Update to 2020-06-03 19:00

roles/httpd_common/defaults/main.yml

@@ -15,6 +15,7 @@ httpd_modules:
   - authz_core
   - authz_host
   - authz_user
+  - authnz_pam
   - autoindex
   - deflate
   - dir

roles/httpd_common/tasks/main.yml

@@ -7,6 +7,7 @@
       - mod_fcgid
       - policycoreutils-python
       - python-passlib
+      - mod_authnz_pam
   tags: [package,web]
 
 - name: List httpd ports
@@ -134,6 +135,7 @@
     - httpd_can_connect_ldap
     - httpd_unified
     - httpd_can_network_connect
+    - httpd_mod_auth_pam
   when: ansible_selinux.status == 'enabled'
   tags: web
 

roles/matrix_synapse/tasks/install.yml

@@ -49,6 +49,7 @@
       - pysaml2
       - mock
       - six
+      - authlib
   notify: restart synapse
   tags: matrix
 

roles/nas/defaults/main.yml

@@ -55,7 +55,7 @@ nas_default_share:
     dir: Corbeille
   protocols:
     smb:
-      enabled: True
+      enabled: False
       browseable: True
       guest_ok: False
       full_audit: True
@@ -69,5 +69,6 @@ nas_default_share:
     http:
       enabled: False
       indexes: False
+      public: False
       force_ssl: True
       webdav: False

roles/nas/meta/main.yml

@@ -3,4 +3,4 @@ dependencies:
   - role: samba
   - role: rsync_server
   - role: nfs_server
-  - role: httpd_common
+  - role: httpd_front

roles/nas/tasks/main.yml

@@ -4,7 +4,17 @@
   set_fact: nas_shares_conf={{ nas_shares_conf | default([]) + [nas_default_share | combine(item,recursive=True)] }}
   with_items: "{{ nas_shares }}"
   tags: nas
-- set_fact: nas_shares={{ nas_shares_conf }}
+- set_fact: nas_shares={{ nas_shares_conf | default([]) }}
+  tags: nas
+
+- name: Install needed packages
+  yum:
+    name:
+      - rssh
+  tags: nas
+
+- name: Allow every user to use rssh
+  file: path=/bin/rssh mode=755
   tags: nas
 
 - name: Create directories
@@ -27,7 +37,7 @@
   tags: nas
 
 - name: Deploy NFS exports
-  template: src=exports.j2 dest=/etc/exports
+  template: src=exports.j2 dest=/etc/exports.d/shares.exports
   notify: reload nfs
   tags: nas
 
@@ -40,6 +50,12 @@
   with_items: "{{ nas_shares }}"
   tags: nas
 
+- name: Deploy httpd conf
+  template: src=httpd.conf.j2 dest=/etc/httpd/ansible_conf.d/50-shares.conf mode=640
+  notify:
+    - reload httpd
+  tags: nas
+
 - name: Deploy setfacl script
   template: src=setfacl.sh.j2 dest={{ nas_root_dir }}/meta/{{ item.name }}/setfacl.sh mode=755
   with_items: "{{ nas_shares }}"

roles/nas/templates/httpd.conf.j2

@@ -1,13 +1,13 @@
 {% for share in nas_shares %}
 {% if share.protocols.http.enabled %}
-Alias /{{ share.name }} {{ item.path | default(nas_root_dir + '/data/' + item.name) }}
+Alias /{{ share.name }} {{ share.path | default(nas_root_dir + '/data/' + share.name) }}
 RewriteEngine On
 {% if share.protocols.http.force_ssl %}
 RewriteCond %{HTTPS} =off
 RewriteRule ^/{{ share.name }}(/.*|$) https://%{HTTP_HOST}/{{ share.name }}$1
 {% endif %}
 
-<Directory {{ item.path | default(nas_root_dir + '/data/' + item.name) }}>
+<Directory {{ share.path | default(nas_root_dir + '/data/' + share.name) }}>
   Options None
   Options +FollowSymlinks
 {% if share.protocols.http.force_ssl %}

roles/nfs_server/tasks/main.yml

@@ -17,6 +17,10 @@
   template: src=exports.j2 dest=/etc/exports
   notify: reload nfs
 
+- name: Create the exports.d directory
+  file: path=/etc/exports.d state=directory
+  tags: nfs
+
 - name: Start and enable services
   service: name={{ item }} state=started enabled=True
   with_items:

roles/samba/defaults/main.yml

@@ -101,3 +101,7 @@ samba_trusted_domains: {}
 # Or
 #
 # samba_tls_letsencrypt_cert: 
+
+
+# samba_min_protocol: NT1
+# samba_max_protocol: SMB3

roles/samba/tasks/main.yml

@@ -267,6 +267,7 @@
 
 - name: Deploy an empty shares conf snippet
   copy: content="# No shares defined yet" dest=/etc/samba/smb.conf.d/shares.conf
+  when: not samba_shares_snippet.stat.exists
   tags: samba
 
 - name: Check if /etc/krb5.conf exists

roles/samba/templates/smb.conf.j2

@@ -26,6 +26,12 @@
 {% endif %}
   logging = systemd@1 file
   log level = {{ samba_log_level }}
+{% if samba_min_protocol is defined %}
+  server min protocol = {{ samba_min_protocol }}
+{% endif %}
+{% if samba_max_protocol is defined %}
+  server max protocol = {{ samba_max_protocol }}
+{% endif %}
 
 {% if samba_role == 'dc' or samba_role == 'rodc' %}
   tls dh params file = tls/dhparam.pem

roles/ssh/templates/sshd_config.j2

@@ -65,7 +65,7 @@ Match user {{ user.name }}
   ChrootDirectory {{ user.chroot }}
 {% endif %}
 {% if user.sftp_only | default(False) %}
-  ForceCommand internal-sftp
+  ForceCommand internal-sftp{% if user.sftp_cd is defined %} -d {{ user.sftp_cd }}{% endif %}
 {% endif %}
 {% if user.allow_forwarding is defined %}
   AllowTCPForwarding {{ user.allow_forwarding | ternary('yes', 'no') }}

roles/sssd_ad_auth/defaults/main.yml

@@ -7,6 +7,7 @@ ad_admin_pass: "{{ samba_dc_admin_pass }}"
 ad_computer_ou: 
 ad_access_filter: "(|(memberOf=CN=Domain Admins,CN=Users,DC={{ ad_realm | regex_replace('\\.',',DC=') }})(memberOf=CN=Domain Admins,OU=Groups,DC={{ ad_realm | regex_replace('\\.',',DC=') }}))"
 ad_enumerate: True
+ad_default_shell: /bin/false
 
 # sssd doesn't support cross forest approbations, but we can add the Linux box to the other domains
 ad_trusted_domains: "{{ samba_trusted_domains | default([]) }}"

roles/sssd_ad_auth/templates/sssd.conf.j2

@@ -15,7 +15,7 @@ id_provider = ad
 access_provider = ad
 ad_hostname = {{ ansible_hostname }}.{{ ad_realm | lower }}
 fallback_homedir = /home/%d/%u
-default_shell = /bin/false
+default_shell = {{ ad_default_shell }}
 cache_credentials = true
 krb5_store_password_if_offline = true
 ad_access_filter = {{ ad_access_filter }}