Merge branch 'master' of git.fsmpi.rwth-aachen.de:infra/ansible

1793f1d7 · Robin Sonnabend · 09114a76 · ce7d939c · 1793f1d7 · 1793f1d7
Commit 1793f1d7 authored May 22, 2017 by Robin Sonnabend
--- a/ad-auth/tasks/sssd.yml
+++ b/ad-auth/tasks/sssd.yml
@@ -9,6 +9,9 @@
    - libnss-sss
    - sssd-tools
    - realmd
+    - policykit-1 # this is required for realm to discover realms...
+    - adcli # this is required for realm to join realms...
+    - packagekit # this is required for realm to i don't know and don't even care anymore...
  notify:
    - clear sssd cache
  tags:
@@ -34,7 +37,7 @@
      expect:
        command: kinit Administrator
        responses:
-          "Password for Administrator@{{ domain.upper() }}": "{{ lookup('passwordstore', 'samba-admin') }}"
+          "Password for Administrator.*": "{{ lookup('passwordstore', 'samba-admin') }}"
      when: debian_version == "stretch"
    - name: leave any other realm
      command: realm leave

--- a/ad-server/tasks/main.yml
+++ b/ad-server/tasks/main.yml
@@ -8,7 +8,7 @@
    - ad-server

 - name: ensure winbind is for some reasons installed
-  apt: name=samba state=latest
+  apt: name=winbind state=latest
  tags: 
    - packages
    - ad-server
@@ -42,7 +42,7 @@
 # TODO: Evaluate if internal DNS-backend is powerful enough for usecase otherwise bind9 is needed

 - name: ensure domain is provisioned
-  shell: samba-tool domain provision --use-rfc2307 --domain={{ smb_domain }} --server-role=dc --host-name={{ ansible_hostname }} --realm={{ REALM }} --dns-backend=None --adminpass={{ adminpass.password }}  2> /root/smb-provision.log
+  shell: samba-tool domain provision --use-rfc2307 --domain={{ smb_domain }} --server-role=dc --host-name={{ ansible_hostname }} --realm={{ REALM }} --dns-backend=NONE --adminpass={{ adminpass.password }}  2> /root/smb-provision.log
  when: domain_provisioned.stat.exists == False
  tags: 
    - ad-server

--- a/ad-server/templates/smb.conf.j2
+++ b/ad-server/templates/smb.conf.j2
@@ -19,6 +19,7 @@
        kdc:renewal lifetime = {{ renewal_lifetime }}

        tls enabled = yes
+        tls cafile = /etc/ssl/certs/rwth_chain.pem
        tls keyfile = {{smb_tls_key}}
        tls certfile = {{smb_tls_cert}}


--- a/nfs-client/files/nfs-common
+++ b/nfs-client/files/nfs-common
+# If you do not set values for the NEED_ options, they will be attempted
+# autodetected; this should be sufficient for most people. Valid alternatives
+# for the NEED_ options are "yes" and "no".
+
+# Do you want to start the statd daemon? It is not needed for NFSv4.
+NEED_STATD=no
+
+# Options for rpc.statd.
+#   Should rpc.statd listen on a specific port? This is especially useful
+#   when you have a port-based firewall. To use a fixed port, set this
+#   this variable to a statd argument like: "--port 4000 --outgoing-port 4001".
+#   For more information, see rpc.statd(8) or http://wiki.debian.org/SecuringNFS
+STATDOPTS=
+
+# Do you want to start the idmapd daemon? It is only needed for NFSv4.
+NEED_IDMAPD=yes
+
+# Do you want to start the gssd daemon? It is required for Kerberos mounts.
+NEED_GSSD=yes
--- a/nfs-client/tasks/main.yml
+++ b/nfs-client/tasks/main.yml
@@ -12,20 +12,29 @@
    - nfs-client
    - packages

-#- name: ensure we use the idmapper
-#  copy: content="N" dest=/sys/module/nfs/parameters/nfs4_disable_idmapping
-#  notify:
-#    - restart nfs-common
-#    - restart autofs
-#  tags:
-#    - nfs-client
-#    - config
-#
-#- name: ensure we use the idmapper after a reboot
-#  copy: src=modprobe-nfs.conf dest=/etc/modprobe.d/nfs.conf owner=root group=root mode=0644
-#  tags:
-#    - nfs-client
-#    - config
+- name: ensure the nfs-common service is configured for nfs4
+  copy: src=nfs-common dest=/etc/default/nfs-common owner=root group=root mode=0644
+  notify:
+    - restart nfs-common
+    - restart autofs
+  tags:
+    - nfs-client
+    - config
+
+- name: ensure we use the idmapper
+  shell: echo "N" > /sys/module/nfs/parameters/nfs4_disable_idmapping
+  notify:
+    - restart nfs-common
+    - restart autofs
+  tags:
+    - nfs-client
+    - config
+
+- name: ensure we use the idmapper after a reboot
+  copy: src=modprobe-nfs.conf dest=/etc/modprobe.d/nfs.conf owner=root group=root mode=0644
+  tags:
+    - nfs-client
+    - config

 - name: ensure the kernel key storage quote used for idmapping is sufficiently high
  sysctl: name=kernel.keys.root_maxkeys state=present value=1000 # default is 200, this quote was reached
@@ -47,6 +56,12 @@
    - sysctl
    - config

+- name: ensure nfs-common is enabled
+  service: name=nfs-common state=running enabled=yes
+  tags:
+    - nfs-client
+    - service
+
 - name: ensure there is a base directory for automount
  file: state=directory path=/net owner=root group=root mode=0755
  notify:

--- a/nfs-server/files/auto.master
+++ b/nfs-server/files/auto.master
-#
-# Sample auto.master file
-# This is an automounter map and it has the following format
-# key [ -mount-options-separated-by-comma ] location
-# For details of the format look at autofs(5).
-#
-#/misc	/etc/auto.misc
-#
-# NOTE: mounts done from a hosts map will be mounted with the
-#	"nosuid" and "nodev" options unless the "suid" and "dev"
-#	options are explicitly given.
-#
-#/net	-hosts
-/net	/etc/auto.nfs
-#
-# Include central master map if it can be found using
-# nsswitch sources.
-#
-# Note that if there are entries for /net or /misc (as
-# above) in the included master map any keys that are the
-# same will not be seen as the first read key seen takes
-# precedence.
-#
-+auto.master
--- a/nfs-server/files/modprobe-nfs.conf
+++ b/nfs-server/files/modprobe-nfs.conf
-options nfs nfs4_disable_idmapping=N
--- a/nfs-server/files/nfs-common
+++ b/nfs-server/files/nfs-common
+# If you do not set values for the NEED_ options, they will be attempted
+# autodetected; this should be sufficient for most people. Valid alternatives
+# for the NEED_ options are "yes" and "no".
+
+# Do you want to start the statd daemon? It is not needed for NFSv4.
+NEED_STATD=
+
+# Options for rpc.statd.
+#   Should rpc.statd listen on a specific port? This is especially useful
+#   when you have a port-based firewall. To use a fixed port, set this
+#   this variable to a statd argument like: "--port 4000 --outgoing-port 4001".
+#   For more information, see rpc.statd(8) or http://wiki.debian.org/SecuringNFS
+STATDOPTS=
+
+# Do you want to start the idmapd daemon? It is only needed for NFSv4.
+NEED_IDMAPD=yes
+
+# Do you want to start the gssd daemon? It is required for Kerberos mounts.
+NEED_GSSD=yes
--- a/nfs-server/files/nfs-kernel-server
+++ b/nfs-server/files/nfs-kernel-server
+# Number of servers to start up
+RPCNFSDCOUNT=8
+
+# Runtime priority of server (see nice(1))
+RPCNFSDPRIORITY=0
+
+# Options for rpc.mountd.
+# If you have a port-based firewall, you might want to set up
+# a fixed port here using the --port option. For more information, 
+# see rpc.mountd(8) or http://wiki.debian.org/SecuringNFS
+# To disable NFSv4 on the server, specify '--no-nfs-version 4' here
+RPCMOUNTDOPTS="--manage-gids"
+
+# Do you want to start the svcgssd daemon? It is only required for Kerberos
+# exports. Valid alternatives are "yes" and "no"; the default is "no".
+NEED_SVCGSSD="yes"
+
+# Options for rpc.svcgssd.
+RPCSVCGSSDOPTS="-vvv"
--- a/nfs-server/handlers/main.yml
+++ b/nfs-server/handlers/main.yml
 ---
-# file: roles/nfs-client/handlers/main.yml
+# file: roles/nfs-server/handlers/main.yml

- name: restart autofs
-  service: name=autofs state=restarted
+- name: restart nfs-server
+  service: name=nfs-server state=restarted

- name: restart nfs-common
-  service: name=nfs-common state=restarted
-
- name: reload sysctl
-  command: sysctl -p
--- a/nfs-server/tasks/main.yml
+++ b/nfs-server/tasks/main.yml
@@ -6,7 +6,7 @@
  with_items:
    - nfs-common
    - nfs-kernel-server
-    - msktutils
+    - msktutil
    - librpcsecgss3
    - libgssrpc4
  tags:
@@ -51,13 +51,13 @@
    - service

 - name: ensure that there is a keytab available
-  file: path=/etc/krb5.keytab state=present
+  file: path=/etc/krb5.keytab state=file
  tags:
    - nfs-server
    - service-principal

 - name: check that we have a valid service principal
-  shell: klist -k /etc/krb5.keytab | grep nfs/{{ ansible_fqdn }}
+  shell: klist -k /etc/krb5.keytab | grep "nfs/{{ ansible_fqdn }}"
  register: principal
  failed_when: False
  tags:
@@ -69,7 +69,7 @@
      shell: samba-tool user list | grep nfs-user
      register: nfsuser
      failed_when: False
-      delegate_to: "{{ authservers[0] }}"
+      delegate_to: "{{ hostvars[groups['ad-server'][0]]['ansible_host'] }}"
      tags:
        - nfs-server
        - service-principal
@@ -77,22 +77,23 @@
    - name: ensure there is a nfs-user account
      command: samba-tool user create nfs-user --random-password
      when: nfsuser.rc == 1
-      delegate_to: "{{ authservers[0] }}"
+      delegate_to: "{{ hostvars[groups['ad-server'][0]]['ansible_host'] }}"
      tags:
        - nfs-server
        - service-principal

    - name: create service principal
-      command: "samba-tool spn add nfs/{{ ansible_fqdn }} nfs-user"
-      delegate_to: "{{ authservers[0] }}"
+      command: samba-tool spn add "nfs/{{ ansible_fqdn }}" nfs-user
+      delegate_to: "{{ hostvars[groups['ad-server'][0]]['ansible_host'] }}"
      tags:
        - nfs-server
        - service-principal

    - name: export keytab
-      command: "samba-tool domain exportkeytab /root/{{ ansible_fqdn }}.keytab --principal nfs/{{ ansible_fqdn }}"
+      command: samba-tool domain exportkeytab "/root/{{ ansible_fqdn }}.keytab" --principal "nfs/{{ ansible_fqdn }}"
+      args:
        creates: "/root/{{ ansible_fqdn }}.keytab"
-      delegate_to: "{{ authservers[0] }}"
+      delegate_to: "{{ hostvars[groups['ad-server'][0]]['ansible_host'] }}"
      tags:
        - nfs-server
        - service-principal
@@ -100,8 +101,8 @@
    - name: copy keytab
      synchronize:
        src: "/root/{{ ansible_fqdn }}.keytab"
-        dest: "{{ ansible_fqdn }}:/root/{{ ansible_fqdn }}.keytab"
-      delegate_to: "{{ authservers[0] }}"
+        dest: "/root/{{ ansible_fqdn }}.keytab"
+      delegate_to: "{{ hostvars[groups['ad-server'][0]]['ansible_host'] }}"
      tags:
        - nfs-server
        - service-principal
@@ -113,14 +114,14 @@
        - service-principal

    - name: merge keytabs
-      - expect:
-          command: ktutil
-          responses:
-            ktutil(.*):
-              - rkt /etc/krb5.keytab
-              - "rkt /root/{{ ansible_fqdn }}.keytab"
-              - wkt /etc/krb5.keytab
-              - exit
+      expect:
+        command: ktutil
+        responses:
+          ktutil(.*):
+            - rkt /etc/krb5.keytab
+            - "rkt /root/{{ ansible_fqdn }}.keytab"
+            - wkt /etc/krb5.keytab
+            - exit
      notify:
        - restart nfs-server
      tags:
@@ -129,7 +130,7 @@

    - name: remove keytab at kdc
      file: path="/root/{{ ansible_fqdn }}.keytab" state=absent
-      delegate_to: "{{ authservers[0] }}"
+      delegate_to: "{{ hostvars[groups['ad-server'][0]]['ansible_host'] }}"
      tags:
        - nfs-server
        - service-principal

--- a/nfs-server/templates/auto.nfs.j2
+++ b/nfs-server/templates/auto.nfs.j2
-{%- for share in nfs_shares %}
-{{ share.netdir }} -{{ share.options }} {{ share.src }}
-{% endfor -%}
--- a/nfs-server/templates/exports.j2
+++ b/nfs-server/templates/exports.j2
+# /etc/exports: the access control list for filesystems which may be exported
+#		to NFS clients.  See exports(5).
+#
+# Example for NFSv2 and NFSv3:
+# /srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
+#
+# Example for NFSv4:
+# /srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
+# /srv/nfs4/homes  gss/krb5i(rw,sync,no_subtree_check)
+#
+
+{%- for export in nfs_exports %}
+{{ export.src }}	{{ export.dest }}({{ export.options }})
+{% endfor -%}
+
+