Initial commit

2022-02-20 12:07:59 +01:00
commit 42c3774ca6
114 changed files with 27589 additions and 0 deletions
--- a/roles/common/tasks/nis-install-server.yml
+++ b/roles/common/tasks/nis-install-server.yml
@@ -0,0 +1,268 @@
+---
+
+# ---
+# Install nis
+# ---
+
+- name: (nis-install-server.yml) Install nis common packages
+  package:
+    name: "{{ item }}"
+    state: present
+  with_items: "{{ nis_common_packages }}"
+  register: nis_installed
+  tags:
+    - nis-install
+    - nis-install-server
+
+- name: (nis-install-server.yml) Set (nis) default domain (/etc/defaultdomain)
+  template:
+    dest: /etc/defaultdomain  
+    src: etc/defaultdomain.j2
+    owner: root
+    group: root
+    mode: 0644
+  tags:
+    - nis-install
+    - nis-install-server
+
+- name: (nis-install-server.yml) Create preconfigured /etc/yp.conf on nis clients
+  template:
+    dest: /etc/yp.conf
+    src: etc/yp.conf.j2
+    owner: root
+    group: root
+    mode: 0644
+  tags:
+    - nis-install
+    - nis-install-client
+
+
+# ---
+# Since Debian 11 (bullseye) password hashing uses 'yescrypt' by default. 
+#
+# Note:
+#    'yescrypt' is not supported by Debian 10 (buster) nor by Ubuntu 18.04 and smaller
+#
+# ---
+
+- name: (nis-install-server.yml) Check if file '/etc/pam.d/common-password' exists 
+  stat:
+    path: /etc/pam.d/common-password
+  register: file_etc_pam_d_common_password
+  tags:
+    - nis-install
+    - nis-install-server
+  when:
+    - ansible_facts['distribution'] == "Debian"
+    - ansible_facts['distribution_major_version']|int >= 11
+
+- name: (nis-install-server.yml) Check if default hash for password is 'yescrypt'
+  shell: "grep -i -q -E  '^password.+yescrypt' /etc/pam.d/common-password"
+  register: presence_of_passwprd_hashing_yescrypt
+  changed_when: 
+    - presence_of_passwprd_hashing_yescrypt.rc < 1
+  failed_when:
+    - presence_of_passwprd_hashing_yescrypt.rc >= 2
+  when:
+    - ansible_facts['distribution'] == "Debian"
+    - ansible_distribution_major_version|int >= 11
+    - ansible_distribution_major_version|int <= 12
+    - file_etc_pam_d_common_password.stat.exists == True
+
+- name: (nis-install-server.yml) Change default password hash for local system accounts from SHA-512 to yescrypt
+  shell: perl -i -n -p -e "s/^(password.+)yescrypt/\1sha512/" /etc/pam.d/common-password
+  when:
+    - ansible_facts['distribution'] == "Debian"
+    - ansible_facts['distribution_major_version']|int >= 11
+    - ansible_facts['distribution_major_version']|int <= 12
+    - file_etc_pam_d_common_password.stat.exists == True
+    - presence_of_passwprd_hashing_yescrypt is changed
+
+
+# ---
+# /etc/default/nis
+# ---
+
+- name: (nis-install-server.yml) Check if file '/etc/default/nis.ORIG' exists
+  stat:
+    path: /etc/default/nis.ORIG
+  register: default_nis_exists
+  tags:
+    - nis-install
+    - nis-install-server
+
+- name: (nis-install-server.yml) Backup existing file /etc/default/nis
+  command: cp -a /etc/default/nis /etc/default/nis.ORIG
+  when:
+    - default_nis_exists.stat.exists == False
+  tags:
+    - nis-install
+    - nis-install-server
+
+- name: (nis-install-server.yml) Adjust file /etc/default/nis - set 'NISSERVER' (server)
+  replace:
+    path: /etc/default/nis
+    regexp: '^NISSERVER=.*'
+    replace: 'NISSERVER=master'
+  tags:
+    - nis-install
+    - nis-install-server
+
+- name: (nis-install-server.yml) Adjust file /etc/default/nis - set 'NISCLIENT' (server)
+  replace:
+    path: /etc/default/nis
+    regexp: '^NISCLIENT=.*'
+    replace: 'NISCLIENT=false'
+  tags:
+    - nis-install
+    - nis-install-server
+
+
+# ---
+# /etc/ypserv.securenets
+# ---
+
+- name: (nis-install-server.yml) Check if file '/etc/ypserv.securenets.ORIG' exists
+  stat:
+    path: /etc/ypserv.securenets.ORIG
+  register: ypserv_securenets_orig_exists
+  tags:
+    - nis-install
+    - nis-install-server
+
+- name: (nis-install-server.yml) Backup existing file /etc/ypserv.securenets
+  command: cp -a /etc/ypserv.securenets /etc/ypserv.securenets.ORIG
+  when:
+    - ypserv_securenets_orig_exists.stat.exists == False
+  tags:
+    - nis-install
+    - nis-install-server
+
+- name: (nis-install-server.yml) Comment line like '0.0.0.0 ..' to file /etc/ypserv.securenets
+  replace:
+    path: /etc/ypserv.securenets
+    regexp: '^(0.0.0.0\s+.*)'
+    replace: '#\1'
+  tags:
+    - nis-install
+    - nis-install-server
+
+- name: (nis-install-server.yml) Add '255.255.0.0 192.168.0.0' to file /etc/ypserv.securenets
+  lineinfile:
+    path: /etc/ypserv.securenets
+    line: '255.255.0.0 192.168.0.0'
+    insertafter: EOF
+    state: present
+    owner: root
+    group: root
+    mode: '0644'
+  tags:
+    - nis-install
+    - nis-install-server
+
+- name: (nis-install-server.yml) Add '255.0.0.0 10.0.0.0' to file /etc/ypserv.securenets
+  lineinfile:
+    path: /etc/ypserv.securenets
+    line: '255.0.0.0 10.0.0.0'
+    insertafter: EOF
+    state: present
+    owner: root
+    group: root
+    mode: '0644'
+  tags:
+    - nis-install
+    - nis-install-server
+
+- name: (nis-install-server.yml) Trigger '/usr/lib/yp/ypinit -m'
+  shell: printf '\n' | /usr/lib/yp/ypinit -m
+  when: nis_installed.changed
+  tags:
+    - nis-install
+    - nis-install-server
+
+
+# ---
+# Base directory containing users' home directory
+# ---
+
+- name: (nis-install-server.yml) Ensure directoriy 'nis_base_home' (usually /data/home) exists
+  file:
+    path: '{{ nis_base_home }}'
+    owner: root
+    group: root
+    mode: '0755'
+    state: directory
+  when:
+    - "groups['nis_server']|string is search(inventory_hostname)"
+  tags:
+    - nis-install
+    - nis-install-server
+
+
+# ---
+# /etc/adduser.conf
+# ---
+
+- name: (nis-install-server.yml) Check if file '/etc/adduser.conf.ORIG exists'
+  stat:
+    path: /etc/adduser.conf.ORIG
+  register: adduser_conf_exists
+  tags:
+    - nis-install
+    - nis-install-server
+
+- name: (nis-install-server.yml) Backup existing file /etc/adduser.conf
+  command: cp -a /etc/adduser.conf /etc/adduser.conf.ORIG
+  when:
+    - adduser_conf_exists.stat.exists == False
+  tags:
+    - nis-install
+    - nis-install-server
+
+- name: (nis-install-server.yml) Adjust file  '/etc/adduser.conf' - set 'DHOME'
+  replace:
+    path: /etc/adduser.conf
+    regexp: '^#?DHOME=.*'
+    replace: 'DHOME={{ nis_base_home }}'
+  tags:
+    - nis-install
+    - nis-install-server
+
+
+# ---
+# /var/yp/Makefile
+# ---
+
+- name: (nis-install-server.yml) Check if file '/var/yp/Makefile.ORIG exists'
+  stat:
+    path: /var/yp/Makefile.ORIG
+  register: adduser_conf_exists
+  tags:
+    - nis-install
+    - nis-install-server
+
+- name: (nis-install-server.yml) Backup existing file /var/yp/Makefile
+  command: cp -a /var/yp/Makefile /var/yp/Makefile.ORIG
+  when:
+    - adduser_conf_exists.stat.exists == False
+  tags:
+    - nis-install
+    - nis-install-server
+
+- name: (nis-install-server.yml) Adjust file  '/var/yp/Makefile'
+  replace:
+    path: /var/yp/Makefile
+    regexp: '^#?{{ item }}=.*'
+    replace: '{{ item }}=true'
+  with_items:
+    - MERGE_PASSWD
+    - MERGE_GROUP
+  notify: 
+    - Renew nis databases
+  tags:
+    - nis-install
+    - nis-install-server
+
+
+# TODO:
+# /var/yp/Makefile