created roles for office terminal install, tested up to auth

This commit is contained in:
Jordan Pryde 2016-06-02 00:47:31 -04:00
parent 912a93ea55
commit 1cb9bd08ba
17 changed files with 903 additions and 0 deletions

2
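--- a/bootstrap-packages.sh
+++ b/bootstrap-packages.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+sudo apt-get update && sudo apt-get install python python-apt aptitude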
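Review bot: `apt-get install` on the second line runs without `-y`, so the bootstrap stalls on the confirmation prompt whenever it is run non-interactively (for example as a one-shot command from the control host); `sudo apt-get update && sudo apt-get install -y python python-apt aptitude` is the unattended form. A `set -e` is not needed because `&&` already stops on a failed update, but the script prints nothing of its own on failure, so the caller must rely on the exit status.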


@ -0,0 +1,13 @@
---
- hosts: new-office
become: yes
become_method: sudo
roles:
- common
- core
- hardware
- devel
- generate-hosts
- auth
- nfs
- csc-packages
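Review bot: `become: yes` uses the YAML 1.1 boolean spelling that yamllint's `truthy` rule flags; `become: true` is the canonical form, and `become_method: sudo` is already Ansible's default and could be dropped. The play also has no `name:`, which makes `--list-tasks` and run output harder to read; a `- name: configure office terminal` above `hosts:` fixes that.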


@ -0,0 +1,66 @@
[libdefaults]
default_realm = CSCLUB.UWATERLOO.CA
forwardable = true
proxiable = true
dns_lookup_kdc = false
dns_lookup_realm = false
[realms]
CSCLUB.UWATERLOO.CA = {
kdc = kdc1.csclub.uwaterloo.ca
kdc = kdc2.csclub.uwaterloo.ca
admin_server = kadmin.csclub.uwaterloo.ca
}
STUDENT.CS.UWATERLOO.CA = {
kdc = eponina.student.cs.uwaterloo.ca:88
kdc = canadenis.student.cs.uwaterloo.ca:88
admin_server = canadenis.student.cs.uwaterloo.ca:464
}
CS.UWATERLOO.CA = {
kdc = intacta.cs.uwaterloo.ca:88
kdc = serverus.cs.uwaterloo.ca:88
admin_server = intacta.cs.uwaterloo.ca:464
}
ADS.UWATERLOO.CA = {
kdc = ads.uwaterloo.ca:88
admin_server = ads.uwaterloo.ca:464
default_domain = ads.uwaterloo.ca
}
NEXUS.UWATERLOO.CA = {
kdc = nexus.uwaterloo.ca:88
kdc = nexus.uwaterloo.ca
admin_server = nexus.uwaterloo.ca:464
}
[domain_realm]
.uwaterloo.ca = ADS.UWATERLOO.CA
uwaterloo.ca = ADS.UWATERLOO.CA
.csclub.uwaterloo.ca = CSCLUB.UWATERLOO.CA
csclub.uwaterloo.ca = CSCLUB.UWATERLOO.CA
.nexus.uwaterloo.ca = NEXUS.UWATERLOO.CA
nexus.uwaterloo.ca = NEXUS.UWATERLOO.CA
.cs.uwaterloo.ca = CS.UWATERLOO.CA
cs.uwaterloo.ca = CS.UWATERLOO.CA
.student.cs.uwaterloo.ca = STUDENT.CS.UWATERLOO.CA
student.cs.uwaterloo.ca = STUDENT.CS.UWATERLOO.CA
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5.log
#[dbmodules]
# openldap_ldapconf = {
# db_library = kldap
# ldap_kerberos_container_dn = "cn=kerberos,dc=csclub,dc=uwaterloo,dc=ca"
# ldap_kdc_dn = "cn=kerberos-kdc,dc=csclub,dc=uwaterloo,dc=ca"
# ldap_kadmind_dn = "cn=kerberos-admin,dc=csclub,dc=uwaterloo,dc=ca"
# ldap_service_password_file = /etc/krb5kdc/service.keyfile
# ldap_servers = ldapi:///
# }
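Review bot: `forwardable = true` and `proxiable = true` under `[libdefaults]` make every ticket obtained on these terminals forwardable and proxiable by default, and the ssh_config in the same commit sets `GSSAPIDelegateCredentials yes` for every host, so a user's TGT is handed to any machine they ssh to; unless delegation to arbitrary hosts is intended, drop `proxiable` and leave forwarding to be requested explicitly (`kinit -f`) or scope delegation in ssh_config. The `NEXUS.UWATERLOO.CA` stanza lists `kdc = nexus.uwaterloo.ca:88` and `kdc = nexus.uwaterloo.ca`, which appear to be the same server twice since 88 is the default port; one line suffices. The commented-out `[dbmodules]` block is KDC-side configuration with no effect on a client and could be removed from the template rather than shipped to every terminal. `dns_lookup_kdc = false` with explicit KDC hosts is the right choice here, since it keeps KDC discovery from depending on unauthenticated DNS.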


@ -0,0 +1,16 @@
# $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.9 2000/09/04 19:57:01 kurt Exp $
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=csclub, dc=uwaterloo, dc=ca
URI ldap://ldap1.csclub.uwaterloo.ca ldap://ldap2.csclub.uwaterloo.ca
SIZELIMIT 0
TLS_CACERT /etc/ssl/certs/GlobalSign_Intermediate_Root_SHA256_G2.pem
TLS_CACERTFILE /etc/ssl/certs/GlobalSign_Intermediate_Root_SHA256_G2.pem
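Review bot: `URI` lists the servers as plain `ldap://` while the sssd.conf in this commit reaches them over `ldaps://`, so any ldap-utils lookup from these terminals (ldapsearch, ldapwhoami with a Kerberos ticket) goes over cleartext unless the user remembers `-ZZ`; `URI ldaps://ldap1.csclub.uwaterloo.ca ldaps://ldap2.csclub.uwaterloo.ca` plus `TLS_REQCERT demand` matches the sssd setting. `TLS_CACERTFILE` does not appear in ldap.conf(5) (the client option is `TLS_CACERT`, already given on the previous line), so that line is presumably ignored and can go. The trust anchor is an intermediate CA rather than a root; that works while the intermediate is unchanged, but a comment that the file needs updating when the server certificate is reissued under a different intermediate would save a future outage.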


@ -0,0 +1,25 @@
# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.
# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.
# Site-wide defaults for some commonly used options. For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.
Host *
SendEnv LANG LC_*
GSSAPITrustDns yes
GSSAPIKeyExchange yes
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
UseRoaming no
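Review bot: `GSSAPIDelegateCredentials yes` under `Host *` forwards the user's Kerberos TGT to every server they connect to, including hosts outside the club, and `GSSAPITrustDns yes` lets DNS decide which service principal the client accepts; together these should be limited to the club's own hosts. Put them in a `Host *.csclub.uwaterloo.ca` block ahead of `Host *` (ssh_config keeps the first value set, as the header comment already explains), leaving `GSSAPIAuthentication yes` alone in the wildcard block. The rewritten tail of the file is below.
```sshconfig
Host *.csclub.uwaterloo.ca
    GSSAPIKeyExchange yes
    GSSAPIDelegateCredentials yes
    GSSAPITrustDns yes

Host *
    SendEnv LANG LC_*
    GSSAPIAuthentication yes
    UseRoaming no
```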


@ -0,0 +1,64 @@
# Package generated configuration file
# See the sshd(8) manpage for details
# What ports, IPs and protocols we listen for
Port 22
# Use only protocol version 2
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
# Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication
UsePAM yes
StrictModes yes
PermitRootLogin yes
LoginGraceTime 120
MaxStartups 25:30:100
# password authentication via PAM (single sign-on initial case)
PasswordAuthentication yes
PermitEmptyPasswords no
# keyboard-interactive authentication (like password, works with +needchange)
ChallengeResponseAuthentication yes
# kerberos (single sign-on already authenticated case)
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
GSSAPICleanupCredentials yes
# public key authentication with authorized_keys
PubkeyAuthentication yes
# no single sign-on via hosts.equiv; we use kerberos
HostbasedAuthentication no
IgnoreRhosts yes
# no builtin kerberos auth with password, we do the same via pam_krb5
KerberosAuthentication no
# allow X forwarding
X11Forwarding yes
X11DisplayOffset 10
# PAM prints these already
PrintMotd no
PrintLastLog no
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
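Review bot: `PermitRootLogin yes` together with `PasswordAuthentication yes` exposes the root password to online guessing on every office terminal, and the playbook does not need it since it connects as a user and escalates with `become`/sudo; `PermitRootLogin prohibit-password` (or `no`) keeps key/Kerberos access for root if that is wanted and closes the password path. The `MACs` list still carries `hmac-ripemd160-etm@openssh.com` and `hmac-ripemd160`, legacy algorithms that no client negotiating the sha2 or umac entries ahead of them needs; they can be dropped. `LoginGraceTime 120` and `MaxStartups 25:30:100` are reasonable for a terminal; a comment noting that fail2ban (installed by the core role) is the intended brute-force control would make the pairing explicit.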


@ -0,0 +1,28 @@
[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = csclub.uwaterloo.ca
[domain/csclub.uwaterloo.ca]
cache_credentials = true
enumerate = true
id_provider = ldap
auth_provider = krb5
sudo_provider = ldap
entry_cache_timeout = 600
ldap_uri = ldaps://ldap1.csclub.uwaterloo.ca,ldaps://ldap2.csclub.uwaterloo.ca
ldap_tls_cacert = /etc/ssl/certs/GlobalSign_Intermediate_Root_SHA256_G2.pem
ldap_tls_reqcert = demand
ldap_search_base = dc=csclub,dc=uwaterloo,dc=ca
ldap_schema = rfc2307bis
ldap_group_member = uniqueMember
ldap_user_search_base = ou=People,dc=csclub,dc=uwaterloo,dc=ca
ldap_group_search_base = ou=Group,dc=csclub,dc=uwaterloo,dc=ca
ldap_sudo_search_base = ou=SUDOers,dc=csclub,dc=uwaterloo,dc=ca
krb5_realm = CSCLUB.UWATERLOO.CA
krb5_server = kdc1.csclub.uwaterloo.ca,kdc2.csclub.uwaterloo.ca
krb5_kpasswd = kadmin.csclub.uwaterloo.ca
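Review bot: `enumerate = true` makes every terminal pull the complete user and group lists from LDAP on a timer and is only needed for tools that list all accounts (`getent passwd` with no argument); sssd.conf(5) warns of its performance impact on larger directories, so either a comment saying why it is on or dropping it is warranted. The domain has no `access_provider`, which defaults to `permit`, so host access control is left entirely to the PAM blocks added by the auth role; a `# access control is done in /etc/pam.d/common-account` comment next to `auth_provider` would record that decision. `ldap_tls_cacert` points at an intermediate certificate rather than a root, same as ldap.conf; with `ldap_tls_reqcert = demand` that is correct until the server's chain changes.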

54
roles/auth/tasks/main.yml Normal file

@ -0,0 +1,54 @@
---
- name: install libpam-csc
apt: name=libpam-csc state=latest
- name: install required aptitude packages
apt: name={{ item }} state=latest
with_items:
- krb5-user
- ldap-utils
- sssd
- sssd-tools
- name: install ubuntu sss pam and nss
apt: name={{ item }} state=latest
when: ansible_distribution == 'Ubuntu'
with_items:
- libnss-sss
- libpam-sss
- name: copy over configs
template: src={{ item.src }} dest={{ item.dest }}
with_items:
- { src: 'krb5.conf', dest: '/etc/krb5.conf' }
- { src: 'ldap.conf', dest: '/etc/ldap/ldap.conf' }
- { src: 'sssd.conf', dest: '/etc/sssd/sssd.conf' }
- { src: 'sshd_config', dest: '/etc/ssh/sshd_config' }
- { src: 'ssh_config', dest: '/etc/ssh/ssh_config' }
- name: configure PAM for syscom machine
when: syscom
blockinfile:
dest: /etc/pam.d/common-account
block: |
# make sure user is up to date, except system accounts and syscom
account [success=2 default=ignore] pam_succeed_if.so quiet uid < 10000
account [success=1 default=ignore] pam_succeed_if.so quiet user ingroup syscom
account required pam_deny.so
- name: configure PAM for regular machine
when: not syscom
blockinfile:
dest: /etc/pam.d/common-account
block: |
# make sure user is up to date, except system accounts and syscom
account [success=2 default=ignore] pam_succeed_if.so quiet uid < 10000
account [success=1 default=ignore] pam_succeed_if.so quiet user ingroup syscom
account required pam_csc.so
- name: restart services
service: name={{ item }} state=restarted
with_items:
- sssd
- ssh
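Review bot: The `copy over configs` task writes `/etc/sssd/sssd.conf` with whatever mode the template module's default umask gives and no explicit owner; sssd checks that its config file is root-owned and not readable by others and, in the versions I know, refuses to start when that check fails, so the `restart services` task at the end would then fail on the first run. Carry a per-file `mode` in the item list and set `owner=root group=root` on the template line, as below. The `restart services` task also restarts sssd and ssh unconditionally on every run; turning it into `notify:` on the template task with matching handlers (a `handlers/main.yml` for the role, not in this commit) restarts them only when a config changed. `when: syscom` fails with an undefined variable on hosts that do not define `syscom`; `when: syscom | default(false)` and `when: not (syscom | default(false))` give the regular-machine behaviour by default. `state=latest` on every `apt` task here, and in the common, core, csc-packages, devel, hardware and nfs roles, turns each run into a package upgrade; `state=present` is the idempotent choice for installation.
```yaml
- name: copy over configs
  template: src={{ item.src }} dest={{ item.dest }} owner=root group=root mode={{ item.mode }}
  with_items:
    - { src: 'krb5.conf', dest: '/etc/krb5.conf', mode: '0644' }
    - { src: 'ldap.conf', dest: '/etc/ldap/ldap.conf', mode: '0644' }
    - { src: 'sssd.conf', dest: '/etc/sssd/sssd.conf', mode: '0600' }
    - { src: 'sshd_config', dest: '/etc/ssh/sshd_config', mode: '0644' }
    - { src: 'ssh_config', dest: '/etc/ssh/ssh_config', mode: '0644' }
  # handlers 'restart sssd' / 'restart ssh' belong in roles/auth/handlers/main.yml (not in this commit)
  notify:
    - restart sssd
    - restart ssh
# … unchanged: PAM blockinfile tasks …
```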


@ -0,0 +1,29 @@
---
- name: Install git
apt: name=git state=latest
- name: install etckeeper
apt: name=etckeeper state=present
register: etckeeper
- name: update etckeeper VCS
lineinfile: dest=/etc/etckeeper/etckeeper.conf
state=present
backrefs=yes
regexp={{ item.regex }}
line={{ item.line }}
with_items:
- { regex: '^(VCS=.*)$', line: '#\1' }
- { regex: '^#(VCS=\"git\")$', line: '\1' }
when: etckeeper.changed == true
- name: re-initialize etckeeper with git
command: "{{ item }}"
with_items:
- 'etckeeper uninit -f'
- 'etckeeper init'
- 'etckeeper commit "Initial commit"'
args:
chdir: /etc
when: etckeeper.changed == true
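Review bot: `when: etckeeper.changed == true` on the last two tasks compares a boolean to `true`; `when: etckeeper.changed` reads the same and is the form Ansible's linting expects. The `update etckeeper VCS` task feeds `{{ item.regex }}` and `{{ item.line }}` into the free-form `key=value` string unquoted, so any future item containing a space or `=` would be split into separate arguments; writing the module args as a YAML mapping (`regexp: "{{ item.regex }}"`, `line: "{{ item.line }}"`) avoids that. `etckeeper uninit -f` discards any existing /etc history; the `changed` guard keeps it to fresh installs, which deserves a one-line comment above the task because the command is destructive.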


@ -0,0 +1,27 @@
---
- name: Add debian.csclub.uwaterloo.ca GPG key
apt_key: url=http://debian.csclub.uwaterloo.ca/csclub.asc state=present
- name: Add debian.csclub.uwaterloo.ca repository
apt_repository: repo="{{ item }}" state=present
with_items:
- "deb http://debian.csclub.uwaterloo.ca/ {{ ansible_distribution_release }} main"
- "deb-src http://debian.csclub.uwaterloo.ca/ {{ ansible_distribution_release }} main"
- name: Update apt and packages (if just installed unlikely)
package: update_cache=yes upgrade=safe
- name: ensure directories exist
file: path={{ item }} state=directory
with_items:
- /etc/opt/chrome/policies/managed/
- /etc/firefox
- name: copy chrome managed policy
copy: src={{ item.src }} dest={{ item.dest }} backup=no
with_items:
- { src: 'files/web-kerberos/chrome.json', dest: '/etc/opt/chrome/policies/managed/csc-kerberos.json' }
- { src: 'files/web-kerberos/firefox.js', dest: '/etc/firefox/syspref.js' }
- include: etckeeper.yml
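Review bot: `apt_key: url=http://debian.csclub.uwaterloo.ca/csclub.asc` fetches the repository signing key over plain HTTP with no `id=` fingerprint, so whoever can interpose on that request at install time chooses which key the terminal trusts for every later package from that mirror. Pin the key with `id=<FINGERPRINT OF csclub.asc — fill in>` (apt_key then rejects a key that does not match) and fetch it over `https://` if the mirror serves it, or ship the key file inside the role and pass it via `data=`. The `package: update_cache=yes upgrade=safe` task routes apt-only arguments through the generic `package` module, which works on apt systems but hides the intent; since every other task here is `apt:`, `apt: update_cache=yes upgrade=safe` is clearer. The `apt_repository` entries are `http://` as well, which is acceptable once the key is pinned because apt verifies the Release signature, but a comment saying so would stop the next reader from worrying about it.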

120
roles/core/tasks/main.yml Normal file

@ -0,0 +1,120 @@
---
- name: Install Shells
apt: name={{ item }} state=latest
with_items:
- bash
- zsh
- zsh-doc
- dash
- ksh
- tcsh
- csh
- rc
- bash-doc
- bash-completion
- bashdb
- name: Install Editors
apt: name={{ item }} state=latest
with_items:
- vim-nox
- ed
- nano
- name: Install words
apt: name={{ item }} state=latest
with_items:
- wamerican-insane
- name: Install utils
apt: name={{ item }} state=latest
with_items:
- acl
- tmux
- screen
- less
- lsof
- bc
- dc
- psmisc
- procps
- htop
- schedtool
- pciutils
- rsync
- name: Install compression
apt: name={{ item }} state=latest
with_items:
- bzip2
- gzip
- pax
- lzma
- xz-utils
- cpio
- name: Install ncurses
apt: name={{ item }} state=latest
with_items:
- ncurses-bin
- ncurses-term
- name: Install network
apt: name={{ item }} state=latest
with_items:
- iputils-ping
- iputils-arping
- traceroute
- telnet
- iproute2
- ethtool
- dnsutils
- whois
- wget
- curl
- netcat-traditional
- netcat-openbsd
- vlan
- bridge-utils
- tcpdump
- tshark
- ftp
- tftp
- name: Install ntp
apt: name=ntp state=latest
- name: Install debian package management
apt: name={{ item }} state=latest
with_items:
- aptitude
- dselect
- name: Install gpg
apt: name=gnupg state=latest
- name: Install fail2ban
apt: name=fail2ban state=latest
- name: Install man pages
apt: name={{ item }} state=latest
with_items:
- manpages
- info
- name: Install rsyslog
apt: name=rsyslog state=latest
- name: Install molly-guard
apt: name=molly-guard state=latest
- name: Install ssmtp
apt: name=ssmtp state=latest
- name: Configure ssmtp
lineinfile: dest=/etc/ssmtp/ssmtp.conf
state=present
backrefs=yes
regexp='^#(FromLineOverride=YES)$'
line='\\1'
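Review bot: The `Configure ssmtp` task gives `line='\\1'` inside the free-form args string; the enclosing value is a plain YAML scalar, so no backslash processing happens at the YAML layer and the module appears to receive two backslashes, which with `backrefs=yes` expands to a literal `\1` instead of `FromLineOverride=YES`. The `etckeeper.yml` in this commit writes the same backreference as `'\1'`; `line: '\1'` in block form here (single backslash) should behave as intended and keeps the two roles consistent, assuming a test run confirms the expansion. `Install fail2ban` installs the daemon with its stock jail, which on Debian covers sshd by default; a comment saying that the default jail is the intended configuration, or a follow-up task placing a `jail.local`, would make that explicit.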


@ -0,0 +1,7 @@
---
- name: Install CSC packages
apt: name={{ item }} state=latest
with_items:
- ceo-python
- library

378
roles/devel/tasks/main.yml Normal file

@ -0,0 +1,378 @@
---
- name: Install build essentials
apt: name=build-essential state=latest
- name: Install debian dev stuff
apt: name={{ item }} state=latest
with_items:
- dpkg-dev
- devscripts
- debootstrap
- dupload
- fakeroot
- debhelper
- dh-make
- dh-make-perl
- dh-buildinfo
- cdbs
- dpatch
- kernel-package
- lintian
- alien
- po-debconf
- pbuilder
- dpkg-repack
- name: Install build helpers
apt: name={{ item }} state=latest
with_items:
- make
- make-doc
- autoconf
- autoconf-doc
- automake
- cmake
- ccache
- ant
- ant-optional
- scons
- qt5-qmake
- qt4-qmake
- autogen
- autotools-dev
- autoproject
- kbuild
- name: Install OpenJDK
apt: name={{ item }} state=latest
with_items:
- openjdk-8-jdk
- name: Install Debuggers
apt: name={{ item }} state=latest
with_items:
- strace
- gdb
- elfutils
- valgrind
- libc6-dbg
- name: Install interpreters
apt: name={{ item }} state=latest
with_items:
- python3
- python
- perl
- ruby
- name: Install dev docs
apt: name={{ item }} state=latest
with_items:
- manpages-dev
- gcc-doc
- cpp-doc
- binutils-doc
- manpages-posix-dev
- glibc-doc
- glibc-doc-reference
- gdb-doc
- stl-manual
- perl-doc
- name: Install x86 assembly tools
apt: name={{ item }} state=latest
with_items:
- bin86
- nasm
- yasm
- name: Install scanning and parsing utils
apt: name={{ item }} state=latest
with_items:
- flex
- flex-doc
- bison
- bison-doc
- ragel
- byacc
- re2c
- name: Install VCS
apt: name={{ item }} state=latest
with_items:
- git
- git-email
- git-cvs
- git-svn
- git-arch
- git-doc
- git-buildpackage
- mercurial
- subversion
- subversion-tools
- darcs
- bzr
- bzrtools
- cvs
- cvsps
- wdiff
- colordiff
- patch
- patchutils
- quilt
- gitk
- git-gui
- diffutils
- tkdiff
- name: Install mono
apt: name={{ item }} state=latest
with_items:
- mono-complete
- mono-devel
- mono-profiler
- mono-tools-devel
- mono-tools-gui
- mono-vbnc
- name: Install haskell
apt: name={{ item }} state=latest
with_items:
- ghc
- ghc-doc
- haskell-platform
- name: Install ocaml
apt: name={{ item }} state=latest
with_items:
- ocaml
- camlp4
- name: Install python and libs
apt: name={{ item }} state=latest
with_items:
- python3-virtualenv
- python3-pip
- python3-all-dev
- python-pip
- python-virtualenv
- drpython
- ipython
- pylint
- pychecker
- pyflakes
- python-all-dev
- python-m2crypto
- python-mysqldb
- python-imaging
- python-libxml2
- python-libxslt1
- python-numpy
- python-numpy-doc
- python-twisted
- python-openssl
- python-pexpect
- python-pyasn1
- python-pysnmp4
- python-sqlobject
- python-subversion
- python-urwid
- python-xmpp
- python-beautifulsoup
- python-chardet
- python-kerberos
- python-mako
- python-pyme
- python-rpm
- python-selinux
- python-setuptools
- python-simplejson
- python-sqlite
- python-sqlitecachec
- python-urlgrabber
- python-cups
- python-notify
- python-tk
- jython
- jython-doc
- name: Install ruby
apt: name={{ item }} state=latest
with_items:
- ruby-dev
- rake
- name: Install llvm
apt: name={{ item }} state=latest
with_items:
- clang
- llvm
- llvm-dev
- name: Install scheme/racket
apt: name={{ item }} state=latest
with_items:
- racket
- racket-doc
- scheme2c
- guile-1.8
- guile-1.8-dev
- tinyscheme
- chicken-bin
- mit-scheme-doc
- scheme9
- stalin
- name: Install tcl/tk
apt: name={{ item }} state=latest
with_items:
- tcl
- tcl-dev
- tcl8.5
- tk
- tk-dev
- name: Install lua
apt: name={{ item }} state=latest
with_items:
- lua5.3
- liblua5.3-dev
- name: Install misc scripting
apt: name={{ item }} state=latest
with_items:
- swig
- gawk
- mawk
- m4
- name: Install misc languages
apt: name={{ item }} state=latest
with_items:
- gfortran
- erlang
- erlang-dev
- beef
- intercal
- php-cli
- rhino
- sbcl
- name: Install AVR tools
apt: name={{ item }} state=latest
with_items:
- gcc-avr
- binutils-avr
- gdb-avr
- avrdude
- avrdude-doc
- simulavr
- avarice
- avr-libc
- avra
- avrp
- uisp
- usbprog
- name: Install misc libs
apt: name={{ item }} state=latest
with_items:
- libpam2-dev
- libpam0g-dev
- comerr-dev
- e2fslibs-dev
- libcap-dev
- libattr1-dev
- libacl1-dev
- libselinux1-dev
- libpcre3-dev
- libapt-pkg-dev
- linux-libc-dev
- libkrb5-dev
- libgnutls-dev
- libreadline-dev
- libncurses5-dev
- libncursesw5-dev
- libghc-mtl-dev
- libghc-mtl-prof
- libghc-mtl-doc
- libghc-network-dev
- libghc-parsec3-dev
- libboost-dev
- zlib1g-dev
- libbz2-dev
- libcurl4-gnutls-dev
- libexpat1-dev
- libglib2.0-dev
- libgmp3-dev
- libsasl2-dev
- libsctp-dev
- libsqlite3-dev
- libssl-dev
- libxml2-dev
- libxslt1-dev
- ss-dev
- mesa-common-dev
- uuid-dev
- libprotobuf-c-dev
- libprotobuf-dev
- libffi-dev
- libidl-dev
- libelf-dev
- libdw-dev
- libaudit-dev
- libgmp-dev
- libmpfr-dev
- libmpc-dev
- libfplll-dev
- name: Install x11 libs
apt: name={{ item }} state=latest
with_items:
- xorg-dev
- libgtk2.0-dev
- libqt4-dev
- libsdl1.2-dev
- freeglut3-dev
- libgl1-mesa-dev
- libglu1-mesa-dev
- libghc-x11-dev
- libghc-x11-doc
- libghc-x11-prof
- libgtkmm-2.4-dev
- glade
- xutils-dev
- name: Install IDEs
apt: name={{ item }} state=latest
with_items:
- eclipse
- monodevelop
- name: Install cross toolchains
apt: name={{ item }} state=latest
with_items:
- gcc-5-arm-linux-gnueabi
- gcc-5-mips-linux-gnu
- gcc-5-mipsel-linux-gnu
- gcc-5-powerpc-linux-gnu
- gcc-5-sparc64-linux-gnu
- gcc-5-s390x-linux-gnu
- name: Install misc dev tools
apt: name={{ item }} state=latest
with_items:
- gperf
- gettext
- check
- dejagnu
- doxygen
- exuberant-ctags
- indent
- cutils
- chrpath
- openmpi-bin
- openmpi-doc
- protobuf-compiler
- protobuf-c-compiler
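Review bot: `Install cross toolchains` pins `gcc-5-arm-linux-gnueabi` and the other `gcc-5-*` names, so the whole play fails on any release where GCC 5 is not the packaged cross compiler; the unversioned `gcc-arm-linux-gnueabi`, `gcc-mips-linux-gnu`, … metapackages follow the release default and should be preferred, with the version pinned only if a build needs it. `libpam2-dev` in `Install misc libs` does not look like a Debian/Ubuntu package name (`libpam0g-dev` on the next line is the real development package), and since apt fails the task when any name in the list is unknown, one bad name blocks the whole list — worth checking with `apt-cache policy libpam2-dev` on the target release. A one-line comment above each list naming the release it was verified against would make later pruning safer.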


@ -0,0 +1,13 @@
---
- name: update hosts
connection: local
become: no
git: repo=~git/public/hosts.git dest=generate-hosts
- name: generate hosts file
connection: local
become: no
shell: generate-hosts/generate-hosts.py < generate-hosts/hosts.in > generate-hosts/hosts
- name: copy hosts file
copy: src=generate-hosts/hosts dest=/etc/hosts backup=yes
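Review bot: `git: repo=~git/public/hosts.git dest=generate-hosts` runs on the control host with no `version=`, so each run checks out whatever HEAD is and the next task executes `generate-hosts.py` from it unpinned; pin `version=<KNOWN-GOOD-COMMIT-OR-TAG>` (placeholder) so an unreviewed change in that repository cannot silently alter the hosts file pushed to every terminal. Both local tasks run once per target host although their result is host-independent, and `shell:` always reports changed; `run_once: true` on them and `changed_when: false` on the shell task make the play idempotent and faster. The `generate-hosts/...` paths are relative to the playbook's working directory, which deserves a comment above the first task.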


@ -0,0 +1,18 @@
---
- name: Install hardware probing tools
apt: name={{ item }} state=latest
with_items:
- lm-sensors
- smartmontools
- hwinfo
- lshw
- acpi
- name: Install framebuffer stuff
apt: name={{ item }} state=latest
with_items:
- vbetool
- fbset
- read-edid

30
roles/nfs/tasks/main.yml Normal file

@ -0,0 +1,30 @@
---
- name: Install nfs-common
apt: name=nfs-common state=latest
- name: change NEED_GSSD to NEED_GSSD=1
lineinfile: dest=/etc/default/nfs-common
state=present
backrefs=yes
regexp='^NEED_GSSD=$'
line='NEED_GSSD=1'
- name: restart and enable rpc-gssd
service: name=rpc-gssd state=started enabled=yes
- name: ensure mountpoints exist
file: path={{ item }} state=directory
with_items:
- /users
- /music
- /scratch
- name: Add fstab entry for users
mount: src="aspartame:/users" name=/users fstype=nfs opts="bg,vers=3,sec=krb5,nosuid,nodev" dump=0 passno=0 state=mounted
- name: Add fstab entry for music
mount: src="aspartame:/music" name=/music fstype=nfs opts="bg,vers=3,sec=sys,nolock,noatime,nosuid,nodev" dump=0 passno=0 state=mounted
- name: Add fstab entry for scratch
mount: src="corn-syrup:/scratch" name=/scratch fstype=nfs opts="bg,vers=3,sec=sys,noatime,nosuid,nodev" dump=0 passno=0 state=mounted
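Review bot: The task named `restart and enable rpc-gssd` uses `state=started`, so when the preceding `lineinfile` flips `NEED_GSSD=1` on a host where gssd was already running with the old setting, nothing is restarted; either `state=restarted`, or a handler notified by the `lineinfile` task, matches the name. `/users` is mounted with `sec=krb5`, which authenticates the user but leaves home-directory traffic unsigned and unencrypted on the wire; `sec=krb5i` or `sec=krb5p` should be considered for home directories, with a comment recording the decision if the cost is judged too high on this network. The `lineinfile` regexp `'^NEED_GSSD=$'` with `backrefs=yes` only edits an empty setting and silently leaves an existing `NEED_GSSD=no` in place; `regexp='^NEED_GSSD='` without `backrefs` replaces whatever value is there.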


@ -0,0 +1,13 @@
---
- name: Install Ubuntu desktop metapackages
apt: name={{ item }} state=latest
with_items:
- ubuntu-desktop
- kubuntu-desktop
- edubuntu-desktop
- lubuntu-desktop
- mate-desktop-environment
- cinnamon-desktop-environment
- ubuntustudio-desktop
- xubuntu-desktop