From 43dc4a80099bce1e5694047f0b16a3b0f5b61053 Mon Sep 17 00:00:00 2001 From: "ladislav.dusa" Date: Wed, 11 Dec 2024 16:35:32 +0100 Subject: [PATCH] conf added
---
 roles/autofs_client/tasks/main.yml | 42 ++++++ roles/fail2ban/files/action.d/banan.conf | 8 + roles/fail2ban/files/filter.d/bad-auth.conf | 4 + roles/fail2ban/files/filter.d/nextcloud.conf | 5 + roles/fail2ban/files/filter.d/sshd.conf | 138 +++++++++++++++++ roles/fail2ban/files/jail.d/bad-auth.conf | 14 ++ roles/fail2ban/files/jail.d/nextcloud.conf | 15 ++ roles/fail2ban/files/jail.d/sshd.conf | 17 +++ roles/fail2ban/tasks/main.yml | 149 +++++++++++++++++++ roles/ldap_client/tasks/main.yml | 149 +++++++++++++++++++ roles/vnc_server/tasks/main.yml | 24 +++ 11 files changed, 565 insertions(+) create mode 100755 roles/autofs_client/tasks/main.yml create mode 100644 roles/fail2ban/files/action.d/banan.conf create mode 100644 roles/fail2ban/files/filter.d/bad-auth.conf create mode 100644 roles/fail2ban/files/filter.d/nextcloud.conf create mode 100644 roles/fail2ban/files/filter.d/sshd.conf create mode 100644 roles/fail2ban/files/jail.d/bad-auth.conf create mode 100644 roles/fail2ban/files/jail.d/nextcloud.conf create mode 100644 roles/fail2ban/files/jail.d/sshd.conf create mode 100755 roles/fail2ban/tasks/main.yml create mode 100755 roles/ldap_client/tasks/main.yml create mode 100755 roles/vnc_server/tasks/main.yml
diff --git a/roles/autofs_client/tasks/main.yml b/roles/autofs_client/tasks/main.yml
new file mode 100755
index 0000000..5591a85
--- /dev/null
+++ b/roles/autofs_client/tasks/main.yml
@@ -0,0 +1,42 @@
+- block:
+ - name: include vault
+ ansible.builtin.include_vars:
+ file: jaydee.yml
+ - name: Install autofs
+ ansible.builtin.apt:
+ name:
+ - autofs
+ - cifs-utils
+ state: present
+
+ - name: Creating a file with content
+ copy:
+ dest: "/etc/auto.auth"
+ content: |
+ username={{ samba_user }}
+ password={{ samba_password }}
+
+ - name: Creating a file with content
+ copy:
+ dest: "/etc/auto.nas"
+ content: |
+ nas-data -fstype=cifs,credentials=/etc/auto.auth,dir_mode=0755,file_mode=0755,uid=jd,rw ://nas.home.lan/Data
+ nas-docker-data -fstype=cifs,credentials=/etc/auto.auth,dir_mode=0755,file_mode=0755,uid=jd,rw ://nas.home.lan/docker_data
+ nas-photo -fstype=cifs,credentials=/etc/auto.auth,dir_mode=0755,file_mode=0755,uid=jd,rw ://nas.home.lan/Photo
+ nas-public -fstype=cifs,credentials=/etc/auto.auth,dir_mode=0755,file_mode=0755,uid=jd,rw ://nas.home.lan/Public
+ nas-install -fstype=cifs,credentials=/etc/auto.auth,dir_mode=0755,file_mode=0755,uid=jd,rw ://nas.home.lan/install
+ nas-media -fstype=cifs,credentials=/etc/auto.auth,dir_mode=0755,file_mode=0755,uid=jd,rw ://nas.home.lan/Media
+ nas-downloads -fstype=cifs,credentials=/etc/auto.auth,dir_mode=0755,file_mode=0755,uid=jd,rw ://nas.home.lan/downloads
+
+ - name: Reconfigure zabbix agent Server
+ ansible.builtin.lineinfile:
+ path: /etc/auto.master
+ regexp: "^/media/nas.*"
+ insertafter: '^/media/nas'
+ line: "/media/nas /etc/auto.nas --timeout 360 --ghost"
+
+ - name: Restart docker service
+ ansible.builtin.service:
+ name: autofs
+ state: restarted
+ become: true
\ No newline at end of file
diff --git a/roles/fail2ban/files/action.d/banan.conf b/roles/fail2ban/files/action.d/banan.conf
new file mode 100644
index 0000000..ed734d8
--- /dev/null
+++ b/roles/fail2ban/files/action.d/banan.conf
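Review bot: The `copy` task that writes `/etc/auto.auth` sets no `mode`, `owner` or `group`, so the file holding `samba_user` and `samba_password` from `jaydee.yml` is created with the default umask and is normally readable by every local account, although only root (autofs) needs to read it. Add `mode: "0600"`, `owner: root` and `group: root` to that task. The task names `Reconfigure zabbix agent Server` and `Restart docker service` are copy-paste leftovers that describe neither the `/etc/auto.master` edit nor the autofs restart; rename them, and use `ansible.builtin.copy` for consistency with the other fully qualified module names in the block.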
@@ -0,0 +1,8 @@
+[Definition]
+
+#actionban = ssh -i /config/fail2ban/id_rsa2 admin@192.168.77.1 'firewall ban ip ""'
+#actionban = touch /ban/
+actionban = docker exec blockips-unifi php /add_block_firewall.php >> /tmp/lala
+
+#actionunban = touch /unban/
+actionunban = docker exec blockips-unifi php /del_block_firewall.php >> /tmp/lala
\ No newline at end of file
diff --git a/roles/fail2ban/files/filter.d/bad-auth.conf b/roles/fail2ban/files/filter.d/bad-auth.conf
new file mode 100644
index 0000000..e663f18
--- /dev/null
+++ b/roles/fail2ban/files/filter.d/bad-auth.conf
@@ -0,0 +1,4 @@
+# Fail2Ban configuration file
+[Definition]
+failregex = .* client login failed: .+ client:\
+ignoreregex =
\ No newline at end of file
diff --git a/roles/fail2ban/files/filter.d/nextcloud.conf b/roles/fail2ban/files/filter.d/nextcloud.conf
new file mode 100644
index 0000000..3d2f8ae
--- /dev/null
+++ b/roles/fail2ban/files/filter.d/nextcloud.conf
@@ -0,0 +1,5 @@
+[Definition]
+_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
+failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":""%(_groupsre)s,?\s*"message":"Login failed:
+ ^\{%(_groupsre)s,?\s*"remoteAddr":""%(_groupsre)s,?\s*"message":"Trusted domain error.
+datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
diff --git a/roles/fail2ban/files/filter.d/sshd.conf b/roles/fail2ban/files/filter.d/sshd.conf
new file mode 100644
index 0000000..f876958
--- /dev/null
+++ b/roles/fail2ban/files/filter.d/sshd.conf
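Review bot: `actionban` and `actionunban` append their output to the fixed path `/tmp/lala`; fail2ban executes actions as root, and a predictable name in a world-writable directory is exactly the setup in which a pre-created file or symlink gets written through, so drop the redirection (fail2ban already records action output in its own log at debug level) or write under `/var/log/fail2ban/`. As rendered, neither command carries the `<ip>` tag that fail2ban substitutes, so `add_block_firewall.php` would receive no address; this may be the page stripping angle brackets, so confirm the committed line reads `... php /add_block_firewall.php <ip>`. A header comment stating that the action deliberately defines no `actionstart`/`actionstop`/`actioncheck` would also help, since the commented-out ssh and `touch` variants above it read as work in progress.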
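Review bot: The `failregex` in filter.d/bad-auth.conf ends at `client:\` with no `<HOST>` capture, and the `"remoteAddr":""` in filter.d/nextcloud.conf shows the same gap; fail2ban refuses to load a filter whose failregex has no `<HOST>` (or `<ADDR>`) group, so if the committed files really lack it both jails fail at startup — if the page merely stripped the tags, there is nothing to fix here. Independently, the bad-auth pattern opens with an unanchored `.*`, which fail2ban's filter guidance discourages because it matches any journal line that merely contains `client login failed:` and backtracks on long lines; anchor it with `^` and the literal prefix the mailu-front container logs, for example `failregex = ^.*? client login failed: .+ client: <HOST>` as a minimum.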
@@ -0,0 +1,138 @@
+# Fail2Ban filter for openssh
+#
+# If you want to protect OpenSSH from being bruteforced by password
+# authentication then get public key authentication working before disabling
+# PasswordAuthentication in sshd_config.
+#
+#
+# "Connection from port \d+" requires LogLevel VERBOSE in sshd_config
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[DEFAULT]
+
+_daemon = sshd
+
+# optional prefix (logged from several ssh versions) like "error: ", "error: PAM: " or "fatal: "
+__pref = (?:(?:error|fatal): (?:PAM: )?)?
+# optional suffix (logged from several ssh versions) like " [preauth]"
+#__suff = (?: port \d+)?(?: \[preauth\])?\s*
+__suff = (?: (?:port \d+|on \S+|\[preauth\])){0,3}\s*
+__on_port_opt = (?: (?:port \d+|on \S+)){0,2}
+# close by authenticating user:
+__authng_user = (?: (?:invalid|authenticating) user \S+|.*?)?
+
+# for all possible (also future) forms of "no matching (cipher|mac|MAC|compression method|key exchange method|host key type) found",
+# see ssherr.c for all possible SSH_ERR_..._ALG_MATCH errors.
+__alg_match = (?:(?:\w+ (?!found\b)){0,2}\w+)
+
+# PAM authentication mechanism, can be overridden, e. g. `filter = sshd[__pam_auth='pam_ldap']`:
+__pam_auth = pam_[a-z]+
+
+[Definition]
+
+prefregex = ^%(__prefix_line)s%(__pref)s.+$
+
+cmnfailre = ^[aA]uthentication (?:failure|error|failed) for .* from ( via \S+)?%(__suff)s$
+ ^User not known to the underlying authentication module for .* from %(__suff)s$
+ >
+ ^Failed for (?Pinvalid user )?(?P\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+) from %(__on_port_opt)s(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)
+ ^ROOT LOGIN REFUSED FROM
+ ^[iI](?:llegal|nvalid) user .*? from %(__suff)s$
+ ^User \S+|.*? from not allowed because not listed in AllowUsers%(__suff)s$
+ ^User \S+|.*? from not allowed because listed in DenyUsers%(__suff)s$
+ ^User \S+|.*? 
from not allowed because not in any group%(__suff)s$
+ ^refused connect from \S+ \(\)
+ ^Received disconnect from %(__on_port_opt)s:\s*3: .*: Auth fail%(__suff)s$
+ ^User \S+|.*? from not allowed because a group is listed in DenyGroups%(__suff)s$
+ ^User \S+|.*? from not allowed because none of user's groups are listed in AllowGroups%(__suff)s$
+ ^%(__pam_auth)s\(sshd:auth\):\s+authentication failure;(?:\s+(?:(?:logname|e?uid|tty)=\S*)){0,4}\s+ruser=\S*\s+rhost=(?:\s+user=\S*)?%(__suff)s$
+ ^maximum authentication attempts exceeded for .* from %(__on_port_opt)s(?: ssh\d*)?%(__suff)s$
+ ^User \S+|.*? not allowed because account is locked%(__suff)s
+ ^Disconnecting(?: from)?(?: (?:invalid|authenticating)) user \S+ %(__on_port_opt)s:\s*Change of username or service not allowed:\s*.*\[preauth\]\s*$
+ ^Disconnecting: Too many authentication failures(?: for \S+|.*?)?%(__suff)s$
+ ^Received disconnect from %(__on_port_opt)s:\s*11:
+ -other>
+ ^Accepted \w+ for \S+ from (?:\s|$)
+
+cmnfailed-any = \S+
+cmnfailed-ignore = \b(?!publickey)\S+
+cmnfailed-invalid =
+cmnfailed-nofail = (?:publickey|\S+)
+cmnfailed = >
+
+mdre-normal =
+# used to differentiate "connection closed" with and without `[preauth]` (fail/nofail cases in ddos mode)
+mdre-normal-other = ^(Connection (?:closed|reset)|Disconnected) (?:by|from)%(__authng_user)s (?:%(__suff)s|\s*)$
+
+mdre-ddos = ^Did not receive identification string from
+ ^kex_exchange_identification: (?:read: )?(?:[Cc]lient sent invalid protocol identifier|[Cc]onnection (?:closed by remote host|reset by peer))
+ ^Bad protocol version identification '.*' from
+ ^SSH: Server;Ltype: (?:Authname|Version|Kex);Remote: -\d+;[A-Z]\w+:
+ ^Read from socket failed: Connection reset by peer
+ ^banner exchange: Connection from <__on_port_opt>: invalid format
+# same as mdre-normal-other, but as failure (without with [preauth] and with on no preauth phase as helper to identify address):
+mdre-ddos-other = ^(Connection (?:closed|reset)|Disconnected) 
(?:by|from)%(__authng_user)s %(__on_port_opt)s\s+\[preauth\]\s*$
+ ^(Connection (?:closed|reset)|Disconnected) (?:by|from)%(__authng_user)s (?:%(__on_port_opt)s|\s*)$
+
+mdre-extra = ^Received disconnect from %(__on_port_opt)s:\s*14: No(?: supported)? authentication methods available
+ ^Unable to negotiate with %(__on_port_opt)s: no matching <__alg_match> found.
+ ^Unable to negotiate a <__alg_match>
+ ^no matching <__alg_match> found:
+# part of mdre-ddos-other, but user name is supplied (invalid/authenticating) on [preauth] phase only:
+mdre-extra-other = ^Disconnected(?: from)?(?: (?:invalid|authenticating)) user \S+|.*? %(__on_port_opt)s \[preauth\]\s*$
+
+mdre-aggressive = %(mdre-ddos)s
+ %(mdre-extra)s
+# mdre-extra-other is fully included within mdre-ddos-other:
+mdre-aggressive-other = %(mdre-ddos-other)s
+
+# Parameter "publickey": nofail (default), invalid, any, ignore
+publickey = nofail
+# consider failed publickey for invalid users only:
+cmnfailre-failed-pub-invalid = ^Failed publickey for invalid user (?P\S+)|(?:(?! from ).)*? from %(__on_port_opt)s(?: ssh\d*)?(?(cond_user): |(?:(?:(?! 
from ).)*)$)
+# consider failed publickey for valid users too (don't need RE, see cmnfailed):
+cmnfailre-failed-pub-any =
+# same as invalid, but consider failed publickey for valid users too, just as no failure (helper to get IP and user-name only, see cmnfailed):
+cmnfailre-failed-pub-nofail =
+# don't consider failed publickey as failures (don't need RE, see cmnfailed):
+cmnfailre-failed-pub-ignore =
+
+cfooterre = ^Connection from
+
+failregex = %(cmnfailre)s
+ >
+ %(cfooterre)s
+
+# Parameter "mode": normal (default), ddos, extra or aggressive (combines all)
+# Usage example (for jail.local):
+# [sshd]
+# mode = extra
+# # or another jail (rewrite filter parameters of jail):
+# [sshd-aggressive]
+# filter = sshd[mode=aggressive]
+#
+mode = normal
+
+#filter = sshd[mode=aggressive]
+
+ignoreregex =
+
+maxlines = 1
+
+journalmatch = _SYSTEMD_UNIT=sshd.service
+ _COMM=sshd
+
+# DEV Notes:
+#
+# "Failed \S+ for .*? from ..." failregex uses non-greedy catch-all because
+# it is coming before use of which is not hard-anchored at the end as well,
+# and later catch-all's could contain user-provided input, which need to be greedily
+# matched away first.
+#
+# Author: Cyril Jaquier, Yaroslav Halchenko, Petr Voralek, Daniel Black and Sergey Brester aka sebres
+# Rewritten using prefregex (and introduced "mode" parameter) by Serg G. Brester.
diff --git a/roles/fail2ban/files/jail.d/bad-auth.conf b/roles/fail2ban/files/jail.d/bad-auth.conf
new file mode 100644
index 0000000..bd5ad9b
--- /dev/null
+++ b/roles/fail2ban/files/jail.d/bad-auth.conf
@@ -0,0 +1,14 @@
+[bad-auth]
+enabled = true
+backend = systemd
+filter = bad-auth
+journalmatch='CONTAINER_TAG=mailu-front'
+bantime = 36000000
+findtime = 36000
+maxretry = 2
+sender = fail2ban@sectorq.eu
+destemail = jaydee@sectorq.eu
+ignoreip = 192.168.77.0/24 87.197.162.37
+#action = %(action_mwl)s
+action = banan
+ %(action_mwl)s
\ No newline at end of file
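Review bot: `journalmatch='CONTAINER_TAG=mailu-front'` keeps the single quotes as part of the value: fail2ban's config parser does not unquote, and the systemd backend hands each whitespace-separated token to the journal as a `FIELD=value` match, so the quoted token is unlikely to match any entry and the jail would watch nothing — the sshd jail in this same commit uses the unquoted form `journalmatch = _SYSTEMD_UNIT=sshd.service`. Write `journalmatch = CONTAINER_TAG=mailu-front`. A short comment on the `action` pair would also help, because jail.d/sshd.conf lists `banan` and `%(action_mwl)s` in the opposite order and fail2ban runs actions in the order listed, so a reader cannot tell whether the difference is deliberate.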
diff --git a/roles/fail2ban/files/jail.d/nextcloud.conf b/roles/fail2ban/files/jail.d/nextcloud.conf
new file mode 100644
index 0000000..4e364fe
--- /dev/null
+++ b/roles/fail2ban/files/jail.d/nextcloud.conf
@@ -0,0 +1,15 @@
+[nextcloud]
+backend = auto
+enabled = true
+port = 80,443
+protocol = tcp
+filter = nextcloud
+bantime = 36000000
+findtime = 36000
+maxretry = 2
+ignoreip = 192.168.77.0/24 87.197.162.37
+sender = fail2ban@sectorq.eu
+destemail = jaydee@sectorq.eu
+logpath = /share/docker_data/nextcloud/app/data/nextcloud.log
+action = banan
+ %(action_mwl)s
diff --git a/roles/fail2ban/files/jail.d/sshd.conf b/roles/fail2ban/files/jail.d/sshd.conf
new file mode 100644
index 0000000..bfd1f35
--- /dev/null
+++ b/roles/fail2ban/files/jail.d/sshd.conf
@@ -0,0 +1,17 @@
+[sshd]
+
+# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
+# normal (default), ddos, extra or aggressive (combines all).
+# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
+#mode = normal
+enabled = true
+port = ssh
+bantime = 36000000
+findtime = 36000
+maxretry = 2
+sender = fail2ban@sectorq.eu
+destemail = jaydee@sectorq.eu
+ignoreip = 192.168.77.0/24 87.197.162.37
+backend = systemd
+action = %(action_mwl)s
+ banan
\ No newline at end of file
diff --git a/roles/fail2ban/tasks/main.yml b/roles/fail2ban/tasks/main.yml
new file mode 100755
index 0000000..a1451b5
--- /dev/null
+++ b/roles/fail2ban/tasks/main.yml
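Review bot: `bantime`, `findtime`, `maxretry`, `ignoreip`, `sender` and `destemail` are repeated verbatim in jail.d/bad-auth.conf, jail.d/nextcloud.conf and jail.d/sshd.conf; fail2ban reads a `[DEFAULT]` section from `jail.local`, so a single `roles/fail2ban/files/jail.local` holding them once would stop the three jails drifting apart. The `ignoreip` list includes a public address, `87.197.162.37`, which silently exempts whoever holds that address from every jail; a comment saying what it is belongs next to it wherever it ends up. `logpath = /share/docker_data/nextcloud/app/data/nextcloud.log` with `backend = auto` assumes the host reads the container's data volume directly, which is worth a comment as well.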
@@ -0,0 +1,149 @@
+- block:
+ - name: Install ldap packages
+ ansible.builtin.apt:
+ name:
+ - libpam-ldapd
+ - ldap-utils
+ - libnss-ldapd
+ # - name: Reconfigure ldap base
+ # ansible.builtin.lineinfile:
+ # path: /etc/ldap.conf
+ # regexp: "^base "
+ # line: "base dc=sectorq,dc=eu"
+
+ # - name: Reconfigure ldap uri
+ # ansible.builtin.lineinfile:
+ # path: /etc/ldap.conf
+ # regexp: "^uri ldap.*"
+ # line: "uri ldaps://ldap-server.loc/"
+ # - name: Reconfigure ldap version
+ # ansible.builtin.lineinfile:
+ # path: /etc/ldap.conf
+ # regexp: "^ldap_version.*"
+ # line: "ldap_version 3"
+
+ # - name: Reconfigure ldap rootbinddn
+ # ansible.builtin.lineinfile:
+ # path: /etc/ldap.conf
+ # regexp: "^rootbinddn.*"
+ # line: "rootbinddn cn=admin,dc=sectorq,dc=eu"
+ - name: Reconfigure common-session
+ ansible.builtin.lineinfile:
+ path: /etc/pam.d/common-session
+ regexp: "^session optional pam_mkhomedir.so.*"
+ line: "session optional pam_mkhomedir.so skel=/etc/skel umask=077"
+ - name: Reconfigure common-session
+ ansible.builtin.lineinfile:
+ path: /etc/pam.d/common-session
+ regexp: "^session.*pam_ldap.so.*"
+ line: "session [success=ok default=ignore] pam_ldap.so minimum_uid=1000"
+ - name: Reconfigure common-password
+ ansible.builtin.lineinfile:
+ path: /etc/pam.d/common-password
+ regexp: "^password.*success=1 user_unknown=ignore default=die.*"
+ line: "password [success=1 default=ignore] pam_ldap.so minimum_uid=1000 try_first_pass"
+ - name: Reconfigure nsswitch passwd
+ ansible.builtin.lineinfile:
+ path: /etc/nsswitch.conf
+ regexp: "^passwd:.*"
+ line: "passwd: compat systemd ldap"
+ - name: Reconfigure nsswitch group
+ ansible.builtin.lineinfile:
+ path: /etc/nsswitch.conf
+ regexp: "^group:.*"
+ line: "group: compat systemd ldap"
+ - name: Reconfigure nsswitch shadow
+ ansible.builtin.lineinfile:
+ path: /etc/nsswitch.conf
+ regexp: "^shadow:.*"
+ line: "shadow: compat ldap"
+
+ - name: Reconfigure nslcd uri
+ ansible.builtin.lineinfile:
+ path: 
/etc/nslcd.conf
+ regexp: "^uri ldap.*"
+ line: "uri ldap://192.168.77.101:2389/"
+
+
+ - name: Reconfigure ldap base
+ ansible.builtin.lineinfile:
+ path: /etc/nslcd.conf
+ regexp: "^base "
+ line: "base dc=sectorq,dc=eu"
+
+
+ - name: Reconfigure nslcd binddn
+ ansible.builtin.lineinfile:
+ path: /etc/nslcd.conf
+ regexp: "^binddn"
+ line: "binddn cn=jaydee,dc=users,dc=sectorq,dc=eu"
+
+ - name: Reconfigure nslcd bindpw
+ ansible.builtin.lineinfile:
+ path: /etc/nslcd.conf
+ regexp: "^bindpw"
+ line: "bindpw {{ ldap_admin_password }}"
+ # - name: Reconfigure ldap base
+ # ansible.builtin.lineinfile:
+ # path: /etc/nslcd.conf
+ # regexp: "^#ssl"
+ # line: "ssl start_tls"
+ - name: Reconfigure nslcd tls_reqcert
+ ansible.builtin.lineinfile:
+ path: /etc/nslcd.conf
+ regexp: "^tls_reqcert"
+ line: "tls_reqcert allow"
+ - name: Restart nslcd service
+ ansible.builtin.service:
+ name: nslcd.service
+ state: restarted
+
+ - name: Creating a file with content
+ copy:
+ dest: "/usr/local/bin/fetchSSHKeysFromLDAP"
+ content: |
+ #!/usr/bin/bash
+ ldapsearch -x '(&(objectClass=ldapPublicKey)(cn='"$1"'))' 'sshPublicKey' | sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp'
+ mode: '0755'
+ - name: Reconfigure sshd
+ ansible.builtin.lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: "^#AuthorizedKeysCommand *"
+ line: "AuthorizedKeysCommand /usr/local/bin/fetchSSHKeysFromLDAP"
+
+ - name: Reconfigure sshd
+ ansible.builtin.lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: "^#AuthorizedKeysCommandUser *"
+ line: "AuthorizedKeysCommandUser root"
+ - name: Create a directory LDAP if it does not exist
+ ansible.builtin.file:
+ path: /etc/ldap/
+ state: directory
+ mode: '0755'
+ - name: Creating a file with content
+ copy:
+ dest: "/etc/ldap/ldap.conf"
+ content: |
+ #
+ # LDAP Defaults
+ #
+
+ # See ldap.conf(5) for details
+ # This file should be world readable but not world writable.
+
+ BASE dc=sectorq,dc=eu
+ URI ldap://192.168.77.101:2389
+
+ #SIZELIMIT 12
+ #TIMELIMIT 15
+ #DEREF never
+
+ # TLS certificates (needed for GnuTLS)
+ TLS_CACERT /etc/ssl/certs/ca-certificates.crt
+
+ - name: Restart sshd service
+ ansible.builtin.service:
+ name: sshd.service
+ state: restarted
+ become: true
\ No newline at end of file
diff --git a/roles/ldap_client/tasks/main.yml b/roles/ldap_client/tasks/main.yml
new file mode 100755
index 0000000..a1451b5
--- /dev/null
+++ b/roles/ldap_client/tasks/main.yml
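Review bot: roles/fail2ban/tasks/main.yml is a byte-for-byte copy of roles/ldap_client/tasks/main.yml (both hunks carry blob id `a1451b5`): it installs `libpam-ldapd`/`libnss-ldapd`, rewrites PAM, nsswitch, nslcd and `sshd_config`, and never mentions fail2ban, so the action.d/filter.d/jail.d files added by this commit are never deployed, while applying the fail2ban role silently reconfigures host authentication. Replace the task list with one that installs fail2ban, copies `files/action.d`, `files/filter.d` and `files/jail.d` into `/etc/fail2ban/` and restarts the service; a sketch follows, keeping the role's `- block:` / `become: true` shape (directory `mode` is left to defaults so `copy` does not apply a file mode to the directories).
```yaml
- block:
    - name: Install fail2ban
      ansible.builtin.apt:
        name: fail2ban
        state: present

    - name: Deploy the actions, filters and jails shipped in files/
      ansible.builtin.copy:
        src: "{{ item }}/"
        dest: "/etc/fail2ban/{{ item }}/"
        owner: root
        group: root
      loop:
        - action.d
        - filter.d
        - jail.d

    - name: Restart fail2ban service
      ansible.builtin.service:
        name: fail2ban
        state: restarted
  become: true
```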
@@ -0,0 +1,149 @@
+- block:
+ - name: Install ldap packages
+ ansible.builtin.apt:
+ name:
+ - libpam-ldapd
+ - ldap-utils
+ - libnss-ldapd
+ # - name: Reconfigure ldap base
+ # ansible.builtin.lineinfile:
+ # path: /etc/ldap.conf
+ # regexp: "^base "
+ # line: "base dc=sectorq,dc=eu"
+
+ # - name: Reconfigure ldap uri
+ # ansible.builtin.lineinfile:
+ # path: /etc/ldap.conf
+ # regexp: "^uri ldap.*"
+ # line: "uri ldaps://ldap-server.loc/"
+ # - name: Reconfigure ldap version
+ # ansible.builtin.lineinfile:
+ # path: /etc/ldap.conf
+ # regexp: "^ldap_version.*"
+ # line: "ldap_version 3"
+
+ # - name: Reconfigure ldap rootbinddn
+ # ansible.builtin.lineinfile:
+ # path: /etc/ldap.conf
+ # regexp: "^rootbinddn.*"
+ # line: "rootbinddn cn=admin,dc=sectorq,dc=eu"
+ - name: Reconfigure common-session
+ ansible.builtin.lineinfile:
+ path: /etc/pam.d/common-session
+ regexp: "^session optional pam_mkhomedir.so.*"
+ line: "session optional pam_mkhomedir.so skel=/etc/skel umask=077"
+ - name: Reconfigure common-session
+ ansible.builtin.lineinfile:
+ path: /etc/pam.d/common-session
+ regexp: "^session.*pam_ldap.so.*"
+ line: "session [success=ok default=ignore] pam_ldap.so minimum_uid=1000"
+ - name: Reconfigure common-password
+ ansible.builtin.lineinfile:
+ path: /etc/pam.d/common-password
+ regexp: "^password.*success=1 user_unknown=ignore default=die.*"
+ line: "password [success=1 default=ignore] pam_ldap.so minimum_uid=1000 try_first_pass"
+ - name: Reconfigure nsswitch passwd
+ ansible.builtin.lineinfile:
+ path: /etc/nsswitch.conf
+ regexp: "^passwd:.*"
+ line: "passwd: compat systemd ldap"
+ - name: Reconfigure nsswitch group
+ ansible.builtin.lineinfile:
+ path: /etc/nsswitch.conf
+ regexp: "^group:.*"
+ line: "group: compat systemd ldap"
+ - name: Reconfigure nsswitch shadow
+ ansible.builtin.lineinfile:
+ path: /etc/nsswitch.conf
+ regexp: "^shadow:.*"
+ line: "shadow: compat ldap"
+
+ - name: Reconfigure nslcd uri
+ ansible.builtin.lineinfile:
+ path: 
/etc/nslcd.conf
+ regexp: "^uri ldap.*"
+ line: "uri ldap://192.168.77.101:2389/"
+
+
+ - name: Reconfigure ldap base
+ ansible.builtin.lineinfile:
+ path: /etc/nslcd.conf
+ regexp: "^base "
+ line: "base dc=sectorq,dc=eu"
+
+
+ - name: Reconfigure nslcd binddn
+ ansible.builtin.lineinfile:
+ path: /etc/nslcd.conf
+ regexp: "^binddn"
+ line: "binddn cn=jaydee,dc=users,dc=sectorq,dc=eu"
+
+ - name: Reconfigure nslcd bindpw
+ ansible.builtin.lineinfile:
+ path: /etc/nslcd.conf
+ regexp: "^bindpw"
+ line: "bindpw {{ ldap_admin_password }}"
+ # - name: Reconfigure ldap base
+ # ansible.builtin.lineinfile:
+ # path: /etc/nslcd.conf
+ # regexp: "^#ssl"
+ # line: "ssl start_tls"
+ - name: Reconfigure nslcd tls_reqcert
+ ansible.builtin.lineinfile:
+ path: /etc/nslcd.conf
+ regexp: "^tls_reqcert"
+ line: "tls_reqcert allow"
+ - name: Restart nslcd service
+ ansible.builtin.service:
+ name: nslcd.service
+ state: restarted
+
+ - name: Creating a file with content
+ copy:
+ dest: "/usr/local/bin/fetchSSHKeysFromLDAP"
+ content: |
+ #!/usr/bin/bash
+ ldapsearch -x '(&(objectClass=ldapPublicKey)(cn='"$1"'))' 'sshPublicKey' | sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp'
+ mode: '0755'
+ - name: Reconfigure sshd
+ ansible.builtin.lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: "^#AuthorizedKeysCommand *"
+ line: "AuthorizedKeysCommand /usr/local/bin/fetchSSHKeysFromLDAP"
+
+ - name: Reconfigure sshd
+ ansible.builtin.lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: "^#AuthorizedKeysCommandUser *"
+ line: "AuthorizedKeysCommandUser root"
+ - name: Create a directory LDAP if it does not exist
+ ansible.builtin.file:
+ path: /etc/ldap/
+ state: directory
+ mode: '0755'
+ - name: Creating a file with content
+ copy:
+ dest: "/etc/ldap/ldap.conf"
+ content: |
+ #
+ # LDAP Defaults
+ #
+
+ # See ldap.conf(5) for details
+ # This file should be world readable but not world writable.
+
+ BASE dc=sectorq,dc=eu
+ URI ldap://192.168.77.101:2389
+
+ #SIZELIMIT 12
+ #TIMELIMIT 15
+ #DEREF never
+
+ # TLS certificates (needed for GnuTLS)
+ TLS_CACERT /etc/ssl/certs/ca-certificates.crt
+
+ - name: Restart sshd service
+ ansible.builtin.service:
+ name: sshd.service
+ state: restarted
+ become: true
\ No newline at end of file
diff --git a/roles/vnc_server/tasks/main.yml b/roles/vnc_server/tasks/main.yml
new file mode 100755
index 0000000..de9755b
--- /dev/null
+++ b/roles/vnc_server/tasks/main.yml
@@ -0,0 +1,24 @@
+- name: Install vnc packages
+ ansible.builtin.apt:
+ name:
+ - tigervnc-standalone-server
+ - tigervnc-common
+ update_cache: yes
+
+
+- name: Creating a file with content
+ copy:
+ dest: "/home/jd/.vnc/config"
+ content: |
+ session=cinnamon
+ geometry=1200x721
+ localhost
+ alwaysshared
+
+ - name: Reconfigure zabbix agent Server
+ ansible.builtin.lineinfile:
+ path: "/etc/tigervnc/vncserver.users"
+ regexp: "^:1=jd"
+ line: ":1=jd"
+ become: "{{ false if inventory_hostname == 'nas.home.lan' else true }}"
+
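Review bot: The first `Reconfigure sshd` task's `regexp: "^#AuthorizedKeysCommand *"` has no terminator, so in a stock sshd_config it also matches the later `#AuthorizedKeysCommandUser nobody` line; `lineinfile` replaces the last match, so the first run turns that line into the `AuthorizedKeysCommand` directive (the second task then matches nothing and appends `AuthorizedKeysCommandUser root` at the end of the file), and every later run rewrites the untouched `#AuthorizedKeysCommand none` as well, leaving a duplicated `AuthorizedKeysCommand` line and a task that reports changed each time. Use bounded, idempotent patterns — `regexp: '^#?AuthorizedKeysCommand(\s|$)'` and `regexp: '^#?AuthorizedKeysCommandUser(\s|$)'` — and add `validate: 'sshd -t -f %s'` to both tasks; the same lines are duplicated in roles/fail2ban/tasks/main.yml. `AuthorizedKeysCommandUser root` runs `fetchSSHKeysFromLDAP` as root on every login attempt while the script splices `$1` into the LDAP filter unescaped; sshd's manual recommends a dedicated unprivileged user for this, and the script should reject names outside `[A-Za-z0-9._-]` before querying. Finally, `tls_reqcert allow` together with the plain `ldap://192.168.77.101:2389/` URI means the `bindpw` set two tasks earlier crosses the network in clear, and server certificates would stay unverified even once the commented-out `ssl start_tls` task is enabled.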
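Review bot: The `copy` to `/home/jd/.vnc/config` assumes `/home/jd/.vnc` already exists (`copy` does not create parent directories) and, wherever `become` evaluates to true, leaves the file root-owned inside jd's home; add an `ansible.builtin.file` task with `path: /home/jd/.vnc`, `state: directory`, `owner: jd`, `group: jd`, `mode: "0700"` ahead of it and put `owner: jd` / `group: jd` on the copy. As rendered here, the `Reconfigure zabbix agent Server` task sits indented under the copy task rather than as a sibling list item — if that indentation is real the file will not parse — and its name is a copy-paste leftover that should describe the `/etc/tigervnc/vncserver.users` edit. `update_cache: yes` should be `update_cache: true`, matching the lowercase booleans used elsewhere in this commit.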