ansible/sprachenatelier
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Initial commit

Browse Source
This commit is contained in:
Christoph 2019-08-27 18:46:32 +02:00
commit 059d158680
23 changed files with 1296 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored Normal file
View File

@ -0,0 +1 @@
*.swp

12
README.create_vault_string Normal file
View File

@ -0,0 +1,12 @@
# Create entcypted string
#
# ansible-vault encrypt_string '<string-to-encrypt>' --name 'password'
#
$ ansible-vault encrypt_string 'test100' --name 'password'
password: !vault |
$ANSIBLE_VAULT;1.1;AES256
33663235396237373338323536643030393235323266656333323934663431323531316638383962
3536333065363364653561366464393262663832376339630a353236316431636338373034343566
31373136613434636562353237653230633162613531313466366437663730633931346131396531
3632653737643363350a306435656633343132366461346262623131323337633663363135313563

43
ansible.cfg Normal file
View File

@ -0,0 +1,43 @@
# config file for ansible -- http://ansible.com/
# ==============================================
# exmaple:https://raw.github.com/ansible/ansible/devel/examples/ansible.cfg
#
# nearly all parameters can be overridden in ansible-playbook
# or with command line flags. ansible will read ANSIBLE_CONFIG,
# ansible.cfg in the current working directory, .ansible.cfg in
# the home directory or /etc/ansible/ansible.cfg, whichever it
# finds first
[defaults]
#ansible_managed = ** Ansible managed: DO NOT EDIT DIRECTLY **
ansible_managed = ############################################ #
# -------------------------- #
# ** DO NOT EDIT DIRECTLY ** #
# -------------------------- #
# Ansible managed file #
# ############################################ #
#gathering = smart
#fact_caching = jsonfile
#fact_caching_connection = ~/.cache/
#fact_caching_timeout = 86400
#forks = 20
inventory = ./hosts
remote_user = root
ask_pass=True
roles_path = ./roles
vault_password_file = sprachenatelier_the_vault.sh
#retry_files_enabled = False
#allow_world_readable_tmpfiles = True
interpreter_python: auto
#interpreter_python: /usr/bin/python3
[privilege_escalation]
become=False
[ssh_connection]
# By default, this option is disabled to preserve compatibility with
# sudoers configurations that have requiretty (the default on many distros).
#
#pipelining = True

20
common.yml Normal file
View File

@ -0,0 +1,20 @@
---
# Intended to be run once for every new server to secure the ssh connection allowing the team access
# with their public keys. This script will lock itself out from every server it is run on.
# Further playbooks are intended to be run by logging in as one of the created users.
# It also ensures python2 is installed as it's necessary for the modules used in this playbook at
# the time of this writing.
# The used login data depends on the used server provider. In most cases the ansible_user will be
# root, but we can't safely assume anything.
# The following line is an example for securing a new vagrant maching, after running `vagrant up`:
# ansible-playbook first_run.yml -i hosts -u vagrant --private-key='~/.vagrant.d/insecure_private_key'
# For real providers it could look like:
# ansible-playbook first_run.yml -i hosts -u root --private-key='~/.ssh/id_rsa'
# If you don't have a ssh-key on the server and the server expects password authentication use:
# ansible-playbook first_run.yml -i hosts -u root --ask-pass
- hosts: all
roles:
- common

419
group_vars/all/main.yml Normal file
View File

@ -0,0 +1,419 @@
---
# ---
# NFS
# ---
nfs_server: 192.168.92.10
# Set 'fs_encrypted' to true if filesystem lives on an encrypted
# partition.
#
nfs_exports:
- src: 192.168.92.10:/data/home
path: /data/home
mount_opts: users,rsize=8192,wsize=8192,hard,intr
export_opt: rw,root_squash,sync,subtree_check
export_networks:
- 192.168.92.0/24
- 10.0.92.0/24
- 10.1.92.0/24
- 192.168.63.0/24
fs_encrypted: false
# ---
# Samba / NIS
# ---
samba_server: file-spr.sprachenatelier.netz
samba_shares:
- name: Transfer
user:
- alina
- anahit
- andrea
- bueropraktikum
- chema
- chris
- eva
- hannah
- isadora
- konstantin
- kristin
- lara
- linda
- marei
- margit
- matija
- musa
- praktikant1
- praktikant2
- praktikant3
- praktikant4
- praktikant5
- praktikant6
- saravic
- sysadm
- tali
- thea
- name: Verwaltung
user:
- alina
- anahit
- andrea
- bueropraktikum
- chema
- chris
- eva
- hannah
- isadora
- konstantin
- kristin
- lara
- linda
- marei
- margit
- matija
- musa
- saravic
- sysadm
- tali
- thea
- name: Multimedia
user:
- chris
- margit
- musa
nis_deleted_user:
- name: test-user
- name: gast
- name: s7
nis_base_home: /data/home
nis_groups:
- name: intern
group_id: 1100
- name: buero
group_id: 1110
- name: no-backup
group_id: 1120
nis_user:
- name: chris
groups:
- buero
- intern
- no-backup
is_samba_user: true
password: !vault |
$ANSIBLE_VAULT;1.1;AES256
38643435653764393333613564393733666139656264343833333632373938323230393036303234
3633303562636465643930643961663165646237386664370a386362346162313037353163383365
61343263386239316164613935633062343165363863376462653165306464633136313839343962
3865353333373661390a643564386432643532396632323664383330646430613033643130626430
6139
- name: alina
groups:
- intern
- buero
is_samba_user: true
password: '140686'
- name: anahit
groups:
- intern
- buero
is_samba_user: true
password: '150290'
- name: andrea
groups:
- intern
- buero
- lpadmin
is_samba_user: true
password: 'kurse2010'
- name: bueropraktikum
groups:
- intern
- buero
is_samba_user: true
password: 's2016bp'
- name: chema
groups:
- intern
- buero
is_samba_user: true
password: 'spa2014'
- name: elke
groups:
- intern
- buero
is_samba_user: true
password: 'luis11'
- name: hannah
groups:
- intern
- buero
is_samba_user: true
password: '28031973'
- name: isadora
groups:
- intern
- buero
is_samba_user: true
password: '270988'
- name: konstantin
groups:
- intern
- buero
is_samba_user: true
password: '100978'
- name: kristin
groups:
- intern
- buero
is_samba_user: true
password: '49371'
- name: lara
groups:
- intern
- buero
- lpadmin
is_samba_user: true
password: 'sommer13'
- name: linda
groups:
- intern
- buero
is_samba_user: true
password: '050381'
- name: marei
groups:
- intern
- buero
is_samba_user: true
password: '220792'
- name: margit
groups:
- intern
- buero
- no-backup
- lpadmin
is_samba_user: true
password: 'beelen10'
- name: matija
groups:
- intern
- buero
is_samba_user: true
password: '010985'
- name: musa
groups:
- intern
- buero
- no-backup
- lpadmin
is_samba_user: true
password: 'bermu18'
- name: praktikant1
groups:
- buero
is_samba_user: true
password: 'praktikant1'
- name: praktikant2
groups:
- buero
is_samba_user: true
password: 'praktikant2'
- name: praktikant3
groups:
- buero
is_samba_user: true
password: 'praktikant3'
- name: praktikant4
groups:
- buero
is_samba_user: true
password: 'praktikant4'
- name: praktikant5
groups:
- buero
is_samba_user: true
password: 'praktikant5'
- name: praktikant6
groups:
- buero
is_samba_user: true
password: 'praktikant6'
- name: s1
groups: []
is_samba_user: false
password: 's1'
- name: s2
groups: []
is_samba_user: false
password: 's2'
- name: s3
groups: []
is_samba_user: false
password: 's3'
- name: s4
groups: []
is_samba_user: false
password: 's4'
- name: s5
groups: []
is_samba_user: false
password: 's5'
- name: s6
groups: []
is_samba_user: false
password: 's6'
- name: saravic
groups:
- intern
- buero
is_samba_user: true
password: '2408'
- name: tali
groups:
- intern
- buero
is_samba_user: true
password: '220686'
- name: thea
groups:
- intern
- buero
is_samba_user: true
password: '060995'
# ---
# vars used by roles/ansible_dependencies
# ---
apt_ansible_dependencies:
- python
- python-apt
- python3
- python3-apt
- lsb-release
- apt-transport-https
- dbus
- sudo
- vim
- net-tools
- vlan
# ---
# vars used by roles/ansible_user
# ---
ssh_keys_admin:
- 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC5IhVprsvVOcFPbZzD9xR0nCjZ/9qVG6RhLJ7QBSts81nRvLwnmvcMBHSf5Rfaigey7Ff5dLHfJnxRE0KDATn6n2yd/5mXpn2GAA8hDVfhdsmsb5U7bROjZNr8MmIUrP7c3msUGx1FtvzhwxtyvIWOFQpWx+W5biBa6hFjIxT1pkUJqe6fclp7xbGYKZiqZRBS4qKG5CpKnisuOYDsqYPND+OkU+PShoxGVzp1JywIVze7qeKv6GyYbRA9SP9Np+5Mit6B21Io4zOI81c2Rz6sPX7mwEAQEs7iCm2hzG8qJws45Lb4ERqDkVEVhGNUyHjHgGebS1sZx1mLExdurXlPm1l/EamkncDFDCutHXtLP7lsFFiym7fKUjSEgiiLmyu5Xm+mwZvesKa1FYNaeiFWfYZpCJrNzIk+ffs+mgg3kmL4Sd4Ooy7jXPX+WJe5Xyh1KLU/+Wj2TVrhN+LbmupYAti/Wgd3DA1v601svmG82aLmyJRtKC0rGMePH3kDbtqU72kYpzI8mXERe1TIQ00Z77kQBR/7BF/9y5/0YmYDcXt1wNCoSie+mzz3xYcEdLAc7T+DhYpd4M6VgWnuz/exzRzhQwoSdEKkEED8CpEoBrEWEiMdrlElGmlkVomLU7P9i9j1rshX/pAq0asnqeSoPdC3vNbU3keiJQnhIHECvw== chris@luna'
- 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCyWbdnjnN/xfy1F6kPbsRXp8zvJEh8uHfTZuZKyaRV/iRuhsvqRiDB+AhUAlIaPwgQ8itaI6t5hijD+sZf+2oXXbNy3hkOHTrCDKCoVAWfMRKPuA1m8RqS4ZXXgayaeCzVnPEq6UrC5z0wO/XBwAktT37RRSQ/Hq2zCHy36NQEQYrhF3+ytX7ayb10pJAMVGRctYmr5YnLEVMSIREbPxZTNc80H1zqNPVJwYZhl8Ox61U4MoNhJmJwbKWPRPZsJpbTh9W2EU37tdwRBVQP6yxhua3TR6C7JnNPVY0IK23BYlNtQEDY4PHcIuewkamEWpP0+jhEjtwy1TqjRPdU/y+2uQjC6FSOVMsSPxgd8mw4cSsfp+Ard7P+YOevUXD81+jFZ3Wz0PRXbWMWAm2OCe7n8jVvkXMz+KxSYtrsvKNw1WugJq1z//bJNMTK6ISWpqaXDevGYQRJJ8dPbMmbey40WpS5CA/l29P7fj/cOl59w3LZGshrMOm7lVz9qysVV0ylfE3OpfKCGitkpY0Asw4lSkuLHoNZnDo6I5/ulRuKi6gsLk27LO5LYS8Zm1VOis/qHk1Gg1+QY47C4RzdTUxlU1CGesPIiQ1uUX2Z4bD7ebTrrOuEFcmNs3Wu5nif21Qq0ELEWhWby6ChFrbFHPn+hWlDwNM0Nr11ftwg0+sqVw== root@luna'
ansible_remote_user:
- name: local
password: $6$hJSDt2xM$mWlfc6Ve11Y7F9J3KRapYGpN7KCD1IlbelYq/jd/xuG.UfK04nl2VOHJXVPYqC3H6q3VToAyD3yPqEcwT.KPA0
shell: /bin/bash
# ---
# vars used by roles/common/tasks/basic.yml
# ---
time_zone: Europe/Berlin
locales:
- en_US.UTF-8
- de_DE.UTF-8
set_default_limit_nofile: false
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
sudo_users:
- local
- chris
- sysadm
# /etc/sudoers
#
sudoers_defaults:
- env_reset
- mail_badpass
- 'secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"'
sudoers_host_aliases: []
sudoers_user_aliases: []
sudoers_cmnd_aliases: []
sudoers_runas_aliases: []
sudoers_user_privileges:
- name: root
entry: 'ALL=(ALL:ALL) ALL'
sudoers_group_privileges: []
# /etc/sudoers.d/50-user
#
sudoers_file_defaults: []
sudoers_file_host_aliases: []
sudoers_file_user_aliases: []
sudoers_file_cmnd_aliases:
- name: MOUNT
entry: '/bin/mount,/bin/umount'
sudoers_file_runas_aliases: []

3
host_vars/file-spr.sprachenatelier.netz.yml Normal file
View File

@ -0,0 +1,3 @@
---
ansible_python_interpreter: /usr/bin/python3

54
hosts Normal file
View File

@ -0,0 +1,54 @@
[initial_setup]
cl101.sprachenatelier.netz
cl102.sprachenatelier.netz
cl103.sprachenatelier.netz
cl104.sprachenatelier.netz
cl105.sprachenatelier.netz
cl106.sprachenatelier.netz
cl107.sprachenatelier.netz
cl108.sprachenatelier.netz
cl109.sprachenatelier.netz
file-spr.sprachenatelier.netz
[client_pc]
cl101.sprachenatelier.netz
cl102.sprachenatelier.netz
cl103.sprachenatelier.netz
cl104.sprachenatelier.netz
cl105.sprachenatelier.netz
cl106.sprachenatelier.netz
cl107.sprachenatelier.netz
cl108.sprachenatelier.netz
cl109.sprachenatelier.netz
[nfs_client]
cl101.sprachenatelier.netz
cl102.sprachenatelier.netz
cl103.sprachenatelier.netz
cl104.sprachenatelier.netz
cl105.sprachenatelier.netz
cl106.sprachenatelier.netz
cl107.sprachenatelier.netz
cl108.sprachenatelier.netz
cl109.sprachenatelier.netz
[nis_client]
cl101.sprachenatelier.netz
cl102.sprachenatelier.netz
cl103.sprachenatelier.netz
cl104.sprachenatelier.netz
cl105.sprachenatelier.netz
cl106.sprachenatelier.netz
cl107.sprachenatelier.netz
cl108.sprachenatelier.netz
cl109.sprachenatelier.netz
[file_server]
file-spr.sprachenatelier.netz
[nfs_server]
file-spr.sprachenatelier.netz
[nis_server]
file-spr.sprachenatelier.netz

16
initialize-ansible.yml Normal file
View File

@ -0,0 +1,16 @@
---
- hosts: initial_setup
#remote_user: root
#become: false
gather_facts: false
# vars_prompt:
#
# - name: ansible_ssh_pass
# prompt: "Give root's password here"
roles:
- ansible_dependencies
- ansible_user

10
poweroff-clients.yml Normal file
View File

@ -0,0 +1,10 @@
---
- hosts: client_pc
gather_facts: false
tasks:
- name: Power off client pcs
command: "/sbin/shutdown -h +1 >/dev/null 2>&1 &"

35
roles/ansible_dependencies/tasks/main.yml Normal file
View File

@ -0,0 +1,35 @@
---
- name: re-synchronize the package index files from their sources
raw: apt-get update
- name: Ensure aptitude is present
raw: test -e /usr/bin/aptitude || apt-get install aptitude -y
- name: Ensure python2 is present (This is necessary for ansible to work properly)
raw: test -e /usr/bin/python2 || (apt -y update && apt install -y python)
- name: Ensure python-apt is present (This is necessary for ansible to work properly)
raw: test -e /usr/bin/python2 && (apt -y update && apt install -y python-apt)
- name: Ensure python3 is present (This is necessary for ansible to work properly)
raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3)
- name: Ensure python-apt is present (This is necessary for ansible to work properly)
raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3-apt)
- name: apt upgrade
apt:
upgrade: dist
update_cache: true
dpkg_options: force-confdef,force-confold
tags:
- ansible-dependencies
- name: apt install ansible dependencies
apt:
name: "{{ apt_ansible_dependencies }}"
state: latest
tags:
- ansible-dependencies

48
roles/ansible_user/tasks/main.yml Normal file
View File

@ -0,0 +1,48 @@
---
- name: Ensure remote users for ansible exists
user:
name: '{{ item.name }}'
state: present
uid: '{{ item.user_id | default(omit) }}'
#group: '{{ item.name | default(omit) }}'
shell: '{{ item.shell|d("/bin/bash") }}'
password: "{{ item.password }}"
update_password: on_create
with_items: '{{ ansible_remote_user }}'
loop_control:
label: ' user "{{ item.name }}" exists'
tags:
- ansible-remote-user
- name: Ensure ansible user is part of sudo group
user:
name: "{{ item.name }}"
groups: sudo
append: yes
with_items: "{{ ansible_remote_user }}"
loop_control:
label: ' user "{{ item.name }}" is part of sudo group'
tags:
- sudo-users
- name: Ensure authorized_key files are present for ansible user
authorized_key:
user: "{{ item.name }}"
key: "{{ ssh_keys_admin|join('\n') }}"
state: present
with_items:
- '{{ ansible_remote_user }}'
loop_control:
label: ' authorized_key of user "{{ item.name }}" is present'
tags:
- authorized_key
- name: Ensure authorized_key files are present for user root
authorized_key:
user: root
key: "{{ ssh_keys_admin|join('\n') }}"
state: present
tags:
- authorized_key

14
roles/common/handlers/main.yml Normal file
View File

@ -0,0 +1,14 @@
---
- name: Renew nis databases
shell: make -C /var/yp
when:
- "groups['nis_server']|string is search(inventory_hostname)"
- name: Reload nfs
service:
name: nfs-kernel-server
state: reloaded
enabled: yes
when:
- "groups['nfs_server']|string is search(inventory_hostname)"

40
roles/common/tasks/main.yml Normal file
View File

@ -0,0 +1,40 @@
---
# tags supported inside nfs.yml:
#
# nfs-server
# nfs-client
- import_tasks: nfs.yml
tags:
- nfs
# tags supported inside nis_samba_user.yml:
#
# samba-user
# nis-user
# system-user
- import_tasks: nis_samba_user.yml
when: "groups['nis_server']|string is search(inventory_hostname)"
tags:
- nis-samba-user
- import_tasks: user-systemfiles.yml
when: "groups['nis_server']|string is search(inventory_hostname)"
tags:
- user-systemfiles
# tags supported inside sudoers.yml:
#
# sudoers-remove
# sudoers-file-configuration
# sudoers-global-configuration
- import_tasks: sudoers.yml
when: "groups['client_pc']|string is search(inventory_hostname)"
tags:
- sudoers
- import_tasks: mount_samba_shares.yml
when: "groups['client_pc']|string is search(inventory_hostname)"
tags:
- samba-shares

28
roles/common/tasks/mount_samba_shares.yml Normal file
View File

@ -0,0 +1,28 @@
---
- name: (mount_samba_shares.yml) Ensure (user separated) base mount directories for samba shares exists
file:
path: "/mnt/{{ item.name }}"
owner: "{{ item.name }}"
group: "{{ item.name }}"
mode: '0700'
state: directory
with_items: "{{ nis_user }}"
loop_control:
label: '{{ item.name }}'
when:
- item.is_samba_user is defined and item.is_samba_user|bool
- name: (mount_samba_shares.yml) Ensure (user separated) mount directories for samba shares exists
file:
path: "/mnt/{{ item.1 }}/{{ item.0.name }}"
owner: "{{ item.1 }}"
group: "{{ item.1 }}"
mode: '0770'
state: directory
with_subelements:
- "{{ samba_shares }}"
- user
loop_control:
label: '{{ item.1 }} share: {{ item.0.name }}'

75
roles/common/tasks/nfs.yml Normal file
View File

@ -0,0 +1,75 @@
---
# ---
# NFS Server
# ---
- name: (nfs.yml) Ensure NFS utilities (server) are installed.
apt:
name:
- nfs-common
- nfs-kernel-server
state: present
when:
- ansible_os_family == "Debian"
- "groups['nfs_server']|string is search(inventory_hostname)"
tags:
- nfs-server
- name: (nfs.yml) Ensure directories to export exist
file:
path: '{{ item.src.split(":")[1] }}'
owner: root
group: root
mode: '0755'
state: directory
with_items: "{{ nfs_exports }}"
when:
- "groups['nfs_server']|string is search(inventory_hostname)"
tags:
- nfs-server
- name: (nfs.yml) Copy exports file.
template:
src: etc/exports.j2
dest: /etc/exports
owner: root
group: root
mode: 0644
when:
- "groups['nfs_server']|string is search(inventory_hostname)"
notify: Reload nfs
tags:
- nfs-server
# ---
# NFS clients
# ---
- name: (nfs.yml) Ensure NFS utilities (clients) are installed.
apt:
pkg: nfs-common
state: present
when:
- ansible_os_family == "Debian"
- "groups['nfs_client']|string is search(inventory_hostname)"
tags:
- nfs-client
- name: (nfs.yml) NFS Mount exports from nfs server
mount:
path: "{{ item.path }}"
src: "{{ item.src }}"
fstype: nfs
opts: "{{ item.mount_opts }}"
dump: "{{ item.dump | default(omit) }}"
passno: "{{ item.passno | default(omit) }}"
state: mounted
loop: "{{ nfs_exports }}"
when:
- "groups['nfs_client']|string is search(inventory_hostname)"
tags:
- nfs-client

122
roles/common/tasks/nis_samba_user.yml Normal file
View File

@ -0,0 +1,122 @@
---
# ---
# - Remove unwanted users
# ---
- name: (nis_samba_user.yml) Check if samba user exists for removable nis user
shell: pdbedit -w -L | awk -F":" '{ print $1 }' | grep '{{ item.name }}'
register: samba_deleted_user_present
changed_when: "samba_deleted_user_present.rc == 0"
failed_when: "samba_deleted_user_present.rc > 1"
with_items:
- "{{ nis_deleted_user }}"
loop_control:
label: '{{ item.name }}'
tags:
- samba-user
- name: (nis_samba_user.yml) Remove (old) users from samba
shell: "smbpasswd -s -x {{ item.name }}"
with_items:
- "{{ nis_deleted_user }}"
loop_control:
label: '{{ item.name }}'
when: samba_deleted_user_present is changed
tags:
- samba-user
- name: (nis_samba_user.yml) Remove (old) users from system
user:
name: '{{ item.name }}'
state: absent
with_items:
- "{{ nis_deleted_user }}"
loop_control:
label: '{{ item.name }}'
tags:
- nis-user
- system-user
- name: (nis_samba_user.yml) Remove home directory from deleted users
file:
path: '{{ nis_base_home }}/{{ item.name }}'
state: absent
with_items:
- "{{ nis_deleted_user }}"
loop_control:
label: '{{ item.name }}'
tags:
- nis-user
- system-user
# ---
# - default user/groups
# ---
- name: (nis_samba_user.yml) Ensure nis groups exists
group:
name: '{{ item.name }}'
state: present
gid: '{{ item.group_id | default(omit) }}'
loop: "{{ nis_groups }}"
loop_control:
label: '{{ item.name }}'
when: item.group_id is defined
notify: Renew nis databases
tags:
- nis-user
- system-user
#- meta: end_host
- name: (nis_samba_user.yml) Ensure nis users exists
user:
name: '{{ item.name }}'
state: present
uid: '{{ item.user_id | default(omit) }}'
#group: '{{ item.0.name | default(omit) }}'
groups: "{{ item.groups|join(', ') }}"
home: '{{ nis_base_home }}/{{ item.name }}'
shell: '{{ item.shell|d("/bin/bash") }}'
password: "{{ item.password | password_hash('sha512') }}"
update_password: on_create
append: yes
loop: "{{ nis_user }}"
loop_control:
label: '{{ item.name }}'
notify: Renew nis databases
tags:
- nis-user
- system-user
- name: (nis_samba_user.yml) Check if samba user exists for nis user
shell: pdbedit -w -L | awk -F":" '{ print $1 }' | grep '{{ item.name }}'
register: samba_nis_user_present
changed_when: "samba_nis_user_present.rc > 0"
failed_when: "samba_nis_user_present.rc > 1"
with_items:
- "{{ nis_user }}"
loop_control:
label: '{{ item.name }}'
when:
- item.is_samba_user is defined and item.is_samba_user|bool
tags:
- samba-user
- name: (nis_samba_user.yml) Add nis user to samba (with nis users password)
shell: "echo -e '{{ item.password }}\n{{ item.password }}\n' | smbpasswd -s -a {{ item.name }}"
loop: "{{ nis_user }}"
loop_control:
label: '{{ item.name }}'
when:
- item.is_samba_user is defined and item.is_samba_user|bool
- samba_nis_user_present is changed
notify: Renew nis databases
tags:
- samba-user

32
roles/common/tasks/sudoers.yml Normal file
View File

@ -0,0 +1,32 @@
---
- name: (sudoers.yml) update specific sudoers configuration files (/etc/sudoers.d/)
template:
src: etc/sudoers.d/50-user.j2
dest: /etc/sudoers.d/50-user
validate: visudo -cf %s
owner: root
group: root
mode: 0440
tags:
- sudoers-file-configuration
- name: (sudoers.yml) update global sudoers configuration file
template:
src: etc/sudoers.j2
dest: /etc/sudoers
owner: root
group: root
mode: 0440
validate: visudo -cf %s
tags:
- sudoers-global-configuration
- name: (sudoers.yml) Ensure all sudo_users are in sudo group
user:
name: "{{ item }}"
groups: sudo
append: yes
with_items: "{{ sudo_users }}"
tags:
- sudo-users

39
roles/common/tasks/user-systemfiles.yml Normal file
View File

@ -0,0 +1,39 @@
---
- name: (user-systemfiles.yml) Check if users file '.profile.ORIG' exists
stat:
path: "~{{ item.name }}/.profile.ORIG"
register: profile_user_orig_exists
loop: "{{ nis_user }}"
loop_control:
label: '{{ item.name }}'
when:
- item.is_samba_user is defined and item.is_samba_user|bool
tags:
- profile
- name: (user-systemfiles.yml) Backup existing users .profile file
command: cp -a ~{{ item.item.name }}/.profile ~{{ item.item.name }}/.profile.ORIG
loop: "{{ profile_user_orig_exists.results }}"
loop_control:
label: '{{ item.item.name }}'
when:
- item.is_samba_user is defined and item.is_samba_user|bool
- item.stat.exists == False
tags:
- profile
- name: (user-systemfiles.yml) Create new users .profile file
template:
src: user_homedirs/dot.profile.j2
dest: "~{{ item.name }}/.profile"
owner: "{{ item.name }}"
group: "{{ item.name }}"
mode: 0644
loop: "{{ nis_user }}"
loop_control:
label: '{{ item.name }}'
when:
- item.is_samba_user is defined and item.is_samba_user|bool
tags:
- profile

31
roles/common/templates/etc/exports.j2 Normal file
View File

@ -0,0 +1,31 @@
# {{ ansible_managed }}
# /etc/exports: the access control list for filesystems which may be exported
# to NFS clients. See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes gss/krb5i(rw,sync,no_subtree_check)
#
{% set count = namespace(nfs_exports=100) %}
{% for export in nfs_exports %}
{% set export_str= namespace(nfs_exports = export.src.split(":")[1]) %}
{% set count.nfs_exports = count.nfs_exports + 10 %}
{% for network in export.export_networks %}
{% if export.fs_encrypted is defined and export.fs_encrypted is sameas true %}
{% set export_str.nfs_exports = export_str.nfs_exports~" "~network~"("~export.export_opt~",fsid="~count.nfs_exports~")" %}
#{{ export.src.split(":")[1] }} {{ network }}({{ export.export_opt }},fsid={{ count.nfs_exports }})
{% else %}
{% set export_str.nfs_exports = export_str.nfs_exports~" "~network~"("~export.export_opt~")" %}
#{{ export.src.split(":")[1] }} {{ network }}({{ export.export_opt }})
{% endif %}
{% endfor %}
{{ export_str.nfs_exports }}
{% endfor %}

34
roles/common/templates/etc/sudoers.d/50-user.j2 Normal file
View File

@ -0,0 +1,34 @@
# {{ ansible_managed }}
{% for item in sudoers_file_defaults | default([]) %}
Defaults {{ item }}
{% endfor %}
# Host alias specification
{% for item in sudoers_file_host_aliases | default([]) %}
Host_Alias {{ item.name }} = {{ item.entry }}
{% endfor %}
# User alias specification
{% for item in sudoers_file_user_aliases | default([]) %}
User_Alias {{ item.name }} = {{ item.entry }}
{% endfor %}
# Cmnd alias specification
{% for item in sudoers_file_cmnd_aliases | default([]) %}
Cmnd_Alias {{ item.name }} = {{ item.entry }}
{% endfor %}
# Runas alias specification
{% for item in sudoers_file_runas_aliases | default([]) %}
Runas_Alias {{ item.name }} = {{ item.entry }}
{% endfor %}
# User privilege specification
{# rules for nis users #}
{% for item in nis_user | default([]) %}
{{ item.name }} ALL=(root)NOPASSWD: MOUNT
{% endfor %}
# Group privilege specification

56
roles/common/templates/etc/sudoers.j2 Normal file
View File

@ -0,0 +1,56 @@
# {{ ansible_managed }}
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
{% for item in sudoers_defaults %}
{% if item != '' %}
Defaults {{ item }}
{% endif %}
{% endfor %}
# Host alias specification
{% for item in sudoers_host_aliases | default([]) %}
Host_Alias {{ item.name }} = {{ item.entry }}
{% endfor %}
# User alias specification
{% for item in sudoers_user_aliases | default([]) %}
User_Alias {{ item.name }} = {{ item.entry }}
{% endfor %}
# Cmnd alias specification
{% for item in sudoers_cmnd_aliases | default([]) %}
Cmnd_Alias {{ item.name }} = {{ item.entry }}
{% endfor %}
# Runas alias specification
{% for item in sudoers_runas_aliases | default([]) %}
Runas_Alias {{ item.name }} = {{ item.entry }}
{% endfor %}
# User privilege specification
{% for item in sudoers_user_privileges | default([]) %}
{{ item.name }} {{ item.entry }}
{% endfor %}
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# Group privilege specification
{% for item in sudoers_group_privileges | default([]) %}
{{ item.name }} {{ item.entry }}
{% endfor %}
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d

126
roles/common/templates/user_homedirs/dot.profile.j2 Normal file
View File

@ -0,0 +1,126 @@
# {{ ansible_managed }}
# ~/.profile: executed by the command interpreter for login shells.
# This file is not read by bash(1), if ~/.bash_profile or ~/.bash_login
# exists.
# see /usr/share/doc/bash/examples/startup-files for examples.
# the files are located in the bash-doc package.
# the default umask is set in /etc/profile; for setting the umask
# for ssh logins, install and configure the libpam-umask package.
#umask 022
# if running bash
if [ -n "$BASH_VERSION" ]; then
# include .bashrc if it exists
if [ -f "$HOME/.bashrc" ]; then
. "$HOME/.bashrc"
fi
fi
# set PATH so it includes user's private bin if it exists
if [ -d "$HOME/bin" ] ; then
PATH="$HOME/bin:$PATH"
fi
# this is for the midnight-commander
# to become the last directory the midnight commander was in
# as the current directory when leaving the midnight commander
#
#. /usr/lib/mc/bin/mc.sh
#
if [ -f "/usr/share/mc/bin/mc.sh" ] ; then
source /usr/share/mc/bin/mc.sh
fi
export LANG="de_DE.utf8"
# ---
# Mmount samba shares
# ---
# Don't try to mount samba shares if login at samba server
#
[[ "$(hostname --long)" = "{{ samba_server }}" ]] && return
SERVER="{{ samba_server }}"
USER="{{ item.name }}"
PASSWORD='{{ item.password }}'
VERSION="1.0"
# Use NTLMv2 password hashing and force packet signing
#
# SEC="ntlmv2i"
#
# Use NTLMv2 password hashing encapsulated in Raw NTLMSSP message, and force packet signing
#
# SEC="ntlmsspi"
#
SEC="ntlmsspi"
# - uid/guid of the user at fielserver
# -
_UID="$(id -u)"
_GID="$(id -g)"
# Logfile to see what happened..
#
_logfile=/tmp/profile_${USER}.log
echo "" > $_logfile
echo "$(date +"%Y-%m-%d-%H%M")" >> $_logfile
# Network present
#
_network=false
if [ "X$_addr" = "X" ] ; then
echo "no inet address assigned yet.." >> $_logfile
declare -i count=1
while ! $_network && [[ $count -lt 5 ]] ; do
echo "sleeping 2 seconds.." >> $_logfile
sleep 2
_addr="$(hostname --ip-address)"
if [ "X$_addr" != "X" ] ; then
_network=true
echo "inet address present: $_addr" >> $_logfile
fi
((count++))
done
fi
for dir in $(ls /mnt/$USER) ; do
MOUNT_POINT=/mnt/$USER/$dir
SHARE=$dir
[ ! -d $MOUNT_POINT ] && continue
if ! mount | grep $MOUNT_POINT > /dev/null ; then
echo "Going to mount share '${SHARE}' .." >> $_logfile
if [ -x /usr/bin/smb4k_mount ]; then
## - Ubuntu <= 12.04
if [[ "$VERSION" = "1.0" ]]; then
sudo /usr/bin/smb4k_mount -o user=$USER,password=$PASSWORD,iocharset=utf8,vers=1.0 \
-n -t cifs //$SERVER/$SHARE $MOUNT_POINT >> $_logfile 2>&1
else
sudo /usr/bin/smb4k_mount -o user=$USER,password=$PASSWORD,iocharset=utf8,uid=$_UID,gid=$_GID,vers=$VERSION \
-n -t cifs //$SERVER/$SHARE $MOUNT_POINT >> $_logfile 2>&1
fi
else
## - Ubuntu Version >= 14.04
if [[ "$VERSION" = "1.0" ]]; then
sudo /bin/mount -o user=$USER,password=$PASSWORD,iocharset=utf8,cifsacl,vers=$VERSION \
-n -t cifs //$SERVER/$SHARE $MOUNT_POINT >> $_logfile 2>&1
else
sudo /bin/mount -o user=$USER,password=$PASSWORD,iocharset=utf8,cifsacl,uid=$USER,sec=${SEC},vers=$VERSION \
-n -t cifs //$SERVER/$SHARE $MOUNT_POINT >> $_logfile 2>&1
fi
fi
else
echo "mount point $MOUNT_POINT already exists. nothing left to do.." >> $_logfile
fi
done

38
sprachenatelier_the_vault.sh Executable file
View File

@ -0,0 +1,38 @@
#!/usr/bin/env bash
echoerr() { echo "$@" 1>&2; }
PWFILE="$HOME/.private/ansible/ansible-sprachenatelier-vault-passphrase"
if test ! -f "$PWFILE"
then
echoerr "File doesn't exist!"
exit 1
fi
perm=$(/bin/ls -l "$PWFILE" | awk '{print $1}')
owner=$(/bin/ls -l "$PWFILE" | awk '{print $3}')
group=$(/bin/ls -l "$PWFILE" | awk '{print $4}')
#not everyone is using debian based foo. get primary group of user and test file group permission against it
pgroup=$(id -gn)
if [[ "$perm" != "-rw-------" ]] && [[ "$perm" != "-r--------" ]]
then
echoerr "Wrong permissions!"
exit 1
fi
if test "$USER" != "$owner"
then
echoerr "Wrong owner!"
exit 1
fi
if test "$pgroup" != "$group"
then
echoerr "Wrong group!"
exit 1
fi
cat "$PWFILE"
exit 0