Merge pull request #1 from hellofresh/add-role

c4pone · web-flow · commit 39ba13797a9a · 2018-01-26T18:02:00.000+01:00
Add initial role files
diff --git a/.yamllint b/.yamllint
@@ -0,0 +1,13 @@
+extends: default
+
+rules:
+  braces:
+    max-spaces-inside: 1
+    level: error
+  brackets:
+    max-spaces-inside: 1
+    level: error
+  line-length: disable
+  # NOTE(retr0h): Templates no longer fail this lint rule.
+  #               Uncomment if running old Molecule templates.
+  # truthy: disable
diff --git a/LICENSE b/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2018 Anton Ustyuzhanin
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/README.md b/README.md
@@ -1 +1,45 @@
-# ansible-sssd-ldap
+sssd_ldap
+=========
+
+Install and configure sssd, nsswitch, pam and sshd to get user accounts from LDAP
+
+Requirements
+------------
+
+None
+
+Role Variables
+--------------
+
+You can override variables in your group_vars
+
+- `sssd_ldap_search_base: dc=example,dc=org`
+- `sssd_ldap_uri: ldap://example.org`
+- `sssd_ldap_default_bind_dn: cn=manager,dc=example,dc=org`
+- `sssd_ldap_default_authtok: bind_password`
+- `sssd_ldap_user_ssh_public_key: sshPublicKey`
+
+
+Dependencies
+------------
+
+None
+
+Example Playbook
+----------------
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+    - hosts: servers
+      roles:
+         - { role: sssd_ldap }
+
+License
+-------
+
+MIT
+
+Author Information
+------------------
+
+Anton Ustyuzhanin
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -0,0 +1,6 @@
+---
+sssd_ldap_search_base: dc=example,dc=org
+sssd_ldap_uri: ldap://example.org
+sssd_ldap_default_bind_dn: cn=manager,dc=example,dc=org
+sssd_ldap_default_authtok: bind_password
+sssd_ldap_user_ssh_public_key: sshPublicKey
diff --git a/files/pam_mkhomedir b/files/pam_mkhomedir
@@ -0,0 +1,7 @@
+Name: Create home directory on login
+Default: yes
+Priority: 900
+Session-Type: Additional
+Session:
+        required        pam_mkhomedir.so umask=0077 skel=/etc/skel
+
diff --git a/handlers/main.yml b/handlers/main.yml
@@ -0,0 +1,14 @@
+---
+# handlers file for sssd_ldap
+- name: restart sssd
+  service:
+    name: sssd
+    state: restarted
+
+- name: run pam auth update
+  shell: pam-auth-update --package
+
+- name: restart sshd
+  service:
+    name: "{{ sssd_ldap_ssh_service }}"
+    state: restarted
diff --git a/meta/main.yml b/meta/main.yml
@@ -0,0 +1,21 @@
+---
+galaxy_info:
+  author: antonu17
+  description: Anton Ustyuzhanin
+  company: HelloFresh
+
+  license: MIT
+
+  min_ansible_version: 1.2
+
+  platforms:
+    - name: Ubuntu
+      versions:
+        - xenial
+
+  galaxy_tags:
+    - sssd
+    - ldap
+    - ssh
+
+dependencies: []
diff --git a/molecule/.gitignore b/molecule/.gitignore
@@ -0,0 +1,5 @@
+*.pyc
+.cache
+.molecule
+pytestdebug.log
+__pycache__/
diff --git a/molecule/default/Dockerfile.j2 b/molecule/default/Dockerfile.j2
@@ -0,0 +1,9 @@
+# Molecule managed
+
+FROM {{ item.image }}
+
+RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get upgrade -y && apt-get install -y python sudo bash ca-certificates && apt-get clean; \
+    elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python2-dnf bash && dnf clean all; \
+    elif [ $(command -v yum) ]; then yum makecache fast && yum update -y && yum install -y python sudo yum-plugin-ovl bash && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \
+    elif [ $(command -v zypper) ]; then zypper refresh && zypper update -y && zypper install -y python sudo bash python-xml && zypper clean -a; \
+    elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates; fi
diff --git a/molecule/default/INSTALL.rst b/molecule/default/INSTALL.rst
@@ -0,0 +1,16 @@
+*******
+Install
+*******
+
+Requirements
+============
+
+* Docker Engine
+* docker-py
+
+Install
+=======
+
+.. code-block:: bash
+
+  $ sudo pip install docker-py
diff --git a/molecule/default/create.yml b/molecule/default/create.yml
@@ -0,0 +1,59 @@
+---
+- name: Create
+  hosts: localhost
+  connection: local
+  gather_facts: false
+  no_log: "{{ not lookup('env', 'MOLECULE_DEBUG') | bool }}"
+  vars:
+    molecule_file: "{{ lookup('env', 'MOLECULE_FILE') }}"
+    molecule_ephemeral_directory: "{{ lookup('env', 'MOLECULE_EPHEMERAL_DIRECTORY') }}"
+    molecule_scenario_directory: "{{ lookup('env', 'MOLECULE_SCENARIO_DIRECTORY') }}"
+    molecule_yml: "{{ lookup('file', molecule_file) | molecule_from_yaml }}"
+  tasks:
+    - name: Create Dockerfiles from image names
+      template:
+        src: "{{ molecule_scenario_directory }}/Dockerfile.j2"
+        dest: "{{ molecule_ephemeral_directory }}/Dockerfile_{{ item.image | regex_replace('[^a-zA-Z0-9_]', '_') }}"
+      with_items: "{{ molecule_yml.platforms }}"
+      register: platforms
+
+    - name: Discover local Docker images
+      docker_image_facts:
+        name: "molecule_local/{{ item.item.name }}"
+      with_items: "{{ platforms.results }}"
+      register: docker_images
+
+    - name: Build an Ansible compatible image
+      docker_image:
+        path: "{{ molecule_ephemeral_directory }}"
+        name: "molecule_local/{{ item.item.image }}"
+        dockerfile: "{{ item.item.dockerfile | default(item.invocation.module_args.dest) }}"
+        force: "{{ item.item.force | default(true) }}"
+      with_items: "{{ platforms.results }}"
+      when: platforms.changed or docker_images.results | map(attribute='images') | select('equalto', []) | list | count >= 0
+
+    - name: Create molecule instance(s)
+      docker_container:
+        name: "{{ item.name }}"
+        hostname: "{{ item.name }}"
+        image: "molecule_local/{{ item.image }}"
+        state: started
+        recreate: false
+        log_driver: syslog
+        command: "{{ item.command | default('bash -c \"while true; do sleep 10000; done\"') }}"
+        privileged: "{{ item.privileged | default(omit) }}"
+        volumes: "{{ item.volumes | default(omit) }}"
+        capabilities: "{{ item.capabilities | default(omit) }}"
+        ports: "{{ item.exposed_ports | default(omit) }}"
+      register: server
+      with_items: "{{ molecule_yml.platforms }}"
+      async: 7200
+      poll: 0
+
+    - name: Wait for instance(s) creation to complete
+      async_status:
+        jid: "{{ item.ansible_job_id }}"
+      register: docker_jobs
+      until: docker_jobs.finished
+      retries: 300
+      with_items: "{{ server.results }}"
diff --git a/molecule/default/destroy.yml b/molecule/default/destroy.yml
@@ -0,0 +1,27 @@
+---
+- name: Destroy
+  hosts: localhost
+  connection: local
+  gather_facts: false
+  no_log: "{{ not lookup('env', 'MOLECULE_DEBUG') | bool }}"
+  vars:
+    molecule_file: "{{ lookup('env', 'MOLECULE_FILE') }}"
+    molecule_yml: "{{ lookup('file', molecule_file) | molecule_from_yaml }}"
+  tasks:
+    - name: Destroy molecule instance(s)
+      docker_container:
+        name: "{{ item.name }}"
+        state: absent
+        force_kill: "{{ item.force_kill | default(true) }}"
+      register: server
+      with_items: "{{ molecule_yml.platforms }}"
+      async: 7200
+      poll: 0
+
+    - name: Wait for instance(s) deletion to complete
+      async_status:
+        jid: "{{ item.ansible_job_id }}"
+      register: docker_jobs
+      until: docker_jobs.finished
+      retries: 300
+      with_items: "{{ server.results }}"
diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml
@@ -0,0 +1,22 @@
+---
+dependency:
+  name: galaxy
+driver:
+  name: docker
+lint:
+  name: yamllint
+platforms:
+  - name: instance
+    image: ubuntu:xenial
+provisioner:
+  name: ansible
+  lint:
+    name: ansible-lint
+    options:
+      x: ANSIBLE0013
+scenario:
+  name: default
+verifier:
+  name: testinfra
+  lint:
+    name: flake8
diff --git a/molecule/default/playbook.yml b/molecule/default/playbook.yml
@@ -0,0 +1,5 @@
+---
+- name: Converge
+  hosts: all
+  roles:
+    - role: ansible-role-sssd_ldap
diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml
@@ -0,0 +1,5 @@
+---
+- name: Prepare
+  hosts: all
+  gather_facts: false
+  tasks: []
diff --git a/molecule/default/tests/test_default.py b/molecule/default/tests/test_default.py
@@ -0,0 +1,14 @@
+import os
+
+import testinfra.utils.ansible_runner
+
+testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
+    os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all')
+
+
+def test_hosts_file(host):
+    f = host.file('/etc/hosts')
+
+    assert f.exists
+    assert f.user == 'root'
+    assert f.group == 'root'
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -0,0 +1,21 @@
+---
+# tasks file for sssd_ldap
+- name: gather os specific variables
+  include_vars: "{{ item }}"
+  with_first_found:
+    - "{{ ansible_distribution|lower }}-{{ ansible_distribution_version }}.yml"
+    - "{{ ansible_distribution|lower }}-{{ ansible_distribution_release }}.yml"
+    - "{{ ansible_distribution|lower }}.yml"
+    - "{{ ansible_os_family|lower }}.yml"
+    - defaults.yml
+  tags: vars
+
+- import_tasks: packages.yml
+
+- import_tasks: sssd.yml
+
+- import_tasks: nsswitch.yml
+
+- import_tasks: pamd.yml
+
+- import_tasks: sshd.yml
diff --git a/tasks/nsswitch.yml b/tasks/nsswitch.yml
@@ -0,0 +1,14 @@
+---
+- name: sssd_ldap | nsswitch | enable sss
+  replace:
+    dest: /etc/nsswitch.conf
+    regexp: '^({{ item }}(?!.*\bsss\b).*)$'
+    replace: '\1 sss'
+    backup: yes
+  with_items:
+    - passwd
+    - group
+    - shadow
+    - services
+    - netgroup
+    - sudoers
diff --git a/tasks/packages.yml b/tasks/packages.yml
@@ -0,0 +1,6 @@
+---
+- name: sssd_ldap | packages | install packages
+  package:
+    name: "{{ item }}"
+    state: present
+  with_items: "{{ sssd_ldap_packages }}"
diff --git a/tasks/pamd.yml b/tasks/pamd.yml
@@ -0,0 +1,8 @@
+---
+- name: sssd_ldap | pamd | add pam_mkhomedir for Debian machines
+  copy:
+    src: pam_mkhomedir
+    dest: /usr/share/pam-configs/sssd_mkhomedir
+  when: ansible_os_family == "Debian"
+  notify:
+    - run pam auth update
diff --git a/tasks/sshd.yml b/tasks/sshd.yml
@@ -0,0 +1,14 @@
+---
+- name: sssd_ldap | sshd | enable authorized keys lookup script
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    line: 'AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys'
+  notify:
+    - restart sshd
+
+- name: sssd_ldap | sshd | make authorized keys lookup script run as nobody
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    line: 'AuthorizedKeysCommandUser nobody'
+  notify:
+    - restart sshd
diff --git a/tasks/sssd.yml b/tasks/sssd.yml
@@ -0,0 +1,11 @@
+---
+- name: sssd_ldap | configure sssd
+  template:
+    src: sssd.conf.j2
+    dest: /etc/sssd/sssd.conf
+    mode: 0600
+    backup: yes
+    owner: root
+    group: root
+  notify:
+    - restart sssd
diff --git a/templates/sssd.conf.j2 b/templates/sssd.conf.j2
diff --git a/vars/main.yml b/vars/main.yml
diff --git a/vars/ubuntu.yml b/vars/ubuntu.yml
