From 2bec21bcd618015b961fe05a4a00d7da72547598 Mon Sep 17 00:00:00 2001
From: Thien An
Date: Mon, 24 Nov 2025 21:44:03 +0000
Subject: [PATCH] Initial Commit

---
 .gitignore | 1 +
 ca-certs.yml | 21 +++++++++++++++
 contents/caofamily.pem | 33 +++++++++++++++++++++++
 contents/sssd.conf | 37 ++++++++++++++++++++++++++
 init.yml | 12 +++++++++
 ldap_unix.yml | 60 ++++++++++++++++++++++++++++++++++++++++++
 6 files changed, 164 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 ca-certs.yml
 create mode 100644 contents/caofamily.pem
 create mode 100644 contents/sssd.conf
 create mode 100644 init.yml
 create mode 100644 ldap_unix.yml

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..ceddaa3
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.cache/
diff --git a/ca-certs.yml b/ca-certs.yml
new file mode 100644
index 0000000..df74d77
--- /dev/null
+++ b/ca-certs.yml
@@ -0,0 +1,21 @@
+- hosts: proxmox_all_lxc
+ remote_user: root
+ tasks:
+ - name: Install ca-certificates
+ package:
+ name: ca-certificates
+ state: present
+ - name: Ensure ca-certificates folder exist
+ file:
+ path: /usr/local/share/ca-certificates
+ state: directory
+ - name: Add caofamily root CA
+ copy:
+ src: /home/ansible/playbooks/contents/caofamily.pem
+ dest: /usr/local/share/ca-certificates/caofamily.crt
+ mode: '0644'
+ owner: root
+ group: root
+ - name: Update CA Trust
+ shell:
+ cmd: update-ca-certificates
diff --git a/contents/caofamily.pem b/contents/caofamily.pem
new file mode 100644
index 0000000..fcc8d20
--- /dev/null
+++ b/contents/caofamily.pem
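Review bot: The `Update CA Trust` task runs `update-ca-certificates` through `shell` on every play, so the play always reports changed and a shell is spawned for a command that needs no shell features. Use the `command` module and run it only when the certificate actually changed: add `register: ca_cert` to the copy task and `when: ca_cert.changed` to the update task (or make the update a handler that the copy task notifies). The `src: /home/ansible/playbooks/contents/caofamily.pem` absolute controller path ties the play to one checkout location; `src: contents/caofamily.pem` is searched relative to the playbook directory, and the same applies to the sssd.conf copy in ldap_unix.yml.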
@@ -0,0 +1,33 @@
+-----BEGIN CERTIFICATE-----
+MIIFhTCCA22gAwIBAgIUaVYutsaWaNGRvuYIA1tWbkyAmLQwDQYJKoZIhvcNAQEL
+BQAwPDELMAkGA1UEBhMCRlIxEzARBgNVBAoTCkNBTyBGYW1pbHkxGDAWBgNVBAMT
+D0NBTy1QS0ktUk9PVC1DQTAeFw0yNTA4MjgxNDQyNTRaFw0zNTA4MjYxNDQzMjBa
+MDwxCzAJBgNVBAYTAkZSMRMwEQYDVQQKEwpDQU8gRmFtaWx5MRgwFgYDVQQDEw9D
+QU8tUEtJLVJPT1QtQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC0
+6oCksBhwZIc6mjt46jxGfdPE0391lKk7Ap4RNQ2FzAUe9Hgz9s/ndXxfpQKE8nr0
+tJAum8HsWOF/dGbOVRm+HRdfRZl8puoKzD9XxXB0+YzdIxSIMrX09vFVBdPxv+u3
+Cy09h7escv5yO/6kz/S31VM7qmiRqOVsMztDWPeg058wP0Xr0ceWrGLF5pNIZdIz
+ozXkyRR9CfoX2gHyjOo0gJpQwdQKDYRC8gUCKYvDYJAyTjeYHMVNR+X2y42+xHyY
+t7AmV4vtUf9u6IZ2nH2uyr8TRlZKRV3R+BJVobYVOQZ0STDAqrP53zjyY2aOqzhQ
+4OM1K13S6ux4ARZBMJANjklkZgPewZ5s8GpcTOKnzRH9k9fCXL0QqeKrCw46X3Mk
+0cyg8t0gAkZ+LYdLIBrmuk/DOwugZwkK1eh5QIc5+3MXwsYMELc+DyNQDTm+1FD4
+SGuQBzlVRfB8lTeYtxZc9FmZ9Qq+T26IUKR77rbwRrXG/54TBjD4KQIXlHPtcbBn
+AqcSW8pTjRxNRoBZwSBMH5ySw4WlSlQ8DNk3HSSTNelpAYdvV4qXumowRpIxoMVu
+E0IG5CaA0+0sk1Vr+nBk1jaxohSekY3aydJbam6IuOLa2N8+4gfK+rfw/JB6QXMB
+CAbGGVLAqTUiKV0/XPBm7F0j7Euy88uRnuHLr168OQIDAQABo38wfTAOBgNVHQ8B
+Af8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUUtOU9/iq2lknkGMp
+8IEuGsNDktIwHwYDVR0jBBgwFoAUUtOU9/iq2lknkGMp8IEuGsNDktIwGgYDVR0R
+BBMwEYIPQ0FPLVBLSS1ST09ULUNBMA0GCSqGSIb3DQEBCwUAA4ICAQCzL3XviOcv
+5M2uRF6DW1ZU8bbUo63quKnq4MAudQiEMDGy6+UIfDzoK+NmHl+vRF7sNldSNKDT
+PUJAAP54rd1WylL6kBpkY8fI9vevO2gKuD9CTTif6+E5TklGx45KpcgsMdZ7pscf
+DtNpCcNIV0HW4gpG5gRiOCTP/z5Gc3u+6Kc9wEdtFAxG4fG2+mtz1L18IVQVanY/
+o6YWOe83pZCaXX62M9cZtCaFwNaYq0M6vmdJQ2hqfoiTLehsG93Vi5ix96Y2iQ7s
+dB27UlWWomG4u6tnwEzr0RhIzD3FcCcuMh2kQXar7+wA203GVcYvzRhBbLXv+N4N
+ITzceMhh4Crshktl3+3fA8R7LY4sN/EdsEnQMaxEYoKyXWKISPPnFe6FmvZHTNeY
+/EnNtRbnwelxej5T10Vqt383Nzswt/3sKnGrwa94Q/MWzbi3GAmD/2p58ArLwiih
+1/TqkHuKhAWXtdJ5uu65aUXjhmE0X7cgxHiDXJtRU+bRrJaWzO4En3/Tgq+64LOq
+CkSsvjJZrVQMxgPGBnj+kibW0y2TllS3qIgCRsnqOs9RJt+/qf6UTlBxX3zJWkbC
+2r16wYpUkvt5FyouWArQf3W9WPIlq26BB6pFDY/alwrLpMG4CPO+AxIDItKbVsqv
+GU935iH06SzEMZ5OunM/FndFmMoZim/2LA==
+-----END CERTIFICATE-----
+
diff --git a/contents/sssd.conf b/contents/sssd.conf
new file mode 100644
index 0000000..eeb1f50
--- /dev/null
+++ b/contents/sssd.conf
@@ -0,0 +1,37 @@
+[sssd]
+config_file_version = 2
+domains = home.fr
+
+[nss]
+
+[pam]
+
+[domain/home.fr]
+id_provider = ldap
+auth_provider = ldap
+chpass_provider = ldap
+ldap_schema = rfc2307
+ldap_uri = ldap://ldap.home.fr:3890/
+ldap_search_base = dc=home,dc=fr
+
+ldap_default_bind_dn = uid=unix_bind,ou=people,dc=home,dc=fr
+ldap_default_authtok = CucNvPPqfbKkSqSEhnyf
+
+ldap_user_search_base = ou=people,dc=home,dc=fr
+ldap_user_object_class = posixAccount
+ldap_user_name = uid
+ldap_user_gecos = uid
+ldap_user_uid_number = uidnumber
+ldap_user_gid_number = gidnumber
+ldap_user_home_directory = homedirectory
+ldap_user_shell = unixshell
+ldap_user_ssh_public_key = sshpublickey
+
+ldap_group_search_base = ou=groups,dc=home,dc=fr
+ldap_group_object_class = groupOfUniqueNames
+ldap_group_name = cn
+ldap_group_member = uniqueMember
+
+access_provider = permit
+cache_credentials = true
+simple_allow_groups = unix_admin
diff --git a/init.yml b/init.yml
new file mode 100644
index 0000000..28f94a6
--- /dev/null
+++ b/init.yml
@@ -0,0 +1,12 @@
+- hosts: all
+ remote_user: root
+ tasks:
+ - name: Install Python
+ package:
+ name: python3
+ state: present
+ - name: Init SSH Key
+ authorized_key:
+ user: root
+ key: "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"
+ state: 'present'
diff --git a/ldap_unix.yml b/ldap_unix.yml
new file mode 100644
index 0000000..f00f3e7
--- /dev/null
+++ b/ldap_unix.yml
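Review bot: `ldap_default_authtok = …` commits the LDAP bind password for `uid=unix_bind` in clear text to the repository, and ldap_unix.yml then copies this file verbatim onto every container. The credential should be treated as exposed and rotated, and the file rendered with the `template` module from a variable held in Ansible Vault rather than committed as a static file. Separately, `access_provider = permit` makes `simple_allow_groups = unix_admin` a no-op, because that option is only consulted by the simple access provider, so every LDAP user is allowed to log in; if the intent is to restrict logins to that group it needs `access_provider = simple`. Finally, `ldap_uri = ldap://ldap.home.fr:3890/` with no `ldap_id_use_start_tls` or `ldap_tls_cacert` means the bind and, with `auth_provider = ldap`, user password checks would travel over an unencrypted connection; as far as I recall SSSD refuses to send user passwords without TLS by default, so authentication is likely to fail until `ldaps://` or StartTLS is configured against the CA that ca-certs.yml installs.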
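Review bot: The `Install Python` task uses the `package` module, which (like this play's implicit fact gathering) needs a Python interpreter on the managed node already, so on a fresh container without python3 the play fails before reaching the task it was written for. Bootstrapping needs `gather_facts: false` on the play and a `raw:` task before any regular module — for these Debian-based containers something like `raw: apt-get update && apt-get install -y python3` (constructed here as an example) — after which `authorized_key` can run normally. If python3 is expected to be preinstalled in the container template, a comment saying so would make the task's purpose clear.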
@@ -0,0 +1,60 @@
+- hosts: proxmox_all_lxc
+ remote_user: root
+ tasks:
+ - name: Install sssd
+ package:
+ name:
+ - sssd
+ - sssd-tools
+ - libnss-sss
+ - libpam-sss
+ - libsss-sudo
+ - sudo
+ state: latest
+
+ - name: Create sssd.conf
+ copy:
+ src: /home/ansible/playbooks/contents/sssd.conf
+ dest: /etc/sssd/sssd.conf
+ mode: '0600'
+ owner: root
+ group: root
+
+ - name: Start sssd
+ service:
+ name: sssd
+ state: restarted
+
+ - name: Update PAM
+ shell:
+ cmd: pam-auth-update --enable mkhomedir
+
+ - name: Create sudoers file
+ file:
+ path: /etc/sudoers.d/unix_admin
+ state: touch
+ mode: '0440'
+
+ - name: Add unix_admin to sudoers
+ community.general.sudoers:
+ name: unix_admin
+ state: present
+ group: unix_admin
+ commands: ALL
+
+ - name: Edit sshd_config - AuthorizedKeysCommand
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ search_string: 'AuthorizedKeysCommand'
+ line: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
+
+ - name: Edit sshd_config - AuthorizedKeysCommand
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ search_string: 'AuthorizedKeysCommandUser'
+ line: AuthorizedKeysCommandUser nobody
+
+ - name: Restart ssh
+ service:
+ name: ssh
+ state: restarted
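Review bot: The first sshd_config task's `search_string: 'AuthorizedKeysCommand'` is a plain substring match and also matches the `AuthorizedKeysCommandUser` line; since lineinfile (as far as I recall) replaces the last matching line, the first task can overwrite the User directive and the second then appends a fresh `AuthorizedKeysCommandUser nobody`, so the result depends on the line order in the stock file and the pair is not idempotent across runs. Anchoring with `regexp: '^#?AuthorizedKeysCommand\s'` and `regexp: '^#?AuthorizedKeysCommandUser\s'` removes the overlap. Both tasks rewrite sshd_config and the play then restarts ssh unconditionally, so a malformed line locks the operator out of the container; adding `validate: '/usr/sbin/sshd -t -f %s'` to each lineinfile task and moving the restart into a handler triggered by `notify` keeps the service up when nothing changed or the new config fails validation. The second task's `name:` also duplicates the first's and should say AuthorizedKeysCommandUser.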