univention / ansible-roles

Ansible roles to setup, configure and deploy UCS

UCS Ansible Roles

This repository only contains ansible roles usable in an ansible-playbook to install and bootstrap UCS.

Modules


roles/modify_ucs_ca/README.md

Modify UCS certs

Modify existing Univention certificates.

Requirements

none

Role Variables

  • modify_ucs_ca_external_domain_name(string): The external domain name.
  • modify_ucs_ca_external_domain_part(string): The part of an external domain, possibly excluding the first subdomain.
  • modify_ucs_ca_external_domain_prefix(string): The first subdomain, if it exists.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/improve_usability_ui_changes/README.md

Improve usability ui changes.

This role will improve ui.

Requirements

none

Role Variables

  • improve_usability_ui_changes_basedn(): The LDAP base domain name.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/ox_connector/README.md

OX Connector

This role configures and installs the OX connector.

Requirements

  • univention.ucs_modules
    • univention_config_registry

Role Variables

  • ox_connector_basedn(string): The LDAP base dn.
  • ox_connector_domain_name(string): The system's dns domain name.
  • ox_connector_domain_prefix(string): The system's dns domain prefix. Useful when the OX server is in the same network.
  • ox_connector_default_context (string): The default context that is being assigned to objects when there is no explicit definition; default: 9999
  • ox_connector_soap_prefix(string): The ox soap server prefix; default: ox-provisioning.
  • ox_connector_app_version_map(map): A dictionary that maps application names to specific versions that ought to be installed.
  • ox_connector_temp_pw_file(map): Tempfile object where univention app password is stored.
  • ox_connector_master_admin(string): The name of OX administrator.
  • ox_connector_master_password(string): The password of OX administrator.
  • ox_connector_server_type(string): Which type of UCS server to set up. The possible options are master and backup. The default is master, which also means "standalone". If backup is chosen the following variable also has to be set; default: master.
  • ox_connector_template_name(string): The name of default ox access template; default: "standard".
  • ox_connector_hide_logging(boolean): Toggle logging of sensitive information like passwords; default: true.
  • ox_connector_usertemplate_name(string): Name of the User Template to be used, while creating a new user; default: "Benutzer mit Groupware-Konto".
  • ox_connector_imap_server(string): How the user in OX will connect to the IMAP backend, this value is relative to the OX AppSuite middleware server; default: imap://127.0.0.1:143
  • ox_connector_smtp_server(string): How the user in OX will connect to the SMTP service, this value is relative to the OX AppSuite middleware server; default: smtp://127.0.0.1:26

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/configure_network_proxy/README.md

Configure network proxy

This role configures network proxy via UCR.

Requirements

  • univention.ucs_modules
    • univention_config_registry

Role Variables

  • configure_network_proxy_enabled(boolean): Toggle network proxy usage
  • configure_network_proxy_http_proxy(string): The HTTP proxy server, e.g. http://192.168.1.100:3128. If the proxy requires authentication, the username and the password can be provided in the format http://username:password@192.168.1.100:3128.
  • configure_network_proxy_https_proxy(string): The HTTPS proxy server, e.g. https://192.168.1.100:3128. If the proxy requires authentication, the username and the password can be provided in the format https://username:password@192.168.1.100:3128.
  • configure_network_proxy_no_proxy(string): A comma-separated list of domain names for which the proxy should not be consulted. An exception for a domain like univention.de also applies to a subdomain like apt.univention.de.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/install_nextcloud_app/README.md

Install app for nextcloud

This role installs an app for nextcloud

Requirements

none

Role Variables

  • install_nextcloud_app_name(string): The name of nextcloud app to be installed from store.
  • install_nextcloud_app_opertation(string): Define operation mode; default: "install".

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/univention_firewall/README.md

Univention firewall rules.

Manage predefined univention-firewall rules.

Requirements

  • univention.ucs_modules
    • univention_config_registry

Role Variables

  • univention_firewall_telegraf(string): Set firewall status of telegraf service; default: "ACCEPT".

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/install_service_selfservices/README.md

Install selfservices service

This role installs selfservice services.

Requirements

  • univention.ucs_modules
    • univention_config_registry

Role Variables

  • install_service_selfservice_service_version_map(map): A dictionary that maps service names to specific versions that ought to be installed. See also install_service_selfservice_force_package_upgrade for a way to upgrade already installed software.
  • install_service_selfservice_temp_file(map): Ansible temporary dir.
  • install_service_selfservice_force_package_upgrade(bool): If set to true, already installed application versions are checked and, if the installed version differs from what has been specified in install_service_selfservice_service_version_map, that version is installed instead. Choosing false results in the role ignoring already installed software and skipping installation; default: false.
  • install_service_selfservice_external_hostname(string): The host name that is used to talk to the system.
  • install_service_selfservice_install_services(list): A list of services to install.
  • install_service_selfservice_domain_name(string): The LDAP base domain name.
  • install_service_selfservice_password_reset_filename(string): The name of password reset template.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/remove_packages/README.md

Remove packages

This role removes univention apps with/without fixed versions.

Requirements

none

Role Variables

  • remove_packages_app_version_map(map): A dictionary that maps application names to specific versions that ought to be installed. See also install_packages_force_package_upgrade for a way to upgrade already installed software.
  • remove_packages_temp_pw_file(map): Tempfile object where univention app password is stored.
  • remove_packages_force_package_upgrade(bool): If set to true, already installed application versions are checked and, if the installed version differs from what has been specified in install_packages_app_version_map, that version is installed instead. Choosing false results in the role ignoring already installed software and skipping installation; default: false.
  • remove_packages_remove_apps(list): A list of applications to install.
  • remove_packages_app_version_map(map): A map of packages with/without version to be removed.
  • remove_packages_service_name_list(list): A list containing application names to be installed.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/configure_apps_postfix_relay/README.md

Configure Postfix relay (apps)

This role modifies postfix relay configuration.

Requirements

  • univention.ucs_modules
    • univention_config_registry

Role Variables

  • configure_apps_postfix_relay_enabled(bool): Toggles if an SMTP relay host should be used; default: false.
  • configure_apps_postfix_relay_port(number): The port that is used to talk to the system; default: 25.
  • configure_apps_postfix_relay_host(string): The SMTP relay hostname.
  • configure_apps_postfix_relay_username(string): The SMTP relay username.
  • configure_apps_postfix_relay_password(string): The SMTP relay password.
  • configure_apps_postfix_relay_hide_logging(boolean): Toggles output logging of sensitive information; default: true.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/configure_directory_manager/README.md

Configure directory manager

This role configures directory manager settings.

Requirements

  • univention.ucs_modules
    • univention_config_registry

Role Variables

  • configure_directory_manager_mailprimaryaddress_required(bool): Toggles if mailPrimaryAddress should be required; default: false.
  • configure_directory_manager_firstname_required(bool): Toggles if forename should be required; default: false.
  • configure_directory_manager_wizard_disabled(string): Toggles the wizard. When set to Yes, wizard is enabled; default: No.
  • configure_directory_manager_invite_default(string): Toggles the default invitation behaviour; default: "True".
  • configure_directory_manager_overridepwlength_visible(string): Toggles whether the password length override is visible; default: "False".
  • configure_directory_manager_overridepwlength_default(string): Sets default value for password length override; default: "False".
  • configure_directory_manager_pwdchangenextlogin_visible(string): Toggles whether password change on next login is visible; default: "False".
  • configure_directory_manager_pwdchangenextlogin_default(string): Sets default value for password change on next login; default: "True".
  • configure_directory_manager_autosearch(string): Toggles whether the user autosearch is enabled; default: "False".
  • configure_directory_manager_username_syntax(string): Set the username syntax; default "uid".

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/configure_error_detail_show/README.md

Configure error detail show

This role configures if the error messages will display the details.

Requirements

  • univention.ucs_modules
    • univention_config_registry

Role Variables

  • configure_error_detail_show_http_tracebacks(bool): Defines whether tracebacks are shown to the user in error cases; default: false
  • configure_error_detail_show_directory_manager_rest_tracebacks(bool): Defines whether tracebacks are shown to the user in error cases; default: false
  • configure_error_detail_show_saml_idp_errors(bool): Defines if error information and stack traces allowed to be shown to the user; default: false
  • configure_error_detail_show_saml_idp_error_reporting(bool): Defines if error information and stack traces can be reported via email to the technical contact mail address; default: false

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/umc_policies_maintenance/README.md

UMC maintenance policies

This role sets UMC maintenance policies.

Requirements

none

Role Variables

  • umc_policies_maintenance_autoupdate_enabled(bool): Toggle autoupdate status; default: true.
  • umc_policies_maintenance_basedn(string): The LDAP base domain name.
  • umc_policies_maintenance_patchhour(string): The chosen hour for univention-update; default: 5.
  • umc_policies_maintenance_patchminute(string): The chosen minute for univention-update; default: 00.
  • umc_policies_maintenance_patchday(string): The chosen day for univention-update; default: Tuesday.
  • umc_policies_maintenance_release_version(string): The univention release version.
  • umc_policies_maintenance_hostname(string): The systems hostname; default: "{{ inventory_hostname }}"

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/cleanup_portal/README.md

Cleanup Portal

Remove default and unused portal entries.

Requirements

none

Role Variables

  • cleanup_portal_basedn(string): The LDAP base domain name.
  • cleanup_portal_install_services(list): A list of services to install.
  • cleanup_portal_domain_admin_group(string): default: "cn=Domain Admins,cn=groups,{{ cleanup_portal_basedn }}".
  • cleanup_portal_portal_dn(string): default: "cn=portals,cn=univention,{{ cleanup_portal_basedn }}".
  • cleanup_portal_prometheus_dn(string): default: 'cn=prometheus,cn=entry,{{ cleanup_portal_portal_dn }}'.
  • cleanup_portal_admin_dashboard_dn(string): default: 'cn=admin-dashboard,cn=entry,{{ cleanup_portal_portal_dn }}'.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/dovecot_connector/README.md

DC Connector

This role configures and installs the Dovecot (DC) connector.

Requirements

none

Role Variables

  • dovecot_connector_basedn(string): The LDAP base dn.
  • dovecot_connector_domain_name(string): The system's dns domain name.
  • dovecot_connector_domain_prefix(string): The system's dns domain prefix. Useful when the dovecot server is in the same network.
  • dovecot_connector_soap_prefix(string): The ox soap server prefix; default: ox-provisioning.
  • dovecot_connector_server_type(string): Which type of UCS server to set up. The possible options are master and backup. The default is master, which also means "standalone". If backup is chosen the following variable also has to be set; default: master.
  • dovecot_connector_app_version_map(map): A dictionary that maps application names to a specific version of the dovecot connector; default: ""
  • dovecot_connector_temp_pw_file: The temporary file containing the administrator password.
  • dovecot_connector_adm_accepted_exit_codes(string): DoveAdm exit code values that do not cause an abort; default: 68 75
  • dovecot_connector_adm_host(string): The domain name of the server on which DoveAdm was activated; default: dc-provisioning.dovecot_connector_domain_name
  • dovecot_connector_adm_port(string): The port on which DoveAdm is reachable; default: 443
  • dovecot_connector_adm_username(string): Username of the DoveAdm; default: ""
  • dovecot_connector_adm_password(string): Password of the DoveAdm; default: ""
  • dovecot_connector_adm_uri(string): DoveAdm URL template. Possible variables: {dcc_adm_host} and {dcc_adm_port}; default: https://{dcc_adm_host}:{dcc_adm_port:d}/doveadm/v1
  • dovecot_connector_dc_vmail_template(string): The vmail directory that Dovecot uses. Possible variables: {uuid}, {email}, {domain} and {username}; default: /data/usr/local/dovecot/vmail/{uuid[0]}{uuid[1]}/{uuid}
  • dovecot_connector_loglevel(string): The log level of the application. Values: DEBUG, INFO, WARNING and ERROR; default: INFO
  • dovecot_connector_hide_logging(bool): Toggle logging output; default: true

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/install_apps_ox_pre/README.md

Pre installation steps of OpenXchange (OX)

This role prepares OX installation.

Requirements

  • univention.ucs_modules
    • univention_config_registry

Role Variables

  • install_apps_ox_pre_external_hostname(string): The host name that is used to talk to the system.
  • install_apps_ox_pre_mail_domain(string): The externally managed mail domain.
  • install_apps_ox_pre_basedn(string): The LDAP base domain name.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/configure_keycloak/README.md

Configure Keycloak

This role configures keycloak, either via KCADM or REST.

Requirements

none

Role Variables

  • configure_keycloak_generate_oidc_broker_secret(bool): If set to true the client password used in the IDP creation is generated dynamically. If it is set to false the value in configure_keycloak_oidc_broker_secret is used instead. If configure_keycloak_config_type is set to static this variable implicitly is set to false; default: true
  • configure_keycloak_oidc_broker_secret(string): Client password used in the IDP creation. Only used when configure_keycloak_generate_oidc_broker_secret is set to false.
  • configure_keycloak_oidcidp_id(string): The name of the OpenID Connect Identity Provider to be configured when using dynamic configuration; default: "{{ inventory_hostname }}".
  • configure_keycloak_server_id(string): The OpenID Connect IDP broker ID. This is used in both config modes and defaults to keycloak.
  • configure_keycloak_oidc_username_template(string): default: "${CLAIM.preferred_username}_${ALIAS}"
  • configure_keycloak_client_callback_url(string): When configuring a new client on the keycloak server this URL is used as the OpenID callback URL. Defaults to none but has to be set IF the client doesn't exist already. If it does this variable is not used as the client is not going to be updated.
  • configure_keycloak_config_method(string): The configuration method against keycloak, either kcadm or rest; default: kcadm
  • configure_keycloak_config_type(string): This variable determines if the keycloak server configuration is done using this role (dynamic) or if things already have been configured and only the UCS side has to be configured (static). dynamic usually is used for setups with a lot of turnover, static is used in a more static environment. If set to 'none' keycloak configuration as a whole will be skipped, including the "client" side; default: dynamic.
  • configure_keycloak_keycloak_server(string): The server the UCS system will authenticate against.
  • configure_keycloak_auth_realm(string): As the name says, the realm that is used to authenticate our keycloak operations against. This is not the realm used for client configuration, for that the host's domain is used; default: master.
  • configure_keycloak_admin_username(string): The username used to authenticate to keycloak server when configuring the authentication connection, best stored in a secrets manager or encrypted using ansible-vault.
  • configure_keycloak_admin_password(string): The password used to authenticate to keycloak server when configuring the authentication connection, best stored in a secrets manager or encrypted using ansible-vault
  • configure_keycloak_realm(string): default: "{{ hostvars[inventory_hostname]['ansible_domain'] }}"
  • configre_keycloak_fqdn(string): default: "{{ hostvars[inventory_hostname]['ansible_fqdn'] }}"
  • configure_keycloak_client_id(string): The client's client id used to authenticate.
  • configure_keycloak_display_matrix_in_iframe(bool): When set to 'true', the host's FQDN is added to the CSP list. Be careful, the corresponding field has a size limit; default: false.
  • configure_keycloak_client_secret(string): default: false
  • configure_keycloak_base_url(string): default: "https://{{ configure_keycloak_keycloak_server }}/auth"
  • configure_keycloak_realm_base_url(string): default: "{{ configure_keycloak_base_url }}/admin/realms/{{ ansible_domain }}"
  • configure_keycloak_protocol_mapper_name(string): default: "identity-provider-mapper"
  • configure_keycloak_import_mapper_name(string): default: "append IDP to username"
  • configure_keycloak_hostname(string): The systems hostname; default: "{{ inventory_hostname }}"
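The following playbook is an added example and is not code from the ansible-roles repository. It shows the dynamic configuration mode described above with the admin credentials taken from an ansible-vault encrypted file, as the variable descriptions recommend. Assumptions: the collection name univention.ucs_roles (taken from the portal_entry example on this page), the host group ucs_master, a vault file vault.yml defining vault_keycloak_admin_password, and the server name and callback path, which are constructed placeholders.

```yaml
# Added example, not part of the ansible-roles repository.
# Assumptions: collection name univention.ucs_roles, host group ucs_master,
# vault.yml (ansible-vault encrypted) defining vault_keycloak_admin_password.
- hosts: ucs_master
  become: true
  vars_files:
    - vault.yml   # created with: ansible-vault create vault.yml
  tasks:
    - name: Configure Keycloak dynamically with a freshly generated broker secret
      ansible.builtin.include_role:
        name: "univention.ucs_roles.configure_keycloak"
      vars:
        # dynamic: this role creates the IDP/client on the Keycloak server
        configure_keycloak_config_type: "dynamic"
        configure_keycloak_config_method: "kcadm"
        configure_keycloak_keycloak_server: "keycloak.example.com"   # constructed
        # realm used only for authenticating our own admin operations
        configure_keycloak_auth_realm: "master"
        configure_keycloak_admin_username: "admin"
        # never put the admin password in the playbook itself
        configure_keycloak_admin_password: "{{ vault_keycloak_admin_password }}"
        # true: the broker client secret is generated, so no static
        # configure_keycloak_oidc_broker_secret has to be kept anywhere
        configure_keycloak_generate_oidc_broker_secret: true
        # required because the client does not exist yet; path is a placeholder
        configure_keycloak_client_callback_url: "https://{{ ansible_fqdn }}/CALLBACK_PATH_PLACEHOLDER"
```

With configure_keycloak_config_type set to static instead, generate_oidc_broker_secret is forced to false and the pre-shared configure_keycloak_oidc_broker_secret would have to be supplied from the same vault file.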

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/use_trusted_cert/README.md

Use trusted SSL certificate

This role configures an SSL certificate issued by a trusted authority.

Requirements

  • univention.ucs_modules
    • univention_config_registry

Role Variables

  • use_trusted_cert_path_cert(string): Local path to SSL (chained) certificate file.
  • use_trusted_cert_path_key(string): Local path to SSL key file.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/install_packages/README.md

Install packages

This role installs univention apps with/without fixed versions.

Requirements

none

Role Variables

  • install_packages_app_version_map(map): A dictionary that maps application names to specific versions that ought to be installed. See also install_packages_force_package_upgrade for a way to upgrade already installed software.
  • install_packages_service_name_list(list): A list containing application names to be installed.
  • install_packages_temp_pw_file(map): Tempfile object where univention app password is stored.
  • install_packages_force_package_upgrade(bool): If set to true already installed application versions are checked and if the installed version differs from what has been specified in install_packages_app_version_map that version is installed instead. Choosing false results in the role ignoring already installed software and skip installation; default: false.
  • install_packages_install_apps(list): A list of applications to install.
  • install_packages_additional_options(string): Additional option that could be set during install.
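The following playbook is an added example and is not code from the ansible-roles repository. It shows how install_packages_install_apps, install_packages_app_version_map and install_packages_force_package_upgrade work together to pin app versions and upgrade anything already installed at a different version. Assumptions: the collection name univention.ucs_roles (from the portal_entry example on this page), the host group ucs_master, that the role consumes the tempfile passed as install_packages_temp_pw_file, and the app names and version strings, which are constructed.

```yaml
# Added example, not part of the ansible-roles repository.
# Assumptions: collection name univention.ucs_roles, host group ucs_master,
# the role reads/writes the app password via install_packages_temp_pw_file.
- hosts: ucs_master
  become: true
  tasks:
    - name: Create a temporary file for the app password (handed to the role)
      ansible.builtin.tempfile:
        state: file
        suffix: ".pw"
      register: app_pw_tmp

    - name: Install pinned app versions, upgrading already installed apps
      ansible.builtin.include_role:
        name: "univention.ucs_roles.install_packages"
      vars:
        install_packages_install_apps:
          - "nextcloud"
          - "collabora-online"
        # constructed version strings: only these versions are acceptable
        install_packages_app_version_map:
          nextcloud: "27.1.0"
          collabora-online: "23.05.0"
        # true: an installed app at another version is replaced by the pinned one;
        # false: anything already installed is left untouched and skipped
        install_packages_force_package_upgrade: true
        install_packages_temp_pw_file: "{{ app_pw_tmp }}"

    - name: Remove the temporary password file once the role has finished
      ansible.builtin.file:
        path: "{{ app_pw_tmp.path }}"
        state: absent
```

The final task removes the tempfile so the app password does not remain on disk after the run.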

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/deployment_message/README.md

Print a deployment message

This role prints information about playbook, its dependencies and configuration.

Requirements

  • univention.ucs_modules
    • univention_config_registry

Role Variables

  • deployment_message_verification_pause_duration(number): 20
  • deployment_message_external_hostname(string): the host name that is used to talk to the system
  • deployment_message_domain_name(string): the system's dns domain name
  • deployment_message_basedn(string): the LDAP base domain name
  • deployment_message_server_type(string): type of UCS server to set up. The possible options are master and backup.
  • deployment_message_saml_config_type(string): can be set to "failover" or basically anything else. In "failover" mode a part of the SAML configuration is omitted. "failover" in this case refers to a UCS native SAML failover mode. Any other value will result in the same configuration being deployed, the value therefore is more of a descriptive nature. Recommended values are "loadbalancer", "primary-secondary" or "standalone" with the latter being the default value.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/portal_cookie_banner/README.md

Toggle portal cookie banner

This role enables/disables a cookie banner in the portal frontend.

Requirements

  • univention.ucs_modules
    • univention_config_registry

Role Variables

  • portal_configure_title_basedn(string): The base DN that has been used when setting up the UCS server
  • portal_configure_title_titles(list): The cookie banner title and body.
portal_configure_title_titles:
  de:
    title: "We are using cookies"
    text: ""

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/univention_repository_component/README.md

Univention Repository Component

This role enables a univention repository component.

Requirements

none

Role Variables

  • univention_repository_component_name(string): The name of customer debian repository.
  • univention_repository_component_parts(string): The part of customer debian repository.
  • univention_repository_component_prefix(string): The prefix of customer debian repository.
  • univention_repository_component_server(string): The server of customer debian repository.
  • univention_repository_component_username(string): The username of customer debian repository.
  • univention_repository_component_password(string): The password of customer debian repository.
  • univention_repository_component_version(string): The version of customer debian repository.
  • univention_repository_component_unmaintained(bool): Toggle unmaintained status of customer debian repository.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/configure_office_suite/README.md

Configure office suite

This role configures the chosen office suite and installs it.

Requirements

none

Role Variables

  • configure_office_suite_office_suite(string): Define the to be installed office suite. Defaults to collabora-online. A list of supported suites is defined in configure_office_suite_supported_office_suites; default: "collabora-online".
  • configure_office_suite_supported_office_suites(list): A list of supported office suites that can be installed using this role. This variable is set in the role's defaults/main.yml and should not be changed.
  • configure_office_suite_onlyoffice_formats(map): A map of onlyoffice file formats to be enabled or disabled.
  • configure_office_suite_collabora_license_key(string): Include a valid license for collabora-online.
  • configure_office_suite_app_version_map(map): A dictionary that maps application names to specific versions that ought to be installed.
  • configure_office_suite_temp_pw_file(map): Tempfile object where univention app password is stored.
  • configure_office_suite_install_apps(list): A list of applications to install.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/configure_repository/README.md

Configure repository

Configure repository URLs to use own apt repository server.

Requirements

  • univention.ucs_modules
    • univention_config_registry

Role Variables

  • configure_repository_default_repository_prefix(string): Define access method, either "http://" or "https://"; default: "https://".
  • configure_repository_default_repository_server(string): The repository server without any prefix or suffix or path.
  • configure_repository_default_repository_path(string): The repository path/suffix where repository could be found on server.
  • configure_repository_default_repository_username(string): Optionally configure username for authentication.
  • configure_repository_default_repository_password(string): Optionally configure password for authentication.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/configure_apps_postfix/README.md

Configure Postfix (apps)

This role modifies postfix configuration.

Requirements

  • univention.ucs_modules
    • univention_config_registry

Role Variables

  • configure_apps_postfix_domain_name(string): The system's dns domain name.
  • configure_apps_postfix_external_hostname(string): The host name that is used to talk to the system.
  • configure_apps_postfix_relay_port(number): The port that is used to talk to the system; default: 25.
  • configure_apps_postfix_use_relay_host(bool): Toggles if an SMTP relay host should be used; default: false.
  • configure_apps_postfix_relay_host(string): The SMTP relay hostname.
  • configure_apps_postfix_relay_username(string): The SMTP relay username.
  • configure_apps_postfix_relay_password(string): The SMTP relay password.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/univention_remove/README.md

Remove packages with univention-remove

This role installs packages via univention-remove wrapper.

Requirements

none

Role Variables

  • univention_remove_name(string): The name of the package to be removed.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/univention_prune_kernels/README.md

Prune Kernels Univention UCS

This role prunes kernels for UCS servers in order to free space at /boot.

Requirements

none

Role Variables

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/set_ldap_index/README.md

Configure LDAP Index

This role adds/removes additional LDAP indexes. The slapd.service is stopped while the role runs, so run this role only during a maintenance window. Without extra vars nothing will happen.

Requirements

none

Role Variables

  • set_ldap_index_equality_add(string): The name of the ldap attribute for equality searches to add; default: ""
  • set_ldap_index_presence_add(string): The name of the ldap attribute for presence searches to add; default: ""
  • set_ldap_index_approx_add(string): The name of the ldap attribute for approx searches to add; default: ""
  • set_ldap_index_substring_add(string): The name of the ldap attribute for substring searches to add; default: ""
  • set_ldap_index_equality_rm(string): The name of the ldap attribute for equality searches to remove; default: ""
  • set_ldap_index_presence_rm(string): The name of the ldap attribute for presence searches to remove; default: ""
  • set_ldap_index_approx_rm(string): The name of the ldap attribute for approx searches to remove; default: ""
  • set_ldap_index_substring_rm(string): The name of the ldap attribute for substring searches to remove; default: ""

Dependencies

none

Example Playbook

- hosts: ucs_master
  become: true
  tasks:
    - name: "include role for setting ldap index"
      ansible.builtin.include_role:
        name: "roles/set_ldap_index"
      vars:
        set_ldap_index_equality_add: "isOxUser"
        set_ldap_index_approx_rm: "aAAARecord"

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/improve_usability_nextcloud/README.md

Improve usability nextcloud

This role disables some unused functionality like: contacts, spreed, mail, calendar.

Requirements

none

Role Variables

none

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/portal_configure_title/README.md

Configure Portal Title

This role configures portal title.

Requirements

none

Role Variables

  • portal_configure_title_basedn(string): The LDAP base domain name.
  • portal_configure_title_titles(list): The new portal titles keyed by locale, in a format like de_DE: "Cool Portal (Univention)".

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/portal_entry/README.md

Portal entry

Create, modify, delete and append portal entries.

Requirements

none

Role Variables

  • portal_entry_base_dn(string): The base DN that has been used when setting up the UCS server
  • portal_entry_entries(list): The portal entries list.
  • portal_entry_install_list(list): Combined apps/services/customization lists.
  • portal_entry_drift_detection(bool): Toggle drift detection and only apply differences; default: true.
  • portal_entry_remove_unscoped(bool): Toggle removal of undefined entries; default: false.

Dependencies

none

Example Playbook

Create a public login and file store

- hosts: all
  tasks:
    - ansible.builtin.include_role:
        name: "univention.ucs_roles.portal_entry"
      vars:
        portal_entry_base_dn: "dc=ansible,dc=univention,dc=de"
        portal_entry_install_list: ["nextcloud"]
        portal_entry_drift_detection: true
        portal_entry_remove_unscoped: false
        portal_entry_entries:
          - name: "Anmeldung"
            anonymous: true
            category: "help"
            description:
              de_DE: "Anmelden"
              en_US: "Login"
            display_name:
              de_DE: "Anmelden"
              en_US: "Login"
            icon_file: "ucs_portal_login_icon.svg"
            link:
              de_DE: "/univention/saml/?location=%2Funivention%2Fportal%2F"
              en_US: "/univention/saml/?location=%2Funivention%2Fportal%2F"
            linktarget: "samewindow"
            parent: "category"
            state: "present"
            type: "entries"
          - name: "Dateien"
            activated: true
            allowed_groups: ["cn=Domain Users,cn=groups,dc=ansible,dc=univention,dc=de"]
            anonymous: false
            category: "Kollaboration"
            description:
              de_DE: "Dateienablage und -austausch"
              en_US: "File storage and exchange"
            display_name:
              de_DE: "Eigene Dateien"
              en_US: "My files"
            icon_file: "ucs_portal_files_icon.svg"
            linktarget: "newwindow"
            link:
              de_DE: "/nextcloud"
              en_US: "/nextcloud"
            only: "nextcloud"
            parent: "category"
            state: "present"
            type: "entries"
            target: "tab_nextcloud"
          # ...

Portal entries

portal_entry_entries:
  - name:           # (string, required) | Name of the portal entry.
    activated:      # (boolean)          | Enable/disable the portal entry.
    allowed_groups: # (list)             | LDAP groups to which the entry is shown.
    anonymous:      # (boolean)          | Show the entry to users who are not logged in.
    category:       # (string)           | Name of the category/portal the entry is appended to.
    description:    # (map)              | I18n description displayed in the portal.
      de_DE:        # (string)           | e.g. German translation.
      en_US:        # (string)           | e.g. English translation.
    display_name:   # (map)              | I18n name displayed in the portal.
      de_DE:        # (string)           | e.g. German translation.
      en_US:        # (string)           | e.g. English translation.
    icon_file:      # (string)           | Name of a predefined image or a local image.
    icon_base64:    # (string)           | Image as a base64-encoded string. This variable overrides 'icon_file'!
    link:           # (map)              | Internal or external link.
      de_DE:        # (string)           | e.g. German translation.
      en_US:        # (string)           | e.g. English translation.
    linktarget:     # (string)           | Link target, e.g. "samewindow", "newwindow", "embedded" or "useportaldefault".
    target:         # (string)           | Link target name, to open the link in the same tab group. Works only from UCS 5.0.
    only:           # (string)           | Modify only when the given app is in `portal_entry_install_list`.
    parent:         # (string)           | The type the entry is appended to, e.g. "category" or "portal".
    state:          # (string, required) | State of the entry, "present" or "absent".
    type:           # (string)           | The list of the parent the entry is appended to. For
                    #                    |  - "category" > possible: "entries"
                    #                    |  - "portal" > possible: "menuLinks", "userLinks"

Limitations

  • Modifying/removing attributes that contain whitespace is not supported on UCS 4.4.
  • Drift detection does not detect changes in icons.
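A planning model of the semantics described above (drift detection, `only` checked against the install list, removal of unscoped entries, and the icon limitation), added here as an illustration; it is not the role's task code, and the function names and sample entries are this example's own.

```python
"""Plan which portal entries to create, modify, delete or skip.

Added illustration of the documented portal_entry semantics; not the role's own
task code. Function names and the sample data below are constructed.
"""

# Valid (parent, type) combinations from the portal_entry_entries schema.
VALID_TYPES = {"category": {"entries"}, "portal": {"menuLinks", "userLinks"}}

# Attributes compared for drift. Icon data is excluded on purpose: the role's
# documented limitation is that drift detection does not detect icon changes.
DRIFT_FIELDS = ("activated", "allowed_groups", "anonymous", "category",
                "description", "display_name", "link", "linktarget", "target")


def validate_entry(entry):
    """Raise ValueError for an entry that violates the documented schema."""
    if not entry.get("name"):
        raise ValueError("name is required")
    if entry.get("state") not in ("present", "absent"):
        raise ValueError(f"{entry['name']}: state must be 'present' or 'absent'")
    parent = entry.get("parent", "category")
    allowed = VALID_TYPES.get(parent)
    if allowed is None:
        raise ValueError(f"{entry['name']}: unknown parent {parent!r}")
    etype = entry.get("type", "entries")
    if etype not in allowed:
        raise ValueError(f"{entry['name']}: type {etype!r} invalid for parent {parent!r}")
    return entry


def _normalise(value):
    # Group lists are unordered, so compare them in sorted form.
    return sorted(value) if isinstance(value, list) else value


def drifted(desired, current):
    """True if any managed attribute given in `desired` differs from `current`."""
    return any(_normalise(desired[f]) != _normalise(current.get(f))
               for f in DRIFT_FIELDS if f in desired)


def plan_portal_entries(desired, existing, install_list,
                        drift_detection=True, remove_unscoped=False):
    """Return (action, name) pairs: create, modify, delete, noop or skip."""
    actions = []
    by_name = {e["name"]: e for e in existing}
    scoped = set()
    for entry in desired:
        validate_entry(entry)
        name = entry["name"]
        scoped.add(name)
        # `only`: the entry is managed only when its app is in the install list.
        only = entry.get("only")
        if only and only not in install_list:
            actions.append(("skip", name))
            continue
        current = by_name.get(name)
        if entry["state"] == "absent":
            actions.append(("delete" if current else "noop", name))
        elif current is None:
            actions.append(("create", name))
        elif drift_detection and not drifted(entry, current):
            actions.append(("noop", name))
        else:
            actions.append(("modify", name))
    if remove_unscoped:
        # Entries present in the portal but not declared in the list.
        actions.extend(("delete", n) for n in by_name if n not in scoped)
    return actions


# Constructed sample data: the two entries from the playbook above, plus one
# pre-existing entry ("Legacy") that the playbook does not declare.
DESIRED = [
    {"name": "Anmeldung", "anonymous": True, "category": "help",
     "display_name": {"de_DE": "Anmelden", "en_US": "Login"},
     "linktarget": "samewindow", "parent": "category", "state": "present",
     "type": "entries"},
    {"name": "Dateien", "activated": True,
     "allowed_groups": ["cn=Domain Users,cn=groups,dc=ansible,dc=univention,dc=de"],
     "link": {"de_DE": "/nextcloud", "en_US": "/nextcloud"},
     "linktarget": "newwindow", "only": "nextcloud", "parent": "category",
     "state": "present", "type": "entries", "target": "tab_nextcloud"},
]
EXISTING = [
    {"name": "Anmeldung", "anonymous": True, "category": "help",
     "display_name": {"de_DE": "Anmelden", "en_US": "Login"},
     "linktarget": "samewindow"},
    {"name": "Dateien", "activated": True,
     "allowed_groups": ["cn=Domain Users,cn=groups,dc=ansible,dc=univention,dc=de"],
     "link": {"de_DE": "/nextcloud", "en_US": "/nextcloud"},
     "linktarget": "newwindow"},  # lacks `target`, so it counts as drifted
    {"name": "Legacy", "activated": True},
]

if __name__ == "__main__":
    plan = plan_portal_entries(DESIRED, EXISTING, ["nextcloud"], remove_unscoped=True)
    for action, name in plan:
        print(f"{action:6s} {name}")
```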

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/get_installed_apps/README.md

Get installed univention apps

This role sets a fact with installed univention apps.

Requirements

  • ansible.utils
    • cli_parse

Role Variables

none

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/configure_logrotate/README.md

Configure Logrotate

Log files are rotated the number of times defined in UCR before being removed. This role sets those values.

Requirements

  • univention.ucs_modules
    • univention_config_registry

Role Variables

  • configure_logrotate_compress(bool): If this option is activated, log files are compressed during rotation; default: yes
  • configure_logrotate_create(string): Configures mode, owner and group of a log file after rotation; default: 640 root adm
  • configure_logrotate_missingok(bool): If this option is activated, proceed without printing an error message if a logfile is missing; default: yes
  • configure_logrotate_notifempty(bool): If this option is activated, empty logfiles are not rotated; default: yes
  • configure_logrotate_rotate_count(number): The rotation interval for system log files; default: 12
  • configure_logrotate_rotate_handling(string): Log files are rotated according to criterion described by man logrotate.conf; default: weekly
  • configure_logrotate_syslog_rotate_count(number): The rotation interval for syslog file; default: 7 * "rotate/count"
  • configure_logrotate_syslog_rotate_handling(string): Syslog file is rotated according to criterion described by man logrotate.conf; default: daily

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/configure_group_syntax/README.md

Configure group syntax

Configure the group syntax and ensure the consistency on all nodes

Requirements

  • univention.ucs_modules
    • univention_config_registry

Role Variables

  • configure_group_syntax_group_syntax(string): group syntax desired value; default: gid

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/configure_saml_single_server/README.md

Configure SAML single server

This role configures SAML single server.

Requirements

  • univention.ucs_modules
    • univention_config_registry

Role Variables

  • configure_saml_single_server_external_hostname(string): The external hostname that is used to talk to the system.
  • configure_saml_single_server_domain_name(string): The systems domain name.
  • configure_saml_single_admin_user_name(string): The UCS administrator's user name, defaults to "Administrator". This variable is only used when joining a backup server. Changing this will NOT change the UCS admin user name, it will only break the backup join scenario.
  • configure_saml_single_temp_file(map): Tempfile object where univention app password is stored.
  • configure_saml_single_server_type(string): Which type of UCS server to set up. The possible options are master and backup. If backup is chosen the following variable also has to be set; default: "master".
  • configure_saml_single_server_basedn(string): The LDAP base dn.
  • configure_saml_single_server_remove_default_saml_provider(bool): When set to true all builtin SAML provider will be removed; default: true.
  • configure_saml_single_server_external_loadbalancer_ip(string): IP address of external load balancer if used.
  • configure_saml_single_server_domain_prefix(string): The external prefix of load balancer

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/workaround_acmetiny_upgrade/README.md

Workaround: Use specific acme tiny version

This role downloads and patches acme-tiny.

Requirements

  • ansible.posix
    • patch

Role Variables

  • workaround_acmetiny_upgrade_temp_dir(map): Ansible temporary dir for workaround files.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/install_multitenant_acls/README.md

Install multitenant ACLs

Install and configure ACL package.

Requirements

  • univention.ucs_modules
    • univention_config_registry

Role Variables

  • install_multitenant_acls_customer_name(string): The name of customer used inside ACL package.
  • install_multitenant_acls_multitenant_acls(list): A list of acl settings.
    multitenant_acls:
      - tenant_id: "0000"
        admin_password: ""
      - tenant_id: "0001"
        admin_password: ""
      - tenant_id: "0002"
        tenant_short_name: "test"
        admin_password: ""
        mail_domains: []
    
  • install_multitenant_acls_json_path(string): The local path for ACL structure json file.
  • install_multitenant_acls_package_name(string): The customer specific debian package name.
  • install_multitenant_acls_script_name(string): The name of create acl structure script.
  • install_multitenant_acls_keycloak_base(string): The base url for keycloak.
  • install_multitenant_acls_hide_logging(boolean): Toggle template logging; default: true.
  • install_multitenant_acls_server_type(string): The ucs server type; default "master".
  • install_multitenant_acls_customer_repo_name(string): The name of customer debian repository.
  • install_multitenant_acls_customer_repo_parts(string): The part of customer debian repository.
  • install_multitenant_acls_customer_repo_password(string): The password of customer debian repository.
  • install_multitenant_acls_customer_repo_server(string): The server of customer debian repository.
  • install_multitenant_acls_customer_repo_username(string): The username of customer debian repository.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/configure_keycloak_saml/README.md

Configure Keycloak SAML

This role configures Keycloak as SAML provider.

Requirements

none

Role Variables

  • configure_keycloak_saml_basedn(string): The LDAP base dn.
  • configure_keycloak_saml_sp_base_url(string): The Service Provider base url.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/custom_facts/README.md

Custom facts

This role gathers release information and stores it on the remote system.

Requirements

none

Role Variables

  • custom_facts_templates(list): filename(s) of templates which should be applied; default: ["deployment.fact.j2", "hotfixes.fact.j2"]

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/intercom_service/README.md

Intercom Service

This role installs and configures the intercom service. For further information have a look at https://docs.software-univention.de/intercom_service/latest/index.html

Requirements

none

Role Variables

  • intercom_service_hide_logging(boolean): Toggle template logging; default: true.
  • intercom_service_domain_name(string): The domain name. default: ""
  • intercom_service_temp_pw_file: The temp file containing the administrator password.
  • intercom_service_settings_proxy(string): Whether to allow connections via proxy server instead of the backend directly; default: "False"
  • intercom_service_settings_client_id(string): The keycloak client ID; default: intercom
  • intercom_service_settings_intercom_url(string): URL where ICS is reachable; default: https://ics.{{ intercom_service_domain_name }}
  • intercom_service_settings_base_url(string): Base URL used to identify with the IdP; default: https://ics.{{ intercom_service_domain_name }}
  • intercom_service_settings_origin_regex(string): Defines the origin CORS regex; default: {{ intercom_service_domain_name }}
  • intercom_service_keycloak_url(string): URL of the Keycloak instance to be used as the IdP; default: https://id.{{ intercom_service_domain_name }}
  • intercom_service_keycloak_realm_name(string): Name of the realm containing the configured OIDC Intercom client; default: ucs
  • intercom_service_matrix_url(string): The URL on which the Matrix server is reachable default: https://matrix.{{ intercom_service_domain_name }}
  • intercom_service_matrix_server_name(string): The server name of the matrix server; default: https://matrix.{{ intercom_service_domain_name }}
  • intercom_service_matrix_login_type(string): The login-type ICS should use on the matrix server; default: uk.half-shot.msc2778.login.application_service
  • intercom_service_matrix_nordeck_mode(string): The connection mode of the Nordeck-bot; default: test
  • intercom_service_nordeck_url(string): The URL on which Nordeck-bot is listening; default: https://meetings-widget-bot.{{ intercom_service_domain_name }}
  • intercom_service_portal_url(string): The URL on which the Univention-Portal is listening; default: https://portal.{{ intercom_service_domain_name }}
  • intercom_service_ox_origin(string): The OX CORS origin setting; default: https://webmail.{{ intercom_service_domain_name }}
  • intercom_service_ox_audience(string): The OIDC audience setting for the OX token request sent to the IdP; default: oxoidc
  • intercom_service_nc_url(string): The URL on which Nextcloud is listening on; default: https://fs.{{ intercom_service_domain_name }}
  • intercom_service_nc_origin(string): The Nextcloud CORS origin; default: https://fs.{{ intercom_service_domain_name }}

Dependencies

none

Example Playbook

Intercom Service

- hosts: all
  tasks:
    - name: "Install Intercom Service via Appcenter"
      ansible.builtin.include_role:
        name: "univention.ucs_roles.intercom_service"
      vars:
        intercom_service_hide_logging: false
        intercom_service_domain_name: "ucs.test.intranet"
        intercom_service_temp_pw_file: "{{ temp_file }}"
        intercom_service_keycloak_realm_name: "your_keycloak_realm"

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/ucs_join/README.md

UCS join

This role runs a UCS Join on master or backup servers.

Requirements

  • univention.ucs_modules
    • univention_config_registry

Role Variables

  • ucs_join_derive_root_password_from_hostname(bool): Creates a unique root/admin password that is derived from the host name, or rather the numeric part of it.
  • ucs_join_derive_root_password_prefix(string): The prefix that is used before the numeric part in derived passwords.
  • ucs_join_server_type(string): Which type of UCS server to set up. The possible options are master, backup, slave and member. The default is master, which also means "standalone". If anything other than master is chosen the following variable also has to be set; default: master.
  • ucs_join_master_server(string): In case of a backup, slave or member server (see previous variable) this declares which master server to join. The variable must be the IP of the master server. In every other case this variable is ignored.
  • ucs_join_admin_user_name(string): The UCS administrator's user name, defaults to "Administrator". This variable is only used when joining a backup server. Changing this will NOT change the UCS admin user name, it will only break the backup join scenario.
  • ucs_join_root_password(string): The machine's root password; if you want version control, consider using ansible-vault to encrypt it. If ucs_join_derive_root_password_from_hostname is set to true this variable is ignored.
  • ucs_join_hostname(string): Remote hostname; default {{ inventory_hostname }}.
  • ucs_join_domain_name(string): The system's dns domain name.
  • ucs_join_basedn(string): The LDAP base domain name.
  • ucs_join_nameservers(dict): Configure the nameservers1-3.
  • ucs_join_network_config_type(string): Choose dhcp or static with the former being the default. If you choose static you'll have to add ucs_join_network_config_static-* variable as well; default: dhcp.
  • ucs_join_network_config_static_ip_config(map): The server's IPv4 address in one of the following two forms: <ip address>/<netmask> or CIDR form (<ip address>/<prefix length>). Both forms are functionally equal. Example: 192.168.0.1/255.255.255.240 or 192.168.0.1/28.
  • ucs_join_network_config_static_dns_servers(list): A list of DNS servers to use in case of static network configuration. If ucs_join_server_type is backup this variable is ignored and the master server will be used instead.
  • ucs_join_network_config_static_gateway(string): The server's default router aka internet gateway. This is mandatory for the setup to work.
  • ucs_join_network_config_interface(string): The servers default network interface; default: eth0.
  • ucs_join_network_config_static_additional_interfaces(list): A list of additional interfaces as dictionary
  • ucs_join_network_config_static_routes(list): A list of static routes, which should be attached to interfaces.
  • ucs_join_hide_logging(boolean): Toggle template logging; default: true.

Dependencies

none

Example Playbook

Configure static network interface

- hosts: all
  tasks:
    - ansible.builtin.include_role:
        name: "univention.ucs_roles.ucs_join"
      vars:
        ucs_join_network_config_type: "static"
        ucs_join_network_config_interface: "eth0"
        ucs_join_network_config_static_ip_config: "10.20.30.40/24"
        ucs_join_network_config_static_gateway: "10.20.30.1"
        ucs_join_network_config_static_dns_servers:
          - "8.8.8.8"
          - "8.8.4.4"
        # ...

Configure additional network interfaces

- hosts: all
  tasks:
    - ansible.builtin.include_role:
        name: "univention.ucs_roles.ucs_join"
      vars:
        ucs_join_network_config_type: "static"
        ucs_join_network_config_static_additional_interfaces:
          ens10: "10.20.30.40/24"
          ens11: "20.30.40.50/24"
        # ...

Configure additional network routes

- hosts: all
  tasks:
    - ansible.builtin.include_role:
        name: "univention.ucs_roles.ucs_join"
      vars:
        ucs_join_network_config_static_routes:
          - interface: "ens10"
            index: 0
            route: "host 10.10.0.1 metric 200"
          - interface: "ens10"
            index: 1
            route: "net 10.10.0.0 netmask 255.255.0.0 gw 10.10.0.1 metric 100"
        # ...

Configure nameservers

Matrix: how the nameservers should be configured.

All domaincontroller_* hosts have a DNS server installed.

              domaincontroller_master  domaincontroller_backup  domaincontroller_slave   memberserver
nameserver1   host_ip_address          host_ip_address          host_ip_address          domaincontroller_master
nameserver2   fallback_nameserver      domaincontroller_master  domaincontroller_master  domaincontroller_backup
nameserver3   fallback_nameserver      -                        domaincontroller_backup  domaincontroller_slave

- hosts: all
  tasks:
    - ansible.builtin.include_role:
        name: "univention.ucs_roles.ucs_join"
      vars:
        ucs_join_nameservers:
          nameserver1:
            # local ip
            server: "{{ ansible_local['ucr']['interfaces/' + ansible_local['ucr']['interfaces/primary'] + '/address'] }}"
          nameserver2:
            server: "8.8.8.8"
            state: 'present'
          nameserver3:
            state: 'absent'

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/univention_install/README.md

Install packages with univention-install

This role installs packages via univention-install wrapper.

Requirements

none

Role Variables

  • univention_install_name(string): The name of the package to be installed.
  • univention_install_clear_apt_cache(bool): Clear all downloaded packages to reduce package conflicts; default: false.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/configure_amazon_metadata_server/README.md

Configure amazon metadata server

Enable or disable UCS calling Amazon's metadata server

Requirements

  • univention.ucs_modules
    • univention_config_registry

Role Variables

  • configure_amazon_metadata_server_call(bool): Defines if the Amazon metadata server should be called; default: false

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/univention_upgrade/README.md

Upgrade Univention UCS

This role upgrades UCS to a specific version.

Requirements

none

Role Variables

  • univention_upgrade_version(string): The UCS' version number to upgrade to; default: "4.4-99".
  • univention_upgrade_clear_apt_cache(bool): Clear all downloaded packages to reduce package conflicts; default: false.
  • univention_upgrade_removal_check(bool): Check if packages will be removed during upgrade; default: false.
  • univention_upgrade_reboot_after_upgrade(bool): Reboot UCS after package upgrade; default: false.
  • univention_upgrade_app_updates(bool): Upgrade apps during univention-upgrade; default: false.
  • univention_upgrade_username(string): Username of administrative user for app updates; default: Administrator.
  • univention_upgrade_password_file(string): Path to the file on the server that contains the user password if univention_upgrade_app_updates=true; default: "".

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/umc_permissions/README.md

Update UMC permissions

This role updates UMC permissions.

Requirements

  • univention.ucs_modules
    • univention_config_registry

Role Variables

  • umc_permissions_basedn(string): The LDAP base domain name.
  • umc_permissions_passwordreset_blacklist_groups(string): The name of LDAP groups which are not allowed to reset their password.
  • umc_permissions_passwordreset_whitelist_groups(string): The name of LDAP groups which are allowed to reset their password.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/ldapsearch_user/README.md

LDAPSearch user

This role adds specific LDAPSearch users.

Requirements

none

Role Variables

  • ldapsearch_user_basedn(string): The LDAP base DN.
  • ldapsearch_user_server_type(string): Which type of UCS server to set up. The possible options are master and backup. The default is master, which also means "standalone". If backup is chosen the following variable also has to be set; default: master.
  • ldapsearch_user_hide_logging(boolean): Toggle template logging; default: true.
  • ldapsearch_user_list(list): A list of ldapsearch users to create.
  • ldapsearch_user_list_tenantbased(list): A list of LDAPSearch users to create.

Dependencies

none

Example Playbook

Configure LDAPSearch user

- hosts: all
  tasks:
    - ansible.builtin.include_role:
        name: "univention.ucs_roles.ldapsearch_user"
      vars:
        ldapsearch_user_list:
          - username: "ldapsearch_example"
            name: "Name of LDAPSearch user"           # optional; default value from username
            lastname: "Lastname of LDAPSearch user"   # optional; default value from username
            password: "SuperSecretPassword"
        # ...

Configure LDAPSearch user (per tenant)

- hosts: all
  tasks:
    - ansible.builtin.include_role:
        name: "univention.ucs_roles.ldapsearch_user"
      vars:
        ldapsearch_user_list_tenantbased:
          - username: "ldapsearch_example"
            name: "Name of LDAPSearch user"                  # optional; default value from username
            lastname: "Lastname of LDAPSearch user"          # optional; default value from username
            password: "SuperSecretPassword"
            tenant_ou: "ou=users,ou=root,ou=0001,ou=tenants" # position in LDAP
        # ...

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/configure_apps_owncloud/README.md

Configure Owncloud (apps)

Configure UCS app owncloud.

Requirements

none

Role Variables

none

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/hardening/README.md

Hardening system

This role reduces security risks by disabling default settings, like root login.

Requirements

  • univention.ucs_modules
    • univention_config_registry

Role Variables

  • hardening_disable_http(bool): If set to true, http will be disabled in apache2. Only https will be available; default: true
  • hardening_hsts(bool): If set to true HTTP Strict Transport Security is enabled for apache2 ; default: true
  • hardening_apache2_ssl_tlsv13(bool): If set to true ssl tlsv11 and tlsv12 are disabled for apache2; default: true
  • hardening_apache2_server_tokens(string): Set apache2 configuration to Prod, Major, Minor, Min, OS or Full. Details: https://httpd.apache.org/docs/2.4/mod/core.html#servertokens ; default: Prod
  • hardening_apache2_server_signature(string): Set apache2 configuration to Off , EMail or On. Details: https://httpd.apache.org/docs/2.4/mod/core.html#serversignature ; default: Off
  • hardening_honorcipherorder(string): During the negotiation of cryptographic algorithms during the setup of a SSL/TLS connection the preference of the client is used by default. If this option is enabled, the preference of the server is used instead. The list of algorithms offered by Apache can be configured with the variable 'apache2/ssl/ciphersuite'; default: true
  • hardening_ciphersuite(string): This configures the cryptographic algorithms which are offered to clients during a SSL handshake. The format is described at http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslciphersuite; default: HIGH
  • hardening_umc_session_cookie(bool): If set to true the login cookie is a session cookie. Closing the browser will delete the cookie, effectively logging out the user; default: true
  • hardening_umc_secure_cookie(bool): If set, cookies are set with the secure attribute if the connection is using HTTPS; default: true
  • hardening_umc_cookie_samesite(string): Set the SameSite cookie attribute for UMC cookies. Possible values: Strict, Lax and None; default: Strict
  • hardening_saml_idp_language_cookie_samesite(string): Set the SameSite attribute in the language cookie of the SAML IDP. Possible values: Strict, Lax and None; default: Strict
  • hardening_saml_idp_session_cookie_samesite(string): Set the "SameSite" attribute in the session cookie of SAML IDP. Possible values: Strict, Lax and None; default: Strict
  • hardening_saml_idp_session_cookie(bool): If set to true the "Secure" attribute in the session cookie is activated. default: true
  • hardening_saml_idp_language_cookie(bool): If set to true the "Secure" attribute in the language cookie is activated. default: true
  • hardening_disable_umc_http_tracebacks(bool): If set to true tracebacks are no longer shown to the user in error case for umc; default: true
  • hardening_disable_udm_rest_tracebacks(bool): If set to true tracebacks are no longer shown to the user in error case for udm REST; default: true
  • hardening_disable_saml_idp_errors(bool): If set to true tracebacks are no longer shown to the user in error case for the saml idp; default: true
  • hardening_disable_saml_idp_error_reporting(bool): If set to true error information and stack traces can not be reported via email to the technical contact mail address; default: true
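A lint over the hardening role's variables, added here as an illustration (it is not the role's own task code, reads no UCR values, and its function names are this example's own): it merges playbook overrides onto the documented defaults and reports every setting that is invalid or weaker than those defaults.

```python
"""Lint for hardening role variables: report settings weaker than the documented
defaults. Added illustration only: not the role's task code, reads no UCR values."""

SAMESITE = ("Strict", "Lax", "None")
ENUMS = {
    "hardening_apache2_server_tokens": ("Prod", "Major", "Minor", "Min", "OS", "Full"),
    "hardening_apache2_server_signature": ("Off", "EMail", "On"),
    "hardening_umc_cookie_samesite": SAMESITE,
    "hardening_saml_idp_language_cookie_samesite": SAMESITE,
    "hardening_saml_idp_session_cookie_samesite": SAMESITE,
}

# Defaults as documented for the role; anything not overridden keeps these.
DEFAULTS = {
    "hardening_disable_http": True, "hardening_hsts": True,
    "hardening_apache2_ssl_tlsv13": True,
    "hardening_apache2_server_tokens": "Prod", "hardening_apache2_server_signature": "Off",
    "hardening_honorcipherorder": True, "hardening_ciphersuite": "HIGH",
    "hardening_umc_session_cookie": True, "hardening_umc_secure_cookie": True,
    "hardening_umc_cookie_samesite": "Strict",
    "hardening_saml_idp_language_cookie_samesite": "Strict",
    "hardening_saml_idp_session_cookie_samesite": "Strict",
    "hardening_saml_idp_session_cookie": True, "hardening_saml_idp_language_cookie": True,
    "hardening_disable_umc_http_tracebacks": True,
    "hardening_disable_udm_rest_tracebacks": True,
    "hardening_disable_saml_idp_errors": True,
    "hardening_disable_saml_idp_error_reporting": True,
}

# OpenSSL cipher-list keywords that must not be positively selected.
WEAK_CIPHER_KEYWORDS = {"LOW", "EXP", "EXPORT", "NULL", "aNULL", "eNULL", "RC4",
                        "DES", "3DES", "MD5", "COMPLEMENTOFALL"}

# (SameSite variable, matching Secure-attribute variable) for each cookie.
COOKIE_PAIRS = (
    ("hardening_umc_cookie_samesite", "hardening_umc_secure_cookie"),
    ("hardening_saml_idp_session_cookie_samesite", "hardening_saml_idp_session_cookie"),
    ("hardening_saml_idp_language_cookie_samesite", "hardening_saml_idp_language_cookie"),
)
TRACEBACK_VARS = ("hardening_disable_umc_http_tracebacks",
                  "hardening_disable_udm_rest_tracebacks",
                  "hardening_disable_saml_idp_errors")


def effective_settings(overrides):
    """Merge playbook overrides onto the role defaults, rejecting unknown variables."""
    unknown = set(overrides) - set(DEFAULTS)
    if unknown:
        raise ValueError(f"unknown hardening variables: {sorted(unknown)}")
    return {**DEFAULTS, **overrides}


def weak_cipher_selectors(ciphersuite):
    """Weak keywords selected (not excluded with '!') in an OpenSSL cipher list."""
    selected = set()
    for token in ciphersuite.split(":"):
        token = token.strip()
        if token.startswith("!"):
            continue  # '!KEYWORD' removes ciphers, which is fine
        keyword = token.lstrip("+-")
        if keyword in WEAK_CIPHER_KEYWORDS:
            selected.add(keyword)
    return sorted(selected)


def check_hardening(overrides):
    """Return findings as strings; an empty list means nothing is weaker than the defaults."""
    s = effective_settings(overrides)
    out = []
    for var, allowed in ENUMS.items():
        if s[var] not in allowed:
            out.append(f"{var}: {s[var]!r} is not one of {allowed}")
    if not s["hardening_disable_http"]:
        out.append("hardening_disable_http=false: plain HTTP stays reachable; HSTS only "
                   "protects browsers that already saw the site over HTTPS")
    if not s["hardening_hsts"]:
        out.append("hardening_hsts=false: no Strict-Transport-Security header")
    if not s["hardening_apache2_ssl_tlsv13"]:
        out.append("hardening_apache2_ssl_tlsv13=false: TLS 1.1 and 1.2 stay enabled")
    if s["hardening_apache2_server_tokens"] != "Prod":
        out.append("hardening_apache2_server_tokens: version details leak in Server header")
    if s["hardening_apache2_server_signature"] != "Off":
        out.append("hardening_apache2_server_signature: version leaks on error pages")
    if not s["hardening_honorcipherorder"]:
        out.append("hardening_honorcipherorder=false: cipher choice is left to the client")
    weak = weak_cipher_selectors(s["hardening_ciphersuite"])
    if weak:
        out.append(f"hardening_ciphersuite selects weak algorithms: {weak}")
    for samesite_var, secure_var in COOKIE_PAIRS:
        if not s[secure_var]:
            out.append(f"{secure_var}=false: cookie sent without the Secure attribute")
        # Browsers reject SameSite=None cookies that are not also marked Secure.
        if s[samesite_var] == "None" and not s[secure_var]:
            out.append(f"{samesite_var}=None needs the Secure attribute")
    for var in TRACEBACK_VARS:
        if not s[var]:
            out.append(f"{var}=false: tracebacks are shown to users")
    return out
```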

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/configure_ntp_servers/README.md

Configure NTP servers

This role configures NTP timeservers.

Requirements

  • univention.ucs_modules
    • univention_config_registry

Role Variables

  • configure_ntp_servers_timeservers(list): A list of ntp server addresses; default ["ptbtime1.ptb.de", "ptbtime2.ptb.de", "ptbtime3.ptb.de"]

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/configure_keycloak_client/README.md

Configure keycloak client

This role configures ucs to properly use keycloak.

Requirements

none

Role Variables

  • configure_keycloak_client_oidc_broker_secret(string): The client password used in the IDP creation.
  • configure_keycloak_client_keycloak_password(string): The Keycloak password.
  • configure_keycloak_client_basedn(string): The LDAP base domain name.
  • configure_keycloak_client_keycloak_server_id(string): The OpenID Connect IDP broker ID. This is used in both config modes.
  • configure_keycloak_client_keycloak_server(string): The server the UCS system will authenticate against.
  • configure_keycloak_client_config_type(string): This variable determines if the keycloak server configuration is done using this role (dynamic) or if things already have been configured and only the UCS side has to be configured (static). dynamic usually is used for setups with a lot of turnover, static is used in a more static environment. If set to 'none' keycloak configuration as a whole will be skipped, including the "client" side; default: dynamic.
  • configure_keycloak_client_hostname(string): The systems hostname; default: "{{ inventory_hostname }}"

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/extend_root_lvm_volume/README.md

Extend root LVM volume

Extend the root volume to all available space. Helpful when using a prebuilt image and additional space is required.

Requirements

  • community.general
    • parted
    • lvg
    • lvol

Role Variables

  • extend_root_lvm_volume_extend_lvm_to_whole_disk(bool): If true, root volume is extended to available space; default: true
  • extend_root_lvm_volume_lvm_disk(string): The "physical" disk to partition without the "/dev/" part, for instance "sda" for "/dev/sda". Defaults to what is used in the Univention QCOW image; default: "vda"
  • extend_root_lvm_volume_lvm_vg_name(string): The volume group the data volume resides in. Defaults to what is used in the Univention QCOW image; default: "vg_ucs"
  • extend_root_lvm_volume_lvm_data_volume(string): The LVM name used for the data volume. Defaults to what is used in the Univention QCOW image; default: "root"
  • extend_root_lvm_volume_existing_lvm_partition_number(number): The existing lvm partition number. Defaults to what is used in the Univention QCOW image; default: 2

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/ucs_add_admin_user/README.md

Add UCS admin user

This role adds an administrative UCS user.

Requirements

none

Role Variables

  • ucs_add_admin_user_basedn(string): The LDAP base domain name.
  • ucs_add_admin_user_username(string): The username for the administrative user.
  • ucs_add_admin_user_firstname(string): The firstname for the administrative user.
  • ucs_add_admin_user_lastname(string): The lastname for the administrative user.
  • ucs_add_admin_user_password(string): The password for the administrative user.
  • ucs_add_admin_user_recoveryemail(string): The recovery email address for the administrative user.
  • ucs_add_admin_user_attrib_list(map): A map of attributes & values to set for the administrative user.
  • ucs_add_admin_user_group_list(list): A list of group names to append the administrative user to.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/improve_usability_user_config/README.md

Improve usability user configuration

This role improves user configuration.

Requirements

  • univention.ucs_modules
    • univention_config_registry

Role Variables

  • improve_usability_user_config_basedn(string): The LDAP base domain name.
  • improve_usability_user_config_external_hostname(string): The host name that is used to talk to the system.
  • improve_usability_user_config_install_apps(list): A list of applications to install.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/force_package_list_update/README.md

Force package list update

This role updates the Univention and APT package lists.

Requirements

none

Role Variables

none

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/set_feedback_mail_address/README.md

Set feedback mail address

Requirements

  • univention.ucs_modules
    • univention_config_registry

Role Variables

  • set_feedback_mail_address_web_feedback_mail(string): Email address to which the traceback is sent if an error occurs in the Univention Management Console; default: feedback@univention.de

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/configure_monitoring/README.md

Configure Monitoring

This role configures monitoring related settings.

Requirements

  • univention.ucs_modules
    • univention_config_registry

Role Variables

  • configure_monitoring_ldap_enabled(string): Toggles the ldap/monitor UCR setting; default: "true".

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/set_dns_glue_record/README.md

Set DNS Glue record

Set a DNS Nameserver Glue record.

Requirements

none

Role Variables

  • set_dns_glue_record_create_external_hostname_glue_record(bool): If set to true, a DNS glue record is created if it does not exist yet; default: true.
  • set_dns_glue_record_fqdn(string): Use this variable if the remote's host name is only available as an FQDN, or set set_dns_glue_record_host_name directly.
  • set_dns_glue_record_host_name(string): Use this variable for the remote's host name; otherwise use set_dns_glue_record_fqdn for FQDN host names.
  • set_dns_glue_record_domain_name(string): Use this variable to set the remote's domain name, or set set_dns_glue_record_superordinate directly.
  • set_dns_glue_record_basedn(string): Use this variable to set the remote's base domain name, or set set_dns_glue_record_superordinate directly.
  • set_dns_glue_record_superordinate(string): Define the superordinate directly, or use set_dns_glue_record_domain_name and set_dns_glue_record_basedn instead.
  • set_dns_glue_record_glue_record_nameserver(string): The target nameserver as FQDN that is used to resolve the external hostname.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/configure_sso_openid/README.md

Configure SSO OpenID Connect

This role configures OpenID Connect (OIDC) for apps like open-xchange or nextcloud.

Requirements

  • univention.ucs_modules
    • univention_config_registry

Role Variables

  • configure_sso_openid_app_version_map(map): A dictionary that maps application names to specific versions that ought to be installed.
  • configure_sso_openid_temp_pw_file(map): Tempfile object where univention app password is stored.
  • configure_sso_openid_install_apps(list): A list of applications to install.
  • configure_sso_openid_basedn(string): The system's base DN.
  • configure_sso_openid_signing_method(string): The signing method; default: "RS256".
  • configure_sso_openid_external_hostname(string): The external hostname that is used to talk to the system.
  • configure_sso_openid_clients(map): A map of client configurations; supported clients are nextcloud and ox.

Dependencies

none

Example Playbook

Configure OpenID clients

- hosts: all
  tasks:
    - ansible.builtin.include_role:
        name: "univention.ucs_roles.configure_sso_openid"
      vars:
        configure_sso_openid_clients:
          nextcloud:
            name: "nextcloud"
            clientid: "nextcloud"
            clientsecret: "notverysafe"
          ox:
            name: "open-xchange"
            clientid: "open-xchange"
            clientsecret: "notverysafe"
        # ...
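The same client map with the client secrets read from an ansible-vault encrypted vars file instead of literal strings, and with task output suppressed so the secrets do not end up in logs. This is an added example, not a playbook from the repository; the file name vars/secrets.yml and the vault_* variable names are assumptions.

```yaml
# Added example (not part of univention/ansible-roles).
# Assumes vars/secrets.yml was created with
#   ansible-vault create vars/secrets.yml
# and defines vault_nextcloud_oidc_secret and vault_ox_oidc_secret.
- hosts: all
  vars_files:
    - vars/secrets.yml
  tasks:
    - ansible.builtin.include_role:
        name: "univention.ucs_roles.configure_sso_openid"
        # task keywords applied to every task inside the included role,
        # so the client secrets are not echoed in the play output
        apply:
          no_log: true
      vars:
        configure_sso_openid_clients:
          nextcloud:
            name: "nextcloud"
            clientid: "nextcloud"
            clientsecret: "{{ vault_nextcloud_oidc_secret }}"
          ox:
            name: "open-xchange"
            clientid: "open-xchange"
            clientsecret: "{{ vault_ox_oidc_secret }}"
```

Run the play with --ask-vault-pass or --vault-password-file so the encrypted vars file can be decrypted.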

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/install_lets_encrypt/README.md

Install letsencrypt

This role installs the letsencrypt app and configures it. It supports the Let's Encrypt staging environment as well.

Requirements

  • univention.ucs_modules
    • univention_config_registry

Role Variables

  • install_lets_encrypt_use_letsencrypt_staging(bool): When false, regular Let's Encrypt certificates are used; true switches to the staging environment for testing purposes; default: false.
  • install_lets_encrypt_implement_ugly_letsencrypt_workaround(bool): Work around bugs in the let's encrypt staging implementation. This patches files in the univention letsencrypt app; default: false.
  • install_lets_encrypt_temp_pw_file(map): Ansible temporary password file.
  • install_lets_encrypt_temp_dir(map): Ansible temporary dir.
  • install_lets_encrypt_service_version_map(map): A dictionary that maps service names to specific versions that ought to be installed. See also install_packages_force_package_upgrade for a way to upgrade already installed software.
  • install_lets_encrypt_service_name_list(list): A list containing service names to be installed.
  • install_lets_encrypt_force_package_upgrade(bool): If set to true, already installed application versions are checked and, if the installed version differs from the one specified in install_lets_encrypt_service_version_map, that version is installed instead. Choosing false results in the role ignoring already installed software and skipping installation; default: false.
  • install_lets_encrypt_external_hostname(string): The host name that is used to talk to the system.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/install_service_new_portal/README.md

Install new portal (service)

This role installs and configures new portal.

Requirements

none

Role Variables

  • install_service_new_portal_service_version_map(map): A dictionary that maps service names to specific versions that ought to be installed. See also install_service_new_portal_force_package_upgrade for a way to upgrade already installed software.
  • install_service_new_portal_force_package_upgrade(bool): If set to true, already installed application versions are checked and, if the installed version differs from the one specified in install_service_new_portal_service_version_map, that version is installed instead. Choosing false results in the role ignoring already installed software and skipping installation; default: false.
  • install_service_new_portal_temp_file(map): Ansible temporary dir.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/configure_password_policies/README.md

Configure UCS Password Policies

This role configures password policies via UCR. The DN of a policy is required. All users referencing this policy will get these settings.

Requirements

  • univention.ucs_modules
    • univention_config_registry
    • univention_directory_manager

Role Variables

  • configure_password_policies_dn(string): There should be at least one policy with activated checks. The full DN is needed; default: not set
  • configure_password_policies_quality_min_lenght(string): Sets the minimum password length; default: 8
  • configure_password_policies_quality_required_chars(string): Sets required chars for setting new passwords; default: none
  • configure_password_policies_quality_forbidden_chars(string): Sets forbidden chars for setting new passwords; default: none
  • configure_password_policies_quality_credit_digits(string): Sets the minimum number of digits in the new password; default: 1
  • configure_password_policies_quality_credit_upper(string): Sets the minimum number of upper case letters; default: 1
  • configure_password_policies_quality_credit_other(string): Sets the minimum number of chars which are neither digits nor letters; default: 1
  • configure_password_policies_quality_credit_lower(string): Sets the minimum number of lower case letters; default: 1
  • configure_password_policies_quality_mspolicy(string): Sets the Microsoft policy complexity criteria. If 1, true or yes, this is applied on top of the default python-cracklib check. If sufficient, only the MS policy complexity is used, and if false, only python-cracklib is used; default: 1
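A playbook that tightens the cracklib quality settings on one policy and keeps the MS complexity check on top of them, as an added example that is not part of the repository. The policy DN and the base DN dc=example,dc=com are placeholders for the policy in your own domain.

```yaml
# Added example (not part of univention/ansible-roles).
# The DN is a placeholder: replace it with the full DN of the password
# policy that the affected users reference in your domain.
- hosts: all
  tasks:
    - ansible.builtin.include_role:
        name: "univention.ucs_roles.configure_password_policies"
      vars:
        configure_password_policies_dn: "cn=default-settings,cn=pwhistory,cn=users,cn=policies,dc=example,dc=com"
        # cracklib checks: at least 12 characters with every character class
        configure_password_policies_quality_min_lenght: "12"
        configure_password_policies_quality_credit_digits: "1"
        configure_password_policies_quality_credit_upper: "1"
        configure_password_policies_quality_credit_lower: "1"
        configure_password_policies_quality_credit_other: "1"
        # "1" keeps the cracklib checks above AND adds the MS complexity
        # criteria; "sufficient" would ignore the cracklib settings and
        # "false" would ignore the MS criteria.
        configure_password_policies_quality_mspolicy: "1"
```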

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/workaround_high_mtu/README.md

Workaround: Fix MTU for Docker

When the Docker MTU (1500) is higher than the one of the network interface, this role sets the Docker MTU to 1400.

Requirements

none

Role Variables

none

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/configure_network_interface_names/README.md

Configure network interface names

This role configures network interface names as GRUB boot parameter, resulting in network interface names like eth0.

Requirements

  • univention.ucs_modules
    • univention_config_registry

Role Variables

  • configure_network_interface_names_use_old_names(boolean): Set the GRUB parameter for old interface names; default: true.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/disable_ipv6/README.md

Disable IPv6

This role disables IPv6 on the system via modprobe.

Requirements

  • ansible.posix
    • sysctl

Role Variables

none

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/install_apps_ox_post/README.md

Post installation steps of OpenXchange (OX)

This role configures OX.

Requirements

  • univention.ucs_modules
    • univention_config_registry
  • community.crypto
    • openssl_pkcs12
  • community.general
    • java_cert

Role Variables

  • install_apps_ox_post_basedn(string): The LDAP base domain name.
  • install_apps_ox_post_external_hostname(string): The host name that is used to talk to the system.
  • install_apps_ox_post_ox_keystore_passphrase(string): The passphrase for ox keystore.
  • install_apps_ox_post_ox_drive_default(string): Toggle OXDrive by setting 0 for disabled and 1 for enabled; default: 0.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/update_users_ssh_keys/README.md

Update users SSH keys

This role adds SSH keys to and removes them from a local user.

Requirements

  • ansible.posix
    • authorized_key

File Structure

files/
 |
 +-- ssh_keys/
 |   |
 |   +-- add/
 |   |   |
 |   |   +-- *.pubkey
 |   |
 |   +-- remove/
 |       |
 |       +-- *.pubkey

Role Variables

  • update_users_ssh_keys_user(string): Name of local user where SSH keys should be added/removed.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/add_local_user/README.md

Add local user

This role creates a local user with ssh login permissions.

Requirements

  • univention.ucs_modules
    • univention_config_registry

Role Variables

  • add_local_user_user(map): A map containing user information:
add_local_user_user:
    name:         # username; default: "ansible"
    comment:      # user comment; default: "ansible user"
    password:     # hashed password of user; default:  "{{ "ansible"|password_hash('sha512') }}"
    sshkey_file:  # ssh key filename; default: empty
    sshkey:       # ssh key as string; default: empty
    state:        # toggle if user should be present or absent; default: present
  • add_local_user_default_shell(string): Default user shell; default: /bin/bash
  • add_local_user_default_password_policy(string): Default password update policy. Possible values are "on_create" and "always"; default: "on_create".
  • add_local_user_system_user(bool): true if the user should be a system user instead of a human; default: true.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/install_branding/README.md

Install branding package

This role installs a customer branding package.

Requirements

  • univention.ucs_modules
    • univention_config_registry

Role Variables

  • install_branding_customer_repo_name(string): The name of the customer Debian repository.
  • install_branding_customer_repo_parts(string): The parts of the customer Debian repository.
  • install_branding_customer_repo_password(string): The password for the customer Debian repository.
  • install_branding_customer_repo_server(string): The server of the customer Debian repository.
  • install_branding_customer_repo_username(string): The username for the customer Debian repository.
  • install_branding_customer_branding_package(string): Set the name of the Debian branding package in the Univention customer repository.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/configure_license/README.md

Configure UCS license

This role helps to apply an existing license file or claims a new license from the shop.

Requirements

none

File Structure

files/
 |
 +-- license_client.py

Role Variables

  • configure_license_validity(string): The validity period for the license in a format GNU date is able to understand as a time period, like "12 weeks".
  • configure_license_shop_password(string): The shop user's password, best stored in a secrets manager or encrypted via ansible-vault.
  • configure_license_shop_id(number): Which license shop to use when obtaining a new license for the server.
  • configure_license_shop_username(string): The shop's user name, needed for authentication.
  • configure_license_max_users(number): How many users to allow on the server.
  • configure_license_basedn(string): The LDAP base domain name.
  • configure_license_type(string): Choose one of local_license or server_license. When choosing local_license a license file name has to be provided otherwise choose server_license and one is generated; default: server_license.
  • configure_license_file(string): If configure_license_type is set to local_license, provide the license file name here; default: false.
  • configure_license_server_type(string): Which type of UCS server to set up. The possible options are master and backup. The default is master, which also means "standalone". If backup is chosen the following variable also has to be set; default: master.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/portal_category/README.md

Portal category

Create, modify and delete portal categories

Requirements

none

Role Variables

  • portal_category_base_dn(string): The base DN that has been used when setting up the UCS server
  • portal_category_categories(list): The portal categories list.
  • portal_category_install_list(list): Combined apps/services/customization lists.
  • portal_category_drift_detection(bool): Toggle drift detection and only apply differences; default: true.
  • portal_category_remove_unscoped(bool): Toggle removal of undefined categories; default: false.

Dependencies

none

Example Playbook

- hosts: all
  tasks:
    - ansible.builtin.include_role:
        name: "univention.ucs_roles.portal_category"
      vars:
        portal_category_base_dn: "dc=ansible,dc=univention,dc=de"
        portal_category_install_list: ["nextcloud"]
        portal_category_drift_detection: true
        portal_category_remove_unscoped: false
        portal_category_categories:
          - name: "domain-service"
            display_name:
              de_DE: "Applikationen"
              en_US: "Applications"
            state: "present"
            parent: "domain"
          - name: "domain-admin"
            display_name:
              de_DE: "Verwaltung"
              en_US: "Administration"
            state: "present"
            parent: "domain"
          - name: "local-admin"
            display_name:
              de_DE: "Verwaltung"
              en_US: "Administration"
            state: "present"
            parent: "local"
          # ...

Portal categories

portal_category_categories:
  - name:           # (string, required) | Name of portal category.
    display_name:   # (map)              | I18n name displayed in portal.
      de_DE:        # (string)           | e.g. the German translation.
      en_US:        # (string)           | e.g. the English translation.
    only:           # (string)           | Modify only when the app defined here is in `portal_category_install_list`.
    parent:         # (string)           | The name of the portal the category should be appended to, e.g. "domain".
    state:          # (string, required) | State of entry, should be "present" or "absent".
    ucs_versions:   # (list)             | A list of UCS versions in which the category should be modified. When no
                    #                    |   version is given, the category is modified on ALL UCS versions.

Limitations

  • Modifying/removing attributes with whitespace is not supported by UCS 4.4

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/configure_nextcloud_turn/README.md

Configure TURN server of Nextcloud Talk

This role configures the Nextcloud Talk TURN server.

Requirements

none

Role Variables

  • configure_nextcloud_turn_secret(string): The TURN server secret.
  • configure_nextcloud_turn_url(string): The URL of the TURN server.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/disable_piwik_tracking/README.md

Toggle piwik tracking

This role enables/disables piwik tracking of UCS.

Requirements

  • univention.ucs_modules
    • univention_config_registry

Role Variables

  • disable_piwik_tracking_disable(bool): Toggles piwik tracking of installation. When set to true, tracking is disabled; default: true.

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/configure_nextcloud_saml/README.md

Configure nextcloud SAML

This role configures nextcloud for SAML single server.

Requirements

none

Role Variables

none

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/configure_apps_nextcloud/README.md

Configure Nextcloud (apps)

Configure UCS app nextcloud.

Requirements

none

Role Variables

none

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com


roles/custom_facts_finished/README.md

Custom facts (finished)

Store rollout finished information in custom facts directory.

Requirements

none

Role Variables

none

Dependencies

none

Example Playbook

License

GNU General Public License v3.0

Author Information

Univention GmbH www.univention.com
