Role Reference
==============

Preseed
-------

The ``preseed`` role can be used for generating simple preseed files for Debian
Wheezy installations.

The generated preseed files allow a simplified installation, with a single root
partition. A number of common parameters can be provided.

Parameters
~~~~~~~~~~

**preseed_directory** (mandatory)
  Destination directory where the preseed files should be stored.

**preseed_servers** (mandatory)
  List of servers for which a preseed file should be created. Each item in
  this list defines options for a single server. The options are as follows:

  **name** (string, mandatory)
    Name associated with the server. This name is used in the preseed
    configuration filename.

  **language** (string, mandatory)
    Language.

  **country** (string, mandatory)
    Country.

  **locale** (string, mandatory)
    Locale.

  **keymap** (string, mandatory)
    Keymap.

  **network_interface** (string, mandatory)
    Name of the network interface (for example *eth0*) that should be
    configured.

  **network_auto** (boolean, mandatory)
    Specifies whether the network configuration should be automatic (using
    DHCP) or manual. If manual configuration is selected, a number of
    additional options need to be specified.

  **network_ip** (string, mandatory if **network_auto** is set to ``no``)
    IP address for the server network interface.

  **network_netmask** (string, mandatory if **network_auto** is set to ``no``)
    Netmask for the server network interface.

  **network_gateway** (string, mandatory if **network_auto** is set to ``no``)
    Default gateway for the server.

  **network_dns** (string, mandatory if **network_auto** is set to ``no``)
    Comma-separated list of DNS servers.

  **network_hostname** (string, mandatory if **network_auto** is set to ``no``)
    Server hostname.

  **network_domain** (string, mandatory if **network_auto** is set to ``no``)
    Server domain.

  **mirror_hostname** (string, mandatory)
    Resolvable hostname or FQDN where the Debian apt repositories can be
    found. Only HTTP mirrors are supported.

  **mirror_directory** (string, mandatory)
    Directory under which the Debian apt repositories can be found on the
    specified mirror.

  **mirror_proxy** (string, optional, default is *None*)
    An HTTP proxy that should be used for accessing the Debian apt
    repositories.

  **root_password** (string, mandatory)
    Initial password that should be set for the server during the
    installation.

  **timezone** (string, mandatory)
    Timezone that should be used when calculating server time. It is assumed
    that the local hardware clock is set to UTC.

Examples
~~~~~~~~

Here is an example configuration for a preseed file for two servers, one with
automatic and one with manual network configuration:

.. code-block:: yaml

   ---
   preseed_directory: /var/www/preseed/
   preseed_servers:
     - name: test1.example.com
       language: en
       country: SE
       locale: en_US.UTF-8
       keymap: us
       network_interface: eth0
       network_auto: yes
       mirror_hostname: ftp.se.debian.org
       mirror_directory: /debian
       mirror_proxy: http://proxy.example.com/
       root_password: testserver
       timezone: Europe/Stockholm
     - name: test2.example.com
       language: en
       country: SE
       locale: en_US.UTF-8
       keymap: us
       network_interface: eth0
       network_auto: no
       network_ip: 10.0.0.10
       network_netmask: 255.255.255.0
       network_gateway: 10.0.0.1
       network_dns: 10.0.0.2,10.0.0.3
       network_hostname: test1
       network_domain: example.com
       mirror_hostname: ftp.se.debian.org
       mirror_proxy: http://proxy.example.com/
       mirror_directory: /debian
       root_password: testserver
       timezone: Europe/Stockholm
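The following is an added example, not the role's own template (which this
reference does not show). It checks a ``preseed_servers`` entry against the
rules listed above (mandatory options, the extra options required when
``network_auto`` is ``no``, and the HTTP-only mirror restriction) and renders
it with the standard Debian Wheezy ``d-i`` preseed keys; which keys the role's
template actually emits is an assumption of this example. The sample
configuration is constructed to mirror the YAML above. Note that
``root_password`` is written into the preseed file in clear, so the rendered
file is itself a secret and ``preseed_directory`` should be exposed only to the
installer network; Debian also accepts ``passwd/root-password-crypted`` with a
crypt(3) hash if the role's template were changed to use it.

```python
"""Validate preseed_servers entries and render them as Debian preseed files.

Added example; not code from majic-ansible-roles. The d-i keys below are the
standard Wheezy preseed keys, assumed to match what the role's template emits.
"""

MANDATORY = ("name", "language", "country", "locale", "keymap",
             "network_interface", "network_auto", "mirror_hostname",
             "mirror_directory", "root_password", "timezone")
MANUAL_NETWORK = ("network_ip", "network_netmask", "network_gateway",
                  "network_dns", "network_hostname", "network_domain")


def validate_server(server):
    """Return a list of problems with one preseed_servers item ([] if usable)."""
    problems = [f"missing mandatory option '{key}'"
                for key in MANDATORY if key not in server]
    # YAML yes/no arrive as booleans; manual networking needs the full address set.
    if server.get("network_auto") is False:
        problems += [f"'{key}' is mandatory when network_auto is no"
                     for key in MANUAL_NETWORK if key not in server]
    # Only HTTP mirrors are supported and the option is a bare hostname, not a URL.
    host = str(server.get("mirror_hostname", ""))
    if "://" in host or "/" in host:
        problems.append("'mirror_hostname' must be a bare hostname or FQDN, "
                        "not a URL; only HTTP mirrors are supported")
    return problems


def render_preseed(server):
    """Render one server entry as d-i preseed lines (single root partition)."""
    lines = [
        f"d-i debian-installer/locale string {server['locale']}",
        f"d-i debian-installer/language string {server['language']}",
        f"d-i debian-installer/country string {server['country']}",
        f"d-i keyboard-configuration/xkb-keymap select {server['keymap']}",
        f"d-i netcfg/choose_interface select {server['network_interface']}",
    ]
    if server["network_auto"]:
        lines.append("d-i netcfg/disable_dhcp boolean false")
    else:
        lines += [
            "d-i netcfg/disable_dhcp boolean true",
            f"d-i netcfg/get_ipaddress string {server['network_ip']}",
            f"d-i netcfg/get_netmask string {server['network_netmask']}",
            f"d-i netcfg/get_gateway string {server['network_gateway']}",
            # the role takes a comma-separated list; d-i wants space-separated
            "d-i netcfg/get_nameservers string "
            + " ".join(s.strip() for s in server["network_dns"].split(",")),
            "d-i netcfg/confirm_static boolean true",
            f"d-i netcfg/get_hostname string {server['network_hostname']}",
            f"d-i netcfg/get_domain string {server['network_domain']}",
        ]
    lines += [
        "d-i mirror/country string manual",
        f"d-i mirror/http/hostname string {server['mirror_hostname']}",
        f"d-i mirror/http/directory string {server['mirror_directory']}",
        f"d-i mirror/http/proxy string {server.get('mirror_proxy') or ''}",
        # root_password lands here in clear: the rendered file is a secret
        f"d-i passwd/root-password password {server['root_password']}",
        f"d-i passwd/root-password-again password {server['root_password']}",
        "d-i clock-setup/utc boolean true",
        f"d-i time/zone string {server['timezone']}",
        "d-i partman-auto/choose_recipe select atomic",
    ]
    return "\n".join(lines) + "\n"


def render_all(config):
    """Validate every server and return {name: preseed text}; raise on problems."""
    rendered = {}
    for server in config["preseed_servers"]:
        problems = validate_server(server)
        if problems:
            raise ValueError(f"{server.get('name', '?')}: " + "; ".join(problems))
        rendered[server["name"]] = render_preseed(server)
    return rendered


# Constructed sample modelled on the documented example (yes/no as booleans).
SAMPLE_CONFIG = {
    "preseed_directory": "/var/www/preseed/",
    "preseed_servers": [
        {"name": "test1.example.com", "language": "en", "country": "SE",
         "locale": "en_US.UTF-8", "keymap": "us", "network_interface": "eth0",
         "network_auto": True, "mirror_hostname": "ftp.se.debian.org",
         "mirror_directory": "/debian",
         "mirror_proxy": "http://proxy.example.com/",
         "root_password": "testserver", "timezone": "Europe/Stockholm"},
        {"name": "test2.example.com", "language": "en", "country": "SE",
         "locale": "en_US.UTF-8", "keymap": "us", "network_interface": "eth0",
         "network_auto": False, "network_ip": "10.0.0.10",
         "network_netmask": "255.255.255.0", "network_gateway": "10.0.0.1",
         "network_dns": "10.0.0.2,10.0.0.3", "network_hostname": "test2",
         "network_domain": "example.com", "mirror_hostname": "ftp.se.debian.org",
         "mirror_directory": "/debian", "root_password": "testserver",
         "timezone": "Europe/Stockholm"},
    ],
}

if __name__ == "__main__":
    for name, text in render_all(SAMPLE_CONFIG).items():
        print(f"# preseed for {name}\n{text}")
```

``render_all`` refuses to emit anything if any server fails validation, so a
single malformed entry cannot silently produce a preseed file that stalls the
installer at an interactive prompt.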

Bootstrap
---------

The ``bootstrap`` role can be used for bootstrapping a new server with
Ansible. In order to apply this role to a server, all that is necessary is root
access to the server (either via SSH or locally).

The role implements the following:

* Installs the sudo package.
* Creates an operating system user and group for Ansible (``ansible``).
* Sets up an authorized key for operating system user ``ansible`` (for remote
  SSH access).
* Configures sudo to allow operating system user ``ansible`` to run sudo
  commands without password authentication.

Parameters
~~~~~~~~~~

**ansible_key** (string, mandatory)
  SSH public key that should be deployed to the ``authorized_keys`` file of
  operating system user ``ansible``.

Examples
~~~~~~~~

Since the role is meant to be used just after the server has been installed,
using the ``root`` account, it is probably going to be invoked from a separate
playbook.

For example, a playbook (``bootstrap.yml``) could look similar to:

.. code-block:: yaml

   ---
   - hosts: "{{ server }}"
     remote_user: root
     roles:
       - bootstrap
     vars:
       ansible_key: "{{ lookup('file', 'authorized_keys/ansible.pub') }}"

With such a playbook in place, it would be invoked with:

.. code-block:: bash

   ansible-playbook --ask-pass -e server=test1.example.com bootstrap.yml

Common
------

The ``common`` role can be used for applying a common configuration and
hardening across all servers, no matter what services they provide.

The role implements the following:

* Sets the umask for all logins to ``0027``.
* Installs sudo.
* Installs additional base packages, as configured.
* Creates additional operating system groups, as configured.
* Creates additional operating system users, as configured.
* Hardens the SSH server by disabling remote ``root`` logins and password-based
  authentication.

Parameters
~~~~~~~~~~

**os_users** (list, optional)
  A list of operating system users that should be set up on a server. Each item
  is a dictionary with the following options describing the user parameters:

  **name** (string, mandatory)
    Name of the operating system user that should be created. The user's default
    group will have the same name as the user.

  **uid** (number, mandatory)
    UID for the operating system user. The user's default group will have a GID
    identical to the user's UID.

  **additional_groups** (string, mandatory)
    Comma-separated list of additional groups that the user should belong to. If
    no additional groups should be appended to the user's list of groups, set it
    to an empty string (``""``).

  **authorized_keys** (list, mandatory)
    List of SSH public keys that should be deployed to the user's
    ``authorized_keys`` file. If no authorized keys should be deployed, set it to
    an empty list (``[]``).

  **password** (string, mandatory)
    Encrypted password that should be set for the user.

**os_groups** (list, optional)
  A list of operating system groups that should be set up on a server. Each item
  is a dictionary with the following options describing the group parameters:

  **name** (string, mandatory)
    Name of the operating system group that should be created.

  **gid** (number, mandatory)
    GID for the operating system group.

**common_packages** (list, optional)
  List of additional operating system packages that should be installed on the
  server. Each element of the list should be a simple string denoting the name
  of the package.

Examples
~~~~~~~~

Here is an example configuration for setting up some common users, groups, and
packages on all servers:

.. code-block:: yaml

   ---
   os_users:
     - name: admin
       uid: 1000
       additional_groups: sudo
       authorized_keys:
         - "{{ lookup('file', '/home/admin/.ssh/id_rsa.pub') }}"
       password: '$6$AaJRWtqyX5pk$IP8DUjgY0y2zqMom9BAc.O9qHoQWLFCmEsPRCika6l/Xh87cp2SnlMywH0.r4uEcbHnoicQG46V9VrJ8fxp2d.'
     - name: john
       uid: 1001
       additional_groups: ""
       authorized_keys: []
       password: '$6$AaJRWtqyX5pk$IP8DUjgY0y2zqMom9BAc.O9qHoQWLFCmEsPRCika6l/Xh87cp2SnlMywH0.r4uEcbHnoicQG46V9VrJ8fxp2d.'
   os_groups:
     - name: localusers
       gid: 2500
   common_packages:
     - emacs23-nox
     - screen
     - debconf-utils
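The following is an added example, not code from the roles themselves. It
applies the checks a reviewer would want before running the ``common`` role
(and, for the key format, before handing ``ansible_key`` to the ``bootstrap``
role): that every ``password`` is a crypt(3) hash rather than a cleartext
value, that a ``uid`` does not collide with another user or with an
``os_groups`` ``gid`` (the role gives the user's default group a GID equal to
the UID), that ``additional_groups`` is a plain comma-separated list, and that
every ``authorized_keys`` entry is a well-formed OpenSSH public key whose base64
payload really encodes the declared algorithm. Because the role disables
password-based SSH authentication, a user with an empty ``authorized_keys``
list can only log in locally, so that case is reported too. The sample
configuration is constructed to mirror the YAML above; the public key in it is
built with all-zero key material and is not a usable key.

```python
"""Sanity-check os_users/os_groups for the common role and public key lines
such as the bootstrap role's ansible_key. Added example; not project code."""
import base64
import re
import struct

# crypt(3) prefixes: md5, sha256, sha512 (optionally rounds=N$), bcrypt, yescrypt
CRYPT_HASH = re.compile(r"^\$(?:1|5|6|2[aby]|y)\$[./A-Za-z0-9$=]+$")
GROUP_LIST = re.compile(r"^[a-z_][a-z0-9_-]*(?:,[a-z_][a-z0-9_-]*)*$")


def check_public_key(entry):
    """Return None if entry is a well-formed OpenSSH public key line, else why not."""
    parts = entry.split()
    if len(parts) < 2:
        return "expected '<type> <base64 data> [comment]'"
    key_type, blob = parts[0], parts[1]
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:
        return "key data is not valid base64"
    # RFC 4253 wire format: the blob opens with a length-prefixed string naming
    # the algorithm, which must agree with the declared key type.
    if len(raw) < 4 or raw[4:4 + struct.unpack(">I", raw[:4])[0]] != key_type.encode():
        return f"key data does not encode algorithm {key_type}"
    return None


def check_os_users(config):
    """Return a list of (user, finding) for the common role's user/group config."""
    findings = []
    gids = {g["name"]: g["gid"] for g in config.get("os_groups", [])}
    uids = {}
    for user in config.get("os_users", []):
        name, uid = user["name"], user["uid"]
        if uid in uids:
            findings.append((name, f"uid {uid} already used by {uids[uid]}"))
        uids[uid] = name
        # the user's default group gets gid == uid, so it must not hit an os_groups gid
        for gname, gid in gids.items():
            if gid == uid:
                findings.append((name, f"uid {uid} collides with gid of group {gname}"))
        if not CRYPT_HASH.match(user["password"]):
            findings.append((name, "password is not a crypt(3) hash; "
                                   "the role expects an encrypted value"))
        if user["additional_groups"] and not GROUP_LIST.match(user["additional_groups"]):
            findings.append((name, "additional_groups must be a comma-separated "
                                   "list without spaces"))
        for key in user["authorized_keys"]:
            reason = check_public_key(key)
            if reason:
                findings.append((name, f"authorized key rejected: {reason}"))
        if not user["authorized_keys"]:
            # the common role disables password SSH logins, so this user is local-only
            findings.append((name, "no authorized keys: SSH login impossible "
                                   "once password authentication is disabled"))
    return findings


def constructed_key(key_type="ssh-ed25519"):
    """Build a syntactically valid public key line with all-zero key material
    (constructed for the sample only; not a usable key)."""
    blob = (struct.pack(">I", len(key_type)) + key_type.encode()
            + struct.pack(">I", 32) + bytes(32))
    return f"{key_type} {base64.b64encode(blob).decode()} constructed-example"


# Constructed sample modelled on the documented example; the hash is the one
# shown in the documentation above.
SAMPLE_HASH = ("$6$AaJRWtqyX5pk$IP8DUjgY0y2zqMom9BAc.O9qHoQWLFCmEsPRCika6l/"
               "Xh87cp2SnlMywH0.r4uEcbHnoicQG46V9VrJ8fxp2d.")
SAMPLE_CONFIG = {
    "os_users": [
        {"name": "admin", "uid": 1000, "additional_groups": "sudo",
         "authorized_keys": [constructed_key()], "password": SAMPLE_HASH},
        {"name": "john", "uid": 1001, "additional_groups": "",
         "authorized_keys": [], "password": SAMPLE_HASH},
    ],
    "os_groups": [{"name": "localusers", "gid": 2500}],
}

if __name__ == "__main__":
    for user, finding in check_os_users(SAMPLE_CONFIG):
        print(f"{user}: {finding}")
```

On the sample, the only finding is that ``john`` has no authorized keys;
``check_public_key`` is equally usable on the file read for ``ansible_key``
before the bootstrap playbook is run against a fresh server.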

LDAP Client
-----------

The ``ldap_client`` role can be used for setting up an OpenLDAP client on the
destination machine.

The role implements the following:

* Installs OpenLDAP client tools.
* Sets up the global configuration file for OpenLDAP clients at
  ``/etc/ldap/ldap.conf``.

Parameters
~~~~~~~~~~

**ldap_client_config** (list, mandatory)
  A list of configuration options that should be put into the LDAP configuration
  file. Each item is a dictionary with the following options defining the
  configuration parameter:

  **comment** (string, mandatory)
    Comment that will be shown in the file just above the configuration option.

  **option** (string, mandatory)
    Name of the configuration option.

  **value** (string, mandatory)
    Value for the configuration option.

Examples
~~~~~~~~

Here is an example configuration for setting some common LDAP client options:

.. code-block:: yaml

   ---
   ldap_client_config:
     - comment: Set the base DN
       option: BASE
       value: dc=example,dc=com
     - comment: Set the default URI
       option: URI
       value: ldap://ldap.example.com/
     - comment: Set the truststore for TLS/SSL
       option: TLS_CACERT
       value: /etc/ssl/certs/example_ca.pem
     - comment: Force basic server certificate verification
       option: TLS_REQCERT
       value: demand
     - comment: Disable CRL checks for server certificate
       option: TLS_CRLCHECK
       value: none
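The following is an added example, not the role's own template, which this
reference does not show. It renders an ``ldap_client_config`` list into
``ldap.conf`` syntax (the layout, a ``#`` comment line followed by
``OPTION value``, is an assumption), rejecting any item that lacks one of the
three mandatory keys so that a misspelled key such as ``commment`` fails at
render time instead of producing a half-written file. It then parses the result
back and audits the transport options with the semantics from ``ldap.conf(5)``:
a plain ``ldap://`` URI is cleartext unless the client requests STARTTLS,
``TLS_REQCERT`` defaults to ``demand`` and anything weaker skips strict
certificate verification, and ``TLS_CRLCHECK none`` (the value in the example
above) accepts revoked server certificates. The sample entries are constructed
to match the YAML above.

```python
"""Render, parse and audit ldap.conf content built from ldap_client_config.
Added example; not code from majic-ansible-roles."""
import re

REQUIRED_KEYS = {"comment", "option", "value"}
# accepted values per ldap.conf(5) for the two verification settings
TLS_REQCERT_STRICT = {"demand", "hard"}
TLS_CRLCHECK_VALUES = {"none", "peer", "all"}


def render_ldap_conf(entries):
    """Return ldap.conf text for a list of {comment, option, value} dicts."""
    lines = []
    for index, entry in enumerate(entries):
        missing = REQUIRED_KEYS - set(entry)
        if missing:
            # a misspelled key (e.g. 'commment') is caught here, not at deploy time
            raise ValueError(f"entry {index} is missing {sorted(missing)}")
        lines.append(f"# {entry['comment']}")
        lines.append(f"{entry['option']} {entry['value']}")
        lines.append("")
    return "\n".join(lines)


def parse_ldap_conf(text):
    """Parse ldap.conf text into [(OPTION, value)]; option names are case-insensitive."""
    options = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        options.append((parts[0].upper(), parts[1] if len(parts) > 1 else ""))
    return options


def audit_ldap_conf(options):
    """Return findings about the client's transport-security posture."""
    findings = []
    seen = {}
    for name, value in options:
        if name in seen:
            findings.append(f"{name} set more than once ({seen[name]!r} and {value!r})")
        seen[name] = value
    for uri in seen.get("URI", "").split():
        if uri.lower().startswith("ldap://"):
            findings.append(f"{uri}: cleartext unless the client requests STARTTLS "
                            "(e.g. ldapsearch -ZZ)")
    # ldap.conf(5): TLS_REQCERT defaults to demand, TLS_CRLCHECK defaults to none
    if seen.get("TLS_REQCERT", "demand").lower() not in TLS_REQCERT_STRICT:
        findings.append("TLS_REQCERT is not demand/hard: server certificate "
                        "is not strictly verified")
    if "TLS_CACERT" not in seen and "TLS_CACERTDIR" not in seen:
        findings.append("no TLS_CACERT/TLS_CACERTDIR: verification has no trust anchor")
    crl = seen.get("TLS_CRLCHECK", "none").lower()
    if crl not in TLS_CRLCHECK_VALUES:
        findings.append(f"TLS_CRLCHECK has unknown value {crl!r}")
    elif crl == "none":
        findings.append("TLS_CRLCHECK none: revoked server certificates are still accepted")
    return findings


# Constructed sample matching the documented example.
SAMPLE_ENTRIES = [
    {"comment": "Set the base DN", "option": "BASE", "value": "dc=example,dc=com"},
    {"comment": "Set the default URI", "option": "URI",
     "value": "ldap://ldap.example.com/"},
    {"comment": "Set the truststore for TLS/SSL", "option": "TLS_CACERT",
     "value": "/etc/ssl/certs/example_ca.pem"},
    {"comment": "Force basic server certificate verification",
     "option": "TLS_REQCERT", "value": "demand"},
    {"comment": "Disable CRL checks for server certificate",
     "option": "TLS_CRLCHECK", "value": "none"},
]

if __name__ == "__main__":
    text = render_ldap_conf(SAMPLE_ENTRIES)
    print(text)
    for finding in audit_ldap_conf(parse_ldap_conf(text)):
        print("finding:", finding)
```

Run against the documented example, the audit reports two findings: the
``ldap://`` URI and the disabled CRL check. A configuration using ``ldaps://``
with ``TLS_CRLCHECK peer`` passes cleanly.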