From 4c5591756124d2d44ec7ad46a147c0414c7c153f Mon Sep 17 00:00:00 2001
From: nazunalika
Date: Sat, 12 Feb 2022 22:41:09 -0700
Subject: [PATCH] fix vars
---
import-rockygroups.yml | 15 +++++++++
import-rockypwpolicy.yml | 17 ++++++++++
import-rockysudo.yml | 13 ++++++++
import-rockyusers.yml | 71 ++++++++++++++++++++++++++++++++++++++++
vars/ipa/adminusers.yml | 12 -------
vars/ipa/users.yml | 14 --------
6 files changed, 116 insertions(+), 26 deletions(-)
create mode 100644 import-rockygroups.yml
create mode 100644 import-rockypwpolicy.yml
create mode 100644 import-rockysudo.yml
create mode 100644 import-rockyusers.yml
diff --git a/import-rockygroups.yml b/import-rockygroups.yml
new file mode 100644
index 0000000..6f9dcec
--- /dev/null
+++ b/import-rockygroups.yml
@@ -0,0 +1,15 @@
+---
+# Creates the first set of groups for the IdM Infrastructure
+- name: "Creating Mandatory Groups"
+ freeipa.ansible_freeipa.ipagroup:
+ ipaadmin_password: "{{ ipaadmin_password }}"
+ name: "{{ item.group }}"
+ description: "{{ item.description }}"
+ nonposix: false
+ user: "{{ item.user | default(none) }}"
+ membermanager_user: "{{ item.managers_users | default(omit) }}"
+ membermanager_group: "{{ item.managers_groups | default(omit) }}"
+ loop: "{{ ipagroups }}"
+ tags:
+ - groups
+...
diff --git a/import-rockypwpolicy.yml b/import-rockypwpolicy.yml
new file mode 100644
index 0000000..df4e36b
--- /dev/null
+++ b/import-rockypwpolicy.yml
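Review bot: `user: "{{ item.user | default(none) }}"` is the odd one out in this task: the two membermanager lines directly below use `default(omit)`, which drops the parameter entirely, whereas `default(none)` renders a literal that reaches the module as a value only because Ansible converts the rendered "None" back to a null. For consistency, and so that a group entry without `user` is left unmanaged rather than handed an explicit null member list, change it to `user: "{{ item.user | default(omit) }}"`. If the module treats an explicit empty member list as "remove all members" (not confirmable from this hunk), the distinction is behavioural, not cosmetic.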
@@ -0,0 +1,17 @@
+---
+# Creates the first set of groups for the IdM Infrastructure
+- name: "Setting up password policies"
+ freeipa.ansible_freeipa.ipapwpolicy:
+ ipaadmin_password: "{{ ipaadmin_password }}"
+ name: "{{ item.group }}"
+ minlife: "{{ item.minlife | default(0) }}"
+ maxlife: "{{ item.maxlife | default(0) }}"
+ history: "{{ item.history | default(5) }}"
+ priority: "{{ item.priority | default(1) }}"
+ lockouttime: "{{ item.lockout | default(300) }}"
+ minlength: "{{ item.minlength | default(8) }}"
+ maxfile: "{{ item.maxfail | default(5) }}"
+ loop: "{{ ipapwpolicies }}"
+ tags:
+ - groups
+...
diff --git a/import-rockysudo.yml b/import-rockysudo.yml
new file mode 100644
index 0000000..8705940
--- /dev/null
+++ b/import-rockysudo.yml
@@ -0,0 +1,13 @@
+---
+# Currently only one SUDO role should be created, and that is for the
+# rocky linux admins
+- name: "Creating SUDO Role for Rocky Admins"
+ freeipa.ansible_freeipa.ipasudorule:
+ ipaadmin_password: "{{ ipaadmin_password }}"
+ name: All_RockyAdmins
+ description: Rocky Linux infrastructure and operations sudo access
+ group:
+ - rockyadm
+ hostcat: all
+ cmdcat: all
+...
diff --git a/import-rockyusers.yml b/import-rockyusers.yml
new file mode 100644
index 0000000..50e01f4
--- /dev/null
+++ b/import-rockyusers.yml
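Review bot: `maxfile: "{{ item.maxfail | default(5) }}"` names a parameter the ipapwpolicy module does not have; the option is `maxfail`, matching the `item.maxfail` key on the same line, so the task will fail argument validation before any policy is created — change it to `maxfail: "{{ item.maxfail | default(5) }}"`. The header comment is copied from the groups playbook and should describe this file, e.g. `# Creates the initial password policies for the IdM Infrastructure`; the `groups` tag likewise looks copied and will select this task alongside group creation. Note also that `maxlife: "{{ item.maxlife | default(0) }}"` gives any policy entry that omits `maxlife` a lifetime of 0, which FreeIPA generally interprets as passwords never expiring (confirm for the deployed version); that is worth an explicit default or a comment so it is a deliberate choice.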
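Review bot: This task is the only one in the patch with no `tags:` block, so a run limited with `--tags groups` or `--tags users` skips the sudo rule while the groups and users it depends on are created; add `tags:` with `- sudo` to match the other playbooks. Since `hostcat: all` together with `cmdcat: all` grants members of `rockyadm` unrestricted sudo on every enrolled host, the description should say so explicitly for anyone auditing the rule later, e.g. `description: Unrestricted sudo on all IdM hosts for Rocky Linux infrastructure and operations admins`. The group name `rockyadm` is hardcoded here while the groups playbook takes its names from `ipagroups`; consider sourcing it from the same variable so the two cannot drift.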
@@ -0,0 +1,71 @@
+---
+# Creates the first set of users for the IdM Infrastructure. This
+# should create both regular and admin accounts for separation of
+# privilege.
+- name: "Creating Initial Accounts"
+ freeipa.ansible_freeipa.ipauser:
+ ipaadmin_password: "{{ ipaadmin_password }}"
+ name: "{{ item.name }}"
+ first: "{{ item.first }}"
+ last: "{{ item.last }}"
+ email: "{{ item.email|default(omit) }}"
+ password: "{{ item.password }}"
+ title: "{{ item.title }}"
+ loginshell: "{{ item.loginshell }}"
+ update_password: on_create
+ loop: "{{ users }}"
+ tags:
+ - users
+
+- name: "Creating Initial Admin Accounts"
+ freeipa.ansible_freeipa.ipauser:
+ ipaadmin_password: "{{ ipaadmin_password }}"
+ name: "{{ item.name }}"
+ first: "{{ item.first }}"
+ last: "{{ item.last }}"
+ email: "{{ item.email|default(omit) }}"
+ password: "{{ item.password }}"
+ title: "{{ item.title }}"
+ loginshell: "{{ item.loginshell }}"
+ update_password: on_create
+ loop: "{{ adminusers }}"
+ tags:
+ - users
+
+- name: "Creating Service Accounts"
+ freeipa.ansible_freeipa.ipauser:
+ ipaadmin_password: "{{ ipaadmin_password }}"
+ name: "{{ item.name }}"
+ first: "{{ item.first }}"
+ last: "{{ item.last }}"
+ email: "{{ item.email|default(omit) }}"
+ password: "{{ item.password }}"
+ title: "{{ item.title }}"
+ loginshell: "{{ item.loginshell }}"
+ update_password: on_create
+ loop: "{{ svcusers }}"
+ tags:
+ - users
+
+- name: "Creating bind account template - binder"
+ template:
+ src: "tmp/binder.update"
+ dest: "/tmp/binder.update"
+ owner: root
+ group: root
+ mode: '0600'
+ tags:
+ - users
+
+- name: "Adding in the bind account - binder"
+ command: "/usr/sbin/ipa-ldap-updater /tmp/binder.update"
+ register: bind_account
+ changed_when: "bind_account.rc == 0"
+ tags:
+ - users
+
+- name: "Remove template"
+ file:
+ path: "/tmp/binder.update"
+ state: absent
+...
diff --git a/vars/ipa/adminusers.yml b/vars/ipa/adminusers.yml
index 4fd54d7..6fac5e2 100644
--- a/vars/ipa/adminusers.yml
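Review bot: The three ipauser tasks pass `password: "{{ item.password }}"` from a loop without `no_log: true`; Ansible includes each loop `item` in the task result, so the initial passwords (kept as plaintext `password:` values in vars/ipa/users.yml and vars/ipa/adminusers.yml elsewhere in this patch) are written to the play output and any log collector, independent of whatever masking the module applies to its own arguments. Add `no_log: true` to each of the three tasks, and since they differ only in the loop variable, consider a single task with `loop: "{{ users + adminusers + svcusers }}"` so the setting cannot be forgotten on one of them. `changed_when: "bind_account.rc == 0"` reports the updater as changed on every successful run, so this play never converges to a clean idempotent state. The final `Remove template` task carries no `tags`, so a `--tags users` run applies the 0600 `/tmp/binder.update` but leaves it on disk; give it the same `tags:` `- users` entry as the template task.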
+++ b/vars/ipa/adminusers.yml
@@ -18,18 +18,6 @@ adminusers:
 password: ThisIsNotMyPassword1!
 title: Project Manager
 loginshell: /bin/bash
- - name: hbjy2
- first: Hayden
- last: Young
- password: ThisIsNotMyPassword1!
- title: Web & Branding Manager
- loginshell: /bin/bash
- - name: jorp2
- first: Jordan
- last: Pisaniello
- password: ThisIsNotMyPassword1!
- title: Community Manager
- loginshell: /bin/bash
 - name: neil2
 first: Neil
 last: Hanlon
diff --git a/vars/ipa/users.yml b/vars/ipa/users.yml
index a291293..26e6050 100644
--- a/vars/ipa/users.yml
+++ b/vars/ipa/users.yml
@@ -21,20 +21,6 @@ users:
 password: ThisIsNotMyPassword1!
 title: Project Manager
 loginshell: /bin/bash
- - name: hbjy
- first: Hayden
- last: Young
- email: hbjy@rockylinux.org
- password: ThisIsNotMyPassword1!
- title: Web & Branding Manager
- loginshell: /bin/bash
- - name: jorp
- first: Jordan
- last: Pisaniello
- email: jorp@rockylinux.org
- password: ThisIsNotMyPassword1!
- title: Community Manager
- loginshell: /bin/bash
 - name: neil
 first: Neil
 last: Hanlon