Skip to content

GitLab

Commit 8e070350 authored by Lars Beckers's avatar Lars Beckers
Browse files

lint yaml files

parent 74b4658d
Hide whitespace changes
Inline Side-by-side
.yamllint 0 → 100644
View file @ 8e070350
---
extends: default
rules:
comments-indentation:
level: warning
document-start:
level: error
empty-lines:
max: 1
empty-values:
forbid-in-flow-mappings: true
forbid-in-block-mappings: true
line-length:
level: warning
octal-values:
forbid-implicit-octal: true
level: warning
ad-auth/tasks/kerberos.yml
View file @ 8e070350
......@@ -2,14 +2,18 @@
# file: roles/ad-auth/tasks/kerberos.yml
- name: ensure kerberos is installed
apt: name=krb5-user state=present
apt:
name: krb5-user
state: present
tags:
- kerberos
- packages
- name: ensure kerberos is configured
template: src=krb5.conf.j2 dest=/etc/krb5.conf owner=root group=root mode=0644
template:
src: krb5.conf.j2
dest: /etc/krb5.conf
owner: root
group: root
mode: '0644'
tags:
- kerberos
- config
ad-auth/tasks/ldap.yml
View file @ 8e070350
......@@ -2,14 +2,18 @@
# file: roles/ad-auth/tasks/ldap.yml
- name: ensure ldap-utils is installed
apt: name=ldap-utils state=present
apt:
name: ldap-utils
state: present
tags:
- ldap
- packages
- name: ensure proper global ldap configuration
template: src=ldap.conf.j2 dest=/etc/ldap/ldap.conf owner=root group=root mode=0644
template:
src: ldap.conf.j2
dest: /etc/ldap/ldap.conf
owner: root
group: root
mode: '0644'
tags:
- ldap
- config
ad-auth/tasks/main.yml
View file @ 8e070350
......@@ -18,8 +18,10 @@
- meta: flush_handlers
- name: ensure there is no local users group
lineinfile: path=/etc/group state=absent regexp="^users:"
lineinfile:
path: /etc/group
state: absent
regexp: "^users:"
tags:
- groups
- config
- ad-auth
ad-auth/tasks/pam.yml
View file @ 8e070350
......@@ -2,9 +2,13 @@
# file: roles/ad-auth/tasks/pam.yml
- name: ensure pam applies a general umask
copy: src=pam/umask dest=/usr/share/pam-configs/umask owner=root group=root mode=0644
copy:
src: pam/umask
dest: /usr/share/pam-configs/umask
owner: root
group: root
mode: '0644'
notify:
- regenerate pam config
tags:
- pam
- config
- pam
ad-auth/tasks/sssd.yml
View file @ 8e070350
......@@ -9,41 +9,60 @@
- libnss-sss
- sssd-tools
- realmd
- policykit-1 # this is required for realm to discover realms...
- adcli # this is required for realm to join realms...
- packagekit # this is required for realm to i don't know and don't even care anymore...
# yamllint disable rule:line-length
- policykit-1 # this is required for realm to discover realms...
- adcli # this is required for realm to join realms...
- packagekit # this is required for realm to i don't know and don't even care anymore...
# yamllint enable rule:line-length
- cracklib-runtime
state: present
install_recommends: no
install_recommends: false
notify:
- clear sssd cache
tags:
- sssd
- packages
- name: check if our realm is configured
shell: realm list | grep "{{ domain }}"
register: current_realms
changed_when: "current_realms.rc != 0"
failed_when: "current_realms.rc != 0 and current_realms.rc != 1"
tags:
- sssd
- block:
- name: discover our realm
command: realm discover -v "{{ domain }}"
tags:
- sssd
- name: get a kerberos ticket
# yamllint disable-line rule:line-length
shell: echo "{{ lookup('passwordstore', ad_admin_password) }}" | kinit Administrator
when: debian_version == "jessie"
no_log: True
no_log: true
tags:
- sssd
- name: ensure pexpect is installed
apt: name=python-pexpect state=present
apt:
name: python-pexpect
state: present
when: debian_version == "stretch"
tags:
- sssd
- name: get a kerberos ticket
expect:
command: kinit Administrator
responses:
# yamllint disable-line rule:line-length
"Passwor(d|t) for Administrator.*": "{{ lookup('passwordstore', ad_admin_password) }}"
when: debian_version == "stretch"
no_log: True
no_log: true
tags:
- sssd
- name: leave any other realm
command: realm leave
register: result
......@@ -51,38 +70,50 @@
retries: 9001
delay: 0
failed_when: "result.rc != 0 and result.rc != 1"
tags:
- sssd
- name: join our realm
command: realm join -v "{{ domain }}"
notify:
- clear sssd cache
- restart sssd
tags:
- sssd
- name: destroy kerberos ticket
command: kdestroy
tags:
- sssd
when: "current_realms.rc != 0"
- name: ensure sssd is configured
template: src=sssd.conf.j2 dest=/etc/sssd/sssd.conf owner=root group=root mode=0600
template:
src: sssd.conf.j2
dest: /etc/sssd/sssd.conf
owner: root
group: root
mode: '0600'
notify:
- restart sssd
- clear sssd cache
tags:
- sssd
- config
- name: ensure sssd is enabled and running
service: name=sssd state=started enabled=yes
service:
name: sssd
state: started
enabled: true
tags:
- sssd
- service
- name: ensure we have a cronjob which renews krb credenitials once a day
template:
src: templates/renew_krb5.j2
dest: /etc/cron.daily/renew_krb5
mode: 0755
mode: '0755'
owner: root
group: root
tags:
- sssd
ad-auth/tasks/sudo.yml
View file @ 8e070350
......@@ -2,10 +2,13 @@
# file: roles/ad-auth/tasks/sudo.yml
- name: ensure users of group admin are in the sudoers
template: src=sudo.j2 dest=/etc/sudoers.d/admin owner=root group=root mode=0440
template:
src: sudo.j2
dest: /etc/sudoers.d/admin
owner: root
group: root
mode: '0440'
notify:
- check sudo config
tags:
- sudo
- config
ad-server-replication/defaults/main.yml 0 → 100644
View file @ 8e070350
---
ad_admin_password: samba-admin
ad-server-replication/handlers/main.yml
View file @ 8e070350
......@@ -3,4 +3,3 @@
- name: restart samba-ad-dc server
service: name=samba-ad-dc state=restarted
ad-server-replication/tasks/kerberos.yml
View file @ 8e070350
......@@ -2,14 +2,18 @@
# file: roles/ad-auth/tasks/kerberos.yml
- name: ensure kerberos is installed
apt: name=krb5-user state=present
apt:
name: krb5-user
state: present
tags:
- kerberos
- packages
- name: ensure kerberos is configured
template: src=krb5.conf.j2 dest=/etc/krb5.conf owner=root group=root mode=0644
template:
src: krb5.conf.j2
dest: /etc/krb5.conf
owner: root
group: root
mode: '0644'
tags:
- kerberos
- config
ad-server-replication/tasks/main.yml
View file @ 8e070350
......@@ -4,109 +4,114 @@
- import_tasks: kerberos.yml
- name: ensure ad-server is installed
apt: name=samba state=latest
tags:
- packages
apt:
name: samba
state: present
tags:
- ad-server
#- name: ensure winbind is for some reasons installed
# apt: name=winbind state=latest
# tags:
# - packages
# - ad-server
- name: figure out if domain is provisioned
stat: path=/var/lib/samba/sysvol/{{ domain }}
stat:
path: "/var/lib/samba/sysvol/{{ domain }}"
register: domain_provisioned
tags:
tags:
- ad-server
- domain-provision
- block:
- name: ensure smb.conf is absent for provision
file: path=/etc/samba/smb.conf state=absent
tags:
- ad-server
- domain-provision
- name: ensure pexpect is installed
apt: name=python-pexpect state=present
tags:
- ad-server
- domain-provision
when: debian_version == "stretch"
- name: ensure domain is provisioned
expect:
shell: samba-tool domain join "{{ domain }}" DC -U"{{ domain }}/Administrator" --dns-backend=NONE --option='idmap_ldb:use rfc2307=yes' 2> /root/provision.log
responses:
"Password for.*": "{{ lookup('passwordstore', 'samba-admin') }}"
no_log: True
tags:
- ad-server
- domain-provision
- name: ensure the idmap library is exported
shell: tdbbackup -s .bak /var/lib/samba/private/idmap.ldb
delegate_to: "{{ ad_primary }}"
tags:
- ad-server
- domain-provision
# when: domain_provisioned.stat.exists == False
- name: ensure the idmap library is copied to secondary
synchronize:
src: /var/lib/samba/private/idmap.ldb.bak
dest: /var/lib/samba/private/idmap.ldb
delegate_to: "{{ ad_primary }}"
tags:
- ad-server
- domain-provision
- name: ensure smb.conf is absent for provision
file:
path: /etc/samba/smb.conf
state: absent
tags:
- ad-server
- domain-provision
- name: ensure pexpect is installed
apt:
name: python-pexpect
state: present
tags:
- ad-server
- domain-provision
when: debian_version == "stretch"
- name: ensure domain is provisioned
expect:
# yamllint disable-line rule:line-length
shell: samba-tool domain join "{{ domain }}" DC -U"{{ domain }}/Administrator" --dns-backend=NONE --option="idmap_ldb:use rfc2307=yes" 2> /root/provision.log
responses:
"Password for.*": "{{ lookup('passwordstore', ad_admin_password) }}"
no_log: true
tags:
- ad-server
- domain-provision
- name: ensure the idmap library is exported
shell: tdbbackup -s .bak /var/lib/samba/private/idmap.ldb
delegate_to: "{{ ad_primary }}"
tags:
- ad-server
- domain-provision
- name: ensure the idmap library is copied to secondary
synchronize:
src: /var/lib/samba/private/idmap.ldb.bak
dest: /var/lib/samba/private/idmap.ldb
delegate_to: "{{ ad_primary }}"
tags:
- ad-server
- domain-provision
when: domain_provisioned.stat.exists == False
#- name: ensure the id library is rted to secondary
# shell: samba-tool ntacl sysvolreset
# tags:
# - ad-server
# - domain-provision
# #when: domain_provisioned.stat.exists == False
- name: ensure smb.conf is correct
template: src=smb.conf.j2 dest=/etc/samba/smb.conf owner=root group=root mode=0644
template:
src: smb.conf.j2
dest: /etc/samba/smb.conf
owner: root
group: root
mode: '0644'
notify: restart samba-ad-dc server
tags:
tags:
- ad-server
- config
- name: ensure smbd is stopped and disabled
service: name=smbd state=stopped enabled=no
tags:
service:
name: smbd
state: stopped
enabled: false
tags:
- ad-server
- service
- name: ensure nmbd is stopped and disabled
service: name=nmbd state=stopped enabled=no
tags:
service:
name: nmbd
state: stopped
enabled: false
tags:
- ad-server
- service
- name: ensure samba-ad-dc unit is running, enabled and not masked
systemd: name=samba-ad-dc masked=no
tags:
systemd:
name: samba-ad-dc
masked: false
state: started
enabled: true
tags:
- ad-server
- service
- name: ensure samba-ad-dc is running and enabled
service: name=samba-ad-dc state=started enabled=yes
tags:
service:
name: samba-ad-dc
state: started
enabled: true
tags:
- ad-server
- service
- name: ensure we have a replication cronjob for sysvol
template: src=templates/replication-cron dest=/etc/cron.d/samba-replication-cron
template:
src: replication-cron
dest: /etc/cron.d/samba-replication-cron
delegate_to: "{{ ad_primary }}"
tags:
- ad-server
......
ad-server/defaults/main.yml 0 → 100644
View file @ 8e070350
---
ad_admin_password: samba-admin
ad-server/handlers/main.yml
View file @ 8e070350
......@@ -3,4 +3,3 @@
- name: restart samba-ad-dc server
service: name=samba-ad-dc state=restarted
ad-server/tasks/main.yml
View file @ 8e070350
......@@ -2,81 +2,88 @@
# file: roles/ad-server/tasks/main.yml
- name: ensure ad-server is installed
apt: name=samba state=latest
tags:
- packages
apt:
name: samba
state: present
tags:
- ad-server
- name: ensure winbind is for some reasons installed
apt: name=winbind state=latest
tags:
- packages
apt:
name: winbind
state: present
tags:
- ad-server
- name: figure out if domain is provisioned
stat: path=/var/lib/samba/sysvol/{{ domain }}
stat:
path: "/var/lib/samba/sysvol/{{ domain }}"
register: domain_provisioned
tags:
tags:
- ad-server
- domain-provision
- name: ensure smb.conf is absent for provision
file: path=/etc/samba/smb.conf state=absent
when: domain_provisioned.stat.exists == False
tags:
- ad-server
- domain-provision
- name: get admin password for SAMBA
local_action: pass name="samba-admin" state=present generate=20 store=FSMPI_PASSWORD_STORE_DIR limit=yes
register: adminpass
file:
path: /etc/samba/smb.conf
state: absent
when: domain_provisioned.stat.exists == False
no_log: True
tags:
- ad-server
- domain-provision
- password
# provision smb-domain. passwords will be selected at random and safed to /root/smb-provision.log)
# passwords will be selected at random and safed to /root/smb-provision.log)
- name: ensure domain is provisioned
shell: samba-tool domain provision --use-rfc2307 --domain={{ smb_domain }} --server-role=dc --host-name={{ ansible_hostname }} --realm={{ REALM }} --dns-backend=NONE --adminpass={{ adminpass.password }} 2> /root/smb-provision.log
# yamllint disable-line rule:line-length
shell: samba-tool domain provision --use-rfc2307 --domain={{ smb_domain }} --server-role=dc --host-name={{ ansible_hostname }} --realm={{ REALM }} --dns-backend=NONE --adminpass={{ lookup('passwordstore', ad_admin_password) }} 2>/root/smb-provision.log
when: domain_provisioned.stat.exists == False
no_log: True
tags:
no_log: true
tags:
- ad-server
- domain-provision
- name: ensure smb.conf is correct
template: src=smb.conf.j2 dest=/etc/samba/smb.conf owner=root group=root mode=0644
template:
src: smb.conf.j2
dest: /etc/samba/smb.conf
owner: root
group: root
mode: '0644'
notify: restart samba-ad-dc server
tags:
tags:
- ad-server
- config
- name: ensure smbd is stopped and disabled
service: name=smbd state=stopped enabled=no
tags:
service:
name: smbd
state: stopped
enabled: false
tags:
- ad-server
- service
- name: ensure nmbd is stopped and disabled
service: name=nmbd state=stopped enabled=no
tags:
service:
name: nmbd
state: stopped
enabled: false
tags:
- ad-server
- service
- name: ensure samba-ad-dc unit is running, enabled and not masked
systemd: name=samba-ad-dc masked=no state=started enabled=yes
tags:
systemd:
name: samba-ad-dc
masked: false
state: started
enabled: true
tags:
- ad-server
- service
- name: ensure samba-ad-dc is running and enabled
service: name=samba-ad-dc state=started enabled=yes
tags:
service:
name: samba-ad-dc
state: started
enabled: true
tags:
- ad-server
- service
- meta: flush_handlers
lvm-snapshots/tasks/main.yml
View file @ 8e070350
......@@ -2,10 +2,14 @@
# file: roles/lvm-snapshots/tasks/main.yml
- name: ensure we have the target folder
file: path="{{program_dir}}" state=directory owner=root group=root mode=0755
file:
path: "{{program_dir}}"
state: directory
owner: root
group: root
mode: '0755'
tags:
- lvm-snapshots
- directory
- name: ensure our deploy key is present
copy:
......@@ -13,11 +17,10 @@
dest: /root/.ssh/lvm-snapshots.key
owner: root
group: root