commit 059d15868032b16586c0d0a2f2c13643304e563d
Author: Christoph
Date: Tue Aug 27 18:46:32 2019 +0200
Initial commit
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..1377554
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+*.swp
diff --git a/README.create_vault_string b/README.create_vault_string
new file mode 100644
index 0000000..aad081b
--- /dev/null
+++ b/README.create_vault_string
@@ -0,0 +1,12 @@
+
+# Create entcypted string
+#
+# ansible-vault encrypt_string '' --name 'password'
+#
+$ ansible-vault encrypt_string 'test100' --name 'password'
+password: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 33663235396237373338323536643030393235323266656333323934663431323531316638383962
+ 3536333065363364653561366464393262663832376339630a353236316431636338373034343566
+ 31373136613434636562353237653230633162613531313466366437663730633931346131396531
+ 3632653737643363350a306435656633343132366461346262623131323337633663363135313563
diff --git a/ansible.cfg b/ansible.cfg
new file mode 100644
index 0000000..2d3f20c
--- /dev/null
+++ b/ansible.cfg
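Review bot: The documented command passes the secret as an argv literal (`ansible-vault encrypt_string 'test100' --name 'password'`), so the plaintext lands in the shell history and is visible in the process list while it runs. Document the stdin form instead, `ansible-vault encrypt_string --stdin-name 'password'` (the value is typed at the prompt and terminated with Ctrl-D), and state that the vault blob below is only the example output for the value `test100` and must not be copied into group_vars.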
@@ -0,0 +1,43 @@
+# config file for ansible -- http://ansible.com/
+# ==============================================
+# exmaple:https://raw.github.com/ansible/ansible/devel/examples/ansible.cfg
+#
+# nearly all parameters can be overridden in ansible-playbook
+# or with command line flags. ansible will read ANSIBLE_CONFIG,
+# ansible.cfg in the current working directory, .ansible.cfg in
+# the home directory or /etc/ansible/ansible.cfg, whichever it
+# finds first
+
+
+[defaults]
+#ansible_managed = ** Ansible managed: DO NOT EDIT DIRECTLY **
+ansible_managed = ############################################ #
+ # -------------------------- #
+ # ** DO NOT EDIT DIRECTLY ** #
+ # -------------------------- #
+ # Ansible managed file #
+ # ############################################ #
+#gathering = smart
+#fact_caching = jsonfile
+#fact_caching_connection = ~/.cache/
+#fact_caching_timeout = 86400
+#forks = 20
+inventory = ./hosts
+remote_user = root
+ask_pass=True
+roles_path = ./roles
+vault_password_file = sprachenatelier_the_vault.sh
+#retry_files_enabled = False
+#allow_world_readable_tmpfiles = True
+interpreter_python: auto
+#interpreter_python: /usr/bin/python3
+
+[privilege_escalation]
+become=False
+
+[ssh_connection]
+
+# By default, this option is disabled to preserve compatibility with
+# sudoers configurations that have requiretty (the default on many distros).
+#
+#pipelining = True
diff --git a/common.yml b/common.yml
new file mode 100644
index 0000000..016774b
--- /dev/null
+++ b/common.yml
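Review bot: `remote_user = root` together with `ask_pass=True` makes every playbook run an interactive root password login over SSH, which is exactly the access pattern common.yml's header says the repository exists to remove, and with `become=False` there is no path to running as an unprivileged user later. Once `roles/ansible_user` has installed the admin keys I would set `remote_user = local`, drop `ask_pass`, and set `become=True` under `[privilege_escalation]`, so that root password authentication can then be disabled on the managed hosts. Separately, `interpreter_python: auto` mixes `:` and `=` delimiters in one INI file; configparser accepts both, but `interpreter_python = auto` matches the rest of the file.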
@@ -0,0 +1,20 @@
+---
+
+# Intended to be run once for every new server to secure the ssh connection allowing the team access
+# with their public keys. This script will lock itself out from every server it is run on.
+# Further playbooks are intended to be run by logging in as one of the created users.
+# It also ensures python2 is installed as it's necessary for the modules used in this playbook at
+# the time of this writing.
+
+# The used login data depends on the used server provider. In most cases the ansible_user will be
+# root, but we can't safely assume anything.
+# The following line is an example for securing a new vagrant maching, after running `vagrant up`:
+# ansible-playbook first_run.yml -i hosts -u vagrant --private-key='~/.vagrant.d/insecure_private_key'
+# For real providers it could look like:
+# ansible-playbook first_run.yml -i hosts -u root --private-key='~/.ssh/id_rsa'
+# If you don't have a ssh-key on the server and the server expects password authentication use:
+# ansible-playbook first_run.yml -i hosts -u root --ask-pass
+
+- hosts: all
+ roles:
+ - common
diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml
new file mode 100644
index 0000000..7d1cb35
--- /dev/null
+++ b/group_vars/all/main.yml
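Review bot: The header comment describes a playbook that hardens SSH and "will lock itself out from every server it is run on", but the play only applies the `common` role, whose tasks in this commit (nfs.yml, nis_samba_user.yml, user-systemfiles.yml, sudoers.yml, mount_samba_shares.yml) configure NFS, NIS/Samba users, sudoers and mount points and never touch sshd or authorized keys; the examples also invoke a `first_run.yml` that is not part of the commit. A stale hardening claim is a security problem in itself, because an operator reading this will assume password logins are already disabled. Replace the header with what the play does, e.g. `# Applies the common role (NFS exports/mounts, NIS+Samba users, sudoers, samba mount points) to all hosts. Runs as root per ansible.cfg. SSH hardening is NOT done here.`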
@@ -0,0 +1,419 @@ +--- + +# --- +# NFS +# --- + +nfs_server: 192.168.92.10 + +# Set 'fs_encrypted' to true if filesystem lives on an encrypted +# partition. +# +nfs_exports: + - src: 192.168.92.10:/data/home + path: /data/home + mount_opts: users,rsize=8192,wsize=8192,hard,intr + export_opt: rw,root_squash,sync,subtree_check + export_networks: + - 192.168.92.0/24 + - 10.0.92.0/24 + - 10.1.92.0/24 + - 192.168.63.0/24 + fs_encrypted: false + +# --- +# Samba / NIS +# --- + +samba_server: file-spr.sprachenatelier.netz + +samba_shares: + - name: Transfer + user: + - alina + - anahit + - andrea + - bueropraktikum + - chema + - chris + - eva + - hannah + - isadora + - konstantin + - kristin + - lara + - linda + - marei + - margit + - matija + - musa + - praktikant1 + - praktikant2 + - praktikant3 + - praktikant4 + - praktikant5 + - praktikant6 + - saravic + - sysadm + - tali + - thea + - name: Verwaltung + user: + - alina + - anahit + - andrea + - bueropraktikum + - chema + - chris + - eva + - hannah + - isadora + - konstantin + - kristin + - lara + - linda + - marei + - margit + - matija + - musa + - saravic + - sysadm + - tali + - thea + - name: Multimedia + user: + - chris + - margit + - musa + +nis_deleted_user: + - name: test-user + - name: gast + - name: s7 + + +nis_base_home: /data/home + +nis_groups: + - name: intern + group_id: 1100 + - name: buero + group_id: 1110 + - name: no-backup + group_id: 1120 + +nis_user: + - name: chris + groups: + - buero + - intern + - no-backup + is_samba_user: true + password: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 38643435653764393333613564393733666139656264343833333632373938323230393036303234 + 3633303562636465643930643961663165646237386664370a386362346162313037353163383365 + 61343263386239316164613935633062343165363863376462653165306464633136313839343962 + 3865353333373661390a643564386432643532396632323664383330646430613033643130626430 + 6139 + + - name: alina + groups: + - intern + - buero + is_samba_user: true + password: 
'140686' + + - name: anahit + groups: + - intern + - buero + is_samba_user: true + password: '150290' + + - name: andrea + groups: + - intern + - buero + - lpadmin + is_samba_user: true + password: 'kurse2010' + + - name: bueropraktikum + groups: + - intern + - buero + is_samba_user: true + password: 's2016bp' + + - name: chema + groups: + - intern + - buero + is_samba_user: true + password: 'spa2014' + + - name: elke + groups: + - intern + - buero + is_samba_user: true + password: 'luis11' + + - name: hannah + groups: + - intern + - buero + is_samba_user: true + password: '28031973' + + - name: isadora + groups: + - intern + - buero + is_samba_user: true + password: '270988' + + - name: konstantin + groups: + - intern + - buero + is_samba_user: true + password: '100978' + + - name: kristin + groups: + - intern + - buero + is_samba_user: true + password: '49371' + + - name: lara + groups: + - intern + - buero + - lpadmin + is_samba_user: true + password: 'sommer13' + + - name: linda + groups: + - intern + - buero + is_samba_user: true + password: '050381' + + - name: marei + groups: + - intern + - buero + is_samba_user: true + password: '220792' + + - name: margit + groups: + - intern + - buero + - no-backup + - lpadmin + is_samba_user: true + password: 'beelen10' + + - name: matija + groups: + - intern + - buero + is_samba_user: true + password: '010985' + + - name: musa + groups: + - intern + - buero + - no-backup + - lpadmin + is_samba_user: true + password: 'bermu18' + + - name: praktikant1 + groups: + - buero + is_samba_user: true + password: 'praktikant1' + + - name: praktikant2 + groups: + - buero + is_samba_user: true + password: 'praktikant2' + + - name: praktikant3 + groups: + - buero + is_samba_user: true + password: 'praktikant3' + + - name: praktikant4 + groups: + - buero + is_samba_user: true + password: 'praktikant4' + + - name: praktikant5 + groups: + - buero + is_samba_user: true + password: 'praktikant5' + + - name: praktikant6 + groups: + - buero 
+ is_samba_user: true + password: 'praktikant6' + + - name: s1 + groups: [] + is_samba_user: false + password: 's1' + + - name: s2 + groups: [] + is_samba_user: false + password: 's2' + + - name: s3 + groups: [] + is_samba_user: false + password: 's3' + + - name: s4 + groups: [] + is_samba_user: false + password: 's4' + + - name: s5 + groups: [] + is_samba_user: false + password: 's5' + + - name: s6 + groups: [] + is_samba_user: false + password: 's6' + + - name: saravic + groups: + - intern + - buero + is_samba_user: true + password: '2408' + + - name: tali + groups: + - intern + - buero + is_samba_user: true + password: '220686' + + - name: thea + groups: + - intern + - buero + is_samba_user: true + password: '060995' + + + +# --- +# vars used by roles/ansible_dependencies +# --- + +apt_ansible_dependencies: + - python + - python-apt + - python3 + - python3-apt + - lsb-release + - apt-transport-https + - dbus + - sudo + - vim + - net-tools + - vlan + + +# --- +# vars used by roles/ansible_user +# --- + +ssh_keys_admin: + - 'ssh-rsa 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 chris@luna' + - 'ssh-rsa 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 root@luna' + +ansible_remote_user: + - name: local + password: $6$hJSDt2xM$mWlfc6Ve11Y7F9J3KRapYGpN7KCD1IlbelYq/jd/xuG.UfK04nl2VOHJXVPYqC3H6q3VToAyD3yPqEcwT.KPA0 + shell: /bin/bash + + + +# --- +# vars used by roles/common/tasks/basic.yml +# --- + +time_zone: Europe/Berlin + +locales: + - en_US.UTF-8 + - de_DE.UTF-8 + +set_default_limit_nofile: false + + +# --- +# vars used by roles/common/tasks/sudoers.yml +# --- + +sudo_users: + - local + - chris + - sysadm + + +# /etc/sudoers +# +sudoers_defaults: + - env_reset + - mail_badpass + - 'secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"' + +sudoers_host_aliases: [] + +sudoers_user_aliases: [] + +sudoers_cmnd_aliases: [] + +sudoers_runas_aliases: [] + +sudoers_user_privileges: + - name: root + entry: 'ALL=(ALL:ALL) ALL' + 
+sudoers_group_privileges: [] + + + +# /etc/sudoers.d/50-user +# +sudoers_file_defaults: [] + +sudoers_file_host_aliases: [] + +sudoers_file_user_aliases: [] + +sudoers_file_cmnd_aliases: + - name: MOUNT + entry: '/bin/mount,/bin/umount' + +sudoers_file_runas_aliases: [] + diff --git a/host_vars/file-spr.sprachenatelier.netz.yml b/host_vars/file-spr.sprachenatelier.netz.yml new file mode 100644 index 0000000..165337e --- /dev/null +++ b/host_vars/file-spr.sprachenatelier.netz.yml @@ -0,0 +1,3 @@ +--- + +ansible_python_interpreter: /usr/bin/python3 diff --git a/hosts b/hosts new file mode 100644 index 0000000..afc457c --- /dev/null +++ b/hosts @@ -0,0 +1,54 @@ + +[initial_setup] +cl101.sprachenatelier.netz +cl102.sprachenatelier.netz +cl103.sprachenatelier.netz +cl104.sprachenatelier.netz +cl105.sprachenatelier.netz +cl106.sprachenatelier.netz +cl107.sprachenatelier.netz +cl108.sprachenatelier.netz +cl109.sprachenatelier.netz +file-spr.sprachenatelier.netz + +[client_pc] +cl101.sprachenatelier.netz +cl102.sprachenatelier.netz +cl103.sprachenatelier.netz +cl104.sprachenatelier.netz +cl105.sprachenatelier.netz +cl106.sprachenatelier.netz +cl107.sprachenatelier.netz +cl108.sprachenatelier.netz +cl109.sprachenatelier.netz + +[nfs_client] +cl101.sprachenatelier.netz +cl102.sprachenatelier.netz +cl103.sprachenatelier.netz +cl104.sprachenatelier.netz +cl105.sprachenatelier.netz +cl106.sprachenatelier.netz +cl107.sprachenatelier.netz +cl108.sprachenatelier.netz +cl109.sprachenatelier.netz + +[nis_client] +cl101.sprachenatelier.netz +cl102.sprachenatelier.netz +cl103.sprachenatelier.netz +cl104.sprachenatelier.netz +cl105.sprachenatelier.netz +cl106.sprachenatelier.netz +cl107.sprachenatelier.netz +cl108.sprachenatelier.netz +cl109.sprachenatelier.netz + +[file_server] +file-spr.sprachenatelier.netz + +[nfs_server] +file-spr.sprachenatelier.netz + +[nis_server] +file-spr.sprachenatelier.netz 
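Review bot: `nis_user` commits roughly thirty account passwords in cleartext, many of them six-digit dates or equal to the user name (`praktikant1`, `s1`), while only `chris` uses the `!vault` form that README.create_vault_string documents, so the file and its git history are now a credential dump. Every `password:` value should be vault-encrypted the same way, and because this commit has already exposed them they should be rotated rather than just encrypted in place. Note that these values are also rendered into each user's `.profile` by user-systemfiles.yml and piped to `smbpasswd` through a shell in nis_samba_user.yml, so encrypting them here does not remove the plaintext from the managed hosts. The `ansible_remote_user` entry is fine as it stores a crypt(3) SHA-512 hash, and `root_squash` on the NFS export is the right default.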
diff --git a/initialize-ansible.yml b/initialize-ansible.yml
new file mode 100644
index 0000000..c3a46f3
--- /dev/null
+++ b/initialize-ansible.yml
@@ -0,0 +1,16 @@
+---
+
+- hosts: initial_setup
+ #remote_user: root
+ #become: false
+ gather_facts: false
+
+# vars_prompt:
+#
+# - name: ansible_ssh_pass
+# prompt: "Give root's password here"
+
+
+ roles:
+ - ansible_dependencies
+ - ansible_user
diff --git a/poweroff-clients.yml b/poweroff-clients.yml
new file mode 100644
index 0000000..0056775
--- /dev/null
+++ b/poweroff-clients.yml
@@ -0,0 +1,10 @@
+---
+
+- hosts: client_pc
+ gather_facts: false
+
+ tasks:
+ - name: Power off client pcs
+ command: "/sbin/shutdown -h +1 >/dev/null 2>&1 &"
+
+
diff --git a/roles/ansible_dependencies/tasks/main.yml b/roles/ansible_dependencies/tasks/main.yml
new file mode 100644
index 0000000..749fd65
--- /dev/null
+++ b/roles/ansible_dependencies/tasks/main.yml
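Review bot: `command: "/sbin/shutdown -h +1 >/dev/null 2>&1 &"` does not go through a shell, so `>/dev/null`, `2>&1` and `&` are handed to shutdown as literal arguments instead of a redirection and a background operator; with the systemd shutdown they most likely become the wall message broadcast to logged-in users, and other implementations may reject them. Since `shutdown -h +1` returns immediately after scheduling, the redirections and backgrounding are unnecessary: `command: /sbin/shutdown -h +1`. If output really must be suppressed, use `shell:` so the operators are interpreted.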
@@ -0,0 +1,35 @@
+---
+
+- name: re-synchronize the package index files from their sources
+ raw: apt-get update
+
+- name: Ensure aptitude is present
+ raw: test -e /usr/bin/aptitude || apt-get install aptitude -y
+
+- name: Ensure python2 is present (This is necessary for ansible to work properly)
+ raw: test -e /usr/bin/python2 || (apt -y update && apt install -y python)
+
+- name: Ensure python-apt is present (This is necessary for ansible to work properly)
+ raw: test -e /usr/bin/python2 && (apt -y update && apt install -y python-apt)
+
+- name: Ensure python3 is present (This is necessary for ansible to work properly)
+ raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3)
+
+- name: Ensure python-apt is present (This is necessary for ansible to work properly)
+ raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3-apt)
+
+- name: apt upgrade
+ apt:
+ upgrade: dist
+ update_cache: true
+ dpkg_options: force-confdef,force-confold
+ tags:
+ - ansible-dependencies
+
+- name: apt install ansible dependencies
+ apt:
+ name: "{{ apt_ansible_dependencies }}"
+ state: latest
+ tags:
+ - ansible-dependencies
+
diff --git a/roles/ansible_user/tasks/main.yml b/roles/ansible_user/tasks/main.yml
new file mode 100644
index 0000000..01de5d3
--- /dev/null
+++ b/roles/ansible_user/tasks/main.yml
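Review bot: The two `python-apt` tasks test for the interpreter rather than the package, so neither does what its name says: `test -e /usr/bin/python2 && (... apt install -y python-apt)` reinstalls python-apt on every run wherever python2 exists, and `test -e /usr/bin/python3 || (... apt install -y python3-apt)` installs python3-apt only on hosts that lack python3 and skips the hosts that need it. Test the package instead: `raw: dpkg -s python-apt >/dev/null 2>&1 || apt install -y python-apt` and `raw: dpkg -s python3-apt >/dev/null 2>&1 || apt install -y python3-apt`. The `raw` tasks also report changed on every run, so a `changed_when` on their output would make the bootstrap idempotent, and an unconditional `upgrade: dist` plus `state: latest` in a dependency role applies uncontrolled package upgrades to every host each time the play runs.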
@@ -0,0 +1,48 @@
+---
+
+- name: Ensure remote users for ansible exists
+ user:
+ name: '{{ item.name }}'
+ state: present
+ uid: '{{ item.user_id | default(omit) }}'
+ #group: '{{ item.name | default(omit) }}'
+ shell: '{{ item.shell|d("/bin/bash") }}'
+ password: "{{ item.password }}"
+ update_password: on_create
+ with_items: '{{ ansible_remote_user }}'
+ loop_control:
+ label: ' user "{{ item.name }}" exists'
+ tags:
+ - ansible-remote-user
+
+- name: Ensure ansible user is part of sudo group
+ user:
+ name: "{{ item.name }}"
+ groups: sudo
+ append: yes
+ with_items: "{{ ansible_remote_user }}"
+ loop_control:
+ label: ' user "{{ item.name }}" is part of sudo group'
+ tags:
+ - sudo-users
+
+- name: Ensure authorized_key files are present for ansible user
+ authorized_key:
+ user: "{{ item.name }}"
+ key: "{{ ssh_keys_admin|join('\n') }}"
+ state: present
+ with_items:
+ - '{{ ansible_remote_user }}'
+ loop_control:
+ label: ' authorized_key of user "{{ item.name }}" is present'
+ tags:
+ - authorized_key
+
+- name: Ensure authorized_key files are present for user root
+ authorized_key:
+ user: root
+ key: "{{ ssh_keys_admin|join('\n') }}"
+ state: present
+ tags:
+ - authorized_key
+
diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml
new file mode 100644
index 0000000..a2a80e7
--- /dev/null
+++ b/roles/common/handlers/main.yml
@@ -0,0 +1,14 @@
+---
+
+- name: Renew nis databases
+ shell: make -C /var/yp
+ when:
+ - "groups['nis_server']|string is search(inventory_hostname)"
+
+- name: Reload nfs
+ service:
+ name: nfs-kernel-server
+ state: reloaded
+ enabled: yes
+ when:
+ - "groups['nfs_server']|string is search(inventory_hostname)"
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
new file mode 100644
index 0000000..1ecb2c4
--- /dev/null
+++ b/roles/common/tasks/main.yml
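Review bot: Both `authorized_key` tasks add the `ssh_keys_admin` keys with `state: present` only, so a key removed from the list later stays in `~local/.ssh/authorized_keys` and `/root/.ssh/authorized_keys` indefinitely; since this role is the only writer of those files, `exclusive: yes` would make the declared list authoritative and turn key revocation into a variable edit. The list also contains a `root@luna` key next to `chris@luna`, meaning a root-owned private key on the control host opens root on every managed machine, which deserves a comment on why a personal key is not sufficient. Installing keys for root at all contradicts common.yml's stated intent; if root SSH must remain, consider limiting it with `key_options: 'from="<admin network>"'` (the right network is not visible here).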
@@ -0,0 +1,40 @@
+---
+
+
+# tags supported inside nfs.yml:
+#
+# nfs-server
+# nfs-client
+- import_tasks: nfs.yml
+ tags:
+ - nfs
+# tags supported inside nis_samba_user.yml:
+#
+# samba-user
+# nis-user
+# system-user
+- import_tasks: nis_samba_user.yml
+ when: "groups['nis_server']|string is search(inventory_hostname)"
+ tags:
+ - nis-samba-user
+
+- import_tasks: user-systemfiles.yml
+ when: "groups['nis_server']|string is search(inventory_hostname)"
+ tags:
+ - user-systemfiles
+
+# tags supported inside sudoers.yml:
+#
+# sudoers-remove
+# sudoers-file-configuration
+# sudoers-global-configuration
+- import_tasks: sudoers.yml
+ when: "groups['client_pc']|string is search(inventory_hostname)"
+ tags:
+ - sudoers
+
+- import_tasks: mount_samba_shares.yml
+ when: "groups['client_pc']|string is search(inventory_hostname)"
+ tags:
+ - samba-shares
+
diff --git a/roles/common/tasks/mount_samba_shares.yml b/roles/common/tasks/mount_samba_shares.yml
new file mode 100644
index 0000000..0c5ac8f
--- /dev/null
+++ b/roles/common/tasks/mount_samba_shares.yml
@@ -0,0 +1,28 @@
+---
+
+
+- name: (mount_samba_shares.yml) Ensure (user separated) base mount directories for samba shares exists
+ file:
+ path: "/mnt/{{ item.name }}"
+ owner: "{{ item.name }}"
+ group: "{{ item.name }}"
+ mode: '0700'
+ state: directory
+ with_items: "{{ nis_user }}"
+ loop_control:
+ label: '{{ item.name }}'
+ when:
+ - item.is_samba_user is defined and item.is_samba_user|bool
+
+- name: (mount_samba_shares.yml) Ensure (user separated) mount directories for samba shares exists
+ file:
+ path: "/mnt/{{ item.1 }}/{{ item.0.name }}"
+ owner: "{{ item.1 }}"
+ group: "{{ item.1 }}"
+ mode: '0770'
+ state: directory
+ with_subelements:
+ - "{{ samba_shares }}"
+ - user
+ loop_control:
+ label: '{{ item.1 }} share: {{ item.0.name }}'
diff --git a/roles/common/tasks/nfs.yml b/roles/common/tasks/nfs.yml
new file mode 100644
index 0000000..86ac2ab
--- /dev/null
+++ b/roles/common/tasks/nfs.yml
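Review bot: Every `when:` here uses `groups['nis_server']|string is search(inventory_hostname)`, which stringifies the group list and evaluates the hostname as a regular expression against it; `.` in the FQDN matches any character and a prefix such as `cl10` would match `cl101.sprachenatelier.netz`, so a host outside the group can satisfy the condition and receive the server-side tasks. The idiomatic membership test is exact: `when: inventory_hostname in groups['nis_server']` (and likewise for `client_pc`). The same pattern appears in nfs.yml and the handlers and should be replaced there as well.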
@@ -0,0 +1,75 @@
+---
+
+# ---
+# NFS Server
+# ---
+
+- name: (nfs.yml) Ensure NFS utilities (server) are installed.
+ apt:
+ name:
+ - nfs-common
+ - nfs-kernel-server
+ state: present
+ when:
+ - ansible_os_family == "Debian"
+ - "groups['nfs_server']|string is search(inventory_hostname)"
+ tags:
+ - nfs-server
+
+- name: (nfs.yml) Ensure directories to export exist
+ file:
+ path: '{{ item.src.split(":")[1] }}'
+ owner: root
+ group: root
+ mode: '0755'
+ state: directory
+ with_items: "{{ nfs_exports }}"
+ when:
+ - "groups['nfs_server']|string is search(inventory_hostname)"
+ tags:
+ - nfs-server
+
+- name: (nfs.yml) Copy exports file.
+ template:
+ src: etc/exports.j2
+ dest: /etc/exports
+ owner: root
+ group: root
+ mode: 0644
+ when:
+ - "groups['nfs_server']|string is search(inventory_hostname)"
+ notify: Reload nfs
+ tags:
+ - nfs-server
+
+# ---
+# NFS clients
+# ---
+
+- name: (nfs.yml) Ensure NFS utilities (clients) are installed.
+ apt:
+ pkg: nfs-common
+ state: present
+ when:
+ - ansible_os_family == "Debian"
+ - "groups['nfs_client']|string is search(inventory_hostname)"
+ tags:
+ - nfs-client
+
+- name: (nfs.yml) NFS Mount exports from nfs server
+ mount:
+ path: "{{ item.path }}"
+ src: "{{ item.src }}"
+ fstype: nfs
+ opts: "{{ item.mount_opts }}"
+ dump: "{{ item.dump | default(omit) }}"
+ passno: "{{ item.passno | default(omit) }}"
+ state: mounted
+ loop: "{{ nfs_exports }}"
+ when:
+ - "groups['nfs_client']|string is search(inventory_hostname)"
+ tags:
+ - nfs-client
+
+
+
diff --git a/roles/common/tasks/nis_samba_user.yml b/roles/common/tasks/nis_samba_user.yml
new file mode 100644
index 0000000..097352a
--- /dev/null
+++ b/roles/common/tasks/nis_samba_user.yml
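Review bot: The client fstab entry is written from `mount_opts: users,rsize=8192,wsize=8192,hard,intr`, and `users` lets any local account mount or unmount `/data/home`, the tree holding every user's home directory, while `intr` has been a no-op since Linux 2.6.25; drop both from `nfs_exports[].mount_opts` so the `mount` task keeps it a system-only mount. More fundamentally the export is served with the default AUTH_SYS security to four /24 networks and no `sec=krb5*`, so any host on those subnets can present an arbitrary uid to read or write other users' files; `root_squash` only neutralises uid 0. If Kerberos is out of scope, document that assumption in the `nfs_exports` comment and narrow `export_networks` to the subnet the clients actually live on.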
@@ -0,0 +1,122 @@ +--- + +# --- +# - Remove unwanted users +# --- + +- name: (nis_samba_user.yml) Check if samba user exists for removable nis user + shell: pdbedit -w -L | awk -F":" '{ print $1 }' | grep '{{ item.name }}' + register: samba_deleted_user_present + changed_when: "samba_deleted_user_present.rc == 0" + failed_when: "samba_deleted_user_present.rc > 1" + with_items: + - "{{ nis_deleted_user }}" + loop_control: + label: '{{ item.name }}' + tags: + - samba-user + + +- name: (nis_samba_user.yml) Remove (old) users from samba + shell: "smbpasswd -s -x {{ item.name }}" + with_items: + - "{{ nis_deleted_user }}" + loop_control: + label: '{{ item.name }}' + when: samba_deleted_user_present is changed + tags: + - samba-user + + +- name: (nis_samba_user.yml) Remove (old) users from system + user: + name: '{{ item.name }}' + state: absent + with_items: + - "{{ nis_deleted_user }}" + loop_control: + label: '{{ item.name }}' + tags: + - nis-user + - system-user + +- name: (nis_samba_user.yml) Remove home directory from deleted users + file: + path: '{{ nis_base_home }}/{{ item.name }}' + state: absent + with_items: + - "{{ nis_deleted_user }}" + loop_control: + label: '{{ item.name }}' + tags: + - nis-user + - system-user + + +# --- +# - default user/groups +# --- + +- name: (nis_samba_user.yml) Ensure nis groups exists + group: + name: '{{ item.name }}' + state: present + gid: '{{ item.group_id | default(omit) }}' + loop: "{{ nis_groups }}" + loop_control: + label: '{{ item.name }}' + when: item.group_id is defined + notify: Renew nis databases + tags: + - nis-user + - system-user + +#- meta: end_host + +- name: (nis_samba_user.yml) Ensure nis users exists + user: + name: '{{ item.name }}' + state: present + uid: '{{ item.user_id | default(omit) }}' + #group: '{{ item.0.name | default(omit) }}' + groups: "{{ item.groups|join(', ') }}" + home: '{{ nis_base_home }}/{{ item.name }}' + shell: '{{ item.shell|d("/bin/bash") }}' + password: "{{ item.password | 
password_hash('sha512') }}" + update_password: on_create + append: yes + loop: "{{ nis_user }}" + loop_control: + label: '{{ item.name }}' + notify: Renew nis databases + tags: + - nis-user + - system-user + + +- name: (nis_samba_user.yml) Check if samba user exists for nis user + shell: pdbedit -w -L | awk -F":" '{ print $1 }' | grep '{{ item.name }}' + register: samba_nis_user_present + changed_when: "samba_nis_user_present.rc > 0" + failed_when: "samba_nis_user_present.rc > 1" + with_items: + - "{{ nis_user }}" + loop_control: + label: '{{ item.name }}' + when: + - item.is_samba_user is defined and item.is_samba_user|bool + tags: + - samba-user + +- name: (nis_samba_user.yml) Add nis user to samba (with nis users password) + shell: "echo -e '{{ item.password }}\n{{ item.password }}\n' | smbpasswd -s -a {{ item.name }}" + loop: "{{ nis_user }}" + loop_control: + label: '{{ item.name }}' + when: + - item.is_samba_user is defined and item.is_samba_user|bool + - samba_nis_user_present is changed + notify: Renew nis databases + tags: + - samba-user + diff --git a/roles/common/tasks/sudoers.yml b/roles/common/tasks/sudoers.yml new file mode 100644 index 0000000..fb277a6 --- /dev/null +++ b/roles/common/tasks/sudoers.yml @@ -0,0 +1,32 @@ +--- + +- name: (sudoers.yml) update specific sudoers configuration files (/etc/sudoers.d/) + template: + src: etc/sudoers.d/50-user.j2 + dest: /etc/sudoers.d/50-user + validate: visudo -cf %s + owner: root + group: root + mode: 0440 + tags: + - sudoers-file-configuration + +- name: (sudoers.yml) update global sudoers configuration file + template: + src: etc/sudoers.j2 + dest: /etc/sudoers + owner: root + group: root + mode: 0440 + validate: visudo -cf %s + tags: + - sudoers-global-configuration + +- name: (sudoers.yml) Ensure all sudo_users are in sudo group + user: + name: "{{ item }}" + groups: sudo + append: yes + with_items: "{{ sudo_users }}" + tags: + - sudo-users 
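Review bot: `shell: "echo -e '{{ item.password }}\n{{ item.password }}\n' | smbpasswd -s -a {{ item.name }}"` puts the cleartext password into the `sh -c` argument list, where every local user can read it via `ps` and where it is recorded in the Ansible output because the task has no `no_log`; a password containing `'` also breaks out of the quoting. Use the module's stdin support and suppress logging: `command: smbpasswd -s -a {{ item.name }}` with `stdin: "{{ item.password }}\n{{ item.password }}"` and `no_log: true`. The two presence checks use `grep '{{ item.name }}'` without anchoring, so `s1` matches `s10` and `chris` matches `christian`; `grep -Fx` (or `pdbedit -u {{ item.name }}`) gives an exact match. Finally `when: samba_deleted_user_present is changed` tests the aggregate of the loop, so once any deleted user exists in Samba the removal runs `smbpasswd -x` for all of them, including names it will not find.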
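Review bot: The last task runs `user: name: "{{ item }}" groups: sudo append: yes` over `sudo_users` on the `client_pc` hosts, and `sysadm` is defined in neither `nis_user` nor `ansible_remote_user`; where no such account exists the `user` module will create a fresh local `sysadm` with a locked password and sudo membership, which is unlikely to be intended. For the NIS-served account (`chris`) the underlying `usermod` fails on a client whose `/etc/passwd` does not contain the user, so the task needs to be limited to local accounts, for example by reading `getent passwd` first and adding `when: item in getent_passwd`. Validating both templates with `visudo -cf %s` before install is the right call.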
diff --git a/roles/common/tasks/user-systemfiles.yml b/roles/common/tasks/user-systemfiles.yml new file mode 100644 index 0000000..8ae8fe2 --- /dev/null +++ b/roles/common/tasks/user-systemfiles.yml @@ -0,0 +1,39 @@ +--- + +- name: (user-systemfiles.yml) Check if users file '.profile.ORIG' exists + stat: + path: "~{{ item.name }}/.profile.ORIG" + register: profile_user_orig_exists + loop: "{{ nis_user }}" + loop_control: + label: '{{ item.name }}' + when: + - item.is_samba_user is defined and item.is_samba_user|bool + tags: + - profile + +- name: (user-systemfiles.yml) Backup existing users .profile file + command: cp -a ~{{ item.item.name }}/.profile ~{{ item.item.name }}/.profile.ORIG + loop: "{{ profile_user_orig_exists.results }}" + loop_control: + label: '{{ item.item.name }}' + when: + - item.is_samba_user is defined and item.is_samba_user|bool + - item.stat.exists == False + tags: + - profile + +- name: (user-systemfiles.yml) Create new users .profile file + template: + src: user_homedirs/dot.profile.j2 + dest: "~{{ item.name }}/.profile" + owner: "{{ item.name }}" + group: "{{ item.name }}" + mode: 0644 + loop: "{{ nis_user }}" + loop_control: + label: '{{ item.name }}' + when: + - item.is_samba_user is defined and item.is_samba_user|bool + tags: + - profile diff --git a/roles/common/templates/etc/exports.j2 b/roles/common/templates/etc/exports.j2 new file mode 100644 index 0000000..62161dc --- /dev/null +++ b/roles/common/templates/etc/exports.j2 
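Review bot: The `.profile` written by the third task is `mode: 0644` and, per dot.profile.j2, contains `PASSWORD='{{ item.password }}'`, so every Samba user's cleartext password is world-readable in `/data/home/<user>/.profile`, a tree that nfs.yml exports read/write to four subnets. At minimum set `mode: 0600`; better, keep the credential out of `.profile` and write a separate `~/.smbcredentials` (0600) that the mount consumes via `credentials=`. Independently, the backup task never fires: its loop items are the registered results, so `item.is_samba_user is defined` is always false there and should read `item.item.is_samba_user is defined and item.item.is_samba_user|bool`, with `item.skipped is not defined` guarding the skipped entries before `item.stat.exists` is evaluated.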
@@ -0,0 +1,31 @@ +# {{ ansible_managed }} + +# /etc/exports: the access control list for filesystems which may be exported +# to NFS clients. See exports(5). +# +# Example for NFSv2 and NFSv3: +# /srv/homes hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check) +# +# Example for NFSv4: +# /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check) +# /srv/nfs4/homes gss/krb5i(rw,sync,no_subtree_check) +# + +{% set count = namespace(nfs_exports=100) %} +{% for export in nfs_exports %} + +{% set export_str= namespace(nfs_exports = export.src.split(":")[1]) %} + +{% set count.nfs_exports = count.nfs_exports + 10 %} +{% for network in export.export_networks %} +{% if export.fs_encrypted is defined and export.fs_encrypted is sameas true %} +{% set export_str.nfs_exports = export_str.nfs_exports~" "~network~"("~export.export_opt~",fsid="~count.nfs_exports~")" %} +#{{ export.src.split(":")[1] }} {{ network }}({{ export.export_opt }},fsid={{ count.nfs_exports }}) +{% else %} +{% set export_str.nfs_exports = export_str.nfs_exports~" "~network~"("~export.export_opt~")" %} +#{{ export.src.split(":")[1] }} {{ network }}({{ export.export_opt }}) +{% endif %} +{% endfor %} + +{{ export_str.nfs_exports }} +{% endfor %} diff --git a/roles/common/templates/etc/sudoers.d/50-user.j2 b/roles/common/templates/etc/sudoers.d/50-user.j2 new file mode 100644 index 0000000..ed81711 --- /dev/null +++ b/roles/common/templates/etc/sudoers.d/50-user.j2 
@@ -0,0 +1,34 @@
+# {{ ansible_managed }}
+
+{% for item in sudoers_file_defaults | default([]) %}
+Defaults {{ item }}
+{% endfor %}
+
+# Host alias specification
+{% for item in sudoers_file_host_aliases | default([]) %}
+Host_Alias {{ item.name }} = {{ item.entry }}
+{% endfor %}
+
+# User alias specification
+{% for item in sudoers_file_user_aliases | default([]) %}
+User_Alias {{ item.name }} = {{ item.entry }}
+{% endfor %}
+
+# Cmnd alias specification
+{% for item in sudoers_file_cmnd_aliases | default([]) %}
+Cmnd_Alias {{ item.name }} = {{ item.entry }}
+{% endfor %}
+
+# Runas alias specification
+{% for item in sudoers_file_runas_aliases | default([]) %}
+Runas_Alias {{ item.name }} = {{ item.entry }}
+{% endfor %}
+
+# User privilege specification
+
+{# rules for nis users #}
+{% for item in nis_user | default([]) %}
+{{ item.name }} ALL=(root)NOPASSWD: MOUNT
+{% endfor %}
+
+# Group privilege specification
diff --git a/roles/common/templates/etc/sudoers.j2 b/roles/common/templates/etc/sudoers.j2
new file mode 100644
index 0000000..d8ea85b
--- /dev/null
+++ b/roles/common/templates/etc/sudoers.j2
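Review bot: `{{ item.name }} ALL=(root)NOPASSWD: MOUNT`, with `MOUNT = /bin/mount,/bin/umount` coming from `sudoers_file_cmnd_aliases`, grants every NIS user unrestricted passwordless root `mount`, which is a direct root escalation: a user can bind-mount a directory they control over `/etc/sudoers.d` or `/etc/pam.d`, mount a crafted filesystem image containing setuid binaries, or `umount` other users' mount points. Restrict the alias to what the generated `.profile` actually runs, e.g. `Cmnd_Alias MOUNT = /bin/mount -t cifs //{{ samba_server }}/* /mnt/*, /bin/umount /mnt/*`, bearing in mind that sudoers wildcards also match whitespace so options can still be appended; the robust fix is to drop sudo entirely and list the shares in `/etc/fstab` with the `user` and `credentials=` options. The loop also grants this to every `nis_user` regardless of `is_samba_user`, so accounts with no share still receive it.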
@@ -0,0 +1,56 @@
+# {{ ansible_managed }}
+
+# This file MUST be edited with the 'visudo' command as root.
+#
+# Please consider adding local content in /etc/sudoers.d/ instead of
+# directly modifying this file.
+#
+# See the man page for details on how to write a sudoers file.
+#
+{% for item in sudoers_defaults %}
+{% if item != '' %}
+Defaults {{ item }}
+{% endif %}
+{% endfor %}
+
+# Host alias specification
+{% for item in sudoers_host_aliases | default([]) %}
+Host_Alias {{ item.name }} = {{ item.entry }}
+{% endfor %}
+
+# User alias specification
+{% for item in sudoers_user_aliases | default([]) %}
+User_Alias {{ item.name }} = {{ item.entry }}
+{% endfor %}
+
+# Cmnd alias specification
+{% for item in sudoers_cmnd_aliases | default([]) %}
+Cmnd_Alias {{ item.name }} = {{ item.entry }}
+{% endfor %}
+
+# Runas alias specification
+{% for item in sudoers_runas_aliases | default([]) %}
+Runas_Alias {{ item.name }} = {{ item.entry }}
+{% endfor %}
+
+# User privilege specification
+{% for item in sudoers_user_privileges | default([]) %}
+{{ item.name }} {{ item.entry }}
+{% endfor %}
+
+# Members of the admin group may gain root privileges
+%admin ALL=(ALL) ALL
+
+# Allow members of group sudo to execute any command
+%sudo ALL=(ALL:ALL) ALL
+
+# Group privilege specification
+
+{% for item in sudoers_group_privileges | default([]) %}
+{{ item.name }} {{ item.entry }}
+{% endfor %}
+
+# See sudoers(5) for more information on "#include" directives:
+
+#includedir /etc/sudoers.d
+
diff --git a/roles/common/templates/user_homedirs/dot.profile.j2 b/roles/common/templates/user_homedirs/dot.profile.j2
new file mode 100644
index 0000000..7817c0a
--- /dev/null
+++ b/roles/common/templates/user_homedirs/dot.profile.j2
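Review bot: `%admin ALL=(ALL) ALL` and `%sudo ALL=(ALL:ALL) ALL` are hard-coded above the "Group privilege specification" header while `sudoers_group_privileges` is left empty in group_vars, so the template has two sources of truth for group grants and the variable cannot be used to remove either line. Move them into `sudoers_group_privileges` (`- name: '%sudo'` / `entry: 'ALL=(ALL:ALL) ALL'`) and delete the literals, keeping the explanatory comments inside the loop if wanted. The `{% if item != '' %}` guard in the Defaults loop is inconsistent with the other loops, which accept their lists as-is; harmless, but either all loops should filter empty entries or none.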
@@ -0,0 +1,126 @@ +# {{ ansible_managed }} + +# ~/.profile: executed by the command interpreter for login shells. +# This file is not read by bash(1), if ~/.bash_profile or ~/.bash_login +# exists. +# see /usr/share/doc/bash/examples/startup-files for examples. +# the files are located in the bash-doc package. + +# the default umask is set in /etc/profile; for setting the umask +# for ssh logins, install and configure the libpam-umask package. +#umask 022 + +# if running bash +if [ -n "$BASH_VERSION" ]; then + # include .bashrc if it exists + if [ -f "$HOME/.bashrc" ]; then + . "$HOME/.bashrc" + fi +fi + +# set PATH so it includes user's private bin if it exists +if [ -d "$HOME/bin" ] ; then + PATH="$HOME/bin:$PATH" +fi + +# this is for the midnight-commander +# to become the last directory the midnight commander was in +# as the current directory when leaving the midnight commander +# +#. /usr/lib/mc/bin/mc.sh +# +if [ -f "/usr/share/mc/bin/mc.sh" ] ; then + source /usr/share/mc/bin/mc.sh +fi + +export LANG="de_DE.utf8" + +# --- +# Mmount samba shares +# --- + +# Don't try to mount samba shares if login at samba server +# +[[ "$(hostname --long)" = "{{ samba_server }}" ]] && return + +SERVER="{{ samba_server }}" +USER="{{ item.name }}" +PASSWORD='{{ item.password }}' +VERSION="1.0" + +# Use NTLMv2 password hashing and force packet signing +# +# SEC="ntlmv2i" +# +# Use NTLMv2 password hashing encapsulated in Raw NTLMSSP message, and force packet signing +# +# SEC="ntlmsspi" +# +SEC="ntlmsspi" + +# - uid/guid of the user at fielserver +# - +_UID="$(id -u)" +_GID="$(id -g)" + + +# Logfile to see what happened.. +# +_logfile=/tmp/profile_${USER}.log + + +echo "" > $_logfile +echo "$(date +"%Y-%m-%d-%H%M")" >> $_logfile + +# Network present +# +_network=false + +if [ "X$_addr" = "X" ] ; then + echo "no inet address assigned yet.." >> $_logfile + declare -i count=1 + while ! $_network && [[ $count -lt 5 ]] ; do + echo "sleeping 2 seconds.." 
>> $_logfile + sleep 2 + _addr="$(hostname --ip-address)" + if [ "X$_addr" != "X" ] ; then + _network=true + echo "inet address present: $_addr" >> $_logfile + fi + ((count++)) + done +fi + +for dir in $(ls /mnt/$USER) ; do + MOUNT_POINT=/mnt/$USER/$dir + SHARE=$dir + + [ ! -d $MOUNT_POINT ] && continue + + if ! mount | grep $MOUNT_POINT > /dev/null ; then + echo "Going to mount share '${SHARE}' .." >> $_logfile + if [ -x /usr/bin/smb4k_mount ]; then + ## - Ubuntu <= 12.04 + if [[ "$VERSION" = "1.0" ]]; then + sudo /usr/bin/smb4k_mount -o user=$USER,password=$PASSWORD,iocharset=utf8,vers=1.0 \ + -n -t cifs //$SERVER/$SHARE $MOUNT_POINT >> $_logfile 2>&1 + else + sudo /usr/bin/smb4k_mount -o user=$USER,password=$PASSWORD,iocharset=utf8,uid=$_UID,gid=$_GID,vers=$VERSION \ + -n -t cifs //$SERVER/$SHARE $MOUNT_POINT >> $_logfile 2>&1 + fi + else + ## - Ubuntu Version >= 14.04 + if [[ "$VERSION" = "1.0" ]]; then + sudo /bin/mount -o user=$USER,password=$PASSWORD,iocharset=utf8,cifsacl,vers=$VERSION \ + -n -t cifs //$SERVER/$SHARE $MOUNT_POINT >> $_logfile 2>&1 + else + sudo /bin/mount -o user=$USER,password=$PASSWORD,iocharset=utf8,cifsacl,uid=$USER,sec=${SEC},vers=$VERSION \ + -n -t cifs //$SERVER/$SHARE $MOUNT_POINT >> $_logfile 2>&1 + fi + fi + else + echo "mount point $MOUNT_POINT already exists. nothing left to do.." >> $_logfile + fi + +done + diff --git a/sprachenatelier_the_vault.sh b/sprachenatelier_the_vault.sh new file mode 100755 index 0000000..011ef7c --- /dev/null +++ b/sprachenatelier_the_vault.sh 
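Review bot: The mount commands pass `user=$USER,password=$PASSWORD` on the `sudo /bin/mount` command line, so the cleartext Samba password is visible in `ps` to every local user while the mount runs and is written by sudo to the system auth log as part of the logged COMMAND on every login. `VERSION="1.0"` additionally forces SMB1 (`vers=1.0`), and in that branch `sec=${SEC}` and the uid/gid options are not passed at all, so the signing setting documented above is dead configuration. Replace the option string with `-o credentials=$HOME/.smbcredentials,iocharset=utf8,cifsacl,uid=$_UID,gid=$_GID,sec=${SEC},vers=3.0`, with the credentials file written 0600 by the playbook. `_logfile=/tmp/profile_${USER}.log` is a predictable path in a world-writable directory truncated with `>` at login, which invites a symlink attack by another local user unless `fs.protected_symlinks` is enabled; `$HOME` or `mktemp` avoids it. `_addr` is also read before it is ever assigned, so the wait loop always starts as though the network were down.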
@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+
+echoerr() { echo "$@" 1>&2; }
+
+PWFILE="$HOME/.private/ansible/ansible-sprachenatelier-vault-passphrase"
+
+if test ! -f "$PWFILE"
+then
+ echoerr "File doesn't exist!"
+ exit 1
+fi
+
+perm=$(/bin/ls -l "$PWFILE" | awk '{print $1}')
+owner=$(/bin/ls -l "$PWFILE" | awk '{print $3}')
+group=$(/bin/ls -l "$PWFILE" | awk '{print $4}')
+#not everyone is using debian based foo. get primary group of user and test file group permission against it
+pgroup=$(id -gn)
+
+if [[ "$perm" != "-rw-------" ]] && [[ "$perm" != "-r--------" ]]
+then
+ echoerr "Wrong permissions!"
+ exit 1
+fi
+
+if test "$USER" != "$owner"
+then
+ echoerr "Wrong owner!"
+ exit 1
+fi
+
+if test "$pgroup" != "$group"
+then
+ echoerr "Wrong group!"
+ exit 1
+fi
+
+cat "$PWFILE"
+exit 0
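Review bot: The ownership check `test "$USER" != "$owner"` depends on the `USER` environment variable, which is not set on every invocation path (cron, `env -i`, some sudo configurations) and is attacker-settable, so the script can refuse a valid file or accept a foreign one if `USER` is made to match; the mode and owner are also scraped from `ls -l`, whose first column carries a trailing `+` or `.` on files with ACLs or SELinux labels, making the equality test fail there. Use `stat` and the real uid: `read -r perm owner group < <(stat -c '%a %U %G' "$PWFILE")`, then compare `"$perm"` against `600`/`400` and `"$owner"` against `"$(id -un)"`. Once the mode is confined to 0600/0400 the primary-group comparison is redundant, since the group has no access to the file either way.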