From 23d29500e757ae10df7f4e90033c6f0b8e54d2aa Mon Sep 17 00:00:00 2001
From: Alexandre Iooss <erdnaxe@crans.org>
Date: Fri, 20 Mar 2020 09:40:39 +0100
Subject: [PATCH] Split ldap role and reorder base.yml

---
 base.yml                                      | 58 ++++++++-----------
 roles/common-security/tasks/main.yml          |  8 ---
 .../{scripts => crans-scripts}/tasks/main.yml |  6 +-
 roles/ldap-client/tasks/install_ldap.yml      | 34 -----------
 roles/ldap-client/tasks/main.yml              | 52 +++++++++++------
 roles/openssh/handlers/main.yml               |  5 ++
 roles/openssh/tasks/main.yml                  | 16 +++++
 roles/sudo/tasks/main.yml                     | 10 ++++
 .../templates/sudoers.d/custom_passprompt.j2  |  0
 .../templates/sudoers.d/group_privilege.j2    |  0
 .../templates/sudoers.j2                      |  0
 11 files changed, 92 insertions(+), 97 deletions(-)
 delete mode 100644 roles/common-security/tasks/main.yml
 rename roles/{scripts => crans-scripts}/tasks/main.yml (79%)
 delete mode 100644 roles/ldap-client/tasks/install_ldap.yml
 create mode 100644 roles/openssh/handlers/main.yml
 create mode 100644 roles/openssh/tasks/main.yml
 create mode 100644 roles/sudo/tasks/main.yml
 rename roles/{ldap-client => sudo}/templates/sudoers.d/custom_passprompt.j2 (100%)
 rename roles/{ldap-client => sudo}/templates/sudoers.d/group_privilege.j2 (100%)
 rename roles/{ldap-client => sudo}/templates/sudoers.j2 (100%)

diff --git a/base.yml b/base.yml
index 90a378c0..ca54454a 100644
--- a/base.yml
+++ b/base.yml
@@ -1,34 +1,11 @@
 ---
-# Deploy common Crans configuration and tools
-- hosts: server,test_vm,!ovh_physical
+# Common CRANS configuration for all servers
+- hosts: server
   vars:
     # Debian mirror on adm
     debian_mirror: http://mirror.adm.crans.org/debian
     debian_components: main non-free
 
-    # NTP servers
-    # TODO get this list with re2o
-    ntp_servers:
-      - charybde.adm.crans.org
-      - silice.adm.crans.org
-  roles:
-    - debian-apt-sources
-    - common-security
-    - common-tools
-    - ntp-client
-    - nfs-common
-
-# Deploy backup system
-- hosts: server
-  vars:
-    # Backup password
-    backuppc_rsyncd_passwd: "{{ vault_backuppc_rsyncd_passwd }}"
-  roles:
-    - rsync-client
-
-# Plug LDAP on all servers
-- hosts: server
-  vars:
     # LDAP binding
     ldap_base: 'dc=crans,dc=org'
     ldap_master_ipv4: '10.231.136.19'
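Review bot: The play's host pattern drops the `!ovh_physical` exclusion that the old common-security play carried, so the root authorized_keys deletion that now lives in the `openssh` role (added to this play's roles in the next hunk) will run on any OVH host that is a member of `server`. If those hosts were excluded because they are reached only by a root key, this is a lockout path; it needs checking against the inventory, which is not part of the patch. If the exclusion is still wanted, `- hosts: server,!ovh_physical` keeps it while still merging the plays.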
@@ -46,15 +23,30 @@
     # Scripts will tell users to go there to manage their account
     intranet_url: 'https://intranet.crans.org/'
 
-    # SSH keys for root account to use when LDAP is broken
-    ssh_pub_keys: "{{ vault_ssh_pub_keys }}"
+    # Backup password
+    backuppc_rsyncd_passwd: "{{ vault_backuppc_rsyncd_passwd }}"
+
+    # Will be in /usr/scripts/
+    crans_scripts_git: "http://gitlab.adm.crans.org/nounous/scripts.git"
+
+    # NTP servers
+    ntp_servers:
+      - charybde.adm.crans.org
+      - silice.adm.crans.org
   roles:
+    - common-tools
+    - debian-apt-sources
     - ldap-client
+    - openssh
+    - sudo
+    - rsync-client
+    - ntp-client
+    - crans-scripts
 
-# Install scripts on all servers
-- hosts: server
+# Deploy NFS only on campus
+- hosts: crans_server
   roles:
-    - scripts
+    - nfs-common
 
 # Document servers
 - hosts: voyager.adm.crans.org  # test only on voyager for now
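Review bot: Removing `ssh_pub_keys` drops the variable that was documented as the root fallback "when LDAP is broken", while the `openssh` role now applied to every `server` host deletes root's authorized_keys and restricts logins to `ssh_allow_groups`; after this commit a host whose nslcd is down has no key-based root login left unless a path exists that the diff does not show. Any role or template still referencing `ssh_pub_keys` will also now fail with an undefined-variable error, so a search for the name before merging would settle both questions. A line under `# Common CRANS configuration for all servers` naming the intended recovery path (console access, or a break-glass key kept elsewhere) would help the next operator.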
@@ -70,13 +62,12 @@
   roles: []  # TODO
 
 # Playbook to deploy autofs NFS
-- hosts: crans_physical,crans_vm,!odlyd.adm.crans.org,!zamok.adm.crans.org,!omnomnom.adm.crans.org,!owl.adm.crans.org,!owncloud-srv.adm.crans.org
+- hosts: crans_server,!odlyd.adm.crans.org,!zamok.adm.crans.org,!omnomnom.adm.crans.org,!owl.adm.crans.org,!owncloud-srv.adm.crans.org
   roles:
     - nfs-autofs
 
 # Redirect local mail to mailserver
-# Should be on server,!redisdead.adm.crans.org
-- hosts: prometheus.adm.crans.org,cas-srv.adm.crans.org,fyre.adm.crans.org,sitesweb.adm.crans.org,cochon.adm.crans.org,gateau.adm.crans.org,test_vm
+- hosts: crans_server,test_vm,!redisdead.adm.crans.org
   vars:
     mail_root: root@crans.org
     mail_snmp_server: smtp.adm.crans.org
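Review bot: `crans_server` is used as a group here and in the NFS play of the previous hunk, but the inventory is not in this patch; with Ansible's defaults an unknown pattern only produces a "Could not match supplied host pattern" warning and the play runs against no hosts, so the mail redirection and NFS plays would be skipped silently if the group does not exist yet. Confirm the group is defined in the inventory alongside this change. Since both `crans_server` and the bare `server` pattern appear in the same file, a short comment at the top stating how the two groups relate would save the next reader a trip to the inventory.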
@@ -96,6 +87,7 @@
   roles:
     - ansible
 
+# Tools for memebers
 - hosts: zamok.adm.crans.org
   roles:
     - zamok-tools
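Review bot: The new comment has a typo; `# Tools for members`. The other plays in this file carry a one-line comment in the same position, so the addition itself is consistent and only the spelling needs fixing.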
diff --git a/roles/common-security/tasks/main.yml b/roles/common-security/tasks/main.yml
deleted file mode 100644
index f864a749..00000000
--- a/roles/common-security/tasks/main.yml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-- name: Delete authorized SSH keys for root account
-  file:
-    path: "{{ item }}"
-    state: absent
-  loop:
-    - /root/.ssh/authorized_keys
-    - /root/.ssh/authorized_keys2
diff --git a/roles/scripts/tasks/main.yml b/roles/crans-scripts/tasks/main.yml
similarity index 79%
rename from roles/scripts/tasks/main.yml
rename to roles/crans-scripts/tasks/main.yml
index 55ed153b..9af7506a 100644
--- a/roles/scripts/tasks/main.yml
+++ b/roles/crans-scripts/tasks/main.yml
@@ -3,7 +3,7 @@
   file:
     path: /usr/scripts
     state: directory
-    mode: '2775'
+    mode: "2775"
     owner: root
     group: nounou
 
@@ -18,7 +18,7 @@
 
 - name: Clone scripts repository
   git:
-    repo: 'http://gitlab.adm.crans.org/nounous/scripts.git'
+    repo: "{{ crans_scripts_git }}"
     dest: /usr/scripts
     version: master
-    umask: '002'
+    umask: "002"
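Review bot: The role now reads `crans_scripts_git` and has no default of its own, so running it from any play other than base.yml fails with an undefined variable; adding `crans_scripts_git: "http://gitlab.adm.crans.org/nounous/scripts.git"` to a `defaults/main.yml` in the role keeps the previous behaviour as the fallback. Separately, the value defined in base.yml is a plain-http URL and the clone tracks `version: master`, so whatever lands in /usr/scripts (a setgid directory for group nounou per the first hunk) is trusted on the strength of the adm network alone; an https URL or a pinned commit would make the provenance of these scripts verifiable. The task may continue past the end of the hunk.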
diff --git a/roles/ldap-client/tasks/install_ldap.yml b/roles/ldap-client/tasks/install_ldap.yml
deleted file mode 100644
index 2f81e113..00000000
--- a/roles/ldap-client/tasks/install_ldap.yml
+++ /dev/null
@@ -1,34 +0,0 @@
----
-# Install LDAP client packages
-- name: Install LDAP client packages
-  apt:
-    update_cache: true
-    name:
-      - nslcd
-      - libnss-ldapd
-      - libpam-ldapd
-      - nscd  # local cache
-    state: present
-  register: apt_result
-  retries: 3
-  until: apt_result is succeeded
-
-# Configure /etc/nslcd.conf
-- name: Configure nslcd LDAP credentials
-  template:
-    src: nslcd.conf.j2
-    dest: /etc/nslcd.conf
-    mode: 0600
-  notify: Restart nslcd service
-
-# Configure /etc/nsswitch.conf
-- name: Configure NSS to use LDAP
-  lineinfile:
-    dest: /etc/nsswitch.conf
-    regexp: "^{{ item }}:"
-    line: "{{ item }}:         files ldap"
-  loop:
-    - passwd
-    - group
-    - shadow
-  notify: Restart nslcd service
diff --git a/roles/ldap-client/tasks/main.yml b/roles/ldap-client/tasks/main.yml
index 3ec97ffc..3912f981 100644
--- a/roles/ldap-client/tasks/main.yml
+++ b/roles/ldap-client/tasks/main.yml
@@ -1,6 +1,37 @@
 ---
-# Install and configure main LDAP tools
-- include_tasks: install_ldap.yml
+# Install LDAP client packages
+- name: Install LDAP client packages
+  apt:
+    update_cache: true
+    name:
+      - nslcd
+      - libnss-ldapd
+      - libpam-ldapd
+      - nscd  # local cache
+    state: present
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
+
+# Configure /etc/nslcd.conf
+- name: Configure nslcd LDAP credentials
+  template:
+    src: nslcd.conf.j2
+    dest: /etc/nslcd.conf
+    mode: 0600
+  notify: Restart nslcd service
+
+# Configure /etc/nsswitch.conf
+- name: Configure NSS to use LDAP
+  lineinfile:
+    dest: /etc/nsswitch.conf
+    regexp: "^{{ item }}:"
+    line: "{{ item }}:         files ldap"
+  loop:
+    - passwd
+    - group
+    - shadow
+  notify: Restart nslcd service
 
 # Disable passwd and chsh
 - name: Copy passwd and chsh scripts
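Review bot: `mode: 0600` on the nslcd.conf template is an unquoted leading-zero literal, which YAML 1.1 parsers read as the integer 384; Ansible converts that back correctly, but it is the form lint rejects and it is inconsistent with the `"2775"`/`"002"` strings this same commit introduces in crans-scripts. `mode: "0600"` here, and `mode: "0440"` in the new sudo role, keeps one convention across the patch. The restrictive mode is the right call since the task name says the file carries the LDAP bind credentials, so it is worth keeping it unambiguous.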
@@ -12,20 +43,3 @@
     - chsh
     - chsh.ldap
     - passwd
-
-- name: Filter SSH on groups
-  lineinfile:
-    dest: /etc/ssh/sshd_config
-    regexp: ^AllowGroups
-    line: "AllowGroups {{ ssh_allow_groups }}"
-    state: present
-
-- name: Configure sudoers
-  template:
-    src: "{{ item }}.j2"
-    dest: "/etc/{{ item }}"
-    mode: 0440
-  loop:
-    - sudoers.d/custom_passprompt
-    - sudoers.d/group_privilege
-    - sudoers
diff --git a/roles/openssh/handlers/main.yml b/roles/openssh/handlers/main.yml
new file mode 100644
index 00000000..3c59dc25
--- /dev/null
+++ b/roles/openssh/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Restart sshd service
+  service:
+    name: sshd
+    state: restarted
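Review bot: The handler targets a unit named `sshd`, but on the Debian hosts this repository manages (apt, `debian_mirror`) the openssh-server unit is `ssh`; `sshd` resolves only through the alias systemd creates when the unit is enabled, so `name: ssh` is the portable choice. A restart also closes the listener for the duration, and since the notifying task only edits sshd_config, `state: reloaded` applies the change without that window.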
diff --git a/roles/openssh/tasks/main.yml b/roles/openssh/tasks/main.yml
new file mode 100644
index 00000000..575af6bd
--- /dev/null
+++ b/roles/openssh/tasks/main.yml
@@ -0,0 +1,16 @@
+---
+- name: Filter SSH on groups
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    regexp: ^AllowGroups
+    line: "AllowGroups {{ ssh_allow_groups }}"
+    state: present
+  notify: Restart sshd service
+
+- name: Delete authorized SSH keys for root account
+  file:
+    path: "{{ item }}"
+    state: absent
+  loop:
+    - /root/.ssh/authorized_keys
+    - /root/.ssh/authorized_keys2
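Review bot: The `lineinfile` edit to sshd_config is written and the daemon restarted without the configuration being checked first, so a malformed `ssh_allow_groups` value leaves sshd unable to start once the handler runs, and because the second task deletes root's authorized_keys on the same host there is no key-based recovery. `validate: /usr/sbin/sshd -t -f %s` on the lineinfile task makes Ansible refuse the edit rather than apply it. Ansible already aborts on an undefined `ssh_allow_groups`, which is the safe direction, but a role default (or a comment stating that the variable is mandatory) would document the expectation.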
diff --git a/roles/sudo/tasks/main.yml b/roles/sudo/tasks/main.yml
new file mode 100644
index 00000000..2701c683
--- /dev/null
+++ b/roles/sudo/tasks/main.yml
@@ -0,0 +1,10 @@
+---
+- name: Configure sudoers
+  template:
+    src: "{{ item }}.j2"
+    dest: "/etc/{{ item }}"
+    mode: 0440
+  loop:
+    - sudoers.d/custom_passprompt
+    - sudoers.d/group_privilege
+    - sudoers
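Review bot: The three sudoers templates are installed with no syntax check, so an error in any of them disables sudo on the host for everyone at once (and with root's SSH keys removed by the openssh role in the same play, recovery is console-only). `validate: /usr/sbin/visudo -cf %s` on the `template` task makes Ansible keep the existing file whenever the rendered one does not parse. A comment above the task could record that, e.g. `# Rendered files are checked with visudo before replacing the live sudoers`.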
diff --git a/roles/ldap-client/templates/sudoers.d/custom_passprompt.j2 b/roles/sudo/templates/sudoers.d/custom_passprompt.j2
similarity index 100%
rename from roles/ldap-client/templates/sudoers.d/custom_passprompt.j2
rename to roles/sudo/templates/sudoers.d/custom_passprompt.j2
diff --git a/roles/ldap-client/templates/sudoers.d/group_privilege.j2 b/roles/sudo/templates/sudoers.d/group_privilege.j2
similarity index 100%
rename from roles/ldap-client/templates/sudoers.d/group_privilege.j2
rename to roles/sudo/templates/sudoers.d/group_privilege.j2
diff --git a/roles/ldap-client/templates/sudoers.j2 b/roles/sudo/templates/sudoers.j2
similarity index 100%
rename from roles/ldap-client/templates/sudoers.j2
rename to roles/sudo/templates/sudoers.j2
-- 
GitLab