use FQCN across the board
This commit is contained in:
parent
4c55917561
commit
b97263aae6
@ -11,7 +11,7 @@
|
|||||||
|
|
||||||
tasks:
|
tasks:
|
||||||
- name: "Check for user variables"
|
- name: "Check for user variables"
|
||||||
assert:
|
ansible.builtin.assert:
|
||||||
that:
|
that:
|
||||||
- ipa_binder_name | mandatory
|
- ipa_binder_name | mandatory
|
||||||
- ipa_binder_password | mandatory
|
- ipa_binder_password | mandatory
|
||||||
@ -19,7 +19,7 @@
|
|||||||
fail_msg: "We are missing user information"
|
fail_msg: "We are missing user information"
|
||||||
|
|
||||||
- name: "Creating bind account template - binder"
|
- name: "Creating bind account template - binder"
|
||||||
template:
|
ansible.builtin.template:
|
||||||
src: "tmp/binder_template.update"
|
src: "tmp/binder_template.update"
|
||||||
dest: "/tmp/binder.update"
|
dest: "/tmp/binder.update"
|
||||||
owner: root
|
owner: root
|
||||||
@ -29,14 +29,14 @@
|
|||||||
- users
|
- users
|
||||||
|
|
||||||
- name: "Adding in the bind account"
|
- name: "Adding in the bind account"
|
||||||
command: "/usr/sbin/ipa-ldap-updater /tmp/binder.update"
|
ansible.builtin.command: "/usr/sbin/ipa-ldap-updater /tmp/binder.update"
|
||||||
register: bind_account
|
register: bind_account
|
||||||
changed_when: "bind_account.rc == 0"
|
changed_when: "bind_account.rc == 0"
|
||||||
tags:
|
tags:
|
||||||
- users
|
- users
|
||||||
|
|
||||||
- name: "Remove template"
|
- name: "Remove template"
|
||||||
file:
|
ansible.builtin.file:
|
||||||
path: "/tmp/binder.update"
|
path: "/tmp/binder.update"
|
||||||
state: absent
|
state: absent
|
||||||
...
|
...
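Review bot: The rendered `/tmp/binder.update` written by the template task (hunk `@ -19`) presumably carries `ipa_binder_password`, since the assert above makes that variable mandatory, yet the visible task sets only `owner: root` and nothing suppresses logging, so a `--diff` or verbose run can print the rendered password and the file sits at a fixed, predictable path in the shared `/tmp` until the updater consumes it. Add `no_log: true` and `mode: '0600'` to the template task (any existing `mode:` line would be at file lines 26-28, outside this hunk), or render to a path from `ansible.builtin.tempfile` instead of a fixed name. `changed_when: "bind_account.rc == 0"` on the `ipa-ldap-updater` task also reports a change on every successful run rather than only when the directory was modified; if the tool's output distinguishes the no-op case, key `changed_when` on that instead. The enclosing play starts before this section's first hunk.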
|
||||||
|
@ -18,7 +18,7 @@
|
|||||||
|
|
||||||
tasks:
|
tasks:
|
||||||
- name: "Checking for user variables"
|
- name: "Checking for user variables"
|
||||||
assert:
|
ansible.builtin.assert:
|
||||||
that:
|
that:
|
||||||
- ipaadmin_password | mandatory
|
- ipaadmin_password | mandatory
|
||||||
- ipa_zone | mandatory
|
- ipa_zone | mandatory
|
||||||
|
@ -10,7 +10,7 @@
|
|||||||
|
|
||||||
tasks:
|
tasks:
|
||||||
- name: "Checking for user variables"
|
- name: "Checking for user variables"
|
||||||
assert:
|
ansible.builtin.assert:
|
||||||
that:
|
that:
|
||||||
- ipa_admin | mandatory
|
- ipa_admin | mandatory
|
||||||
- ipaadmin_password | mandatory
|
- ipaadmin_password | mandatory
|
||||||
|
@ -20,7 +20,7 @@
|
|||||||
|
|
||||||
tasks:
|
tasks:
|
||||||
- name: "Checking for user variables"
|
- name: "Checking for user variables"
|
||||||
assert:
|
ansible.builtin.assert:
|
||||||
that:
|
that:
|
||||||
- ipa_admin | mandatory
|
- ipa_admin | mandatory
|
||||||
- ipaadmin_password | mandatory
|
- ipaadmin_password | mandatory
|
||||||
@ -31,14 +31,14 @@
|
|||||||
fail_msg: "We are missing required information"
|
fail_msg: "We are missing required information"
|
||||||
|
|
||||||
- name: "Check that a keytab doesn't already exist"
|
- name: "Check that a keytab doesn't already exist"
|
||||||
stat:
|
ansible.builtin.stat:
|
||||||
path: "{{ ipa_keytab_fullpath }}"
|
path: "{{ ipa_keytab_fullpath }}"
|
||||||
register: keytab_status
|
register: keytab_status
|
||||||
check_mode: false
|
check_mode: false
|
||||||
changed_when: "1 != 1"
|
changed_when: "1 != 1"
|
||||||
|
|
||||||
- name: "Verify keytab existence"
|
- name: "Verify keytab existence"
|
||||||
assert:
|
ansible.builtin.assert:
|
||||||
that:
|
that:
|
||||||
- "not keytab_status.stat.exists"
|
- "not keytab_status.stat.exists"
|
||||||
success_msg: "Keytab doesn't exist, moving on..."
|
success_msg: "Keytab doesn't exist, moving on..."
|
||||||
@ -70,14 +70,14 @@
|
|||||||
|
|
||||||
- name: "Get kerberos ticket"
|
- name: "Get kerberos ticket"
|
||||||
delegate_to: "{{ ipa_server }}"
|
delegate_to: "{{ ipa_server }}"
|
||||||
shell: "set -o pipefail && echo \"{{ ipaadmin_password }}\" | kinit {{ ipa_admin }}"
|
ansible.builtin.shell: "set -o pipefail && echo \"{{ ipaadmin_password }}\" | kinit {{ ipa_admin }}"
|
||||||
check_mode: false
|
check_mode: false
|
||||||
changed_when: "1 != 1"
|
changed_when: "1 != 1"
|
||||||
when: not keytab_status.stat.exists
|
when: not keytab_status.stat.exists
|
||||||
|
|
||||||
- name: "Attempt to retrieve keytab"
|
- name: "Attempt to retrieve keytab"
|
||||||
delegate_to: "{{ ipa_server }}"
|
delegate_to: "{{ ipa_server }}"
|
||||||
command: "ipa-getkeytab -r -s {{ ipa_server }} -p {{ ipa_service }} -k /tmp/{{ host }}.kt"
|
ansible.builtin.command: "ipa-getkeytab -r -s {{ ipa_server }} -p {{ ipa_service }} -k /tmp/{{ host }}.kt"
|
||||||
register: ret_result
|
register: ret_result
|
||||||
check_mode: false
|
check_mode: false
|
||||||
changed_when: "1 != 1"
|
changed_when: "1 != 1"
|
||||||
@ -85,30 +85,30 @@
|
|||||||
|
|
||||||
- name: "Create keytab if it didn't exist, based on the last task"
|
- name: "Create keytab if it didn't exist, based on the last task"
|
||||||
delegate_to: "{{ ipa_server }}"
|
delegate_to: "{{ ipa_server }}"
|
||||||
command: "ipa-getkeytab -s {{ ipa_server }} -p {{ ipa_service }} -k /tmp/{{ host }}.kt"
|
ansible.builtin.command: "ipa-getkeytab -s {{ ipa_server }} -p {{ ipa_service }} -k /tmp/{{ host }}.kt"
|
||||||
when: "'krbPrincipalKey not found' in ret_result.stderr"
|
when: "'krbPrincipalKey not found' in ret_result.stderr"
|
||||||
|
|
||||||
- name: "Destroy admin ticket"
|
- name: "Destroy admin ticket"
|
||||||
delegate_to: "{{ ipa_server }}"
|
delegate_to: "{{ ipa_server }}"
|
||||||
command: "kdestroy -A"
|
ansible.builtin.command: "kdestroy -A"
|
||||||
register: kdestroy_result
|
register: kdestroy_result
|
||||||
changed_when: "kdestroy_result.rc == 0"
|
changed_when: "kdestroy_result.rc == 0"
|
||||||
|
|
||||||
- name: "Put the keytab into a register"
|
- name: "Put the keytab into a register"
|
||||||
delegate_to: "{{ ipa_server }}"
|
delegate_to: "{{ ipa_server }}"
|
||||||
command: "base64 /tmp/{{ host }}.kt"
|
ansible.builtin.command: "base64 /tmp/{{ host }}.kt"
|
||||||
register: keytab
|
register: keytab
|
||||||
check_mode: false
|
check_mode: false
|
||||||
changed_when: "keytab.rc == 0"
|
changed_when: "keytab.rc == 0"
|
||||||
|
|
||||||
- name: "Destroy local keytab"
|
- name: "Destroy local keytab"
|
||||||
delegate_to: "{{ ipa_server }}"
|
delegate_to: "{{ ipa_server }}"
|
||||||
file:
|
ansible.builtin.file:
|
||||||
path: "/tmp/{{ host }}.kt"
|
path: "/tmp/{{ host }}.kt"
|
||||||
state: absent
|
state: absent
|
||||||
|
|
||||||
- name: "Deploy keytab to {{ host }} from register"
|
- name: "Deploy keytab to {{ host }} from register"
|
||||||
copy:
|
ansible.builtin.copy:
|
||||||
dest: "{{ ipa_keytab_fullpath }}.b64"
|
dest: "{{ ipa_keytab_fullpath }}.b64"
|
||||||
content: "{{ keytab.stdout }}"
|
content: "{{ keytab.stdout }}"
|
||||||
owner: "{{ ipa_owner|default('root') }}"
|
owner: "{{ ipa_owner|default('root') }}"
|
||||||
@ -116,16 +116,16 @@
|
|||||||
mode: '0600'
|
mode: '0600'
|
||||||
|
|
||||||
- name: "Decode keytab"
|
- name: "Decode keytab"
|
||||||
shell: "umask 077 && base64 -d {{ ipa_keytab_fullpath }}.b64 > {{ ipa_keytab_fullpath }}"
|
ansible.builtin.shell: "umask 077 && base64 -d {{ ipa_keytab_fullpath }}.b64 > {{ ipa_keytab_fullpath }}"
|
||||||
changed_when: "1 != 1"
|
changed_when: "1 != 1"
|
||||||
|
|
||||||
- name: "Destroy encoded keytab"
|
- name: "Destroy encoded keytab"
|
||||||
file:
|
ansible.builtin.file:
|
||||||
path: "{{ ipa_keytab_fullpath }}.b64"
|
path: "{{ ipa_keytab_fullpath }}.b64"
|
||||||
state: absent
|
state: absent
|
||||||
|
|
||||||
- name: "Set ownership if applicable, otherwise it's root owned"
|
- name: "Set ownership if applicable, otherwise it's root owned"
|
||||||
file:
|
ansible.builtin.file:
|
||||||
path: "{{ ipa_keytab_fullpath }}"
|
path: "{{ ipa_keytab_fullpath }}"
|
||||||
owner: "{{ ipa_owner|default('root') }}"
|
owner: "{{ ipa_owner|default('root') }}"
|
||||||
group: "{{ ipa_owner|default('root') }}"
|
group: "{{ ipa_owner|default('root') }}"
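Review bot: The `Get kerberos ticket` task (hunk `@ -70`) feeds `ipaadmin_password` to `kinit` through `echo` inside a shell string, so the secret is part of the `sh -c` argument visible in the process list on `{{ ipa_server }}` and is repeated in the task's command in verbose or callback output, because no `no_log` is set; `ipa_admin` is interpolated unquoted into the same shell line. Pass the password on stdin via `ansible.builtin.command` with `stdin:` and mark the task `no_log: true`, as below. The later `base64 /tmp/{{ host }}.kt` register and the `copy` task built from `keytab.stdout` (hunk `@ -85`) expose the keytab bytes the same way and should also carry `no_log: true`. The rest of the play's tasks lie outside this section.
```yaml
- name: "Get kerberos ticket"
  delegate_to: "{{ ipa_server }}"
  ansible.builtin.command: "kinit {{ ipa_admin | quote }}"
  args:
    stdin: "{{ ipaadmin_password }}"
  no_log: true
  check_mode: false
  changed_when: false
  when: not keytab_status.stat.exists
```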
|
||||||
|
@ -14,7 +14,7 @@
|
|||||||
|
|
||||||
tasks:
|
tasks:
|
||||||
- name: "Checking for user variables"
|
- name: "Checking for user variables"
|
||||||
assert:
|
ansible.builtin.assert:
|
||||||
that:
|
that:
|
||||||
- ipa_admin | mandatory
|
- ipa_admin | mandatory
|
||||||
- ipaadmin_password | mandatory
|
- ipaadmin_password | mandatory
|
||||||
|
@ -9,7 +9,7 @@
|
|||||||
|
|
||||||
tasks:
|
tasks:
|
||||||
- name: "Checking for user variables"
|
- name: "Checking for user variables"
|
||||||
assert:
|
ansible.builtin.assert:
|
||||||
that:
|
that:
|
||||||
- ipa_admin | mandatory
|
- ipa_admin | mandatory
|
||||||
- ipaadmin_password | mandatory
|
- ipaadmin_password | mandatory
|
||||||
|
@ -13,7 +13,7 @@
|
|||||||
|
|
||||||
tasks:
|
tasks:
|
||||||
- name: "Checking for user variables"
|
- name: "Checking for user variables"
|
||||||
assert:
|
ansible.builtin.assert:
|
||||||
that:
|
that:
|
||||||
- ipa_admin | mandatory
|
- ipa_admin | mandatory
|
||||||
- ipaadmin_password | mandatory
|
- ipaadmin_password | mandatory
|
||||||
|
@ -9,7 +9,7 @@
|
|||||||
|
|
||||||
tasks:
|
tasks:
|
||||||
- name: "Checking for user variables"
|
- name: "Checking for user variables"
|
||||||
assert:
|
ansible.builtin.assert:
|
||||||
that:
|
that:
|
||||||
- ipa_admin | mandatory
|
- ipa_admin | mandatory
|
||||||
- ipaadmin_password | mandatory
|
- ipaadmin_password | mandatory
|
||||||
|
@ -9,7 +9,7 @@
|
|||||||
|
|
||||||
tasks:
|
tasks:
|
||||||
- name: "Checking for user variables"
|
- name: "Checking for user variables"
|
||||||
assert:
|
ansible.builtin.assert:
|
||||||
that:
|
that:
|
||||||
- ipa_admin | mandatory
|
- ipa_admin | mandatory
|
||||||
- ipaadmin_password | mandatory
|
- ipaadmin_password | mandatory
|
||||||
|
@ -9,7 +9,7 @@
|
|||||||
|
|
||||||
tasks:
|
tasks:
|
||||||
- name: "Checking for user variables"
|
- name: "Checking for user variables"
|
||||||
assert:
|
ansible.builtin.assert:
|
||||||
that:
|
that:
|
||||||
- ipa_admin | mandatory
|
- ipa_admin | mandatory
|
||||||
- ipaadmin_password | mandatory
|
- ipaadmin_password | mandatory
|
||||||
|
@ -2,3 +2,6 @@
|
|||||||
# Collections
|
# Collections
|
||||||
collections:
|
collections:
|
||||||
- name: freeipa.ansible_freeipa
|
- name: freeipa.ansible_freeipa
|
||||||
|
- name: community.general
|
||||||
|
- name: ansible.posix
|
||||||
|
...
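Review bot: The two collections added here (`community.general`, `ansible.posix`) carry no `version:` key, so every fresh `ansible-galaxy collection install -r` resolves to whatever Galaxy serves at that moment, and modules now referenced by FQCN elsewhere in this commit (such as `community.general.ini_file`) can change behaviour on the IPA hosts without any change to this repository. Pin each entry to the release you tested against with a `version:` line (an exact version or a bounded range), and treat the pre-existing `freeipa.ansible_freeipa` entry the same way if it is not pinned elsewhere. The hunk shows the whole `collections:` list; any `roles:` section of this file is outside it.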
|
||||||
|
@ -48,7 +48,7 @@
|
|||||||
- users
|
- users
|
||||||
|
|
||||||
- name: "Creating bind account template - binder"
|
- name: "Creating bind account template - binder"
|
||||||
template:
|
ansible.builtin.template:
|
||||||
src: "tmp/binder.update"
|
src: "tmp/binder.update"
|
||||||
dest: "/tmp/binder.update"
|
dest: "/tmp/binder.update"
|
||||||
owner: root
|
owner: root
|
||||||
@ -58,14 +58,14 @@
|
|||||||
- users
|
- users
|
||||||
|
|
||||||
- name: "Adding in the bind account - binder"
|
- name: "Adding in the bind account - binder"
|
||||||
command: "/usr/sbin/ipa-ldap-updater /tmp/binder.update"
|
ansible.builtin.command: "/usr/sbin/ipa-ldap-updater /tmp/binder.update"
|
||||||
register: bind_account
|
register: bind_account
|
||||||
changed_when: "bind_account.rc == 0"
|
changed_when: "bind_account.rc == 0"
|
||||||
tags:
|
tags:
|
||||||
- users
|
- users
|
||||||
|
|
||||||
- name: "Remove template"
|
- name: "Remove template"
|
||||||
file:
|
ansible.builtin.file:
|
||||||
path: "/tmp/binder.update"
|
path: "/tmp/binder.update"
|
||||||
state: absent
|
state: absent
|
||||||
...
|
...
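Review bot: If `/usr/sbin/ipa-ldap-updater` fails (hunk `@ -58`), the play stops before the `Remove template` task, leaving the rendered `/tmp/binder.update`, which presumably holds the binder password given the template name and the variables this play requires, on the IPA server. Wrap the template, updater and removal tasks in a `block:` with the `ansible.builtin.file` removal under `always:` so the file is cleaned up on either outcome, and add `no_log: true` to the template task so `--diff` runs do not print its rendered contents. `changed_when: "bind_account.rc == 0"` likewise reports a change on every successful run; base it on the updater's output if that distinguishes a no-op. The play begins before this section's first hunk.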
|
||||||
|
@ -10,7 +10,7 @@
|
|||||||
|
|
||||||
tasks:
|
tasks:
|
||||||
- name: "Checking for user variables"
|
- name: "Checking for user variables"
|
||||||
assert:
|
ansible.builtin.assert:
|
||||||
that:
|
that:
|
||||||
- ipaadmin_password | mandatory
|
- ipaadmin_password | mandatory
|
||||||
success_msg: "Required variables provided"
|
success_msg: "Required variables provided"
|
||||||
|
@ -13,7 +13,7 @@
|
|||||||
|
|
||||||
tasks:
|
tasks:
|
||||||
- name: "Checking for user variables"
|
- name: "Checking for user variables"
|
||||||
assert:
|
ansible.builtin.assert:
|
||||||
that:
|
that:
|
||||||
- ipaadmin_password | mandatory
|
- ipaadmin_password | mandatory
|
||||||
- users | mandatory
|
- users | mandatory
|
||||||
|
@ -9,12 +9,12 @@
|
|||||||
|
|
||||||
pre_tasks:
|
pre_tasks:
|
||||||
- name: Check if ansible cannot be run here
|
- name: Check if ansible cannot be run here
|
||||||
stat:
|
ansible.builtin.stat:
|
||||||
path: /etc/no-ansible
|
path: /etc/no-ansible
|
||||||
register: no_ansible
|
register: no_ansible
|
||||||
|
|
||||||
- name: Verify if we can run ansible
|
- name: Verify if we can run ansible
|
||||||
assert:
|
ansible.builtin.assert:
|
||||||
that:
|
that:
|
||||||
- "not no_ansible.stat.exists"
|
- "not no_ansible.stat.exists"
|
||||||
success_msg: "We are able to run on this node"
|
success_msg: "We are able to run on this node"
|
||||||
@ -32,7 +32,7 @@
|
|||||||
|
|
||||||
post_tasks:
|
post_tasks:
|
||||||
- name: Touching run file that ansible has ran here
|
- name: Touching run file that ansible has ran here
|
||||||
file:
|
ansible.builtin.file:
|
||||||
path: /var/log/ansible.run
|
path: /var/log/ansible.run
|
||||||
state: touch
|
state: touch
|
||||||
mode: '0644'
|
mode: '0644'
|
||||||
|
@ -11,19 +11,19 @@
|
|||||||
|
|
||||||
pre_tasks:
|
pre_tasks:
|
||||||
- name: Check if ansible cannot be run here
|
- name: Check if ansible cannot be run here
|
||||||
stat:
|
ansible.builtin.stat:
|
||||||
path: /etc/no-ansible
|
path: /etc/no-ansible
|
||||||
register: no_ansible
|
register: no_ansible
|
||||||
|
|
||||||
- name: Verify if we can run ansible
|
- name: Verify if we can run ansible
|
||||||
assert:
|
ansible.builtin.assert:
|
||||||
that:
|
that:
|
||||||
- "not no_ansible.stat.exists"
|
- "not no_ansible.stat.exists"
|
||||||
success_msg: "We are able to run on this node"
|
success_msg: "We are able to run on this node"
|
||||||
fail_msg: "/etc/no-ansible exists - skipping run on this node"
|
fail_msg: "/etc/no-ansible exists - skipping run on this node"
|
||||||
|
|
||||||
- name: Ensure 'dns=none' is set for Network Manager
|
- name: Ensure 'dns=none' is set for Network Manager
|
||||||
ini_file:
|
community.general.ini_file:
|
||||||
path: /etc/NetworkManager/NetworkManager.conf
|
path: /etc/NetworkManager/NetworkManager.conf
|
||||||
state: present
|
state: present
|
||||||
no_extra_spaces: true
|
no_extra_spaces: true
|
||||||
@ -43,7 +43,7 @@
|
|||||||
|
|
||||||
post_tasks:
|
post_tasks:
|
||||||
- name: Touching run file that ansible has ran here
|
- name: Touching run file that ansible has ran here
|
||||||
file:
|
ansible.builtin.file:
|
||||||
path: /var/log/ansible.run
|
path: /var/log/ansible.run
|
||||||
state: touch
|
state: touch
|
||||||
mode: '0644'
|
mode: '0644'
|
||||||
|
@ -16,19 +16,19 @@
|
|||||||
|
|
||||||
pre_tasks:
|
pre_tasks:
|
||||||
- name: Check if ansible cannot be run here
|
- name: Check if ansible cannot be run here
|
||||||
stat:
|
ansible.builtin.stat:
|
||||||
path: /etc/no-ansible
|
path: /etc/no-ansible
|
||||||
register: no_ansible
|
register: no_ansible
|
||||||
|
|
||||||
- name: Verify if we can run ansible
|
- name: Verify if we can run ansible
|
||||||
assert:
|
ansible.builtin.assert:
|
||||||
that:
|
that:
|
||||||
- "not no_ansible.stat.exists"
|
- "not no_ansible.stat.exists"
|
||||||
success_msg: "We are able to run on this node"
|
success_msg: "We are able to run on this node"
|
||||||
fail_msg: "/etc/no-ansible exists - skipping run on this node"
|
fail_msg: "/etc/no-ansible exists - skipping run on this node"
|
||||||
|
|
||||||
- name: Ensure 'dns=none' is set for Network Manager to avoid change
|
- name: Ensure 'dns=none' is set for Network Manager to avoid change
|
||||||
ini_file:
|
community.general.ini_file:
|
||||||
path: /etc/NetworkManager/NetworkManager.conf
|
path: /etc/NetworkManager/NetworkManager.conf
|
||||||
state: present
|
state: present
|
||||||
no_extra_spaces: true
|
no_extra_spaces: true
|
||||||
@ -48,7 +48,7 @@
|
|||||||
|
|
||||||
post_tasks:
|
post_tasks:
|
||||||
- name: Touching run file that ansible has ran here
|
- name: Touching run file that ansible has ran here
|
||||||
file:
|
ansible.builtin.file:
|
||||||
path: /var/log/ansible.run
|
path: /var/log/ansible.run
|
||||||
state: touch
|
state: touch
|
||||||
mode: '0644'
|
mode: '0644'
|
||||||
|
@ -4,3 +4,4 @@ roles:
|
|||||||
- name: rockylinux.ipagetcert
|
- name: rockylinux.ipagetcert
|
||||||
src: https://github.com/rocky-linux/ansible-role-ipa-getcert
|
src: https://github.com/rocky-linux/ansible-role-ipa-getcert
|
||||||
version: main
|
version: main
|
||||||
|
...
|
||||||
|