From 0a7746d60c5344e3f0041f7d05eedcd1330e5aac Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Krist=C3=B3f=20Torma?= Date: Tue, 25 Jul 2023 14:46:24 +0200 Subject: [PATCH] add realm and update ci --- .drone.yml | 35 ++------------ realmd.yaml | 6 +++ roles/common/tasks/apt.yaml | 12 +---- roles/realmd/tasks/main.yaml | 88 ++++++++++++++++++++++++++++++++++++ 4 files changed, 99 insertions(+), 42 deletions(-) create mode 100644 realmd.yaml create mode 100644 roles/realmd/tasks/main.yaml diff --git a/.drone.yml b/.drone.yml index 40cf79d..ce70ecf 100644 --- a/.drone.yml +++ b/.drone.yml @@ -13,42 +13,15 @@ steps: - echo "$PWD" - echo "$SSH_KEY" > $PWD/id_rsa && chmod 0600 $PWD/id_rsa -- name: check ansible syntax - image: plugins/ansible:3 - settings: - playbook: nightly.yaml - galaxy: requirements.yaml - inventory: inventory.yaml - syntax_check: true - -- name: run playbook in check mode - image: plugins/ansible:3 - environment: - ANSIBLE_HOST_KEY_CHECKING: "False" - ANSIBLE_PRIVATE_KEY_FILE: "/drone/src/id_rsa" - ANSIBLE_CONFIG: "/drone/src/ansible.cfg" - ARTIFACTORY_APT_PASSWORD: - from_secret: ARTIFACTORY_APT_PASSWORD - CLOUDFLARE_TOKEN: - from_secret: CLOUDFLARE_TOKEN - settings: - playbook: nightly.yaml - galaxy: requirements.yaml - inventory: inventory.yaml - check: true - - name: ansible nightly run - image: plugins/ansible:3 + image: alpinelinux/ansible environment: ANSIBLE_HOST_KEY_CHECKING: "False" ANSIBLE_PRIVATE_KEY_FILE: "/drone/src/id_rsa" ANSIBLE_CONFIG: "/drone/src/ansible.cfg" - ARTIFACTORY_APT_PASSWORD: - from_secret: ARTIFACTORY_APT_PASSWORD CLOUDFLARE_TOKEN: from_secret: CLOUDFLARE_TOKEN - settings: - playbook: nightly.yaml - galaxy: requirements.yaml - inventory: inventory.yaml + commands: + - ansible-galaxy collection install -r requirements.yaml + - ansible-playbook -i inventory.yaml nightly.yaml ... \ No newline at end of file diff --git a/realmd.yaml b/realmd.yaml new file mode 100644 index 0000000..a3165c5 --- /dev/null +++ b/realmd.yaml 
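Review bot: The rewritten `ansible nightly run` step pulls `image: alpinelinux/ansible` with no tag, so every nightly run gets whatever `latest` resolves to that night, and with the `check ansible syntax` and `run playbook in check mode` steps deleted there is no longer any dry run before the playbook is applied to every inventory host. Pin the image, e.g. `image: alpinelinux/ansible:<pinned-tag-or-digest>`, and add `- ansible-playbook -i inventory.yaml nightly.yaml --syntax-check` to `commands:` ahead of the real run so a malformed playbook fails before it touches hosts. The step's `ANSIBLE_HOST_KEY_CHECKING: "False"` is unchanged but is now the only run that reaches the hosts, so a changed host key is never noticed; seeding a `known_hosts` file from the repository would restore that check without breaking the non-interactive run.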
@@ -0,0 +1,6 @@ +--- +- name: "Deploy basic webhost with Docker" + hosts: all + roles: + - realmd +... \ No newline at end of file diff --git a/roles/common/tasks/apt.yaml b/roles/common/tasks/apt.yaml index b0132fc..be8a630 100644 --- a/roles/common/tasks/apt.yaml +++ b/roles/common/tasks/apt.yaml @@ -3,19 +3,9 @@ ansible.builtin.replace: path: /etc/apt/sources.list regexp: 'http://hu.archive.ubuntu.com' - replace: 'https://tormakris.jfrog.io/artifactory/ubuntu-mirror' + replace: 'https://mirror.niif.hu' backup: yes -- name: "Get JFrog password from local environment variable" - ansible.builtin.set_fact: - artifactory_password: "{{ lookup('env', 'ARTIFACTORY_APT_PASSWORD') }}" - delegate_to: localhost - -- name: "Render JFrog credentials configuration" - ansible.builtin.template: - src: jfrog.conf.template - dest: /etc/apt/auth.conf.d/jfrog.conf - - name: "Remove Ubuntu bloatware" ansible.builtin.apt: state: absent diff --git a/roles/realmd/tasks/main.yaml b/roles/realmd/tasks/main.yaml new file mode 100644 index 0000000..ffc3231 --- /dev/null +++ b/roles/realmd/tasks/main.yaml 
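Review bot: The play name `Deploy basic webhost with Docker` is copied from another playbook and does not describe this play, which only applies the `realmd` role; rename it, e.g. `- name: "Join hosts to Active Directory with realmd"`. `hosts: all` means every inventory host is domain-joined by this play; if that is intended, a one-line comment saying so spares the next reader a check, otherwise narrow it to a group.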
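Review bot: Dropping the `Render JFrog credentials configuration` task stops new hosts from receiving `/etc/apt/auth.conf.d/jfrog.conf`, but hosts provisioned by earlier runs keep that file with the Artifactory password in it, and nothing in this change removes it. Add a cleanup task next to the mirror replacement, `- name: "Remove stale JFrog apt credentials"` / `ansible.builtin.file:` / `path: /etc/apt/auth.conf.d/jfrog.conf` with `state: absent`, so the credential does not linger on disk after the mirror is gone. The kept `backup: yes` is a YAML 1.1 boolean spelling; `backup: true` is the unambiguous form. The apt.yaml task list continues on both sides of this hunk.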
@@ -0,0 +1,88 @@ +--- +- name: "Use custom Ubuntu mirror" + ansible.builtin.replace: + path: /etc/apt/sources.list + regexp: 'https://tormakris.jfrog.io/artifactory/ubuntu-mirror' + replace: 'https://mirror.niif.hu' + backup: yes + +- name: "Use custom Ubuntu mirror" + ansible.builtin.replace: + path: /etc/apt/sources.list + regexp: 'http://hu.archive.ubuntu.com' + replace: 'https://mirror.niif.hu' + backup: yes + +- name: "Update machine" + ansible.builtin.apt: + update_cache: yes + upgrade: "yes" + autoclean: yes + autoremove: yes + +- name: "Install realmd and dependencies" + ansible.builtin.apt: + update_cache: yes + state: present + name: + - realmd + - sssd + - sssd-tools + - libnss-sss + - libpam-sss + - adcli + - samba-common-bin + - oddjob + - oddjob-mkhomedir + - packagekit + +- name: "Get join password from local environment variable" + ansible.builtin.set_fact: + join_passw: "{{ lookup('env', 'JOIN_PASSW') }}" + delegate_to: localhost + +- name: Join to AD with realmd + ansible.builtin.shell: + cmd: echo -e {{ join_passw }} | realm join -v -U Administrator intra.tormakris.dev + +- name: Enable pam homedir create on first logon + ansible.builtin.command: + cmd: pam-auth-update --enable mkhomedir + +- name: Check if ad_gpo_access_control is disabled + ansible.builtin.lineinfile: + state: absent + path: /etc/sssd/sssd.conf + regexp: "^ad_gpo_access_control" + check_mode: true + changed_when: false + register: checkadgpoac + +- name: Set ad_gpo_access_control to disabled + ansible.builtin.lineinfile: + state: present + path: /etc/sssd/sssd.conf + line: "ad_gpo_access_control = disabled" + when: checkadgpoac.found == 0 + +- name: Check if ad_access_filter is set + ansible.builtin.lineinfile: + state: absent + path: /etc/sssd/sssd.conf + regexp: "^ad_access_filter" + check_mode: true + changed_when: false + register: checkadaf + +- name: Set ad_gpo_access_control to disabled + ansible.builtin.lineinfile: + state: present + path: /etc/sssd/sssd.conf + line: 
"ad_access_filter = memberOf=CN=LinuxUsers,OU=Service Groups,DC=intra,DC=tormakris,DC=dev" + when: checkadaf.found == 0 + +- name: "Restart sssd" + ansible.builtin.service: + name: sssd + state: restarted +...
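Review bot: The `Join to AD with realmd` task interpolates the join password unquoted into a shell pipeline and runs without `no_log`, so a password containing shell metacharacters breaks or alters the command, the rendered command including the password appears in the task result when it fails, and `realm join` is re-run on every play because nothing checks whether the host is already joined. Pass the secret through the command module's `stdin` instead of `echo -e`, mark both the `set_fact` and the join task `no_log: true`, and gate the join on `realm list` output as below; a dedicated least-privilege join account in place of `Administrator` would also limit what the CI secret can do if it leaks. Two further naming slips: both mirror tasks are called `Use custom Ubuntu mirror`, and the task that sets `ad_access_filter` is still named `Set ad_gpo_access_control to disabled`. Since `ad_gpo_access_control = disabled` turns off GPO-based logon enforcement in sssd and leaves `ad_access_filter` as the only host-side access check, a short comment above that task recording why it is disabled is worth adding.
```yaml
- name: "Get join password from local environment variable"
  ansible.builtin.set_fact:
    join_passw: "{{ lookup('env', 'JOIN_PASSW') }}"
  delegate_to: localhost
  no_log: true

- name: "Check whether the host is already joined to the realm"
  ansible.builtin.command:
    cmd: realm list --name-only
  register: realm_list
  changed_when: false

- name: "Join to AD with realmd"
  ansible.builtin.command:
    cmd: realm join -v -U Administrator intra.tormakris.dev
    stdin: "{{ join_passw }}"
  no_log: true
  when: "'intra.tormakris.dev' not in realm_list.stdout_lines"
# … unchanged: pam-auth-update, sssd.conf lineinfile tasks, sssd restart …
```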