From dd803b2d1df94fca3e086581dd892ae7c07a91ac Mon Sep 17 00:00:00 2001 
From: Ezri Brimhall Date: Tue, 1 Oct 2024 18:54:14 -0600 Subject: [PATCH] Bulk update for roles for homelab --- playbooks/roles/aur/tasks/main.yml | 1 + playbooks/roles/common/tasks/arch.yml | 14 +++++ playbooks/roles/common/tasks/main.yml | 14 +++-- .../roles/common/templates/sshd_config.j2 | 2 +- playbooks/roles/grafana/tasks/main.yml | 6 ++ .../roles/grafana/templates/grafana-server.j2 | 1 - .../files/{first-factor => common-auth} | 3 +- playbooks/roles/kanidm_native/tasks/main.yml | 26 +-------- playbooks/roles/kanidm_sssd/tasks/main.yml | 57 ++++++++++++++++++ .../templates/10-kanidm-keys.conf.j2 | 6 ++ .../templates/ldap-ssh-authorizedkeys.sh.j2 | 18 ++++++ .../roles/kanidm_sssd/templates/nslcd.conf.j2 | 20 +++++++ .../kanidm_sssd/templates/sso_admins.conf.j2 | 9 +++ .../roles/kanidm_sssd/templates/sssd.conf.j2 | 31 ++++++++++ playbooks/roles/nginx/tasks/main.yml | 18 +++++- playbooks/roles/nginx/templates/site.j2 | 3 + playbooks/roles/pamconfig/defaults/main.yml | 7 +++ .../roles/pamconfig/files/common-account | 11 ++++ .../roles/pamconfig/files/common-password | 9 +++ .../roles/pamconfig/files/common-session | 8 +++ .../files/remote-switch.access.conf | 0 playbooks/roles/pamconfig/tasks/arch.yml | 8 +++ playbooks/roles/pamconfig/tasks/debian.yml | 9 +++ playbooks/roles/pamconfig/tasks/main.yml | 58 +++++++++++++++++++ .../roles/pamconfig/templates/common-auth.j2 | 43 ++++++++++++++ .../templates/passkey-users.access.conf.j2 | 15 +++++ .../roles/unifi_network_server/tasks/main.yml | 25 ++++++++ 27 files changed, 388 insertions(+), 34 deletions(-) create mode 100644 playbooks/roles/common/tasks/arch.yml rename playbooks/roles/kanidm_native/files/{first-factor => common-auth} (86%) create mode 100644 playbooks/roles/kanidm_sssd/tasks/main.yml create mode 100644 playbooks/roles/kanidm_sssd/templates/10-kanidm-keys.conf.j2 create mode 100644 playbooks/roles/kanidm_sssd/templates/ldap-ssh-authorizedkeys.sh.j2 create mode 100644 
playbooks/roles/kanidm_sssd/templates/nslcd.conf.j2 create mode 100644 playbooks/roles/kanidm_sssd/templates/sso_admins.conf.j2 create mode 100644 playbooks/roles/kanidm_sssd/templates/sssd.conf.j2 create mode 100644 playbooks/roles/pamconfig/defaults/main.yml create mode 100644 playbooks/roles/pamconfig/files/common-account create mode 100644 playbooks/roles/pamconfig/files/common-password create mode 100644 playbooks/roles/pamconfig/files/common-session rename playbooks/roles/{2fa => pamconfig}/files/remote-switch.access.conf (100%) create mode 100644 playbooks/roles/pamconfig/tasks/arch.yml create mode 100644 playbooks/roles/pamconfig/tasks/debian.yml create mode 100644 playbooks/roles/pamconfig/tasks/main.yml create mode 100644 playbooks/roles/pamconfig/templates/common-auth.j2 create mode 100644 playbooks/roles/pamconfig/templates/passkey-users.access.conf.j2 create mode 100644 playbooks/roles/unifi_network_server/tasks/main.yml diff --git a/playbooks/roles/aur/tasks/main.yml b/playbooks/roles/aur/tasks/main.yml index c2b79e0..70de8dd 100644 --- a/playbooks/roles/aur/tasks/main.yml +++ b/playbooks/roles/aur/tasks/main.yml @@ -12,6 +12,7 @@ path: '/etc/makepkg.conf' regexp: "^PKGEXT=.*$" replace: "PKGEXT='.pkg.tar'" + when: ansible_pkg_mgr == "pacman" - name: Create AUR build user ansible.builtin.user: diff --git a/playbooks/roles/common/tasks/arch.yml b/playbooks/roles/common/tasks/arch.yml new file mode 100644 index 0000000..2ea9c11 --- /dev/null +++ b/playbooks/roles/common/tasks/arch.yml @@ -0,0 +1,14 @@ +--- + +- name: Update packages + community.general.pacman: + update_cache: yes + upgrade: yes + +- name: Install packages + ansible.builtin.pacman: + name: + - ufw + - base-devel + - wget + state: present diff --git a/playbooks/roles/common/tasks/main.yml b/playbooks/roles/common/tasks/main.yml index 3708d28..69940e5 100644 --- a/playbooks/roles/common/tasks/main.yml +++ b/playbooks/roles/common/tasks/main.yml 
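Review bot: `ansible.builtin.pacman:` in the new "Install packages" task of common/tasks/arch.yml is not a builtin module — the pacman module ships in `community.general`, which the "Update packages" task just above already uses — so the play fails to resolve this task on load. Change the line to `community.general.pacman:`. While here, `update_cache: yes` and `upgrade: yes` would read better as `true`, matching the boolean style used by the ufw task in common/tasks/main.yml and avoiding YAML 1.1 truthy ambiguity.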
@@ -1,5 +1,11 @@ --- +- name: Create wheel group + ansible.builtin.group: + name: wheel + state: present + system: yes + - name: Create local administrator ansible.builtin.user: state: present @@ -9,7 +15,7 @@ - wheel create_home: yes # Salt the password with the inventory name, this should be static between runs - password: '{{ admin_password|password_hash("sha512", inventory_hostname) }}' + password: '{{ admin_password|password_hash("sha512", "thisisabadsalt") }}' - name: Load Arch tasks import_tasks: arch.yml @@ -28,10 +34,8 @@ from: "{{ item }}" - name: Start UFW - ansible.builtin.systemd_service: - name: ufw - state: started - enabled: true + community.general.ufw: + state: enabled - name: Allow wheel to use sudo ansible.builtin.copy: diff --git a/playbooks/roles/common/templates/sshd_config.j2 b/playbooks/roles/common/templates/sshd_config.j2 index 684f308..3b29a8c 100644 --- a/playbooks/roles/common/templates/sshd_config.j2 +++ b/playbooks/roles/common/templates/sshd_config.j2 @@ -6,7 +6,7 @@ Include /etc/ssh/sshd_config.d/*.conf Port {{ ssh_port|default(22) }} # If this is initial setup of a container (where we log in as root, so become is disabled), # leave root login enabled so we can finish deploying everything. Otherwise, disable it. -PermitRootLogin {{ ansible_become | ternary("yes", "no") }} +PermitRootLogin {{ ansible_become|default(false) | ternary("yes", "no") }} PubkeyAuthentication yes PasswordAuthentication no diff --git a/playbooks/roles/grafana/tasks/main.yml b/playbooks/roles/grafana/tasks/main.yml index 047c6a6..2d4fb87 100644 --- a/playbooks/roles/grafana/tasks/main.yml +++ b/playbooks/roles/grafana/tasks/main.yml @@ -17,3 +17,9 @@ name: grafana state: present update_cache: yes + +- name: Build envfile + ansible.builtin.template: + src: grafana-server.j2 + dest: /etc/default/grafana-server + diff --git a/playbooks/roles/grafana/templates/grafana-server.j2 b/playbooks/roles/grafana/templates/grafana-server.j2 index 15f5901..d82498c 100644 
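Review bot: The new password salt is a fixed literal, `"thisisabadsalt"`, committed to the repository, so every host and every run hashes the admin password with a public, constant salt; the comment on the line above still says the password is salted with the inventory name, which is no longer true. If the intent was a salt that is stable between runs (and, as the 16-character limit of sha512-crypt suggests, shorter than a hostname), derive it from a non-public value instead, e.g. `password: '{{ admin_password|password_hash("sha512", ((inventory_hostname ~ salt_secret)|hash("sha256"))[:16]) }}'` with `salt_secret` (name of your choosing) kept in vault, and reword the comment to say so.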
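Review bot: The ternary on the changed line still reads as inverted relative to the comment above it: `ansible_become` true renders `PermitRootLogin yes`, while the comment says root login should stay enabled only during initial setup, when become is disabled. With the added `default(false)`, a host where `ansible_become` is unset now renders `PermitRootLogin no`, which on a container that is still reached as root could cut off the next connection. Confirm the intended mapping and, if the comment is right, swap the arguments: `PermitRootLogin {{ ansible_become|default(false) | ternary("no", "yes") }}`.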
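Review bot: The new "Build envfile" task sets no `owner`/`group`/`mode` on `/etc/default/grafana-server` and has no `notify`, so the file is written with the default umask and a running grafana-server never picks up a changed environment. Add `owner: root`, `group: root`, `mode: "0644"` as the other template tasks in this commit do, and notify a restart handler for the service (the handler name is not visible in this patch).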
--- a/playbooks/roles/grafana/templates/grafana-server.j2 +++ b/playbooks/roles/grafana/templates/grafana-server.j2 @@ -25,4 +25,3 @@ PID_FILE_DIR=/run/grafana GF_DEFAULT_INSTANCE_NAME={{ ansible_nodename }} - diff --git a/playbooks/roles/kanidm_native/files/first-factor b/playbooks/roles/kanidm_native/files/common-auth similarity index 86% rename from playbooks/roles/kanidm_native/files/first-factor rename to playbooks/roles/kanidm_native/files/common-auth index df85521..07e3e92 100644 --- a/playbooks/roles/kanidm_native/files/first-factor +++ b/playbooks/roles/kanidm_native/files/common-auth @@ -1,11 +1,10 @@ #%PAM-1.0 -*- mode: conf-space; tab-width: 8 -*- -# First authentication factor for Kanidm-native systems - auth requisite pam_faillock.so preauth auth [success=1 default=ignore] pam_localuser.so auth [success=3 default=2] pam_kanidm.so auth [sucesss=2 default=ignore] pam_unix.so try_first_pass nullok -auth [success=1 default=ignore] pam_systemd_home.so auth [default=die] pam_faillock.so authfail +auth optional pam_faillock.so authsucc auth optional pam_permit.so diff --git a/playbooks/roles/kanidm_native/tasks/main.yml b/playbooks/roles/kanidm_native/tasks/main.yml index c93d2ba..53d90bb 100644 --- a/playbooks/roles/kanidm_native/tasks/main.yml +++ b/playbooks/roles/kanidm_native/tasks/main.yml 
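Review bot: Removing the `pam_systemd_home.so` line without adjusting the jump count on `pam_kanidm.so` changes where a failed Kanidm login lands: `default=2` now skips both `pam_unix.so` and the `[default=die] pam_faillock.so authfail` entry and arrives at the newly added `authsucc` line, so Kanidm failures are no longer tallied for lockout (in the old file the same jump landed on `authfail`). Change it to `auth [success=3 default=1] pam_kanidm.so`; `success=3` still lands on `pam_permit.so` as before. A short comment above the stack stating that the jump counts depend on the exact line order would help the next edit.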
@@ -62,38 +62,18 @@ - name: 'Enable kanidm as a passwd db' - ansible.builtin.replace: + ansible.builtin.lineinfile: path: '/etc/nsswitch.conf' regexp: "^{{ item }}:.*$" - replace: "{{ item }}: files {{ (item == 'group') | ternary('[SUCCESS=merge]', '') }} systemd compat kanidm" - # This is a critical system file that could brick the OS. Back it up! - backup: yes + line: "{{ item }}: files {{ (item == 'group') | ternary('[SUCCESS=merge]', '') }} kanidm" with_items: - passwd - group -- name: 'Deploy first-factor PAM configuration' - ansible.builtin.copy: - src: first-factor - dest: /etc/pam.d/first-factor - owner: root - group: root - mode: "0644" - -- name: 'Deploy common PAM modules for kanidm' - ansible.builtin.copy: - src: '{{ item }}' - dest: /etc/pam.d/ - owner: root - group: root - mode: "0644" - with_fileglob: - - "../files/common-*" - - name: 'Deploy SSH key handling' ansible.builtin.template: src: 10-kanidm-keys.conf.j2 - dest: /etc/ssh/sshd_config.d/ + dest: /etc/ssh/sshd_config.d/10-kanidm-keys.conf owner: root group: root mode: "0644" diff --git a/playbooks/roles/kanidm_sssd/tasks/main.yml b/playbooks/roles/kanidm_sssd/tasks/main.yml new file mode 100644 index 0000000..d8b0d18 --- /dev/null +++ b/playbooks/roles/kanidm_sssd/tasks/main.yml 
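Review bot: The switch from `replace` to `lineinfile` drops `backup: yes` (and the comment explaining why it was there) on `/etc/nsswitch.conf`, a file whose corruption makes the host unusable; `lineinfile` supports `backup: yes` as well, so keep it. The new line also removes `systemd` and `compat` from the `passwd`/`group` sources — if any unit on these hosts uses `DynamicUser=`, the `systemd` NSS module is needed for those users to resolve, so confirm that is intentional. Minor: `ternary('[SUCCESS=merge]', '')` leaves a double space in the rendered `passwd` line.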
@@ -0,0 +1,57 @@
+---
+
+- name: 'Install sssd with pacman'
+ community.general.pacman:
+ name: sssd
+ state: present
+ when: ansible_pkg_mgr == "pacman"
+
+- name: 'Install sssd with apt'
+ ansible.builtin.apt:
+ name: sssd
+ state: present
+ when: ansible_pkg_mgr == "apt"
+
+- name: 'Build sssd config'
+ ansible.builtin.template:
+ src: sssd.conf.j2
+ dest: /etc/sssd/sssd.conf
+ owner: root
+ group: root
+ mode: "0600"
+
+- name: 'Enable SSSD'
+ ansible.builtin.systemd_service:
+ name: sssd.service
+ state: started
+ enabled: yes
+
+- name: 'Enable SSSD as a passwd db'
+ ansible.builtin.lineinfile:
+ path: '/etc/nsswitch.conf'
+ regexp: '^passwd:.*$'
+ line: 'passwd: files sss'
+
+- name: 'Enable SSSD as a group db'
+ ansible.builtin.lineinfile:
+ path: '/etc/nsswitch.conf'
+ regexp: '^group:.*$'
+ line: 'group: files [SUCCESS=merge] sss'
+
+- name: 'Deploy SSH key handling'
+ ansible.builtin.template:
+ src: 10-kanidm-keys.conf.j2
+ dest: /etc/ssh/sshd_config.d/10-kanidm-keys.conf
+ owner: root
+ group: root
+ mode: "0644"
+ notify: Restart SSH
+
+- name: 'Allow sudo for authorized groups'
+ ansible.builtin.template:
+ src: sso_admins.conf.j2
+ dest: /etc/sudoers.d/10-sso
+ validate: /usr/sbin/visudo -cf %s
+ mode: "0440"
+ owner: root
+ group: root
diff --git a/playbooks/roles/kanidm_sssd/templates/10-kanidm-keys.conf.j2 b/playbooks/roles/kanidm_sssd/templates/10-kanidm-keys.conf.j2
new file mode 100644
index 0000000..58f2bc2
--- /dev/null
+++ b/playbooks/roles/kanidm_sssd/templates/10-kanidm-keys.conf.j2
@@ -0,0 +1,6 @@
+PubkeyAuthentication yes
+UsePAM yes
+
+Match Group {{ allowed_groups | join(',') }}
+ AuthorizedKeysCommand /usr/local/bin/sss_ssh_authorizedkeys %u
+ AuthorizedKeysCommandUser nobody
diff --git a/playbooks/roles/kanidm_sssd/templates/ldap-ssh-authorizedkeys.sh.j2 b/playbooks/roles/kanidm_sssd/templates/ldap-ssh-authorizedkeys.sh.j2
new file mode 100644
index 0000000..3911c2f
--- /dev/null
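Review bot: "Build sssd config" has no `notify`, so a changed `/etc/sssd/sssd.conf` only takes effect when the following "Enable SSSD" task starts the service for the first time; on a host where sssd is already running the new configuration is not loaded until something else restarts it. Add a restart handler and notify it from the template task, as "Deploy SSH key handling" already does for sshd with `notify: Restart SSH`. The two install tasks are gated on `ansible_pkg_mgr` being `pacman` or `apt`, so on any other host the template task fails on a missing `/etc/sssd` with no clear message; an `ansible.builtin.assert` on the supported package managers at the top would make that explicit.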
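Review bot: `AuthorizedKeysCommand /usr/local/bin/sss_ssh_authorizedkeys` points at a path nothing in this patch installs — the sssd package provides `/usr/bin/sss_ssh_authorizedkeys`, and the `ldap-ssh-authorizedkeys.sh.j2` template added alongside is not deployed by any task — so unless that wrapper exists outside this commit, key lookup for the matched groups fails and, with `PasswordAuthentication no` in sshd_config.j2, those users cannot log in. Either use the packaged binary, `AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys %u`, or add a task that templates the script to that path with `mode: "0755"`. `Match Group` with a comma-joined list also assumes no group name contains a space or comma; a comment in the template stating that assumption would help.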
+++ b/playbooks/roles/kanidm_sssd/templates/ldap-ssh-authorizedkeys.sh.j2
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+# This script retrieves SSH keys from LDAP for the passed username
+# and prints them to stdout. Intended to be used as the
+# AuthorizedKeysCommand in sshd_config.
+
+# Usage: ldap-ssh-authorizedkeys.sh
+
+sshkey_attr="{{ sshkey_attr | default('ssh_publickey') }}"
+# user_attr should probably be either 'cn' or 'spn' depending on which attribute
+# is used for username mapping on the system.
+user_attr="{{ user_attr | default('cn') }}"
+ldap_base="{{ ldap_search_base }}"
+ldap_uri="{{ ldap_uri }}"
+
+ldap_filter="(&(objectClass=posixAccount)($user_attr=$1))"
+
+ldapsearch -o ldif-wrap=no -x -LLL -H "$ldap_uri" -b "$ldap_base" "$ldap_filter" "$sshkey_attr" | grep "^$sshkey_attr:" | cut -d' ' -f2-
diff --git a/playbooks/roles/kanidm_sssd/templates/nslcd.conf.j2 b/playbooks/roles/kanidm_sssd/templates/nslcd.conf.j2
new file mode 100644
index 0000000..b5afb96
--- /dev/null
+++ b/playbooks/roles/kanidm_sssd/templates/nslcd.conf.j2
@@ -0,0 +1,20 @@
+#
+# NSLCD.CONF(5)
+#
+
+uri {{ ldap_uri }}
+base {{ ldap_search_base }}
+ssl on
+binddn {{ ldap_bind_dn }}
+bindpw {{ secrets.ldap_bind_password }}
+scope sub
+timelimit 10
+bind_timelimit 10
+
+pam_password_prohibit_message "Password changes are not permitted for externally-managed users. To change your password, please visit {{ kanidm_uri }}/ui/profile."
+map passwd homeDirectory "${homeDirectory:-{{ homedir_base | default('/home') }}/$uuid}"
+map group memberUid member
+filter user {{ ldap_user_filter }}
+filter group (|(objectClass=posixAccount)(objectClass=posixGroup))
+nss_min_uid 65536
+nss_initgroups_ignoreusers ALLLOCAL
diff --git a/playbooks/roles/kanidm_sssd/templates/sso_admins.conf.j2 b/playbooks/roles/kanidm_sssd/templates/sso_admins.conf.j2
new file mode 100644
index 0000000..3fd7845
--- /dev/null
+++ b/playbooks/roles/kanidm_sssd/templates/sso_admins.conf.j2
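Review bot: `$1` is interpolated unescaped into `ldap_filter`, and under `AuthorizedKeysCommand` that argument is the login name the SSH client asked for, so LDAP filter metacharacters in a requested username reach the directory query. Restrict the value before building the filter, e.g. `case "$1" in ''|*[!A-Za-z0-9._@-]*) exit 1 ;; esac` right after the variable assignments (or escape it per RFC 4515), and add `set -euo pipefail` at the top so a failed `ldapsearch` is not reported to sshd as "no keys". The template is also not referenced by any task in this patch, and the `# Usage:` line appears to have lost its argument name.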
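Review bot: `bindpw {{ secrets.ldap_bind_password }}` renders the directory bind password in clear text, so whichever task eventually deploys this file has to write it root-only — and no task in this patch references `nslcd.conf.j2`, so that constraint is currently recorded nowhere. Add a header comment stating it, e.g. `# Embeds the LDAP bind password: deploy as root:root with mode 0600 only.`, or drop the template if the role has settled on sssd (sssd.conf.j2 does not use nslcd). `ssl on` with no `tls_reqcert`/`tls_cacertfile` lines relies on nslcd's defaults for certificate checking; a comment naming the assumed default would make the trust decision visible.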
@@ -0,0 +1,9 @@ +# -*-etc-sudoers-*- + +{% for group in sudo_groups|default([]) %} +%{{ group }} ALL=(ALL:ALL) ALL +{% endfor %} + +{% for user in sudo_users|default([]) %} +{{ user }} ALL=(ALL:ALL) ALL +{% endfor %} diff --git a/playbooks/roles/kanidm_sssd/templates/sssd.conf.j2 b/playbooks/roles/kanidm_sssd/templates/sssd.conf.j2 new file mode 100644 index 0000000..20b4d12 --- /dev/null +++ b/playbooks/roles/kanidm_sssd/templates/sssd.conf.j2 @@ -0,0 +1,31 @@ +[sssd] +services = nss, pam, ssh +config_file_version = 2 + +domains = ldap + +[nss] +homedir_substring = /home + +[domain/ldap] + +id_provider = ldap +auth_provider = ldap +access_provider = ldap +chpass_provider = ldap +ldap_schema = rfc2307bis +ldap_search_base = {{ ldap_user_search_base }} + +ldap_uri = {{ ldap_uri }} +ldap_group_object_class = object +ldap_group_search_base = {{ ldap_group_search_base }} + +ldap_access_filter = {{ ldap_access_filter }} + +override_homedir = /home/%U + +ignore_group_members = True +cache_credentials = True + +ldap_tls_cipher_suite = NORMAL:!VERS-TLS1.3 + diff --git a/playbooks/roles/nginx/tasks/main.yml b/playbooks/roles/nginx/tasks/main.yml index ab29115..8978847 100644 --- a/playbooks/roles/nginx/tasks/main.yml +++ b/playbooks/roles/nginx/tasks/main.yml @@ -5,6 +5,14 @@ name: nginx state: present +- name: Allow ports 80 and 443 + loop: + - 80 + - 443 + community.general.ufw: + rule: allow + to_port: '{{ item }}' + - name: Create config directories loop: - /etc/nginx 
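Review bot: `ldap_tls_cipher_suite = NORMAL:!VERS-TLS1.3` deliberately disables TLS 1.3 for the directory connection with no comment saying why, and the domain sets no `ldap_tls_cacert`/`ldap_tls_reqcert`, so certificate verification rests entirely on sssd's defaults and the system trust store. Add a comment naming the server-side reason for excluding TLS 1.3 so the exclusion can be removed once it no longer applies, and make verification explicit with `ldap_tls_reqcert = demand` plus the CA path in use. `ldap_group_object_class = object` treats every entry under the group search base as a group; if that is what Kanidm's LDAP schema requires, a comment saying so would stop a later reader from "fixing" it.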
@@ -60,15 +68,21 @@ - name: Enable stream configurations loop: '{{ streams_available }}' - when: item.enabled ansible.builtin.file: src: ../streams-available/{{ item.fqdn }}.conf dest: /etc/nginx/streams-enabled/{{ item.fqdn }}.conf - state: link + state: '{{ item.enabled|ternary("link", "absent") }}' owner: root group: root notify: Reload nginx +- name: Allow connections to enabled streams + loop: '{{ streams_available }}' + community.general.ufw: + rule: allow + to_port: '{{ item.listen_port }}' + delete: '{{ not item.enabled }}' + - name: Enable nginx ansible.builtin.systemd_service: name: nginx diff --git a/playbooks/roles/nginx/templates/site.j2 b/playbooks/roles/nginx/templates/site.j2 index a5111b4..e288f49 100644 --- a/playbooks/roles/nginx/templates/site.j2 +++ b/playbooks/roles/nginx/templates/site.j2 @@ -33,6 +33,9 @@ server { client_max_body_size {{ item.max_upload|default("1M") }}; location / { + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $http_connection; + proxy_http_version 1.1; add_header X-Served-By $host; proxy_set_header Host $host; proxy_set_header X-Forwarded-Scheme $scheme; diff --git a/playbooks/roles/pamconfig/defaults/main.yml b/playbooks/roles/pamconfig/defaults/main.yml new file mode 100644 index 0000000..3bcbcc3 --- /dev/null +++ b/playbooks/roles/pamconfig/defaults/main.yml @@ -0,0 +1,7 @@ +--- + +uses_passkey_auth: no +uses_passkey_2fa: no +uses_totp_2fa: no +sso_type: null +totp_2fa_nullok: false diff --git a/playbooks/roles/pamconfig/files/common-account b/playbooks/roles/pamconfig/files/common-account new file mode 100644 index 0000000..faa1572 --- /dev/null +++ b/playbooks/roles/pamconfig/files/common-account 
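Review bot: The new "Allow connections to enabled streams" rule passes only `to_port`, so ufw opens the port for both TCP and UDP regardless of what the stream listens on; the 80/443 rule in the previous hunk has the same shape for traffic that is TCP-only. Pass the protocol — `proto: tcp` for the HTTP rule, and for streams whichever protocol the `streams_available` entry declares (if entries carry none, `proto: tcp` with a comment saying so is the safer default). `delete: '{{ not item.enabled }}'` also only removes the rule while the stream stays listed with `enabled` false; a stream dropped from `streams_available` altogether keeps its port open, which is worth noting above the task.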
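Review bot: `proxy_set_header Connection $http_connection;` forwards the client's hop-by-hop Connection header verbatim to the upstream, which sends `close`/`keep-alive` as the client chose on ordinary requests and only works for WebSocket upgrades if the client sent exactly `upgrade`. The usual form is a `map $http_upgrade $connection_upgrade { default upgrade; '' close; }` in the http context and `proxy_set_header Connection $connection_upgrade;` here, so the upstream sees `upgrade` only when an Upgrade header is present. Since the template renders every site, consider gating the three added lines on a per-site flag so sites without WebSockets keep plain proxying.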
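Review bot: The new defaults file mixes YAML 1.1 truthy values (`no`) with `false`; Ansible reads both as booleans, but yamllint's `truthy` rule flags `no` and a YAML 1.2 parser reads it as a string. Use `false` throughout: `uses_passkey_auth: false`, `uses_passkey_2fa: false`, `uses_totp_2fa: false`. A one-line comment per variable naming the block of common-auth.j2 it enables (and what `sso_type` accepts, `"native"`/`"ldap"`/`null`) would document the role's surface without opening the template.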
@@ -0,0 +1,11 @@
+#%PAM-1.0 -*- mode: conf-space; tab-width: 10 -*-
+
+account [success=2 default=ignore] pam_localuser.so
+-account [success=4 ignore=ignore default=3] pam_kanidm.so
+-account [success=3 ignore=ignore default=2] pam_ldap.so
+-account [success=2 default=ignore] pam_systemd_home.so
+account [success=1 default=ignore] pam_unix.so
+account [default=die] pam_deny.so
+account optional pam_permit.so
+account required pam_time.so
+
diff --git a/playbooks/roles/pamconfig/files/common-password b/playbooks/roles/pamconfig/files/common-password
new file mode 100644
index 0000000..0e7db58
--- /dev/null
+++ b/playbooks/roles/pamconfig/files/common-password
@@ -0,0 +1,9 @@
+#%PAM-1.0 -*- mode: conf-space; tab-width: 10 -*-
+
+password [success=2 default=ignore] pam_localuser.so
+-password [success=4 default=3] pam_kanidm.so
+-password [sucesss=3 default=2] pam_ldap.so
+-password [success=2 default=ignore] pam_systemd_home.so
+password [success=1 default=ignore] pam_unix.so try_first_pass nullok shadow sha512
+password [default=die] pam_deny.so
+password optional pam_permit.so
diff --git a/playbooks/roles/pamconfig/files/common-session b/playbooks/roles/pamconfig/files/common-session
new file mode 100644
index 0000000..7ec543c
--- /dev/null
+++ b/playbooks/roles/pamconfig/files/common-session
@@ -0,0 +1,8 @@
+#%PAM-1.0 -*- mode: conf-space; tab-width: 10 -*-
+
+session required pam_limits.so
+session optional pam_unix.so
+session optional pam_umask.so
+-session optional pam_kanidm.so
+-session optional pam_ldap.so
+session optional pam_env.so
diff --git a/playbooks/roles/2fa/files/remote-switch.access.conf b/playbooks/roles/pamconfig/files/remote-switch.access.conf
similarity index 100%
rename from playbooks/roles/2fa/files/remote-switch.access.conf
rename to playbooks/roles/pamconfig/files/remote-switch.access.conf
diff --git a/playbooks/roles/pamconfig/tasks/arch.yml b/playbooks/roles/pamconfig/tasks/arch.yml
new file mode 100644
index 0000000..804987d
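Review bot: `-password [sucesss=3 default=2] pam_ldap.so` in common-password misspells the `success` return code; as far as I can tell from libpam's control parser an unrecognised token marks the whole entry bad rather than applying the jump, so the intended skip over `pam_systemd_home.so`/`pam_unix.so` after a successful LDAP password change does not happen. The same misspelling appears on the `pam_unix.so` line of common-auth.j2 (`[sucesss=2 default=ignore]`), where it affects every password login, and on the unchanged `pam_unix.so` line of the renamed kanidm_native common-auth. Correct all three to `success=`.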
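Review bot: common-session has no `pam_mkhomedir.so` (and no `pam_systemd.so`), so a directory user logging in for the first time gets no home directory even though sssd.conf.j2 sets `override_homedir = /home/%U`, and no logind session is registered for them. If such users are expected to get homes on first login, add `session optional pam_mkhomedir.so umask=0077` after `pam_limits.so`; whether pam_systemd belongs here depends on the fact that the copy task in pamconfig/tasks/main.yml replaces the distribution's own common-session wholesale, which is worth confirming and noting in a header comment.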
--- /dev/null
+++ b/playbooks/roles/pamconfig/tasks/arch.yml
@@ -0,0 +1,8 @@
+---
+
+- name: 'Install 2FA plugins'
+ community.general.pacman:
+ name:
+ - libpam-google-authenticator
+ - pam-u2f
+ state: present
diff --git a/playbooks/roles/pamconfig/tasks/debian.yml b/playbooks/roles/pamconfig/tasks/debian.yml
new file mode 100644
index 0000000..612a647
--- /dev/null
+++ b/playbooks/roles/pamconfig/tasks/debian.yml
@@ -0,0 +1,9 @@
+---
+
+- name: 'Install 2FA plugins'
+ ansible.builtin.apt:
+ name:
+ - libpam-google-authenticator
+ - libpam-u2f
+ - pamu2fcfg
+ state: present
diff --git a/playbooks/roles/pamconfig/tasks/main.yml b/playbooks/roles/pamconfig/tasks/main.yml
new file mode 100644
index 0000000..d665a05
--- /dev/null
+++ b/playbooks/roles/pamconfig/tasks/main.yml
@@ -0,0 +1,58 @@
+---
+
+- name: 'Install 2FA plugins for Arch'
+ ansible.builtin.include_tasks:
+ file: arch.yaml
+ when: ansible_os_family | lower == "archlinux"
+
+- name: 'Install 2FA plugins for Debian'
+ ansible.builtin.include_tasks:
+ file: debian.yml
+ when: ansible_os_family | lower == "debian"
+
+- name: 'Configure Kanidm Native'
+ ansible.builtin.import_role:
+ name: kanidm_native
+ when: sso_type == "native"
+
+- name: 'Configure Kanidm via SSSD'
+ ansible.builtin.import_role:
+ name: kanidm_sssd
+ when: sso_type == "ldap"
+
+- name: 'Compile passkey switch'
+ ansible.builtin.template:
+ src: passkey-users.access.conf.j2
+ dest: /etc/security/passkey-users.access.conf
+ owner: root
+ group: root
+ mode: "0644"
+
+- name: 'Copy remote session switch'
+ ansible.builtin.copy:
+ src: remote-switch.access.conf
+ dest: /etc/security/remote-sqitch.access.conf
+ owner: root
+ group: root
+ mode: "0644"
+
+- name: 'Compile common-auth'
+ ansible.builtin.template:
+ src: common-auth.j2
+ dest: /etc/pam.d/common-auth
+ owner: root
+ group: root
+ mode: "0644"
+
+- name: 'Copy common PAM configs'
+ ansible.builtin.copy:
+ src: common-{{ item }}
+ dest: /etc/pam.d/
+ owner: root
+ group: root
+ mode: "0644"
+ loop:
+ - account
+ - password
+ - session
+
diff --git a/playbooks/roles/pamconfig/templates/common-auth.j2 b/playbooks/roles/pamconfig/templates/common-auth.j2
new file mode 100644
index 0000000..894cffb
--- /dev/null
+++ b/playbooks/roles/pamconfig/templates/common-auth.j2
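Review bot: Two file names on the new side do not match the files they refer to: `file: arch.yaml` in "Install 2FA plugins for Arch" (the task file added by this patch is `arch.yml`, so the include fails on Arch hosts), and `dest: /etc/security/remote-sqitch.access.conf` in "Copy remote session switch", while common-auth.j2 points `pam_access.so` at `/etc/security/remote-switch.access.conf`. With the second typo pam_access cannot open its accessfile — which, as far as I recall, it treats as a denial — so `[success=ignore default=4]` skips the passkey-2FA block on every login, and with TOTP off the stack ends at `pam_deny.so`. Fix the two lines to `file: arch.yml` and `dest: /etc/security/remote-switch.access.conf`.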
@@ -0,0 +1,43 @@
+#%PAM-1.0 -*- mode: conf-space; tab-width: 10 -*-
+
+auth requisite pam_faillock.so preauth
+
+{% if uses_passkey_auth %}
+auth [success=ignore default=6] pam_access.so accessfile=/etc/security/passkey-users.access.conf
+auth [success=5 default=ignore] pam_rootok.so
+auth [success=1 default=ignore] pam_u2f.so cue origin=pam://{{ ansible_nodename }} appid=pam://{{ ansible_nodename }} userpresence=0 pinverification=1
+auth requisite pam_faillock.so authfail
+auth optional pam_permit.so
+auth required pam_env.so
+auth required pam_faillock.so authsucc
+{% endif %}
+{% if sso_type == "native" %}
+auth [success=1 default=ignore] pam_localuser.so
+auth [success=3 default=2] pam_kanidm.so
+{% elif sso_type == "ldap" %}
+auth [success=1 default=ignore] pam_localuser.so
+auth [success=3 default=2] pam_ldap.so try_first_pass
+{% endif %}
+auth [sucesss=2 default=ignore] pam_unix.so try_first_pass nullok
+-auth [success=1 default=ignore] pam_systemd_home.so
+auth [default=die] pam_faillock.so authfail
+{% if uses_passkey_2fa %}
+auth [success=ignore default=4] pam_access.so accessfile=/etc/security/remote-switch.access.conf
+auth [success=ok default=3] pam_u2f.so cue origin=pam://{{ ansible_nodename }} appid=pam://{{ ansible_nodename }} userpresence=1
+auth optional pam_permit.so
+auth requisite pam_env.so
+auth sufficient pam_faillock.so authsucc
+{% endif %}
+{% if uses_totp_2fa %}
+auth [success=ok default=3] pam_google_authenticator.so {{ totp_2fa_nullok | ternary("nullok", "") }} echo_verification_code
+auth optional pam_permit.so
+auth requisite pam_env.so
+auth sufficient pam_faillock.so authsucc
+{% endif %}
+{% if (uses_passkey_2fa) or (uses_totp_2fa) %}
+auth [default=die] pam_deny.so
+{% else %}
+auth optional pam_permit.so
+auth required pam_env.so
+auth required pam_faillock.so authsucc
+{% endif %}
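Review bot: The template's control flow lives entirely in jump counts (`default=6`, `success=5`, `default=4`, `default=3`) that must be recomputed whenever a line inside a `{% if %}` block is added or removed, and nothing in the file says so — the same drift has already happened in the kanidm_native common-auth in this patch. Suggested header after the `#%PAM-1.0` line: `# Each [success=N default=M] counts the lines that follow it within the same {% if %} block; re-check every N/M after editing a block.` followed by one line per block naming its role (passkey first factor, SSO/password, passkey 2FA for local sessions per remote-switch.access.conf, TOTP 2FA, final verdict). In the passkey-2FA and TOTP blocks `pam_env.so` is `requisite` while every other block has it `required`; presumably a copy slip, since a pam_env failure is not a reason to abort authentication, so `auth required pam_env.so` would be consistent.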
diff --git a/playbooks/roles/pamconfig/templates/passkey-users.access.conf.j2 b/playbooks/roles/pamconfig/templates/passkey-users.access.conf.j2
new file mode 100644
index 0000000..213fa54
--- /dev/null
+++ b/playbooks/roles/pamconfig/templates/passkey-users.access.conf.j2
@@ -0,0 +1,15 @@
+# This file functions as a switch for passkey access. A user listed in the `passkey_users` variable will have an allow
+# line in this file, which will require them to log in using a passkey. Note that THIS CAN LOCK YOU OUT if you do not
+# have a passkey set up!!
+#
+# It only "allows" local connections, as currently there is no way to use a passkey over SSH.
+
+{% for user in passkey_users | default([]) %}
++:{{ user }}:LOCAL
+{% endfor %}
+
+{% for group in passkey_groups | default([]) %}
++:({{ group }}):LOCAL
+{% endfor %}
+
+-:ALL:ALL
diff --git a/playbooks/roles/unifi_network_server/tasks/main.yml b/playbooks/roles/unifi_network_server/tasks/main.yml
new file mode 100644
index 0000000..67c529c
--- /dev/null
+++ b/playbooks/roles/unifi_network_server/tasks/main.yml
@@ -0,0 +1,25 @@
+---
+
+- name: 'Fetch repository keys'
+ loop:
+ - 'https://dl.ui.com/unifi/unifi-repo.gpg'
+ - 'https://www.mongodb.org/static/pgp/server-7.0.asc'
+ ansible.builtin.apt_key:
+ url: '{{ item }}'
+ state: present
+
+- name: Add repositories
+ loop:
+ - 'deb [ arch=amd64,arm64 ] https://www.ui.com/downloads/unifi/debian stable ubiquiti'
+ - 'deb [ trusted=yes ] https://repo.mongodb.org/apt/debian bookworm/mongodb-org/7.0 main'
+ ansible.builtin.apt_repository:
+ repo: '{{ item }}'
+ state: present
+
+- name: Install packages
+ ansible.builtin.apt:
+ name:
+ - mongodb-org
+ - unifi
+ state: present
+ update_cache: yes
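Review bot: `deb [ trusted=yes ] https://repo.mongodb.org/apt/debian bookworm/mongodb-org/7.0 main` turns off APT signature verification for the MongoDB repository even though the preceding task fetches that repository's signing key, so `mongodb-org` is installed unauthenticated. Drop `trusted=yes`, and since `apt_key` writes to the deprecated global keyring, prefer fetching each key with `ansible.builtin.get_url` into `/etc/apt/keyrings/` and referencing it with `signed-by=` in both `deb` lines. `update_cache: yes` would read better as `true`.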