feat(nslcd): add role

feat(nscd): add role
feat(gnupg): configure scdaemon.conf
2022-11-05 12:15:13 +01:00 · 2022-11-05 12:01:30 +01:00 · 2022-08-22 17:04:36 +02:00 · 2022-08-20 21:56:50 +02:00 · 2022-08-20 21:56:49 +02:00 · 2022-08-20 21:56:48 +02:00
16 changed files with 279 additions and 4 deletions
--- a/roles/git/defaults/main.yml
+++ b/roles/git/defaults/main.yml
@ -0,0 +1,15 @@
+---
+
+git_config_file: ~/.gitconfig
+
+git_config_gpg_program: gpg2
+git_config_commit_gpgsign: false
+git_config_pull_rebase: true
+git_config_pull_ff: only
+git_config_rebase_autostash: true
+git_config_merge_autostash: true
+git_config_init_default_branch: main
+git_config_core_editor: vim
+
+git_config_user: []
+git_config_credentials: []
--- a/roles/git/tasks/main.yml
+++ b/roles/git/tasks/main.yml
@ -0,0 +1,45 @@
+---
+
+- name: Ensure git configuration is persisted in git configs file
+  blockinfile:
+    dest: "{{ git_config_file }}"
+    mode: "0660"
+    create: yes
+    state: present
+    marker: "#{mark} ANSIBLE MANAGED BLOCK by finallycoffee.base.git"
+    block: |+2
+      {% if git_config_user_name|default(false, true) and git_config_user_email|default(false, true) %}
+      [user]
+        name = {{ git_config_user_name }}
+        email = {{ git_config_user_email }}
+      {% if git_config_user_signingkey %}
+        signingkey = {{ git_config_user_signingkey }}
+      {% endif %}
+      {% endif %}
+      [gpg]
+        program = {{ git_config_gpg_program }}
+      [core]
+        editor = {{ git_config_core_editor }}
+      [commit]
+        gpgsign = {{ git_config_commit_gpgsign }}
+      [pull]
+        rebase = {{ git_config_pull_rebase }}
+        ff = {{ git_config_pull_ff }}
+      [rebase]
+        autostash = {{ git_config_rebase_autostash }}
+      [merge]
+        autostash = {{ git_config_merge_autostash }}
+      [init]
+        defaultBranch = {{ git_config_init_default_branch }}
+      [alias]
+      {% for alias in git_config_alias %}
+        {{ alias.name }} = {{ alias.command }}
+      {% endfor %}
+      
+      {% for credentialset in git_config_credentials %}
+      [credential "{{ credentialset.remote_url }}"]
+      {% for entry in credentialset.config | dict2items %}
+        {{ entry.key }} = {{ entry.value }}
+      {% endfor %}
+
+      {% endfor %}
--- a/roles/gnupg/defaults/main.yml
+++ b/roles/gnupg/defaults/main.yml
@ -3,10 +3,11 @@
 gpg_config_folder: ~/.gnupg
 gpg_config_file: "{{ gpg_config_folder }}/gpg.conf"
 gpg_agent_config_file: "{{ gpg_config_folder }}/gpg-agent.conf"
+gpg_scdaemon_config_file: "{{ gpg_config_folder }}/scdaemon.conf"
 gpg_agent_sshcontrol_file: "{{ gpg_config_folder }}/sshcontrol"
 gpg_configure_agent_script: "{{ gpg_config_folder }}/gpg-configure-as-ssh-agent.sh"

-gpg_keys_for_ssh: []
+gpg_keygrips_for_ssh: []

 gpg_config_cert_digest_algo: SHA256
 gpg_config_emit_version: false
@ -24,3 +25,8 @@ gpg_agent_config_cache_ttl_ssh: 300
 gpg_agent_config_enable_ssh_support: false
 gpg_agent_config_ignore_cache_for_signing: true
 gpg_agent_config_allow_external_cache: false
+
+gpg_scdaemon_config_driver: ~
+gpg_scdaemon_config_card_timeout: ~
+gpg_scdaemon_config_disable_ccid: false
+gpg_scdaemon_config_pcsc_shared: true
--- a/roles/gnupg/files/gpg-configure-ssh-auth-socket.sh
+++ b/roles/gnupg/files/gpg-configure-ssh-auth-socket.sh
@ -11,3 +11,4 @@ fi

 gpg-connect-agent /bye
 export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
+gpgconf --launch gpg-agent
--- a/roles/gnupg/tasks/main.yml
+++ b/roles/gnupg/tasks/main.yml
@ -14,6 +14,12 @@
  become: true
  when: ansible_os_family == "Archlinux"

+- name: Ensure ~/.gnupg folder exists with correct permissions
+  file:
+    path: "{{ gpg_config_folder }}"
+    state: directory
+    mode: 0700
+
 - name: Ensure gpg.conf is templated
  template:
    src: gpg.conf.j2
@ -24,7 +30,10 @@
    src: gpg-agent.conf.j2
    dest: "{{ gpg_agent_config_file }}"

-# attempt to bootstrap the supplied keys here, so the keygrip can be retrieved
+- name: Configure scdaemon.conf (smartcard daemon)
+  template:
+    src: scdaemon.conf.j2
+    dest: "{{ gpg_scdaemon_config_file }}"

 - name: Configure sshcontrol (in order for gpg-agent to act as ssh-agent)
  template:
@ -33,8 +42,15 @@
  when: gpg_agent_config_enable_ssh_support

 - name: Copy gnupg_agent script, which makes gpg-agent responsible for ssh-auth
-  file:
+  copy:
    src: gpg-configure-ssh-auth-socket.sh
    dest: "{{ gpg_configure_agent_script }}"
    mode: 0700
  when: gpg_agent_config_enable_ssh_support
+
+- name: Ensure gnupg_agent script is included in bashrc
+  lineinfile:
+    path: "~/.bashrc"
+    line: "source {{ gpg_configure_agent_script }}"
+    state: present
+  when: gpg_agent_config_enable_ssh_support
--- a/roles/gnupg/templates/gpg.conf.j2
+++ b/roles/gnupg/templates/gpg.conf.j2
@ -10,6 +10,9 @@ personal-digest-preferences SHA256 SHA512 SHA384 SHA224
 {% if gpg_config_ignore_time_conflict %}
 ignore-time-conflict
 {% endif %}
+{% if gpg_config_trusted_key %}
+trusted-key {{ gpg_config_trusted_key }}
+{% endif %}

 # How to render keys
 keyid-format {{ gpg_config_keyid_format }}
--- a/roles/gnupg/templates/scdaemon.conf.j2
+++ b/roles/gnupg/templates/scdaemon.conf.j2
@ -0,0 +1,12 @@
+{% if gpg_scdaemon_config_disable_ccid | default(false) %}
+disable-ccid
+{% endif %}
+{% if gpg_scdaemon_config_card_timeout | default(false) %}
+card-timeout {{ gpg_scdaemon_config_card_timeout }}
+{% endif %}
+{% if gpg_scdaemon_config_driver | default(false) %}
+pcsc-driver {{ gpg_scdaemon_config_driver }}
+{% endif %}
+{% if gpg_scdaemon_config_pcsc_shared | default(true) %}
+pcsc-shared
+{% endif %}
--- a/roles/gnupg/templates/sshcontrol.j2
+++ b/roles/gnupg/templates/sshcontrol.j2
@ -9,6 +9,6 @@
 # caching TTL in seconds, and another optional field for arbitrary
 # flags.   Prepend the keygrip with an '!' mark to disable it.

-{% for keygrip in ssh_keygrips %}
+{% for keygrip in gpg_keygrips_for_ssh %}
 {{ keygrip }}
 {% endfor %}
--- a/roles/nscd/defaults/main.yml
+++ b/roles/nscd/defaults/main.yml
@ -0,0 +1,41 @@
+---
+
+nscd_config_file: /etc/nscd.conf
+
+nscd_config_password_enable_cache: true
+nscd_config_password_positive_ttl_seconds: 300
+nscd_config_password_negative_ttl_seconds: 10
+nscd_config_password_suggested_size: 221
+nscd_config_password_check_files: true
+nscd_config_password_persistent: true
+nscd_config_password_shared: true
+nscd_config_password_max_db_size_bytes: 33554432
+nscd_config_password_auto_propagate: yes
+
+nscd_config_group_enable_cache: true
+nscd_config_group_positive_ttl_seconds: 900
+nscd_config_group_negative_ttl_seconds: 30
+nscd_config_group_suggested_size: 221
+nscd_config_group_check_files: true
+nscd_config_group_persistent: true
+nscd_config_group_shared: true
+nscd_config_group_max_db_size_bytes: 33554432
+nscd_config_group_auto_propagate: yes
+
+nscd_config_hosts_enable_cache: true
+nscd_config_hosts_positive_ttl_seconds: 1800
+nscd_config_hosts_negative_ttl_seconds: 60
+nscd_config_hosts_suggested_size: 221
+nscd_config_hosts_check_files: true
+nscd_config_hosts_persistent: true
+nscd_config_hosts_shared: true
+nscd_config_hosts_max_db_size_bytes: 33554432
+
+nscd_config_services_enable_cache: true
+nscd_config_services_positive_ttl_seconds: 28800
+nscd_config_services_negative_ttl_seconds: 20
+nscd_config_services_suggested_size: 221
+nscd_config_services_check_files: true
+nscd_config_services_persistent: true
+nscd_config_services_shared: true
+nscd_config_services_max_db_size_bytes: 33554432
--- a/roles/nscd/tasks/main.yml
+++ b/roles/nscd/tasks/main.yml
@ -0,0 +1,27 @@
+---
+
+- name: Make sure nscd is installed
+  apt:
+    name: "{{ nscd_apt_package_name }}"
+    state: present
+  when: ansible_facts['pkg_mgr'] == 'apt'
+
+- name: Ensure nscd is configured
+  template:
+    src: nscd.conf.j2
+    dest: "{{ nscd_config_file }}"
+    owner: root
+    group: root
+    mode: "0640"
+
+- name: Ensure systemd service is enabled
+  systemd:
+    service: "{{ nscd_systemd_service_name }}"
+    enabled: true
+  when: ansible_facts['service_mgr'] == 'systemd'
+
+- name: Ensure systemd service is started
+  systemd:
+    service: "{{ nscd_systemd_service_name }}"
+    state: started
+  when: ansible_facts['service_mgr'] == 'systemd'
--- a/roles/nscd/templates/nscd.conf.j2
+++ b/roles/nscd/templates/nscd.conf.j2
@ -0,0 +1,41 @@
+#logfile	/var/log/nscd.log
+#threads	4
+#max-threads	32
+
+enable-cache		passwd	{{ nscd_config_passwd_auto_propagate | ternary('yes', 'no') }}
+positive-time-to-live	passwd	{{ nscd_config_passwd_positive_ttl_seconds }}
+negative-time-to-live	passwd	{{ nscd_config_passwd_negative_ttl_seconds }}
+suggested-size		passwd	{{ nscd_config_passwd_suggested_size }}
+check-files		passwd	{{ nscd_config_passwd_check_files | ternary('yes', 'no') }}
+persistent		passwd	{{ nscd_config_passwd_persistent | ternary('yes', 'no') }}
+shared			passwd	{{ nscd_config_passwd_shared | ternary('yes', 'no') }}
+max-db-size		passwd	{{ nscd_config_passwd_max_db_size_bytes }}
+auto-propagate		passwd	{{ nscd_config_passwd_auto_propagate | ternary('yes', 'no') }}
+
+enable-cache		group	{{ nscd_config_group_auto_propagate | ternary('yes', 'no') }}
+positive-time-to-live	group	{{ nscd_config_group_positive_ttl_seconds }}
+negative-time-to-live	group	{{ nscd_config_group_negative_ttl_seconds }}
+suggested-size		group	{{ nscd_config_group_suggested_size }}
+check-files		group	{{ nscd_config_group_check_files | ternary('yes', 'no') }}
+persistent		group	{{ nscd_config_group_persistent | ternary('yes', 'no') }}
+shared			group	{{ nscd_config_group_shared | ternary('yes', 'no') }}
+max-db-size		group	{{ nscd_config_group_max_db_size_bytes }}
+auto-propagate		group	{{ nscd_config_group_auto_propagate | ternary('yes', 'no') }}
+
+enable-cache		hosts	{{ nscd_config_hosts_auto_propagate | ternary('yes', 'no') }}
+positive-time-to-live	hosts	{{ nscd_config_hosts_positive_ttl_seconds }}
+negative-time-to-live	hosts	{{ nscd_config_hosts_negative_ttl_seconds }}
+suggested-size		hosts	{{ nscd_config_hosts_suggested_size }}
+check-files		hosts	{{ nscd_config_hosts_check_files | ternary('yes', 'no') }}
+persistent		hosts	{{ nscd_config_hosts_persistent | ternary('yes', 'no') }}
+shared			hosts	{{ nscd_config_hosts_shared | ternary('yes', 'no') }}
+max-db-size		hosts	{{ nscd_config_hosts_max_db_size_bytes }}
+
+enable-cache		services	{{ nscd_config_services_auto_propagate | ternary('yes', 'no') }}
+positive-time-to-live	services	{{ nscd_config_services_positive_ttl_seconds }}
+negative-time-to-live	services	{{ nscd_config_services_negative_ttl_seconds }}
+suggested-size		services	{{ nscd_config_services_suggested_size }}
+check-files		services	{{ nscd_config_services_check_files | ternary('yes', 'no') }}
+persistent		services	{{ nscd_config_services_persistent | ternary('yes', 'no') }}
+shared			services	{{ nscd_config_services_shared | ternary('yes', 'no') }}
+max-db-size		services	{{ nscd_config_services_max_db_size_bytes }}
--- a/roles/nscd/vars/main.yml
+++ b/roles/nscd/vars/main.yml
@ -0,0 +1,4 @@
+---
+
+nscd_apt_package_name: nscd
+nscd_systemd_service_name: nscd.service
--- a/roles/nslcd/defaults/main.yml
+++ b/roles/nslcd/defaults/main.yml
@ -0,0 +1,20 @@
+---
+
+nslcd_config_uid: nslcd
+nslcd_config_gid: nslcd
+
+nslcd_config_ldap_uri: ldaps://127.0.0.1
+nslcd_config_ldap_base: ~
+nslcd_config_ldap_scope: sub
+nslcd_config_ldap_version: 3
+nslcd_config_ldap_bind_dn: ~
+nslcd_config_ldap_bind_pw: ~
+nslcd_config_ldap_root_pw_mod_dn: ~
+nslcd_config_ldap_ssl: on
+nslcd_config_ldap_tls_reqcert: always
+nslcd_config_ldap_tls_cacertfile: /etc/ssl/certs/ca-certificates.crt
+
+nslcd_config_pam_authz_search: >-2
+  (&(objectClass=posixAccount)(uid=$username)(|
+    (host=$hostname)(host=$fqdn)
+  ))
--- a/roles/nslcd/tasks/main.yml
+++ b/roles/nslcd/tasks/main.yml
@ -0,0 +1,27 @@
+---
+
+- name: Ensure nslcd is installed
+  apt:
+    name: "{{ nslcd_apt_package_name }}"
+    state: present
+  when: ansible_facts['pkg_mgr'] == 'apt'
+
+- name: Ensure config is templated
+  template:
+    src: nslcd.conf.j2
+    dest: /etc/nslcd.conf
+    owner: root
+    group: root
+    mode: "0640"
+
+- name: Ensure systemd service is enabled
+  systemd:
+    service: "{{ nslcd_systemd_service_name }}"
+    enabled: true
+  when: ansible_facts['service_mgr'] == 'systemd'
+
+- name: Ensure systemd service is running
+  systemd:
+    service: "{{ nslcd_systemd_service_name }}"
+    state: started
+  when: ansible_facts['service_mgr'] == 'systemd'
--- a/roles/nslcd/templates/nslcd.conf.j2
+++ b/roles/nslcd/templates/nslcd.conf.j2
@ -0,0 +1,17 @@
+uid {{ nslcd_config_uid }}
+gid {{ nslcd_config_gid }}
+
+uri {{ nslcd_config_ldap_uri }}
+base {{ nslcd_config_ldap_base }}
+binddn {{ nslcd_config_ldap_bind_dn }}
+bindpw {{ nslcd_config_ldap_bind_pw }}
+ldap_version {{ nslcd_config_ldap_version }}
+
+rootpwmoddn {{ nslcd_config_ldap_root_pw_mod_dn }}
+
+ssl {{ nslcd_config_ldap_ssl }}
+tls_reqcert {{ nslcd_config_ldap_tls_reqcert }}
+tls_cacertfile {{ nslcd_config_ldap_tls_cacertfile }}
+
+scope {{ nslcd_config_ldap_scope }}
+pam_authz_search {{ nslcd_config_ldap_pam_authz_search }}
--- a/roles/nslcd/vars/main.yml
+++ b/roles/nslcd/vars/main.yml
Author	SHA1	Message	Date
Johanna Dorothea Reichmann	fb13bd55bf	feat(nslcd): add role	2022-11-05 12:15:13 +01:00
Johanna Dorothea Reichmann	c31e13a975	feat(nscd): add role	2022-11-05 12:01:30 +01:00
Johanna Dorothea Reichmann	1e0f4a0dbf	feat(gnupg): configure scdaemon.conf	2022-08-22 17:04:36 +02:00
Johanna Dorothea Reichmann	682307c35d	chore(gnupg): auto-launch a gpg agent instance	2022-08-20 21:56:50 +02:00
Johanna Dorothea Reichmann	27f05a1a34	feat(gnupg): add option for configuring a trusted key	2022-08-20 21:56:49 +02:00
Johanna Dorothea Reichmann	669a97adcb	feat(git): add role for configuring git	2022-08-20 21:56:48 +02:00
Johanna Dorothea Reichmann	8315d822ee	feat(gnupg): add role for configuring gnupg with support to act as an ssh agent	2022-08-20 16:49:19 +02:00