Update to 2023-05-03 11:00

roles/postfix/templates/main.cf.j2

@@ -20,7 +20,7 @@ smtpd_recipient_restrictions = permit_mynetworks,reject
 
 {% if postfix_relay_host is defined and postfix_relay_host != False %}
 relayhost = {{ postfix_relay_host }}
-{% if postfix_relay_user is defined and postfix_relay_pass is defined %}
+{% if postfix_relay_user is defined and postfix_relay_user != '' and postfix_relay_pass is defined and postfix_relay_pass != ''%}
 smtp_sasl_auth_enable = yes
 smtp_sasl_password_maps = hash:/etc/postfix/relay_auth
 {% endif %}

roles/ssh/templates/sshd_config.j2

@@ -14,9 +14,10 @@ UseDNS {{ sshd_use_dns | ternary('yes', 'no') }}
 
 {% if sshd_authorized_keys_command is defined %}
 AuthorizedKeysCommand {{ sshd_authorized_keys_command }}
-{% if sshd_authorized_keys_command_user is defined %}
-AuthorizedKeysCommandUser {{ sshd_authorized_keys_command_user }}
-{% endif %}
+AuthorizedKeysCommandUser {{ sshd_authorized_keys_command_user | default('nobody') }}
+{% elif ad_auth | default(False) == True and ad_ldap_user_ssh_public_key is defined %}
+AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
+AuthorizedKeysCommandUser nobody
 {% endif %}
 
 HostKey /etc/ssh/ssh_host_rsa_key

roles/sssd_ad_auth/defaults/main.yml

@@ -39,3 +39,6 @@ ad_default_trusted_domain:
 # You can define a custom search base, with a scope and a filter for groups:
 # ad_ldap_group_search_base: CN=Users,dc=ad,dc=domain,dc=com?sub?(|(cn=Domain Users)(cn=Domain Admins))
 # ad_ldap_user_search_base: OU=IT,DC=AD,DC=DOMAIN,DC=COM?sub
+
+# You can set an attribute holding SSH keys of users
+# ad_ldap_user_ssh_public_key: altSecurityIdentities

roles/sssd_ad_auth/templates/sssd.conf.j2

@@ -1,5 +1,6 @@
 [sssd]
-services = nss, pam, pac
+services = nss, pam, pac{% if ad_ldap_user_ssh_public_key is defined %}, ssh{% endif %}
+
 config_file_version = 2
 domains = {{ ad_realm | upper }}{% for domain in ad_trusted_domains %}, {{ domain.name | upper }}{% endfor %}
 
@@ -39,6 +40,9 @@ dyndns_update = false
 {% if ad_private_groups %}
 auto_private_groups = true
 {% endif %}
+{% if ad_ldap_user_ssh_public_key is defined %}
+ldap_user_ssh_public_key = {{ ad_ldap_user_ssh_public_key }}
+{% endif %}
 
 {% for domain in ad_trusted_domains %}
 
@@ -63,4 +67,7 @@ ldap_user_search_base = {{ domain.ldap_user_search_base }}
 ldap_group_search_base = {{ domain.ldap_group_search_base }}
 {% endif %}
 ad_gpo_access_control = {{ domain.ad_gpo_access_control | default(ad_gpo_access_control) }}
+{% if domain.ad_ldap_user_ssh_public_key is defined or ad_ldap_user_ssh_public_key is defined %}
+ldap_user_ssh_public_key = {{ domain.ad_ldap_user_ssh_public_key | default(ad_ldap_user_ssh_public_key) }}
+{% endif %}
 {% endfor %}

roles/vaultwarden/defaults/main.yml

@@ -4,9 +4,9 @@ vaultwarden_version: 1.28.1
 vaultwarden_archive_url: https://github.com/dani-garcia/vaultwarden/archive/{{ vaultwarden_version }}.tar.gz
 vaultwarden_archive_sha256: d6991cba20d8aaf7559eb4b8a7d82b68476c12d4913142490839addc2562d12a
 
-vaultwarden_web_version: 2023.3.0b
+vaultwarden_web_version: 2023.4.0
 vaultwarden_web_archive_url: https://github.com/dani-garcia/bw_web_builds/releases/download/v{{ vaultwarden_web_version }}/bw_web_v{{ vaultwarden_web_version }}.tar.gz
-vaultwarden_web_archive_sha256: ac3d27cbbb0dabb09cba0029c0b4d13b4f866fa3ae4eaa2dfd1f3880800ce19c
+vaultwarden_web_archive_sha256: 01d74880c027f74c13a287e1f882bcbfba1771320c2cc516445e6697b768f283
 
 vaultwarden_root_dir: /opt/vaultwarden
 vaultwarden_user: vaultwarden