Add csc-auth and csc-packages roles; update handlers

playbooks/test.yml

@@ -3,3 +3,5 @@
   become: true
   roles:
     - core
+    - csc-auth
+    - csc-packages

roles/core/handlers/ntp.yml

@@ -10,3 +10,4 @@
   service:
     name: ntp
     state: restarted
+    enabled: true

roles/core/handlers/remote_access.yml

@@ -10,3 +10,4 @@
   service:
     name: sshd
     state: restarted
+    enabled: true

roles/core/handlers/rsyslog.yml

@@ -10,3 +10,4 @@
   service:
     name: rsyslog
     state: restarted
+    enabled: true

roles/core/tasks/packages.yml

@@ -1,5 +1,20 @@
 ---
 
+- name: Remove unecessary packages
+  apt:
+    name: '{{ item }}'
+    state: absent
+  with_items:
+    - joe
+    - lirc
+    - pipentd
+    - winbind
+    - modemmanager
+    - sn
+    - network-manager
+    - wpasupplicant
+    - sn
+
 - name: Install shells
   apt:
     name: '{{ item }}'
@@ -76,6 +91,28 @@
     - ftp
     - tftp
 
+- name: Install physical tools
+  when: not(ansible_virtualization_role == 'guest')
+  apt:
+    name: '{{ item }}'
+    cache_valid_time: 3600
+  with_items:
+    - lm-sensors
+    - smartmontools
+    - hwinfo
+    - lshw
+    - acpi
+    - vbetool
+    - fbset
+    - read-edid
+
+- name: Enable sysrq
+  when: not(ansible_virtualization_role == 'guest')
+  lineinfile:
+    dest: /etc/sysctl.conf
+    line: kernel.sysrq = 1
+    state: present
+
 - name: Install terminal multiplexers
   apt:
     name: '{{ item }}'
@@ -125,6 +162,11 @@
     - manpages
     - info
 
+- name: Install etckeeper
+  apt:
+    name: etckeeper
+    cache_valid_time: 3600
+
 - name: Install molly-guard
   apt:
     name: molly-guard

roles/csc-auth/files/GlobalSign_Intermediate_Root_SHA256_G2.pem

@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIEaTCCA1GgAwIBAgILBAAAAAABRE7wQkcwDQYJKoZIhvcNAQELBQAwVzELMAkG
+A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv
+b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw0xNDAyMjAxMDAw
+MDBaFw0yNDAyMjAxMDAwMDBaMGYxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i
+YWxTaWduIG52LXNhMTwwOgYDVQQDEzNHbG9iYWxTaWduIE9yZ2FuaXphdGlvbiBW
+YWxpZGF0aW9uIENBIC0gU0hBMjU2IC0gRzIwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQDHDmw/I5N/zHClnSDDDlM/fsBOwphJykfVI+8DNIV0yKMCLkZc
+C33JiJ1Pi/D4nGyMVTXbv/Kz6vvjVudKRtkTIso21ZvBqOOWQ5PyDLzm+ebomchj
+SHh/VzZpGhkdWtHUfcKc1H/hgBKueuqI6lfYygoKOhJJomIZeg0k9zfrtHOSewUj
+mxK1zusp36QUArkBpdSmnENkiN74fv7j9R7l/tyjqORmMdlMJekYuYlZCa7pnRxt
+Nw9KHjUgKOKv1CGLAcRFrW4rY6uSa2EKTSDtc7p8zv4WtdufgPDWi2zZCHlKT3hl
+2pK8vjX5s8T5J4BO/5ZS5gIg4Qdz6V0rvbLxAgMBAAGjggElMIIBITAOBgNVHQ8B
+Af8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUlt5h8b0cFilT
+HMDMfTuDAEDmGnwwRwYDVR0gBEAwPjA8BgRVHSAAMDQwMgYIKwYBBQUHAgEWJmh0
+dHBzOi8vd3d3Lmdsb2JhbHNpZ24uY29tL3JlcG9zaXRvcnkvMDMGA1UdHwQsMCow
+KKAmoCSGImh0dHA6Ly9jcmwuZ2xvYmFsc2lnbi5uZXQvcm9vdC5jcmwwPQYIKwYB
+BQUHAQEEMTAvMC0GCCsGAQUFBzABhiFodHRwOi8vb2NzcC5nbG9iYWxzaWduLmNv
+bS9yb290cjEwHwYDVR0jBBgwFoAUYHtmGkUNl8qJUC99BM00qP/8/UswDQYJKoZI
+hvcNAQELBQADggEBAEYq7l69rgFgNzERhnF0tkZJyBAW/i9iIxerH4f4gu3K3w4s
+32R1juUYcqeMOovJrKV3UPfvnqTgoI8UV6MqX+x+bRDmuo2wCId2Dkyy2VG7EQLy
+XN0cvfNVlg/UBsD84iOKJHDTu/B5GqdhcIOKrwbFINihY9Bsrk8y1658GEV1BSl3
+30JAZGSGvip2CTFvHST0mdCF/vIhCPnG9vHQWe3WVjwIKANnuvD58ZAWR65n5ryA
+SOlCdjSXVWkkDoPWoC209fN5ikkodBpBocLTJIg1MGCUF7ThBCIxPTsvFwayuJ2G
+K1pp74P1S8SqtCr4fKGxhZSM9AyHDPSsQPhZSZg=
+-----END CERTIFICATE-----

roles/csc-auth/files/become_club

@@ -0,0 +1,18 @@
+#!/bin/sh
+if test -z "$1"; then
+    echo >&2 'usage: become_club clubaccount'
+    echo >&2 '       become_club -l'
+    exit 2
+fi
+if test "$(whoami)" = "$1"; then
+    echo >&2 you are already $1
+    exit 1
+fi
+if test -z "$SHELL"; then
+    export SHELL=/bin/bash
+fi
+if test "$1" = -l; then
+    sudo -l
+else
+    exec sudo -H -s -u "$1"
+fi

roles/csc-auth/files/k5login

@@ -0,0 +1 @@
+sysadmin/admin@CSCLUB.UWATERLOO.CA

roles/csc-auth/files/krb5.conf

@@ -0,0 +1,67 @@
+[libdefaults]
+  default_realm = CSCLUB.UWATERLOO.CA
+  forwardable = true
+  proxiable = true
+  dns_lookup_kdc = false
+  dns_lookup_realm = false
+  allow_weak_crypto = true
+
+[realms]
+  CSCLUB.UWATERLOO.CA = {
+    kdc = kdc1.csclub.uwaterloo.ca
+    kdc = kdc2.csclub.uwaterloo.ca
+    admin_server = kadmin.csclub.uwaterloo.ca
+  }
+
+  STUDENT.CS.UWATERLOO.CA = {
+    kdc = eponina.student.cs.uwaterloo.ca:88
+    kdc = canadenis.student.cs.uwaterloo.ca:88
+    admin_server = canadenis.student.cs.uwaterloo.ca:464
+  }
+
+  CS.UWATERLOO.CA = {
+    kdc = intacta.cs.uwaterloo.ca:88
+    kdc = serverus.cs.uwaterloo.ca:88
+    admin_server = intacta.cs.uwaterloo.ca:464
+  }
+
+  ADS.UWATERLOO.CA = {
+    kdc = ads.uwaterloo.ca:88
+    admin_server = ads.uwaterloo.ca:464
+    default_domain = ads.uwaterloo.ca
+  }
+
+  NEXUS.UWATERLOO.CA = {
+    kdc = nexus.uwaterloo.ca:88
+    kdc = nexus.uwaterloo.ca
+    admin_server = nexus.uwaterloo.ca:464
+  }
+
+[domain_realm]
+  .uwaterloo.ca = ADS.UWATERLOO.CA
+  uwaterloo.ca = ADS.UWATERLOO.CA
+  .csclub.uwaterloo.ca = CSCLUB.UWATERLOO.CA
+  csclub.uwaterloo.ca = CSCLUB.UWATERLOO.CA
+  .nexus.uwaterloo.ca = NEXUS.UWATERLOO.CA
+  nexus.uwaterloo.ca = NEXUS.UWATERLOO.CA
+  .cs.uwaterloo.ca = CS.UWATERLOO.CA
+  cs.uwaterloo.ca = CS.UWATERLOO.CA
+  .student.cs.uwaterloo.ca = STUDENT.CS.UWATERLOO.CA
+  student.cs.uwaterloo.ca = STUDENT.CS.UWATERLOO.CA
+
+[logging]
+  kdc = FILE:/var/log/krb5kdc.log
+  admin_server = FILE:/var/log/kadmin.log
+  default = FILE:/var/log/krb5.log
+
+
+#[dbmodules]
+# openldap_ldapconf = {
+#   db_library = kldap
+#   ldap_kerberos_container_dn = "cn=kerberos,dc=csclub,dc=uwaterloo,dc=ca"
+#   ldap_kdc_dn = "cn=kerberos-kdc,dc=csclub,dc=uwaterloo,dc=ca"
+#   ldap_kadmind_dn = "cn=kerberos-admin,dc=csclub,dc=uwaterloo,dc=ca"
+#   ldap_service_password_file = /etc/krb5kdc/service.keyfile
+#   ldap_servers = ldapi:///
+# }
+

roles/csc-auth/files/ldap.conf

@@ -0,0 +1,16 @@
+# $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.9 2000/09/04 19:57:01 kurt Exp $
+#
+# LDAP Defaults
+#
+
+# See ldap.conf(5) for details
+# This file should be world readable but not world writable.
+
+BASE	dc=csclub, dc=uwaterloo, dc=ca
+URI     ldap://ldap1.csclub.uwaterloo.ca ldap://ldap2.csclub.uwaterloo.ca
+
+SIZELIMIT	0
+
+TLS_CACERT      /etc/ssl/certs/GlobalSign_Intermediate_Root_SHA256_G2.pem
+TLS_CACERTFILE	/etc/ssl/certs/GlobalSign_Intermediate_Root_SHA256_G2.pem
+

roles/csc-auth/files/sssd.conf

@@ -0,0 +1,28 @@
+[sssd]
+config_file_version = 2
+services = nss, pam, sudo
+domains = csclub.uwaterloo.ca
+
+[domain/csclub.uwaterloo.ca]
+cache_credentials = true
+enumerate = true
+
+id_provider = ldap
+auth_provider = krb5
+sudo_provider = ldap
+entry_cache_timeout = 600
+
+ldap_uri = ldaps://ldap1.csclub.uwaterloo.ca,ldaps://ldap2.csclub.uwaterloo.ca
+ldap_tls_cacert = /etc/ssl/certs/GlobalSign_Intermediate_Root_SHA256_G2.pem
+ldap_tls_reqcert = demand
+ldap_search_base = dc=csclub,dc=uwaterloo,dc=ca
+ldap_schema = rfc2307bis
+ldap_group_member = uniqueMember
+
+ldap_user_search_base = ou=People,dc=csclub,dc=uwaterloo,dc=ca
+ldap_group_search_base = ou=Group,dc=csclub,dc=uwaterloo,dc=ca
+ldap_sudo_search_base = ou=SUDOers,dc=csclub,dc=uwaterloo,dc=ca
+
+krb5_realm = CSCLUB.UWATERLOO.CA
+krb5_server = kdc1.csclub.uwaterloo.ca,kdc2.csclub.uwaterloo.ca
+krb5_kpasswd = kadmin.csclub.uwaterloo.ca

roles/csc-auth/handlers/main.yml

@@ -0,0 +1,13 @@
+---
+
+- name: Start sssd
+  service:
+    name: sssd
+    state: started
+    enabled: true
+
+- name: Restart sssd
+  service:
+    name: sssd
+    state: restarted
+    enabled: true

roles/csc-auth/tasks/main.yml

@@ -0,0 +1,81 @@
+---
+
+- name: Install sssd
+  apt:
+    name: sssd
+    cache_valid_time: 3600
+  notify:
+    - Start sssd
+
+- name: Remove unecessary authentication packages
+  apt:
+    name: '{{ item }}'
+    state: absent
+  with_items:
+    - libpam-ldapd
+    - libpam-ldap
+    - nscd
+    - nslcd
+
+- name: Install authentication packages
+  apt:
+    name: '{{ item }}'
+    cache_valid_time: 3600
+  with_items:
+    - sssd-tools
+    - krb5-user
+    - ldap-utils
+    - kstart
+    - sudo
+    - libpam-csc
+
+- name: Configure sssd
+  copy:
+    src: sssd.conf
+    dest: /etc/sssd/sssd.conf
+    mode: 0600
+    owner: root
+    group: root
+  notify:
+    - Restart sssd
+
+- name: Configure PAM (syscom)
+  when: '"syscom" in group_names'
+  blockinfile:
+    dest: /etc/pam.d/common-account
+    block: |
+      # only allow system accounts and members of the systems committee
+      account [success=2 default=ignore]    pam_succeed_if.so quiet uid < 10000
+      account [success=1 default=ignore]    pam_succeed_if.so quiet user ingroup syscom
+      account required                      pam_deny.so
+
+- name: Configure PAM (general)
+  when: '"syscom" not in group_names'
+  blockinfile:
+    dest: /etc/pam.d/common-account
+    block: |
+      # Allow system accounts and members of the systems committee,
+      # otherwise only allow current CSC members.
+      account [success=2 default=ignore]    pam_succeed_if.so quiet uid < 10000
+      account [success=1 default=ignore]    pam_succeed_if.so quiet user ingroup syscom
+      account required                      pam_csc.so
+
+- name: Copy authentication configuration
+  copy:
+    src: '{{ item.src }}'
+    dest: '{{ item.dest }}'
+  with_items:
+    - src: krb5.conf
+      dest: /etc/krb5.conf
+    - src: ldap.conf
+      dest: /etc/ldap/ldap.conf
+    - src: k5login
+      dest: /root/.k5login
+    - src: GlobalSign_Intermediate_Root_SHA256_G2.pem
+      dest: /etc/ssl/certs/GlobalSign_Intermediate_Root_SHA256_G2
+
+- name: Copy user scripts
+  copy:
+    src: become_club
+    dest: /usr/local/bin/become_club
+    mode: 0755

roles/csc-packages/tasks/main.yml

@@ -0,0 +1,11 @@
+---
+
+- name: Install ceo client
+  apt:
+    name: ceo-python
+    cache_valid_time: 3600
+
+- name: Install library
+  apt:
+    name: library
+    cache_valid_time: 3600