From 79efa07285293f40a9ad11a92e473c07fc1066b8 Mon Sep 17 00:00:00 2001
From: Jordan Pryde
Date: Fri, 22 Jul 2016 15:48:06 -0400
Subject: [PATCH] add files to build cobalamin and fix ipv6 in office terms
---
 install-office-terminal.yml | 1 +
 install-syscom.yml | 13 +++++++++++++
 roles/auth/tasks/main.yml | 4 ++--
 roles/auth/vars/main.yml | 2 --
 roles/common/tasks/main.yml | 12 ------------
 roles/core/tasks/main.yml | 1 -
 roles/devel/tasks/main.yml | 1 +
 roles/general-use-gui/tasks/main.yml | 12 ++++++++++++
 .../files/10-ipv6-privacy.conf | 12 ++++++++++++
 roles/ipv6-disable-ra-privacy/tasks/main.yml | 9 +++++++++
 .../templates/10-ipv6-disable-ra.conf | 5 +++++
 roles/nfs/tasks/main.yml | 2 +-
 12 files changed, 56 insertions(+), 18 deletions(-)
 create mode 100644 install-syscom.yml
 delete mode 100644 roles/auth/vars/main.yml
 create mode 100644 roles/ipv6-disable-ra-privacy/files/10-ipv6-privacy.conf
 create mode 100644 roles/ipv6-disable-ra-privacy/tasks/main.yml
 create mode 100644 roles/ipv6-disable-ra-privacy/templates/10-ipv6-disable-ra.conf
diff --git a/install-office-terminal.yml b/install-office-terminal.yml
index 5cf15e9..2c9dad1 100644
--- a/install-office-terminal.yml
+++ b/install-office-terminal.yml
@@ -14,4 +14,5 @@
 - general-use
 - general-use-gui
 - audio-client
+ - ipv6-disable-ra-privacy
 - cleanup
diff --git a/install-syscom.yml b/install-syscom.yml
new file mode 100644
index 0000000..9ea1e94
--- /dev/null
+++ b/install-syscom.yml
@@ -0,0 +1,13 @@
+---
+ - hosts: cobalamin.csclub.uwaterloo.ca
+ become: yes
+ become_method: sudo
+ roles:
+ - common
+ - core
+ - hardware
+ - generate-hosts
+ - auth
+ - csc-packages
+ - nfs
+ - cleanup
diff --git a/roles/auth/tasks/main.yml b/roles/auth/tasks/main.yml
index 7a90f75..a434ada 100644
--- a/roles/auth/tasks/main.yml
+++ b/roles/auth/tasks/main.yml
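Review bot: Nothing in the new install-syscom.yml guarantees that cobalamin is in a `syscom` inventory group, yet the auth role in this same commit now chooses between the syscom and the regular PAM block with `'syscom' in group_names` (both `when:` hunks in roles/auth/tasks/main.yml). The play selects the machine with `hosts: cobalamin.csclub.uwaterloo.ca`, so if the inventory, which is not part of this patch, lacks that group membership, the regular-machine block is written to /etc/pam.d/common-account without any error. Targeting the group with `- hosts: syscom`, or adding `# host must be in the 'syscom' inventory group, see roles/auth` above the `roles:` list, would make the dependency explicit. `become: yes` would also read better as `become: true`.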
@@ -35,7 +35,7 @@
 file: path=/etc/sssd/sssd.conf owner=root group=root mode=0600
 - name: configure PAM for syscom machine
- when: syscom
+ when: "'syscom' in group_names"
 blockinfile:
 dest: /etc/pam.d/common-account
 block: |
@@ -45,7 +45,7 @@
 account required pam_deny.so
 - name: configure PAM for regular machine
- when: not syscom
+ when: "'syscom' not in group_names"
 blockinfile:
 dest: /etc/pam.d/common-account
 block: |
diff --git a/roles/auth/vars/main.yml b/roles/auth/vars/main.yml
deleted file mode 100644
index 9d829ac..0000000
--- a/roles/auth/vars/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-syscom: False
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 2c07dda..a683288 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -15,16 +15,4 @@
 - name: Update apt and packages (if just installed unlikely)
 package: update_cache=yes upgrade=safe
-- name: ensure directories exist
- file: path={{ item }} state=directory
- with_items:
- - /etc/opt/chrome/policies/managed/
- - /etc/firefox
-
-- name: copy chrome managed policy
- copy: src={{ item.src }} dest={{ item.dest }} backup=no
- with_items:
- - { src: 'files/web-kerberos/chrome.json', dest: '/etc/opt/chrome/policies/managed/csc-kerberos.json' }
- - { src: 'files/web-kerberos/firefox.js', dest: '/etc/firefox/syspref.js' }
-
 - include: etckeeper.yml
diff --git a/roles/core/tasks/main.yml b/roles/core/tasks/main.yml
index 305dd6b..97d1ab9 100644
--- a/roles/core/tasks/main.yml
+++ b/roles/core/tasks/main.yml
@@ -13,7 +13,6 @@
 - rc
 - bash-doc
 - bash-completion
- - bashdb
 - name: Install Editors
 apt: name={{ item }} state=latest
diff --git a/roles/devel/tasks/main.yml b/roles/devel/tasks/main.yml
index 0c436c4..3caa4b1 100644
--- a/roles/devel/tasks/main.yml
+++ b/roles/devel/tasks/main.yml
@@ -58,6 +58,7 @@
 - elfutils
 - valgrind
 - libc6-dbg
+ - bashdb
 - name: Install interpreters
 apt: name={{ item }} state=latest
diff --git a/roles/general-use-gui/tasks/main.yml b/roles/general-use-gui/tasks/main.yml
index 481a7d7..23fcf3e 100644
--- a/roles/general-use-gui/tasks/main.yml
+++ b/roles/general-use-gui/tasks/main.yml
@@ -27,6 +27,18 @@
 - midori
 - flashplugin-installer
+- name: ensure directories exist
+ file: path={{ item }} state=directory
+ with_items:
+ - /etc/opt/chrome/policies/managed/
+ - /etc/firefox
+
+- name: copy chrome managed policy
+ copy: src={{ item.src }} dest={{ item.dest }} backup=no
+ with_items:
+ - { src: 'web-kerberos/chrome.json', dest: '/etc/opt/chrome/policies/managed/csc-kerberos.json' }
+ - { src: 'web-kerberos/firefox.js', dest: '/etc/firefox/syspref.js' }
+
 - name: Install Mail Clients
 apt: name={{ item }} state=latest
 with_items:
diff --git a/roles/ipv6-disable-ra-privacy/files/10-ipv6-privacy.conf b/roles/ipv6-disable-ra-privacy/files/10-ipv6-privacy.conf
new file mode 100644
index 0000000..b3b9822
--- /dev/null
+++ b/roles/ipv6-disable-ra-privacy/files/10-ipv6-privacy.conf
@@ -0,0 +1,12 @@
+# IPv6 Privacy Extensions (RFC 4941)
+# ---
+# IPv6 typically uses a device's MAC address when choosing an IPv6 address
+# to use in autoconfiguration. Privacy extensions allow using a randomly
+# generated IPv6 address, which increases privacy.
+#
+# Acceptable values:
+# 0 - don’t use privacy extensions.
+# 1 - generate privacy addresses
+# 2 - prefer privacy addresses and use them over the normal addresses.
+net.ipv6.conf.all.use_tempaddr = 0
+net.ipv6.conf.default.use_tempaddr = 0
diff --git a/roles/ipv6-disable-ra-privacy/tasks/main.yml b/roles/ipv6-disable-ra-privacy/tasks/main.yml
new file mode 100644
index 0000000..265fae5
--- /dev/null
+++ b/roles/ipv6-disable-ra-privacy/tasks/main.yml
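Review bot: The two tasks added to roles/general-use-gui/tasks/main.yml create the policy directories and copy the browser policy files without stating owner, group or mode, so a directory or file that already exists on the host keeps whatever permissions it has. Judging by the `web-kerberos` source path these files steer how the browsers handle Kerberos, so they should be pinned to root and not writable by others: `file: path={{ item }} state=directory owner=root group=root mode=0755` and `copy: src={{ item.src }} dest={{ item.dest }} owner=root group=root mode=0644 backup=no`. The task name `copy chrome managed policy` also covers the Firefox preferences file and could say so.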
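Review bot: The header comment of the new 10-ipv6-privacy.conf still explains that privacy extensions increase privacy, yet both `use_tempaddr` keys are set to 0 with no word on why temporary addresses are turned off for these hosts. A line such as `# disabled on purpose: <reason>` above the two settings (the reason is not visible in the patch) would keep a later reader from reverting them. The file name also looks like one that some distributions already install under /etc/sysctl.d; if that is the case here, a package upgrade may prompt about or replace the local copy, and a separately named, later-sorting drop-in would avoid that.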
@@ -0,0 +1,9 @@
+- name: copy over ipv6 kernel configs
+ copy: src={{ item.src }} dest={{ item.dest }}
+ with_items:
+ - { src: '10-ipv6-privacy.conf', dest: '/etc/sysctl.d/10-ipv6-privacy.conf' }
+
+- name: Template disable ra
+ template: src={{ item.src }} dest={{ item.dest }}
+ with_items:
+ - { src: '10-ipv6-disable-ra.conf', dest: '/etc/sysctl.d/10-ipv6-disable-ra.conf' }
\ No newline at end of file
diff --git a/roles/ipv6-disable-ra-privacy/templates/10-ipv6-disable-ra.conf b/roles/ipv6-disable-ra-privacy/templates/10-ipv6-disable-ra.conf
new file mode 100644
index 0000000..7722d43
--- /dev/null
+++ b/roles/ipv6-disable-ra-privacy/templates/10-ipv6-disable-ra.conf
@@ -0,0 +1,5 @@
+net.ipv6.conf.all.accept_ra = 0
+net.ipv6.conf.default.accept_ra = 0
+{% for interface in ansible_interfaces %}
+net.ipv6.conf.{{ interface }}.accept_ra = 0
+{% endfor %}
diff --git a/roles/nfs/tasks/main.yml b/roles/nfs/tasks/main.yml
index e8b0165..8a35c83 100644
--- a/roles/nfs/tasks/main.yml
+++ b/roles/nfs/tasks/main.yml
@@ -21,7 +21,7 @@
 - /scratch
 - name: Add fstab entry for users
- mount: src="aspartame:/users" name=/users fstype=nfs opts="bg,vers=3,sec=krb5,nosuid,nodev" dump=0 passno=0 state=mounted
+ mount: src="aspartame:/users" name=/users fstype=nfs opts="bg,vers=3,sec=krb5p,nosuid,nodev" dump=0 passno=0 state=mounted
 - name: Add fstab entry for music
 mount: src="aspartame:/music" name=/music fstype=nfs opts="bg,vers=3,sec=sys,nolock,noatime,nosuid,nodev" dump=0 passno=0 state=mounted
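Review bot: Both tasks in the new roles/ipv6-disable-ra-privacy/tasks/main.yml only write files into /etc/sysctl.d and nothing in the role loads them, so a running host keeps accepting router advertisements until the next reboot or until sysctl is re-run by hand. Adding `notify: reload sysctl` to the two tasks, with a handler that runs `command: sysctl --system`, would apply the settings in the same play. The destination files could also state `owner=root group=root mode=0644`, and the file is missing its final newline, as the patch itself notes.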
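Review bot: The `{% for interface in ansible_interfaces %}` loop in 10-ipv6-disable-ra.conf writes each interface name straight into a dotted sysctl key, which gives a wrong key for any interface whose name contains a dot, for example a VLAN sub-interface, if one of these hosts has one. The slash form `net/ipv6/conf/{{ interface }}/accept_ra = 0` avoids that. The list is also a snapshot of the facts gathered when the play runs, so an interface that appears later is covered only by the `default` entry; a one-line comment at the top of the template saying so would help the next reader.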
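Review bot: Moving /users from `sec=krb5` to `sec=krb5p` in roles/nfs/tasks/main.yml is a security-relevant change that the commit subject does not mention, and it only works if the export on aspartame, which is not visible here, also permits krb5p. Hosts that already have /users mounted may need an unmount and a fresh mount before the new flavour takes effect, which is worth checking on one machine first. A comment above the task, `# krb5p: integrity and encryption for home directories; the export must allow krb5p`, would record the intent. The context line for /music still uses `sec=sys`, which this hunk leaves as it was.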