Skip to content

Ansible roles to setup, configure and deploy UCS

Notifications You must be signed in to change notification settings

univention/ansible-roles

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

UCS Ansible Roles

This repository only contains ansible roles usable in an ansible-playbook to install and bootstrap UCS.

Modules


roles/modify_ucs_ca/README.md

Modify UCS certs

Modify exisiting univention certificates.

Requirements

none

Role Variables

  • modify_ucs_ca_external_domain_name(string): The external domain name.
  • modify_ucs_ca_external_domain_part(string): The part of an external domain eventually excluding fist subdomain.
  • modify_ucs_ca_external_domain_prefix(string): The first subdomain if exists.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/improve_usability_ui_changes/README.md

Improve usability ui changes.

This role will improve ui.

Requirements

none

Role Variables

  • improve_usability_ui_changes_basedn(): The LDAP base domain name.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/ox_connector/README.md

OX Connector

This role configures and install OX connector.

Requirements

  • univention.ucs_modules
    • univention_config_registry

Role Variables

  • ox_connector_basedn(string): The LDAP base dn.
  • ox_connector_domain_name(string): The system's dns domain name.
  • ox_connector_domain_prefix(string): The system's dns domain prefix. Useful when OX server is in same network
  • ox_connector_default_context (string): The default context that is being assigned to objects when there is no explicit definition; default: 9999
  • ox_connector_soap_prefix(string): The ox soap server prefix; default: ox-provisioning.
  • ox_connector_app_version_map(map): A dictionary that maps application names to specific versions that ought to be installed.
  • ox_connector_temp_pw_file(map): Tempfile object where univention app password is stored.
  • ox_connector_master_admin(string): The name of OX administrator.
  • ox_connector_master_password(string): The password of OX administrator.
  • ox_connector_server_type(string): Which type of UCS server to set up. The possible options are masterand backup. The default is master, which also means "standalone". If backup is chosen the following variable also has to be set; default: master.
  • ox_connector_template_name(string): The name of default ox access template; default: "standard".
  • ox_connector_hide_logging(boolean): Toggle logging of sensitive information like password; default: true.
  • ox_connector_usertemplate_name(string): Name of the User Template to be used, while creating a new user; default: "Benutzer mit Groupware-Konto".
  • ox_connector_imap_server(string): How the user in OX will connect to the IMAP backend, this value is relative to the OX AppSuite middleware server; default: imap://127.0.0.1:143
  • ox_connector_smtp_server(string): How the user in OX will connect to the SMTP service, this value is relative to the OX AppSuite middleware server; default: smtp://127.0.0.1:26

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/configure_network_proxy/README.md

Configure network proxy

This role configures network proxy via UCR.

Requirements

  • univention.ucs_modules
    • univention_config_registry

Role Variables

  • configure_network_proxy_enabled(boolean): Toggle network proxy usage
  • configure_network_proxy_http_proxy(string): The HTTP proxy server, e.g. http://192.168.1.100:3128. If the proxy requires authentication, the username and the password can be provided in the format http://username:[email protected]:3128.
  • configure_network_proxy_https_proxy(string): The HTTPS proxy server, e.g. https://192.168.1.100:3128. If the proxy requires authentication, the username and the password can be provided in the format https://username:[email protected]:3128.
  • configure_network_proxy_no_proxy(string): A comma-separated list of domain names for which the proxy should not be consulted. An exception for a domain like univention.de also applies to a subdomain like apt.univention.de.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/install_nextcloud_app/README.md

Install app for nextcloud

This role installs an app for nextcloud

Requirements

none

Role Variables

  • install_nextcloud_app_name(string): The name of nextcloud app to be installed from store.
  • install_nextcloud_app_opertation(string): Define operation mode; default: "install".

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/univention_firewall/README.md

Univention firewall rules.

========= Manage predefined univention-firewall rules.

Requirements

  • univention.ucs_modules
    • univention_config_registry

Role Variables

  • univention_firewall_telegraf(string): Set firewall status of telegraf service; default: "ACCEPT".

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/install_service_selfservices/README.md

Install selfservices service

This role installs selfservice services.

Requirements

  • univention.ucs_modules
    • univention_config_registry

Role Variables

  • install_service_selfservice_service_version_map(map): A dictionary that maps service names to specific versions that ought to be installed. See also install_service_selfservice_force_package_upgrade for a way to upgrade already installed software.
  • install_service_selfservice_temp_file(map): Ansible temporary dir.
  • install_service_selfservice_force_package_upgrade(bool): If set to true already installed application versions are checked and if the installed version differs from what has been specified in install_service_selfservice_service_version_map that version is installed instead. Choosing false results in the role ignoring already installed software and skip installation; default: false.
  • install_service_selfservice_external_hostname(string): The host name that is used to talk to the system.
  • install_service_selfservice_install_services(list): A list of services to install.
  • install_service_selfservice_domain_name(string): The LDAP base domain name.
  • install_service_selfservice_password_reset_filename(string): The name of password reset template.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/remove_packages/README.md

Remove packages

This role removes univention apps with/without fixed versions.

Requirements

none

Role Variables

  • remove_packages_app_version_map(map): A dictionary that maps application names to specific versions that ought to be installed. See also install_packages_force_package_upgrade for a way to upgrade already installed software.
  • remove_packages_temp_pw_file(map): Tempfile object where univention app password is stored.
  • remove_packages_force_package_upgrade(bool): If set to true already installed application versions are checked and if the installed version differs from what has been specified in install_packages_app_version_map that version is installed instead. Choosing false results in the role ignoring already installed software and skip installation; default: `false
  • remove_packages_remove_apps(list): A list of applications to install.
  • remove_packages_app_version_map(map): A map of packages with/without version to be removed.
  • remove_packages_service_name_list(list): A list containing application names to be installed.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/configure_apps_postfix_relay/README.md

Configure Postfix relay (apps)

This role modifies postfix relay configuration.

Requirements

  • univention.ucs_modules
    • univention_config_registry

Role Variables

  • configure_apps_postfix_relay_enabled(bool): Toggles if a SMTP relay host should be used; default: false.
  • configure_apps_postfix_relay_port(number): The port that is used to talk to the system; default: 25.
  • configure_apps_postfix_relay_host(string): The SMTP relay hostname.
  • configure_apps_postfix_relay_username(string): The SMTP relay username.
  • configure_apps_postfix_relay_password(string): The SMTP relay password.
  • configure_apps_postfix_relay_hide_logging(boolean): Toggles output logging for sensible information; default: true.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/configure_directory_manager/README.md

Configure directory manager

This role configures directory manager settings.

Requirements

  • univention.ucs_modules
    • univention_config_registry

Role Variables

  • configure_directory_manager_mailprimaryaddress_required(bool): Toggles if mailPrimaryAddress should be required; default: false.
  • configure_directory_manager_firstname_required(bool): Toggles if forename should be required; default: false.
  • configure_directory_manager_wizard_disabled(string): Toggles the wizard. When set to Yes, wizard is enabled; default: No.
  • configure_directory_manager_invite_default(string): Toggles the default invitation behaviour; default: "True".
  • configure_directory_manager_overridepwlength_visible(string): Toggles wether the password length override is visible; default: "False".
  • configure_directory_manager_overridepwlength_default(string): Sets default value for password length override; default: "False".
  • configure_directory_manager_pwdchangenextlogin_visible(string): Toggles wether password change on next login is visible; default: "False".
  • configure_directory_manager_pwdchangenextlogin_default(string): Sets default value for password change on next login; default: "True".
  • configure_directory_manager_autosearch(string): Toggles wether the user autosearch is enabled; default: "False".
  • configure_directory_manager_username_syntax(string): Set the username syntax; default "uid".

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/configure_error_detail_show/README.md

Configure error detail show

This role configures if the error messages will display the details.

Requirements

  • univention.ucs_modules
    • univention_config_registry

Role Variables

  • configure_error_detail_show_http_tracebacks(bool): Defines whether tracebacks are shown to the user in error cases; default: false
  • configure_error_detail_show_directory_manager_rest_tracebacks(bool): Defines whether tracebacks are shown to the user in error cases; default: false
  • configure_error_detail_show_saml_idp_errors(bool): Defines if error information and stack traces allowed to be shown to the user; default: false
  • configure_error_detail_show_saml_idp_error_reporting(bool): Defines if error information and stack traces can be reported via email to the technical contact mail address; default: false

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/umc_policies_maintenance/README.md

UMC maintenance policies

This role sets UMC maintenance policies.

Requirements

none

Role Variables

  • umc_policies_maintenance_autoupdate_enabled(bool): Toogle autoupdate status; default: true.
  • umc_policies_maintenance_basedn(string): The LDAP base domain name.
  • umc_policies_maintenance_patchhour(string): The chosen hour for univention-update; default: 5.
  • umc_policies_maintenance_patchminute(string): The choosen minute for univention-update; default: 00.
  • umc_policies_maintenance_patchday(String): The chosen day for univention-update; default: Tuesday.
  • umc_policies_maintenance_release_version(string): The univention release version.
  • umc_policies_maintenance_hostname(string): The systems hostname; default: "{{ inventory_hostname }}"

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/cleanup_portal/README.md

Cleanup Portal

Remove default and unused portal entries.

Requirements

none

Role Variables

  • cleanup_portal_basedn(string): The LDAP base domain name.
  • cleanup_portal_install_services(list): A list of services to install.
  • cleanup_portal_domain_admin_group(string): default: "cn=Domain Admins,cn=groups,{{ cleanup_portal_basedn }}".
  • cleanup_portal_portal_dn(string): default: "cn=portals,cn=univention,{{ cleanup_portal_basedn }}".
  • cleanup_portal_prometheus_dn(string): default: 'cn=prometheus,cn=entry,{{ cleanup_portal_portal_dn }}'.
  • cleanup_portal_admin_dashboard_dn(string): default: 'cn=admin-dashboard,cn=entry,{{ cleanup_portal_portal_dn }}'.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/dovecot_connector/README.md

DC Connector

This role configures and install Dovecot (DC) connector.

Requirements

none

Role Variables

  • dovecot_connector_basedn(string): The LDAP base dn.
  • dovecot_connector_domain_name(string): The system's dns domain name.
  • dovecot_connector_domain_prefix(string): The system's dns domain prefix. Useful when dovecot server is in same network.
  • dovecot_connector_soap_prefix(string): The ox soap server prefix; default: ox-provisioning.
  • dovecot_connector_server_type(string): Which type of UCS server to set up. The possible options are master and backup. The default is master, which also means "standalone". If backup is chosen the following variable also has to be set; default: master.
  • dovecot_connector_app_version_map(map): A dictionary that maps application names to specific version of dovecot connector. default: ""
  • dovecot_connector_temp_pw_file: The tmp file within the administrator password.
  • dovecot_connector_adm_accepted_exit_codes(string): DoveAdm-exitCode-Werte, die nicht zum Abbruch fĂĽhren; default: 68 75
  • dovecot_connector_adm_host(string): Der Domänenname des Servers auf dem DoveAdm aktiviert wurde; default: dc-provisioning.dovecot_connector_domain_name
  • dovecot_connector_adm_port(string): Der Port auf dem DoveAdm erreichbar ist; default: 443
  • dovecot_connector_adm_username(string): Benutzername des DoveAdm; default: ""
  • dovecot_connector_adm_password(string): Passwort des DoveAdm; default: ""
  • dovecot_connector_adm_uri(string): DoveAdm URL Vorlage. Mögliche Variablen {dcc_adm_host} und {dcc_adm_port}; default: https://{dcc_adm_host}:{dcc_adm_port:d}/doveadm/v1
  • dovecot_connector_dc_vmail_template(string): Das vmail Verzeichnis welches Dovecot nutzt. Mögliche Variablen {uuid}, {email}, {domain} und {username}; default: /data/usr/local/dovecot/vmail/{uuid[0]}{uuid[1]}/{uuid}
  • dovecot_connector_loglevel(string): Die Log-Stufe der Anwendung. Werte: DEBUG, INFO, WARNING und ERROR; default: INFO
  • dovecot_connector_hide_logging(bool): Toggle logging output; default: true

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/install_apps_ox_pre/README.md

Pre installation steps of OpenXchange (OX)

This role prepares OX installation.

Requirements

  • univention.ucs_modules
    • univention_config_registry

Role Variables

  • install_apps_ox_pre_external_hostname(string): The host name that is used to talk to the system.
  • install_apps_ox_pre_mail_domain(string): The externally managed mail domain.
  • install_apps_ox_pre_basedn(string): The LDAP base domain name.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/configure_keycloak/README.md

Configure Keycloak

This role configures keycloak, either via KCADM or REST.

Requirements

none

Role Variables

  • configure_keycloak_generate_oidc_broker_secret(bool): If set to true the client password used in the IDP creation is generated dynamically. If it is set to false the value in configure_keycloak_oidc_broker_secret is used instead. If configure_keycloak_config_type is set to static this variable implicitly is set to false; default: true
  • configure_keycloak_oidc_broker_secret(string): Client password used in the IDP creation. Only used when configure_keycloak_generate_oidc_broker_secretis set to false.
  • configure_keycloak_oidcidp_id(string): The name of the OpenID Connect Identity Provider to be configured when using dynamic configuration; default: "{{ inventory_hostname }}".
  • configure_keycloak_server_id(string): The OpenID Connect IDP broker ID. This is used in both config modes and defaults to keycloak.
  • configure_keycloak_oidc_username_template(string): default: "${CLAIM.preferred_username}_${ALIAS}"
  • configure_keycloak_client_callback_url(string): When configuring a new client on the keycloak server this URL is used as the OpenID callback URL. Defaults to none but has to be set IF the client doesn't exist already. If it does this variable is not used as the client is not going to be updated.
  • configure_keycloak_config_method(string): The configuration method against keycloak, either kcadm or rest; default: kcadm
  • configure_keycloak_config_type(string): This variable determines if the keycloak server configuration is done using this role (dynamic) or if things already have been configured and only the UCS side has to be configured (static). dynamic usually is used for setups with a lot of turnover, static is used in a more static environment. If set to 'none' keycloak configuration as a whole will be skipped, including the "client" side; default: dynamic.
  • configure_keycloak_keycloak_server(string): The server the UCS system with authenticate against.
  • configure_keycloak_auth_realm(string): As the name says, the realm that is used to authenticate our keycloak operations against. This is not the realm used for client configuration, for that the host's domain is used; default: master.
  • configure_keycloak_admin_username(string): The username used to authenticate to keycloak server when configuring the authentication connection, best stored in a secrets manager or encrypted using ansible-vault.
  • configure_keycloak_admin_password(string): The password used to authenticate to keycloak server when configuring the authentication connection, best stored in a secrets manager or encrypted using ansible-vault
  • configure_keycloak_realm(string): default: "{{ hostvars[inventory_hostname]['ansible_domain'] }}"
  • configre_keycloak_fqdn(string): default: "{{ hostvars[inventory_hostname]['ansible_fqdn'] }}"
  • configure_keycloak_client_id(string): The client's client id used to authenticate.
  • configure_keycloak_display_matrix_in_iframe(bool): When set to 'true', the hosts FQDN is added to CSP list. Be careful, the corresponding field has a size limit; default: false.
  • configure_keycloak_client_secret(string): default: false
  • configure_keycloak_base_url(string): default: "https://{{ configure_keycloak_keycloak_server }}/auth"
  • configure_keycloak_realm_base_url(string): default: "{{ configure_keycloak_base_url }}/admin/realms/{{ ansible_domain }}"
  • configure_keycloak_protocol_mapper_name(string): default: "identity-provider-mapper"
  • configure_keycloak_import_mapper_name(string): default: "append IDP to username"
  • configure_keycloak_hostname(string): The systems hostname; default: "{{ inventory_hostname }}"

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/use_trusted_cert/README.md

Use trusted SSL certificate

This role configures an issues SSL certificate from trusted authorities.

Requirements

  • univention.ucs_modules
    • univention_config_registry

Role Variables

  • use_trusted_cert_path_cert(string): Local path to SSL (chained) certificate file.
  • use_trusted_cert_path_key(string): Local path to SSL key file.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/install_packages/README.md

Install packages

This role installs univention apps with/without fixed versions.

Requirements

none

Role Variables

  • install_packages_app_version_map(map): A dictionary that maps application names to specific versions that ought to be installed. See also install_packages_force_package_upgrade for a way to upgrade already installed software.
  • install_packages_service_name_list(list): A list containing application names to be installed.
  • install_packages_temp_pw_file(map): Tempfile object where univention app password is stored.
  • install_packages_force_package_upgrade(bool): If set to true already installed application versions are checked and if the installed version differs from what has been specified in install_packages_app_version_map that version is installed instead. Choosing false results in the role ignoring already installed software and skip installation; default: false.
  • install_packages_install_apps(list): A list of applications to install.
  • install_packages_additional_options(string): Additional option that could be set during install.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/deployment_message/README.md

Print a deployment message

This role prints information about playbook, its dependencies and configuration.

Requirements

  • univention.ucs_modules
    • univention_config_registry

Role Variables

  • deployment_message_verification_pause_duration(number): 20
  • deployment_message_external_hostname(string): the host name that is used to talk to the system
  • deployment_message_domain_name(string): the system's dns domain name
  • deployment_message_basedn(string): the LDAP base domain name
  • deployment_message_server_type(string): type of UCS server to set up. The possible options are masterand backup.
  • deployment_message_saml_config_type(string): can be set to "failover" or basically anything else. In "failover" mode a part of the SAML configuration is omitted. "failover" in this case refers to a UCS native SAML failover mode. Any other value will result in the same configuration being deployed, the value therefore is more of a descriptive nature. Recommended values are "loadbalancer", "primary-secondary" or "standalone" with the latter being the default value.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/portal_cookie_banner/README.md

Toggle portal cookie banner

This roles enables/disables a cookie banner in portal frontend.

Requirements

  • univention.ucs_modules
    • univention_config_registry

Role Variables

  • portal_configure_title_basedn(string): The base DN that has been used when setting up the UCS server
  • portal_configure_title_titles(list): The cookie banner title and body.
portal_configure_title_titles:
  de:
    title: "We are using cookies"
    text: ""

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/univention_repository_component/README.md

Univention Repository Component

This role enables a univention repository component.

Requirements

none

Role Variables

  • univention_repository_component_name(string): The name of customer debian repository.
  • univention_repository_component_parts(string): The part of customer debian repository.
  • univention_repository_component_prefix(string): The prefix of customer debian repository.
  • univention_repository_component_server(string): The server of customer debian repository.
  • univention_repository_component_username(string): The username of customer debian repository.
  • univention_repository_component_password(string): The password of customer debian repository.
  • univention_repository_component_version(string): The version of customer debian repository.
  • univention_repository_component_unmaintained(bool): Toggle unmaintained status of customer debian repository.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/configure_office_suite/README.md

Configure office suite

This role configures the chosen office suite and installs it.

Requirements

none

Role Variables

  • configure_office_suite_office_suite(string): Define the to be installed office suite. Defaults to collabora-online. A list of supported suites is defined in configure_office_suite_supported_office_suites; default: "collabora-online".
  • configure_office_suite_supported_office_suites(list): A list of supported office suites that can be installed using this role. This variable is set in the role's defaults/main.yml and should not be changed.
  • configure_office_suite_onlyoffice_formats(map): A map of onlyoffice file formats to be enabled or disabled.
  • configure_office_suite_collabora_license_key(string): Include a valid license for collabora-online.
  • configure_office_suite_app_version_map(map): A dictionary that maps application names to specific versions that ought to be installed.
  • configure_office_suite_temp_pw_file(map): Tempfile object where univention app password is stored.
  • configure_office_suite_install_apps(list): A list of applications to install.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/configure_repository/README.md

Configure repository

Configure repository URLs to use own apt repository server.

Requirements

  • univention.ucs_modules
    • univention_config_registry

Role Variables

  • configure_repository_default_repository_prefix(string): Define access method, either "http://" or "https://"; default: "https://".
  • configure_repository_default_repository_server(string): The repository server without any prefix or suffix or path.
  • configure_repository_default_repository_path(string): The repository path/suffix where repository could be found on server.
  • configure_repository_default_repository_username(string): Optionally configure username for authentication.
  • configure_repository_default_repository_password(string): Optionally configure password for authentication.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/configure_apps_postfix/README.md

Configure Postfix (apps)

This role modifies postfix configuration.

Requirements

  • univention.ucs_modules
    • univention_config_registry

Role Variables

  • configure_apps_postfix_domain_name(string): The system's dns domain name.
  • configure_apps_postfix_external_hostname(string): The host name that is used to talk to the system.
  • configure_apps_postfix_relay_port(number): The port that is used to talk to the system; default: 25.
  • configure_apps_postfix_use_relay_host(bool): Toggles if a SMTP relay host should be used; default: false.
  • configure_apps_postfix_relay_host(string): The SMTP relay hostname.
  • configure_apps_postfix_relay_username(string): The SMTP relay username.
  • configure_apps_postfix_relay_password(string): The SMTP relay password.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/univention_remove/README.md

Remove packages with univention-remove

This role installs packages via univention-remove wrapper.

Requirements

none

Role Variables

  • univention_remove_name(string): The name of the package to be removed.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/univention_prune_kernels/README.md

Prune Kernels Univention UCS

This role prunes kernels for UCS servers in order to free space at /boot.

Requirements

none

Role Variables

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/set_ldap_index/README.md

Configure LDAP Index

This role adds/removes additional ldap indexes. Slapd.service is stopped. Run this role only in maintenance. Without extra vars nothing will happen.

Requirements

none

Role Variables

  • set_ldap_index_equality_add(string): The name of the ldap attribute for equality searches to add; default: ""
  • set_ldap_index_presence_add(string): The name of the ldap attribute for presence searches to add; default: ""
  • set_ldap_index_approx_add(string): The name of the ldap attribute for approx searches to add; default: ""
  • set_ldap_index_substring_add(string): The name of the ldap attribute for substring searches to add; default: ""
  • set_ldap_index_equality_rm(string): The name of the ldap attribute for equality searches to remove; default: ""
  • set_ldap_index_presence_rm(string): The name of the ldap attribute for presence searches to remove; default: ""
  • set_ldap_index_approx_rm(string): The name of the ldap attribute for approx searches to remove; default: ""
  • set_ldap_index_substring_rm(string): The name of the ldap attribute for substring searches to remove; default: ""

Dependencies

none

Example Playbook

  • hosts: ucs_master become: true tasks:
    • name: "include role for setting ldap index" ansible.builtin.include_role: name: "roles/set_ldap_index" vars: set_ldap_index_equality_add: "isOxUser" set_ldap_index_approx_rm "aAAARecord"

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/improve_usability_nextcloud/README.md

Improve usability nextcloud

This role disables some unused functionality like: contacts, spreed, mail, calendar.

Requirements

none

Role Variables

none

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/portal_configure_title/README.md

Configure Portal Title

This role configures portal title.

Requirements

none

Role Variables

  • portal_configure_title_basedn(string): The LDAP base domain name.
  • portal_configure_title_titles(list): The new portal titles with locale in format like de_DE "Cool Portal (Univention)".

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/portal_entry/README.md

Portal entry

Create, modify, delete and append portal entries.

Requirements

none

Role Variables

  • portal_entry_base_dn(string): The base DN that has been used when setting up the UCS server
  • portal_entry_entries(list): The portal entries list.
  • portal_entry_install_list(list): Combined apps/services/customization lists.
  • portal_entry_drift_detection(bool): Toggle drift detection and only apply differences; default: true.
  • portal_entry_remove_unscoped(bool): Toggle removal of undefined entries; default: false.

Dependencies

none

Example Playbook

Create a public login and file store

- hosts: all
  tasks:
    - ansible.builtin.include_role:
        name: "univention.ucs_roles.portal_entry"
      vars:
        portal_entry_base_dn: "dc=ansible,dc=univention,dc=de"
        portal_entry_install_list: ["nextcloud"]
        portal_entry_drift_detection: true
        portal_entry_remove_unscoped: false
        portal_entry_entries:
          - name: "Anmeldung"
            anonymous: true
            category: "help"
            description:
              de_DE: "Anmelden"
              en_US: "Login"
            display_name:
              de_DE: "Anmelden"
              en_US: "Login"
            icon_file: "ucs_portal_login_icon.svg"
            link:
              de_DE: "/univention/saml/?location=%2Funivention%2Fportal%2F"
              en_US: "/univention/saml/?location=%2Funivention%2Fportal%2F"
            linktarget: "samewindow"
            parent: "category"
            state: "present"
            type: "entries"
          - name: "Dateien"
            activated: true
            allowed_groups: ["cn=Domain Users,cn=groups,dc=ansible,dc=univention,dc=de"]
            anonymous: false
            category: "Kollaboration"
            description:
              de_DE: "Dateienablage und -austausch"
              en_US: "File storage and exchange"
            display_name:
              de_DE: "Eigene Dateien"
              en_US: "My files"
            icon_file: "ucs_portal_files_icon.svg"
            linktarget: "newwindow"
            link:
              de_DE: "/nextcloud"
              en_US: "/nextcloud"
            only: "nextcloud"
            parent: "category"
            state: "present"
            type: "entries"
            target: "tab_nextcloud"
          # ...

Portal entries

portal_entry_entries:
  - name:           # (string, required) | Name of portal entry.
    activated:      # (boolean)          | Enable/Disable portal entry.
    allowed_groups: # (list)             | A list of LDAP groups the entry should be shown.
    anonymous:      # (boolean)          | Show entry for not logged-in user.
    category:       # (string)           | Name of category/portal the entry should be appended.
    description:    # (map)              | I18n description displayed in portal.
      de_DE:        # (string)           | F.e. german translation.
      en_US:        # (string)           | F.e. english translation.
    display_name:   # (map)              | I18n name displayed in portal.
      de_DE:        # (string)           | F.e. german translation.
      en_US:        # (string)           | F.e. english translation.
    icon_file:      # (string)           | Name of predefined images or local images.
    icon_base64:    # (string)           | Image as base64 encoded string. This variables overrides the input from 'icon_file'!
    link:           # (map)              | Internal or external link.
      de_DE:        # (string)           | F.e. german translation.
      en_US:        # (string)           | F.e. english translation.
    linktarget:     # (string)           | Link target f.e. "samewindow", "newwindow", "embedded" or "useportaldefault".
    target:         # (string)           | Link target name, to open link in the same tab_group. Works only from UCS 5.0.
    only:           # (string)           | Modify when app defined is in `portal_entry_install_list`.
    parent:         # (string)           | The type where entry should be appended, f.e. "category" or "portal".
    state:          # (string, required) | State of entry, should be "present" or "absent".
    type:           # (string)           | The list from parent where entry should be appended. For
                    #                    |  - "category" > possible: "entries"
                    #                    |  - "portal" > possible: "menuLinks", "userLinks"

Limitations

  • Modifying/Removing attributes with whitespaces are not supported by UCS 4.4
  • Drift detection does not detect changes in icons.

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/get_installed_apps/README.md

Get installed univention apps

This role sets a fact with installed univention apps.

Requirements

  • ansible.utils
    • cli_parse

Role Variables

none

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/configure_logrotate/README.md

Configure Logrotate

As is defined on the ucr the log files are rotated the set number of times before being removed. This role is used to set those numbers.

Requirements

  • univention.ucs_modules
    • univention_config_registry

Role Variables

  • configure_logrotate_compress(bool): If this option is activated, log files are compressed during rotation; default: yes
  • configure_logrotate_create(string): Configures mode, owner and group of a log file after rotation; default: 640 root adm
  • configure_logrotate_missingok(bool): If this option is activated, proceed without printing an error message if a logfile is missing; default: yes
  • configure_logrotate_notifempty(bool): If this option is activated, empty logfiles are not rotated; default: yes
  • configure_logrotate_rotate_count(number): The rotation interval for system log files; default: 12
  • configure_logrotate_rotate_handling(string): Log files are rotated according to criterion described by man logrotate.conf; default: weekly
  • configure_logrotate_syslog_rotate_count(number): The rotation interval for syslog file; default: 7 * "rotate/count"
  • configure_logrotate_syslog_rotate_handling(string): Syslog file is rotated according to criterion described by man logrotate.conf; default: daily

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/configure_group_syntax/README.md

Configure group syntax

Configure the group syntax and ensure the consistency on all nodes

Requirements

  • univention.ucs_modules
    • univention_config_registry

Role Variables

  • configure_group_syntax_group_syntax(string): group syntax desired value; default: gid

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/configure_saml_single_server/README.md

Configure SAML single server

This role configures SAML single server.

Requirements

  • univention.ucs_modules
    • univention_config_registry

Role Variables

  • configure_saml_single_server_external_hostname(string): The external hostname that is used to talk to the system.
  • configure_saml_single_server_domain_name(string): The systems domain name.
  • configure_saml_single_server_admin_user_name(string): The UCS administrator's user name, defaults to "Administrator". This variable only is used when joining a backup server. Changing this will NOT change the UCS admin user name, it will only break the backup join scenario.
  • configure_saml_single_server_temp_file(map): Tempfile object where univention app password is stored.
  • configure_saml_single_server_type(string): Which type of UCS server to set up. The possible options are masterand backup. If backup is chosen the following variable also has to be set; default: "master".
  • configure_saml_single_server_basedn(string): The LDAP base dn.
  • configure_saml_single_server_remove_default_saml_provider(bool): When set to true all builtin SAML provider will be removed; default: true.
  • configure_saml_single_server_external_loadbalancer_ip(string): IP address of external load balancer if used.
  • configure_saml_single_server_domain_prefix(string): The external prefix of load balancer

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/workaround_acmetiny_upgrade/README.md

Workaround: Use specific acme tiny version

This role downloads and patches acme-tiny.

Requirements

  • ansible.posix
    • patch

Role Variables

workaround_acmetiny_upgrade_temp_dir(map): Ansible temporary dir for workaround files.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/install_multitenant_acls/README.md

Install multitenant ACLs

Install and configure ACL package.

Requirements

  • univention.ucs_modules
    • univention_config_registry

Role Variables

  • install_multitenant_acls_customer_name(string): The name of customer used inside ACL package.
  • install_multitenant_acls_multitenant_acls(list): A list of acl settings.
    multitenant_acls:
      - tenant_id: "0000"
        admin_password: ""
      - tenant_id: "0001"
        admin_password: ""
      - tenant_id: "0002"
        tenant_short_name: "test"
        admin_password: ""
        mail_domains: []
    
  • install_multitenant_acls_json_path(string): The local path for ACL structure json file.
  • install_multitenant_acls_package_name(string): The customer specific debian package name.
  • install_multitenant_acls_script_name(string): The name of create acl structure script.
  • install_multitenant_acls_keycloak_base(string): The base url for keycloak.
  • install_multitenant_acls_hide_logging(boolean): Toggle template logging; default: true.
  • install_multitenant_acls_server_type(string): The ucs server type; default "master".
  • install_multitenant_acls_customer_repo_name(string): The name of customer debian repository.
  • install_multitenant_acls_customer_repo_parts(string): The part of customer debian repository.
  • install_multitenant_acls_customer_repo_password(string): The password of customer debian repository.
  • install_multitenant_acls_customer_repo_server(string): The server of customer debian repository.
  • install_multitenant_acls_customer_repo_username(string): The username of customer debian repository.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/configure_keycloak_saml/README.md

Configure Keycloak SAML

This role configures Keycloak as SAML provider.

Requirements

none

Role Variables

  • configure_keycloak_saml_basedn(string): The LDAP base dn.
  • configure_keycloak_saml_sp_base_url(string): The Service Provider base url.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/custom_facts/README.md

Custom facts

This role gathers release information and store them on remote system.

Requirements

none

Role Variables

  • custom_facts_templates(list): filename(s) of templates which should be applied; default: ["deployment.fact.j2", "hotfixes.fact.j2"]

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/intercom_service/README.md

Intercom Service

This role installs and comfigures the intercom service. For further information have a look at https://docs.software-univention.de/intercom_service/latest/index.html

Requirements

none

Role Variables

  • intercom_service_hide_logging(boolean): Toggle template logging; default: true.
  • intercom_service_domain_name(string): The domain name. default: ""
  • intercom_service_temp_pw_file: The tmp file within the administrator password.
  • intercom_service_settings_proxy(string): Wether to allow connections via proxy server instead of backend directly; default: "False"
  • intercom_service_settings_client_id(string): The keycloak client ID; default: intercom
  • intercom_service_settings_intercom_url(string): URL where ICS is reachable; default: https://ics.{{ intercom_service_domain_name }}
  • intercom_service_settings_base_url(string): Base URL used to identify with the IdP; default: https://ics.{{ intercom_service_domain_name }}
  • intercom_service_settings_origin_regex(string): Defines the origin CORS regex; default: {{ intercom_service_domain_name }}
  • intercom_service_keycloak_url(string): URL of the Keycloak instance to be used as the IdP; default: https://id.{{ intercom_service_domain_name }}
  • intercom_service_keycloak_realm_name(string): Name of the realm containing the configured OIDC Intercom client; default: ucs
  • intercom_service_matrix_url(string): The URL on which the Matrix server is reachable default: https://matrix.{{ intercom_service_domain_name }}
  • intercom_service_matrix_server_name(string): The server name of the matrix server; default: https://matrix.{{ intercom_service_domain_name }}
  • intercom_service_matrix_login_type(string): The login-type ICS should use on the matrix server; default: uk.half-shot.msc2778.login.application_service
  • intercom_service_matrix_nordeck_mode(string): The connection mode of the Nordeck-bot; default: test
  • intercom_service_nordeck_url(string): The URL on which Nordeck-bot is listening; default: https://meetings-widget-bot.{{ intercom_service_domain_name }}
  • intercom_service_portal_url(string): The URL on which the Univention-Portal is listening; default: https://portal.{{ intercom_service_domain_name }}
  • intercom_service_ox_origin(string): The OX CORS origin setting; default: https://webmail.{{ intercom_service_domain_name }}
  • intercom_service_ox_audience(string): The OIDC audience settings for the OX token request send to the IdP; default: oxoidc
  • intercom_service_nc_url(string): The URL on which Nextcloud is listening on; default: https://fs.{{ intercom_service_domain_name }}
  • intercom_service_nc_origin(string): The Nextcloud CORS origin; default: https://fs.{{ intercom_service_domain_name }}

Dependencies

none

Example Playbook

Intercom Service

- hosts: all
  tasks:
    - name: "Install Intercom Service via Appcenter"
      ansible.builtin.include_role:
        name: "univention.ucs_roles.intercom_service"
      vars:
        intercom_service_hide_logging: false
        intercom_service_domain_name: "ucs.test.intranet"
        intercom_service_temp_pw_file: "{{ temp_file }}"
        intercom_service_keycloak_realm_name: "your_keycloak_realm"

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/ucs_join/README.md

UCS join

This role runs a UCS Join on master or backup servers.

Requirements

  • univention.ucs_modules
    • univention_config_registry

Role Variables

  • ucs_join_derive_root_password_from_hostname(bool): Creates a unique root/admin password that is derived from the host name, or rather the numeric part of it.
  • ucs_join_derive_root_password_prefix(string): The prefix that is used before the numeric part in derived passwords.
  • ucs_join_server_type(string): Which type of UCS server to set up. The possible options are master, backup, slave and member. The default is master, which also means "standalone". If not master is chosen the following variable also has to be set, default: master.
  • ucs_join_master_server(string): In case of a backup, slave or member server (see previous variable) this declares which master server to join. The variable musst be the ip of the master server. In every other case this variable is ignored.
  • ucs_join_admin_user_name(string): The UCS administrator's user name, defaults to "Administrator". This variable only is used when joining a backup server. Changing this will NOT change the UCS admin user name, it will only break the backup join scenario.
  • ucs_join_root_password(string): The machine's root password, if you want version control consider using ansible-vault to encrypt it. If ucs_join_derive_root_password_from_hostname is set to true this variables is ignored.
  • ucs_join_hostname(string): Remote hostname; default {{ inventory_hostname }}.
  • ucs_join_domain_name(string): The system's dns domain name.
  • ucs_join_basedn(string): The LDAP base domain name.
  • ucs_join_nameservers(dict): Configure the nameservers1-3.
  • ucs_join_network_config_type(string): Choose dhcp or static with the former being the default. If you choose static you'll have to add ucs_join_network_config_static-* variable as well; default: dhcp.
  • ucs_join_network_config_static_ip_config(map): The server's IPv4 address in one of the following two forms: <ip address>/<netmask> or CIDR form (<ip address>/<prefix length>. Both forms are functionally equal. Example: 192.168.0.1/255.255.255.240 or 192.168.0.1/28.
  • ucs_join_network_config_static_dns_servers(list): A list of DNS servers to use in case of static network configuration. If ucs_join_server_type is backup this variable is ignored and the master server will be used instead.
  • ucs_join_network_config_static_gateway(string): The server's default router aka internet gateway. This is mandatory for the setup to work.
  • ucs_join_network_config_interface(string): The servers default network interface; default: eth0.
  • ucs_join_network_config_static_additional_interfaces(list): A list of additional interfaces as dictionary
  • ucs_join_network_config_static_routes(list): A list of static routes, which should be attached to interfaces.
  • ucs_join_hide_logging(boolean): Toggle template logging; default: true.

Dependencies

none

Example Playbook

Configure static network interface

- hosts: all
  tasks:
    - ansible.builtin.include_role:
        name: "univention.ucs_roles.ucs_join"
      vars:
        ucs_join_network_config_type: "static"
        ucs_join_network_config_interface: "eth0"
        ucs_join_network_config_static_ip_config: "10.20.30.40/24"
        ucs_join_network_config_static_gateway: "10.20.30.1"
        ucs_join_network_config_static_dns_servers:
          - "8.8.8.8"
          - "8.8.4.4"
        # ...

Configure additional network interfaces

- hosts: all
  tasks:
    - ansible.builtin.include_role:
        name: "univention.ucs_roles.ucs_join"
      vars:
        ucs_join_network_config_type: "static"
        ucs_join_network_config_static_additional_interfaces:
          ens10: "10.20.30.40/24"
          ens11: "20.30.40.50/24"
        # ...

Configure additional network routes

- hosts: all
  tasks:
    - ansible.builtin.include_role:
        name: "univention.ucs_roles.ucs_join"
      vars:
        ucs_join_network_config_static_routes:
          - interface: "ens10"
            index: 0
            route: "host 10.10.0.1 metric 200"
          - interface: "ens10"
            index: 1
            route: "net 10.10.0.0 netmask 255.255.0.0 gw 10.10.0.1 metric 100"
        # ...

Configure nameservers

Matrix: How the nameservers should configured.

All domaincontroller_* has a dns server installed.

domaincontroller_master domaincontroller_backup domaincontroller_slave memberserver
nameserver1 host_ip_address host_ip_address host_ip_address domaincontroller_master
nameserver2 fallback_nameserver domaincontroller_master domaincontroller_master domaincontroller_backup
nameserver3 fallback_nameserver domaincontroller_backup domaincontroller_slave
- hosts: all
  tasks:
    - ansible.builtin.include_role:
        name: "univention.ucs_roles.ucs_join"
      vars:
        ucs_join_nameservers:
          nameserver1:
            # local ip
            server: "{{ ansible_local['ucr']['interfaces/' + ansible_local['ucr']['interfaces/primary'] + '/address'] }}"
          nameserver2:
            server: "8.8.8.8"
            state: 'present'
          nameserver3:
            state: 'absent'

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/univention_install/README.md

Install packages with univention-install

This role installs packages via univention-install wrapper.

Requirements

none

Role Variables

  • univention_install_name(string): The name of the package to be installed.
  • univention_install_clear_apt_cache(bool): Clear all downloaded packages to reduce package conflicts; default: false.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/configure_amazon_metadata_server/README.md

Configure amazon metadata server

Enable or disable UCS calling Amazon's metadata server

Requirements

  • univention.ucs_modules
    • univention_config_registry

Role Variables

  • configure_amazon_metadata_server_call(boolen): Defines if the amazon metadata server should be called; default: false

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/univention_upgrade/README.md

Upgrade Univention UCS

This role upgrade UCS to a specific version.

Requirements

none

Role Variables

  • univention_upgrade_version(string): The UCS' version number to upgrade to; default: "4.4-99".
  • univention_upgrade_clear_apt_cache(bool): Clear all downloaded packages to reduce package conflicts; default: false.
  • univention_upgrade_removal_check(bool): Check if packages will be removed during upgrade; default: false.
  • univention_upgrade_reboot_after_upgrade(bool): Reboot UCS after package upgrade; default: false.
  • univention_upgrade_app_updates(bool): Upgrade apps during univention-upgrade; default: false.
  • univention_upgrade_username(string): Username of administrative user for app updates; default: Administrator.
  • univention_upgrade_password_file(string): Path to the file on the server that contains the user password if univention_upgrade_app_updates=true; default: "".

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/umc_permissions/README.md

Update UMC permissions

This role updates UMC permissions.

Requirements

  • univention.ucs_modules
    • univention_config_registry

Role Variables

  • umc_permissions_basedn(string): The LDAP base domain name.
  • umc_permissions_passwordreset_blacklist_groups(string): The name of LDAP groups which are not allowed to reset their password.
  • umc_permissions_passwordreset_whitelist_groups(string): The name of LDAP groups which are allowed to reset their password.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/ldapsearch_user/README.md

LDAPSearch user

This role adds specific LDAPSearch users.

Requirements

none

Role Variables

  • ldapsearch_user_basedn(string): The LDAP base DN.
  • ldapsearch_user_server_type(string): Which type of UCS server to set up. The possible options are masterand backup. The default is master, which also means "standalone". If backup is chosen the following variable also has to be set; default: master.
  • ldapsearch_user_hide_logging(boolean): Toggle template logging; default: true.
  • ldapsearch_user_list(list): A list of ldapsearch users to create.
  • ldapsearch_user_list_tenantbased(list): A list of LDAPSearch users to create.

Dependencies

none

Example Playbook

Configure LDAPSearch user

- hosts: all
  tasks:
    - ansible.builtin.include_role:
        name: "univention.ucs_roles.ldapsearch_user"
      vars:
        ldapsearch_user_list:
          - username: "ldapsearch_example"
            name: "Name of LDAPSearch user"           # optional; default value from username
            lastname: "Lastname of LDAPSearch user"   # optional; default value from username
            password: "SuperSecretPassword"
        # ...

Configure LDAPSearch user (per tenant)

- hosts: all
  tasks:
    - ansible.builtin.include_role:
        name: "univention.ucs_roles.ldapsearch_user"
      vars:
        ldapsearch_user_list_tenantbased:
          - username: "ldapsearch_example"
            name: "Name of LDAPSearch user"                  # optional; default value from username
            lastname: "Lastname of LDAPSearch user"          # optional; default value from username
            password: "SuperSecretPassword"
            tenant_ou: "ou=users,ou=root,ou=0001,ou=tenants" # position in LDAP
        # ...

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/configure_apps_owncloud/README.md

Configure Owncloud (apps)

Configure UCS app owncloud.

Requirements

none

Role Variables

none

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/hardening/README.md

Hardening system

This role reduces security risks by disabling default settings, like root login.

Requirements

  • univention.ucs_modules
    • univention_config_registry

Role Variables

  • hardening_disable_http(bool): If set to true, http will be disabled in apache2. Only https will be available; default: true
  • hardening_hsts(bool): If set to true HTTP Strict Transport Security is enabled for apache2 ; default: true
  • hardening_apache2_ssl_tlsv13(bool): If set to true ssl tlsv11 and tlsv12 are disabled for apache2; default: true
  • hardening_apache2_server_tokens(string): Set apache2 configuration to Prod, Major, Minor, Min, OSor Full. Details: https://httpd.apache.org/docs/2.4/mod/core.html#servertokens ; default: Prod
  • hardening_apache2_server_signature(string): Set apache2 configuration to Off , EMail or On. Details: https://httpd.apache.org/docs/2.4/mod/core.html#serversignature ; default: Off
  • hardening_honorcipherorder(string): During the negotiation of cryptographic algorithms during the setup of a SSL/TLS connection the preference of the client is used by default. If this option is enabled, the preference of the server is used instead. The list of algorithms offered by Apache can be configured with the variable 'apache2/ssl/ciphersuite'; default: true
  • hardening_ciphersuite(string): his configures the cryptopgraphic algorithms which are offered to clients during a SSL handshake. The format is described at http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslciphersuite; default: HIGH
  • hardening_umc_session_cookie(bool): If set to true the login cookie is a session cookie. Closing the browser will delete the cookie, effectively logging out the user; default: true
  • hardening_umc_secure_cookie(bool): If set, cookies are set with the secure attribute if the connection is using HTTPS; default: true
  • hardening_umc_cookie_samesite(string): Set the SameSite cookie attribute for UMC cookies. Possible values: Strict, Lax and None; default: Strict
  • hardening_saml_idp_language_cookie_samesite(string): Set the SameSite attribute in sthe language cookie attribute of SAML IDP. Possible values: Strict, Lax and None; default: Strict
  • hardening_saml_idp_session_cookie_samesite(string): Set the "SameSite" attribute in the session cookie of SAML IDP. Possible values: Strict, Lax and None; default: Strict
  • hardening_saml_idp_session_cookie(bool): If set to true the "Secure" attribute in the session cookie is activated. default: true
  • hardening_saml_idp_language_cookie(bool): If set to true the "Secure" attribute in the language cookie is activated. default: true
  • hardening_disable_umc_http_tracebacks(bool): If set to true tracebacks are no longer shown to the user in error case for umc; default: true
  • hardening_disable_udm_rest_tracebacks(bool): If set to true tracebacks are no longer shown to the user in ror case for udm REST; default: true
  • hardening_disable_saml_idp_errors(bool): If set to true tracebacks are no longer shown to the user in error case for the saml idp; default: true
  • hardening_disable_saml_idp_error_reporting(bool): If set to true error information and stack traces can not be reported via email to the technical contact mail address; default: true

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/configure_ntp_servers/README.md

Configure NTP servers

This role configures NTP timeservers.

Requirements

  • univention.ucs_modules
    • univention_config_registry

Role Variables

  • configure_ntp_servers_timeservers(list): A list of ntp server addresses; default ["ptbtime1.ptb.de", "ptbtime2.ptb.de", "ptbtime3.ptb.de"]

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/configure_keycloak_client/README.md

Configure keycloak client

This role configures ucs to properly use keycloak.

Requirements

none

Role Variables

  • configure_keycloak_client_oidc_broker_secret(string): The client password used in the IDP creation.
  • configure_keycloak_client_keycloak_password(string): The keycloaks password.
  • configure_keycloak_client_basedn(string): The LDAP base domain name.
  • configure_keycloak_client_keycloak_server_id(string): The OpenID Connect IDP broker ID. This is used in both config modes.
  • configure_keycloak_client_keycloak_server(string): The server the UCS system with authenticate against.
  • configure_keycloak_client_config_type(string): This variable determines if the keycloak server configuration is done using this role (dynamic) or if things already have been configured and only the UCS side has to be configured (static). dynamic usually is used for setups with a lot of turnover, static is used in a more static environment. If set to 'none' keycloak configuration as a whole will be skipped, including the "client" side; default: dynamic.
  • configure_keycloak_client_hostname(string): The systems hostname; default: "{{ inventory_hostname }}"

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/extend_root_lvm_volume/README.md

Extend root LVM volume

Extend the root volume to all available space. Helpful when using a prebuild image and additional space is required.

Requirements

  • community.general
    • parted
    • lvg
    • lvol

Role Variables

  • extend_root_lvm_volume_extend_lvm_to_whole_disk(bool): If true, root volume is extended to available space; default: true
  • extend_root_lvm_volume_lvm_disk(string): The "physical" disk to partition without the "/dev/" part, for instance "sda" for "/dev/sda". Defaults to what is used in the Univention QCOW image; default: "vda"
  • extend_root_lvm_volume_lvm_vg_name(string): The volume group the data volume resides in. Defaults to what is used in the Univention QCOW image; default: "vg_ucs"
  • extend_root_lvm_volume_lvm_data_volume(string): The LVM name used for the data volume. Defaults to what is used in the Univention QCOW image; default: "root"
  • extend_root_lvm_volume_existing_lvm_partition_number(number): The existing lvm partition number. Defaults to what is used in the Univention QCOW image; default: 2

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/ucs_add_admin_user/README.md

Add UCS admin user

This role adds an administrative UCS user.

Requirements

none

Role Variables

  • ucs_add_admin_user_basedn(string): The LDAP base domain name.
  • ucs_add_admin_user_username(string): The username for the administrative user.
  • ucs_add_admin_user_firstname(string): The firstname for the administrative user.
  • ucs_add_admin_user_lastname(string): The lastname for the administrative user.
  • ucs_add_admin_user_password(string): The password for the administrative user.
  • ucs_add_admin_user_recoveryemail(string): The recovery email address for the administrative user.
  • ucs_add_admin_user_attrib_list(map): A map of attributes & values to set for the administrative user.
  • ucs_add_admin_user_group_list(list): A list of group names to append the administrative user to.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/improve_usability_user_config/README.md

Improve usability user configuration

This role improves user configuration.

Requirements

  • univention.ucs_modules
    • univention_config_registry

Role Variables

  • improve_usability_user_config_basedn(string): The LDAP base domain name.
  • improve_usability_user_config_external_hostname(string): The host name that is used to talk to the system.
  • improve_usability_user_config_install_apps(list): A list of applications to install.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/force_package_list_update/README.md

Force package list update

This role updates univention and apt package lists.

Requirements

none

Role Variables

none

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/set_feedback_mail_address/README.md

Set feedback mail address

Requirements

  • univention.ucs_modules
    • univention_config_registry

Role Variables

  • set_feedback_mail_address_web_feedback_mail(string): Email address configured to send the traceback if occurs an error in the Univention Management Console; default: [email protected]

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/configure_monitoring/README.md

Configure Monitoring

This role configures monitoring related settings.

Requirements

  • univention.ucs_modules
    • univention_config_registry

Role Variables

  • configure_monitoring_ldap_enabled(string): Toggle ldap/monitor ucr setting; default: "true".

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/set_dns_glue_record/README.md

Set DNS Glue record

Set a DNS Nameserver Glue record.

Requirements

none

Role Variables

  • set_dns_glue_record_create_external_hostname_glue_record(bool): If set to true a DNS Glue record is set if not already exists; default: `true
  • set_dns_glue_record_fqdn(string): Use this variable if remotes hostname is only available as FQDN or set set_dns_glue_record_host_namedirectly.
  • set_dns_glue_record_host_name(string): Use this variable for remotes hostname otherwise use set_dns_glue_record_fqdn for FQDN hostnames.
  • set_dns_glue_record_domain_name(string): Use this variable to set remotes domain name or set set_dns_glue_record_superordinatedirectly.
  • set_dns_glue_record_basedn(string): Use this variable to set remotes base domain name or set set_dns_glue_record_superordinatedirectly.
  • set_dns_glue_record_superordinate(string): Define superordinate user use set_dns_glue_record_domain_name and set_dns_glue_record_basedn.
  • set_dns_glue_record_glue_record_nameserver(string): The target nameserver as FQDN that is used to resolve the external hostname.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/configure_sso_openid/README.md

Configure SSO OpenID Connect

This role configures OpenID Connect OIDC for apps like open-xchange or nextcloud.

Requirements

  • univention.ucs_modules
    • univention_config_registry

Role Variables

  • configure_sso_openid_app_version_map(map): A dictionary that maps application names to specific versions that ought to be installed.
  • configure_sso_openid_temp_pw_file(map): Tempfile object where univention app password is stored.
  • configure_sso_openid_install_apps(list): A list of applications to install.
  • configure_sso_openid_basedn(string): The systems base dn.
  • configure_sso_openid_signing_method(string): The signing method; default: "RS256".
  • configure_sso_openid_external_hostname(string): The external hostname that is used to talk to the system.
  • configure_sso_openid_clients(map): A map of client configurations, supported nexcloud and ox.

Dependencies

none

Example Playbook

Configure OpenID clients

- hosts: all
  tasks:
    - ansible.builtin.include_role:
        name: "univention.ucs_roles.configure_sso_openid"
      vars:
        configure_sso_openid_clients:
          nextcloud:
            name: "nextcloud"
            clientid: "nextcloud"
            clientsecret: "notverysafe"
          ox:
            name: "open-xchange"
            clientid: "open-xchange"
            clientsecret: "notverysafe"
        # ...

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/install_lets_encrypt/README.md

Install letsencrypt

This role installs letsencrypt and configures it. It supports letsencrypt staging as well.

Requirements

  • univention.ucs_modules
    • univention_config_registry

Role Variables

  • install_lets_encrypt_use_letsencrypt_staging(bool): When false it uses regular let's encrypt certificates, true switches to the staging area for testing purposes; default: false.
  • install_lets_encrypt_implement_ugly_letsencrypt_workaround(bool): Work around bugs in the let's encrypt staging implementation. This patches files in the univention letsencrypt app; default: false.
  • install_lets_encrypt_temp_pw_file(map): Ansible temporary password file.
  • install_lets_encrypt_temp_dir(map): Ansible temporary dir.
  • install_lets_encrypt_service_version_map(map): A dictionary that maps service names to specific versions that ought to be installed. See also install_packages_force_package_upgrade for a way to upgrade already installed software.
  • install_lets_encrypt_service_name_list(list): A list containing service names to be installed.
  • install_lets_encrypt_force_package_upgrade(bool): If set to true already installed application versions are checked and if the installed version differs from what has been specified in install_lets_encrypt_service_version_map that version is installed instead. Choosing false results in the role ignoring already installed software and skip installation; default: false.
  • install_lets_encrypt_external_hostname(string): The host name that is used to talk to the system.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/install_service_new_portal/README.md

Install new portal (service)

This role installs and configures new portal.

Requirements

none

Role Variables

  • install_service_new_portal_service_version_map(map): A dictionary that maps service names to specific versions that ought to be installed. See also install_service_new_portal_force_package_upgrade for a way to upgrade already installed software.
  • install_service_new_portal_force_package_upgrade(bool): If set to true already installed application versions are checked and if the installed version differs from what has been specified in install_service_new_portal_service_version_map that version is installed instead. Choosing false results in the role ignoring already installed software and skip installation; default: false.
  • install_service_new_portal_temp_file(map): Ansible temporary dir.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/configure_password_policies/README.md

Configure UCS Password Policies

This role configures password policies via UCR. A dn of a policy is required. All users with this plocicy referenced will get these settings.

Requirements

  • univention.ucs_modules
    • univention_config_registry
    • univention_directory_manager

Role Variables

  • configure_password_policies_dn(string): At least there should be one policy with activated Checks. The full dn is needed; default: not set
  • configure_password_policies_quality_min_lenght(string): Sets the minimum password length; default: 8
  • configure_password_policies_quality_required_chars(string): Sets required chars for setting new passwords; default: none
  • configure_password_policies_quality_forbidden_chars(string): Sets forbidden chars for setting new passwords; default: none
  • configure_password_policies_quality_credit_digits(string): Sets the minimum number of digits in the new password; ; default: 1
  • configure_password_policies_quality_credit_upper(string): Sets the minimum number of upper case letters; default: 1
  • configure_password_policies_quality_credit_other(string): Sets the minimum number of chars wich are neither digits nor letters; default: 1
  • configure_password_policies_quality_credit_lower(string): Sets the minimum number of lower case letters; default: 1
  • configure_password_policies_quality_mspolicy(string): Sets the microsoft policy complexity criteria. If 1,true or yes this will b eon top of the dafault python-cracklib. If sufficient only ms policy complexity will be used and if false only python-cracklib will be used. default: 1

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/workaround_high_mtu/README.md

Workaround: Fix MTU for Docker

When MTU in Docker 1500 is higher than the one for network interface, this role sets the Docker MTU to 1400.

Requirements

none

Role Variables

none

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/configure_network_interface_names/README.md

Configure network interface names

This role configures network interface names as GRUB boot parameter, resulting in network interface names like eth0.

Requirements

  • univention.ucs_modules
    • univention_config_registry

Role Variables

  • configure_network_interface_names_use_old_names(boolean): Set the GRUB parameter for old interface names; default: true.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/disable_ipv6/README.md

Disable IPv6

This role disables IPv6 on system via modprobe.

Requirements

  • ansible.posix
    • sysctl

Role Variables

none

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/install_apps_ox_post/README.md

Post installation steps of OpenXchange (OX)

This role configures OX.

Requirements

  • univention.ucs_modules
    • univention_config_registry
  • community.crypto
    • openssl_pkcs12
  • community.general
    • java_cert

Role Variables

  • install_apps_ox_post_basedn(string): The LDAP base domain name.
  • install_apps_ox_post_external_hostname(string): The host name that is used to talk to the system.
  • install_apps_ox_post_ox_keystore_passphrase(string): The passphrase for ox keystore.
  • install_apps_ox_post_ox_drive_default(string): Toggle OXDrive by setting 0for disabled and 1 for enabled; default: 0.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/update_users_ssh_keys/README.md

Update users SSH keys

This role adds and removes SSH keys from user.

Requirements

  • ansible.posix
    • authorized_key

File Structure

files/
 |
 +-- ssh_keys/
 |   |
 |   +-- add/
 |   |   |
 |   |   +-- *.pubkey
 |   |
 |   +-- remove/
 |       |
 |       +-- *.pubkey

Role Variables

  • update_users_ssh_keys_user(string): Name of local user where SSH keys should be added/removed.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/add_local_user/README.md

Add local user

This role creates a local user with ssh login permissions.

Requirements

  • univention.ucs_modules
    • univention_config_registry

Role Variables

  • add_local_user_user(map): A map containing user information:
add_local_user_user:
    name:         # username; default; "ansible"
    comment:      # user comment; default: "ansible user"
    password:     # hashed password of user; default:  "{{ "ansible"|password_hash('sha512') }}"
    sshkey_file:  # ssh key filename; default: empty
    sshkey:       # ssh key as string; default: empty
    state:        # toggle if user should be present or absent; default: present
  • add_local_user_default_shell(string): Default user shell; default: /bin/bash
  • add_local_user_default_password_policy(string): Default password update policy. Possible values are "on_create" and "always"; default "on_create".
  • add_local_user_system_user(bool): true if the user should be a system user instead of a human; default: true.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/install_branding/README.md

Install branding package

This role installs a customer branding package.

Requirements

  • univention.ucs_modules
    • univention_config_registry

Role Variables

  • install_branding_customer_repo_name(string): The name of customer debian repository.
  • install_branding_customer_repo_parts(string): The part of customer debian repository.
  • install_branding_customer_repo_password(string): The password of customer debian repository.
  • install_branding_customer_repo_server(string): The server of customer debian repository.
  • install_branding_customer_repo_username(string): The username of customer debian repository.
  • install_branding_customer_branding_package(string): Set the name of the Debian Branding Package in the Univention Customer Repository.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/configure_license/README.md

Configure UCS license

This role helps to apply an existing license file or claims a new license from shop.

Requirements

none

File Structure

files/
 |
 +-- license_client.py

Role Variables

  • configure_license_validity(string): The validity period for the license in a format GNU date is able to understand as a time period, like "12 weeks".
  • configure_license_shop_password(string): The shop user's password, best stored in a secrets manager or encrypted via ansible-vault.
  • configure_license_shop_id(number): Which license shop to use when obtaining a new license for the server.
  • configure_license_shop_username(string): The shop's user name, needed for authentication.
  • configure_license_max_users(number): How many users to allow on the server.
  • configure_license_basedn(string): The LDAP base domain name.
  • configure_license_type(string): Choose one of local_license or server_license. When choosing local_license a license file name has to be provided otherwise choose server_license and one is generated; default: server_license.
  • configure_license_file(string): If configure_license_type set to local_license then provide license file name here; default: false.
  • configure_license_server_type(string): Which type of UCS server to set up. The possible options are masterand backup. The default is master, which also means "standalone". If backup is chosen the following variable also has to be set; default: master.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/portal_category/README.md

Portal category

Create, modify and delete portal categories

Requirements

none

Role Variables

  • portal_category_base_dn(string): The base DN that has been used when setting up the UCS server
  • portal_category_categories(list): The portal categories list.
  • portal_category_install_list(list): Combined apps/services/customization lists.
  • portal_category_drift_detection(bool): Toggle drift detection and only apply differences; default: true.
  • portal_category_remove_unscoped(bool): Toggle removal of undefined categories; default: false.

Dependencies

none

Example Playbook

- hosts: all
  tasks:
    - ansible.builtin.include_role:
        name: "univention.ucs_roles.portal_category"
      vars:
        portal_category_base_dn: "dc=ansible,dc=univention,dc=de"
        portal_category_install_list: ["nextcloud"]
        portal_category_drift_detection: true
        portal_category_remove_unscoped: false
        portal_category_categories:
          - name: "domain-service"
            display_name:
              de_DE: "Applikationen"
              en_US: "Applications"
            state: "present"
            parent: "domain"
          - name: "domain-admin"
            display_name:
              de_DE: "Verwaltung"
              en_US: "Administration"
            state: "present"
            parent: "domain"
          - name: "local-admin"
            display_name:
              de_DE: "Verwaltung"
              en_US: "Administration"
            state: "present"
            parent: "local"
          # ...

Portal categories

portal_category_categories:
  - name:           # (string, required) | Name of portal category.
    display_name:   # (map)              | I18n name displayed in portal.
      de_DE:        # (string)           | F.e. german translation.
      en_US:        # (string)           | F.e. english translation.
    only:           # (string)           | Modify when app defined is in `portal_category_install_list`.
    parent:         # (string)           | The name of portal where the category should be appended to, f.e. "domain".
    state:          # (string, required) | State of entry, should be "present" or "absent".
    ucs_versions:   # (list)             | A list of UCS version in which the category should be modified. When no
                    #                    |   version is omitted, category will be modified on ALL ucs versions.

Limitations

  • Modifying/Removing attributes with whitespaces are not supported by UCS 4.4

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/configure_nextcloud_turn/README.md

Configure TURN server of Nextcloud Talk

This role configures the Nextcloud Talk TURN server.

Requirements

none

Role Variables

  • configure_nextcloud_turn_secret(string): The TURN server secret.
  • configure_nextcloud_turn_url(string): The URL of the TURN server.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/disable_piwik_tracking/README.md

Toogle piwik tracking

This role enables/disables piwik tracking of UCS.

Requirements

  • univention.ucs_modules
    • univention_config_registry

Role Variables

  • disable_piwik_tracking_disable(bool): Toggles piwik tracking of installation. When set to true, tracking is disabled; default: true.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/configure_nextcloud_saml/README.md

Configure nextcloud SAML

This role configures nextcloud for SAML single server.

Requirements

none

Role Variables

none

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/configure_apps_nextcloud/README.md

Configure Nextcloud (apps)

Configure UCS app nextcloud.

Requirements

none

Role Variables

none

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/custom_facts_finished/README.md

Custom facts (finished)

Store rollout finished information in custom facts directory.

Requirements

none

Role Variables

none

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

About

Ansible roles to setup, configure and deploy UCS

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published