diff --git a/group_vars/sssd.yml b/group_vars/sssd.yml
new file mode 100644
index 0000000000000000000000000000000000000000..29b359f77c4fc113c828434c1c711ed8dca7558e
--- /dev/null
+++ b/group_vars/sssd.yml
@@ -0,0 +1,16 @@
+glob_sssd:
+ primary:
+ domain: tealc.adm.crans.org
+ servers:
+ - "{{ query('ldap','ip','tealc','adm') | ipv4 | first }}"
+ - "{{ query('ldap','ip','sam','adm') | ipv4 | first }}"
+ - "{{ query('ldap','ip','daniel','adm') | ipv4 | first }}"
+ - "{{ query('ldap','ip','jack','adm') | ipv4 | first }}"
+ base: "dc=crans,dc=org"
+ secondary:
+ domain: re2o-ldap.adm.crans.org
+ base: "dc=crans,dc=org"
+ bind:
+ dn: "cn=nslcd,ou=service-users,dc=crans,dc=org"
+ passwd: "{{ vault.ldap_nslcd_passwd }}"
+
diff --git a/hosts b/hosts
index 28188710ebe03c6df75cd32fefe1a887d027e114..1feaeb11c6fceebff05a1c13deaf96a5b2621ffa 100644
--- a/hosts
+++ b/hosts
@@ -219,6 +219,9 @@ jack.adm.crans.org
 sputnik.adm.crans.org
 gulp.cachan-adm.crans.org
+[sssd]
+zamok-tmtc.adm.crans.org
+
 [thelounge]
 irc.adm.crans.org
 zamok.adm.crans.org
@@ -295,6 +298,8 @@ tracker.adm.crans.org
 vol447.adm.crans.org
 voyager.adm.crans.org
 yson-partou.adm.crans.org
+zamok-tmtc.adm.crans.org
+#unifi.adm.crans.org
 
 [crans_vm:children]
 routeurs_vm
diff --git a/roles/home-nounou/README.md b/roles/home-nounou/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..80dddb956eb08de74fa5aa397e209975b88dc236
--- /dev/null
+++ b/roles/home-nounou/README.md
@@ -0,0 +1,8 @@
+# HOME-NOUNOUS
+
+Ce rôle permet d'exporter les homes vers les différents serveurs.
+
+## VARS
+
+home_nounous:
+ ip: l'ip du serveur nfs
diff --git a/roles/home-nounou/tasks/main.yml b/roles/home-nounou/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..1cbecea7a53b43fff7b3bf3166066b9238cf36e2
--- /dev/null
+++ b/roles/home-nounou/tasks/main.yml
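Review bot: The variable defined here is `glob_sssd`, but every template in this commit reads `sssd.primary…` / `sssd.secondary…`; unless a playbook outside this diff merges `glob_sssd` into `sssd`, the sssd and nslcd templates will fail on an undefined variable. Also, `primary.servers` lists four hosts while `sssd.conf.j2` only uses `primary.domain` for `ldap_uri`, so the failover list is consumed by nslcd alone; a comment on `servers:` such as `# consumed by nslcd.conf.j2 only; sssd.conf.j2 uses the domain name` would record that until both templates agree. The vault reference in `secondary.bind.passwd` is only ever rendered into sssd.conf, which the tasks hunk deploys with mode 0600, so the secret does not leak into nslcd.conf.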
@@ -0,0 +1,23 @@
+---
+- name: Install NFS client
+ apt:
+ update_cache: true
+ name:
+ - nfs-common
+ state: present
+ register: apt_result
+ retries: 3
+ until: apt_result is succeeded
+
+- name: Deploy nfs systemd mount
+ template:
+ src: systemd/system/home_nounou.mount.j2
+ dest: /etc/systemd/system/home_nounou.mount
+ mode: 0644
+
+- name: Load and activate nfs systemd mount
+ systemd:
+ name: home_nounou.mount
+ daemon_reload: true
+ enabled: true
+ state: started
diff --git a/roles/home-nounou/templates/systemd/system/home_nounou.mount.j2 b/roles/home-nounou/templates/systemd/system/home_nounou.mount.j2
new file mode 100644
index 0000000000000000000000000000000000000000..a6065ca3da2f390eb6446c9103bf5fac4c545bdf
--- /dev/null
+++ b/roles/home-nounou/templates/systemd/system/home_nounou.mount.j2
@@ -0,0 +1,14 @@
+{{ ansible_header | comment }}
+[Unit]
+Description=Mount home
+Wants=network-online.target
+After=network-online.target
+
+[Mount]
+What={{ home_nounous.ip }}:/pool/home
+Where=/home_nounou
+Type=nfs
+Options=rw,nosuid
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/home-permanent/tasks/main.yml b/roles/home-permanent/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..b857e4b5a5ad348071c60695fa2604a3996bdcf8
--- /dev/null
+++ b/roles/home-permanent/tasks/main.yml
@@ -0,0 +1,23 @@
+---
+- name: Deploy nfs systemd mount
+ template:
+ src: systemd/system/{{ item }}.mount.j2
+ dest: /etc/systemd/system/{{ item }}.mount
+ mode: 0755
+ loop:
+ - home
+ - var-mail
+
+- name: Load and activate nfs home systemd mount
+ systemd:
+ name: home.mount
+ daemon_reload: true
+ enabled: true
+ state: started
+
+- name: Load and activate nfs mail systemd mount
+ systemd:
+ name: var-mail.mount
+ daemon_reload: true
+ enabled: true
+ state: started
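Review bot: `mode: 0644` on the Deploy task is an unquoted octal; Ansible's loader treats the leading zero as octal so it works, but yamllint/ansible-lint flag it (risky-octal) and a YAML 1.2 core-schema reader would take it as decimal 644, so prefer `mode: "0644"`. The same applies to `mode: 0755` in roles/home-permanent/tasks/main.yml and the two `mode: 0600` lines in roles/sssd/tasks/main.yml in this commit.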
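Review bot: `Options=rw,nosuid` in the [Mount] section leaves device nodes honoured on a network-served home directory; adding `nodev` closes that off on the client side: `Options=rw,nosuid,nodev`. The unit file name `home_nounou.mount` matches `Where=/home_nounou` as systemd requires, and ordering after network-online.target is appropriate for an NFS mount.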
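Review bot: `mode: 0755` on the Deploy task gives the rendered `.mount` unit files an execute bit they do not need; the sibling role in this commit (roles/home-nounou) deploys the same kind of file with 0644, so `mode: "0644"` keeps the two consistent and minimal. The templates it loops over, `systemd/system/home.mount.j2` and `systemd/system/var-mail.mount.j2`, are not part of this diff — if they are not already in the repository the role fails at this task. The two systemd tasks that follow could be a single task reusing the same `loop`, but that is a style choice.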
diff --git a/roles/sssd/handlers/main.yml b/roles/sssd/handlers/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..1c219c2abc398f372bb9c061c146c07b051172bd
--- /dev/null
+++ b/roles/sssd/handlers/main.yml
@@ -0,0 +1,10 @@
+---
+- name: Restart nslcd service
+ service:
+ name: nslcd
+ state: restarted
+
+- name: Restart sssd service
+ service:
+ name: sssd
+ state: restarted
diff --git a/roles/sssd/tasks/main.yml b/roles/sssd/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..d9b244b72a92f2c784ad9c21d558377b8855889f
--- /dev/null
+++ b/roles/sssd/tasks/main.yml
@@ -0,0 +1,43 @@
+---
+- name: Install sssd and nslcd
+ apt:
+ update_cache: true
+ name:
+ - sssd
+ - libnss-ldapd
+ - libpam-ldapd
+ state: present
+ register: apt_result
+ retries: 3
+ until: apt_result is succeeded
+
+- name: Configure sssd
+ template:
+ src: sssd/sssd.conf.j2
+ dest: /etc/sssd/sssd.conf
+ mode: 0600
+ notify: Restart sssd service
+
+- name: Configure nslcd for hosts
+ template:
+ src: nslcd.conf.j2
+ dest: /etc/nslcd.conf
+ mode: 0600
+ notify: Restart nslcd service
+
+- name: Configure NSS to use sss
+ lineinfile:
+ dest: /etc/nsswitch.conf
+ regexp: "^{{ item.name }}:"
+ line: "{{ item.name }}: {{ item.db }}"
+ loop:
+ - {name: passwd, db: files systemd sss}
+ - {name: group, db: files systemd sss}
+ - {name: shadow, db: files sss}
+ - {name: networks, db: files ldap}
+ - {name: hosts, db: files ldap dns}
+
+- name: Configure PAM authentication
+ template:
+ src: pam.d/common-password.j2
+ dest: /etc/pam.d/common-password
diff --git a/roles/sssd/templates/nslcd.conf.j2 b/roles/sssd/templates/nslcd.conf.j2
new file mode 100644
index 0000000000000000000000000000000000000000..2360eadc0d65a6ddc61eb85c79084922b5c2220e
--- /dev/null
+++ b/roles/sssd/templates/nslcd.conf.j2
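Review bot: The package list on the Install task has `sssd`, `libnss-ldapd` and `libpam-ldapd`, yet the NSS task enables the `sss` backend and the PAM template uses `pam_sss.so`; those modules ship in `libnss-sss` and `libpam-sss`, which on Debian are, as far as I know, only pulled in as Recommends of sssd, so a host with recommends disabled would end up with `sss` in nsswitch.conf and nothing behind it. Adding `- libnss-sss` and `- libpam-sss` to the `name:` list makes that dependency explicit. The final `Configure PAM authentication` task also lacks the `mode:` the other template tasks set; `mode: "0644"` makes the result deterministic instead of umask-dependent.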
@@ -0,0 +1,34 @@
+{{ ansible_header | comment }}
+# /etc/nslcd.conf
+# nslcd configuration file. See nslcd.conf(5)
+# for details.
+
+# The user and group nslcd should run as.
+uid nslcd
+gid nslcd
+
+# The location at which the LDAP server(s) should be reachable.
+{% for server in sssd.primary.servers %}
+uri ldaps://{{ server }}/
+{% endfor %}
+
+# The search base that will be used for all queries.
+base {{ sssd.primary.base }}
+
+# The LDAP protocol version to use.
+#ldap_version 3
+
+# The DN to bind with for normal lookups.
+#binddn cn=annonymous,dc=example,dc=net
+#bindpw secret
+
+# The DN used for password modifications by root.
+#rootpwmoddn cn=admin,dc=example,dc=com
+
+# SSL options
+#ssl off
+tls_reqcert allow
+tls_cacertfile /etc/ssl/certs/ca-certificates.crt
+
+# The search scope.
+#scope sub
diff --git a/roles/sssd/templates/pam.d/common-password.j2 b/roles/sssd/templates/pam.d/common-password.j2
new file mode 100644
index 0000000000000000000000000000000000000000..34be825e17c6b4aaa935af80fe086d6c27938b12
--- /dev/null
+++ b/roles/sssd/templates/pam.d/common-password.j2
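Review bot: `tls_reqcert allow` in the SSL options block accepts a missing or failed server certificate while still speaking ldaps, so the `tls_cacertfile` line right below it has no enforcing effect and nslcd's lookups are exposed to an interposed server; `tls_reqcert demand` is the value that makes the CA file meaningful. The same applies to the two `ldap_tls_reqcert = allow` lines in roles/sssd/templates/sssd/sssd.conf.j2 in this commit, where the channel additionally carries the bind password and user authentication. If `demand` is not possible because the `uri` lines are built from IP addresses whose certificates lack matching SANs, record that above the `{% for %}` loop, e.g. `# servers are addressed by IP: certificates must cover these addresses before tls_reqcert can be raised to demand`.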
@@ -0,0 +1,37 @@
+{{ ansible_header | comment }}
+#
+# /etc/pam.d/common-password - password-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define the services to be
+# used to change user passwords. The default is pam_unix.
+
+# Explanation of pam_unix options:
+#
+# The "sha512" option enables salted SHA512 passwords. Without this option,
+# the default is Unix crypt. Prior releases used the option "md5".
+#
+# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
+# login.defs.
+#
+# See the pam_unix manpage for other options.
+
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+password requisite pam_pwquality.so retry=3
+password [success=3 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
+password sufficient pam_sss.so use_authtok
+password [success=1 default=ignore] pam_ldap.so minimum_uid=1000 try_first_pass
+# here's the fallback if no module succeeds
+password requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+password required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+# end of pam-auth-update config
diff --git a/roles/sssd/templates/sssd/sssd.conf.j2 b/roles/sssd/templates/sssd/sssd.conf.j2
new file mode 100644
index 0000000000000000000000000000000000000000..e5f445a09cf94b5a8ada31cee1a159cdf843f6ba
--- /dev/null
+++ b/roles/sssd/templates/sssd/sssd.conf.j2
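Review bot: The `password` stack in the Primary block carries both `pam_sss.so` (sufficient) and `pam_ldap.so [success=1 default=ignore]`, while the sssd.conf template in this commit already makes sssd the auth provider for both LDAP domains; when pam_sss does not succeed, control falls through to pam_ldap, which with the nslcd.conf deployed here (no `binddn`, `rootpwmoddn` commented out) would attempt a second password change through a different path — presumably not intended. If pam_ldap is only wanted for the NSS host/network lookups, dropping the pam_ldap line and changing the pam_unix control to `[success=2 default=ignore]` keeps the jump target on `pam_permit.so`. The retained header still says the file is managed by pam-auth-update, which contradicts the `ansible_header` above it; trimming that paragraph avoids sending the next admin to the wrong tool.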
@@ -0,0 +1,31 @@
+{{ ansible_header | comment }}
+[sssd]
+config_file_version = 2
+services = nss, pam
+domains = {{ sssd.primary.domain }}, {{ sssd.secondary.domain }}
+
+[domain/{{ sssd.primary.domain }}]
+ldap_access_filter = (objectClass=posixAccount)
+enumerate = true
+id_provider = ldap
+auth_provider = ldap
+ldap_uri = ldaps://{{ sssd.primary.domain }}
+ldap_search_base = {{ sssd.primary.base }}
+{% if sssd.primary.bind is defined -%}
+ldap_default_bind_dn = {{ sssd.primary.bind.dn }}
+ldap_default_authtok = {{ sssd.primary.bind.passwd }}
+{% endif %}
+ldap_tls_reqcert = allow
+
+[domain/{{ sssd.secondary.domain }}]
+ldap_access_filter = (objectClass=posixAccount)
+enumerate = true
+id_provider = ldap
+auth_provider = ldap
+ldap_uri = ldaps://{{ sssd.secondary.domain }}
+ldap_search_base = {{ sssd.secondary.base }}
+{% if sssd.secondary.bind is defined -%}
+ldap_default_bind_dn = {{ sssd.secondary.bind.dn }}
+ldap_default_authtok = {{ sssd.secondary.bind.passwd }}
+{% endif %}
+ldap_tls_reqcert = allow
diff --git a/roles/sudo/templates/sudoers.d/group_privilege.j2 b/roles/sudo/templates/sudoers.d/group_privilege.j2
index 2b7e31fd472c45b3110a460dafba074198e2f222..25902df57356615db420bcda8e4c7605a7d5bc38 100644
--- a/roles/sudo/templates/sudoers.d/group_privilege.j2
+++ b/roles/sudo/templates/sudoers.d/group_privilege.j2
@@ -1,3 +1,3 @@
 {{ ansible_header | comment }}
 # Group privilege specification
-NOUNOUS ALL=(ALL:ALL) ALL
+%_nounou ALL=(ALL:ALL) ALL
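Review bot: `ldap_access_filter = (objectClass=posixAccount)` in both [domain/…] sections has no effect because neither section sets `access_provider = ldap`; sssd's access provider defaults to permit, so the filter is never evaluated and the config suggests a restriction it does not enforce. Either add `access_provider = ldap` beneath each `auth_provider = ldap` line or drop the two filter lines. `enumerate = true` on both domains deserves a comment stating why full directory enumeration is wanted, since it is off by default for load reasons. With the group_vars in this commit only `secondary` defines `bind`, so the `{% if … bind is defined -%}` guard leaves the primary domain binding anonymously, which matches the nslcd template.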
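Review bot: Replacing `NOUNOUS` with `%_nounou` moves the root-equivalent sudo grant from a locally defined alias to a group resolved through NSS, which in this commit means the `sss` backend added to nsswitch.conf; membership of `_nounou` in the directory now equals full root on every host using this template, and an NSS outage makes the grant unresolvable. A comment above the rule such as `# _nounou is resolved via sssd (LDAP): directory membership changes take effect immediately` would make that dependency visible. If the `NOUNOUS` User_Alias was defined in another sudoers file not shown here, it may now be unused.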