From 73a828502cab4daf1581cd35e7eaba444f3b5d78 Mon Sep 17 00:00:00 2001
From: Emiliano Vavassori
Date: Sun, 13 Jul 2025 22:48:41 +0200
Subject: [PATCH] Ultime modifiche.
---
 deploy.sh | 2 +-
 hosts | 3 +-
 roles/gvfs/handlers/main.yml | 6 +++
 roles/gvfs/tasks/main.yml | 10 ++++
 roles/pam/tasks/main.yml | 27 +++++++++++
 roles/pam/templates/pam_mount.conf.xml | 28 +++++++++++
 roles/samba/tasks/main.yml | 18 +++++++
 roles/samba/templates/smb.conf | 5 ++
 roles/sssd/handlers/main.yml | 7 +++
 roles/sssd/tasks/main.yml | 67 ++++++++++++++++++++++++++
 roles/sudoers/99-domain_admins | 3 ++
 roles/sudoers/tasks/main.yml | 11 +++++
 12 files changed, 184 insertions(+), 3 deletions(-)
 create mode 100644 roles/gvfs/handlers/main.yml
 create mode 100644 roles/gvfs/tasks/main.yml
 create mode 100644 roles/pam/tasks/main.yml
 create mode 100644 roles/pam/templates/pam_mount.conf.xml
 create mode 100644 roles/samba/tasks/main.yml
 create mode 100644 roles/samba/templates/smb.conf
 create mode 100644 roles/sssd/handlers/main.yml
 create mode 100644 roles/sssd/tasks/main.yml
 create mode 100644 roles/sudoers/99-domain_admins
 create mode 100644 roles/sudoers/tasks/main.yml
diff --git a/deploy.sh b/deploy.sh
index 4f30806..1c5af83 100755
--- a/deploy.sh
+++ b/deploy.sh
@@ -1,3 +1,3 @@
 #!/bin/bash
-ansible-playbook deploy.yml --limit localhost
+ansible-playbook deploy.yml
diff --git a/hosts b/hosts
index 6805eb0..2302eda 100644
--- a/hosts
+++ b/hosts
@@ -1,2 +1 @@
-#localhost ansible_connection=local
-zorin ansible_host=192.168.33.243 ansible_user=utente ansible_connection=ssh
+localhost ansible_connection=local
diff --git a/roles/gvfs/handlers/main.yml b/roles/gvfs/handlers/main.yml
new file mode 100644
index 0000000..3dbc00d
--- /dev/null
+++ b/roles/gvfs/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: Daemon reload
+ ansible.builtin.systemd_service:
+ daemon_reload: true
+ become: true
+ become_user: true
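Review bot: `become_user: true` on the Daemon reload handler is a boolean, not a user name; Ansible will try to become a user literally called `True`, so the handler fails the first time it is notified. The sssd handler in this same commit uses `become_user: root`, which is the form to mirror here — or drop the key entirely, since root is the default become user. The unit the gvfs task edits lives under /usr/lib/systemd/user, i.e. it is a user-scope unit, so a daemon-reload of the system manager probably does not reach the running `systemd --user` instances; a comment stating whether a re-login is expected (or a per-user `scope: user` reload) would make the intent explicit.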
diff --git a/roles/gvfs/tasks/main.yml b/roles/gvfs/tasks/main.yml
new file mode 100644
index 0000000..c97da86
--- /dev/null
+++ b/roles/gvfs/tasks/main.yml
@@ -0,0 +1,10 @@
+---
+# Sistemiamo GVFS
+
+- name: Aggiustiamo gvfs
+ ansible.builtin.lineinfile:
+ path: /usr/lib/systemd/user/gvfs-daemon.service
+ line: 'Environment="KRB5CCNAME=FILE:/tmp/.krb5cc_%U"'
+ insertafter: "^[Service]"
+ state: present
+ notify: Daemon reload
diff --git a/roles/pam/tasks/main.yml b/roles/pam/tasks/main.yml
new file mode 100644
index 0000000..d1e5be6
--- /dev/null
+++ b/roles/pam/tasks/main.yml
@@ -0,0 +1,27 @@
+---
+# Impostazioni per pam
+
+- name: Creazione mountpoint in skel
+ ansible.builtin.file:
+ path: /etc/skel/Personale
+ state: directory
+ owner: root
+ group: root
+ mode: '0755'
+
+- name: Installazione componenti mancanti
+ ansible.builtin.apt:
+ name: libpam-mount
+ state: present
+
+- name: Attivazione servizi pam-mount
+ ansible.builtin.command: pam-auth-update --enable libpam-mount
+
+- name: Configurazione pam_mount
+ ansible.builtin.template:
+ src: pam_mount.conf.xml
+ dest: /etc/security/pam_mount.conf.xml
+ backup: true
+ owner: root
+ group: root
+ mode: '0644'
diff --git a/roles/pam/templates/pam_mount.conf.xml b/roles/pam/templates/pam_mount.conf.xml
new file mode 100644
index 0000000..c209f81
--- /dev/null
+++ b/roles/pam/templates/pam_mount.conf.xml
@@ -0,0 +1,28 @@
+ + + + + + + + + + + + + + + + + + +
diff --git a/roles/samba/tasks/main.yml b/roles/samba/tasks/main.yml
new file mode 100644
index 0000000..cdaa805
--- /dev/null
+++ b/roles/samba/tasks/main.yml
@@ -0,0 +1,18 @@
+---
+# Sistemazione file samba
+
+- name: Installazione prerequisiti
+ ansible.builtin.apt:
+ name:
+ - samba-common
+ - cifs-utils
+ state: present
+
+- name: Configuriamo samba da template
+ ansible.builtin.template:
+ src: smb.conf
+ dest: /etc/samba/smb.conf
+ backup: true
+ owner: root
+ group: root
+ mode: '0644'
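Review bot: `insertafter: "^[Service]"` is a regular expression, and `[Service]` is a character class there, so the pattern matches any line beginning with one of the letters S, e, r, v, i, c rather than the `[Service]` header; the Environment line is inserted after the last such line (or at EOF when none matches), which only by luck lands in the right section. Escape the brackets: `insertafter: '^\[Service\]'`. Editing a package-owned unit under /usr/lib/systemd/user is also undone by the next gvfs upgrade; a drop-in under /etc/systemd/user/gvfs-daemon.service.d/ survives it. The `FILE:/tmp/.krb5cc_%U` value has to stay in step with the sssd role in this commit, which sets `krb5_ccachedir = /tmp` and `krb5_ccname_template = FILE:%d/.krb5cc_%U`; a comment pointing at that coupling would save a future maintainer from changing one side only.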
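Review bot: `ansible.builtin.command: pam-auth-update --enable libpam-mount` runs on every play and is always reported as changed, so the pam role is never idempotent. On Debian-family systems the libpam-mount package, as far as I recall, already registers its profile with pam-auth-update from its postinst, so the task may be redundant; if it is kept, add `changed_when: false` or gate it on a registered check of the PAM stack. The `pam_mount.conf.xml` template itself is not readable in this view (its lines were stripped), so the mount definitions it carries could not be reviewed.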
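Review bot: The task writing /etc/samba/smb.conf has no `validate:`, whereas the sudoers task in this commit validates with visudo; a syntax error in the rendered template is only discovered when a client next loads the file. `validate: testparm -s %s` catches it at deploy time (testparm returns non-zero when the file fails to load), but note that on Debian-family systems testparm is shipped by `samba-common-bin`, which the apt task (`samba-common`, `cifs-utils`) does not install — add it to the package list if you take this.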
diff --git a/roles/samba/templates/smb.conf b/roles/samba/templates/smb.conf
new file mode 100644
index 0000000..f612c06
--- /dev/null
+++ b/roles/samba/templates/smb.conf
@@ -0,0 +1,5 @@
+[global]
+ workgroup = {{ netbios }}
+ realm = {{ realm }}
+ encrypt passwords = yes
+ client protection = encrypt
diff --git a/roles/sssd/handlers/main.yml b/roles/sssd/handlers/main.yml
new file mode 100644
index 0000000..d93380d
--- /dev/null
+++ b/roles/sssd/handlers/main.yml
@@ -0,0 +1,7 @@
+---
+- name: Restart sssd
+ ansible.builtin.service:
+ name: sssd
+ state: restarted
+ become: true
+ become_user: root
diff --git a/roles/sssd/tasks/main.yml b/roles/sssd/tasks/main.yml
new file mode 100644
index 0000000..ddf0ea7
--- /dev/null
+++ b/roles/sssd/tasks/main.yml
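Review bot: `encrypt passwords = yes` is Samba's default, so the line is redundant in this client-side template; dropping it leaves `client protection = encrypt` as the one deliberate hardening setting, which deserves a comment such as `# require encrypted SMB sessions for client connections`. Since smb.conf is not YAML the unquoted `{{ realm }}` and `{{ netbios }}` are fine, but `realm` must equal the Kerberos realm (conventionally upper case) — worth stating in the variable's documentation what the caller is expected to supply.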
@@ -0,0 +1,67 @@
+---
+# Impostazioni tratte da https://www.pierreblazquez.com/2024/02/04/how-to-join-debian-12-to-an-active-directory-domain/
+#
+# Impostazione del servizio sssd
+
+- name: Aggiunta suffisso di default
+ ansible.builtin.lineinfile:
+ path: /etc/sssd/sssd.conf
+ state: present
+ line: "default_domain_suffix = {{ domain }}"
+ insertafter: '^domains ='
+ notify: Restart sssd
+
+- name: Disattivazione pac responder
+ ansible.builtin.lineinfile:
+ path: /etc/sssd/sssd.conf
+ state: present
+ line: implicit_pac_responder = false
+ insertafter: '^config_file_version = 2'
+ notify: Restart sssd
+
+- name: Rimozione services
+ ansible.builtin.lineinfile:
+ path: /etc/sssd/sssd.conf
+ state: absent
+ line: '^services ='
+ notify: Restart sssd
+
+- name: Aggiunta specifica cachedir per krb5
+ ansible.builtin.lineinfile:
+ path: /etc/sssd/sssd.conf
+ state: present
+ line: krb5_ccachedir = /tmp
+ insertafter: '^krb5_store_password_if_offline = True'
+ notify: Restart sssd
+
+- name: Aggiunta ccname template per krb5
+ ansible.builtin.lineinfile:
+ path: /etc/sssd/sssd.conf
+ state: present
+ line: krb5_ccname_template = FILE:%d/.krb5cc_%U
+ insertafter: 'krb5_ccachedir = /tmp'
+ notify: Restart sssd
+
+- name: Aggiunta full name format
+ ansible.builtin.lineinfile:
+ path: /etc/sssd/sssd.conf
+ state: present
+ line: full_name_format = %1$s
+ insertafter: '^ad_domain ='
+ notify: Restart sssd
+
+- name: Aggiunta override homedir
+ ansible.builtin.lineinfile:
+ path: /etc/sssd/sssd.conf
+ state: present
+ line: override_homedir = /home/%u@%d
+ insertafter: '^fallback_homedir ='
+ notify: Restart sssd
+
+- name: Aggiunta dydns_update, disabilitato
+ ansible.builtin.lineinfile:
+ path: /etc/sssd/sssd.conf
+ state: present
+ line: dydns_update = False
+ insertafter: '^fallback_homedir ='
+ notify: Restart sssd
diff --git a/roles/sudoers/99-domain_admins b/roles/sudoers/99-domain_admins
new file mode 100644
index 0000000..da5f661
--- /dev/null
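Review bot: The `Rimozione services` task pairs `state: absent` with `line: '^services ='`, but under `state: absent` lineinfile compares `line` literally, so it only removes a line that reads exactly `^services =` and the real `services = ...` entry survives; use `regexp: '^services ='` instead. Two tasks later the option in `line: dydns_update = False` is misspelled — the sssd AD-provider option is `dyndns_update`, so the intended disable is a silent no-op (sssd generally warns about unknown options but still starts); change it to `line: dyndns_update = False`. The `krb5_ccachedir = /tmp` plus `FILE:%d/.krb5cc_%U` pair moves users' credential caches from the distribution default into FILE caches in the shared /tmp, apparently so the gvfs environment line in this commit can find them; that trade-off belongs in a comment on the task. The `insertafter` anchors (`^krb5_store_password_if_offline = True`, `^ad_domain =`, `^fallback_homedir =`) silently append at EOF — possibly into the wrong section — when the anchor line is absent from the existing sssd.conf, which is worth a note on the role's assumptions about the file it edits.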
+++ b/roles/sudoers/99-domain_admins
@@ -0,0 +1,3 @@
+%domain\ admins ALL=(ALL) ALL
+%domain\ admins@{{ domain }} ALL=(ALL) ALL
+%{{ netbios }}\\domain\ admins ALL=(ALL) ALL
diff --git a/roles/sudoers/tasks/main.yml b/roles/sudoers/tasks/main.yml
new file mode 100644
index 0000000..12cbbcb
--- /dev/null
+++ b/roles/sudoers/tasks/main.yml
@@ -0,0 +1,11 @@
+---
+# Impostiamo che i domain admins siano anche sudoers.
+
+- name: Impostiamo domain admins come sudoers.
+ ansible.builtin.template:
+ src: 99-domain_admins
+ dest: /etc/sudoers.d/99-domain_admins
+ owner: root
+ group: root
+ mode: '0440'
+ validate: visudo -c -f %s
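Review bot: Three spellings of the group are granted `ALL=(ALL) ALL`, but with `full_name_format = %1$s` set by the sssd role in this commit sssd emits short names, so in practice only the first line, `%domain\ admins ALL=(ALL) ALL`, is expected to match; the `@{{ domain }}` and `{{ netbios }}\\` variants look dead unless the name format changes. A header comment explaining that the extra lines are kept deliberately (or dropping them) keeps the file reviewable. The unqualified first form is matched against whatever group named `domain admins` the NSS stack resolves rather than specifically the AD one; with sssd as the only source that is the same thing, but a comment stating that assumption would help whoever adds another NSS source later.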
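Review bot: `src: 99-domain_admins` points at a file kept at the role root (`roles/sudoers/99-domain_admins`), while every other role in this commit keeps its templates under `templates/`; it likely still resolves through Ansible's role-root fallback in the template search path, but moving it to `roles/sudoers/templates/99-domain_admins` makes the layout consistent and avoids relying on that fallback. The `validate: visudo -c -f %s` guard is the right pattern here and is the one the smb.conf task in this commit should mirror.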