Adding base-winsvr2012 box and roles activedirectory and oneforestconfig

base-boxes/base-centos/Vagrantfile

@@ -27,7 +27,7 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
 
   # Create a private network, which allows host-only access to the machine
   # using a specific IP.
-  config.vm.network "private_network", ip: "192.168.33.10", hostname: "vm"
+  config.vm.network "private_network", ip: "192.168.33.10", hostname: "vm", virtualbox__intnet: "vboxnet0"
 
   config.ssh.insert_key = false
 

base-boxes/base-winsvr2012/Vagrantfile

+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+Vagrant.configure("2") do |config|
+  config.vm.box = "base-winsvr2012"
+  #config.vm.box_url = "file:///home/cpb113/base_vagrant/psu_winsvr2012_baseBox_1_0_0.tar.gz"
+  config.vm.box_url = "https://nexus.ci.psu.edu/repository/vagrant-boxes/base-winsvr2012.json"
+
+  config.winrm.username = "vagrant"
+  config.winrm.password = "P@ssw0rd"
+
+  
+  config.vm.network "forwarded_port", guest: 3389, host: 3389
+
+  config.vm.network "private_network", ip: "192.168.33.11", virtualbox__intnet: "vboxnet0"
+
+  config.ssh.insert_key = false
+
+  config.vm.provider :virtualbox do |vb|
+    vb.customize ["modifyvm", :id, "--natdnshostresolver1", "on"]
+  end
+
+  config.vm.provider :virtualbox do |vb|
+    vb.customize ["modifyvm", :id, "--memory", "1024"]
+  end
+  
+  # Enable provisioning with Ansible 
+  config.vm.provision :ansible do |ansible|
+    ansible.playbook = "playbook.yml"
+    ansible.groups = {
+      "vagrant" => ["default"],
+    }
+  end
+
+end

base-boxes/base-winsvr2012/ansible.cfg

+[defaults]
+
+roles_path = ../../roles

base-boxes/base-winsvr2012/playbook.yml

+---
+# file: base-winsvr2012.yml
+- hosts: vagrant
+  roles:
+    - { role: ActiveDirectory }
+    - { role: ONEForest }
+  vars:
+    ad_domain_name: develop.local
+    ad_safe_mode_password: FtPX38qhuaHTaTS4CkZ6Fpsgg5wL883N
+    local_dev_username: secSvc
+    local_dev_password: ONEforestIsAw3some!
\ No newline at end of file

roles/ActiveDirectory/library/domain_controller.ps1

+#!powershell
+
+# WANT_JSON
+# POWERSHELL_COMMON
+
+$params = Parse-Args $args;
+
+$result = New-Object PSObject -Property @{
+    changed = $false
+}
+
+If ($params.domain_name) {
+    $domainName = $params.domain_name
+}
+Else {
+    Fail-Json $result "missing required argument: domain_name"
+}
+
+If ($params.safe_mode_password) {
+    $safeModePassword = $params.safe_mode_password
+}
+Else {
+    Fail-Json $result "missing required argument: safe_mode_password"
+}
+
+try {
+    Import-Module ADDSDeployment
+}
+catch {
+    Fail-Json $result $_.Exception.Message
+}
+
+try {
+    Get-ADDomainController | Out-Null
+    Exit-Json $result
+}
+catch {
+}
+
+$secureSafeModePassword = ConvertTo-SecureString "$safeModePassword" -AsPlainText -Force
+
+try {
+  Install-ADDSForest `
+      -DomainName "$domainName" `
+      -SafeModeAdministratorPassword $secureSafeModePassword `
+      -InstallDns:$true `
+      -NoRebootOnCompletion:$true `
+      -Force:$true
+
+  $result.changed = $true
+
+  Exit-Json $result
+}
+catch {
+  Fail-Json $result $_.Exception.Message
+}
\ No newline at end of file

roles/ActiveDirectory/library/domain_controller.py

+#!/usr/bin/python

roles/ActiveDirectory/tasks/main.yml

+- name: Install AD-Domain-Services feature
+  win_feature: >
+    name=AD-Domain-Services
+    include_management_tools=yes
+    include_sub_features=yes
+    state=present
+    
+- name: Promote to domain controller
+  domain_controller: >
+    domain_name={{ ad_domain_name }}
+    safe_mode_password={{ ad_safe_mode_password }}
+  register: result
+
+- name: Reboot
+  win_shell: restart-computer -force
+  when: result|changed
+  
+#- name: pause for reboot
+#  pause: seconds=30
+  
+#- name: wait for machine start up
+#  win_ping:
+#  register: result
+#  until: result.rc == 0
+#  retries: 30
+#  delay: 10
+  
+- name: wait for reboot
+  local_action: wait_for 
+  args: host={{ inventory_hostname }} port=5985 delay=1 timeout=120 state=started
\ No newline at end of file

roles/ONEForest/library/ONEForest_Config.ps1

+#!powershell
+
+# WANT_JSON
+# POWERSHELL_COMMON
+
+$ErrorActionPreference = "Stop"
+
+############################################### functions #######################################################
+function createOU([String]$inOuName, [String]$inBaseDN)
+{
+	$ou = Get-ADOrganizationalUnit -filter {name -eq $inOuName}
+	if ($ou.Name -ne $inOuName) {
+		New-ADOrganizationalUnit $inOuName -Path $inBaseDN
+	}
+}
+
+function createGroup([String]$inGroupName, [String]$inDN)
+{
+	$group = Get-ADGroup -filter {name -eq $inGroupName}
+	if ($group.Name -ne $inGroupName) {
+		New-ADGroup $inGroupName -Path $inDN -GroupScope Global
+	}
+}
+
+function createUser([String]$inUserName, [String]$inDN, [String]$inPassword)
+{
+	$user = Get-ADUser -filter {name -eq $inUserName}
+	if ($user.Name -ne $inUserName) {
+        $securePassword = ConvertTo-SecureString $inPassword -AsPlainText -Force
+		New-ADUser $inUserName -Path $inDN -AccountPassword $securePassword
+	}
+}
+
+function grantUserPermssion($inUsername, $inPermissionApplyToDN, $inPermissionType)
+{
+    $acl = get-acl "ad:$inPermissionApplyToDN"
+    $acl.access
+    $user = get-aduser $inUsername
+    $sid = [System.Security.Principal.SecurityIdentifier] $user.SID
+    
+    $identity = [System.Security.Principal.IdentityReference] $sid
+    $adRights = [System.DirectoryServices.ActiveDirectoryRights] $inPermissionType
+    $type = [System.Security.AccessControl.AccessControlType] "Allow"
+    $inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
+    
+    $ACE = new-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity, $adRights, $type, $inheritanceType
+    
+    $acl.AddAccessRule($ace)
+    
+    $newACL = set-acl -aclobject $acl "ad:$inPermissionApplyToDN"
+}
+
+
+
+################################################### actual code to execute ##########################################################3
+
+
+$params = Parse-Args $args;
+
+$result = New-Object PSObject -Property @{
+    changed = $false
+}
+
+If ($params.domain_name) {
+    $domainName = $params.domain_name
+}
+Else {
+    Fail-Json $result "missing required argument: domain_name"
+}
+
+If ($params.localDevUsername) {
+    $localDevUsername = $params.localDevUsername
+}
+Else {
+    Fail-Json $result "missing required argument: localDevUsername"
+}
+
+
+If ($params.localDevPassword) {
+    $localDevPassword = $params.localDevPassword
+}
+Else {
+    Fail-Json $result "missing required argument: localDevPassword"
+}
+
+
+#ONEForest Structure
+try {
+    Import-Module ActiveDirectory
+
+    #Get Base DN
+    $baseDN = $(Get-ADDomain $domainName).DistinguishedName
+
+	#OU Structure
+	createOU "PSU-Users" $baseDN
+	createOU "Inactive-Users" "OU=PSU-Users,$baseDN"
+	createOU "Deprovisioned" "OU=Inactive-Users,OU=PSU-Users,$baseDN"
+	createOU "Security-Disabled" "OU=Inactive-Users,OU=PSU-Users,$baseDN"
+
+	createOU "PSU-Groups" $baseDN
+	createOU "PSU-AD-Groups" "OU=PSU-Groups,$baseDN"
+	
+	#Groups
+	$adGroupsDN = "OU=PSU-AD-Groups,OU=PSU-Groups,$baseDN"
+	createGroup "PSU-Users" $adGroupsDN
+	createGroup "PSU-Inactive-Users" $adGroupsDN
+	createGroup "PSU-Security-Disabled-Users" $adGroupsDN
+	createGroup "PSU-Deprovisioned-Users" $adGroupsDN
+	
+	#### LOCAL Configuration ####
+	createOU "LocalConfig" $baseDN
+	createUser $localDevUsername "OU=LocalConfig,$baseDN" $localDevPassword
+    grantUserPermssion $localDevUsername "OU=PSU-Users,$baseDN" "GenericAll"
+    grantUserPermssion $localDevUsername "OU=PSU-Groups,$baseDN" "GenericAll"
+
+    $result.changed = $true
+
+    Exit-Json $result
+}
+catch {
+	Fail-Json $result $_.Exception.Message
+}
+	
+	
+	
+	
+	
+	
\ No newline at end of file

roles/ONEForest/library/ONEForest_Config.py

+#!/usr/bin/python

roles/ONEForest/tasks/main.yml

+- name: Configure OU Structure, Groups, and Local Development Users
+  ONEForest_Config: >
+    domain_name={{ ad_domain_name }}
+    localDevUsername={{ local_dev_username }}
+    localDevPassword={{ local_dev_password }}
+  register: result