This repository contains Ansible configurations for managing a heterogeneous server infrastructure, including LDAP authentication setup and standardized sudo configurations across multiple server categories.
I also wrote a guide on setting up Authentik as an LDAP server and for integrating it into Linux here.
đź”’ Security Note: This is a sanitized public version with example configurations. You'll need to customize the example files with your actual infrastructure details before use.
This Ansible setup manages the following types of servers:
- Proxmox Servers: Virtualization hosts
- Network Services: DNS, VPN, reverse proxy, and networking infrastructure
- Game Servers: Gaming and entertainment services
- Development Servers: Development and testing environments
- Media Servers: Media streaming and storage
- Orchestration Servers: Container orchestration and management
- Web Servers: Web hosting infrastructure
- Security Servers: Security-focused services
- Home Automation: Home assistant and IoT management
├── ansible.cfg.example # Ansible configuration template
├── inventory.example # Server inventory template with host groups
├── playbook-ldap-setup.yml # LDAP client configuration playbook
├── playbook-site-sudoers.yml # Sudo configuration deployment playbook
├── templates/
│ └── site-sudoers.j2.example # Jinja2 template for sudoers configuration
└── files/ # Configuration files for LDAP setup
├── common-account
├── common-auth
├── common-session
├── nslcd.conf
└── nsswitch.conf
Before using this repository, you need to create your actual configuration files from the examples:
# Copy example files to actual config files
cp ansible.cfg.example ansible.cfg
cp inventory.example inventory
cp templates/site-sudoers.j2.example templates/site-sudoers.j2Replace the example values with your actual infrastructure:
# Replace example IPs (10.0.1.x) with your actual server IPs
pve-host1 ansible_host=YOUR_PROXMOX_IP_1
pve-host2 ansible_host=YOUR_PROXMOX_IP_2
# Replace example server names with your actual hostnames
dns-server ansible_host=YOUR_DNS_SERVER_IP
vpn-server ansible_host=YOUR_VPN_SERVER_IP
# ... etcUpdate the user and host aliases:
# Replace example usernames with your actual admin users
User_Alias ITADMINS = your_admin_user1, your_admin_user2
User_Alias DEVELS = your_dev_user1, your_dev_user2
# Replace example hostnames with your actual server hostnames
Host_Alias PROXMOXSERVERS = your-pve-host1, your-pve-host2
Host_Alias NETSERVERS = your-dns-server, your-vpn-server, ...Update the SSH key path if different:
private_key_file = ~/.ssh/your_actual_ssh_keyIf you're using the LDAP setup, you'll also need to create and customize the following files in the files/ directory:
common-account- PAM account configurationcommon-auth- PAM authentication configurationcommon-session- PAM session configurationnslcd.conf- NSLCD daemon configurationnsswitch.conf- Name service switch configuration
The example inventory includes these logical groups:
| Group | Purpose | Example Hosts |
|---|---|---|
proxmoxservers |
Virtualization infrastructure | pve-host1, pve-host2 |
netservers |
Network services (DNS, VPN, etc.) | dns-server, vpn-server, proxy-server |
gameservers |
Gaming infrastructure | game-server1 |
devservers |
Development environments | dev-workstation, dev-server1 |
mediaservers |
Media streaming/storage | media-server |
orchservers |
Container orchestration | orchestrator1 |
- Example Network: 10.0.1.x and 10.0.2.x ranges (customize for your network)
- SSH Key:
~/.ssh/id_ed25519(customize as needed) - Default User: root with sudo escalation
Configures Debian/Ubuntu systems to use LDAP authentication.
Features:
- Installs required LDAP client packages (
libpam-ldapd,libnss-ldapd,libpam-modules) - Backs up existing configuration files with timestamps
- Deploys PAM and NSS configurations
- Configures and starts the
nslcdservice
Usage:
ansible-playbook playbook-ldap-setup.ymlTarget specific groups:
ansible-playbook playbook-ldap-setup.yml --limit netserversDeploys standardized sudo configurations across all servers.
Features:
- Ensures sudo package is installed
- Deploys site-wide sudoers configuration from template
- Validates sudoers syntax automatically
- Sets secure permissions (0440)
Usage:
ansible-playbook playbook-site-sudoers.ymlThe site-sudoers.j2 template provides:
- No TTY requirement for automation
- Secure PATH enforcement
- 5-minute credential timeout
- Comprehensive logging to
/var/log/sudo.log - Input/output logging for audit trails
- ITADMINS: Full sudo access with password (customize with your admin users)
- DEVELS: Limited access for development tasks (customize with your dev users)
Servers are organized into logical groups matching the inventory:
PROXMOXSERVERS,NETSERVERS,GAMESERVERS, etc.
- PKG_MGMT: Package management commands (apt, yum, dnf, etc.)
- SERVICE: Service management (systemctl, service)
- NET_TOOLS: Network troubleshooting tools
- LOGS: Log viewing utilities
- DOCKER: Docker management
- SENSITIVE: Password-protected commands requiring re-authentication
- Install Ansible on your control machine
- Generate SSH key:
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519 - Copy SSH key to all target hosts:
ssh-copy-id -i ~/.ssh/id_ed25519 root@<host>
- Debian/Ubuntu-based systems
- SSH access configured
- Root access or sudo privileges
- Python installed (for Ansible modules)
-
Clone and enter the repository:
git clone <repository-url> cd inframanagement
-
Set up your configuration files:
cp ansible.cfg.example ansible.cfg cp inventory.example inventory cp templates/site-sudoers.j2.example templates/site-sudoers.j2
-
Customize the files with your infrastructure details (see Initial Setup section above)
-
Verify connectivity:
ansible all -m ping
-
Deploy sudo configuration:
ansible-playbook playbook-site-sudoers.yml
-
Configure LDAP authentication (if needed):
ansible-playbook playbook-ldap-setup.yml
# Only network servers
ansible-playbook playbook-ldap-setup.yml --limit netservers
# Only development servers
ansible-playbook playbook-site-sudoers.yml --limit devserversansible-playbook playbook-ldap-setup.yml --check --diffansible-playbook playbook-site-sudoers.yml -vvv- All sudo configurations require password authentication
- Sensitive commands (user management, SSH) always require re-authentication
- Configuration backups are created before modifications
- Sudoers syntax is validated automatically before deployment
- All changes are logged for audit purposes
- Remember: Customize the example files with your actual infrastructure before use
- Verify SSH key permissions:
chmod 600 ~/.ssh/id_ed25519 - Test manual SSH connection:
ssh -i ~/.ssh/id_ed25519 root@<host>
- Check nslcd service status:
systemctl status nslcd - Review configuration backups in
/etc/*.bak.* - Test LDAP connectivity:
getent passwd
- Validate sudoers manually:
visudo -c - Check logs:
tail -f /var/log/sudo.log - Review file permissions:
ls -la /etc/sudoers.d/site_sudoers
- Ensure you've copied and customized all
.examplefiles - Verify your inventory file has correct IP addresses and hostnames
- Check that your SSH key path in
ansible.cfgis correct
When adding new servers:
- Add entries to the
inventoryfile - Update host aliases in
templates/site-sudoers.j2if needed - Test connectivity with
ansible <hostname> -m ping
When contributing to this repository:
- Always use example data in templates
- Never commit real IP addresses, hostnames, or usernames
- Update documentation when adding new features
This infrastructure configuration is designed for educational and operational use. Modify according to your organization's security policies and requirements.