diff --git a/base-boxes/base-centos/Vagrantfile b/base-boxes/base-centos/Vagrantfile index 2b86dc354cfef2d62bfe70cebc54d05499a6e051..986ac83653c6b8f9143cae0ad560708cc215d9b5 100644 --- a/base-boxes/base-centos/Vagrantfile +++ b/base-boxes/base-centos/Vagrantfile @@ -27,7 +27,7 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config| # Create a private network, which allows host-only access to the machine # using a specific IP. - config.vm.network "private_network", ip: "192.168.33.10", hostname: "vm" + config.vm.network "private_network", ip: "192.168.33.10", hostname: "vm", virtualbox__intnet: "vboxnet0" config.ssh.insert_key = false diff --git a/base-boxes/base-winsvr2012/Vagrantfile b/base-boxes/base-winsvr2012/Vagrantfile new file mode 100644 index 0000000000000000000000000000000000000000..0d5b1381752edda7345c38917ee2bc84c53c3255 --- /dev/null +++ b/base-boxes/base-winsvr2012/Vagrantfile @@ -0,0 +1,35 @@ +# -*- mode: ruby -*- +# vi: set ft=ruby : + +Vagrant.configure("2") do |config| + config.vm.box = "base-winsvr2012" + #config.vm.box_url = "file:///home/cpb113/base_vagrant/psu_winsvr2012_baseBox_1_0_0.tar.gz" + config.vm.box_url = "https://nexus.ci.psu.edu/repository/vagrant-boxes/base-winsvr2012.json" + + config.winrm.username = "vagrant" + config.winrm.password = "P@ssw0rd" + + + config.vm.network "forwarded_port", guest: 3389, host: 3389 + + config.vm.network "private_network", ip: "192.168.33.11", virtualbox__intnet: "vboxnet0" + + config.ssh.insert_key = false + + config.vm.provider :virtualbox do |vb| + vb.customize ["modifyvm", :id, "--natdnshostresolver1", "on"] + end + + config.vm.provider :virtualbox do |vb| + vb.customize ["modifyvm", :id, "--memory", "1024"] + end + + # Enable provisioning with Ansible + config.vm.provision :ansible do |ansible| + ansible.playbook = "playbook.yml" + ansible.groups = { + "vagrant" => ["default"], + } + end + +end 
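Review bot: The RDP forward `config.vm.network "forwarded_port", guest: 3389, host: 3389` in the new base-winsvr2012 Vagrantfile binds to every host interface by default, so a guest whose WinRM credentials are fixed in this same file becomes reachable from the host's network whenever the box is up; restrict it to the loopback with `config.vm.network "forwarded_port", guest: 3389, host: 3389, host_ip: "127.0.0.1"`. The two `config.vm.provider :virtualbox do |vb|` blocks configure the same provider and can be merged into one block holding both `vb.customize` calls. The commented-out `config.vm.box_url` line pointing at a local tarball can be dropped now that the Nexus URL is in place.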
diff --git a/base-boxes/base-winsvr2012/ansible.cfg b/base-boxes/base-winsvr2012/ansible.cfg
new file mode 100644
index 0000000000000000000000000000000000000000..920672630bcc61b5a7d60f6b7bb372e0d7e79530
--- /dev/null
+++ b/base-boxes/base-winsvr2012/ansible.cfg
@@ -0,0 +1,3 @@
+[defaults]
+
+roles_path = ../../roles
diff --git a/base-boxes/base-winsvr2012/playbook.yml b/base-boxes/base-winsvr2012/playbook.yml
new file mode 100644
index 0000000000000000000000000000000000000000..cf0ef2806e37b9dcf659f084fc2cbbcaa6ff5429
--- /dev/null
+++ b/base-boxes/base-winsvr2012/playbook.yml
@@ -0,0 +1,11 @@
+---
+# file: base-winsvr2012.yml
+- hosts: vagrant
+ roles:
+ - { role: ActiveDirectory }
+ - { role: ONEForest }
+ vars:
+ ad_domain_name: develop.local
+ ad_safe_mode_password: FtPX38qhuaHTaTS4CkZ6Fpsgg5wL883N
+ local_dev_username: secSvc
+ local_dev_password: ONEforestIsAw3some!
\ No newline at end of file
diff --git a/roles/ActiveDirectory/library/domain_controller.ps1 b/roles/ActiveDirectory/library/domain_controller.ps1
new file mode 100644
index 0000000000000000000000000000000000000000..a710741e5dbeccee81d15ba78b2d0696938f8826
--- /dev/null
+++ b/roles/ActiveDirectory/library/domain_controller.ps1
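Review bot: `ad_safe_mode_password` and `local_dev_password` are committed in cleartext in playbook.yml; the first becomes the DSRM (safe-mode administrator) password of the forest this playbook creates and the second is the password of an account that the ONEForest role later grants GenericAll over the PSU-Users and PSU-Groups OUs. Move both into an ansible-vault encrypted vars file (or supply them through `vars_prompt` or an environment lookup) and rotate the values that are already in history. The ansible.cfg hunk on this line only sets `roles_path` and raises nothing.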
@@ -0,0 +1,56 @@
+#!powershell
+
+# WANT_JSON
+# POWERSHELL_COMMON
+
+$params = Parse-Args $args;
+
+$result = New-Object PSObject -Property @{
+ changed = $false
+}
+
+If ($params.domain_name) {
+ $domainName = $params.domain_name
+}
+Else {
+ Fail-Json $result "missing required argument: domain_name"
+}
+
+If ($params.safe_mode_password) {
+ $safeModePassword = $params.safe_mode_password
+}
+Else {
+ Fail-Json $result "missing required argument: safe_mode_password"
+}
+
+try {
+ Import-Module ADDSDeployment
+}
+catch {
+ Fail-Json $result $_.Exception.Message
+}
+
+try {
+ Get-ADDomainController | Out-Null
+ Exit-Json $result
+}
+catch {
+}
+
+$secureSafeModePassword = ConvertTo-SecureString "$safeModePassword" -AsPlainText -Force
+
+try {
+ Install-ADDSForest `
+ -DomainName "$domainName" `
+ -SafeModeAdministratorPassword $secureSafeModePassword `
+ -InstallDns:$true `
+ -NoRebootOnCompletion:$true `
+ -Force:$true
+
+ $result.changed = $true
+
+ Exit-Json $result
+}
+catch {
+ Fail-Json $result $_.Exception.Message
+}
\ No newline at end of file
diff --git a/roles/ActiveDirectory/library/domain_controller.py b/roles/ActiveDirectory/library/domain_controller.py
new file mode 100644
index 0000000000000000000000000000000000000000..013e4b7ec4eaa42e6c73bebdf41ce3e357bc6153
--- /dev/null
+++ b/roles/ActiveDirectory/library/domain_controller.py
@@ -0,0 +1 @@
+#!/usr/bin/python
diff --git a/roles/ActiveDirectory/tasks/main.yml b/roles/ActiveDirectory/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..4217a9b5bbc71dc78f66b5ef650d1f9f732de1f6
--- /dev/null
+++ b/roles/ActiveDirectory/tasks/main.yml
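Review bot: The idempotence check `Get-ADDomainController | Out-Null` followed by `Exit-Json $result` reports success on any host that is already a domain controller without confirming it serves `$domainName`, and the empty `catch {}` under it discards whatever made the call fail (a missing module, an RPC error) before proceeding straight to `Install-ADDSForest`. Capture the result and compare it: `$dc = Get-ADDomainController` then `if ($dc.Domain -ne $domainName) { Fail-Json $result "host is already a domain controller for $($dc.Domain)" }` ahead of the `Exit-Json`. The empty catch at least needs a comment saying why swallowing is intended, e.g. `# Get-ADDomainController throws when this host is not a DC yet; fall through to promotion`. Because `Install-ADDSForest` runs with `-NoRebootOnCompletion:$true`, the caller has to reboot; adding `reboot_required = $true` to `$result` on the success path would make that contract explicit to the task.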
@@ -0,0 +1,30 @@
+- name: Install AD-Domain-Services feature
+ win_feature: >
+ name=AD-Domain-Services
+ include_management_tools=yes
+ include_sub_features=yes
+ state=present
+
+- name: Promote to domain controller
+ domain_controller: >
+ domain_name={{ ad_domain_name }}
+ safe_mode_password={{ ad_safe_mode_password }}
+ register: result
+
+- name: Reboot
+ win_shell: restart-computer -force
+ when: result|changed
+
+#- name: pause for reboot
+# pause: seconds=30
+
+#- name: wait for machine start up
+# win_ping:
+# register: result
+# until: result.rc == 0
+# retries: 30
+# delay: 10
+
+- name: wait for reboot
+ local_action: wait_for
+ args: host={{ inventory_hostname }} port=5985 delay=1 timeout=120 state=started
\ No newline at end of file
diff --git a/roles/ONEForest/library/ONEForest_Config.ps1 b/roles/ONEForest/library/ONEForest_Config.ps1
new file mode 100644
index 0000000000000000000000000000000000000000..f7033ac147ef82fd79b1b9ccdfdac5d7b3aeb68b
--- /dev/null
+++ b/roles/ONEForest/library/ONEForest_Config.ps1
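Review bot: The `wait for reboot` task polls port 5985 with `state=started` and `delay=1`, which will most likely be satisfied while WinRM is still listening, before `restart-computer -force` has actually taken the guest down, so the following role connects into a machine that is shutting down. Replace the `Reboot` and `wait for reboot` tasks with `win_reboot` (`- name: Reboot` / `  win_reboot:` / `  when: result is changed`), which waits for the connection to drop and return, and drop the commented-out pause/win_ping block at the same time. The `Promote to domain controller` task passes `safe_mode_password={{ ad_safe_mode_password }}` as a module argument, which Ansible echoes in its verbose invocation output and callback logs; add `no_log: true` to that task, and likewise to the `Configure OU Structure, Groups, and Local Development Users` task in roles/ONEForest/tasks/main.yml, which passes `localDevPassword` the same way. `result|changed` uses the filter form that newer Ansible releases deprecate in favour of `result is changed`.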
@@ -0,0 +1,128 @@
+#!powershell
+
+# WANT_JSON
+# POWERSHELL_COMMON
+
+$ErrorActionPreference = "Stop"
+
+############################################### functions #######################################################
+function createOU([String]$inOuName, [String]$inBaseDN)
+{
+ $ou = Get-ADOrganizationalUnit -filter {name -eq $inOuName}
+ if ($ou.Name -ne $inOuName) {
+ New-ADOrganizationalUnit $inOuName -Path $inBaseDN
+ }
+}
+
+function createGroup([String]$inGroupName, [String]$inDN)
+{
+ $group = Get-ADGroup -filter {name -eq $inGroupName}
+ if ($group.Name -ne $inGroupName) {
+ New-ADGroup $inGroupName -Path $inDN -GroupScope Global
+ }
+}
+
+function createUser([String]$inUserName, [String]$inDN, [String]$inPassword)
+{
+ $user = Get-ADUser -filter {name -eq $inUserName}
+ if ($user.Name -ne $inUserName) {
+ $securePassword = ConvertTo-SecureString $inPassword -AsPlainText -Force
+ New-ADUser $inUserName -Path $inDN -AccountPassword $securePassword
+ }
+}
+
+function grantUserPermssion($inUsername, $inPermissionApplyToDN, $inPermissionType)
+{
+ $acl = get-acl "ad:$inPermissionApplyToDN"
+ $acl.access
+ $user = get-aduser $inUsername
+ $sid = [System.Security.Principal.SecurityIdentifier] $user.SID
+
+ $identity = [System.Security.Principal.IdentityReference] $sid
+ $adRights = [System.DirectoryServices.ActiveDirectoryRights] $inPermissionType
+ $type = [System.Security.AccessControl.AccessControlType] "Allow"
+ $inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
+
+ $ACE = new-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity, $adRights, $type, $inheritanceType
+
+ $acl.AddAccessRule($ace)
+
+ $newACL = set-acl -aclobject $acl "ad:$inPermissionApplyToDN"
+}
+
+
+
+################################################### actual code to execute ##########################################################3
+
+
+$params = Parse-Args $args;
+
+$result = New-Object PSObject -Property @{
+ changed = $false
+}
+
+If 
($params.domain_name) {
+ $domainName = $params.domain_name
+}
+Else {
+ Fail-Json $result "missing required argument: domain_name"
+}
+
+If ($params.localDevUsername) {
+ $localDevUsername = $params.localDevUsername
+}
+Else {
+ Fail-Json $result "missing required argument: localDevUsername"
+}
+
+
+If ($params.localDevPassword) {
+ $localDevPassword = $params.localDevPassword
+}
+Else {
+ Fail-Json $result "missing required argument: localDevPassword"
+}
+
+
+#ONEForest Structure
+try {
+ Import-Module ActiveDirectory
+
+ #Get Base DN
+ $baseDN = $(Get-ADDomain $domainName).DistinguishedName
+
+ #OU Structure
+ createOU "PSU-Users" $baseDN
+ createOU "Inactive-Users" "OU=PSU-Users,$baseDN"
+ createOU "Deprovisioned" "OU=Inactive-Users,OU=PSU-Users,$baseDN"
+ createOU "Security-Disabled" "OU=Inactive-Users,OU=PSU-Users,$baseDN"
+
+ createOU "PSU-Groups" $baseDN
+ createOU "PSU-AD-Groups" "OU=PSU-Groups,$baseDN"
+
+ #Groups
+ $adGroupsDN = "OU=PSU-AD-Groups,OU=PSU-Groups,$baseDN"
+ createGroup "PSU-Users" $adGroupsDN
+ createGroup "PSU-Inactive-Users" $adGroupsDN
+ createGroup "PSU-Security-Disabled-Users" $adGroupsDN
+ createGroup "PSU-Deprovisioned-Users" $adGroupsDN
+
+ #### LOCAL Configuration ####
+ createOU "LocalConfig" $baseDN
+ createUser $localDevUsername "OU=LocalConfig,$baseDN" $localDevPassword
+ grantUserPermssion $localDevUsername "OU=PSU-Users,$baseDN" "GenericAll"
+ grantUserPermssion $localDevUsername "OU=PSU-Groups,$baseDN" "GenericAll"
+
+ $result.changed = $true
+
+ Exit-Json $result
+}
+catch {
+ Fail-Json $result $_.Exception.Message
+}
+
+
+
+
+
+
\ No newline at end of file
diff --git a/roles/ONEForest/library/ONEForest_Config.py b/roles/ONEForest/library/ONEForest_Config.py
new file mode 100644
index 0000000000000000000000000000000000000000..013e4b7ec4eaa42e6c73bebdf41ce3e357bc6153
--- /dev/null
+++ b/roles/ONEForest/library/ONEForest_Config.py
@@ -0,0 +1 @@
+#!/usr/bin/python
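Review bot: `$acl.access` inside `grantUserPermssion` writes the current access rules to the pipeline, and in an Ansible PowerShell module everything on stdout has to be the single JSON document emitted by `Exit-Json`, so this stray output will most likely break result parsing for the task; remove the line or pipe it to `Out-Null`. `$result.changed = $true` is set unconditionally even when every createOU/createGroup/createUser call found its object already present, so the module always reports a change; have the helpers return whether they created something and fold that into `$result.changed`. `createUser` calls `New-ADUser` without `-Enabled $true`, and a newly created AD account is disabled by default, so the local development user exists but cannot log on — confirm whether that is intended. `grantUserPermssion` is misspelled (`grantUserPermission`), and `$newACL` is assigned but never read, since `Set-Acl` returns nothing without `-Passthru`.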
diff --git a/roles/ONEForest/tasks/main.yml b/roles/ONEForest/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..cf1be3a866cdeaea4d141794376c6897f987faeb
--- /dev/null
+++ b/roles/ONEForest/tasks/main.yml
@@ -0,0 +1,6 @@
+- name: Configure OU Structure, Groups, and Local Development Users
+ ONEForest_Config: >
+ domain_name={{ ad_domain_name }}
+ localDevUsername={{ local_dev_username }}
+ localDevPassword={{ local_dev_password }}
+ register: result
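Review bot: `register: result` is never read after this task and can be dropped. The module name `ONEForest_Config` is mixed-case where Ansible modules are conventionally snake_case (`oneforest_config`), and its argument names `localDevUsername`/`localDevPassword` mix camelCase with the snake_case `domain_name` in the same call; a rename here has to be carried through to the matching files under roles/ONEForest/library and to the `$params.localDevUsername`/`$params.localDevPassword` lookups in the PowerShell module.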