Update to 2020-06-03 19:00

master
Daniel Berteaud 4 years ago
parent 2826f1b684
commit a7431429e1
  1. 1
      roles/httpd_common/defaults/main.yml
  2. 2
      roles/httpd_common/tasks/main.yml
  3. 1
      roles/matrix_synapse/tasks/install.yml
  4. 3
      roles/nas/defaults/main.yml
  5. 2
      roles/nas/meta/main.yml
  6. 20
      roles/nas/tasks/main.yml
  7. 4
      roles/nas/templates/httpd.conf.j2
  8. 4
      roles/nfs_server/tasks/main.yml
  9. 4
      roles/samba/defaults/main.yml
  10. 1
      roles/samba/tasks/main.yml
  11. 6
      roles/samba/templates/smb.conf.j2
  12. 2
      roles/ssh/templates/sshd_config.j2
  13. 1
      roles/sssd_ad_auth/defaults/main.yml
  14. 2
      roles/sssd_ad_auth/templates/sssd.conf.j2

@ -15,6 +15,7 @@ httpd_modules:
- authz_core
- authz_host
- authz_user
- authnz_pam
- autoindex
- deflate
- dir

@ -7,6 +7,7 @@
- mod_fcgid
- policycoreutils-python
- python-passlib
- mod_authnz_pam
tags: [package,web]
- name: List httpd ports
@ -134,6 +135,7 @@
- httpd_can_connect_ldap
- httpd_unified
- httpd_can_network_connect
- httpd_mod_auth_pam
when: ansible_selinux.status == 'enabled'
tags: web
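Review bot: The new `httpd_mod_auth_pam` entry in the SELinux boolean list is enabled on every host that runs this role, not only on hosts that actually authenticate a vhost through PAM, and nothing in the hunk records why the grant is needed. A comment tying it to the package added in the first hunk, such as `# needed by mod_authnz_pam (installed above): lets httpd use PAM for authentication`, keeps the boolean traceable when someone later prunes the list. The task that owns this list starts outside the hunk, so whether the booleans are set persistently cannot be confirmed from here.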

@ -49,6 +49,7 @@
- pysaml2
- mock
- six
- authlib
notify: restart synapse
tags: matrix
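Review bot: `authlib` is appended to the package list unpinned, like its neighbours, so every run resolves whatever release the index serves at that moment; for a library that implements the OAuth/OIDC login flows this makes the installed code non-reproducible and lets an unexpected upstream release land silently on the next run. Consider pinning it (`- authlib==<version-placeholder>`, or a constraints/requirements file) and treating the other entries the same way. The enclosing task — presumably a `pip` task, given the `notify: restart synapse` — starts outside the hunk, so I can't see whether a virtualenv or `extra_args` constraint already applies.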

@ -55,7 +55,7 @@ nas_default_share:
dir: Corbeille
protocols:
smb:
enabled: True
enabled: False
browseable: True
guest_ok: False
full_audit: True
@ -69,5 +69,6 @@ nas_default_share:
http:
enabled: False
indexes: False
public: False
force_ssl: True
webdav: False
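Review bot: The new `public: False` key under `http` has no comment saying what it controls, and the httpd template hunk in this commit does not show it being consumed, so a reader cannot tell whether `public: True` serves a share without authentication. Add a line above it, e.g. `# public: serve the share over HTTP without requiring authentication (off by default)`, adjusted to whatever the template actually does with it; keeping the default off is the right choice. The booleans in this stanza are spelled `True`/`False`; plain `true`/`false` is the portable YAML form and avoids 1.1 truthy ambiguity. The `nas_default_share` mapping continues outside the hunk.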

@ -3,4 +3,4 @@ dependencies:
- role: samba
- role: rsync_server
- role: nfs_server
- role: httpd_common
- role: httpd_front

@ -4,7 +4,17 @@
set_fact: nas_shares_conf={{ nas_shares_conf | default([]) + [nas_default_share | combine(item,recursive=True)] }}
with_items: "{{ nas_shares }}"
tags: nas
- set_fact: nas_shares={{ nas_shares_conf }}
- set_fact: nas_shares={{ nas_shares_conf | default([]) }}
tags: nas
- name: Install needed packages
yum:
name:
- rssh
tags: nas
- name: Allow every user to use rssh
file: path=/bin/rssh mode=755
tags: nas
- name: Create directories
@ -27,7 +37,7 @@
tags: nas
- name: Deploy NFS exports
template: src=exports.j2 dest=/etc/exports
template: src=exports.j2 dest=/etc/exports.d/shares.exports
notify: reload nfs
tags: nas
@ -40,6 +50,12 @@
with_items: "{{ nas_shares }}"
tags: nas
- name: Deploy httpd conf
template: src=httpd.conf.j2 dest=/etc/httpd/ansible_conf.d/50-shares.conf mode=640
notify:
- reload httpd
tags: nas
- name: Deploy setfacl script
template: src=setfacl.sh.j2 dest={{ nas_root_dir }}/meta/{{ item.name }}/setfacl.sh mode=755
with_items: "{{ nas_shares }}"
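Review bot: The file modes in the new tasks are written without a leading zero — `mode=755` on `/bin/rssh` and on `setfacl.sh`, `mode=640` on the httpd snippet — which works in `key=value` form because Ansible parses the string as octal, but silently becomes decimal (`755` → `01363`) if someone later converts the task to YAML form with an unquoted `mode: 755`; write `mode=0755` / `mode=0640` (or quoted `'0755'`) so the intent survives that conversion. Separately, `rssh` is no longer maintained upstream, and since this commit also adds `ForceCommand internal-sftp -d` support in `sshd_config.j2`, a comment on the `Install needed packages` task stating why a restricted shell is still required next to that would help the next maintainer decide whether it can go. The `Create directories` and `Deploy setfacl script` tasks continue outside the hunk.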

@ -1,13 +1,13 @@
{% for share in nas_shares %}
{% if share.protocols.http.enabled %}
Alias /{{ share.name }} {{ item.path | default(nas_root_dir + '/data/' + item.name) }}
Alias /{{ share.name }} {{ share.path | default(nas_root_dir + '/data/' + share.name) }}
RewriteEngine On
{% if share.protocols.http.force_ssl %}
RewriteCond %{HTTPS} =off
RewriteRule ^/{{ share.name }}(/.*|$) https://%{HTTP_HOST}/{{ share.name }}$1
{% endif %}
<Directory {{ item.path | default(nas_root_dir + '/data/' + item.name) }}>
<Directory {{ share.path | default(nas_root_dir + '/data/' + share.name) }}>
Options None
Options +FollowSymlinks
{% if share.protocols.http.force_ssl %}
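Review bot: The corrected `share.path` expression is interpolated into `Alias` and `<Directory>` unquoted, so a share path (or `share.name`) containing whitespace or a `>` splits the directive into extra arguments and yields a malformed or wrongly scoped config; quote both: `Alias "/{{ share.name }}" "{{ share.path | default(nas_root_dir + '/data/' + share.name) }}"` and `<Directory "{{ share.path | default(nas_root_dir + '/data/' + share.name) }}">`. Because share trees are presumably writable by users over SMB/NFS, the `Options +FollowSymlinks` on the context line lets httpd follow any symlink such a user creates inside the share; `SymLinksIfOwnerMatch` restricts that to links whose owner matches the target. The `<Directory>` block and the enclosing `for` loop continue outside the hunk.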

@ -17,6 +17,10 @@
template: src=exports.j2 dest=/etc/exports
notify: reload nfs
- name: Create the exports.d directory
file: path=/etc/exports.d state=directory
tags: nfs
- name: Start and enable services
service: name={{ item }} state=started enabled=True
with_items:
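Review bot: The new `Create the exports.d directory` task sets neither owner nor mode, so the permissions of `/etc/exports.d` — the directory whose files define the NFS exports — depend on the umask of the run; make them explicit: `file: path=/etc/exports.d state=directory owner=root group=root mode=0755`. Ordering looks right, since the `nas` role writes into this directory and declares `nfs_server` as a dependency in its meta/main.yml. The task list continues outside the hunk.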

@ -101,3 +101,7 @@ samba_trusted_domains: {}
# Or
#
# samba_tls_letsencrypt_cert:
# samba_min_protocol: NT1
# samba_max_protocol: SMB3
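Review bot: The commented example for the new `samba_min_protocol` option shows `NT1`, which is the SMB1 dialect; a reader who copies the example lowers the floor to the protocol that lacks modern signing and encryption and that recent Samba and Windows releases disable by default. Use a non-legacy value in the example and say so, e.g. `# samba_min_protocol: SMB2  # NT1 (SMB1) is legacy; only set it if an old client truly needs it`, keeping `# samba_max_protocol: SMB3` as is.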

@ -267,6 +267,7 @@
- name: Deploy an empty shares conf snippet
copy: content="# No shares defined yet" dest=/etc/samba/smb.conf.d/shares.conf
when: not samba_shares_snippet.stat.exists
tags: samba
- name: Check if /etc/krb5.conf exists

@ -26,6 +26,12 @@
{% endif %}
logging = systemd@1 file
log level = {{ samba_log_level }}
{% if samba_min_protocol is defined %}
server min protocol = {{ samba_min_protocol }}
{% endif %}
{% if samba_max_protocol is defined %}
server max protocol = {{ samba_max_protocol }}
{% endif %}
{% if samba_role == 'dc' or samba_role == 'rodc' %}
tls dh params file = tls/dhparam.pem
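Review bot: When neither `samba_min_protocol` nor `samba_max_protocol` is defined the new block emits nothing, so the effective floor is Samba's built-in default, which differs between releases (older ones presumably still accept NT1/SMB1); the role's posture then depends on the installed package version rather than on the inventory. Consider a default such as `samba_min_protocol: SMB2` in defaults/main.yml (the `is defined` guards can stay for hosts that need otherwise), or at least a template comment `{# no server min protocol set: Samba's per-version default applies #}` so the omission reads as deliberate. The surrounding section — presumably `[global]`, given `logging` and `log level` — continues outside the hunk.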

@ -65,7 +65,7 @@ Match user {{ user.name }}
ChrootDirectory {{ user.chroot }}
{% endif %}
{% if user.sftp_only | default(False) %}
ForceCommand internal-sftp
ForceCommand internal-sftp{% if user.sftp_cd is defined %} -d {{ user.sftp_cd }}{% endif %}
{% endif %}
{% if user.allow_forwarding is defined %}
AllowTCPForwarding {{ user.allow_forwarding | ternary('yes', 'no') }}
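Review bot: The new `-d {{ user.sftp_cd }}` argument is inserted unquoted, so a start directory containing whitespace is split into several arguments when sshd parses the internal-sftp command line; write it as `ForceCommand internal-sftp{% if user.sftp_cd is defined %} -d "{{ user.sftp_cd }}"{% endif %}`. A short template comment would also help: when `ChrootDirectory` is set in the lines just above, the `-d` path is resolved inside the chroot, which is easy to get wrong when `sftp_cd` is copied from the host's real filesystem layout. The `Match user` block starts outside the hunk, so I can't see whether `sftp_cd` is validated anywhere.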

@ -7,6 +7,7 @@ ad_admin_pass: "{{ samba_dc_admin_pass }}"
ad_computer_ou:
ad_access_filter: "(|(memberOf=CN=Domain Admins,CN=Users,DC={{ ad_realm | regex_replace('\\.',',DC=') }})(memberOf=CN=Domain Admins,OU=Groups,DC={{ ad_realm | regex_replace('\\.',',DC=') }}))"
ad_enumerate: True
ad_default_shell: /bin/false
# sssd doesn't support cross forest approbations, but we can add the Linux box to the other domains
ad_trusted_domains: "{{ samba_trusted_domains | default([]) }}"
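Review bot: The new `ad_default_shell` variable carries no comment, and its consumer in `sssd.conf.j2` (the last hunk of this commit) renders it straight into `default_shell`, so nothing explains that `/bin/false` is a deliberate deny-interactive-login default or what overriding it to a real shell means for every AD account that passes `ad_access_filter`. Add a line above it, e.g. `# Login shell handed to AD users resolved by sssd; /bin/false denies interactive logins by default (sftp via internal-sftp does not need a shell)`. The same note applies to the `default_shell` line in the sssd.conf.j2 hunk, which could point back to this variable.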

@ -15,7 +15,7 @@ id_provider = ad
access_provider = ad
ad_hostname = {{ ansible_hostname }}.{{ ad_realm | lower }}
fallback_homedir = /home/%d/%u
default_shell = /bin/false
default_shell = {{ ad_default_shell }}
cache_credentials = true
krb5_store_password_if_offline = true
ad_access_filter = {{ ad_access_filter }}
