stargate-cluster/vm-ansible
stargate-cluster/vm-ansible
1
0
Fork 0
Code Pull Requests Releases Activity

update everything to be ad compatible
Some checks failed
continuous-integration/drone/push Build is failing
Details

Browse Source
This commit is contained in:
Torma Kristóf 2023-07-25 16:58:19 +02:00
parent ed25955111
commit 8887c47c2c
5 changed files with 13 additions and 85 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
roles/backuphost/tasks/main.yaml
View File

@ -1,3 +1,4 @@
# TODO: Make backup user part of AD
--- ---
- name: "Add backup user" - name: "Add backup user"
ansible.builtin.user: ansible.builtin.user:
@ -5,40 +6,6 @@
comment: Backup user comment: Backup user
shell: /bin/bash shell: /bin/bash
- name: "Dsiable service user"
ansible.builtin.user:
name: service-user
state: present
password_lock: true
shell: "/sbin/nologin"
- name: Undefine AllowUsers
ansible.builtin.lineinfile:
state: absent
path: /etc/ssh/sshd_config
line: "AllowUsers tormakris ansible service-user"
- name: Check if AllowUsers is defined
ansible.builtin.lineinfile:
state: absent
path: /etc/ssh/sshd_config
regexp: "^AllowUsers"
check_mode: true
changed_when: false
register: checkallowusers
- name: Define AllowUsers if undefined
ansible.builtin.lineinfile:
state: present
path: /etc/ssh/sshd_config
line: "AllowUsers tormakris ansible backup"
when: checkallowusers.found == 0
- name: "Restart sshd"
ansible.builtin.service:
name: sshd
state: restarted
- name: Create .ssh directory of backup user - name: Create .ssh directory of backup user
ansible.builtin.file: ansible.builtin.file:
path: /home/backup/.ssh path: /home/backup/.ssh

22
roles/common/tasks/ssh-security-settings.yaml
View File

@ -1,10 +1,4 @@
--- ---
- name: Disable password authentication
ansible.builtin.replace:
path: /etc/ssh/sshd_config
regexp: 'PasswordAuthentication yes'
replace: 'PasswordAuthentication no'
- name: Disable root authentication - name: Disable root authentication
ansible.builtin.replace: ansible.builtin.replace:
path: /etc/ssh/sshd_config path: /etc/ssh/sshd_config
@ -23,22 +17,6 @@
regexp: '#AddressFamily any' regexp: '#AddressFamily any'
replace: 'AddressFamily inet' replace: 'AddressFamily inet'
- name: Check if AllowUsers is defined
ansible.builtin.lineinfile:
state: absent
path: /etc/ssh/sshd_config
regexp: "intra.tormakris.dev"
check_mode: true
changed_when: false
register: checkallowusers
- name: Define AllowUsers if undefined
ansible.builtin.lineinfile:
state: present
path: /etc/ssh/sshd_config
line: "AllowUsers tormakris@intra.tormakris.dev ansible@intra.tormakris.dev service-user@intra.tormakris.dev"
when: checkallowusers.found == 0
- name: "Restart sshd" - name: "Restart sshd"
ansible.builtin.service: ansible.builtin.service:
name: sshd name: sshd

2
roles/common/tasks/user-ops.yaml
View File

@ -1,5 +1,5 @@
--- ---
- name: Create .ssh directory of root user - name: Create .ssh directory of ansible user
ansible.builtin.file: ansible.builtin.file:
path: /home/ansible@intra.tormakris.dev/.ssh path: /home/ansible@intra.tormakris.dev/.ssh
state: directory state: directory

1
roles/docker/tasks/main.yaml
View File

@ -24,7 +24,6 @@
- name: "Add service user to docker group" - name: "Add service user to docker group"
ansible.builtin.user: ansible.builtin.user:
name: service-user@intra.tormakris.dev name: service-user@intra.tormakris.dev
comment: Service user
groups: docker groups: docker
append: yes append: yes

38
roles/realmd/tasks/main.yaml
View File

@ -1,25 +1,4 @@
--- ---
- name: "Use custom Ubuntu mirror"
ansible.builtin.replace:
path: /etc/apt/sources.list
regexp: 'https://tormakris.jfrog.io/artifactory/ubuntu-mirror'
replace: 'https://mirror.niif.hu'
backup: yes
- name: "Use custom Ubuntu mirror"
ansible.builtin.replace:
path: /etc/apt/sources.list
regexp: 'http://hu.archive.ubuntu.com'
replace: 'https://mirror.niif.hu'
backup: yes
- name: "Update machine"
ansible.builtin.apt:
update_cache: yes
upgrade: "yes"
autoclean: yes
autoremove: yes
- name: "Install realmd and dependencies" - name: "Install realmd and dependencies"
ansible.builtin.apt: ansible.builtin.apt:
update_cache: yes update_cache: yes
@ -36,15 +15,25 @@
- oddjob-mkhomedir - oddjob-mkhomedir
- packagekit - packagekit
- name: Check if computer is joined to domain
ansible.builtin.lineinfile:
state: absent
path: /etc/sssd/sssd.conf
line: "^ad_access_filter"
check_mode: true
changed_when: false
register: checkjoined
- name: "Get join password from local environment variable" - name: "Get join password from local environment variable"
ansible.builtin.set_fact: ansible.builtin.set_fact:
join_passw: "{{ lookup('env', 'JOIN_PASSW') }}" join_passw: "{{ lookup('env', 'JOIN_PASSW') }}"
delegate_to: localhost delegate_to: localhost
when: checkjoined.found == 0
- name: Join to AD with realmd - name: Join to AD with realmd
ansible.builtin.shell: ansible.builtin.shell:
cmd: echo {{ join_passw }} | realm join -v -U Administrator intra.tormakris.dev cmd: echo {{ join_passw }} | realm join -v -U Administrator intra.tormakris.dev
ignore_errors: True when: checkjoined.found == 0
- name: Enable pam homedir create on first logon - name: Enable pam homedir create on first logon
ansible.builtin.command: ansible.builtin.command:
@ -102,9 +91,4 @@
path: /etc/sudoers path: /etc/sudoers
line: "%linuxadmins@intra.tormakris.dev ALL=(ALL) NOPASSWD: ALL" line: "%linuxadmins@intra.tormakris.dev ALL=(ALL) NOPASSWD: ALL"
when: checksudoers.found == 0 when: checksudoers.found == 0
- name: "Restart ssh"
ansible.builtin.service:
name: sshd
state: restarted
... ...