quick fixes

adhoc-ipadnsrecord.yml

@@ -15,8 +15,6 @@
   hosts: all
   become: false
   gather_facts: false
-  vars_files:
-  - vars/vaults/hostman.yml
 
   tasks:
     - name: "Checking for user variables"

adhoc-ipadnszone.yml

@@ -7,8 +7,6 @@
   hosts: all
   become: false
   gather_facts: false
-  vars_files:
-  - vars/vaults/hostman.yml
 
   tasks:
     - name: "Checking for user variables"

adhoc-ipagetkeytab.yml

@@ -17,8 +17,6 @@
   hosts: all
   become: true
   gather_facts: false
-  vars_files:
-    - vars/vaults/kerbman.yml
 
   tasks:
     - name: "Checking for user variables"

adhoc-ipaservice.yml

@@ -6,8 +6,6 @@
   hosts: all
   become: false
   gather_facts: false
-  vars_files:
-    - vars/vaults/kerbman.yml
 
   tasks:
     - name: "Checking for user variables"

adhoc-ipauser-disable-pdr.yml

@@ -10,8 +10,6 @@
   hosts: all
   become: false
   gather_facts: false
-  vars_files:
-  - vars/vaults/userman.yml
 
   tasks:
     - name: "Checking for user variables"

adhoc-ipauser-disable.yml

@@ -6,8 +6,6 @@
   hosts: all
   become: false
   gather_facts: false
-  vars_files:
-  - vars/vaults/userman.yml
 
   tasks:
     - name: "Checking for user variables"

adhoc-ipauser-enable.yml

@@ -6,8 +6,6 @@
   hosts: all
   become: false
   gather_facts: false
-  vars_files:
-  - vars/vaults/userman.yml
 
   tasks:
     - name: "Checking for user variables"

adhoc-ipauser.yml

@@ -6,8 +6,6 @@
   hosts: all
   become: false
   gather_facts: false
-  vars_files:
-  - vars/vaults/userman.yml
 
   tasks:
     - name: "Checking for user variables"

init-rocky-ipa-internal-dns.yml

@@ -5,7 +5,6 @@
   become: false
   gather_facts: false
   vars_files:
-  - vars/vaults/encpass.yml
   - vars/ipa/rdns.yml
   - vars/ipa/fdns.yml
 

init-rocky-ipa-team.yml

@@ -5,7 +5,6 @@
   become: true
   gather_facts: false
   vars_files:
-  - vars/vaults/encpass.yml
   - vars/ipa/users.yml
   - vars/ipa/adminusers.yml
   - vars/ipa/svcusers.yml

role-rocky-ipa-client.yml

@@ -5,7 +5,6 @@
   hosts: all
   become: true
   vars_files:
-  - vars/vaults/encpass.yml
   - vars/ipa/ipaclient.yml
 
   pre_tasks:

role-rocky-ipa-replica.yml

@@ -4,8 +4,6 @@
 - name: Configure IPA server
   hosts: all
   become: true
-  vars_files:
-  - vars/vaults/encpass.yml
 
   # This is to try to avoid the handler issue in pre/post tasks
   handlers:

role-rocky-ipa.yml

@@ -9,8 +9,6 @@
 - name: Configure IPA server
   hosts: all
   become: true
-  vars_files:
-  - vars/vaults/encpass.yml
 
   # This is to try to avoid the handler issue in pre/post tasks
   handlers:

vars/ipa/adminusers.yml

@@ -0,0 +1,63 @@
+---
+adminusers:
+  - name: label2
+    first: Louis
+    last: Abel
+    password: ThisIsNotMyPassword1!
+    title: Infrastructure IdM Manager
+    loginshell: /bin/bash
+  - name: gmk2
+    first: Gregory
+    last: Kurtzer
+    password: ThisIsNotMyPassword1!
+    title: Executive Director
+    loginshell: /bin/bash
+  - name: brian2
+    first: Brian
+    last: Clemens
+    password: ThisIsNotMyPassword1!
+    title: Project Manager
+    loginshell: /bin/bash
+  - name: hbjy2
+    first: Hayden
+    last: Young
+    password: ThisIsNotMyPassword1!
+    title: Web & Branding Manager
+    loginshell: /bin/bash
+  - name: jorp2
+    first: Jordan
+    last: Pisaniello
+    password: ThisIsNotMyPassword1!
+    title: Community Manager
+    loginshell: /bin/bash
+  - name: neil2
+    first: Neil
+    last: Hanlon
+    password: ThisIsNotMyPassword1!
+    title: Infrastructure Manager
+    loginshell: /bin/bash
+  - name: rlh2
+    first: R. Leigh
+    last: Hennig
+    password: ThisIsNotMyPassword1!
+    title: Operations Manager
+    loginshell: /bin/bash
+  - name: rfelsburg2
+    first: Rob
+    last: Felsburg
+    password: ThisIsNotMyPassword1!
+    title: Operations Manager
+    loginshell: /bin/bash
+  - name: tg2
+    first: Taylor
+    last: Goodwill
+    password: ThisIsNotMyPassword1!
+    title: Infrastructure Manager
+    loginshell: /bin/bash
+  - name: bagner2
+    first: Benjamin
+    last: Agner
+    password: ThisIsNotMyPassword1!
+    title: Security Director
+    loginshell: /bin/bash
+...

vars/ipa/agreements.yml

@@ -0,0 +1,3 @@
+---
+# Vars for Agreements for the Rocky Linux Project
+...

vars/ipa/fdns.yml

@@ -0,0 +1,5 @@
+---
+fdns:
+  - rockylinux.org.
+  - aws.rockylinux.org.
+...

vars/ipa/groups.yml

@@ -0,0 +1,99 @@
+---
+ipagroups:
+  - group: infrastructure
+    description: Infrastructure Team
+    user:
+      - label
+      - neil
+      - rlh
+      - rfelsburg
+      - tg
+      - bagner
+  - group: operations
+    description: Operations Team
+    user:
+      - rlh
+      - rfelsburg
+  - group: development
+    description: Development Team
+  - group: qa
+    description: Quality Assurance Team
+  - group: marketing
+    description: Marketing
+  - group: rocky
+    description: Rocky Linux Team
+    user:
+      - label
+      - gmk
+      - brian
+      - hbjy
+      - jorp
+      - neil
+      - rlh
+      - rfelsburg
+      - tg
+      - bagner
+  - group: rockyadm
+    description: Rocky Linux Administrators - Only Admin Accounts
+    user:
+      - label2
+      - gmk2
+      - brian2
+      - hbjy2
+      - jorp2
+      - neil2
+      - rlh2
+      - rfelsburg2
+      - tg2
+      - bagner2
+  - group: gitadm
+    description: Rocky Linux GitLab Admins
+    user:
+      - label
+      - neil
+      - rlh
+      - rfelsburg
+      - tg
+      - hbjy
+  - group: gitusers
+    description: Rocky Linux GitLab Users
+    user:
+      - label
+      - neil
+      - rlh
+      - rfelsburg
+      - tg
+      - hbjy
+      - rockyautomation
+    managers_users:
+      - label
+      - neil
+      - rlh
+      - rfelsburg
+      - tg
+      - hbjy
+  - group: services
+    description: Rocky Linux Service Accounts
+    user:
+      - userman
+      - hostman
+      - kerbman
+      - rockykoji
+      - pubsub_federation
+      - rockypubsub
+      - rockyautomation
+  - group: iam
+    description: Rocky Linux Identity Management
+    user:
+      - label
+    managers_users:
+      - label
+  - group: releng
+    description: Rocky Linux Release Engineering
+    user:
+      - label
+    managers_users:
+      - label
+  - group: mq_pub_readonly
+    description: RabbitMQ ReadOnly
+...

vars/ipa/ipaclient.yml

@@ -0,0 +1,11 @@
+---
+# IPA Client Vars
+ipaclient_domain: rockylinux.org
+ipaclient_realm: ROCKYLINUX.ORG
+ipaadmin_principal: admin
+ipaclient_no_ntp: true
+ipaclient_mkhomedir: true
+ipaclient_ssh_trust_dns: true
+ipasssd_enable_dns_updates: true
+ipatype: client
+...

vars/ipa/ipaprivs.yml

@@ -0,0 +1,43 @@
+---
+# privileges
+ipaprivileges:
+  - privilege: Privileges - Kerberos Managers
+    description: Kerberos Key Managers
+    permissions:
+      - "System: Manage Host Keytab"
+      - "System: Manage Host Keytab Permissions"
+      - "System: Manage Service Keytab"
+      - "System: Manage Service Keytab Permissions"
+      - "System: Manage User Principals"
+    role: Kerberos Managers
+    user:
+      - kerbman
+
+# Standalone Roles
+iparoles:
+  - role: IPA Client Managers
+    description: IPA Client Managers
+    privileges:
+      - "DNS Administrators"
+      - "DNS Servers"
+      - "Host Administrators"
+      - "Host Enrollment"
+      - "Host Group Administrators"
+      - "Netgroups Administrators"
+    user:
+      - hostman
+  - role: Kerberos Managers
+    description: Kerberos Key Managers
+    privileges:
+      - "Privileges - Kerberos Managers"
+      - "Service Administrators"
+    user:
+      - kerbman
+  - role: IPA User Managers
+    description: Rocky IPA User Managers responsible for idm flow
+    privileges:
+      - "Group Administrators"
+      - "Stage User Administrators"
+      - "User Administrators"
+      - "FAS Agreement Administrators"
+...

vars/ipa/ipareplica.yml

@@ -0,0 +1,14 @@
+---
+# IPA Replica
+ipaadmin_principal: admin
+ipaclient_no_ntp: true
+ipaclient_mkhomedir: true
+ipaserver_realm: ROCKYLINUX.ORG
+ipareplica_domain: rockylinux.org
+ipareplica_auto_forwarders: true
+ipareplica_setup_firewalld: true
+ipareplica_setup_ca: true
+ipareplica_setup_kra: true
+ipareplica_setup_dns: true
+ipatype: replica
+...

vars/ipa/ipaserver.yml

@@ -0,0 +1,16 @@
+---
+# IPA Server
+ipaserver_domain: rockylinux.org
+ipaserver_realm: ROCKYLINUX.ORG
+ipaserver_setup_dns: true
+ipaserver_setup_kra: true
+ipaserver_auto_forwarders: true
+ipaserver_no_host_dns: true
+ipaserver_allow_zone_overlap: true
+ipaserver_setup_firewalld: true
+ipaclient_no_ntp: true
+ipaclient_mkhomedir: true
+ipaserver_no_hbac_allow: true
+ipaserver_reverse_zones: ["32.10.in-addr.arpa."]
+ipatype: server
+...

vars/ipa/rdns.yml

@@ -0,0 +1,4 @@
+---
+rdns:
+  - 32.10.in-addr.arpa.
+...

vars/ipa/sudorules.yml

@@ -0,0 +1,2 @@
+---
+...

vars/ipa/svcusers.yml

@@ -0,0 +1,45 @@
+---
+svcusers:
+  - name: hostman
+    first: Host
+    last: Manager
+    password: ThisIsNotMyPassword1!
+    title: System Account - Host Manager
+    loginshell: /sbin/nologin
+  - name: kerbman
+    first: Kerberos
+    last: Manager
+    password: ThisIsNotMyPassword1!
+    title: System Account - Kerberos Key Manager
+    loginshell: /sbin/nologin
+  - name: userman
+    first: User
+    last: Manager
+    password: ThisIsNotMyPassword1!
+    title: System Account - User Manager
+    loginshell: /sbin/nologin
+  - name: rockykoji
+    first: Koji
+    last: Manager
+    password: ThisIsNotMyPassword1!
+    title: System Account - Koji Manager
+    loginshell: /sbin/nologin
+  - name: pubsub_federation
+    first: pubsub
+    last: federation
+    password: ThisIsNotMyPassword1!
+    title: System Account - pubsub federator
+    loginshell: /sbin/nologin
+  - name: rockypubsub
+    first: rocky
+    last: pubsub
+    password: ThisIsNotMyPassword1!
+    title: System Account - pubsub
+    loginshell: /sbin/nologin
+  - name: rockyautomation
+    first: Rocky
+    last: Automation
+    password: ThisIsNotMyPassword1!
+    title: System Account - Automation
+    loginshell: /sbin/nologin
+...

vars/ipa/users.yml

@@ -0,0 +1,73 @@
+---
+users:
+  - name: label
+    first: Louis
+    last: Abel
+    email: label@rockylinux.org
+    password: ThisIsNotMyPassword1!
+    title: Infrastructure IdM Manager
+    loginshell: /bin/bash
+  - name: gmk
+    first: Gregory
+    last: Kurtzer
+    email: gmk@rockylinux.org
+    password: ThisIsNotMyPassword1!
+    title: Executive Director
+    loginshell: /bin/bash
+  - name: brian
+    first: Brian
+    last: Clemens
+    email: brian@rockylinux.org
+    password: ThisIsNotMyPassword1!
+    title: Project Manager
+    loginshell: /bin/bash
+  - name: hbjy
+    first: Hayden
+    last: Young
+    email: hbjy@rockylinux.org
+    password: ThisIsNotMyPassword1!
+    title: Web & Branding Manager
+    loginshell: /bin/bash
+  - name: jorp
+    first: Jordan
+    last: Pisaniello
+    email: jorp@rockylinux.org
+    password: ThisIsNotMyPassword1!
+    title: Community Manager
+    loginshell: /bin/bash
+  - name: neil
+    first: Neil
+    last: Hanlon
+    email: neil@rockylinux.org
+    password: ThisIsNotMyPassword1!
+    title: Infrastructure Manager
+    loginshell: /bin/bash
+  - name: rlh
+    first: R. Leigh
+    last: Hennig
+    email: rlh@rockylinux.org
+    password: ThisIsNotMyPassword1!
+    title: Operations Manager
+    loginshell: /bin/bash
+  - name: rfelsburg
+    first: Rob
+    last: Felsburg
+    email: rfelsburg@rockylinux.org
+    password: ThisIsNotMyPassword1!
+    title: Operations Manager
+    loginshell: /bin/bash
+  - name: tg
+    first: Taylor
+    last: Goodwill
+    email: tg@rockylinux.org
+    password: ThisIsNotMyPassword1!
+    title: Infrastructure Manager
+    loginshell: /bin/bash
+  - name: bagner
+    first: Benjamin
+    last: Agner
+    email: bagner@rockylinux.org
+    password: ThisIsNotMyPassword1!
+    title: Security Director
+    loginshell: /bin/bash
+...

vars/ipaserver.yml

@@ -0,0 +1,3 @@
+---
+ipatype: server
+...