
---
# Copyright (C) 2019-2020 Maciej Delmanowski <drybjed@gmail.com>
# Copyright (C) 2021 David Härdeman <david@hardeman.nu>
# Copyright (C) 2019-2021 DebOps <https://debops.org/>
# SPDX-License-Identifier: GPL-3.0-only
# This playbook can be used to bootstrap a new Debian/Ubuntu host for use in an
# LDAP environment. It will automatically enable LDAP support and prepare
# secure access to the LDAP directory, including PAM/NSS and SSH key lookups.
#
# The configuration applied by this playbook is minimal, just enough to be able
# to login via SSH using information gathered from LDAP. You should apply the
# DebOps 'common.yml' playbook on a host afterwards to complete the initial
# configuration, for example firewall/TCP Wrappers setup.
#
# Note that this playbook is an alternative to the bootstrap-ldap playbook,
# which sets up the target system with nslcd/nscd integration; this playbook
# relies on sssd instead, but should otherwise be identical.
#
# Usage:
# To connect directly as root, run:
#
# debops bootstrap-sss -u root -k --limit host
#
# To connect as normal user and switch to sudo, run:
#
# debops bootstrap-sss --become --limit host
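- name: Bootstrap Python support on a host
  collections: [ 'debops.debops', 'debops.roles01',
                 'debops.roles02', 'debops.roles03' ]
  hosts: [ 'debops_all_hosts', 'debops_service_bootstrap' ]
  strategy: linear
  # Fact gathering needs a Python interpreter on the target, which is exactly
  # what this play installs, so it has to stay disabled here.
  gather_facts: false
  # Privilege escalation is set in the play itself; installing packages on the
  # target requires root.
  become: true

  tasks:

    # The 'main_raw' task file of the 'python' role is used because regular
    # modules cannot run before a Python interpreter is present.
    - name: Initialize Ansible support via raw tasks
      ansible.builtin.import_role:
        name: 'python'
        tasks_from: 'main_raw'
      tags: [ 'role::python_raw', 'skip::python_raw', 'role::python' ]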
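- name: Bootstrap APT configuration on a host
  collections: [ 'debops.debops', 'debops.roles01',
                 'debops.roles02', 'debops.roles03' ]
  hosts: [ 'debops_all_hosts', 'debops_service_bootstrap' ]
  # Facts are gathered here (the default) now that the previous play has
  # provided a Python interpreter on the target.
  become: true
  # Environment variables defined in the inventory are exported to every task
  # in this play. Host-level variables override group-level ones, which in
  # turn override the global ones, because each later 'combine()' wins on
  # conflicting keys.
  environment: '{{ inventory__environment | d({})
                   | combine(inventory__group_environment | d({}))
                   | combine(inventory__host_environment | d({})) }}'

  roles:

    - role: apt_proxy
      tags: [ 'role::apt_proxy', 'skip::apt_proxy' ]

    - role: apt
      tags: [ 'role::apt', 'skip::apt' ]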
- name: Apply core configuration
  # The shared DebOps core plays run between the APT bootstrap above and the
  # LDAP-specific play that follows.
  import_playbook: 'service/core.yml'
- name: Bootstrap host for Ansible management with LDAP
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debops_all_hosts', 'debops_service_bootstrap' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
vars:
# Automatically enable LDAP support on new hosts
ldap__enabled: True
pre_tasks:
- name: Prepare pki environment
ansible.builtin.import_role:
name: 'pki'
tasks_from: 'main_env'
tags: [ 'role::pki', 'role::pki:secret', 'role::secret' ]
- name: Prepare sshd environment
ansible.builtin.import_role:
name: 'sshd'
tasks_from: 'main_env'
tags: [ 'role::sshd', 'role::ldap' ]
roles:
- role: resolved
tags: [ 'role::resolved', 'skip::resolved' ]
- role: python
tags: [ 'role::python', 'skip::python', 'role::netbase', 'role::ldap' ]
python__dependent_packages3:
- '{{ netbase__python__dependent_packages3 }}'
- '{{ ldap__python__dependent_packages3 }}'
python__dependent_packages2:
- '{{ netbase__python__dependent_packages2 }}'
- '{{ ldap__python__dependent_packages2 }}'
- role: netbase
tags: [ 'role::netbase', 'skip::netbase' ]
- role: secret
tags: [ 'role::secret', 'role::pki', 'role::pki:secret' ]
secret_directories:
- '{{ pki_env_secret_directories }}'
- role: fhs
tags: [ 'role::fhs', 'skip::fhs' ]
- role: apt_preferences
tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
apt_preferences__dependent_list:
- '{{ etckeeper__apt_preferences__dependent_list }}'
- '{{ yadm__apt_preferences__dependent_list }}'
- role: etckeeper
tags: [ 'role::etckeeper', 'skip::etckeeper' ]
- role: cron
tags: [ 'role::cron', 'skip::cron' ]
- role: atd
tags: [ 'role::atd', 'skip::atd' ]
- role: dhparam
tags: [ 'role::dhparam', 'skip::dhparam' ]
- role: pki
tags: [ 'role::pki', 'skip::pki' ]
- role: machine
tags: [ 'role::machine', 'skip::machine' ]
# LDAP client initialization should be done separately to prepare local
# facts for other roles to use in configuration.
- role: ldap
tags: [ 'role::ldap', 'skip::ldap' ]
- role: ldap
tags: [ 'role::ldap', 'skip::ldap' ]
ldap__dependent_tasks:
- '{{ sudo__ldap__dependent_tasks }}'
- '{{ sshd__ldap__dependent_tasks }}'
- '{{ sssd__ldap__dependent_tasks }}'
- role: sssd
tags: [ 'role::sssd', 'skip::sssd' ]
when: ansible_local.ldap.posix_enabled | d() | bool
- role: keyring
tags: [ 'role::keyring', 'skip::keyring', 'role::yadm' ]
keyring__dependent_gpg_keys:
- '{{ yadm__keyring__dependent_gpg_keys }}'
- role: yadm
tags: [ 'role::yadm', 'skip::yadm' ]
- role: sudo
tags: [ 'role::sudo', 'skip::sudo', 'role::system_groups' ]
sudo__dependent_sudoers:
- '{{ sshd__sudo__dependent_sudoers }}'
# The 'sudo' APT package modifies '/etc/nsswitch.conf' by itself, running
# this role after 'debops.sudo' role skips additional changes done in the
# configuration later on.
- role: nsswitch
tags: [ 'role::nsswitch', 'skip::nsswitch' ]
nsswitch__dependent_services:
- '{{ sssd__nsswitch__dependent_services }}'
- role: libuser
tags: [ 'role::libuser', 'skip::libuser' ]
- role: system_groups
tags: [ 'role::system_groups', 'skip::system_groups' ]
- role: system_users
tags: [ 'role::system_users', 'skip::system_users' ]
- role: pam_access
tags: [ 'role::pam_access', 'skip::pam_access' ]
pam_access__dependent_rules:
- '{{ sshd__pam_access__dependent_rules }}'
- role: sshd
tags: [ 'role::sshd', 'skip::sshd' ]