Diffstat (limited to 'templates')
| -rw-r--r-- | templates/etc/krb5.j2 | 16 | ||||
| -rw-r--r-- | templates/etc/ldap/ldap.conf.j2 | 2 | ||||
| -rw-r--r-- | templates/etc/nftables.conf.j2 | 64 | ||||
| -rw-r--r-- | templates/etc/ssh/ssh_config.d/kerberos.conf.j2 | 5 | ||||
| -rw-r--r-- | templates/etc/ssh/sshd_config.j2 | 125 | ||||
| -rw-r--r-- | templates/etc/sssd/sssd.conf.j2 | 39 | ||||
| -rw-r--r-- | templates/proxmox_sources.j2 | 6 |
7 files changed, 257 insertions, 0 deletions
diff --git a/templates/etc/krb5.j2 b/templates/etc/krb5.j2
new file mode 100644
index 0000000..af18b6f
--- /dev/null
+++ b/templates/etc/krb5.j2
@@ -0,0 +1,16 @@
+[libdefaults]
+ default_realm = LAB.MPGN.DEV
+ kdc_timesync = 1
+ ccache_type = 4
+ forwardable = true
+ proxiable = true
+
+[realms]
+ LAB.MPGN.DEV = {
+ kdc = ldap.lab.mpgn.dev
+ admin_server = ldap.lab.mpgn.dev
+ }
+
+[domain_realm]
+ lab.mpgn.dev = LAB.MPGN.DEV
+ .lab.mpgn.dev = LAB.MPGN.DEV
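Review bot: `forwardable = true` and `proxiable = true` in [libdefaults] make every ticket issued under this config forwardable by default, so any client that delegates credentials places the user's TGT on each host it connects to; that is a property of the whole realm config, not of one client, and deserves a comment stating why it is wanted, e.g. `# forwardable: required for GSSAPI credential delegation on ssh logins to lab hosts`. The realm `LAB.MPGN.DEV` and the KDC host `ldap.lab.mpgn.dev` are hard-coded even though this is a .j2 template, and the same values are repeated verbatim in templates/etc/sssd/sssd.conf.j2 in this commit; templating both from one variable would keep them from drifting. No `dns_lookup_kdc` or `rdns` setting is given, so the library defaults apply; if that is intentional, say so in a comment.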
\ No newline at end of file
diff --git a/templates/etc/ldap/ldap.conf.j2 b/templates/etc/ldap/ldap.conf.j2
new file mode 100644
index 0000000..fb0bff8
--- /dev/null
+++ b/templates/etc/ldap/ldap.conf.j2
@@ -0,0 +1,2 @@
+BASE dc=lab,dc=mpgn,dc=dev
+URI ldap://ldap.lab.mpgn.dev
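Review bot: `URI ldap://ldap.lab.mpgn.dev` points libldap clients (ldapsearch, ldappasswd, anything using this ldap.conf) at the plaintext LDAP port, while templates/etc/sssd/sssd.conf.j2 in the same commit talks to the same server over `ldaps://`; queries and any simple bind issued through this file would therefore cross the network unencrypted. Use `URI ldaps://ldap.lab.mpgn.dev` and add `TLS_CACERT <path-to-lab-ca-cert>` (placeholder) so the server certificate is validated against the lab CA rather than whatever the system default store happens to trust. The `BASE` line is consistent with the search base used in sssd.conf.j2.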
\ No newline at end of file
diff --git a/templates/etc/nftables.conf.j2 b/templates/etc/nftables.conf.j2
new file mode 100644
index 0000000..ae5a516
--- /dev/null
+++ b/templates/etc/nftables.conf.j2
@@ -0,0 +1,64 @@
+#jinja2: lstrip_blocks: "True", trim_blocks: "True"
+#!{{ nft__bin_location }} -f
+{{ ansible_managed | comment }}
+{% set globalmerged = nft_global_default_rules.copy() %}
+{% set _ = globalmerged.update(nft_global_rules) %}
+{% set _ = globalmerged.update(nft_global_group_rules) %}
+{% if nft_merged_groups and hostvars[inventory_hostname]['nft_combined_rules'].nft_global_group_rules is defined%}
+ {% set _ = globalmerged.update(hostvars[inventory_hostname]['nft_combined_rules'].nft_global_group_rules) %}
+{% endif %}
+{% set _ = globalmerged.update(nft_global_host_rules) %}
+
+# clean
+table {{ nft_flush_table_target }}
+flush table {{ nft_flush_table_target }}
+
+include "{{ nft_define_conf_path }}"
+
+table inet filter {
+ chain global {
+{% for group, rules in globalmerged|dictsort %}
+ # {{ group }}
+ {% if not rules %}
+ # (none)
+ {% endif %}
+ {% for rule in rules %}
+ {{ rule }}
+ {% endfor %}
+{% endfor %}
+ }
+ include "{{ nft_conntrack_conf_path }}"
+ include "{{ nft_set_conf_path }}"
+ include "{{ nft_input_conf_path }}"
+ include "{{ nft_output_conf_path }}"
+{% if nft__forward_table_manage %}
+ include "{{ nft_forward_conf_path }}"
+{% endif %}
+{% if nft__mangle_table_manage %}
+ include "{{ nft_mangle_conf_path }}"
+{% endif %}
+{% if nft_custom_includes | default() %}
+ {% if nft_custom_includes is string %}
+ include "{{ nft_custom_includes }}"
+ {% elif nft_custom_includes is iterable and (nft_custom_includes is not string and nft_custom_includes is not mapping) %}
+ {% for include in nft_custom_includes %}
+ include "{{ include }}"
+ {% endfor %}
+ {% endif %}
+{% endif %}
+}
+
+{% if nft__nat_table_manage %}
+# Additionnal table for Network Address Translation (NAT)
+table ip nat {
+ include "{{ nft_conntrack_conf_path }}"
+ include "{{ nft_set_conf_path }}"
+ include "{{ nft__nat_prerouting_conf_path }}"
+ include "{{ nft__nat_postrouting_conf_path }}"
+}
+{% endif %}
+
+{% if nft__custom_content|d() %}
+# Custom content from ipr-cnrs.nftables
+{{ nft__custom_content }}
+{% endif %}
diff --git a/templates/etc/ssh/ssh_config.d/kerberos.conf.j2 b/templates/etc/ssh/ssh_config.d/kerberos.conf.j2
new file mode 100644
index 0000000..b7c3dda
--- /dev/null
+++ b/templates/etc/ssh/ssh_config.d/kerberos.conf.j2
@@ -0,0 +1,5 @@
+Host *
+ SendEnv LANG LC_*
+ HashKnownHosts yes
+ GSSAPIAuthentication yes
+ GSSAPIDelegateCredentials yes
diff --git a/templates/etc/ssh/sshd_config.j2 b/templates/etc/ssh/sshd_config.j2
new file mode 100644
index 0000000..7036710
--- /dev/null
+++ b/templates/etc/ssh/sshd_config.j2
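Review bot: The condition `hostvars[inventory_hostname]['nft_combined_rules'].nft_global_group_rules is defined` assumes the `nft_combined_rules` key exists on the host whenever `nft_merged_groups` is true; whether a missing key errors out or evaluates as undefined depends on the Undefined class in use, so guarding the key as well (`... and hostvars[inventory_hostname].nft_combined_rules is defined and ...`) removes the dependency on that behaviour. The NAT comment has a typo: `# Additional table for Network Address Translation (NAT)`. The closing `# Custom content from ipr-cnrs.nftables` line suggests this template was copied from that role; if so, a header comment naming the upstream role and the version it was taken from would make future re-syncs easier to review.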
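Review bot: `GSSAPIDelegateCredentials yes` under `Host *` forwards the user's Kerberos TGT to every host they ssh to, including hosts outside the realm that merely offer GSSAPI authentication; whoever can read the forwarded credential cache on that remote host can then act as the user against the KDC. Scope the block to the realm's hosts instead, e.g. `Host *.lab.mpgn.dev`, and leave delegation at its default elsewhere. `SendEnv LANG LC_*` lines up with the server's `AcceptEnv LANG LC_*`, and `HashKnownHosts yes` is fine as a global default.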
@@ -0,0 +1,125 @@
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/bin:/usr/games
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options override the
+# default value.
+
+Include /etc/ssh/sshd_config.d/*.conf
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+#PermitRootLogin prohibit-password
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# Expect .ssh/authorized_keys2 to be disregarded by default in future.
+#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+#PasswordAuthentication yes
+#PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+KbdInteractiveAuthentication no
+
+# Kerberos options
+KerberosAuthentication yes
+#KerberosOrLocalPasswd yes
+KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+GSSAPIAuthentication yes
+GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the KbdInteractiveAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via KbdInteractiveAuthentication may bypass
+# the setting of "PermitRootLogin prohibit-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and KbdInteractiveAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd no
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+UseDNS no
+#PidFile /run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# override default of no subsystems
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server
+
+Ciphers aes256-gcm@openssh.com
+KexAlgorithms curve25519-sha256
+MACs hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
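Review bot: `PasswordAuthentication` is left at its commented default (yes) while `UsePAM yes` and `KerberosAuthentication yes` are enabled, so password logins stay open next to the intended GSSAPI path, and the commented `#KerberosOrLocalPasswd yes` default means a password rejected by the KDC is retried against the local account; if Kerberos SSO is the goal, set `PasswordAuthentication no` and `PermitRootLogin no` explicitly instead of relying on defaults that the file's own comment warns PAM can bypass. `X11Forwarding yes` is turned on for every connection, which is wider than a typical server role needs—confirm it is wanted or leave it at the default. The trailing `Ciphers`, `KexAlgorithms` and `MACs` lines pin a single algorithm each (two MACs), a reasonable hardening choice that will refuse older clients; a one-line comment stating that intent would stop the next maintainer from "fixing" it. Note also that `Include /etc/ssh/sshd_config.d/*.conf` at the top means any drop-in there takes precedence over every directive below it.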
\ No newline at end of file
diff --git a/templates/etc/sssd/sssd.conf.j2 b/templates/etc/sssd/sssd.conf.j2
new file mode 100644
index 0000000..9dbdfbb
--- /dev/null
+++ b/templates/etc/sssd/sssd.conf.j2
@@ -0,0 +1,39 @@
+[sssd]
+config_file_version = 2
+domains = lab.mpgn.dev
+services = nss, pam, autofs, sudo
+full_name_format = %1$s
+
+[nss]
+
+[pam]
+
+[sudo]
+
+[domain/lab.mpgn.dev]
+id_provider = ldap
+auth_provider = krb5
+sudo_provider = ldap
+chpass_provider = krb5
+resolver_provider = ldap
+
+cache_credentials = True
+ldap_uri = ldaps://ldap.lab.mpgn.dev
+ldap_search_base = dc=lab,dc=mpgn,dc=dev
+ldap_sasl_mech = gssapi
+
+ldap_user_search_base = ou=users,dc=lab,dc=mpgn,dc=dev
+ldap_group_search_base = ou=groups,dc=lab,dc=mpgn,dc=dev
+ldap_group_nesting_level = 10
+ldap_sudo_search_base = ou=sudo,dc=lab,dc=mpgn,dc=dev
+
+krb5_server = ldap.lab.mpgn.dev
+krb5_kpasswd = ldap.lab.mpgn.dev
+krb5_realm = LAB.MPGN.DEV
+
+access_provider = permit
+krb5_validate = True
+override_homedir = /home/%u
+default_shell = /bin/bash
+
+enumerate = true
diff --git a/templates/proxmox_sources.j2 b/templates/proxmox_sources.j2
new file mode 100644
index 0000000..1e19eac
--- /dev/null
+++ b/templates/proxmox_sources.j2
@@ -0,0 +1,6 @@
+{{ ansible_managed | comment }}
+deb http://download.proxmox.com/debian/pve bookworm pve-no-subscription
+deb http://debian.mithril.re/debian bookworm main
+deb https://security.debian.org/debian-security bookworm-security main
+deb http://debian.mithril.re/debian bookworm-updates main
+deb http://debian.mithril.re/debian bookworm contrib non-free non-free-firmware
|
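Review bot: `access_provider = permit` lets every account the LDAP id provider returns log in, so host access is decided solely by whether a user exists under `ou=users`; for anything beyond a throwaway lab, use `access_provider = ldap` with an `ldap_access_filter`, or `simple` with `simple_allow_groups`, so that being in the directory is not the same as being allowed on this host. `enumerate = true` makes sssd pull the entire user and group tree into its cache and is generally discouraged outside small directories; confirm it is needed rather than inherited from an example. `ldap_uri = ldaps://` is the right choice, but no `ldap_tls_cacert` is given, so certificate validation falls back to the system trust store—either state that assumption in a comment or point at the lab CA with `ldap_tls_cacert = <path-to-lab-ca-cert>` (placeholder). `krb5_validate = True` is good and implies a host keytab must be deployed by another task not shown here.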
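Review bot: The Proxmox and `debian.mithril.re` entries use plain `http://`; apt's Release-signature check preserves integrity, but it only does so if the `download.proxmox.com` signing key is installed by a task outside this diff, and a key dropped into the global trusted keyring is honoured for every repository, not just this one. Binding the key to the repository, `deb [signed-by=<path-to-proxmox-keyring>] http://download.proxmox.com/debian/pve bookworm pve-no-subscription` (placeholder path), limits that trust, and `https://` is worth using where the mirror offers it. Since the file starts with `{{ ansible_managed | comment }}`, a second comment naming the task that deploys the keyring would tie the two halves of the setup together.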
