sync from infra

This commit is contained in:
nazunalika 2022-02-12 14:43:09 -07:00
parent 5c95e4fd60
commit c6486927d8
Signed by: label
GPG Key ID: 6735C0E1BD65D048
17 changed files with 166 additions and 19 deletions


@ -6,7 +6,7 @@
# -> ipa_binder_password: Bind account password # -> ipa_binder_password: Bind account password
- name: Create binder account - name: Create binder account
hosts: ipaserver hosts: all
become: true become: true
tasks: tasks:
@ -20,7 +20,7 @@
- name: "Creating bind account template - binder" - name: "Creating bind account template - binder"
template: template:
src: "tmp/binder.update.j2" src: "tmp/binder_template.update"
dest: "/tmp/binder.update" dest: "/tmp/binder.update"
owner: root owner: root
group: root group: root
@ -39,3 +39,4 @@
file: file:
path: "/tmp/binder.update" path: "/tmp/binder.update"
state: absent state: absent
...
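Review bot: `hosts: ipaserver` becomes `hosts: all` on a play that, with `become: true`, renders the bind-account update file into `/tmp/binder.update` on whichever host it runs against (second hunk), so without an external limit it now targets every inventory host rather than the IPA server; the same `ipaserver` → `all` change appears in the "Create our initial users" and "Create Services" sections below, and the commit also drops the "select an IPA server" NOTE lines from the DNS, keytab and user playbooks, leaving no in-file guidance on targeting. Suggest keeping one header comment in each of these plays, e.g. `# NOTE: run with a --limit (or AWX limit) naming an IPA server; this play is IPA-server-specific`. The step that consumes `/tmp/binder.update` is presumably outside the hunk, so the exact blast radius on a non-IPA host cannot be confirmed from here.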


@ -10,12 +10,13 @@
# -> ipa_name_type: Type of record (eg, CNAME, A, AAAA, PTR) # -> ipa_name_type: Type of record (eg, CNAME, A, AAAA, PTR)
# -> ipa_name_value: Record value (depends on type of record) # -> ipa_name_value: Record value (depends on type of record)
# -> ipa_presence: present or absent # -> ipa_presence: present or absent
# NOTE: For usage in AWX, select an IPA server
- name: Create a DNS Record - name: Create a DNS Record
hosts: all hosts: all
become: false become: false
gather_facts: false gather_facts: false
vars_files:
- vars/vaults/hostman.yml
tasks: tasks:
- name: "Checking for user variables" - name: "Checking for user variables"
@ -54,3 +55,4 @@
managedby: managedby:
- "{{ ipa_name_value[:-1] }}" - "{{ ipa_name_value[:-1] }}"
ignore_errors: true ignore_errors: true
...


@ -2,12 +2,13 @@
# This playbook is meant to be used with callable variables, like adhoc or AWX. # This playbook is meant to be used with callable variables, like adhoc or AWX.
# What: Creates dns zones in the idm infrastructure based on the variables # What: Creates dns zones in the idm infrastructure based on the variables
# provided. # provided.
# NOTE: For usage in AWX, select an IPA server
- name: Create a DNS Zone - name: Create a DNS Zone
hosts: all hosts: all
become: false become: false
gather_facts: false gather_facts: false
vars_files:
- vars/vaults/hostman.yml
tasks: tasks:
- name: "Checking for user variables" - name: "Checking for user variables"
@ -26,3 +27,4 @@
name: "{{ ipa_zone }}" name: "{{ ipa_zone }}"
tags: tags:
- dns - dns
...


@ -9,8 +9,8 @@
# -> getcert_postcmd: command to run after a certificate renews # -> getcert_postcmd: command to run after a certificate renews
# -> getcert_chain: true/false, should cert and key be chained together # -> getcert_chain: true/false, should cert and key be chained together
# -> getcert_chain_location: location for the chain # -> getcert_chain_location: location for the chain
# -> getcert_service: service name (eg HTTP, host), defaults to host
# TODO: Add CNAME/SAN support # TODO: Add CNAME/SAN support
# NOTE: For usage in AWX, select an appropriate server
- name: Request and sign an IPA Certificate - name: Request and sign an IPA Certificate
hosts: all hosts: all
@ -24,6 +24,7 @@
nss_db_dir: "{{ getcert_nss_db_dir|default('/etc/pki/tls/db') }}" nss_db_dir: "{{ getcert_nss_db_dir|default('/etc/pki/tls/db') }}"
nss_nickname: "{{ getcert_nss_nickname|default(ansible_fqdn) }}" nss_nickname: "{{ getcert_nss_nickname|default(ansible_fqdn) }}"
postcmd: "{{ getcert_postcmd|default(false) }}" postcmd: "{{ getcert_postcmd|default(false) }}"
service: "{{ getcert_service|default('host') }}"
ipa_getcert_chain: "{{ getcert_chain|default(false) }}" ipa_getcert_chain: "{{ getcert_chain|default(false) }}"
ipa_getcert_chain_location: "{{ getcert_chain_location|default('/etc/pki/tls/chain') }}" ipa_getcert_chain_location: "{{ getcert_chain_location|default('/etc/pki/tls/chain') }}"
ipa_getcert_nss: "{{ getcert_nss|default(false) }}" ipa_getcert_nss: "{{ getcert_nss|default(false) }}"
@ -31,3 +32,4 @@
roles: roles:
- role: rockylinux.ipagetcert - role: rockylinux.ipagetcert
state: present state: present
...


@ -4,7 +4,7 @@
# extended security posture # extended security posture
# What: Pulls keytabs for a kerberos service # What: Pulls keytabs for a kerberos service
# What is expected: # What is expected:
# -> host: The host in the inventory, this MUST be FQDN. # -> host: The host in the inventory
# -> ipa_service: using this format: SVC/hostname.rockylinux.org@ROCKYLINUX.ORG # -> ipa_service: using this format: SVC/hostname.rockylinux.org@ROCKYLINUX.ORG
# Note: This service MUST exist # Note: This service MUST exist
# -> ipa_keytab_fullpath: The full path to the keytab. Example: /etc/gitlab/gitlab.keytab # -> ipa_keytab_fullpath: The full path to the keytab. Example: /etc/gitlab/gitlab.keytab
@ -12,12 +12,13 @@
# -> ipa_owner: If applicable, the local account that can read this keytab (eg apache) # -> ipa_owner: If applicable, the local account that can read this keytab (eg apache)
# -> ipa_admin: The admin user that has kerberos management capabilities (default is admin) # -> ipa_admin: The admin user that has kerberos management capabilities (default is admin)
# -> ipaadmin_password: This should be the password of the admin user # -> ipaadmin_password: This should be the password of the admin user
# NOTE: For usage in AWX, select an appropriate host
- name: Pull keytab from IPA - name: Pull keytab from IPA
hosts: all hosts: all
become: true become: true
gather_facts: false gather_facts: false
vars_files:
- vars/vaults/kerbman.yml
tasks: tasks:
- name: "Checking for user variables" - name: "Checking for user variables"
@ -134,3 +135,4 @@
state: file state: file
tags: tags:
- keytab - keytab
...


@ -6,9 +6,11 @@
# set to true. # set to true.
- name: Create our initial users - name: Create our initial users
hosts: ipaserver hosts: all
become: false become: false
gather_facts: false gather_facts: false
vars_files:
- vars/vaults/userman.yml
tasks: tasks:
- name: "Checking for user variables" - name: "Checking for user variables"
@ -45,3 +47,4 @@
check_mode: false check_mode: false
changed_when: "1 != 1" changed_when: "1 != 1"
when: ipa_fas when: ipa_fas
...


@ -3,9 +3,11 @@
# What: Creates kerberos services in the idm infrastructure based on the variables provided # What: Creates kerberos services in the idm infrastructure based on the variables provided
- name: Create Services - name: Create Services
hosts: ipaserver hosts: all
become: false become: false
gather_facts: false gather_facts: false
vars_files:
- vars/vaults/kerbman.yml
tasks: tasks:
- name: "Checking for user variables" - name: "Checking for user variables"
@ -26,3 +28,4 @@
force: "{{ ipa_force | default(false) }}" force: "{{ ipa_force | default(false) }}"
tags: tags:
- services - services
...


@ -10,6 +10,8 @@
hosts: all hosts: all
become: false become: false
gather_facts: false gather_facts: false
vars_files:
- vars/vaults/userman.yml
tasks: tasks:
- name: "Checking for user variables" - name: "Checking for user variables"
@ -18,6 +20,7 @@
- ipa_admin | mandatory - ipa_admin | mandatory
- ipaadmin_password | mandatory - ipaadmin_password | mandatory
- ipa_name | mandatory - ipa_name | mandatory
- ticket_id | mandatory
success_msg: "Required variables provided" success_msg: "Required variables provided"
fail_msg: "We are missing user information or ipa admin password" fail_msg: "We are missing user information or ipa admin password"
@ -31,7 +34,7 @@
- users - users
- name: "Remove personal information attributes" - name: "Remove personal information attributes"
community.general.ldap_attr: community.general.ldap_attrs:
dn: "uid={{ ipa_name }},cn=users,cn=accounts,dc=rockylinux,dc=org" dn: "uid={{ ipa_name }},cn=users,cn=accounts,dc=rockylinux,dc=org"
name: "{{ item }}" name: "{{ item }}"
values: [] values: []
@ -45,7 +48,6 @@
- fasGitLabUsername - fasGitLabUsername
- fasIRCNick - fasIRCNick
- fasRHBZEmail - fasRHBZEmail
- fasStatusNote
- fasWebsiteURL - fasWebsiteURL
- fasgpgkeyid - fasgpgkeyid
- fasLocale - fasLocale
@ -62,7 +64,7 @@
- homePhone - homePhone
- name: "Set FAS Status Note" - name: "Set FAS Status Note"
community.general.ldap_attr: community.general.ldap_attrs:
dn: "uid={{ ipa_name }},cn=users,cn=accounts,dc=rockylinux,dc=org" dn: "uid={{ ipa_name }},cn=users,cn=accounts,dc=rockylinux,dc=org"
name: "fasStatusNote" name: "fasStatusNote"
values: "Account Disabled: {{ ticket_id }}" values: "Account Disabled: {{ ticket_id }}"
@ -72,7 +74,7 @@
bind_pw: "{{ ipaadmin_password }}" bind_pw: "{{ ipaadmin_password }}"
- name: "Set FAS Account Information to Private" - name: "Set FAS Account Information to Private"
community.general.ldap_attr: community.general.ldap_attrs:
dn: "uid={{ ipa_name }},cn=users,cn=accounts,dc=rockylinux,dc=org" dn: "uid={{ ipa_name }},cn=users,cn=accounts,dc=rockylinux,dc=org"
name: "fasisprivate" name: "fasisprivate"
values: "TRUE" values: "TRUE"
@ -80,3 +82,4 @@
server_uri: ldap://localhost/ server_uri: ldap://localhost/
bind_dn: "uid={{ ipa_admin }},cn=users,cn=accounts,dc=rockylinux,dc=org" bind_dn: "uid={{ ipa_admin }},cn=users,cn=accounts,dc=rockylinux,dc=org"
bind_pw: "{{ ipaadmin_password }}" bind_pw: "{{ ipaadmin_password }}"
...
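Review bot: The three tasks renamed from `community.general.ldap_attr` to `community.general.ldap_attrs` keep the old module's `name:`/`values:` arguments, but `ldap_attrs` takes an `attributes:` mapping of attribute → value(s) instead, so each task would fail argument validation on the new side. The `state:` lines sit outside the hunks; `ldap_attrs` accepts the same `present`/`absent`/`exact` values, and clearing an attribute with an empty list needs `exact`, so carry over whatever each task already passes. The rewrite below shows only the module arguments that change; connection arguments and the loop are unchanged.
```yaml
- name: "Remove personal information attributes"
  community.general.ldap_attrs:
    dn: "uid={{ ipa_name }},cn=users,cn=accounts,dc=rockylinux,dc=org"
    attributes:
      "{{ item }}": []
    # … unchanged: state, server_uri, bind_dn, bind_pw, loop over the attribute list …
- name: "Set FAS Status Note"
  community.general.ldap_attrs:
    dn: "uid={{ ipa_name }},cn=users,cn=accounts,dc=rockylinux,dc=org"
    attributes:
      fasStatusNote: "Account Disabled: {{ ticket_id }}"
    # … unchanged: state, server_uri, bind_dn, bind_pw …
- name: "Set FAS Account Information to Private"
  community.general.ldap_attrs:
    dn: "uid={{ ipa_name }},cn=users,cn=accounts,dc=rockylinux,dc=org"
    attributes:
      fasisprivate: "TRUE"
    # … unchanged: state, server_uri, bind_dn, bind_pw …
```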


@ -1,12 +1,13 @@
--- ---
# This playbook is meant to be used with callable variables, like adhoc or AWX. # This playbook is meant to be used with callable variables, like adhoc or AWX.
# What: Creates users in the idm infrastructure based on the variables provided. # What: Creates users in the idm infrastructure based on the variables provided.
# NOTE: For usage in AWX, select an appropriate host
- name: Create a User - name: Create a User
hosts: all hosts: all
become: false become: false
gather_facts: false gather_facts: false
vars_files:
- vars/vaults/userman.yml
tasks: tasks:
- name: "Checking for user variables" - name: "Checking for user variables"
@ -26,3 +27,4 @@
state: disabled state: disabled
tags: tags:
- users - users
...


@ -1,12 +1,13 @@
--- ---
# This playbook is meant to be used with callable variables, like adhoc or AWX. # This playbook is meant to be used with callable variables, like adhoc or AWX.
# What: Creates users in the idm infrastructure based on the variables provided. # What: Creates users in the idm infrastructure based on the variables provided.
# NOTE: For usage in AWX, select an appropriate host
- name: Create a User - name: Create a User
hosts: all hosts: all
become: false become: false
gather_facts: false gather_facts: false
vars_files:
- vars/vaults/userman.yml
tasks: tasks:
- name: "Checking for user variables" - name: "Checking for user variables"
@ -26,3 +27,4 @@
state: enabled state: enabled
tags: tags:
- users - users
...


@ -1,12 +1,13 @@
--- ---
# This playbook is meant to be used with callable variables, like adhoc or AWX. # This playbook is meant to be used with callable variables, like adhoc or AWX.
# What: Creates users in the idm infrastructure based on the variables provided. # What: Creates users in the idm infrastructure based on the variables provided.
# NOTE: For usage in AWX, select an appropriate host
- name: Create a User - name: Create a User
hosts: all hosts: all
become: false become: false
gather_facts: false gather_facts: false
vars_files:
- vars/vaults/userman.yml
tasks: tasks:
- name: "Checking for user variables" - name: "Checking for user variables"
@ -37,3 +38,4 @@
update_password: on_create update_password: on_create
tags: tags:
- users - users
...

import-rockyipaprivs.yml Normal file

@ -0,0 +1,45 @@
---
# Creates necessary privileges for services
- name: "Creating necessary privileges"
freeipa.ansible_freeipa.ipaprivilege:
ipaadmin_password: "{{ ipaadmin_password }}"
name: "{{ item.privilege }}"
description: "{{ item.description }}"
loop: "{{ ipaprivileges }}"
when: ipaprivileges is defined
tags:
- rbac
- name: "Creating permissions"
freeipa.ansible_freeipa.ipaprivilege:
ipaadmin_password: "{{ ipaadmin_password }}"
name: "{{ item.privilege }}"
permission: "{{ item.permissions }}"
action: member
loop: "{{ ipaprivileges }}"
when: ipaprivileges is defined
tags:
- rbac
- name: "Creating roles based on custom privileges"
freeipa.ansible_freeipa.iparole:
ipaadmin_password: "{{ ipaadmin_password }}"
name: "{{ item.role }}"
privilege: "{{ item.privilege }}"
user: "{{ item.user|default(omit) }}"
loop: "{{ ipaprivileges }}"
when: ipaprivileges is defined
tags:
- rbac
- name: "Creating roles based on standard privileges"
freeipa.ansible_freeipa.iparole:
ipaadmin_password: "{{ ipaadmin_password }}"
name: "{{ item.role }}"
privilege: "{{ item.privileges }}"
user: "{{ item.user|default(omit) }}"
loop: "{{ iparoles }}"
when: iparoles is defined
tags:
- rbac
...
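Review bot: The four tasks read the loop items with different key names — `item.privilege`, `item.description`, `item.permissions`, `item.role` and `item.user` for `ipaprivileges`, but `item.role`, `item.privileges` (plural) and `item.user` for `iparoles` — and nothing in the file states what either list looks like, so a misspelled key in the vars file only surfaces as an undefined-attribute error part-way through a run that has already created privileges. Since these items decide which IPA permissions each privilege carries and which users end up holding the resulting roles, the data shape is what a reviewer of the vars file needs to check. Suggest a header comment after the first line describing both structures, e.g. `# ipaprivileges: list of {privilege, description, permissions: [...], role, user: [...] (optional)}` and `# iparoles: list of {role, privileges: [...], user: [...] (optional)}`, with a pointer to where each list is expected to be defined.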


@ -0,0 +1,33 @@
---
# This builds out the initial users and groups for the rocky linux infra
- name: Create our initial users
hosts: all
become: false
gather_facts: false
vars_files:
- vars/vaults/encpass.yml
- vars/ipa/rdns.yml
- vars/ipa/fdns.yml
tasks:
- name: "Checking for user variables"
assert:
that:
- ipaadmin_password | mandatory
success_msg: "Required variables provided"
fail_msg: "We are missing ipa admin password"
- name: "Create Reverse Domains"
freeipa.ansible_freeipa.ipadnszone:
ipaadmin_password: '{{ ipaadmin_password }}'
name: '{{ item }}'
dynamic_update: true
with_items: '{{ rdns }}'
- name: "Create Forward Domains"
freeipa.ansible_freeipa.ipadnszone:
ipaadmin_password: '{{ ipaadmin_password }}'
name: '{{ item }}'
dynamic_update: true
with_items: '{{ fdns }}'
...
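Review bot: The header comment and play name describe users and groups (`# This builds out the initial users and groups for the rocky linux infra`, `- name: Create our initial users`) but the tasks create forward and reverse DNS zones from `rdns`/`fdns`, so the copy-pasted header is wrong in a new file. Suggest `# Creates the forward and reverse DNS zones for the rocky linux infra` and `- name: Create the initial DNS zones`. Both zone tasks also set `dynamic_update: true` with no comment; a one-liner recording which zone update policy the zones are expected to rely on (not set here, so presumably the server-side default or configured elsewhere) would make the intent reviewable, and the assert could additionally require `rdns` and `fdns` since both loops dereference them unconditionally.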

init-rocky-ipa-team.yml Normal file

@ -0,0 +1,36 @@
---
# This builds out the initial users and groups for the rocky linux infra
- name: Create our initial users
hosts: all
become: true
gather_facts: false
vars_files:
- vars/vaults/encpass.yml
- vars/ipa/users.yml
- vars/ipa/adminusers.yml
- vars/ipa/svcusers.yml
- vars/ipa/groups.yml
- vars/ipa/ipaprivs.yml
tasks:
- name: "Checking for user variables"
assert:
that:
- ipaadmin_password | mandatory
- users | mandatory
- ipagroups | mandatory
success_msg: "Required variables provided"
fail_msg: "We are missing users or ipa admin password"
- name: "Start users"
import_tasks: import-rockyusers.yml
- name: "Start groups"
import_tasks: import-rockygroups.yml
- name: "Start sudo for admins"
import_tasks: import-rockysudo.yml
- name: "Start privileges for services"
import_tasks: import-rockyipaprivs.yml
...
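Review bot: `become: true` escalates on every targeted host, whereas the other new and modified IPA-API plays in this commit (the DNS zone play, the user and service plays) use `become: false` for the same kind of work; unless one of the imported task files needs root on the target — they are not in view here — `become: false` keeps this play at the lower privilege, and a short comment should say which import needs root if one does. The assert covers `ipaadmin_password`, `users` and `ipagroups` while `ipaprivileges`/`iparoles` are guarded with `is defined` in import-rockyipaprivs.yml, which is consistent; the `adminusers`/`svcusers` vars files are loaded but whatever they define is not checked, so a comment naming the variables each file is expected to provide would help.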


@ -1,9 +1,12 @@
--- ---
# Configures an IPA client for the Rocky infrastructure # Configures an IPA client for the Rocky infrastructure
# NOTE: For usage in AWX, select an appropriate host # Define "host" as a hostgroup name or a single host
- name: Configure IPA client - name: Configure IPA client
hosts: all hosts: all
become: true become: true
vars_files:
- vars/vaults/encpass.yml
- vars/ipa/ipaclient.yml
pre_tasks: pre_tasks:
- name: Check if ansible cannot be run here - name: Check if ansible cannot be run here
@ -36,3 +39,4 @@
mode: '0644' mode: '0644'
owner: root owner: root
group: root group: root
...


@ -1,9 +1,11 @@
--- ---
# Creates an IPA replica # Creates an IPA replica
# NOTE: Select the appropriate host or hostgroup # Define "host" as a hostgroup name or a single host
- name: Configure IPA server - name: Configure IPA server
hosts: all hosts: all
become: true become: true
vars_files:
- vars/vaults/encpass.yml
# This is to try to avoid the handler issue in pre/post tasks # This is to try to avoid the handler issue in pre/post tasks
handlers: handlers:
@ -49,3 +51,4 @@
mode: '0644' mode: '0644'
owner: root owner: root
group: root group: root
...


@ -6,10 +6,11 @@
# Storage: 10G /var/lib/dirsrv # Storage: 10G /var/lib/dirsrv
# System fully up to date # System fully up to date
# Define "host" as a hostgroup name or a single host # Define "host" as a hostgroup name or a single host
# NOTE: For AWX, choose the appropriate host or host group
- name: Configure IPA server - name: Configure IPA server
hosts: all hosts: all
become: true become: true
vars_files:
- vars/vaults/encpass.yml
# This is to try to avoid the handler issue in pre/post tasks # This is to try to avoid the handler issue in pre/post tasks
handlers: handlers:
@ -60,3 +61,4 @@
freeipa.ansible_freeipa.ipadnsconfig: freeipa.ansible_freeipa.ipadnsconfig:
ipaadmin_password: '{{ ipaadmin_password }}' ipaadmin_password: '{{ ipaadmin_password }}'
allow_sync_ptr: true allow_sync_ptr: true
...