Commit 8e070350 authored by Lars Beckers's avatar Lars Beckers

lint yaml files

parent 74b4658d
---
extends: default
rules:
comments-indentation:
level: warning
document-start:
level: error
empty-lines:
max: 1
empty-values:
forbid-in-flow-mappings: true
forbid-in-block-mappings: true
line-length:
level: warning
octal-values:
forbid-implicit-octal: true
level: warning
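Review bot: `octal-values` is configured with `forbid-implicit-octal: true` but only at `level: warning`, although quoting file modes is one of the main things this commit does; an unquoted `mode: 0644` slipping back in would be parsed as an integer whose value depends on whether the loader follows YAML 1.1 (octal) or 1.2 (decimal), and a non-strict yamllint run would still pass. Consider `level: error` for that rule, or run yamllint with `--strict` so warnings fail the check. The rendered config shows no indentation here, so the nesting of the rule keys under `rules:` is assumed.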
...@@ -2,14 +2,18 @@ ...@@ -2,14 +2,18 @@
# file: roles/ad-auth/tasks/kerberos.yml # file: roles/ad-auth/tasks/kerberos.yml
- name: ensure kerberos is installed - name: ensure kerberos is installed
apt: name=krb5-user state=present apt:
name: krb5-user
state: present
tags: tags:
- kerberos - kerberos
- packages
- name: ensure kerberos is configured - name: ensure kerberos is configured
template: src=krb5.conf.j2 dest=/etc/krb5.conf owner=root group=root mode=0644 template:
src: krb5.conf.j2
dest: /etc/krb5.conf
owner: root
group: root
mode: '0644'
tags: tags:
- kerberos - kerberos
- config
...@@ -2,14 +2,18 @@ ...@@ -2,14 +2,18 @@
# file: roles/ad-auth/tasks/ldap.yml # file: roles/ad-auth/tasks/ldap.yml
- name: ensure ldap-utils is installed - name: ensure ldap-utils is installed
apt: name=ldap-utils state=present apt:
name: ldap-utils
state: present
tags: tags:
- ldap - ldap
- packages
- name: ensure proper global ldap configuration - name: ensure proper global ldap configuration
template: src=ldap.conf.j2 dest=/etc/ldap/ldap.conf owner=root group=root mode=0644 template:
src: ldap.conf.j2
dest: /etc/ldap/ldap.conf
owner: root
group: root
mode: '0644'
tags: tags:
- ldap - ldap
- config
...@@ -18,8 +18,10 @@ ...@@ -18,8 +18,10 @@
- meta: flush_handlers - meta: flush_handlers
- name: ensure there is no local users group - name: ensure there is no local users group
lineinfile: path=/etc/group state=absent regexp="^users:" lineinfile:
path: /etc/group
state: absent
regexp: "^users:"
tags: tags:
- groups - groups
- config
- ad-auth - ad-auth
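Review bot: Removing the `users` entry by editing `/etc/group` with `lineinfile` leaves the matching `/etc/gshadow` entry in place and skips the locking that `groupdel` performs, so the two files can drift apart. The `group` module does both for you: `group:` / `  name: users` / `  state: absent` replaces the `lineinfile` block with identical intent and no hand-edited password database. The `regexp: "^users:"` itself is fine, as the colon stops it matching longer group names.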
...@@ -2,9 +2,13 @@ ...@@ -2,9 +2,13 @@
# file: roles/ad-auth/tasks/pam.yml # file: roles/ad-auth/tasks/pam.yml
- name: ensure pam applies a general umask - name: ensure pam applies a general umask
copy: src=pam/umask dest=/usr/share/pam-configs/umask owner=root group=root mode=0644 copy:
src: pam/umask
dest: /usr/share/pam-configs/umask
owner: root
group: root
mode: '0644'
notify: notify:
- regenerate pam config - regenerate pam config
tags: tags:
- pam - pam
- config
...@@ -9,41 +9,60 @@ ...@@ -9,41 +9,60 @@
- libnss-sss - libnss-sss
- sssd-tools - sssd-tools
- realmd - realmd
# yamllint disable rule:line-length
- policykit-1 # this is required for realm to discover realms... - policykit-1 # this is required for realm to discover realms...
- adcli # this is required for realm to join realms... - adcli # this is required for realm to join realms...
- packagekit # this is required for realm to i don't know and don't even care anymore... - packagekit # this is required for realm to i don't know and don't even care anymore...
# yamllint enable rule:line-length
- cracklib-runtime - cracklib-runtime
state: present state: present
install_recommends: no install_recommends: false
notify: notify:
- clear sssd cache - clear sssd cache
tags: tags:
- sssd - sssd
- packages
- name: check if our realm is configured - name: check if our realm is configured
shell: realm list | grep "{{ domain }}" shell: realm list | grep "{{ domain }}"
register: current_realms register: current_realms
changed_when: "current_realms.rc != 0" changed_when: "current_realms.rc != 0"
failed_when: "current_realms.rc != 0 and current_realms.rc != 1" failed_when: "current_realms.rc != 0 and current_realms.rc != 1"
tags:
- sssd
- block: - block:
- name: discover our realm - name: discover our realm
command: realm discover -v "{{ domain }}" command: realm discover -v "{{ domain }}"
tags:
- sssd
- name: get a kerberos ticket - name: get a kerberos ticket
# yamllint disable-line rule:line-length
shell: echo "{{ lookup('passwordstore', ad_admin_password) }}" | kinit Administrator shell: echo "{{ lookup('passwordstore', ad_admin_password) }}" | kinit Administrator
when: debian_version == "jessie" when: debian_version == "jessie"
no_log: True no_log: true
tags:
- sssd
- name: ensure pexpect is installed - name: ensure pexpect is installed
apt: name=python-pexpect state=present apt:
name: python-pexpect
state: present
when: debian_version == "stretch" when: debian_version == "stretch"
tags:
- sssd
- name: get a kerberos ticket - name: get a kerberos ticket
expect: expect:
command: kinit Administrator command: kinit Administrator
responses: responses:
# yamllint disable-line rule:line-length
"Passwor(d|t) for Administrator.*": "{{ lookup('passwordstore', ad_admin_password) }}" "Passwor(d|t) for Administrator.*": "{{ lookup('passwordstore', ad_admin_password) }}"
when: debian_version == "stretch" when: debian_version == "stretch"
no_log: True no_log: true
tags:
- sssd
- name: leave any other realm - name: leave any other realm
command: realm leave command: realm leave
register: result register: result
...@@ -51,38 +70,50 @@ ...@@ -51,38 +70,50 @@
retries: 9001 retries: 9001
delay: 0 delay: 0
failed_when: "result.rc != 0 and result.rc != 1" failed_when: "result.rc != 0 and result.rc != 1"
tags:
- sssd
- name: join our realm - name: join our realm
command: realm join -v "{{ domain }}" command: realm join -v "{{ domain }}"
notify: notify:
- clear sssd cache - clear sssd cache
- restart sssd - restart sssd
tags:
- sssd
- name: destroy kerberos ticket - name: destroy kerberos ticket
command: kdestroy command: kdestroy
tags:
- sssd
when: "current_realms.rc != 0" when: "current_realms.rc != 0"
- name: ensure sssd is configured - name: ensure sssd is configured
template: src=sssd.conf.j2 dest=/etc/sssd/sssd.conf owner=root group=root mode=0600 template:
src: sssd.conf.j2
dest: /etc/sssd/sssd.conf
owner: root
group: root
mode: '0600'
notify: notify:
- restart sssd - restart sssd
- clear sssd cache - clear sssd cache
tags: tags:
- sssd - sssd
- config
- name: ensure sssd is enabled and running - name: ensure sssd is enabled and running
service: name=sssd state=started enabled=yes service:
name: sssd
state: started
enabled: true
tags: tags:
- sssd - sssd
- service
- name: ensure we have a cronjob which renews krb credenitials once a day - name: ensure we have a cronjob which renews krb credenitials once a day
template: template:
src: templates/renew_krb5.j2 src: templates/renew_krb5.j2
dest: /etc/cron.daily/renew_krb5 dest: /etc/cron.daily/renew_krb5
mode: 0755 mode: '0755'
owner: root owner: root
group: root group: root
tags: tags:
- sssd - sssd
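Review bot: In the first hunk, the jessie `get a kerberos ticket` task still pipes the looked-up password through `echo` inside `shell`, so the secret is part of the `sh -c` argv on the managed host for the lifetime of the pipeline and is typically visible to other local users via `ps`; `no_log: true` only hides it from Ansible's own output. Since Ansible 2.4 the `command` module accepts `stdin`, so `command: kinit Administrator` with `stdin: "{{ lookup('passwordstore', ad_admin_password) }}"` keeps the password off the command line, matching what the expect-based stretch task already achieves. Separately, `realm list | grep "{{ domain }}"` is an unanchored regex match, so a dot in the domain matches any character; `grep -F` would make it a literal match.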
...@@ -2,10 +2,13 @@ ...@@ -2,10 +2,13 @@
# file: roles/ad-auth/tasks/sudo.yml # file: roles/ad-auth/tasks/sudo.yml
- name: ensure users of group admin are in the sudoers - name: ensure users of group admin are in the sudoers
template: src=sudo.j2 dest=/etc/sudoers.d/admin owner=root group=root mode=0440 template:
src: sudo.j2
dest: /etc/sudoers.d/admin
owner: root
group: root
mode: '0440'
notify: notify:
- check sudo config - check sudo config
tags: tags:
- sudo - sudo
- config
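Review bot: The sudoers drop-in is installed before its syntax is checked: `check sudo config` is a handler, so it runs only at the end of the play, and a bad render sits in `/etc/sudoers.d/admin` until then. The `template` module supports `validate: 'visudo -cf %s'`, which checks the rendered file and refuses to install it on error; adding that line under `template:` closes the window, and the handler can stay as a second check. The `mode: '0440'` and root ownership are what sudo expects.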
---
ad_admin_password: samba-admin
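Review bot: `ad_admin_password` holds the name of the password-store entry (`samba-admin`), not a password — the tasks use it as `lookup('passwordstore', ad_admin_password)` — so the key name reads like a committed secret and invites someone to put a real one there. A comment such as `# name of the entry in the password store (pass), not the password itself`, or a rename to something like `ad_admin_password_entry`, would make that clear; the identical defaults file later in this commit has the same issue.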
...@@ -3,4 +3,3 @@ ...@@ -3,4 +3,3 @@
- name: restart samba-ad-dc server - name: restart samba-ad-dc server
service: name=samba-ad-dc state=restarted service: name=samba-ad-dc state=restarted
...@@ -2,14 +2,18 @@ ...@@ -2,14 +2,18 @@
# file: roles/ad-auth/tasks/kerberos.yml # file: roles/ad-auth/tasks/kerberos.yml
- name: ensure kerberos is installed - name: ensure kerberos is installed
apt: name=krb5-user state=present apt:
name: krb5-user
state: present
tags: tags:
- kerberos - kerberos
- packages
- name: ensure kerberos is configured - name: ensure kerberos is configured
template: src=krb5.conf.j2 dest=/etc/krb5.conf owner=root group=root mode=0644 template:
src: krb5.conf.j2
dest: /etc/krb5.conf
owner: root
group: root
mode: '0644'
tags: tags:
- kerberos - kerberos
- config
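Review bot: This hunk is byte-identical to the earlier `roles/ad-auth/tasks/kerberos.yml` hunk and carries the same `# file: roles/ad-auth/tasks/kerberos.yml` header; if it is a copy living in another role (the `import_tasks: kerberos.yml` in the following section suggests that), the header is stale and should name the real path. Keeping one copy and importing it from the other role, or declaring a role dependency, would avoid the two drifting apart.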
...@@ -4,34 +4,33 @@ ...@@ -4,34 +4,33 @@
- import_tasks: kerberos.yml - import_tasks: kerberos.yml
- name: ensure ad-server is installed - name: ensure ad-server is installed
apt: name=samba state=latest apt:
name: samba
state: present
tags: tags:
- packages
- ad-server - ad-server
#- name: ensure winbind is for some reasons installed
# apt: name=winbind state=latest
# tags:
# - packages
# - ad-server
- name: figure out if domain is provisioned - name: figure out if domain is provisioned
stat: path=/var/lib/samba/sysvol/{{ domain }} stat:
path: "/var/lib/samba/sysvol/{{ domain }}"
register: domain_provisioned register: domain_provisioned
tags: tags:
- ad-server - ad-server
- domain-provision - domain-provision
- block: - block:
- name: ensure smb.conf is absent for provision - name: ensure smb.conf is absent for provision
file: path=/etc/samba/smb.conf state=absent file:
path: /etc/samba/smb.conf
state: absent
tags: tags:
- ad-server - ad-server
- domain-provision - domain-provision
- name: ensure pexpect is installed - name: ensure pexpect is installed
apt: name=python-pexpect state=present apt:
name: python-pexpect
state: present
tags: tags:
- ad-server - ad-server
- domain-provision - domain-provision
...@@ -39,10 +38,11 @@ ...@@ -39,10 +38,11 @@
- name: ensure domain is provisioned - name: ensure domain is provisioned
expect: expect:
shell: samba-tool domain join "{{ domain }}" DC -U"{{ domain }}/Administrator" --dns-backend=NONE --option='idmap_ldb:use rfc2307=yes' 2> /root/provision.log # yamllint disable-line rule:line-length
shell: samba-tool domain join "{{ domain }}" DC -U"{{ domain }}/Administrator" --dns-backend=NONE --option="idmap_ldb:use rfc2307=yes" 2> /root/provision.log
responses: responses:
"Password for.*": "{{ lookup('passwordstore', 'samba-admin') }}" "Password for.*": "{{ lookup('passwordstore', ad_admin_password) }}"
no_log: True no_log: true
tags: tags:
- ad-server - ad-server
- domain-provision - domain-provision
...@@ -53,7 +53,6 @@ ...@@ -53,7 +53,6 @@
tags: tags:
- ad-server - ad-server
- domain-provision - domain-provision
# when: domain_provisioned.stat.exists == False
- name: ensure the idmap library is copied to secondary - name: ensure the idmap library is copied to secondary
synchronize: synchronize:
...@@ -63,50 +62,56 @@ ...@@ -63,50 +62,56 @@
tags: tags:
- ad-server - ad-server
- domain-provision - domain-provision
when: domain_provisioned.stat.exists == False when: domain_provisioned.stat.exists == False
#- name: ensure the id library is rted to secondary
# shell: samba-tool ntacl sysvolreset
# tags:
# - ad-server
# - domain-provision
# #when: domain_provisioned.stat.exists == False
- name: ensure smb.conf is correct - name: ensure smb.conf is correct
template: src=smb.conf.j2 dest=/etc/samba/smb.conf owner=root group=root mode=0644 template:
src: smb.conf.j2
dest: /etc/samba/smb.conf
owner: root
group: root
mode: '0644'
notify: restart samba-ad-dc server notify: restart samba-ad-dc server
tags: tags:
- ad-server - ad-server
- config
- name: ensure smbd is stopped and disabled - name: ensure smbd is stopped and disabled
service: name=smbd state=stopped enabled=no service:
name: smbd
state: stopped
enabled: false
tags: tags:
- ad-server - ad-server
- service
- name: ensure nmbd is stopped and disabled - name: ensure nmbd is stopped and disabled
service: name=nmbd state=stopped enabled=no service:
name: nmbd
state: stopped
enabled: false
tags: tags:
- ad-server - ad-server
- service
- name: ensure samba-ad-dc unit is running, enabled and not masked - name: ensure samba-ad-dc unit is running, enabled and not masked
systemd: name=samba-ad-dc masked=no systemd:
name: samba-ad-dc
masked: false
state: started
enabled: true
tags: tags:
- ad-server - ad-server
- service
- name: ensure samba-ad-dc is running and enabled - name: ensure samba-ad-dc is running and enabled
service: name=samba-ad-dc state=started enabled=yes service:
name: samba-ad-dc
state: started
enabled: true
tags: tags:
- ad-server - ad-server
- service
- name: ensure we have a replication cronjob for sysvol - name: ensure we have a replication cronjob for sysvol
template: src=templates/replication-cron dest=/etc/cron.d/samba-replication-cron template:
src: replication-cron
dest: /etc/cron.d/samba-replication-cron
delegate_to: "{{ ad_primary }}" delegate_to: "{{ ad_primary }}"
tags: tags:
- ad-server - ad-server
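Review bot: With the `systemd` task for `samba-ad-dc` now setting `state: started` and `enabled: true` alongside `masked: false`, the following `service` task `ensure samba-ad-dc is running and enabled` repeats the same work and can be dropped or merged into it. The replication cron template is the only file written in this hunk without explicit ownership and permissions; for consistency with the other templates, and since cron.d drop-ins should not be writable by anyone but root, add `owner: root`, `group: root`, `mode: '0644'` under that `template:`. In the earlier `ensure domain is provisioned` hunk the `shell:` key under `expect:` with a `2> /root/provision.log` redirect was kept; I would confirm the expect module in use accepts `shell` (upstream documents `command`) and that the redirect is honoured, since pexpect does not run the string through a shell.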
---
ad_admin_password: samba-admin
...@@ -3,4 +3,3 @@ ...@@ -3,4 +3,3 @@
- name: restart samba-ad-dc server - name: restart samba-ad-dc server
service: name=samba-ad-dc state=restarted service: name=samba-ad-dc state=restarted
...@@ -2,81 +2,88 @@ ...@@ -2,81 +2,88 @@
# file: roles/ad-server/tasks/main.yml # file: roles/ad-server/tasks/main.yml
- name: ensure ad-server is installed - name: ensure ad-server is installed
apt: name=samba state=latest apt:
name: samba
state: present
tags: tags:
- packages
- ad-server - ad-server
- name: ensure winbind is for some reasons installed - name: ensure winbind is for some reasons installed
apt: name=winbind state=latest apt:
name: winbind
state: present
tags: tags:
- packages
- ad-server - ad-server
- name: figure out if domain is provisioned - name: figure out if domain is provisioned
stat: path=/var/lib/samba/sysvol/{{ domain }} stat:
path: "/var/lib/samba/sysvol/{{ domain }}"
register: domain_provisioned register: domain_provisioned
tags: tags:
- ad-server - ad-server
- domain-provision - domain-provision
- name: ensure smb.conf is absent for provision - name: ensure smb.conf is absent for provision
file: path=/etc/samba/smb.conf state=absent file:
path: /etc/samba/smb.conf
state: absent
when: domain_provisioned.stat.exists == False when: domain_provisioned.stat.exists == False
tags: tags:
- ad-server - ad-server
- domain-provision