authorMatthieu Pignolet <m@mpgn.dev>2025-03-17 14:18:03 +0400
committerMatthieu Pignolet <m@mpgn.dev>2025-03-17 14:18:03 +0400
commit5098223d5c81fac49ded8e555ba629281b06d425 (patch)
tree451988b8a7287735ac98704c5f2b1783fd837666 /kerberos.yml
parent63efaaf0ba315a9af837d9e9016d331a1327e5e5 (diff)
initial commit: migrate all `MatthieuCoder/pantheon-ansible` files to the oss repo
Diffstat (limited to 'kerberos.yml')
-rw-r--r--kerberos.yml99
1 files changed, 99 insertions, 0 deletions
diff --git a/kerberos.yml b/kerberos.yml
new file mode 100644
index 0000000..d78b4de
--- /dev/null
+++ b/kerberos.yml
@@ -0,0 +1,99 @@
+- hosts: vms
+ become: true
+
+ tasks:
+ - name: Install required packages
+ ansible.builtin.apt:
+ pkg:
+ - krb5-user
+ - sssd-krb5
+ - sssd-tools
+ - libsss-sudo
+ - ldap-utils
+ - libldap-common
+
+ - name: Install sudo-ldap
+ apt: name=sudo-ldap state=present
+ environment:
+ SUDO_FORCE_REMOVE: "yes"
+
+ - name: Configuring krb5.conf
+ when: inventory_hostname != "ldap.pantheon.lab.mpgn.dev"
+ template:
+ src: templates/etc/krb5.j2
+ dest: /etc/krb5.conf
+ owner: root
+ group: root
+ mode: 0644
+
+ - name: Configuring ldap.conf
+ template:
+ src: templates/etc/ldap/ldap.conf.j2
+ dest: /etc/ldap/ldap.conf
+ owner: root
+ group: root
+ mode: 0644
+
+ - name: Check that the keytab exists
+ stat:
+ path: /etc/krb5.keytab
+ register: keytab_exists
+
+ - name: Generate kerberos keytab
+ when: not keytab_exists.stat.exists
+ shell: |
+ kadmin -p "{{ kerberos_user }}" -w "{{ kerberos_password }}" addprinc -x containerdn=ou=machines,dc=lab,dc=mpgn,dc=dev -randkey host/{{ inventory_hostname }}@LAB.MPGN.DEV
+ kadmin -p "{{ kerberos_user }}" -w "{{ kerberos_password }}" ktadd -k /etc/krb5.keytab host/{{ inventory_hostname }}@LAB.MPGN.DEV
+ chown root:root /etc/krb5.keytab
+ chmod 0600 /etc/krb5.keytab
+
+ - name: Configuring sssd.conf
+ template:
+ src: templates/etc/sssd/sssd.conf.j2
+ dest: /etc/sssd/sssd.conf
+ owner: root
+ group: root
+ mode: 0600
+
+ - name: Remove motd
+ ansible.builtin.file:
+ path: /etc/motd
+ state: absent
+
+ - name: Edit /etc/nsswitch.conf to enable sss sudo
+ lineinfile:
+ path: /etc/nsswitch.conf
+ regexp: 'sudoers: files ldap'
+ line: 'sudoers: files sss'
+ backrefs: yes
+
+ - name: Configuring /etc/ssh/sshd_config
+ template:
+ src: templates/etc/ssh/sshd_config.j2
+ dest: /etc/ssh/sshd_config
+ owner: root
+ group: root
+ mode: 0644
+
+ - name: Configuring /etc/ssh/ssh_config.d/kerberos.conf
+ template:
+ src: templates/etc/ssh/ssh_config.d/kerberos.conf.j2
+ dest: /etc/ssh/ssh_config.d/kerberos.conf
+ owner: root
+ group: root
+ mode: 0644
+
+ - name: Restart the ssh service
+ ansible.builtin.service:
+ name: "sshd"
+ state: restarted
+ enabled: true
+
+ - name: Start and enable sssd
+ ansible.builtin.service:
+ name: "sssd"
+ state: restarted
+ enabled: true
+
+ - name: Enable homedir
+ shell: pam-auth-update --enable mkhomedir \ No newline at end of file
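Review bot: The "Generate kerberos keytab" task passes `{{ kerberos_password }}` to `kadmin -w` on the command line, so the admin password is visible to every local user via `ps`/`/proc/*/cmdline` on the VM while kadmin runs, and Ansible will also print the rendered shell line in its output and any log_path on failure or with -v; the task needs `no_log: true` at minimum, placed next to `when: not keytab_exists.stat.exists`. Both commands are assembled as a shell string, so `kerberos_password` and `inventory_hostname` should be wrapped with the `quote` filter (`-w {{ kerberos_password | quote }}`) or the two calls moved to `ansible.builtin.command` with an argv list so no shell interpretation happens at all; a kadmin keytab (`-k -t`) or a prompt-driven `expect` task would avoid putting the secret in argv entirely, if the environment allows it. Separately, the file modes are written as unquoted octal literals (`mode: 0644`, `mode: 0600`); Ansible recommends quoting them (`mode: "0644"`) so the YAML 1.1 parser does not hand the module a decimal integer, which is known to fail in loops and some other contexts. Minor: the `sudo-ldap` task still uses the `key=value` form and `yes` where the rest of the file uses block YAML and `true`; `pkg: [...]` on the apt task should be `name:` with `state: present` so the intended state is explicit.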