--- # Copyright (C) 2019-2020 Maciej Delmanowski # Copyright (C) 2021 David Härdeman # Copyright (C) 2019-2021 DebOps # SPDX-License-Identifier: GPL-3.0-only # This playbook can be used to bootstrap new Debian/Ubuntu host to be used with # LDAP environment. It will automatically enable LDAP support and prepare # secure access to the LDAP directory, including PAM/NSS and SSH key lookups. # # The configuration applied by this playbook is minimal, just enough to be able # to login via SSH using information gathered from LDAP. You should apply the # DebOps 'common.yml' playbook on a host afterwards to complete the initial # configuration, for example firewall/TCP Wrappers setup. # # Note that this playbook is an alternative to the bootstrap-ldap playbook, # which sets up the target system with nslcd/nscd integration, whereas this # playbook instead relies on sssd (but should otherwise be identical). # # Usage: # To connect directly as root, run: # # debops bootstrap-sss -u root -k --limit host # # To connect as normal user and switch to sudo, run: # # debops bootstrap-sss --become --limit host - name: Bootstrap Python support on a host collections: [ 'debops.debops', 'debops.roles01', 'debops.roles02', 'debops.roles03' ] hosts: [ 'debops_all_hosts', 'debops_service_bootstrap' ] strategy: linear gather_facts: False become: True tasks: - name: Initialize Ansible support via raw tasks ansible.builtin.import_role: name: 'python' tasks_from: 'main_raw' tags: [ 'role::python_raw', 'skip::python_raw', 'role::python' ] - name: Bootstrap APT configuration on a host collections: [ 'debops.debops', 'debops.roles01', 'debops.roles02', 'debops.roles03' ] hosts: [ 'debops_all_hosts', 'debops_service_bootstrap' ] become: True environment: '{{ inventory__environment | d({}) | combine(inventory__group_environment | d({})) | combine(inventory__host_environment | d({})) }}' roles: - role: apt_proxy tags: [ 'role::apt_proxy', 'skip::apt_proxy' ] - role: apt tags: [ 'role::apt', 'skip::apt' ] - name: Apply core configuration import_playbook: 'service/core.yml' - name: Bootstrap host for Ansible management with LDAP collections: [ 'debops.debops', 'debops.roles01', 'debops.roles02', 'debops.roles03' ] hosts: [ 'debops_all_hosts', 'debops_service_bootstrap' ] become: True environment: '{{ inventory__environment | d({}) | combine(inventory__group_environment | d({})) | combine(inventory__host_environment | d({})) }}' vars: # Automatically enable LDAP support on new hosts ldap__enabled: True pre_tasks: - name: Prepare pki environment ansible.builtin.import_role: name: 'pki' tasks_from: 'main_env' tags: [ 'role::pki', 'role::pki:secret', 'role::secret' ] - name: Prepare sshd environment ansible.builtin.import_role: name: 'sshd' tasks_from: 'main_env' tags: [ 'role::sshd', 'role::ldap' ] roles: - role: resolved tags: [ 'role::resolved', 'skip::resolved' ] - role: python tags: [ 'role::python', 'skip::python', 'role::netbase', 'role::ldap' ] python__dependent_packages3: - '{{ netbase__python__dependent_packages3 }}' - '{{ ldap__python__dependent_packages3 }}' python__dependent_packages2: - '{{ netbase__python__dependent_packages2 }}' - '{{ ldap__python__dependent_packages2 }}' - role: netbase tags: [ 'role::netbase', 'skip::netbase' ] - role: secret tags: [ 'role::secret', 'role::pki', 'role::pki:secret' ] secret_directories: - '{{ pki_env_secret_directories }}' - role: fhs tags: [ 'role::fhs', 'skip::fhs' ] - role: apt_preferences tags: [ 'role::apt_preferences', 'skip::apt_preferences' ] apt_preferences__dependent_list: - '{{ etckeeper__apt_preferences__dependent_list }}' - '{{ yadm__apt_preferences__dependent_list }}' - role: etckeeper tags: [ 'role::etckeeper', 'skip::etckeeper' ] - role: cron tags: [ 'role::cron', 'skip::cron' ] - role: atd tags: [ 'role::atd', 'skip::atd' ] - role: dhparam tags: [ 'role::dhparam', 'skip::dhparam' ] - role: pki tags: [ 'role::pki', 'skip::pki' ] - role: machine tags: [ 'role::machine', 'skip::machine' ] # LDAP client initialization should be done separately to prepare local # facts for other roles to use in configuration. - role: ldap tags: [ 'role::ldap', 'skip::ldap' ] - role: ldap tags: [ 'role::ldap', 'skip::ldap' ] ldap__dependent_tasks: - '{{ sudo__ldap__dependent_tasks }}' - '{{ sshd__ldap__dependent_tasks }}' - '{{ sssd__ldap__dependent_tasks }}' - role: sssd tags: [ 'role::sssd', 'skip::sssd' ] when: ansible_local.ldap.posix_enabled | d() | bool - role: keyring tags: [ 'role::keyring', 'skip::keyring', 'role::yadm' ] keyring__dependent_gpg_keys: - '{{ yadm__keyring__dependent_gpg_keys }}' - role: yadm tags: [ 'role::yadm', 'skip::yadm' ] - role: sudo tags: [ 'role::sudo', 'skip::sudo', 'role::system_groups' ] sudo__dependent_sudoers: - '{{ sshd__sudo__dependent_sudoers }}' # The 'sudo' APT package modifies '/etc/nsswitch.conf' by itself, running # this role after 'debops.sudo' role skips additional changes done in the # configuration later on. - role: nsswitch tags: [ 'role::nsswitch', 'skip::nsswitch' ] nsswitch__dependent_services: - '{{ sssd__nsswitch__dependent_services }}' - role: libuser tags: [ 'role::libuser', 'skip::libuser' ] - role: system_groups tags: [ 'role::system_groups', 'skip::system_groups' ] - role: system_users tags: [ 'role::system_users', 'skip::system_users' ] - role: pam_access tags: [ 'role::pam_access', 'skip::pam_access' ] pam_access__dependent_rules: - '{{ sshd__pam_access__dependent_rules }}' - role: sshd tags: [ 'role::sshd', 'skip::sshd' ]