Commit 8e070350 authored by Lars Beckers's avatar Lars Beckers

lint yaml files

parent 74b4658d
Showing
with 370 additions and 231 deletions
---
extends: default
rules:
comments-indentation:
level: warning
document-start:
level: error
empty-lines:
max: 1
empty-values:
forbid-in-flow-mappings: true
forbid-in-block-mappings: true
line-length:
level: warning
octal-values:
forbid-implicit-octal: true
level: warning
......@@ -2,14 +2,18 @@
# file: roles/ad-auth/tasks/kerberos.yml
- name: ensure kerberos is installed
apt: name=krb5-user state=present
apt:
name: krb5-user
state: present
tags:
- kerberos
- packages
- name: ensure kerberos is configured
template: src=krb5.conf.j2 dest=/etc/krb5.conf owner=root group=root mode=0644
template:
src: krb5.conf.j2
dest: /etc/krb5.conf
owner: root
group: root
mode: '0644'
tags:
- kerberos
- config
......@@ -2,14 +2,18 @@
# file: roles/ad-auth/tasks/ldap.yml
- name: ensure ldap-utils is installed
apt: name=ldap-utils state=present
apt:
name: ldap-utils
state: present
tags:
- ldap
- packages
- name: ensure proper global ldap configuration
template: src=ldap.conf.j2 dest=/etc/ldap/ldap.conf owner=root group=root mode=0644
template:
src: ldap.conf.j2
dest: /etc/ldap/ldap.conf
owner: root
group: root
mode: '0644'
tags:
- ldap
- config
......@@ -18,8 +18,10 @@
- meta: flush_handlers
- name: ensure there is no local users group
lineinfile: path=/etc/group state=absent regexp="^users:"
lineinfile:
path: /etc/group
state: absent
regexp: "^users:"
tags:
- groups
- config
- ad-auth
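Review bot: Removing the `users` group by editing `/etc/group` with `lineinfile` bypasses the account tooling: the matching `users:` entry in `/etc/gshadow` is left behind, and the edit is made without the group/passwd lock that `useradd`/`groupmod` take. The `group` module does this through `groupdel`, which updates both files under the lock: `group:` / `  name: users` / `  state: absent`. `groupdel` refuses if a local account still has `users` as its primary group, which is not the Debian default but is worth verifying on the hosts this role targets. The enclosing task list starts before the hunk (`- meta: flush_handlers` is context).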
......@@ -2,9 +2,13 @@
# file: roles/ad-auth/tasks/pam.yml
- name: ensure pam applies a general umask
copy: src=pam/umask dest=/usr/share/pam-configs/umask owner=root group=root mode=0644
copy:
src: pam/umask
dest: /usr/share/pam-configs/umask
owner: root
group: root
mode: '0644'
notify:
- regenerate pam config
tags:
- pam
- config
......@@ -9,41 +9,60 @@
- libnss-sss
- sssd-tools
- realmd
# yamllint disable rule:line-length
- policykit-1 # this is required for realm to discover realms...
- adcli # this is required for realm to join realms...
- packagekit # this is required for realm to i don't know and don't even care anymore...
# yamllint enable rule:line-length
- cracklib-runtime
state: present
install_recommends: no
install_recommends: false
notify:
- clear sssd cache
tags:
- sssd
- packages
- name: check if our realm is configured
shell: realm list | grep "{{ domain }}"
register: current_realms
changed_when: "current_realms.rc != 0"
failed_when: "current_realms.rc != 0 and current_realms.rc != 1"
tags:
- sssd
- block:
- name: discover our realm
command: realm discover -v "{{ domain }}"
tags:
- sssd
- name: get a kerberos ticket
# yamllint disable-line rule:line-length
shell: echo "{{ lookup('passwordstore', ad_admin_password) }}" | kinit Administrator
when: debian_version == "jessie"
no_log: True
no_log: true
tags:
- sssd
- name: ensure pexpect is installed
apt: name=python-pexpect state=present
apt:
name: python-pexpect
state: present
when: debian_version == "stretch"
tags:
- sssd
- name: get a kerberos ticket
expect:
command: kinit Administrator
responses:
# yamllint disable-line rule:line-length
"Passwor(d|t) for Administrator.*": "{{ lookup('passwordstore', ad_admin_password) }}"
when: debian_version == "stretch"
no_log: True
no_log: true
tags:
- sssd
- name: leave any other realm
command: realm leave
register: result
......@@ -51,38 +70,50 @@
retries: 9001
delay: 0
failed_when: "result.rc != 0 and result.rc != 1"
tags:
- sssd
- name: join our realm
command: realm join -v "{{ domain }}"
notify:
- clear sssd cache
- restart sssd
tags:
- sssd
- name: destroy kerberos ticket
command: kdestroy
tags:
- sssd
when: "current_realms.rc != 0"
- name: ensure sssd is configured
template: src=sssd.conf.j2 dest=/etc/sssd/sssd.conf owner=root group=root mode=0600
template:
src: sssd.conf.j2
dest: /etc/sssd/sssd.conf
owner: root
group: root
mode: '0600'
notify:
- restart sssd
- clear sssd cache
tags:
- sssd
- config
- name: ensure sssd is enabled and running
service: name=sssd state=started enabled=yes
service:
name: sssd
state: started
enabled: true
tags:
- sssd
- service
- name: ensure we have a cronjob which renews krb credenitials once a day
template:
src: templates/renew_krb5.j2
dest: /etc/cron.daily/renew_krb5
mode: 0755
mode: '0755'
owner: root
group: root
tags:
- sssd
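Review bot: The `kdestroy` task at the end of the block only runs when every preceding task succeeds, so a failed `realm join` (or any earlier failure inside the block) leaves the Administrator TGT in the target host's credential cache. Moving the cleanup into an `always:` section of the block makes it unconditional: `always:` / `  - name: destroy kerberos ticket` / `    command: kdestroy`. Separately, the jessie path in the first hunk pipes the password through `echo` in a `shell` task, which places the secret in the argv of the `sh -c` process the module spawns, readable from `/proc/*/cmdline` by any local user for the life of the command even with `no_log: true`. The stretch path's `expect` task avoids that and could serve both releases (the `python-pexpect` install and the `when` conditions would need widening).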
......@@ -2,10 +2,13 @@
# file: roles/ad-auth/tasks/sudo.yml
- name: ensure users of group admin are in the sudoers
template: src=sudo.j2 dest=/etc/sudoers.d/admin owner=root group=root mode=0440
template:
src: sudo.j2
dest: /etc/sudoers.d/admin
owner: root
group: root
mode: '0440'
notify:
- check sudo config
tags:
- sudo
- config
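Review bot: The sudoers fragment is written to `/etc/sudoers.d/admin` before anything checks its syntax — the `check sudo config` handler only runs at the end of the play, and a syntactically invalid file in `sudoers.d` makes sudo reject every rule on the host, including the ones needed to repair it. The template module can validate before the rename: add `validate: /usr/sbin/visudo -cf %s` to the task so a bad render never reaches `/etc/sudoers.d`. The handler can stay as a second line of defence.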
---
ad_admin_password: samba-admin
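Review bot: `ad_admin_password` holds the name of a password-store entry (it is passed to `lookup('passwordstore', ...)` in the task files), not a secret, but the variable name suggests otherwise. A one-line comment stops a reader from treating this file as credential material: `# name of the pass entry holding the AD Administrator password, not the password itself`.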
......@@ -3,4 +3,3 @@
- name: restart samba-ad-dc server
service: name=samba-ad-dc state=restarted
......@@ -2,14 +2,18 @@
# file: roles/ad-auth/tasks/kerberos.yml
- name: ensure kerberos is installed
apt: name=krb5-user state=present
apt:
name: krb5-user
state: present
tags:
- kerberos
- packages
- name: ensure kerberos is configured
template: src=krb5.conf.j2 dest=/etc/krb5.conf owner=root group=root mode=0644
template:
src: krb5.conf.j2
dest: /etc/krb5.conf
owner: root
group: root
mode: '0644'
tags:
- kerberos
- config
......@@ -4,34 +4,33 @@
- import_tasks: kerberos.yml
- name: ensure ad-server is installed
apt: name=samba state=latest
apt:
name: samba
state: present
tags:
- packages
- ad-server
#- name: ensure winbind is for some reasons installed
# apt: name=winbind state=latest
# tags:
# - packages
# - ad-server
- name: figure out if domain is provisioned
stat: path=/var/lib/samba/sysvol/{{ domain }}
stat:
path: "/var/lib/samba/sysvol/{{ domain }}"
register: domain_provisioned
tags:
- ad-server
- domain-provision
- block:
- name: ensure smb.conf is absent for provision
file: path=/etc/samba/smb.conf state=absent
file:
path: /etc/samba/smb.conf
state: absent
tags:
- ad-server
- domain-provision
- name: ensure pexpect is installed
apt: name=python-pexpect state=present
apt:
name: python-pexpect
state: present
tags:
- ad-server
- domain-provision
......@@ -39,10 +38,11 @@
- name: ensure domain is provisioned
expect:
shell: samba-tool domain join "{{ domain }}" DC -U"{{ domain }}/Administrator" --dns-backend=NONE --option='idmap_ldb:use rfc2307=yes' 2> /root/provision.log
# yamllint disable-line rule:line-length
shell: samba-tool domain join "{{ domain }}" DC -U"{{ domain }}/Administrator" --dns-backend=NONE --option="idmap_ldb:use rfc2307=yes" 2> /root/provision.log
responses:
"Password for.*": "{{ lookup('passwordstore', 'samba-admin') }}"
no_log: True
"Password for.*": "{{ lookup('passwordstore', ad_admin_password) }}"
no_log: true
tags:
- ad-server
- domain-provision
......@@ -53,7 +53,6 @@
tags:
- ad-server
- domain-provision
# when: domain_provisioned.stat.exists == False
- name: ensure the idmap library is copied to secondary
synchronize:
......@@ -63,50 +62,56 @@
tags:
- ad-server
- domain-provision
when: domain_provisioned.stat.exists == False
#- name: ensure the id library is rted to secondary
# shell: samba-tool ntacl sysvolreset
# tags:
# - ad-server
# - domain-provision
# #when: domain_provisioned.stat.exists == False
- name: ensure smb.conf is correct
template: src=smb.conf.j2 dest=/etc/samba/smb.conf owner=root group=root mode=0644
template:
src: smb.conf.j2
dest: /etc/samba/smb.conf
owner: root
group: root
mode: '0644'
notify: restart samba-ad-dc server
tags:
- ad-server
- config
- name: ensure smbd is stopped and disabled
service: name=smbd state=stopped enabled=no
service:
name: smbd
state: stopped
enabled: false
tags:
- ad-server
- service
- name: ensure nmbd is stopped and disabled
service: name=nmbd state=stopped enabled=no
service:
name: nmbd
state: stopped
enabled: false
tags:
- ad-server
- service
- name: ensure samba-ad-dc unit is running, enabled and not masked
systemd: name=samba-ad-dc masked=no
systemd:
name: samba-ad-dc
masked: false
state: started
enabled: true
tags:
- ad-server
- service
- name: ensure samba-ad-dc is running and enabled
service: name=samba-ad-dc state=started enabled=yes
service:
name: samba-ad-dc
state: started
enabled: true
tags:
- ad-server
- service
- name: ensure we have a replication cronjob for sysvol
template: src=templates/replication-cron dest=/etc/cron.d/samba-replication-cron
template:
src: replication-cron
dest: /etc/cron.d/samba-replication-cron
delegate_to: "{{ ad_primary }}"
tags:
- ad-server
......
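Review bot: The domain join task in the second hunk gives the `expect` module a `shell:` argument, but as far as the module's documented parameters go it only accepts `command:` and does not run it through a shell, so the task would be rejected as an unsupported parameter and the `2> /root/provision.log` redirect would be passed to samba-tool literally even if it were accepted; this path only runs while the domain is unprovisioned, which may be why it has not surfaced. Using `command: samba-tool domain join ...` and dropping the redirect (or wrapping the whole thing in `/bin/sh -c '...'`) would match the `kinit` expect task in the ad-auth role. In the last hunk, the replication cron template writes `/etc/cron.d/samba-replication-cron` without `owner`/`group`/`mode`, unlike the other file tasks in this role; cron ignores `/etc/cron.d` entries that are not root-owned or are group/other-writable, so pinning `owner: root`, `group: root`, `mode: '0644'` removes the dependency on the remote user's umask.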
---
ad_admin_password: samba-admin
......@@ -3,4 +3,3 @@
- name: restart samba-ad-dc server
service: name=samba-ad-dc state=restarted
......@@ -2,81 +2,88 @@
# file: roles/ad-server/tasks/main.yml
- name: ensure ad-server is installed
apt: name=samba state=latest
apt:
name: samba
state: present
tags:
- packages
- ad-server
- name: ensure winbind is for some reasons installed
apt: name=winbind state=latest
apt:
name: winbind
state: present
tags:
- packages
- ad-server
- name: figure out if domain is provisioned
stat: path=/var/lib/samba/sysvol/{{ domain }}
stat:
path: "/var/lib/samba/sysvol/{{ domain }}"
register: domain_provisioned
tags:
- ad-server
- domain-provision
- name: ensure smb.conf is absent for provision
file: path=/etc/samba/smb.conf state=absent
file:
path: /etc/samba/smb.conf
state: absent
when: domain_provisioned.stat.exists == False
tags:
- ad-server
- domain-provision
- name: get admin password for SAMBA
local_action: pass name="samba-admin" state=present generate=20 store=FSMPI_PASSWORD_STORE_DIR limit=yes
register: adminpass
when: domain_provisioned.stat.exists == False
no_log: True
tags:
- ad-server
- domain-provision
- password
# provision smb-domain. passwords will be selected at random and safed to /root/smb-provision.log)
# passwords will be selected at random and safed to /root/smb-provision.log)
- name: ensure domain is provisioned
shell: samba-tool domain provision --use-rfc2307 --domain={{ smb_domain }} --server-role=dc --host-name={{ ansible_hostname }} --realm={{ REALM }} --dns-backend=NONE --adminpass={{ adminpass.password }} 2> /root/smb-provision.log
# yamllint disable-line rule:line-length
shell: samba-tool domain provision --use-rfc2307 --domain={{ smb_domain }} --server-role=dc --host-name={{ ansible_hostname }} --realm={{ REALM }} --dns-backend=NONE --adminpass={{ lookup('passwordstore', ad_admin_password) }} 2>/root/smb-provision.log
when: domain_provisioned.stat.exists == False
no_log: True
no_log: true
tags:
- ad-server
- domain-provision
- name: ensure smb.conf is correct
template: src=smb.conf.j2 dest=/etc/samba/smb.conf owner=root group=root mode=0644
template:
src: smb.conf.j2
dest: /etc/samba/smb.conf
owner: root
group: root
mode: '0644'
notify: restart samba-ad-dc server
tags:
- ad-server
- config
- name: ensure smbd is stopped and disabled
service: name=smbd state=stopped enabled=no
service:
name: smbd
state: stopped
enabled: false
tags:
- ad-server
- service
- name: ensure nmbd is stopped and disabled
service: name=nmbd state=stopped enabled=no
service:
name: nmbd
state: stopped
enabled: false
tags:
- ad-server
- service
- name: ensure samba-ad-dc unit is running, enabled and not masked
systemd: name=samba-ad-dc masked=no state=started enabled=yes
systemd:
name: samba-ad-dc
masked: false
state: started
enabled: true
tags:
- ad-server
- service
- name: ensure samba-ad-dc is running and enabled
service: name=samba-ad-dc state=started enabled=yes
service:
name: samba-ad-dc
state: started
enabled: true
tags:
- ad-server
- service
- meta: flush_handlers
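Review bot: The provisioning task now passes the domain administrator password on the `samba-tool domain provision` command line via `--adminpass=...`, so it is visible in `ps` / `/proc/<pid>/cmdline` to every local user while the command runs (and in the `sh -c` argv the `shell` module wraps it in); `no_log: true` only keeps it out of Ansible's own output. samba-tool can take the password from a prompt in `--interactive` mode, which could be driven with the `expect` module the way the join task in the secondary role does — worth checking whether that fits this provisioning flow. The comment above the task (`passwords will be selected at random and safed to /root/smb-provision.log`) describes the removed `pass ... generate=20` flow and is now wrong, since the password comes from the password store; I'd replace it with `# admin password is read from the password-store entry named by ad_admin_password; samba-tool's stderr is kept in /root/smb-provision.log`.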
......@@ -2,10 +2,14 @@
# file: roles/lvm-snapshots/tasks/main.yml
- name: ensure we have the target folder
file: path="{{program_dir}}" state=directory owner=root group=root mode=0755
file:
path: "{{program_dir}}"
state: directory
owner: root
group: root
mode: '0755'
tags:
- lvm-snapshots
- directory
- name: ensure our deploy key is present
copy:
......@@ -13,11 +17,10 @@
dest: /root/.ssh/lvm-snapshots.key
owner: root
group: root
mode: 0600
no_log: True
mode: '0600'
no_log: true
tags:
- lvm-snapshots
- ssh
- name: ensure our public deploy key is present
copy:
......@@ -25,11 +28,10 @@
dest: /root/.ssh/lvm-snapshots.pub
owner: root
group: root
mode: 0644
no_log: True
mode: '0644'
no_log: true
tags:
- lvm-snapshots
- ssh
- name: ensure we have our lvm-snapshots ssh config
copy:
......@@ -37,31 +39,26 @@
dest: /root/.ssh/config.lvm-snapshots
owner: root
group: root
mode: 0644
mode: '0644'
tags:
- lvm-snapshots
- ssh
- config
- name: ensure our lvm-snapshots ssh config is included
lineinfile:
dest: /root/.ssh/config
line: "Include config.lvm-snapshots"
create: yes
create: true
owner: root
group: root
mode: 0644
mode: '0644'
tags:
- lvm-snapshots
- ssh
- config
- name: ensure we have the program
git:
repo: git@git.fsmpi.rwth-aachen.de:infra/lvm-snapshots.git
dest: "{{program_dir}}"
tags:
- git
- lvm-snapshots
- name: ensure the necessary programs are installed
......@@ -71,7 +68,6 @@
- virtualenv
state: present
tags:
- packages
- lvm-snapshots
- name: ensure we have a virtualenv
......@@ -80,8 +76,6 @@
virtualenv: "{{program_dir}}"
virtualenv_python: python3
tags:
- pip
- python
- lvm-snapshots
- name: ensure we have a frontend script
......@@ -90,10 +84,9 @@
dest: /usr/local/sbin/lvm-snapshots
owner: root
group: root
mode: 0755
mode: '0755'
tags:
- lvm-snapshots
- config
- name: ensure we have our config
template:
......@@ -101,10 +94,9 @@
dest: /etc/lvm-snapshots.toml
owner: root
group: root
mode: 0644
mode: '0644'
tags:
- lvm-snapshots
- config
- name: ensure we have a cron job
cron:
......@@ -113,4 +105,3 @@
job: "/usr/local/sbin/lvm-snapshots update"
tags:
- lvm-snapshots
- cron
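Review bot: The `git` task clones `git@git.fsmpi.rwth-aachen.de:infra/lvm-snapshots.git` into `{{program_dir}}` without a `version:`; with the module's default `update: yes`, every play run moves root-owned code that the daily cron job executes to whatever the remote default branch currently holds. Pinning `version: <tag or commit>` makes the deployed revision explicit and reviewable, and turns an unintended upstream change into a visible diff rather than a silent rollout. A minor one: `no_log: true` on the public-key copy hides a diff for a file that is not secret; it is only needed on the private key task.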
---
nfs_enable_cifs: False
nfs_enable_quota: False
nfs_enable_cifs: false
nfs_enable_quota: false
......@@ -11,7 +11,6 @@
state: present
tags:
- nfs-client
- packages
- name: ensure cifs client utils are installed
apt:
......@@ -22,35 +21,41 @@
when: nfs_enable_cifs
tags:
- nfs-client
- packages
- name: ensure quota tools are installed
apt: name=quota state=present
apt:
name: quota
state: present
when: nfs_enable_quota
tags:
- nfs-client
- packages
- name: ensure the nfs-client service is configured for nfs4
copy: src=nfs-common dest=/etc/default/nfs-common owner=root group=root mode=0644
copy:
src: nfs-common
dest: /etc/default/nfs-common
owner: root
group: root
mode: '0644'
notify:
- restart nfs-client
- restart autofs
tags:
- nfs-client
- config
- name: ensure nfs module is loaded
modprobe: name=nfs state=present
modprobe:
name: nfs
state: present
tags:
- nfs-client
- config
- name: ensure nfs module is loaded after a reboot
copy: content="nfs" dest=/etc/modules-load.d/nfs.conf
copy:
content: "nfs"
dest: /etc/modules-load.d/nfs.conf
tags:
- nfs-client
- config
- name: ensure we use the idmapper
shell: echo "N" > /sys/module/nfs/parameters/nfs4_disable_idmapping
......@@ -59,74 +64,101 @@
- restart autofs
tags:
- nfs-client
- config
- name: ensure we use the idmapper after a reboot
copy: src=modprobe-nfs.conf dest=/etc/modprobe.d/nfs.conf owner=root group=root mode=0644
copy:
src: modprobe-nfs.conf
dest: /etc/modprobe.d/nfs.conf
owner: root
group: root
mode: '0644'
tags:
- nfs-client
- config
- name: ensure the kernel key storage quote used for idmapping is sufficiently high
sysctl: name=kernel.keys.root_maxkeys state=present value=1000 # default is 200, this quote was reached
- name: ensure the kernel key storage used for idmapping is sufficiently high
sysctl:
name: kernel.keys.root_maxkeys
state: present
value: 1000 # default is 200, this quote was reached
when: debian_version == "jessie"
notify:
- reload sysctl
tags:
- nfs-client
- sysctl
- config
- name: stretch has a reasonable default value for the kernel key storage size
sysctl: name=kernel.keys.root_maxkeys state=absent
sysctl:
name: kernel.keys.root_maxkeys
state: absent
when: debian_version == "stretch"
notify:
- reload sysctl
tags:
- nfs-client
- sysctl
- config
- name: ensure nfs-common is enabled
service: name=nfs-client.target state=started enabled=yes
service:
name: nfs-client.target
state: started
enabled: true
tags:
- nfs-client
- service
- name: Configure automount
when: automount
block:
- name: ensure there is a base directory for automount
file: state=directory path=/net owner=root group=root mode=0755
file:
state: directory
path: /net
owner: root
group: root
mode: '0755'
notify:
- restart autofs
tags:
- nfs-client
- name: ensure automounter is configured
copy: src=auto.master dest=/etc/auto.master owner=root group=root mode=0644
copy:
src: auto.master
dest: /etc/auto.master
owner: root
group: root
mode: '0644'
notify:
- restart autofs
tags:
- nfs-client
- config
- name: ensure mounts from central storage are available
template: src=auto.nfs.j2 dest=/etc/auto.nfs owner=root group=root mode=0644
template:
src: auto.nfs.j2
dest: /etc/auto.nfs
owner: root
group: root
mode: '0644'
notify:
- restart autofs
tags:
- nfs-client
- config
- name: ensure automounter is enabled
service: name=autofs state=started enabled=yes
service:
name: autofs
state: started
enabled: true
tags:
- nfs-client
- service
- name: ensure linking of netdirs
file: src="/net/{{ item.netdir }}" dest="/{{ item.dest }}" state=link force=yes
file:
src: "/net/{{ item.netdir }}"
dest: "/{{ item.dest }}"
state: link
force: true
with_items: "{{ nfs_shares }}"
tags:
- nfs-client
......@@ -138,10 +170,9 @@
service:
name: autofs
state: stopped
enabled: no
enabled: false
tags:
- nfs-client
- service
- name: Ensure mountpoints are directories
file:
......@@ -163,10 +194,14 @@
- nfs-client
- name: configure default umask and other user related stuff
copy: src=login.defs dest=/etc/login.defs owner=root group=root mode=0644
copy:
src: login.defs
dest: /etc/login.defs
owner: root
group: root
mode: '0644'
tags:
- nfs-client
- umask
- config
- meta: flush_handlers
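Review bot: The `modules-load.d` task (`copy: content: "nfs" dest: /etc/modules-load.d/nfs.conf`) writes the file without `owner`/`group`/`mode`, while the neighbouring `modprobe.d` copy pins `root:root 0644`, so the resulting mode depends on the connecting user's umask. Add `owner: root`, `group: root`, `mode: '0644'` for consistency with the rest of the role. The inline comment on the sysctl value still says `this quote was reached` although the task name was corrected; `quota` is meant — `value: 1000  # default is 200; that quota was hit by idmapping keys`.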
......@@ -3,4 +3,3 @@
- name: restart nfs-server
service: name=nfs-server state=restarted
......@@ -12,47 +12,66 @@
state: present
tags:
- nfs-server
- packages
- name: ensure default umask and other user related stuff
copy: src=login.defs dest=/etc/login.defs owner=root group=root mode=0644
copy:
src: login.defs
dest: /etc/login.defs
owner: root
group: root
mode: '0644'
tags:
- nfs-server
- umask
- config
- name: ensure exports configuration is in place
template: src=exports.j2 dest=/etc/exports owner=root group=root mode=0644
template:
src: exports.j2
dest: /etc/exports
owner: root
group: root
mode: '0644'
notify:
- restart nfs-server
tags:
- nfs-server
- config
- name: ensure nfs-common is configured
copy: src=nfs-common dest=/etc/default/nfs-common owner=root group=root mode=0644
copy:
src: nfs-common
dest: /etc/default/nfs-common
owner: root
group: root
mode: '0644'
notify:
- restart nfs-server
tags:
- nfs-server
- config
- name: ensure nfs-kernel-server is configured
copy: src=nfs-kernel-server dest=/etc/default/nfs-kernel-server owner=root group=root mode=0644
copy:
src: nfs-kernel-server
dest: /etc/default/nfs-kernel-server
owner: root
group: root
mode: '0644'
notify:
- restart nfs-server
tags:
- nfs-server
- config
- name: ensure nfs-server is enabled and running
service: name=nfs-server state=started enabled=yes
service:
name: nfs-server
state: started
enabled: true
tags:
- nfs-server
- service
- name: ensure that there is a keytab available
file: path=/etc/krb5.keytab state=file
file:
path: /etc/krb5.keytab
state: file
tags:
- nfs-server
- service-principal
......@@ -61,7 +80,7 @@
- name: check that we have a valid service principal
shell: klist -k /etc/krb5.keytab | grep "nfs/{{ ansible_fqdn }}"
register: principal
failed_when: False
failed_when: false
tags:
- nfs-server
- service-principal
......@@ -69,6 +88,7 @@
- block:
- name: create service principal
# yamllint disable-line rule:line-length
command: samba-tool spn add "nfs/{{ ansible_fqdn }}" "{{ ansible_hostname | upper }}$"
delegate_to: "{{ hostvars[groups['ad-server'][0]]['ansible_host'] }}"
tags:
......@@ -76,6 +96,7 @@
- service-principal
- name: export keytab
# yamllint disable-line rule:line-length
command: samba-tool domain exportkeytab "/root/{{ ansible_fqdn }}.keytab" --principal "nfs/{{ ansible_fqdn }}"
args:
creates: "/root/{{ ansible_fqdn }}.keytab"
......@@ -94,7 +115,9 @@
- service-principal
- name: ensure pexpect is installed
apt: name=python-pexpect state=present
apt:
name: python-pexpect
state: present
tags:
- nfs-server
- service-principal
......@@ -115,14 +138,18 @@
- service-principal
- name: remove keytab at kdc
file: path="/root/{{ ansible_fqdn }}.keytab" state=absent
file:
path: "/root/{{ ansible_fqdn }}.keytab"
state: absent
delegate_to: "{{ hostvars[groups['ad-server'][0]]['ansible_host'] }}"
tags:
- nfs-server
- service-principal
- name: remove keytab at host
file: path="/root/{{ ansible_fqdn }}.keytab" state=absent
file:
path: "/root/{{ ansible_fqdn }}.keytab"
state: absent
tags:
- nfs-server
- service-principal
......
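Review bot: The keytab check `file: path: /etc/krb5.keytab state: file` asserts that the file exists but does not pin its permissions; the keytab holds the host's nfs service key and must not be group/world readable. Adding `owner: root`, `group: root`, `mode: '0600'` to that task enforces this on every run (if the keytab is first installed later in the play — the merge step is in lines not shown — a second `file` task after it would also be needed for the first run). The exported copy under `/root/{{ ansible_fqdn }}.keytab` is removed on both the KDC and the host at the end, which is the right shape for a transient secret.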