diff --git a/adhoc-ipabinder.yml b/adhoc-ipabinder.yml index daeca57..7a6a10c 100644 --- a/adhoc-ipabinder.yml +++ b/adhoc-ipabinder.yml @@ -6,7 +6,7 @@ # -> ipa_binder_password: Bind account password - name: Create binder account - hosts: ipaserver + hosts: all become: true tasks: @@ -20,7 +20,7 @@ - name: "Creating bind account template - binder" template: - src: "tmp/binder.update.j2" + src: "tmp/binder_template.update" dest: "/tmp/binder.update" owner: root group: root @@ -39,3 +39,4 @@ file: path: "/tmp/binder.update" state: absent +... diff --git a/adhoc-ipadnsrecord.yml b/adhoc-ipadnsrecord.yml index a4fc216..85cbcde 100644 --- a/adhoc-ipadnsrecord.yml +++ b/adhoc-ipadnsrecord.yml @@ -10,12 +10,13 @@ # -> ipa_name_type: Type of record (eg, CNAME, A, AAAA, PTR) # -> ipa_name_value: Record value (depends on type of record) # -> ipa_presence: present or absent -# NOTE: For usage in AWX, select an IPA server - name: Create a DNS Record hosts: all become: false gather_facts: false + vars_files: + - vars/vaults/hostman.yml tasks: - name: "Checking for user variables" @@ -54,3 +55,4 @@ managedby: - "{{ ipa_name_value[:-1] }}" ignore_errors: true +... diff --git a/adhoc-ipadnszone.yml b/adhoc-ipadnszone.yml index ae81435..b66d655 100644 --- a/adhoc-ipadnszone.yml +++ b/adhoc-ipadnszone.yml @@ -2,12 +2,13 @@ # This playbook is meant to be used with callable variables, like adhoc or AWX. # What: Creates dns zones in the idm infrastructure based on the variables # provided. -# NOTE: For usage in AWX, select an IPA server - name: Create a DNS Zone hosts: all become: false gather_facts: false + vars_files: + - vars/vaults/hostman.yml tasks: - name: "Checking for user variables" @@ -26,3 +27,4 @@ name: "{{ ipa_zone }}" tags: - dns +... diff --git a/adhoc-ipagetcert.yml b/adhoc-ipagetcert.yml index 9a67d35..417d671 100644 --- a/adhoc-ipagetcert.yml +++ b/adhoc-ipagetcert.yml 
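Review bot: Changing `hosts: ipaserver` to `hosts: all` while keeping `become: true` means the binder-account tasks run, as root, on every inventory host unless the invocation is limited; nothing in the play itself enforces the single-IPA-server target. If an external `--limit` / AWX limit is the intended control, record that next to the change, e.g. `hosts: all  # restrict with --limit (or an AWX limit) to one IPA server`, otherwise keep a dedicated group such as the previous `ipaserver`. The same `ipaserver` → `all` change appears in the adhoc-ipagroup.yml and adhoc-ipaservice.yml hunks, where the play additionally loads a vault through `vars_files`, so whatever credentials that vault holds are now delivered to every targeted host.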
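Review bot: The renamed template source drops the `.j2` suffix; the `template` module still renders the file as Jinja2, so this works, but the suffix is the conventional signal that the file is a template with values substituted into it (presumably `ipa_binder_password` from the header) — consider keeping `.j2` or noting it on the `src` line. The rendered file is written to `/tmp/binder.update` with only `owner`/`group` visible in the hunk; if no `mode:` follows below, add `mode: "0600"` so a file that may carry the bind password is not world-readable between creation and the later `state: absent` cleanup. The template task continues outside the hunk.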
@@ -9,8 +9,8 @@ # -> getcert_postcmd: command to run after a certificate renews # -> getcert_chain: true/false, should cert and key be chained together # -> getcert_chain_location: location for the chain +# -> getcert_service: service name (eg HTTP, host), defaults to host # TODO: Add CNAME/SAN support -# NOTE: For usage in AWX, select an appropriate server - name: Request and sign an IPA Certificate hosts: all @@ -24,6 +24,7 @@ nss_db_dir: "{{ getcert_nss_db_dir|default('/etc/pki/tls/db') }}" nss_nickname: "{{ getcert_nss_nickname|default(ansible_fqdn) }}" postcmd: "{{ getcert_postcmd|default(false) }}" + service: "{{ getcert_service|default('host') }}" ipa_getcert_chain: "{{ getcert_chain|default(false) }}" ipa_getcert_chain_location: "{{ getcert_chain_location|default('/etc/pki/tls/chain') }}" ipa_getcert_nss: "{{ getcert_nss|default(false) }}" @@ -31,3 +32,4 @@ roles: - role: rockylinux.ipagetcert state: present +... diff --git a/adhoc-ipagetkeytab.yml b/adhoc-ipagetkeytab.yml index 02a1a03..850b37d 100644 --- a/adhoc-ipagetkeytab.yml +++ b/adhoc-ipagetkeytab.yml @@ -4,7 +4,7 @@ # extended security posture # What: Pulls keytabs for a kerberos service # What is expected: -# -> host: The host in the inventory, this MUST be FQDN. +# -> host: The host in the inventory # -> ipa_service: using this format: SVC/hostname.rockylinux.org@ROCKYLINUX.ORG # Note: This service MUST exist # -> ipa_keytab_fullpath: The full path to the keytab. Example: /etc/gitlab/gitlab.keytab @@ -12,12 +12,13 @@ # -> ipa_owner: If applicable, the local account that can read this keytab (eg apache) # -> ipa_admin: The admin user that has kerberos management capabilities (default is admin) # -> ipaadmin_password: This should be the password of the admin user -# NOTE: For usage in AWX, select an appropriate host - name: Pull keytab from IPA hosts: all become: true gather_facts: false + vars_files: + - vars/vaults/kerbman.yml tasks: - name: "Checking for user variables" 
@@ -134,3 +135,4 @@ state: file tags: - keytab +... diff --git a/adhoc-ipagroup.yml b/adhoc-ipagroup.yml index daa0fe6..a0533e2 100644 --- a/adhoc-ipagroup.yml +++ b/adhoc-ipagroup.yml @@ -6,9 +6,11 @@ # set to true. - name: Create our initial users - hosts: ipaserver + hosts: all become: false gather_facts: false + vars_files: + - vars/vaults/userman.yml tasks: - name: "Checking for user variables" @@ -45,3 +47,4 @@ check_mode: false changed_when: "1 != 1" when: ipa_fas +... diff --git a/adhoc-ipaservice.yml b/adhoc-ipaservice.yml index ab46f60..7f9fbff 100644 --- a/adhoc-ipaservice.yml +++ b/adhoc-ipaservice.yml @@ -3,9 +3,11 @@ # What: Creates kerberos services in the idm infrastructure based on the variables provided - name: Create Services - hosts: ipaserver + hosts: all become: false gather_facts: false + vars_files: + - vars/vaults/kerbman.yml tasks: - name: "Checking for user variables" @@ -26,3 +28,4 @@ force: "{{ ipa_force | default(false) }}" tags: - services +... diff --git a/adhoc-ipauser-disable-pdr.yml b/adhoc-ipauser-disable-pdr.yml index 88e1a36..991f6d9 100644 --- a/adhoc-ipauser-disable-pdr.yml +++ b/adhoc-ipauser-disable-pdr.yml @@ -10,6 +10,8 @@ hosts: all become: false gather_facts: false + vars_files: + - vars/vaults/userman.yml tasks: - name: "Checking for user variables" @@ -18,6 +20,7 @@ - ipa_admin | mandatory - ipaadmin_password | mandatory - ipa_name | mandatory + - ticket_id | mandatory success_msg: "Required variables provided" fail_msg: "We are missing user information or ipa admin password" @@ -31,7 +34,7 @@ - users - name: "Remove personal information attributes" - community.general.ldap_attr: + community.general.ldap_attrs: dn: "uid={{ ipa_name }},cn=users,cn=accounts,dc=rockylinux,dc=org" name: "{{ item }}" values: [] @@ -45,7 +48,6 @@ - fasGitLabUsername - fasIRCNick - fasRHBZEmail - - fasStatusNote - fasWebsiteURL - fasgpgkeyid - fasLocale 
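Review bot: The new `ticket_id | mandatory` assertion is not reflected in the `fail_msg` two lines below, which still reads `We are missing user information or ipa admin password`, so a run that lacks only the ticket id reports a misleading cause; update it, e.g. `fail_msg: "We are missing user information, the ticket id, or ipa admin password"`. The assert task starts above the hunk.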
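Review bot: Switching the module name to `community.general.ldap_attrs` is only half the migration: the task keeps the `ldap_attr` parameters `name:` and `values:`, which `ldap_attrs` does not accept (it takes an `attributes:` mapping plus `state:`), so the task fails with an unsupported-parameter error instead of clearing the attribute. The same partial change appears in the two hunks on the next line (`Set FAS Status Note`, `Set FAS Account Information to Private`), which should become `attributes: {fasStatusNote: "Account Disabled: {{ ticket_id }}"}` and `attributes: {fasisprivate: "TRUE"}` with `state: exact`. In this hunk the attribute name is the loop variable, so the mapping key is templated; an empty list under `state: exact` is the documented way to remove all values of an attribute. The task's loop and bind parameters continue below the hunk.
```yaml
- name: "Remove personal information attributes"
  community.general.ldap_attrs:
    dn: "uid={{ ipa_name }},cn=users,cn=accounts,dc=rockylinux,dc=org"
    attributes:
      "{{ item }}": []
    state: exact
    # … unchanged: server_uri, bind_dn, bind_pw, loop …
```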
@@ -62,7 +64,7 @@ - homePhone - name: "Set FAS Status Note" - community.general.ldap_attr: + community.general.ldap_attrs: dn: "uid={{ ipa_name }},cn=users,cn=accounts,dc=rockylinux,dc=org" name: "fasStatusNote" values: "Account Disabled: {{ ticket_id }}" @@ -72,7 +74,7 @@ bind_pw: "{{ ipaadmin_password }}" - name: "Set FAS Account Information to Private" - community.general.ldap_attr: + community.general.ldap_attrs: dn: "uid={{ ipa_name }},cn=users,cn=accounts,dc=rockylinux,dc=org" name: "fasisprivate" values: "TRUE" @@ -80,3 +82,4 @@ server_uri: ldap://localhost/ bind_dn: "uid={{ ipa_admin }},cn=users,cn=accounts,dc=rockylinux,dc=org" bind_pw: "{{ ipaadmin_password }}" +... diff --git a/adhoc-ipauser-disable.yml b/adhoc-ipauser-disable.yml index f2454f9..179b708 100644 --- a/adhoc-ipauser-disable.yml +++ b/adhoc-ipauser-disable.yml @@ -1,12 +1,13 @@ --- # This playbook is meant to be used with callable variables, like adhoc or AWX. # What: Creates users in the idm infrastructure based on the variables provided. -# NOTE: For usage in AWX, select an appropriate host - name: Create a User hosts: all become: false gather_facts: false + vars_files: + - vars/vaults/userman.yml tasks: - name: "Checking for user variables" @@ -26,3 +27,4 @@ state: disabled tags: - users +... diff --git a/adhoc-ipauser-enable.yml b/adhoc-ipauser-enable.yml index 2394c9e..197133e 100644 --- a/adhoc-ipauser-enable.yml +++ b/adhoc-ipauser-enable.yml @@ -1,12 +1,13 @@ --- # This playbook is meant to be used with callable variables, like adhoc or AWX. # What: Creates users in the idm infrastructure based on the variables provided. -# NOTE: For usage in AWX, select an appropriate host - name: Create a User hosts: all become: false gather_facts: false + vars_files: + - vars/vaults/userman.yml tasks: - name: "Checking for user variables" @@ -26,3 +27,4 @@ state: enabled tags: - users +... diff --git a/adhoc-ipauser.yml b/adhoc-ipauser.yml index e533b91..e64cb16 100644 --- a/adhoc-ipauser.yml 
+++ b/adhoc-ipauser.yml @@ -1,12 +1,13 @@ --- # This playbook is meant to be used with callable variables, like adhoc or AWX. # What: Creates users in the idm infrastructure based on the variables provided. -# NOTE: For usage in AWX, select an appropriate host - name: Create a User hosts: all become: false gather_facts: false + vars_files: + - vars/vaults/userman.yml tasks: - name: "Checking for user variables" @@ -37,3 +38,4 @@ update_password: on_create tags: - users +... diff --git a/import-rockyipaprivs.yml b/import-rockyipaprivs.yml new file mode 100644 index 0000000..dd5d012 --- /dev/null +++ b/import-rockyipaprivs.yml @@ -0,0 +1,45 @@ +--- +# Creates necessary privileges for services +- name: "Creating necessary privileges" + freeipa.ansible_freeipa.ipaprivilege: + ipaadmin_password: "{{ ipaadmin_password }}" + name: "{{ item.privilege }}" + description: "{{ item.description }}" + loop: "{{ ipaprivileges }}" + when: ipaprivileges is defined + tags: + - rbac + +- name: "Creating permissions" + freeipa.ansible_freeipa.ipaprivilege: + ipaadmin_password: "{{ ipaadmin_password }}" + name: "{{ item.privilege }}" + permission: "{{ item.permissions }}" + action: member + loop: "{{ ipaprivileges }}" + when: ipaprivileges is defined + tags: + - rbac + +- name: "Creating roles based on custom privileges" + freeipa.ansible_freeipa.iparole: + ipaadmin_password: "{{ ipaadmin_password }}" + name: "{{ item.role }}" + privilege: "{{ item.privilege }}" + user: "{{ item.user|default(omit) }}" + loop: "{{ ipaprivileges }}" + when: ipaprivileges is defined + tags: + - rbac + +- name: "Creating roles based on standard privileges" + freeipa.ansible_freeipa.iparole: + ipaadmin_password: "{{ ipaadmin_password }}" + name: "{{ item.role }}" + privilege: "{{ item.privileges }}" + user: "{{ item.user|default(omit) }}" + loop: "{{ iparoles }}" + when: iparoles is defined + tags: + - rbac +... 
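Review bot: The third task loops over `ipaprivileges` but reads `item.role` without a default, so an `ipaprivileges` entry that only declares a privilege and its permissions (no accompanying role) makes this task fail on an undefined attribute after the first two tasks have already succeeded; if such entries are possible, guard it with `when: ipaprivileges is defined and item.role is defined`. Note also that `iparole` without `action: member` treats the supplied `privilege`/`user` lists as the role's complete membership — if I read the module right, re-running with a shortened list removes members — which is reasonable for RBAC declared in vars but deserves a comment such as `# default action (role): listed privileges/users are the complete membership`.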
diff --git a/init-rocky-ipa-internal-dns.yml b/init-rocky-ipa-internal-dns.yml new file mode 100644 index 0000000..c555a6c --- /dev/null +++ b/init-rocky-ipa-internal-dns.yml @@ -0,0 +1,33 @@ +--- +# This builds out the initial users and groups for the rocky linux infra +- name: Create our initial users + hosts: all + become: false + gather_facts: false + vars_files: + - vars/vaults/encpass.yml + - vars/ipa/rdns.yml + - vars/ipa/fdns.yml + + tasks: + - name: "Checking for user variables" + assert: + that: + - ipaadmin_password | mandatory + success_msg: "Required variables provided" + fail_msg: "We are missing ipa admin password" + + - name: "Create Reverse Domains" + freeipa.ansible_freeipa.ipadnszone: + ipaadmin_password: '{{ ipaadmin_password }}' + name: '{{ item }}' + dynamic_update: true + with_items: '{{ rdns }}' + + - name: "Create Forward Domains" + freeipa.ansible_freeipa.ipadnszone: + ipaadmin_password: '{{ ipaadmin_password }}' + name: '{{ item }}' + dynamic_update: true + with_items: '{{ fdns }}' +... diff --git a/init-rocky-ipa-team.yml b/init-rocky-ipa-team.yml new file mode 100644 index 0000000..5c30230 --- /dev/null +++ b/init-rocky-ipa-team.yml 
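Review bot: The header comment and play name are copied from the users playbook — `# This builds out the initial users and groups for the rocky linux infra` and `- name: Create our initial users` — but this play only creates DNS zones; change them to `# Creates the forward and reverse DNS zones for the rocky linux infra` and `- name: Create internal DNS zones`. Both zone tasks set `dynamic_update: true` without an `update_policy`, so who may update records in these zones depends on the module/server default; a one-line comment stating the intended policy would help the next reader. The zone lists are iterated with `with_items`, whereas the other new file in this commit uses `loop`; `loop` is the current idiom.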
@@ -0,0 +1,36 @@ +--- +# This builds out the initial users and groups for the rocky linux infra +- name: Create our initial users + hosts: all + become: true + gather_facts: false + vars_files: + - vars/vaults/encpass.yml + - vars/ipa/users.yml + - vars/ipa/adminusers.yml + - vars/ipa/svcusers.yml + - vars/ipa/groups.yml + - vars/ipa/ipaprivs.yml + + tasks: + - name: "Checking for user variables" + assert: + that: + - ipaadmin_password | mandatory + - users | mandatory + - ipagroups | mandatory + success_msg: "Required variables provided" + fail_msg: "We are missing users or ipa admin password" + + - name: "Start users" + import_tasks: import-rockyusers.yml + + - name: "Start groups" + import_tasks: import-rockygroups.yml + + - name: "Start sudo for admins" + import_tasks: import-rockysudo.yml + + - name: "Start privileges for services" + import_tasks: import-rockyipaprivs.yml +... diff --git a/role-rocky-ipa-client.yml b/role-rocky-ipa-client.yml index 2bafdb9..e12793c 100644 --- a/role-rocky-ipa-client.yml +++ b/role-rocky-ipa-client.yml @@ -1,9 +1,12 @@ --- # Configures an IPA client for the Rocky infrastructure -# NOTE: For usage in AWX, select an appropriate host +# Define "host" as a hostgroup name or a single host - name: Configure IPA client hosts: all become: true + vars_files: + - vars/vaults/encpass.yml + - vars/ipa/ipaclient.yml pre_tasks: - name: Check if ansible cannot be run here @@ -36,3 +39,4 @@ mode: '0644' owner: root group: root +... diff --git a/role-rocky-ipa-replica.yml b/role-rocky-ipa-replica.yml index d36ed6c..ec5e827 100644 --- a/role-rocky-ipa-replica.yml +++ b/role-rocky-ipa-replica.yml @@ -1,9 +1,11 @@ --- # Creates an IPA replica -# NOTE: Select the appropriate host or hostgroup +# Define "host" as a hostgroup name or a single host - name: Configure IPA server hosts: all become: true + vars_files: + - vars/vaults/encpass.yml # This is to try to avoid the handler issue in pre/post tasks handlers: 
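Review bot: This play runs with `become: true` although the one imported task file visible in this commit (import-rockyipaprivs.yml) only calls ipa* API modules authenticated with `ipaadmin_password`, and the sibling adhoc-ipauser / adhoc-ipagroup plays use `become: false` for the same kind of modules, so the escalation looks unnecessary; unless `import-rockyusers.yml`, `import-rockygroups.yml` or `import-rockysudo.yml` needs root on the target, change it to `become: false`. The header comment `# This builds out the initial users and groups for the rocky linux infra` also omits the sudo rules and service privileges now imported here; extend it, e.g. `# Builds out the initial users, groups, admin sudo rules and service privileges for the rocky linux infra`.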
@@ -49,3 +51,4 @@ mode: '0644' owner: root group: root +... diff --git a/role-rocky-ipa.yml b/role-rocky-ipa.yml index 40f1516..ffdc2dc 100644 --- a/role-rocky-ipa.yml +++ b/role-rocky-ipa.yml @@ -6,10 +6,11 @@ # Storage: 10G /var/lib/dirsrv # System fully up to date # Define "host" as a hostgroup name or a single host -# NOTE: For AWX, choose the appropriate host or host group - name: Configure IPA server hosts: all become: true + vars_files: + - vars/vaults/encpass.yml # This is to try to avoid the handler issue in pre/post tasks handlers: @@ -60,3 +61,4 @@ freeipa.ansible_freeipa.ipadnsconfig: ipaadmin_password: '{{ ipaadmin_password }}' allow_sync_ptr: true +...