Initial commit

.gitignore

@@ -0,0 +1 @@
+.vagrant/

README.md

@@ -0,0 +1,16 @@
+# ansible-gnu-corporate-workstation
+
+ansible-gnu-corporate-workstation is a set of roles that enable Active Directory member role to a GNU/Linux workstation or a server
+
+  - Currently supports Ubuntu 16.04 LTS with Unity, will support other flavors and OS
+  - Supports single command to deploy
+
+
+### Installation
+
+```
+todo
+```
+
+
+

Vagrantfile

@@ -0,0 +1,10 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+Vagrant.configure("2") do |config|
+  config.vm.box = "boxcutter/ubuntu1604-desktop"
+  config.vm.provision "ansible" do |ansible|
+    ansible.verbose = "vv"
+    ansible.playbook = "test.yml"
+  end
+end

hosts

@@ -0,0 +1 @@
+localhost ansible_user=vagrant ansible_password=vagrant ansible_ssh_port=2222

playbook.yml

@@ -0,0 +1,29 @@
+---
+- hosts: all
+  become: yes
+  roles:
+    - common
+    - samba
+    - pam
+    - lightdm
+  vars:
+    - kbdlang: "fr"
+    - kbdmodel: "pc105"
+    - kbdvariant: "latin9"
+    - localelang: "fr_FR"
+    - localelanguage: "fr_FR:"
+    - languagepacks:
+      - language-pack-fr
+      - language-pack-fr-base
+  vars_prompt:
+    - name: "ad_dns_domain"
+      prompt: "Active Directory DNS domain name "
+      private: no
+    - name: "ad_nt_domain"
+      prompt: "NT domain name "
+      private: no
+    - name: "ad_admin_username"
+      prompt: "Admin username "
+      private: no
+    - name: "ad_admin_password"
+      prompt: "Admin password "

provision.sh

@@ -0,0 +1,42 @@
+#!/usr/bin/env bash
+
+prereqs="curl wget ansible"
+remote_file_url="https://github.com/paulbsd/???"
+archive_file="/tmp/???.tar.gz"
+working_directory="/tmp/???"
+
+update()
+{
+  apt-get update
+  apt-get install -y ${prereqs}
+}
+
+fetch_archive()
+{
+  wget -O ${archive_file} ${remote_file_url}
+}
+
+run_playbook()
+{
+  cd $1
+  ansible-playbook playbook.yml
+}
+
+cleanup()
+{
+  rm -rf /tmp/???
+}
+
+echo "Let's update repositories and install ansible"
+update
+
+echo "Let's download archive ..."
+fetch_archive
+
+
+if [[ -f ${archive_file} ]]
+then
+  echo "Let's run "
+  run_playbook ${working_directory}
+  cleanup
+fi

roles/apt/tasks/main.yml

@@ -0,0 +1,5 @@
+- name: Update apt sources
+  apt:
+    update_cache=yes
+    upgrade=yes
+  tags: apt

roles/common/tasks/apt.yml

@@ -0,0 +1,21 @@
+- name: Update apt sources
+  apt:
+    update_cache=yes
+    upgrade=yes
+  tags: apt
+
+- name: Install utils main utils
+  apt: name={{ item }}
+  with_items:
+    - htop
+    - ncdu
+    - tmux
+  tags: prereqs
+
+- name: Install needed language packs
+  apt: name={{ item }}
+  with_items:
+    - language-pack-fr
+    - language-pack-fr-base
+  tags: prereqs
+

roles/common/tasks/keyboard.yml

@@ -0,0 +1,9 @@
+- name: Set keyboard layouts
+  template:
+    src=keyboard.j2
+    dest=/etc/default/keyboard
+    mode=0644
+    owner=root
+    group=root
+  tags: prereqs
+

roles/common/tasks/main.yml

@@ -0,0 +1,8 @@
+- name: Install aptitude
+  command: apt-get install -y aptitude
+
+- name: Include apt updates
+  include: keyboard.yml
+
+- name: Install needed packages
+  include: apt.yml

roles/common/templates/keyboard.j2

@@ -0,0 +1,11 @@
+# KEYBOARD CONFIGURATION FILE
+
+# Consult the keyboard(5) manual page.
+
+XKBMODEL="{{ kbdmodel }}"
+XKBLAYOUT="{{ kbdlang }}"
+XKBVARIANT="{{ kbdvariant }}"
+XKBOPTIONS=""
+
+BACKSPACE="guess"
+

roles/lightdm/handlers/main.yml

@@ -0,0 +1,4 @@
+- name: restart lightdm
+  service:
+    name=lightdm
+    state=restarted

roles/lightdm/tasks/main.yml

@@ -0,0 +1,20 @@
+- name: Set lightdm main configuration file
+  template:
+    src=lightdm.conf.j2
+    dest=/etc/lightdm/lightdm.conf
+    mode=0644
+    owner=root
+    group=root
+  notify: restart lightdm
+  tags: lightdm
+
+- name: Set lightdm users.conf file
+  template:
+    src=users.conf.j2
+    dest=/etc/lightdm/users.conf
+    mode=0644
+    owner=root
+    group=root
+  notify: restart lightdm
+  tags: lightdm
+

roles/lightdm/templates/lightdm.conf.j2

@@ -0,0 +1,6 @@
+[SeatDefaults]
+allow-guest=false
+greeter-hide-users=true
+greeter-show-manual-login=true
+autologin-user=
+

roles/lightdm/templates/users.conf.j2

@@ -0,0 +1,15 @@
+#
+# User accounts configuration
+#
+# NOTE: If you have AccountsService installed on your system, then LightDM will
+# use this instead and these settings will be ignored
+#
+# minimum-uid = Minimum UID required to be shown in greeter
+# hidden-users = Users that are not shown to the user
+# hidden-shells = Shells that indicate a user cannot login
+#
+[UserList]
+minimum-uid=500
+hidden-users=nobody nobody4 noaccess
+hidden-shells=/bin/false /usr/sbin/nologin
+

roles/pam/tasks/main.yml

@@ -0,0 +1,46 @@
+---
+- name: Install common-account
+  template:
+    src=common-account.j2
+    dest=/etc/pam.d/common-account
+    mode=0644
+    owner=root
+    group=root
+  tags: pam
+
+- name: Install common-auth
+  template:
+    src=common-auth.j2
+    dest=/etc/pam.d/common-auth
+    mode=0644
+    owner=root
+    group=root
+  tags: pam
+
+- name: Install common-password
+  template:
+    src=common-password.j2
+    dest=/etc/pam.d/common-password
+    mode=0644
+    owner=root
+    group=root
+  tags: pam
+
+- name: Install common-session
+  template:
+    src=common-session.j2
+    dest=/etc/pam.d/common-session
+    mode=0644
+    owner=root
+    group=root
+  tags: pam
+
+- name: Install common-session-noninteractive
+  template:
+    src=common-session-noninteractive.j2
+    dest=/etc/pam.d/common-session-noninteractive
+    mode=0644
+    owner=root
+    group=root
+  tags: pam
+

roles/pam/templates/common-account.j2

@@ -0,0 +1,26 @@
+#
+# /etc/pam.d/common-account - authorization settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authorization modules that define
+# the central access policy for use on the system.  The default is to
+# only deny service to users whose accounts are expired in /etc/shadow.
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules.  See
+# pam-auth-update(8) for details.
+#
+
+# here are the per-package modules (the "Primary" block)
+account	[success=2 new_authtok_reqd=done default=ignore]	pam_unix.so 
+account	[success=1 new_authtok_reqd=done default=ignore]	pam_winbind.so cached_login
+# here's the fallback if no module succeeds
+account	requisite			pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+account	required			pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+# end of pam-auth-update config

roles/pam/templates/common-auth.j2

@@ -0,0 +1,27 @@
+#
+# /etc/pam.d/common-auth - authentication settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authentication modules that define
+# the central authentication scheme for use on the system
+# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
+# traditional Unix authentication mechanisms.
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules.  See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+auth	[success=2 default=ignore]	pam_unix.so nullok_secure
+auth	[success=1 default=ignore]	pam_winbind.so use_first_pass cached_login krb5_auth krb5_ccache_type=FILE
+# here's the fallback if no module succeeds
+auth	requisite			pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+auth	required			pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+auth	optional			pam_cap.so
+# end of pam-auth-update config

roles/pam/templates/common-password.j2

@@ -0,0 +1,35 @@
+#
+# /etc/pam.d/common-password - password-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define the services to be
+# used to change user passwords.  The default is pam_unix.
+
+# Explanation of pam_unix options:
+#
+# The "sha512" option enables salted SHA512 passwords.  Without this option,
+# the default is Unix crypt.  Prior releases used the option "md5".
+#
+# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
+# login.defs.
+#
+# See the pam_unix manpage for other options.
+
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules.  See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+password	[success=2 default=ignore]	pam_unix.so obscure sha512
+password	[success=1 default=ignore]	pam_winbind.so use_authtok try_first_pass
+# here's the fallback if no module succeeds
+password	requisite			pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+password	required			pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+password	optional	pam_gnome_keyring.so 
+# end of pam-auth-update config

roles/pam/templates/common-session-noninteractive.j2

@@ -0,0 +1,31 @@
+#
+# /etc/pam.d/common-session-noninteractive - session-related modules
+# common to all non-interactive services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of all non-interactive sessions.
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules.  See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+session	[default=1]			pam_permit.so
+# here's the fallback if no module succeeds
+session	requisite			pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+session	required			pam_permit.so
+# The pam_umask module will set the umask according to the system default in
+# /etc/login.defs and user settings, solving the problem of different
+# umask settings with different shells, display managers, remote sessions etc.
+# See "man pam_umask".
+session optional			pam_umask.so
+# and here are more per-package modules (the "Additional" block)
+session	required	pam_unix.so
+session optional  pam_winbind.so
+# end of pam-auth-update config

roles/pam/templates/common-session.j2

@@ -0,0 +1,33 @@
+#
+# /etc/pam.d/common-session - session-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of sessions of *any* kind (both interactive and
+# non-interactive).
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules.  See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+session	[default=1]			pam_permit.so
+# here's the fallback if no module succeeds
+session	requisite			pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+session	required			pam_permit.so
+# The pam_umask module will set the umask according to the system default in
+# /etc/login.defs and user settings, solving the problem of different
+# umask settings with different shells, display managers, remote sessions etc.
+# See "man pam_umask".
+session optional			pam_umask.so
+# and here are more per-package modules (the "Additional" block)
+session	required	pam_unix.so
+session required  pam_mkhomedir.so skel=/etc/skel umask=0022 silent
+session optional  pam_winbind.so
+session	optional	pam_systemd.so
+# end of pam-auth-update config

roles/samba/handlers/main.yml

@@ -0,0 +1,8 @@
+- name: restart samba
+  service:
+    name={{ item }}
+    state=restarted
+  with_items:
+    - smbd
+    - nmbd
+    - winbind

roles/samba/tasks/main.yml

@@ -0,0 +1,62 @@
+- name: Install samba and required tools
+  apt:
+    name={{ item }}
+    state=present
+  with_items:
+    - heimdal-clients
+    - libnss-winbind
+    - libpam-winbind
+    - ntp
+    - ntpdate
+    - samba
+    - winbind
+  tags: samba_install
+
+- name: Install nsswitch passwd config
+  lineinfile:
+    dest=/etc/nsswitch.conf
+    regexp="^passwd:"
+    line="passwd{{ ':' }}   files winbind"
+  notify: restart samba
+  tags: samba_nsswitch
+
+- name: Install nsswitch group config
+  lineinfile:
+    dest=/etc/nsswitch.conf
+    regexp="^group:"
+    line="group{{ ':' }}    files winbind"
+  notify: restart samba
+  tags: samba_nsswitch
+
+- name: Install nsswitch shadow config
+  lineinfile:
+    dest=/etc/nsswitch.conf
+    regexp="^shadow:"
+    line="shadow{{ ':' }}   files winbind"
+  notify: restart samba
+  tags: samba_nsswitch
+
+- name: Install samba configuration
+  template:
+    src=smb.conf.j2
+    dest=/etc/samba/smb.conf
+    mode=0644
+    owner=root
+    group=root
+  notify: restart samba
+  tags: samba_smbconf
+
+- name: Enable samba services
+  service:
+    name={{ item }}
+    enabled=yes
+  with_items:
+    - smbd
+    - nmbd
+    - winbind
+  tags: samba_services
+
+- name: Join domain
+  shell: net ads join -U {{ ad_admin_username }}%{{ ad_admin_password }}
+  notify: restart samba
+  tags: samba_join

roles/samba/templates/smb.conf.j2

@@ -0,0 +1,17 @@
+[global]
+  workgroup = {{ ad_nt_domain }}
+  realm = {{ ad_dns_domain }}
+  security = ADS
+  log file = /var/log/samba/%m
+  max log size = 1024
+  template homedir = /home/%U
+  template shell = /bin/bash
+  winbind separator = /
+  winbind enum users = Yes
+  winbind enum groups = Yes
+  winbind use default domain = Yes
+  winbind offline logon = Yes
+  winbind rpc only = Yes
+  winbind refresh tickets = Yes
+  idmap config * : range = 16777216-33554431
+  idmap config * : backend = tdb

test.yml

@@ -0,0 +1,21 @@
+---
+- hosts: all
+  become: yes
+  roles:
+    - common
+    - samba
+    - pam
+    - lightdm
+  vars:
+    - kbdlang: "fr"
+    - kbdmodel: "pc105"
+    - kbdvariant: "latin9"
+    - localelang: "fr_FR"
+    - localelanguage: "fr_FR:"
+    - languagepacks:
+      - language-pack-fr
+      - language-pack-fr-base
+    - ad_dns_domain: AD.PAULBSD.NET
+    - ad_nt_domain: AD
+    - ad_admin_username: Administrator
+    - ad_admin_password: Password50