aurore/ansible
aurore/ansible
11
2
Fork 0
Code Issues 1 Pull requests 13 Releases Wiki Activity

Don't use anymore submodules as there are too many

Browse source
This commit is contained in:
Alexandre Iooss 2019-02-05 08:35:45 +01:00
parent ff4577b5d5
commit bdb4dadaa7
41 changed files with 5981 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
roles/baseconfig

@ -1 +0,0 @@
Subproject commit 18a1a5fd4527934ffc546b4d9bca9414f3763eac

6
roles/baseconfig/README.md Normal file
View file

@ -0,0 +1,6 @@
# Rôle baseconfig
Ce rôle Ansible a pour but de mettre en place une configuration de base.
Il doit être exécuté en tant que super-utilisateur
(option `-b` pour `--become`).

3756
roles/baseconfig/files/skel/dot_zshrc Normal file
View file

File diff suppressed because it is too large Load diff

326
roles/baseconfig/files/skel/dot_zshrc.local Normal file
View file

@ -0,0 +1,326 @@
# Filename: /etc/skel/.zshrc
# Purpose: config file for zsh (z shell)
# Authors: (c) grml-team (grml.org)
# Bug-Reports: see http://grml.org/bugs/
# License: This file is licensed under the GPL v2 or any later version.
################################################################################
# Nowadays, grml's zsh setup lives in only *one* zshrc file.
# That is the global one: /etc/zsh/zshrc (from grml-etc-core).
# It is best to leave *this* file untouched and do personal changes to
# your zsh setup via ${HOME}/.zshrc.local which is loaded at the end of
# the global zshrc.
#
# That way, we enable people on other operating systems to use our
# setup, too, just by copying our global zshrc to their ${HOME}/.zshrc.
# Adjustments would still go to the .zshrc.local file.
################################################################################
## Aurore host color and white user
zstyle ':prompt:grml:left:items:host' pre '%B%F{red}'
zstyle ':prompt:grml:left:items:host' post '%f%b'
zstyle ':prompt:grml:left:items:user' pre '%B'
zstyle ':prompt:grml:left:items:user' post '%b'
## Settings for umask
#if (( EUID == 0 )); then
# umask 002
#else
# umask 022
#fi
## Now, we'll give a few examples of what you might want to use in your
## .zshrc.local file (just copy'n'paste and uncomment it there):
## Prompt theme extension ##
# Virtualenv support
#function virtual_env_prompt () {
# REPLY=${VIRTUAL_ENV+(${VIRTUAL_ENV:t}) }
#}
#grml_theme_add_token virtual-env -f virtual_env_prompt '%F{magenta}' '%f'
#zstyle ':prompt:grml:left:setup' items rc virtual-env change-root user at host path vcs percent
## ZLE tweaks ##
## use the vi navigation keys (hjkl) besides cursor keys in menu completion
#bindkey -M menuselect 'h' vi-backward-char # left
#bindkey -M menuselect 'k' vi-up-line-or-history # up
#bindkey -M menuselect 'l' vi-forward-char # right
#bindkey -M menuselect 'j' vi-down-line-or-history # bottom
## set command prediction from history, see 'man 1 zshcontrib'
#is4 && zrcautoload predict-on && \
#zle -N predict-on && \
#zle -N predict-off && \
#bindkey "^X^Z" predict-on && \
#bindkey "^Z" predict-off
## press ctrl-q to quote line:
#mquote () {
# zle beginning-of-line
# zle forward-word
# # RBUFFER="'$RBUFFER'"
# RBUFFER=${(q)RBUFFER}
# zle end-of-line
#}
#zle -N mquote && bindkey '^q' mquote
## define word separators (for stuff like backward-word, forward-word, backward-kill-word,..)
#WORDCHARS='*?_-.[]~=/&;!#$%^(){}<>' # the default
#WORDCHARS=.
#WORDCHARS='*?_[]~=&;!#$%^(){}'
#WORDCHARS='${WORDCHARS:s@/@}'
# just type '...' to get '../..'
#rationalise-dot() {
#local MATCH
#if [[ $LBUFFER =~ '(^|/| | |'$'\n''|\||;|&)\.\.$' ]]; then
# LBUFFER+=/
# zle self-insert
# zle self-insert
#else
# zle self-insert
#fi
#}
#zle -N rationalise-dot
#bindkey . rationalise-dot
## without this, typing a . aborts incremental history search
#bindkey -M isearch . self-insert
#bindkey '\eq' push-line-or-edit
## some popular options ##
## add `|' to output redirections in the history
#setopt histallowclobber
## try to avoid the 'zsh: no matches found...'
#setopt nonomatch
## warning if file exists ('cat /dev/null > ~/.zshrc')
#setopt NO_clobber
## don't warn me about bg processes when exiting
#setopt nocheckjobs
## alert me if something failed
#setopt printexitvalue
## with spelling correction, assume dvorak kb
#setopt dvorak
## Allow comments even in interactive shells
#setopt interactivecomments
## compsys related snippets ##
## changed completer settings
#zstyle ':completion:*' completer _complete _correct _approximate
#zstyle ':completion:*' expand prefix suffix
## another different completer setting: expand shell aliases
#zstyle ':completion:*' completer _expand_alias _complete _approximate
## to have more convenient account completion, specify your logins:
#my_accounts=(
# {grml,grml1}@foo.invalid
# grml-devel@bar.invalid
#)
#other_accounts=(
# {fred,root}@foo.invalid
# vera@bar.invalid
#)
#zstyle ':completion:*:my-accounts' users-hosts $my_accounts
#zstyle ':completion:*:other-accounts' users-hosts $other_accounts
## add grml.org to your list of hosts
#hosts+=(grml.org)
#zstyle ':completion:*:hosts' hosts $hosts
## telnet on non-default ports? ...well:
## specify specific port/service settings:
#telnet_users_hosts_ports=(
# user1@host1:
# user2@host2:
# @mail-server:{smtp,pop3}
# @news-server:nntp
# @proxy-server:8000
#)
#zstyle ':completion:*:*:telnet:*' users-hosts-ports $telnet_users_hosts_ports
## the default grml setup provides '..' as a completion. it does not provide
## '.' though. If you want that too, use the following line:
#zstyle ':completion:*' special-dirs true
## aliases ##
## translate
#alias u='translate -i'
## ignore ~/.ssh/known_hosts entries
#alias insecssh='ssh -o "StrictHostKeyChecking=no" -o "UserKnownHostsFile=/dev/null" -o "PreferredAuthentications=keyboard-interactive"'
## global aliases (for those who like them) ##
#alias -g '...'='../..'
#alias -g '....'='../../..'
#alias -g BG='& exit'
#alias -g C='|wc -l'
#alias -g G='|grep'
#alias -g H='|head'
#alias -g Hl=' --help |& less -r'
#alias -g K='|keep'
#alias -g L='|less'
#alias -g LL='|& less -r'
#alias -g M='|most'
#alias -g N='&>/dev/null'
#alias -g R='| tr A-z N-za-m'
#alias -g SL='| sort | less'
#alias -g S='| sort'
#alias -g T='|tail'
#alias -g V='| vim -'
## instead of global aliase it might be better to use grmls $abk assoc array, whose contents are expanded after pressing ,.
#$abk[SnL]="| sort -n | less"
## get top 10 shell commands:
#alias top10='print -l ${(o)history%% *} | uniq -c | sort -nr | head -n 10'
## Execute \kbd{./configure}
#alias CO="./configure"
## Execute \kbd{./configure --help}
#alias CH="./configure --help"
## miscellaneous code ##
## Use a default width of 80 for manpages for more convenient reading
#export MANWIDTH=${MANWIDTH:-80}
## Set a search path for the cd builtin
#cdpath=(.. ~)
## variation of our manzsh() function; pick you poison:
#manzsh() { /usr/bin/man zshall | most +/"$1" ; }
## Switching shell safely and efficiently? http://www.zsh.org/mla/workers/2001/msg02410.html
#bash() {
# NO_SWITCH="yes" command bash "$@"
#}
#restart () {
# exec $SHELL $SHELL_ARGS "$@"
#}
## Handy functions for use with the (e::) globbing qualifier (like nt)
#contains() { grep -q "$*" $REPLY }
#sameas() { diff -q "$*" $REPLY &>/dev/null }
#ot () { [[ $REPLY -ot ${~1} ]] }
## get_ic() - queries imap servers for capabilities; real simple. no imaps
#ic_get() {
# emulate -L zsh
# local port
# if [[ ! -z $1 ]] ; then
# port=${2:-143}
# print "querying imap server on $1:${port}...\n";
# print "a1 capability\na2 logout\n" | nc $1 ${port}
# else
# print "usage:\n $0 <imap-server> [port]"
# fi
#}
## List all occurrences of programm in current PATH
#plap() {
# emulate -L zsh
# if [[ $# = 0 ]] ; then
# echo "Usage: $0 program"
# echo "Example: $0 zsh"
# echo "Lists all occurrences of program in the current PATH."
# else
# ls -l ${^path}/*$1*(*N)
# fi
#}
## Find out which libs define a symbol
#lcheck() {
# if [[ -n "$1" ]] ; then
# nm -go /usr/lib/lib*.a 2>/dev/null | grep ":[[:xdigit:]]\{8\} . .*$1"
# else
# echo "Usage: lcheck <function>" >&2
# fi
#}
## Download a file and display it locally
#uopen() {
# emulate -L zsh
# if ! [[ -n "$1" ]] ; then
# print "Usage: uopen \$URL/\$file">&2
# return 1
# else
# FILE=$1
# MIME=$(curl --head $FILE | \
# grep Content-Type | \
# cut -d ' ' -f 2 | \
# cut -d\; -f 1)
# MIME=${MIME%$'\r'}
# curl $FILE | see ${MIME}:-
# fi
#}
## Memory overview
#memusage() {
# ps aux | awk '{if (NR > 1) print $5;
# if (NR > 2) print "+"}
# END { print "p" }' | dc
#}
## print hex value of a number
#hex() {
# emulate -L zsh
# if [[ -n "$1" ]]; then
# printf "%x\n" $1
# else
# print 'Usage: hex <number-to-convert>'
# return 1
# fi
#}
## log out? set timeout in seconds...
## ...and do not log out in some specific terminals:
#if [[ "${TERM}" == ([Exa]term*|rxvt|dtterm|screen*) ]] ; then
# unset TMOUT
#else
# TMOUT=1800
#fi
## associate types and extensions (be aware with perl scripts and anwanted behaviour!)
#check_com zsh-mime-setup || { autoload zsh-mime-setup && zsh-mime-setup }
#alias -s pl='perl -S'
## ctrl-s will no longer freeze the terminal.
#stty erase "^?"
## you want to automatically use a bigger font on big terminals?
#if [[ "$TERM" == "xterm" ]] && [[ "$LINES" -ge 50 ]] && [[ "$COLUMNS" -ge 100 ]] && [[ -z "$SSH_CONNECTION" ]] ; then
# large
#fi
## Some quick Perl-hacks aka /useful/ oneliner
#bew() { perl -le 'print unpack "B*","'$1'"' }
#web() { perl -le 'print pack "B*","'$1'"' }
#hew() { perl -le 'print unpack "H*","'$1'"' }
#weh() { perl -le 'print pack "H*","'$1'"' }
#pversion() { perl -M$1 -le "print $1->VERSION" } # i. e."pversion LWP -> 5.79"
#getlinks () { perl -ne 'while ( m/"((www|ftp|http):\/\/.*?)"/gc ) { print $1, "\n"; }' $* }
#gethrefs () { perl -ne 'while ( m/href="([^"]*)"/gc ) { print $1, "\n"; }' $* }
#getanames () { perl -ne 'while ( m/a name="([^"]*)"/gc ) { print $1, "\n"; }' $* }
#getforms () { perl -ne 'while ( m:(\</?(input|form|select|option).*?\>):gic ) { print $1, "\n"; }' $* }
#getstrings () { perl -ne 'while ( m/"(.*?)"/gc ) { print $1, "\n"; }' $*}
#showINC () { perl -e 'for (@INC) { printf "%d %s\n", $i++, $_ }' }
#vimpm () { vim `perldoc -l $1 | sed -e 's/pod$/pm/'` }
#vimhelp () { vim -c "help $1" -c on -c "au! VimEnter *" }
## END OF FILE #################################################################

40
roles/baseconfig/files/update-motd.d/00-logo Executable file
View file

@ -0,0 +1,40 @@
#!/bin/sh
# /etc/update-motd.d/00-logo
# Deployed with Aurore Ansible !
# Pretty uptime
upSeconds="$(/usr/bin/cut -d. -f1 /proc/uptime)"
mins=$((${upSeconds}/60%60))
hours=$((${upSeconds}/3600%24))
days=$((${upSeconds}/86400))
UPTIME=`printf "%d jours, %02dh%02dm" "$days" "$hours" "$mins"`
# RAM
RAM=`free -m | awk 'NR==2{printf "%s/%sMB (%.2f%%)\n", $3,$2,$3*100/$2 }'`
DISK=`df -h | awk '$NF=="/"{printf "%d/%dGB (%s)\n", $3,$2,$5}'`
# Text font
bold=$(tput bold)
normal=$(tput sgr0)
# Logo
cat << EOF

      ${bold}Uptime${normal} : ${UPTIME}
    ${bold}Mémoire${normal} : ${RAM}
        ${bold}Disque racine${normal} : ${DISK}
       
          
           
          
          
       
       
         
         
         
           
        
      
EOF

20
roles/baseconfig/tasks/apt-listchanges.yml Normal file
View file

@ -0,0 +1,20 @@
---
# Install apt-listchanges
- name: Install apt-listchanges
when: ansible_os_family == "Debian"
apt:
name: apt-listchanges
state: present
update_cache: yes
# Send email when there is something new
- name: Configure apt-listchanges
lineinfile:
dest: /etc/apt/listchanges.conf
regexp: "^{{ item.key }}="
line: "{{ item.value }}"
with_dict:
confirm: 'confirm=true'
email_address: "email_address={{ monitoring_mail }}"
which: 'which=both'

58
roles/baseconfig/tasks/main.yml Normal file
View file

@ -0,0 +1,58 @@
---
# Should contain only small tools that everyone can't live without
- name: Install basic tools
when: ansible_os_family == "Debian"
apt:
name: "{{ packages }}"
state: present
update_cache: yes
vars:
packages:
- bash-completion # for bash users
- zsh # alternative shell
- sudo # to gain root access
- git # code versioning
- nano # basic text editor
- vim # like nano but more powerful and complex
- htop # better than top
- less # i like cats
- tree # create a graphical tree of files
- ipython # better Python shell
- acl # for Ansible become support
# Pimp my server
- name: Customize motd
copy:
src: 'update-motd.d/00-logo'
dest: '/etc/update-motd.d/00-logo'
mode: 0755
# Configure APT mirrors on Debian Stretch
- name: Configure APT mirrors
when: ansible_distribution == 'Debian' and ansible_distribution_release == 'stretch'
template:
src: 'apt/sources.list'
dest: '/etc/apt/sources.list'
mode: 0644
# Patriotisme
- name: Ensure French UTF-8 locale exists
locale_gen:
name: fr_FR.UTF-8
state: present
# Molly-Guard : prevent accidental shutdowns
- include_tasks: molly-guard.yml
# APT-List Changes : send email with changelog
- include_tasks: apt-listchanges.yml
# User skeleton
- name: Configure user skeleton
copy:
src: skel/{{ item.key }}
dest: /etc/skel/{{ item.value }}
with_dict:
dot_zshrc: .zshrc
dot_zshrc.local: .zshrc.local

16
roles/baseconfig/tasks/molly-guard.yml Normal file
View file

@ -0,0 +1,16 @@
---
# Install molly-guard
- name: Install molly-guard
when: ansible_os_family == "Debian"
apt:
name: molly-guard
state: present
update_cache: yes
# Always ask for hostname
- name: Configure molly-guard
lineinfile:
dest: /etc/molly-guard/rc
regexp: '^#*\s*ALWAYS_QUERY_HOSTNAME.*$'
line: 'ALWAYS_QUERY_HOSTNAME=true'

32
roles/baseconfig/templates/apt/sources.list Normal file
View file

@ -0,0 +1,32 @@
# /etc/apt/sources.list
# Deployed with Aurore Ansible !
{# #}
{# Default mirror #}
{% if debian_mirror is not defined %}
{% set debian_mirror = 'http://ftp.fr.debian.org/debian' %}
{% endif %}
{# #}
{# Default security mirror #}
{% if debian_security_mirror is not defined %}
{% set debian_security_mirror = 'http://security.debian.org' %}
{% endif %}
{# #}
{# Default components #}
{% if debian_components is not defined %}
{% set debian_components = 'main contrib' %}
{% endif %}
# Classic updates
deb {{ debian_mirror }} {{ ansible_distribution_release }} {{ debian_components }}
# Frequent updates
deb {{ debian_mirror }} {{ ansible_distribution_release }}-updates {{ debian_components }}
# Security updates
deb {{ debian_security_mirror }} {{ ansible_distribution_release }}/updates {{ debian_components }}
{% if debian_backport is defined and debian_backport %}
# Backports
deb {{ debian_security_mirror }} {{ ansible_distribution_release }}-backports {{ debian_components }}
{% endif %}

1
roles/dokuwiki

@ -1 +0,0 @@
Subproject commit 09558fca2433a9ebda515f790500305ebcd8484d

13
roles/dokuwiki/README.md Normal file
View file

@ -0,0 +1,13 @@
# Rôle baseconfig
Ce rôle Ansible permet d'installer DokuWiki avec un serveur Apache et PHP7.
Il doit être exécuté en tant que super-utilisateur
(option `-b` pour `--become`).
## Migration future à Buster
Actuellement le paquet DokuWiki est pinné sur Debian Buster.
Quand il sera sorti et que l'on passera dessus on pourra supprimer la
majorité des tâches de ce rôle.

24
roles/dokuwiki/tasks/main.yml Normal file
View file

@ -0,0 +1,24 @@
---
# For DokuWiki package
- name: Configure Debian Buster mirrors
when: ansible_distribution == 'Debian' and ansible_distribution_release == 'stretch'
template:
src: 'apt/buster.list'
dest: '/etc/apt/sources.list.d/buster.list'
mode: 0644
# For DokuWiki package
- name: Configure DokuWiki pin
when: ansible_distribution == 'Debian' and ansible_distribution_release == 'stretch'
template:
src: 'apt/dokuwiki'
dest: '/etc/apt/preferences.d/dokuwiki'
mode: 0644
# Install
- name: Install DokuWiki
apt:
name: dokuwiki
state: present
update_cache: yes

11
roles/dokuwiki/templates/apt/buster.list Normal file
View file

@ -0,0 +1,11 @@
# /etc/apt/sources.list.d/buster.list
# Deployed with Aurore Ansible !
{# #}
{# Default mirror #}
{% if debian_mirror is not defined %}
{% set debian_mirror = 'http://ftp.fr.debian.org/debian' %}
{% endif %}
deb {{ debian_mirror }} buster main
deb-src {{ debian_mirror }} buster main

11
roles/dokuwiki/templates/apt/dokuwiki Normal file
View file

@ -0,0 +1,11 @@
# /etc/apt/preferences.d/dokuwiki
# Deployed with Aurore Ansible !
Package: *
Pin: release n=stretch*
Pin-Priority: 990
Package: dokuwiki
Pin: release n=buster
Pin-Priority: 990

1
roles/etherpad

@ -1 +0,0 @@
Subproject commit 4a621d81d23f14e6f5efc2b55e0a16df6c7c38f9

7
roles/etherpad/README.md Normal file
View file

@ -0,0 +1,7 @@
# Rôle EtherPad
Ce rôle Ansible permet d'installer EtherPad.
Il doit être exécuté en tant que super-utilisateur
(option `-b` pour `--become`).

5
roles/etherpad/handlers/main.yml Normal file
View file

@ -0,0 +1,5 @@
---
# Reload systemd daemons when a service file changes
- name: Reload systemd daemons
command: systemctl daemon-reload

22
roles/etherpad/tasks/0_apt_dependencies.yml Normal file
View file

@ -0,0 +1,22 @@
---
# For NodeJS package
- name: Configure NodeJS pin
when: ansible_distribution == 'Debian' and ansible_distribution_release == 'stretch'
template:
src: 'apt/nodejs'
dest: '/etc/apt/preferences.d/nodejs'
mode: 0644
# Install EtherPad dependencies
- name: Install required packages
apt:
name: "{{ item }}"
state: present
update_cache: yes
with_items:
- build-essential
- curl
- git
- nodejs
- npm

27
roles/etherpad/tasks/1_user_group.yml Normal file
View file

@ -0,0 +1,27 @@
---
# Security #1
- name: Create EtherPad system group
group:
name: etherpad
system: yes
state: present
# Security #2
- name: Create EtherPad user
user:
name: etherpad
group: etherpad
home: '/var/local/etherpad'
comment: EtherPad
system: yes
state: present
# Security #3
- name: Secure Etherpad home directory
file:
path: '/var/local/etherpad'
state: directory
owner: etherpad
group: etherpad
mode: 0750

60
roles/etherpad/tasks/main.yml Normal file
View file

@ -0,0 +1,60 @@
---
# Install APT dependencies
- include_tasks: 0_apt_dependencies.yml
# Create EtherPad user and group
- include_tasks: 1_user_group.yml
# Download EtherPad
- name: Clone EtherPad project
git:
repo: 'https://github.com/ether/etherpad-lite.git'
dest: '/var/local/etherpad/etherpad-lite'
version: master
become: true
become_user: etherpad
# Installation script
# TODO: move this in a handler
- name: Install Etherpad dependencies
command: bin/installDeps.sh
args:
chdir: '/var/local/etherpad/etherpad-lite'
become: true
become_user: etherpad
# Configuration
- name: Configure EtherPad
lineinfile:
dest: '/var/local/etherpad/etherpad-lite/settings.json'
regexp: '^\s*"{{ item.key }}"'
line: "{{ item.value }}"
with_dict:
title: " \"title\": \"Etherpad Aurore\","
dbType: " \"dbType\" : \"postgres\","
defaultPadText: " \"defaultPadText\" : \"Bienvenue sur l'EtherPad d'Aurore !\\n\\nCe pad est synchronisé avec les autres utilisateur·rice·s présent·e·s sur cette page.\\n\","
lang: " \"lang\": \"fr-fr\""
# Service file
- name: Install EtherPad systemd unit
template:
src: 'systemd/etherpad-lite.service.j2'
dest: '/etc/systemd/system/etherpad-lite.service'
owner: root
group: root
mode: 0644
notify: Reload systemd daemons
# Run
- name: Ensure that EtherPad is started
service:
name: etherpad-lite
state: started
enabled: True
# La configuration de la clé `dbSettings` n'est pas encore automatisé !
# TODO-list
# * Configure admin user, logs
# Plugins : https://framacloud.org/fr/cultiver-son-jardin/etherpad.html#concernant-framapad

7
roles/etherpad/templates/apt/nodejs Normal file
View file

@ -0,0 +1,7 @@
# /etc/apt/preferences.d/dokuwiki
# Deployed with Aurore Ansible !
Package: node* libuv1*
Pin: release a=stretch-backports
Pin-Priority: 600

19
roles/etherpad/templates/systemd/etherpad-lite.service.j2 Normal file
View file

@ -0,0 +1,19 @@
# /etc/systemd/system/etherpad-lite.service
# Deployed with Aurore Ansible !
[Unit]
Description=Etherpad-lite, the collaborative editor.
After=syslog.target network-online.target mysql.service postgresql.service
Conflicts=shutdown.target
[Service]
Type=simple
User=etherpad
Group=etherpad
WorkingDirectory=/var/local/etherpad/etherpad-lite
ExecStart=/usr/bin/nodejs /var/local/etherpad/etherpad-lite/node_modules/ep_etherpad-lite/node/server.js
Restart=always
[Install]
WantedBy=multi-user.target

1
roles/ldap-client

@ -1 +0,0 @@
Subproject commit f6dbb1d53fe8f81fabf0e0a6101bc54473d9abd3

7
roles/ldap-client/README.md Normal file
View file

@ -0,0 +1,7 @@
# Rôle LDAP client
Ce rôle Ansible a pour but de mettre en place l'authentification
sur un serveur par LDAP.
Il doit être exécuté en tant que super-utilisateur
(option `-b` pour `--become`).

17
roles/ldap-client/handlers/main.yml Normal file
View file

@ -0,0 +1,17 @@
---
- name: Reconfigure libnss-ldapd package
command: 'dpkg-reconfigure libnss-ldapd -f noninteractive'
- name: Restart nslcd service
service:
name: nslcd
state: restarted
# Empty cache when nslcd is restarted
- name: Restart nscd service
service:
name: nscd
state: restarted
ignore_errors: true # Sometimes service do not exist
listen: 'Restart nslcd service'

41
roles/ldap-client/tasks/0_install_ldap.yml Normal file
View file

@ -0,0 +1,41 @@
---
# Install LDAP client packages
- name: Install LDAP client packages
apt:
name: "{{ item }}"
state: present
update_cache: yes
with_items:
- nslcd
- libnss-ldapd
- libpam-ldapd
# Reduce LDAP load
# For the moment it is broken on Stretch when using PHP7.3
#- name: Install LDAP cache package
# apt:
# name: nscd
# state: present
# update_cache: yes
# Configure /etc/nslcd.conf
- name: Configure nslcd LDAP credentials
template:
src: nslcd.conf.j2
dest: /etc/nslcd.conf
mode: 0600
notify: 'Restart nslcd service'
# Configure /etc/nsswitch.conf
- name: Configure NSS to use LDAP
lineinfile:
dest: /etc/nsswitch.conf
regexp: "^{{ item.key }}:"
line: "{{ item.value }}"
with_dict:
passwd: 'passwd: files ldap'
group: 'group: files ldap'
shadow: 'shadow: files ldap'
sudoers: 'sudoers: files ldap'
notify: 'Restart nslcd service'

21
roles/ldap-client/tasks/1_group_security.yml Normal file
View file

@ -0,0 +1,21 @@
---
# Filter SSH on groups
- name: Filter SSH on groups
lineinfile:
dest: /etc/ssh/sshd_config
regexp: '^AllowGroups'
line: "AllowGroups root sudoldap aurore ssh"
# To gain root access with ldap rights
- name: Install SUDO package
package:
name: sudo
state: present
# Set sudo group
- name: Configure sudoers
lineinfile:
dest: /etc/sudoers
regexp: "^%{{ sudo_group }}"
line: "%{{ sudo_group }} ALL=(ALL:ALL) ALL"

18
roles/ldap-client/tasks/2_userland_scripts.yml Normal file
View file

@ -0,0 +1,18 @@
---
# Disable passwd and chsh
- name: Copy passwd and chsh scripts
template:
src: "{{ item }}"
dest: /usr/local/bin/
mode: 0755
with_items:
- 'chsh'
- 'passwd'
# We do not want password change this way
- name: Symlink chsh.ldap to chsh
file:
src: "/usr/local/bin/chsh"
dest: "/usr/local/bin/chsh.ldap"
state: link

25
roles/ldap-client/tasks/main.yml Normal file
View file

@ -0,0 +1,25 @@
---
# Install and configure main LDAP tools
- include_tasks: 0_install_ldap.yml
# Filter who can access server and sudo on groups
- include_tasks: 1_group_security.yml
# Some userland scripts specific to LDAP install
- include_tasks: 2_userland_scripts.yml
# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=568577
- name: Ensure home directories are created upon login
lineinfile:
dest: /etc/pam.d/common-account
regexp: 'pam_mkhomedir\.so'
line: "session required pam_mkhomedir.so skel=/etc/skel/ umask=0077"
# If LDAP crashes
- name: Install SSH keys for root account
authorized_key:
user: root
key: "{{ ssh_pub_keys }}"
state: present
# exclusive: True

3
roles/ldap-client/templates/chsh Normal file
View file

@ -0,0 +1,3 @@
#!/bin/sh
echo "Pour changer votre shell,\nAllez sur l'intranet : {{intranet_url}}"

39
roles/ldap-client/templates/nslcd.conf.j2 Normal file
View file

@ -0,0 +1,39 @@
# /etc/nslcd.conf
# Deployed with Aurore Ansible !
# The user and group nslcd should run as.
uid nslcd
gid nslcd
# The location at which the LDAP server(s) should be reachable.
{% if ldap_local_replica_uri is defined %}
{% for uri in ldap_local_replica_uri %}
uri {{ uri }}
{% endfor %}
{% endif %}
uri {{ ldap_master_uri }}
# The search base that will be used for all queries.
base {{ ldap_base }}
base passwd cn=Utilisateurs,{{ ldap_base }}
base shadow cn=Utilisateurs,{{ ldap_base }}
base group ou=posix,ou=groups,{{ ldap_base }}
# The LDAP protocol version to use.
ldap_version 3
# The DN to bind with for normal lookups.
binddn {{ ldap_nslcd_bind_dn }}
bindpw {{ ldap_nslcd_passwd }}
# The DN used for password modifications by root.
#rootpwmoddn cn=admin,dc=example,dc=com
# SSL options
#ssl off
#tls_reqcert never
tls_cacertfile /etc/ssl/certs/ca-certificates.crt
# The search scope.
#scope sub

3
roles/ldap-client/templates/passwd Normal file
View file

@ -0,0 +1,3 @@
#!/bin/sh
echo "Pour changer votre mot de passe,\nAllez sur l'intranet : {{intranet_url}}"

1
roles/ldap-replica

@ -1 +0,0 @@
Subproject commit b1e548be79082a67574962323e30a14434b86ec0

10
roles/ldap-replica/README.md Normal file
View file

@ -0,0 +1,10 @@
# Rôle LDAP replica
Ce rôle Ansible a pour but de mettre en place un serveur de replication LDAP.
Il doit être exécuté en tant que super-utilisateur
(option `-b` pour `--become`).
DANGER ! Pour le moment il flushe le LDAP a chaque exécution à cause de la
façon dont l'installation de re2o se fait. Donc ne l'exécutez pas pour tester !

57
roles/ldap-replica/tasks/main.yml Normal file
View file

@ -0,0 +1,57 @@
---
# slapd is OpenLDAP server
- name: Install LDAP server
apt:
name: slapd
state: present
update_cache: yes
# What is written after is really not a nice way to install a schema
# because the LDAP is being flushed away always...
# This is a problem in re2o installation method that may be fixed in the future.
# Much nicer than install_re2o.sh way
- name: Build schema
template:
src: schema.ldiff.j2
dest: /etc/ldap/schema.ldiff
mode: 0600
# Downtime!
- name: Stop LDAP server
service: name=slapd state=stopped
# Cry a bit
- name: Remove old data
file: path={{ item }} state=absent
with_items:
- /etc/ldap/slapd.d
- /var/lib/ldap
# Cry a lot
- name: Recreate structure
file: path={{ item }} state=directory
with_items:
- /etc/ldap/slapd.d
- /var/lib/ldap
# Install schema as root
# We can't do a `become_user` here
- name: Install LDAP schema
command: 'slapadd -n 0 -l /etc/ldap/schema.ldiff -F /etc/ldap/slapd.d'
# then fix permissions
- name: Fix permissions
file:
path: "{{ item }}"
owner: openldap
group: openldap
recurse: yes
with_items:
- '/var/lib/ldap'
- '/etc/ldap/slapd.d'
# Save the day
- name: Start LDAP server
service: name=slapd state=started

1187
roles/ldap-replica/templates/schema.ldiff.j2 Normal file
View file

File diff suppressed because it is too large Load diff

1
roles/nginx-reverse-proxy

@ -1 +0,0 @@
Subproject commit 081384a08400e2c6c56fbb668756618e9b1b8024

7
roles/nginx-reverse-proxy/README.md Normal file
View file

@ -0,0 +1,7 @@
# Rôle du Reversed Proxy NGINX
Ce rôle Ansible a pour but de mettre en place un proxy inversé avec NGINX.
Il doit être exécuté en tant que super-utilisateur
(option `-b` pour `--become`).

7
roles/nginx-reverse-proxy/handlers/main.yml Normal file
View file

@ -0,0 +1,7 @@
---
# Reload NGINX when a site changes
- name: Reload NGINX service
service:
name: nginx
state: reloaded

33
roles/nginx-reverse-proxy/tasks/main.yml Normal file
View file

@ -0,0 +1,33 @@
---
# nginx is the proxy server
- name: Install NGINX server
apt:
name: nginx
state: present
update_cache: yes
# Install sites
- name: Configure NGINX sites
template:
src: nginx-sites-available.j2
dest: /etc/nginx/sites-available/{{ item.name }}
mode: 0644
loop: "{{ reversed_proxy_subdomains }}"
notify: Reload NGINX service
# Desactive useless nginx sites
- name: Deactivate the default NGINX site
file:
path: /etc/nginx/sites-enabled/default
state: absent
notify: Reload NGINX service
# Activate sites
- name: Activate sites
file:
src: /etc/nginx/sites-available/{{ item.name }}
dest: /etc/nginx/sites-enabled/{{ item.name }}
state: link
loop: "{{ reversed_proxy_subdomains }}"
notify: Reload NGINX service

46
roles/nginx-reverse-proxy/templates/nginx-sites-available.j2 Normal file
View file

@ -0,0 +1,46 @@
server {
server_name {{ item.from }};
include "snippets/proxy-common.conf";
location / {
return 302 https://$host$request_uri;
}
# On redirige tout ce qui concerne le challenge letsencrypt vers le meme dossier
# pour pouvoir utiliser le plugin webroot de letsencrypt
location /.well-known/acme-challenge {
alias /usr/share/nginx/html/.well-known/acme-challenge;
}
}
server {
include "snippets/proxy-common-ssl.conf";
server_name {{ item.from }};
# Separate log files
access_log /var/log/nginx/{{ item.name }}.access.log;
error_log /var/log/nginx/{{ item.name }}.error.log;
# Use LetsEncrypt SSL
ssl_certificate /etc/letsencrypt/live/auro.re/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/auro.re/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/auro.re/chain.pem;
location / {
proxy_redirect off;
proxy_pass http://{{ item.to }};
proxy_set_header Host {{ item.from }};
proxy_set_header P-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
# "A man is not dead while his name is still spoken." -- Going Postal
add_header X-Clacks-Overhead "GNU Terry Pratchett";
}
# On redirige tout ce qui concerne le challenge letsencrypt vers le meme dossier
# pour pouvoir utiliser le plugin webroot de letsencrypt
location /.well-known/acme-challenge {
alias /usr/share/nginx/html/.well-known/acme-challenge;
}
}