vm-ansible/roles/realmd/tasks/main.yaml

---
- name: "Install realmd and dependencies"
  ansible.builtin.apt:
    update_cache: yes
    state: present
    name:
     - realmd
     - sssd
     - sssd-tools
     - libnss-sss
     - libpam-sss
     - adcli
     - samba-common-bin
     - oddjob
     - oddjob-mkhomedir
     - packagekit

- name: Check if computer is joined to domain
  ansible.builtin.lineinfile:
    state: absent
    path: /etc/sssd/sssd.conf
    line: "^ad_access_filter"
  check_mode: true
  changed_when: false
  register: checkjoined

- name: "Get join password from local environment variable"
  ansible.builtin.set_fact:
    join_passw: "{{ lookup('env', 'JOIN_PASSW') }}"
  delegate_to: localhost
  when: checkjoined.found == 0

- name: Join to AD with realmd
  ansible.builtin.shell:
    cmd: echo {{ join_passw }} | realm join -v -U tormakris_admin intra.tormakris.dev
  when: checkjoined.found == 0

- name: Enable pam homedir create on first logon
  ansible.builtin.command:
    cmd: pam-auth-update --enable mkhomedir

- name: Check if ad_gpo_access_control is disabled
  ansible.builtin.lineinfile:
    state: absent
    path: /etc/sssd/sssd.conf
    regexp: "^ad_gpo_access_control"
  check_mode: true
  changed_when: false
  register: checkadgpoac

- name: Set ad_gpo_access_control to disabled
  ansible.builtin.lineinfile:
    state: present
    path: /etc/sssd/sssd.conf
    line: "ad_gpo_access_control = disabled"
  when: checkadgpoac.found == 0

- name: Check if ad_access_filter is set
  ansible.builtin.lineinfile:
    state: absent
    path: /etc/sssd/sssd.conf
    regexp: "^ad_access_filter"
  check_mode: true
  changed_when: false
  register: checkadaf

- name: Set ad_gpo_access_control to disabled
  ansible.builtin.lineinfile:
    state: present
    path: /etc/sssd/sssd.conf
    line: "ad_access_filter = memberOf=CN=LinuxUsers,OU=Service Groups,DC=intra,DC=tormakris,DC=dev"
  when: checkadaf.found == 0

- name: "Restart sssd"
  ansible.builtin.service:
    name: sssd
    state: restarted

- name: Check if group is presend in sudoers
  ansible.builtin.lineinfile:
    state: absent
    path: /etc/sudoers
    regexp: "^%linuxadmins"
  check_mode: true
  changed_when: false
  register: checksudoers

- name: Define group in sudoers
  ansible.builtin.lineinfile:
    state: present
    path: /etc/sudoers
    line: "%linuxadmins@intra.tormakris.dev ALL=(ALL) NOPASSWD: ALL"
  when: checksudoers.found == 0
...
add realm and update ci 2023-07-25 14:46:24 +02:00			`---`
			`- name: "Install realmd and dependencies"`
			`ansible.builtin.apt:`
			`update_cache: yes`
			`state: present`
			`name:`
			`- realmd`
			`- sssd`
			`- sssd-tools`
			`- libnss-sss`
			`- libpam-sss`
			`- adcli`
			`- samba-common-bin`
			`- oddjob`
			`- oddjob-mkhomedir`
			`- packagekit`

update everything to be ad compatible 2023-07-25 16:58:19 +02:00			`- name: Check if computer is joined to domain`
			`ansible.builtin.lineinfile:`
			`state: absent`
			`path: /etc/sssd/sssd.conf`
			`line: "^ad_access_filter"`
			`check_mode: true`
			`changed_when: false`
			`register: checkjoined`

add realm and update ci 2023-07-25 14:46:24 +02:00			`- name: "Get join password from local environment variable"`
			`ansible.builtin.set_fact:`
			`join_passw: "{{ lookup('env', 'JOIN_PASSW') }}"`
			`delegate_to: localhost`
fix vikunja 2023-08-14 20:23:20 +02:00			`when: checkjoined.found == 0`
add realm and update ci 2023-07-25 14:46:24 +02:00
			`- name: Join to AD with realmd`
			`ansible.builtin.shell:`
change user 2023-08-05 23:49:39 +02:00			`cmd: echo {{ join_passw }} \| realm join -v -U tormakris_admin intra.tormakris.dev`
fix vikunja 2023-08-14 20:23:20 +02:00			`when: checkjoined.found == 0`
add realm and update ci 2023-07-25 14:46:24 +02:00
			`- name: Enable pam homedir create on first logon`
			`ansible.builtin.command:`
			`cmd: pam-auth-update --enable mkhomedir`

			`- name: Check if ad_gpo_access_control is disabled`
			`ansible.builtin.lineinfile:`
			`state: absent`
			`path: /etc/sssd/sssd.conf`
			`regexp: "^ad_gpo_access_control"`
			`check_mode: true`
			`changed_when: false`
			`register: checkadgpoac`

			`- name: Set ad_gpo_access_control to disabled`
			`ansible.builtin.lineinfile:`
			`state: present`
			`path: /etc/sssd/sssd.conf`
			`line: "ad_gpo_access_control = disabled"`
fix vikunja 2023-08-14 20:23:20 +02:00			`when: checkadgpoac.found == 0`
add realm and update ci 2023-07-25 14:46:24 +02:00
			`- name: Check if ad_access_filter is set`
			`ansible.builtin.lineinfile:`
			`state: absent`
			`path: /etc/sssd/sssd.conf`
			`regexp: "^ad_access_filter"`
			`check_mode: true`
			`changed_when: false`
			`register: checkadaf`

			`- name: Set ad_gpo_access_control to disabled`
			`ansible.builtin.lineinfile:`
			`state: present`
			`path: /etc/sssd/sssd.conf`
			`line: "ad_access_filter = memberOf=CN=LinuxUsers,OU=Service Groups,DC=intra,DC=tormakris,DC=dev"`
fix vikunja 2023-08-14 20:23:20 +02:00			`when: checkadaf.found == 0`
add realm and update ci 2023-07-25 14:46:24 +02:00
			`- name: "Restart sssd"`
			`ansible.builtin.service:`
			`name: sssd`
			`state: restarted`
replace usernames 2023-07-25 15:00:05 +02:00
			`- name: Check if group is presend in sudoers`
			`ansible.builtin.lineinfile:`
			`state: absent`
			`path: /etc/sudoers`
			`regexp: "^%linuxadmins"`
			`check_mode: true`
			`changed_when: false`
			`register: checksudoers`

			`- name: Define group in sudoers`
			`ansible.builtin.lineinfile:`
			`state: present`
more corrections 2023-07-25 15:59:06 +02:00			`path: /etc/sudoers`
replace usernames 2023-07-25 15:00:05 +02:00			`line: "%linuxadmins@intra.tormakris.dev ALL=(ALL) NOPASSWD: ALL"`
fix vikunja 2023-08-14 20:23:20 +02:00			`when: checksudoers.found == 0`
add realm and update ci 2023-07-25 14:46:24 +02:00			`...`