From 57d51024ae3ad7e187a66de8dbbc7ec31ce77458 Mon Sep 17 00:00:00 2001
From: Rene Mewissen
Date: Thu, 2 Oct 2025 14:22:30 +0200
Subject: [PATCH] preparation for role domaincontroller
---
 roles/domaincontroller/handlers/main.yml | 9 +++++
 roles/domaincontroller/tasks/certs.yml | 37 ++++++++++++++++++++
 roles/domaincontroller/tasks/configure.yml | 9 +++++
 roles/domaincontroller/tasks/install.yml | 11 ++++++
 roles/domaincontroller/tasks/main.yml | 14 ++++++++
 roles/domaincontroller/tasks/provision.yml | 26 ++++++++++++++
 roles/domaincontroller/templates/smb.conf.j2 | 21 +++++++++++
 roles/domaincontroller/vars/main.yml | 17 +++++++++
 8 files changed, 144 insertions(+)
 create mode 100644 roles/domaincontroller/handlers/main.yml
 create mode 100644 roles/domaincontroller/tasks/certs.yml
 create mode 100644 roles/domaincontroller/tasks/configure.yml
 create mode 100644 roles/domaincontroller/tasks/install.yml
 create mode 100644 roles/domaincontroller/tasks/main.yml
 create mode 100644 roles/domaincontroller/tasks/provision.yml
 create mode 100644 roles/domaincontroller/templates/smb.conf.j2
 create mode 100644 roles/domaincontroller/vars/main.yml
diff --git a/roles/domaincontroller/handlers/main.yml b/roles/domaincontroller/handlers/main.yml
new file mode 100644
index 0000000..499532d
--- /dev/null
+++ b/roles/domaincontroller/handlers/main.yml
@@ -0,0 +1,9 @@
+---
+- name: restart samba-ad-dc
+ service:
+ name: samba-ad-dc
+ state: restarted
+
+- name: systemd daemon-reload
+ systemd:
+ daemon_reload: true
diff --git a/roles/domaincontroller/tasks/certs.yml b/roles/domaincontroller/tasks/certs.yml
new file mode 100644
index 0000000..634794c
--- /dev/null
+++ b/roles/domaincontroller/tasks/certs.yml
@@ -0,0 +1,37 @@
+---
+- name: domaincontroller | certs | ensure step-ca root cert is trusted
+ include_role:
+ name: base
+ tasks_from: system_setup/import_stepca.yml
+
+- name: domaincontroller | certs | obtain certificate from step-ca via certbot
+ command: >
+ certbot certonly --standalone -n
+ -d {{ ansible_fqdn }}
+ --server {{ samba_stepca_server_url }}/acme/acme/directory
+ --agree-tos
+ --email admin@{{ samba_realm | lower }}
+ args:
+ creates: /etc/letsencrypt/live/{{ ansible_fqdn }}/fullchain.pem
+ notify: restart samba-ad-dc
+
+- name: domaincontroller | certs | create certbot.service override directory
+ file:
+ path: /etc/systemd/system/certbot.service.d
+ state: directory
+ mode: '0755'
+
+- name: domaincontroller | certs | create service override for step-ca
+ copy:
+ dest: /etc/systemd/system/certbot.service.d/override.conf
+ content: |
+ [Service]
+ Environment="REQUESTS_CA_BUNDLE=/root/root_ca.crt"
+ mode: '0644'
+ notify: systemd daemon-reload
+
+- name: domaincontroller | certs | enable and start certbot timer
+ systemd:
+ name: certbot.timer
+ state: started
+ enabled: true
diff --git a/roles/domaincontroller/tasks/configure.yml b/roles/domaincontroller/tasks/configure.yml
new file mode 100644
index 0000000..36392dd
--- /dev/null
+++ b/roles/domaincontroller/tasks/configure.yml
@@ -0,0 +1,9 @@
+---
+- name: domaincontroller | configure | create smb.conf from template
+ template:
+ src: smb.conf.j2
+ dest: /etc/samba/smb.conf
+ owner: root
+ group: root
+ mode: '0644'
+ notify: restart samba-ad-dc
diff --git a/roles/domaincontroller/tasks/install.yml b/roles/domaincontroller/tasks/install.yml
new file mode 100644
index 0000000..002932c
--- /dev/null
+++ b/roles/domaincontroller/tasks/install.yml
@@ -0,0 +1,11 @@
+---
+- name: domaincontroller | install | install samba, kerberos and certbot packages
+ package:
+ name:
+ - samba
+ - smbclient
+ - krb5-user
+ - winbind
+ - python3-dnspython
+ - certbot
+ state: present
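Review bot: Certificates renewed by certbot.timer will never reach Samba: `notify: restart samba-ad-dc` on the certbot task fires only on the first issuance (the `creates:` guard skips the task afterwards), and Samba loads the key and certificate under /etc/letsencrypt when the service starts, so the DC keeps serving the old chain until some unrelated restart, eventually with an expired certificate. Add a deploy hook to the certbot command so renewals trigger the restart themselves, `--deploy-hook 'systemctl restart samba-ad-dc'` (certbot stores it in the renewal config). `REQUESTS_CA_BUNDLE=/root/root_ca.crt` is set only in the systemd override, so the initial `certbot certonly` run by Ansible does not get it; if the step-ca root is not in the bundle certbot uses by default, add `environment: {REQUESTS_CA_BUNDLE: /root/root_ca.crt}` to that task as well. The path /root/root_ca.crt is presumably produced by the included import_stepca.yml; a comment naming that dependency would help, since a change there silently breaks renewals.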
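Review bot: The templated smb.conf overwrites the file samba-tool wrote at provisioning and is first parsed only when the `restart samba-ad-dc` handler fires at the end of the play, so a bad render leaves the DC down rather than failing the task. Add `validate: 'testparm -s %s'` to the template task so the rendered file is checked before it is installed; testparm takes the config path as its first positional argument.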
diff --git a/roles/domaincontroller/tasks/main.yml b/roles/domaincontroller/tasks/main.yml
new file mode 100644
index 0000000..05589b7
--- /dev/null
+++ b/roles/domaincontroller/tasks/main.yml
@@ -0,0 +1,14 @@
+---
+- name: domaincontroller | stop conflicting services
+ service:
+ name: "{{ item }}"
+ state: stopped
+ enabled: false
+ loop:
+ - systemd-resolved
+ ignore_errors: true
+
+- import_tasks: install.yml
+- import_tasks: provision.yml
+- import_tasks: certs.yml
+- import_tasks: configure.yml
\ No newline at end of file
diff --git a/roles/domaincontroller/tasks/provision.yml b/roles/domaincontroller/tasks/provision.yml
new file mode 100644
index 0000000..a4e15cc
--- /dev/null
+++ b/roles/domaincontroller/tasks/provision.yml
@@ -0,0 +1,26 @@
+---
+- name: domaincontroller | provision | check if domain is already provisioned
+ stat:
+ path: /var/lib/samba/private/sam.ldb
+ register: samba_db
+
+- name: domaincontroller | provision | provision the domain if not present
+ block:
+ - name: domaincontroller | provision | run samba-tool domain provision
+ command: >
+ samba-tool domain provision
+ --use-rfc2307
+ --realm={{ samba_realm }}
+ --domain={{ samba_workgroup }}
+ --server-role=dc
+ --dns-backend=SAMBA_INTERNAL
+ --adminpass='{{ samba_domain_password }}'
+ args:
+ creates: /var/lib/samba/private/sam.ldb
+
+ - name: domaincontroller | provision | copy kerberos config to system location
+ copy:
+ src: /var/lib/samba/private/krb5.conf
+ dest: /etc/krb5.conf
+ remote_src: true
+ when: not samba_db.stat.exists
diff --git a/roles/domaincontroller/templates/smb.conf.j2 b/roles/domaincontroller/templates/smb.conf.j2
new file mode 100644
index 0000000..80a9964
--- /dev/null
+++ b/roles/domaincontroller/templates/smb.conf.j2
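Review bot: Stopping and disabling systemd-resolved leaves /etc/resolv.conf pointing at a stub resolver that no longer answers on systems where it is a symlink into /run/systemd/resolve, and nothing in this role writes a replacement, so the host, including Samba's own Kerberos and DNS lookups, can lose name resolution after the play unless the inventory handles it elsewhere. Add a task right after this one that points the resolver at the DC's internal DNS, e.g. `copy:` with `dest: /etc/resolv.conf` and `content: "nameserver 127.0.0.1\nsearch {{ samba_realm | lower }}\n"`. `ignore_errors: true` also hides every failure of this task, not only the "unit not found" case it is presumably there for; a `failed_when` scoped to that message keeps real errors visible. The file also lacks a trailing newline.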
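Review bot: The domain administrator password is passed as `--adminpass='{{ samba_domain_password }}'` on a `command` task without `no_log: true`, so it is recorded in the task result (`cmd`, `invocation`), in verbose output and in whatever callback or log aggregator the controller feeds. Add `no_log: true` to the provision task; the `creates:` guard and the block's `when:` keep it idempotent, so losing the output costs little. The single quotes are not seen by a shell here (the command module does not spawn one) but are consumed by its argument splitting, so a password containing a quote breaks the command; a comment on the task, or passing the value through `| quote`, avoids the surprise.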
@@ -0,0 +1,21 @@
+# This file is managed by Ansible
+[global]
+ netbios name = {{ ansible_hostname | upper }}
+ realm = {{ samba_realm }}
+ server role = active directory domain controller
+ workgroup = {{ samba_workgroup }}
+
+ tls enabled = yes
+ tls keyfile = /etc/letsencrypt/live/{{ ansible_fqdn }}/privkey.pem
+ tls certfile = /etc/letsencrypt/live/{{ ansible_fqdn }}/fullchain.pem
+
+ template homedir = /home/%U
+ template shell = /bin/zsh
+
+[sysvol]
+ path = /var/lib/samba/sysvol
+ read only = No
+
+[netlogon]
+ path = /var/lib/samba/sysvol/{{ samba_realm | lower }}/scripts
+ read only = No
diff --git a/roles/domaincontroller/vars/main.yml b/roles/domaincontroller/vars/main.yml
new file mode 100644
index 0000000..49e8471
--- /dev/null
+++ b/roles/domaincontroller/vars/main.yml
@@ -0,0 +1,17 @@
+$ANSIBLE_VAULT;1.1;AES256
+31306666653634326663316166336131373337363366356363666331366132613865363161353930
+3966353365343065303563306632643934616239623165370a373330663966363134633964343865
+31613932373764666661373436353438313630373166643737336131656538313538666364653737
+6635303861626335300a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
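Review bot: The template does not carry over `idmap_ldb:use rfc2307 = yes`, which `samba-tool domain provision --use-rfc2307` writes into the generated smb.conf; once configure.yml replaces that file, the RFC2307 uid/gid mapping the provisioning asked for is effectively switched off. Add `idmap_ldb:use rfc2307 = yes` under `[global]`. No `dns forwarder` is set either, so with the internal DNS backend the DC cannot resolve names outside its own zones; if that is deliberate a comment saying so helps, otherwise add `dns forwarder = <UPSTREAM_RESOLVER_IP>` (placeholder) driven by a role variable. `template shell = /bin/zsh` assumes zsh is present, which install.yml does not install; unless the base role provides it, `/bin/bash` is the safer default.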