---
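- name: "Install realmd and dependencies"
  # realmd performs the domain join; sssd plus libnss-sss/libpam-sss provide
  # AD user/group lookups and PAM authentication; oddjob-mkhomedir backs the
  # mkhomedir PAM module enabled later in this role.
  apt:
    update_cache: true
    # Only refresh the package index when it is older than an hour, so repeat
    # runs of the role do not hit the mirrors every time.
    cache_valid_time: 3600
    state: present
    name:
      - realmd
      - sssd
      - sssd-tools
      - libnss-sss
      - libpam-sss
      - adcli
      - samba-common-bin
      - oddjob
      - oddjob-mkhomedir
      - packagekit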
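- name: Check if computer is joined to domain
  # Ask realmd directly. The previous probe grepped sssd.conf with
  # lineinfile's `line:` (a literal match, not a regexp), so it never found
  # anything and `realm join` re-ran on every play; it also errored on a fresh
  # host where sssd.conf does not exist yet. `realm list --name-only` prints
  # one configured realm per line and nothing when the host is not joined.
  command:
    cmd: realm list --name-only
  register: realm_list
  changed_when: false
  # Run even under --check so the conditions below always have a value.
  check_mode: false

- name: Record whether the host is already joined
  set_fact:
    domain_joined: "{{ 'intra.tormakris.dev' in realm_list.stdout_lines }}"

- name: "Get join password from local environment variable"
  # lookup('env') is always evaluated on the controller, so JOIN_PASSW must be
  # exported in the shell that runs ansible-playbook (delegate_to is not
  # needed for that). no_log keeps the value out of task output and logs.
  set_fact:
    join_passw: "{{ lookup('env', 'JOIN_PASSW') }}"
  no_log: true
  when: not (domain_joined | bool)

- name: Fail early if no join password was supplied
  # An unset JOIN_PASSW would otherwise surface as an opaque realm join error.
  assert:
    that:
      - join_passw | length > 0
    fail_msg: "JOIN_PASSW is not set on the controller; cannot join intra.tormakris.dev"
  when: not (domain_joined | bool)

- name: Join to AD with realmd
  # The password goes to realm on stdin (the command module appends a newline,
  # matching the old `echo ... |`) instead of being interpolated into a shell
  # command line. A password containing shell metacharacters can therefore
  # neither break the command nor inject into it, and it never appears in a
  # logged command string. no_log hides the stdin value from task output.
  command:
    cmd: realm join -v -U tormakris_admin intra.tormakris.dev
    stdin: "{{ join_passw }}"
  no_log: true
  when: not (domain_joined | bool)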
- name: Enable pam homedir create on first logon
  # Turns on the mkhomedir PAM profile so AD users get a home directory on
  # first login. The command module cannot tell whether anything changed, so
  # this task reports "changed" on every run.
  command:
    argv:
      - pam-auth-update
      - --enable
      - mkhomedir
- name: Check if ad_gpo_access_control is disabled
  # Read-only probe: state=absent under check_mode never touches the file, it
  # only reports the number of matching lines in `found`.
  lineinfile:
    path: /etc/sssd/sssd.conf
    regexp: "^ad_gpo_access_control"
    state: absent
  check_mode: true
  changed_when: false
  register: checkadgpoac
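- name: Set ad_gpo_access_control to disabled
  # SECURITY: with GPO access control disabled SSSD no longer evaluates the AD
  # logon-rights GPOs (allow/deny log on locally etc.) for this host; who may
  # log in is then decided by ad_access_filter alone. Keep this deliberate.
  # regexp lets the task replace an existing value instead of appending a
  # duplicate; insertafter places the option inside the [domain/...] section
  # realm join created rather than at end of file (falls back to EOF when the
  # header is not found, i.e. the previous behaviour).
  lineinfile:
    path: /etc/sssd/sssd.conf
    regexp: '^ad_gpo_access_control\s*='
    line: "ad_gpo_access_control = disabled"
    insertafter: '^\[domain/intra\.tormakris\.dev\]'
    state: present
  when: checkadgpoac.found == 0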
- name: Check if ad_access_filter is set
  # Read-only probe: state=absent under check_mode never touches the file, it
  # only reports the number of matching lines in `found`.
  lineinfile:
    path: /etc/sssd/sssd.conf
    regexp: "^ad_access_filter"
    state: absent
  check_mode: true
  changed_when: false
  register: checkadaf
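- name: Set ad_access_filter to the LinuxUsers group
  # (Task was mis-named "Set ad_gpo_access_control to disabled", duplicating
  # the task above.) Limits logins to members of LinuxUsers. memberOf matches
  # direct membership only; nested groups are not expanded unless the
  # transitive form (memberOf:1.2.840.113556.1.4.1941:=...) is used. With GPO
  # access control disabled, this filter is effectively the host's only
  # SSSD-level login gate.
  # regexp lets the task replace an existing value instead of appending a
  # duplicate; insertafter places the option inside the [domain/...] section
  # realm join created rather than at end of file (falls back to EOF when the
  # header is not found, i.e. the previous behaviour).
  lineinfile:
    path: /etc/sssd/sssd.conf
    regexp: '^ad_access_filter\s*='
    line: "ad_access_filter = memberOf=CN=LinuxUsers,OU=Service Groups,DC=intra,DC=tormakris,DC=dev"
    insertafter: '^\[domain/intra\.tormakris\.dev\]'
    state: present
  when: checkadaf.found == 0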
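- name: "Restart sssd"
  # Unconditional restart so the sssd.conf edits above take effect; a handler
  # notified only on change would avoid bouncing sssd on every run.
  # enabled: true additionally guarantees the service comes back at boot.
  service:
    name: sssd
    state: restarted
    enabled: true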
- name: Check if group is present in sudoers
  # Read-only probe: state=absent under check_mode never touches the file, it
  # only reports the number of matching lines in `found`.
  lineinfile:
    path: /etc/sudoers
    regexp: "^%linuxadmins"
    state: absent
  check_mode: true
  changed_when: false
  register: checksudoers
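- name: Define group in sudoers
  # SECURITY: grants the AD group passwordless root on every host this role
  # touches. NOPASSWD means a compromised member account is root with no
  # further prompt, so keep linuxadmins membership tight (or drop NOPASSWD).
  # validate runs visudo on the candidate file before it is written, so a
  # malformed line can never be installed and lock everyone out of sudo.
  # A drop-in under /etc/sudoers.d would be cleaner than editing /etc/sudoers.
  lineinfile:
    path: /etc/sudoers
    regexp: '^%linuxadmins@intra\.tormakris\.dev\s'
    line: "%linuxadmins@intra.tormakris.dev ALL=(ALL) NOPASSWD: ALL"
    state: present
    validate: /usr/sbin/visudo -cf %s
  when: checksudoers.found == 0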
...