use FQCN across the board

adhoc-ipabinder.yml

@@ -6,12 +6,12 @@
 #  -> ipa_binder_password: Bind account password
 
 - name: Create binder account
-  hosts: ipaserver
+  hosts: all
   become: true
 
   tasks:
     - name: "Check for user variables"
-      assert:
+      ansible.builtin.assert:
         that:
           - ipa_binder_name | mandatory
           - ipa_binder_password | mandatory
@@ -19,8 +19,8 @@
         fail_msg: "We are missing user information"
 
     - name: "Creating bind account template - binder"
-      template:
+      ansible.builtin.template:
-        src: "tmp/binder.update.j2"
+        src: "tmp/binder_template.update"
         dest: "/tmp/binder.update"
         owner: root
         group: root
@@ -29,13 +29,14 @@
         - users
 
     - name: "Adding in the bind account"
-      command: "/usr/sbin/ipa-ldap-updater /tmp/binder.update"
+      ansible.builtin.command: "/usr/sbin/ipa-ldap-updater /tmp/binder.update"
       register: bind_account
       changed_when: "bind_account.rc == 0"
       tags:
         - users
 
     - name: "Remove template"
-      file:
+      ansible.builtin.file:
         path: "/tmp/binder.update"
         state: absent
+...

adhoc-ipadnsrecord.yml

@@ -10,7 +10,6 @@
 #  -> ipa_name_type: Type of record (eg, CNAME, A, AAAA, PTR)
 #  -> ipa_name_value: Record value (depends on type of record)
 #  -> ipa_presence: present or absent
-#  NOTE: For usage in AWX, select an IPA server
 
 - name: Create a DNS Record
   hosts: all
@@ -19,7 +18,7 @@
 
   tasks:
     - name: "Checking for user variables"
-      assert:
+      ansible.builtin.assert:
         that:
           - ipaadmin_password | mandatory
           - ipa_zone | mandatory
@@ -54,3 +53,4 @@
         managedby:
           - "{{ ipa_name_value[:-1] }}"
       ignore_errors: true
+...

adhoc-ipadnszone.yml

@@ -2,7 +2,6 @@
 # This playbook is meant to be used with callable variables, like adhoc or AWX.
 # What: Creates dns zones in the idm infrastructure based on the variables
 #       provided.
-#  NOTE: For usage in AWX, select an IPA server
 
 - name: Create a DNS Zone
   hosts: all
@@ -11,7 +10,7 @@
 
   tasks:
     - name: "Checking for user variables"
-      assert:
+      ansible.builtin.assert:
         that:
           - ipa_admin | mandatory
           - ipaadmin_password | mandatory
@@ -26,3 +25,4 @@
         name: "{{ ipa_zone }}"
       tags:
         - dns
+...

adhoc-ipagetcert.yml

@@ -9,8 +9,8 @@
 #  -> getcert_postcmd: command to run after a certificate renews
 #  -> getcert_chain: true/false, should cert and key be chained together
 #  -> getcert_chain_location: location for the chain
+#  -> getcert_service: service name (eg HTTP, host), defaults to host
 # TODO: Add CNAME/SAN support
-# NOTE: For usage in AWX, select an appropriate server
 
 - name: Request and sign an IPA Certificate
   hosts: all
@@ -24,6 +24,7 @@
         nss_db_dir: "{{ getcert_nss_db_dir|default('/etc/pki/tls/db') }}"
         nss_nickname: "{{ getcert_nss_nickname|default(ansible_fqdn) }}"
         postcmd: "{{ getcert_postcmd|default(false) }}"
+        service: "{{ getcert_service|default('host') }}"
     ipa_getcert_chain: "{{ getcert_chain|default(false) }}"
     ipa_getcert_chain_location: "{{ getcert_chain_location|default('/etc/pki/tls/chain') }}"
     ipa_getcert_nss: "{{ getcert_nss|default(false) }}"
@@ -31,3 +32,4 @@
   roles:
     - role: rockylinux.ipagetcert
       state: present
+...

adhoc-ipagetkeytab.yml

@@ -4,7 +4,7 @@
 # extended security posture
 # What: Pulls keytabs for a kerberos service
 # What is expected:
-#  -> host: The host in the inventory, this MUST be FQDN.
+#  -> host: The host in the inventory
 #  -> ipa_service: using this format: SVC/hostname.rockylinux.org@ROCKYLINUX.ORG
 #     Note: This service MUST exist
 #  -> ipa_keytab_fullpath: The full path to the keytab. Example: /etc/gitlab/gitlab.keytab
@@ -12,7 +12,6 @@
 #  -> ipa_owner: If applicable, the local account that can read this keytab (eg apache)
 #  -> ipa_admin: The admin user that has kerberos management capabilities (default is admin)
 #  -> ipaadmin_password: This should be the password of the admin user
-# NOTE: For usage in AWX, select an appropriate host
 
 - name: Pull keytab from IPA
   hosts: all
@@ -21,7 +20,7 @@
 
   tasks:
     - name: "Checking for user variables"
-      assert:
+      ansible.builtin.assert:
         that:
           - ipa_admin | mandatory
           - ipaadmin_password | mandatory
@@ -32,14 +31,14 @@
         fail_msg: "We are missing required information"
 
     - name: "Check that a keytab doesn't already exist"
-      stat:
+      ansible.builtin.stat:
         path: "{{ ipa_keytab_fullpath }}"
       register: keytab_status
       check_mode: false
       changed_when: "1 != 1"
 
     - name: "Verify keytab existence"
-      assert:
+      ansible.builtin.assert:
         that:
           - "not keytab_status.stat.exists"
         success_msg: "Keytab doesn't exist, moving on..."
@@ -71,14 +70,14 @@
 
     - name: "Get kerberos ticket"
       delegate_to: "{{ ipa_server }}"
-      shell: "set -o pipefail && echo \"{{ ipaadmin_password }}\" | kinit {{ ipa_admin }}"
+      ansible.builtin.shell: "set -o pipefail && echo \"{{ ipaadmin_password }}\" | kinit {{ ipa_admin }}"
       check_mode: false
       changed_when: "1 != 1"
       when: not keytab_status.stat.exists
 
     - name: "Attempt to retrieve keytab"
       delegate_to: "{{ ipa_server }}"
-      command: "ipa-getkeytab -r -s {{ ipa_server }} -p {{ ipa_service }} -k /tmp/{{ host }}.kt"
+      ansible.builtin.command: "ipa-getkeytab -r -s {{ ipa_server }} -p {{ ipa_service }} -k /tmp/{{ host }}.kt"
       register: ret_result
       check_mode: false
       changed_when: "1 != 1"
@@ -86,30 +85,30 @@
 
     - name: "Create keytab if it didn't exist, based on the last task"
       delegate_to: "{{ ipa_server }}"
-      command: "ipa-getkeytab -s {{ ipa_server }} -p {{ ipa_service }} -k /tmp/{{ host }}.kt"
+      ansible.builtin.command: "ipa-getkeytab -s {{ ipa_server }} -p {{ ipa_service }} -k /tmp/{{ host }}.kt"
       when: "'krbPrincipalKey not found' in ret_result.stderr"
 
     - name: "Destroy admin ticket"
       delegate_to: "{{ ipa_server }}"
-      command: "kdestroy -A"
+      ansible.builtin.command: "kdestroy -A"
       register: kdestroy_result
       changed_when: "kdestroy_result.rc == 0"
 
     - name: "Put the keytab into a register"
       delegate_to: "{{ ipa_server }}"
-      command: "base64 /tmp/{{ host }}.kt"
+      ansible.builtin.command: "base64 /tmp/{{ host }}.kt"
       register: keytab
       check_mode: false
       changed_when: "keytab.rc == 0"
 
     - name: "Destroy local keytab"
       delegate_to: "{{ ipa_server }}"
-      file:
+      ansible.builtin.file:
         path: "/tmp/{{ host }}.kt"
         state: absent
 
     - name: "Deploy keytab to {{ host }} from register"
-      copy:
+      ansible.builtin.copy:
         dest: "{{ ipa_keytab_fullpath }}.b64"
         content: "{{ keytab.stdout }}"
         owner: "{{ ipa_owner|default('root') }}"
@@ -117,16 +116,16 @@
         mode: '0600'
 
     - name: "Decode keytab"
-      shell: "umask 077 && base64 -d {{ ipa_keytab_fullpath }}.b64 > {{ ipa_keytab_fullpath }}"
+      ansible.builtin.shell: "umask 077 && base64 -d {{ ipa_keytab_fullpath }}.b64 > {{ ipa_keytab_fullpath }}"
       changed_when: "1 != 1"
 
     - name: "Destroy encoded keytab"
-      file:
+      ansible.builtin.file:
         path: "{{ ipa_keytab_fullpath }}.b64"
         state: absent
 
     - name: "Set ownership if applicable, otherwise it's root owned"
-      file:
+      ansible.builtin.file:
         path: "{{ ipa_keytab_fullpath }}"
         owner: "{{ ipa_owner|default('root') }}"
         group: "{{ ipa_owner|default('root') }}"
@@ -134,3 +133,4 @@
         state: file
       tags:
         - keytab
+...

adhoc-ipagroup.yml

@@ -6,13 +6,15 @@
 # set to true.
 
 - name: Create our initial users
-  hosts: ipaserver
+  hosts: all
   become: false
   gather_facts: false
+  vars_files:
+  - vars/vaults/userman.yml
 
   tasks:
     - name: "Checking for user variables"
-      assert:
+      ansible.builtin.assert:
         that:
           - ipa_admin | mandatory
           - ipaadmin_password | mandatory
@@ -45,3 +47,4 @@
       check_mode: false
       changed_when: "1 != 1"
       when: ipa_fas
+...

adhoc-ipaservice.yml

@@ -3,13 +3,13 @@
 # What: Creates kerberos services in the idm infrastructure based on the variables provided
 
 - name: Create Services
-  hosts: ipaserver
+  hosts: all
   become: false
   gather_facts: false
 
   tasks:
     - name: "Checking for user variables"
-      assert:
+      ansible.builtin.assert:
         that:
           - ipa_admin | mandatory
           - ipaadmin_password | mandatory
@@ -26,3 +26,4 @@
         force: "{{ ipa_force | default(false) }}"
       tags:
         - services
+...

adhoc-ipauser-disable-pdr.yml

@@ -13,11 +13,12 @@
 
   tasks:
     - name: "Checking for user variables"
-      assert:
+      ansible.builtin.assert:
         that:
           - ipa_admin | mandatory
           - ipaadmin_password | mandatory
           - ipa_name | mandatory
+          - ticket_id | mandatory
         success_msg: "Required variables provided"
         fail_msg: "We are missing user information or ipa admin password"
 
@@ -31,7 +32,7 @@
         - users
 
     - name: "Remove personal information attributes"
-      community.general.ldap_attr:
+      community.general.ldap_attrs:
         dn: "uid={{ ipa_name }},cn=users,cn=accounts,dc=rockylinux,dc=org"
         name: "{{ item }}"
         values: []
@@ -45,7 +46,6 @@
         - fasGitLabUsername
         - fasIRCNick
         - fasRHBZEmail
-        - fasStatusNote
         - fasWebsiteURL
         - fasgpgkeyid
         - fasLocale
@@ -61,8 +61,18 @@
         - telephoneNumber
         - homePhone
 
+    - name: "Set FAS Status Note"
+      community.general.ldap_attrs:
+        dn: "uid={{ ipa_name }},cn=users,cn=accounts,dc=rockylinux,dc=org"
+        name: "fasStatusNote"
+        values: "Account Disabled: {{ ticket_id }}"
+        state: exact
+        server_uri: ldap://localhost/
+        bind_dn: "uid={{ ipa_admin }},cn=users,cn=accounts,dc=rockylinux,dc=org"
+        bind_pw: "{{ ipaadmin_password }}"
+
     - name: "Set FAS Account Information to Private"
-      community.general.ldap_attr:
+      community.general.ldap_attrs:
         dn: "uid={{ ipa_name }},cn=users,cn=accounts,dc=rockylinux,dc=org"
         name: "fasisprivate"
         values: "TRUE"
@@ -70,3 +80,4 @@
         server_uri: ldap://localhost/
         bind_dn: "uid={{ ipa_admin }},cn=users,cn=accounts,dc=rockylinux,dc=org"
         bind_pw: "{{ ipaadmin_password }}"
+...

adhoc-ipauser-disable.yml

@@ -1,7 +1,6 @@
 ---
 # This playbook is meant to be used with callable variables, like adhoc or AWX.
 # What: Creates users in the idm infrastructure based on the variables provided.
-# NOTE: For usage in AWX, select an appropriate host
 
 - name: Create a User
   hosts: all
@@ -10,7 +9,7 @@
 
   tasks:
     - name: "Checking for user variables"
-      assert:
+      ansible.builtin.assert:
         that:
           - ipa_admin | mandatory
           - ipaadmin_password | mandatory
@@ -26,3 +25,4 @@
         state: disabled
       tags:
         - users
+...

adhoc-ipauser-enable.yml

@@ -1,7 +1,6 @@
 ---
 # This playbook is meant to be used with callable variables, like adhoc or AWX.
 # What: Creates users in the idm infrastructure based on the variables provided.
-# NOTE: For usage in AWX, select an appropriate host
 
 - name: Create a User
   hosts: all
@@ -10,7 +9,7 @@
 
   tasks:
     - name: "Checking for user variables"
-      assert:
+      ansible.builtin.assert:
         that:
           - ipa_admin | mandatory
           - ipaadmin_password | mandatory
@@ -26,3 +25,4 @@
         state: enabled
       tags:
         - users
+...

adhoc-ipauser.yml

@@ -1,7 +1,6 @@
 ---
 # This playbook is meant to be used with callable variables, like adhoc or AWX.
 # What: Creates users in the idm infrastructure based on the variables provided.
-# NOTE: For usage in AWX, select an appropriate host
 
 - name: Create a User
   hosts: all
@@ -10,7 +9,7 @@
 
   tasks:
     - name: "Checking for user variables"
-      assert:
+      ansible.builtin.assert:
         that:
           - ipa_admin | mandatory
           - ipaadmin_password | mandatory
@@ -37,3 +36,4 @@
         update_password: on_create
       tags:
         - users
+...

collections/requirements.yml

@@ -2,3 +2,6 @@
 # Collections
 collections:
   - name: freeipa.ansible_freeipa
+  - name: community.general
+  - name: ansible.posix
+...

import-rockygroups.yml

@@ -0,0 +1,15 @@
+---
+# Creates the first set of groups for the IdM Infrastructure
+- name: "Creating Mandatory Groups"
+  freeipa.ansible_freeipa.ipagroup:
+    ipaadmin_password: "{{ ipaadmin_password }}"
+    name: "{{ item.group }}"
+    description: "{{ item.description }}"
+    nonposix: false
+    user: "{{ item.user | default(none) }}"
+    membermanager_user: "{{ item.managers_users | default(omit) }}"
+    membermanager_group: "{{ item.managers_groups | default(omit) }}"
+  loop: "{{ ipagroups }}"
+  tags:
+    - groups
+...

import-rockyipaprivs.yml

@@ -0,0 +1,45 @@
+---
+# Creates necessary privileges for services
+- name: "Creating necessary privileges"
+  freeipa.ansible_freeipa.ipaprivilege:
+    ipaadmin_password: "{{ ipaadmin_password }}"
+    name: "{{ item.privilege }}"
+    description: "{{ item.description }}"
+  loop: "{{ ipaprivileges }}"
+  when: ipaprivileges is defined
+  tags:
+    - rbac
+
+- name: "Creating permissions"
+  freeipa.ansible_freeipa.ipaprivilege:
+    ipaadmin_password: "{{ ipaadmin_password }}"
+    name: "{{ item.privilege }}"
+    permission: "{{ item.permissions }}"
+    action: member
+  loop: "{{ ipaprivileges }}"
+  when: ipaprivileges is defined
+  tags:
+    - rbac
+
+- name: "Creating roles based on custom privileges"
+  freeipa.ansible_freeipa.iparole:
+    ipaadmin_password: "{{ ipaadmin_password }}"
+    name: "{{ item.role }}"
+    privilege: "{{ item.privilege }}"
+    user: "{{ item.user|default(omit) }}"
+  loop: "{{ ipaprivileges }}"
+  when: ipaprivileges is defined
+  tags:
+    - rbac
+
+- name: "Creating roles based on standard privileges"
+  freeipa.ansible_freeipa.iparole:
+    ipaadmin_password: "{{ ipaadmin_password }}"
+    name: "{{ item.role }}"
+    privilege: "{{ item.privileges }}"
+    user: "{{ item.user|default(omit) }}"
+  loop: "{{ iparoles }}"
+  when: iparoles is defined
+  tags:
+    - rbac
+...

import-rockypwpolicy.yml

@@ -0,0 +1,17 @@
+---
+# Creates the first set of groups for the IdM Infrastructure
+- name: "Setting up password policies"
+  freeipa.ansible_freeipa.ipapwpolicy:
+    ipaadmin_password: "{{ ipaadmin_password }}"
+    name: "{{ item.group }}"
+    minlife: "{{ item.minlife | default(0) }}"
+    maxlife: "{{ item.maxlife | default(0) }}"
+    history: "{{ item.history | default(5) }}"
+    priority: "{{ item.priority | default(1) }}"
+    lockouttime: "{{ item.lockout | default(300) }}"
+    minlength: "{{ item.minlength | default(8) }}"
+    maxfile: "{{ item.maxfail | default(5) }}"
+  loop: "{{ ipapwpolicies }}"
+  tags:
+    - groups
+...

import-rockysudo.yml

@@ -0,0 +1,13 @@
+---
+# Currently only one SUDO role should be created, and that is for the
+# rocky linux admins
+- name: "Creating SUDO Role for Rocky Admins"
+  freeipa.ansible_freeipa.ipasudorule:
+    ipaadmin_password: "{{ ipaadmin_password }}"
+    name: All_RockyAdmins
+    description: Rocky Linux infrastructure and operations sudo access
+    group:
+      - rockyadm
+    hostcat: all
+    cmdcat: all
+...

import-rockyusers.yml

@@ -0,0 +1,71 @@
+---
+# Creates the first set of users for the IdM Infrastructure. This
+# should create both regular and admin accounts for separation of
+# privilege.
+- name: "Creating Initial Accounts"
+  freeipa.ansible_freeipa.ipauser:
+    ipaadmin_password: "{{ ipaadmin_password }}"
+    name: "{{ item.name }}"
+    first: "{{ item.first }}"
+    last: "{{ item.last }}"
+    email: "{{ item.email|default(omit) }}"
+    password: "{{ item.password }}"
+    title: "{{ item.title }}"
+    loginshell: "{{ item.loginshell }}"
+    update_password: on_create
+  loop: "{{ users }}"
+  tags:
+    - users
+
+- name: "Creating Initial Admin Accounts"
+  freeipa.ansible_freeipa.ipauser:
+    ipaadmin_password: "{{ ipaadmin_password }}"
+    name: "{{ item.name }}"
+    first: "{{ item.first }}"
+    last: "{{ item.last }}"
+    email: "{{ item.email|default(omit) }}"
+    password: "{{ item.password }}"
+    title: "{{ item.title }}"
+    loginshell: "{{ item.loginshell }}"
+    update_password: on_create
+  loop: "{{ adminusers }}"
+  tags:
+    - users
+
+- name: "Creating Service Accounts"
+  freeipa.ansible_freeipa.ipauser:
+    ipaadmin_password: "{{ ipaadmin_password }}"
+    name: "{{ item.name }}"
+    first: "{{ item.first }}"
+    last: "{{ item.last }}"
+    email: "{{ item.email|default(omit) }}"
+    password: "{{ item.password }}"
+    title: "{{ item.title }}"
+    loginshell: "{{ item.loginshell }}"
+    update_password: on_create
+  loop: "{{ svcusers }}"
+  tags:
+    - users
+
+- name: "Creating bind account template - binder"
+  ansible.builtin.template:
+    src: "tmp/binder.update"
+    dest: "/tmp/binder.update"
+    owner: root
+    group: root
+    mode: '0600'
+  tags:
+    - users
+
+- name: "Adding in the bind account - binder"
+  ansible.builtin.command: "/usr/sbin/ipa-ldap-updater /tmp/binder.update"
+  register: bind_account
+  changed_when: "bind_account.rc == 0"
+  tags:
+    - users
+
+- name: "Remove template"
+  ansible.builtin.file:
+    path: "/tmp/binder.update"
+    state: absent
+...

init-rocky-ipa-internal-dns.yml

@@ -0,0 +1,32 @@
+---
+# This builds out the initial users and groups for the rocky linux infra
+- name: Create our initial users
+  hosts: all
+  become: false
+  gather_facts: false
+  vars_files:
+  - vars/ipa/rdns.yml
+  - vars/ipa/fdns.yml
+
+  tasks:
+    - name: "Checking for user variables"
+      ansible.builtin.assert:
+        that:
+          - ipaadmin_password | mandatory
+        success_msg: "Required variables provided"
+        fail_msg: "We are missing ipa admin password"
+
+    - name: "Create Reverse Domains"
+      freeipa.ansible_freeipa.ipadnszone:
+        ipaadmin_password: '{{ ipaadmin_password }}'
+        name: '{{ item }}'
+        dynamic_update: true
+      with_items: '{{ rdns }}'
+
+    - name: "Create Forward Domains"
+      freeipa.ansible_freeipa.ipadnszone:
+        ipaadmin_password: '{{ ipaadmin_password }}'
+        name: '{{ item }}'
+        dynamic_update: true
+      with_items: '{{ fdns }}'
+...

init-rocky-ipa-team.yml

@@ -0,0 +1,35 @@
+---
+# This builds out the initial users and groups for the rocky linux infra
+- name: Create our initial users
+  hosts: all
+  become: true
+  gather_facts: false
+  vars_files:
+  - vars/ipa/users.yml
+  - vars/ipa/adminusers.yml
+  - vars/ipa/svcusers.yml
+  - vars/ipa/groups.yml
+  - vars/ipa/ipaprivs.yml
+
+  tasks:
+    - name: "Checking for user variables"
+      ansible.builtin.assert:
+        that:
+          - ipaadmin_password | mandatory
+          - users | mandatory
+          - ipagroups | mandatory
+        success_msg: "Required variables provided"
+        fail_msg: "We are missing users or ipa admin password"
+
+    - name: "Start users"
+      import_tasks: import-rockyusers.yml
+
+    - name: "Start groups"
+      import_tasks: import-rockygroups.yml
+
+    - name: "Start sudo for admins"
+      import_tasks: import-rockysudo.yml
+
+    - name: "Start privileges for services"
+      import_tasks: import-rockyipaprivs.yml
+...

role-rocky-ipa-client.yml

@@ -1,18 +1,20 @@
 ---
 # Configures an IPA client for the Rocky infrastructure
-# NOTE: For usage in AWX, select an appropriate host
+# Define "host" as a hostgroup name or a single host
 - name: Configure IPA client
   hosts: all
   become: true
+  vars_files:
+  - vars/ipa/ipaclient.yml
 
   pre_tasks:
     - name: Check if ansible cannot be run here
-      stat:
+      ansible.builtin.stat:
         path: /etc/no-ansible
       register: no_ansible
 
     - name: Verify if we can run ansible
-      assert:
+      ansible.builtin.assert:
         that:
           - "not no_ansible.stat.exists"
         success_msg: "We are able to run on this node"
@@ -30,9 +32,10 @@
 
   post_tasks:
     - name: Touching run file that ansible has ran here
-      file:
+      ansible.builtin.file:
         path: /var/log/ansible.run
         state: touch
         mode: '0644'
         owner: root
         group: root
+...

role-rocky-ipa-replica.yml

@@ -1,6 +1,6 @@
 ---
 # Creates an IPA replica
-# NOTE: Select the appropriate host or hostgroup
+# Define "host" as a hostgroup name or a single host
 - name: Configure IPA server
   hosts: all
   become: true
@@ -11,19 +11,19 @@
 
   pre_tasks:
     - name: Check if ansible cannot be run here
-      stat:
+      ansible.builtin.stat:
         path: /etc/no-ansible
       register: no_ansible
 
     - name: Verify if we can run ansible
-      assert:
+      ansible.builtin.assert:
         that:
           - "not no_ansible.stat.exists"
         success_msg: "We are able to run on this node"
         fail_msg: "/etc/no-ansible exists - skipping run on this node"
 
     - name: Ensure 'dns=none' is set for Network Manager
-      ini_file:
+      community.general.ini_file:
         path: /etc/NetworkManager/NetworkManager.conf
         state: present
         no_extra_spaces: true
@@ -43,9 +43,10 @@
 
   post_tasks:
     - name: Touching run file that ansible has ran here
-      file:
+      ansible.builtin.file:
         path: /var/log/ansible.run
         state: touch
         mode: '0644'
         owner: root
         group: root
+...

role-rocky-ipa.yml

@@ -6,7 +6,6 @@
 # Storage: 10G /var/lib/dirsrv
 # System fully up to date
 # Define "host" as a hostgroup name or a single host
-# NOTE: For AWX, choose the appropriate host or host group
 - name: Configure IPA server
   hosts: all
   become: true
@@ -17,19 +16,19 @@
 
   pre_tasks:
     - name: Check if ansible cannot be run here
-      stat:
+      ansible.builtin.stat:
         path: /etc/no-ansible
       register: no_ansible
 
     - name: Verify if we can run ansible
-      assert:
+      ansible.builtin.assert:
         that:
           - "not no_ansible.stat.exists"
         success_msg: "We are able to run on this node"
         fail_msg: "/etc/no-ansible exists - skipping run on this node"
 
     - name: Ensure 'dns=none' is set for Network Manager to avoid change
-      ini_file:
+      community.general.ini_file:
         path: /etc/NetworkManager/NetworkManager.conf
         state: present
         no_extra_spaces: true
@@ -49,7 +48,7 @@
 
   post_tasks:
     - name: Touching run file that ansible has ran here
-      file:
+      ansible.builtin.file:
         path: /var/log/ansible.run
         state: touch
         mode: '0644'
@@ -60,3 +59,4 @@
       freeipa.ansible_freeipa.ipadnsconfig:
         ipaadmin_password: '{{ ipaadmin_password }}'
         allow_sync_ptr: true
+...

roles/requirements.yml

@@ -4,3 +4,4 @@ roles:
   - name: rockylinux.ipagetcert
     src: https://github.com/rocky-linux/ansible-role-ipa-getcert
     version: main
+...

vars/ipa/adminusers.yml

@@ -0,0 +1,51 @@
+---
+adminusers:
+  - name: label2
+    first: Louis
+    last: Abel
+    password: ThisIsNotMyPassword1!
+    title: Infrastructure IdM Manager
+    loginshell: /bin/bash
+  - name: gmk2
+    first: Gregory
+    last: Kurtzer
+    password: ThisIsNotMyPassword1!
+    title: Executive Director
+    loginshell: /bin/bash
+  - name: brian2
+    first: Brian
+    last: Clemens
+    password: ThisIsNotMyPassword1!
+    title: Project Manager
+    loginshell: /bin/bash
+  - name: neil2
+    first: Neil
+    last: Hanlon
+    password: ThisIsNotMyPassword1!
+    title: Infrastructure Manager
+    loginshell: /bin/bash
+  - name: rlh2
+    first: R. Leigh
+    last: Hennig
+    password: ThisIsNotMyPassword1!
+    title: Operations Manager
+    loginshell: /bin/bash
+  - name: rfelsburg2
+    first: Rob
+    last: Felsburg
+    password: ThisIsNotMyPassword1!
+    title: Operations Manager
+    loginshell: /bin/bash
+  - name: tg2
+    first: Taylor
+    last: Goodwill
+    password: ThisIsNotMyPassword1!
+    title: Infrastructure Manager
+    loginshell: /bin/bash
+  - name: bagner2
+    first: Benjamin
+    last: Agner
+    password: ThisIsNotMyPassword1!
+    title: Security Director
+    loginshell: /bin/bash
+...

vars/ipa/agreements.yml

@@ -0,0 +1,3 @@
+---
+# Vars for Agreements for the Rocky Linux Project
+...

vars/ipa/fdns.yml

@@ -0,0 +1,5 @@
+---
+fdns:
+  - rockylinux.org.
+  - aws.rockylinux.org.
+...

vars/ipa/groups.yml

@@ -0,0 +1,99 @@
+---
+ipagroups:
+  - group: infrastructure
+    description: Infrastructure Team
+    user:
+      - label
+      - neil
+      - rlh
+      - rfelsburg
+      - tg
+      - bagner
+  - group: operations
+    description: Operations Team
+    user:
+      - rlh
+      - rfelsburg
+  - group: development
+    description: Development Team
+  - group: qa
+    description: Quality Assurance Team
+  - group: marketing
+    description: Marketing
+  - group: rocky
+    description: Rocky Linux Team
+    user:
+      - label
+      - gmk
+      - brian
+      - hbjy
+      - jorp
+      - neil
+      - rlh
+      - rfelsburg
+      - tg
+      - bagner
+  - group: rockyadm
+    description: Rocky Linux Administrators - Only Admin Accounts
+    user:
+      - label2
+      - gmk2
+      - brian2
+      - hbjy2
+      - jorp2
+      - neil2
+      - rlh2
+      - rfelsburg2
+      - tg2
+      - bagner2
+  - group: gitadm
+    description: Rocky Linux GitLab Admins
+    user:
+      - label
+      - neil
+      - rlh
+      - rfelsburg
+      - tg
+      - hbjy
+  - group: gitusers
+    description: Rocky Linux GitLab Users
+    user:
+      - label
+      - neil
+      - rlh
+      - rfelsburg
+      - tg
+      - hbjy
+      - rockyautomation
+    managers_users:
+      - label
+      - neil
+      - rlh
+      - rfelsburg
+      - tg
+      - hbjy
+  - group: services
+    description: Rocky Linux Service Accounts
+    user:
+      - userman
+      - hostman
+      - kerbman
+      - rockykoji
+      - pubsub_federation
+      - rockypubsub
+      - rockyautomation
+  - group: iam
+    description: Rocky Linux Identity Management
+    user:
+      - label
+    managers_users:
+      - label
+  - group: releng
+    description: Rocky Linux Release Engineering
+    user:
+      - label
+    managers_users:
+      - label
+  - group: mq_pub_readonly
+    description: RabbitMQ ReadOnly
+...

vars/ipa/ipaclient.yml

@@ -0,0 +1,11 @@
+---
+# IPA Client Vars
+ipaclient_domain: rockylinux.org
+ipaclient_realm: ROCKYLINUX.ORG
+ipaadmin_principal: admin
+ipaclient_no_ntp: true
+ipaclient_mkhomedir: true
+ipaclient_ssh_trust_dns: true
+ipasssd_enable_dns_updates: true
+ipatype: client
+...

vars/ipa/ipaprivs.yml

@@ -0,0 +1,43 @@
+---
+# privileges
+ipaprivileges:
+  - privilege: Privileges - Kerberos Managers
+    description: Kerberos Key Managers
+    permissions:
+      - "System: Manage Host Keytab"
+      - "System: Manage Host Keytab Permissions"
+      - "System: Manage Service Keytab"
+      - "System: Manage Service Keytab Permissions"
+      - "System: Manage User Principals"
+    role: Kerberos Managers
+    user:
+      - kerbman
+
+# Standalone Roles
+iparoles:
+  - role: IPA Client Managers
+    description: IPA Client Managers
+    privileges:
+      - "DNS Administrators"
+      - "DNS Servers"
+      - "Host Administrators"
+      - "Host Enrollment"
+      - "Host Group Administrators"
+      - "Netgroups Administrators"
+    user:
+      - hostman
+  - role: Kerberos Managers
+    description: Kerberos Key Managers
+    privileges:
+      - "Privileges - Kerberos Managers"
+      - "Service Administrators"
+    user:
+      - kerbman
+  - role: IPA User Managers
+    description: Rocky IPA User Managers responsible for idm flow
+    privileges:
+      - "Group Administrators"
+      - "Stage User Administrators"
+      - "User Administrators"
+      - "FAS Agreement Administrators"
+...

vars/ipa/ipareplica.yml

@@ -0,0 +1,14 @@
+---
+# IPA Replica
+ipaadmin_principal: admin
+ipaclient_no_ntp: true
+ipaclient_mkhomedir: true
+ipaserver_realm: ROCKYLINUX.ORG
+ipareplica_domain: rockylinux.org
+ipareplica_auto_forwarders: true
+ipareplica_setup_firewalld: true
+ipareplica_setup_ca: true
+ipareplica_setup_kra: true
+ipareplica_setup_dns: true
+ipatype: replica
+...

vars/ipa/ipaserver.yml

@@ -0,0 +1,16 @@
+---
+# IPA Server
+ipaserver_domain: rockylinux.org
+ipaserver_realm: ROCKYLINUX.ORG
+ipaserver_setup_dns: true
+ipaserver_setup_kra: true
+ipaserver_auto_forwarders: true
+ipaserver_no_host_dns: true
+ipaserver_allow_zone_overlap: true
+ipaserver_setup_firewalld: true
+ipaclient_no_ntp: true
+ipaclient_mkhomedir: true
+ipaserver_no_hbac_allow: true
+ipaserver_reverse_zones: ["32.10.in-addr.arpa."]
+ipatype: server
+...

vars/ipa/rdns.yml

@@ -0,0 +1,4 @@
+---
+rdns:
+  - 32.10.in-addr.arpa.
+...

vars/ipa/sudorules.yml

@@ -0,0 +1,2 @@
+---
+...

vars/ipa/svcusers.yml

@@ -0,0 +1,45 @@
+---
+svcusers:
+  - name: hostman
+    first: Host
+    last: Manager
+    password: ThisIsNotMyPassword1!
+    title: System Account - Host Manager
+    loginshell: /sbin/nologin
+  - name: kerbman
+    first: Kerberos
+    last: Manager
+    password: ThisIsNotMyPassword1!
+    title: System Account - Kerberos Key Manager
+    loginshell: /sbin/nologin
+  - name: userman
+    first: User
+    last: Manager
+    password: ThisIsNotMyPassword1!
+    title: System Account - User Manager
+    loginshell: /sbin/nologin
+  - name: rockykoji
+    first: Koji
+    last: Manager
+    password: ThisIsNotMyPassword1!
+    title: System Account - Koji Manager
+    loginshell: /sbin/nologin
+  - name: pubsub_federation
+    first: pubsub
+    last: federation
+    password: ThisIsNotMyPassword1!
+    title: System Account - pubsub federator
+    loginshell: /sbin/nologin
+  - name: rockypubsub
+    first: rocky
+    last: pubsub
+    password: ThisIsNotMyPassword1!
+    title: System Account - pubsub
+    loginshell: /sbin/nologin
+  - name: rockyautomation
+    first: Rocky
+    last: Automation
+    password: ThisIsNotMyPassword1!
+    title: System Account - Automation
+    loginshell: /sbin/nologin
+...

vars/ipa/users.yml

@@ -0,0 +1,59 @@
+---
+users:
+  - name: label
+    first: Louis
+    last: Abel
+    email: label@rockylinux.org
+    password: ThisIsNotMyPassword1!
+    title: Infrastructure IdM Manager
+    loginshell: /bin/bash
+  - name: gmk
+    first: Gregory
+    last: Kurtzer
+    email: gmk@rockylinux.org
+    password: ThisIsNotMyPassword1!
+    title: Executive Director
+    loginshell: /bin/bash
+  - name: brian
+    first: Brian
+    last: Clemens
+    email: brian@rockylinux.org
+    password: ThisIsNotMyPassword1!
+    title: Project Manager
+    loginshell: /bin/bash
+  - name: neil
+    first: Neil
+    last: Hanlon
+    email: neil@rockylinux.org
+    password: ThisIsNotMyPassword1!
+    title: Infrastructure Manager
+    loginshell: /bin/bash
+  - name: rlh
+    first: R. Leigh
+    last: Hennig
+    email: rlh@rockylinux.org
+    password: ThisIsNotMyPassword1!
+    title: Operations Manager
+    loginshell: /bin/bash
+  - name: rfelsburg
+    first: Rob
+    last: Felsburg
+    email: rfelsburg@rockylinux.org
+    password: ThisIsNotMyPassword1!
+    title: Operations Manager
+    loginshell: /bin/bash
+  - name: tg
+    first: Taylor
+    last: Goodwill
+    email: tg@rockylinux.org
+    password: ThisIsNotMyPassword1!
+    title: Infrastructure Manager
+    loginshell: /bin/bash
+  - name: bagner
+    first: Benjamin
+    last: Agner
+    email: bagner@rockylinux.org
+    password: ThisIsNotMyPassword1!
+    title: Security Director
+    loginshell: /bin/bash
+...

vars/ipaserver.yml

@@ -0,0 +1,3 @@
+---
+ipatype: server
+...