dustin
/
configpolicy
1
1
Fork 0
Code Issues Releases Activity
configpolicy/roles/samba-dc/tasks/main.yml

268 lines
6.3 KiB
YAML
Raw Blame History

- name: load distribution-specific values
include_vars: '{{ item }}'
with_first_found:
- '{{ ansible_distribution }}.yml'
- defaults.yml
tags:
- always
- name: ensure packages are installed
package:
name={{ samba_dc_packages|join(',') }}
state=present
tags:
- install
- name: ensure bind9 dlz plugin is configured
include_tasks: bind9-dlz.yml
when: samba_dc_dns_backend|d == 'BIND9_DLZ'
- name: ensure kerberos is configured
template:
src=krb5.conf.j2
dest=/etc/krb5.conf.d/samba.conf
- name: ensure domain is provisioned
samba_domain:
realm={{ krb5_realm }}
domain={{ netbios_domain|d(omit) }}
use_rfc2307={{ samba_dc_use_rfc2307 }}
dns_backend={{ samba_dc_dns_backend|d(omit) }}
username={{ samba_dc_join_username|d(omit) }}
password={{ samba_dc_join_password|d(omit) }}
state={{ 'provisioned' if samba_is_first_dc else 'joined' }}
register: samba_dc_provision
notify:
- restore samba file contexts
- display generated admin password
- sync sysvol
tags:
- provision-domain
- name: ensure samba certificate is installed
copy:
src={{ item }}
dest={{ samba_tls_certfile }}
mode=0644
with_fileglob:
- certs/samba/{{ inventory_hostname }}/samba.cer
notify: restart samba
- name: ensure samba certificate private key is installed
copy:
src={{ item }}
dest={{ samba_tls_keyfile }}
mode=0600
with_fileglob:
- certs/samba/{{ inventory_hostname }}/samba.key
notify: restart samba
- name: ensure samba ca certificate is installed
copy:
src={{ item }}
dest={{ samba_tls_cafile }}
mode=0644
with_fileglob:
- certs/samba/{{ inventory_hostname }}/samba-ca.crt
when: samba_tls_cafile is defined
notify: restart samba
- name: ensure smb.conf is configured
template:
src=smb.conf.j2
dest=/etc/samba/smb.conf
mode=0644
notify: restart samba
- name: ensure samba systemd unit extension directory exists
file:
path=/etc/systemd/system/samba.service.d
mode=0755
state=directory
tags:
- systemd
- name: ensure samba service auto restart is configurd
copy:
src: auto-restart.conf
dest: /etc/systemd/system/samba.service.d
owner: root
group: root
mode: u=rw,go=r
notify:
- reload systemd
- restart samba
tags:
- systemd
- name: ensure samba starts at boot
service:
name=samba
enabled=yes
- name: ensure sysvolsync ssh key exists
openssh_keypair:
type: ed25519
comment: '{{ inventory_hostname }}'
path: /var/lib/samba/private/sysvolsync.key
owner: root
group: root
mode: u=r,go=
state: present
register: sysvolsync_key
tags:
- sysvolsync
- name: ensure sysvolsync key is trusted on other domain controllers
delegate_to: '{{ item }}'
authorized_key:
user: root
path: /root/.ssh/authorized_keys_sysvolsync
key: >-
{{ sysvolsync_key.public_key }}
key_options: command="/usr/local/libexec/sysvolsync-server"
state: present
# openssh_keypair module doesn't return public_key in check mode
when: not ansible_check_mode
loop: '{{ groups["samba-dc"] }}'
tags:
- sysvolsync
- name: ensure sysvolsync cache directory exists
file:
path: /var/cache/sysvolsync
mode: u=rwx,go=rx
state: directory
tags:
- sysvolsync
- name: ensure sysvolsync ssh host key database is populated
template:
src: sysvolsync.ssh_known_hosts.j2
dest: /var/cache/sysvolsync/ssh_known_hosts
mode: u=rw,go=r
tags:
- sysvolsync
- ssh_known_hosts
- name: ensure sysvolsync script is installed
copy:
src: sysvolsync.sh
dest: /usr/local/sbin/sysvolsync
mode: u=rwx,go=rx
notify:
- restart sysvolsync.timer
tags:
- sysvolsync
- name: ensure sysvolsync systemd units are installed
copy:
src: '{{ item }}'
dest: /etc/systemd/system
mode: u=rw,go=r
loop:
- sysvolsync.service
- sysvolsync.timer
notify:
- reload systemd
- restart sysvolsync.timer
tags:
- sysvolsync
- systemd
- name: ensure sysvolsync timer unit is enabled
systemd:
name: sysvolsync.timer
enabled: true
tags:
- sysvolsync
- service
- name: ensure sysvolsync timer unit is running
systemd:
name: sysvolsync.timer
state: started
tags:
- sysvolsync
- service
- name: ensure sysvolsync-server script is installed
copy:
src: sysvolsync-server.sh
dest: /usr/local/libexec/sysvolsync-server
mode: u=rwx,go=rx
tags:
- sysvolsync
- name: ensure sshd is configured for sysvolsync
copy:
src: sysvolsync.sshd.conf
dest: /etc/ssh/sshd_config.d/80-sysvolsync.conf
mode: u=rw,go=r
notify:
- reload sshd
tags:
- sysvolsync
- name: ensure idmap-backup systemd units are installed
copy:
src: '{{ item }}'
dest: /etc/systemd/system/
mode: u=rw,go=r
loop:
- idmap-backup.service
- idmap-backup.timer
notify:
- reload systemd
- restart idmap-backup.timer
tags:
- idmap-backup
- systemd
- name: ensure idmap-backup timer unit is enabled
systemd:
name: idmap-backup.timer
enabled: true
tags:
- idmap-backup
- service
- name: ensure idmap-backup timer unit is running
systemd:
name: idmap-backup.timer
state: started
tags:
- idmap-backup
- service
- name: flush_handlers
meta: flush_handlers
- name: ensure samba is running
service:
name=samba
state=started
- name: ensure firewall is configured for samba
firewalld:
service={{ item if '/' not in item else omit }}
port={{ item if '/' in item else omit }}
state=enabled
permanent=no
immediate=yes
with_items: '{{ samba_firewall }}'
notify: save firewalld configuration
when: host_users_firewalld|d(true)|bool
tags:
- firewalld
# Samba maintains a host keytab at /var/lib/samba/private/secrets.keytab,
# however it uses HOST/<fqdn> instead of host/<fqdn> SPNs. mit-krb5 seems to
# treat SPNs case-sensitively, breaking SSH GSSAPI authentication.
#
# It is likely that this keytab will become state, as domain controller account
# keys may rotate. Hopefully, I will find a better way to manage this at some
# point.
- name: ensure host keytab exists
command: >-
samba-tool domain exportkeytab /etc/krb5.keytab
--principal=host/{{ ansible_fqdn }}
creates=/etc/krb5.keytab
- name: ensure logroate is configured for samba kdc
copy:
src: krb5kdc.logrotate.conf
dest: /etc/logrotate.d/krb5kdc
mode: u=rw,go=r
tags:
- logrotate
Reference in New Issue View Git Blame Copy Permalink