2025-06-26-13-33-49: Cronjob

roles/kerberize/handlers/main.yml

@@ -0,0 +1,5 @@
+- name: Reload sshd
+  ansible.builtin.systemd:
+    name: sshd
+    state: reloaded
+  when: not run_in_installer|default(false)|bool

roles/kerberize/tasks/main.yml

@@ -0,0 +1,49 @@
+- name: Install kerberos packages
+  ansible.builtin.apt:
+    name: krb5-user
+
+- name: Kerberize sshd server
+  ansible.builtin.copy:
+    dest: /etc/ssh/sshd_config.d/kerberize.conf
+    mode: '0644'
+    content: |
+      GSSAPIAuthentication yes
+  notify: "Reload sshd"
+
+- name: Kerberize ssh client, authenticate and delegate credentials
+  ansible.builtin.copy:
+    dest: /etc/ssh/ssh_config.d/kerberize.conf
+    mode: '0644'
+    content: |
+      GSSAPIAuthentication yes
+      GSSAPIDelegateCredentials yes
+
+- name: Check if firefox is available
+  ansible.builtin.stat:
+    path: /etc/firefox-esr/firefox-esr.js
+  register: firefox
+
+- name: Kerberize firefox for sites in the local domain
+  ansible.builtin.lineinfile:
+    dest: /etc/firefox-esr/firefox-esr.js
+    line: "{{ item }}"
+  with_items:
+    - '// kerberize for sites in the local domain:'
+    - 'pref("network.negotiate-auth.delegation-uris", "{{ kerberize_uris | default(ansible_domain) }}");'
+    - 'pref("network.negotiate-auth.trusted-uris", "{{ kerberize_uris | default(ansible_domain) }}");'
+  when: firefox.stat.exists
+
+- name: Ensures /etc/chromium/policies/managed dir exists
+  ansible.builtin.file:
+    path: "/etc/chromium/policies/managed"
+    state: directory
+    mode: '0755'
+
+- name: Kerberize chromium for sites in the local domain
+  ansible.builtin.copy:
+    dest: /etc/chromium/policies/managed/idam.json
+    mode: '0644'
+    content: |
+      {
+        "AuthServerAllowlist": "{{ kerberize_uris | default(ansible_domain) }}"
+      }