stackhpc · jovial · Sep 4, 2024 · Sep 12, 2024 · Sep 18, 2024 · jovial
@@ -58,4 +58,13 @@ roles/*
 !roles/squid/**
 !roles/tuned/
 !roles/tuned/**
-
+!roles/sssd/
+!roles/sssd/**
+!roles/kerberos/
+!roles/kerberos/**
+!roles/ldap/
+!roles/ldap/**
+!roles/cacerts/
+!roles/cacerts/**
+!roles/sshd/
+!roles/sshd/**
@@ -0,0 +1,25 @@
+---
+
+- hosts: login
+  vars:
+    keytab_dest_path: "{{ appliances_environment_root }}/files/{{ inventory_hostname }}/krb5.keytab"
+  tasks:
+    - name: Ensure output directory exists
+      file:
+        state: directory
+        path: "{{ keytab_dest_path | dirname }}"
+      run_once: true
+      delegate_to: localhost
+
+    - name: Slurp keytab
+      ansible.builtin.fetch:
+        src: /etc/krb5.keytab
+        dest: "{{ keytab_dest_path }}"
+        flat: yes
+      become: true
+      when: keytab_dest_path is not exists
+      notify: Remind to encrypt keytab
+  handlers:
+    - name: Remind to encrypt keytab
+      debug:
+        msg: "Please remember to encrypt {{ keytab_dest_path }}"
@@ -111,6 +111,22 @@
       register: sestatus
 
 # --- tasks after here require access to package repos ---
+- hosts: cacerts
+  tags: cacerts
+  gather_facts: false
+  tasks:
+    - name: Install custom cacerts
+      import_role:
+        name: cacerts
+
+- hosts: sshd
+  tags: sshd
+  gather_facts: false
+  tasks:
+    - name: Configure sshd
+      import_role:
+        name: sshd
+
 - hosts: squid
   tags: squid
   gather_facts: yes

@@ -34,6 +34,21 @@
         tasks_from: client-install.yml
       when: "'freeipa_client' in group_names"
 
+    - name: Configure kerberos
+      import_role:
+        tasks_from: install.yml
+        name: kerberos
+
+    - name: Configure ldap
+      import_role:
+        tasks_from: install.yml
+        name: ldap
+
+    - name: Configure SSSD
+      import_role:
+        tasks_from: install.yml
+        name: sssd
+
     # - import_playbook: filesystems.yml:
     - name: Install nfs packages
       dnf:

@@ -40,3 +40,39 @@
       import_role:
         name: freeipa
         tasks_from: users.yml
+
+- hosts: kerberos_client
+  tags:
+    - users
+    - kerberos
+    - kerberos_client
+  tasks:
+    - name: Configure kerberos
+      import_role:
+        # Fix me: Split install/configure
+        #tasks_from: ...
+        name: kerberos
+
+- hosts: ldap_client
+  tags:
+    - users
+    - ldap
+    - ldap_client
+  tasks:
+    - name: Configure ldap
+      import_role:
+        # Fix me: Split install/configure
+        #tasks_from: ...
+        name: ldap
+
+- hosts: sssd
+  tags:
+    - users
+    - sssd
+  become: yes
+  tasks:
+    - name: Configure SSSD
+      import_role:
+        # Fix me: Split install/configure
+        #tasks_from: ...
+        name: sssd
@@ -0,0 +1,9 @@
+---
+
+- name: Install dependencies
+  ansible.builtin.package:
+    name: "{{ item }}"
+    state: present
+  become: true
+  with_items:
+    - ca-certificates
@@ -0,0 +1,2 @@
+- import_tasks: install.yml
+- import_tasks: runtime.yml
@@ -0,0 +1,15 @@
+---
+
+- name: Copy all certificates
+  copy:
+    src: "{{ item }}"
+    dest: /etc/pki/ca-trust/source/anchors
+    owner: root
+    mode: 0644
+  with_fileglob:
+    - "{{ appliances_environment_root }}/cacerts"
+  become: true
+
+- name: Update trust store
+  command: update-ca-trust extract
+  become: true
diff --git a/ansible/roles/cacerts/tasks/validate.yml b/ansible/roles/cacerts/tasks/validate.yml
@@ -0,0 +1 @@
+---
@@ -0,0 +1,2 @@
+---
+kerberos_key_tab_path: "{{ appliances_environment_root }}/files/{{ inventory_hostname }}/krb5.keytab"
@@ -0,0 +1,12 @@
+---
+
+
+- name: Install dependencies
+  ansible.builtin.package:
+    name: "{{ item }}"
+    state: present
+  become: true
+  with_items:
+    - krb5-workstation
+    - krb5-libs
+    - realmd
@@ -0,0 +1,2 @@
+- import_tasks: install.yml
+- import_tasks: runtime.yml
@@ -0,0 +1,31 @@
+---
+
+- name: Assert that kerberos keytab exists
+  assert:
+    that: kerberos_key_tab_path is exists
+    # FIXME: make this non client specific
+    fail_msg: >-
+      Please enroll the node with:
+      sudo realm join --computer-ou OU=<Operating Unit>
+      --computer-name {{ inventory_hostname }} -v
+      -U swinst
+      --automatic-id-mapping=no << AD realm >>
+
+- name: Copy keytab into place
+  ansible.builtin.copy:
+    src: "{{ kerberos_key_tab_path }}"
+    dest: /etc/krb5.keytab
+    owner: root
+    group: root
+    mode: "0644"
+  become: true
+
+- name: Template configuration file
+  ansible.builtin.template:
+    src: "{{ appliances_environment_root }}/templates/krb5.conf.j2"
+    dest: /etc/krb5.conf
+    owner: root
+    group: root
+    mode: "0644"
+  become: true
+  register: kerberos_config
diff --git a/ansible/roles/kerberos/tasks/validate.yml b/ansible/roles/kerberos/tasks/validate.yml
@@ -0,0 +1 @@
+---
@@ -0,0 +1,11 @@
+---
+
+
+- name: Install dependencies
+  ansible.builtin.package:
+    name: "{{ item }}"
+    state: present
+  become: true
+  with_items:
+    - sssd-ldap
+    - openldap-clients
@@ -0,0 +1,2 @@
+- import_tasks: install.yml
+- import_tasks: runtime.yml
diff --git a/ansible/roles/ldap/tasks/runtime.yml b/ansible/roles/ldap/tasks/runtime.yml
@@ -0,0 +1 @@
+---
diff --git a/ansible/roles/ldap/tasks/validate.yml b/ansible/roles/ldap/tasks/validate.yml
@@ -0,0 +1 @@
+---
@@ -0,0 +1,2 @@
+# Whether or not to enable password login
+sshd_password_authentication: false
@@ -0,0 +1,5 @@
+- name: "Restart sshd"
+  service:
+    name: "sshd"
+    state: "restarted"
+  become: true
@@ -0,0 +1,9 @@
+---
+
+- name: Install dependencies
+  ansible.builtin.package:
+    name: "{{ item }}"
+    state: present
+  become: true
+  with_items:
+    - openssh-server
@@ -0,0 +1,2 @@
+- import_tasks: install.yml
+- import_tasks: runtime.yml
@@ -0,0 +1,12 @@
+---
+
+- name: Disallow SSH password authentication
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    regexp: "^PasswordAuthentication"
+    line: "PasswordAuthentication {{ 'yes' if sshd_password_authentication | bool else 'no' }}"
+    state: present
+    validate: sshd -t -f %s
+  notify:
+    - Restart sshd
+  become: true
diff --git a/ansible/roles/sshd/tasks/validate.yml b/ansible/roles/sshd/tasks/validate.yml
@@ -0,0 +1 @@
+---
@@ -0,0 +1,65 @@
+SSSD Role
+=========
+
+This is the ansible SSSD role commonly used to configure infrastructure and servers.
+It's very basic - just getting the authentication sources right for LDAP, and that's all.
+
+As such, it's typically paired with the nearby openldap role.
+
+Role Variables
+--------------
+
+The role takes one main config, sssd_config:
+
+      sssd_config:
+        'sssd':
+          'config_file_version': '2'
+          'debug_level': '5'
+          'reconnection_retries': '3'
+          'services': 'nss, pam'
+          'domains': 'cam'
+        'domain/example':
+          'auth_provider': 'ldap'
+          'ldap_id_use_start_tls': 'False'
+          'chpass_provider': 'ldap'
+          'cache_credentials': 'True'
+          'krb5_realm': 'EXAMPLE.COM'
+          'ldap_search_base': "dc=example,dc=com"
+          'id_provider': 'ldap'
+          'ldap_uri': "ldaps://ldap.example.com"
+          'krb5_kdcip': 'kerberos.example.com'
+          'ldap_enumeration_refresh_timeout': '43200'
+          'ldap_purge_cache_timeout': '0'
+          'enumerate': 'true'
+
+
+Example Playbook
+----------------
+
+- name: "Configure SSSD client for user directory/authentication"
+  hosts: "all"
+  gather_facts: no
+  any_errors_fatal: true
+  become: true
+
+  roles:
+    - role: "sssd"
+      sssd_config:
+        'sssd':
+          'config_file_version': '2'
+          'debug_level': '5'
+          'reconnection_retries': '3'
+...
+
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+Original author: Matt Raso-Barnett
+
+Current maintainer: Gwen Dawes
@@ -0,0 +1,11 @@
+---
+# Package state; use `present` to make sure it's installed, or `latest`
+# if you want to upgrade or switch versions using a new repo.
+sssd_packages_state: present
+
+# Choose if you want to enable the pam_mkhomedir module to auto-create
+# user home directories on successful login
+sssd_enable_mkhomedir: false
+
+# Default sssd configuration template
+sssd_conf_template: "sssd.conf.j2"
@@ -0,0 +1,18 @@
+---
+- name: "Restart sssd"
+  debug: msg="checking config first"
+  changed_when: True
+  notify:
+    - "Check sssd configuration"
+    - "Restart sssd - after config check"
+
+- name: "Check sssd configuration"
+  command: "sssctl config-check"
+  register: result
+  changed_when: "result.rc != 0"
+  check_mode: no
+
+- name: "Restart sssd - after config check"
+  service:
+    name: "{{ sssd_service }}"
+    state: "restarted"
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		- import_tasks: install.yml
		- import_tasks: runtime.yml
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		---
		kerberos_key_tab_path: "{{ appliances_environment_root }}/files/{{ inventory_hostname }}/krb5.keytab"
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		# Whether or not to enable password login
		sshd_password_authentication: false