feat(nslcd): add role

README.md

@@ -5,12 +5,6 @@
 This ansible collection provides various roles for installing
 and configuring basic system utilities like gnupg, ssh etc
 
-- [`git`](roles/git/README.md): configures git on the target system
-- [`gnupg`](roles/gnupg/README.md): configures gnupg on the target system
-- [`mariadb`](roles/mariadb/README.md): runs [MariaDB Server](https://mariadb.org/), one of the world's most popular open source relational database
-- [`nginx`](roles/nginx/README.md): [nginx](https://www.nginx.com/),
-  an advanced load balancer, webserver and reverse proxy.
-
 ## License
 
 [CNPLv7+](LICENSE.md): Cooperative Nonviolent Public License

galaxy.yml

@@ -3,9 +3,10 @@ name: base
 version: 0.0.1
 readme: README.md
 authors:
-- transcaffeine <transcaffeine@finally.coffee>
+- Johanna Dorothea Reichmann <transcaffeine@finally.coffee>
-description: Roles for base services which are common dependencies other services like databases
+description: Roles for bootstrapping tools like gpg, ssh and git
-license_file: LICENSE.md
+license:
+- CNPLv7+
 build_ignore:
 - '*.tar.gz'
 repository: https://git.finally.coffee/finallycoffee/base

meta/runtime.yml

@@ -1,3 +0,0 @@
----
-
-requires_ansible: ">=2.12"

roles/git/README.md

@@ -1,19 +0,0 @@
-# `finallycoffee.base.git` ansible role
-
-This role configures git for the `ansible_user` and can be used
-to (pre)-configure git.
-
-## Examples
-
-```yaml
-
-git_config_user_name: # user name to use for git
-git_config_user_email: # email to use for git
-
-git_config_core_editor: vim # editor to use
-
-git_config_credentials:
-  - remote_url: https://github.com
-    config:
-      username: my_github_username
-```

roles/gnupg/README.md

@@ -1,4 +0,0 @@
-# `finallycoffee.base.gnupg` ansible role
-
-Configures GnuPG on the target system, including a Smart-Card (SC) daemon
-and can set up gpg-agent as an SSH-agent.

roles/mariadb/README.md

@@ -1,19 +0,0 @@
-# `finallycoffee.base.mariadb` ansible role
-
-This role deploys a MariaDB instance in a docker container.
-
-## Usage
-
-The role expects the following variables to be populated with values and/or secrets:
-
-```yaml
-mariadb_root_password: #mariadb root password
-mariadb_database: # name of the database to create
-mariadb_username: # name of a user to auto-create and assign permission on the mariadb_database
-mariadb_password: # password of the user in mariadb_username
-```
-
-## Requirements
-
-- Docker installed
-- python-docker present on target system for ansible to be able to talk with the docker API.

roles/mariadb/defaults/main.yml

@@ -1,32 +0,0 @@
----
-
-mariadb_version: "10.6.11"
-mariadb_base_path: /var/lib/mariadb
-mariadb_data_path: "{{ mariadb_base_path }}/{{ mariadb_version }}"
-
-mariadb_root_password: ~
-mariadb_database: ~
-mariadb_username: ~
-mariadb_password: ~
-
-mariadb_container_base_environment:
-  MARIADB_ROOT_PASSWORD: "{{ mariadb_root_password }}"
-mariadb_container_extra_environment: {}
-
-mariadb_container_name: mariadb
-mariadb_container_image_name: docker.io/mariadb
-mariadb_container_image_tag: ~
-mariadb_container_image: "{{ mariadb_container_image_name }}:{{ mariadb_container_image_tag | default(mariadb_version, true) }}"
-mariadb_container_base_volumes:
-  - "{{ mariadb_data_path }}:{{ mariadb_container_data_path }}:z"
-mariadb_container_extra_volumes: []
-mariadb_container_base_labels:
-  version: "{{ mariadb_version }}"
-mariadb_container_extra_labels: {}
-mariadb_container_restart_policy: "unless-stopped"
-mariadb_container_environment: >-2
-  {{ mariadb_container_base_environment
-  | combine(mariadb_container_database_environment
-      if (mariadb_database and mariadb_username and mariadb_password)
-      else {}, recursive=True)
-  | combine(mariadb_container_extra_environment) }}

roles/mariadb/tasks/main.yml

@@ -1,20 +0,0 @@
----
-- name: Ensure mariaDB container image is present on host
-  community.docker.docker_image:
-    name: "{{ mariadb_container_image }}"
-    state: present
-    source: pull
-
-- name: Ensure mariaDB {{ mariadb_version }} is running as '{{ mariadb_container_name }}'
-  community.docker.docker_container:
-    name: "{{ mariadb_container_name }}"
-    image: "{{ mariadb_container_image }}"
-    env: "{{ mariadb_container_environment }}"
-    ports: "{{ mariadb_container_ports }}"
-    labels: "{{ mariadb_container_labels }}"
-    volumes: "{{ mariadb_container_volumes }}"
-    networks: "{{ mariadb_container_networks | default(omit, true) }}"
-    etc_hosts: "{{ mariadb_container_etc_hosts | default(omit, true) }}"
-    purge_networks: "{{ mariadb_container_purge_networks | default(omit, true) }}"
-    restart_policy: "{{ mariadb_container_restart_policy }}"
-    state: started

roles/mariadb/vars/main.yml

@@ -1,10 +0,0 @@
----
-
-mariadb_container_database_environment:
-  MARIADB_DATABASE: "{{ mariadb_database }}"
-  MARIADB_USER: "{{ mariadb_username }}"
-  MARIADB_PASSWORD: "{{ mariadb_password }}"
-
-mariadb_container_data_path: /var/lib/mysql
-mariadb_container_volumes: "{{ mariadb_container_base_volumes + mariadb_container_extra_volumes }}"
-mariadb_container_labels: "{{ mariadb_container_base_labels | combine(mariadb_container_extra_labels, recursive=True) }}"

roles/nginx/README.md

@@ -1,28 +0,0 @@
-# `finallycoffee.services.nginx` ansible role
-
-## Description
-
-Runs `nginx`, a HTTP reverse proxy, in a docker container.
-
-## Usage
-
-For the role to do anything, `nginx_config` needs to be populated with the configuration for nginx.
-An example would be:
-
-```yaml
-nginx_config: |+
-  server {
-    listen 80 default_server;
-    server_name my.server.fqdn;
-    location / { return 200; }
-  }
-```
-
-The container is named `nginx` by default, this can be overridden in `nginx_container_name`.
-When running this role multiple times, `nginx_base_path` should also be changed for each run,
-otherwise the configuration files collide in the filesystem.
-
-For exposing this server to the host and/or internet, the `nginx_container_ports` (port forwarding host
-from host to container), `nginx_container_networks` (docker networking) or `nginx_container_labels`
-(for label-based routing discovery like traefik) can be used. The options correspond to the arguments
-of the `community.docker.docker_container` module.

roles/nginx/defaults/main.yml

@@ -1,33 +0,0 @@
----
-
-nginx_version: "1.25.1"
-nginx_flavour: alpine
-nginx_base_path: /opt/nginx
-nginx_config_file: "{{ nginx_base_path }}/nginx.conf"
-
-nginx_container_name: nginx
-nginx_container_image_reference: >-
-  {{
-    nginx_container_image_repository
-    + ':' + (nginx_container_image_tag
-      | default(nginx_version
-      + (('-' + nginx_flavour) if nginx_flavour is defined else ''), true))
-  }}
-nginx_container_image_repository: >-
-  {{
-    (
-      container_registries[nginx_container_image_registry]
-      | default(nginx_container_image_registry)
-    )
-    + '/'
-    + nginx_container_image_namespace | default('')
-    + nginx_container_image_name
-  }}
-nginx_container_image_registry: "docker.io"
-nginx_container_image_name: "nginx"
-nginx_container_image_tag: ~
-
-nginx_container_restart_policy: "unless-stopped"
-nginx_container_volumes:
-  - "{{ nginx_config_file }}:/etc/nginx/conf.d/nginx.conf:ro"
- 

roles/nginx/handlers/main.yml

@@ -1,8 +0,0 @@
----
-
-- name: Ensure nginx container '{{ nginx_container_name }}' is restarted
-  community.docker.docker_container:
-    name: "{{ nginx_container_name }}"
-    state: started
-    restart: true
-  listen: restart-nginx

roles/nginx/tasks/main.yml

@@ -1,37 +0,0 @@
----
-
-- name: Ensure base path '{{ nginx_base_path }}' exists
-  ansible.builtin.file:
-    path: "{{ nginx_base_path }}"
-    state: directory
-    mode: 0755
-
-- name: Ensure nginx config file is templated
-  ansible.builtin.copy:
-    dest: "{{ nginx_config_file }}"
-    content: "{{ nginx_config }}"
-    mode: 0640
-  notify:
-    - restart-nginx
-
-- name: Ensure docker container image is present
-  community.docker.docker_image:
-    name: "{{ nginx_container_image_reference }}"
-    state: present
-    source: pull
-    force_source: "{{ nginx_container_image_tag is defined and nginx_container_image_tag | string != '' }}"
-
-- name: Ensure docker container '{{ nginx_container_name }}' is running
-  community.docker.docker_container:
-    name: "{{ nginx_container_name }}"
-    image: "{{ nginx_container_image_reference }}"
-    env: "{{ nginx_container_env | default(omit, true) }}"
-    user: "{{ nginx_container_user | default(omit, true) }}"
-    ports: "{{ nginx_container_ports | default(omit, true) }}"
-    labels: "{{ nginx_container_labels | default(omit, true) }}"
-    volumes: "{{ nginx_container_volumes | default(omit, true) }}"
-    etc_hosts: "{{ nginx_container_etc_hosts | default(omit, true) }}"
-    networks: "{{ nginx_container_networks | default(omit, true) }}"
-    purge_networks: "{{ nginx_container_purge_networks | default(omit, true) }}"
-    restart_policy: "{{ nginx_container_restart_policy }}"
-    state: started

roles/nscd/defaults/main.yml

@@ -0,0 +1,41 @@
+---
+
+nscd_config_file: /etc/nscd.conf
+
+nscd_config_password_enable_cache: true
+nscd_config_password_positive_ttl_seconds: 300
+nscd_config_password_negative_ttl_seconds: 10
+nscd_config_password_suggested_size: 221
+nscd_config_password_check_files: true
+nscd_config_password_persistent: true
+nscd_config_password_shared: true
+nscd_config_password_max_db_size_bytes: 33554432
+nscd_config_password_auto_propagate: yes
+
+nscd_config_group_enable_cache: true
+nscd_config_group_positive_ttl_seconds: 900
+nscd_config_group_negative_ttl_seconds: 30
+nscd_config_group_suggested_size: 221
+nscd_config_group_check_files: true
+nscd_config_group_persistent: true
+nscd_config_group_shared: true
+nscd_config_group_max_db_size_bytes: 33554432
+nscd_config_group_auto_propagate: yes
+
+nscd_config_hosts_enable_cache: true
+nscd_config_hosts_positive_ttl_seconds: 1800
+nscd_config_hosts_negative_ttl_seconds: 60
+nscd_config_hosts_suggested_size: 221
+nscd_config_hosts_check_files: true
+nscd_config_hosts_persistent: true
+nscd_config_hosts_shared: true
+nscd_config_hosts_max_db_size_bytes: 33554432
+
+nscd_config_services_enable_cache: true
+nscd_config_services_positive_ttl_seconds: 28800
+nscd_config_services_negative_ttl_seconds: 20
+nscd_config_services_suggested_size: 221
+nscd_config_services_check_files: true
+nscd_config_services_persistent: true
+nscd_config_services_shared: true
+nscd_config_services_max_db_size_bytes: 33554432

roles/nscd/tasks/main.yml

@@ -0,0 +1,27 @@
+---
+
+- name: Make sure nscd is installed
+  apt:
+    name: "{{ nscd_apt_package_name }}"
+    state: present
+  when: ansible_facts['pkg_mgr'] == 'apt'
+
+- name: Ensure nscd is configured
+  template:
+    src: nscd.conf.j2
+    dest: "{{ nscd_config_file }}"
+    owner: root
+    group: root
+    mode: "0640"
+
+- name: Ensure systemd service is enabled
+  systemd:
+    service: "{{ nscd_systemd_service_name }}"
+    enabled: true
+  when: ansible_facts['service_mgr'] == 'systemd'
+
+- name: Ensure systemd service is started
+  systemd:
+    service: "{{ nscd_systemd_service_name }}"
+    state: started
+  when: ansible_facts['service_mgr'] == 'systemd'

roles/nscd/templates/nscd.conf.j2

@@ -0,0 +1,41 @@
+#logfile	/var/log/nscd.log
+#threads	4
+#max-threads	32
+
+enable-cache		passwd	{{ nscd_config_passwd_auto_propagate | ternary('yes', 'no') }}
+positive-time-to-live	passwd	{{ nscd_config_passwd_positive_ttl_seconds }}
+negative-time-to-live	passwd	{{ nscd_config_passwd_negative_ttl_seconds }}
+suggested-size		passwd	{{ nscd_config_passwd_suggested_size }}
+check-files		passwd	{{ nscd_config_passwd_check_files | ternary('yes', 'no') }}
+persistent		passwd	{{ nscd_config_passwd_persistent | ternary('yes', 'no') }}
+shared			passwd	{{ nscd_config_passwd_shared | ternary('yes', 'no') }}
+max-db-size		passwd	{{ nscd_config_passwd_max_db_size_bytes }}
+auto-propagate		passwd	{{ nscd_config_passwd_auto_propagate | ternary('yes', 'no') }}
+
+enable-cache		group	{{ nscd_config_group_auto_propagate | ternary('yes', 'no') }}
+positive-time-to-live	group	{{ nscd_config_group_positive_ttl_seconds }}
+negative-time-to-live	group	{{ nscd_config_group_negative_ttl_seconds }}
+suggested-size		group	{{ nscd_config_group_suggested_size }}
+check-files		group	{{ nscd_config_group_check_files | ternary('yes', 'no') }}
+persistent		group	{{ nscd_config_group_persistent | ternary('yes', 'no') }}
+shared			group	{{ nscd_config_group_shared | ternary('yes', 'no') }}
+max-db-size		group	{{ nscd_config_group_max_db_size_bytes }}
+auto-propagate		group	{{ nscd_config_group_auto_propagate | ternary('yes', 'no') }}
+
+enable-cache		hosts	{{ nscd_config_hosts_auto_propagate | ternary('yes', 'no') }}
+positive-time-to-live	hosts	{{ nscd_config_hosts_positive_ttl_seconds }}
+negative-time-to-live	hosts	{{ nscd_config_hosts_negative_ttl_seconds }}
+suggested-size		hosts	{{ nscd_config_hosts_suggested_size }}
+check-files		hosts	{{ nscd_config_hosts_check_files | ternary('yes', 'no') }}
+persistent		hosts	{{ nscd_config_hosts_persistent | ternary('yes', 'no') }}
+shared			hosts	{{ nscd_config_hosts_shared | ternary('yes', 'no') }}
+max-db-size		hosts	{{ nscd_config_hosts_max_db_size_bytes }}
+
+enable-cache		services	{{ nscd_config_services_auto_propagate | ternary('yes', 'no') }}
+positive-time-to-live	services	{{ nscd_config_services_positive_ttl_seconds }}
+negative-time-to-live	services	{{ nscd_config_services_negative_ttl_seconds }}
+suggested-size		services	{{ nscd_config_services_suggested_size }}
+check-files		services	{{ nscd_config_services_check_files | ternary('yes', 'no') }}
+persistent		services	{{ nscd_config_services_persistent | ternary('yes', 'no') }}
+shared			services	{{ nscd_config_services_shared | ternary('yes', 'no') }}
+max-db-size		services	{{ nscd_config_services_max_db_size_bytes }}

roles/nscd/vars/main.yml

@@ -0,0 +1,4 @@
+---
+
+nscd_apt_package_name: nscd
+nscd_systemd_service_name: nscd.service

roles/nslcd/defaults/main.yml

@@ -0,0 +1,20 @@
+---
+
+nslcd_config_uid: nslcd
+nslcd_config_gid: nslcd
+
+nslcd_config_ldap_uri: ldaps://127.0.0.1
+nslcd_config_ldap_base: ~
+nslcd_config_ldap_scope: sub
+nslcd_config_ldap_version: 3
+nslcd_config_ldap_bind_dn: ~
+nslcd_config_ldap_bind_pw: ~
+nslcd_config_ldap_root_pw_mod_dn: ~
+nslcd_config_ldap_ssl: on
+nslcd_config_ldap_tls_reqcert: always
+nslcd_config_ldap_tls_cacertfile: /etc/ssl/certs/ca-certificates.crt
+
+nslcd_config_pam_authz_search: >-2
+  (&(objectClass=posixAccount)(uid=$username)(|
+    (host=$hostname)(host=$fqdn)
+  ))

roles/nslcd/tasks/main.yml

@@ -0,0 +1,27 @@
+---
+
+- name: Ensure nslcd is installed
+  apt:
+    name: "{{ nslcd_apt_package_name }}"
+    state: present
+  when: ansible_facts['pkg_mgr'] == 'apt'
+
+- name: Ensure config is templated
+  template:
+    src: nslcd.conf.j2
+    dest: /etc/nslcd.conf
+    owner: root
+    group: root
+    mode: "0640"
+
+- name: Ensure systemd service is enabled
+  systemd:
+    service: "{{ nslcd_systemd_service_name }}"
+    enabled: true
+  when: ansible_facts['service_mgr'] == 'systemd'
+
+- name: Ensure systemd service is running
+  systemd:
+    service: "{{ nslcd_systemd_service_name }}"
+    state: started
+  when: ansible_facts['service_mgr'] == 'systemd'

roles/nslcd/templates/nslcd.conf.j2

@@ -0,0 +1,17 @@
+uid {{ nslcd_config_uid }}
+gid {{ nslcd_config_gid }}
+
+uri {{ nslcd_config_ldap_uri }}
+base {{ nslcd_config_ldap_base }}
+binddn {{ nslcd_config_ldap_bind_dn }}
+bindpw {{ nslcd_config_ldap_bind_pw }}
+ldap_version {{ nslcd_config_ldap_version }}
+
+rootpwmoddn {{ nslcd_config_ldap_root_pw_mod_dn }}
+
+ssl {{ nslcd_config_ldap_ssl }}
+tls_reqcert {{ nslcd_config_ldap_tls_reqcert }}
+tls_cacertfile {{ nslcd_config_ldap_tls_cacertfile }}
+
+scope {{ nslcd_config_ldap_scope }}
+pam_authz_search {{ nslcd_config_ldap_pam_authz_search }}