add system of lock screen and suspend computer

juan jose lopez · juan jose lopez · commit f4b4067d1881 · 2020-11-23T17:22:07.000+01:00
diff --git a/ansible.yml b/ansible.yml
@@ -27,3 +27,8 @@
   gather_facts: true
   roles:
     - apple
+
+- hosts: screen_lock
+  gather_facts: true
+  roles:
+    - screen_lock
diff --git a/inventory/local/group_vars/all/all.yml b/inventory/local/group_vars/all/all.yml
@@ -5,13 +5,15 @@ ldap_setup: true
 kerberos_setup: true
 sssd_setup: true
 apple_blk_setup: true
+screen_lock_setup: true
 
 main_uninstall: false
 bind9_uninstall: false
 ldap_uninstall: false
 kerberos_uninstall: false
 sssd_uninstall: false
 apple_blk_uninstall: false
+screen_lock_uninstall: false
 
 domain: '{{ domainbase }}'
 openldap_org: '{{ organization }}'
@@ -20,4 +22,10 @@ sudoers: "SUDOers"
 
 backup_hour: 1
 backup_minute: 24
-backup_days_to_delete: 10
+backup_days_to_delete: 10
+
+#Lock screen and suspend computer
+name_lock: screen_lock
+time_lock: 600
+name_suspend: suspend
+time_suspend: 1800
diff --git a/inventory/local/group_vars/all/screen_lock.yml b/inventory/local/group_vars/all/screen_lock.yml
@@ -0,0 +1,2 @@
+---
+# vars file for universal-domain-controller
diff --git a/inventory/local/hosts.ini b/inventory/local/hosts.ini
@@ -1,17 +1,20 @@
-node-1 ansible_host=192.168.1.44 ansible_port=22 ansible_user='usuario' ansible_sudo_pass=usuario ansible_ssh_private_key_file='~/.ssh/id_rsa.pub'
-node-2 ansible_host=192.168.1.36 ansible_port=22 ansible_user='usuario' ansible_sudo_pass=usuario ansible_ssh_private_key_file='~/.ssh/id_rsa.pub'
+node-1 ansible_host=192.168.1.35 ansible_port=22 ansible_user='usuario' ansible_sudo_pass=usuario ansible_ssh_private_key_file='~/.ssh/id_rsa.pub'
+node-2 ansible_host=192.168.1.33 ansible_port=22 ansible_user='usuario' ansible_sudo_pass=usuario ansible_ssh_private_key_file='~/.ssh/id_rsa.pub'
 
-; [bind9]
-; node-1
+[bind9]
+node-1
 
-; [ldap]
-; node-1
+[ldap]
+node-1
 
-; [kerberos]
-; node-1
+[kerberos]
+node-1
 
 ; [apple]
 ; node-2
 
 [sssd]
+node-2
+
+[screen_lock]
 node-2
diff --git a/roles/ldap/tasks/install_openldap.yml b/roles/ldap/tasks/install_openldap.yml
@@ -54,6 +54,7 @@
 
 - include: config_openldap.yml
 - include: read_only_openldap.yml
+- include: time_lock_screen_and_suspend_openldap.yml
 - include: apple_openldap.yml
 
 - name: Copy script backup and logrotate
diff --git a/roles/ldap/tasks/time_lock_screen_and_suspend_openldap.yml b/roles/ldap/tasks/time_lock_screen_and_suspend_openldap.yml
@@ -0,0 +1,12 @@
+- name: Generate ldif, time lock screen
+  template:
+    src: "ldap/slapd.d/time_lock_and_suspend_screen.ldif.j2"
+    dest: "/etc/ldap/slapd.d/time_lock_and_suspend_screen.ldif"
+    owner: root
+    group: root
+    mode: 0640
+
+- name: Create user, time lock screen
+  shell: 'ldapadd -x -D {{ openldap_bind_id }} -w {{ openldap_admin_password }} -f /etc/ldap/slapd.d/time_lock_and_suspend_screen.ldif'
+  ignore_errors: yes
+  
diff --git a/roles/ldap/templates/ldap/slapd.d/time_lock_and_suspend_screen.ldif.j2 b/roles/ldap/templates/ldap/slapd.d/time_lock_and_suspend_screen.ldif.j2
@@ -0,0 +1,9 @@
+dn: cn={{ name_lock }},{{ openldap_base }}
+cn: {{ name_lock }}
+objectClass: organizationalRole
+description: {{ name_lock }}-{{ time_lock }}
+
+dn: cn={{ name_suspend }},{{ openldap_base }}
+cn: {{ name_suspend }}
+objectClass: organizationalRole
+description: {{ name_suspend }}-{{ time_suspend }}
diff --git a/roles/screen_lock/README.md b/roles/screen_lock/README.md
@@ -0,0 +1,3 @@
+# SSSD Role
+
+Guide: https://aws.nz/best-practice/sssd-ldap/
diff --git a/roles/screen_lock/defaults/main.yml b/roles/screen_lock/defaults/main.yml
@@ -0,0 +1 @@
+---
diff --git a/roles/screen_lock/handlers/main.yml b/roles/screen_lock/handlers/main.yml
@@ -0,0 +1,2 @@
+---
+# handlers file for screen-lock
diff --git a/roles/screen_lock/meta/main.yml b/roles/screen_lock/meta/main.yml
@@ -0,0 +1,12 @@
+galaxy_info:
+  author: Guadaltech
+  description: BLK (Bind9 + LDAP + Kerberos)
+  license: license (GPLv2, CC-BY, etc)
+  min_ansible_version: 2.4
+  platforms:
+    - name: Ubuntu
+      versions:
+        - trusty
+        - xenial
+  galaxy_tags: ['kerberos', 'ldap', 'samba', 'sssd', 'xautolock', 'xss-lock', 'domain', 'ubuntu']
+dependencies: []
diff --git a/roles/screen_lock/tasks/config_lock.yml b/roles/screen_lock/tasks/config_lock.yml
@@ -0,0 +1,26 @@
+- name: config_systemd | configuring xss
+  template:
+    src: "lock.service.j2"
+    dest: "/etc/systemd/system/lock.service"
+    owner: root
+    group: root
+    mode: 0755
+
+
+- name: Enable service xss and ensure it is not masked
+  systemd:
+    name: lock.service
+    state: restarted
+    daemon_reload: yes
+    enabled: yes
+    masked: no
+
+- name: config_systemd | configuring xss
+  template:
+    src: "init-time-lock.sh.j2"
+    dest: "/usr/bin/init-time-lock.sh"
+    owner: root
+    group: root
+    mode: 0700
+
+- include: config_suspend.yml
diff --git a/roles/screen_lock/tasks/config_suspend.yml b/roles/screen_lock/tasks/config_suspend.yml
@@ -0,0 +1,24 @@
+- name: config_systemd | configuring suspend
+  template:
+    src: "suspend.service.j2"
+    dest: "/etc/systemd/system/suspend.service"
+    owner: root
+    group: root
+    mode: 0755
+
+
+- name: Enable service suspend and ensure it is not masked
+  systemd:
+    name: suspend.service
+    state: restarted
+    daemon_reload: yes
+    enabled: yes
+    masked: no
+
+- name: config_systemd | configuring suspend
+  template:
+    src: "init-time-suspend.sh.j2"
+    dest: "/usr/bin/init-time-suspend.sh"
+    owner: root
+    group: root
+    mode: 0700
diff --git a/roles/screen_lock/tasks/delete_config_lock.yml b/roles/screen_lock/tasks/delete_config_lock.yml
@@ -0,0 +1,19 @@
+- name: Recursively remove service lock
+  file:
+    path: /etc/systemd/system/lock.service
+    state: absent
+
+- name: Recursively remove service suspend
+  file:
+    path: /etc/systemd/system/suspend.service
+    state: absent
+
+- name: Recursively remove script lock
+  file:
+    path: /usr/bin/init-time-lock.sh
+    state: absent
+  
+- name: Recursively remove script suspend
+  file:
+    path: /usr/bin/init-time-suspend.sh
+    state: absent
diff --git a/roles/screen_lock/tasks/main.yml b/roles/screen_lock/tasks/main.yml
@@ -0,0 +1,6 @@
+---
+- include_tasks: config_lock.yml
+  when: screen_lock_setup == true
+
+- include_tasks: delete_config_lock.yml
+  when: screen_lock_uninstall == true
diff --git a/roles/screen_lock/templates/init-time-lock.sh.j2 b/roles/screen_lock/templates/init-time-lock.sh.j2
@@ -0,0 +1,35 @@
+#!/bin/sh
+lock () {
+lock_second=$1
+for x in /tmp/.X11-unix/*; do
+    for i in $(loginctl list-users | awk '{ print $1}' | tail -n +2 | head -n -2); do
+            runuser -l $(id -un $i) -c "DISPLAY=\":${x#/tmp/.X11-unix/X}\" /usr/bin/xprintidle"
+            time=$(runuser -l $(id -un $i) -c "DISPLAY=\":${x#/tmp/.X11-unix/X}\" /usr/bin/xprintidle")
+            if [ $time ] ; then
+               result=$(($time/1000))
+               if [ $result -ge $lock_second ]; then
+                  /bin/loginctl lock-sessions
+               fi
+            fi
+    done
+    sleep 5
+done
+}
+
+if ldapsearch -x -b "cn={{ name_lock }},{{ openldap_base }}" -H ldap://ldap.{{ domain }} ; then
+    lock_second=$(ldapsearch -x -b "cn={{ name_lock }},{{ openldap_base }}" -H ldap://ldap.{{ domain }}  | grep 'description' | cut -d '-' -f 2)
+    echo "$lock_second" > /etc/lock
+else
+    if -f /etc/lock ; then
+        lock_second=$(cat /etc/lock)
+    else
+        echo "300" > /etc/lock
+        lock_second=$(cat /etc/lock)
+    fi
+fi
+
+while :
+do
+    lock $lock_second
+    sleep 1
+done
diff --git a/roles/screen_lock/templates/init-time-suspend.sh.j2 b/roles/screen_lock/templates/init-time-suspend.sh.j2
@@ -0,0 +1,36 @@
+#!/bin/sh
+suspend () {
+suspend_second=$1
+for x in /tmp/.X11-unix/*; do
+    for i in $(loginctl list-users | awk '{ print $1}' | tail -n +2 | head -n -2); do
+            runuser -l $(id -un $i) -c "DISPLAY=\":${x#/tmp/.X11-unix/X}\" /usr/bin/xprintidle"
+            time=$(runuser -l $(id -un $i) -c "DISPLAY=\":${x#/tmp/.X11-unix/X}\" /usr/bin/xprintidle")
+            if [ $time ] ; then
+               result=$(($time/1000))
+               if [ $result -ge $suspend_second ]; then
+                  systemctl suspend
+               fi
+            fi
+    done
+    sleep 5
+done
+}
+
+
+if ldapsearch -x -b "cn={{ name_suspend }},{{ openldap_base }}" -H ldap://ldap.{{ domain }} ; then
+    suspend_second=$(ldapsearch -x -b "cn={{ name_suspend }},{{ openldap_base }}" -H ldap://ldap.{{ domain }} | grep 'description' | cut -d '-' -f 2)
+    echo "$suspend_second" > /etc/time_suspend
+else
+    if ! -f /etc/time_suspend ; then
+        suspend_second=$(cat /etc/time_suspend)
+    else
+        echo "300" > /etc/time_suspend
+        suspend_second=$(cat /etc/time_suspend)
+    fi
+fi
+
+while :
+do
+    suspend $suspend_second
+    sleep 1
+done
diff --git a/roles/screen_lock/templates/lock.service.j2 b/roles/screen_lock/templates/lock.service.j2
@@ -0,0 +1,14 @@
+[Unit]
+Description=LOCK
+After=network.target
+StartLimitIntervalSec=0
+
+[Service]
+Type=simple
+Restart=always
+RestartSec=1
+User=root
+ExecStart=/usr/bin/init-time-lock.sh
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/screen_lock/templates/suspend.service.j2 b/roles/screen_lock/templates/suspend.service.j2
@@ -0,0 +1,14 @@
+[Unit]
+Description=XAUTOLOCK-SUSPEND
+After=network.target
+StartLimitIntervalSec=0
+
+[Service]
+Type=simple
+Restart=always
+RestartSec=1
+User=root
+ExecStart=/usr/bin/init-time-suspend.sh
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/screen_lock/vars/main.yml b/roles/screen_lock/vars/main.yml
@@ -0,0 +1,2 @@
+---
+# vars file for sssd

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+---`
	`2`	`+# vars file for universal-domain-controller`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+# SSSD Role`
	`2`	`+`
	`3`	`+Guide: https://aws.nz/best-practice/sssd-ldap/`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+---`
	`2`	`+# handlers file for screen-lock`