Задача
Мне нужно создать playbook для ansible, который будет настраивать систему на базе клона CentOS (ОСь от НЦИ - http://www.os-rt.ru/ ).
А именно: устанавливать необходимые пакеты, настраивать систему для авторизации средствами AD, настраивать autodiscovery для почтового клиента evolution для работы с MS Exchange и производить мелкий тюнинг системы.
PlayBook
---
- hosts: nci-os
  # The play connects straight as root (no become); every task below mutates
  # system state, so try it on a disposable host first.
  remote_user: root
  vars:
    hostname: szud-os1
    domain_name: sigma.sbrf.ru
    # Corporate resolvers. They must answer the AD SRV records
    # (_ldap._tcp.<domain>) that the Kerberos task looks up.
    dns_servers:
      - 10.21.7.212
      - 10.21.7.213
      # - 192.168.122.1
      # - 4.2.2.4
    domain_search: "{{ domain_name }} sberbank.ru"
    # File-name prefix used for the CA certificates written by the import task.
    ca_cert_prefix: SberBank_Root_CA
    # Assumes the resolvers are the domain controllers; they are used as the
    # NTP sources chrony syncs from (Kerberos tolerates 300 s of skew).
    domain_controllers: "{{ dns_servers }}"
  tasks:
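#### Setup Network Settings ####
- name: Point NetworkManager at the corporate resolvers
  # Assumes the NetworkManager connection profile carries the same name as the
  # interface; when it does not, nmcli fails and `set -e` now makes the task
  # fail instead of silently leaving the DHCP-supplied resolvers in place.
  # Bouncing the default interface briefly interrupts the SSH session Ansible
  # is using; both commands run from one shell so the interface comes back
  # even if the session is dropped.
  shell: |
    set -e
    conn="{{ ansible_default_ipv4.interface }}"
    nmcli con mod "$conn" ipv4.dns-search "{{ domain_search }}"
    nmcli con mod "$conn" ipv4.dns "{{ dns_servers | join(' ') }}"
    nmcli con down "$conn"
    nmcli con up "$conn"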
- name: Disable IPv6
  # Persisted through sysctl.d and applied immediately for the catch-all
  # keys (all/default), loopback and the default interface.
  sysctl:
    name: "net.ipv6.conf.{{ item }}.disable_ipv6"
    value: "1"
    sysctl_set: true
    state: present
    reload: true
  with_items:
    - all
    - default
    - lo
    - "{{ ansible_default_ipv4.interface }}"
- name: Set hostname
  # Only the short name is set; the FQDN comes from the 127.0.0.1 entry that
  # the next task writes (every existing 127.* line is dropped here first).
  # `sysctl -p` merely re-applies /etc/sysctl.conf and is kept for parity.
  shell: |
    sysctl kernel.hostname="{{ hostname }}"
    sysctl -p
    hostnamectl set-hostname "{{ hostname }}"
    sed -i '/^127./D' /etc/hosts
- name: Map the loopback address to the FQDN and short hostname
  lineinfile:
    path: /etc/hosts
    regexp: '^127\.0\.0\.1'
    line: "127.0.0.1 {{ hostname }}.{{ domain_name }} {{ hostname }} localhost.localdomain localhost"
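- name: Remove the IPv6 loopback entry from /etc/hosts
  # The previous pattern '/^::1/D' was a sed command, not a regex: the
  # literal '/' in front of '^' can never match, so the ::1 line was
  # silently left in place even though IPv6 is disabled above.
  lineinfile:
    path: /etc/hosts
    regexp: '^::1'
    state: absent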
- name: restart NetworkManager service
  service:
    name: NetworkManager
    state: restarted
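#### Import IronPort Certificates ####
- name: Import the TLS-inspection proxy CA chain into the system trust store
  # SECURITY NOTE: this is trust-on-first-use. Whatever chain the interception
  # proxy presents for ya.ru is anchored system-wide, so it is only safe on a
  # network where that proxy is the one you expect. Prefer shipping the known
  # CA file with `copy:` and checking its fingerprint; until then, compare the
  # fingerprints this task prints against the published ones.
  # Compared with the earlier version: only certificates with CA:TRUE are
  # anchored (the server's leaf certificate used to be installed as a CA as
  # well), the work happens in a temp dir instead of the cwd, `sudo` is
  # dropped (the play already runs as root) and csplit uses '{*}' so a chain
  # shorter than ten certificates no longer ends in an error.
  shell: |
    set -e
    update-ca-trust force-enable
    workdir="$(mktemp -d)"
    cd "$workdir"
    echo "Trying to reach ya.ru..."
    if ! ping -c 5 ya.ru > /dev/null 2>&1; then
      echo "ya.ru is unreachable; cannot fetch the proxy certificate chain" >&2
      exit 1
    fi
    openssl s_client -showcerts -servername ya.ru -connect ya.ru:443 </dev/null > chain.pem
    csplit -k -s -f "{{ ca_cert_prefix }}" ./chain.pem '/END CERTIFICATE/+1' '{*}'
    for cert in "{{ ca_cert_prefix }}"*; do
      # the last csplit piece is s_client trailer output without a certificate
      if ! grep -q 'END CERTIFICATE' "$cert"; then
        rm -f "$cert"
        continue
      fi
      # anchor CA certificates only, never the server's own certificate
      if ! openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE'; then
        rm -f "$cert"
        continue
      fi
      openssl x509 -in "$cert" -noout -subject -fingerprint -sha256
      mv "$cert" /etc/pki/ca-trust/source/anchors/"$cert".pem
      cp /etc/pki/ca-trust/source/anchors/"$cert".pem /etc/ssl/certs/
    done
    update-ca-trust extract
    cd / && rm -rf "$workdir"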
#### Setup Software ####
- name: upgrade all packages
  # Upgrades to whatever the repositories serve at run time, so two builds of
  # this image can differ; pin versions or snapshot the repos if reproducible
  # builds matter.
  yum:
    name: "*"
    state: latest
- name: install packages
  # SECURITY NOTE: the adobe-release entry is an RPM pulled over plain HTTP.
  # yum does not signature-check packages given by URL or file path by
  # default (localpkg_gpgcheck=0), so that package is installed unverified;
  # mirror it into an internal signed repository or pin a checksum with
  # get_url first. Flash Player itself has reached end of life.
  yum:
    state: present
    name:
      - nano
      - curl
      - openssl
      - nss-tools
      - chrony
      - authconfig
      - krb5-workstation
      - samba
      - samba-client
      - samba-winbind
      - samba-winbind-clients
      - pam_krb5
      - oddjob-mkhomedir
      - cyrus-sasl-gssapi
      - cyrus-sasl-ntlm
      - openldap-clients
      - cifs-utils
      - aspell
      - evolution
      - evolution-ews
      - desktop-file-utils
      - xorg-x11-server-Xvfb
      - "@Development tools"
      - glibc.i686
      - http://linuxdownload.adobe.com/adobe-release/adobe-release-x86_64-1.0-1.noarch.rpm
      - java-1.8.0-openjdk
- name: install flash-plugin
  # Served by the adobe-release repository installed just above. Flash Player
  # is end-of-life, so expect this package to vanish from the repository.
  yum:
    name: flash-plugin
    state: present
#### Setup Chrony NTP Client ####
# Kerberos only tolerates `clockskew` (300 s) of drift, so time is taken from
# the domain controllers instead of public pools.
- name: Drop the default pool/server entries from chrony.conf
  lineinfile:
    path: /etc/chrony.conf
    regexp: "{{ item.regexp }}"
    state: absent
  with_items:
    - { regexp: '^pool.*' }
    - { regexp: '^server.*' }
- name: Add the domain controllers as time sources
  lineinfile:
    path: /etc/chrony.conf
    line: "server {{ item }} iburst"
  with_items: "{{ domain_controllers }}"
- name: Restart chronyd to pick up the new sources
  service:
    name: chronyd
    state: restarted
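#### Setup Kerberos and Samba ####
- name: Run authconfig for winbind/Kerberos and write /etc/krb5.conf
  # host(1) (bind-utils) is needed to resolve the _ldap._tcp SRV record, but
  # it is not in the package list above; the script now checks for it instead
  # of silently writing a realm block without kdc entries. The KDC list is
  # frozen at build time; dns_lookup_kdc = true keeps things working if the
  # DCs change later.
  # SECURITY NOTE: `forwardable = true` hands out forwardable TGTs (any
  # service the user authenticates to can obtain a copy of the TGT) and
  # `minimum_uid = 1` lets every non-root account authenticate against the
  # realm. Both are kept as found — review them against site policy.
  shell: |
    set -e
    if ! command -v host > /dev/null 2>&1; then
      echo "host(1) from bind-utils is required to look up the domain controllers" >&2
      exit 1
    fi
    DEFAULT_REALM="{{ domain_name | upper }}"
    NEW_DOMAINNAME="{{ domain_name }}"
    # answer format: "<name> has SRV record <prio> <weight> <port> <target>." -> field 8, trailing dot removed
    DOMAIN_CONTROLLERS="$(host -t srv _ldap._tcp."$NEW_DOMAINNAME" | awk '{print $8}' | sed 's/\.$//')"
    if [ -f /etc/krb5.conf ]; then
      mv /etc/krb5.conf /etc/krb5.conf_"$(date +"%d.%m.%y_%H-%M")"
    fi
    touch /etc/krb5.conf
    authconfig --disablecache --disablesssd --disablesssdauth --enablewinbind --enablewinbindauth \
    --smbsecurity=ads --smbworkgroup=$DEFAULT_REALM --smbrealm=$DEFAULT_REALM --enablewinbindusedefaultdomain \
    --winbindtemplatehomedir=/home/%U --winbindtemplateshell=/bin/bash --enablekrb5 --krb5realm=$DEFAULT_REALM \
    --disablekrb5realmdns --enablekrb5kdcdns --enablelocauthorize --enablemkhomedir --enablepamaccess --updateall
    REALMS_KDC="$(for kdc in $DOMAIN_CONTROLLERS; do echo "kdc = $kdc"; done)"
    # authconfig has just written its own krb5.conf; replace it with ours in one go
    cat > /etc/krb5.conf <<EOF
    [libdefaults]
    dns_lookup_kdc = true
    dns_lookup_realm = false
    default_realm = $DEFAULT_REALM
    clockskew = 300
    default_ccache_name = FILE:/tmp/krb5cc_%{uid}
    [realms]
    $DEFAULT_REALM = {
    $REALMS_KDC
    default_domain = $DEFAULT_REALM
    }
    [domain_realm]
    .$NEW_DOMAINNAME = $DEFAULT_REALM
    $NEW_DOMAINNAME = $DEFAULT_REALM
    [appdefaults]
    pam = {
    ticket_lifetime = 1d
    renew_lifetime = 1d
    forwardable = true
    proxiable = false
    minimum_uid = 1
    }
    EOF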
- name: Setup Samba config
  # Replaces smb.conf with a fresh ADS-member configuration; the previous
  # file is kept as a dated .bak. Worth a second look: `map to guest = Bad User`
  # turns unknown user names into guest sessions, and `idmap uid/gid` is the
  # deprecated spelling of `idmap config * : range`.
  shell: |
    mv /etc/samba/smb.conf /etc/samba/smb.conf.bak_"$(date +"%d.%m.%y_%H-%M")"
    cat > /etc/samba/smb.conf <<'SMBEOF'
    [global]
    workgroup = {{ domain_name.split('.')[0] | upper }}
    passdb backend = tdbsam
    map to guest = Bad User
    include = /etc/samba/dhcp.conf
    usershare allow guests = No
    idmap gid = 10000-20000
    idmap uid = 10000-20000
    realm = {{ domain_name | upper }}
    security = ADS
    template homedir = /home/%D/%U
    template shell = /bin/bash
    usershare max shares = 100
    encrypt passwords = yes
    kerberos method = secrets and keytab
    winbind nested groups = yes
    winbind offline logon = no
    winbind refresh tickets = yes
    winbind use default domain = yes
    dns proxy = no
    domain master = no
    local master = no
    preferred master = no
    load printers = no
    show add printer wizard = no
    printcap name = /dev/null
    disable spoolss = yes
    client use spnego = yes
    client ntlmv2 auth = yes
    SMBEOF
- name: Let pam_winbind obtain a Kerberos ticket at login
  # Replaces the (usually commented-out) krb5_auth line so users get a TGT
  # when they log in; the EWS autodiscovery script presumably relies on it
  # (curl --negotiate, ldapsearch over GSSAPI).
  lineinfile:
    path: /etc/security/pam_winbind.conf
    regexp: '^.*krb5_auth'
    line: 'krb5_auth = yes'
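#### Install CitrixVDA ####
- name: Add a temporary CentOS base repository (VDA dependencies)
  # gpgcheck was switched off, so anything served by this plain-HTTP mirror
  # would have been installed unverified. The CentOS 7 signing key is published
  # in the same mirror tree; fetching it over HTTP is still trust-on-first-use,
  # so if the host ships the CentOS key locally prefer
  # file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 as gpgkey.
  yum_repository:
    name: base_centos
    file: CentOS_Base
    description: Base CentOS repository
    # baseurl: http://mirrorlist.centos.org/?release=7&arch=x86_64&repo=os&infra=stock
    # baseurl: http://ftp.nsc.ru/pub/centos/7/os/x86_64/
    baseurl: http://mirror.yandex.ru/centos/7.3.1611/os/x86_64/
    gpgcheck: true
    gpgkey: http://mirror.yandex.ru/centos/7.3.1611/os/x86_64/RPM-GPG-KEY-CentOS-7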
- name: Install PostgreSQL
  # PostgreSQL and Java are prerequisites of the Citrix VDA installed below;
  # open-vm-tools is for the VMware guest.
  yum:
    state: present
    name:
      - postgresql-server
      - postgresql-jdbc
      - java-1.8.0-openjdk
      - open-vm-tools
- name: Initialise PostgreSQL and enable the service
  # Only the exit status of the last command (systemctl enable) is checked,
  # so a failed initdb — e.g. on a rerun over an existing data directory —
  # is logged but does not fail the task.
  shell: |
    postgresql-setup initdb
    systemctl start postgresql
    systemctl enable postgresql
- name: Install VDA
  # SECURITY NOTE: an RPM fetched over plain HTTP from a bare IP address. yum
  # does not signature-check URL-installed packages by default, so anyone on
  # the network path can substitute the package. Serve it from an internal
  # repository with gpgcheck enabled, or fetch it with get_url and a pinned
  # sha256 checksum before installing.
  # yum: name=http://szud-linux-repo.sigma.sbrf.ru/XenDesktopVDA-7.13.0.382-1.el7_2.x86_64.rpm
  # yum: name=http://10.38.246.21/XenDesktopVDA-7.13.0.382-1.el7_2.x86_64.rpm
  yum:
    state: present
    name: http://10.38.246.21/XenDesktopVDA-7.14.0.400-1.el7_2.x86_64.rpm
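- name: Remove the temporary CentOS base repository
  yum_repository:
    name: base_centos
    state: absent
- name: Drop cached metadata of the removed repository
  # The earlier version notified a "yum-clean-metadata" handler, but this play
  # declares no handlers section, so Ansible aborted with "handler not found".
  command: yum clean metadata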
- name: Setup Evolution
  # Drop any previous copy of the autodiscovery script before it is rewritten.
  file:
    path: /usr/bin/ews_autodiscovery.sh
    state: absent
  ignore_errors: true
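- name: Install the Evolution/EWS autodiscovery script
  # Written with `copy` instead of `blockinfile`: blockinfile's default
  # marker became line 1 of the file and pushed the shebang off the first
  # line. Script changes: the base DN is derived correctly (the old sed
  # expression matched a character class, not "dc=", and broke for any DC
  # name containing d, c or =), curl no longer runs with -k nor through
  # `bash -c` with the request interpolated into the command line, a missing
  # mail attribute is reported instead of querying "autodiscover.", and the
  # log file is recreated once per run instead of being truncated midway.
  copy:
    dest: /usr/bin/ews_autodiscovery.sh
    mode: "0755"
    content: |
      #!/bin/bash
      # Pre-configures Evolution for MS Exchange (EWS) on an AD user's first
      # desktop login: looks the mail address up in AD, asks the Exchange
      # Autodiscover service for the EWS/OAB URLs and writes Evolution's
      # source files. Launched by the autostart entry shipped in /etc/skel.
      # Progress and discovered values go to ~/.ews_setup.log.
      export GIO_USE_NETWORK_MONITOR=base
      DOMAINNAME=$(hostname -d)
      LOG=~/.ews_setup.log
      ##################################################
      ### Nothing to do if the EWS source file already exists
      ##################################################
      if [ -f ~/.config/evolution/sources/ews.$USER.$DOMAINNAME.1.source ]; then
        echo
        exit 0
      fi
      : > "$LOG"
      ##########################################
      ## Check if connected to AD
      ##########################################
      if ! wbinfo -P; then
        echo "NETLOGON test failed" >> "$LOG"
        exit 0
      fi
      echo "NETLOGON test OK" >> "$LOG"
      # wbinfo -P prints the DC name in double quotes as the 9th word; this
      # parsing depends on that exact output format.
      CURRENT_DC=$(wbinfo -P | awk '{print $9}' | awk -F '"' '{print $2}')
      FULL_NAME=$(wbinfo -i "$USER" | awk -F ':' '{print $5}')
      # base DN from the DC's DNS domain: dc1.sigma.example -> dc=sigma,dc=example
      BASEDN="dc=$(echo "$CURRENT_DC" | cut -d. -f2- | sed 's/\./,dc=/g')"
      # no -x: openldap's default SASL (GSSAPI) bind with the login ticket
      MAIL=$(ldapsearch -LLL -H "ldap://$CURRENT_DC" -b "$BASEDN" "sAMAccountName=$USER" mail | grep '^mail:' | awk '{print $2}')
      if [ -z "$MAIL" ]; then
        echo "No mail attribute found for $USER in AD... Exit..." >> "$LOG"
        exit 0
      fi
      ###############################################################################################
      ### MS Exchange autodiscovery
      #### https://github.com/sys4/automx/blob/master/src/automx-test
      #### http://stackoverflow.com/questions/38509837/when-using-negotiate-with-curl-is-a-keytab-file-required
      #### Joined AD with samba/winbind and have package gss-ntlmssp
      #### libsasl2-modules-gssapi-mit
      ###############################################################################################
      AUTOD_URL="https://autodiscover.${MAIL#*@}/autodiscover/autodiscover.xml"
      REQUEST=$(cat <<EOF
      <Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">
      <Request>
      <EMailAddress>$MAIL</EMailAddress>
      <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>
      </Request>
      </Autodiscover>
      EOF
      )
      # The response decides which hosts Evolution will later send Kerberos
      # credentials to, so TLS verification stays ON (no -k). If the
      # Autodiscover endpoint's chain is not in the system trust store, add
      # that CA under /etc/pki/ca-trust/source/anchors rather than disabling
      # verification. --negotiate -u : authenticates with the login ticket.
      RESPONSE=$(mktemp ~/.autodiscover.XXXXXX)
      curl -s --negotiate -u : --data-binary "$REQUEST" --header "Content-Type: text/xml" "$AUTOD_URL" > "$RESPONSE"
      OABUrl=$(grep -m 1 OABUrl "$RESPONSE" | awk -F '[<>]' '{ print $3 }')oab.xml
      EwsUrl=$(grep -m 1 EwsUrl "$RESPONSE" | awk -F '[<>]' '{ print $3 }')
      EwsHost=$(echo "$EwsUrl" | awk -F '/' '{ print $3 }')
      rm -f "$RESPONSE"
      {
        echo "CURRENT_DC - $CURRENT_DC"
        echo "FULL_NAME - $FULL_NAME"
        echo "BASEDN - $BASEDN"
        echo "MAIL - $MAIL"
        echo "DOMAINNAME - $DOMAINNAME"
        echo "OABUrl - $OABUrl"
        echo "EwsUrl - $EwsUrl"
        echo "EwsHost - $EwsHost"
      } >> "$LOG"
      ################################################################
      ### Check URLs format
      ################################################################
      echo "$OABUrl" | grep -qE '(https|http)://(([[:alnum:]]|-|_|\.|~|!|\*|;|:|@|&|=|+|\$|,|/|\?|%|#|\[|\]])*/(oab|OAB)([[:alnum:]]|-|_|\.|~|!|\*|;|:|@|&|=|+|\$|,|/|\?|%|#|\[|\]])*/oab.xml)'
      OAB_URL_Check=$?
      echo "$EwsUrl" | grep -qE '(https|http)://(([[:alnum:]]|-|_|\.|~|!|\*|;|:|@|&|=|+|\$|,|/|\?|%|#|\[|\]])*/(ews|EWS)([[:alnum:]]|-|_|\.|~|!|\*|;|:|@|&|=|+|\$|,|/|\?|%|#|\[|\]])*/exchange.asmx)'
      EWS_URL_Check=$?
      if [ "$OAB_URL_Check" != 0 ] || [ "$EWS_URL_Check" != 0 ]; then
        echo "OAB and EWS URLs check failed... Exit..." >> "$LOG"
        exit 0
      fi
      echo "OAB and EWS URLs check OK" >> "$LOG"
      ######################################################################
      ### CleaningUp and creating evolution source files
      ######################################################################
      killall evolution-source-registry
      rm -Rf ~/.config/evolution/sources
      mkdir --parents ~/.config/evolution/sources
      #####################################################################################
      cat <<EOF > ~/.config/evolution/sources/ews.$USER.$DOMAINNAME.1.source
      [Data Source]
      DisplayName=$MAIL
      Enabled=true
      Parent=
      [Offline]
      StaySynchronized=true
      [Authentication]
      Host=$EwsHost
      #Method=none
      Method=GSSAPI
      Port=443
      ProxyUid=system-proxy
      RememberPassword=true
      User=$USER
      CredentialName=
      [Collection]
      BackendName=ews
      CalendarEnabled=true
      ContactsEnabled=true
      Identity=$USER
      MailEnabled=true
      [Security]
      Method=none
      [Ews Backend]
      FilterInbox=true
      StoreChangesInterval=3
      CheckAll=true
      ListenNotifications=true
      Email=$MAIL
      FilterJunk=true
      FilterJunkInbox=false
      FoldersInitialized=true
      GalUid=ews.$USER.$DOMAINNAME
      Hosturl=$EwsUrl
      Oaburl=$OABUrl
      OabOffline=true
      OalSelected=
      Timeout=300
      UseImpersonation=false
      ImpersonateUser=
      EOF
      ######################################################################
      cat <<EOF > ~/.config/evolution/sources/ews.$USER.$DOMAINNAME.0.source
      [Data Source]
      DisplayName=$MAIL
      Enabled=true
      Parent=ews.$USER.$DOMAINNAME.1
      [Mail Composition]
      Bcc=
      Cc=
      DraftsFolder=folder://ews.$USER.$DOMAINNAME/%d0%a7%d0%b5%d1%80%d0%bd%d0%be%d0%b2%d0%b8%d0%ba%d0%b8
      SignImip=true
      TemplatesFolder=folder://local/Templates
      [Mail Identity]
      Address=$MAIL
      Name=$FULL_NAME
      Organization=
      ReplyTo=
      SignatureUid=none
      [Mail Submission]
      SentFolder=folder://ews.$USER.$DOMAINNAME/%d0%9e%d1%82%d0%bf%d1%80%d0%b0%d0%b2%d0%bb%d0%b5%d0%bd%d0%bd%d1%8b%d0%b5
      TransportUid=ews.$USER.$DOMAINNAME.13
      RepliesToOriginFolder=false
      EOF
      ######################################################################
      cat <<EOF > ~/.config/evolution/sources/ews.$USER.$DOMAINNAME.3.source
      [Data Source]
      DisplayName=$MAIL
      Enabled=true
      Parent=ews.$USER.$DOMAINNAME.1
      [Refresh]
      Enabled=true
      IntervalMinutes=3
      [Mail Account]
      BackendName=ews
      IdentityUid=ews.$USER.$DOMAINNAME
      ArchiveFolder=
      EOF
      ###############################################################################
      cat <<EOF > ~/.config/evolution/sources/ews.$USER.$DOMAINNAME.13.source
      [Data Source]
      DisplayName=$MAIL
      Enabled=true
      Parent=ews.$USER.$DOMAINNAME.1
      [Mail Transport]
      BackendName=ews
      EOF
      ################################################################################
      cat <<EOF > ~/.config/evolution/sources/local.source
      # Special built-in mail store.
      [Data Source]
      DisplayName=On This Computer
      Enabled=false
      Parent=
      [Mail Account]
      BackendName=maildir
      IdentityUid=self
      ArchiveFolder=
      [Maildir Backend]
      FilterInbox=true
      Path=$HOME/.local/share/evolution/mail/local
      EOF
      ########################################################################
      cat <<EOF > ~/.config/evolution/sources/vfolder.source
      # Special built-in mail store.
      [Data Source]
      DisplayName=Search Folders
      Enabled=false
      Parent=
      [Mail Account]
      BackendName=vfolder
      IdentityUid=self
      ArchiveFolder=
      [Vfolder Backend]
      FilterInbox=true
      EOF
      ##################################################################
      mkdir --parents ~/.config/evolution/mail/
      cat <<EOF > ~/.config/evolution/mail/state.ini
      [GlobalFolder]
      GroupByThreads=false
      PreviewVisible=true
      [Store ews.$USER.$DOMAINNAME.3]
      Expanded=true
      [Search Bar]
      SearchScope=mail-scope-current-folder
      SearchOption=mail-search-subject-or-addresses-contain
      [Folder Tree]
      Selected=folder://ews.$USER.$DOMAINNAME.3/%d0%92%d1%85%d0%be%d0%b4%d1%8f%d1%89%d0%b8%d0%b5
      [Folder folder://ews.$USER.$DOMAINNAME.3/%d0%92%d1%85%d0%be%d0%b4%d1%8f%d1%89%d0%b8%d0%b5]
      GroupByThreads=false
      PreviewVisible=true
      Expanded=true
      EOF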
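- name: Create the per-user autostart directory template
  file:
    path: /etc/skel/.config/autostart/
    state: directory
    mode: "0755"
- name: Install the autostart entry that runs the EWS autodiscovery script
  # Exec is not parsed by a shell: the trailing `&` of the previous version
  # was handed to the script as a literal argument. Session managers start
  # autostart entries asynchronously anyway. `copy` overwrites the file, so
  # the separate remove-then-blockinfile dance is no longer needed.
  copy:
    dest: /etc/skel/.config/autostart/ews_autodiscovery.desktop
    mode: "0644"
    content: |
      [Desktop Entry]
      Encoding=UTF-8
      Version=1.0
      Type=Application
      Name=Evolution Mail Client Preconfigure
      Comment=Evolution Mail Client Preconfigure
      Exec=/usr/bin/ews_autodiscovery.sh
      StartupNotify=false
      Terminal=false
      Hidden=false
      OnlyShowIn=GNOME;XFCE;LXDE;
      X-GNOME-Autostart-enabled=true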
- name: Create the XFCE config directory template
  file:
    path: /etc/skel/.config/xfce4/
    state: directory
    mode: "0755"
- name: Ensure helpers.rc exists for new users
  file:
    path: /etc/skel/.config/xfce4/helpers.rc
    state: touch
    mode: "0644"
- name: Make Evolution the default XFCE mail reader
  lineinfile:
    path: /etc/skel/.config/xfce4/helpers.rc
    state: present
    regexp: '^MailReader='
    line: 'MailReader=evolution'
#### Disable ScreenSaver
# SECURITY NOTE: the `auth_none` locker appears to lock the screen without
# asking for a password, i.e. an idle session is never really locked. That is
# only acceptable if the Citrix client side enforces its own lock; otherwise
# anyone at the console of an idle VDA session gets in.
- name: Disable Screen Saver
  blockinfile:
    path: /etc/skel/.Xdefaults
    create: true
    mode: "0644"
    marker: ""
    block: |
      xautolock.locker:z-securelock auth_none saver_z_screensaver
      xautolock.time:1000
      xsaver_xautolock:Случайно
      xtime_xautolock:0
...
Join AD Domain Setup Citrix VDA Playbook
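---
- hosts: nci_os_szud
  vars:
    hostname: szud-os2
    # domain_name was referenced by the /etc/hosts task but never defined in
    # this play (the other playbook's vars are not shared), which fails with
    # an undefined-variable error.
    domain_name: sigma.sbrf.ru
    # Account allowed to join machines to the domain. Its password must NOT be
    # written here: supply ad_join_password from an ansible-vault encrypted
    # vars file or --extra-vars so it never lands in the repository.
    ad_join_user: ADDSIGMACA
  tasks:
    - name: Set hostname
      shell: |
        sysctl kernel.hostname="{{ hostname }}"
        sysctl -p
        hostnamectl set-hostname "{{ hostname }}"
        sed -i '/^127./D' /etc/hosts
    - name: Map the loopback address to the FQDN and short hostname
      lineinfile:
        path: /etc/hosts
        regexp: '^127\.0\.0\.1'
        line: "127.0.0.1 {{ hostname }}.{{ domain_name }} {{ hostname }} localhost.localdomain localhost"
    - name: Remove the IPv6 loopback entry from /etc/hosts
      # '/^::1/D' was a sed command, not a regex, and never matched.
      lineinfile:
        path: /etc/hosts
        regexp: '^::1'
        state: absent
    - name: restart NetworkManager service
      service:
        name: NetworkManager
        state: restarted
    - name: Join the AD domain
      # SECURITY: the join password used to be inline as `-U user%password`,
      # which puts it in the repository, in Ansible's output and in the
      # process list. Samba's client tools read the password from the PASSWD
      # environment variable instead, and no_log keeps it out of the logs.
      shell: net ads join -U "{{ ad_join_user }}"
      environment:
        PASSWD: "{{ ad_join_password }}"
      no_log: true
    - name: Configure and register the Citrix VDA
      # CTX_XDL_ADD_FIREWALL_RULES=Y opens the VDA port (80) in the host
      # firewall; CTX_XDL_AD_INTEGRATION=1 uses the winbind join made above.
      shell: |
        set -e
        /opt/Citrix/VDA/sbin/ctxcleanup.sh
        CTX_XDL_SUPPORT_DDC_AS_CNAME=N \
        CTX_XDL_DDC_LIST="v-szud-ctxdc-01.sigma.sbrf.ru v-szud-ctxdc-02.sigma.sbrf.ru" \
        CTX_XDL_VDA_PORT=80 \
        CTX_XDL_REGISTER_SERVICE=Y \
        CTX_XDL_ADD_FIREWALL_RULES=Y \
        CTX_XDL_AD_INTEGRATION=1 \
        CTX_XDL_HDX_3D_PRO=N \
        CTX_XDL_VDI_MODE=Y \
        CTX_XDL_SITE_NAME='<none>' \
        CTX_XDL_LDAP_LIST='<none>' \
        CTX_XDL_SEARCH_BASE='<none>' \
        CTX_XDL_START_SERVICE=Y \
        /opt/Citrix/VDA/sbin/ctxsetup.sh
    - name: Reboot to finish the VDA setup
      # Fire-and-forget so the task does not fail when the SSH session dies.
      shell: sleep 10 && reboot
      async: 30
      poll: 0
...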