update everything to be ad compatible
Some checks failed
continuous-integration/drone/push Build is failing

This commit is contained in:
Torma Kristóf 2023-07-25 16:58:19 +02:00
parent ed25955111
commit 8887c47c2c
5 changed files with 13 additions and 85 deletions

View File

@ -1,3 +1,4 @@
# TODO: Make backup user part of AD
---
- name: "Add backup user"
ansible.builtin.user:
@ -5,40 +6,6 @@
comment: Backup user
shell: /bin/bash
- name: "Dsiable service user"
ansible.builtin.user:
name: service-user
state: present
password_lock: true
shell: "/sbin/nologin"
- name: Undefine AllowUsers
ansible.builtin.lineinfile:
state: absent
path: /etc/ssh/sshd_config
line: "AllowUsers tormakris ansible service-user"
- name: Check if AllowUsers is defined
ansible.builtin.lineinfile:
state: absent
path: /etc/ssh/sshd_config
regexp: "^AllowUsers"
check_mode: true
changed_when: false
register: checkallowusers
- name: Define AllowUsers if undefined
ansible.builtin.lineinfile:
state: present
path: /etc/ssh/sshd_config
line: "AllowUsers tormakris ansible backup"
when: checkallowusers.found == 0
- name: "Restart sshd"
ansible.builtin.service:
name: sshd
state: restarted
- name: Create .ssh directory of backup user
ansible.builtin.file:
path: /home/backup/.ssh

View File

@ -1,10 +1,4 @@
---
- name: Disable password authentication
ansible.builtin.replace:
path: /etc/ssh/sshd_config
regexp: 'PasswordAuthentication yes'
replace: 'PasswordAuthentication no'
- name: Disable root authentication
ansible.builtin.replace:
path: /etc/ssh/sshd_config
@ -23,22 +17,6 @@
regexp: '#AddressFamily any'
replace: 'AddressFamily inet'
- name: Check if AllowUsers is defined
ansible.builtin.lineinfile:
state: absent
path: /etc/ssh/sshd_config
regexp: "intra.tormakris.dev"
check_mode: true
changed_when: false
register: checkallowusers
- name: Define AllowUsers if undefined
ansible.builtin.lineinfile:
state: present
path: /etc/ssh/sshd_config
line: "AllowUsers tormakris@intra.tormakris.dev ansible@intra.tormakris.dev service-user@intra.tormakris.dev"
when: checkallowusers.found == 0
- name: "Restart sshd"
ansible.builtin.service:
name: sshd

View File

@ -1,5 +1,5 @@
---
- name: Create .ssh directory of root user
- name: Create .ssh directory of ansible user
ansible.builtin.file:
path: /home/ansible@intra.tormakris.dev/.ssh
state: directory

View File

@ -24,7 +24,6 @@
- name: "Add service user to docker group"
ansible.builtin.user:
name: service-user@intra.tormakris.dev
comment: Service user
groups: docker
append: yes

View File

@ -1,25 +1,4 @@
---
- name: "Use custom Ubuntu mirror"
ansible.builtin.replace:
path: /etc/apt/sources.list
regexp: 'https://tormakris.jfrog.io/artifactory/ubuntu-mirror'
replace: 'https://mirror.niif.hu'
backup: yes
- name: "Use custom Ubuntu mirror"
ansible.builtin.replace:
path: /etc/apt/sources.list
regexp: 'http://hu.archive.ubuntu.com'
replace: 'https://mirror.niif.hu'
backup: yes
- name: "Update machine"
ansible.builtin.apt:
update_cache: yes
upgrade: "yes"
autoclean: yes
autoremove: yes
- name: "Install realmd and dependencies"
ansible.builtin.apt:
update_cache: yes
@ -36,15 +15,25 @@
- oddjob-mkhomedir
- packagekit
- name: Check if computer is joined to domain
ansible.builtin.lineinfile:
state: absent
path: /etc/sssd/sssd.conf
line: "^ad_access_filter"
check_mode: true
changed_when: false
register: checkjoined
- name: "Get join password from local environment variable"
ansible.builtin.set_fact:
join_passw: "{{ lookup('env', 'JOIN_PASSW') }}"
delegate_to: localhost
when: checkjoined.found == 0
- name: Join to AD with realmd
ansible.builtin.shell:
cmd: echo {{ join_passw }} | realm join -v -U Administrator intra.tormakris.dev
ignore_errors: True
when: checkjoined.found == 0
- name: Enable pam homedir create on first logon
ansible.builtin.command:
@ -102,9 +91,4 @@
path: /etc/sudoers
line: "%linuxadmins@intra.tormakris.dev ALL=(ALL) NOPASSWD: ALL"
when: checksudoers.found == 0
- name: "Restart ssh"
ansible.builtin.service:
name: sshd
state: restarted
...