authorMatthieu Pignolet <m@mpgn.dev>2025-03-17 14:18:03 +0400
committerMatthieu Pignolet <m@mpgn.dev>2025-03-17 14:18:03 +0400
commit5098223d5c81fac49ded8e555ba629281b06d425 (patch)
tree451988b8a7287735ac98704c5f2b1783fd837666 /templates
parent63efaaf0ba315a9af837d9e9016d331a1327e5e5 (diff)
initial commit: migrate all `MatthieuCoder/pantheon-ansible` files to the oss repo
Diffstat (limited to 'templates')
-rw-r--r--templates/etc/krb5.j216
-rw-r--r--templates/etc/ldap/ldap.conf.j22
-rw-r--r--templates/etc/nftables.conf.j264
-rw-r--r--templates/etc/ssh/ssh_config.d/kerberos.conf.j25
-rw-r--r--templates/etc/ssh/sshd_config.j2125
-rw-r--r--templates/etc/sssd/sssd.conf.j239
-rw-r--r--templates/proxmox_sources.j26
7 files changed, 257 insertions, 0 deletions
diff --git a/templates/etc/krb5.j2 b/templates/etc/krb5.j2
new file mode 100644
index 0000000..af18b6f
--- /dev/null
+++ b/templates/etc/krb5.j2
@@ -0,0 +1,16 @@
+[libdefaults]
+ default_realm = LAB.MPGN.DEV
+ kdc_timesync = 1
+ ccache_type = 4
+ forwardable = true
+ proxiable = true
+
+[realms]
+ LAB.MPGN.DEV = {
+ kdc = ldap.lab.mpgn.dev
+ admin_server = ldap.lab.mpgn.dev
+ }
+
+[domain_realm]
+ lab.mpgn.dev = LAB.MPGN.DEV
+ .lab.mpgn.dev = LAB.MPGN.DEV \ No newline at end of file
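Review bot: `forwardable = true` and `proxiable = true` under [libdefaults] make every TGT issued on these hosts forwardable by default, so any service that accepts delegation — the ssh client drop-in in this same commit sets GSSAPIDelegateCredentials yes for all hosts — receives a usable copy of the user's TGT; if delegation is only needed towards a few lab services, drop these two lines and request forwardable tickets explicitly where needed. The realm and KDC hostnames are hard-coded in a .j2 template and repeated verbatim in sssd.conf.j2 in this commit, so a single Ansible variable for the realm/KDC pair would stop the two files drifting apart. The file also lacks a trailing newline.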
diff --git a/templates/etc/ldap/ldap.conf.j2 b/templates/etc/ldap/ldap.conf.j2
new file mode 100644
index 0000000..fb0bff8
--- /dev/null
+++ b/templates/etc/ldap/ldap.conf.j2
@@ -0,0 +1,2 @@
+BASE dc=lab,dc=mpgn,dc=dev
+URI ldap://ldap.lab.mpgn.dev \ No newline at end of file
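Review bot: `URI ldap://ldap.lab.mpgn.dev` points the OpenLDAP client tools at the plaintext port while sssd.conf.j2 in the same commit talks to the same server over `ldaps://`, so ldapsearch-style queries (and any bind that is not wrapped by SASL confidentiality) leave the host unencrypted. Change it to `URI ldaps://ldap.lab.mpgn.dev`, and if the server certificate is issued by a private CA add a `TLS_CACERT` line pointing at that CA bundle (path to be supplied). The file also lacks a trailing newline.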
diff --git a/templates/etc/nftables.conf.j2 b/templates/etc/nftables.conf.j2
new file mode 100644
index 0000000..ae5a516
--- /dev/null
+++ b/templates/etc/nftables.conf.j2
@@ -0,0 +1,64 @@
+#jinja2: lstrip_blocks: "True", trim_blocks: "True"
+#!{{ nft__bin_location }} -f
+{{ ansible_managed | comment }}
+{% set globalmerged = nft_global_default_rules.copy() %}
+{% set _ = globalmerged.update(nft_global_rules) %}
+{% set _ = globalmerged.update(nft_global_group_rules) %}
+{% if nft_merged_groups and hostvars[inventory_hostname]['nft_combined_rules'].nft_global_group_rules is defined%}
+ {% set _ = globalmerged.update(hostvars[inventory_hostname]['nft_combined_rules'].nft_global_group_rules) %}
+{% endif %}
+{% set _ = globalmerged.update(nft_global_host_rules) %}
+
+# clean
+table {{ nft_flush_table_target }}
+flush table {{ nft_flush_table_target }}
+
+include "{{ nft_define_conf_path }}"
+
+table inet filter {
+ chain global {
+{% for group, rules in globalmerged|dictsort %}
+ # {{ group }}
+ {% if not rules %}
+ # (none)
+ {% endif %}
+ {% for rule in rules %}
+ {{ rule }}
+ {% endfor %}
+{% endfor %}
+ }
+ include "{{ nft_conntrack_conf_path }}"
+ include "{{ nft_set_conf_path }}"
+ include "{{ nft_input_conf_path }}"
+ include "{{ nft_output_conf_path }}"
+{% if nft__forward_table_manage %}
+ include "{{ nft_forward_conf_path }}"
+{% endif %}
+{% if nft__mangle_table_manage %}
+ include "{{ nft_mangle_conf_path }}"
+{% endif %}
+{% if nft_custom_includes | default() %}
+ {% if nft_custom_includes is string %}
+ include "{{ nft_custom_includes }}"
+ {% elif nft_custom_includes is iterable and (nft_custom_includes is not string and nft_custom_includes is not mapping) %}
+ {% for include in nft_custom_includes %}
+ include "{{ include }}"
+ {% endfor %}
+ {% endif %}
+{% endif %}
+}
+
+{% if nft__nat_table_manage %}
+# Additionnal table for Network Address Translation (NAT)
+table ip nat {
+ include "{{ nft_conntrack_conf_path }}"
+ include "{{ nft_set_conf_path }}"
+ include "{{ nft__nat_prerouting_conf_path }}"
+ include "{{ nft__nat_postrouting_conf_path }}"
+}
+{% endif %}
+
+{% if nft__custom_content|d() %}
+# Custom content from ipr-cnrs.nftables
+{{ nft__custom_content }}
+{% endif %}
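Review bot: The precedence of the five rule sources merged into `globalmerged` by the `.copy()`/`update()` chain at the top of the hunk is undocumented, and since `update()` is last-writer-wins per key, a host rule list silently replaces a group rule list with the same key rather than being appended to it; a comment such as `{# precedence per key: default < global < group < combined-group < host; a later update() replaces the list, it does not append #}` above the first `set` would make that visible. The `if` line ends in `is defined%}` without the space before `%}` that every other tag has; it most likely still parses, but is worth normalising. `Additionnal` in the NAT table comment is a typo, and the final comment suggests the template was copied from the ipr-cnrs.nftables role — a header line naming the upstream version would make future diffs against it tractable.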
diff --git a/templates/etc/ssh/ssh_config.d/kerberos.conf.j2 b/templates/etc/ssh/ssh_config.d/kerberos.conf.j2
new file mode 100644
index 0000000..b7c3dda
--- /dev/null
+++ b/templates/etc/ssh/ssh_config.d/kerberos.conf.j2
@@ -0,0 +1,5 @@
+Host *
+ SendEnv LANG LC_*
+ HashKnownHosts yes
+ GSSAPIAuthentication yes
+ GSSAPIDelegateCredentials yes
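Review bot: `GSSAPIDelegateCredentials yes` under `Host *` forwards the user's TGT to every server the client connects to, not only lab hosts, so any external SSH server that negotiates GSSAPI ends up holding a copy of the credential; scope it with a second stanza such as `Host *.lab.mpgn.dev` carrying the two GSSAPI lines, and keep `Host *` for `SendEnv` and `HashKnownHosts` only. A one-line comment stating which lab service actually needs delegated credentials would justify keeping the option on at all.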
diff --git a/templates/etc/ssh/sshd_config.j2 b/templates/etc/ssh/sshd_config.j2
new file mode 100644
index 0000000..7036710
--- /dev/null
+++ b/templates/etc/ssh/sshd_config.j2
@@ -0,0 +1,125 @@
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/bin:/usr/games
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options override the
+# default value.
+
+Include /etc/ssh/sshd_config.d/*.conf
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+#PermitRootLogin prohibit-password
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# Expect .ssh/authorized_keys2 to be disregarded by default in future.
+#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+#PasswordAuthentication yes
+#PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+KbdInteractiveAuthentication no
+
+# Kerberos options
+KerberosAuthentication yes
+#KerberosOrLocalPasswd yes
+KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+GSSAPIAuthentication yes
+GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the KbdInteractiveAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via KbdInteractiveAuthentication may bypass
+# the setting of "PermitRootLogin prohibit-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and KbdInteractiveAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd no
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+UseDNS no
+#PidFile /run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# override default of no subsystems
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server
+
+Ciphers aes256-gcm@openssh.com
+KexAlgorithms curve25519-sha256
+MACs hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com \ No newline at end of file
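Review bot: `PasswordAuthentication` is left at its commented default of yes while `UsePAM yes` is set, so password logins remain available alongside the Kerberos/GSSAPI methods this file enables; if ticket-based login is the intent, add `PasswordAuthentication no` beside `KbdInteractiveAuthentication no`, and consider an explicit `PermitRootLogin no` unless root Kerberos logins are wanted. Because `Include /etc/ssh/sshd_config.d/*.conf` comes first and sshd keeps the first value it sees for each keyword, the `Ciphers`/`KexAlgorithms`/`MACs` lines at the bottom of the hunk can be overridden by any drop-in file without warning; a comment above them noting that would save debugging, or move them above the Include. `X11Forwarding yes` is enabled with no stated reason, and the file lacks a trailing newline.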
diff --git a/templates/etc/sssd/sssd.conf.j2 b/templates/etc/sssd/sssd.conf.j2
new file mode 100644
index 0000000..9dbdfbb
--- /dev/null
+++ b/templates/etc/sssd/sssd.conf.j2
@@ -0,0 +1,39 @@
+[sssd]
+config_file_version = 2
+domains = lab.mpgn.dev
+services = nss, pam, autofs, sudo
+full_name_format = %1$s
+
+[nss]
+
+[pam]
+
+[sudo]
+
+[domain/lab.mpgn.dev]
+id_provider = ldap
+auth_provider = krb5
+sudo_provider = ldap
+chpass_provider = krb5
+resolver_provider = ldap
+
+cache_credentials = True
+ldap_uri = ldaps://ldap.lab.mpgn.dev
+ldap_search_base = dc=lab,dc=mpgn,dc=dev
+ldap_sasl_mech = gssapi
+
+ldap_user_search_base = ou=users,dc=lab,dc=mpgn,dc=dev
+ldap_group_search_base = ou=groups,dc=lab,dc=mpgn,dc=dev
+ldap_group_nesting_level = 10
+ldap_sudo_search_base = ou=sudo,dc=lab,dc=mpgn,dc=dev
+
+krb5_server = ldap.lab.mpgn.dev
+krb5_kpasswd = ldap.lab.mpgn.dev
+krb5_realm = LAB.MPGN.DEV
+
+access_provider = permit
+krb5_validate = True
+override_homedir = /home/%u
+default_shell = /bin/bash
+
+enumerate = true
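Review bot: `access_provider = permit` grants a login to every account the LDAP domain resolves, on every host this template is deployed to, with no per-host restriction; if that is not intended, switch to `access_provider = ldap` with an `ldap_access_filter`, or `access_provider = simple` with `simple_allow_groups`, so host access is expressed in the directory. Boolean values are spelled inconsistently (`cache_credentials = True`, `krb5_validate = True`, `enumerate = true`); sssd appears to accept both, but pick one. `enumerate = true` makes sssd periodically download the whole user and group set, which its documentation advises against outside small domains, so a comment saying why it is on would help. The empty `[nss]`, `[pam]` and `[sudo]` sections and the `autofs` service with no section are harmless but read as unfinished; a comment marking them as intentional placeholders would avoid questions.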
diff --git a/templates/proxmox_sources.j2 b/templates/proxmox_sources.j2
new file mode 100644
index 0000000..1e19eac
--- /dev/null
+++ b/templates/proxmox_sources.j2
@@ -0,0 +1,6 @@
+{{ ansible_managed | comment }}
+deb http://download.proxmox.com/debian/pve bookworm pve-no-subscription
+deb http://debian.mithril.re/debian bookworm main
+deb https://security.debian.org/debian-security bookworm-security main
+deb http://debian.mithril.re/debian bookworm-updates main
+deb http://debian.mithril.re/debian bookworm contrib non-free non-free-firmware
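Review bot: The `pve-no-subscription` line and the `debian.mithril.re` mirror lines carry no `[signed-by=...]` option, so package authenticity rests on whatever keys are already in the apt trusted keyring, and the Proxmox release key in particular must be installed by some task this commit does not show; prefer `deb [signed-by=<path to proxmox keyring, to be supplied>] http://download.proxmox.com/debian/pve bookworm pve-no-subscription` and the equivalent for the mirror. `debian.mithril.re` is not the default Debian mirror and nothing says who operates it or why it replaces deb.debian.org; one comment line stating that would help reviewers. Plain `http://` is acceptable because apt verifies signatures, but it exposes the package list on the wire, so `https://` is worth using where the mirror supports it.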