From a9579060a4b93105f44862025904b018f7756069 Mon Sep 17 00:00:00 2001
From: Christoph
Date: Wed, 10 Nov 2021 15:53:08 +0100
Subject: [PATCH] update..
---
 roles/common/tasks/apt.yml | 36 +++---
 roles/common/tasks/luks.yml | 6 +
 roles/common/tasks/main.yml | 7 +
 roles/common/tasks/nfs.yml | 17 +++
 roles/common/tasks/nis-user.yml | 54 ++++----
 roles/common/tasks/nis_samba_user.yml | 121 ------------------
 roles/common/tasks/samba-remove-user.yml | 6 +-
 roles/common/tasks/system-remove-user.yml | 29 +++++
 .../common/tasks/ubuntu-x11vnc-2004-amd64.yml | 6 +-
 9 files changed, 111 insertions(+), 171 deletions(-)
 create mode 100644 roles/common/tasks/luks.yml
 delete mode 100644 roles/common/tasks/nis_samba_user.yml
 create mode 100644 roles/common/tasks/system-remove-user.yml
diff --git a/roles/common/tasks/apt.yml b/roles/common/tasks/apt.yml
index 202deb7..8d113ca 100644
--- a/roles/common/tasks/apt.yml
+++ b/roles/common/tasks/apt.yml
@@ -65,6 +65,7 @@
 name: "{{ apt_initial_install_stretch }}"
 state: "{{ apt_install_state }}"
 when:
+ - apt_initial_install_stretch is defined and apt_initial_install_stretch|length > 0
 - ansible_facts['distribution'] == "Debian"
 - ansible_facts['distribution_major_version'] == "9"
 tags:
@@ -76,12 +77,25 @@ name: "{{ apt_initial_install_buster }}" state: "{{ apt_install_state }}" when: + - apt_initial_install_buster is defined and apt_initial_install_buster|length > 0 - ansible_facts['distribution'] == "Debian" - ansible_facts['distribution_major_version'] == "10" tags: - apt-initial-install +- name: (apt.yml) Initial install debian packages (bullseye) + apt: + name: "{{ apt_initial_install_bullseye }}" + state: "{{ apt_install_state }}" + when: + - apt_initial_install_bullseye is defined and apt_initial_install_bullseye|length > 0 + - ansible_facts['distribution'] == "Debian" + - ansible_facts['distribution_major_version'] == "11" + tags: + - apt-initial-install + + - name: (apt.yml) Initial install ubuntu packages (bionic) apt: name: "{{ apt_initial_install_bionic }}" @@ -122,30 +136,15 @@ - apt-microcode -- name: (apt.yml) Ensure we have CPU microcode from backports for AMD CPU (debian stretch) - apt: - name: "{{ microcode_amd_package }}" - state: present - default_release: "{{ ansible_distribution_release }}-backports" - when: - - apt_backports_enable - - apt_debian_contrib_nonfree_enable - - ansible_facts['distribution'] == "Debian" - - ansible_facts['distribution_major_version'] == "9" - - ansible_facts['processor']|string is search("AMD") - tags: - - apt-initial-install - - apt-microcode - - -- name: (apt.yml) Install CPU microcode for Intel CPU (debian buster) +- name: (apt.yml) Install CPU microcode (debian buster/bullseye) apt: name: "{{ microcode_intel_package }}" state: present default_release: "{{ ansible_distribution_release }}" when: + - apt_debian_contrib_nonfree_enable - ansible_facts['distribution'] == "Debian" - - ansible_facts['distribution_major_version'] == "10" + - ansible_facts['distribution_major_version'] == "10" or ansible_facts['distribution_major_version'] == "11" - ansible_facts['processor']|string is search("Intel") tags: - apt-initial-install 
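Review bot: Removing the AMD microcode task in the second hunk leaves AMD hosts on buster/bullseye with no microcode package at all, because the surviving task, now named "Install CPU microcode (debian buster/bullseye)", still installs only `{{ microcode_intel_package }}` behind `is search("Intel")`. If that is intended the task name should say Intel; otherwise a parallel task for `microcode_amd_package` keyed on `is search("AMD")` is needed, since CPU vulnerability mitigations for AMD parts ship the same way and are as security-relevant as the Intel ones. The release test would also read more clearly as `ansible_facts['distribution_major_version'] in ["10", "11"]` instead of the two-way `or`. The commit message "update.." gives no rationale for dropping AMD, so this may simply be an oversight.
```yaml
# … unchanged: Intel microcode task (debian buster/bullseye) …

- name: (apt.yml) Install CPU microcode for AMD CPU (debian buster/bullseye)
  apt:
    name: "{{ microcode_amd_package }}"
    state: present
    default_release: "{{ ansible_distribution_release }}"
  when:
    - apt_debian_contrib_nonfree_enable
    - ansible_facts['distribution'] == "Debian"
    - ansible_facts['distribution_major_version'] in ["10", "11"]
    - ansible_facts['processor']|string is search("AMD")
  tags:
    - apt-initial-install
    - apt-microcode
```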
@@ -239,6 +238,7 @@ - apt-initial-install - apt-firmware + - name: (apt.yml) Install Firmware packages (Debian) apt: name: "{{ firmware_packages_debian }}" diff --git a/roles/common/tasks/luks.yml b/roles/common/tasks/luks.yml new file mode 100644 index 0000000..2905035 --- /dev/null +++ b/roles/common/tasks/luks.yml @@ -0,0 +1,6 @@ +- name: (luks.ym) add new key to the LUKS container (container has to exist) + luks_device: + device: "{{ luks_device }}" + keyfile: "{{ role_path + '/files/vault/luks_default_passwd' }}" + new_keyfile: "{{ role_path + '/files/vault/luks_chris_passwd' }}" + diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index a0786d4..8e6d7f0 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -101,6 +101,13 @@ - samba-remove-user +# tags supported inside system-remove-user.yml: +# +- import_tasks: system-remove-user.yml + tags: + - system-remove-user + + # tags supported inside system-user.yml: # # system-user diff --git a/roles/common/tasks/nfs.yml b/roles/common/tasks/nfs.yml index 00bf1c0..0960de8 100644 --- a/roles/common/tasks/nfs.yml +++ b/roles/common/tasks/nfs.yml @@ -44,6 +44,23 @@ tags: - nfs-server +- name: Enable service rpc-statd and ensure it is not masked + systemd: + name: rpc-statd + enabled: yes + masked: no + when: + - "groups['nfs_server']|string is search(inventory_hostname)" + +- name: Make sure service rpc-statd is running + systemd: + state: started + name: rpc-statd + when: + - "groups['nfs_server']|string is search(inventory_hostname)" + tags: + - nfs-server + # --- # NFS clients # --- diff --git a/roles/common/tasks/nis-user.yml b/roles/common/tasks/nis-user.yml index 409c438..b7754ed 100644 --- a/roles/common/tasks/nis-user.yml +++ b/roles/common/tasks/nis-user.yml 
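Review bot: The task name in luks.yml reads `(luks.ym)`; every other task on this page prefixes its own file name as `(file.yml)`, so it should be `- name: (luks.yml) add new key to the LUKS container (container has to exist)`. More substantively, the task adds the key from `luks_chris_passwd` but never retires the slot unlocked by `luks_default_passwd`, so after the run the container still opens with the default key material; if that default is meant to go away, a follow-up `luks_device` call with `remove_keyfile`, or a comment stating that both keys are intentionally kept, would make the intent explicit. Both paths are built from `role_path`, which is a controller-side path, while `luks_device` runs on the managed node and, as far as I recall, resolves `keyfile`/`new_keyfile` there — worth confirming this only ever targets localhost. The task also carries no `tags:`, unlike the rest of the role, and nothing in this commit imports luks.yml from main.yml.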
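Review bot: The new header comment `# tags supported inside system-remove-user.yml:` in main.yml is followed by a bare `#` and lists nothing, while the tasks in that file (added elsewhere in this commit) carry `nis-user` and `system-user`; the two lines after the heading should read `# nis-user` and `# system-user`, matching the `# system-user` listing that follows for system-user.yml. The `system-remove-user` tag on the `import_tasks` line is inherited by every imported task, so it need not be repeated in the per-file list.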
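Review bot: In nfs.yml the first new task ("Enable service rpc-statd and ensure it is not masked") has no `tags:` block while the second one is tagged `nfs-server`, so a run limited with `--tags nfs-server` skips the unmask/enable step and then tries to start a unit that may still be masked; give the first task the same `tags:` / `- nfs-server` block the second one shows. The guard `groups['nfs_server']|string is search(inventory_hostname)` is a substring match against the stringified group list, so a host named `nfs1` also matches a group that only contains `nfs10`; `when: inventory_hostname in groups['nfs_server']` tests membership exactly and reads as intended. `enabled: yes` / `masked: no` would also be better written as `true` / `false`, which is the boolean form the rest of the hunk's consumers expect.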
@@ -1,32 +1,32 @@ --- -# --- -# - Remove unwanted users -# --- - -- name: (nis_user.yml) Remove (old) users from system - user: - name: '{{ item.name }}' - state: absent - with_items: - - "{{ remove_nis_users }}" - loop_control: - label: '{{ item.name }}' - tags: - - nis-user - - system-user - -- name: (nis_user.yml) Remove home directory from deleted users - file: - path: '{{ nis_base_home }}/{{ item.name }}' - state: absent - with_items: - - "{{ remove_nis_users }}" - loop_control: - label: '{{ item.name }}' - tags: - - nis-user - - system-user +## # --- +## # - Remove unwanted users +## # --- +## +## - name: (nis_user.yml) Remove (old) users from system +## user: +## name: '{{ item.name }}' +## state: absent +## with_items: +## - "{{ remove_nis_users }}" +## loop_control: +## label: '{{ item.name }}' +## tags: +## - nis-user +## - system-user +## +## - name: (nis_user.yml) Remove home directory from deleted users +## file: +## path: '{{ nis_base_home }}/{{ item.name }}' +## state: absent +## with_items: +## - "{{ remove_nis_users }}" +## loop_control: +## label: '{{ item.name }}' +## tags: +## - nis-user +## - system-user # --- # - default user/groups diff --git a/roles/common/tasks/nis_samba_user.yml b/roles/common/tasks/nis_samba_user.yml deleted file mode 100644 index 31fe77b..0000000 --- a/roles/common/tasks/nis_samba_user.yml +++ /dev/null 
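Review bot: The two removal tasks in nis-user.yml are commented out with `##` rather than deleted, even though the same tasks now live in system-remove-user.yml in this commit, so the file keeps 27 lines of dead YAML that will drift from the live copy. Deleting them outright is cleaner, and git history already preserves the old text. If a pointer is wanted, a single line such as `# user removal moved to system-remove-user.yml` is enough.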
@@ -1,121 +0,0 @@ ---- - -# --- -# - Remove unwanted users -# --- - -- name: (nis_samba_user.yml) Check if samba user exists for removable nis user - shell: pdbedit -w -L | awk -F":" '{ print $1 }' | grep '{{ item.name }}' - register: samba_deleted_user_present - changed_when: "samba_deleted_user_present.rc == 0" - failed_when: "samba_deleted_user_present.rc > 1" - with_items: - - "{{ nis_deleted_user }}" - loop_control: - label: '{{ item.name }}' - tags: - - samba-user - - -- name: (nis_samba_user.yml) Remove (old) users from samba - shell: "smbpasswd -s -x {{ item.name }}" - with_items: - - "{{ nis_deleted_user }}" - loop_control: - label: '{{ item.name }}' - when: samba_deleted_user_present is changed - tags: - - samba-user - - -- name: (nis_samba_user.yml) Remove (old) users from system - user: - name: '{{ item.name }}' - state: absent - with_items: - - "{{ nis_deleted_user }}" - loop_control: - label: '{{ item.name }}' - tags: - - nis-user - - system-user - -- name: (nis_samba_user.yml) Remove home directory from deleted users - file: - path: '{{ nis_base_home }}/{{ item.name }}' - state: absent - with_items: - - "{{ nis_deleted_user }}" - loop_control: - label: '{{ item.name }}' - tags: - - nis-user - - system-user - -# --- -# - default user/groups -# --- - -- name: (nis_samba_user.yml) Ensure nis groups exists - group: - name: '{{ item.name }}' - state: present - gid: '{{ item.group_id | default(omit) }}' - loop: "{{ nis_groups }}" - loop_control: - label: '{{ item.name }}' - when: item.group_id is defined - notify: Renew nis databases - tags: - - nis-user - - system-user - -#- meta: end_host - -- name: (nis_samba_user.yml) Ensure nis users exists - user: - name: '{{ item.name }}' - state: present - uid: '{{ item.user_id | default(omit) }}' - #group: '{{ item.0.name | default(omit) }}' - groups: "{{ item.groups|join(', ') }}" - home: '{{ nis_base_home }}/{{ item.name }}' - shell: '{{ item.shell|d("/bin/bash") }}' - password: "{{ item.password | 
password_hash('sha512') }}" - update_password: on_create - append: yes - loop: "{{ nis_user }}" - loop_control: - label: '{{ item.name }}' - notify: Renew nis databases - tags: - - nis-user - - system-user - - -- name: (nis_samba_user.yml) Check if samba user exists for nis user - shell: pdbedit -w -L | awk -F":" '{ print $1 }' | grep '{{ item.name }}' - register: samba_nis_user_present - changed_when: "samba_nis_user_present.rc > 0" - failed_when: "samba_nis_user_present.rc > 1" - with_items: - - "{{ nis_user }}" - loop_control: - label: '{{ item.name }}' - when: - - item.is_samba_user is defined and item.is_samba_user|bool - tags: - - samba-user - -- name: (nis_samba_user.yml) Add nis user to samba (with nis users password) - shell: "echo -e '{{ item.password }}\n{{ item.password }}\n' | smbpasswd -s -a {{ item.name }}" - loop: "{{ nis_user }}" - loop_control: - label: '{{ item.name }}' - when: - - item.is_samba_user is defined and item.is_samba_user|bool - - samba_nis_user_present is changed - notify: Renew nis databases - tags: - - samba-user - diff --git a/roles/common/tasks/samba-remove-user.yml b/roles/common/tasks/samba-remove-user.yml index a246c4e..cdc0288 100644 --- a/roles/common/tasks/samba-remove-user.yml +++ b/roles/common/tasks/samba-remove-user.yml @@ -36,7 +36,7 @@ register: samba_remove_nis_users_present changed_when: "samba_remove_nis_users_present.rc == 0" failed_when: "samba_remove_nis_users_present.rc > 1" - with_items: + with_items: - "{{ remove_nis_users }}" loop_control: label: '{{ item.name }}' @@ -47,11 +47,11 @@ - name: (samba-remove-user.yml) Remove (old) nis users from samba shell: > smbpasswd -s -x {{ item.item.name }} - with_items: + with_items: - "{{ samba_remove_nis_users_present.results }}" loop_control: label: '{{ item.item.name }}' - when: + when: - item.changed tags: - samba-user diff --git a/roles/common/tasks/system-remove-user.yml b/roles/common/tasks/system-remove-user.yml new file mode 100644 index 0000000..97bff14 
--- /dev/null +++ b/roles/common/tasks/system-remove-user.yml @@ -0,0 +1,29 @@ +--- + +# --- +# - Remove unwanted users +# --- + +- name: (system-remove-user.yml) Remove (old) users from system + user: + name: '{{ item.name }}' + state: absent + with_items: + - "{{ remove_nis_users }}" + loop_control: + label: '{{ item.name }}' + tags: + - nis-user + - system-user + +- name: (system-remove-user.yml) Remove home directory from deleted users + file: + path: '{{ nis_base_home }}/{{ item.name }}' + state: absent + with_items: + - "{{ remove_nis_users }}" + loop_control: + label: '{{ item.name }}' + tags: + - nis-user + - system-user diff --git a/roles/common/tasks/ubuntu-x11vnc-2004-amd64.yml b/roles/common/tasks/ubuntu-x11vnc-2004-amd64.yml index 5d67afe..8d97abf 100644 --- a/roles/common/tasks/ubuntu-x11vnc-2004-amd64.yml +++ b/roles/common/tasks/ubuntu-x11vnc-2004-amd64.yml @@ -45,8 +45,10 @@ - name: "(ubuntu-x11vnc-2004-amd64.yml) Set permissions on /etc/x11vnc.pass" file: - path: "/etc/x11vnc.pass" - mode: 0644 + path: /etc/x11vnc.pass + owner: root + group: root + mode: 0644 - name: "(ubuntu-x11vnc-2004-amd64.yml) Transfer x11vnc.service.j2 to /lib/systemd/system/x11vnc.service" template:
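Review bot: Both tasks in system-remove-user.yml iterate `remove_nis_users` unconditionally, so a host whose inventory does not define that variable fails the play instead of skipping; the apt tasks in this commit guard the same pattern, and `when: remove_nis_users is defined` would do here. The second task removes `'{{ nis_base_home }}/{{ item.name }}'` with `state: absent` without checking `item.name`, so an empty name resolves to `nis_base_home` itself; adding `remove: true` to the `user` task deletes the account's recorded home directory and mail spool, and the `file` task could then be guarded with `when: item.name | length > 0`.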
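Review bot: `/etc/x11vnc.pass` holds the VNC access password, and `mode: 0644` leaves it readable by every local account; with the root ownership the hunk now adds, the task should set `mode: "0600"` unless a non-root x11vnc process has to read the file (the systemd unit is rendered by the next task, outside this hunk, so that cannot be checked here). Quoting the mode also avoids the YAML 1.1 octal parse of the bare `0644`, which only yields the intended bits because of the leading zero.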