mirror of https://github.com/univention/ansible-roles.git synced 2025-10-26 11:17:24 +00:00

Ansible roles to setup, configure and deploy UCS

Go to file

Univention Commit Service b40f7d407a Release (23.08.2024)		2024-08-23 15:40:12 +00:00
meta	Release (03.05.2023)	2023-05-03 21:00:39 +00:00
roles	Release (23.08.2024)	2024-08-23 15:40:12 +00:00
.ansible-lint	Release (08.05.2023)	2023-05-08 10:24:00 +00:00
.flake8	Release (31.08.2021)	2021-08-31 14:46:22 +00:00
.gitignore	Release (06.12.2021)	2021-12-06 11:37:46 +00:00
.pre-commit-config.yaml	Release (03.05.2023)	2023-05-03 21:00:39 +00:00
.releaserc	Release (28.05.2021)	2021-05-28 20:57:09 +00:00
.yamllint	Release (28.10.2021)	2021-10-28 10:46:04 +00:00
galaxy.yml	Release (03.05.2023)	2023-05-03 21:00:39 +00:00
README.md	Release (23.08.2024)	2024-08-23 15:40:12 +00:00

README.md

UCS Ansible Roles

This repository only contains ansible roles usable in an ansible-playbook to install and bootstrap UCS.

Modules

roles/modify_ucs_ca/README.md

Modify UCS certs

Modify exisiting univention certificates.

Requirements

none

Role Variables

modify_ucs_ca_external_domain_name(string): The external domain name.
modify_ucs_ca_external_domain_part(string): The part of an external domain eventually excluding fist subdomain.
modify_ucs_ca_external_domain_prefix(string): The first subdomain if exists.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/improve_usability_ui_changes/README.md

Improve usability ui changes.

This role will improve ui.

Requirements

none

Role Variables

improve_usability_ui_changes_basedn(): The LDAP base domain name.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/ox_connector/README.md

OX Connector

This role configures and install OX connector.

Requirements

univention.ucs_modules
- univention_config_registry

Role Variables

ox_connector_basedn(string): The LDAP base dn.
ox_connector_domain_name(string): The system's dns domain name.
ox_connector_domain_prefix(string): The system's dns domain prefix. Useful when OX server is in same network
ox_connector_default_context (string): The default context that is being assigned to objects when there is no explicit definition; default: 9999
ox_connector_soap_prefix(string): The ox soap server prefix; default: ox-provisioning.
ox_connector_app_version_map(map): A dictionary that maps application names to specific versions that ought to be installed.
ox_connector_temp_pw_file(map): Tempfile object where univention app password is stored.
ox_connector_master_admin(string): The name of OX administrator.
ox_connector_master_password(string): The password of OX administrator.
ox_connector_server_type(string): Which type of UCS server to set up. The possible options are masterand backup. The default is master, which also means "standalone". If backup is chosen the following variable also has to be set; default: master.
ox_connector_template_name(string): The name of default ox access template; default: "standard".
ox_connector_hide_logging(boolean): Toggle logging of sensitive information like password; default: true.
ox_connector_usertemplate_name(string): Name of the User Template to be used, while creating a new user; default: "Benutzer mit Groupware-Konto".
ox_connector_imap_server(string): How the user in OX will connect to the IMAP backend, this value is relative to the OX AppSuite middleware server; default: imap://127.0.0.1:143
ox_connector_smtp_server(string): How the user in OX will connect to the SMTP service, this value is relative to the OX AppSuite middleware server; default: smtp://127.0.0.1:26

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/configure_network_proxy/README.md

Configure network proxy

This role configures network proxy via UCR.

Requirements

univention.ucs_modules
- univention_config_registry

Role Variables

configure_network_proxy_enabled(boolean): Toggle network proxy usage
configure_network_proxy_http_proxy(string): The HTTP proxy server, e.g. http://192.168.1.100:3128. If the proxy requires authentication, the username and the password can be provided in the format http://username:password@192.168.1.100:3128.
configure_network_proxy_https_proxy(string): The HTTPS proxy server, e.g. https://192.168.1.100:3128. If the proxy requires authentication, the username and the password can be provided in the format https://username:password@192.168.1.100:3128.
configure_network_proxy_no_proxy(string): A comma-separated list of domain names for which the proxy should not be consulted. An exception for a domain like univention.de also applies to a subdomain like apt.univention.de.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/install_nextcloud_app/README.md

Install app for nextcloud

This role installs an app for nextcloud

Requirements

none

Role Variables

install_nextcloud_app_name(string): The name of nextcloud app to be installed from store.
install_nextcloud_app_opertation(string): Define operation mode; default: "install".

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/univention_firewall/README.md

Univention firewall rules.

========= Manage predefined univention-firewall rules.

Requirements

univention.ucs_modules
- univention_config_registry

Role Variables

univention_firewall_telegraf(string): Set firewall status of telegraf service; default: "ACCEPT".

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/install_service_selfservices/README.md

Install selfservices service

This role installs selfservice services.

Requirements

univention.ucs_modules
- univention_config_registry

Role Variables

install_service_selfservice_service_version_map(map): A dictionary that maps service names to specific versions that ought to be installed. See also install_service_selfservice_force_package_upgrade for a way to upgrade already installed software.
install_service_selfservice_temp_file(map): Ansible temporary dir.
install_service_selfservice_force_package_upgrade(bool): If set to true already installed application versions are checked and if the installed version differs from what has been specified in install_service_selfservice_service_version_map that version is installed instead. Choosing false results in the role ignoring already installed software and skip installation; default: false.
install_service_selfservice_external_hostname(string): The host name that is used to talk to the system.
install_service_selfservice_install_services(list): A list of services to install.
install_service_selfservice_domain_name(string): The LDAP base domain name.
install_service_selfservice_password_reset_filename(string): The name of password reset template.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/remove_packages/README.md

Remove packages

This role removes univention apps with/without fixed versions.

Requirements

none

Role Variables

remove_packages_app_version_map(map): A dictionary that maps application names to specific versions that ought to be installed. See also install_packages_force_package_upgrade for a way to upgrade already installed software.
remove_packages_temp_pw_file(map): Tempfile object where univention app password is stored.
remove_packages_force_package_upgrade(bool): If set to true already installed application versions are checked and if the installed version differs from what has been specified in install_packages_app_version_map that version is installed instead. Choosing false results in the role ignoring already installed software and skip installation; default: `false
remove_packages_remove_apps(list): A list of applications to install.
remove_packages_app_version_map(map): A map of packages with/without version to be removed.
remove_packages_service_name_list(list): A list containing application names to be installed.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/configure_apps_postfix_relay/README.md

Configure Postfix relay (apps)

This role modifies postfix relay configuration.

Requirements

univention.ucs_modules
- univention_config_registry

Role Variables

configure_apps_postfix_relay_enabled(bool): Toggles if a SMTP relay host should be used; default: false.
configure_apps_postfix_relay_port(number): The port that is used to talk to the system; default: 25.
configure_apps_postfix_relay_host(string): The SMTP relay hostname.
configure_apps_postfix_relay_username(string): The SMTP relay username.
configure_apps_postfix_relay_password(string): The SMTP relay password.
configure_apps_postfix_relay_hide_logging(boolean): Toggles output logging for sensible information; default: true.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/configure_directory_manager/README.md

Configure directory manager

This role configures directory manager settings.

Requirements

univention.ucs_modules
- univention_config_registry

Role Variables

configure_directory_manager_mailprimaryaddress_required(bool): Toggles if mailPrimaryAddress should be required; default: false.
configure_directory_manager_firstname_required(bool): Toggles if forename should be required; default: false.
configure_directory_manager_wizard_disabled(string): Toggles the wizard. When set to Yes, wizard is enabled; default: No.
configure_directory_manager_invite_default(string): Toggles the default invitation behaviour; default: "True".
configure_directory_manager_overridepwlength_visible(string): Toggles wether the password length override is visible; default: "False".
configure_directory_manager_overridepwlength_default(string): Sets default value for password length override; default: "False".
configure_directory_manager_pwdchangenextlogin_visible(string): Toggles wether password change on next login is visible; default: "False".
configure_directory_manager_pwdchangenextlogin_default(string): Sets default value for password change on next login; default: "True".
configure_directory_manager_autosearch(string): Toggles wether the user autosearch is enabled; default: "False".
configure_directory_manager_username_syntax(string): Set the username syntax; default "uid".

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/configure_error_detail_show/README.md

Configure error detail show

This role configures if the error messages will display the details.

Requirements

univention.ucs_modules
- univention_config_registry

Role Variables

configure_error_detail_show_http_tracebacks(bool): Defines whether tracebacks are shown to the user in error cases; default: false
configure_error_detail_show_directory_manager_rest_tracebacks(bool): Defines whether tracebacks are shown to the user in error cases; default: false
configure_error_detail_show_saml_idp_errors(bool): Defines if error information and stack traces allowed to be shown to the user; default: false
configure_error_detail_show_saml_idp_error_reporting(bool): Defines if error information and stack traces can be reported via email to the technical contact mail address; default: false

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/umc_policies_maintenance/README.md

UMC maintenance policies

This role sets UMC maintenance policies.

Requirements

none

Role Variables

umc_policies_maintenance_autoupdate_enabled(bool): Toogle autoupdate status; default: true.
umc_policies_maintenance_basedn(string): The LDAP base domain name.
umc_policies_maintenance_patchhour(string): The chosen hour for univention-update; default: 5.
umc_policies_maintenance_patchminute(string): The choosen minute for univention-update; default: 00.
umc_policies_maintenance_patchday(String): The chosen day for univention-update; default: Tuesday.
umc_policies_maintenance_release_version(string): The univention release version.
umc_policies_maintenance_hostname(string): The systems hostname; default: "{{ inventory_hostname }}"

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/cleanup_portal/README.md

Cleanup Portal

Remove default and unused portal entries.

Requirements

none

Role Variables

cleanup_portal_basedn(string): The LDAP base domain name.
cleanup_portal_install_services(list): A list of services to install.
cleanup_portal_domain_admin_group(string): default: "cn=Domain Admins,cn=groups,{{ cleanup_portal_basedn }}".
cleanup_portal_portal_dn(string): default: "cn=portals,cn=univention,{{ cleanup_portal_basedn }}".
cleanup_portal_prometheus_dn(string): default: 'cn=prometheus,cn=entry,{{ cleanup_portal_portal_dn }}'.
cleanup_portal_admin_dashboard_dn(string): default: 'cn=admin-dashboard,cn=entry,{{ cleanup_portal_portal_dn }}'.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/dovecot_connector/README.md

DC Connector

This role configures and install Dovecot (DC) connector.

Requirements

none

Role Variables

dovecot_connector_basedn(string): The LDAP base dn.
dovecot_connector_domain_name(string): The system's dns domain name.
dovecot_connector_domain_prefix(string): The system's dns domain prefix. Useful when dovecot server is in same network.
dovecot_connector_soap_prefix(string): The ox soap server prefix; default: ox-provisioning.
dovecot_connector_server_type(string): Which type of UCS server to set up. The possible options are master and backup. The default is master, which also means "standalone". If backup is chosen the following variable also has to be set; default: master.
dovecot_connector_app_version_map(map): A dictionary that maps application names to specific version of dovecot connector. default: ""
dovecot_connector_temp_pw_file: The tmp file within the administrator password.
dovecot_connector_adm_accepted_exit_codes(string): DoveAdm-exitCode-Werte, die nicht zum Abbruch führen; default: 68 75
dovecot_connector_adm_host(string): Der Domänenname des Servers auf dem DoveAdm aktiviert wurde; default: dc-provisioning.dovecot_connector_domain_name
dovecot_connector_adm_port(string): Der Port auf dem DoveAdm erreichbar ist; default: 443
dovecot_connector_adm_username(string): Benutzername des DoveAdm; default: ""
dovecot_connector_adm_password(string): Passwort des DoveAdm; default: ""
dovecot_connector_adm_uri(string): DoveAdm URL Vorlage. Mögliche Variablen {dcc_adm_host} und {dcc_adm_port}; default: https://{dcc_adm_host}:{dcc_adm_port:d}/doveadm/v1
dovecot_connector_dc_vmail_template(string): Das vmail Verzeichnis welches Dovecot nutzt. Mögliche Variablen {uuid}, {email}, {domain} und {username}; default: /data/usr/local/dovecot/vmail/{uuid[0]}{uuid[1]}/{uuid}
dovecot_connector_loglevel(string): Die Log-Stufe der Anwendung. Werte: DEBUG, INFO, WARNING und ERROR; default: INFO
dovecot_connector_hide_logging(bool): Toggle logging output; default: true

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/install_apps_ox_pre/README.md

Pre installation steps of OpenXchange (OX)

This role prepares OX installation.

Requirements

univention.ucs_modules
- univention_config_registry

Role Variables

install_apps_ox_pre_external_hostname(string): The host name that is used to talk to the system.
install_apps_ox_pre_mail_domain(string): The externally managed mail domain.
install_apps_ox_pre_basedn(string): The LDAP base domain name.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/configure_keycloak/README.md

Configure Keycloak

This role configures keycloak, either via KCADM or REST.

Requirements

none

Role Variables

configure_keycloak_generate_oidc_broker_secret(bool): If set to true the client password used in the IDP creation is generated dynamically. If it is set to false the value in configure_keycloak_oidc_broker_secret is used instead. If configure_keycloak_config_type is set to static this variable implicitly is set to false; default: true
configure_keycloak_oidc_broker_secret(string): Client password used in the IDP creation. Only used when configure_keycloak_generate_oidc_broker_secretis set to false.
configure_keycloak_oidcidp_id(string): The name of the OpenID Connect Identity Provider to be configured when using dynamic configuration; default: "{{ inventory_hostname }}".
configure_keycloak_server_id(string): The OpenID Connect IDP broker ID. This is used in both config modes and defaults to keycloak.
configure_keycloak_oidc_username_template(string): default: "${CLAIM.preferred_username}_${ALIAS}"
configure_keycloak_client_callback_url(string): When configuring a new client on the keycloak server this URL is used as the OpenID callback URL. Defaults to none but has to be set IF the client doesn't exist already. If it does this variable is not used as the client is not going to be updated.
configure_keycloak_config_method(string): The configuration method against keycloak, either kcadm or rest; default: kcadm
configure_keycloak_config_type(string): This variable determines if the keycloak server configuration is done using this role (dynamic) or if things already have been configured and only the UCS side has to be configured (static). dynamic usually is used for setups with a lot of turnover, static is used in a more static environment. If set to 'none' keycloak configuration as a whole will be skipped, including the "client" side; default: dynamic.
configure_keycloak_keycloak_server(string): The server the UCS system with authenticate against.
configure_keycloak_auth_realm(string): As the name says, the realm that is used to authenticate our keycloak operations against. This is not the realm used for client configuration, for that the host's domain is used; default: master.
configure_keycloak_admin_username(string): The username used to authenticate to keycloak server when configuring the authentication connection, best stored in a secrets manager or encrypted using ansible-vault.
configure_keycloak_admin_password(string): The password used to authenticate to keycloak server when configuring the authentication connection, best stored in a secrets manager or encrypted using ansible-vault
configure_keycloak_realm(string): default: "{{ hostvars[inventory_hostname]['ansible_domain'] }}"
configre_keycloak_fqdn(string): default: "{{ hostvars[inventory_hostname]['ansible_fqdn'] }}"
configure_keycloak_client_id(string): The client's client id used to authenticate.
configure_keycloak_display_matrix_in_iframe(bool): When set to 'true', the hosts FQDN is added to CSP list. Be careful, the corresponding field has a size limit; default: false.
configure_keycloak_client_secret(string): default: false
configure_keycloak_base_url(string): default: "https://{{ configure_keycloak_keycloak_server }}/auth"
configure_keycloak_realm_base_url(string): default: "{{ configure_keycloak_base_url }}/admin/realms/{{ ansible_domain }}"
configure_keycloak_protocol_mapper_name(string): default: "identity-provider-mapper"
configure_keycloak_import_mapper_name(string): default: "append IDP to username"
configure_keycloak_hostname(string): The systems hostname; default: "{{ inventory_hostname }}"

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/use_trusted_cert/README.md

Use trusted SSL certificate

This role configures an issues SSL certificate from trusted authorities.

Requirements

univention.ucs_modules
- univention_config_registry

Role Variables

use_trusted_cert_path_cert(string): Local path to SSL (chained) certificate file.
use_trusted_cert_path_key(string): Local path to SSL key file.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/install_packages/README.md

Install packages

This role installs univention apps with/without fixed versions.

Requirements

none

Role Variables

install_packages_app_version_map(map): A dictionary that maps application names to specific versions that ought to be installed. See also install_packages_force_package_upgrade for a way to upgrade already installed software.
install_packages_service_name_list(list): A list containing application names to be installed.
install_packages_temp_pw_file(map): Tempfile object where univention app password is stored.
install_packages_force_package_upgrade(bool): If set to true already installed application versions are checked and if the installed version differs from what has been specified in install_packages_app_version_map that version is installed instead. Choosing false results in the role ignoring already installed software and skip installation; default: false.
install_packages_install_apps(list): A list of applications to install.
install_packages_additional_options(string): Additional option that could be set during install.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/deployment_message/README.md

Print a deployment message

This role prints information about playbook, its dependencies and configuration.

Requirements

univention.ucs_modules
- univention_config_registry

Role Variables

deployment_message_verification_pause_duration(number): 20
deployment_message_external_hostname(string): the host name that is used to talk to the system
deployment_message_domain_name(string): the system's dns domain name
deployment_message_basedn(string): the LDAP base domain name
deployment_message_server_type(string): type of UCS server to set up. The possible options are masterand backup.
deployment_message_saml_config_type(string): can be set to "failover" or basically anything else. In "failover" mode a part of the SAML configuration is omitted. "failover" in this case refers to a UCS native SAML failover mode. Any other value will result in the same configuration being deployed, the value therefore is more of a descriptive nature. Recommended values are "loadbalancer", "primary-secondary" or "standalone" with the latter being the default value.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/portal_cookie_banner/README.md

This roles enables/disables a cookie banner in portal frontend.

Requirements

univention.ucs_modules
- univention_config_registry

Role Variables

portal_configure_title_basedn(string): The base DN that has been used when setting up the UCS server
portal_configure_title_titles(list): The cookie banner title and body.

portal_configure_title_titles:
  de:
    title: "We are using cookies"
    text: ""

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/univention_repository_component/README.md

Univention Repository Component

This role enables a univention repository component.

Requirements

none

Role Variables

univention_repository_component_name(string): The name of customer debian repository.
univention_repository_component_parts(string): The part of customer debian repository.
univention_repository_component_prefix(string): The prefix of customer debian repository.
univention_repository_component_server(string): The server of customer debian repository.
univention_repository_component_username(string): The username of customer debian repository.
univention_repository_component_password(string): The password of customer debian repository.
univention_repository_component_version(string): The version of customer debian repository.
univention_repository_component_unmaintained(bool): Toggle unmaintained status of customer debian repository.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/configure_office_suite/README.md

Configure office suite

This role configures the chosen office suite and installs it.

Requirements

none

Role Variables

configure_office_suite_office_suite(string): Define the to be installed office suite. Defaults to collabora-online. A list of supported suites is defined in configure_office_suite_supported_office_suites; default: "collabora-online".
configure_office_suite_supported_office_suites(list): A list of supported office suites that can be installed using this role. This variable is set in the role's defaults/main.yml and should not be changed.
configure_office_suite_onlyoffice_formats(map): A map of onlyoffice file formats to be enabled or disabled.
configure_office_suite_collabora_license_key(string): Include a valid license for collabora-online.
configure_office_suite_app_version_map(map): A dictionary that maps application names to specific versions that ought to be installed.
configure_office_suite_temp_pw_file(map): Tempfile object where univention app password is stored.
configure_office_suite_install_apps(list): A list of applications to install.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/configure_repository/README.md

Configure repository

Configure repository URLs to use own apt repository server.

Requirements

univention.ucs_modules
- univention_config_registry

Role Variables

configure_repository_default_repository_prefix(string): Define access method, either "http://" or "https://"; default: "https://".
configure_repository_default_repository_server(string): The repository server without any prefix or suffix or path.
configure_repository_default_repository_path(string): The repository path/suffix where repository could be found on server.
configure_repository_default_repository_username(string): Optionally configure username for authentication.
configure_repository_default_repository_password(string): Optionally configure password for authentication.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/configure_apps_postfix/README.md

Configure Postfix (apps)

This role modifies postfix configuration.

Requirements

univention.ucs_modules
- univention_config_registry

Role Variables

configure_apps_postfix_domain_name(string): The system's dns domain name.
configure_apps_postfix_external_hostname(string): The host name that is used to talk to the system.
configure_apps_postfix_relay_port(number): The port that is used to talk to the system; default: 25.
configure_apps_postfix_use_relay_host(bool): Toggles if a SMTP relay host should be used; default: false.
configure_apps_postfix_relay_host(string): The SMTP relay hostname.
configure_apps_postfix_relay_username(string): The SMTP relay username.
configure_apps_postfix_relay_password(string): The SMTP relay password.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/univention_remove/README.md

Remove packages with univention-remove

This role installs packages via univention-remove wrapper.

Requirements

none

Role Variables

univention_remove_name(string): The name of the package to be removed.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/univention_prune_kernels/README.md

Prune Kernels Univention UCS

This role prunes kernels for UCS servers in order to free space at /boot.

Requirements

none

Role Variables

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/set_ldap_index/README.md

Configure LDAP Index

This role adds/removes additional ldap indexes. Slapd.service is stopped. Run this role only in maintenance. Without extra vars nothing will happen.

Requirements

none

Role Variables

set_ldap_index_equality_add(string): The name of the ldap attribute for equality searches to add; default: ""
set_ldap_index_presence_add(string): The name of the ldap attribute for presence searches to add; default: ""
set_ldap_index_approx_add(string): The name of the ldap attribute for approx searches to add; default: ""
set_ldap_index_substring_add(string): The name of the ldap attribute for substring searches to add; default: ""
set_ldap_index_equality_rm(string): The name of the ldap attribute for equality searches to remove; default: ""
set_ldap_index_presence_rm(string): The name of the ldap attribute for presence searches to remove; default: ""
set_ldap_index_approx_rm(string): The name of the ldap attribute for approx searches to remove; default: ""
set_ldap_index_substring_rm(string): The name of the ldap attribute for substring searches to remove; default: ""

Dependencies

none

Example Playbook

hosts: ucs_master become: true tasks:
- name: "include role for setting ldap index" ansible.builtin.include_role: name: "roles/set_ldap_index" vars: set_ldap_index_equality_add: "isOxUser" set_ldap_index_approx_rm "aAAARecord"

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/improve_usability_nextcloud/README.md

Improve usability nextcloud

This role disables some unused functionality like: contacts, spreed, mail, calendar.

Requirements

none

Role Variables

none

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/portal_configure_title/README.md

Configure Portal Title

This role configures portal title.

Requirements

none

Role Variables

portal_configure_title_basedn(string): The LDAP base domain name.
portal_configure_title_titles(list): The new portal titles with locale in format like de_DE "Cool Portal (Univention)".

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/portal_entry/README.md

Portal entry

Create, modify, delete and append portal entries.

Requirements

none

Role Variables

portal_entry_base_dn(string): The base DN that has been used when setting up the UCS server
portal_entry_entries(list): The portal entries list.
portal_entry_install_list(list): Combined apps/services/customization lists.
portal_entry_drift_detection(bool): Toggle drift detection and only apply differences; default: true.
portal_entry_remove_unscoped(bool): Toggle removal of undefined entries; default: false.

Dependencies

none

Example Playbook

- hosts: all
  tasks:
    - ansible.builtin.include_role:
        name: "univention.ucs_roles.portal_entry"
      vars:
        portal_entry_base_dn: "dc=ansible,dc=univention,dc=de"
        portal_entry_install_list: ["nextcloud"]
        portal_entry_drift_detection: true
        portal_entry_remove_unscoped: false
        portal_entry_entries:
          - name: "Anmeldung"
            anonymous: true
            category: "help"
            description:
              de_DE: "Anmelden"
              en_US: "Login"
            display_name:
              de_DE: "Anmelden"
              en_US: "Login"
            icon_file: "ucs_portal_login_icon.svg"
            link:
              de_DE: "/univention/saml/?location=%2Funivention%2Fportal%2F"
              en_US: "/univention/saml/?location=%2Funivention%2Fportal%2F"
            linktarget: "samewindow"
            parent: "category"
            state: "present"
            type: "entries"
          - name: "Dateien"
            activated: true
            allowed_groups: ["cn=Domain Users,cn=groups,dc=ansible,dc=univention,dc=de"]
            anonymous: false
            category: "Kollaboration"
            description:
              de_DE: "Dateienablage und -austausch"
              en_US: "File storage and exchange"
            display_name:
              de_DE: "Eigene Dateien"
              en_US: "My files"
            icon_file: "ucs_portal_files_icon.svg"
            linktarget: "newwindow"
            link:
              de_DE: "/nextcloud"
              en_US: "/nextcloud"
            only: "nextcloud"
            parent: "category"
            state: "present"
            type: "entries"
            target: "tab_nextcloud"
          # ...

Portal entries

portal_entry_entries:
  - name:           # (string, required) | Name of portal entry.
    activated:      # (boolean)          | Enable/Disable portal entry.
    allowed_groups: # (list)             | A list of LDAP groups the entry should be shown.
    anonymous:      # (boolean)          | Show entry for not logged-in user.
    category:       # (string)           | Name of category/portal the entry should be appended.
    description:    # (map)              | I18n description displayed in portal.
      de_DE:        # (string)           | F.e. german translation.
      en_US:        # (string)           | F.e. english translation.
    display_name:   # (map)              | I18n name displayed in portal.
      de_DE:        # (string)           | F.e. german translation.
      en_US:        # (string)           | F.e. english translation.
    icon_file:      # (string)           | Name of predefined images or local images.
    icon_base64:    # (string)           | Image as base64 encoded string. This variables overrides the input from 'icon_file'!
    link:           # (map)              | Internal or external link.
      de_DE:        # (string)           | F.e. german translation.
      en_US:        # (string)           | F.e. english translation.
    linktarget:     # (string)           | Link target f.e. "samewindow", "newwindow", "embedded" or "useportaldefault".
    target:         # (string)           | Link target name, to open link in the same tab_group. Works only from UCS 5.0.
    only:           # (string)           | Modify when app defined is in `portal_entry_install_list`.
    parent:         # (string)           | The type where entry should be appended, f.e. "category" or "portal".
    state:          # (string, required) | State of entry, should be "present" or "absent".
    type:           # (string)           | The list from parent where entry should be appended. For
                    #                    |  - "category" > possible: "entries"
                    #                    |  - "portal" > possible: "menuLinks", "userLinks"

Limitations

Modifying/Removing attributes with whitespaces are not supported by UCS 4.4
Drift detection does not detect changes in icons.

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/get_installed_apps/README.md

Get installed univention apps

This role sets a fact with installed univention apps.

Requirements

ansible.utils
- cli_parse

Role Variables

none

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/configure_logrotate/README.md

Configure Logrotate

As is defined on the ucr the log files are rotated the set number of times before being removed. This role is used to set those numbers.

Requirements

univention.ucs_modules
- univention_config_registry

Role Variables

configure_logrotate_compress(bool): If this option is activated, log files are compressed during rotation; default: yes
configure_logrotate_create(string): Configures mode, owner and group of a log file after rotation; default: 640 root adm
configure_logrotate_missingok(bool): If this option is activated, proceed without printing an error message if a logfile is missing; default: yes
configure_logrotate_notifempty(bool): If this option is activated, empty logfiles are not rotated; default: yes
configure_logrotate_rotate_count(number): The rotation interval for system log files; default: 12
configure_logrotate_rotate_handling(string): Log files are rotated according to criterion described by man logrotate.conf; default: weekly
configure_logrotate_syslog_rotate_count(number): The rotation interval for syslog file; default: 7 * "rotate/count"
configure_logrotate_syslog_rotate_handling(string): Syslog file is rotated according to criterion described by man logrotate.conf; default: daily

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/configure_group_syntax/README.md

Configure group syntax

Configure the group syntax and ensure the consistency on all nodes

Requirements

univention.ucs_modules
- univention_config_registry

Role Variables

configure_group_syntax_group_syntax(string): group syntax desired value; default: gid

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/configure_saml_single_server/README.md

Configure SAML single server

This role configures SAML single server.

Requirements

univention.ucs_modules
- univention_config_registry

Role Variables

configure_saml_single_server_external_hostname(string): The external hostname that is used to talk to the system.
configure_saml_single_server_domain_name(string): The systems domain name.
configure_saml_single_server_admin_user_name(string): The UCS administrator's user name, defaults to "Administrator". This variable only is used when joining a backup server. Changing this will NOT change the UCS admin user name, it will only break the backup join scenario.
configure_saml_single_server_temp_file(map): Tempfile object where univention app password is stored.
configure_saml_single_server_type(string): Which type of UCS server to set up. The possible options are masterand backup. If backup is chosen the following variable also has to be set; default: "master".
configure_saml_single_server_basedn(string): The LDAP base dn.
configure_saml_single_server_remove_default_saml_provider(bool): When set to true all builtin SAML provider will be removed; default: true.
configure_saml_single_server_external_loadbalancer_ip(string): IP address of external load balancer if used.
configure_saml_single_server_domain_prefix(string): The external prefix of load balancer

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/workaround_acmetiny_upgrade/README.md

Workaround: Use specific acme tiny version

This role downloads and patches acme-tiny.

Requirements

ansible.posix
- patch

Role Variables

workaround_acmetiny_upgrade_temp_dir(map): Ansible temporary dir for workaround files.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/install_multitenant_acls/README.md

Install multitenant ACLs

Install and configure ACL package.

Requirements

univention.ucs_modules
- univention_config_registry

Role Variables

install_multitenant_acls_customer_name(string): The name of customer used inside ACL package.

install_multitenant_acls_multitenant_acls(list): A list of acl settings.

multitenant_acls:
  - tenant_id: "0000"
    admin_password: ""
  - tenant_id: "0001"
    admin_password: ""
  - tenant_id: "0002"
    tenant_short_name: "test"
    admin_password: ""
    mail_domains: []

install_multitenant_acls_json_path(string): The local path for ACL structure json file.
install_multitenant_acls_package_name(string): The customer specific debian package name.
install_multitenant_acls_script_name(string): The name of create acl structure script.
install_multitenant_acls_keycloak_base(string): The base url for keycloak.
install_multitenant_acls_hide_logging(boolean): Toggle template logging; default: true.
install_multitenant_acls_server_type(string): The ucs server type; default "master".
install_multitenant_acls_customer_repo_name(string): The name of customer debian repository.
install_multitenant_acls_customer_repo_parts(string): The part of customer debian repository.
install_multitenant_acls_customer_repo_password(string): The password of customer debian repository.
install_multitenant_acls_customer_repo_server(string): The server of customer debian repository.
install_multitenant_acls_customer_repo_username(string): The username of customer debian repository.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/configure_keycloak_saml/README.md

Configure Keycloak SAML

This role configures Keycloak as SAML provider.

Requirements

none

Role Variables

configure_keycloak_saml_basedn(string): The LDAP base dn.
configure_keycloak_saml_sp_base_url(string): The Service Provider base url.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/custom_facts/README.md

Custom facts

This role gathers release information and store them on remote system.

Requirements

none

Role Variables

custom_facts_templates(list): filename(s) of templates which should be applied; default: ["deployment.fact.j2", "hotfixes.fact.j2"]

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/intercom_service/README.md

Intercom Service

This role installs and comfigures the intercom service. For further information have a look at https://docs.software-univention.de/intercom_service/latest/index.html

Requirements

none

Role Variables

intercom_service_hide_logging(boolean): Toggle template logging; default: true.
intercom_service_domain_name(string): The domain name. default: ""
intercom_service_temp_pw_file: The tmp file within the administrator password.
intercom_service_settings_proxy(string): Wether to allow connections via proxy server instead of backend directly; default: "False"
intercom_service_settings_client_id(string): The keycloak client ID; default: intercom
intercom_service_settings_intercom_url(string): URL where ICS is reachable; default: https://ics.{{ intercom_service_domain_name }}
intercom_service_settings_base_url(string): Base URL used to identify with the IdP; default: https://ics.{{ intercom_service_domain_name }}
intercom_service_settings_origin_regex(string): Defines the origin CORS regex; default: {{ intercom_service_domain_name }}
intercom_service_keycloak_url(string): URL of the Keycloak instance to be used as the IdP; default: https://id.{{ intercom_service_domain_name }}
intercom_service_keycloak_realm_name(string): Name of the realm containing the configured OIDC Intercom client; default: ucs
intercom_service_matrix_url(string): The URL on which the Matrix server is reachable default: https://matrix.{{ intercom_service_domain_name }}
intercom_service_matrix_server_name(string): The server name of the matrix server; default: https://matrix.{{ intercom_service_domain_name }}
intercom_service_matrix_login_type(string): The login-type ICS should use on the matrix server; default: uk.half-shot.msc2778.login.application_service
intercom_service_matrix_nordeck_mode(string): The connection mode of the Nordeck-bot; default: test
intercom_service_nordeck_url(string): The URL on which Nordeck-bot is listening; default: https://meetings-widget-bot.{{ intercom_service_domain_name }}
intercom_service_portal_url(string): The URL on which the Univention-Portal is listening; default: https://portal.{{ intercom_service_domain_name }}
intercom_service_ox_origin(string): The OX CORS origin setting; default: https://webmail.{{ intercom_service_domain_name }}
intercom_service_ox_audience(string): The OIDC audience settings for the OX token request send to the IdP; default: oxoidc
intercom_service_nc_url(string): The URL on which Nextcloud is listening on; default: https://fs.{{ intercom_service_domain_name }}
intercom_service_nc_origin(string): The Nextcloud CORS origin; default: https://fs.{{ intercom_service_domain_name }}

Dependencies

none

Example Playbook

Intercom Service

- hosts: all
  tasks:
    - name: "Install Intercom Service via Appcenter"
      ansible.builtin.include_role:
        name: "univention.ucs_roles.intercom_service"
      vars:
        intercom_service_hide_logging: false
        intercom_service_domain_name: "ucs.test.intranet"
        intercom_service_temp_pw_file: "{{ temp_file }}"
        intercom_service_keycloak_realm_name: "your_keycloak_realm"

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/ucs_join/README.md

UCS join

This role runs a UCS Join on master or backup servers.

Requirements

univention.ucs_modules
- univention_config_registry

Role Variables

ucs_join_derive_root_password_from_hostname(bool): Creates a unique root/admin password that is derived from the host name, or rather the numeric part of it.
ucs_join_derive_root_password_prefix(string): The prefix that is used before the numeric part in derived passwords.
ucs_join_server_type(string): Which type of UCS server to set up. The possible options are master, backup, slave and member. The default is master, which also means "standalone". If not master is chosen the following variable also has to be set, default: master.
ucs_join_master_server(string): In case of a backup, slave or member server (see previous variable) this declares which master server to join. The variable musst be the ip of the master server. In every other case this variable is ignored.
ucs_join_admin_user_name(string): The UCS administrator's user name, defaults to "Administrator". This variable only is used when joining a backup server. Changing this will NOT change the UCS admin user name, it will only break the backup join scenario.
ucs_join_root_password(string): The machine's root password, if you want version control consider using ansible-vault to encrypt it. If ucs_join_derive_root_password_from_hostname is set to true this variables is ignored.
ucs_join_hostname(string): Remote hostname; default {{ inventory_hostname }}.
ucs_join_domain_name(string): The system's dns domain name.
ucs_join_basedn(string): The LDAP base domain name.
ucs_join_nameservers(dict): Configure the nameservers1-3.
ucs_join_network_config_type(string): Choose dhcp or static with the former being the default. If you choose static you'll have to add ucs_join_network_config_static-* variable as well; default: dhcp.
ucs_join_network_config_static_ip_config(map): The server's IPv4 address in one of the following two forms: <ip address>/<netmask> or CIDR form (<ip address>/<prefix length>. Both forms are functionally equal. Example: 192.168.0.1/255.255.255.240 or 192.168.0.1/28.
ucs_join_network_config_static_dns_servers(list): A list of DNS servers to use in case of static network configuration. If ucs_join_server_type is backup this variable is ignored and the master server will be used instead.
ucs_join_network_config_static_gateway(string): The server's default router aka internet gateway. This is mandatory for the setup to work.
ucs_join_network_config_interface(string): The servers default network interface; default: eth0.
ucs_join_network_config_static_additional_interfaces(list): A list of additional interfaces as dictionary
ucs_join_network_config_static_routes(list): A list of static routes, which should be attached to interfaces.
ucs_join_hide_logging(boolean): Toggle template logging; default: true.

Dependencies

none

Example Playbook

Configure static network interface

- hosts: all
  tasks:
    - ansible.builtin.include_role:
        name: "univention.ucs_roles.ucs_join"
      vars:
        ucs_join_network_config_type: "static"
        ucs_join_network_config_interface: "eth0"
        ucs_join_network_config_static_ip_config: "10.20.30.40/24"
        ucs_join_network_config_static_gateway: "10.20.30.1"
        ucs_join_network_config_static_dns_servers:
          - "8.8.8.8"
          - "8.8.4.4"
        # ...

Configure additional network interfaces

- hosts: all
  tasks:
    - ansible.builtin.include_role:
        name: "univention.ucs_roles.ucs_join"
      vars:
        ucs_join_network_config_type: "static"
        ucs_join_network_config_static_additional_interfaces:
          ens10: "10.20.30.40/24"
          ens11: "20.30.40.50/24"
        # ...

Configure additional network routes

- hosts: all
  tasks:
    - ansible.builtin.include_role:
        name: "univention.ucs_roles.ucs_join"
      vars:
        ucs_join_network_config_static_routes:
          - interface: "ens10"
            index: 0
            route: "host 10.10.0.1 metric 200"
          - interface: "ens10"
            index: 1
            route: "net 10.10.0.0 netmask 255.255.0.0 gw 10.10.0.1 metric 100"
        # ...

Configure nameservers

Matrix: How the nameservers should configured.

All domaincontroller_* has a dns server installed.

	domaincontroller_master	domaincontroller_backup	domaincontroller_slave	memberserver
nameserver1	host_ip_address	host_ip_address	host_ip_address	domaincontroller_master
nameserver2	fallback_nameserver	domaincontroller_master	domaincontroller_master	domaincontroller_backup
nameserver3		fallback_nameserver	domaincontroller_backup	domaincontroller_slave

- hosts: all
  tasks:
    - ansible.builtin.include_role:
        name: "univention.ucs_roles.ucs_join"
      vars:
        ucs_join_nameservers:
          nameserver1:
            # local ip
            server: "{{ ansible_local['ucr']['interfaces/' + ansible_local['ucr']['interfaces/primary'] + '/address'] }}"
          nameserver2:
            server: "8.8.8.8"
            state: 'present'
          nameserver3:
            state: 'absent'

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/univention_install/README.md

Install packages with univention-install

This role installs packages via univention-install wrapper.

Requirements

none

Role Variables

univention_install_name(string): The name of the package to be installed.
univention_install_clear_apt_cache(bool): Clear all downloaded packages to reduce package conflicts; default: false.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/configure_amazon_metadata_server/README.md

Configure amazon metadata server

Enable or disable UCS calling Amazon's metadata server

Requirements

univention.ucs_modules
- univention_config_registry

Role Variables

configure_amazon_metadata_server_call(boolen): Defines if the amazon metadata server should be called; default: false

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/univention_upgrade/README.md

Upgrade Univention UCS

This role upgrade UCS to a specific version.

Requirements

none

Role Variables

univention_upgrade_version(string): The UCS' version number to upgrade to; default: "4.4-99".
univention_upgrade_clear_apt_cache(bool): Clear all downloaded packages to reduce package conflicts; default: false.
univention_upgrade_removal_check(bool): Check if packages will be removed during upgrade; default: false.
univention_upgrade_reboot_after_upgrade(bool): Reboot UCS after package upgrade; default: false.
univention_upgrade_app_updates(bool): Upgrade apps during univention-upgrade; default: false.
univention_upgrade_username(string): Username of administrative user for app updates; default: Administrator.
univention_upgrade_password_file(string): Path to the file on the server that contains the user password if univention_upgrade_app_updates=true; default: "".

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/umc_permissions/README.md

Update UMC permissions

This role updates UMC permissions.

Requirements

univention.ucs_modules
- univention_config_registry

Role Variables

umc_permissions_basedn(string): The LDAP base domain name.
umc_permissions_passwordreset_blacklist_groups(string): The name of LDAP groups which are not allowed to reset their password.
umc_permissions_passwordreset_whitelist_groups(string): The name of LDAP groups which are allowed to reset their password.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/ldapsearch_user/README.md

LDAPSearch user

This role adds specific LDAPSearch users.

Requirements

none

Role Variables

ldapsearch_user_basedn(string): The LDAP base DN.
ldapsearch_user_server_type(string): Which type of UCS server to set up. The possible options are masterand backup. The default is master, which also means "standalone". If backup is chosen the following variable also has to be set; default: master.
ldapsearch_user_hide_logging(boolean): Toggle template logging; default: true.
ldapsearch_user_list(list): A list of ldapsearch users to create.
ldapsearch_user_list_tenantbased(list): A list of LDAPSearch users to create.

Dependencies

none

Example Playbook

Configure LDAPSearch user

- hosts: all
  tasks:
    - ansible.builtin.include_role:
        name: "univention.ucs_roles.ldapsearch_user"
      vars:
        ldapsearch_user_list:
          - username: "ldapsearch_example"
            name: "Name of LDAPSearch user"           # optional; default value from username
            lastname: "Lastname of LDAPSearch user"   # optional; default value from username
            password: "SuperSecretPassword"
        # ...

Configure LDAPSearch user (per tenant)

- hosts: all
  tasks:
    - ansible.builtin.include_role:
        name: "univention.ucs_roles.ldapsearch_user"
      vars:
        ldapsearch_user_list_tenantbased:
          - username: "ldapsearch_example"
            name: "Name of LDAPSearch user"                  # optional; default value from username
            lastname: "Lastname of LDAPSearch user"          # optional; default value from username
            password: "SuperSecretPassword"
            tenant_ou: "ou=users,ou=root,ou=0001,ou=tenants" # position in LDAP
        # ...

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/configure_apps_owncloud/README.md

Configure Owncloud (apps)

Configure UCS app owncloud.

Requirements

none

Role Variables

none

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/hardening/README.md

Hardening system

This role reduces security risks by disabling default settings, like root login.

Requirements

univention.ucs_modules
- univention_config_registry

Role Variables

hardening_disable_http(bool): If set to true, http will be disabled in apache2. Only https will be available; default: true
hardening_hsts(bool): If set to true HTTP Strict Transport Security is enabled for apache2 ; default: true
hardening_apache2_ssl_tlsv13(bool): If set to true ssl tlsv11 and tlsv12 are disabled for apache2; default: true
hardening_apache2_server_tokens(string): Set apache2 configuration to Prod, Major, Minor, Min, OSor Full. Details: https://httpd.apache.org/docs/2.4/mod/core.html#servertokens ; default: Prod
hardening_apache2_server_signature(string): Set apache2 configuration to Off , EMail or On. Details: https://httpd.apache.org/docs/2.4/mod/core.html#serversignature ; default: Off
hardening_honorcipherorder(string): During the negotiation of cryptographic algorithms during the setup of a SSL/TLS connection the preference of the client is used by default. If this option is enabled, the preference of the server is used instead. The list of algorithms offered by Apache can be configured with the variable 'apache2/ssl/ciphersuite'; default: true
hardening_ciphersuite(string): his configures the cryptopgraphic algorithms which are offered to clients during a SSL handshake. The format is described at http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslciphersuite; default: HIGH
hardening_umc_session_cookie(bool): If set to true the login cookie is a session cookie. Closing the browser will delete the cookie, effectively logging out the user; default: true
hardening_umc_secure_cookie(bool): If set, cookies are set with the secure attribute if the connection is using HTTPS; default: true
hardening_umc_cookie_samesite(string): Set the SameSite cookie attribute for UMC cookies. Possible values: Strict, Lax and None; default: Strict
hardening_saml_idp_language_cookie_samesite(string): Set the SameSite attribute in sthe language cookie attribute of SAML IDP. Possible values: Strict, Lax and None; default: Strict
hardening_saml_idp_session_cookie_samesite(string): Set the "SameSite" attribute in the session cookie of SAML IDP. Possible values: Strict, Lax and None; default: Strict
hardening_saml_idp_session_cookie(bool): If set to true the "Secure" attribute in the session cookie is activated. default: true
hardening_saml_idp_language_cookie(bool): If set to true the "Secure" attribute in the language cookie is activated. default: true
hardening_disable_umc_http_tracebacks(bool): If set to true tracebacks are no longer shown to the user in error case for umc; default: true
hardening_disable_udm_rest_tracebacks(bool): If set to true tracebacks are no longer shown to the user in ror case for udm REST; default: true
hardening_disable_saml_idp_errors(bool): If set to true tracebacks are no longer shown to the user in error case for the saml idp; default: true
hardening_disable_saml_idp_error_reporting(bool): If set to true error information and stack traces can not be reported via email to the technical contact mail address; default: true

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/configure_ntp_servers/README.md

Configure NTP servers

This role configures NTP timeservers.

Requirements

univention.ucs_modules
- univention_config_registry

Role Variables

configure_ntp_servers_timeservers(list): A list of ntp server addresses; default ["ptbtime1.ptb.de", "ptbtime2.ptb.de", "ptbtime3.ptb.de"]

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/configure_keycloak_client/README.md

Configure keycloak client

This role configures ucs to properly use keycloak.

Requirements

none

Role Variables

configure_keycloak_client_oidc_broker_secret(string): The client password used in the IDP creation.
configure_keycloak_client_keycloak_password(string): The keycloaks password.
configure_keycloak_client_basedn(string): The LDAP base domain name.
configure_keycloak_client_keycloak_server_id(string): The OpenID Connect IDP broker ID. This is used in both config modes.
configure_keycloak_client_keycloak_server(string): The server the UCS system with authenticate against.
configure_keycloak_client_config_type(string): This variable determines if the keycloak server configuration is done using this role (dynamic) or if things already have been configured and only the UCS side has to be configured (static). dynamic usually is used for setups with a lot of turnover, static is used in a more static environment. If set to 'none' keycloak configuration as a whole will be skipped, including the "client" side; default: dynamic.
configure_keycloak_client_hostname(string): The systems hostname; default: "{{ inventory_hostname }}"

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/extend_root_lvm_volume/README.md

Extend root LVM volume

Extend the root volume to all available space. Helpful when using a prebuild image and additional space is required.

Requirements

community.general
- parted
- lvg
- lvol

Role Variables

extend_root_lvm_volume_extend_lvm_to_whole_disk(bool): If true, root volume is extended to available space; default: true
extend_root_lvm_volume_lvm_disk(string): The "physical" disk to partition without the "/dev/" part, for instance "sda" for "/dev/sda". Defaults to what is used in the Univention QCOW image; default: "vda"
extend_root_lvm_volume_lvm_vg_name(string): The volume group the data volume resides in. Defaults to what is used in the Univention QCOW image; default: "vg_ucs"
extend_root_lvm_volume_lvm_data_volume(string): The LVM name used for the data volume. Defaults to what is used in the Univention QCOW image; default: "root"
extend_root_lvm_volume_existing_lvm_partition_number(number): The existing lvm partition number. Defaults to what is used in the Univention QCOW image; default: 2

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/ucs_add_admin_user/README.md

Add UCS admin user

This role adds an administrative UCS user.

Requirements

none

Role Variables

ucs_add_admin_user_basedn(string): The LDAP base domain name.
ucs_add_admin_user_username(string): The username for the administrative user.
ucs_add_admin_user_firstname(string): The firstname for the administrative user.
ucs_add_admin_user_lastname(string): The lastname for the administrative user.
ucs_add_admin_user_password(string): The password for the administrative user.
ucs_add_admin_user_recoveryemail(string): The recovery email address for the administrative user.
ucs_add_admin_user_attrib_list(map): A map of attributes & values to set for the administrative user.
ucs_add_admin_user_group_list(list): A list of group names to append the administrative user to.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/improve_usability_user_config/README.md

Improve usability user configuration

This role improves user configuration.

Requirements

univention.ucs_modules
- univention_config_registry

Role Variables

improve_usability_user_config_basedn(string): The LDAP base domain name.
improve_usability_user_config_external_hostname(string): The host name that is used to talk to the system.
improve_usability_user_config_install_apps(list): A list of applications to install.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/force_package_list_update/README.md

Force package list update

This role updates univention and apt package lists.

Requirements

none

Role Variables

none

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/set_feedback_mail_address/README.md

Set feedback mail address

Requirements

univention.ucs_modules
- univention_config_registry

Role Variables

set_feedback_mail_address_web_feedback_mail(string): Email address configured to send the traceback if occurs an error in the Univention Management Console; default: feedback@univention.de

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/configure_monitoring/README.md

Configure Monitoring

This role configures monitoring related settings.

Requirements

univention.ucs_modules
- univention_config_registry

Role Variables

configure_monitoring_ldap_enabled(string): Toggle ldap/monitor ucr setting; default: "true".

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/set_dns_glue_record/README.md

Set DNS Glue record

Set a DNS Nameserver Glue record.

Requirements

none

Role Variables

set_dns_glue_record_create_external_hostname_glue_record(bool): If set to true a DNS Glue record is set if not already exists; default: `true
set_dns_glue_record_fqdn(string): Use this variable if remotes hostname is only available as FQDN or set set_dns_glue_record_host_namedirectly.
set_dns_glue_record_host_name(string): Use this variable for remotes hostname otherwise use set_dns_glue_record_fqdn for FQDN hostnames.
set_dns_glue_record_domain_name(string): Use this variable to set remotes domain name or set set_dns_glue_record_superordinatedirectly.
set_dns_glue_record_basedn(string): Use this variable to set remotes base domain name or set set_dns_glue_record_superordinatedirectly.
set_dns_glue_record_superordinate(string): Define superordinate user use set_dns_glue_record_domain_name and set_dns_glue_record_basedn.
set_dns_glue_record_glue_record_nameserver(string): The target nameserver as FQDN that is used to resolve the external hostname.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/configure_sso_openid/README.md

Configure SSO OpenID Connect

This role configures OpenID Connect OIDC for apps like open-xchange or nextcloud.

Requirements

univention.ucs_modules
- univention_config_registry

Role Variables

configure_sso_openid_app_version_map(map): A dictionary that maps application names to specific versions that ought to be installed.
configure_sso_openid_temp_pw_file(map): Tempfile object where univention app password is stored.
configure_sso_openid_install_apps(list): A list of applications to install.
configure_sso_openid_basedn(string): The systems base dn.
configure_sso_openid_signing_method(string): The signing method; default: "RS256".
configure_sso_openid_external_hostname(string): The external hostname that is used to talk to the system.
configure_sso_openid_clients(map): A map of client configurations, supported nexcloud and ox.

Dependencies

none

Example Playbook

Configure OpenID clients

- hosts: all
  tasks:
    - ansible.builtin.include_role:
        name: "univention.ucs_roles.configure_sso_openid"
      vars:
        configure_sso_openid_clients:
          nextcloud:
            name: "nextcloud"
            clientid: "nextcloud"
            clientsecret: "notverysafe"
          ox:
            name: "open-xchange"
            clientid: "open-xchange"
            clientsecret: "notverysafe"
        # ...

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/install_lets_encrypt/README.md

Install letsencrypt

This role installs letsencrypt and configures it. It supports letsencrypt staging as well.

Requirements

univention.ucs_modules
- univention_config_registry

Role Variables

install_lets_encrypt_use_letsencrypt_staging(bool): When false it uses regular let's encrypt certificates, true switches to the staging area for testing purposes; default: false.
install_lets_encrypt_implement_ugly_letsencrypt_workaround(bool): Work around bugs in the let's encrypt staging implementation. This patches files in the univention letsencrypt app; default: false.
install_lets_encrypt_temp_pw_file(map): Ansible temporary password file.
install_lets_encrypt_temp_dir(map): Ansible temporary dir.
install_lets_encrypt_service_version_map(map): A dictionary that maps service names to specific versions that ought to be installed. See also install_packages_force_package_upgrade for a way to upgrade already installed software.
install_lets_encrypt_service_name_list(list): A list containing service names to be installed.
install_lets_encrypt_force_package_upgrade(bool): If set to true already installed application versions are checked and if the installed version differs from what has been specified in install_lets_encrypt_service_version_map that version is installed instead. Choosing false results in the role ignoring already installed software and skip installation; default: false.
install_lets_encrypt_external_hostname(string): The host name that is used to talk to the system.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/install_service_new_portal/README.md

Install new portal (service)

This role installs and configures new portal.

Requirements

none

Role Variables

install_service_new_portal_service_version_map(map): A dictionary that maps service names to specific versions that ought to be installed. See also install_service_new_portal_force_package_upgrade for a way to upgrade already installed software.
install_service_new_portal_force_package_upgrade(bool): If set to true already installed application versions are checked and if the installed version differs from what has been specified in install_service_new_portal_service_version_map that version is installed instead. Choosing false results in the role ignoring already installed software and skip installation; default: false.
install_service_new_portal_temp_file(map): Ansible temporary dir.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/configure_password_policies/README.md

Configure UCS Password Policies

This role configures password policies via UCR. A dn of a policy is required. All users with this plocicy referenced will get these settings.

Requirements

univention.ucs_modules
- univention_config_registry
- univention_directory_manager

Role Variables

configure_password_policies_dn(string): At least there should be one policy with activated Checks. The full dn is needed; default: not set
configure_password_policies_quality_min_lenght(string): Sets the minimum password length; default: 8
configure_password_policies_quality_required_chars(string): Sets required chars for setting new passwords; default: none
configure_password_policies_quality_forbidden_chars(string): Sets forbidden chars for setting new passwords; default: none
configure_password_policies_quality_credit_digits(string): Sets the minimum number of digits in the new password; ; default: 1
configure_password_policies_quality_credit_upper(string): Sets the minimum number of upper case letters; default: 1
configure_password_policies_quality_credit_other(string): Sets the minimum number of chars wich are neither digits nor letters; default: 1
configure_password_policies_quality_credit_lower(string): Sets the minimum number of lower case letters; default: 1
configure_password_policies_quality_mspolicy(string): Sets the microsoft policy complexity criteria. If 1,true or yes this will b eon top of the dafault python-cracklib. If sufficient only ms policy complexity will be used and if false only python-cracklib will be used. default: 1

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/workaround_high_mtu/README.md

Workaround: Fix MTU for Docker

When MTU in Docker 1500 is higher than the one for network interface, this role sets the Docker MTU to 1400.

Requirements

none

Role Variables

none

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/configure_network_interface_names/README.md

Configure network interface names

This role configures network interface names as GRUB boot parameter, resulting in network interface names like eth0.

Requirements

univention.ucs_modules
- univention_config_registry

Role Variables

configure_network_interface_names_use_old_names(boolean): Set the GRUB parameter for old interface names; default: true.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/disable_ipv6/README.md

Disable IPv6

This role disables IPv6 on system via modprobe.

Requirements

ansible.posix
- sysctl

Role Variables

none

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/install_apps_ox_post/README.md

Post installation steps of OpenXchange (OX)

This role configures OX.

Requirements

univention.ucs_modules
- univention_config_registry
community.crypto
- openssl_pkcs12
community.general
- java_cert

Role Variables

install_apps_ox_post_basedn(string): The LDAP base domain name.
install_apps_ox_post_external_hostname(string): The host name that is used to talk to the system.
install_apps_ox_post_ox_keystore_passphrase(string): The passphrase for ox keystore.
install_apps_ox_post_ox_drive_default(string): Toggle OXDrive by setting 0for disabled and 1 for enabled; default: 0.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/update_users_ssh_keys/README.md

Update users SSH keys

This role adds and removes SSH keys from user.

Requirements

ansible.posix
- authorized_key

File Structure

files/
 |
 +-- ssh_keys/
 |   |
 |   +-- add/
 |   |   |
 |   |   +-- *.pubkey
 |   |
 |   +-- remove/
 |       |
 |       +-- *.pubkey

Role Variables

update_users_ssh_keys_user(string): Name of local user where SSH keys should be added/removed.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/add_local_user/README.md

Add local user

This role creates a local user with ssh login permissions.

Requirements

univention.ucs_modules
- univention_config_registry

Role Variables

add_local_user_user(map): A map containing user information:

add_local_user_user:
    name:         # username; default; "ansible"
    comment:      # user comment; default: "ansible user"
    password:     # hashed password of user; default:  "{{ "ansible"|password_hash('sha512') }}"
    sshkey_file:  # ssh key filename; default: empty
    sshkey:       # ssh key as string; default: empty
    state:        # toggle if user should be present or absent; default: present

add_local_user_default_shell(string): Default user shell; default: /bin/bash
add_local_user_default_password_policy(string): Default password update policy. Possible values are "on_create" and "always"; default "on_create".
add_local_user_system_user(bool): true if the user should be a system user instead of a human; default: true.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/install_branding/README.md

Install branding package

This role installs a customer branding package.

Requirements

univention.ucs_modules
- univention_config_registry

Role Variables

install_branding_customer_repo_name(string): The name of customer debian repository.
install_branding_customer_repo_parts(string): The part of customer debian repository.
install_branding_customer_repo_password(string): The password of customer debian repository.
install_branding_customer_repo_server(string): The server of customer debian repository.
install_branding_customer_repo_username(string): The username of customer debian repository.
install_branding_customer_branding_package(string): Set the name of the Debian Branding Package in the Univention Customer Repository.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/configure_license/README.md

Configure UCS license

This role helps to apply an existing license file or claims a new license from shop.

Requirements

none

File Structure

files/
 |
 +-- license_client.py

Role Variables

configure_license_validity(string): The validity period for the license in a format GNU date is able to understand as a time period, like "12 weeks".
configure_license_shop_password(string): The shop user's password, best stored in a secrets manager or encrypted via ansible-vault.
configure_license_shop_id(number): Which license shop to use when obtaining a new license for the server.
configure_license_shop_username(string): The shop's user name, needed for authentication.
configure_license_max_users(number): How many users to allow on the server.
configure_license_basedn(string): The LDAP base domain name.
configure_license_type(string): Choose one of local_license or server_license. When choosing local_license a license file name has to be provided otherwise choose server_license and one is generated; default: server_license.
configure_license_file(string): If configure_license_type set to local_license then provide license file name here; default: false.
configure_license_server_type(string): Which type of UCS server to set up. The possible options are masterand backup. The default is master, which also means "standalone". If backup is chosen the following variable also has to be set; default: master.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/portal_category/README.md

Portal category

Create, modify and delete portal categories

Requirements

none

Role Variables

portal_category_base_dn(string): The base DN that has been used when setting up the UCS server
portal_category_categories(list): The portal categories list.
portal_category_install_list(list): Combined apps/services/customization lists.
portal_category_drift_detection(bool): Toggle drift detection and only apply differences; default: true.
portal_category_remove_unscoped(bool): Toggle removal of undefined categories; default: false.

Dependencies

none

Example Playbook

- hosts: all
  tasks:
    - ansible.builtin.include_role:
        name: "univention.ucs_roles.portal_category"
      vars:
        portal_category_base_dn: "dc=ansible,dc=univention,dc=de"
        portal_category_install_list: ["nextcloud"]
        portal_category_drift_detection: true
        portal_category_remove_unscoped: false
        portal_category_categories:
          - name: "domain-service"
            display_name:
              de_DE: "Applikationen"
              en_US: "Applications"
            state: "present"
            parent: "domain"
          - name: "domain-admin"
            display_name:
              de_DE: "Verwaltung"
              en_US: "Administration"
            state: "present"
            parent: "domain"
          - name: "local-admin"
            display_name:
              de_DE: "Verwaltung"
              en_US: "Administration"
            state: "present"
            parent: "local"
          # ...

Portal categories

portal_category_categories:
  - name:           # (string, required) | Name of portal category.
    display_name:   # (map)              | I18n name displayed in portal.
      de_DE:        # (string)           | F.e. german translation.
      en_US:        # (string)           | F.e. english translation.
    only:           # (string)           | Modify when app defined is in `portal_category_install_list`.
    parent:         # (string)           | The name of portal where the category should be appended to, f.e. "domain".
    state:          # (string, required) | State of entry, should be "present" or "absent".
    ucs_versions:   # (list)             | A list of UCS version in which the category should be modified. When no
                    #                    |   version is omitted, category will be modified on ALL ucs versions.

Limitations

Modifying/Removing attributes with whitespaces are not supported by UCS 4.4

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/configure_nextcloud_turn/README.md

Configure TURN server of Nextcloud Talk

This role configures the Nextcloud Talk TURN server.

Requirements

none

Role Variables

configure_nextcloud_turn_secret(string): The TURN server secret.
configure_nextcloud_turn_url(string): The URL of the TURN server.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/disable_piwik_tracking/README.md

Toogle piwik tracking

This role enables/disables piwik tracking of UCS.

Requirements

univention.ucs_modules
- univention_config_registry

Role Variables

disable_piwik_tracking_disable(bool): Toggles piwik tracking of installation. When set to true, tracking is disabled; default: true.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/configure_nextcloud_saml/README.md

Configure nextcloud SAML

This role configures nextcloud for SAML single server.

Requirements

none

Role Variables

none

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/configure_apps_nextcloud/README.md

Configure Nextcloud (apps)

Configure UCS app nextcloud.

Requirements

none

Role Variables

none

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com

roles/custom_facts_finished/README.md

Custom facts (finished)

Store rollout finished information in custom facts directory.

Requirements

none

Role Variables

none

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com