trixie/roles/kerberize/tasks/main.yml

- name: Install kerberos packages
  ansible.builtin.apt:
    name: krb5-user

- name: Kerberize sshd server
  ansible.builtin.copy:
    dest: /etc/ssh/sshd_config.d/kerberize.conf
    mode: '0644'
    content: |
      GSSAPIAuthentication yes
  notify: "Reload sshd"

- name: Kerberize ssh client, authenticate and delegate credentials
  ansible.builtin.copy:
    dest: /etc/ssh/ssh_config.d/kerberize.conf
    mode: '0644'
    content: |
      GSSAPIAuthentication yes
      GSSAPIDelegateCredentials yes

- name: Check if firefox is available
  ansible.builtin.stat:
    path: /etc/firefox-esr/firefox-esr.js
  register: firefox

- name: Kerberize firefox for sites in the local domain
  ansible.builtin.lineinfile:
    dest: /etc/firefox-esr/firefox-esr.js
    line: "{{ item }}"
  with_items:
    - '// kerberize for sites in the local domain:'
    - 'pref("network.negotiate-auth.delegation-uris", "{{ kerberize_uris | default(ansible_domain) }}");'
    - 'pref("network.negotiate-auth.trusted-uris", "{{ kerberize_uris | default(ansible_domain) }}");'
  when: firefox.stat.exists

- name: Ensures /etc/chromium/policies/managed dir exists
  ansible.builtin.file:
    path: "/etc/chromium/policies/managed"
    state: directory
    mode: '0755'

- name: Kerberize chromium for sites in the local domain
  ansible.builtin.copy:
    dest: /etc/chromium/policies/managed/idam.json
    mode: '0644'
    content: |
      {
        "AuthServerAllowlist": "{{ kerberize_uris | default(ansible_domain) }}"
      }
Webserver playbook for linuxmuster. 2024-01-24 13:00:59 +01:00			`- name: Install kerberos packages`
Improve ansible code so that ansibe-lint shows fewer errors 2025-03-24 07:33:56 +01:00			`ansible.builtin.apt:`
Webserver playbook for linuxmuster. 2024-01-24 13:00:59 +01:00			`name: krb5-user`
Add kerberize role (providing kerberized ssh so far). 2019-11-29 15:47:45 +01:00
Webserver playbook for linuxmuster. 2024-01-24 13:00:59 +01:00			`- name: Kerberize sshd server`
			`ansible.builtin.copy:`
			`dest: /etc/ssh/sshd_config.d/kerberize.conf`
Improve ansible code so that ansibe-lint shows fewer errors 2025-03-24 07:33:56 +01:00			`mode: '0644'`
Webserver playbook for linuxmuster. 2024-01-24 13:00:59 +01:00			`content: \|`
			`GSSAPIAuthentication yes`
Improve ansible code so that ansibe-lint shows fewer errors 2025-03-24 07:33:56 +01:00			`notify: "Reload sshd"`
Kerberize firefox in the local domain. 2019-12-08 08:43:26 +01:00
Webserver playbook for linuxmuster. 2024-01-24 13:00:59 +01:00			`- name: Kerberize ssh client, authenticate and delegate credentials`
			`ansible.builtin.copy:`
			`dest: /etc/ssh/ssh_config.d/kerberize.conf`
Improve ansible code so that ansibe-lint shows fewer errors 2025-03-24 07:33:56 +01:00			`mode: '0644'`
Webserver playbook for linuxmuster. 2024-01-24 13:00:59 +01:00			`content: \|`
			`GSSAPIAuthentication yes`
			`GSSAPIDelegateCredentials yes`
Kerberize firefox in the local domain. 2019-12-08 08:43:26 +01:00
Webserver playbook for linuxmuster. 2024-01-24 13:00:59 +01:00			`- name: Check if firefox is available`
Improve ansible code so that ansibe-lint shows fewer errors 2025-03-24 07:33:56 +01:00			`ansible.builtin.stat:`
			`path: /etc/firefox-esr/firefox-esr.js`
Kerberize firefox in the local domain. 2019-12-08 08:43:26 +01:00			`register: firefox`

Webserver playbook for linuxmuster. 2024-01-24 13:00:59 +01:00			`- name: Kerberize firefox for sites in the local domain`
Improve ansible code so that ansibe-lint shows fewer errors 2025-03-24 07:33:56 +01:00			`ansible.builtin.lineinfile:`
Kerberize firefox in the local domain. 2019-12-08 08:43:26 +01:00			`dest: /etc/firefox-esr/firefox-esr.js`
			`line: "{{ item }}"`
			`with_items:`
			`- '// kerberize for sites in the local domain:'`
kerberize with kerberize_uri 2023-05-03 18:16:56 +02:00			`- 'pref("network.negotiate-auth.delegation-uris", "{{ kerberize_uris \| default(ansible_domain) }}");'`
			`- 'pref("network.negotiate-auth.trusted-uris", "{{ kerberize_uris \| default(ansible_domain) }}");'`
Kerberize firefox in the local domain. 2019-12-08 08:43:26 +01:00			`when: firefox.stat.exists`
kerberize chromium 2023-09-04 11:38:39 +02:00
Webserver playbook for linuxmuster. 2024-01-24 13:00:59 +01:00			`- name: Ensures /etc/chromium/policies/managed dir exists`
Improve ansible code so that ansibe-lint shows fewer errors 2025-03-24 07:33:56 +01:00			`ansible.builtin.file:`
create chromium config directory 2023-09-04 11:52:26 +02:00			`path: "/etc/chromium/policies/managed"`
			`state: directory`
Improve ansible code so that ansibe-lint shows fewer errors 2025-03-24 07:33:56 +01:00			`mode: '0755'`
create chromium config directory 2023-09-04 11:52:26 +02:00
Webserver playbook for linuxmuster. 2024-01-24 13:00:59 +01:00			`- name: Kerberize chromium for sites in the local domain`
Improve ansible code so that ansibe-lint shows fewer errors 2025-03-24 07:33:56 +01:00			`ansible.builtin.copy:`
kerberize chromium 2023-09-04 11:38:39 +02:00			`dest: /etc/chromium/policies/managed/idam.json`
Improve ansible code so that ansibe-lint shows fewer errors 2025-03-24 07:33:56 +01:00			`mode: '0644'`
kerberize chromium 2023-09-04 11:38:39 +02:00			`content: \|`
			`{`
Use `kerberize_uris` for chromium AuthServerAllowlist too 2025-04-01 15:07:33 +02:00			`"AuthServerAllowlist": "{{ kerberize_uris \| default(ansible_domain) }}"`
kerberize chromium 2023-09-04 11:38:39 +02:00			`}`