commit 29672d6c3edae515e2173fbf2d2da045af006ede
Author: Paul Lecuq
Date: Thu Aug 31 21:22:57 2017 +0200
Initial commit
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..a977916
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.vagrant/
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..4bd4f61
--- /dev/null
+++ b/README.md
@@ -0,0 +1,16 @@
+# ansible-gnu-corporate-workstation
+
+ansible-gnu-corporate-workstation is a set of roles that enable Active Directory member role to a GNU/Linux workstation or a server
+
+ - Currently supports Ubuntu 16.04 LTS with Unity, will support other flavors and OS
+ - Supports single command to deploy
+
+
+### Installation
+
+```
+todo
+```
+
+
+
diff --git a/Vagrantfile b/Vagrantfile
new file mode 100644
index 0000000..3bd3617
--- /dev/null
+++ b/Vagrantfile
@@ -0,0 +1,10 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+Vagrant.configure("2") do |config|
+ config.vm.box = "boxcutter/ubuntu1604-desktop"
+ config.vm.provision "ansible" do |ansible|
+ ansible.verbose = "vv"
+ ansible.playbook = "test.yml"
+ end
+end
diff --git a/hosts b/hosts
new file mode 100644
index 0000000..2a25209
--- /dev/null
+++ b/hosts
@@ -0,0 +1 @@
+localhost ansible_user=vagrant ansible_password=vagrant ansible_ssh_port=2222
diff --git a/playbook.yml b/playbook.yml
new file mode 100644
index 0000000..5b7ec04
--- /dev/null
+++ b/playbook.yml
@@ -0,0 +1,29 @@
+---
+- hosts: all
+ become: yes
+ roles:
+ - common
+ - samba
+ - pam
+ - lightdm
+ vars:
+ - kbdlang: "fr"
+ - kbdmodel: "pc105"
+ - kbdvariant: "latin9"
+ - localelang: "fr_FR"
+ - localelanguage: "fr_FR:"
+ - languagepacks:
+ - language-pack-fr
+ - language-pack-fr-base
+ vars_prompt:
+ - name: "ad_dns_domain"
+ prompt: "Active Directory DNS domain name "
+ private: no
+ - name: "ad_nt_domain"
+ prompt: "NT domain name "
+ private: no
+ - name: "ad_admin_username"
+ prompt: "Admin username "
+ private: no
+ - name: "ad_admin_password"
+ prompt: "Admin password "
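Review bot: The single line of the `hosts` hunk commits an SSH password in clear text (`ansible_password=vagrant`), and the `.gitignore` hunk in the same commit excludes only `.vagrant/`, so it stays in history. These are the Vagrant box defaults, but this file is the template people copy for real hosts; prefer `ansible_ssh_private_key_file` pointing at the key Vagrant generates under `.vagrant/`, or keep connection secrets in an untracked `host_vars` file or an Ansible Vault. The Vagrantfile's ansible provisioner appears to build its own inventory, so this file seems to exist only for manual `ansible-playbook -i hosts` runs, which is worth stating in the README.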
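Review bot: The last `vars_prompt` entry, `ad_admin_password`, has no `private:` line while its three siblings set `private: no` explicitly; Ansible's default is `private: yes` so the input is not echoed, but the asymmetry reads as an oversight, and the value is later interpolated into a shell command by the samba role, so make the intent explicit with `private: yes` and consider `confirm: yes`. Separately, `vars:` is written as a list of single-key mappings; Ansible accepts this form but newer releases deprecate it in favour of a plain mapping (`vars:` followed by `kbdlang: "fr"` and so on). `languagepacks` is defined here but the common role hard-codes the same two package names, so one of the two definitions is dead.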
diff --git a/provision.sh b/provision.sh
new file mode 100755
index 0000000..bd397e1
--- /dev/null
+++ b/provision.sh
@@ -0,0 +1,42 @@
+#!/usr/bin/env bash
+
+prereqs="curl wget ansible"
+remote_file_url="https://github.com/paulbsd/???"
+archive_file="/tmp/???.tar.gz"
+working_directory="/tmp/???"
+
+update()
+{
+ apt-get update
+ apt-get install -y ${prereqs}
+}
+
+fetch_archive()
+{
+ wget -O ${archive_file} ${remote_file_url}
+}
+
+run_playbook()
+{
+ cd $1
+ ansible-playbook playbook.yml
+}
+
+cleanup()
+{
+ rm -rf /tmp/???
+}
+
+echo "Let's update repositories and install ansible"
+update
+
+echo "Let's download archive ..."
+fetch_archive
+
+
+if [[ -f ${archive_file} ]]
+then
+ echo "Let's run "
+ run_playbook ${working_directory}
+ cleanup
+fi
diff --git a/roles/apt/tasks/main.yml b/roles/apt/tasks/main.yml
new file mode 100644
index 0000000..858f6fd
--- /dev/null
+++ b/roles/apt/tasks/main.yml
@@ -0,0 +1,5 @@
+- name: Update apt sources
+ apt:
+ update_cache=yes
+ upgrade=yes
+ tags: apt
diff --git a/roles/common/tasks/apt.yml b/roles/common/tasks/apt.yml
new file mode 100644
index 0000000..b27422d
--- /dev/null
+++ b/roles/common/tasks/apt.yml
@@ -0,0 +1,21 @@
+- name: Update apt sources
+ apt:
+ update_cache=yes
+ upgrade=yes
+ tags: apt
+
+- name: Install utils main utils
+ apt: name={{ item }}
+ with_items:
+ - htop
+ - ncdu
+ - tmux
+ tags: prereqs
+
+- name: Install needed language packs
+ apt: name={{ item }}
+ with_items:
+ - language-pack-fr
+ - language-pack-fr-base
+ tags: prereqs
+
diff --git a/roles/common/tasks/keyboard.yml b/roles/common/tasks/keyboard.yml
new file mode 100644
index 0000000..7c45191
--- /dev/null
+++ b/roles/common/tasks/keyboard.yml
@@ -0,0 +1,9 @@
+- name: Set keyboard layouts
+ template:
+ src=keyboard.j2
+ dest=/etc/default/keyboard
+ mode=0644
+ owner=root
+ group=root
+ tags: prereqs
+
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
new file mode 100644
index 0000000..861490e
--- /dev/null
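Review bot: `cleanup` runs `rm -rf /tmp/???` unquoted, and `???` is a shell glob, so as written it deletes every three-character entry in `/tmp` rather than one placeholder directory; the same glob sits in `archive_file` and `working_directory`, which are passed unquoted to `wget -O` and `cd`. `run_playbook` does `cd $1` without checking the result, so a failed cd runs `ansible-playbook playbook.yml` from whatever the current directory happens to be, and the `[[ -f ${archive_file} ]]` guard is unreliable because `wget -O` creates the output file before the transfer, leaving an empty file on a failed download. The archive is also downloaded but never extracted, and nothing verifies it before the playbook runs as root. The rewrite below fills the names with labelled placeholders, quotes every expansion, fails fast with `set -euo pipefail`, pins a digest, and extracts with `--strip-components=1` on the assumption that this is a GitHub tarball wrapping the repository in one top-level directory.
```shell
#!/usr/bin/env bash
set -euo pipefail

# … unchanged: prereqs / remote_file_url …
archive_file="/tmp/REPLACE_ME.tar.gz"
working_directory="/tmp/REPLACE_ME"
archive_sha256="REPLACE_WITH_EXPECTED_SHA256"   # digest of the archive this script is allowed to run

# … unchanged: update() …

fetch_archive()
{
    wget -O "${archive_file}" "${remote_file_url}"
    # refuse to run anything from an archive that does not match the pinned digest
    echo "${archive_sha256}  ${archive_file}" | sha256sum -c -
    mkdir -p "${working_directory}"
    tar -xzf "${archive_file}" -C "${working_directory}" --strip-components=1
}

run_playbook()
{
    cd "$1"
    ansible-playbook playbook.yml
}

cleanup()
{
    rm -rf "${archive_file}" "${working_directory}"
}

# … unchanged: echo/update/fetch_archive calls and the final if block …
```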
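Review bot: The `apt` role is not listed in the `roles:` of either playbook in this commit, and its only task duplicates the first task of `roles/common/tasks/apt.yml`, so one of the two should go. `upgrade=yes` also performs a full package upgrade on every run, a heavy and non-reproducible side effect for a workstation provisioner; `upgrade=safe`, or gating the upgrade behind a variable, keeps the cache refresh without silently changing installed versions each time.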
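Review bot: The third task of `roles/common/tasks/apt.yml` hard-codes `language-pack-fr` and `language-pack-fr-base` although both playbooks define a `languagepacks` variable with exactly that list; iterate over the variable instead, `with_items: "{{ languagepacks }}"`, so the playbook setting actually takes effect. The first task repeats the sole task of `roles/apt/tasks/main.yml`, and its `upgrade=yes` runs a full upgrade on every play, which belongs behind a variable or tag rather than inside a language-pack task file. The task name `Install utils main utils` would read better as `Install main utils`.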
+++ b/roles/common/tasks/main.yml
@@ -0,0 +1,8 @@
+- name: Install aptitude
+ command: apt-get install -y aptitude
+
+- name: Include apt updates
+ include: keyboard.yml
+
+- name: Install needed packages
+ include: apt.yml
diff --git a/roles/common/templates/keyboard.j2 b/roles/common/templates/keyboard.j2
new file mode 100644
index 0000000..0667a4f
--- /dev/null
+++ b/roles/common/templates/keyboard.j2
@@ -0,0 +1,11 @@
+# KEYBOARD CONFIGURATION FILE
+
+# Consult the keyboard(5) manual page.
+
+XKBMODEL="{{ kbdmodel }}"
+XKBLAYOUT="{{ kbdlang }}"
+XKBVARIANT="{{ kbdvariant }}"
+XKBOPTIONS=""
+
+BACKSPACE="guess"
+
diff --git a/roles/lightdm/handlers/main.yml b/roles/lightdm/handlers/main.yml
new file mode 100644
index 0000000..2b3780d
--- /dev/null
+++ b/roles/lightdm/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: restart lightdm
+ service:
+ name=lightdm
+ state=restarted
diff --git a/roles/lightdm/tasks/main.yml b/roles/lightdm/tasks/main.yml
new file mode 100644
index 0000000..5706e28
--- /dev/null
+++ b/roles/lightdm/tasks/main.yml
@@ -0,0 +1,20 @@
+- name: Set lightdm main configuration file
+ template:
+ src=lightdm.conf.j2
+ dest=/etc/lightdm/lightdm.conf
+ mode=0644
+ owner=root
+ group=root
+ notify: restart lightdm
+ tags: lightdm
+
+- name: Set lightdm users.conf file
+ template:
+ src=users.conf.j2
+ dest=/etc/lightdm/users.conf
+ mode=0644
+ owner=root
+ group=root
+ notify: restart lightdm
+ tags: lightdm
+
diff --git a/roles/lightdm/templates/lightdm.conf.j2 b/roles/lightdm/templates/lightdm.conf.j2
new file mode 100644
index 0000000..1718b24
--- /dev/null
+++ b/roles/lightdm/templates/lightdm.conf.j2
@@ -0,0 +1,6 @@
+[SeatDefaults]
+allow-guest=false
+greeter-hide-users=true
+greeter-show-manual-login=true
+autologin-user=
+
diff --git a/roles/lightdm/templates/users.conf.j2 b/roles/lightdm/templates/users.conf.j2
new file mode 100644
index 0000000..aa2c3fd
--- /dev/null
+++ b/roles/lightdm/templates/users.conf.j2
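Review bot: In `roles/common/tasks/main.yml` the task names and the files they include are swapped: `Include apt updates` includes `keyboard.yml` and `Install needed packages` includes `apt.yml`. The first task runs `command: apt-get install -y aptitude`, which reports `changed` on every run and bypasses the apt module's idempotence; `apt: name=aptitude state=present` does the same job and is a no-op once installed. The include order (keyboard before packages) is probably intentional but deserves a one-line comment, e.g. `# keyboard layout first so the greeter is usable even if package tasks fail`.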
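Review bot: `[SeatDefaults]` in `lightdm.conf.j2` is the legacy section header; newer lightdm releases treat it as a deprecated alias for `[Seat:*]`, so a template meant to outlive Ubuntu 16.04 (the README promises other flavours) should probably use `[Seat:*]`, after confirming the target release accepts it. The hardening choices here, `allow-guest=false`, `greeter-hide-users=true` and the empty `autologin-user=`, are sound and each deserves a short comment so nobody "fixes" them later, e.g. `# no guest session on a domain-joined workstation`.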
@@ -0,0 +1,15 @@
+#
+# User accounts configuration
+#
+# NOTE: If you have AccountsService installed on your system, then LightDM will
+# use this instead and these settings will be ignored
+#
+# minimum-uid = Minimum UID required to be shown in greeter
+# hidden-users = Users that are not shown to the user
+# hidden-shells = Shells that indicate a user cannot login
+#
+[UserList]
+minimum-uid=500
+hidden-users=nobody nobody4 noaccess
+hidden-shells=/bin/false /usr/sbin/nologin
+
diff --git a/roles/pam/tasks/main.yml b/roles/pam/tasks/main.yml
new file mode 100644
index 0000000..0dbbd6f
--- /dev/null
+++ b/roles/pam/tasks/main.yml
@@ -0,0 +1,46 @@
+---
+- name: Install common-account
+ template:
+ src=common-account.j2
+ dest=/etc/pam.d/common-account
+ mode=0644
+ owner=root
+ group=root
+ tags: pam
+
+- name: Install common-auth
+ template:
+ src=common-auth.j2
+ dest=/etc/pam.d/common-auth
+ mode=0644
+ owner=root
+ group=root
+ tags: pam
+
+- name: Install common-password
+ template:
+ src=common-password.j2
+ dest=/etc/pam.d/common-password
+ mode=0644
+ owner=root
+ group=root
+ tags: pam
+
+- name: Install common-session
+ template:
+ src=common-session.j2
+ dest=/etc/pam.d/common-session
+ mode=0644
+ owner=root
+ group=root
+ tags: pam
+
+- name: Install common-session-noninteractive
+ template:
+ src=common-session-noninteractive.j2
+ dest=/etc/pam.d/common-session-noninteractive
+ mode=0644
+ owner=root
+ group=root
+ tags: pam
+
diff --git a/roles/pam/templates/common-account.j2 b/roles/pam/templates/common-account.j2
new file mode 100644
index 0000000..1f12f47
--- /dev/null
+++ b/roles/pam/templates/common-account.j2
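Review bot: As the file's own header states, the `[UserList]` settings in `users.conf.j2` are ignored when AccountsService is installed, and the Ubuntu desktop box this targets normally ships it; the effective control is `greeter-hide-users=true` in `lightdm.conf.j2`, so either drop this template or note in the task that it is only a fallback. If it is kept, `minimum-uid=500` is below the `UID_MIN` of 1000 that Ubuntu's `login.defs` uses for regular users, while domain accounts under the samba template's idmap range start at 16777216, so the threshold only filters system accounts and a comment should say so.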
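Review bot: All five tasks in `roles/pam/tasks/main.yml` overwrite files whose headers say they are managed by `pam-auth-update`; the next package install that ships a PAM profile will regenerate them and silently drop anything that differs from the profile output (the samba role installs `libpam-winbind`, whose post-install step already runs it). Prefer shipping a profile under `/usr/share/pam-configs/` and running `pam-auth-update --package`, or at least add `backup=yes` to each template task so a broken `common-auth` can be restored from a console. None of the five templates contains a Jinja expression, so `copy` would do the same job and make that explicit. A post-play login check belongs in the README, since a mistake in these files locks every user out at once.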
@@ -0,0 +1,26 @@
+#
+# /etc/pam.d/common-account - authorization settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authorization modules that define
+# the central access policy for use on the system. The default is to
+# only deny service to users whose accounts are expired in /etc/shadow.
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
+#
+
+# here are the per-package modules (the "Primary" block)
+account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
+account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so cached_login
+# here's the fallback if no module succeeds
+account requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+account required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+# end of pam-auth-update config
diff --git a/roles/pam/templates/common-auth.j2 b/roles/pam/templates/common-auth.j2
new file mode 100644
index 0000000..b3d0da0
--- /dev/null
+++ b/roles/pam/templates/common-auth.j2
@@ -0,0 +1,27 @@
+#
+# /etc/pam.d/common-auth - authentication settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authentication modules that define
+# the central authentication scheme for use on the system
+# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
+# traditional Unix authentication mechanisms.
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+auth [success=2 default=ignore] pam_unix.so nullok_secure
+auth [success=1 default=ignore] pam_winbind.so use_first_pass cached_login krb5_auth krb5_ccache_type=FILE
+# here's the fallback if no module succeeds
+auth requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+auth required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+auth optional pam_cap.so
+# end of pam-auth-update config
diff --git a/roles/pam/templates/common-password.j2 b/roles/pam/templates/common-password.j2
new file mode 100644
index 0000000..ed312f8
--- /dev/null
+++ b/roles/pam/templates/common-password.j2
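Review bot: `pam_unix.so nullok_secure` on the first `auth` line keeps Ubuntu's default of letting accounts with an empty password log in from the ttys listed in `/etc/securetty`; on a domain-joined corporate workstation that exception is rarely wanted, so consider dropping the option and, either way, add a comment recording the decision. The winbind line's `cached_login` only works together with `winbind offline logon = Yes` in the samba template, a cross-role dependency that is invisible from this file; a comment such as `# cached_login needs 'winbind offline logon = Yes' in smb.conf` would keep the two from drifting apart.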
@@ -0,0 +1,35 @@
+#
+# /etc/pam.d/common-password - password-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define the services to be
+# used to change user passwords. The default is pam_unix.
+
+# Explanation of pam_unix options:
+#
+# The "sha512" option enables salted SHA512 passwords. Without this option,
+# the default is Unix crypt. Prior releases used the option "md5".
+#
+# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
+# login.defs.
+#
+# See the pam_unix manpage for other options.
+
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+password [success=2 default=ignore] pam_unix.so obscure sha512
+password [success=1 default=ignore] pam_winbind.so use_authtok try_first_pass
+# here's the fallback if no module succeeds
+password requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+password required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+password optional pam_gnome_keyring.so
+# end of pam-auth-update config
diff --git a/roles/pam/templates/common-session-noninteractive.j2 b/roles/pam/templates/common-session-noninteractive.j2
new file mode 100644
index 0000000..e4bdfb3
--- /dev/null
+++ b/roles/pam/templates/common-session-noninteractive.j2
@@ -0,0 +1,31 @@
+#
+# /etc/pam.d/common-session-noninteractive - session-related modules
+# common to all non-interactive services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of all non-interactive sessions.
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+session [default=1] pam_permit.so
+# here's the fallback if no module succeeds
+session requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+session required pam_permit.so
+# The pam_umask module will set the umask according to the system default in
+# /etc/login.defs and user settings, solving the problem of different
+# umask settings with different shells, display managers, remote sessions etc.
+# See "man pam_umask".
+session optional pam_umask.so
+# and here are more per-package modules (the "Additional" block)
+session required pam_unix.so
+session optional pam_winbind.so
+# end of pam-auth-update config
diff --git a/roles/pam/templates/common-session.j2 b/roles/pam/templates/common-session.j2
new file mode 100644
index 0000000..525c3ae
--- /dev/null
+++ b/roles/pam/templates/common-session.j2
@@ -0,0 +1,33 @@
+#
+# /etc/pam.d/common-session - session-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of sessions of *any* kind (both interactive and
+# non-interactive).
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+session [default=1] pam_permit.so
+# here's the fallback if no module succeeds
+session requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+session required pam_permit.so
+# The pam_umask module will set the umask according to the system default in
+# /etc/login.defs and user settings, solving the problem of different
+# umask settings with different shells, display managers, remote sessions etc.
+# See "man pam_umask".
+session optional pam_umask.so
+# and here are more per-package modules (the "Additional" block)
+session required pam_unix.so
+session required pam_mkhomedir.so skel=/etc/skel umask=0022 silent
+session optional pam_winbind.so
+session optional pam_systemd.so
+# end of pam-auth-update config
diff --git a/roles/samba/handlers/main.yml b/roles/samba/handlers/main.yml
new file mode 100644
index 0000000..0652db6
--- /dev/null
+++ b/roles/samba/handlers/main.yml
@@ -0,0 +1,8 @@
+- name: restart samba
+ service:
+ name={{ item }}
+ state=restarted
+ with_items:
+ - smbd
+ - nmbd
+ - winbind
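Review bot: `session required pam_mkhomedir.so skel=/etc/skel umask=0022 silent` creates every domain user's home directory world-readable (mode 0755); on a shared corporate workstation `umask=0077` is the usual choice, and the value should agree with whatever `pam_umask.so` and `login.defs` set for the session itself. `required` also means that a failure to create the home directory (a full or read-only `/home`, for instance) blocks the login entirely; that is a reasonable trade-off but deserves a comment stating it, since this file is otherwise the verbatim `pam-auth-update` output and the one added line is easy to miss.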
diff --git a/roles/samba/tasks/.main.yml.swp b/roles/samba/tasks/.main.yml.swp
new file mode 100644
index 0000000..406c5e8
Binary files /dev/null and b/roles/samba/tasks/.main.yml.swp differ
diff --git a/roles/samba/tasks/main.yml b/roles/samba/tasks/main.yml
new file mode 100644
index 0000000..82736ab
--- /dev/null
+++ b/roles/samba/tasks/main.yml
@@ -0,0 +1,62 @@
+- name: Install samba and required tools
+ apt:
+ name={{ item }}
+ state=present
+ with_items:
+ - heimdal-clients
+ - libnss-winbind
+ - libpam-winbind
+ - ntp
+ - ntpdate
+ - samba
+ - winbind
+ tags: samba_install
+
+- name: Install nsswitch passwd config
+ lineinfile:
+ dest=/etc/nsswitch.conf
+ regexp="^passwd:"
+ line="passwd{{ ':' }} files winbind"
+ notify: restart samba
+ tags: samba_nsswitch
+
+- name: Install nsswitch group config
+ lineinfile:
+ dest=/etc/nsswitch.conf
+ regexp="^group:"
+ line="group{{ ':' }} files winbind"
+ notify: restart samba
+ tags: samba_nsswitch
+
+- name: Install nsswitch shadow config
+ lineinfile:
+ dest=/etc/nsswitch.conf
+ regexp="^shadow:"
+ line="shadow{{ ':' }} files winbind"
+ notify: restart samba
+ tags: samba_nsswitch
+
+- name: Install samba configuration
+ template:
+ src=smb.conf.j2
+ dest=/etc/samba/smb.conf
+ mode=0644
+ owner=root
+ group=root
+ notify: restart samba
+ tags: samba_smbconf
+
+- name: Enable samba services
+ service:
+ name={{ item }}
+ enabled=yes
+ with_items:
+ - smbd
+ - nmbd
+ - winbind
+ tags: samba_services
+
+- name: Join domain
+ shell: net ads join -U {{ ad_admin_username }}%{{ ad_admin_password }}
+ notify: restart samba
+ tags: samba_join
diff --git a/roles/samba/templates/smb.conf.j2 b/roles/samba/templates/smb.conf.j2
new file mode 100644
index 0000000..cb809ea
--- /dev/null
+++ b/roles/samba/templates/smb.conf.j2
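Review bot: The `Join domain` task passes the domain admin password on the command line (`-U {{ ad_admin_username }}%{{ ad_admin_password }}`), so it is visible in the host's process list while the join runs and is printed in Ansible's output and logs: a failed task prints the rendered `cmd` at any verbosity, a changed one at `-v`, and the Vagrantfile runs with `verbose = "vv"`; `no_log: true` is the minimum. The task also re-joins on every run, which re-enters the credential and resets the machine account each time; guarding it with `net ads testjoin` makes it idempotent, as below (the password is still briefly visible to other local processes, which `no_log` cannot help with). The `.main.yml.swp` in the preceding hunk is a Vim swap file that should be removed and added to `.gitignore`. The `shadow:` nsswitch line is harmless but, as far as I know, winbind does not serve the shadow map.
```yaml
- name: Check whether the host is already joined
  command: net ads testjoin
  register: ad_testjoin
  changed_when: false
  failed_when: false
  tags: samba_join

- name: Join domain
  shell: net ads join -U {{ ad_admin_username }}%{{ ad_admin_password }}
  no_log: true          # the rendered command contains the admin password
  when: ad_testjoin.rc != 0
  notify: restart samba
  tags: samba_join
```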
@@ -0,0 +1,17 @@
+[global]
+ workgroup = {{ ad_nt_domain }}
+ realm = {{ ad_dns_domain }}
+ security = ADS
+ log file = /var/log/samba/%m
+ max log size = 1024
+ template homedir = /home/%U
+ template shell = /bin/bash
+ winbind separator = /
+ winbind enum users = Yes
+ winbind enum groups = Yes
+ winbind use default domain = Yes
+ winbind offline logon = Yes
+ winbind rpc only = Yes
+ winbind refresh tickets = Yes
+ idmap config * : range = 16777216-33554431
+ idmap config * : backend = tdb
diff --git a/test.yml b/test.yml
new file mode 100644
index 0000000..35f56db
--- /dev/null
+++ b/test.yml
@@ -0,0 +1,21 @@
+---
+- hosts: all
+ become: yes
+ roles:
+ - common
+ - samba
+ - pam
+ - lightdm
+ vars:
+ - kbdlang: "fr"
+ - kbdmodel: "pc105"
+ - kbdvariant: "latin9"
+ - localelang: "fr_FR"
+ - localelanguage: "fr_FR:"
+ - languagepacks:
+ - language-pack-fr
+ - language-pack-fr-base
+ - ad_dns_domain: AD.PAULBSD.NET
+ - ad_nt_domain: AD
+ - ad_admin_username: Administrator
+ - ad_admin_password: Password50
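Review bot: `idmap config * : backend = tdb` hands out UIDs and GIDs from the `*` range in the order accounts are first seen on each machine, so the same AD user gets a different UID on every workstation; combined with `template homedir = /home/%U` that breaks any shared, migrated or removable-media data owned by domain users. Give the joined domain a deterministic mapping and keep `*` as the tdb catch-all for BUILTIN, e.g. `idmap config {{ ad_nt_domain }} : backend = rid` and `idmap config {{ ad_nt_domain }} : range = 100000-999999` (constructed example; the range must not overlap the `*` range). `winbind enum users = Yes` and `winbind enum groups = Yes` make `getent passwd`/`getent group` walk the whole directory and are normally left off for anything beyond a lab domain.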
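Review bot: `test.yml` commits a domain admin username and password (`ad_admin_password: Password50`) together with a real-looking realm, and `.gitignore` does not exclude the file, so the credential is in git history from the initial commit; if it is not a throwaway lab value, treat it as exposed and rotate it. Keep the secret out of the tree by reusing the `vars_prompt` block from `playbook.yml`, or by loading the four `ad_*` values from a vaulted `vars_files` entry, and point the Vagrantfile at `playbook.yml` so the two playbooks stop drifting (they already differ only in how these variables are supplied).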