use FQCN across the board

This commit is contained in:
nazunalika 2022-03-27 18:54:24 -07:00
parent 4c55917561
commit b97263aae6
Signed by: label
GPG Key ID: 6735C0E1BD65D048
18 changed files with 45 additions and 41 deletions


@ -11,7 +11,7 @@
tasks:
- name: "Check for user variables"
assert:
ansible.builtin.assert:
that:
- ipa_binder_name | mandatory
- ipa_binder_password | mandatory
@ -19,7 +19,7 @@
fail_msg: "We are missing user information"
- name: "Creating bind account template - binder"
template:
ansible.builtin.template:
src: "tmp/binder_template.update"
dest: "/tmp/binder.update"
owner: root
@ -29,14 +29,14 @@
- users
- name: "Adding in the bind account"
command: "/usr/sbin/ipa-ldap-updater /tmp/binder.update"
ansible.builtin.command: "/usr/sbin/ipa-ldap-updater /tmp/binder.update"
register: bind_account
changed_when: "bind_account.rc == 0"
tags:
- users
- name: "Remove template"
file:
ansible.builtin.file:
path: "/tmp/binder.update"
state: absent
...


@ -18,7 +18,7 @@
tasks:
- name: "Checking for user variables"
assert:
ansible.builtin.assert:
that:
- ipaadmin_password | mandatory
- ipa_zone | mandatory


@ -10,7 +10,7 @@
tasks:
- name: "Checking for user variables"
assert:
ansible.builtin.assert:
that:
- ipa_admin | mandatory
- ipaadmin_password | mandatory


@ -20,7 +20,7 @@
tasks:
- name: "Checking for user variables"
assert:
ansible.builtin.assert:
that:
- ipa_admin | mandatory
- ipaadmin_password | mandatory
@ -31,14 +31,14 @@
fail_msg: "We are missing required information"
- name: "Check that a keytab doesn't already exist"
stat:
ansible.builtin.stat:
path: "{{ ipa_keytab_fullpath }}"
register: keytab_status
check_mode: false
changed_when: "1 != 1"
- name: "Verify keytab existence"
assert:
ansible.builtin.assert:
that:
- "not keytab_status.stat.exists"
success_msg: "Keytab doesn't exist, moving on..."
@ -70,14 +70,14 @@
- name: "Get kerberos ticket"
delegate_to: "{{ ipa_server }}"
shell: "set -o pipefail && echo \"{{ ipaadmin_password }}\" | kinit {{ ipa_admin }}"
ansible.builtin.shell: "set -o pipefail && echo \"{{ ipaadmin_password }}\" | kinit {{ ipa_admin }}"
check_mode: false
changed_when: "1 != 1"
when: not keytab_status.stat.exists
- name: "Attempt to retrieve keytab"
delegate_to: "{{ ipa_server }}"
command: "ipa-getkeytab -r -s {{ ipa_server }} -p {{ ipa_service }} -k /tmp/{{ host }}.kt"
ansible.builtin.command: "ipa-getkeytab -r -s {{ ipa_server }} -p {{ ipa_service }} -k /tmp/{{ host }}.kt"
register: ret_result
check_mode: false
changed_when: "1 != 1"
@ -85,30 +85,30 @@
- name: "Create keytab if it didn't exist, based on the last task"
delegate_to: "{{ ipa_server }}"
command: "ipa-getkeytab -s {{ ipa_server }} -p {{ ipa_service }} -k /tmp/{{ host }}.kt"
ansible.builtin.command: "ipa-getkeytab -s {{ ipa_server }} -p {{ ipa_service }} -k /tmp/{{ host }}.kt"
when: "'krbPrincipalKey not found' in ret_result.stderr"
- name: "Destroy admin ticket"
delegate_to: "{{ ipa_server }}"
command: "kdestroy -A"
ansible.builtin.command: "kdestroy -A"
register: kdestroy_result
changed_when: "kdestroy_result.rc == 0"
- name: "Put the keytab into a register"
delegate_to: "{{ ipa_server }}"
command: "base64 /tmp/{{ host }}.kt"
ansible.builtin.command: "base64 /tmp/{{ host }}.kt"
register: keytab
check_mode: false
changed_when: "keytab.rc == 0"
- name: "Destroy local keytab"
delegate_to: "{{ ipa_server }}"
file:
ansible.builtin.file:
path: "/tmp/{{ host }}.kt"
state: absent
- name: "Deploy keytab to {{ host }} from register"
copy:
ansible.builtin.copy:
dest: "{{ ipa_keytab_fullpath }}.b64"
content: "{{ keytab.stdout }}"
owner: "{{ ipa_owner|default('root') }}"
@ -116,16 +116,16 @@
mode: '0600'
- name: "Decode keytab"
shell: "umask 077 && base64 -d {{ ipa_keytab_fullpath }}.b64 > {{ ipa_keytab_fullpath }}"
ansible.builtin.shell: "umask 077 && base64 -d {{ ipa_keytab_fullpath }}.b64 > {{ ipa_keytab_fullpath }}"
changed_when: "1 != 1"
- name: "Destroy encoded keytab"
file:
ansible.builtin.file:
path: "{{ ipa_keytab_fullpath }}.b64"
state: absent
- name: "Set ownership if applicable, otherwise it's root owned"
file:
ansible.builtin.file:
path: "{{ ipa_keytab_fullpath }}"
owner: "{{ ipa_owner|default('root') }}"
group: "{{ ipa_owner|default('root') }}"
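Review bot: The kinit task's new line `ansible.builtin.shell: "set -o pipefail && echo \"{{ ipaadmin_password }}\" | kinit {{ ipa_admin }}"` interpolates the admin password into the command string, and the task carries no `no_log: true`, so the rendered command (password included) is printed on failure and in verbose runs and lands in any configured Ansible log file. The same applies to the copy task whose `content: "{{ keytab.stdout }}"` carries the base64 keytab, which shows up in diff output and result dumps; adding `no_log: true` to both tasks keeps the secret material out of playbook output. The password is also visible in the shell process's argument list for the duration of the call — a property of the original code that this commit only renames, but worth a follow-up. As a point of style, `changed_when: "1 != 1"` on these tasks is an obscure way to write `changed_when: false`. The enclosing play starts and continues outside the visible hunks.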


@ -14,7 +14,7 @@
tasks:
- name: "Checking for user variables"
assert:
ansible.builtin.assert:
that:
- ipa_admin | mandatory
- ipaadmin_password | mandatory


@ -9,7 +9,7 @@
tasks:
- name: "Checking for user variables"
assert:
ansible.builtin.assert:
that:
- ipa_admin | mandatory
- ipaadmin_password | mandatory


@ -13,7 +13,7 @@
tasks:
- name: "Checking for user variables"
assert:
ansible.builtin.assert:
that:
- ipa_admin | mandatory
- ipaadmin_password | mandatory


@ -9,7 +9,7 @@
tasks:
- name: "Checking for user variables"
assert:
ansible.builtin.assert:
that:
- ipa_admin | mandatory
- ipaadmin_password | mandatory


@ -9,7 +9,7 @@
tasks:
- name: "Checking for user variables"
assert:
ansible.builtin.assert:
that:
- ipa_admin | mandatory
- ipaadmin_password | mandatory


@ -9,7 +9,7 @@
tasks:
- name: "Checking for user variables"
assert:
ansible.builtin.assert:
that:
- ipa_admin | mandatory
- ipaadmin_password | mandatory


@ -2,3 +2,6 @@
# Collections
collections:
- name: freeipa.ansible_freeipa
- name: community.general
- name: ansible.posix
...
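Review bot: The two collections added here, `- name: community.general` and `- name: ansible.posix`, carry no `version:`, so an `ansible-galaxy collection install -r` on a fresh host resolves to whatever is current on Galaxy at that moment, and the behaviour of modules this commit now addresses by FQCN (`community.general.ini_file` in the site playbooks) can drift between installs without any change in this repository. Pinning each entry, e.g. `version: "<pinned collection version>"`, makes installs reproducible and turns upgrades into reviewable diffs. The existing `freeipa.ansible_freeipa` line appears to have the same gap, which seems to predate this commit.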


@ -48,7 +48,7 @@
- users
- name: "Creating bind account template - binder"
template:
ansible.builtin.template:
src: "tmp/binder.update"
dest: "/tmp/binder.update"
owner: root
@ -58,14 +58,14 @@
- users
- name: "Adding in the bind account - binder"
command: "/usr/sbin/ipa-ldap-updater /tmp/binder.update"
ansible.builtin.command: "/usr/sbin/ipa-ldap-updater /tmp/binder.update"
register: bind_account
changed_when: "bind_account.rc == 0"
tags:
- users
- name: "Remove template"
file:
ansible.builtin.file:
path: "/tmp/binder.update"
state: absent
...


@ -10,7 +10,7 @@
tasks:
- name: "Checking for user variables"
assert:
ansible.builtin.assert:
that:
- ipaadmin_password | mandatory
success_msg: "Required variables provided"


@ -13,7 +13,7 @@
tasks:
- name: "Checking for user variables"
assert:
ansible.builtin.assert:
that:
- ipaadmin_password | mandatory
- users | mandatory


@ -9,12 +9,12 @@
pre_tasks:
- name: Check if ansible cannot be run here
stat:
ansible.builtin.stat:
path: /etc/no-ansible
register: no_ansible
- name: Verify if we can run ansible
assert:
ansible.builtin.assert:
that:
- "not no_ansible.stat.exists"
success_msg: "We are able to run on this node"
@ -32,7 +32,7 @@
post_tasks:
- name: Touching run file that ansible has ran here
file:
ansible.builtin.file:
path: /var/log/ansible.run
state: touch
mode: '0644'


@ -11,19 +11,19 @@
pre_tasks:
- name: Check if ansible cannot be run here
stat:
ansible.builtin.stat:
path: /etc/no-ansible
register: no_ansible
- name: Verify if we can run ansible
assert:
ansible.builtin.assert:
that:
- "not no_ansible.stat.exists"
success_msg: "We are able to run on this node"
fail_msg: "/etc/no-ansible exists - skipping run on this node"
- name: Ensure 'dns=none' is set for Network Manager
ini_file:
community.general.ini_file:
path: /etc/NetworkManager/NetworkManager.conf
state: present
no_extra_spaces: true
@ -43,7 +43,7 @@
post_tasks:
- name: Touching run file that ansible has ran here
file:
ansible.builtin.file:
path: /var/log/ansible.run
state: touch
mode: '0644'


@ -16,19 +16,19 @@
pre_tasks:
- name: Check if ansible cannot be run here
stat:
ansible.builtin.stat:
path: /etc/no-ansible
register: no_ansible
- name: Verify if we can run ansible
assert:
ansible.builtin.assert:
that:
- "not no_ansible.stat.exists"
success_msg: "We are able to run on this node"
fail_msg: "/etc/no-ansible exists - skipping run on this node"
- name: Ensure 'dns=none' is set for Network Manager to avoid change
ini_file:
community.general.ini_file:
path: /etc/NetworkManager/NetworkManager.conf
state: present
no_extra_spaces: true
@ -48,7 +48,7 @@
post_tasks:
- name: Touching run file that ansible has ran here
file:
ansible.builtin.file:
path: /var/log/ansible.run
state: touch
mode: '0644'


@ -4,3 +4,4 @@ roles:
- name: rockylinux.ipagetcert
src: https://github.com/rocky-linux/ansible-role-ipa-getcert
version: main
...
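Review bot: The added `version: main` for the `rockylinux.ipagetcert` role pins a moving branch rather than an immutable ref, so each `ansible-galaxy role install -r` fetches whatever that branch holds at the time, and an unreviewed push to the upstream repository changes the tasks these playbooks run. Pinning to a release tag or a full commit hash, e.g. `version: "<tag or commit of the role>"`, makes the install reproducible and lets role upgrades be reviewed as explicit diffs here. The rest of the roles list is outside the hunk.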