_hostname)
tags:
- cups-server
- name: (cups.yml) update configuration file client - /etc/cups/cupsd.conf
template:
src: "etc/cups/cupsd.conf.client.j2"
dest: /etc/cups/cupsd.conf
owner: root
group: root
mode: 0644
notify:
Restart cups
when:
- groups['client_pc']|string is search(inventory_hostname)
tags:
- cups-server
# -- file /etc/cups/cups-files.conf
- name: (cups.yml) Check if file '/etc/cups/cups-files.conf.ORIGi' exists
stat:
path: /etc/cups/cups-files.conf.ORIG
register: cups_files_conf_orig_exists
tags:
- cups-server
- cups-client
- name: (cups.yml) Backup /etc/cups/cups-files.conf file
command: cp /etc/cups/cups-files.conf /etc/cups/cups-files.conf.ORIG
when: cups_files_conf_orig_exists.stat.exists == False
tags:
- cups-server
- cups-client
- name: (cups.yml) update configuration file server - /etc/cups/cups-files.conf
template:
src: "etc/cups/cups-files.conf.j2"
dest: /etc/cups/cups-files.conf
owner: root
group: root
mode: 0644
notify:
Restart cups
tags:
- cups-server
- cups-client

66
roles/common/tasks/git.yml Normal file
View File

@ -0,0 +1,66 @@
---
# ---
# Default reposotories
# ---
- name: (git.yml) Install/Update default repositories
git:
repo: '{{ item.repo }}'
dest: '{{ item.dest }}'
with_items: '{{ git_default_repositories }}'
loop_control:
label: "{{ item.name }}"
tags:
- git-default-repositories
# ---
# Group [file_server] reposotories
# ---
- name: (git.yml) Install/Update file_server repositories
git:
repo: '{{ item.repo }}'
dest: '{{ item.dest }}'
with_items: '{{ git_oopen_server_repositories }}'
loop_control:
label: "{{ item.name }}"
when: "groups['file_server']|string is search(inventory_hostname)"
tags:
- git-file-server-repositories
# ---
# Group [samba_server] reposotories
# ---
- name: (git.yml) Install/Update samba server repositories
git:
repo: '{{ item.repo }}'
dest: '{{ item.dest }}'
with_items: '{{ git_samba_repositories }}'
loop_control:
label: "{{ item.name }}"
when: "groups['samba_server']|string is search(inventory_hostname)"
ignore_errors: True
tags:
- git-samba-server-repositories
# ---
# Group [gateway_server] reposotories
# ---
- name: (git.yml) Install/Update gateway repositories
git:
repo: '{{ item.repo }}'
dest: '{{ item.dest }}'
with_items: '{{ git_gateway_repositories }}'
loop_control:
label: "{{ item.name }}"
when: "groups['gateway_server']|string is search(inventory_hostname)"
tags:
- git-gateway-server-repositories

6
roles/common/tasks/luks.yml Normal file
View File

@ -0,0 +1,6 @@
- name: (luks.ym) add new key to the LUKS container (container has to exist)
luks_device:
device: "{{ luks_device }}"
keyfile: "{{ role_path + '/files/vault/luks_default_passwd' }}"
new_keyfile: "{{ role_path + '/files/vault/luks_chris_passwd' }}"

254
roles/common/tasks/main.yml Normal file
View File

@ -0,0 +1,254 @@
---
# tags supported inside basic.yml
#
# timezone
# locales
# systemd-nofiles
- import_tasks: basic.yml
tags:
- basic
# tags supported inside sshd.yml
#
# sshd-config
- import_tasks: sshd.yml
tags: sshd
# tags supported inside apt.yml
#
# apt-update
# apt-upgrade
# apt-dpkg-configure
# apt-initial-install
# apt-microcode
# apt-remove
# apt-autoremove
# apt-clean
- import_tasks: apt.yml
tags: apt
# tags supportetd inside git.yml
#
# git-default-repositories
# git-file-server-repositories
# git-gateway-server-repositories
- import_tasks: git.yml
tags: git
# tags supported inside nis-user.yml:
#
# nis-user
- import_tasks: nis-user.yml
when: "groups['nis_server']|string is search(inventory_hostname)"
tags:
- nis-user
# tags supported inside ntp.yml:
#
# ntp-server
- import_tasks: ntp.yml
tags:
- ntp
# tags supported inside cups-install.yml:
#
# cups-server
# cups-client
- import_tasks: cups-install.yml
tags:
- cups
# tags supported inside pure-ftpd-install.yml:
#
- import_tasks: pure-ftpd-install.yml
when:
- groups['ftp_server']|string is search(inventory_hostname)
tags:
- pure-ftpd
# tags supported inside nfs.yml:
#
# nfs-server
# nfs-client
- import_tasks: nfs.yml
tags:
- nfs
# tags supported inside samba-install.yml:
#
# samba-server
# samba-client
- import_tasks: samba-install.yml
tags:
- samba-install
- samba
# tags supported inside samba-remove-user.yml:
#
- import_tasks: samba-remove-user.yml
tags:
- samba-remove-user
# tags supported inside system-remove-user.yml:
#
- import_tasks: system-remove-user.yml
tags:
- system-remove-user
# tags supported inside system-user.yml:
#
# system-user
- import_tasks: system-user.yml
when: "groups['file_server']|string is search(inventory_hostname)"
tags:
- system-user
# tags supported inside nis-install-server.yml:
#
# nis-install-server
- import_tasks: nis-install-server.yml
when: "groups['nis_server']|string is search(inventory_hostname)"
tags:
- nis-install
- nis-install-server
# tags supported inside nis-install-client.yml:
#
# nis-install-client
- import_tasks: nis-install-client.yml
when: "groups['nis_client']|string is search(inventory_hostname)"
tags:
- nis-install
- nis-install-client
# tags supported inside samba-user.yml:
#
# samba-user
- import_tasks: samba-user.yml
when: "groups['samba_server']|string is search(inventory_hostname)"
tags:
- nis-samba-user
# tags supported system-user-systemfiles.yml:
#
# profile
# bashrc
# vimrc
- import_tasks: system-user-systemfiles.yml
when: "groups['file_server']|string is search(inventory_hostname)"
tags:
- user-systemfiles
# tags supported nis-user-systemfiles.yml:
#
# profile
# bashrc
# vimrc
- import_tasks: nis-user-systemfiles.yml
when: "groups['nis_server']|string is search(inventory_hostname)"
tags:
- user-systemfiles
- nis-user-systemfiles
# tags supported root-files-scripts.yml:
# wakeup_lan
- import_tasks: root-files-scripts.yml
tags:
- root-files-scripts
# tags supported inside sudoers-pc.yml:
#
# sudoers-remove
# sudoers-file-configuration
# sudoers-global-configuration
- import_tasks: sudoers-pc.yml
when: "groups['client_pc']|string is search(inventory_hostname)"
tags:
- sudoers
# tags supported inside sudoers-server.yml:
#
# sudoers-remove
# sudoers-file-configuration
# sudoers-global-configuration
- import_tasks: sudoers-server.yml
when: "groups['file_server']|string is search(inventory_hostname)"
tags:
- sudoers
# tags supported inside mount_samba_shares.yml:
#
#- import_tasks: mount_samba_shares.yml
# when: "groups['client_pc']|string is search(inventory_hostname)"
# tags:
# - samba-shares
# Tasks: Configure VNC (x11vnc) for Ubuntu systems
#
# Supported OS:
# - Ubuntu 16.04LTSi
# - Ubuntu 18.04LTSi
- name: "For OS: Ubuntu 16.04LTS, Arch: amd64"
import_tasks: ubuntu-x11vnc-1604-amd64.yml
when:
- ansible_distribution_version == "16.04"
- ansible_architecture == "x86_64"
tags:
- x11vnc
- x11vnc-1604
- finish-client-install
- name: "For OS: Ubuntu 18.04LTS, Arch: amd64"
import_tasks: ubuntu-x11vnc-1804-amd64.yml
when:
- ansible_distribution_version == "18.04"
- ansible_architecture == "x86_64"
tags:
- x11vnc
- x11vnc-1804
- finish-client-install
- name: "For OS: Ubuntu 20.04LTS, Arch: amd64"
import_tasks: ubuntu-x11vnc-2004-amd64.yml
when:
- ansible_distribution_version == "20.04"
- ansible_architecture == "x86_64"
tags:
- x11vnc
- x11vnc-2004
- finish-client-install
#- name: "Configure LUKS"
# import_tasks: luks.yml
# when: "groups['client_pc']|string is search(inventory_hostname)"
# tags:
# - luks

28
roles/common/tasks/mount_samba_shares.yml Normal file
View File

@ -0,0 +1,28 @@
---
- name: (mount_samba_shares.yml) Ensure (user separated) base mount directories for samba shares exists
file:
path: "/mnt/{{ item.name }}"
owner: "{{ item.name }}"
group: "{{ item.name }}"
mode: '0700'
state: directory
with_items: "{{ nis_user }}"
loop_control:
label: '{{ item.name }}'
when:
- item.is_samba_user is defined and item.is_samba_user|bool
- name: (mount_samba_shares.yml) Ensure (user separated) mount directories for samba shares exists
file:
path: "/mnt/{{ item.1 }}/{{ item.0.name }}"
owner: "{{ item.1 }}"
group: "{{ item.1 }}"
mode: '0770'
state: directory
with_subelements:
- "{{ samba_shares }}"
- user
loop_control:
label: '{{ item.1 }} share: {{ item.0.name }}'

96
roles/common/tasks/nfs.yml Normal file
View File

@ -0,0 +1,96 @@
---
# ---
# NFS Server
# ---
- name: (nfs.yml) Ensure NFS utilities (server) are installed.
apt:
name:
- nfs-common
- nfs-kernel-server
state: present
when:
- ansible_os_family == "Debian"
- "groups['nfs_server']|string is search(inventory_hostname)"
tags:
- nfs-server
- name: (nfs.yml) Ensure directories to export exist
file:
path: '{{ item.src.split(":")[1] }}'
owner: root
group: root
mode: '0755'
state: directory
with_items: "{{ nfs_exports }}"
loop_control:
label: '{{ item.path }}'
when:
- "groups['nfs_server']|string is search(inventory_hostname)"
tags:
- nfs-server
- name: (nfs.yml) Copy exports file.
template:
src: etc/exports.j2
dest: /etc/exports
owner: root
group: root
mode: 0644
when:
- "groups['nfs_server']|string is search(inventory_hostname)"
notify: Reload nfs
tags:
- nfs-server
- name: Enable service rpc-statd and ensure it is not masked
systemd:
name: rpc-statd
enabled: yes
masked: no
when:
- "groups['nfs_server']|string is search(inventory_hostname)"
- name: Make sure service rpc-statd is running
systemd:
state: started
name: rpc-statd
when:
- "groups['nfs_server']|string is search(inventory_hostname)"
tags:
- nfs-server
# ---
# NFS clients
# ---
- name: (nfs.yml) Ensure NFS utilities (clients) are installed.
apt:
pkg: nfs-common
state: present
when:
- ansible_os_family == "Debian"
- "groups['nfs_client']|string is search(inventory_hostname)"
tags:
- nfs-client
- name: (nfs.yml) NFS Mount exports from nfs server
mount:
path: "{{ item.path }}"
src: "{{ item.src }}"
fstype: nfs
opts: "{{ item.mount_opts }}"
dump: "{{ item.dump | default(omit) }}"
passno: "{{ item.passno | default(omit) }}"
state: mounted
loop: "{{ nfs_exports }}"
loop_control:
label: '{{ item.src }}'
when:
- "groups['nfs_client']|string is search(inventory_hostname)"
tags:
- nfs-client

312
roles/common/tasks/nis-install-client.yml Normal file
View File

@ -0,0 +1,312 @@
---
# ---
# Install nis
# ---
- name: (nis-install-client.yml) Set (nis) default domain (/etc/defaultdomain)
template:
dest: /etc/defaultdomain
src: etc/defaultdomain.j2
owner: root
group: root
mode: 0644
tags:
- nis-install
- nis-install-client
- name: (nis-install-client.yml) Create preconfigured /etc/yp.conf on nis clients
template:
dest: /etc/yp.conf
src: etc/yp.conf.j2
owner: root
group: root
mode: 0644
tags:
- nis-install
- nis-install-client
- name: (nis-install-client.yml) Install nis common packages
package:
name: "{{ item }}"
state: present
with_items: "{{ nis_common_packages }}"
tags:
- nis-install
- nis-install-client
# ---
# /etc/default/nis
# ---
- name: (nis-install-client.yml) Check if file '/etc/default/nis.ORIG' exists
stat:
path: /etc/default/nis.ORIG
register: default_nis_exists
tags:
- nis-install
- nis-install-client
- name: (nis-install-client.yml) Backup existing file /etc/default/nis
command: cp -a /etc/default/nis /etc/default/nis.ORIG
when:
- default_nis_exists.stat.exists == False
tags:
- nis-install
- nis-install-client
- name: (nis-install-client.yml) Adjust file /etc/default/nis - set 'NISSERVER' (client)
replace:
path: /etc/default/nis
regexp: '^NISSERVER=.*'
replace: 'NISSERVER=false'
tags:
- nis-install
- nis-install-client
- name: (nis-install-client.yml) Adjust file /etc/default/nis - set 'NISCLIENT' (client)
replace:
path: /etc/default/nis
regexp: '^NISCLIENT=.*'
replace: 'NISCLIENT=true'
tags:
- nis-install
- nis-install-client
- name: (nis-install-client.yml) Adjust file /etc/default/nis - set 'YPBINDARGS' (client)
replace:
path: /etc/default/nis
regexp: '^YPBINDARGS=.*'
replace: 'YPBINDARGS='
tags:
- nis-install
- nis-install-client
# ---
# /etc/{passwd,group,shadow}
# ---
- name: (nis-install-client.yml) Add '+::::::' to file /etc/passwd
lineinfile:
path: /etc/passwd
line: '+::::::'
insertafter: EOF
state: present
owner: root
group: root
mode: '0644'
when: "ansible_distribution_major_version|int < 18"
tags:
- nis-install
- nis-install-client
- name: (nis-install-client.yml) Add '+:::' to file /etc/group
lineinfile:
path: /etc/group
line: '+:::'
insertafter: EOF
state: present
owner: root
group: root
mode: '0644'
when: "ansible_distribution_major_version|int < 18"
tags:
- nis-install
- nis-install-client
- name: (nis-install-client.yml) Add '+::::::::' to file /etc/shadow
lineinfile:
path: /etc/shadow
line: '+::::::::'
insertafter: EOF
state: present
owner: root
group: shadow
mode: '0640'
when: "ansible_distribution_major_version|int < 18"
tags:
- nis-install
- nis-install-client
# ---
# /etc/hosts
# ---
- name: (nis-install-client.yml) Check if file '/etc/hosts.ORIG' exists
stat:
path: /etc/hosts.ORIG
register: etc_hosts_orig_exists
tags:
- nis-install
- nis-install-client
- name: (nis-install-client.yml) Backup existing file /etc/hosts
command: cp -a /etc/hosts /etc/hosts.ORIG
when:
- etc_hosts_orig_exists.stat.exists == False
tags:
- nis-install
- nis-install-client
- name: (nis-install-client.yml) Add nis-server to file /etc/hosts
lineinfile:
path: /etc/hosts
line: '{{ nis_server_address }} {{ nis_server_name }} {{ nis_server_name.split(".")[0] }}'
insertafter: EOF
state: present
owner: root
group: root
mode: '0644'
tags:
- nis-install
- nis-install-client
# ---
# /etc/nsswitch.conf
# ---
- name: (nis-install-client.yml) Check if file '/etc/nsswitch.conf.ORIG' exists
stat:
path: /etc/nsswitch.conf.ORIG
register: nsswitch_conf_orig_exists
tags:
- nis-install
- nis-install-client
- name: (nis-install-client.yml) Backup existing file /etc/nsswitch.conf
command: cp -a /etc/nsswitch.conf /etc/nsswitch.conf.ORIG
when:
- nsswitch_conf_orig_exists.stat.exists == False
tags:
- nis-install
- nis-install-client
- name: (nis-install-client.yml) Adjust file /etc/nsswitch.conf (set hosts)
replace:
path: /etc/nsswitch.conf
regexp: '(hosts:\s+files)\s+((?!nis).*)$'
replace: '\1 nis \2'
tags:
- nis-install
- nis-install-client
- name: (nis-install-client.yml) Adjust file /etc/nsswitch.conf (set passwd/group/shadow)
replace:
path: /etc/nsswitch.conf
regexp: '^({{ item }}:\s+((?!nis).)*)$'
replace: '\1 nis'
with_items:
- passwd
- group
- shadow
tags:
- nis-install
- nis-install-client
# ---
# /etc/systemd/system/systemd-logind.service.d/nis_allow_network.conf
# ---
# - !! Using NIS client in Ubuntu 18.04 crashes both Gnome and Unity !!
# - ===================================================================
#
# - Unter NIS in Ubuntu 18.04 stütrzt Gnome und Unity ab
# -
# - Abhilfe schafft:
# -
#
# - Create a new directory in /etc/systemd/system/ named exactly after the
# - service you want to extend including a '.d', here this would be:
# - systemd-logind.service.d
# -
# - mkdir /etc/systemd/system/systemd-logind.service.d
#
# - Create a new file choose_an_appropriate_name.conf (e.g. nis_allow_network.conf)
# - inside the newly created directory with the following content, which specifies
# - the IP or IP range you want to be allowed:
# -
# - cat <<EOF > /etc/systemd/system/systemd-logind.service.d/nis_allow_network.conf
# - [Service]
# - IPAddressAllow=192.168.0.0/16
# - EOF
# -
# - systemctl daemon-reload
# - systemctl restart systemd-logind.service
- name: (nis-install-client.yml) Ensure directory /etc/systemd/system/systemd-logind.service.d exists
file:
path: /etc/systemd/system/systemd-logind.service.d
owner: root
group: root
mode: '0755'
state: directory
when: "ansible_distribution_major_version|int >= 18"
tags:
- nis-install
- nis-install-client
- name: (nis-install-client.yml) Ensure file /files/etc/systemd/system/systemd-logind.service.d/nis_allow_network.conf exists
copy:
src: "{{ role_path + '/files/etc/systemd/system/systemd-logind.service.d/nis_allow_network.conf' }}"
dest: /etc/systemd/system/systemd-logind.service.d/nis_allow_network.conf
owner: root
group: root
mode: '0755'
when: "ansible_distribution_major_version|int >= 18"
notify:
- Restart systemd-logind.service
tags:
- nis-install
- nis-install-client
# - Seit Ubuntu 16.04 startet nis vor dem portmapper (rpcbind). Das Starten
# - schlägt deshalb fehl und nis steht nicht zur Verfügung.
# -
# - Abhilfe:
# -
# - Run "systemctl edit rpcbind.socket" and add the following:
# -
# - [Unit]
# - DefaultDependencies=no
# - Wants=rpcbind.target
# - Before=rpcbind.target
# -
# - You can see your changes:
# - cat /etc/systemd/system/rpcbind.socket.d/override.conf
- name: (nis-install-client.yml) Ensure directory /etc/systemd/system/rpcbind.socket.d exists
file:
path: /etc/systemd/system/rpcbind.socket.d
owner: root
group: root
mode: '0755'
state: directory
when: "ansible_distribution_major_version|int >= 16"
tags:
- nis-install
- nis-install-client
- name: (nis-install-client.yml) Ensure file /files/etc/systemd/system/rpcbind.socket.d/override.conf exists
copy:
src: "{{ role_path + '/files/etc/systemd/system/rpcbind.socket.d/override.conf' }}"
dest: /etc/systemd/system/rpcbind.socket.d/override.conf
owner: root
group: root
mode: '0755'
when: "ansible_distribution_major_version|int >= 16"
notify:
- Restart rpcbind
tags:
- nis-install
- nis-install-client
# TODO:
# /etc/systemd/system/systemd-logind.service.d/nis_allow_network.conf
# /etc/systemd/system/rpcbind.socket.d/override.conf

268
roles/common/tasks/nis-install-server.yml Normal file
View File

@ -0,0 +1,268 @@
---
# ---
# Install nis
# ---
- name: (nis-install-server.yml) Install nis common packages
package:
name: "{{ item }}"
state: present
with_items: "{{ nis_common_packages }}"
register: nis_installed
tags:
- nis-install
- nis-install-server
- name: (nis-install-server.yml) Set (nis) default domain (/etc/defaultdomain)
template:
dest: /etc/defaultdomain
src: etc/defaultdomain.j2
owner: root
group: root
mode: 0644
tags:
- nis-install
- nis-install-server
- name: (nis-install-server.yml) Create preconfigured /etc/yp.conf on nis clients
template:
dest: /etc/yp.conf
src: etc/yp.conf.j2
owner: root
group: root
mode: 0644
tags:
- nis-install
- nis-install-client
# ---
# Since Debian 11 (bullseye) password hashing uses 'yescrypt' by default.
#
# Note:
# 'yescrypt' is not supported by Debian 10 (buster) nor by Ubuntu 18.04 and smaller
#
# ---
- name: (nis-install-server.yml) Check if file '/etc/pam.d/common-password' exists
stat:
path: /etc/pam.d/common-password
register: file_etc_pam_d_common_password
tags:
- nis-install
- nis-install-server
when:
- ansible_facts['distribution'] == "Debian"
- ansible_facts['distribution_major_version']|int >= 11
- name: (nis-install-server.yml) Check if default hash for password is 'yescrypt'
shell: "grep -i -q -E '^password.+yescrypt' /etc/pam.d/common-password"
register: presence_of_passwprd_hashing_yescrypt
changed_when:
- presence_of_passwprd_hashing_yescrypt.rc < 1
failed_when:
- presence_of_passwprd_hashing_yescrypt.rc >= 2
when:
- ansible_facts['distribution'] == "Debian"
- ansible_distribution_major_version|int >= 11
- ansible_distribution_major_version|int <= 12
- file_etc_pam_d_common_password.stat.exists == True
- name: (nis-install-server.yml) Change default password hash for local system accounts from SHA-512 to yescrypt
shell: perl -i -n -p -e "s/^(password.+)yescrypt/\1sha512/" /etc/pam.d/common-password
when:
- ansible_facts['distribution'] == "Debian"
- ansible_facts['distribution_major_version']|int >= 11
- ansible_facts['distribution_major_version']|int <= 12
- file_etc_pam_d_common_password.stat.exists == True
- presence_of_passwprd_hashing_yescrypt is changed
# ---
# /etc/default/nis
# ---
- name: (nis-install-server.yml) Check if file '/etc/default/nis.ORIG' exists
stat:
path: /etc/default/nis.ORIG
register: default_nis_exists
tags:
- nis-install
- nis-install-server
- name: (nis-install-server.yml) Backup existing file /etc/default/nis
command: cp -a /etc/default/nis /etc/default/nis.ORIG
when:
- default_nis_exists.stat.exists == False
tags:
- nis-install
- nis-install-server
- name: (nis-install-server.yml) Adjust file /etc/default/nis - set 'NISSERVER' (server)
replace:
path: /etc/default/nis
regexp: '^NISSERVER=.*'
replace: 'NISSERVER=master'
tags:
- nis-install
- nis-install-server
- name: (nis-install-server.yml) Adjust file /etc/default/nis - set 'NISCLIENT' (server)
replace:
path: /etc/default/nis
regexp: '^NISCLIENT=.*'
replace: 'NISCLIENT=false'
tags:
- nis-install
- nis-install-server
# ---
# /etc/ypserv.securenets
# ---
- name: (nis-install-server.yml) Check if file '/etc/ypserv.securenets.ORIG' exists
stat:
path: /etc/ypserv.securenets.ORIG
register: ypserv_securenets_orig_exists
tags:
- nis-install
- nis-install-server
- name: (nis-install-server.yml) Backup existing file /etc/ypserv.securenets
command: cp -a /etc/ypserv.securenets /etc/ypserv.securenets.ORIG
when:
- ypserv_securenets_orig_exists.stat.exists == False
tags:
- nis-install
- nis-install-server
- name: (nis-install-server.yml) Comment line like '0.0.0.0 ..' to file /etc/ypserv.securenets
replace:
path: /etc/ypserv.securenets
regexp: '^(0.0.0.0\s+.*)'
replace: '#\1'
tags:
- nis-install
- nis-install-server
- name: (nis-install-server.yml) Add '255.255.0.0 192.168.0.0' to file /etc/ypserv.securenets
lineinfile:
path: /etc/ypserv.securenets
line: '255.255.0.0 192.168.0.0'
insertafter: EOF
state: present
owner: root
group: root
mode: '0644'
tags:
- nis-install
- nis-install-server
- name: (nis-install-server.yml) Add '255.0.0.0 10.0.0.0' to file /etc/ypserv.securenets
lineinfile:
path: /etc/ypserv.securenets
line: '255.0.0.0 10.0.0.0'
insertafter: EOF
state: present
owner: root
group: root
mode: '0644'
tags:
- nis-install
- nis-install-server
- name: (nis-install-server.yml) Trigger '/usr/lib/yp/ypinit -m'
shell: printf '\n' | /usr/lib/yp/ypinit -m
when: nis_installed.changed
tags:
- nis-install
- nis-install-server
# ---
# Base directory containing users' home directory
# ---
- name: (nis-install-server.yml) Ensure directoriy 'nis_base_home' (usually /data/home) exists
file:
path: '{{ nis_base_home }}'
owner: root
group: root
mode: '0755'
state: directory
when:
- "groups['nis_server']|string is search(inventory_hostname)"
tags:
- nis-install
- nis-install-server
# ---
# /etc/adduser.conf
# ---
- name: (nis-install-server.yml) Check if file '/etc/adduser.conf.ORIG exists'
stat:
path: /etc/adduser.conf.ORIG
register: adduser_conf_exists
tags:
- nis-install
- nis-install-server
- name: (nis-install-server.yml) Backup existing file /etc/adduser.conf
command: cp -a /etc/adduser.conf /etc/adduser.conf.ORIG
when:
- adduser_conf_exists.stat.exists == False
tags:
- nis-install
- nis-install-server
- name: (nis-install-server.yml) Adjust file '/etc/adduser.conf' - set 'DHOME'
replace:
path: /etc/adduser.conf
regexp: '^#?DHOME=.*'
replace: 'DHOME={{ nis_base_home }}'
tags:
- nis-install
- nis-install-server
# ---
# /var/yp/Makefile
# ---
- name: (nis-install-server.yml) Check if file '/var/yp/Makefile.ORIG exists'
stat:
path: /var/yp/Makefile.ORIG
register: adduser_conf_exists
tags:
- nis-install
- nis-install-server
- name: (nis-install-server.yml) Backup existing file /var/yp/Makefile
command: cp -a /var/yp/Makefile /var/yp/Makefile.ORIG
when:
- adduser_conf_exists.stat.exists == False
tags:
- nis-install
- nis-install-server
- name: (nis-install-server.yml) Adjust file '/var/yp/Makefile'
replace:
path: /var/yp/Makefile
regexp: '^#?{{ item }}=.*'
replace: '{{ item }}=true'
with_items:
- MERGE_PASSWD
- MERGE_GROUP
notify:
- Renew nis databases
tags:
- nis-install
- nis-install-server
# TODO:
# /var/yp/Makefile

183
roles/common/tasks/nis-user-systemfiles.yml Normal file
View File

@ -0,0 +1,183 @@
---
# ---
# Check if local template directories exists
# ---
# nis_users
- name: (nis-user-systemfiles.yml) Check if local template directory exists for default users
local_action: stat path={{ inventory_dir }}/files/homedirs/{{ item.name }}
with_items: "{{ nis_user }}"
loop_control:
label: '{{ item.name }}'
register: local_template_dir_nis_user
# --
# Copy .profile
# ---
- name: (nis-user-systemfiles.yml) Check if users file '.profile.ORIG' exists
stat:
path: "~{{ item.name }}/.profile.ORIG"
register: profile_user_orig_exists
loop: "{{ nis_user }}"
loop_control:
label: '{{ item.name }}'
tags:
- profile
- name: (nis-user-systemfiles.yml) Backup existing users .profile file
command: cp -a ~{{ item.item.name }}/.profile ~{{ item.item.name }}/.profile.ORIG
loop: "{{ profile_user_orig_exists.results }}"
loop_control:
label: '{{ item.item.name }}'
when:
- item.stat.exists == False
tags:
- profile
- name: (nis-user-systemfiles.yml) copy .profile if it exists
copy:
src: "{{ lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_profile') }}"
dest: "~{{ item.item.name }}/.profile"
owner: "{{ item.item.name }}"
group: "{{ item.item.name }}"
mode: 0644
loop: "{{ local_template_dir_nis_user.results }}"
loop_control:
label: '{{ item.item.name }}'
when:
- item.stat.exists
- lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_profile')
tags:
- profile
- name: (nis-user-systemfiles.yml) copy default .profile if it exists
template:
src: files/homedirs/DEFAULT/_profile.j2
dest: "~{{ item.item.name }}/.profile"
owner: "{{ item.item.name }}"
group: "{{ item.item.name }}"
mode: 0644
loop: "{{ local_template_dir_nis_user.results }}"
loop_control:
label: '{{ item.item.name }}'
when:
- item.stat.exists == false
tags:
- profile
# --
# Copy .bashrc
# ---
- name: (nis-user-systemfiles.yml) Check if users file '.bashrc.ORIG' exists
stat:
path: "~{{ item.name }}/.bashrc.ORIG"
register: bashrc_user_orig_exists
loop: "{{ nis_user }}"
loop_control:
label: '{{ item.name }}'
tags:
- bashrc
- name: (nis-user-systemfiles.yml) Backup existing users .bashrc file
command: cp -a ~{{ item.item.name }}/.bashrc ~{{ item.item.name }}/.bashrc.ORIG
loop: "{{ bashrc_user_orig_exists.results }}"
loop_control:
label: '{{ item.item.name }}'
when: item.stat.exists == False
tags:
- bashrc
- name: (nis-user-systemfiles.yml) copy .bashrc if it exists
copy:
src: "{{ lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_bashrc') }}"
dest: "~{{ item.item.name }}/.bashrc"
owner: "{{ item.item.name }}"
group: "{{ item.item.name }}"
mode: 0644
loop: "{{ local_template_dir_nis_user.results }}"
loop_control:
label: '{{ item.item.name }}'
when:
- item.stat.exists
- lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_bashrc')
tags:
- bashrc
- name: (nis-user-systemfiles.yml) copy default .bashrc if it exists
copy:
src: files/homedirs/DEFAULT/_bashrc
dest: "~{{ item.item.name }}/.bashrc"
owner: "{{ item.item.name }}"
group: "{{ item.item.name }}"
mode: 0644
loop: "{{ local_template_dir_nis_user.results }}"
loop_control:
label: '{{ item.item.name }}'
when:
- item.stat.exists == false
tags:
- bashrc
# --
# Copy .vimrc
# ---
- name: (nis-user-systemfiles.yml) copy .vimrc if it exists
copy:
src: "{{ lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_vimrc') }}"
dest: "~{{ item.item.name }}/.vimrc"
owner: "{{ item.item.name }}"
group: "{{ item.item.name }}"
mode: 0644
loop: "{{ local_template_dir_nis_user.results }}"
loop_control:
label: '{{ item.item.name }}'
when:
- item.stat.exists
- lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_vimrc')
tags:
- vimrc
- name: (nis-user-systemfiles.yml) Check if .vim directory exists for default users
local_action: stat path={{ inventory_dir }}/files/homedirs/{{ item.name }}/.vim
with_items: "{{ nis_user }}"
loop_control:
label: '{{ item.name }}'
register: local_template_dir_dotvim_default_user
- name: (nis-user-systemfiles.yml) copy .vim directory if it exists
copy:
src: "{{ inventory_dir + '/files/homedirs/' + item.item.name + '/.vim' }}"
dest: "~{{ item.item.name }}"
owner: "{{ item.item.name }}"
group: "{{ item.item.name }}"
mode: 0644
with_items: "{{ local_template_dir_dotvim_default_user.results }}"
loop_control:
label: '{{ item.item.name }}'
when:
- item.stat.exists
tags:
- vimrc
- name: (nis-user-systemfiles.yml) copy default .vimrc if it exists
copy:
src: files/homedirs/DEFAULT/_vimrc
dest: "~{{ item.item.name }}/.vimrc"
owner: "{{ item.item.name }}"
group: "{{ item.item.name }}"
mode: 0644
loop: "{{ local_template_dir_nis_user.results }}"
loop_control:
label: '{{ item.item.name }}'
when:
- item.stat.exists == false
tags:
- vimrc

175
roles/common/tasks/nis-user.yml Normal file
View File

@ -0,0 +1,175 @@
---
## # ---
## # - Remove unwanted users
## # ---
##
## - name: (nis_user.yml) Remove (old) users from system
## user:
## name: '{{ item.name }}'
## state: absent
## with_items:
## - "{{ remove_nis_users }}"
## loop_control:
## label: '{{ item.name }}'
## tags:
## - nis-user
## - system-user
##
## - name: (nis_user.yml) Remove home directory from deleted users
## file:
## path: '{{ nis_base_home }}/{{ item.name }}'
## state: absent
## with_items:
## - "{{ remove_nis_users }}"
## loop_control:
## label: '{{ item.name }}'
## tags:
## - nis-user
## - system-user
# ---
# - default user/groups
# ---
- name: (nis_user.yml) Ensure nis groups exists
group:
name: '{{ item.name }}'
state: present
gid: '{{ item.group_id | default(omit) }}'
loop: "{{ nis_groups }}"
loop_control:
label: '{{ item.name }}'
when: item.group_id is defined
notify: Renew nis databases
tags:
- nis-user
- system-user
#- meta: end_host
- name: (nis_user.yml) Get database of nis (system) users
getent:
database: passwd
tags:
- nis-user
- system-user
- name: (nis_user.yml) Add nis (system) users if not yet exists..
shell: "/root/bin/admin-stuff/add_new_user.sh {{ item.name }} '{{ item.password }}'"
loop: "{{ nis_user }}"
loop_control:
label: '{{ item.name }}'
when:
- item.name not in getent_passwd
notify: Renew nis databases
tags:
- nis-user
- system-user
- name: (nis_user.yml) Ensure nis users exists
user:
name: '{{ item.name }}'
state: present
uid: '{{ item.user_id | default(omit) }}'
#group: '{{ item.0.name | default(omit) }}'
groups: "{{ item.groups|join(', ') }}"
home: '{{ nis_base_home }}/{{ item.name }}'
shell: '{{ item.shell|d("/bin/bash") }}'
password: "{{ item.password | password_hash('sha512') }}"
update_password: on_create
append: yes
loop: "{{ nis_user }}"
loop_control:
label: '{{ item.name }}'
notify: Renew nis databases
tags:
- nis-user
- system-user
- name: (nis_user.yml) Check if directory ~/.config/autostart exists
stat:
path: '{{ nis_base_home }}/{{ item.name }}/.config/autostart'
loop: "{{ nis_user }}"
loop_control:
label: '{{ item.name }}'
register: home_config_autostart
tags:
- nis-user
- x11vnc
- name: (nis_user.yml) Ensure directory ~/.config/autostart if not exists
file:
path: '{{ nis_base_home }}/{{ item.item.name }}/.config/autostart'
state: directory
owner: "{{ item.item.name }}"
group: "{{ item.item.name }}"
mode: 0700
recurse: yes
loop: "{{ home_config_autostart.results }}"
loop_control:
label: '{{ item.item.name }}'
when : not item.stat.exists|bool
tags:
- nis-user
- x11vnc
#- name: (nis_user.yml) Ensure directory ~/.config/autostart if not exists
# file:
# path: '{{ nis_base_home }}/{{ item.name }}/.config/autostart'
# state: directory
# owner: "{{ item.name }}"
# group: "{{ item.name }}"
# mode: 0700
# recurse: yes
# loop: "{{ nis_user }}"
# loop_control:
# label: '{{ item.name }}'
# tags:
# - nis-user
# - x11vnc
- name: (nis_user.yml) Check if file ~/.config/autostart/x11vnc.desktop exists
stat:
path: '{{ nis_base_home }}/{{ item.name }}/.config/autostart/x11vnc.desktop'
loop: "{{ nis_user }}"
loop_control:
label: '{{ item.name }}'
register: home_config_autostart_x11vnc
tags:
- nis-user
- x11vnc
- name: (nis_user.yml) Ensure file ~/.config/autostart/x11vnc.desktop exists
copy:
src: "{{ role_path + '/files/USER_HOME/.config/autostart/x11vnc.desktop' }}"
dest: '{{ nis_base_home }}/{{ item.item.name }}/.config/autostart/x11vnc.desktop'
owner: '{{ item.item.name }}'
group: '{{ item.item.name }}'
mode: 0600
loop: "{{ home_config_autostart_x11vnc.results }}"
loop_control:
label: '{{ item.item.name }}'
tags:
- nis-user
- x11vnc
#- name: (nis_user.yml) Ensure file ~/.config/autostart/x11vnc.desktop exists
# copy:
# src: "{{ role_path + '/files/USER_HOME/.config/autostart/x11vnc.desktop' }}"
# dest: '{{ nis_base_home }}/{{ item.name }}/.config/autostart/x11vnc.desktop'
# owner: '{{ item.name }}'
# group: '{{ item.name }}'
# mode: 0600
# loop: "{{ nis_user }}"
# loop_control:
# label: '{{ item.name }}'
# tags:
# - nis-user
# - x11vnc

47
roles/common/tasks/ntp.yml Normal file
View File

@ -0,0 +1,47 @@
---
# ---
# NTP Server
# ---
- name: (ntp.yml) Ensure ntp package is installed.
apt:
name:
- ntp
state: present
when:
- ansible_os_family == "Debian"
- groups['file_server']|string is search(inventory_hostname)
tags:
- ntp-server
- name: (ntp.yml) Check file '/etc/ntp.conf.ORIG' exists
stat:
path: /etc/ntp.conf.ORIG
register: etc_ntp_conf_ORIG
when:
- groups['file_server']|string is search(inventory_hostname)
tags:
- ntp-server
- name: (ntp.yml) Backup installation version of file '/etc/ntp.conf'
command: cp -a /etc/ntp.conf /etc/ntp.conf.ORIG
when:
- groups['file_server']|string is search(inventory_hostname)
- etc_ntp_conf_ORIG.stat.exists == False
tags:
- ntp-server
- name: (ntp.yml) Update '/etc/ntp.conf'
template:
src: "etc/ntp.conf.j2"
dest: /etc/ntp.conf
owner: root
group: root
mode: 0644
notify: Restart ntp
when:
- groups['file_server']|string is search(inventory_hostname)
tags:
- ntp-server

52
roles/common/tasks/pure-ftpd-install.yml Normal file
View File

@ -0,0 +1,52 @@
---
# ==========
#
# mostly copied from:
# https://github.com/gcoop-libre/ansible-role-pure-ftpd
#
# git clone https://github.com/gcoop-libre/ansible-role-pure-ftpd.git
#
# ==========
# ---
# Install PureFTP Daemon
# ---
- include: pure-ftpd/setup.yml
# ---
# Configure PureFTP Daemon
# ---
- include: pure-ftpd/configure.yml
# ---
# Authentication Configuration
# ---
- include: pure-ftpd/authentication.yml
# ---
# Virtual user
# ---
- include: pure-ftpd/virtual-users.yml
# ---
# TLS Certificate
# ---
- include: pure-ftpd/tls-certificate.yml
- name: (pure-ftpd-install.yml) Ensure Pure-FTPd service is started enabled on startup.
service:
name: pure-ftpd
state: started
enabled: yes

66
roles/common/tasks/pure-ftpd/authentication.yml Normal file
View File

@ -0,0 +1,66 @@
---
# ---
# Authentication Configuration
# ---
- name: (pure-ftpd-install.yml) Get current authentications.
command: ls -1 {{ pureftpd_config_auth_dir }}
register: pureftpd_current_auth
changed_when: false
- name: (pure-ftpd-install.yml) Define empty pureftpd_authentications variable.
set_fact:
pureftpd_authentications: []
- name: (pure-ftpd-install.yml) Enable PureDB authentication.
file:
src: "{{ pureftpd_config_conf_dir }}/PureDB"
dest: "{{ pureftpd_config_auth_dir }}/{{ pureftpd_auth_puredb }}pure"
state: link
when: pureftpd_auth_puredb > 0 and pureftpd_config['PureDB'] is defined
notify: restart Pure-FTPd
- name: (pure-ftpd-install.yml) Add PureDB to Pure-FTPd authentications.
set_fact:
pureftpd_authentications: "{{ pureftpd_authentications }} + ['{{ pureftpd_auth_puredb }}pure']"
when: pureftpd_auth_puredb > 0 and pureftpd_config['PureDB'] is defined
- name: (pure-ftpd-install.yml) Add PAM to Pure-FTPd authentications.
set_fact:
pureftpd_authentications: "{{ pureftpd_authentications }} + ['{{ pureftpd_auth_pam }}pam']"
when: pureftpd_auth_pam > 0 and pureftpd_config['PAMAuthentication'] is defined
- name: (pure-ftpd-install.yml) Enable UNIX authentication.
file:
src: "{{ pureftpd_config_conf_dir }}/UnixAuthentication"
dest: "{{ pureftpd_config_auth_dir }}/{{ pureftpd_auth_unix }}unix"
state: link
when: pureftpd_auth_unix > 0 and pureftpd_config['UnixAuthentication'] is defined
notify: restart Pure-FTPd
- name: (pure-ftpd-install.yml) Add UnixAuthentication to Pure-FTPd authentications.
set_fact:
pureftpd_authentications: "{{ pureftpd_authentications }} + ['{{ pureftpd_auth_unix }}unix']"
when: pureftpd_auth_unix > 0 and pureftpd_config['UnixAuthentication'] is defined
- name: (pure-ftpd-install.yml) Enable PAM authentication.
file:
src: "{{ pureftpd_config_conf_dir }}/PAMAuthentication"
dest: "{{ pureftpd_config_auth_dir }}/{{ pureftpd_auth_pam }}pam"
state: link
when: pureftpd_auth_pam > 0 and pureftpd_config['PAMAuthentication'] is defined
notify: restart Pure-FTPd
# Delete unused authentification if exists
- name: (pure-ftpd-install.yml) Delete old authentications.
file:
path: "{{ pureftpd_config_auth_dir }}/{{ item }}"
state: absent
when: item not in pureftpd_authentications
with_items: "{{ pureftpd_current_auth.stdout_lines }}"
notify: restart Pure-FTPd

45
roles/common/tasks/pure-ftpd/configure.yml Normal file
View File

@ -0,0 +1,45 @@
---
# ---
# Configure PureFTP Daemon
# ---
# Remove old current configurations if exists
- name: Upload Pure-FTPd global configuration file.
template:
src: etc/default/pure-ftpd-common.j2
dest: "{{ pureftpd_global_config_file }}"
owner: root
group: root
mode: '0644'
notify: restart Pure-FTPd
- name: (pure-ftpd-install.yml) Compile Pure-FTPd configurations (set fact..).
set_fact:
pureftpd_config_compiled: "{{ pureftpd_config }}"
- name: (pure-ftpd-install.yml) Get current configuration.
command: ls -1 {{ pureftpd_config_conf_dir }}
register: pureftpd_current_config
changed_when: false
- name: (pure-ftpd-install.yml) Delete old configuration.
file:
path: "{{ pureftpd_config_conf_dir }}/{{ item }}"
state: absent
when: pureftpd_config_compiled[item] is not defined
with_items: "{{ pureftpd_current_config.stdout_lines }}"
notify: restart Pure-FTPd
# write new configuration
- name: (pure-ftpd-install.yml) Write configuration.
template:
src: etc/pure-ftpd/conf/config.j2
dest: "{{ pureftpd_config_conf_dir }}/{{ item.key }}"
owner: root
group: root
mode: '0644'
with_dict: '{{ pureftpd_config_compiled }}'
notify: restart Pure-FTPd

34
roles/common/tasks/pure-ftpd/create-virtual-ftp-user.yml Normal file
View File

@ -0,0 +1,34 @@
---
# ---
# Add virtual ftp users
# ---
- name: "(create-virtual-ftp-user.yml) Verify if virtual ftp user {{ user.name }} exists"
command: pure-pw show {{ user.name }}
register: pureftpd_virtual_user_exists
changed_when: "pureftpd_virtual_user_exists.rc != 0"
failed_when:
- "pureftpd_virtual_user_exists.rc != 0"
- "pureftpd_virtual_user_exists.rc != 16"
ignore_errors: true
loop_control:
label: '{{ user.name }}'
- name: "(create-virtual-ftp-user.yml) Create virtual ftp user {{ user.name }} ."
shell: "(echo {{ user.password }}; echo {{ user.password }}) | pure-pw useradd {{ user.name }} -u {{ user.uid | default(pureftpd_virtual_users_user) }} -g {{ user.gid | default(pureftpd_virtual_users_group) }} -d {{ user.homedir }} -n {{ user.quota_files | default('\"\"') }} -N {{ user.quota_size | default('\"\"') }} -t {{ user.bandwidth_dl | default('\"\"') }} -T {{ user.bandwidth_ul | default('\"\"') }} -q {{ user.ratio_ul | default('\"\"') }} -Q {{ user.ratio_dl | default('\"\"') }}"
#when: pureftpd_virtual_user_exists.failed is defined and pureftpd_virtual_user_exists.failed
when: pureftpd_virtual_user_exists.changed
notify: reload Pure-FTPd users
- name: "User {{ user.name }}: Update virtual user"
command: "pure-pw usermod {{ user.name }} -u {{ user.uid | default(pureftpd_virtual_users_user) }} -g {{ user.gid | default(pureftpd_virtual_users_group) }} -d {{ user.homedir }} -n {{ user.quota_files | default('\"\"') }} -N {{ user.quota_size | default('\"\"') }} -t {{ user.bandwidth_dl | default('\"\"') }} -T {{ user.bandwidth_ul | default('\"\"') }} -q {{ user.ratio_ul | default('\"\"') }} -Q {{ user.ratio_dl | default('\"\"') }}"
#when: pureftpd_virtual_user_exists.failed is defined and not pureftpd_virtual_user_exists.failed
when: not pureftpd_virtual_user_exists.changed
notify: reload Pure-FTPd users
- name: "User {{ user.name }}: Update virtual user password"
shell: "(echo {{ user.password }}; echo {{ user.password }}) | pure-pw passwd {{ user.name }}"
when: not pureftpd_virtual_user_exists.changed
notify: reload Pure-FTPd users

19
roles/common/tasks/pure-ftpd/remove-virtual-user.yml Normal file
View File

@ -0,0 +1,19 @@
---
# ---
# Remove virtual ftp users
# ---
- name: "User {{ user.name }}: Verify if it exists"
command: pure-pw show {{ user.name }}
register: pureftpd_virtual_user_exists
changed_when: "pureftpd_virtual_user_exists.rc == 0"
failed_when:
- "pureftpd_virtual_user_exists.rc != 0"
- "pureftpd_virtual_user_exists.rc != 16"
ignore_errors: true
- name: "User {{ user.name }}: Remove virtual user"
shell: "pure-pw userdel {{ user.name }}"
when: pureftpd_virtual_user_exists.changed
notify: reload Pure-FTPd users

21
roles/common/tasks/pure-ftpd/setup.yml Normal file
View File

@ -0,0 +1,21 @@
---
# ---
# Install PureFTP Daemon
# ---
- name: (pure-ftpd-install.yml) Ensure Pure-FTPd is installed.
apt:
name: "{{ pureftpd_packages }}"
state: present
cache_valid_time: 3600
update_cache: yes
- name: (pure-ftpd-install.yml) Upload Pure-FTPd global configuration file.
template:
src: etc/default/pure-ftpd-common.j2
dest: "{{ pureftpd_global_config_file }}"
owner: root
group: root
mode: '0644'
notify: restart Pure-FTPd

40
roles/common/tasks/pure-ftpd/tls-certificate.yml Normal file
View File

@ -0,0 +1,40 @@
---
# ---
# TLS Certificate
# ---
# - method 'generate'
- name: Generate Pure-FTPd TLS certificate.
command: openssl req -x509 -nodes -newkey rsa:{{ pureftpd_tls_certificate_openssl.size | default(4096) }} -sha256 -days {{ pureftpd_tls_certificate_openssl.days | default(365) }} -keyout {{ pureftpd_tls_certificate_pem }} -out {{ pureftpd_tls_certificate_pem }} -subj "/C={{ pureftpd_tls_certificate_openssl.country | default('') }}/ST={{ pureftpd_tls_certificate_openssl.state | default('') }}/L={{ pureftpd_tls_certificate_openssl.locality | default('') }}/O={{ pureftpd_tls_certificate_openssl.organization | default('') }}/OU={{ pureftpd_tls_certificate_openssl.unit | default('') }}/CN={{ pureftpd_tls_certificate_openssl.fqdn }}"
args:
creates: "{{ pureftpd_tls_certificate_pem }}"
when:
- pureftpd_tls_certificate_method == 'generate'
- pureftpd_tls_certificate_openssl | length > 0
notify: restart Pure-FTPd
- name: Ensure Pure-FTPd TLS certificate permissions.
file:
path: "{{ pureftpd_tls_certificate_pem }}"
owner: root
group: root
mode: '0600'
state: file
when:
- pureftpd_tls_certificate_method == 'generate'
- pureftpd_tls_certificate_openssl | length > 0
# - final checks
- name: (pure-ftpd-install.yml) Verify TLS certificate exists.
stat:
path: "{{ pureftpd_tls_certificate_pem }}"
register: pureftpd_tls_certificate
- name: (pure-ftpd-install.yml) Fail when no certificate is found.
fail:
msg: |
The certificate file was not found at {{ pureftpd_tls_certificate_pem }}
when: not pureftpd_tls_certificate.stat.exists | default(False)

57
roles/common/tasks/pure-ftpd/virtual-users.yml Normal file
View File

@ -0,0 +1,57 @@
---
# Default virtual users/group
- name: (pure-ftpd-install.yml) Ensure Pure-FTPd group exists.
group:
name: "{{ pureftpd_virtual_users_group }}"
gid: "{{ pureftpd_virtual_users_gid | default(omit) }}"
system: no
state: present
when: pureftpd_virtual_users | length > 0
- name: (pure-ftpd-install.yml) Ensure Pure-FTPd user exists.
user:
name: "{{ pureftpd_virtual_users_user }}"
uid: "{{ pureftpd_virtual_users_uid | default(omit) }}"
group: "{{ pureftpd_virtual_users_group }}"
home: /dev/null
shell: /usr/sbin/nologin
system: no
state: present
when: pureftpd_virtual_users | length > 0
# user databas
- name: (pure-ftpd-install.yml) Verify virtual users database existence.
stat:
path: "{{ pureftpd_config_dir }}/pureftpd.passwd"
register: pureftpd_virtual_users_database
- name: (pure-ftpd-install.yml) Ensure virtual users database exists.
file:
path: "{{ pureftpd_config_dir }}/pureftpd.passwd"
owner: root
group: root
mode: '0600'
state: touch
when: (pureftpd_virtual_users | length > 0) and not pureftpd_virtual_users_database.stat.exists | default(False)
# - Cretate virtual user
- include_tasks: create-virtual-ftp-user.yml
vars:
user: "{{ item }}"
with_items: "{{ pureftpd_virtual_users }}"
when: pureftpd_virtual_users | length > 0
no_log: true
# Remove virtual user
# -
- include_tasks: remove-virtual-user.yml
vars:
user: "{{ item }}"
with_items: "{{ pureftpd_virtual_deleted_users }}"
when: pureftpd_virtual_deleted_users | length > 0

51
roles/common/tasks/root-files-scripts.yml Normal file
View File

@ -0,0 +1,51 @@
---
- name: (root_files_scripts.yml) Ensure directory /root/bin exists
file:
path: /root/bin
owner: root
group: root
mode: '0700'
state: directory
when:
- groups['file_server']|string is search(inventory_hostname)
- name: (root_files_scripts.yml) Ensure script 'wakeup_lan.sh' is present
template:
src: "root/bin/wakeup_lan.sh.j2"
dest: /root/bin/wakeup_lan.sh
owner: root
group: root
mode: 0755
when:
- groups['file_server']|string is search(inventory_hostname)
tags:
- wakeup_lan
- name: (root_files_scripts.yml) Check file '/etc/motd.ORIG' exists
stat:
path: /etc/motd.ORIG
register: etc_motd_ORIG
when:
- "groups['file_server']|string is search(inventory_hostname)"
tags:
- etc_motd
- name: (basic.yml) Backup installation version of file '/etc/motd'
command: cp -a /etc/motd /etc/motd.ORIG
when:
- "groups['file_server']|string is search(inventory_hostname)"
- etc_motd_ORIG.stat.exists == False
tags:
- etc_motd
- name: (root_files_scripts.yml) Write new '/etc/motd' file..
shell: >
figlet '{{ nis_server_name.split(".")[0] }}' > /etc/motd
when:
- "groups['file_server']|string is search(inventory_hostname)"
- etc_motd_ORIG.stat.exists == False
tags:
- etc_motd

185
roles/common/tasks/samba-install.yml Normal file
View File

@ -0,0 +1,185 @@
---
# ---
# Samba Server
# ---
- name: (samba-install.yml) Ensure samba packages server (buster) are installed.
package:
pkg: '{{ apt_install_server_samba }}'
state: present
when:
- "groups['samba_server']|string is search(inventory_hostname)"
tags:
- samba-server
- name: (samba-install.yml) Ensure samba share directories exists
file:
path: "{{ item.path }}"
owner: "root"
group: "{{ item.group_write_list }}"
mode: '2770'
state: directory
with_items: "{{ samba_shares }}"
loop_control:
label: '{{ item.name }}'
when:
- "groups['samba_server']|string is search(inventory_hostname)"
tags:
- samba-shares
# ---
# /etc/samba/smb.conf
# ---
- name: (samba-install.yml) Check if file '/etc/samba/smb.conf.ORIG exists'
stat:
path: /etc/samba/smb.conf.ORIG
register: smb_conf_exists
when:
- "groups['samba_server']|string is search(inventory_hostname)"
tags:
- samba-server
- name: (samba-install.yml) Backup existing file /etc/samba/smb.conf
command: cp -a /etc/samba/smb.conf /etc/samba/smb.conf.ORIG
when:
- "groups['samba_server']|string is search(inventory_hostname)"
- smb_conf_exists.stat.exists == False
tags:
- samba-server
- name: (samba-install.yml) /etc/samba/smb.conf
template:
dest: /etc/samba/smb.conf
src: etc/samba/smb.conf.j2
owner: root
group: root
mode: 0644
when:
- "groups['samba_server']|string is search(inventory_hostname)"
notify:
- Restart smbd
- Restart nmbd
tags:
- samba-server
- name: (samba-install.yml) Ensure file /etc/samba/users.map exists
copy:
src: "{{ role_path + '/files/etc/samba/users.map' }}"
dest: /etc/samba/users.map
owner: root
group: root
mode: 0644
when:
- "groups['samba_server']|string is search(inventory_hostname)"
notify:
- Restart smbd
- Restart nmbd
tags:
- samba-server
# ---
# Cronjob for cleaning up samba trash dirs
# ---
- name: (samba-install.yml) Check if file '/root/bin/samba/clean_samba_trash.sh' exists
stat:
path: /root/bin/samba/clean_samba_trash.sh
register: clean_samba_trash_exists
when:
- "groups['samba_server']|string is search(inventory_hostname)"
- name: (samba-install.yml) Adjust configuration for script 'clean_samba_trash.sh'
template:
dest: /root/bin/samba/conf/clean_samba_trash.conf
src: root/bin/samba/conf/clean_samba_trash.conf.j2
when:
- "groups['samba_server']|string is search(inventory_hostname)"
- clean_samba_trash_exists.stat.exists|bool
tags:
- samba-server
- name: (samba-install.yml) Check if cleaning up trash dirs is configured
lineinfile:
path: /root/bin/samba/conf/clean_samba_trash.conf
regexp: "^trash_dirs=*"
state: absent
check_mode: yes
changed_when: false
register: clean_samba_trash_dirs
when:
- "groups['samba_server']|string is search(inventory_hostname)"
- name: (samba-install.yml) Creates a cron job for cleaning up samba trash dirs
cron:
name: '{{ samba_cronjob_trash_dirs.name }}'
minute: '{{ samba_cronjob_trash_dirs.minute }}'
hour: "{{ samba_cronjob_trash_dirs.hour | default('*') }}"
day: "{{ samba_cronjob_trash_dirs.hour.day | default('*') }}"
month: "{{ samba_cronjob_trash_dirs.hour.month| default('*') }}"
weekday: "{{ samba_cronjob_trash_dirs.hour.weekday| default('*') }}"
user: "{{ samba_cronjob_trash_dirs.user | default('root') }}"
job: "{{ samba_cronjob_trash_dirs.job }}"
when:
- "groups['samba_server']|string is search(inventory_hostname)"
- clean_samba_trash_dirs.found
# ---
# Cronjob for setting permissions on samba shares
# ---
- name: (samba-install.yml) Check if file '/root/bin/samba/set_permissions_samba_shares.sh' exists
stat:
path: /root/bin/samba/set_permissions_samba_shares.sh
register: set_permissions_on_samba_shares_exists
when:
- "groups['samba_server']|string is search(inventory_hostname)"
- name: (samba-install.yml) Adjust configuration for script 'set_permissions_samba_shares.sh'
template:
dest: /root/bin/samba/conf/set_permissions_samba_shares.conf
src: root/bin/samba/conf/set_permissions_samba_shares.conf.j2
when:
- "groups['samba_server']|string is search(inventory_hostname)"
- set_permissions_on_samba_shares_exists.stat.exists|bool
tags:
- samba-server
- name: (samba-install.yml) Creates a cron job for cleaning up samba trash dirs
cron:
name: '{{ samba_cronjob_permissions.name }}'
minute: '{{ samba_cronjob_permissions.minute }}'
hour: "{{ samba_cronjob_permissions.hour | default('*') }}"
day: "{{ samba_cronjob_permissions.day | default('*') }}"
month: "{{ samba_cronjob_permissions.month| default('*') }}"
weekday: "{{ samba_cronjob_permissions.weekday| default('*') }}"
user: "{{ samba_cronjob_permissions.user | default('root') }}"
job: "{{ samba_cronjob_permissions.job }}"
when:
- "groups['samba_server']|string is search(inventory_hostname)"
- clean_samba_trash_dirs.found
# ---
# Samba clients
# ---
- name: (samba-install.yml) Ensure samba packages clients are installed.
package:
pkg: "{{ apt_install_client_samba }}"
state: present
when:
- "groups['nis_client']|string is search(inventory_hostname)"
- ansible_distribution == "Ubuntu"
tags:
- samba-client

57
roles/common/tasks/samba-remove-user.yml Normal file
View File

@ -0,0 +1,57 @@
---
# ---
# - Remove unwanted users
# ---
- name: (samba-remove-user.yml) Check if samba user exists for removable system user
shell: pdbedit -w -L | awk -F":" '{ print $1 }' | grep '{{ item.name }}'
register: samba_remove_system_users_present
changed_when: "samba_remove_system_users_present.rc == 0"
failed_when: "samba_remove_system_users_present.rc > 1"
with_items:
- "{{ remove_system_users }}"
loop_control:
label: '{{ item.name }}'
tags:
- samba-user
- name: (samba-remove-user.yml) Remove (old) system users from samba
shell: >
smbpasswd -s -x {{ item.item.name }}
with_items:
- "{{ samba_remove_system_users_present.results }}"
loop_control:
label: '{{ item.item.name }}'
when:
- item.changed
tags:
- samba-user
- name: (samba-remove-user.yml) Check if samba user exists for removable nis user
shell: pdbedit -w -L | awk -F":" '{ print $1 }' | grep '{{ item.name }}'
register: samba_remove_nis_users_present
changed_when: "samba_remove_nis_users_present.rc == 0"
failed_when: "samba_remove_nis_users_present.rc > 1"
with_items:
- "{{ remove_nis_users }}"
loop_control:
label: '{{ item.name }}'
tags:
- samba-user
- name: (samba-remove-user.yml) Remove (old) nis users from samba
shell: >
smbpasswd -s -x {{ item.item.name }}
with_items:
- "{{ samba_remove_nis_users_present.results }}"
loop_control:
label: '{{ item.item.name }}'
when:
- item.changed
tags:
- samba-user

30
roles/common/tasks/samba-user.yml Normal file
View File

@ -0,0 +1,30 @@
---
# ---
# - default user/groups
# ---
- name: (samba-user.yml) Check if samba user exists for nis user
shell: pdbedit -w -L | awk -F":" '{ print $1 }' | grep '{{ item.name }}'
register: samba_nis_user_present
changed_when: "samba_nis_user_present.rc == 1"
failed_when: "samba_nis_user_present.rc > 1"
loop: "{{ nis_user }}"
loop_control:
label: '{{ item.name }}'
when:
- item.is_samba_user is defined and item.is_samba_user|bool
tags:
- samba-user
- name: (samba-user.yml) Add nis user to samba (with nis users password)
shell: >
(echo '{{ item.item.password }}'; echo '{{ item.item.password }}')
| smbpasswd -s -a {{ item.item.name }}
loop: "{{ samba_nis_user_present.results }}"
when: item.changed
loop_control:
label: '{{ item.item.name }}'
tags:
- samba-user

29
roles/common/tasks/sshd.yml Normal file
View File

@ -0,0 +1,29 @@
---
- name: (sshd.yml) Check file '/etc/ssh/sshd_config.ORIG' exists
stat:
path: /etc/ssh/sshd_config.ORIG
register: etc_sshd_sshd_config_ORIG
tags:
- sshd-config
- name: (sshd.yml) Backup installation version of file '/etc/ssh/sshd_config'
command: cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.ORIG
when: etc_sshd_sshd_config_ORIG.stat.exists == False
tags:
- sshd-config
- name: (sshd.yml) Create new sshd_config from template sshd_config.j2
template:
src: etc/ssh/sshd_config.j2
dest: /etc/ssh/sshd_config
owner: root
group: root
mode: 0644
validate: 'sshd -f %s -T'
#backup: yes
notify: "Restart ssh"
tags:
- sshd-config

32
roles/common/tasks/sudoers-pc.yml Normal file
View File

@ -0,0 +1,32 @@
---
- name: (sudoers-pc.yml) update specific sudoers configuration files (/etc/sudoers.d/)
template:
src: etc/sudoers.d/50-user.pc.j2
dest: /etc/sudoers.d/50-user
validate: visudo -cf %s
owner: root
group: root
mode: 0440
tags:
- sudoers-file-configuration
- name: (sudoers-pc.yml) update global sudoers configuration file
template:
src: etc/sudoers.pc.j2
dest: /etc/sudoers
owner: root
group: root
mode: 0440
validate: visudo -cf %s
tags:
- sudoers-global-configuration
- name: (sudoers-pc.yml) Ensure all sudo_users are in sudo group
user:
name: "{{ item }}"
groups: sudo
append: yes
with_items: "{{ sudo_pc_users }}"
tags:
- sudo-users

57
roles/common/tasks/sudoers-server.yml Normal file
View File

@ -0,0 +1,57 @@
---
#- name: (sudoers-server.yml) include variables
# include_vars: "{{ item }}"
# with_first_found:
# - "sudoers-{{ inventory_hostname }}.yml"
# - "sudoers-{{ ansible_distribution_release }}.yml"
# - "sudoers-{{ ansible_distribution | lower }}.yml"
# - "sudoers-default.yml"
# tags:
# - sudoers-remove
# - sudoers-file-configuration
# - sudoers-global-configuration
- name: (sudoers-server.yml) Remove user entries in file /etc/sudoers
lineinfile:
dest: /etc/sudoers
state: absent
regexp: '^{{ item }}'
owner: root
group: root
mode: 0440
validate: visudo -cf %s
with_items: '{{ sudoers_server_remove_user }}'
tags:
- sudoers-remove
- name: (sudoers-server.yml) update specific sudoers configuration files (/etc/sudoers.d/)
template:
src: etc/sudoers.d/50-user.server.j2
dest: /etc/sudoers.d/50-user
#validate: visudo -cf %s
owner: root
group: root
mode: 0440
tags:
- sudoers-file-configuration
- name: (sudoers-server.yml) update global sudoers configuration file
template:
src: etc/sudoers.server.j2
dest: /etc/sudoers
owner: root
group: root
mode: 0440
#validate: visudo -cf %s
tags:
- sudoers-global-configuration
- name: (sudoers-server.yml) Ensure all sudo_users are in sudo group
user:
name: "{{ item }}"
groups: sudo
append: yes
with_items: "{{ sudo_server_users }}"
tags:
- sudo-users

29
roles/common/tasks/system-remove-user.yml Normal file
View File

@ -0,0 +1,29 @@
---
# ---
# - Remove unwanted users
# ---
- name: (system-remove-user.yml) Remove (old) users from system
user:
name: '{{ item.name }}'
state: absent
with_items:
- "{{ remove_nis_users }}"
loop_control:
label: '{{ item.name }}'
tags:
- nis-user
- system-user
- name: (system-remove-user.yml) Remove home directory from deleted users
file:
path: '{{ nis_base_home }}/{{ item.name }}'
state: absent
with_items:
- "{{ remove_nis_users }}"
loop_control:
label: '{{ item.name }}'
tags:
- nis-user
- system-user

278
roles/common/tasks/system-user-systemfiles.yml Normal file
View File

@ -0,0 +1,278 @@
---
# ---
# Check if local template directories exists
# ---
# system_user
- name: (system-user-systemfiles.yml) Check if local template directory exists for default users
local_action: stat path={{ inventory_dir }}/files/homedirs/{{ item.name }}
with_items: "{{ system_users }}"
loop_control:
label: '{{ item.name }}'
register: local_template_dir_system_users
# root
- name: (system-user-systemfiles.yml) Check if local template directory exists for root
local_action: stat path={{ inventory_dir }}/files/homedirs/root
register: local_template_dir_root
# --
# Copy .profile
# ---
- name: (user-systemfiles.yml) Check if users file '.profile.ORIG' exists
stat:
path: "~{{ item.name }}/.profile.ORIG"
register: profile_user_orig_exists
loop: "{{ system_users }}"
loop_control:
label: '{{ item.name }}'
tags:
- profile
- name: (user-systemfiles.yml) Backup existing users .profile file
command: cp -a ~{{ item.item.name }}/.profile ~{{ item.item.name }}/.profile.ORIG
loop: "{{ profile_user_orig_exists.results }}"
loop_control:
label: '{{ item.item.name }}'
when:
- item.stat.exists == False
tags:
- profile
- name: (system-user-systemfiles.yml) copy .profile if it exists
copy:
src: "{{ lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_profile') }}"
dest: "~{{ item.item.name }}/.profile"
owner: "{{ item.item.name }}"
group: "{{ item.item.name }}"
mode: 0644
loop: "{{ local_template_dir_system_users.results }}"
loop_control:
label: '{{ item.item.name }}'
when:
- item.stat.exists
- lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_profile')
tags:
- profile
- name: (system-user-systemfiles.yml) copy default .profile if it exists
template:
src: files/homedirs/DEFAULT/_profile
dest: "~{{ item.item.name }}/.profile"
owner: "{{ item.item.name }}"
group: "{{ item.item.name }}"
mode: 0644
loop: "{{ local_template_dir_system_users.results }}"
loop_control:
label: '{{ item.item.name }}'
when:
- item.stat.exists == false
- lookup('fileglob', inventory_dir + '/files/homedirs/DEFAULT/_profile')
tags:
- profile
# -- root user
- name: (system-user-systemfiles.yml) Check if file '/root/.profile.ORIG' exists
stat:
path: /root/.profile.ORIG
register: profile_root_orig_exists
tags:
- profile
- name: (system-user-systemfiles.yml) Backup existing users .profile file
command: cp -a /root/.profile /root/.profile.ORIG
when: profile_root_orig_exists.stat.exists == False
tags:
- profile
- name: (system-user-systemfiles.yml) copy .profile for user root
copy:
src: "{{ lookup('fileglob', inventory_dir + '/files/homedirs/root/_profile') }}"
dest: "/root/.profile"
owner: root
group: root
mode: 0644
when:
- local_template_dir_root.stat.exists
- lookup('fileglob', inventory_dir + '/files/homedirs/root/_profile')
tags:
- profile
# --
# Copy .bashrc
# ---
- name: (system-user-systemfiles.yml) Check if users file '.bashrc.ORIG' exists
stat:
path: "~{{ item.name }}/.bashrc.ORIG"
register: bashrc_user_orig_exists
loop: "{{ system_users }}"
loop_control:
label: '{{ item.name }}'
tags:
- bashrc
- name: (system-user-systemfiles.yml) Backup existing users .bashrc file
command: cp -a ~{{ item.item.name }}/.bashrc ~{{ item.item.name }}/.bashrc.ORIG
loop: "{{ bashrc_user_orig_exists.results }}"
loop_control:
label: '{{ item.item.name }}'
when: item.stat.exists == False
tags:
- bashrc
- name: (system-user-systemfiles.yml) copy .bashrc if it exists
copy:
src: "{{ lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_bashrc') }}"
dest: "~{{ item.item.name }}/.bashrc"
owner: "{{ item.item.name }}"
group: "{{ item.item.name }}"
mode: 0644
loop: "{{ local_template_dir_system_users.results }}"
loop_control:
label: '{{ item.item.name }}'
when:
- item.stat.exists
- lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_bashrc')
tags:
- bashrc
- name: (system-user-systemfiles.yml) copy default .bashrc if it exists
copy:
src: files/homedirs/DEFAULT/_bashrc
dest: "~{{ item.item.name }}/.bashrc"
owner: "{{ item.item.name }}"
group: "{{ item.item.name }}"
mode: 0644
loop: "{{ local_template_dir_system_users.results }}"
loop_control:
label: '{{ item.item.name }}'
when:
- item.stat.exists == false
tags:
- bashrc
# -- root user
- name: (system-user-systemfiles.yml) Check if file '/root/.bashrc.ORIG' exists
stat:
path: /root/.bashrc.ORIG
register: bashrc_root_orig_exists
tags:
- bash
- name: (system-user-systemfiles.yml) Backup /root/.bashrc file
command: cp /root/.bashrc /root/.bashrc.ORIG
when: bashrc_root_orig_exists.stat.exists == False
tags:
- bash
- name: (system-user-systemfiles.yml) copy .bashrc for user root
copy:
src: "{{ lookup('fileglob', inventory_dir + '/files/homedirs/root/_bashrc') }}"
dest: "/root/.bashrc"
owner: root
group: root
mode: 0644
when:
- local_template_dir_root.stat.exists
- lookup('fileglob', inventory_dir + '/files/homedirs/root/_bashrc')
tags:
- bash
# --
# Copy .vimrc
# ---
- name: (system-user-systemfiles.yml) copy .vimrc if it exists
copy:
src: "{{ lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_vimrc') }}"
dest: "~{{ item.item.name }}/.vimrc"
owner: "{{ item.item.name }}"
group: "{{ item.item.name }}"
mode: 0644
loop: "{{ local_template_dir_system_users.results }}"
loop_control:
label: '{{ item.item.name }}'
when:
- item.stat.exists
- lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_vimrc')
tags:
- vimrc
- name: (system-user-systemfiles.yml) Check if .vim directory exists for default users
local_action: stat path={{ inventory_dir }}/files/homedirs/{{ item.name }}/.vim
with_items: "{{ system_users }}"
loop_control:
label: '{{ item.name }}'
register: local_template_dir_dotvim_default_user
- name: (system-user-systemfiles.yml) copy .vim directory if it exists
copy:
src: "{{ inventory_dir + '/files/homedirs/' + item.item.name + '/.vim' }}"
dest: "~{{ item.item.name }}"
owner: "{{ item.item.name }}"
group: "{{ item.item.name }}"
mode: 0644
with_items: "{{ local_template_dir_dotvim_default_user.results }}"
loop_control:
label: '{{ item.item.name }}'
when:
- item.stat.exists
tags:
- vimrc
- name: (system-user-systemfiles.yml) copy default .vimrc if it exists
copy:
src: files/homedirs/DEFAULT/_vimrc
dest: "~{{ item.item.name }}/.vimrc"
owner: "{{ item.item.name }}"
group: "{{ item.item.name }}"
mode: 0644
loop: "{{ local_template_dir_system_users.results }}"
loop_control:
label: '{{ item.item.name }}'
when:
- item.stat.exists == false
tags:
- vimrc
- name: (system-user-systemfiles.yml) copy .vimrc for user root
copy:
src: "{{ lookup('fileglob', inventory_dir + '/files/homedirs/root/_vimrc') }}"
dest: "/root/.vimrc"
owner: root
group: root
mode: 0644
when:
- local_template_dir_root.stat.exists
- lookup('fileglob', inventory_dir + '/files/homedirs/root/_vimrc')
tags:
- vimrc
- name: (system-user-systemfiles.yml) Check if local template directory .vim exists for user root
local_action: stat path={{ inventory_dir }}/files/homedirs/root/.vim
register: local_template_dir_vim_root
with_items: 'root'
loop_control:
label: 'root'
- name: (system-user-systemfiles.yml) copy .vim directory for user root if it exists
copy:
src: "{{ inventory_dir + '/files/homedirs/root/.vim' }}"
dest: "/root"
owner: "root"
group: "root"
mode: 0644
with_items: "{{ local_template_dir_vim_root.results }}"
loop_control:
label: 'root'
when:
- item.stat.exists
tags:
- vim

64
roles/common/tasks/system-user.yml Normal file
View File

@ -0,0 +1,64 @@
---
# ---
# - Remove unwanted users
# ---
- name: (user.yml) Remove (old) users from system
user:
name: '{{ item.name }}'
state: absent
with_items:
- "{{ remove_system_users }}"
loop_control:
label: '{{ item.name }}'
tags:
- system-user
- name: (user.yml) Remove home directory from deleted users
file:
path: '{{ base_home }}/{{ item.name }}'
state: absent
with_items:
- "{{ remove_system_users }}"
loop_control:
label: '{{ item.name }}'
tags:
- system-user
# ---
# - default user/groups
# ---
- name: (user.yml) Ensure system groups exists
group:
name: '{{ item.name }}'
state: present
gid: '{{ item.group_id | default(omit) }}'
loop: "{{ system_groups }}"
loop_control:
label: '{{ item.name }}'
when: item.group_id is defined
notify: Renew nis databases
tags:
- system-user
#- meta: end_host
- name: (system-user.yml) Get database of nis (system) users
getent:
database: passwd
tags:
- system-user
- name: (system-user.yml) Add (system) users if not yet exists..
shell: "/root/bin/admin-stuff/add_new_user.sh {{ item.name }} '{{ item.password }}'"
loop: "{{ system_users }}"
loop_control:
label: '{{ item.name }}'
when:
- item.name not in getent_passwd
notify: Renew nis databases
tags:
- system-user

55
roles/common/tasks/ubuntu-x11vnc-1604-amd64.yml Normal file
View File

@ -0,0 +1,55 @@
---
# Title: app-x11vnc-server
#
# Author: Luc Rutten
# Version: 1.0
# File: tasks/main.yml
#
# Description:
# Remote support
#
# Source:
# - http://c-nergy.be/blog/?p=8984
- name: "(ubuntu-x11vnc-1604-amd64.yml) check if x11vnc is already installed, if not found skipping...."
stat:
path: /usr/bin/x11vnc
register: x11vnc_active
- name: "(ubuntu-x11vnc-1604-amd64.yml) Install packages"
apt:
name: ['x11vnc']
update_cache: yes
state: present
when: x11vnc_active.stat.exists == False
- name: "(ubuntu-x11vnc-1604-amd64.yml) Store password"
shell: "x11vnc -storepasswd {{ vnc_password }} /etc/x11vnc.pass"
- name: "(ubuntu-x11vnc-1604-amd64.yml) Set permissions on /etc/x11vnc.pass"
file:
path: /etc/x11vnc.pass
mode: 0644
- name: "(ubuntu-x11vnc-1604-amd64.yml) Transfer x11vnc.service.j2 to /lib/systemd/system/x11vnc.service"
template:
src: lib/systemd/system/x11vnc.service.j2
dest: /lib/systemd/system/x11vnc.service
- name: "(ubuntu-x11vnc-1604-amd64.yml) Start x11vnc service"
shell: service x11vnc start
- name: "(ubuntu-x11vnc-1604-amd64.yml) Enable x11vnc service on boot"
systemd:
name: x11vnc.service
daemon_reload: yes
enabled: yes
state: started
# - name: "(ubuntu-x11vnc-1604-amd64.yml) Blocks x11vnc in GreenOS Desktop Environment for enduser "
# file:
# path: "/usr/share/applications/x11vnc.desktop"
# mode: 0740
# owner: root
# group: administrator

61
roles/common/tasks/ubuntu-x11vnc-1804-amd64.yml Normal file
View File

@ -0,0 +1,61 @@
---
# Title: app-x11vnc-server
#
# Author: Luc Rutten
# Version: 1.0
# File: tasks/main.yml
#
# Description:
# Remote support
#
# Source:
# - http://c-nergy.be/blog/?p=8984
- name: "(ubuntu-x11vnc-1804-amd64.yml) Install packages"
apt:
name: "{{ packages }}"
update_cache: yes
state: present
vars:
packages:
- x11vnc
- name: "(ubuntu-x11vnc-1804-amd64.yml) get numeric id for group 'gdm'"
shell: echo "$(id -u gdm)"
register: grp_id_gdm
- name: Check if file '/etc/gdm3/custom.conf' exists
stat:
path: /etc/gdm3/custom.conf
register: etc_gdm_custom_conf_exists
- name: Adjust file '/etc/gdm3/custom.conf'
lineinfile:
dest: /etc/gdm3/custom.conf
state: present
regexp: '^WaylandEnable'
line: 'WaylandEnable=false'
insertafter: '^#?\s*WaylandEnable'
when:
- etc_gdm_custom_conf_exists.stat.exists
- name: "(ubuntu-x11vnc-1804-amd64.yml) Store password"
raw: "x11vnc -storepasswd {{ vnc_password }} /etc/x11vnc.pass"
- name: "(ubuntu-x11vnc-1804-amd64.yml) Set permissions on /etc/x11vnc.pass"
file:
path: "/etc/x11vnc.pass"
mode: 0644
- name: "(ubuntu-x11vnc-1804-amd64.yml) Transfer x11vnc.service.j2 to /lib/systemd/system/x11vnc.service"
template:
src: lib/systemd/system/x11vnc-gdm3.service.j2
dest: /lib/systemd/system/x11vnc.service
- name: "(ubuntu-x11vnc-1804-amd64.yml) Enable service"
systemd:
name: x11vnc.service
daemon_reload: yes
enabled: yes
state: restarted

71
roles/common/tasks/ubuntu-x11vnc-2004-amd64.yml Normal file
View File

@ -0,0 +1,71 @@
---
# Title: app-x11vnc-server
#
# Author: Luc Rutten
# Version: 1.0
# File: tasks/main.yml
#
# Description:
# Remote support
#
# Source:
# - http://c-nergy.be/blog/?p=8984
- name: "(ubuntu-x11vnc-2004-amd64.yml) Install packages"
apt:
name: "{{ packages }}"
update_cache: yes
state: present
vars:
packages:
- x11vnc
- name: "(ubuntu-x11vnc-2004-amd64.yml) get numeric id for group 'gdm'"
shell: echo "$(id -u gdm)"
register: grp_id_gdm
- name: "(ubuntu-x11vnc-2004-amd64.yml) Store password"
raw: "x11vnc -storepasswd {{ vnc_password }} /etc/x11vnc.pass"
- name: Check if file '/etc/gdm3/custom.conf' exists
stat:
path: /etc/gdm3/custom.conf
register: etc_gdm_custom_conf_exists
- name: Adjust file '/etc/gdm3/custom.conf'
lineinfile:
dest: /etc/gdm3/custom.conf
state: present
regexp: '^WaylandEnable'
line: 'WaylandEnable=false'
insertafter: '^#?\s*WaylandEnable'
when:
- etc_gdm_custom_conf_exists.stat.exists
- name: "(ubuntu-x11vnc-2004-amd64.yml) Set permissions on /etc/x11vnc.pass"
file:
path: /etc/x11vnc.pass
owner: root
group: root
mode: 0644
- name: "(ubuntu-x11vnc-2004-amd64.yml) Transfer x11vnc.service.j2 to /lib/systemd/system/x11vnc.service"
template:
src: lib/systemd/system/x11vnc-gdm3.service.j2
dest: /lib/systemd/system/x11vnc.service
- name: "(ubuntu-x11vnc-2004-amd64.yml) Enable service"
systemd:
name: x11vnc.service
daemon_reload: yes
enabled: yes
state: restarted
# - name: "(ubuntu-x11vnc-2004-amd64.yml) Remove whisker menu entry for allusers (except owner and group)"
# file:
# path: "/usr/share/applications/x11vnc.desktop"
# mode: 0750
# owner: root
# group: root