Added Linux domain join role.

Incremented version.

galaxy.yml

@@ -1,7 +1,7 @@
 ---
 namespace: trippsc2
 name: ad
-version: '1.0.0'
+version: '1.1.0'
 readme: README.md
 authors:
   - Jim Tarpley

roles/domain_controller/README.md

@@ -1,7 +1,7 @@
 <!-- BEGIN_ANSIBLE_DOCS -->
 
 # Ansible Role: trippsc2.ad.domain_controller
-Version: 1.0.0
+Version: 1.1.0
 
 This role configures the Windows Server machine as an Active Directory Domain Controller.
 

roles/linux_member/.aar_doc.yml

@@ -0,0 +1,79 @@
+---
+output_file: README.md
+output_mode: replace
+
+output_template: |
+  <!-- BEGIN_ANSIBLE_DOCS -->
+  
+  # Ansible Role: {{ role }}
+  {%- if "version" in galaxy_collection %}
+  Version: {{ galaxy_collection.version }}
+  {% endif %}
+  {{ metadata.galaxy_info.description }}
+  {% if ("galaxy_tags" in metadata.galaxy_info) and (metadata.galaxy_info.galaxy_tags | length > 0) %}
+  Tags: {{ metadata.galaxy_info.galaxy_tags | join(', ') }}
+  {%- endif %}
+  ## Requirements
+  {% if ("platforms" in metadata.galaxy_info) and metadata.galaxy_info.platforms | length > 0 %}
+  | Platform | Versions |
+  | -------- | -------- |
+  {%- for platform in metadata.galaxy_info.platforms %}
+  | {{ platform.name }} | <ul>{% for version in platform.versions | default([]) %}<li>{{ version }}</li>{% endfor %}</ul> |
+  {%- endfor %}
+  {%- endif %}
+
+  ## Dependencies
+  {%- if ("dependencies" in metadata) and (metadata.dependencies | length > 0) %}
+  | Role |
+  | ---- |
+  {%- for dependency in metadata.dependencies %}
+  | {{ dependency.role }} |
+  {%- endfor %}
+  {%- endif %}
+  {% if ("collections" in metadata) and metadata.collections | length > 0 %}
+  | Collection |
+  | ---------- |
+  {%- for collection in metadata.collections %}
+  | {{ collection }} |
+  {%- endfor %}
+  {%- endif %}
+  {%- if (("dependencies" not in metadata) or (metadata.dependencies | length == 0)) and (("collections" not in metadata) or (metadata.collections | length == 0)) %}
+  None.
+  {%- endif %}
+
+  ## Role Arguments
+  {% for entrypoint in argument_specs.keys() %}
+  {%- set path, options=entrypoint_options[entrypoint][0] -%}
+
+  |Option|Description|Type|Required|Choices|Default|
+  |---|---|---|---|---|---|
+  {%- for name, details in options.items() %}
+  | {{ name }} | {{ details.display_description }} | {{ details.display_type }} | {{ details.display_required }} | {% if ("choices" in details) %}<ul>{% for choice in details.choices %}<li>{{ choice }}</li>{% endfor %}</ul>{% endif %} | {{ details.display_default }} |
+  {%- endfor %}
+
+  {% if entrypoint_options[entrypoint] | length > 1 -%}
+  {% for path, options in entrypoint_options[entrypoint][1:] -%}
+  ### Options for {{ path[1:] | join(" > ") }}
+  |Option|Description|Type|Required|Choices|Default|
+  |---|---|---|---|---|---|
+  {%- for name, details in options.items() %}
+  | {{ name }} | {{ details.display_description }} | {{ details.display_type }} | {{ details.display_required }} | {% if ("choices" in details) %}<ul>{% for choice in details.choices %}<li>{{ choice }}</li>{% endfor %}</ul>{% endif %} | {{ details.display_default }} |
+  {%- endfor %}
+
+  {% endfor -%}
+  {% endif -%}
+  {% endfor %}
+  ## License
+  {{ metadata.galaxy_info.license }}
+
+  ## Author and Project Information
+  {%- if "company" in metadata.galaxy_info %}
+  {{ metadata.galaxy_info.author }} @ {{ metadata.galaxy_info.company }}
+  {%- else %}
+  {{ metadata.galaxy_info.author }}
+  {%- endif %}
+  {% if metadata.galaxy_info.issue_tracker_url is defined and metadata.galaxy_info.issue_tracker_url | length > 0 %}
+  Issues: [tracker]({{ metadata.galaxy_info.issue_tracker_url }})
+  {%- endif -%}
+
+  <!-- END_ANSIBLE_DOCS -->

roles/linux_member/.ansible-lint

@@ -0,0 +1,2 @@
+---
+var_naming_pattern: '.*'

roles/linux_member/.yamllint

@@ -0,0 +1,30 @@
+---
+extends: default
+
+rules:
+  braces:
+    max-spaces-inside: 1
+    level: error
+  brackets:
+    max-spaces-inside: 1
+    level: error
+  colons:
+    max-spaces-after: -1
+    level: error
+  commas:
+    max-spaces-after: -1
+    level: error
+  comments: disable
+  comments-indentation: disable
+  document-start: disable
+  empty-lines:
+    max: 3
+    level: error
+  hyphens:
+    level: error
+  indentation: disable
+  key-duplicates: enable
+  line-length: disable
+  new-lines:
+    type: unix
+  trailing-spaces: disable

roles/linux_member/README.md

@@ -0,0 +1,48 @@
+<!-- BEGIN_ANSIBLE_DOCS -->
+
+# Ansible Role: trippsc2.ad.linux_member
+Version: 1.1.0
+
+This role joins a Linux machine to a Windows domain.
+
+## Requirements
+
+| Platform | Versions |
+| -------- | -------- |
+| Debian | <ul><li>bullseye</li><li>bookworm</li></ul> |
+| EL | <ul><li>8</li></ul> |
+| Ubuntu | <ul><li>focal</li><li>jammy</li><li>noble</li></ul> |
+
+## Dependencies
+
+| Collection |
+| ---------- |
+| community.general |
+
+## Role Arguments
+|Option|Description|Type|Required|Choices|Default|
+|---|---|---|---|---|---|
+| domjoin_domain_name | The name of the domain to which the Linux machine will be joined. | str | yes |  |  |
+| domjoin_computer_ou | The OU in which the computer account will be created. This is the distinguished name of the OU relative to the base of the domain (e.g. 'OU=Linux' not 'OU=Linux,DC=test,DC=loc'). | str | no |  |  |
+| domjoin_domain_user | The user account to use for joining the Linux machine to the domain. | str | yes |  |  |
+| domjoin_domain_password | The password for the domain user account. | str | yes |  |  |
+| domjoin_override_space | The character used to override spaces in user or group names. | str | no |  |  |
+| domjoin_default_shell | The default shell for domain users. | str | no |  | /bin/bash |
+| domjoin_use_fully_qualified_names | Whether to use fully qualified names for domain users and groups. | bool | no |  | true |
+| domjoin_fallback_homedir | The fallback home directory for domain users. | str | no |  | /home/%u@%d |
+| domjoin_enable_gc | Whether to enable the Global Catalog for the domain. If disabled, trust relationships with other domains will not be available, but logins will be faster. | bool | no |  | false |
+| domjoin_gpo_access_control | The access control mode for Group Policy Objects. See https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/integrating_rhel_systems_directly_with_windows_active_directory/managing-direct-connections-to-ad_integrating-rhel-systems-directly-with-active-directory#applying-group-policy-object-access-control-in-rhel_managing-direct-connections-to-ad for details. | str | no | <ul><li>disabled</li><li>permissive</li><li>enforcing</li></ul> | disabled |
+| domjoin_sudoers_users | A list of domain users who should be added to the sudoers file. Space characters in the user names will be replaced with the character specified in `domjoin_override_space`. | list of 'str' | no |  |  |
+| domjoin_sudoers_groups | A list of domain groups who should be added to the sudoers file. Space characters in the user names will be replaced with the character specified in `domjoin_override_space`. | list of 'str' | no |  |  |
+| domjoin_add_ssh_allowusers | A list of domain users who should be added to the AllowUsers directive in the SSH configuration. Space characters in the user names will be replaced with the character specified in `domjoin_override_space`. If no users are currently in the AllowUsers directive, the directive will **not** be created. | list of 'str' | no |  |  |
+| domjoin_add_ssh_allowgroups | A list of domain groups who should be added to the AllowGroups directive in the SSH configuration. Space characters in the group names will be replaced with the character specified in `domjoin_override_space`. If no groups are currently in the AllowGroups directive, the directive will **not** be created. | list of 'str' | no |  |  |
+| domjoin_add_ssh_denyusers | A list of domain users who should be added to the DenyUsers directive in the SSH configuration. Space characters in the user names will be replaced with the character specified in `domjoin_override_space`. | list of 'str' | no |  |  |
+| domjoin_add_ssh_denygroups | A list of domain groups who should be added to the DenyGroups directive in the SSH configuration. Space characters in the group names will be replaced with the character specified in `domjoin_override_space`. | list of 'str' | no |  |  |
+
+
+## License
+MIT
+
+## Author and Project Information
+Jim Tarpley
+<!-- END_ANSIBLE_DOCS -->

roles/linux_member/defaults/main.yml

@@ -0,0 +1,14 @@
+---
+domjoin_default_shell: /bin/bash
+domjoin_use_fully_qualified_names: true
+domjoin_fallback_homedir: /home/%u@%d
+domjoin_enable_gc: true
+domjoin_gpo_access_control: enforcing
+
+domjoin_sudoers_users: []
+domjoin_sudoers_groups: []
+
+domjoin_add_ssh_allowusers: []
+domjoin_add_ssh_allowgroups: []
+domjoin_add_ssh_denyusers: []
+domjoin_add_ssh_denygroups: []

roles/linux_member/handlers/main.yml

@@ -0,0 +1,22 @@
+---
+- name: Enable mkhomedir in PAM
+  listen: _domjoin_enable_pam_mkhomedir
+  when:
+    - ansible_os_family != 'RedHat'
+  become: true
+  ansible.builtin.command: pam-auth-update --enable mkhomedir
+  changed_when: true
+
+- name: Restart SSSD
+  listen: _domjoin_sssd_restart
+  become: true
+  ansible.builtin.systemd_service:
+    name: sssd.service
+    state: restarted
+
+- name: Restart SSHD
+  listen: _domjoin_sshd_restart
+  become: true
+  ansible.builtin.systemd_service:
+    name: "{{ _domjoin_ssh_service }}"
+    state: restarted

roles/linux_member/meta/argument_specs.yml

@@ -0,0 +1,119 @@
+---
+argument_specs:
+  main:
+    short_description: Linux Domain Join
+    description:
+      - This role joins a Linux machine to a Windows domain.
+    author: Jim Tarpley
+    options:
+      domjoin_domain_name:
+        type: str
+        required: true
+        description:
+          - The name of the domain to which the Linux machine will be joined.
+      domjoin_computer_ou:
+        type: str
+        required: false
+        description:
+          - The OU in which the computer account will be created.
+          - This is the distinguished name of the OU relative to the base of the domain (e.g. 'OU=Linux' not 'OU=Linux,DC=test,DC=loc').
+      domjoin_domain_user:
+        type: str
+        required: true
+        description:
+          - The user account to use for joining the Linux machine to the domain.
+      domjoin_domain_password:
+        type: str
+        required: true
+        no_log: true
+        description:
+          - The password for the domain user account.
+      domjoin_override_space:
+        type: str
+        required: false
+        description:
+          - The character used to override spaces in user or group names.
+      domjoin_default_shell:
+        type: str
+        required: false
+        default: /bin/bash
+        description:
+          - The default shell for domain users.
+      domjoin_use_fully_qualified_names:
+        type: bool
+        required: false
+        default: true
+        description:
+          - Whether to use fully qualified names for domain users and groups.
+      domjoin_fallback_homedir:
+        type: str
+        required: false
+        default: /home/%u@%d
+        description:
+          - The fallback home directory for domain users.
+      domjoin_enable_gc:
+        type: bool
+        required: false
+        default: false
+        description:
+          - Whether to enable the Global Catalog for the domain.
+          - If disabled, trust relationships with other domains will not be available, but logins will be faster.
+      domjoin_gpo_access_control:
+        type: str
+        required: false
+        default: disabled
+        choices:
+          - disabled
+          - permissive
+          - enforcing
+        description:
+          - The access control mode for Group Policy Objects.
+          - See https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/integrating_rhel_systems_directly_with_windows_active_directory/managing-direct-connections-to-ad_integrating-rhel-systems-directly-with-active-directory#applying-group-policy-object-access-control-in-rhel_managing-direct-connections-to-ad for details.
+      domjoin_sudoers_users:
+        type: list
+        elements: str
+        required: false
+        description:
+          - A list of domain users who should be added to the sudoers file.
+          - Space characters in the user names will be replaced with the character specified in `domjoin_override_space`.
+      domjoin_sudoers_groups:
+        type: list
+        elements: str
+        required: false
+        description:
+          - A list of domain groups who should be added to the sudoers file.
+          - Space characters in the user names will be replaced with the character specified in `domjoin_override_space`.
+      domjoin_add_ssh_allowusers:
+        type: list
+        elements: str
+        required: false
+        default: []
+        description:
+          - A list of domain users who should be added to the AllowUsers directive in the SSH configuration.
+          - Space characters in the user names will be replaced with the character specified in `domjoin_override_space`.
+          - If no users are currently in the AllowUsers directive, the directive will **not** be created.
+      domjoin_add_ssh_allowgroups:
+        type: list
+        elements: str
+        required: false
+        default: []
+        description:
+          - A list of domain groups who should be added to the AllowGroups directive in the SSH configuration.
+          - Space characters in the group names will be replaced with the character specified in `domjoin_override_space`.
+          - If no groups are currently in the AllowGroups directive, the directive will **not** be created.
+      domjoin_add_ssh_denyusers:
+        type: list
+        elements: str
+        required: false
+        default: []
+        description:
+          - A list of domain users who should be added to the DenyUsers directive in the SSH configuration.
+          - Space characters in the user names will be replaced with the character specified in `domjoin_override_space`.
+      domjoin_add_ssh_denygroups:
+        type: list
+        elements: str
+        required: false
+        default: []
+        description:
+          - A list of domain groups who should be added to the DenyGroups directive in the SSH configuration.
+          - Space characters in the group names will be replaced with the character specified in `domjoin_override_space`.

roles/linux_member/meta/main.yml

@@ -0,0 +1,28 @@
+---
+galaxy_info:
+    author: Jim Tarpley
+    namespace: trippsc2
+    role_name: linux_member
+    description: This role joins a Linux machine to a Windows domain.
+    license: MIT
+
+    min_ansible_version: '2.14'
+
+    platforms:
+      - name: Debian
+        versions:
+          - bullseye
+          - bookworm
+      - name: EL
+        versions:
+          - '8'
+      - name: Ubuntu
+        versions:
+          - focal
+          - jammy
+          - noble
+
+collections:
+  - community.general
+
+dependencies: []

roles/linux_member/molecule-tests.sh

@@ -0,0 +1,13 @@
+#! /bin/bash
+
+set -e
+
+MOLECULE_BOX="rocky8_cis" molecule test
+MOLECULE_BOX="rocky9_base" molecule test
+
+MOLECULE_BOX="debian12_base" molecule test
+MOLECULE_BOX="debian11_base" molecule test
+
+MOLECULE_BOX="ubuntu2404_base" molecule test
+MOLECULE_BOX="ubuntu2204_base" molecule test
+MOLECULE_BOX="ubuntu2004_base" molecule test

roles/linux_member/molecule/default/converge.yml

@@ -0,0 +1,6 @@
+---
+- name: Converge
+  hosts:
+    - subjects
+  roles:
+    - role: trippsc2.ad.linux_member