Задача
Мне нужно создать playbook для ansible, который будет настраивать систему на базе клона CentOS (ОСь от НЦИ - http://www.os-rt.ru/ ).
А именно: устанавливать необходимые пакеты, настраивать систему для авторизации средствами AD, настраивать autodiscovery для почтового клиента evolution для работы с MS Exchange и производить мелкий тюнинг системы.
PlayBook
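---
# Stage 1: base setup of an NCI OS (CentOS 7 clone) desktop.
#   * network / DNS / hostname
#   * import of the TLS-interception (IronPort) CA chain
#   * packages, chrony, Kerberos + Samba/winbind for AD logon
#   * Citrix VDA rpm (PostgreSQL + temporary CentOS repo)
#   * Evolution EWS autodiscovery script and skel defaults
# Domain join and VDA registration live in the second playbook.
- hosts: nci-os
  vars:
    hostname: szud-os1
    domain_name: sigma.sbrf.ru
    dns_servers:
      - 10.21.7.212
      - 10.21.7.213
      # - 192.168.122.1
      # - 4.2.2.4
    domain_search: "{{ domain_name }} sberbank.ru"
    ca_cert_prefix: SberBank_Root_CA
    # The DCs double as NTP sources; AD requires clock skew < 5 min.
    domain_controllers: "{{ dns_servers }}"
    # Temporary CentOS repo used only while the VDA rpm is installed.
    # 7.3.1611 is pinned; older point releases move to vault.centos.org,
    # so adjust the URL when the mirror drops this tree.
    centos_base_url: http://mirror.yandex.ru/centos/7.3.1611/os/x86_64/
    # NOTE(review): the VDA rpm is fetched over plain HTTP from an internal
    # host with no signature or checksum verification; serve it from a
    # GPG-signed repo or verify a known checksum before installing.
    vda_rpm_url: http://10.38.246.21/XenDesktopVDA-7.14.0.400-1.el7_2.x86_64.rpm
  remote_user: root
  tasks:
    #### Setup Network Settings ####
    # Assumes the NetworkManager connection is named after the device
    # (the CentOS default); nmcli fails otherwise.
    - name: setting DNS
      shell: |
        nmcli con mod {{ ansible_default_ipv4.interface }} ipv4.dns-search "{{ domain_search }}"
        nmcli con mod {{ ansible_default_ipv4.interface }} ipv4.dns "{{ dns_servers | join(' ') }}"
        nmcli con down {{ ansible_default_ipv4.interface }}
        nmcli con up {{ ansible_default_ipv4.interface }}

    - name: Disable IPv6
      sysctl:
        name: "net.ipv6.conf.{{ item }}.disable_ipv6"
        value: "1"
        sysctl_set: true
        state: present
        reload: true
      with_items:
        - all
        - default
        - lo
        - "{{ ansible_default_ipv4.interface }}"

    # Short hostname only; the FQDN is provided through /etc/hosts below
    # (use "{{ hostname }}.{{ domain_name }}" here if the FQDN is wanted).
    - name: Set hostname
      shell: |
        sysctl kernel.hostname="{{ hostname }}"
        sysctl -p
        hostnamectl set-hostname "{{ hostname }}"
        sed -i '/^127./D' /etc/hosts

    - name: Set loopback entry in /etc/hosts
      lineinfile:
        name: /etc/hosts
        regexp: '^127\.0\.0\.1'
        line: '127.0.0.1 {{ hostname }}.{{ domain_name }} {{ hostname }} localhost.localdomain localhost'

    # The original regexp was the sed expression '/^::1/D', which never
    # matches, so the IPv6 loopback line was never removed.
    - name: Remove IPv6 loopback entry from /etc/hosts
      lineinfile:
        name: /etc/hosts
        regexp: '^::1'
        state: absent

    - name: restart NetworkManager service
      service:
        name: NetworkManager
        state: restarted

    #### Import IronPort Certificates ####
    # Trust-on-first-use: the CA chain presented by the TLS-intercepting
    # proxy on the way to ya.ru is split into files and installed as trust
    # anchors. This trusts whatever is on the wire at run time, so prefer
    # shipping the corporate root CA from the controller (copy module) when
    # it is available. At least never anchor an end-entity certificate:
    # only pieces carrying CA:TRUE are kept.
    - name: Import Certificates
      shell: |
        update-ca-trust force-enable
        echo "Trying to reach ya.ru..."
        ping -c 5 ya.ru &> /dev/null && openssl s_client -showcerts -servername ya.ru -connect ya.ru:443 </dev/null > chain.pem || exit 1
        csplit -k -f "{{ ca_cert_prefix }}" ./chain.pem '/END CERTIFICATE/+1' {10}
        # csplit leaves a trailing piece without a certificate; drop it
        find ./ -iname "{{ ca_cert_prefix }}"\* -type f -exec grep -F -L 'END CERTIFICATE' '{}' + | xargs -d '\n' rm
        # keep CA certificates only (the ya.ru leaf must not become an anchor)
        for file in "{{ ca_cert_prefix }}"* ; do
          [ -e "$file" ] || continue
          if ! openssl x509 -in "$file" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; then
            rm -f "$file"
          fi
        done
        for file in "{{ ca_cert_prefix }}"* ; do
          [ -e "$file" ] || continue
          mv "$file" /etc/pki/ca-trust/source/anchors/"$file".pem
        done
        for file in /etc/pki/ca-trust/source/anchors/"{{ ca_cert_prefix }}"* ; do
          [ -e "$file" ] || continue
          cp "$file" /etc/ssl/certs/
        done
        update-ca-trust extract
        rm -f ./chain.pem
        exit 0

    #### Setup Software ####
    - name: upgrade all packages
      yum:
        name: '*'
        state: latest

    # bind-utils provides `host`, used by the Authconfig task to find DCs.
    # The Adobe release rpm is pulled over plain HTTP; the package itself
    # carries its signing key, but Flash is EOL — drop it when no longer
    # required by the VDA desktop.
    - name: install packages
      yum:
        name: "{{ item }}"
        state: present
      with_items:
        - nano
        - curl
        - openssl
        - nss-tools
        - chrony
        - bind-utils
        - authconfig
        - krb5-workstation
        - samba
        - samba-client
        - samba-winbind
        - samba-winbind-clients
        - pam_krb5
        - oddjob-mkhomedir
        - cyrus-sasl-gssapi
        - cyrus-sasl-ntlm
        - openldap-clients
        - cifs-utils
        - aspell
        - evolution
        - evolution-ews
        - desktop-file-utils
        - xorg-x11-server-Xvfb
        - "@Development tools"
        - glibc.i686
        - http://linuxdownload.adobe.com/adobe-release/adobe-release-x86_64-1.0-1.noarch.rpm
        - java-1.8.0-openjdk

    - name: install flash-plugin
      yum:
        name: flash-plugin
        state: present

    #### Setup Chrony NTP Client ####
    - name: Remove default chrony sources
      lineinfile:
        name: /etc/chrony.conf
        regexp: "{{ item.regexp }}"
        state: absent
      with_items:
        - { regexp: '^pool.*' }
        - { regexp: '^server.*' }

    - name: Use domain controllers as time sources
      lineinfile:
        name: /etc/chrony.conf
        line: 'server {{ item }} iburst'
      with_items: "{{ domain_controllers }}"

    - name: Restart chronyd
      service:
        name: chronyd
        state: restarted

    #### Setup Kerberos and Samba ####
    # authconfig wires PAM/NSS to winbind; krb5.conf is then rewritten by
    # hand with the DCs found via the _ldap._tcp SRV record. smb.conf is
    # regenerated in the next task, so the --smb* options only matter until
    # then; the workgroup is the NetBIOS short name to match that file.
    - name: run Authconfig
      shell: |
        DEFAULT_REALM="{{ domain_name | upper }}"
        DOMAIN_CONTROLLERS="$(host -t srv _ldap._tcp."{{ domain_name }}" | awk {'print $8'} | sed 's/.$//g')"
        NEW_DOMAINNAME="{{ domain_name }}"
        mv /etc/krb5.conf /etc/krb5.conf_"$(date +"%d.%m.%y_%H-%M")"
        touch /etc/krb5.conf
        authconfig --disablecache --disablesssd --disablesssdauth --enablewinbind --enablewinbindauth \
        --smbsecurity=ads --smbworkgroup="${DEFAULT_REALM%%.*}" --smbrealm=$DEFAULT_REALM --enablewinbindusedefaultdomain \
        --winbindtemplatehomedir=/home/%U --winbindtemplateshell=/bin/bash --enablekrb5 --krb5realm=$DEFAULT_REALM \
        --disablekrb5realmdns --enablekrb5kdcdns --enablelocauthorize --enablemkhomedir --enablepamaccess --updateall
        # FILE ccache in /tmp so desktop tools (curl --negotiate, ldapsearch)
        # find the ticket winbind obtains at logon
        LIBDEFAULTS="$(cat <<EOF
        [libdefaults]
        dns_lookup_kdc = true
        dns_lookup_realm = false
        default_realm = $DEFAULT_REALM
        clockskew = 300
        default_ccache_name = FILE:/tmp/krb5cc_%{uid}
        EOF
        )"
        REALMS_KDC="$(for kdc in $DOMAIN_CONTROLLERS; do echo "kdc = $kdc";done)"
        REALMS="$(cat <<EOF
        [realms]
        $DEFAULT_REALM = {
        $REALMS_KDC
        default_domain = $DEFAULT_REALM
        }
        EOF
        )"
        DOMAIN_REALM="$(cat <<EOF
        [domain_realm]
        .$NEW_DOMAINNAME = $DEFAULT_REALM
        $NEW_DOMAINNAME = $DEFAULT_REALM
        [appdefaults]
        pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
        forwardable = true
        proxiable = false
        minimum_uid = 1
        }
        EOF
        )"
        echo "$LIBDEFAULTS" > /etc/krb5.conf
        echo "$REALMS" >> /etc/krb5.conf
        echo "$DOMAIN_REALM" >> /etc/krb5.conf

    # Workstation-only smb.conf: member of the AD realm, no shares, no
    # printing, NTLMv2/SPNEGO on the client side.
    # NOTE(review): "map to guest = Bad User" maps unknown inbound users to
    # guest; harmless while no shares are defined, but set it to "Never" if
    # shares are ever added. Consider "client min protocol = SMB2" once the
    # file servers are confirmed not to need SMB1.
    - name: Setup Samba config
      shell: |
        mv /etc/samba/smb.conf /etc/samba/smb.conf.bak_"$(date +"%d.%m.%y_%H-%M")"
        SMBCONF="$(cat <<EOF
        [global]
        workgroup = {{ domain_name.split('.')[0] | upper }}
        passdb backend = tdbsam
        map to guest = Bad User
        include = /etc/samba/dhcp.conf
        usershare allow guests = No
        idmap gid = 10000-20000
        idmap uid = 10000-20000
        realm = {{ domain_name | upper }}
        security = ADS
        template homedir = /home/%D/%U
        template shell = /bin/bash
        usershare max shares = 100
        encrypt passwords = yes
        kerberos method = secrets and keytab
        winbind nested groups = yes
        winbind offline logon = no
        winbind refresh tickets = yes
        winbind use default domain = yes
        dns proxy = no
        domain master = no
        local master = no
        preferred master = no
        load printers = no
        show add printer wizard = no
        printcap name = /dev/null
        disable spoolss = yes
        client use spnego = yes
        client ntlmv2 auth = yes
        EOF
        )"
        echo "$SMBCONF" > /etc/samba/smb.conf

    # NOTE(review): ews_autodiscovery.sh relies on curl --negotiate finding
    # the user's TGT; if no ccache shows up after logon, pam_winbind may
    # also need "krb5_ccache_type = FILE" here — verify on a test host.
    - name: Enable Kerberos auth in pam_winbind
      lineinfile:
        name: /etc/security/pam_winbind.conf
        regexp: '^.*krb5_auth'
        line: 'krb5_auth = yes'

    #### Install CitrixVDA ####
    # Packages from this temporary repo are GPG-verified against the CentOS 7
    # key shipped at the root of the same os tree (the original had
    # gpgcheck off on a plain-HTTP mirror). Pre-seeding the key with
    # rpm_key from a trusted copy is stronger than fetching it here.
    - name: Add Base CentOS repository
      yum_repository:
        name: base_centos
        file: CentOS_Base
        description: Base CentOS repository
        # baseurl: http://mirrorlist.centos.org/?release=7&arch=x86_64&repo=os&infra=stock
        # baseurl: http://ftp.nsc.ru/pub/centos/7/os/x86_64/
        baseurl: "{{ centos_base_url }}"
        gpgcheck: true
        gpgkey: "{{ centos_base_url }}RPM-GPG-KEY-CentOS-7"

    - name: Install PostgreSQL
      yum:
        name: "{{ item }}"
        state: present
      with_items:
        - postgresql-server
        - postgresql-jdbc
        - java-1.8.0-openjdk
        - open-vm-tools

    - name: Initialise and enable PostgreSQL
      shell: |
        postgresql-setup initdb
        systemctl start postgresql
        systemctl enable postgresql

    - name: Install VDA
      # yum: state=present name=http://szud-linux-repo.sigma.sbrf.ru/XenDesktopVDA-7.13.0.382-1.el7_2.x86_64.rpm
      # yum: state=present name=http://10.38.246.21/XenDesktopVDA-7.13.0.382-1.el7_2.x86_64.rpm
      yum:
        name: "{{ vda_rpm_url }}"
        state: present

    - name: Remove CentOS Base Repo
      yum_repository:
        name: base_centos
        state: absent
      notify: yum-clean-metadata

    #### Evolution EWS autodiscovery ####
    # Written with copy (not blockinfile): blockinfile prepends its marker
    # line, which pushed "#!/bin/bash" off line 1 and made the shebang
    # ineffective when the autostart entry executes the script directly.
    # The script runs per user at desktop login (see the .desktop entry):
    # it finds the current DC via winbind, reads the user's mail attribute
    # from AD, queries Exchange Autodiscover with Kerberos and generates
    # Evolution source files if none exist yet.
    - name: Setup Evolution
      copy:
        dest: /usr/bin/ews_autodiscovery.sh
        mode: "0755"
        content: |
          #!/bin/bash
          export GIO_USE_NETWORK_MONITOR=base
          DOMAINNAME=`hostname -d`
          LOG=~/.ews_setup.log
          ##################################################
          ### Check if Evolution EWS source file exist
          ##################################################
          if [ -f ~/.config/evolution/sources/ews.$USER.$DOMAINNAME.1.source ]; then
            echo
          else
            : > "$LOG"
            ##########################################
            ## Check if connected to AD
            ##########################################
            if ! wbinfo -P; then
              echo "NETLOGON test failed" >> "$LOG"
            else
              echo "NETLOGON test OK" >> "$LOG"
              CURRENT_DC=`wbinfo -P | awk '{print $9}' | awk -F "\"" '{print $2}'`
              FULL_NAME=`wbinfo -i $USER | awk -F ":" '{print $5}'`
              BASEDN=`echo $CURRENT_DC | sed s/"\."/,dc=/g | sed -r 's!^[^dc=]+!!'`
              # no -x, so ldapsearch negotiates SASL; with the logon TGT and
              # cyrus-sasl-gssapi installed that is presumably GSSAPI
              MAIL=`ldapsearch -h $CURRENT_DC -b "$BASEDN" "sAMAccountName=$USER" | grep mail: | awk '{print $2 }'`
              ###############################################################################################
              ### MS Exchange autodiscovery
              #### https://github.com/sys4/automx/blob/master/src/automx-test
              #### http://stackoverflow.com/questions/38509837/when-using-negotiate-with-curl-is-a-keytab-file-required
              #### Joined AD with samba/winbind and have package gss-ntlmssp
              #### libsasl2-modules-gssapi-mit
              ###############################################################################################
              if [ -z "$MAIL" ]; then
                echo "no mail attribute found for $USER in AD... Exit..." >> "$LOG"
                exit 1
              fi
              AUTOD_URL="https://autodiscover.${MAIL##*@}/autodiscover/autodiscover.xml"
              REQUEST=$(cat <<EOF
          <Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">
            <Request>
              <EMailAddress>$MAIL</EMailAddress>
              <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>
            </Request>
          </Autodiscover>
          EOF
          )
              # TLS is verified against the CA bundle populated by the playbook;
              # if the Exchange certificate is from another internal CA, add that
              # CA to the anchors instead of reintroducing -k. curl is called
              # directly so that AD data ($MAIL) is never re-parsed by a shell.
              curl -s --negotiate -u : -H 'Content-Type: text/xml' -d "$REQUEST" "$AUTOD_URL" > ~/.autodiscover.xml
              OABUrl=$(grep -m 1 OABUrl ~/.autodiscover.xml | awk -F '[<>]' '{ print $3 }')oab.xml
              EwsUrl=$(grep -m 1 EwsUrl ~/.autodiscover.xml | awk -F '[<>]' '{ print $3 }')
              EwsHost=$(echo $EwsUrl | awk -F '/' '{ print $3 }')
              rm ~/.autodiscover.xml
              echo CURRENT_DC - $CURRENT_DC >> "$LOG"
              echo FULL_NAME - $FULL_NAME >> "$LOG"
              echo BASEDN - $BASEDN >> "$LOG"
              echo MAIL - $MAIL >> "$LOG"
              echo DOMAINNAME - $DOMAINNAME >> "$LOG"
              echo OABUrl - $OABUrl >> "$LOG"
              echo EwsUrl - $EwsUrl >> "$LOG"
              echo EwsHost - $EwsHost >> "$LOG"
              ################################################################
              ### Check URLs format
              ################################################################
              echo $OABUrl | grep -E '(https|http)://(([[:alnum:]]|-|_|\.|~|!|\*|;|:|@|&|=|+|\$|,|/|\?|%|#|\[|\]])*/(oab|OAB)([[:alnum:]]|-|_|\.|~|!|\*|;|:|@|&|=|+|\$|,|/|\?|%|#|\[|\]])*/oab.xml)'
              OAB_URL_Check=$?
              echo $EwsUrl | grep -E '(https|http)://(([[:alnum:]]|-|_|\.|~|!|\*|;|:|@|&|=|+|\$|,|/|\?|%|#|\[|\]])*/(ews|EWS)([[:alnum:]]|-|_|\.|~|!|\*|;|:|@|&|=|+|\$|,|/|\?|%|#|\[|\]])*/exchange.asmx)'
              EWS_URL_Check=$?
              if [ $OAB_URL_Check != 0 ] || [ $EWS_URL_Check != 0 ]; then
                echo "OAB and EWS URLs check failed... Exit..." >> "$LOG"
              else
                echo "OAB and EWS URLs check OK" >> "$LOG"
                ######################################################################
                ### CleaningUp and creating evolution source files
                ### (any existing Evolution account config is discarded)
                ######################################################################
                killall evolution-source-registry
                rm -Rf ~/.config/evolution/sources
                mkdir --parents ~/.config/evolution/sources
                #####################################################################################
                cat <<EOF > ~/.config/evolution/sources/ews.$USER.$DOMAINNAME.1.source
          [Data Source]
          DisplayName=$MAIL
          Enabled=true
          Parent=
          [Offline]
          StaySynchronized=true
          [Authentication]
          Host=$EwsHost
          #Method=none
          Method=GSSAPI
          Port=443
          ProxyUid=system-proxy
          RememberPassword=true
          User=$USER
          CredentialName=
          [Collection]
          BackendName=ews
          CalendarEnabled=true
          ContactsEnabled=true
          Identity=$USER
          MailEnabled=true
          [Security]
          Method=none
          [Ews Backend]
          FilterInbox=true
          StoreChangesInterval=3
          CheckAll=true
          ListenNotifications=true
          Email=$MAIL
          FilterJunk=true
          FilterJunkInbox=false
          FoldersInitialized=true
          GalUid=ews.$USER.$DOMAINNAME
          Hosturl=$EwsUrl
          Oaburl=$OABUrl
          OabOffline=true
          OalSelected=
          Timeout=300
          UseImpersonation=false
          ImpersonateUser=
          EOF
                ######################################################################
                cat <<EOF > ~/.config/evolution/sources/ews.$USER.$DOMAINNAME.0.source
          [Data Source]
          DisplayName=$MAIL
          Enabled=true
          Parent=ews.$USER.$DOMAINNAME.1
          [Mail Composition]
          Bcc=
          Cc=
          DraftsFolder=folder://ews.$USER.$DOMAINNAME/%d0%a7%d0%b5%d1%80%d0%bd%d0%be%d0%b2%d0%b8%d0%ba%d0%b8
          SignImip=true
          TemplatesFolder=folder://local/Templates
          [Mail Identity]
          Address=$MAIL
          Name=$FULL_NAME
          Organization=
          ReplyTo=
          SignatureUid=none
          [Mail Submission]
          SentFolder=folder://ews.$USER.$DOMAINNAME/%d0%9e%d1%82%d0%bf%d1%80%d0%b0%d0%b2%d0%bb%d0%b5%d0%bd%d0%bd%d1%8b%d0%b5
          TransportUid=ews.$USER.$DOMAINNAME.13
          RepliesToOriginFolder=false
          EOF
                ######################################################################
                cat <<EOF > ~/.config/evolution/sources/ews.$USER.$DOMAINNAME.3.source
          [Data Source]
          DisplayName=$MAIL
          Enabled=true
          Parent=ews.$USER.$DOMAINNAME.1
          [Refresh]
          Enabled=true
          IntervalMinutes=3
          [Mail Account]
          BackendName=ews
          IdentityUid=ews.$USER.$DOMAINNAME
          ArchiveFolder=
          EOF
                ###############################################################################
                cat <<EOF > ~/.config/evolution/sources/ews.$USER.$DOMAINNAME.13.source
          [Data Source]
          DisplayName=$MAIL
          Enabled=true
          Parent=ews.$USER.$DOMAINNAME.1
          [Mail Transport]
          BackendName=ews
          EOF
                ################################################################################
                cat <<EOF > ~/.config/evolution/sources/local.source
          # Special built-in mail store.
          [Data Source]
          DisplayName=On This Computer
          Enabled=false
          Parent=
          [Mail Account]
          BackendName=maildir
          IdentityUid=self
          ArchiveFolder=
          [Maildir Backend]
          FilterInbox=true
          Path=$HOME/.local/share/evolution/mail/local
          EOF
                ########################################################################
                cat <<EOF > ~/.config/evolution/sources/vfolder.source
          # Special built-in mail store.
          [Data Source]
          DisplayName=Search Folders
          Enabled=false
          Parent=
          [Mail Account]
          BackendName=vfolder
          IdentityUid=self
          ArchiveFolder=
          [Vfolder Backend]
          FilterInbox=true
          EOF
                ##################################################################
                mkdir --parents ~/.config/evolution/mail/
                cat <<EOF > ~/.config/evolution/mail/state.ini
          [GlobalFolder]
          GroupByThreads=false
          PreviewVisible=true
          [Store ews.$USER.$DOMAINNAME.3]
          Expanded=true
          [Search Bar]
          SearchScope=mail-scope-current-folder
          SearchOption=mail-search-subject-or-addresses-contain
          [Folder Tree]
          Selected=folder://ews.$USER.$DOMAINNAME.3/%d0%92%d1%85%d0%be%d0%b4%d1%8f%d1%89%d0%b8%d0%b5
          [Folder folder://ews.$USER.$DOMAINNAME.3/%d0%92%d1%85%d0%be%d0%b4%d1%8f%d1%89%d0%b8%d0%b5]
          GroupByThreads=false
          PreviewVisible=true
          Expanded=true
          EOF
              fi
            fi
          fi

    - name: Create skel autostart directory
      file:
        path: /etc/skel/.config/autostart/
        state: directory
        mode: "0755"

    # Exec= is not run through a shell, so the trailing "&" of the original
    # entry was passed to the script as an argument; it is dropped here.
    - name: Autostart the EWS autodiscovery script for new users
      copy:
        dest: /etc/skel/.config/autostart/ews_autodiscovery.desktop
        mode: "0644"
        content: |
          [Desktop Entry]
          Encoding=UTF-8
          Version=1.0
          Type=Application
          Name=Evolution Mail Client Preconfigure
          Comment=Evolution Mail Client Preconfigure
          Exec=/usr/bin/ews_autodiscovery.sh
          StartupNotify=false
          Terminal=false
          Hidden=false
          OnlyShowIn=GNOME;XFCE;LXDE;
          X-GNOME-Autostart-enabled=true

    - name: Create skel xfce4 directory
      file:
        path: /etc/skel/.config/xfce4/
        state: directory
        mode: "0755"

    - name: Ensure xfce4 helpers.rc exists
      file:
        path: /etc/skel/.config/xfce4/helpers.rc
        state: touch
        mode: "0644"

    - name: Make Evolution the default mail reader
      lineinfile:
        path: /etc/skel/.config/xfce4/helpers.rc
        state: present
        regexp: '^MailReader='
        line: 'MailReader=evolution'

    #### Disable ScreenSaver
    # NOTE(review): "auth_none" turns the local locker into a no-auth screen
    # blank. That is only acceptable because these desktops are reached
    # through Citrix sessions (locking is handled there); a directly used
    # workstation should keep an authenticating locker.
    - name: Disable Screen Saver
      blockinfile:
        path: /etc/skel/.Xdefaults
        create: true
        mode: "0644"
        marker: ""
        block: |
          xautolock.locker:z-securelock auth_none saver_z_screensaver
          xautolock.time:1000
          xsaver_xautolock:Случайно
          xtime_xautolock:0

  # Referenced by "Remove CentOS Base Repo"; Ansible aborts the play when a
  # notified handler does not exist, which the original playbook did not define.
  handlers:
    - name: yum-clean-metadata
      command: yum clean metadata
...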
Join AD Domain and Setup Citrix VDA Playbook
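---
# Stage 2: join the AD domain, register the Citrix VDA against the DDCs and
# reboot. Run after the first playbook (packages, krb5.conf/smb.conf and
# the VDA rpm are expected to be in place).
- hosts: nci_os_szud
  vars:
    hostname: szud-os2
    # Used by the /etc/hosts task; it was not defined in this play before,
    # so the templated line failed on an undefined variable.
    domain_name: sigma.sbrf.ru
    ad_join_user: ADDSIGMACA
    ddc_list: "v-szud-ctxdc-01.sigma.sbrf.ru v-szud-ctxdc-02.sigma.sbrf.ru"
  # The join password is asked for at run time instead of being written
  # into the playbook (the original inlined it in the net command).
  vars_prompt:
    - name: ad_join_password
      prompt: "Password of the AD join account"
      private: true
  tasks:
    # Short hostname only; the FQDN comes from /etc/hosts below.
    - name: Set hostname
      shell: |
        sysctl kernel.hostname="{{ hostname }}"
        sysctl -p
        hostnamectl set-hostname "{{ hostname }}"
        sed -i '/^127./D' /etc/hosts

    - name: Set loopback entry in /etc/hosts
      lineinfile:
        name: /etc/hosts
        regexp: '^127\.0\.0\.1'
        line: '127.0.0.1 {{ hostname }}.{{ domain_name }} {{ hostname }} localhost.localdomain localhost'

    # The original regexp '/^::1/D' is sed syntax and never matched.
    - name: Remove IPv6 loopback entry from /etc/hosts
      lineinfile:
        name: /etc/hosts
        regexp: '^::1'
        state: absent

    - name: restart NetworkManager service
      service:
        name: NetworkManager
        state: restarted

    # The password is handed to net(8) through the PASSWD environment
    # variable rather than "-U user%password", so it does not show up in
    # the process list or in the rendered command. no_log keeps it out of
    # Ansible output and logs.
    - name: Join AD domain
      shell: net ads join -U "{{ ad_join_user }}"
      environment:
        PASSWD: "{{ ad_join_password }}"
      no_log: true

    # NOTE(review): CTX_XDL_VDA_PORT=80 registers with the DDCs over plain
    # HTTP; confirm this matches the site's VDA/DDC transport policy.
    - name: Configure Citrix VDA
      shell: |
        /opt/Citrix/VDA/sbin/ctxcleanup.sh
        CTX_XDL_SUPPORT_DDC_AS_CNAME=N \
        CTX_XDL_DDC_LIST="{{ ddc_list }}" \
        CTX_XDL_VDA_PORT=80 \
        CTX_XDL_REGISTER_SERVICE=Y \
        CTX_XDL_ADD_FIREWALL_RULES=Y \
        CTX_XDL_AD_INTEGRATION=1 \
        CTX_XDL_HDX_3D_PRO=N \
        CTX_XDL_VDI_MODE=Y \
        CTX_XDL_SITE_NAME='<none>' \
        CTX_XDL_LDAP_LIST='<none>' \
        CTX_XDL_SEARCH_BASE='<none>' \
        CTX_XDL_START_SERVICE=Y \
        /opt/Citrix/VDA/sbin/ctxsetup.sh

    # Fire-and-forget so the play does not fail when SSH drops on reboot.
    - name: Reboot to finish domain join and VDA registration
      shell: sleep 10 && reboot
      async: 1
      poll: 0
...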
Discussion