diff --git a/adhoc-ipadnsrecord.yml b/adhoc-ipadnsrecord.yml index 85cbcde..3edf935 100644 --- a/adhoc-ipadnsrecord.yml +++ b/adhoc-ipadnsrecord.yml @@ -15,8 +15,6 @@ hosts: all become: false gather_facts: false - vars_files: - - vars/vaults/hostman.yml tasks: - name: "Checking for user variables" diff --git a/adhoc-ipadnszone.yml b/adhoc-ipadnszone.yml index b66d655..23c75ff 100644 --- a/adhoc-ipadnszone.yml +++ b/adhoc-ipadnszone.yml @@ -7,8 +7,6 @@ hosts: all become: false gather_facts: false - vars_files: - - vars/vaults/hostman.yml tasks: - name: "Checking for user variables" diff --git a/adhoc-ipagetkeytab.yml b/adhoc-ipagetkeytab.yml index 850b37d..ef24c63 100644 --- a/adhoc-ipagetkeytab.yml +++ b/adhoc-ipagetkeytab.yml @@ -17,8 +17,6 @@ hosts: all become: true gather_facts: false - vars_files: - - vars/vaults/kerbman.yml tasks: - name: "Checking for user variables" diff --git a/adhoc-ipaservice.yml b/adhoc-ipaservice.yml index 7f9fbff..05bcb07 100644 --- a/adhoc-ipaservice.yml +++ b/adhoc-ipaservice.yml @@ -6,8 +6,6 @@ hosts: all become: false gather_facts: false - vars_files: - - vars/vaults/kerbman.yml tasks: - name: "Checking for user variables" diff --git a/adhoc-ipauser-disable-pdr.yml b/adhoc-ipauser-disable-pdr.yml index 991f6d9..4623e86 100644 --- a/adhoc-ipauser-disable-pdr.yml +++ b/adhoc-ipauser-disable-pdr.yml @@ -10,8 +10,6 @@ hosts: all become: false gather_facts: false - vars_files: - - vars/vaults/userman.yml tasks: - name: "Checking for user variables" diff --git a/adhoc-ipauser-disable.yml b/adhoc-ipauser-disable.yml index 179b708..7aac935 100644 --- a/adhoc-ipauser-disable.yml +++ b/adhoc-ipauser-disable.yml @@ -6,8 +6,6 @@ hosts: all become: false gather_facts: false - vars_files: - - vars/vaults/userman.yml tasks: - name: "Checking for user variables" diff --git a/adhoc-ipauser-enable.yml b/adhoc-ipauser-enable.yml index 197133e..21c8fd7 100644 --- a/adhoc-ipauser-enable.yml +++ b/adhoc-ipauser-enable.yml @@ -6,8 +6,6 @@ hosts: all become: false gather_facts: false - vars_files: - - vars/vaults/userman.yml tasks: - name: "Checking for user variables" diff --git a/adhoc-ipauser.yml b/adhoc-ipauser.yml index e64cb16..e1cb0aa 100644 --- a/adhoc-ipauser.yml +++ b/adhoc-ipauser.yml @@ -6,8 +6,6 @@ hosts: all become: false gather_facts: false - vars_files: - - vars/vaults/userman.yml tasks: - name: "Checking for user variables" diff --git a/init-rocky-ipa-internal-dns.yml b/init-rocky-ipa-internal-dns.yml index c555a6c..fc87eef 100644 --- a/init-rocky-ipa-internal-dns.yml +++ b/init-rocky-ipa-internal-dns.yml @@ -5,7 +5,6 @@ become: false gather_facts: false vars_files: - - vars/vaults/encpass.yml - vars/ipa/rdns.yml - vars/ipa/fdns.yml diff --git a/init-rocky-ipa-team.yml b/init-rocky-ipa-team.yml index 5c30230..48f5155 100644 --- a/init-rocky-ipa-team.yml +++ b/init-rocky-ipa-team.yml @@ -5,7 +5,6 @@ become: true gather_facts: false vars_files: - - vars/vaults/encpass.yml - vars/ipa/users.yml - vars/ipa/adminusers.yml - vars/ipa/svcusers.yml diff --git a/role-rocky-ipa-client.yml b/role-rocky-ipa-client.yml index e12793c..bb43e38 100644 --- a/role-rocky-ipa-client.yml +++ b/role-rocky-ipa-client.yml @@ -5,7 +5,6 @@ hosts: all become: true vars_files: - - vars/vaults/encpass.yml - vars/ipa/ipaclient.yml pre_tasks: diff --git a/role-rocky-ipa-replica.yml b/role-rocky-ipa-replica.yml index ec5e827..ea5b033 100644 --- a/role-rocky-ipa-replica.yml +++ b/role-rocky-ipa-replica.yml @@ -4,8 +4,6 @@ - name: Configure IPA server hosts: all become: true - vars_files: - - vars/vaults/encpass.yml # This is to try to avoid the handler issue in pre/post tasks handlers: diff --git a/role-rocky-ipa.yml b/role-rocky-ipa.yml index ffdc2dc..e2055f8 100644 --- a/role-rocky-ipa.yml +++ b/role-rocky-ipa.yml @@ -9,8 +9,6 @@ - name: Configure IPA server hosts: all become: true - vars_files: - - vars/vaults/encpass.yml # This is to try to avoid the handler issue in pre/post tasks handlers: diff --git a/vars/ipa/adminusers.yml b/vars/ipa/adminusers.yml new file mode 100644 index 0000000..4fd54d7 --- /dev/null +++ b/vars/ipa/adminusers.yml @@ -0,0 +1,63 @@ +--- +adminusers: + - name: label2 + first: Louis + last: Abel + password: ThisIsNotMyPassword1! + title: Infrastructure IdM Manager + loginshell: /bin/bash + - name: gmk2 + first: Gregory + last: Kurtzer + password: ThisIsNotMyPassword1! + title: Executive Director + loginshell: /bin/bash + - name: brian2 + first: Brian + last: Clemens + password: ThisIsNotMyPassword1! + title: Project Manager + loginshell: /bin/bash + - name: hbjy2 + first: Hayden + last: Young + password: ThisIsNotMyPassword1! + title: Web & Branding Manager + loginshell: /bin/bash + - name: jorp2 + first: Jordan + last: Pisaniello + password: ThisIsNotMyPassword1! + title: Community Manager + loginshell: /bin/bash + - name: neil2 + first: Neil + last: Hanlon + password: ThisIsNotMyPassword1! + title: Infrastructure Manager + loginshell: /bin/bash + - name: rlh2 + first: R. Leigh + last: Hennig + password: ThisIsNotMyPassword1! + title: Operations Manager + loginshell: /bin/bash + - name: rfelsburg2 + first: Rob + last: Felsburg + password: ThisIsNotMyPassword1! + title: Operations Manager + loginshell: /bin/bash + - name: tg2 + first: Taylor + last: Goodwill + password: ThisIsNotMyPassword1! + title: Infrastructure Manager + loginshell: /bin/bash + - name: bagner2 + first: Benjamin + last: Agner + password: ThisIsNotMyPassword1! + title: Security Director + loginshell: /bin/bash +... diff --git a/vars/ipa/agreements.yml b/vars/ipa/agreements.yml new file mode 100644 index 0000000..2640c2c --- /dev/null +++ b/vars/ipa/agreements.yml @@ -0,0 +1,3 @@ +--- +# Vars for Agreements for the Rocky Linux Project +... diff --git a/vars/ipa/fdns.yml b/vars/ipa/fdns.yml new file mode 100644 index 0000000..06bc340 --- /dev/null +++ b/vars/ipa/fdns.yml @@ -0,0 +1,5 @@ +--- +fdns: + - rockylinux.org. + - aws.rockylinux.org. +... diff --git a/vars/ipa/groups.yml b/vars/ipa/groups.yml new file mode 100644 index 0000000..e3723a9 --- /dev/null +++ b/vars/ipa/groups.yml @@ -0,0 +1,99 @@ +--- +ipagroups: + - group: infrastructure + description: Infrastructure Team + user: + - label + - neil + - rlh + - rfelsburg + - tg + - bagner + - group: operations + description: Operations Team + user: + - rlh + - rfelsburg + - group: development + description: Development Team + - group: qa + description: Quality Assurance Team + - group: marketing + description: Marketing + - group: rocky + description: Rocky Linux Team + user: + - label + - gmk + - brian + - hbjy + - jorp + - neil + - rlh + - rfelsburg + - tg + - bagner + - group: rockyadm + description: Rocky Linux Administrators - Only Admin Accounts + user: + - label2 + - gmk2 + - brian2 + - hbjy2 + - jorp2 + - neil2 + - rlh2 + - rfelsburg2 + - tg2 + - bagner2 + - group: gitadm + description: Rocky Linux GitLab Admins + user: + - label + - neil + - rlh + - rfelsburg + - tg + - hbjy + - group: gitusers + description: Rocky Linux GitLab Users + user: + - label + - neil + - rlh + - rfelsburg + - tg + - hbjy + - rockyautomation + managers_users: + - label + - neil + - rlh + - rfelsburg + - tg + - hbjy + - group: services + description: Rocky Linux Service Accounts + user: + - userman + - hostman + - kerbman + - rockykoji + - pubsub_federation + - rockypubsub + - rockyautomation + - group: iam + description: Rocky Linux Identity Management + user: + - label + managers_users: + - label + - group: releng + description: Rocky Linux Release Engineering + user: + - label + managers_users: + - label + - group: mq_pub_readonly + description: RabbitMQ ReadOnly +... diff --git a/vars/ipa/ipaclient.yml b/vars/ipa/ipaclient.yml new file mode 100644 index 0000000..682098c --- /dev/null +++ b/vars/ipa/ipaclient.yml @@ -0,0 +1,11 @@ +--- +# IPA Client Vars +ipaclient_domain: rockylinux.org +ipaclient_realm: ROCKYLINUX.ORG +ipaadmin_principal: admin +ipaclient_no_ntp: true +ipaclient_mkhomedir: true +ipaclient_ssh_trust_dns: true +ipasssd_enable_dns_updates: true +ipatype: client +... diff --git a/vars/ipa/ipaprivs.yml b/vars/ipa/ipaprivs.yml new file mode 100644 index 0000000..c8bed98 --- /dev/null +++ b/vars/ipa/ipaprivs.yml @@ -0,0 +1,43 @@ +--- +# privileges +ipaprivileges: + - privilege: Privileges - Kerberos Managers + description: Kerberos Key Managers + permissions: + - "System: Manage Host Keytab" + - "System: Manage Host Keytab Permissions" + - "System: Manage Service Keytab" + - "System: Manage Service Keytab Permissions" + - "System: Manage User Principals" + role: Kerberos Managers + user: + - kerbman + +# Standalone Roles +iparoles: + - role: IPA Client Managers + description: IPA Client Managers + privileges: + - "DNS Administrators" + - "DNS Servers" + - "Host Administrators" + - "Host Enrollment" + - "Host Group Administrators" + - "Netgroups Administrators" + user: + - hostman + - role: Kerberos Managers + description: Kerberos Key Managers + privileges: + - "Privileges - Kerberos Managers" + - "Service Administrators" + user: + - kerbman + - role: IPA User Managers + description: Rocky IPA User Managers responsible for idm flow + privileges: + - "Group Administrators" + - "Stage User Administrators" + - "User Administrators" + - "FAS Agreement Administrators" +... diff --git a/vars/ipa/ipareplica.yml b/vars/ipa/ipareplica.yml new file mode 100644 index 0000000..38dd5f4 --- /dev/null +++ b/vars/ipa/ipareplica.yml @@ -0,0 +1,14 @@ +--- +# IPA Replica +ipaadmin_principal: admin +ipaclient_no_ntp: true +ipaclient_mkhomedir: true +ipaserver_realm: ROCKYLINUX.ORG +ipareplica_domain: rockylinux.org +ipareplica_auto_forwarders: true +ipareplica_setup_firewalld: true +ipareplica_setup_ca: true +ipareplica_setup_kra: true +ipareplica_setup_dns: true +ipatype: replica +... diff --git a/vars/ipa/ipaserver.yml b/vars/ipa/ipaserver.yml new file mode 100644 index 0000000..efaefbb --- /dev/null +++ b/vars/ipa/ipaserver.yml @@ -0,0 +1,16 @@ +--- +# IPA Server +ipaserver_domain: rockylinux.org +ipaserver_realm: ROCKYLINUX.ORG +ipaserver_setup_dns: true +ipaserver_setup_kra: true +ipaserver_auto_forwarders: true +ipaserver_no_host_dns: true +ipaserver_allow_zone_overlap: true +ipaserver_setup_firewalld: true +ipaclient_no_ntp: true +ipaclient_mkhomedir: true +ipaserver_no_hbac_allow: true +ipaserver_reverse_zones: ["32.10.in-addr.arpa."] +ipatype: server +... diff --git a/vars/ipa/rdns.yml b/vars/ipa/rdns.yml new file mode 100644 index 0000000..2e52d7b --- /dev/null +++ b/vars/ipa/rdns.yml @@ -0,0 +1,4 @@ +--- +rdns: + - 32.10.in-addr.arpa. +... diff --git a/vars/ipa/sudorules.yml b/vars/ipa/sudorules.yml new file mode 100644 index 0000000..91da2a7 --- /dev/null +++ b/vars/ipa/sudorules.yml @@ -0,0 +1,2 @@ +--- +... diff --git a/vars/ipa/svcusers.yml b/vars/ipa/svcusers.yml new file mode 100644 index 0000000..d5bf8e1 --- /dev/null +++ b/vars/ipa/svcusers.yml @@ -0,0 +1,45 @@ +--- +svcusers: + - name: hostman + first: Host + last: Manager + password: ThisIsNotMyPassword1! + title: System Account - Host Manager + loginshell: /sbin/nologin + - name: kerbman + first: Kerberos + last: Manager + password: ThisIsNotMyPassword1! + title: System Account - Kerberos Key Manager + loginshell: /sbin/nologin + - name: userman + first: User + last: Manager + password: ThisIsNotMyPassword1! + title: System Account - User Manager + loginshell: /sbin/nologin + - name: rockykoji + first: Koji + last: Manager + password: ThisIsNotMyPassword1! + title: System Account - Koji Manager + loginshell: /sbin/nologin + - name: pubsub_federation + first: pubsub + last: federation + password: ThisIsNotMyPassword1! + title: System Account - pubsub federator + loginshell: /sbin/nologin + - name: rockypubsub + first: rocky + last: pubsub + password: ThisIsNotMyPassword1! + title: System Account - pubsub + loginshell: /sbin/nologin + - name: rockyautomation + first: Rocky + last: Automation + password: ThisIsNotMyPassword1! + title: System Account - Automation + loginshell: /sbin/nologin +... diff --git a/vars/ipa/users.yml b/vars/ipa/users.yml new file mode 100644 index 0000000..a291293 --- /dev/null +++ b/vars/ipa/users.yml @@ -0,0 +1,73 @@ +--- +users: + - name: label + first: Louis + last: Abel + email: label@rockylinux.org + password: ThisIsNotMyPassword1! + title: Infrastructure IdM Manager + loginshell: /bin/bash + - name: gmk + first: Gregory + last: Kurtzer + email: gmk@rockylinux.org + password: ThisIsNotMyPassword1! + title: Executive Director + loginshell: /bin/bash + - name: brian + first: Brian + last: Clemens + email: brian@rockylinux.org + password: ThisIsNotMyPassword1! + title: Project Manager + loginshell: /bin/bash + - name: hbjy + first: Hayden + last: Young + email: hbjy@rockylinux.org + password: ThisIsNotMyPassword1! + title: Web & Branding Manager + loginshell: /bin/bash + - name: jorp + first: Jordan + last: Pisaniello + email: jorp@rockylinux.org + password: ThisIsNotMyPassword1! + title: Community Manager + loginshell: /bin/bash + - name: neil + first: Neil + last: Hanlon + email: neil@rockylinux.org + password: ThisIsNotMyPassword1! + title: Infrastructure Manager + loginshell: /bin/bash + - name: rlh + first: R. Leigh + last: Hennig + email: rlh@rockylinux.org + password: ThisIsNotMyPassword1! + title: Operations Manager + loginshell: /bin/bash + - name: rfelsburg + first: Rob + last: Felsburg + email: rfelsburg@rockylinux.org + password: ThisIsNotMyPassword1! + title: Operations Manager + loginshell: /bin/bash + - name: tg + first: Taylor + last: Goodwill + email: tg@rockylinux.org + password: ThisIsNotMyPassword1! + title: Infrastructure Manager + loginshell: /bin/bash + - name: bagner + first: Benjamin + last: Agner + email: bagner@rockylinux.org + password: ThisIsNotMyPassword1! + title: Security Director + loginshell: /bin/bash +... diff --git a/vars/ipaserver.yml b/vars/ipaserver.yml new file mode 100644 index 0000000..b4216b4 --- /dev/null +++ b/vars/ipaserver.yml @@ -0,0 +1,3 @@ +--- +ipatype: server +...