fix vars

2022-02-12 22:41:09 -07:00 · 2022-02-12 22:41:09 -07:00 · 4c55917561
commit 4c55917561
parent 1a69ead36d
6 changed files with 116 additions and 26 deletions
--- a/import-rockygroups.yml
+++ b/import-rockygroups.yml
@ -0,0 +1,15 @@
+---
+# Creates the first set of groups for the IdM Infrastructure
+- name: "Creating Mandatory Groups"
+  freeipa.ansible_freeipa.ipagroup:
+    ipaadmin_password: "{{ ipaadmin_password }}"
+    name: "{{ item.group }}"
+    description: "{{ item.description }}"
+    nonposix: false
+    user: "{{ item.user | default(none) }}"
+    membermanager_user: "{{ item.managers_users | default(omit) }}"
+    membermanager_group: "{{ item.managers_groups | default(omit) }}"
+  loop: "{{ ipagroups }}"
+  tags:
+    - groups
+...
--- a/import-rockypwpolicy.yml
+++ b/import-rockypwpolicy.yml
@ -0,0 +1,17 @@
+---
+# Creates the first set of groups for the IdM Infrastructure
+- name: "Setting up password policies"
+  freeipa.ansible_freeipa.ipapwpolicy:
+    ipaadmin_password: "{{ ipaadmin_password }}"
+    name: "{{ item.group }}"
+    minlife: "{{ item.minlife | default(0) }}"
+    maxlife: "{{ item.maxlife | default(0) }}"
+    history: "{{ item.history | default(5) }}"
+    priority: "{{ item.priority | default(1) }}"
+    lockouttime: "{{ item.lockout | default(300) }}"
+    minlength: "{{ item.minlength | default(8) }}"
+    maxfile: "{{ item.maxfail | default(5) }}"
+  loop: "{{ ipapwpolicies }}"
+  tags:
+    - groups
+...
--- a/import-rockysudo.yml
+++ b/import-rockysudo.yml
@ -0,0 +1,13 @@
+---
+# Currently only one SUDO role should be created, and that is for the
+# rocky linux admins
+- name: "Creating SUDO Role for Rocky Admins"
+  freeipa.ansible_freeipa.ipasudorule:
+    ipaadmin_password: "{{ ipaadmin_password }}"
+    name: All_RockyAdmins
+    description: Rocky Linux infrastructure and operations sudo access
+    group:
+      - rockyadm
+    hostcat: all
+    cmdcat: all
+...
--- a/import-rockyusers.yml
+++ b/import-rockyusers.yml
@ -0,0 +1,71 @@
+---
+# Creates the first set of users for the IdM Infrastructure. This
+# should create both regular and admin accounts for separation of
+# privilege.
+- name: "Creating Initial Accounts"
+  freeipa.ansible_freeipa.ipauser:
+    ipaadmin_password: "{{ ipaadmin_password }}"
+    name: "{{ item.name }}"
+    first: "{{ item.first }}"
+    last: "{{ item.last }}"
+    email: "{{ item.email|default(omit) }}"
+    password: "{{ item.password }}"
+    title: "{{ item.title }}"
+    loginshell: "{{ item.loginshell }}"
+    update_password: on_create
+  loop: "{{ users }}"
+  tags:
+    - users
+
+- name: "Creating Initial Admin Accounts"
+  freeipa.ansible_freeipa.ipauser:
+    ipaadmin_password: "{{ ipaadmin_password }}"
+    name: "{{ item.name }}"
+    first: "{{ item.first }}"
+    last: "{{ item.last }}"
+    email: "{{ item.email|default(omit) }}"
+    password: "{{ item.password }}"
+    title: "{{ item.title }}"
+    loginshell: "{{ item.loginshell }}"
+    update_password: on_create
+  loop: "{{ adminusers }}"
+  tags:
+    - users
+
+- name: "Creating Service Accounts"
+  freeipa.ansible_freeipa.ipauser:
+    ipaadmin_password: "{{ ipaadmin_password }}"
+    name: "{{ item.name }}"
+    first: "{{ item.first }}"
+    last: "{{ item.last }}"
+    email: "{{ item.email|default(omit) }}"
+    password: "{{ item.password }}"
+    title: "{{ item.title }}"
+    loginshell: "{{ item.loginshell }}"
+    update_password: on_create
+  loop: "{{ svcusers }}"
+  tags:
+    - users
+
+- name: "Creating bind account template - binder"
+  template:
+    src: "tmp/binder.update"
+    dest: "/tmp/binder.update"
+    owner: root
+    group: root
+    mode: '0600'
+  tags:
+    - users
+
+- name: "Adding in the bind account - binder"
+  command: "/usr/sbin/ipa-ldap-updater /tmp/binder.update"
+  register: bind_account
+  changed_when: "bind_account.rc == 0"
+  tags:
+    - users
+
+- name: "Remove template"
+  file:
+    path: "/tmp/binder.update"
+    state: absent
+...
--- a/vars/ipa/adminusers.yml
+++ b/vars/ipa/adminusers.yml
@ -18,18 +18,6 @@ adminusers:
    password: ThisIsNotMyPassword1!
    title: Project Manager
    loginshell: /bin/bash
-  - name: hbjy2
-    first: Hayden
-    last: Young
-    password: ThisIsNotMyPassword1!
-    title: Web & Branding Manager
-    loginshell: /bin/bash
-  - name: jorp2
-    first: Jordan
-    last: Pisaniello
-    password: ThisIsNotMyPassword1!
-    title: Community Manager
-    loginshell: /bin/bash
  - name: neil2
    first: Neil
    last: Hanlon
--- a/vars/ipa/users.yml
+++ b/vars/ipa/users.yml
@ -21,20 +21,6 @@ users:
    password: ThisIsNotMyPassword1!
    title: Project Manager
    loginshell: /bin/bash
-  - name: hbjy
-    first: Hayden
-    last: Young
-    email: hbjy@rockylinux.org
-    password: ThisIsNotMyPassword1!
-    title: Web & Branding Manager
-    loginshell: /bin/bash
-  - name: jorp
-    first: Jordan
-    last: Pisaniello
-    email: jorp@rockylinux.org
-    password: ThisIsNotMyPassword1!
-    title: Community Manager
-    loginshell: /bin/bash
  - name: neil
    first: Neil
    last: Hanlon