Add csc-auth and csc-packages roles; update handlers
parent
e8917ecf07
commit
3644adea52
|
@ -3,3 +3,5 @@
|
|||
become: true
|
||||
roles:
|
||||
- core
|
||||
- csc-auth
|
||||
- csc-packages
|
||||
|
|
|
@ -10,3 +10,4 @@
|
|||
service:
|
||||
name: ntp
|
||||
state: restarted
|
||||
enabled: true
|
||||
|
|
|
@ -10,3 +10,4 @@
|
|||
service:
|
||||
name: sshd
|
||||
state: restarted
|
||||
enabled: true
|
||||
|
|
|
@ -10,3 +10,4 @@
|
|||
service:
|
||||
name: rsyslog
|
||||
state: restarted
|
||||
enabled: true
|
||||
|
|
|
@ -1,5 +1,20 @@
|
|||
---
|
||||
|
||||
- name: Remove unecessary packages
|
||||
apt:
|
||||
name: '{{ item }}'
|
||||
state: absent
|
||||
with_items:
|
||||
- joe
|
||||
- lirc
|
||||
- pipentd
|
||||
- winbind
|
||||
- modemmanager
|
||||
- sn
|
||||
- network-manager
|
||||
- wpasupplicant
|
||||
- sn
|
||||
|
||||
- name: Install shells
|
||||
apt:
|
||||
name: '{{ item }}'
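Review bot: `sn` appears twice in the `with_items` list of the removal task (L121 and L130); drop one of them. The task name `Remove unecessary packages` misspells "unnecessary" (the same typo recurs in the csc-auth role's `Remove unecessary authentication packages`). Removing `network-manager` and `wpasupplicant` is done unconditionally here, whereas the hardware-tools task later in this file is gated on `ansible_virtualization_role`; if any managed host brings up its uplink through NetworkManager this will take it offline mid-play, so either add a `when:` guard or a comment such as `# all managed hosts use ifupdown; NM/wpa are never the uplink` stating the assumption. The `Install shells` task at the end of the hunk continues outside it.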
|
||||
|
@ -76,6 +91,28 @@
|
|||
- ftp
|
||||
- tftp
|
||||
|
||||
- name: Install physical tools
|
||||
when: not(ansible_virtualization_role == 'guest')
|
||||
apt:
|
||||
name: '{{ item }}'
|
||||
cache_valid_time: 3600
|
||||
with_items:
|
||||
- lm-sensors
|
||||
- smartmontools
|
||||
- hwinfo
|
||||
- lshw
|
||||
- acpi
|
||||
- vbetool
|
||||
- fbset
|
||||
- read-edid
|
||||
|
||||
- name: Enable sysrq
|
||||
when: not(ansible_virtualization_role == 'guest')
|
||||
lineinfile:
|
||||
dest: /etc/sysctl.conf
|
||||
line: kernel.sysrq = 1
|
||||
state: present
|
||||
|
||||
- name: Install terminal multiplexers
|
||||
apt:
|
||||
name: '{{ item }}'
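Review bot: `kernel.sysrq = 1` at L212 enables every magic-SysRq function — including the ones that SIGKILL all processes, crash the kernel and trigger the OOM killer — for anyone with access to the physical console, which is exactly the case this task targets; a restricted mask such as `line: kernel.sysrq = 176` (sync, remount read-only, reboot) covers the recovery use case without the rest. Because this is `lineinfile` with no `regexp`, an existing `kernel.sysrq = 0` line in /etc/sysctl.conf would be left in place and the new line only takes effect at the next boot; adding `regexp: '^\s*kernel\.sysrq\s*='` and notifying a handler that reloads sysctl (or using the `sysctl` module with `sysctl_set: true`) fixes both. The `Install terminal multiplexers` task at the end of the hunk continues outside it.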
|
||||
|
@ -125,6 +162,11 @@
|
|||
- manpages
|
||||
- info
|
||||
|
||||
- name: Install etckeeper
|
||||
apt:
|
||||
name: etckeeper
|
||||
cache_valid_time: 3600
|
||||
|
||||
- name: Install molly-guard
|
||||
apt:
|
||||
name: molly-guard
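Review bot: The `Install molly-guard` task at L255-261 has no `cache_valid_time`, unlike `Install etckeeper` directly above it and the other apt tasks in this role, so on a host with stale apt lists it can fail where its siblings would refresh first; add `cache_valid_time: 3600`. The hunk ends on `name: molly-guard`, so a later key in the same task would not be visible here.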
|
||||
|
|
|
@ -0,0 +1,26 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIEaTCCA1GgAwIBAgILBAAAAAABRE7wQkcwDQYJKoZIhvcNAQELBQAwVzELMAkG
|
||||
A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv
|
||||
b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw0xNDAyMjAxMDAw
|
||||
MDBaFw0yNDAyMjAxMDAwMDBaMGYxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i
|
||||
YWxTaWduIG52LXNhMTwwOgYDVQQDEzNHbG9iYWxTaWduIE9yZ2FuaXphdGlvbiBW
|
||||
YWxpZGF0aW9uIENBIC0gU0hBMjU2IC0gRzIwggEiMA0GCSqGSIb3DQEBAQUAA4IB
|
||||
DwAwggEKAoIBAQDHDmw/I5N/zHClnSDDDlM/fsBOwphJykfVI+8DNIV0yKMCLkZc
|
||||
C33JiJ1Pi/D4nGyMVTXbv/Kz6vvjVudKRtkTIso21ZvBqOOWQ5PyDLzm+ebomchj
|
||||
SHh/VzZpGhkdWtHUfcKc1H/hgBKueuqI6lfYygoKOhJJomIZeg0k9zfrtHOSewUj
|
||||
mxK1zusp36QUArkBpdSmnENkiN74fv7j9R7l/tyjqORmMdlMJekYuYlZCa7pnRxt
|
||||
Nw9KHjUgKOKv1CGLAcRFrW4rY6uSa2EKTSDtc7p8zv4WtdufgPDWi2zZCHlKT3hl
|
||||
2pK8vjX5s8T5J4BO/5ZS5gIg4Qdz6V0rvbLxAgMBAAGjggElMIIBITAOBgNVHQ8B
|
||||
Af8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUlt5h8b0cFilT
|
||||
HMDMfTuDAEDmGnwwRwYDVR0gBEAwPjA8BgRVHSAAMDQwMgYIKwYBBQUHAgEWJmh0
|
||||
dHBzOi8vd3d3Lmdsb2JhbHNpZ24uY29tL3JlcG9zaXRvcnkvMDMGA1UdHwQsMCow
|
||||
KKAmoCSGImh0dHA6Ly9jcmwuZ2xvYmFsc2lnbi5uZXQvcm9vdC5jcmwwPQYIKwYB
|
||||
BQUHAQEEMTAvMC0GCCsGAQUFBzABhiFodHRwOi8vb2NzcC5nbG9iYWxzaWduLmNv
|
||||
bS9yb290cjEwHwYDVR0jBBgwFoAUYHtmGkUNl8qJUC99BM00qP/8/UswDQYJKoZI
|
||||
hvcNAQELBQADggEBAEYq7l69rgFgNzERhnF0tkZJyBAW/i9iIxerH4f4gu3K3w4s
|
||||
32R1juUYcqeMOovJrKV3UPfvnqTgoI8UV6MqX+x+bRDmuo2wCId2Dkyy2VG7EQLy
|
||||
XN0cvfNVlg/UBsD84iOKJHDTu/B5GqdhcIOKrwbFINihY9Bsrk8y1658GEV1BSl3
|
||||
30JAZGSGvip2CTFvHST0mdCF/vIhCPnG9vHQWe3WVjwIKANnuvD58ZAWR65n5ryA
|
||||
SOlCdjSXVWkkDoPWoC209fN5ikkodBpBocLTJIg1MGCUF7ThBCIxPTsvFwayuJ2G
|
||||
K1pp74P1S8SqtCr4fKGxhZSM9AyHDPSsQPhZSZg=
|
||||
-----END CERTIFICATE-----
|
|
@ -0,0 +1,18 @@
|
|||
#!/bin/sh
|
||||
if test -z "$1"; then
|
||||
echo >&2 'usage: become_club clubaccount'
|
||||
echo >&2 ' become_club -l'
|
||||
exit 2
|
||||
fi
|
||||
if test "$(whoami)" = "$1"; then
|
||||
echo >&2 you are already $1
|
||||
exit 1
|
||||
fi
|
||||
if test -z "$SHELL"; then
|
||||
export SHELL=/bin/bash
|
||||
fi
|
||||
if test "$1" = -l; then
|
||||
sudo -l
|
||||
else
|
||||
exec sudo -H -s -u "$1"
|
||||
fi
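Review bot: `echo >&2 you are already $1` at L372 leaves `$1` unquoted, so an argument containing whitespace or glob characters is word-split and expanded before printing; write `echo >&2 "you are already $1"`. The `-l` branch at L390 is only reached after the `whoami` comparison, which is harmless but reads more clearly if the option check comes first. Note that the script itself does not restrict which accounts can be targeted — that is left entirely to sudoers (presumably the LDAP-served rules in the sssd configuration) — and `sudo -s` runs whatever `$SHELL` the caller exports, so the sudo rules have to permit that shell; a one-line header comment stating this would save the next reader a trip through the sssd config.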
|
|
@ -0,0 +1 @@
|
|||
sysadmin/admin@CSCLUB.UWATERLOO.CA
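Review bot: This file becomes `/root/.k5login` on every host the role runs on, i.e. it grants the `sysadmin/admin` principal root login via GSSAPI wherever sshd accepts it; the copy task that installs it sets no `owner`, `group` or `mode`, and MIT krb5 rejects a .k5login that is not owned by root or the account itself, so the task should pin `owner: root`, `group: root`, `mode: '0600'`. A short comment in the task naming the principal's purpose would also help, since the file itself cannot carry one.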
|
|
@ -0,0 +1,67 @@
|
|||
[libdefaults]
|
||||
default_realm = CSCLUB.UWATERLOO.CA
|
||||
forwardable = true
|
||||
proxiable = true
|
||||
dns_lookup_kdc = false
|
||||
dns_lookup_realm = false
|
||||
allow_weak_crypto = true
|
||||
|
||||
[realms]
|
||||
CSCLUB.UWATERLOO.CA = {
|
||||
kdc = kdc1.csclub.uwaterloo.ca
|
||||
kdc = kdc2.csclub.uwaterloo.ca
|
||||
admin_server = kadmin.csclub.uwaterloo.ca
|
||||
}
|
||||
|
||||
STUDENT.CS.UWATERLOO.CA = {
|
||||
kdc = eponina.student.cs.uwaterloo.ca:88
|
||||
kdc = canadenis.student.cs.uwaterloo.ca:88
|
||||
admin_server = canadenis.student.cs.uwaterloo.ca:464
|
||||
}
|
||||
|
||||
CS.UWATERLOO.CA = {
|
||||
kdc = intacta.cs.uwaterloo.ca:88
|
||||
kdc = serverus.cs.uwaterloo.ca:88
|
||||
admin_server = intacta.cs.uwaterloo.ca:464
|
||||
}
|
||||
|
||||
ADS.UWATERLOO.CA = {
|
||||
kdc = ads.uwaterloo.ca:88
|
||||
admin_server = ads.uwaterloo.ca:464
|
||||
default_domain = ads.uwaterloo.ca
|
||||
}
|
||||
|
||||
NEXUS.UWATERLOO.CA = {
|
||||
kdc = nexus.uwaterloo.ca:88
|
||||
kdc = nexus.uwaterloo.ca
|
||||
admin_server = nexus.uwaterloo.ca:464
|
||||
}
|
||||
|
||||
[domain_realm]
|
||||
.uwaterloo.ca = ADS.UWATERLOO.CA
|
||||
uwaterloo.ca = ADS.UWATERLOO.CA
|
||||
.csclub.uwaterloo.ca = CSCLUB.UWATERLOO.CA
|
||||
csclub.uwaterloo.ca = CSCLUB.UWATERLOO.CA
|
||||
.nexus.uwaterloo.ca = NEXUS.UWATERLOO.CA
|
||||
nexus.uwaterloo.ca = NEXUS.UWATERLOO.CA
|
||||
.cs.uwaterloo.ca = CS.UWATERLOO.CA
|
||||
cs.uwaterloo.ca = CS.UWATERLOO.CA
|
||||
.student.cs.uwaterloo.ca = STUDENT.CS.UWATERLOO.CA
|
||||
student.cs.uwaterloo.ca = STUDENT.CS.UWATERLOO.CA
|
||||
|
||||
[logging]
|
||||
kdc = FILE:/var/log/krb5kdc.log
|
||||
admin_server = FILE:/var/log/kadmin.log
|
||||
default = FILE:/var/log/krb5.log
|
||||
|
||||
|
||||
#[dbmodules]
|
||||
# openldap_ldapconf = {
|
||||
# db_library = kldap
|
||||
# ldap_kerberos_container_dn = "cn=kerberos,dc=csclub,dc=uwaterloo,dc=ca"
|
||||
# ldap_kdc_dn = "cn=kerberos-kdc,dc=csclub,dc=uwaterloo,dc=ca"
|
||||
# ldap_kadmind_dn = "cn=kerberos-admin,dc=csclub,dc=uwaterloo,dc=ca"
|
||||
# ldap_service_password_file = /etc/krb5kdc/service.keyfile
|
||||
# ldap_servers = ldapi:///
|
||||
# }
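Review bot: `allow_weak_crypto = true` at L432 lets the client accept single-DES and the other deprecated enctypes that MIT krb5 disables by default, so any KDC or service in these realms that still offers them — or anyone who can influence the negotiation — ends up with a session key that is cheap to brute-force; set it to `allow_weak_crypto = false` (or delete the line) unless one of the listed realms provably still issues only DES keys, and in that case scope the exception via `permitted_enctypes` in that realm rather than globally. `forwardable = true` and `proxiable = true` at L420-423 make every TGT delegatable by default, which is convenient for the multi-realm setup but means a compromised intermediate host can reuse a user's TGT; if this is intentional, say so in a comment such as `# forwardable by default so tickets follow users across club hosts`. The NEXUS realm lists `nexus.uwaterloo.ca:88` and `nexus.uwaterloo.ca` (L511-514), which are the same KDC twice, and the `[logging]` keys are only read by the KDC and kadmind daemons, not by clients, so they can be dropped from a client-side krb5.conf.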
|
||||
|
|
@ -0,0 +1,16 @@
|
|||
# $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.9 2000/09/04 19:57:01 kurt Exp $
|
||||
#
|
||||
# LDAP Defaults
|
||||
#
|
||||
|
||||
# See ldap.conf(5) for details
|
||||
# This file should be world readable but not world writable.
|
||||
|
||||
BASE dc=csclub, dc=uwaterloo, dc=ca
|
||||
URI ldap://ldap1.csclub.uwaterloo.ca ldap://ldap2.csclub.uwaterloo.ca
|
||||
|
||||
SIZELIMIT 0
|
||||
|
||||
TLS_CACERT /etc/ssl/certs/GlobalSign_Intermediate_Root_SHA256_G2.pem
|
||||
TLS_CACERTFILE /etc/ssl/certs/GlobalSign_Intermediate_Root_SHA256_G2.pem
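Review bot: `URI` at L633 uses plain `ldap://` and there is no `TLS_REQCERT` line, so the ldap-utils this role installs talk to the directory in cleartext unless the caller remembers `-ZZ`, while sssd.conf on the same hosts uses `ldaps://` with `ldap_tls_reqcert = demand`; use `URI ldaps://ldap1.csclub.uwaterloo.ca ldaps://ldap2.csclub.uwaterloo.ca` and add `TLS_REQCERT demand` so the two agree. `TLS_CACERTFILE` at L646 is not a keyword documented in ldap.conf(5) — `TLS_CACERT` on the previous line is — so it is presumably ignored and can be removed. The comment at L625 about the file being world-readable but not writable is a requirement the copy task should enforce with an explicit mode rather than leave to the remote umask.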
|
||||
|
|
@ -0,0 +1,28 @@
|
|||
[sssd]
|
||||
config_file_version = 2
|
||||
services = nss, pam, sudo
|
||||
domains = csclub.uwaterloo.ca
|
||||
|
||||
[domain/csclub.uwaterloo.ca]
|
||||
cache_credentials = true
|
||||
enumerate = true
|
||||
|
||||
id_provider = ldap
|
||||
auth_provider = krb5
|
||||
sudo_provider = ldap
|
||||
entry_cache_timeout = 600
|
||||
|
||||
ldap_uri = ldaps://ldap1.csclub.uwaterloo.ca,ldaps://ldap2.csclub.uwaterloo.ca
|
||||
ldap_tls_cacert = /etc/ssl/certs/GlobalSign_Intermediate_Root_SHA256_G2.pem
|
||||
ldap_tls_reqcert = demand
|
||||
ldap_search_base = dc=csclub,dc=uwaterloo,dc=ca
|
||||
ldap_schema = rfc2307bis
|
||||
ldap_group_member = uniqueMember
|
||||
|
||||
ldap_user_search_base = ou=People,dc=csclub,dc=uwaterloo,dc=ca
|
||||
ldap_group_search_base = ou=Group,dc=csclub,dc=uwaterloo,dc=ca
|
||||
ldap_sudo_search_base = ou=SUDOers,dc=csclub,dc=uwaterloo,dc=ca
|
||||
|
||||
krb5_realm = CSCLUB.UWATERLOO.CA
|
||||
krb5_server = kdc1.csclub.uwaterloo.ca,kdc2.csclub.uwaterloo.ca
|
||||
krb5_kpasswd = kadmin.csclub.uwaterloo.ca
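Review bot: `enumerate = true` at L674 makes sssd periodically pull the entire user and group tree from LDAP so that `getent passwd` lists everyone; the sssd.conf manual discourages it beyond small directories because of the load it puts on both sides, and it is not needed for login or sudo, so drop it unless something on these hosts relies on full enumeration and document that with a comment. The trust anchor at L696 is a single GlobalSign intermediate CA; decoding the validity field of the embedded certificate suggests it expires in February 2024, and with `ldap_tls_reqcert = demand` every host will lose LDAPS — and with it NSS, PAM and sudo — when it expires or when the LDAP servers are re-issued from a different intermediate, so consider pointing `ldap_tls_cacert` at the system CA bundle (`/etc/ssl/certs/ca-certificates.crt`) or at least recording the expiry next to the setting.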
|
|
@ -0,0 +1,13 @@
|
|||
---
|
||||
|
||||
- name: Start sssd
|
||||
service:
|
||||
name: sssd
|
||||
state: started
|
||||
enabled: true
|
||||
|
||||
- name: Restart sssd
|
||||
service:
|
||||
name: sssd
|
||||
state: restarted
|
||||
enabled: true
|
|
@ -0,0 +1,81 @@
|
|||
---
|
||||
|
||||
- name: Install sssd
|
||||
apt:
|
||||
name: sssd
|
||||
cache_valid_time: 3600
|
||||
notify:
|
||||
- Start sssd
|
||||
|
||||
- name: Remove unecessary authentication packages
|
||||
apt:
|
||||
name: '{{ item }}'
|
||||
state: absent
|
||||
with_items:
|
||||
- libpam-ldapd
|
||||
- libpam-ldap
|
||||
- nscd
|
||||
- nslcd
|
||||
|
||||
- name: Install authentication packages
|
||||
apt:
|
||||
name: '{{ item }}'
|
||||
cache_valid_time: 3600
|
||||
with_items:
|
||||
- sssd-tools
|
||||
- krb5-user
|
||||
- ldap-utils
|
||||
- kstart
|
||||
- sudo
|
||||
- libpam-csc
|
||||
|
||||
- name: Configure sssd
|
||||
copy:
|
||||
src: sssd.conf
|
||||
dest: /etc/sssd/sssd.conf
|
||||
mode: 0600
|
||||
owner: root
|
||||
group: root
|
||||
notify:
|
||||
- Restart sssd
|
||||
|
||||
- name: Configure PAM (syscom)
|
||||
when: '"syscom" in group_names'
|
||||
blockinfile:
|
||||
dest: /etc/pam.d/common-account
|
||||
block: |
|
||||
# only allow system accounts and members of the systems committee
|
||||
account [success=2 default=ignore] pam_succeed_if.so quiet uid < 10000
|
||||
account [success=1 default=ignore] pam_succeed_if.so quiet user ingroup syscom
|
||||
account required pam_deny.so
|
||||
|
||||
- name: Configure PAM (general)
|
||||
when: '"syscom" not in group_names'
|
||||
blockinfile:
|
||||
dest: /etc/pam.d/common-account
|
||||
block: |
|
||||
# Allow system accounts and members of the systems committee,
|
||||
# otherwise only allow current CSC members.
|
||||
account [success=2 default=ignore] pam_succeed_if.so quiet uid < 10000
|
||||
account [success=1 default=ignore] pam_succeed_if.so quiet user ingroup syscom
|
||||
account required pam_csc.so
|
||||
|
||||
- name: Copy authentication configuration
|
||||
copy:
|
||||
src: '{{ item.src }}'
|
||||
dest: '{{ item.dest }}'
|
||||
with_items:
|
||||
- src: krb5.conf
|
||||
dest: /etc/krb5.conf
|
||||
- src: ldap.conf
|
||||
dest: /etc/ldap/ldap.conf
|
||||
- src: k5login
|
||||
dest: /root/.k5login
|
||||
- src: GlobalSign_Intermediate_Root_SHA256_G2.pem
|
||||
dest: /etc/ssl/certs/GlobalSign_Intermediate_Root_SHA256_G2
|
||||
|
||||
- name: Copy user scripts
|
||||
copy:
|
||||
src: become_club
|
||||
dest: /usr/local/bin/become_club
|
||||
mode: 0755
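Review bot: The CA certificate is installed at L991 as `/etc/ssl/certs/GlobalSign_Intermediate_Root_SHA256_G2` (no extension) while sssd.conf (L696) and ldap.conf (L643) reference `…_G2.pem`; with `ldap_tls_reqcert = demand` sssd refuses the LDAPS connection when the cacert file is missing, so on a fresh host users, groups and sudo rules would not resolve at all. Change it to `dest: /etc/ssl/certs/GlobalSign_Intermediate_Root_SHA256_G2.pem` unless something outside this commit creates the .pem. The same copy loop sets no `owner`/`group`/`mode`, so `/root/.k5login` — which grants root via GSSAPI to `sysadmin/admin` — gets whatever the remote umask yields, and MIT krb5 rejects a .k5login not owned by root or the account; pin `owner: root`, `group: root` and `mode: '0644'` for the config files and `mode: '0600'` for `.k5login`, as the `Configure sssd` task at L877-883 already does for its file. Quoting the octal modes (`'0755'`, `'0600'`) also avoids the YAML integer trap the project's other tasks may hit on newer parsers.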
|
|
@ -0,0 +1,11 @@
|
|||
---
|
||||
|
||||
- name: Install ceo client
|
||||
apt:
|
||||
name: ceo-python
|
||||
cache_valid_time: 3600
|
||||
|
||||
- name: Install library
|
||||
apt:
|
||||
name: library
|
||||
cache_valid_time: 3600
|