add files to build cobalamin and fix ipv6 in office terms

6 years ago · 79efa07285
parent 7174bb3bc6
commit 79efa07285
12 changed files with 56 additions and 18 deletions
--- a/install-office-terminal.yml
+++ b/install-office-terminal.yml
@ -14,4 +14,5 @@
      - general-use
      - general-use-gui
      - audio-client
+      - ipv6-disable-ra-privacy
      - cleanup
--- a/install-syscom.yml
+++ b/install-syscom.yml
@ -0,0 +1,13 @@
+---
+  - hosts: cobalamin.csclub.uwaterloo.ca
+    become: yes
+    become_method: sudo
+    roles:
+      - common
+      - core
+      - hardware
+      - generate-hosts
+      - auth
+      - csc-packages
+      - nfs
+      - cleanup
--- a/roles/auth/tasks/main.yml
+++ b/roles/auth/tasks/main.yml
@ -35,7 +35,7 @@
  file: path=/etc/sssd/sssd.conf owner=root group=root mode=0600

 - name: configure PAM for syscom machine
-  when: syscom
+  when: "'syscom' in group_names"
  blockinfile:
    dest: /etc/pam.d/common-account
    block: |
@ -45,7 +45,7 @@
        account required        pam_deny.so

 - name: configure PAM for regular machine
-  when: not syscom
+  when: "'syscom' not in group_names"
  blockinfile:
    dest: /etc/pam.d/common-account
    block: |
--- a/roles/auth/vars/main.yml
+++ b/roles/auth/vars/main.yml
@ -1,2 +0,0 @@
---
-syscom: False
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@ -15,16 +15,4 @@
 - name: Update apt and packages (if just installed unlikely)
  package: update_cache=yes upgrade=safe

- name: ensure directories exist
-  file: path={{ item }} state=directory
-  with_items:
-    - /etc/opt/chrome/policies/managed/
-    - /etc/firefox
-
- name: copy chrome managed policy
-  copy: src={{ item.src }} dest={{ item.dest }} backup=no
-  with_items:
-    - { src: 'files/web-kerberos/chrome.json', dest: '/etc/opt/chrome/policies/managed/csc-kerberos.json' }
-    - { src: 'files/web-kerberos/firefox.js', dest: '/etc/firefox/syspref.js' }
-
 - include: etckeeper.yml
--- a/roles/core/tasks/main.yml
+++ b/roles/core/tasks/main.yml
@ -13,7 +13,6 @@
        - rc
        - bash-doc
        - bash-completion
-        - bashdb

 -   name: Install Editors
    apt: name={{ item }} state=latest
--- a/roles/devel/tasks/main.yml
+++ b/roles/devel/tasks/main.yml
@ -58,6 +58,7 @@
        - elfutils
        - valgrind
        - libc6-dbg
+        - bashdb

 -   name: Install interpreters
    apt: name={{ item }} state=latest
--- a/roles/general-use-gui/tasks/main.yml
+++ b/roles/general-use-gui/tasks/main.yml
@ -27,6 +27,18 @@
        - midori
        - flashplugin-installer

+- name: ensure directories exist
+  file: path={{ item }} state=directory
+  with_items:
+    - /etc/opt/chrome/policies/managed/
+    - /etc/firefox
+
+- name: copy chrome managed policy
+  copy: src={{ item.src }} dest={{ item.dest }} backup=no
+  with_items:
+    - { src: 'web-kerberos/chrome.json', dest: '/etc/opt/chrome/policies/managed/csc-kerberos.json' }
+    - { src: 'web-kerberos/firefox.js', dest: '/etc/firefox/syspref.js' }
+
 -   name: Install Mail Clients
    apt: name={{ item }} state=latest
    with_items:
--- a/roles/ipv6-disable-ra-privacy/files/10-ipv6-privacy.conf
+++ b/roles/ipv6-disable-ra-privacy/files/10-ipv6-privacy.conf
@ -0,0 +1,12 @@
+# IPv6 Privacy Extensions (RFC 4941)
+# ---
+# IPv6 typically uses a device's MAC address when choosing an IPv6 address
+# to use in autoconfiguration. Privacy extensions allow using a randomly
+# generated IPv6 address, which increases privacy.
+#
+# Acceptable values:
+#    0 - don’t use privacy extensions.
+#    1 - generate privacy addresses
+#    2 - prefer privacy addresses and use them over the normal addresses.
+net.ipv6.conf.all.use_tempaddr = 0
+net.ipv6.conf.default.use_tempaddr = 0
--- a/roles/ipv6-disable-ra-privacy/tasks/main.yml
+++ b/roles/ipv6-disable-ra-privacy/tasks/main.yml
@ -0,0 +1,9 @@
+- name: copy over ipv6 kernel configs
+  copy: src={{ item.src }} dest={{ item.dest }}
+  with_items:
+      - { src: '10-ipv6-privacy.conf', dest: '/etc/sysctl.d/10-ipv6-privacy.conf' }
+
+- name: Template disable ra
+  template: src={{ item.src }} dest={{ item.dest }}
+  with_items:
+    - { src: '10-ipv6-disable-ra.conf', dest: '/etc/sysctl.d/10-ipv6-disable-ra.conf' }
--- a/roles/ipv6-disable-ra-privacy/templates/10-ipv6-disable-ra.conf
+++ b/roles/ipv6-disable-ra-privacy/templates/10-ipv6-disable-ra.conf
@ -0,0 +1,5 @@
+net.ipv6.conf.all.accept_ra = 0
+net.ipv6.conf.default.accept_ra = 0
+{% for interface in ansible_interfaces %}
+net.ipv6.conf.{{ interface }}.accept_ra = 0
+{% endfor %}
--- a/roles/nfs/tasks/main.yml
+++ b/roles/nfs/tasks/main.yml
@ -21,7 +21,7 @@
    - /scratch

 - name: Add fstab entry for users
-  mount: src="aspartame:/users" name=/users fstype=nfs opts="bg,vers=3,sec=krb5,nosuid,nodev" dump=0 passno=0 state=mounted
+  mount: src="aspartame:/users" name=/users fstype=nfs opts="bg,vers=3,sec=krb5p,nosuid,nodev" dump=0 passno=0 state=mounted

 - name: Add fstab entry for music
  mount: src="aspartame:/music" name=/music fstype=nfs opts="bg,vers=3,sec=sys,nolock,noatime,nosuid,nodev" dump=0 passno=0 state=mounted