preparation for role domaincontroller

roles/domaincontroller/tasks/certs.yml

@@ -0,0 +1,37 @@
+---
+- name: domaincontroller | certs | ensure step-ca root cert is trusted
+  include_role:
+    name: base
+    tasks_from: system_setup/import_stepca.yml
+
+- name: domaincontroller | certs | obtain certificate from step-ca via certbot
+  command: >
+    certbot certonly --standalone -n
+    -d {{ ansible_fqdn }}
+    --server {{ samba_stepca_server_url }}/acme/acme/directory
+    --agree-tos
+    --email admin@{{ samba_realm | lower }}
+  args:
+    creates: /etc/letsencrypt/live/{{ ansible_fqdn }}/fullchain.pem
+  notify: restart samba-ad-dc
+
+- name: domaincontroller | certs | create certbot.service override directory
+  file:
+    path: /etc/systemd/system/certbot.service.d
+    state: directory
+    mode: '0755'
+
+- name: domaincontroller | certs | create service override for step-ca
+  copy:
+    dest: /etc/systemd/system/certbot.service.d/override.conf
+    content: |
+      [Service]
+      Environment="REQUESTS_CA_BUNDLE=/root/root_ca.crt"
+    mode: '0644'
+  notify: systemd daemon-reload
+
+- name: domaincontroller | certs | enable and start certbot timer
+  systemd:
+    name: certbot.timer
+    state: started
+    enabled: true

roles/domaincontroller/tasks/configure.yml

@@ -0,0 +1,9 @@
+---
+- name: domaincontroller | configure | create smb.conf from template
+  template:
+    src: smb.conf.j2
+    dest: /etc/samba/smb.conf
+    owner: root
+    group: root
+    mode: '0644'
+  notify: restart samba-ad-dc

roles/domaincontroller/tasks/install.yml

@@ -0,0 +1,11 @@
+---
+- name: domaincontroller | install | install samba, kerberos and certbot packages
+  package:
+    name:
+      - samba
+      - smbclient
+      - krb5-user
+      - winbind
+      - python3-dnspython
+      - certbot
+    state: present

roles/domaincontroller/tasks/main.yml

@@ -0,0 +1,14 @@
+---
+- name: domaincontroller | stop conflicting services
+  service:
+    name: "{{ item }}"
+    state: stopped
+    enabled: false
+  loop:
+    - systemd-resolved
+  ignore_errors: true
+
+- import_tasks: install.yml
+- import_tasks: provision.yml
+- import_tasks: certs.yml
+- import_tasks: configure.yml

roles/domaincontroller/tasks/provision.yml

@@ -0,0 +1,26 @@
+---
+- name: domaincontroller | provision | check if domain is already provisioned
+  stat:
+    path: /var/lib/samba/private/sam.ldb
+  register: samba_db
+
+- name: domaincontroller | provision | provision the domain if not present
+  block:
+    - name: domaincontroller | provision | run samba-tool domain provision
+      command: >
+        samba-tool domain provision
+        --use-rfc2307
+        --realm={{ samba_realm }}
+        --domain={{ samba_workgroup }}
+        --server-role=dc
+        --dns-backend=SAMBA_INTERNAL
+        --adminpass='{{ samba_domain_password }}'
+      args:
+        creates: /var/lib/samba/private/sam.ldb
+
+    - name: domaincontroller | provision | copy kerberos config to system location
+      copy:
+        src: /var/lib/samba/private/krb5.conf
+        dest: /etc/krb5.conf
+        remote_src: true
+  when: not samba_db.stat.exists