Задача

Мне нужно создать playbook для Ansible, который будет настраивать систему на базе клона CentOS (ОС от НЦИ — http://www.os-rt.ru/).
А именно: устанавливать необходимые пакеты, настраивать систему для авторизации средствами AD, настраивать autodiscovery для почтового клиента evolution для работы с MS Exchange и производить мелкий тюнинг системы.

PlayBook

---
# Play 1: provision an NCI OS (CentOS 7 clone) workstation: DNS/IPv6/hostname,
# proxy CA trust anchors, packages, chrony, AD client (winbind + Kerberos),
# Citrix VDA prerequisites, Evolution EWS autodiscovery and desktop defaults.
- hosts: nci-os
  vars:
    hostname: szud-os1
    domain_name: sigma.sbrf.ru
    # Resolvers pushed to NetworkManager. Through domain_controllers below they
    # are also the chrony NTP sources, so they must be the AD domain controllers.
    dns_servers:
      - 10.21.7.212
      - 10.21.7.213
#      - 192.168.122.1
#      - 4.2.2.4
    domain_search: "{{ domain_name }} sberbank.ru"
    # File-name prefix for the certificates extracted from the proxy chain.
    ca_cert_prefix: SberBank_Root_CA
    domain_controllers: "{{ dns_servers }}"
  # Every task runs as root over SSH; there is no become/privilege separation.
  remote_user: root
  tasks:

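#### Setup Network Settings ####
  # Point the default connection at the AD DNS servers and search domains via
  # nmcli so NetworkManager does not overwrite resolv.conf later. set -e makes
  # a failed 'con mod' (e.g. connection not named after the interface) abort
  # instead of silently continuing with the old resolvers.
  - name: setting DNS
    shell: |
      set -e
      nmcli con mod {{ ansible_default_ipv4.interface }} ipv4.dns-search "{{ domain_search }}"
      nmcli con mod {{ ansible_default_ipv4.interface }} ipv4.dns "{{ dns_servers | join(' ') }}"
      nmcli con down {{ ansible_default_ipv4.interface }}
      nmcli con up {{ ansible_default_ipv4.interface }}

  # Disable IPv6 on every interface; persisted through /etc/sysctl.conf.
  - name: Disable IPv6
    sysctl:
      name: "net.ipv6.conf.{{ item }}.disable_ipv6"
      value: '1'
      sysctl_set: true
      state: present
      reload: true
    with_items:
    - all
    - default
    - lo
    - "{{ ansible_default_ipv4.interface }}"

  # Set the short hostname and drop all 127.* lines so the lineinfile below
  # is the only loopback entry. (The FQDN is not used for hostnamectl.)
  - name: Set hostname
    shell: |
      sysctl kernel.hostname="{{ hostname }}"
      sysctl -p
      hostnamectl set-hostname "{{ hostname }}"
      sed -i '/^127\./d' /etc/hosts
  - name: Map the FQDN and short name to loopback
    lineinfile:
      path: /etc/hosts
      regexp: '^127\.0\.0\.1'
      line: '127.0.0.1 {{ hostname }}.{{ domain_name }} {{ hostname }} localhost.localdomain localhost'
  # IPv6 is disabled above, so the ::1 entry goes too. The original used the
  # sed expression '/^::1/D' as the regexp, which never matches as a Python
  # regex, so ::1 was silently left in place.
  - name: Remove the IPv6 loopback entry
    lineinfile:
      path: /etc/hosts
      regexp: '^::1'
      state: absent
  - name: restart NetworkManager service
    service:
      name: NetworkManager
      state: restarted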

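#### Import IronPort Certificates ####
  # The outbound web proxy (IronPort) re-signs TLS, so its issuing CA has to
  # be a system trust anchor or every HTTPS client on the workstation fails.
  # The original task scraped the chain presented for ya.ru and anchored all
  # of it unverified (leaf included): whoever is on the path at provisioning
  # time gets a permanent root CA on every workstation. The chain is still
  # fetched the same way, but only certificates whose SHA-256 fingerprint is
  # listed in ca_cert_sha256 (space-separated, as printed by
  # 'openssl x509 -noout -fingerprint -sha256', colons optional) are
  # installed, and the task fails closed when the list is empty or nothing
  # matches. The extra copy of loose PEM files into /etc/ssl/certs is
  # dropped: on CentOS 7 that is a symlink to /etc/pki/tls/certs, whose
  # bundle 'update-ca-trust extract' regenerates anyway.
  - name: Import Certificates
    shell: |
      set -e
      PINNED="$(echo "{{ ca_cert_sha256 | default('') }}" | tr -d ':' | tr '[:lower:]' '[:upper:]')"
      if [ -z "$PINNED" ]; then
        echo "ca_cert_sha256 is not set: refusing to trust an unpinned CA chain" >&2
        exit 1
      fi
      update-ca-trust force-enable
      WORK="$(mktemp -d)"
      trap 'rm -rf "$WORK"' EXIT
      cd "$WORK"
      # No ping first: ICMP may be filtered while 443 is open; openssl's own
      # failure is reported instead. Chain verification is intentionally not
      # requested here -- the proxy CA is by definition not trusted yet; the
      # fingerprint comparison below is the check.
      if ! timeout 30 openssl s_client -showcerts -servername ya.ru -connect ya.ru:443 </dev/null > chain.pem 2>/dev/null; then
        echo "could not fetch a certificate chain from ya.ru:443" >&2
        exit 1
      fi
      # -k keeps the pieces when fewer than 10 certificates are found; the
      # non-zero exit code in that case is expected.
      csplit -s -k -f "{{ ca_cert_prefix }}" chain.pem '/END CERTIFICATE/+1' '{10}' || true
      INSTALLED=0
      for f in "{{ ca_cert_prefix }}"*; do
        # Trailing s_client output lands in a piece with no certificate.
        grep -q 'END CERTIFICATE' "$f" || continue
        FP="$(openssl x509 -in "$f" -noout -fingerprint -sha256 | sed 's/^.*=//; s/://g')"
        case " $PINNED " in
          *" $FP "*)
            cp "$f" /etc/pki/ca-trust/source/anchors/"$f".pem
            INSTALLED=$((INSTALLED + 1))
            ;;
          *)
            echo "skipping unpinned certificate $f ($FP)" >&2
            ;;
        esac
      done
      if [ "$INSTALLED" -eq 0 ]; then
        echo "no certificate in the chain matched ca_cert_sha256" >&2
        exit 1
      fi
      update-ca-trust extract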

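####  Setup Software ####
  - name: upgrade all packages
    yum:
      name: '*'
      state: latest

  # One yum transaction instead of one yum run per item.
  - name: install packages
    yum:
      state: present
      name:
        - nano
        - curl
        - openssl
        - nss-tools
        - chrony
        - authconfig
        - krb5-workstation
        - samba
        - samba-client
        - samba-winbind
        - samba-winbind-clients
        - pam_krb5
        - oddjob-mkhomedir
        - cyrus-sasl-gssapi
        - cyrus-sasl-ntlm
        - openldap-clients
        - cifs-utils
        - aspell
        - evolution
        - evolution-ews
        - desktop-file-utils
        - xorg-x11-server-Xvfb
        - "@Development tools"
        - glibc.i686
        - java-1.8.0-openjdk

  # NOTE(review): this pulls a vendor release RPM over plain HTTP. yum only
  # GPG-checks a package given by URL when localpkg_gpgcheck is enabled, so
  # verify the package (or host a checked copy on the internal repo) before
  # relying on it. Flash Player is end-of-life upstream; keep this only while
  # something on the VDI still needs it.
  - name: install Adobe release package
    yum:
      name: http://linuxdownload.adobe.com/adobe-release/adobe-release-x86_64-1.0-1.noarch.rpm
      state: present
  - name: install flash-plugin
    yum:
      name: flash-plugin
      state: present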

#### Setup Chrony NTP Client ####
  # Kerberos only tolerates a small clock skew (clockskew = 300 in the
  # krb5.conf written below), so time must come from the domain controllers
  # rather than the distribution pool.
  - name: Remove default pool/server entries from chrony.conf
    lineinfile:
      path: /etc/chrony.conf
      regexp: "{{ item }}"
      state: absent
    with_items:
      - '^pool.*'
      - '^server.*'
  - name: Add the domain controllers as NTP servers
    lineinfile:
      path: /etc/chrony.conf
      line: 'server {{ item }} iburst'
    with_items: "{{ domain_controllers }}"
  - name: Restart chronyd
    service:
      name: chronyd
      state: restarted
      
#### Setup Kerberos and Samba ####
  # Writes the Kerberos/winbind/PAM configuration only; the machine is not
  # joined here (the 'net ads join' is done in the second play on this page).
  # NOTE(review): forwardable = true in [appdefaults] makes the login ticket
  # forwardable, i.e. services can receive delegated credentials; keep it only
  # if EWS/Citrix actually need delegation.
  - name: run Authconfig
    shell: |
      DEFAULT_REALM="{{ domain_name | upper }}"
      # KDC list from the _ldap SRV record. 'host' is not in the package list
      # above (it comes from bind-utils on CentOS) -- confirm it is installed.
      DOMAIN_CONTROLLERS="$(host -t srv _ldap._tcp."{{ domain_name }}" | awk {'print $8'} | sed 's/.$//g')"
      NEW_DOMAINNAME="{{ domain_name }}"
      # Keep a timestamped copy; authconfig regenerates krb5.conf and it is
      # overwritten again below.
      mv /etc/krb5.conf /etc/krb5.conf_"$(date +"%d.%m.%y_%H-%M")"
      touch /etc/krb5.conf
      # --smbworkgroup is given the full realm here; the smb.conf written by
      # the next task replaces it with the first DNS label.
      authconfig --disablecache --disablesssd --disablesssdauth --enablewinbind --enablewinbindauth \
      --smbsecurity=ads --smbworkgroup=$DEFAULT_REALM --smbrealm=$DEFAULT_REALM --enablewinbindusedefaultdomain \
      --winbindtemplatehomedir=/home/%U --winbindtemplateshell=/bin/bash --enablekrb5 --krb5realm=$DEFAULT_REALM \
      --disablekrb5realmdns --enablekrb5kdcdns --enablelocauthorize --enablemkhomedir --enablepamaccess --updateall
      
      # Hand-written krb5.conf: KDCs from the SRV lookup, realm lookup via DNS
      # off, 300 s clock skew, per-uid file ccache in /tmp.
      LIBDEFAULTS="$(cat <<EOF
      [libdefaults]
      dns_lookup_kdc = true
      dns_lookup_realm = false
      default_realm = $DEFAULT_REALM
      clockskew = 300
      default_ccache_name = FILE:/tmp/krb5cc_%{uid}
      EOF
      )"

      REALMS_KDC="$(for kdc in $DOMAIN_CONTROLLERS; do echo "kdc = $kdc";done)"
      REALMS="$(cat <<EOF

      [realms]
      $DEFAULT_REALM = {
      $REALMS_KDC
      default_domain = $DEFAULT_REALM
      }
      EOF
      )"
      DOMAIN_REALM="$(cat <<EOF

      [domain_realm]
      .$NEW_DOMAINNAME = $DEFAULT_REALM
      $NEW_DOMAINNAME = $DEFAULT_REALM

      [appdefaults]
      pam = {
      ticket_lifetime = 1d
      renew_lifetime = 1d
      forwardable = true
      proxiable = false
      minimum_uid = 1
      }
      EOF
      )"
      echo "$LIBDEFAULTS" > /etc/krb5.conf
      echo "$REALMS" >> /etc/krb5.conf
      echo "$DOMAIN_REALM" >> /etc/krb5.conf

  # Replaces smb.conf wholesale (timestamped backup kept) with a winbind/ADS
  # client configuration: Kerberos via the machine keytab, NTLMv2 for the
  # non-Kerberos fallback, no offline logon cache, printing and browser
  # master roles off.
  # NOTE(review): 'map to guest = Bad User' and the usershare settings only
  # matter if smbd serves shares from this workstation; winbind logins do not
  # need them. 'idmap uid/gid' is the legacy spelling of
  # 'idmap config * : range' -- confirm the installed Samba still accepts it.
  # The template homedir here (/home/%D/%U) differs from the /home/%U given
  # to authconfig above; this file is written last, so it wins.
  - name: Setup Samba config
    shell: |
      mv /etc/samba/smb.conf /etc/samba/smb.conf.bak_"$(date +"%d.%m.%y_%H-%M")"
      SMBCONF="$(cat <<EOF
      [global]
        workgroup = {{ domain_name.split('.')[0] | upper }}
        passdb backend = tdbsam
        map to guest = Bad User
        include = /etc/samba/dhcp.conf
        usershare allow guests = No
        idmap gid = 10000-20000
        idmap uid = 10000-20000
        realm = {{ domain_name | upper }}
        security = ADS
        template homedir = /home/%D/%U
        template shell = /bin/bash
        usershare max shares = 100
        encrypt passwords = yes
        kerberos method = secrets and keytab
        winbind nested groups = yes
        winbind offline logon = no
        winbind refresh tickets = yes
        winbind use default domain = yes
        dns proxy = no
        domain master = no
        local master = no
        preferred master = no
        load printers = no
        show add printer wizard = no
        printcap name = /dev/null
        disable spoolss = yes
        client use spnego = yes
        client ntlmv2 auth = yes
      EOF
      )"
      echo "$SMBCONF" > /etc/samba/smb.conf
  # Have pam_winbind obtain a Kerberos TGT at login; the Evolution script
  # below relies on it (curl --negotiate, EWS Method=GSSAPI).
  - lineinfile:
      name: /etc/security/pam_winbind.conf
      regexp: '^.*krb5_auth'
      line: 'krb5_auth = yes'
      
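#### Install CitrixVDA ####
  # The VDA needs stock CentOS packages the NCI repositories do not carry, so a
  # CentOS mirror is enabled temporarily and removed again below. The original
  # used plain HTTP with gpgcheck off, i.e. anyone on the path could substitute
  # packages that are then installed as root; use HTTPS and the CentOS 7
  # signing key instead.
  # NOTE(review): the key is fetched from the same mirror -- compare its
  # fingerprint with the one published by CentOS before trusting it.
  - name: Add Base CentOS repository
    yum_repository:
      name: base_centos
      file: CentOS_Base
      description: Base CentOS repository
      baseurl: https://mirror.yandex.ru/centos/7.3.1611/os/x86_64/
      gpgcheck: true
      gpgkey: https://mirror.yandex.ru/centos/7.3.1611/os/x86_64/RPM-GPG-KEY-CentOS-7
  - name: Install PostgreSQL
    yum:
      state: present
      name:
        - postgresql-server
        - postgresql-jdbc
        - java-1.8.0-openjdk
        - open-vm-tools
  # initdb refuses to run on a populated data directory, so guard it with the
  # marker file of the default CentOS 7 data directory.
  - name: Initialise the PostgreSQL cluster
    command: postgresql-setup initdb
    args:
      creates: /var/lib/pgsql/data/PG_VERSION
  - name: Enable and start PostgreSQL
    service:
      name: postgresql
      state: started
      enabled: true

  # The VDA RPM comes from an internal web server over plain HTTP, and yum
  # does not GPG-verify a package given by URL, so the download is pinned to
  # a SHA-256 checksum that has to be supplied (vda_rpm_sha256). The play
  # stops if it is missing rather than installing an unverified binary.
  - name: Require a checksum for the VDA package
    assert:
      that:
        - vda_rpm_sha256 is defined
        - vda_rpm_sha256 | length == 64
      msg: "set vda_rpm_sha256 to the SHA-256 of the XenDesktopVDA RPM (e.g. -e vda_rpm_sha256=...)"
  - name: Download VDA package
    get_url:
      url: "{{ vda_rpm_url | default('http://10.38.246.21/XenDesktopVDA-7.14.0.400-1.el7_2.x86_64.rpm') }}"
      dest: /root/XenDesktopVDA.rpm
      checksum: "sha256:{{ vda_rpm_sha256 }}"
  - name: Install VDA
    yum:
      name: /root/XenDesktopVDA.rpm
      state: present
  - name: Remove CentOS Base Repo
    yum_repository:
      name: base_centos
      state: absent
  # The original notified a 'yum-clean-metadata' handler that is not defined
  # anywhere in this play, which recent Ansible reports as an error at the end
  # of the run; do the cleanup as a plain task instead.
  - name: Drop cached metadata of the removed repository
    command: yum clean metadata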

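  # Per-user first-login script (started from the /etc/skel autostart entry
  # below): looks the user's mail address up in AD, asks the Exchange
  # Autodiscover service for the EWS/OAB URLs and writes Evolution's EWS
  # account sources, authenticating with the user's Kerberos ticket.
  # Written with 'copy' rather than 'blockinfile': blockinfile prepends its
  # marker comment above the '#!/bin/bash' line unless marker is overridden,
  # so the original file did not start with the shebang. copy overwrites the
  # file, which also makes the separate 'remove old script' task unnecessary.
  - name: Setup Evolution autodiscovery script
    copy:
      dest: /usr/bin/ews_autodiscovery.sh
      mode: '0755'
      content: |
        #!/bin/bash
        # First-login configuration of Evolution for MS Exchange (EWS).
        # Needs a domain-joined host (winbind) and a Kerberos ticket for the
        # logged-in user (pam_winbind krb5_auth = yes).
        export GIO_USE_NETWORK_MONITOR=base
        DOMAINNAME=$(hostname -d)
        LOG=~/.ews_setup.log
        SRC_DIR=~/.config/evolution/sources
        ##################################################
        ### Nothing to do if the EWS source already exists
        ##################################################
        if [ -f "$SRC_DIR/ews.$USER.$DOMAINNAME.1.source" ]; then
          exit 0
        fi
        # Fresh log per run (the original truncated it only after the
        # NETLOGON test, losing that line).
        : > "$LOG"
        ##########################################
        ## Check if connected to AD
        ##########################################
        if ! wbinfo -P; then
          echo "NETLOGON test failed" >> "$LOG"
          exit 1
        fi
        echo "NETLOGON test OK" >> "$LOG"
        CURRENT_DC=$(wbinfo -P | awk '{print $9}' | awk -F "\"" '{print $2}')
        FULL_NAME=$(wbinfo -i "$USER" | awk -F ":" '{print $5}')
        BASEDN=$(echo "$CURRENT_DC" | sed s/"\."/,dc=/g | sed -r 's!^[^dc=]+!!')
        # SASL (GSSAPI) bind with the login ticket: no -x, no password.
        MAIL=$(ldapsearch -h "$CURRENT_DC" -b "$BASEDN" "sAMAccountName=$USER" | grep mail: | awk '{print $2 }')
        if [ -z "$MAIL" ]; then
          echo "no mail attribute found for $USER in AD... Exit..." >> "$LOG"
          exit 1
        fi
        ###############################################################################################
        ### MS Exchange autodiscovery
        #### https://github.com/sys4/automx/blob/master/src/automx-test
        #### http://stackoverflow.com/questions/38509837/when-using-negotiate-with-curl-is-a-keytab-file-required
        #### Joined AD with samba/winbind and have package gss-ntlmssp
        #### libsasl2-modules-gssapi-mit
        ###############################################################################################
        AUTOD_URL="https://autodiscover.${MAIL##*@}/autodiscover/autodiscover.xml"
        REQUEST=$(cat <<EOF
        <Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">
        <Request>
        <EMailAddress>$MAIL</EMailAddress>
        <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>
        </Request>
        </Autodiscover>
        EOF
        )
        # TLS is verified against the system trust store (the provisioning
        # play installs the corporate CA there). The original passed -k and
        # built the command line through 'bash -c', so anyone on the path
        # could return their own EwsUrl/OABUrl and a quote in $MAIL could
        # break the command. The reply goes to a private temp file.
        AUTOD_XML=$(mktemp)
        curl -s --fail --negotiate -u : --header 'Content-Type: text/xml' --data "$REQUEST" "$AUTOD_URL" > "$AUTOD_XML"
        OABUrl=$(grep -m 1 OABUrl "$AUTOD_XML" | awk -F '[<>]' '{ print $3 }')oab.xml
        EwsUrl=$(grep -m 1 EwsUrl "$AUTOD_XML" | awk -F '[<>]' '{ print $3 }')
        EwsHost=$(echo "$EwsUrl" | awk -F '/' '{ print $3 }')
        rm -f "$AUTOD_XML"
        {
          echo CURRENT_DC - $CURRENT_DC
          echo FULL_NAME - $FULL_NAME
          echo BASEDN - $BASEDN
          echo MAIL - $MAIL
          echo DOMAINNAME - $DOMAINNAME
          echo OABUrl - $OABUrl
          echo EwsUrl - $EwsUrl
          echo EwsHost - $EwsHost
        } >> "$LOG"
        ################################################################
        ### Check URLs format
        ################################################################
        echo "$OABUrl" | grep -qE '(https|http)://(([[:alnum:]]|-|_|\.|~|!|\*|;|:|@|&|=|+|\$|,|/|\?|%|#|\[|\]])*/(oab|OAB)([[:alnum:]]|-|_|\.|~|!|\*|;|:|@|&|=|+|\$|,|/|\?|%|#|\[|\]])*/oab.xml)'
        OAB_URL_Check=$?
        echo "$EwsUrl" | grep -qE '(https|http)://(([[:alnum:]]|-|_|\.|~|!|\*|;|:|@|&|=|+|\$|,|/|\?|%|#|\[|\]])*/(ews|EWS)([[:alnum:]]|-|_|\.|~|!|\*|;|:|@|&|=|+|\$|,|/|\?|%|#|\[|\]])*/exchange.asmx)'
        EWS_URL_Check=$?
        if [ "$OAB_URL_Check" != 0 ] || [ "$EWS_URL_Check" != 0 ]; then
          echo "OAB and EWS URLs check failed... Exit..." >> "$LOG"
          exit 1
        fi
        echo "OAB and EWS URLs check OK" >> "$LOG"
        ######################################################################
        ### CleaningUp and creating evolution source files
        ######################################################################
        # NOTE: this discards any Evolution accounts the user already has; it
        # only runs while no EWS source exists for this user (check at top).
        killall evolution-source-registry
        rm -Rf "$SRC_DIR"
        mkdir --parents "$SRC_DIR"
        #####################################################################################
        cat <<EOF > "$SRC_DIR/ews.$USER.$DOMAINNAME.1.source"
        [Data Source]
        DisplayName=$MAIL
        Enabled=true
        Parent=

        [Offline]
        StaySynchronized=true

        [Authentication]
        Host=$EwsHost
        #Method=none
        Method=GSSAPI
        Port=443
        ProxyUid=system-proxy
        RememberPassword=true
        User=$USER
        CredentialName=

        [Collection]
        BackendName=ews
        CalendarEnabled=true
        ContactsEnabled=true
        Identity=$USER
        MailEnabled=true

        [Security]
        Method=none

        [Ews Backend]
        FilterInbox=true
        StoreChangesInterval=3
        CheckAll=true
        ListenNotifications=true
        Email=$MAIL
        FilterJunk=true
        FilterJunkInbox=false
        FoldersInitialized=true
        GalUid=ews.$USER.$DOMAINNAME
        Hosturl=$EwsUrl
        Oaburl=$OABUrl
        OabOffline=true
        OalSelected=
        Timeout=300
        UseImpersonation=false
        ImpersonateUser=
        EOF

        ######################################################################
        cat <<EOF > "$SRC_DIR/ews.$USER.$DOMAINNAME.0.source"
        [Data Source]
        DisplayName=$MAIL
        Enabled=true
        Parent=ews.$USER.$DOMAINNAME.1

        [Mail Composition]
        Bcc=
        Cc=
        DraftsFolder=folder://ews.$USER.$DOMAINNAME/%d0%a7%d0%b5%d1%80%d0%bd%d0%be%d0%b2%d0%b8%d0%ba%d0%b8
        SignImip=true
        TemplatesFolder=folder://local/Templates

        [Mail Identity]
        Address=$MAIL
        Name=$FULL_NAME
        Organization=
        ReplyTo=
        SignatureUid=none

        [Mail Submission]
        SentFolder=folder://ews.$USER.$DOMAINNAME/%d0%9e%d1%82%d0%bf%d1%80%d0%b0%d0%b2%d0%bb%d0%b5%d0%bd%d0%bd%d1%8b%d0%b5
        TransportUid=ews.$USER.$DOMAINNAME.13
        RepliesToOriginFolder=false
        EOF

        ######################################################################
        cat <<EOF > "$SRC_DIR/ews.$USER.$DOMAINNAME.3.source"
        [Data Source]
        DisplayName=$MAIL
        Enabled=true
        Parent=ews.$USER.$DOMAINNAME.1

        [Refresh]
        Enabled=true
        IntervalMinutes=3

        [Mail Account]
        BackendName=ews
        IdentityUid=ews.$USER.$DOMAINNAME
        ArchiveFolder=
        EOF

        ###############################################################################
        cat <<EOF > "$SRC_DIR/ews.$USER.$DOMAINNAME.13.source"
        [Data Source]
        DisplayName=$MAIL
        Enabled=true
        Parent=ews.$USER.$DOMAINNAME.1

        [Mail Transport]
        BackendName=ews
        EOF

        ################################################################################
        cat <<EOF > "$SRC_DIR/local.source"
        # Special built-in mail store.
        [Data Source]
        DisplayName=On This Computer
        Enabled=false
        Parent=

        [Mail Account]
        BackendName=maildir
        IdentityUid=self
        ArchiveFolder=

        [Maildir Backend]
        FilterInbox=true
        Path=$HOME/.local/share/evolution/mail/local
        EOF

        ########################################################################
        cat <<EOF > "$SRC_DIR/vfolder.source"
        # Special built-in mail store.

        [Data Source]
        DisplayName=Search Folders
        Enabled=false
        Parent=

        [Mail Account]
        BackendName=vfolder
        IdentityUid=self
        ArchiveFolder=

        [Vfolder Backend]
        FilterInbox=true
        EOF

        ##################################################################
        mkdir --parents ~/.config/evolution/mail/
        cat <<EOF > ~/.config/evolution/mail/state.ini
        [GlobalFolder]
        GroupByThreads=false
        PreviewVisible=true

        [Store ews.$USER.$DOMAINNAME.3]
        Expanded=true

        [Search Bar]
        SearchScope=mail-scope-current-folder
        SearchOption=mail-search-subject-or-addresses-contain

        [Folder Tree]
        Selected=folder://ews.$USER.$DOMAINNAME.3/%d0%92%d1%85%d0%be%d0%b4%d1%8f%d1%89%d0%b8%d0%b5

        [Folder folder://ews.$USER.$DOMAINNAME.3/%d0%92%d1%85%d0%be%d0%b4%d1%8f%d1%89%d0%b8%d0%b5]
        GroupByThreads=false
        PreviewVisible=true
        Expanded=true
        EOF
        exit 0
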
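  - name: Create the autostart directory for new users
    file:
      path: /etc/skel/.config/autostart/
      state: directory
      mode: '0755'
  # Run the script above once per desktop session. The original Exec line
  # ended in ' &', which a .desktop launcher does not pass through a shell
  # and simply hands to the script as a stray argument. 'copy' replaces the
  # remove-then-blockinfile pair and is idempotent.
  - name: Autostart the Evolution preconfiguration script
    copy:
      dest: /etc/skel/.config/autostart/ews_autodiscovery.desktop
      mode: '0644'
      content: |
        [Desktop Entry]
        Encoding=UTF-8
        Version=1.0
        Type=Application
        Name=Evolution Mail Client Preconfigure
        Comment=Evolution Mail Client Preconfigure
        Exec=/usr/bin/ews_autodiscovery.sh
        StartupNotify=false
        Terminal=false
        Hidden=false
        OnlyShowIn=GNOME;XFCE;LXDE;
        X-GNOME-Autostart-enabled=true
  - name: Create the XFCE config directory for new users
    file:
      path: /etc/skel/.config/xfce4/
      state: directory
      mode: '0755'
  # lineinfile creates the file itself, so the separate 'touch' task (which
  # changed the mtime on every run) is not needed.
  - name: Make Evolution the default XFCE mail reader
    lineinfile:
      path: /etc/skel/.config/xfce4/helpers.rc
      create: true
      mode: '0644'
      regexp: '^MailReader='
      line: 'MailReader=evolution'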

#### Disable ScreenSaver
  # Seeds every new user's ~/.Xdefaults with xautolock settings.
  # NOTE(review): the locker is invoked with an 'auth_none' argument, which by
  # its name suggests the session is never really locked, and xautolock is
  # not in the package list above. Confirm that a no-lock default for every
  # user is intended for the VDI use case before shipping it.
  - name: Disable Screen Saver
    blockinfile:
      path: /etc/skel/.Xdefaults
      create: yes
      mode: 0644
      marker: ""
      block: |
        xautolock.locker:z-securelock auth_none saver_z_screensaver
        xautolock.time:1000
        xsaver_xautolock:Случайно
        xtime_xautolock:0
...

Join AD Domain Setup Citrix VDA Playbook

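---
# Play 2: run on a provisioned host to rename it, join it to AD, register the
# Citrix VDA with the DDCs and reboot.
- hosts: nci_os_szud
  vars:
    hostname: szud-os2
    # The original play did not define domain_name although the /etc/hosts
    # task below uses it; the value matches play 1 and the DDC names.
    domain_name: sigma.sbrf.ru
    ad_join_user: ADDSIGMACA
    # ad_join_password is deliberately not set here: supply it from Ansible
    # Vault or --extra-vars. The original passed it as 'user%PASSWORD' on the
    # net command line, where it shows up in ps, shell history and the
    # Ansible log.
  tasks:
  - name: Refuse to run without the AD join password
    assert:
      that: ad_join_password is defined
      msg: "ad_join_password is not set (use Ansible Vault or -e)"

  - name: Set hostname
    shell: |
      sysctl kernel.hostname="{{ hostname }}"
      sysctl -p
      hostnamectl set-hostname "{{ hostname }}"
      sed -i '/^127\./d' /etc/hosts
  - name: Map the FQDN and short name to loopback
    lineinfile:
      path: /etc/hosts
      regexp: '^127\.0\.0\.1'
      line: '127.0.0.1 {{ hostname }}.{{ domain_name }} {{ hostname }} localhost.localdomain localhost'
  # The original used the sed expression '/^::1/D' as the regexp, which
  # never matches, so the ::1 line was never removed.
  - name: Remove the IPv6 loopback entry
    lineinfile:
      path: /etc/hosts
      regexp: '^::1'
      state: absent
  - name: restart NetworkManager service
    service:
      name: NetworkManager
      state: restarted

  # Samba's common credential options read the password from the PASSWD
  # environment variable (see the net/smbclient manual), which keeps it off
  # the command line; no_log keeps it out of the Ansible output as well.
  - name: Join the AD domain
    command: net ads join -U "{{ ad_join_user }}"
    environment:
      PASSWD: "{{ ad_join_password }}"
    no_log: true

  - name: Configure and register the Citrix VDA
    shell: |
      /opt/Citrix/VDA/sbin/ctxcleanup.sh
      CTX_XDL_SUPPORT_DDC_AS_CNAME=N \
      CTX_XDL_DDC_LIST="v-szud-ctxdc-01.sigma.sbrf.ru v-szud-ctxdc-02.sigma.sbrf.ru" \
      CTX_XDL_VDA_PORT=80 \
      CTX_XDL_REGISTER_SERVICE=Y \
      CTX_XDL_ADD_FIREWALL_RULES=Y \
      CTX_XDL_AD_INTEGRATION=1 \
      CTX_XDL_HDX_3D_PRO=N \
      CTX_XDL_VDI_MODE=Y \
      CTX_XDL_SITE_NAME='<none>' \
      CTX_XDL_LDAP_LIST='<none>' \
      CTX_XDL_SEARCH_BASE='<none>' \
      CTX_XDL_START_SERVICE=Y \
      /opt/Citrix/VDA/sbin/ctxsetup.sh

  # A plain 'reboot' inside the previous shell task drops the SSH session
  # and fails the task; detach it so the play finishes cleanly.
  - name: Reboot
    shell: sleep 10 && reboot
    async: 1
    poll: 0
...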