add realm and update ci

2023-07-25 14:46:24 +02:00 · 2023-07-25 14:46:24 +02:00 · 0a7746d60c
parent 45020413f2
commit 0a7746d60c
4 changed files with 99 additions and 42 deletions
--- a/.drone.yml
+++ b/.drone.yml
@ -13,42 +13,15 @@ steps:
    - echo "$PWD"
    - echo "$SSH_KEY" > $PWD/id_rsa && chmod 0600 $PWD/id_rsa

- name: check ansible syntax
-  image: plugins/ansible:3
-  settings:
-    playbook: nightly.yaml
-    galaxy: requirements.yaml
-    inventory: inventory.yaml
-    syntax_check: true
-
- name: run playbook in check mode
-  image: plugins/ansible:3
-  environment:
-    ANSIBLE_HOST_KEY_CHECKING: "False"
-    ANSIBLE_PRIVATE_KEY_FILE: "/drone/src/id_rsa"
-    ANSIBLE_CONFIG: "/drone/src/ansible.cfg"
-    ARTIFACTORY_APT_PASSWORD:
-      from_secret: ARTIFACTORY_APT_PASSWORD
-    CLOUDFLARE_TOKEN:
-      from_secret: CLOUDFLARE_TOKEN
-  settings:
-    playbook: nightly.yaml
-    galaxy: requirements.yaml
-    inventory: inventory.yaml
-    check: true
-
 - name: ansible nightly run
-  image: plugins/ansible:3
+  image: alpinelinux/ansible
  environment:
    ANSIBLE_HOST_KEY_CHECKING: "False"
    ANSIBLE_PRIVATE_KEY_FILE: "/drone/src/id_rsa"
    ANSIBLE_CONFIG: "/drone/src/ansible.cfg"
-    ARTIFACTORY_APT_PASSWORD:
-      from_secret: ARTIFACTORY_APT_PASSWORD
    CLOUDFLARE_TOKEN:
      from_secret: CLOUDFLARE_TOKEN
-  settings:
-    playbook: nightly.yaml
-    galaxy: requirements.yaml
-    inventory: inventory.yaml
+  commands:
+    - ansible-galaxy collection install -r requirements.yaml
+    - ansible-playbook -i inventory.yaml nightly.yaml
 ...
--- a/realmd.yaml
+++ b/realmd.yaml
@ -0,0 +1,6 @@
+---
+- name: "Deploy basic webhost with Docker"
+  hosts: all
+  roles:
+    - realmd
+...
--- a/roles/common/tasks/apt.yaml
+++ b/roles/common/tasks/apt.yaml
@ -3,19 +3,9 @@
  ansible.builtin.replace:
    path: /etc/apt/sources.list
    regexp: 'http://hu.archive.ubuntu.com'
-    replace: 'https://tormakris.jfrog.io/artifactory/ubuntu-mirror'
+    replace: 'https://mirror.niif.hu'
    backup: yes

- name: "Get JFrog password from local environment variable"
-  ansible.builtin.set_fact:
-    artifactory_password: "{{ lookup('env', 'ARTIFACTORY_APT_PASSWORD') }}"
-  delegate_to: localhost
-
- name: "Render JFrog credentials configuration"
-  ansible.builtin.template:
-    src: jfrog.conf.template
-    dest: /etc/apt/auth.conf.d/jfrog.conf
-
 - name: "Remove Ubuntu bloatware"
  ansible.builtin.apt: 
    state: absent
--- a/roles/realmd/tasks/main.yaml
+++ b/roles/realmd/tasks/main.yaml
@ -0,0 +1,88 @@
+---
+- name: "Use custom Ubuntu mirror"
+  ansible.builtin.replace:
+    path: /etc/apt/sources.list
+    regexp: 'https://tormakris.jfrog.io/artifactory/ubuntu-mirror'
+    replace: 'https://mirror.niif.hu'
+    backup: yes
+
+- name: "Use custom Ubuntu mirror"
+  ansible.builtin.replace:
+    path: /etc/apt/sources.list
+    regexp: 'http://hu.archive.ubuntu.com'
+    replace: 'https://mirror.niif.hu'
+    backup: yes
+
+- name: "Update machine"
+  ansible.builtin.apt:
+    update_cache: yes
+    upgrade: "yes"
+    autoclean: yes
+    autoremove: yes
+
+- name: "Install realmd and dependencies"
+  ansible.builtin.apt:
+    update_cache: yes
+    state: present
+    name:
+     - realmd
+     - sssd
+     - sssd-tools
+     - libnss-sss
+     - libpam-sss
+     - adcli
+     - samba-common-bin
+     - oddjob
+     - oddjob-mkhomedir
+     - packagekit
+
+- name: "Get join password from local environment variable"
+  ansible.builtin.set_fact:
+    join_passw: "{{ lookup('env', 'JOIN_PASSW') }}"
+  delegate_to: localhost
+
+- name: Join to AD with realmd
+  ansible.builtin.shell:
+    cmd: echo -e {{ join_passw }} | realm join -v -U Administrator intra.tormakris.dev
+
+- name: Enable pam homedir create on first logon
+  ansible.builtin.command:
+    cmd: pam-auth-update --enable mkhomedir
+
+- name: Check if ad_gpo_access_control is disabled
+  ansible.builtin.lineinfile:
+    state: absent
+    path: /etc/sssd/sssd.conf
+    regexp: "^ad_gpo_access_control"
+  check_mode: true
+  changed_when: false
+  register: checkadgpoac
+
+- name: Set ad_gpo_access_control to disabled
+  ansible.builtin.lineinfile:
+    state: present
+    path: /etc/sssd/sssd.conf
+    line: "ad_gpo_access_control = disabled"
+  when: checkadgpoac.found == 0
+
+- name: Check if ad_access_filter is set
+  ansible.builtin.lineinfile:
+    state: absent
+    path: /etc/sssd/sssd.conf
+    regexp: "^ad_access_filter"
+  check_mode: true
+  changed_when: false
+  register: checkadaf
+
+- name: Set ad_gpo_access_control to disabled
+  ansible.builtin.lineinfile:
+    state: present
+    path: /etc/sssd/sssd.conf
+    line: "ad_access_filter = memberOf=CN=LinuxUsers,OU=Service Groups,DC=intra,DC=tormakris,DC=dev"
+  when: checkadaf.found == 0
+
+- name: "Restart sssd"
+  ansible.builtin.service:
+    name: sssd
+    state: restarted
+...