ansible: add work configuration

7997f69d · bbguimaraes · 8dfb8df4 · 7997f69d · 7997f69d · 7997f69d
Commit 7997f69d authored Jun 02, 2022 by bbguimaraes
--- a/ansible/install/README.md
+++ b/ansible/install/README.md
@@ -69,6 +69,13 @@ For personal systems:

    $ ansible-playbook ansible/install/personal.yaml

+For work:
+
+    $ ansible-playbook --user root ansible/install/work.yaml
+    $ ansible-playbook ansible/install/work_user.yaml
+
+Enable Kerberos in Firefox: https://wiki.archlinux.org/title/Kerberos#Firefox.
+
 Conclusion
 ----------


--- a/ansible/install/work.yaml
+++ b/ansible/install/work.yaml
+- hosts: work
+  vars:
+    certificates:
+    - - https://password.corp.redhat.com/legacy.crt
+      - legacy.crt
+      - Red Hat IS CA
+    - - https://password.corp.redhat.com/RH-IT-Root-CA.crt
+      - RH-IT-Root-CA.crt
+      - Red Hat IT Root CA
+    pkgs:
+    - >-
+      krb5 openvpn
+  tasks:
+  - name: install packages
+    package:
+      name: '{{ (pkgs|join(" ")).split(" ") }}'
+  - name: create configuration directories
+    file:
+      state: directory
+      path: "{{ item }}"
+    loop:
+    - /etc/krb5.conf.d
+  - name: initialize Kerberos configuration file
+    copy:
+      content: |
+        includedir /etc/krb5.conf.d
+      dest: /etc/krb5.conf
+  - name: copy configuration files
+    copy:
+      src: "{{ item }}"
+      dest: "{{ item }}"
+      mode: preserve
+    loop:
+    - /etc/krb5.conf.d/redhat.conf
+    - /etc/openvpn/RH-IT-Root-CA.crt
+  - name: copy OpenVPN configuration file
+    copy:
+      src: ../work/openvpn.conf
+      dest: /etc/openvpn/client/redhat_brq.conf
+      mode: preserve
+  - name: copy VPN sudoer script
+    copy:
+      src: ../work/openvpn.sh
+      dest: /usr/local/bin/openvpn.sh
+      mode: preserve
+  - name: allow wheel to start a VPN connection without a password
+    copy:
+      dest: /etc/sudoers.d/openvpn
+      owner: root
+      group: root
+      mode: 0440
+      validate: visudo -cf %s
+      content: |
+        %wheel ALL=(ALL) NOPASSWD: /usr/local/bin/openvpn.sh *
+  - name: list trusted certificates
+    command:
+      argv:
+      - trust
+      - list
+    register: trust
+    changed_when: false
+  - name: download certificates
+    get_url:
+      url: "{{ item.0 }}"
+      dest: /tmp/{{ item.1 }}
+    when: "item.2 not in trust.stdout"
+    loop: "{{ certificates }}"
+  - name: trust certificates
+    command:
+      argv:
+      - trust
+      - anchor
+      - /tmp/{{ item.1 }}
+    when: "item.2 not in trust.stdout"
+    loop: "{{ certificates }}"
--- a/ansible/install/work_user.yaml
+++ b/ansible/install/work_user.yaml
+- hosts: work
+  vars:
+    home: '{{ ansible_env.HOME }}'
+    src_dir: '{{ home }}/src'
+  tasks:
+  - name: setup dotfile symlinks
+    file:
+      state: link
+      src: '{{ src_dir }}/dotfiles/{{ item.0 }}'
+      dest: '{{ home }}/{{ item.1 }}'
+    loop:
+    - ['mutt/muttrc_redhat', '.mutt/muttrc_redhat']
+    - ['offlineimap/redhat', '.config/offlineimap/redhat']
+  - name: setup other symlinks
+    file:
+      state: link
+      src: '{{ home }}/{{ item.0 }}'
+      dest: '{{ home }}/{{ item.1 }}'
+    loop:
+    - ['n/comp/scripts/dev.sh', '.local/bin/d']
+    - ['n/archive/work/redhat', 'rh']
+    - ['rh/scripts/gotestsum.sh', '.local/bin/gotestsum']
+    - ['rh/scripts/redhat.sh', '.local/bin/rh']
+  - name: enable and start services
+    systemd:
+      enabled: true
+      state: started
+      name: '{{ item }}'
+      scope: user
+      daemon_reload: true
+    loop:
+    - offlineimap@redhat
+  - name: make scripts in Nextcloud executable
+    file:
+      state: file
+      path: "{{ home }}/{{ item }}"
+      mode: "0755"
+    loop:
+    - n/comp/scripts/dev.sh
+    - rh/scripts/gotestsum.sh
+    - rh/scripts/redhat.sh
+- hosts: desktops:&work:&arch
+  name: aur pkgs
+  tags: aur
+  tasks:
+  - import_tasks: aur.yaml
+    vars: {"pkg": "gotags"}
+  - import_tasks: aur.yaml
+    vars: {"pkg": "golangci-lint"}
--- a/ansible/work/openvpn.conf
+++ b/ansible/work/openvpn.conf
+remote ovpn-brq.redhat.com 443 udp
+pull
+auth-user-pass
+tls-client
+persist-key
+ping 30
+nobind
+persist-tun
+dev tun
+auth-nocache
+cipher AES-256-CBC
+verify-x509-name ovpn.redhat.com name
+reneg-sec 0
+ping-exit 120
+topology subnet
+route-delay 5
+ca /etc/openvpn/RH-IT-Root-CA.crt
+
+# DNS
+# https://wiki.archlinux.org/title/OpenVPN#DNS
+script-security 2
+up /usr/share/openvpn/contrib/pull-resolv-conf/client.up
+plugin /usr/lib/openvpn/plugins/openvpn-plugin-down-root.so "/usr/share/openvpn/contrib/pull-resolv-conf/client.down tun0"
--- a/ansible/work/openvpn.sh
+++ b/ansible/work/openvpn.sh
+#!/bin/sh
+set -eu
+
+[ "$#" -eq 1 ] || { echo >&2 Usage: $0 name; exit 1; }
+f=$(basename "$1")
+exec openvpn --daemon --config "/etc/openvpn/client/$f"
--- a/scripts/env.sh
+++ b/scripts/env.sh
@@ -15,20 +15,21 @@ main() {
    tmux split-window -t "$target.0" -l 1000 journalctl -f
    tmux split-window -t "$target.1" -l 1000 ikhal
    tmux split-window -t "$target.2" -l 1000 d todo
-    if [[ "$HOSTNAME" != wamozart ]]; then
-        tmux split-window -t "$target.3" -l 1000 d mutt proton
-        tmux split-window -t "$target.4" -l 1000 d mutt gmail
-        tmux split-window -t "$target.5" -l 1000 d weechat
-        tmux split-window -t "$target.6" -l 1000
-        tmux select-layout -t "$target" tiled
-    else
+    case "$HOSTNAME" in
+    rh*)
        tmux split-window -t "$target.3" -l 1000 d mutt redhat
        tmux split-window -t "$target.4" -l 1000 \
            ssh -t file.emea.redhat.com screen -dR
        tmux split-window -t "$target.5" -l 1000
        tmux select-layout -t "$target" tiled
-        tmux new-window -t "$SESSION:1" d weechat
-    fi
+        tmux new-window -t "$SESSION:1" d weechat;;
+    *)
+        tmux split-window -t "$target.3" -l 1000 d mutt proton
+        tmux split-window -t "$target.4" -l 1000 d mutt gmail
+        tmux split-window -t "$target.5" -l 1000 d weechat
+        tmux split-window -t "$target.6" -l 1000
+        tmux select-layout -t "$target" tiled;;
+    esac
    attach
 }


--- a/scripts/init.sh
+++ b/scripts/init.sh
@@ -11,7 +11,7 @@ main() {
    complete) cmd_complete;;
    keyboard) keyboard;;
    services) services;;
-    wamozart) wamozart;;
+    work) work;;
    *) usage;;
    esac
 }
@@ -26,7 +26,7 @@ Commands:
    complete
    keyboard
    services
-    wamozart
+    work
 EOF
    return 1
 }
@@ -41,21 +41,20 @@ cmd_complete() {
 }

 cmd_all() {
-    if [[ "$HOSTNAME" == wamozart ]]; then
-        wamozart
-    else
-        pass show test > /dev/null
-    fi
+    case "$HOSTNAME" in
+    rh*) work;;
+    *) pass show test > /dev/null;;
+    esac
    command d cal
-    command d mail
+    [[ "$HOSTNAME" == rh* ]] && command d mail
    init_temp
    keyboard
    services
 }

-wamozart() {
-    if ! nmcli connection show --active | grep -q brq_vpn; then
-        command d office vpn
+work() {
+    if ! ip link show tun0 > /dev/null ; then
+        sudo /usr/local/bin/openvpn.sh redhat_brq.conf
    fi
    if ! klist > /dev/null; then
        tmux split-window sh -c 'kinit bbarcaro'