This repository only contains ansible roles usable in an ansible-playbook to install and bootstrap UCS.
- modify_ucs_ca
- improve_usability_ui_changes
- ox_connector
- configure_network_proxy
- install_nextcloud_app
- univention_firewall
- install_service_selfservices
- remove_packages
- configure_apps_postfix_relay
- configure_directory_manager
- configure_error_detail_show
- umc_policies_maintenance
- cleanup_portal
- dovecot_connector
- install_apps_ox_pre
- configure_keycloak
- use_trusted_cert
- install_packages
- deployment_message
- portal_cookie_banner
- univention_repository_component
- configure_office_suite
- configure_repository
- configure_apps_postfix
- univention_remove
- univention_prune_kernels
- set_ldap_index
- improve_usability_nextcloud
- portal_configure_title
- portal_entry
- get_installed_apps
- configure_logrotate
- configure_group_syntax
- configure_saml_single_server
- workaround_acmetiny_upgrade
- install_multitenant_acls
- configure_keycloak_saml
- custom_facts
- intercom_service
- ucs_join
- univention_install
- configure_amazon_metadata_server
- univention_upgrade
- umc_permissions
- ldapsearch_user
- configure_apps_owncloud
- hardening
- configure_ntp_servers
- configure_keycloak_client
- extend_root_lvm_volume
- ucs_add_admin_user
- improve_usability_user_config
- force_package_list_update
- set_feedback_mail_address
- configure_monitoring
- set_dns_glue_record
- configure_sso_openid
- install_lets_encrypt
- install_service_new_portal
- configure_password_policies
- workaround_high_mtu
- configure_network_interface_names
- disable_ipv6
- install_apps_ox_post
- update_users_ssh_keys
- add_local_user
- install_branding
- configure_license
- portal_category
- configure_nextcloud_turn
- disable_piwik_tracking
- configure_nextcloud_saml
- configure_apps_nextcloud
- custom_facts_finished
modify_ucs_ca
=========

Modify existing univention certificates.

Requirements: none

Role variables:

- `modify_ucs_ca_external_domain_name` (string): The external domain name.
- `modify_ucs_ca_external_domain_part` (string): The part of an external domain, possibly excluding the first subdomain.
- `modify_ucs_ca_external_domain_prefix` (string): The first subdomain, if one exists.

Dependencies: none
GNU General Public License v3.0
Univention GmbH www.univention.com
improve_usability_ui_changes
=========

This role improves the UI.

Requirements: none

Role variables:

- `improve_usability_ui_changes_basedn`: The LDAP base domain name.

Dependencies: none
GNU General Public License v3.0
Univention GmbH www.univention.com
ox_connector
=========

This role configures and installs the OX connector.

Requirements:

- univention.ucs_modules
- univention_config_registry

Role variables:

- `ox_connector_basedn` (string): The LDAP base DN.
- `ox_connector_domain_name` (string): The system's DNS domain name.
- `ox_connector_domain_prefix` (string): The system's DNS domain prefix. Useful when the OX server is in the same network.
- `ox_connector_default_context` (string): The default context assigned to objects when there is no explicit definition; default: `9999`.
- `ox_connector_soap_prefix` (string): The OX SOAP server prefix; default: `ox-provisioning`.
- `ox_connector_app_version_map` (map): A dictionary that maps application names to specific versions that ought to be installed.
- `ox_connector_temp_pw_file` (map): Tempfile object where the univention app password is stored.
- `ox_connector_master_admin` (string): The name of the OX administrator.
- `ox_connector_master_password` (string): The password of the OX administrator.
- `ox_connector_server_type` (string): Which type of UCS server to set up. The possible options are `master` and `backup`. The default is `master`, which also means "standalone". If `backup` is chosen the following variable also has to be set; default: `master`.
- `ox_connector_template_name` (string): The name of the default OX access template; default: `"standard"`.
- `ox_connector_hide_logging` (boolean): Toggle logging of sensitive information like passwords; default: `true`.
- `ox_connector_usertemplate_name` (string): Name of the user template used when creating a new user; default: `"Benutzer mit Groupware-Konto"`.
- `ox_connector_imap_server` (string): How the user in OX will connect to the IMAP backend; this value is relative to the OX AppSuite middleware server; default: `imap://127.0.0.1:143`.
- `ox_connector_smtp_server` (string): How the user in OX will connect to the SMTP service; this value is relative to the OX AppSuite middleware server; default: `smtp://127.0.0.1:26`.

Dependencies: none
GNU General Public License v3.0
Univention GmbH www.univention.com
configure_network_proxy
=========

This role configures the network proxy via UCR.

Requirements:

- univention.ucs_modules
- univention_config_registry

Role variables:

- `configure_network_proxy_enabled` (boolean): Toggle network proxy usage.
- `configure_network_proxy_http_proxy` (string): The HTTP proxy server, e.g. `http://192.168.1.100:3128`. If the proxy requires authentication, the username and the password can be provided in the format `http://username:password@192.168.1.100:3128`.
- `configure_network_proxy_https_proxy` (string): The HTTPS proxy server, e.g. `https://192.168.1.100:3128`. If the proxy requires authentication, the username and the password can be provided in the format `https://username:password@192.168.1.100:3128`.
- `configure_network_proxy_no_proxy` (string): A comma-separated list of domain names for which the proxy should not be consulted. An exception for a domain like univention.de also applies to a subdomain like apt.univention.de.

Dependencies: none
GNU General Public License v3.0
Univention GmbH www.univention.com
install_nextcloud_app
=========

This role installs an app for Nextcloud.

Requirements: none

Role variables:

- `install_nextcloud_app_name` (string): The name of the Nextcloud app to be installed from the store.
- `install_nextcloud_app_opertation` (string): Define the operation mode; default: `"install"`.

Dependencies: none
GNU General Public License v3.0
Univention GmbH www.univention.com
univention_firewall
=========

Univention firewall rules: manage predefined univention-firewall rules.

Requirements:

- univention.ucs_modules
- univention_config_registry

Role variables:

- `univention_firewall_telegraf` (string): Set the firewall status of the telegraf service; default: `"ACCEPT"`.

Dependencies: none
GNU General Public License v3.0
Univention GmbH www.univention.com
install_service_selfservices
=========

This role installs selfservice services.

Requirements:

- univention.ucs_modules
- univention_config_registry

Role variables:

- `install_service_selfservice_service_version_map` (map): A dictionary that maps service names to specific versions that ought to be installed. See also `install_service_selfservice_force_package_upgrade` for a way to upgrade already installed software.
- `install_service_selfservice_temp_file` (map): Ansible temporary dir.
- `install_service_selfservice_force_package_upgrade` (bool): If set to true, already installed application versions are checked, and if the installed version differs from what has been specified in `install_service_selfservice_service_version_map`, that version is installed instead. Choosing `false` results in the role ignoring already installed software and skipping installation; default: `false`.
- `install_service_selfservice_external_hostname` (string): The host name that is used to talk to the system.
- `install_service_selfservice_install_services` (list): A list of services to install.
- `install_service_selfservice_domain_name` (string): The LDAP base domain name.
- `install_service_selfservice_password_reset_filename` (string): The name of the password reset template.

Dependencies: none
GNU General Public License v3.0
Univention GmbH www.univention.com
remove_packages
=========

This role removes univention apps with or without fixed versions.

Requirements: none

Role variables:

- `remove_packages_app_version_map` (map): A dictionary that maps application names to specific versions that ought to be installed. See also `install_packages_force_package_upgrade` for a way to upgrade already installed software.
- `remove_packages_temp_pw_file` (map): Tempfile object where the univention app password is stored.
- `remove_packages_force_package_upgrade` (bool): If set to true, already installed application versions are checked, and if the installed version differs from what has been specified in `install_packages_app_version_map`, that version is installed instead. Choosing `false` results in the role ignoring already installed software and skipping installation; default: `false`.
- `remove_packages_remove_apps` (list): A list of applications to install.
- `remove_packages_app_version_map` (map): A map of packages with or without version to be removed.
- `remove_packages_service_name_list` (list): A list containing application names to be installed.

Dependencies: none
GNU General Public License v3.0
Univention GmbH www.univention.com
configure_apps_postfix_relay
=========

This role modifies the postfix relay configuration.

Requirements:

- univention.ucs_modules
- univention_config_registry

Role variables:

- `configure_apps_postfix_relay_enabled` (bool): Toggles whether an SMTP relay host should be used; default: `false`.
- `configure_apps_postfix_relay_port` (number): The port that is used to talk to the system; default: `25`.
- `configure_apps_postfix_relay_host` (string): The SMTP relay hostname.
- `configure_apps_postfix_relay_username` (string): The SMTP relay username.
- `configure_apps_postfix_relay_password` (string): The SMTP relay password.
- `configure_apps_postfix_relay_hide_logging` (boolean): Toggles output logging of sensitive information; default: `true`.

Dependencies: none
GNU General Public License v3.0
Univention GmbH www.univention.com
configure_directory_manager
=========

This role configures directory manager settings.

Requirements:

- univention.ucs_modules
- univention_config_registry

Role variables:

- `configure_directory_manager_mailprimaryaddress_required` (bool): Toggles whether mailPrimaryAddress should be required; default: `false`.
- `configure_directory_manager_firstname_required` (bool): Toggles whether the forename should be required; default: `false`.
- `configure_directory_manager_wizard_disabled` (string): Toggles the wizard. When set to `Yes`, the wizard is enabled; default: `No`.
- `configure_directory_manager_invite_default` (string): Toggles the default invitation behaviour; default: `"True"`.
- `configure_directory_manager_overridepwlength_visible` (string): Toggles whether the password length override is visible; default: `"False"`.
- `configure_directory_manager_overridepwlength_default` (string): Sets the default value for the password length override; default: `"False"`.
- `configure_directory_manager_pwdchangenextlogin_visible` (string): Toggles whether "password change on next login" is visible; default: `"False"`.
- `configure_directory_manager_pwdchangenextlogin_default` (string): Sets the default value for "password change on next login"; default: `"True"`.
- `configure_directory_manager_autosearch` (string): Toggles whether the user autosearch is enabled; default: `"False"`.
- `configure_directory_manager_username_syntax` (string): Sets the username syntax; default: `"uid"`.

Dependencies: none
GNU General Public License v3.0
Univention GmbH www.univention.com
configure_error_detail_show
=========

This role configures whether error messages display details.

Requirements:

- univention.ucs_modules
- univention_config_registry

Role variables:

- `configure_error_detail_show_http_tracebacks` (bool): Defines whether tracebacks are shown to the user in error cases; default: `false`.
- `configure_error_detail_show_directory_manager_rest_tracebacks` (bool): Defines whether tracebacks are shown to the user in error cases; default: `false`.
- `configure_error_detail_show_saml_idp_errors` (bool): Defines whether error information and stack traces are allowed to be shown to the user; default: `false`.
- `configure_error_detail_show_saml_idp_error_reporting` (bool): Defines whether error information and stack traces can be reported via email to the technical contact mail address; default: `false`.

Dependencies: none
GNU General Public License v3.0
Univention GmbH www.univention.com
umc_policies_maintenance
=========

This role sets UMC maintenance policies.

Requirements: none

Role variables:

- `umc_policies_maintenance_autoupdate_enabled` (bool): Toggle autoupdate status; default: `true`.
- `umc_policies_maintenance_basedn` (string): The LDAP base domain name.
- `umc_policies_maintenance_patchhour` (string): The chosen hour for univention-update; default: `5`.
- `umc_policies_maintenance_patchminute` (string): The chosen minute for univention-update; default: `00`.
- `umc_policies_maintenance_patchday` (string): The chosen day for univention-update; default: `Tuesday`.
- `umc_policies_maintenance_release_version` (string): The univention release version.
- `umc_policies_maintenance_hostname` (string): The system's hostname; default: `"{{ inventory_hostname }}"`.

Dependencies: none
GNU General Public License v3.0
Univention GmbH www.univention.com
cleanup_portal
=========

Remove default and unused portal entries.

Requirements: none

Role variables:

- `cleanup_portal_basedn` (string): The LDAP base domain name.
- `cleanup_portal_install_services` (list): A list of services to install.
- `cleanup_portal_domain_admin_group` (string): default: `"cn=Domain Admins,cn=groups,{{ cleanup_portal_basedn }}"`.
- `cleanup_portal_portal_dn` (string): default: `"cn=portals,cn=univention,{{ cleanup_portal_basedn }}"`.
- `cleanup_portal_prometheus_dn` (string): default: `'cn=prometheus,cn=entry,{{ cleanup_portal_portal_dn }}'`.
- `cleanup_portal_admin_dashboard_dn` (string): default: `'cn=admin-dashboard,cn=entry,{{ cleanup_portal_portal_dn }}'`.

Dependencies: none
GNU General Public License v3.0
Univention GmbH www.univention.com
dovecot_connector
=========

This role configures and installs the Dovecot (DC) connector.

Requirements: none

Role variables:

- `dovecot_connector_basedn` (string): The LDAP base DN.
- `dovecot_connector_domain_name` (string): The system's DNS domain name.
- `dovecot_connector_domain_prefix` (string): The system's DNS domain prefix. Useful when the Dovecot server is in the same network.
- `dovecot_connector_soap_prefix` (string): The OX SOAP server prefix; default: `ox-provisioning`.
- `dovecot_connector_server_type` (string): Which type of UCS server to set up. The possible options are `master` and `backup`. The default is `master`, which also means "standalone". If `backup` is chosen the following variable also has to be set; default: `master`.
- `dovecot_connector_app_version_map` (map): A dictionary that maps application names to a specific version of the Dovecot connector; default: `""`.
- `dovecot_connector_temp_pw_file`: The temporary file containing the administrator password.
- `dovecot_connector_adm_accepted_exit_codes` (string): DoveAdm exit code values that do not cause an abort; default: `68 75`.
- `dovecot_connector_adm_host` (string): The domain name of the server on which DoveAdm was activated; default: `dc-provisioning.` followed by `dovecot_connector_domain_name`.
- `dovecot_connector_adm_port` (string): The port on which DoveAdm is reachable; default: `443`.
- `dovecot_connector_adm_username` (string): Username for DoveAdm; default: `""`.
- `dovecot_connector_adm_password` (string): Password for DoveAdm; default: `""`.
- `dovecot_connector_adm_uri` (string): DoveAdm URL template. Possible variables: `{dcc_adm_host}` and `{dcc_adm_port}`; default: `https://{dcc_adm_host}:{dcc_adm_port:d}/doveadm/v1`.
- `dovecot_connector_dc_vmail_template` (string): The vmail directory that Dovecot uses. Possible variables: `{uuid}`, `{email}`, `{domain}` and `{username}`; default: `/data/usr/local/dovecot/vmail/{uuid[0]}{uuid[1]}/{uuid}`.
- `dovecot_connector_loglevel` (string): The log level of the application. Values: `DEBUG`, `INFO`, `WARNING` and `ERROR`; default: `INFO`.
- `dovecot_connector_hide_logging` (bool): Toggle logging output; default: `true`.

Dependencies: none
GNU General Public License v3.0
Univention GmbH www.univention.com
install_apps_ox_pre
=========

This role prepares the OX installation.

Requirements:

- univention.ucs_modules
- univention_config_registry

Role variables:

- `install_apps_ox_pre_external_hostname` (string): The host name that is used to talk to the system.
- `install_apps_ox_pre_mail_domain` (string): The externally managed mail domain.
- `install_apps_ox_pre_basedn` (string): The LDAP base domain name.

Dependencies: none
GNU General Public License v3.0
Univention GmbH www.univention.com
configure_keycloak
=========

This role configures keycloak, either via KCADM or REST.

Requirements: none

Role variables:

- `configure_keycloak_generate_oidc_broker_secret` (bool): If set to true, the client password used in the IDP creation is generated dynamically. If set to `false`, the value in `configure_keycloak_oidc_broker_secret` is used instead. If `configure_keycloak_config_type` is set to `static`, this variable is implicitly set to `false`; default: `true`.
- `configure_keycloak_oidc_broker_secret` (string): Client password used in the IDP creation. Only used when `configure_keycloak_generate_oidc_broker_secret` is set to false.
- `configure_keycloak_oidcidp_id` (string): The name of the OpenID Connect Identity Provider to be configured when using `dynamic` configuration; default: `"{{ inventory_hostname }}"`.
- `configure_keycloak_server_id` (string): The OpenID Connect IDP broker ID. This is used in both config modes and defaults to `keycloak`.
- `configure_keycloak_oidc_username_template` (string): default: `"${CLAIM.preferred_username}_${ALIAS}"`.
- `configure_keycloak_client_callback_url` (string): When configuring a new client on the keycloak server this URL is used as the OpenID callback URL. Defaults to none but has to be set if the client does not exist already. If it does, this variable is not used, as the client is not going to be updated.
- `configure_keycloak_config_method` (string): The configuration method against keycloak, either `kcadm` or `rest`; default: `kcadm`.
- `configure_keycloak_config_type` (string): Determines whether the keycloak server configuration is done using this role (`dynamic`) or whether things have already been configured and only the UCS side has to be configured (`static`). `dynamic` is usually used for setups with a lot of turnover, `static` in a more static environment. If set to `none`, keycloak configuration as a whole is skipped, including the "client" side; default: `dynamic`.
- `configure_keycloak_keycloak_server` (string): The server the UCS system will authenticate against.
- `configure_keycloak_auth_realm` (string): As the name says, the realm that is used to authenticate our keycloak operations against. This is not the realm used for client configuration; for that the host's domain is used; default: `master`.
- `configure_keycloak_admin_username` (string): The username used to authenticate to the keycloak server when configuring the authentication connection, best stored in a secrets manager or encrypted using ansible-vault.
- `configure_keycloak_admin_password` (string): The password used to authenticate to the keycloak server when configuring the authentication connection, best stored in a secrets manager or encrypted using ansible-vault.
- `configure_keycloak_realm` (string): default: `"{{ hostvars[inventory_hostname]['ansible_domain'] }}"`.
- `configre_keycloak_fqdn` (string): default: `"{{ hostvars[inventory_hostname]['ansible_fqdn'] }}"`.
- `configure_keycloak_client_id` (string): The client's client ID used to authenticate.
- `configure_keycloak_display_matrix_in_iframe` (bool): When set to `true`, the host's FQDN is added to the CSP list. Be careful, the corresponding field has a size limit; default: `false`.
- `configure_keycloak_client_secret` (string): default: `false`.
- `configure_keycloak_base_url` (string): default: `"https://{{ configure_keycloak_keycloak_server }}/auth"`.
- `configure_keycloak_realm_base_url` (string): default: `"{{ configure_keycloak_base_url }}/admin/realms/{{ ansible_domain }}"`.
- `configure_keycloak_protocol_mapper_name` (string): default: `"identity-provider-mapper"`.
- `configure_keycloak_import_mapper_name` (string): default: `"append IDP to username"`.
- `configure_keycloak_hostname` (string): The system's hostname; default: `"{{ inventory_hostname }}"`.

Dependencies: none
GNU General Public License v3.0
Univention GmbH www.univention.com
use_trusted_cert
=========

This role configures an issued SSL certificate from a trusted authority.

Requirements:

- univention.ucs_modules
- univention_config_registry

Role variables:

- `use_trusted_cert_path_cert` (string): Local path to the SSL (chained) certificate file.
- `use_trusted_cert_path_key` (string): Local path to the SSL key file.

Dependencies: none
GNU General Public License v3.0
Univention GmbH www.univention.com
install_packages
=========

This role installs univention apps with or without fixed versions.

Requirements: none

Role variables:

- `install_packages_app_version_map` (map): A dictionary that maps application names to specific versions that ought to be installed. See also `install_packages_force_package_upgrade` for a way to upgrade already installed software.
- `install_packages_service_name_list` (list): A list containing application names to be installed.
- `install_packages_temp_pw_file` (map): Tempfile object where the univention app password is stored.
- `install_packages_force_package_upgrade` (bool): If set to true, already installed application versions are checked, and if the installed version differs from what has been specified in `install_packages_app_version_map`, that version is installed instead. Choosing `false` results in the role ignoring already installed software and skipping installation; default: `false`.
- `install_packages_install_apps` (list): A list of applications to install.
- `install_packages_additional_options` (string): Additional options that can be set during install.

Dependencies: none
GNU General Public License v3.0
Univention GmbH www.univention.com
deployment_message
=========

This role prints information about the playbook, its dependencies and configuration.

Requirements:

- univention.ucs_modules
- univention_config_registry

Role variables:

- `deployment_message_verification_pause_duration` (number): 20
- `deployment_message_external_hostname` (string): The host name that is used to talk to the system.
- `deployment_message_domain_name` (string): The system's DNS domain name.
- `deployment_message_basedn` (string): The LDAP base domain name.
- `deployment_message_server_type` (string): Type of UCS server to set up. The possible options are `master` and `backup`.
- `deployment_message_saml_config_type` (string): Can be set to "failover" or basically anything else. In "failover" mode a part of the SAML configuration is omitted; "failover" in this case refers to a UCS native SAML failover mode. Any other value results in the same configuration being deployed, so the value is more of a descriptive nature. Recommended values are "loadbalancer", "primary-secondary" or "standalone", with the latter being the default value.

Dependencies: none
GNU General Public License v3.0
Univention GmbH www.univention.com
portal_cookie_banner
=========

This role enables/disables a cookie banner in the portal frontend.

Requirements:

- univention.ucs_modules
- univention_config_registry

Role variables:

- `portal_configure_title_basedn` (string): The base DN that has been used when setting up the UCS server.
- `portal_configure_title_titles` (list): The cookie banner title and body.

```yaml
portal_configure_title_titles:
  de:
    title: "We are using cookies"
    text: ""
```

Dependencies: none
GNU General Public License v3.0
Univention GmbH www.univention.com
univention_repository_component
=========

This role enables a univention repository component.

Requirements: none

Role variables:

- `univention_repository_component_name` (string): The name of the customer Debian repository.
- `univention_repository_component_parts` (string): The part of the customer Debian repository.
- `univention_repository_component_prefix` (string): The prefix of the customer Debian repository.
- `univention_repository_component_server` (string): The server of the customer Debian repository.
- `univention_repository_component_username` (string): The username of the customer Debian repository.
- `univention_repository_component_password` (string): The password of the customer Debian repository.
- `univention_repository_component_version` (string): The version of the customer Debian repository.
- `univention_repository_component_unmaintained` (bool): Toggle the unmaintained status of the customer Debian repository.

Dependencies: none
GNU General Public License v3.0
Univention GmbH www.univention.com
configure_office_suite
=========

This role configures the chosen office suite and installs it.

Requirements: none

Role variables:

- `configure_office_suite_office_suite` (string): Defines the office suite to be installed. Defaults to `collabora-online`. A list of supported suites is defined in `configure_office_suite_supported_office_suites`; default: `"collabora-online"`.
- `configure_office_suite_supported_office_suites` (list): A list of supported office suites that can be installed using this role. This variable is set in the role's `defaults/main.yml` and should not be changed.
- `configure_office_suite_onlyoffice_formats` (map): A map of onlyoffice file formats to be enabled or disabled.
- `configure_office_suite_collabora_license_key` (string): Include a valid license for collabora-online.
- `configure_office_suite_app_version_map` (map): A dictionary that maps application names to specific versions that ought to be installed.
- `configure_office_suite_temp_pw_file` (map): Tempfile object where the univention app password is stored.
- `configure_office_suite_install_apps` (list): A list of applications to install.

Dependencies: none
GNU General Public License v3.0
Univention GmbH www.univention.com
configure_repository
=========

Configure repository URLs to use your own apt repository server.

Requirements:

- univention.ucs_modules
- univention_config_registry

Role variables:

- `configure_repository_default_repository_prefix` (string): Defines the access method, either `"http://"` or `"https://"`; default: `"https://"`.
- `configure_repository_default_repository_server` (string): The repository server without any prefix, suffix or path.
- `configure_repository_default_repository_path` (string): The repository path/suffix where the repository can be found on the server.
- `configure_repository_default_repository_username` (string): Optionally configure a username for authentication.
- `configure_repository_default_repository_password` (string): Optionally configure a password for authentication.

Dependencies: none
GNU General Public License v3.0
Univention GmbH www.univention.com
configure_apps_postfix
=========

This role modifies the postfix configuration.

Requirements:

- univention.ucs_modules
- univention_config_registry

Role variables:

- `configure_apps_postfix_domain_name` (string): The system's DNS domain name.
- `configure_apps_postfix_external_hostname` (string): The host name that is used to talk to the system.
- `configure_apps_postfix_relay_port` (number): The port that is used to talk to the system; default: `25`.
- `configure_apps_postfix_use_relay_host` (bool): Toggles whether an SMTP relay host should be used; default: `false`.
- `configure_apps_postfix_relay_host` (string): The SMTP relay hostname.
- `configure_apps_postfix_relay_username` (string): The SMTP relay username.
- `configure_apps_postfix_relay_password` (string): The SMTP relay password.

Dependencies: none
GNU General Public License v3.0
Univention GmbH www.univention.com
univention_remove
=========

This role removes packages via the `univention-remove` wrapper.

Requirements: none

Role variables:

- `univention_remove_name` (string): The name of the package to be removed.

Dependencies: none
GNU General Public License v3.0
Univention GmbH www.univention.com
univention_prune_kernels
=========

This role prunes kernels on UCS servers in order to free space in /boot.

Requirements: none

Dependencies: none
GNU General Public License v3.0
Univention GmbH www.univention.com
set_ldap_index
=========

This role adds/removes additional LDAP indexes. The slapd service is stopped while it runs, so run this role only during a maintenance window. Without extra vars nothing happens.

Requirements: none

Role variables:

- `set_ldap_index_equality_add` (string): The name of the LDAP attribute for equality searches to add; default: `""`.
- `set_ldap_index_presence_add` (string): The name of the LDAP attribute for presence searches to add; default: `""`.
- `set_ldap_index_approx_add` (string): The name of the LDAP attribute for approx searches to add; default: `""`.
- `set_ldap_index_substring_add` (string): The name of the LDAP attribute for substring searches to add; default: `""`.
- `set_ldap_index_equality_rm` (string): The name of the LDAP attribute for equality searches to remove; default: `""`.
- `set_ldap_index_presence_rm` (string): The name of the LDAP attribute for presence searches to remove; default: `""`.
- `set_ldap_index_approx_rm` (string): The name of the LDAP attribute for approx searches to remove; default: `""`.
- `set_ldap_index_substring_rm` (string): The name of the LDAP attribute for substring searches to remove; default: `""`.

Dependencies: none

Example playbook:

```yaml
- hosts: ucs_master
  become: true
  tasks:
    - name: "include role for setting ldap index"
      ansible.builtin.include_role:
        name: "roles/set_ldap_index"
      vars:
        set_ldap_index_equality_add: "isOxUser"
        set_ldap_index_approx_rm: "aAAARecord"
```
GNU General Public License v3.0
Univention GmbH www.univention.com
improve_usability_nextcloud
=========

This role disables some unused functionality: `contacts`, `spreed`, `mail` and `calendar`.

Requirements: none

Role variables: none

Dependencies: none
GNU General Public License v3.0
Univention GmbH www.univention.com
portal_configure_title
=========

This role configures the portal title.

Requirements: none

Role variables:

- `portal_configure_title_basedn` (string): The LDAP base domain name.
- `portal_configure_title_titles` (list): The new portal titles with locale, in a format like `de_DE "Cool Portal (Univention)"`.

Dependencies: none
GNU General Public License v3.0
Univention GmbH www.univention.com
portal_entry
=========

Create, modify, delete and append portal entries.

Requirements: none

Role variables:

- `portal_entry_base_dn` (string): The base DN that has been used when setting up the UCS server.
- `portal_entry_entries` (list): The portal entries list.
- `portal_entry_install_list` (list): Combined apps/services/customization lists.
- `portal_entry_drift_detection` (bool): Toggle drift detection and only apply differences; default: `true`.
- `portal_entry_remove_unscoped` (bool): Toggle removal of undefined entries; default: `false`.

Dependencies: none

Example playbook:
```yaml
- hosts: all
  tasks:
    - ansible.builtin.include_role:
        name: "univention.ucs_roles.portal_entry"
      vars:
        portal_entry_base_dn: "dc=ansible,dc=univention,dc=de"
        portal_entry_install_list: ["nextcloud"]
        portal_entry_drift_detection: true
        portal_entry_remove_unscoped: false
        portal_entry_entries:
          - name: "Anmeldung"
            anonymous: true
            category: "help"
            description:
              de_DE: "Anmelden"
              en_US: "Login"
            display_name:
              de_DE: "Anmelden"
              en_US: "Login"
            icon_file: "ucs_portal_login_icon.svg"
            link:
              de_DE: "/univention/saml/?location=%2Funivention%2Fportal%2F"
              en_US: "/univention/saml/?location=%2Funivention%2Fportal%2F"
            linktarget: "samewindow"
            parent: "category"
            state: "present"
            type: "entries"
          - name: "Dateien"
            activated: true
            allowed_groups: ["cn=Domain Users,cn=groups,dc=ansible,dc=univention,dc=de"]
            anonymous: false
            category: "Kollaboration"
            description:
              de_DE: "Dateienablage und -austausch"
              en_US: "File storage and exchange"
            display_name:
              de_DE: "Eigene Dateien"
              en_US: "My files"
            icon_file: "ucs_portal_files_icon.svg"
            linktarget: "newwindow"
            link:
              de_DE: "/nextcloud"
              en_US: "/nextcloud"
            only: "nextcloud"
            parent: "category"
            state: "present"
            type: "entries"
            target: "tab_nextcloud"
          # ...
```
Structure of a single entry in `portal_entry_entries`:

```yaml
portal_entry_entries:
  - name:           # (string, required) | Name of the portal entry.
    activated:      # (boolean) | Enable/disable the portal entry.
    allowed_groups: # (list) | A list of LDAP groups the entry should be shown to.
    anonymous:      # (boolean) | Show the entry to users who are not logged in.
    category:       # (string) | Name of the category/portal the entry should be appended to.
    description:    # (map) | I18n description displayed in the portal.
      de_DE:        # (string) | E.g. German translation.
      en_US:        # (string) | E.g. English translation.
    display_name:   # (map) | I18n name displayed in the portal.
      de_DE:        # (string) | E.g. German translation.
      en_US:        # (string) | E.g. English translation.
    icon_file:      # (string) | Name of a predefined image or a local image.
    icon_base64:    # (string) | Image as base64 encoded string. This variable overrides the input from 'icon_file'!
    link:           # (map) | Internal or external link.
      de_DE:        # (string) | E.g. German translation.
      en_US:        # (string) | E.g. English translation.
    linktarget:     # (string) | Link target, e.g. "samewindow", "newwindow", "embedded" or "useportaldefault".
    target:         # (string) | Link target name, to open the link in the same tab group. Works only from UCS 5.0.
    only:           # (string) | Modify only when the app defined here is in `portal_entry_install_list`.
    parent:         # (string) | The type the entry should be appended to, e.g. "category" or "portal".
    state:          # (string, required) | State of the entry, should be "present" or "absent".
    type:           # (string) | The list of the parent the entry should be appended to. For
                    # | - "category" > possible: "entries"
                    # | - "portal" > possible: "menuLinks", "userLinks"
```

Known limitations:

- Modifying/removing attributes containing whitespace is not supported by UCS 4.4.
- Drift detection does not detect changes in icons.
GNU General Public License v3.0
Univention GmbH www.univention.com
get_installed_apps
=========

This role sets a fact with the installed univention apps.

Requirements:

- ansible.utils
- cli_parse

Role variables: none

Dependencies: none
GNU General Public License v3.0
Univention GmbH www.univention.com
configure_logrotate
=========

As defined in UCR, log files are rotated the set number of times before being removed. This role is used to set those numbers.

Requirements:

- univention.ucs_modules
- univention_config_registry

Role variables:

- `configure_logrotate_compress` (bool): If this option is activated, log files are compressed during rotation; default: `yes`.
- `configure_logrotate_create` (string): Configures mode, owner and group of a log file after rotation; default: `640 root adm`.
- `configure_logrotate_missingok` (bool): If this option is activated, proceed without printing an error message if a logfile is missing; default: `yes`.
- `configure_logrotate_notifempty` (bool): If this option is activated, empty logfiles are not rotated; default: `yes`.
- `configure_logrotate_rotate_count` (number): The rotation interval for system log files; default: `12`.
- `configure_logrotate_rotate_handling` (string): Log files are rotated according to the criterion described in `man logrotate.conf`; default: `weekly`.
- `configure_logrotate_syslog_rotate_count` (number): The rotation interval for the syslog file; default: `7 * "rotate/count"`.
- `configure_logrotate_syslog_rotate_handling` (string): The syslog file is rotated according to the criterion described in `man logrotate.conf`; default: `daily`.

Dependencies: none
GNU General Public License v3.0
Univention GmbH www.univention.com
Configure the group syntax and ensure consistency on all nodes.
- univention.ucs_modules
- univention_config_registry
- `configure_group_syntax_group_syntax` (string): The desired group syntax value; default: `gid`
none
GNU General Public License v3.0
Univention GmbH www.univention.com
This role configures a SAML single server.
- univention.ucs_modules
- univention_config_registry
- `configure_saml_single_server_external_hostname` (string): The external hostname that is used to talk to the system.
- `configure_saml_single_server_domain_name` (string): The system's domain name.
- `configure_saml_single_server_admin_user_name` (string): The UCS administrator's user name, defaults to "Administrator". This variable is only used when joining a backup server. Changing it will NOT change the UCS admin user name; it will only break the backup join scenario.
- `configure_saml_single_server_temp_file` (map): Tempfile object where the Univention app password is stored.
- `configure_saml_single_server_type` (string): Which type of UCS server to set up. The possible options are `master` and `backup`. If `backup` is chosen the following variable also has to be set; default: `"master"`.
- `configure_saml_single_server_basedn` (string): The LDAP base DN.
- `configure_saml_single_server_remove_default_saml_provider` (bool): When set to `true`, all built-in SAML providers will be removed; default: `true`.
- `configure_saml_single_server_external_loadbalancer_ip` (string): IP address of the external load balancer, if used.
- `configure_saml_single_server_domain_prefix` (string): The external prefix of the load balancer.
none
GNU General Public License v3.0
Univention GmbH www.univention.com
This role downloads and patches acme-tiny.
- ansible.posix
- patch
- `workaround_acmetiny_upgrade_temp_dir` (map): Ansible temporary dir for workaround files.
none
GNU General Public License v3.0
Univention GmbH www.univention.com
Install and configure the ACL package.
- univention.ucs_modules
- univention_config_registry
- `install_multitenant_acls_customer_name` (string): The name of the customer used inside the ACL package.
- `install_multitenant_acls_multitenant_acls` (list): A list of ACL settings, for example:

```yaml
multitenant_acls:
  - tenant_id: "0000"
    admin_password: ""
  - tenant_id: "0001"
    admin_password: ""
  - tenant_id: "0002"
    tenant_short_name: "test"
    admin_password: ""
    mail_domains: []
```

- `install_multitenant_acls_json_path` (string): The local path of the ACL structure JSON file.
- `install_multitenant_acls_package_name` (string): The customer-specific Debian package name.
- `install_multitenant_acls_script_name` (string): The name of the script that creates the ACL structure.
- `install_multitenant_acls_keycloak_base` (string): The base URL for Keycloak.
- `install_multitenant_acls_hide_logging` (boolean): Toggle template logging; default: `true`.
- `install_multitenant_acls_server_type` (string): The UCS server type; default: `"master"`.
- `install_multitenant_acls_customer_repo_name` (string): The name of the customer Debian repository.
- `install_multitenant_acls_customer_repo_parts` (string): The part of the customer Debian repository.
- `install_multitenant_acls_customer_repo_password` (string): The password of the customer Debian repository.
- `install_multitenant_acls_customer_repo_server` (string): The server of the customer Debian repository.
- `install_multitenant_acls_customer_repo_username` (string): The username of the customer Debian repository.
none
GNU General Public License v3.0
Univention GmbH www.univention.com
This role configures Keycloak as a SAML provider.
none
- `configure_keycloak_saml_basedn` (string): The LDAP base DN.
- `configure_keycloak_saml_sp_base_url` (string): The Service Provider base URL.
none
GNU General Public License v3.0
Univention GmbH www.univention.com
This role gathers release information and stores it on the remote system.
none
- `custom_facts_templates` (list): Filename(s) of the templates which should be applied; default: `["deployment.fact.j2", "hotfixes.fact.j2"]`
none
GNU General Public License v3.0
Univention GmbH www.univention.com
This role installs and configures the intercom service. For further information have a look at https://docs.software-univention.de/intercom_service/latest/index.html
none
- `intercom_service_hide_logging` (boolean): Toggle template logging; default: `true`.
- `intercom_service_domain_name` (string): The domain name; default: `""`
- `intercom_service_temp_pw_file`: The temporary file containing the administrator password.
- `intercom_service_settings_proxy` (string): Whether to allow connections via the proxy server instead of the backend directly; default: `"False"`
- `intercom_service_settings_client_id` (string): The Keycloak client ID; default: `intercom`
- `intercom_service_settings_intercom_url` (string): URL where ICS is reachable; default: `https://ics.{{ intercom_service_domain_name }}`
- `intercom_service_settings_base_url` (string): Base URL used to identify with the IdP; default: `https://ics.{{ intercom_service_domain_name }}`
- `intercom_service_settings_origin_regex` (string): Defines the CORS origin regex; default: `{{ intercom_service_domain_name }}`
- `intercom_service_keycloak_url` (string): URL of the Keycloak instance to be used as the IdP; default: `https://id.{{ intercom_service_domain_name }}`
- `intercom_service_keycloak_realm_name` (string): Name of the realm containing the configured OIDC Intercom client; default: `ucs`
- `intercom_service_matrix_url` (string): The URL on which the Matrix server is reachable; default: `https://matrix.{{ intercom_service_domain_name }}`
- `intercom_service_matrix_server_name` (string): The server name of the Matrix server; default: `https://matrix.{{ intercom_service_domain_name }}`
- `intercom_service_matrix_login_type` (string): The login type ICS should use on the Matrix server; default: `uk.half-shot.msc2778.login.application_service`
- `intercom_service_matrix_nordeck_mode` (string): The connection mode of the Nordeck bot; default: `test`
- `intercom_service_nordeck_url` (string): The URL on which the Nordeck bot is listening; default: `https://meetings-widget-bot.{{ intercom_service_domain_name }}`
- `intercom_service_portal_url` (string): The URL on which the Univention Portal is listening; default: `https://portal.{{ intercom_service_domain_name }}`
- `intercom_service_ox_origin` (string): The OX CORS origin setting; default: `https://webmail.{{ intercom_service_domain_name }}`
- `intercom_service_ox_audience` (string): The OIDC audience setting for the OX token request sent to the IdP; default: `oxoidc`
- `intercom_service_nc_url` (string): The URL on which Nextcloud is listening; default: `https://fs.{{ intercom_service_domain_name }}`
- `intercom_service_nc_origin` (string): The Nextcloud CORS origin; default: `https://fs.{{ intercom_service_domain_name }}`
none
```yaml
- hosts: all
  tasks:
    - name: "Install Intercom Service via Appcenter"
      ansible.builtin.include_role:
        name: "univention.ucs_roles.intercom_service"
      vars:
        intercom_service_hide_logging: false
        intercom_service_domain_name: "ucs.test.intranet"
        intercom_service_temp_pw_file: "{{ temp_file }}"
        intercom_service_keycloak_realm_name: "your_keycloak_realm"
```
GNU General Public License v3.0
Univention GmbH www.univention.com
This role runs a UCS Join on master or backup servers.
- univention.ucs_modules
- univention_config_registry
- `ucs_join_derive_root_password_from_hostname` (bool): Creates a unique root/admin password that is derived from the host name, or rather its numeric part.
- `ucs_join_derive_root_password_prefix` (string): The prefix that is used before the numeric part in derived passwords.
- `ucs_join_server_type` (string): Which type of UCS server to set up. The possible options are `master`, `backup`, `slave` and `member`. The default is `master`, which also means "standalone". If a type other than `master` is chosen the following variable also has to be set; default: `master`.
- `ucs_join_master_server` (string): In case of a `backup`, `slave` or `member` server (see previous variable) this declares which master server to join. The variable must be the IP of the master server. In every other case this variable is ignored.
- `ucs_join_admin_user_name` (string): The UCS administrator's user name, defaults to "Administrator". This variable is only used when joining a backup server. Changing it will NOT change the UCS admin user name; it will only break the backup join scenario.
- `ucs_join_root_password` (string): The machine's root password; if you want version control, consider using ansible-vault to encrypt it. If `ucs_join_derive_root_password_from_hostname` is set to `true`, this variable is ignored.
- `ucs_join_hostname` (string): Remote hostname; default: `{{ inventory_hostname }}`.
- `ucs_join_domain_name` (string): The system's DNS domain name.
- `ucs_join_basedn` (string): The LDAP base domain name.
- `ucs_join_nameservers` (dict): Configure nameserver1 to nameserver3.
- `ucs_join_network_config_type` (string): Choose `dhcp` or `static`, with the former being the default. If you choose `static` you'll have to add the `ucs_join_network_config_static_*` variables as well; default: `dhcp`.
- `ucs_join_network_config_static_ip_config` (map): The server's IPv4 address in one of the following two forms: `<ip address>/<netmask>` or CIDR form `<ip address>/<prefix length>`. Both forms are functionally equal. Example: `192.168.0.1/255.255.255.240` or `192.168.0.1/28`.
- `ucs_join_network_config_static_dns_servers` (list): A list of DNS servers to use in case of static network configuration. If `ucs_join_server_type` is `backup`, this variable is ignored and the `master` server will be used instead.
- `ucs_join_network_config_static_gateway` (string): The server's default router, aka internet gateway. This is mandatory for the setup to work.
- `ucs_join_network_config_interface` (string): The server's default network interface; default: `eth0`.
- `ucs_join_network_config_static_additional_interfaces` (list): A list of additional interfaces as a dictionary.
- `ucs_join_network_config_static_routes` (list): A list of static routes which should be attached to interfaces.
- `ucs_join_hide_logging` (boolean): Toggle template logging; default: `true`.
none
```yaml
- hosts: all
  tasks:
    - ansible.builtin.include_role:
        name: "univention.ucs_roles.ucs_join"
      vars:
        ucs_join_network_config_type: "static"
        ucs_join_network_config_interface: "eth0"
        ucs_join_network_config_static_ip_config: "10.20.30.40/24"
        ucs_join_network_config_static_gateway: "10.20.30.1"
        ucs_join_network_config_static_dns_servers:
          - "8.8.8.8"
          - "8.8.4.4"
  # ...
```

```yaml
- hosts: all
  tasks:
    - ansible.builtin.include_role:
        name: "univention.ucs_roles.ucs_join"
      vars:
        ucs_join_network_config_type: "static"
        ucs_join_network_config_static_additional_interfaces:
          ens10: "10.20.30.40/24"
          ens11: "20.30.40.50/24"
  # ...
```

```yaml
- hosts: all
  tasks:
    - ansible.builtin.include_role:
        name: "univention.ucs_roles.ucs_join"
      vars:
        ucs_join_network_config_static_routes:
          - interface: "ens10"
            index: 0
            route: "host 10.10.0.1 metric 200"
          - interface: "ens10"
            index: 1
            route: "net 10.10.0.0 netmask 255.255.0.0 gw 10.10.0.1 metric 100"
  # ...
```
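The role accepts `ucs_join_network_config_static_ip_config` in either the `<ip>/<netmask>` or the `<ip>/<prefix length>` notation and requires a gateway and DNS servers alongside it. The following Python helper is an added example and not part of the univention.ucs_roles collection: it normalises both notations to CIDR, confirms that two spellings really describe the same address and subnet, and checks the static trio (ip config, gateway, DNS servers) for inconsistencies a join would otherwise only reveal once the host is unreachable. The function names and the sample values are the example's own; the sample addresses are the ones from the playbooks above.

```python
"""Pre-flight checks for the static network values handed to the ucs_join role.

Added example; it is not part of the univention.ucs_roles collection. It takes
the same three values the role documents (ip_config, gateway, dns_servers),
accepts both notations the role allows for ip_config ("<ip>/<netmask>" and
"<ip>/<prefix length>") and rejects combinations the join would silently
misconfigure, e.g. a default gateway outside the interface's subnet.
"""
import ipaddress


def normalize_ip_config(value: str) -> dict:
    """Parse '<ip>/<netmask>' or '<ip>/<prefix>' and return canonical values."""
    if value.count("/") != 1:
        raise ValueError(f"expected <ip>/<netmask> or <ip>/<prefix>, got {value!r}")
    # IPv4Interface accepts both a dotted netmask and a prefix length after
    # the slash, and rejects non-contiguous masks and malformed addresses.
    iface = ipaddress.IPv4Interface(value)
    net = iface.network
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        raise ValueError(f"{iface.ip} is the network or broadcast address of {net}")
    return {
        "cidr": str(iface),  # canonical form, e.g. 192.168.0.1/28
        "address": str(iface.ip),
        "prefix": net.prefixlen,
        "netmask": str(net.netmask),
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
    }


def same_config(a: str, b: str) -> bool:
    """True when two notations describe the same address and subnet."""
    return normalize_ip_config(a)["cidr"] == normalize_ip_config(b)["cidr"]


def validate_static_config(ip_config: str, gateway: str, dns_servers) -> dict:
    """Validate the static settings together; raise ValueError on inconsistencies."""
    cfg = normalize_ip_config(ip_config)
    gw = ipaddress.IPv4Address(gateway)
    net = ipaddress.IPv4Network(f"{cfg['network']}/{cfg['prefix']}")
    if gw not in net:
        raise ValueError(f"gateway {gw} is not inside {net}")
    if gw == ipaddress.IPv4Address(cfg["address"]):
        raise ValueError("gateway must not be the host's own address")
    # every resolver must at least be a syntactically valid IPv4 address
    resolvers = [str(ipaddress.IPv4Address(s)) for s in dns_servers]
    if not resolvers:
        raise ValueError("at least one DNS server is required for a static setup")
    return {**cfg, "gateway": str(gw), "dns_servers": resolvers}


if __name__ == "__main__":
    # values taken from the playbook examples above
    print(validate_static_config("10.20.30.40/24", "10.20.30.1", ["8.8.8.8", "8.8.4.4"]))
    print(same_config("192.168.0.1/255.255.255.240", "192.168.0.1/28"))
```

Run this against the values of a play before `ucs_join` is included; a `ValueError` names the offending setting, which is easier to act on than a join that times out against an unreachable gateway.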
Matrix: how the nameservers should be configured. All domaincontroller_* roles have a DNS server installed.

| | domaincontroller_master | domaincontroller_backup | domaincontroller_slave | memberserver |
|---|---|---|---|---|
| nameserver1 | host_ip_address | host_ip_address | host_ip_address | domaincontroller_master |
| nameserver2 | fallback_nameserver | domaincontroller_master | domaincontroller_master | domaincontroller_backup |
| nameserver3 | fallback_nameserver | domaincontroller_backup | domaincontroller_slave | |
```yaml
- hosts: all
  tasks:
    - ansible.builtin.include_role:
        name: "univention.ucs_roles.ucs_join"
      vars:
        ucs_join_nameservers:
          nameserver1:
            # local ip
            server: "{{ ansible_local['ucr']['interfaces/' + ansible_local['ucr']['interfaces/primary'] + '/address'] }}"
          nameserver2:
            server: "8.8.8.8"
            state: 'present'
          nameserver3:
            state: 'absent'
```
GNU General Public License v3.0
Univention GmbH www.univention.com
This role installs packages via the `univention-install` wrapper.
none
- `univention_install_name` (string): The name of the package to be installed.
- `univention_install_clear_apt_cache` (bool): Clear all downloaded packages to reduce package conflicts; default: `false`.
none
GNU General Public License v3.0
Univention GmbH www.univention.com
Enable or disable UCS calling Amazon's metadata server.
- univention.ucs_modules
- univention_config_registry
- `configure_amazon_metadata_server_call` (bool): Defines whether the Amazon metadata server should be called; default: `false`
none
GNU General Public License v3.0
Univention GmbH www.univention.com
This role upgrades UCS to a specific version.
none
- `univention_upgrade_version` (string): The UCS version number to upgrade to; default: `"4.4-99"`.
- `univention_upgrade_clear_apt_cache` (bool): Clear all downloaded packages to reduce package conflicts; default: `false`.
- `univention_upgrade_removal_check` (bool): Check if packages will be removed during the upgrade; default: `false`.
- `univention_upgrade_reboot_after_upgrade` (bool): Reboot UCS after the package upgrade; default: `false`.
- `univention_upgrade_app_updates` (bool): Upgrade apps during univention-upgrade; default: `false`.
- `univention_upgrade_username` (string): Username of the administrative user for app updates; default: `Administrator`.
- `univention_upgrade_password_file` (string): Path to the file on the server that contains the user password if `univention_upgrade_app_updates=true`; default: `""`.
none
GNU General Public License v3.0
Univention GmbH www.univention.com
This role updates UMC permissions.
- univention.ucs_modules
- univention_config_registry
- `umc_permissions_basedn` (string): The LDAP base domain name.
- `umc_permissions_passwordreset_blacklist_groups` (string): The names of the LDAP groups which are not allowed to reset their password.
- `umc_permissions_passwordreset_whitelist_groups` (string): The names of the LDAP groups which are allowed to reset their password.
none
GNU General Public License v3.0
Univention GmbH www.univention.com
This role adds specific LDAPSearch users.
none
- `ldapsearch_user_basedn` (string): The LDAP base DN.
- `ldapsearch_user_server_type` (string): Which type of UCS server to set up. The possible options are `master` and `backup`. The default is `master`, which also means "standalone". If `backup` is chosen the following variable also has to be set; default: `master`.
- `ldapsearch_user_hide_logging` (boolean): Toggle template logging; default: `true`.
- `ldapsearch_user_list` (list): A list of LDAPSearch users to create.
- `ldapsearch_user_list_tenantbased` (list): A list of LDAPSearch users to create.
none
```yaml
- hosts: all
  tasks:
    - ansible.builtin.include_role:
        name: "univention.ucs_roles.ldapsearch_user"
      vars:
        ldapsearch_user_list:
          - username: "ldapsearch_example"
            name: "Name of LDAPSearch user" # optional; default value from username
            lastname: "Lastname of LDAPSearch user" # optional; default value from username
            password: "SuperSecretPassword"
  # ...
```

```yaml
- hosts: all
  tasks:
    - ansible.builtin.include_role:
        name: "univention.ucs_roles.ldapsearch_user"
      vars:
        ldapsearch_user_list_tenantbased:
          - username: "ldapsearch_example"
            name: "Name of LDAPSearch user" # optional; default value from username
            lastname: "Lastname of LDAPSearch user" # optional; default value from username
            password: "SuperSecretPassword"
            tenant_ou: "ou=users,ou=root,ou=0001,ou=tenants" # position in LDAP
  # ...
```
GNU General Public License v3.0
Univention GmbH www.univention.com
Configure the UCS app ownCloud.
none
none
none
GNU General Public License v3.0
Univention GmbH www.univention.com
This role reduces security risks by disabling default settings, like root login.
- univention.ucs_modules
- univention_config_registry
- `hardening_disable_http` (bool): If set to `true`, `http` will be disabled in apache2 and only `https` will be available; default: `true`
- `hardening_hsts` (bool): If set to `true`, HTTP Strict Transport Security is enabled for apache2; default: `true`
- `hardening_apache2_ssl_tlsv13` (bool): If set to `true`, SSL TLSv1.1 and TLSv1.2 are disabled for apache2; default: `true`
- `hardening_apache2_server_tokens` (string): Set the apache2 configuration to `Prod`, `Major`, `Minor`, `Min`, `OS` or `Full`. Details: https://httpd.apache.org/docs/2.4/mod/core.html#servertokens; default: `Prod`
- `hardening_apache2_server_signature` (string): Set the apache2 configuration to `Off`, `EMail` or `On`. Details: https://httpd.apache.org/docs/2.4/mod/core.html#serversignature; default: `Off`
- `hardening_honorcipherorder` (string): During the negotiation of cryptographic algorithms while setting up an SSL/TLS connection, the preference of the client is used by default. If this option is enabled, the preference of the server is used instead. The list of algorithms offered by Apache can be configured with the variable `apache2/ssl/ciphersuite`; default: `true`
- `hardening_ciphersuite` (string): This configures the cryptographic algorithms which are offered to clients during an SSL handshake. The format is described at http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslciphersuite; default: `HIGH`
- `hardening_umc_session_cookie` (bool): If set to `true`, the login cookie is a session cookie. Closing the browser will delete the cookie, effectively logging out the user; default: `true`
- `hardening_umc_secure_cookie` (bool): If set, cookies are set with the Secure attribute if the connection is using HTTPS; default: `true`
- `hardening_umc_cookie_samesite` (string): Set the SameSite cookie attribute for UMC cookies. Possible values: `Strict`, `Lax` and `None`; default: `Strict`
- `hardening_saml_idp_language_cookie_samesite` (string): Set the SameSite attribute of the language cookie of the SAML IdP. Possible values: `Strict`, `Lax` and `None`; default: `Strict`
- `hardening_saml_idp_session_cookie_samesite` (string): Set the SameSite attribute of the session cookie of the SAML IdP. Possible values: `Strict`, `Lax` and `None`; default: `Strict`
- `hardening_saml_idp_session_cookie` (bool): If set to `true`, the Secure attribute of the SAML IdP session cookie is activated; default: `true`
- `hardening_saml_idp_language_cookie` (bool): If set to `true`, the Secure attribute of the SAML IdP language cookie is activated; default: `true`
- `hardening_disable_umc_http_tracebacks` (bool): If set to `true`, tracebacks are no longer shown to the user on errors in UMC; default: `true`
- `hardening_disable_udm_rest_tracebacks` (bool): If set to `true`, tracebacks are no longer shown to the user on errors in the UDM REST API; default: `true`
- `hardening_disable_saml_idp_errors` (bool): If set to `true`, tracebacks are no longer shown to the user on errors in the SAML IdP; default: `true`
- `hardening_disable_saml_idp_error_reporting` (bool): If set to `true`, error information and stack traces cannot be reported via email to the technical contact mail address; default: `true`
none
GNU General Public License v3.0
Univention GmbH www.univention.com
This role configures NTP timeservers.
- univention.ucs_modules
- univention_config_registry
- `configure_ntp_servers_timeservers` (list): A list of NTP server addresses; default: `["ptbtime1.ptb.de", "ptbtime2.ptb.de", "ptbtime3.ptb.de"]`
none
GNU General Public License v3.0
Univention GmbH www.univention.com
This role configures UCS to properly use Keycloak.
none
- `configure_keycloak_client_oidc_broker_secret` (string): The client password used in the IdP creation.
- `configure_keycloak_client_keycloak_password` (string): The Keycloak password.
- `configure_keycloak_client_basedn` (string): The LDAP base domain name.
- `configure_keycloak_client_keycloak_server_id` (string): The OpenID Connect IdP broker ID. This is used in both config modes.
- `configure_keycloak_client_keycloak_server` (string): The server the UCS system will authenticate against.
- `configure_keycloak_client_config_type` (string): This variable determines whether the Keycloak server configuration is done by this role (`dynamic`) or whether things have already been configured and only the UCS side has to be configured (`static`). `dynamic` is usually used for setups with a lot of turnover, `static` in a more static environment. If set to `none`, Keycloak configuration as a whole will be skipped, including the "client" side; default: `dynamic`.
- `configure_keycloak_client_hostname` (string): The system's hostname; default: `"{{ inventory_hostname }}"`
none
GNU General Public License v3.0
Univention GmbH www.univention.com
Extend the root volume to all available space. Helpful when using a prebuilt image and additional space is required.
- community.general
- parted
- lvg
- lvol
- `extend_root_lvm_volume_extend_lvm_to_whole_disk` (bool): If `true`, the root volume is extended to the available space; default: `true`
- `extend_root_lvm_volume_lvm_disk` (string): The "physical" disk to partition, without the "/dev/" part, for instance "sda" for "/dev/sda". Defaults to what is used in the Univention QCOW image; default: `"vda"`
- `extend_root_lvm_volume_lvm_vg_name` (string): The volume group the data volume resides in. Defaults to what is used in the Univention QCOW image; default: `"vg_ucs"`
- `extend_root_lvm_volume_lvm_data_volume` (string): The LVM name used for the data volume. Defaults to what is used in the Univention QCOW image; default: `"root"`
- `extend_root_lvm_volume_existing_lvm_partition_number` (number): The existing LVM partition number. Defaults to what is used in the Univention QCOW image; default: `2`
none
GNU General Public License v3.0
Univention GmbH www.univention.com
This role adds an administrative UCS user.
none
- `ucs_add_admin_user_basedn` (string): The LDAP base domain name.
- `ucs_add_admin_user_username` (string): The username for the administrative user.
- `ucs_add_admin_user_firstname` (string): The first name for the administrative user.
- `ucs_add_admin_user_lastname` (string): The last name for the administrative user.
- `ucs_add_admin_user_password` (string): The password for the administrative user.
- `ucs_add_admin_user_recoveryemail` (string): The recovery email address for the administrative user.
- `ucs_add_admin_user_attrib_list` (map): A map of attributes and values to set for the administrative user.
- `ucs_add_admin_user_group_list` (list): A list of group names to add the administrative user to.
none
GNU General Public License v3.0
Univention GmbH www.univention.com
This role improves user configuration.
- univention.ucs_modules
- univention_config_registry
- `improve_usability_user_config_basedn` (string): The LDAP base domain name.
- `improve_usability_user_config_external_hostname` (string): The host name that is used to talk to the system.
- `improve_usability_user_config_install_apps` (list): A list of applications to install.
none
GNU General Public License v3.0
Univention GmbH www.univention.com
This role updates univention and apt package lists.
none
none
none
GNU General Public License v3.0
Univention GmbH www.univention.com
- univention.ucs_modules
- univention_config_registry
- `set_feedback_mail_address_web_feedback_mail` (string): Email address to which the traceback is sent if an error occurs in the Univention Management Console; default: `[email protected]`
none
GNU General Public License v3.0
Univention GmbH www.univention.com
This role configures monitoring related settings.
- univention.ucs_modules
- univention_config_registry
- `configure_monitoring_ldap_enabled` (string): Toggle the `ldap/monitor` UCR setting; default: `"true"`.
none
GNU General Public License v3.0
Univention GmbH www.univention.com
Set a DNS nameserver glue record.
none
- `set_dns_glue_record_create_external_hostname_glue_record` (bool): If set to `true`, a DNS glue record is created if it does not already exist; default: `true`
- `set_dns_glue_record_fqdn` (string): Use this variable if the remote's hostname is only available as FQDN, or set `set_dns_glue_record_host_name` directly.
- `set_dns_glue_record_host_name` (string): Use this variable for the remote's hostname; otherwise use `set_dns_glue_record_fqdn` for FQDN hostnames.
- `set_dns_glue_record_domain_name` (string): Use this variable to set the remote's domain name, or set `set_dns_glue_record_superordinate` directly.
- `set_dns_glue_record_basedn` (string): Use this variable to set the remote's base domain name, or set `set_dns_glue_record_superordinate` directly.
- `set_dns_glue_record_superordinate` (string): Define the superordinate directly, or use `set_dns_glue_record_domain_name` and `set_dns_glue_record_basedn`.
- `set_dns_glue_record_glue_record_nameserver` (string): The target nameserver as FQDN that is used to resolve the external hostname.
none
GNU General Public License v3.0
Univention GmbH www.univention.com
This role configures OpenID Connect (OIDC) for apps like Open-Xchange or Nextcloud.
- univention.ucs_modules
- univention_config_registry
- `configure_sso_openid_app_version_map` (map): A dictionary that maps application names to specific versions that ought to be installed.
- `configure_sso_openid_temp_pw_file` (map): Tempfile object where the Univention app password is stored.
- `configure_sso_openid_install_apps` (list): A list of applications to install.
- `configure_sso_openid_basedn` (string): The system's base DN.
- `configure_sso_openid_signing_method` (string): The signing method; default: `"RS256"`.
- `configure_sso_openid_external_hostname` (string): The external hostname that is used to talk to the system.
- `configure_sso_openid_clients` (map): A map of client configurations; supported are `nextcloud` and `ox`.
none
```yaml
- hosts: all
  tasks:
    - ansible.builtin.include_role:
        name: "univention.ucs_roles.configure_sso_openid"
      vars:
        configure_sso_openid_clients:
          nextcloud:
            name: "nextcloud"
            clientid: "nextcloud"
            clientsecret: "notverysafe"
          ox:
            name: "open-xchange"
            clientid: "open-xchange"
            clientsecret: "notverysafe"
  # ...
```
GNU General Public License v3.0
Univention GmbH www.univention.com
This role installs and configures Let's Encrypt. It supports the Let's Encrypt staging environment as well.
- univention.ucs_modules
- univention_config_registry
- `install_lets_encrypt_use_letsencrypt_staging` (bool): When `false`, regular Let's Encrypt certificates are used; `true` switches to the staging area for testing purposes; default: `false`.
- `install_lets_encrypt_implement_ugly_letsencrypt_workaround` (bool): Work around bugs in the Let's Encrypt staging implementation. This patches files in the Univention letsencrypt app; default: `false`.
- `install_lets_encrypt_temp_pw_file` (map): Ansible temporary password file.
- `install_lets_encrypt_temp_dir` (map): Ansible temporary dir.
- `install_lets_encrypt_service_version_map` (map): A dictionary that maps service names to specific versions that ought to be installed. See also `install_packages_force_package_upgrade` for a way to upgrade already installed software.
- `install_lets_encrypt_service_name_list` (list): A list of service names to be installed.
- `install_lets_encrypt_force_package_upgrade` (bool): If set to `true`, already installed application versions are checked and, if the installed version differs from what has been specified in `install_lets_encrypt_service_version_map`, that version is installed instead. Choosing `false` results in the role ignoring already installed software and skipping installation; default: `false`.
- `install_lets_encrypt_external_hostname` (string): The host name that is used to talk to the system.
none
GNU General Public License v3.0
Univention GmbH www.univention.com
This role installs and configures the new portal.
none
- `install_service_new_portal_service_version_map` (map): A dictionary that maps service names to specific versions that ought to be installed. See also `install_service_new_portal_force_package_upgrade` for a way to upgrade already installed software.
- `install_service_new_portal_force_package_upgrade` (bool): If set to `true`, already installed application versions are checked and, if the installed version differs from what has been specified in `install_service_new_portal_service_version_map`, that version is installed instead. Choosing `false` results in the role ignoring already installed software and skipping installation; default: `false`.
- `install_service_new_portal_temp_file` (map): Ansible temporary dir.
none
GNU General Public License v3.0
Univention GmbH www.univention.com
This role configures password policies via UCR. The DN of a policy is required. All users this policy is referenced for will get these settings.
- univention.ucs_modules
- univention_config_registry
- univention_directory_manager
- `configure_password_policies_dn` (string): There should be at least one policy with activated checks. The full DN is needed; default: not set
- `configure_password_policies_quality_min_lenght` (string): Sets the minimum password length; default: `8`
- `configure_password_policies_quality_required_chars` (string): Sets required characters for new passwords; default: `none`
- `configure_password_policies_quality_forbidden_chars` (string): Sets forbidden characters for new passwords; default: `none`
- `configure_password_policies_quality_credit_digits` (string): Sets the minimum number of digits in the new password; default: `1`
- `configure_password_policies_quality_credit_upper` (string): Sets the minimum number of upper case letters; default: `1`
- `configure_password_policies_quality_credit_other` (string): Sets the minimum number of characters which are neither digits nor letters; default: `1`
- `configure_password_policies_quality_credit_lower` (string): Sets the minimum number of lower case letters; default: `1`
- `configure_password_policies_quality_mspolicy` (string): Sets the Microsoft policy complexity criteria. If `1`, `true` or `yes`, this is applied on top of the default python-cracklib checks. If `sufficient`, only the MS policy complexity will be used, and if `false`, only python-cracklib will be used; default: `1`
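To see what the combination of these knobs actually accepts and rejects before rolling a policy out, the following Python checker is an added example and not the role's or UCS's own implementation. It models the role's variables as a dict with the defaults listed above and applies the three `mspolicy` modes as the description states them (on top of the quality checks, `sufficient` for MS criteria only, `false` for quality checks only). Two details are assumptions of this example rather than documented behaviour: `required_chars` is read as "at least one of these characters must appear", and the Microsoft complexity rule is modelled as "at least three of the four character classes present".

```python
"""Check a candidate password against the settings configure_password_policies manages.

Added example, not part of the univention.ucs_roles collection or of UCS.
The combination rules for mspolicy follow the variable description; the
semantics of required_chars and the "three of four classes" MS rule are
assumptions of this example.
"""

# Mirrors the role defaults listed above (variable names shortened, same values).
DEFAULT_POLICY = {
    "min_length": 8,
    "required_chars": "",   # role default "none": no requirement
    "forbidden_chars": "",  # role default "none": nothing forbidden
    "credit_digits": 1,
    "credit_upper": 1,
    "credit_other": 1,
    "credit_lower": 1,
    "mspolicy": "1",        # "1"/"true"/"yes": MS rule on top of the quality checks
}


def _quality_violations(pw, p):
    """cracklib-style checks driven by the quality/* settings."""
    errors = []
    if len(pw) < p["min_length"]:
        errors.append(f"shorter than {p['min_length']} characters")
    # assumed semantics: at least one of the required characters must appear
    if p["required_chars"] and not any(c in pw for c in p["required_chars"]):
        errors.append("none of the required characters present")
    bad = sorted({c for c in pw if c in p["forbidden_chars"]})
    if bad:
        errors.append(f"forbidden characters used: {''.join(bad)}")
    classes = {
        "credit_digits": sum(c.isdigit() for c in pw),
        "credit_upper": sum(c.isupper() for c in pw),
        "credit_lower": sum(c.islower() for c in pw),
        "credit_other": sum(not c.isalnum() for c in pw),
    }
    for key, count in classes.items():
        if count < p[key]:
            errors.append(f"needs at least {p[key]} {key[len('credit_'):]}, has {count}")
    return errors


def _mspolicy_violations(pw):
    """Assumed MS complexity rule: at least three of four character classes present."""
    present = sum((
        any(c.isdigit() for c in pw),
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(not c.isalnum() for c in pw),
    ))
    return [] if present >= 3 else ["MS policy: fewer than three character classes"]


def check_password(pw, policy=None):
    """Return the list of violations; an empty list means the password is acceptable."""
    p = {**DEFAULT_POLICY, **(policy or {})}
    mode = str(p["mspolicy"]).lower()
    if mode == "sufficient":            # only the MS criteria are applied
        return _mspolicy_violations(pw)
    if mode in ("false", "0", "no"):    # only the cracklib-style checks
        return _quality_violations(pw, p)
    # "1", "true", "yes": MS criteria on top of the quality checks
    return _quality_violations(pw, p) + _mspolicy_violations(pw)


if __name__ == "__main__":
    for candidate in ("password", "Passw0rd", "Tr0ub4dor&x"):
        print(candidate, "->", check_password(candidate) or "ok")
```

Because the role only writes the policy, a checker like this is the quickest way to confirm that a relaxed setting such as `credit_other: 0` or `mspolicy: sufficient` does not open the door to single-class passwords.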
none
GNU General Public License v3.0
Univention GmbH www.univention.com
When the Docker MTU (`1500`) is higher than the one of the network interface, this role sets the Docker MTU to `1400`.
none
none
none
GNU General Public License v3.0
Univention GmbH www.univention.com
This role configures network interface names as GRUB boot parameter, resulting in network interface names like eth0.
- univention.ucs_modules
- univention_config_registry
- `configure_network_interface_names_use_old_names` (boolean): Set the GRUB parameter for old interface names; default: `true`.
none
GNU General Public License v3.0
Univention GmbH www.univention.com
This role disables IPv6 on system via modprobe.
- ansible.posix
- sysctl
none
none
GNU General Public License v3.0
Univention GmbH www.univention.com
This role configures OX.
- univention.ucs_modules
- univention_config_registry
- community.crypto
- openssl_pkcs12
- community.general
- java_cert
- `install_apps_ox_post_basedn` (string): The LDAP base domain name.
- `install_apps_ox_post_external_hostname` (string): The host name that is used to talk to the system.
- `install_apps_ox_post_ox_keystore_passphrase` (string): The passphrase for the OX keystore.
- `install_apps_ox_post_ox_drive_default` (string): Toggle OX Drive by setting `0` for disabled and `1` for enabled; default: `0`.
none
GNU General Public License v3.0
Univention GmbH www.univention.com
This role adds and removes SSH keys of a user.
- ansible.posix
- authorized_key
```text
files/
|
+-- ssh_keys/
    |
    +-- add/
    |   |
    |   +-- *.pubkey
    |
    +-- remove/
        |
        +-- *.pubkey
```

- `update_users_ssh_keys_user` (string): Name of the local user whose SSH keys should be added or removed.
none
GNU General Public License v3.0
Univention GmbH www.univention.com
This role creates a local user with ssh login permissions.
- univention.ucs_modules
- univention_config_registry
- `add_local_user_user` (map): A map containing user information:

```yaml
add_local_user_user:
  name: # username; default: "ansible"
  comment: # user comment; default: "ansible user"
  password: # hashed password of the user; default: "{{ "ansible"|password_hash('sha512') }}"
  sshkey_file: # SSH key filename; default: empty
  sshkey: # SSH key as string; default: empty
  state: # toggle whether the user should be present or absent; default: present
```

- `add_local_user_default_shell` (string): Default user shell; default: `/bin/bash`
- `add_local_user_default_password_policy` (string): Default password update policy. Possible values are `"on_create"` and `"always"`; default: `"on_create"`.
- `add_local_user_system_user` (bool): `true` if the user should be a system user instead of a human; default: `true`.
none
GNU General Public License v3.0
Univention GmbH www.univention.com
This role installs a customer branding package.
- univention.ucs_modules
- univention_config_registry
- `install_branding_customer_repo_name` (string): The name of the customer Debian repository.
- `install_branding_customer_repo_parts` (string): The part of the customer Debian repository.
- `install_branding_customer_repo_password` (string): The password of the customer Debian repository.
- `install_branding_customer_repo_server` (string): The server of the customer Debian repository.
- `install_branding_customer_repo_username` (string): The username of the customer Debian repository.
- `install_branding_customer_branding_package` (string): Set the name of the Debian branding package in the Univention customer repository.
none
GNU General Public License v3.0
Univention GmbH www.univention.com
This role applies an existing license file or claims a new license from the license shop.
none
files/
|
+-- license_client.py
configure_license_validity
(string): The validity period for the license, in a format GNU date understands as a time period, like "12 weeks".
configure_license_shop_password
(string): The shop user's password, best stored in a secrets manager or encrypted via ansible-vault.
configure_license_shop_id
(number): Which license shop to use when obtaining a new license for the server.
configure_license_shop_username
(string): The shop user name, needed for authentication.
configure_license_max_users
(number): How many users to allow on the server.
configure_license_basedn
(string): The LDAP base DN.
configure_license_type
(string): Choose one of `local_license` or `server_license`. When choosing `local_license`, a license file name has to be provided; otherwise choose `server_license` and one is generated; default: `server_license`.
configure_license_file
(string): If `configure_license_type` is set to `local_license`, provide the license file name here; default: `false`.
configure_license_server_type
(string): Which type of UCS server to set up. The possible options are `master` and `backup`. The default is `master`, which also means "standalone". If `backup` is chosen the following variable also has to be set; default: `master`.
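An added example playbook for the `configure_license` role showing both modes selected by `configure_license_type`, with the shop password taken from an ansible-vault encrypted file as the variable description recommends (example code, not part of the collection). It assumes the role is addressed as `univention.ucs_roles.configure_license`; `vault.yml` with `vault_license_shop_password`, the LDAP base, the shop id, the shop user name and the user count are constructed values.

```yaml
# Added example (not the collection's own code). Assumptions: the role is
# reachable as univention.ucs_roles.configure_license; vault.yml is
# ansible-vault encrypted and defines vault_license_shop_password; the
# remaining values below are constructed placeholders.
- hosts: ucs_primary
  become: true
  vars_files:
    - vault.yml
  vars:
    ucs_ldap_base: "dc=ansible,dc=univention,dc=de"
    # leave empty to claim a license from the shop, or set the name of an
    # existing license file to apply it instead
    ucs_license_file: ""
  tasks:
    - name: Claim a new license from the shop (server_license)
      ansible.builtin.include_role:
        name: "univention.ucs_roles.configure_license"
      vars:
        configure_license_type: "server_license"
        configure_license_server_type: "master"
        configure_license_basedn: "{{ ucs_ldap_base }}"
        configure_license_max_users: 50
        configure_license_validity: "12 weeks"
        configure_license_shop_id: 1               # placeholder shop id
        configure_license_shop_username: "shop-user"
        # decrypted on the controller, never written as a literal in the play
        configure_license_shop_password: "{{ vault_license_shop_password }}"
      when: ucs_license_file | length == 0

    - name: Apply an existing license file (local_license)
      ansible.builtin.include_role:
        name: "univention.ucs_roles.configure_license"
      vars:
        configure_license_type: "local_license"
        configure_license_file: "{{ ucs_license_file }}"
        configure_license_server_type: "master"
        configure_license_basedn: "{{ ucs_ldap_base }}"
      when: ucs_license_file | length > 0
```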
none
GNU General Public License v3.0
Univention GmbH www.univention.com
Create, modify and delete portal categories.
none
portal_category_base_dn
(string): The base DN that has been used when setting up the UCS server.
portal_category_categories
(list): The portal categories list.
portal_category_install_list
(list): Combined apps/services/customization lists.
portal_category_drift_detection
(bool): Toggle drift detection and only apply differences; default: `true`.
portal_category_remove_unscoped
(bool): Toggle removal of undefined categories; default: `false`.
none
```yaml
- hosts: all
  tasks:
    - ansible.builtin.include_role:
        name: "univention.ucs_roles.portal_category"
      vars:
        portal_category_base_dn: "dc=ansible,dc=univention,dc=de"
        portal_category_install_list: ["nextcloud"]
        portal_category_drift_detection: true
        portal_category_remove_unscoped: false
        portal_category_categories:
          - name: "domain-service"
            display_name:
              de_DE: "Applikationen"
              en_US: "Applications"
            state: "present"
            parent: "domain"
          - name: "domain-admin"
            display_name:
              de_DE: "Verwaltung"
              en_US: "Administration"
            state: "present"
            parent: "domain"
          - name: "local-admin"
            display_name:
              de_DE: "Verwaltung"
              en_US: "Administration"
            state: "present"
            parent: "local"
          # ...
```
```yaml
portal_category_categories:
  - name: # (string, required) | Name of the portal category.
    display_name: # (map) | I18n name displayed in the portal.
      de_DE: # (string) | e.g. German translation.
      en_US: # (string) | e.g. English translation.
    only: # (string) | Modify only when the app named here is in `portal_category_install_list`.
    parent: # (string) | Name of the portal the category should be appended to, e.g. "domain".
    state: # (string, required) | State of the entry, "present" or "absent".
    ucs_versions: # (list) | UCS versions in which the category should be modified. When omitted,
                  # | the category is modified on ALL UCS versions.
```
- Modifying/removing attributes containing whitespace is not supported by UCS 4.4.
GNU General Public License v3.0
Univention GmbH www.univention.com
This role configures the Nextcloud Talk TURN server.
none
configure_nextcloud_turn_secret
(string): The TURN server secret.
configure_nextcloud_turn_url
(string): The URL of the TURN server.
none
GNU General Public License v3.0
Univention GmbH www.univention.com
This role enables/disables Piwik tracking of UCS.
- univention.ucs_modules
- univention_config_registry
disable_piwik_tracking_disable
(bool): Toggles Piwik tracking of the installation. When set to `true`, tracking is disabled; default: `true`.
none
GNU General Public License v3.0
Univention GmbH www.univention.com
This role configures Nextcloud for a SAML single-server setup.
none
none
none
GNU General Public License v3.0
Univention GmbH www.univention.com
Configure the UCS app Nextcloud.
none
none
none
GNU General Public License v3.0
Univention GmbH www.univention.com
Store rollout finished information in custom facts directory.
none
none
none
GNU General Public License v3.0
Univention GmbH www.univention.com