Initial Commit

.gitignore

@@ -0,0 +1 @@
+.cache/

ca-certs.yml

@@ -0,0 +1,21 @@
+- hosts: proxmox_all_lxc
+  remote_user: root
+  tasks:
+  - name: Install ca-certificates
+    package: 
+      name: ca-certificates
+      state: present
+  - name: Ensure ca-certificates folder exist
+    file:
+      path: /usr/local/share/ca-certificates
+      state: directory
+  - name: Add caofamily root CA
+    copy: 
+      src: /home/ansible/playbooks/contents/caofamily.pem
+      dest: /usr/local/share/ca-certificates/caofamily.crt
+      mode: '0644'
+      owner: root
+      group: root
+  - name: Update CA Trust
+    shell: 
+      cmd: update-ca-certificates

contents/caofamily.pem

@@ -0,0 +1,33 @@
+-----BEGIN CERTIFICATE-----
+MIIFhTCCA22gAwIBAgIUaVYutsaWaNGRvuYIA1tWbkyAmLQwDQYJKoZIhvcNAQEL
+BQAwPDELMAkGA1UEBhMCRlIxEzARBgNVBAoTCkNBTyBGYW1pbHkxGDAWBgNVBAMT
+D0NBTy1QS0ktUk9PVC1DQTAeFw0yNTA4MjgxNDQyNTRaFw0zNTA4MjYxNDQzMjBa
+MDwxCzAJBgNVBAYTAkZSMRMwEQYDVQQKEwpDQU8gRmFtaWx5MRgwFgYDVQQDEw9D
+QU8tUEtJLVJPT1QtQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC0
+6oCksBhwZIc6mjt46jxGfdPE0391lKk7Ap4RNQ2FzAUe9Hgz9s/ndXxfpQKE8nr0
+tJAum8HsWOF/dGbOVRm+HRdfRZl8puoKzD9XxXB0+YzdIxSIMrX09vFVBdPxv+u3
+Cy09h7escv5yO/6kz/S31VM7qmiRqOVsMztDWPeg058wP0Xr0ceWrGLF5pNIZdIz
+ozXkyRR9CfoX2gHyjOo0gJpQwdQKDYRC8gUCKYvDYJAyTjeYHMVNR+X2y42+xHyY
+t7AmV4vtUf9u6IZ2nH2uyr8TRlZKRV3R+BJVobYVOQZ0STDAqrP53zjyY2aOqzhQ
+4OM1K13S6ux4ARZBMJANjklkZgPewZ5s8GpcTOKnzRH9k9fCXL0QqeKrCw46X3Mk
+0cyg8t0gAkZ+LYdLIBrmuk/DOwugZwkK1eh5QIc5+3MXwsYMELc+DyNQDTm+1FD4
+SGuQBzlVRfB8lTeYtxZc9FmZ9Qq+T26IUKR77rbwRrXG/54TBjD4KQIXlHPtcbBn
+AqcSW8pTjRxNRoBZwSBMH5ySw4WlSlQ8DNk3HSSTNelpAYdvV4qXumowRpIxoMVu
+E0IG5CaA0+0sk1Vr+nBk1jaxohSekY3aydJbam6IuOLa2N8+4gfK+rfw/JB6QXMB
+CAbGGVLAqTUiKV0/XPBm7F0j7Euy88uRnuHLr168OQIDAQABo38wfTAOBgNVHQ8B
+Af8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUUtOU9/iq2lknkGMp
+8IEuGsNDktIwHwYDVR0jBBgwFoAUUtOU9/iq2lknkGMp8IEuGsNDktIwGgYDVR0R
+BBMwEYIPQ0FPLVBLSS1ST09ULUNBMA0GCSqGSIb3DQEBCwUAA4ICAQCzL3XviOcv
+5M2uRF6DW1ZU8bbUo63quKnq4MAudQiEMDGy6+UIfDzoK+NmHl+vRF7sNldSNKDT
+PUJAAP54rd1WylL6kBpkY8fI9vevO2gKuD9CTTif6+E5TklGx45KpcgsMdZ7pscf
+DtNpCcNIV0HW4gpG5gRiOCTP/z5Gc3u+6Kc9wEdtFAxG4fG2+mtz1L18IVQVanY/
+o6YWOe83pZCaXX62M9cZtCaFwNaYq0M6vmdJQ2hqfoiTLehsG93Vi5ix96Y2iQ7s
+dB27UlWWomG4u6tnwEzr0RhIzD3FcCcuMh2kQXar7+wA203GVcYvzRhBbLXv+N4N
+ITzceMhh4Crshktl3+3fA8R7LY4sN/EdsEnQMaxEYoKyXWKISPPnFe6FmvZHTNeY
+/EnNtRbnwelxej5T10Vqt383Nzswt/3sKnGrwa94Q/MWzbi3GAmD/2p58ArLwiih
+1/TqkHuKhAWXtdJ5uu65aUXjhmE0X7cgxHiDXJtRU+bRrJaWzO4En3/Tgq+64LOq
+CkSsvjJZrVQMxgPGBnj+kibW0y2TllS3qIgCRsnqOs9RJt+/qf6UTlBxX3zJWkbC
+2r16wYpUkvt5FyouWArQf3W9WPIlq26BB6pFDY/alwrLpMG4CPO+AxIDItKbVsqv
+GU935iH06SzEMZ5OunM/FndFmMoZim/2LA==
+-----END CERTIFICATE-----
+

contents/sssd.conf

@@ -0,0 +1,37 @@
+[sssd]
+config_file_version = 2
+domains = home.fr
+
+[nss]
+
+[pam]
+
+[domain/home.fr]
+id_provider = ldap
+auth_provider = ldap
+chpass_provider = ldap
+ldap_schema = rfc2307
+ldap_uri = ldap://ldap.home.fr:3890/
+ldap_search_base = dc=home,dc=fr
+
+ldap_default_bind_dn = uid=unix_bind,ou=people,dc=home,dc=fr
+ldap_default_authtok = CucNvPPqfbKkSqSEhnyf
+
+ldap_user_search_base = ou=people,dc=home,dc=fr
+ldap_user_object_class = posixAccount
+ldap_user_name = uid
+ldap_user_gecos = uid
+ldap_user_uid_number = uidnumber
+ldap_user_gid_number = gidnumber
+ldap_user_home_directory = homedirectory
+ldap_user_shell = unixshell
+ldap_user_ssh_public_key = sshpublickey
+
+ldap_group_search_base = ou=groups,dc=home,dc=fr
+ldap_group_object_class = groupOfUniqueNames
+ldap_group_name = cn
+ldap_group_member = uniqueMember
+
+access_provider = permit
+cache_credentials = true
+simple_allow_groups = unix_admin

init.yml

@@ -0,0 +1,12 @@
+- hosts: all
+  remote_user: root
+  tasks:
+  - name: Install Python
+    package: 
+      name: python3
+      state: present
+  - name: Init SSH Key
+    authorized_key:
+      user: root
+      key: "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"
+      state: 'present'

ldap_unix.yml

@@ -0,0 +1,60 @@
+- hosts: proxmox_all_lxc
+  remote_user: root
+  tasks:
+  - name: Install sssd
+    package: 
+      name: 
+      - sssd
+      - sssd-tools
+      - libnss-sss
+      - libpam-sss
+      - libsss-sudo
+      - sudo
+      state: latest
+  
+  - name: Create sssd.conf
+    copy: 
+      src: /home/ansible/playbooks/contents/sssd.conf
+      dest: /etc/sssd/sssd.conf
+      mode: '0600'
+      owner: root
+      group: root
+
+  - name: Start sssd
+    service: 
+      name: sssd
+      state: restarted
+  
+  - name: Update PAM
+    shell: 
+      cmd: pam-auth-update --enable mkhomedir
+
+  - name: Create sudoers file
+    file:
+      path: /etc/sudoers.d/unix_admin
+      state: touch
+      mode: '0440'
+  
+  - name: Add unix_admin to sudoers
+    community.general.sudoers:
+      name: unix_admin
+      state: present
+      group: unix_admin
+      commands: ALL
+
+  - name: Edit sshd_config - AuthorizedKeysCommand
+    lineinfile: 
+      path: /etc/ssh/sshd_config
+      search_string: 'AuthorizedKeysCommand'
+      line: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
+
+  - name: Edit sshd_config - AuthorizedKeysCommand
+    lineinfile: 
+      path: /etc/ssh/sshd_config
+      search_string: 'AuthorizedKeysCommandUser'
+      line: AuthorizedKeysCommandUser nobody
+
+  - name: Restart ssh
+    service: 
+      name: ssh
+      state: restarted