This commit is contained in:
nazunalika 2022-02-12 22:41:09 -07:00
parent 1a69ead36d
commit 4c55917561
Signed by: label
GPG Key ID: 6735C0E1BD65D048
6 changed files with 116 additions and 26 deletions

15
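--- /dev/null
+++ b/import-rockygroups.yml
@@ -0,0 +1,15 @@
+---
+# Creates the first set of groups for the IdM Infrastructure
+- name: "Creating Mandatory Groups"
+freeipa.ansible_freeipa.ipagroup:
+ipaadmin_password: "{{ ipaadmin_password }}"
+name: "{{ item.group }}"
+description: "{{ item.description }}"
+nonposix: false
+user: "{{ item.user | default(none) }}"
+membermanager_user: "{{ item.managers_users | default(omit) }}"
+membermanager_group: "{{ item.managers_groups | default(omit) }}"
+loop: "{{ ipagroups }}"
+tags:
+- groups
+...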
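Review bot: `user: "{{ item.user | default(none) }}"` falls back to an empty value rather than leaving the parameter out, unlike the two `membermanager_*` lines beside it which use `default(omit)`. If the module treats an explicitly empty member list as the authoritative membership for `state: present`, a group entry that carries no `user` key could have its existing members stripped on every run of the play; it is at least an inconsistency worth making deliberate. Change it to `user: "{{ item.user | default(omit) }}"` so an absent key means "do not manage members", matching the neighbouring parameters.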

17
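--- /dev/null
+++ b/import-rockypwpolicy.yml
@@ -0,0 +1,17 @@
+---
+# Creates the first set of groups for the IdM Infrastructure
+- name: "Setting up password policies"
+freeipa.ansible_freeipa.ipapwpolicy:
+ipaadmin_password: "{{ ipaadmin_password }}"
+name: "{{ item.group }}"
+minlife: "{{ item.minlife | default(0) }}"
+maxlife: "{{ item.maxlife | default(0) }}"
+history: "{{ item.history | default(5) }}"
+priority: "{{ item.priority | default(1) }}"
+lockouttime: "{{ item.lockout | default(300) }}"
+minlength: "{{ item.minlength | default(8) }}"
+maxfile: "{{ item.maxfail | default(5) }}"
+loop: "{{ ipapwpolicies }}"
+tags:
+- groups
+...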
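Review bot: `maxfile:` does not look like a parameter the ipapwpolicy module accepts; the value it is fed is `item.maxfail`, and the module's lockout-threshold option is `maxfail`, so this line would most likely be rejected as an unsupported parameter and the failure lockout (default `5` here) never applied. Change it to `maxfail: "{{ item.maxfail | default(5) }}"`. Two smaller points in the same file: the header comment `# Creates the first set of groups for the IdM Infrastructure` is copied from import-rockygroups.yml and should describe password policies, and the task is tagged `groups` although it manages policies, so a `--tags groups` run silently changes lockout and length rules while a `--skip-tags groups` run skips them.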

13
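--- /dev/null
+++ b/import-rockysudo.yml
@@ -0,0 +1,13 @@
+---
+# Currently only one SUDO role should be created, and that is for the
+# rocky linux admins
+- name: "Creating SUDO Role for Rocky Admins"
+freeipa.ansible_freeipa.ipasudorule:
+ipaadmin_password: "{{ ipaadmin_password }}"
+name: All_RockyAdmins
+description: Rocky Linux infrastructure and operations sudo access
+group:
+- rockyadm
+hostcat: all
+cmdcat: all
+...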
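Review bot: The `Creating SUDO Role for Rocky Admins` task carries no `tags:` stanza, while every task in the sibling files added by this commit is tagged (`groups`, `users`), so a tag-filtered run of the play will never apply or re-verify this rule even though it is the most privileged object the commit creates (`hostcat: all` with `cmdcat: all` for `rockyadm`). Add a tags block consistent with the other files, for example `tags:` / `- sudo` (tag name is a suggestion). It would also help a later reader if the header comment stated that the rule intentionally grants every command on every host, so the breadth is recognisable as a decision rather than an omission.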

71
import-rockyusers.yml Normal file

@ -0,0 +1,71 @@
---
# Creates the first set of users for the IdM Infrastructure. This
# should create both regular and admin accounts for separation of
# privilege.
- name: "Creating Initial Accounts"
freeipa.ansible_freeipa.ipauser:
ipaadmin_password: "{{ ipaadmin_password }}"
name: "{{ item.name }}"
first: "{{ item.first }}"
last: "{{ item.last }}"
email: "{{ item.email|default(omit) }}"
password: "{{ item.password }}"
title: "{{ item.title }}"
loginshell: "{{ item.loginshell }}"
update_password: on_create
loop: "{{ users }}"
tags:
- users
- name: "Creating Initial Admin Accounts"
freeipa.ansible_freeipa.ipauser:
ipaadmin_password: "{{ ipaadmin_password }}"
name: "{{ item.name }}"
first: "{{ item.first }}"
last: "{{ item.last }}"
email: "{{ item.email|default(omit) }}"
password: "{{ item.password }}"
title: "{{ item.title }}"
loginshell: "{{ item.loginshell }}"
update_password: on_create
loop: "{{ adminusers }}"
tags:
- users
- name: "Creating Service Accounts"
freeipa.ansible_freeipa.ipauser:
ipaadmin_password: "{{ ipaadmin_password }}"
name: "{{ item.name }}"
first: "{{ item.first }}"
last: "{{ item.last }}"
email: "{{ item.email|default(omit) }}"
password: "{{ item.password }}"
title: "{{ item.title }}"
loginshell: "{{ item.loginshell }}"
update_password: on_create
loop: "{{ svcusers }}"
tags:
- users
- name: "Creating bind account template - binder"
template:
src: "tmp/binder.update"
dest: "/tmp/binder.update"
owner: root
group: root
mode: '0600'
tags:
- users
- name: "Adding in the bind account - binder"
command: "/usr/sbin/ipa-ldap-updater /tmp/binder.update"
register: bind_account
changed_when: "bind_account.rc == 0"
tags:
- users
- name: "Remove template"
file:
path: "/tmp/binder.update"
state: absent
...
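Review bot: The three ipauser tasks starting at `- name: "Creating Initial Accounts"` loop over lists whose items carry a `password` key, and Ansible prints each loop item in the task result, so the plaintext passwords from the vars files land in the play output and in any log collector; the module's own masking covers only its `password` argument, not the echoed item. Add `loop_control:` / `label: "{{ item.name }}"` to each of the three tasks, or `no_log: true` if the result text is not needed. The three tasks are identical apart from the loop list and could be one task looping over `users + adminusers + svcusers`. Separately, `changed_when: "bind_account.rc == 0"` on the `ipa-ldap-updater` step reports a change on every successful run, so the play is never idempotent for that task.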


@ -18,18 +18,6 @@ adminusers:
password: ThisIsNotMyPassword1!
title: Project Manager
loginshell: /bin/bash
- name: hbjy2
first: Hayden
last: Young
password: ThisIsNotMyPassword1!
title: Web & Branding Manager
loginshell: /bin/bash
- name: jorp2
first: Jordan
last: Pisaniello
password: ThisIsNotMyPassword1!
title: Community Manager
loginshell: /bin/bash
- name: neil2
first: Neil
last: Hanlon


@ -21,20 +21,6 @@ users:
password: ThisIsNotMyPassword1!
title: Project Manager
loginshell: /bin/bash
- name: hbjy
first: Hayden
last: Young
email: hbjy@rockylinux.org
password: ThisIsNotMyPassword1!
title: Web & Branding Manager
loginshell: /bin/bash
- name: jorp
first: Jordan
last: Pisaniello
email: jorp@rockylinux.org
password: ThisIsNotMyPassword1!
title: Community Manager
loginshell: /bin/bash
- name: neil
first: Neil
last: Hanlon