Add csc-auth and csc-packages roles; update handlers
This commit is contained in:
parent
e8917ecf07
commit
3644adea52
|
@ -3,3 +3,5 @@
|
||||||
become: true
|
become: true
|
||||||
roles:
|
roles:
|
||||||
- core
|
- core
|
||||||
|
- csc-auth
|
||||||
|
- csc-packages
|
||||||
|
|
|
@ -10,3 +10,4 @@
|
||||||
service:
|
service:
|
||||||
name: ntp
|
name: ntp
|
||||||
state: restarted
|
state: restarted
|
||||||
|
enabled: true
|
||||||
|
|
|
@ -10,3 +10,4 @@
|
||||||
service:
|
service:
|
||||||
name: sshd
|
name: sshd
|
||||||
state: restarted
|
state: restarted
|
||||||
|
enabled: true
|
||||||
|
|
|
@ -10,3 +10,4 @@
|
||||||
service:
|
service:
|
||||||
name: rsyslog
|
name: rsyslog
|
||||||
state: restarted
|
state: restarted
|
||||||
|
enabled: true
|
||||||
|
|
|
@ -1,5 +1,20 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
|
- name: Remove unecessary packages
|
||||||
|
apt:
|
||||||
|
name: '{{ item }}'
|
||||||
|
state: absent
|
||||||
|
with_items:
|
||||||
|
- joe
|
||||||
|
- lirc
|
||||||
|
- pipentd
|
||||||
|
- winbind
|
||||||
|
- modemmanager
|
||||||
|
- sn
|
||||||
|
- network-manager
|
||||||
|
- wpasupplicant
|
||||||
|
- sn
|
||||||
|
|
||||||
- name: Install shells
|
- name: Install shells
|
||||||
apt:
|
apt:
|
||||||
name: '{{ item }}'
|
name: '{{ item }}'
|
||||||
|
@ -76,6 +91,28 @@
|
||||||
- ftp
|
- ftp
|
||||||
- tftp
|
- tftp
|
||||||
|
|
||||||
|
- name: Install physical tools
|
||||||
|
when: not(ansible_virtualization_role == 'guest')
|
||||||
|
apt:
|
||||||
|
name: '{{ item }}'
|
||||||
|
cache_valid_time: 3600
|
||||||
|
with_items:
|
||||||
|
- lm-sensors
|
||||||
|
- smartmontools
|
||||||
|
- hwinfo
|
||||||
|
- lshw
|
||||||
|
- acpi
|
||||||
|
- vbetool
|
||||||
|
- fbset
|
||||||
|
- read-edid
|
||||||
|
|
||||||
|
- name: Enable sysrq
|
||||||
|
when: not(ansible_virtualization_role == 'guest')
|
||||||
|
lineinfile:
|
||||||
|
dest: /etc/sysctl.conf
|
||||||
|
line: kernel.sysrq = 1
|
||||||
|
state: present
|
||||||
|
|
||||||
- name: Install terminal multiplexers
|
- name: Install terminal multiplexers
|
||||||
apt:
|
apt:
|
||||||
name: '{{ item }}'
|
name: '{{ item }}'
|
||||||
|
@ -125,6 +162,11 @@
|
||||||
- manpages
|
- manpages
|
||||||
- info
|
- info
|
||||||
|
|
||||||
|
- name: Install etckeeper
|
||||||
|
apt:
|
||||||
|
name: etckeeper
|
||||||
|
cache_valid_time: 3600
|
||||||
|
|
||||||
- name: Install molly-guard
|
- name: Install molly-guard
|
||||||
apt:
|
apt:
|
||||||
name: molly-guard
|
name: molly-guard
|
||||||
|
|
|
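Review bot: The `Enable sysrq` task in the second hunk writes `kernel.sysrq = 1` into /etc/sysctl.conf with lineinfile, but nothing applies it, so the setting only takes effect after a reboot; and because the task has no `regexp:`, a pre-existing `kernel.sysrq` line in that file is left in place and a second one appended. The `sysctl` module handles both the file and the live value, so I would replace the lineinfile call with it as below. Note that `1` enables every SysRq function from the console rather than only the crash-debugging ones; a bitmask limited to the functions operators actually need is the usual hardening recommendation, and a comment stating which functions are wanted would justify whichever value is chosen. In the first hunk of this file, `- sn` appears twice in the removal list, `pipentd` does not look like a Debian package name (pidentd?), and the task name reads `unecessary`.

```yaml
- name: Enable sysrq
  when: not(ansible_virtualization_role == 'guest')
  sysctl:
    name: kernel.sysrq
    value: '1'
    sysctl_set: true
```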
@ -0,0 +1,26 @@
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIEaTCCA1GgAwIBAgILBAAAAAABRE7wQkcwDQYJKoZIhvcNAQELBQAwVzELMAkG
|
||||||
|
A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv
|
||||||
|
b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw0xNDAyMjAxMDAw
|
||||||
|
MDBaFw0yNDAyMjAxMDAwMDBaMGYxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i
|
||||||
|
YWxTaWduIG52LXNhMTwwOgYDVQQDEzNHbG9iYWxTaWduIE9yZ2FuaXphdGlvbiBW
|
||||||
|
YWxpZGF0aW9uIENBIC0gU0hBMjU2IC0gRzIwggEiMA0GCSqGSIb3DQEBAQUAA4IB
|
||||||
|
DwAwggEKAoIBAQDHDmw/I5N/zHClnSDDDlM/fsBOwphJykfVI+8DNIV0yKMCLkZc
|
||||||
|
C33JiJ1Pi/D4nGyMVTXbv/Kz6vvjVudKRtkTIso21ZvBqOOWQ5PyDLzm+ebomchj
|
||||||
|
SHh/VzZpGhkdWtHUfcKc1H/hgBKueuqI6lfYygoKOhJJomIZeg0k9zfrtHOSewUj
|
||||||
|
mxK1zusp36QUArkBpdSmnENkiN74fv7j9R7l/tyjqORmMdlMJekYuYlZCa7pnRxt
|
||||||
|
Nw9KHjUgKOKv1CGLAcRFrW4rY6uSa2EKTSDtc7p8zv4WtdufgPDWi2zZCHlKT3hl
|
||||||
|
2pK8vjX5s8T5J4BO/5ZS5gIg4Qdz6V0rvbLxAgMBAAGjggElMIIBITAOBgNVHQ8B
|
||||||
|
Af8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUlt5h8b0cFilT
|
||||||
|
HMDMfTuDAEDmGnwwRwYDVR0gBEAwPjA8BgRVHSAAMDQwMgYIKwYBBQUHAgEWJmh0
|
||||||
|
dHBzOi8vd3d3Lmdsb2JhbHNpZ24uY29tL3JlcG9zaXRvcnkvMDMGA1UdHwQsMCow
|
||||||
|
KKAmoCSGImh0dHA6Ly9jcmwuZ2xvYmFsc2lnbi5uZXQvcm9vdC5jcmwwPQYIKwYB
|
||||||
|
BQUHAQEEMTAvMC0GCCsGAQUFBzABhiFodHRwOi8vb2NzcC5nbG9iYWxzaWduLmNv
|
||||||
|
bS9yb290cjEwHwYDVR0jBBgwFoAUYHtmGkUNl8qJUC99BM00qP/8/UswDQYJKoZI
|
||||||
|
hvcNAQELBQADggEBAEYq7l69rgFgNzERhnF0tkZJyBAW/i9iIxerH4f4gu3K3w4s
|
||||||
|
32R1juUYcqeMOovJrKV3UPfvnqTgoI8UV6MqX+x+bRDmuo2wCId2Dkyy2VG7EQLy
|
||||||
|
XN0cvfNVlg/UBsD84iOKJHDTu/B5GqdhcIOKrwbFINihY9Bsrk8y1658GEV1BSl3
|
||||||
|
30JAZGSGvip2CTFvHST0mdCF/vIhCPnG9vHQWe3WVjwIKANnuvD58ZAWR65n5ryA
|
||||||
|
SOlCdjSXVWkkDoPWoC209fN5ikkodBpBocLTJIg1MGCUF7ThBCIxPTsvFwayuJ2G
|
||||||
|
K1pp74P1S8SqtCr4fKGxhZSM9AyHDPSsQPhZSZg=
|
||||||
|
-----END CERTIFICATE-----
|
|
@ -0,0 +1,18 @@
|
||||||
|
#!/bin/sh
|
||||||
|
if test -z "$1"; then
|
||||||
|
echo >&2 'usage: become_club clubaccount'
|
||||||
|
echo >&2 ' become_club -l'
|
||||||
|
exit 2
|
||||||
|
fi
|
||||||
|
if test "$(whoami)" = "$1"; then
|
||||||
|
echo >&2 you are already $1
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
if test -z "$SHELL"; then
|
||||||
|
export SHELL=/bin/bash
|
||||||
|
fi
|
||||||
|
if test "$1" = -l; then
|
||||||
|
sudo -l
|
||||||
|
else
|
||||||
|
exec sudo -H -s -u "$1"
|
||||||
|
fi
|
|
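Review bot: `echo >&2 you are already $1` leaves `$1` unquoted, so an argument containing whitespace or glob characters is word-split and expanded before echo sees it, while every other use of `$1` in the script is quoted; write `echo >&2 "you are already $1"`. The `-l` branch is only reached after the `whoami` comparison, which reads oddly for a flag; moving the `test "$1" = -l` check directly after the usage check makes the flag handling obvious at a glance. A one-line header comment saying that the script switches to a club account via sudo, or with `-l` prints what sudo allows, would also help, since the file carries no description.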
@ -0,0 +1 @@
|
||||||
|
sysadmin/admin@CSCLUB.UWATERLOO.CA
|
|
@ -0,0 +1,67 @@
|
||||||
|
[libdefaults]
|
||||||
|
default_realm = CSCLUB.UWATERLOO.CA
|
||||||
|
forwardable = true
|
||||||
|
proxiable = true
|
||||||
|
dns_lookup_kdc = false
|
||||||
|
dns_lookup_realm = false
|
||||||
|
allow_weak_crypto = true
|
||||||
|
|
||||||
|
[realms]
|
||||||
|
CSCLUB.UWATERLOO.CA = {
|
||||||
|
kdc = kdc1.csclub.uwaterloo.ca
|
||||||
|
kdc = kdc2.csclub.uwaterloo.ca
|
||||||
|
admin_server = kadmin.csclub.uwaterloo.ca
|
||||||
|
}
|
||||||
|
|
||||||
|
STUDENT.CS.UWATERLOO.CA = {
|
||||||
|
kdc = eponina.student.cs.uwaterloo.ca:88
|
||||||
|
kdc = canadenis.student.cs.uwaterloo.ca:88
|
||||||
|
admin_server = canadenis.student.cs.uwaterloo.ca:464
|
||||||
|
}
|
||||||
|
|
||||||
|
CS.UWATERLOO.CA = {
|
||||||
|
kdc = intacta.cs.uwaterloo.ca:88
|
||||||
|
kdc = serverus.cs.uwaterloo.ca:88
|
||||||
|
admin_server = intacta.cs.uwaterloo.ca:464
|
||||||
|
}
|
||||||
|
|
||||||
|
ADS.UWATERLOO.CA = {
|
||||||
|
kdc = ads.uwaterloo.ca:88
|
||||||
|
admin_server = ads.uwaterloo.ca:464
|
||||||
|
default_domain = ads.uwaterloo.ca
|
||||||
|
}
|
||||||
|
|
||||||
|
NEXUS.UWATERLOO.CA = {
|
||||||
|
kdc = nexus.uwaterloo.ca:88
|
||||||
|
kdc = nexus.uwaterloo.ca
|
||||||
|
admin_server = nexus.uwaterloo.ca:464
|
||||||
|
}
|
||||||
|
|
||||||
|
[domain_realm]
|
||||||
|
.uwaterloo.ca = ADS.UWATERLOO.CA
|
||||||
|
uwaterloo.ca = ADS.UWATERLOO.CA
|
||||||
|
.csclub.uwaterloo.ca = CSCLUB.UWATERLOO.CA
|
||||||
|
csclub.uwaterloo.ca = CSCLUB.UWATERLOO.CA
|
||||||
|
.nexus.uwaterloo.ca = NEXUS.UWATERLOO.CA
|
||||||
|
nexus.uwaterloo.ca = NEXUS.UWATERLOO.CA
|
||||||
|
.cs.uwaterloo.ca = CS.UWATERLOO.CA
|
||||||
|
cs.uwaterloo.ca = CS.UWATERLOO.CA
|
||||||
|
.student.cs.uwaterloo.ca = STUDENT.CS.UWATERLOO.CA
|
||||||
|
student.cs.uwaterloo.ca = STUDENT.CS.UWATERLOO.CA
|
||||||
|
|
||||||
|
[logging]
|
||||||
|
kdc = FILE:/var/log/krb5kdc.log
|
||||||
|
admin_server = FILE:/var/log/kadmin.log
|
||||||
|
default = FILE:/var/log/krb5.log
|
||||||
|
|
||||||
|
|
||||||
|
#[dbmodules]
|
||||||
|
# openldap_ldapconf = {
|
||||||
|
# db_library = kldap
|
||||||
|
# ldap_kerberos_container_dn = "cn=kerberos,dc=csclub,dc=uwaterloo,dc=ca"
|
||||||
|
# ldap_kdc_dn = "cn=kerberos-kdc,dc=csclub,dc=uwaterloo,dc=ca"
|
||||||
|
# ldap_kadmind_dn = "cn=kerberos-admin,dc=csclub,dc=uwaterloo,dc=ca"
|
||||||
|
# ldap_service_password_file = /etc/krb5kdc/service.keyfile
|
||||||
|
# ldap_servers = ldapi:///
|
||||||
|
# }
|
||||||
|
|
|
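Review bot: `allow_weak_crypto = true` in `[libdefaults]` keeps the weak enctypes (single DES and friends) in the client's permitted lists for every realm on the host, reversing the library default of false; unless a specific legacy KDC or service principal still needs them, drop the line, or leave a comment naming that dependency so it can be retired later. In `[realms]`, `NEXUS.UWATERLOO.CA` lists both `kdc = nexus.uwaterloo.ca:88` and `kdc = nexus.uwaterloo.ca`, which name the same KDC since 88 is the default port; one of the two can go.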
@ -0,0 +1,16 @@
|
||||||
|
# $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.9 2000/09/04 19:57:01 kurt Exp $
|
||||||
|
#
|
||||||
|
# LDAP Defaults
|
||||||
|
#
|
||||||
|
|
||||||
|
# See ldap.conf(5) for details
|
||||||
|
# This file should be world readable but not world writable.
|
||||||
|
|
||||||
|
BASE dc=csclub, dc=uwaterloo, dc=ca
|
||||||
|
URI ldap://ldap1.csclub.uwaterloo.ca ldap://ldap2.csclub.uwaterloo.ca
|
||||||
|
|
||||||
|
SIZELIMIT 0
|
||||||
|
|
||||||
|
TLS_CACERT /etc/ssl/certs/GlobalSign_Intermediate_Root_SHA256_G2.pem
|
||||||
|
TLS_CACERTFILE /etc/ssl/certs/GlobalSign_Intermediate_Root_SHA256_G2.pem
|
||||||
|
|
|
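Review bot: `URI` lists both servers as `ldap://`, so ldap-utils on these hosts speak cleartext LDAP unless the caller remembers `-ZZ`, while sssd.conf in the same commit uses `ldaps://` for the same two hosts; `URI ldaps://ldap1.csclub.uwaterloo.ca ldaps://ldap2.csclub.uwaterloo.ca` makes the two agree and removes the cleartext default. `TLS_CACERTFILE` is not a keyword I can find in ldap.conf(5) (it looks like the nss_ldap/pam_ldap spelling); as far as I know libldap ignores unknown keywords, so that line is dead and only `TLS_CACERT` is doing anything — drop it or replace it with a comment explaining why it is kept.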
@ -0,0 +1,28 @@
|
||||||
|
[sssd]
|
||||||
|
config_file_version = 2
|
||||||
|
services = nss, pam, sudo
|
||||||
|
domains = csclub.uwaterloo.ca
|
||||||
|
|
||||||
|
[domain/csclub.uwaterloo.ca]
|
||||||
|
cache_credentials = true
|
||||||
|
enumerate = true
|
||||||
|
|
||||||
|
id_provider = ldap
|
||||||
|
auth_provider = krb5
|
||||||
|
sudo_provider = ldap
|
||||||
|
entry_cache_timeout = 600
|
||||||
|
|
||||||
|
ldap_uri = ldaps://ldap1.csclub.uwaterloo.ca,ldaps://ldap2.csclub.uwaterloo.ca
|
||||||
|
ldap_tls_cacert = /etc/ssl/certs/GlobalSign_Intermediate_Root_SHA256_G2.pem
|
||||||
|
ldap_tls_reqcert = demand
|
||||||
|
ldap_search_base = dc=csclub,dc=uwaterloo,dc=ca
|
||||||
|
ldap_schema = rfc2307bis
|
||||||
|
ldap_group_member = uniqueMember
|
||||||
|
|
||||||
|
ldap_user_search_base = ou=People,dc=csclub,dc=uwaterloo,dc=ca
|
||||||
|
ldap_group_search_base = ou=Group,dc=csclub,dc=uwaterloo,dc=ca
|
||||||
|
ldap_sudo_search_base = ou=SUDOers,dc=csclub,dc=uwaterloo,dc=ca
|
||||||
|
|
||||||
|
krb5_realm = CSCLUB.UWATERLOO.CA
|
||||||
|
krb5_server = kdc1.csclub.uwaterloo.ca,kdc2.csclub.uwaterloo.ca
|
||||||
|
krb5_kpasswd = kadmin.csclub.uwaterloo.ca
|
|
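Review bot: `ldap_tls_cacert` pins a single intermediate as the only trust anchor; the PEM added in this commit appears to decode to a GlobalSign organization-validation intermediate with a notAfter in 2024, so once the LDAP servers are reissued under a different intermediate, `ldap_tls_reqcert = demand` (correctly) rejects the chain and lookups for anyone without cached credentials stop working. Trusting the system bundle (`ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt`) or the root CA is more durable; if pinning the intermediate is deliberate, a comment giving the reason and the renewal date would let the next maintainer plan the rotation. `enumerate = true` makes sssd periodically pull the full user and group tree, which sssd.conf(5) advises against for larger directories; a short comment on why full enumeration is needed here would help.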
@ -0,0 +1,13 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: Start sssd
|
||||||
|
service:
|
||||||
|
name: sssd
|
||||||
|
state: started
|
||||||
|
enabled: true
|
||||||
|
|
||||||
|
- name: Restart sssd
|
||||||
|
service:
|
||||||
|
name: sssd
|
||||||
|
state: restarted
|
||||||
|
enabled: true
|
|
@ -0,0 +1,81 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: Install sssd
|
||||||
|
apt:
|
||||||
|
name: sssd
|
||||||
|
cache_valid_time: 3600
|
||||||
|
notify:
|
||||||
|
- Start sssd
|
||||||
|
|
||||||
|
- name: Remove unecessary authentication packages
|
||||||
|
apt:
|
||||||
|
name: '{{ item }}'
|
||||||
|
state: absent
|
||||||
|
with_items:
|
||||||
|
- libpam-ldapd
|
||||||
|
- libpam-ldap
|
||||||
|
- nscd
|
||||||
|
- nslcd
|
||||||
|
|
||||||
|
- name: Install authentication packages
|
||||||
|
apt:
|
||||||
|
name: '{{ item }}'
|
||||||
|
cache_valid_time: 3600
|
||||||
|
with_items:
|
||||||
|
- sssd-tools
|
||||||
|
- krb5-user
|
||||||
|
- ldap-utils
|
||||||
|
- kstart
|
||||||
|
- sudo
|
||||||
|
- libpam-csc
|
||||||
|
|
||||||
|
- name: Configure sssd
|
||||||
|
copy:
|
||||||
|
src: sssd.conf
|
||||||
|
dest: /etc/sssd/sssd.conf
|
||||||
|
mode: 0600
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
notify:
|
||||||
|
- Restart sssd
|
||||||
|
|
||||||
|
- name: Configure PAM (syscom)
|
||||||
|
when: '"syscom" in group_names'
|
||||||
|
blockinfile:
|
||||||
|
dest: /etc/pam.d/common-account
|
||||||
|
block: |
|
||||||
|
# only allow system accounts and members of the systems committee
|
||||||
|
account [success=2 default=ignore] pam_succeed_if.so quiet uid < 10000
|
||||||
|
account [success=1 default=ignore] pam_succeed_if.so quiet user ingroup syscom
|
||||||
|
account required pam_deny.so
|
||||||
|
|
||||||
|
- name: Configure PAM (general)
|
||||||
|
when: '"syscom" not in group_names'
|
||||||
|
blockinfile:
|
||||||
|
dest: /etc/pam.d/common-account
|
||||||
|
block: |
|
||||||
|
# Allow system accounts and members of the systems committee,
|
||||||
|
# otherwise only allow current CSC members.
|
||||||
|
account [success=2 default=ignore] pam_succeed_if.so quiet uid < 10000
|
||||||
|
account [success=1 default=ignore] pam_succeed_if.so quiet user ingroup syscom
|
||||||
|
account required pam_csc.so
|
||||||
|
|
||||||
|
- name: Copy authentication configuration
|
||||||
|
copy:
|
||||||
|
src: '{{ item.src }}'
|
||||||
|
dest: '{{ item.dest }}'
|
||||||
|
with_items:
|
||||||
|
- src: krb5.conf
|
||||||
|
dest: /etc/krb5.conf
|
||||||
|
- src: ldap.conf
|
||||||
|
dest: /etc/ldap/ldap.conf
|
||||||
|
- src: k5login
|
||||||
|
dest: /root/.k5login
|
||||||
|
- src: GlobalSign_Intermediate_Root_SHA256_G2.pem
|
||||||
|
dest: /etc/ssl/certs/GlobalSign_Intermediate_Root_SHA256_G2
|
||||||
|
|
||||||
|
- name: Copy user scripts
|
||||||
|
copy:
|
||||||
|
src: become_club
|
||||||
|
dest: /usr/local/bin/become_club
|
||||||
|
mode: 0755
|
|
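Review bot: The CA file is copied to `dest: /etc/ssl/certs/GlobalSign_Intermediate_Root_SHA256_G2` (no `.pem`), but ldap.conf's `TLS_CACERT` and sssd.conf's `ldap_tls_cacert` in this same commit read `/etc/ssl/certs/GlobalSign_Intermediate_Root_SHA256_G2.pem`; with `ldap_tls_reqcert = demand` sssd is expected to fail verification against a missing file, so the destination should be `dest: /etc/ssl/certs/GlobalSign_Intermediate_Root_SHA256_G2.pem`. The same `Copy authentication configuration` loop writes `/root/.k5login` and `/etc/krb5.conf` without `owner`/`mode`, so the resulting permissions depend on the target's umask; adding `mode: 0644` and `owner: root` to that task matches what the `Configure sssd` task already does explicitly. The two blockinfile tasks append to `/etc/pam.d/common-account`, which pam-auth-update regenerates on Debian; it is worth confirming that the ANSIBLE MANAGED block survives a `pam-auth-update` run, and noting that in a comment on the task.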
@ -0,0 +1,11 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: Install ceo client
|
||||||
|
apt:
|
||||||
|
name: ceo-python
|
||||||
|
cache_valid_time: 3600
|
||||||
|
|
||||||
|
- name: Install library
|
||||||
|
apt:
|
||||||
|
name: library
|
||||||
|
cache_valid_time: 3600
|