Skip to content

GitLab

Commit 8e070350 authored by Lars Beckers's avatar Lars Beckers
Browse files

lint yaml files

parent 74b4658d
Hide whitespace changes
Inline Side-by-side
.yamllint 0 → 100644
View file @ 8e070350
---
extends: default
rules:
comments-indentation:
level: warning
document-start:
level: error
empty-lines:
max: 1
empty-values:
forbid-in-flow-mappings: true
forbid-in-block-mappings: true
line-length:
level: warning
octal-values:
forbid-implicit-octal: true
level: warning
ad-auth/tasks/kerberos.yml
View file @ 8e070350
...@@ -2,14 +2,18 @@ ...@@ -2,14 +2,18 @@
# file: roles/ad-auth/tasks/kerberos.yml # file: roles/ad-auth/tasks/kerberos.yml
- name: ensure kerberos is installed - name: ensure kerberos is installed
apt: name=krb5-user state=present apt:
name: krb5-user
state: present
tags: tags:
- kerberos - kerberos
- packages
- name: ensure kerberos is configured - name: ensure kerberos is configured
template: src=krb5.conf.j2 dest=/etc/krb5.conf owner=root group=root mode=0644 template:
src: krb5.conf.j2
dest: /etc/krb5.conf
owner: root
group: root
mode: '0644'
tags: tags:
- kerberos - kerberos
- config
ad-auth/tasks/ldap.yml
View file @ 8e070350
...@@ -2,14 +2,18 @@ ...@@ -2,14 +2,18 @@
# file: roles/ad-auth/tasks/ldap.yml # file: roles/ad-auth/tasks/ldap.yml
- name: ensure ldap-utils is installed - name: ensure ldap-utils is installed
apt: name=ldap-utils state=present apt:
name: ldap-utils
state: present
tags: tags:
- ldap - ldap
- packages
- name: ensure proper global ldap configuration - name: ensure proper global ldap configuration
template: src=ldap.conf.j2 dest=/etc/ldap/ldap.conf owner=root group=root mode=0644 template:
src: ldap.conf.j2
dest: /etc/ldap/ldap.conf
owner: root
group: root
mode: '0644'
tags: tags:
- ldap - ldap
- config
ad-auth/tasks/main.yml
View file @ 8e070350
...@@ -18,8 +18,10 @@ ...@@ -18,8 +18,10 @@
- meta: flush_handlers - meta: flush_handlers
- name: ensure there is no local users group - name: ensure there is no local users group
lineinfile: path=/etc/group state=absent regexp="^users:" lineinfile:
path: /etc/group
state: absent
regexp: "^users:"
tags: tags:
- groups - groups
- config
- ad-auth - ad-auth
ad-auth/tasks/pam.yml
View file @ 8e070350
...@@ -2,9 +2,13 @@ ...@@ -2,9 +2,13 @@
# file: roles/ad-auth/tasks/pam.yml # file: roles/ad-auth/tasks/pam.yml
- name: ensure pam applies a general umask - name: ensure pam applies a general umask
copy: src=pam/umask dest=/usr/share/pam-configs/umask owner=root group=root mode=0644 copy:
src: pam/umask
dest: /usr/share/pam-configs/umask
owner: root
group: root
mode: '0644'
notify: notify:
- regenerate pam config - regenerate pam config
tags: tags:
- pam - pam
- config
ad-auth/tasks/sssd.yml
View file @ 8e070350
...@@ -9,41 +9,60 @@ ...@@ -9,41 +9,60 @@
- libnss-sss - libnss-sss
- sssd-tools - sssd-tools
- realmd - realmd
- policykit-1 # this is required for realm to discover realms... # yamllint disable rule:line-length
- adcli # this is required for realm to join realms... - policykit-1 # this is required for realm to discover realms...
- packagekit # this is required for realm to i don't know and don't even care anymore... - adcli # this is required for realm to join realms...
- packagekit # this is required for realm to i don't know and don't even care anymore...
# yamllint enable rule:line-length
- cracklib-runtime - cracklib-runtime
state: present state: present
install_recommends: no install_recommends: false
notify: notify:
- clear sssd cache - clear sssd cache
tags: tags:
- sssd - sssd
- packages
- name: check if our realm is configured - name: check if our realm is configured
shell: realm list | grep "{{ domain }}" shell: realm list | grep "{{ domain }}"
register: current_realms register: current_realms
changed_when: "current_realms.rc != 0" changed_when: "current_realms.rc != 0"
failed_when: "current_realms.rc != 0 and current_realms.rc != 1" failed_when: "current_realms.rc != 0 and current_realms.rc != 1"
tags:
- sssd
- block: - block:
- name: discover our realm - name: discover our realm
command: realm discover -v "{{ domain }}" command: realm discover -v "{{ domain }}"
tags:
- sssd
- name: get a kerberos ticket - name: get a kerberos ticket
# yamllint disable-line rule:line-length
shell: echo "{{ lookup('passwordstore', ad_admin_password) }}" | kinit Administrator shell: echo "{{ lookup('passwordstore', ad_admin_password) }}" | kinit Administrator
when: debian_version == "jessie" when: debian_version == "jessie"
no_log: True no_log: true
tags:
- sssd
- name: ensure pexpect is installed - name: ensure pexpect is installed
apt: name=python-pexpect state=present apt:
name: python-pexpect
state: present
when: debian_version == "stretch" when: debian_version == "stretch"
tags:
- sssd
- name: get a kerberos ticket - name: get a kerberos ticket
expect: expect:
command: kinit Administrator command: kinit Administrator
responses: responses:
# yamllint disable-line rule:line-length
"Passwor(d|t) for Administrator.*": "{{ lookup('passwordstore', ad_admin_password) }}" "Passwor(d|t) for Administrator.*": "{{ lookup('passwordstore', ad_admin_password) }}"
when: debian_version == "stretch" when: debian_version == "stretch"
no_log: True no_log: true
tags:
- sssd
- name: leave any other realm - name: leave any other realm
command: realm leave command: realm leave
register: result register: result
...@@ -51,38 +70,50 @@ ...@@ -51,38 +70,50 @@
retries: 9001 retries: 9001
delay: 0 delay: 0
failed_when: "result.rc != 0 and result.rc != 1" failed_when: "result.rc != 0 and result.rc != 1"
tags:
- sssd
- name: join our realm - name: join our realm
command: realm join -v "{{ domain }}" command: realm join -v "{{ domain }}"
notify: notify:
- clear sssd cache - clear sssd cache
- restart sssd - restart sssd
tags:
- sssd
- name: destroy kerberos ticket - name: destroy kerberos ticket
command: kdestroy command: kdestroy
tags:
- sssd
when: "current_realms.rc != 0" when: "current_realms.rc != 0"
- name: ensure sssd is configured - name: ensure sssd is configured
template: src=sssd.conf.j2 dest=/etc/sssd/sssd.conf owner=root group=root mode=0600 template:
src: sssd.conf.j2
dest: /etc/sssd/sssd.conf
owner: root
group: root
mode: '0600'
notify: notify:
- restart sssd - restart sssd
- clear sssd cache - clear sssd cache
tags: tags:
- sssd - sssd
- config
- name: ensure sssd is enabled and running - name: ensure sssd is enabled and running
service: name=sssd state=started enabled=yes service:
name: sssd
state: started
enabled: true
tags: tags:
- sssd - sssd
- service
- name: ensure we have a cronjob which renews krb credenitials once a day - name: ensure we have a cronjob which renews krb credenitials once a day
template: template:
src: templates/renew_krb5.j2 src: templates/renew_krb5.j2
dest: /etc/cron.daily/renew_krb5 dest: /etc/cron.daily/renew_krb5
mode: 0755 mode: '0755'
owner: root owner: root
group: root group: root
tags: tags:
- sssd - sssd
ad-auth/tasks/sudo.yml
View file @ 8e070350
...@@ -2,10 +2,13 @@ ...@@ -2,10 +2,13 @@
# file: roles/ad-auth/tasks/sudo.yml # file: roles/ad-auth/tasks/sudo.yml
- name: ensure users of group admin are in the sudoers - name: ensure users of group admin are in the sudoers
template: src=sudo.j2 dest=/etc/sudoers.d/admin owner=root group=root mode=0440 template:
src: sudo.j2
dest: /etc/sudoers.d/admin
owner: root
group: root
mode: '0440'
notify: notify:
- check sudo config - check sudo config
tags: tags:
- sudo - sudo
- config
ad-server-replication/defaults/main.yml 0 → 100644
View file @ 8e070350
---
ad_admin_password: samba-admin
ad-server-replication/handlers/main.yml
View file @ 8e070350
...@@ -3,4 +3,3 @@ ...@@ -3,4 +3,3 @@
- name: restart samba-ad-dc server - name: restart samba-ad-dc server
service: name=samba-ad-dc state=restarted service: name=samba-ad-dc state=restarted
ad-server-replication/tasks/kerberos.yml
View file @ 8e070350
...@@ -2,14 +2,18 @@ ...@@ -2,14 +2,18 @@
# file: roles/ad-auth/tasks/kerberos.yml # file: roles/ad-auth/tasks/kerberos.yml
- name: ensure kerberos is installed - name: ensure kerberos is installed
apt: name=krb5-user state=present apt:
name: krb5-user
state: present
tags: tags:
- kerberos - kerberos
- packages
- name: ensure kerberos is configured - name: ensure kerberos is configured
template: src=krb5.conf.j2 dest=/etc/krb5.conf owner=root group=root mode=0644 template:
src: krb5.conf.j2
dest: /etc/krb5.conf
owner: root
group: root
mode: '0644'
tags: tags:
- kerberos - kerberos
- config
ad-server-replication/tasks/main.yml
View file @ 8e070350
...@@ -4,109 +4,114 @@ ...@@ -4,109 +4,114 @@
- import_tasks: kerberos.yml - import_tasks: kerberos.yml
- name: ensure ad-server is installed - name: ensure ad-server is installed
apt: name=samba state=latest apt:
tags: name: samba
- packages state: present
tags:
- ad-server - ad-server
#- name: ensure winbind is for some reasons installed
# apt: name=winbind state=latest
# tags:
# - packages
# - ad-server
- name: figure out if domain is provisioned - name: figure out if domain is provisioned
stat: path=/var/lib/samba/sysvol/{{ domain }} stat:
path: "/var/lib/samba/sysvol/{{ domain }}"
register: domain_provisioned register: domain_provisioned
tags: tags:
- ad-server - ad-server
- domain-provision - domain-provision
- block: - block:
- name: ensure smb.conf is absent for provision - name: ensure smb.conf is absent for provision
file: path=/etc/samba/smb.conf state=absent file:
tags: path: /etc/samba/smb.conf
- ad-server state: absent
- domain-provision tags:
- ad-server
- name: ensure pexpect is installed - domain-provision
apt: name=python-pexpect state=present
tags: - name: ensure pexpect is installed
- ad-server apt:
- domain-provision name: python-pexpect
when: debian_version == "stretch" state: present
tags:
- name: ensure domain is provisioned - ad-server
expect: - domain-provision
shell: samba-tool domain join "{{ domain }}" DC -U"{{ domain }}/Administrator" --dns-backend=NONE --option='idmap_ldb:use rfc2307=yes' 2> /root/provision.log when: debian_version == "stretch"
responses:
"Password for.*": "{{ lookup('passwordstore', 'samba-admin') }}" - name: ensure domain is provisioned
no_log: True expect:
tags: # yamllint disable-line rule:line-length
- ad-server shell: samba-tool domain join "{{ domain }}" DC -U"{{ domain }}/Administrator" --dns-backend=NONE --option="idmap_ldb:use rfc2307=yes" 2> /root/provision.log
- domain-provision responses:
"Password for.*": "{{ lookup('passwordstore', ad_admin_password) }}"
- name: ensure the idmap library is exported no_log: true
shell: tdbbackup -s .bak /var/lib/samba/private/idmap.ldb tags:
delegate_to: "{{ ad_primary }}" - ad-server
tags: - domain-provision
- ad-server
- domain-provision - name: ensure the idmap library is exported
# when: domain_provisioned.stat.exists == False shell: tdbbackup -s .bak /var/lib/samba/private/idmap.ldb
delegate_to: "{{ ad_primary }}"
- name: ensure the idmap library is copied to secondary tags:
synchronize: - ad-server
src: /var/lib/samba/private/idmap.ldb.bak - domain-provision
dest: /var/lib/samba/private/idmap.ldb
delegate_to: "{{ ad_primary }}" - name: ensure the idmap library is copied to secondary
tags: synchronize:
- ad-server src: /var/lib/samba/private/idmap.ldb.bak
- domain-provision dest: /var/lib/samba/private/idmap.ldb
delegate_to: "{{ ad_primary }}"
tags:
- ad-server
- domain-provision
when: domain_provisioned.stat.exists == False when: domain_provisioned.stat.exists == False
#- name: ensure the id library is rted to secondary
# shell: samba-tool ntacl sysvolreset
# tags:
# - ad-server
# - domain-provision
# #when: domain_provisioned.stat.exists == False
- name: ensure smb.conf is correct - name: ensure smb.conf is correct
template: src=smb.conf.j2 dest=/etc/samba/smb.conf owner=root group=root mode=0644 template:
src: smb.conf.j2
dest: /etc/samba/smb.conf
owner: root
group: root
mode: '0644'
notify: restart samba-ad-dc server notify: restart samba-ad-dc server
tags: tags:
- ad-server - ad-server
- config
- name: ensure smbd is stopped and disabled - name: ensure smbd is stopped and disabled
service: name=smbd state=stopped enabled=no service:
tags: name: smbd
state: stopped
enabled: false
tags:
- ad-server - ad-server
- service
- name: ensure nmbd is stopped and disabled - name: ensure nmbd is stopped and disabled
service: name=nmbd state=stopped enabled=no service:
tags: name: nmbd
state: stopped
enabled: false
tags:
- ad-server - ad-server
- service
- name: ensure samba-ad-dc unit is running, enabled and not masked - name: ensure samba-ad-dc unit is running, enabled and not masked
systemd: name=samba-ad-dc masked=no systemd:
tags: name: samba-ad-dc
masked: false
state: started
enabled: true
tags:
- ad-server - ad-server
- service
- name: ensure samba-ad-dc is running and enabled - name: ensure samba-ad-dc is running and enabled
service: name=samba-ad-dc state=started enabled=yes service:
tags: name: samba-ad-dc
state: started
enabled: true
tags:
- ad-server - ad-server
- service
- name: ensure we have a replication cronjob for sysvol - name: ensure we have a replication cronjob for sysvol
template: src=templates/replication-cron dest=/etc/cron.d/samba-replication-cron template:
src: replication-cron
dest: /etc/cron.d/samba-replication-cron
delegate_to: "{{ ad_primary }}" delegate_to: "{{ ad_primary }}"
tags: tags:
- ad-server - ad-server
......
ad-server/defaults/main.yml 0 → 100644
View file @ 8e070350
---
ad_admin_password: samba-admin
ad-server/handlers/main.yml
View file @ 8e070350
...@@ -3,4 +3,3 @@ ...@@ -3,4 +3,3 @@
- name: restart samba-ad-dc server - name: restart samba-ad-dc server
service: name=samba-ad-dc state=restarted service: name=samba-ad-dc state=restarted
ad-server/tasks/main.yml
View file @ 8e070350
...@@ -2,81 +2,88 @@ ...@@ -2,81 +2,88 @@
# file: roles/ad-server/tasks/main.yml # file: roles/ad-server/tasks/main.yml
- name: ensure ad-server is installed - name: ensure ad-server is installed
apt: name=samba state=latest apt:
tags: name: samba
- packages state: present
tags:
- ad-server - ad-server
- name: ensure winbind is for some reasons installed - name: ensure winbind is for some reasons installed
apt: name=winbind state=latest apt:
tags: name: winbind
- packages state: present
tags:
- ad-server - ad-server
- name: figure out if domain is provisioned - name: figure out if domain is provisioned
stat: path=/var/lib/samba/sysvol/{{ domain }} stat:
path: "/var/lib/samba/sysvol/{{ domain }}"
register: domain_provisioned register: domain_provisioned
tags: tags:
- ad-server - ad-server
- domain-provision - domain-provision