bitwarden

desktop.yml

@@ -0,0 +1,9 @@
+---
+- hosts: desktop
+  roles:
+    - common
+    - wake_on_lan
+    - timeshift
+    - zabbix-agent
+    - autofs_client
+    - ldap_client

roles/fail2ban/tasks/main.yml

@@ -1,149 +1,39 @@
 - block:
-  - name: Install ldap packages
+  - name: Install fail2ban packages
     ansible.builtin.apt:
       name: 
-        - libpam-ldapd
-        - ldap-utils
-        - libnss-ldapd
-  # - name: Reconfigure ldap base
-  #   ansible.builtin.lineinfile:
-  #     path: /etc/ldap.conf
-  #     regexp: "^base "
-  #     line: "base dc=sectorq,dc=eu"
-
-  # - name: Reconfigure ldap uri
-  #   ansible.builtin.lineinfile:
-  #     path: /etc/ldap.conf
-  #     regexp: "^uri ldap.*"
-  #     line: "uri ldaps://ldap-server.loc/"
-  # - name: Reconfigure ldap version
-  #   ansible.builtin.lineinfile:
-  #     path: /etc/ldap.conf
-  #     regexp: "^ldap_version.*"
-  #     line: "ldap_version 3"
-
-  # - name: Reconfigure ldap rootbinddn
-  #   ansible.builtin.lineinfile:
-  #     path: /etc/ldap.conf
-  #     regexp: "^rootbinddn.*"
-  #     line: "rootbinddn cn=admin,dc=sectorq,dc=eu"
-  - name: Reconfigure common-session
-    ansible.builtin.lineinfile:
-      path: /etc/pam.d/common-session
-      regexp: "^session optional pam_mkhomedir.so.*"
-      line: "session optional pam_mkhomedir.so skel=/etc/skel umask=077"
-  - name: Reconfigure common-session
-    ansible.builtin.lineinfile:
-      path: /etc/pam.d/common-session
-      regexp: "^session.*pam_ldap.so.*"
-      line: "session [success=ok default=ignore]     pam_ldap.so minimum_uid=1000"      
-  - name: Reconfigure common-password
-    ansible.builtin.lineinfile:
-      path: /etc/pam.d/common-password
-      regexp: "^password.*success=1 user_unknown=ignore default=die.*"
-      line: "password        [success=1 default=ignore]     pam_ldap.so minimum_uid=1000 try_first_pass"
-  - name: Reconfigure nsswitch passwd
-    ansible.builtin.lineinfile:
-      path: /etc/nsswitch.conf
-      regexp: "^passwd:.*"
-      line: "passwd:         compat systemd ldap"
-  - name: Reconfigure nsswitch group
-    ansible.builtin.lineinfile:
-      path: /etc/nsswitch.conf
-      regexp: "^group:.*"
-      line: "group:          compat systemd ldap"
-  - name: Reconfigure nsswitch shadow
-    ansible.builtin.lineinfile:
-      path: /etc/nsswitch.conf
-      regexp: "^shadow:.*"
-      line: "shadow:         compat ldap"
-
-  - name: Reconfigure nslcd uri
-    ansible.builtin.lineinfile:
-      path: /etc/nslcd.conf
-      regexp: "^uri ldap.*"
-      line: "uri ldap://192.168.77.101:2389/"
-
-
-  - name: Reconfigure ldap base
-    ansible.builtin.lineinfile:
-      path: /etc/nslcd.conf
-      regexp: "^base "
-      line: "base dc=sectorq,dc=eu"
-
-
-  - name: Reconfigure nslcd binddn
-    ansible.builtin.lineinfile:
-      path: /etc/nslcd.conf
-      regexp: "^binddn"
-      line: "binddn cn=jaydee,dc=users,dc=sectorq,dc=eu"
-      
-  - name: Reconfigure nslcd bindpw
-    ansible.builtin.lineinfile:
-      path: /etc/nslcd.conf
-      regexp: "^bindpw"
-      line: "bindpw {{ ldap_admin_password }}"
-  # - name: Reconfigure ldap base
-  #   ansible.builtin.lineinfile:
-  #     path: /etc/nslcd.conf
-  #     regexp: "^#ssl"
-  #     line: "ssl start_tls"
-  - name: Reconfigure nslcd tls_reqcert
-    ansible.builtin.lineinfile:
-      path: /etc/nslcd.conf
-      regexp: "^tls_reqcert"
-      line: "tls_reqcert allow"
-  - name: Restart nslcd service
-    ansible.builtin.service:
-      name: nslcd.service
-      state: restarted
-
-  - name: Creating a file with content
+        - fail2ban
+        - sendmail
+  - name: Copy files
     copy:
-      dest: "/usr/local/bin/fetchSSHKeysFromLDAP"
-      content: |
-        #!/usr/bin/bash
-        ldapsearch  -x '(&(objectClass=ldapPublicKey)(cn='"$1"'))' 'sshPublicKey' |     sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp'  
-      mode: '0755'
-  - name: Reconfigure sshd
-    ansible.builtin.lineinfile:
-      path: /etc/ssh/sshd_config
-      regexp: "^#AuthorizedKeysCommand *"
-      line: "AuthorizedKeysCommand /usr/local/bin/fetchSSHKeysFromLDAP"
+      src: "{{ item }}"
+      dest: /etc/fail2ban/jail.d/
+    with_fileglob:
+      - "jail.d/*.conf"
 
-  - name: Reconfigure sshd
-    ansible.builtin.lineinfile:
-      path: /etc/ssh/sshd_config
-      regexp: "^#AuthorizedKeysCommandUser *"
-      line: "AuthorizedKeysCommandUser root"
-  - name: Create a directory LDAP if it does not exist
-    ansible.builtin.file:
-      path: /etc/ldap/
-      state: directory
-      mode: '0755'
-  - name: Creating a file with content
+  - name: Copy files
     copy:
-      dest: "/etc/ldap/ldap.conf"
-      content: |
-        #
-        # LDAP Defaults
-        #
+      src: "{{ item }}"
+      dest: /etc/fail2ban/filter.d/
+    with_fileglob:
+      - "filter.d/*.conf"
 
-        # See ldap.conf(5) for details
-        # This file should be world readable but not world writable.
+  - name: Copy files
+    copy:
+      src: "{{ item }}"
+      dest: /etc/fail2ban/action.d/
+    with_fileglob:
+      - "action.d/*.conf"
 
-        BASE    dc=sectorq,dc=eu
-        URI     ldap://192.168.77.101:2389
-
-        #SIZELIMIT      12
-        #TIMELIMIT      15
-        #DEREF          never
-
-        # TLS certificates (needed for GnuTLS)
-        TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
-  
-  - name: Restart sshd service
+  - name: disable sendmail service
     ansible.builtin.service:
-      name: sshd.service
+      name: sendmail.service
+      state: stopped
+      enabled: false
+
+  - name: Restart fail2ban service
+    ansible.builtin.service:
+      name: fail2ban.service
       state: restarted
+      enabled: true
   become: true

roles/ldap_client/tasks/main.yml

@@ -76,7 +76,7 @@
     ansible.builtin.lineinfile:
       path: /etc/nslcd.conf
       regexp: "^binddn"
-      line: "binddn cn=jaydee,dc=users,dc=sectorq,dc=eu"
+      line: "binddn cn=ldapservice,ou=users,dc=sectorq,dc=eu"
       
   - name: Reconfigure nslcd bindpw
     ansible.builtin.lineinfile:
@@ -103,8 +103,10 @@
       dest: "/usr/local/bin/fetchSSHKeysFromLDAP"
       content: |
         #!/usr/bin/bash
-        ldapsearch  -x '(&(objectClass=ldapPublicKey)(cn='"$1"'))' 'sshPublicKey' |     sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp'  
-      mode: '0755'
+        ldapsearch  -x -H ldap://192.168.77.101:2389 -D 'cn=ldapservice,ou=users,DC=sectorq,DC=eu' -w {{ ldap_admin_password }} '(&(objectClass=person)(cn='"$1"'))' 'sshPublicKey' |     sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp'
+      owner: root
+      group: root
+      mode: '0700'
   - name: Reconfigure sshd
     ansible.builtin.lineinfile:
       path: /etc/ssh/sshd_config
@@ -144,6 +146,6 @@
   
   - name: Restart sshd service
     ansible.builtin.service:
-      name: sshd.service
+      name: ssh
       state: restarted
   become: true

roles/ssh_banner/tasks/main.yml

@@ -0,0 +1,35 @@
+- block:
+  - name: Install packages
+    ansible.builtin.apt:
+      name: 
+        - figlet 
+        - toilet
+        
+  - name: Create Banner
+    ansible.builtin.command: |
+      figlet -c  {{ (inventory_hostname|split('.'))[0] }} -f slant
+    register: logo
+
+  - name: Creating a file with content
+    copy:
+      dest: "/etc/banner"
+      content: |
+        {{ logo.stdout }}
+
+  - name: Reconfigure sshd
+    ansible.builtin.lineinfile:
+      path: /etc/ssh/sshd_config
+      regexp: "^Banner.* "
+      line: "Banner /etc/banner"
+
+  - name: Reconfigure sshd
+    ansible.builtin.lineinfile:
+      path: /etc/ssh/sshd_config
+      regexp: "^#PrintLastLog.* "
+      line: "PrintLastLog no"
+
+  - name: sshd
+    ansible.builtin.service:
+      name: ssh.service
+      state: restarted
+  become: true

roles/vnc_server/tasks/main.yml

@@ -1,24 +1,46 @@
-- name: Install vnc packages
-  ansible.builtin.apt:
-    name: 
-      - tigervnc-standalone-server
-      - tigervnc-common
-    update_cache: yes
+- block:
+  
+  - name: Install vnc packages
+    ansible.builtin.apt:
+      name: 
+        - tigervnc-standalone-server
+        - tigervnc-common
+      update_cache: yes
 
+  - name: Create a directory if it does not exist
+    ansible.builtin.file:
+      path: /home/jd/.vnc/
+      state: directory
+      mode: '0755'
+      owner: jd
+      group: jd
+  - name: Creating a file with content
+    copy:
+      dest: "/home/jd/.vnc/config"
+      content: |
+        session=mate
+        geometry=1200x721
+        localhost
+        alwaysshared
+      mode: '0755'
+      owner: jd
+      group: jd
+  - name: Reconfigure vnc
+    ansible.builtin.lineinfile:
+      path: /etc/tigervnc/vncserver-config-defaults
+      regexp: "^$localhost =.* "
+      line: '$localhost = "no";'
 
-- name: Creating a file with content
-  copy:
-    dest: "/home/jd/.vnc/config"
-    content: |
-      session=cinnamon
-      geometry=1200x721
-      localhost
-      alwaysshared
+  - name: Reconfigure vnc1
+    ansible.builtin.lineinfile:
+      path:  /etc/tigervnc/vncserver.users
+      #regexp: "^:1=.*"
+      line: ':1=jd'
 
   - name: Reconfigure zabbix agent Server
     ansible.builtin.lineinfile:
       path: "/etc/tigervnc/vncserver.users"
       regexp: "^:1=jd"
       line: ":1=jd"
-    become: "{{ false if inventory_hostname == 'nas.home.lan' else true }}"
+  become: "{{ false if inventory_hostname == 'nas.home.lan' else true }}"
     

roles/wake_on_lan/tasks/main.yml

@@ -8,10 +8,14 @@
     var: ansible_facts.interfaces
 - name: Get wifi adapter
   set_fact: 
-    wifi_adapter: '{{ item }}'
+    active_adapter: '{{ item }}'
   loop: '{{ ansible_facts.interfaces }}'
   when: 'item.startswith("eno")'
-  
+- name: Display all interfaces name
+  debug:
+    msg:  "{{ ansible_default_ipv4.interface }}"
+
+
 - name: Creating config
   become: true
   ansible.builtin.copy:
@@ -23,7 +27,7 @@
 
       [Service]
       Type=oneshot
-      ExecStart = /usr/sbin/ethtool --change {{ wifi_adapter }} wol g
+      ExecStart = /usr/sbin/ethtool --change {{ ansible_default_ipv4.interface }} wol g
 
       [Install]
       WantedBy=basic.target

servers.yml

@@ -9,4 +9,5 @@
     - monitoring
     - zabbix-agent
     - autofs_client
-    - ldap_client
+    - ldap_client
+    - ssh_banner

test.yml

@@ -0,0 +1,4 @@
+---
+- hosts: datacenter
+  roles:
+    - vnc_server