infrastructure/ansible-ipa-management
7
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

sync from infra

Browse Source
This commit is contained in:
nazunalika 2022-02-12 14:43:09 -07:00
parent 5c95e4fd60
commit c6486927d8
Signed by: label
GPG Key ID: 6735C0E1BD65D048
17 changed files with 166 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
adhoc-ipabinder.yml
View File

@ -6,7 +6,7 @@
# -> ipa_binder_password: Bind account password
- name: Create binder account
hosts: ipaserver
hosts: all
become: true
tasks:
@ -20,7 +20,7 @@
- name: "Creating bind account template - binder"
template:
src: "tmp/binder.update.j2"
src: "tmp/binder_template.update"
dest: "/tmp/binder.update"
owner: root
group: root
@ -39,3 +39,4 @@
file:
path: "/tmp/binder.update"
state: absent
...

4
adhoc-ipadnsrecord.yml
View File

@ -10,12 +10,13 @@
# -> ipa_name_type: Type of record (eg, CNAME, A, AAAA, PTR)
# -> ipa_name_value: Record value (depends on type of record)
# -> ipa_presence: present or absent
# NOTE: For usage in AWX, select an IPA server
- name: Create a DNS Record
hosts: all
become: false
gather_facts: false
vars_files:
- vars/vaults/hostman.yml
tasks:
- name: "Checking for user variables"
@ -54,3 +55,4 @@
managedby:
- "{{ ipa_name_value[:-1] }}"
ignore_errors: true
...

4
adhoc-ipadnszone.yml
View File

@ -2,12 +2,13 @@
# This playbook is meant to be used with callable variables, like adhoc or AWX.
# What: Creates dns zones in the idm infrastructure based on the variables
# provided.
# NOTE: For usage in AWX, select an IPA server
- name: Create a DNS Zone
hosts: all
become: false
gather_facts: false
vars_files:
- vars/vaults/hostman.yml
tasks:
- name: "Checking for user variables"
@ -26,3 +27,4 @@
name: "{{ ipa_zone }}"
tags:
- dns
...

4
adhoc-ipagetcert.yml
View File

@ -9,8 +9,8 @@
# -> getcert_postcmd: command to run after a certificate renews
# -> getcert_chain: true/false, should cert and key be chained together
# -> getcert_chain_location: location for the chain
# -> getcert_service: service name (eg HTTP, host), defaults to host
# TODO: Add CNAME/SAN support
# NOTE: For usage in AWX, select an appropriate server
- name: Request and sign an IPA Certificate
hosts: all
@ -24,6 +24,7 @@
nss_db_dir: "{{ getcert_nss_db_dir|default('/etc/pki/tls/db') }}"
nss_nickname: "{{ getcert_nss_nickname|default(ansible_fqdn) }}"
postcmd: "{{ getcert_postcmd|default(false) }}"
service: "{{ getcert_service|default('host') }}"
ipa_getcert_chain: "{{ getcert_chain|default(false) }}"
ipa_getcert_chain_location: "{{ getcert_chain_location|default('/etc/pki/tls/chain') }}"
ipa_getcert_nss: "{{ getcert_nss|default(false) }}"
@ -31,3 +32,4 @@
roles:
- role: rockylinux.ipagetcert
state: present
...

6
adhoc-ipagetkeytab.yml
View File

@ -4,7 +4,7 @@
# extended security posture
# What: Pulls keytabs for a kerberos service
# What is expected:
# -> host: The host in the inventory, this MUST be FQDN.
# -> host: The host in the inventory
# -> ipa_service: using this format: SVC/hostname.rockylinux.org@ROCKYLINUX.ORG
# Note: This service MUST exist
# -> ipa_keytab_fullpath: The full path to the keytab. Example: /etc/gitlab/gitlab.keytab
@ -12,12 +12,13 @@
# -> ipa_owner: If applicable, the local account that can read this keytab (eg apache)
# -> ipa_admin: The admin user that has kerberos management capabilities (default is admin)
# -> ipaadmin_password: This should be the password of the admin user
# NOTE: For usage in AWX, select an appropriate host
- name: Pull keytab from IPA
hosts: all
become: true
gather_facts: false
vars_files:
- vars/vaults/kerbman.yml
tasks:
- name: "Checking for user variables"
@ -134,3 +135,4 @@
state: file
tags:
- keytab
...

5
adhoc-ipagroup.yml
View File

@ -6,9 +6,11 @@
# set to true.
- name: Create our initial users
hosts: ipaserver
hosts: all
become: false
gather_facts: false
vars_files:
- vars/vaults/userman.yml
tasks:
- name: "Checking for user variables"
@ -45,3 +47,4 @@
check_mode: false
changed_when: "1 != 1"
when: ipa_fas
...

5
adhoc-ipaservice.yml
View File

@ -3,9 +3,11 @@
# What: Creates kerberos services in the idm infrastructure based on the variables provided
- name: Create Services
hosts: ipaserver
hosts: all
become: false
gather_facts: false
vars_files:
- vars/vaults/kerbman.yml
tasks:
- name: "Checking for user variables"
@ -26,3 +28,4 @@
force: "{{ ipa_force | default(false) }}"
tags:
- services
...

11
adhoc-ipauser-disable-pdr.yml
View File

@ -10,6 +10,8 @@
hosts: all
become: false
gather_facts: false
vars_files:
- vars/vaults/userman.yml
tasks:
- name: "Checking for user variables"
@ -18,6 +20,7 @@
- ipa_admin | mandatory
- ipaadmin_password | mandatory
- ipa_name | mandatory
- ticket_id | mandatory
success_msg: "Required variables provided"
fail_msg: "We are missing user information or ipa admin password"
@ -31,7 +34,7 @@
- users
- name: "Remove personal information attributes"
community.general.ldap_attr:
community.general.ldap_attrs:
dn: "uid={{ ipa_name }},cn=users,cn=accounts,dc=rockylinux,dc=org"
name: "{{ item }}"
values: []
@ -45,7 +48,6 @@
- fasGitLabUsername
- fasIRCNick
- fasRHBZEmail
- fasStatusNote
- fasWebsiteURL
- fasgpgkeyid
- fasLocale
@ -62,7 +64,7 @@
- homePhone
- name: "Set FAS Status Note"
community.general.ldap_attr:
community.general.ldap_attrs:
dn: "uid={{ ipa_name }},cn=users,cn=accounts,dc=rockylinux,dc=org"
name: "fasStatusNote"
values: "Account Disabled: {{ ticket_id }}"
@ -72,7 +74,7 @@
bind_pw: "{{ ipaadmin_password }}"
- name: "Set FAS Account Information to Private"
community.general.ldap_attr:
community.general.ldap_attrs:
dn: "uid={{ ipa_name }},cn=users,cn=accounts,dc=rockylinux,dc=org"
name: "fasisprivate"
values: "TRUE"
@ -80,3 +82,4 @@
server_uri: ldap://localhost/
bind_dn: "uid={{ ipa_admin }},cn=users,cn=accounts,dc=rockylinux,dc=org"
bind_pw: "{{ ipaadmin_password }}"
...

4
adhoc-ipauser-disable.yml
View File

@ -1,12 +1,13 @@
---
# This playbook is meant to be used with callable variables, like adhoc or AWX.
# What: Creates users in the idm infrastructure based on the variables provided.
# NOTE: For usage in AWX, select an appropriate host
- name: Create a User
hosts: all
become: false
gather_facts: false
vars_files:
- vars/vaults/userman.yml
tasks:
- name: "Checking for user variables"
@ -26,3 +27,4 @@
state: disabled
tags:
- users
...

4
adhoc-ipauser-enable.yml
View File

@ -1,12 +1,13 @@
---
# This playbook is meant to be used with callable variables, like adhoc or AWX.
# What: Creates users in the idm infrastructure based on the variables provided.
# NOTE: For usage in AWX, select an appropriate host
- name: Create a User
hosts: all
become: false
gather_facts: false
vars_files:
- vars/vaults/userman.yml
tasks:
- name: "Checking for user variables"
@ -26,3 +27,4 @@
state: enabled
tags:
- users
...

4
adhoc-ipauser.yml
View File

@ -1,12 +1,13 @@
---
# This playbook is meant to be used with callable variables, like adhoc or AWX.
# What: Creates users in the idm infrastructure based on the variables provided.
# NOTE: For usage in AWX, select an appropriate host
- name: Create a User
hosts: all
become: false
gather_facts: false
vars_files:
- vars/vaults/userman.yml
tasks:
- name: "Checking for user variables"
@ -37,3 +38,4 @@
update_password: on_create
tags:
- users
...

45
import-rockyipaprivs.yml Normal file
View File

@ -0,0 +1,45 @@
---
# Creates necessary privileges for services
- name: "Creating necessary privileges"
freeipa.ansible_freeipa.ipaprivilege:
ipaadmin_password: "{{ ipaadmin_password }}"
name: "{{ item.privilege }}"
description: "{{ item.description }}"
loop: "{{ ipaprivileges }}"
when: ipaprivileges is defined
tags:
- rbac
- name: "Creating permissions"
freeipa.ansible_freeipa.ipaprivilege:
ipaadmin_password: "{{ ipaadmin_password }}"
name: "{{ item.privilege }}"
permission: "{{ item.permissions }}"
action: member
loop: "{{ ipaprivileges }}"
when: ipaprivileges is defined
tags:
- rbac
- name: "Creating roles based on custom privileges"
freeipa.ansible_freeipa.iparole:
ipaadmin_password: "{{ ipaadmin_password }}"
name: "{{ item.role }}"
privilege: "{{ item.privilege }}"
user: "{{ item.user|default(omit) }}"
loop: "{{ ipaprivileges }}"
when: ipaprivileges is defined
tags:
- rbac
- name: "Creating roles based on standard privileges"
freeipa.ansible_freeipa.iparole:
ipaadmin_password: "{{ ipaadmin_password }}"
name: "{{ item.role }}"
privilege: "{{ item.privileges }}"
user: "{{ item.user|default(omit) }}"
loop: "{{ iparoles }}"
when: iparoles is defined
tags:
- rbac
...

33
init-rocky-ipa-internal-dns.yml Normal file
View File

@ -0,0 +1,33 @@
---
# This builds out the initial users and groups for the rocky linux infra
- name: Create our initial users
hosts: all
become: false
gather_facts: false
vars_files:
- vars/vaults/encpass.yml
- vars/ipa/rdns.yml
- vars/ipa/fdns.yml
tasks:
- name: "Checking for user variables"
assert:
that:
- ipaadmin_password | mandatory
success_msg: "Required variables provided"
fail_msg: "We are missing ipa admin password"
- name: "Create Reverse Domains"
freeipa.ansible_freeipa.ipadnszone:
ipaadmin_password: '{{ ipaadmin_password }}'
name: '{{ item }}'
dynamic_update: true
with_items: '{{ rdns }}'
- name: "Create Forward Domains"
freeipa.ansible_freeipa.ipadnszone:
ipaadmin_password: '{{ ipaadmin_password }}'
name: '{{ item }}'
dynamic_update: true
with_items: '{{ fdns }}'
...

36
init-rocky-ipa-team.yml Normal file
View File

@ -0,0 +1,36 @@
---
# This builds out the initial users and groups for the rocky linux infra
- name: Create our initial users
hosts: all
become: true
gather_facts: false
vars_files:
- vars/vaults/encpass.yml
- vars/ipa/users.yml
- vars/ipa/adminusers.yml
- vars/ipa/svcusers.yml
- vars/ipa/groups.yml
- vars/ipa/ipaprivs.yml
tasks:
- name: "Checking for user variables"
assert:
that:
- ipaadmin_password | mandatory
- users | mandatory
- ipagroups | mandatory
success_msg: "Required variables provided"
fail_msg: "We are missing users or ipa admin password"
- name: "Start users"
import_tasks: import-rockyusers.yml
- name: "Start groups"
import_tasks: import-rockygroups.yml
- name: "Start sudo for admins"
import_tasks: import-rockysudo.yml
- name: "Start privileges for services"
import_tasks: import-rockyipaprivs.yml
...

6
role-rocky-ipa-client.yml
View File

@ -1,9 +1,12 @@
---
# Configures an IPA client for the Rocky infrastructure
# NOTE: For usage in AWX, select an appropriate host
# Define "host" as a hostgroup name or a single host
- name: Configure IPA client
hosts: all
become: true
vars_files:
- vars/vaults/encpass.yml
- vars/ipa/ipaclient.yml
pre_tasks:
- name: Check if ansible cannot be run here
@ -36,3 +39,4 @@
mode: '0644'
owner: root
group: root
...

5
role-rocky-ipa-replica.yml
View File

@ -1,9 +1,11 @@
---
# Creates an IPA replica
# NOTE: Select the appropriate host or hostgroup
# Define "host" as a hostgroup name or a single host
- name: Configure IPA server
hosts: all
become: true
vars_files:
- vars/vaults/encpass.yml
# This is to try to avoid the handler issue in pre/post tasks
handlers:
@ -49,3 +51,4 @@
mode: '0644'
owner: root
group: root
...

4
role-rocky-ipa.yml
View File

@ -6,10 +6,11 @@
# Storage: 10G /var/lib/dirsrv
# System fully up to date
# Define "host" as a hostgroup name or a single host
# NOTE: For AWX, choose the appropriate host or host group
- name: Configure IPA server
hosts: all
become: true
vars_files:
- vars/vaults/encpass.yml
# This is to try to avoid the handler issue in pre/post tasks
handlers:
@ -60,3 +61,4 @@
freeipa.ansible_freeipa.ipadnsconfig:
ipaadmin_password: '{{ ipaadmin_password }}'
allow_sync_ptr: true
...