
---
# Install the sssd daemon itself. The "Start sssd" handler (presumably in the
# role's handlers/) is notified so the service is brought up after a fresh
# install; configuration is laid down by a later task.
- name: Install sssd
  apt:
    name: sssd
    state: present
    # refresh the apt cache only if it is older than an hour
    cache_valid_time: 3600
  notify:
    - Start sssd
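# Remove the older LDAP NSS/PAM stack (pam_ldap, pam_ldapd/nslcd) and nscd,
# which would otherwise compete with sssd for user/group lookups and caching.
# Plain removal rather than purge, so any leftover configuration stays on disk.
# One apt call with a list instead of a with_items loop: newer Ansible no
# longer squashes package loops, so the loop form runs apt once per package.
- name: Remove unnecessary authentication packages
  apt:
    name:
      - libpam-ldapd
      - libpam-ldap
      - nscd
      - nslcd
    state: absent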
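# Client-side tooling for the Kerberos/LDAP/sssd setup:
#   sssd-tools  - sssctl / sss_cache for debugging and cache invalidation
#   krb5-user   - kinit/klist/kdestroy
#   ldap-utils  - ldapsearch & co. for troubleshooting the directory
#   kstart      - k5start/krenew for keytab-backed long-running tickets
#   sudo
#   libpam-csc  - site-specific PAM module; presumably provides the pam_csc.so
#                 referenced by the PAM configuration below (not a Debian
#                 package, so it must come from a repository configured
#                 elsewhere)
# Installed in one apt transaction rather than a with_items loop (newer
# Ansible runs the loop form once per package).
- name: Install authentication packages
  apt:
    name:
      - sssd-tools
      - krb5-user
      - ldap-utils
      - kstart
      - sudo
      - libpam-csc
    state: present
    cache_valid_time: 3600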
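# sssd.conf carries the directory/Kerberos client settings and can contain
# secrets (e.g. an LDAP bind password). sssd insists on the file being
# 0600 and owned by root and refuses to start otherwise, so ownership and mode
# are pinned explicitly. The mode is quoted: an unquoted 0600 is parsed as an
# octal integer by the YAML loader (ansible-lint flags it as risky-octal).
- name: Configure sssd
  copy:
    src: sssd.conf
    dest: /etc/sssd/sssd.conf
    owner: root
    group: root
    mode: '0600'
  notify:
    - Restart sssd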
# Account-phase authorization for hosts in the "syscom" inventory group:
# only low-uid (system/local) accounts and members of the syscom group get
# past; everyone else is refused by pam_deny. blockinfile appends the block at
# the end of the file by default, i.e. after the pam-auth-update managed
# section, so rules there that return early (e.g. a `sufficient` line) are
# evaluated before this block.
# NOTE(review): the `uid < 10000` escape hatch assumes every directory user
# has a uid >= 10000 — confirm against the ID ranges in sssd.conf. The
# success=N counts skip the following module lines in the block (the comment
# line does not count) and must be adjusted if a rule is added. A mistake
# here locks out all logins; keep a root session open while rolling it out.
- name: Configure PAM (syscom)
  when: '"syscom" in group_names'
  blockinfile:
    path: /etc/pam.d/common-account
    block: |
      # only allow system accounts and members of the systems committee
      account [success=2 default=ignore] pam_succeed_if.so quiet uid < 10000
      account [success=1 default=ignore] pam_succeed_if.so quiet user ingroup syscom
      account required pam_deny.so
# Account-phase authorization for every host NOT in the "syscom" group: low-uid
# (system/local) accounts and syscom members pass unconditionally; all other
# users are subject to pam_csc.so, which presumably comes from the libpam-csc
# package installed above and checks current club membership. Uses the same
# default blockinfile marker as the syscom variant, so a host moving between
# the two groups gets its block replaced rather than duplicated.
# NOTE(review): as with the syscom block, `uid < 10000` assumes directory
# users all have uids >= 10000 — confirm against sssd.conf; the success=N
# counts are relative to the following module lines and must be kept in step
# with any edit.
- name: Configure PAM (general)
  when: '"syscom" not in group_names'
  blockinfile:
    path: /etc/pam.d/common-account
    block: |
      # Allow system accounts and members of the systems committee,
      # otherwise only allow current CSC members.
      account [success=2 default=ignore] pam_succeed_if.so quiet uid < 10000
      account [success=1 default=ignore] pam_succeed_if.so quiet user ingroup syscom
      account required pam_csc.so
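# Kerberos and LDAP client configuration plus a CA certificate, presumably the
# one the LDAP client trusts (check TLS_CACERT in ldap.conf). Ownership and
# mode are now pinned: without `mode`, the copy module keeps whatever
# permissions an existing destination already has, and /root/.k5login decides
# which Kerberos principals may log in as root, so it must not be writable by
# anyone else. krb5 also rejects a .k5login not owned by the account it
# belongs to, hence owner root. The config files and certificate stay
# world-readable since client libraries read them as ordinary users.
# NOTE(review): a PEM dropped straight into /etc/ssl/certs is only found by
# OpenSSL's CApath lookup if a hash symlink exists (update-ca-certificates
# creates those for files under /usr/local/share/ca-certificates/); it does
# work if ldap.conf references the file by full path — confirm which applies.
- name: Copy authentication configuration
  copy:
    src: '{{ item.src }}'
    dest: '{{ item.dest }}'
    owner: root
    group: root
    # per-item override; quoted so the loader treats it as an octal string
    mode: '{{ item.mode | default("0644") }}'
  with_items:
    - src: krb5.conf
      dest: /etc/krb5.conf
    - src: ldap.conf
      dest: /etc/ldap/ldap.conf
    - src: k5login
      dest: /root/.k5login
      mode: '0600'
    - src: GlobalSign_Intermediate_Root_SHA256_G2.pem
      dest: /etc/ssl/certs/GlobalSign_Intermediate_Root_SHA256_G2.pem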
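# Site helper script for users. Installed root-owned so that no unprivileged
# account can alter a program sitting on everybody's PATH (copy only pins what
# it is told to; an existing file would otherwise keep its current owner).
# Mode quoted so the YAML loader does not read it as an octal integer.
- name: Copy user scripts
  copy:
    src: become_club
    dest: /usr/local/bin/become_club
    owner: root
    group: root
    mode: '0755'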