WIP: Add LDAP authentication #51

Draft
sbruder wants to merge 2 commits from ldap into main
9 changed files with 142 additions and 0 deletions


@ -36,6 +36,10 @@
auth: auth:
sudo: sudo:
group: fablab group: fablab
ldap:
protocol: ldap
server: ldap.fablab-nea.de
base: dc=ldap,dc=fablab-nea,dc=de
l10n: l10n:
keyboard: keyboard:
layout: de layout: de
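Review bot: `protocol: ldap` in the added `ldap:` block selects a cleartext ldap:// URI, and nothing in this vars file records that confidentiality then depends on each consumer upgrading the connection itself: nslcd.conf.j2 does so with `ssl start_tls`, but the global ldap.conf.j2 has no way to force STARTTLS on other libldap clients such as ldapsearch, which talk plaintext unless started with `-ZZ`. Either add a comment above `protocol:` such as `# ldap = port 389, upgraded with STARTTLS by nslcd; other clients must request TLS themselves` or, if the server offers it, set the value to `ldaps` so every consumer is encrypted by construction. The `ldap:` key is the only place these three values are documented, so a one-line comment on `base:` naming what lives under the DN would help the next person reading the role.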


@ -0,0 +1,23 @@
-----BEGIN CERTIFICATE-----
MIID5jCCAs6gAwIBAgIJAPtqBuTAclYRMA0GCSqGSIb3DQEBCwUAMIGHMQswCQYD
VQQGEwJERTEQMA4GA1UECAwHQmF2YXJpYTEWMBQGA1UEBwwNQmFkIFdpbmRzaGVp
bTETMBEGA1UECgwKRmFiTGFiIE5FQTEWMBQGA1UEAwwNZmFibGFiLW5lYS5kZTEh
MB8GCSqGSIb3DQEJARYSaW5mb0BmYWJsYWItbmVhLmRlMB4XDTE4MDUxNzE3NDIz
OFoXDTI4MDIxNDE3NDIzOFowgYcxCzAJBgNVBAYTAkRFMRAwDgYDVQQIDAdCYXZh
cmlhMRYwFAYDVQQHDA1CYWQgV2luZHNoZWltMRMwEQYDVQQKDApGYWJMYWIgTkVB
MRYwFAYDVQQDDA1mYWJsYWItbmVhLmRlMSEwHwYJKoZIhvcNAQkBFhJpbmZvQGZh
YmxhYi1uZWEuZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDD8ldQ
/azjfG6yUPi86f9adQxy4kV/MjSu+VViHILPBYwByB9FpJ9vp6kpTZpWpRk1NHqS
YYc4MwYNo/bi2hO+b6ZP3D5OGnLdud6X0zHAH9751Svw/4y9CY5a/WrAp/TND7M0
wpi7SpyMJdJpuPGa53s6hGjIfcFwpF4TJD3UJJZsXghsOsKpq13JRiERZ1BGOJJD
HPzr6BdWdH40IakNa7PS+ZFdHJ2qTTBinZIjc4lOe5WRK6ZmAB5kZpv3h8vxgpqu
E6c0IlBu8U+0yQXdxhw98xJ5jwknANROaEWSBqR8tD1LAIARAEbTYWmkmdULnPz3
Kq86PzZ9ac/vh86TAgMBAAGjUzBRMB0GA1UdDgQWBBRESu5pvADeGZ5BRGep+5g0
OkulezAfBgNVHSMEGDAWgBRESu5pvADeGZ5BRGep+5g0OkulezAPBgNVHRMBAf8E
BTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCF5nZ/FORMg9ug+kAWTT4NQMt7YALg
VCYWg34xWLU7Tk9O6yAoa5O+SABYXIr0oNU7mdqZPeOKTNpOQOeg1RyXB74g3wrP
gKRjbG3vWG53FLuNfeEhC0hC1ThFy2mXsIvgW0Q+29PoCeipT8Q62/UDx4CZkZBO
uVJ+jjl7WH/MJJWMJXCxDvqyM12MqlLCkfxiVnRD5XNHRRoVK3gHI07FVnTVEjIb
SQCsn1DtCJG27xbizLuf1ipYwLvLm+zPKBs6pVqqT6oDbgltaDqzg1dvAZuk4XX8
DcW65+UEiDe7xXmYUREj0E7FvCNHNY2xZPHGEUUbIOvNZmj836gS1/fR
-----END CERTIFICATE-----


@ -0,0 +1,6 @@
Name: Create home directory during login
Default: yes
Priority: 900
Session-Type: Additional
Session:
required pam_mkhomedir.so umask=0027 skel=/etc/skel
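Review bot: The `Session:` line creates a home directory for every account that passes authentication, and with `passwd: compat ldap` in the new nsswitch.conf that is every directory account, not only those meant to have shell access; nothing visible in the PR restricts which LDAP users may open a session (assuming libpam-ldapd is pulled in, since ldap.yml only lists `libnss-ldapd`). If only some accounts should log in, restrict them before this module runs, for example with `pam_authz_search` in nslcd.conf.j2 or `AllowGroups` in sshd, otherwise each first login of any directory user leaves a home directory on the host. `umask=0027` is the right choice for those directories (group-readable, not world-readable), and `required` means a failure to create the directory fails the login, which is presumably intended — confirm. Because the profile itself is terse, the `name:` of the task that installs it in ldap.yml should say that it applies to every LDAP login.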


@ -0,0 +1,15 @@
passwd: compat ldap
group: compat ldap
shadow: compat ldap
gshadow: files
hosts: files dns
networks: files ldap
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
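Review bot: This file replaces the distribution's nsswitch.conf wholesale, so any additional sources the target release ships with (for instance a `systemd` entry on `passwd`/`group` on newer Debian) are silently dropped; confirm against the installed file before overwriting it, or template only the `passwd`/`group`/`shadow` lines. The `compat ldap` order keeps local accounts authoritative on a name or uid collision with the directory, which is the safe direction, and deserves a comment at the top of the file: `# local (compat) entries win over LDAP on name/uid collisions`. `networks: files ldap` is the only `ldap` source outside the account databases; if no network objects are kept in the directory it causes a directory query on every network lookup for no gain and can be dropped.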


@ -0,0 +1,14 @@
---
- name: restart nslcd
service:
name: nslcd
state: restarted
notify: restart nscd
- name: restart nscd
service:
name: nscd
state: restarted
- name: update pam
command: pam-auth-update --package


@ -0,0 +1,39 @@
---
- name: install ldap packages
apt:
name: "libnss-ldapd"
state: present
# TODO: remove this step and switch to Lets encrypt
- name: add ldap ca cert
copy:
src: ldapca.pem
dest: /etc/ssl/certs/ldapca.pem
- name: add ldap global config
template:
src: ldap.conf.j2
dest: /etc/ldap/ldap.conf
- name: configure nsswitch
copy:
src: nsswitch.conf
dest: /etc/nsswitch.conf
owner: root
group: root
mode: '0640'
- name: configure nslcd
template:
src: nslcd.conf.j2
dest: /etc/nslcd.conf
owner: root
group: root
mode: '0640'
notify: restart nslcd
- name: add pam config for automated creation of the home directory
copy:
src: mkhomedir
dest: /usr/share/pam-configs/mkhomedir
notify: update pam
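Review bot: `mode: '0640'` on the `configure nsswitch` task makes /etc/nsswitch.conf unreadable to non-root processes, but glibc reads that file from every process performing a name or account lookup; unprivileged programs would fall back to glibc's built-in defaults and never see the `ldap` sources, so change that task to `mode: '0644'`. The same mode on /etc/nslcd.conf is appropriate, since nslcd presumably reads its configuration as root before switching to `uid nslcd` and the file is where a `bindpw` would later live. The `add ldap ca cert` and `add ldap global config` tasks set no `owner`/`group`/`mode`, unlike the two tasks below them; both files are public and should carry `mode: '0644'` explicitly so the result does not depend on the remote umask. Only `libnss-ldapd` is installed while the handlers restart `nscd` and the PR is about authentication; if `libpam-ldapd` and `nscd` are expected to arrive through apt Recommends, list them in `name:` so the role does not rely on apt defaults.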


@ -1,3 +1,6 @@
--- ---
- import_tasks: debug.yml - import_tasks: debug.yml
- import_tasks: ldap.yml
tags:
- auth:ldap
- import_tasks: sudo.yml - import_tasks: sudo.yml
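Review bot: The new `import_tasks: ldap.yml` runs on every host applying this role, and both templates in ldap.yml dereference `auth.ldap.protocol`, `auth.ldap.server` and `auth.ldap.base`, so a host whose vars lack an `auth.ldap` mapping fails at template time instead of skipping LDAP. If LDAP is meant to be opt-in per host, guard the import with `when: auth.ldap is defined` next to the `tags:` entry; with `import_tasks` the condition is applied to every imported task. Importing ldap.yml before sudo.yml matters if the `sudo.group: fablab` from the vars file resolves through the directory, which the hunk does not show — a comment stating that ordering dependency would keep a later reorder from breaking it.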


@ -0,0 +1,10 @@
BASE {{ auth.ldap.base }}
URI {{ auth.ldap.protocol }}://{{ auth.ldap.server }}
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
# TLS certificates
# TODO: replace/omit to use system bundle and Lets encrypt
TLS_CACERT /etc/ssl/certs/ldapca.pem
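Review bot: `TLS_CACERT` pins the trust anchor but the template leaves `TLS_REQCERT` at its default; add `TLS_REQCERT demand` on the line before it so a reader, and any later edit of this file, sees that certificate verification is mandatory rather than inherited from libldap's default. The `# TLS certificates` comment should also say what this file cannot do: `# certificate verification only; STARTTLS on an ldap:// URI must be requested by the client` — the choice to upgrade the connection lives in each client (nslcd.conf.j2 sets it with `ssl start_tls`). On the `TODO`, replacing the private CA with the system bundle widens who can issue an accepted certificate for the server from one CA to every publicly trusted one; if the directory stays internal, a dedicated `TLS_CACERT` is the tighter configuration and the TODO should record that trade-off rather than only the migration plan.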


@ -0,0 +1,28 @@
# The user and group nslcd should run as.
uid nslcd
gid nslcd
# The location at which the LDAP server(s) should be reachable.
uri {{ auth.ldap.protocol }}://{{ auth.ldap.server }}/
# The search base that will be used for all queries.
base {{ auth.ldap.base }}
# The LDAP protocol version to use.
#ldap_version 3
# The DN to bind with for normal lookups.
#binddn cn=annonymous,dc=example,dc=net
#bindpw secret
# The DN used for password modifications by root.
#rootpwmoddn cn=admin,dc=example,dc=com
# SSL options
ssl start_tls
#tls_reqcert never
# TODO: replace with system bundle for Lets encrypt usage
tls_cacertfile /etc/ssl/certs/ldapca.pem
# The search scope.
#scope sub