

5 Commits

nazunalika
b97263aae6
use FQCN across the board 2022-03-27 18:54:24 -07:00
nazunalika
4c55917561
fix vars 2022-02-12 22:41:09 -07:00
nazunalika
1a69ead36d
quick fixes 2022-02-12 22:39:32 -07:00
nazunalika
c6486927d8
sync from infra 2022-02-12 14:43:09 -07:00
nazunalika
5c95e4fd60
update PDR 2021-04-04 23:46:23 -07:00
36 changed files with 663 additions and 54 deletions


@ -6,12 +6,12 @@
# -> ipa_binder_password: Bind account password # -> ipa_binder_password: Bind account password
- name: Create binder account - name: Create binder account
hosts: ipaserver hosts: all
become: true become: true
tasks: tasks:
- name: "Check for user variables" - name: "Check for user variables"
assert: ansible.builtin.assert:
that: that:
- ipa_binder_name | mandatory - ipa_binder_name | mandatory
- ipa_binder_password | mandatory - ipa_binder_password | mandatory
@ -19,8 +19,8 @@
fail_msg: "We are missing user information" fail_msg: "We are missing user information"
- name: "Creating bind account template - binder" - name: "Creating bind account template - binder"
template: ansible.builtin.template:
src: "tmp/binder.update.j2" src: "tmp/binder_template.update"
dest: "/tmp/binder.update" dest: "/tmp/binder.update"
owner: root owner: root
group: root group: root
@ -29,13 +29,14 @@
- users - users
- name: "Adding in the bind account" - name: "Adding in the bind account"
command: "/usr/sbin/ipa-ldap-updater /tmp/binder.update" ansible.builtin.command: "/usr/sbin/ipa-ldap-updater /tmp/binder.update"
register: bind_account register: bind_account
changed_when: "bind_account.rc == 0" changed_when: "bind_account.rc == 0"
tags: tags:
- users - users
- name: "Remove template" - name: "Remove template"
file: ansible.builtin.file:
path: "/tmp/binder.update" path: "/tmp/binder.update"
state: absent state: absent
...
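Review bot: Changing `hosts: ipaserver` to `hosts: all` in the play header is risky for this play in particular: the task `ansible.builtin.command: "/usr/sbin/ipa-ldap-updater /tmp/binder.update"` only works on an IPA server, and the template it reads carries `ipa_binder_password` (per the header comment), so an unlimited run renders that password into `/tmp` on every inventory host with `become: true` before failing on the non-IPA ones. Consider `hosts: "{{ host | default('ipaserver') }}"` so the target must be chosen explicitly; the `Create our initial users` and `Create Services` plays in this compare make the identical switch and the same applies to them. `/tmp/binder.update` is also a fixed, predictable path; `ansible.builtin.tempfile` would give a per-run private file. The `mode` of the template task is outside the hunk, so I cannot confirm it is `0600` here.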


@ -10,7 +10,6 @@
# -> ipa_name_type: Type of record (eg, CNAME, A, AAAA, PTR) # -> ipa_name_type: Type of record (eg, CNAME, A, AAAA, PTR)
# -> ipa_name_value: Record value (depends on type of record) # -> ipa_name_value: Record value (depends on type of record)
# -> ipa_presence: present or absent # -> ipa_presence: present or absent
# NOTE: For usage in AWX, select an IPA server
- name: Create a DNS Record - name: Create a DNS Record
hosts: all hosts: all
@ -19,7 +18,7 @@
tasks: tasks:
- name: "Checking for user variables" - name: "Checking for user variables"
assert: ansible.builtin.assert:
that: that:
- ipaadmin_password | mandatory - ipaadmin_password | mandatory
- ipa_zone | mandatory - ipa_zone | mandatory
@ -54,3 +53,4 @@
managedby: managedby:
- "{{ ipa_name_value[:-1] }}" - "{{ ipa_name_value[:-1] }}"
ignore_errors: true ignore_errors: true
...


@ -2,7 +2,6 @@
# This playbook is meant to be used with callable variables, like adhoc or AWX. # This playbook is meant to be used with callable variables, like adhoc or AWX.
# What: Creates dns zones in the idm infrastructure based on the variables # What: Creates dns zones in the idm infrastructure based on the variables
# provided. # provided.
# NOTE: For usage in AWX, select an IPA server
- name: Create a DNS Zone - name: Create a DNS Zone
hosts: all hosts: all
@ -11,7 +10,7 @@
tasks: tasks:
- name: "Checking for user variables" - name: "Checking for user variables"
assert: ansible.builtin.assert:
that: that:
- ipa_admin | mandatory - ipa_admin | mandatory
- ipaadmin_password | mandatory - ipaadmin_password | mandatory
@ -26,3 +25,4 @@
name: "{{ ipa_zone }}" name: "{{ ipa_zone }}"
tags: tags:
- dns - dns
...


@ -9,8 +9,8 @@
# -> getcert_postcmd: command to run after a certificate renews # -> getcert_postcmd: command to run after a certificate renews
# -> getcert_chain: true/false, should cert and key be chained together # -> getcert_chain: true/false, should cert and key be chained together
# -> getcert_chain_location: location for the chain # -> getcert_chain_location: location for the chain
# -> getcert_service: service name (eg HTTP, host), defaults to host
# TODO: Add CNAME/SAN support # TODO: Add CNAME/SAN support
# NOTE: For usage in AWX, select an appropriate server
- name: Request and sign an IPA Certificate - name: Request and sign an IPA Certificate
hosts: all hosts: all
@ -24,6 +24,7 @@
nss_db_dir: "{{ getcert_nss_db_dir|default('/etc/pki/tls/db') }}" nss_db_dir: "{{ getcert_nss_db_dir|default('/etc/pki/tls/db') }}"
nss_nickname: "{{ getcert_nss_nickname|default(ansible_fqdn) }}" nss_nickname: "{{ getcert_nss_nickname|default(ansible_fqdn) }}"
postcmd: "{{ getcert_postcmd|default(false) }}" postcmd: "{{ getcert_postcmd|default(false) }}"
service: "{{ getcert_service|default('host') }}"
ipa_getcert_chain: "{{ getcert_chain|default(false) }}" ipa_getcert_chain: "{{ getcert_chain|default(false) }}"
ipa_getcert_chain_location: "{{ getcert_chain_location|default('/etc/pki/tls/chain') }}" ipa_getcert_chain_location: "{{ getcert_chain_location|default('/etc/pki/tls/chain') }}"
ipa_getcert_nss: "{{ getcert_nss|default(false) }}" ipa_getcert_nss: "{{ getcert_nss|default(false) }}"
@ -31,3 +32,4 @@
roles: roles:
- role: rockylinux.ipagetcert - role: rockylinux.ipagetcert
state: present state: present
...
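Review bot: The new `service: "{{ getcert_service|default('host') }}"` is passed straight into a certificate request, and nothing visible constrains the value; since this playbook is meant to be called with arbitrary variables (AWX/adhoc), an assert such as `- getcert_service | default('host') is match('^[A-Za-z0-9_-]+$')` next to the existing variable checks would keep an unexpected principal out of the request. The assert task and the role invocation are outside the hunks, so I cannot see whether the role already validates it. The header comment is a useful addition; consider also stating that the value becomes the service part of the requested principal, if that is indeed how the role uses it.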


@ -4,7 +4,7 @@
# extended security posture # extended security posture
# What: Pulls keytabs for a kerberos service # What: Pulls keytabs for a kerberos service
# What is expected: # What is expected:
# -> host: The host in the inventory, this MUST be FQDN. # -> host: The host in the inventory
# -> ipa_service: using this format: SVC/hostname.rockylinux.org@ROCKYLINUX.ORG # -> ipa_service: using this format: SVC/hostname.rockylinux.org@ROCKYLINUX.ORG
# Note: This service MUST exist # Note: This service MUST exist
# -> ipa_keytab_fullpath: The full path to the keytab. Example: /etc/gitlab/gitlab.keytab # -> ipa_keytab_fullpath: The full path to the keytab. Example: /etc/gitlab/gitlab.keytab
@ -12,7 +12,6 @@
# -> ipa_owner: If applicable, the local account that can read this keytab (eg apache) # -> ipa_owner: If applicable, the local account that can read this keytab (eg apache)
# -> ipa_admin: The admin user that has kerberos management capabilities (default is admin) # -> ipa_admin: The admin user that has kerberos management capabilities (default is admin)
# -> ipaadmin_password: This should be the password of the admin user # -> ipaadmin_password: This should be the password of the admin user
# NOTE: For usage in AWX, select an appropriate host
- name: Pull keytab from IPA - name: Pull keytab from IPA
hosts: all hosts: all
@ -21,7 +20,7 @@
tasks: tasks:
- name: "Checking for user variables" - name: "Checking for user variables"
assert: ansible.builtin.assert:
that: that:
- ipa_admin | mandatory - ipa_admin | mandatory
- ipaadmin_password | mandatory - ipaadmin_password | mandatory
@ -32,14 +31,14 @@
fail_msg: "We are missing required information" fail_msg: "We are missing required information"
- name: "Check that a keytab doesn't already exist" - name: "Check that a keytab doesn't already exist"
stat: ansible.builtin.stat:
path: "{{ ipa_keytab_fullpath }}" path: "{{ ipa_keytab_fullpath }}"
register: keytab_status register: keytab_status
check_mode: false check_mode: false
changed_when: "1 != 1" changed_when: "1 != 1"
- name: "Verify keytab existence" - name: "Verify keytab existence"
assert: ansible.builtin.assert:
that: that:
- "not keytab_status.stat.exists" - "not keytab_status.stat.exists"
success_msg: "Keytab doesn't exist, moving on..." success_msg: "Keytab doesn't exist, moving on..."
@ -71,14 +70,14 @@
- name: "Get kerberos ticket" - name: "Get kerberos ticket"
delegate_to: "{{ ipa_server }}" delegate_to: "{{ ipa_server }}"
shell: "set -o pipefail && echo \"{{ ipaadmin_password }}\" | kinit {{ ipa_admin }}" ansible.builtin.shell: "set -o pipefail && echo \"{{ ipaadmin_password }}\" | kinit {{ ipa_admin }}"
check_mode: false check_mode: false
changed_when: "1 != 1" changed_when: "1 != 1"
when: not keytab_status.stat.exists when: not keytab_status.stat.exists
- name: "Attempt to retrieve keytab" - name: "Attempt to retrieve keytab"
delegate_to: "{{ ipa_server }}" delegate_to: "{{ ipa_server }}"
command: "ipa-getkeytab -r -s {{ ipa_server }} -p {{ ipa_service }} -k /tmp/{{ host }}.kt" ansible.builtin.command: "ipa-getkeytab -r -s {{ ipa_server }} -p {{ ipa_service }} -k /tmp/{{ host }}.kt"
register: ret_result register: ret_result
check_mode: false check_mode: false
changed_when: "1 != 1" changed_when: "1 != 1"
@ -86,30 +85,30 @@
- name: "Create keytab if it didn't exist, based on the last task" - name: "Create keytab if it didn't exist, based on the last task"
delegate_to: "{{ ipa_server }}" delegate_to: "{{ ipa_server }}"
command: "ipa-getkeytab -s {{ ipa_server }} -p {{ ipa_service }} -k /tmp/{{ host }}.kt" ansible.builtin.command: "ipa-getkeytab -s {{ ipa_server }} -p {{ ipa_service }} -k /tmp/{{ host }}.kt"
when: "'krbPrincipalKey not found' in ret_result.stderr" when: "'krbPrincipalKey not found' in ret_result.stderr"
- name: "Destroy admin ticket" - name: "Destroy admin ticket"
delegate_to: "{{ ipa_server }}" delegate_to: "{{ ipa_server }}"
command: "kdestroy -A" ansible.builtin.command: "kdestroy -A"
register: kdestroy_result register: kdestroy_result
changed_when: "kdestroy_result.rc == 0" changed_when: "kdestroy_result.rc == 0"
- name: "Put the keytab into a register" - name: "Put the keytab into a register"
delegate_to: "{{ ipa_server }}" delegate_to: "{{ ipa_server }}"
command: "base64 /tmp/{{ host }}.kt" ansible.builtin.command: "base64 /tmp/{{ host }}.kt"
register: keytab register: keytab
check_mode: false check_mode: false
changed_when: "keytab.rc == 0" changed_when: "keytab.rc == 0"
- name: "Destroy local keytab" - name: "Destroy local keytab"
delegate_to: "{{ ipa_server }}" delegate_to: "{{ ipa_server }}"
file: ansible.builtin.file:
path: "/tmp/{{ host }}.kt" path: "/tmp/{{ host }}.kt"
state: absent state: absent
- name: "Deploy keytab to {{ host }} from register" - name: "Deploy keytab to {{ host }} from register"
copy: ansible.builtin.copy:
dest: "{{ ipa_keytab_fullpath }}.b64" dest: "{{ ipa_keytab_fullpath }}.b64"
content: "{{ keytab.stdout }}" content: "{{ keytab.stdout }}"
owner: "{{ ipa_owner|default('root') }}" owner: "{{ ipa_owner|default('root') }}"
@ -117,16 +116,16 @@
mode: '0600' mode: '0600'
- name: "Decode keytab" - name: "Decode keytab"
shell: "umask 077 && base64 -d {{ ipa_keytab_fullpath }}.b64 > {{ ipa_keytab_fullpath }}" ansible.builtin.shell: "umask 077 && base64 -d {{ ipa_keytab_fullpath }}.b64 > {{ ipa_keytab_fullpath }}"
changed_when: "1 != 1" changed_when: "1 != 1"
- name: "Destroy encoded keytab" - name: "Destroy encoded keytab"
file: ansible.builtin.file:
path: "{{ ipa_keytab_fullpath }}.b64" path: "{{ ipa_keytab_fullpath }}.b64"
state: absent state: absent
- name: "Set ownership if applicable, otherwise it's root owned" - name: "Set ownership if applicable, otherwise it's root owned"
file: ansible.builtin.file:
path: "{{ ipa_keytab_fullpath }}" path: "{{ ipa_keytab_fullpath }}"
owner: "{{ ipa_owner|default('root') }}" owner: "{{ ipa_owner|default('root') }}"
group: "{{ ipa_owner|default('root') }}" group: "{{ ipa_owner|default('root') }}"
@ -134,3 +133,4 @@
state: file state: file
tags: tags:
- keytab - keytab
...
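Review bot: The kinit task still passes the admin password on a shell command line, `ansible.builtin.shell: "set -o pipefail && echo \"{{ ipaadmin_password }}\" | kinit {{ ipa_admin }}"`, and has no `no_log: true`, so the password is visible in the delegated host's process list and in the task's `cmd` result in verbose/AWX output; the same is true of the `base64 /tmp/{{ host }}.kt` task, whose registered `keytab.stdout` is the keytab itself. Prefer `ansible.builtin.command: "kinit {{ ipa_admin }}"` with `stdin: "{{ ipaadmin_password }}"` and `no_log: true`, and add `no_log: true` to the base64 and copy tasks. The header edit drops the requirement that `host` be an FQDN, yet `/tmp/{{ host }}.kt` and the `{{ ipa_service }}` principal still depend on that format — either keep the sentence or assert it. `/tmp/{{ host }}.kt` on the IPA server is a predictable path; `ansible.builtin.tempfile` would avoid it.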


@ -6,13 +6,15 @@
# set to true. # set to true.
- name: Create our initial users - name: Create our initial users
hosts: ipaserver hosts: all
become: false become: false
gather_facts: false gather_facts: false
vars_files:
- vars/vaults/userman.yml
tasks: tasks:
- name: "Checking for user variables" - name: "Checking for user variables"
assert: ansible.builtin.assert:
that: that:
- ipa_admin | mandatory - ipa_admin | mandatory
- ipaadmin_password | mandatory - ipaadmin_password | mandatory
@ -45,3 +47,4 @@
check_mode: false check_mode: false
changed_when: "1 != 1" changed_when: "1 != 1"
when: ipa_fas when: ipa_fas
...


@ -3,13 +3,13 @@
# What: Creates kerberos services in the idm infrastructure based on the variables provided # What: Creates kerberos services in the idm infrastructure based on the variables provided
- name: Create Services - name: Create Services
hosts: ipaserver hosts: all
become: false become: false
gather_facts: false gather_facts: false
tasks: tasks:
- name: "Checking for user variables" - name: "Checking for user variables"
assert: ansible.builtin.assert:
that: that:
- ipa_admin | mandatory - ipa_admin | mandatory
- ipaadmin_password | mandatory - ipaadmin_password | mandatory
@ -26,3 +26,4 @@
force: "{{ ipa_force | default(false) }}" force: "{{ ipa_force | default(false) }}"
tags: tags:
- services - services
...


@ -13,11 +13,12 @@
tasks: tasks:
- name: "Checking for user variables" - name: "Checking for user variables"
assert: ansible.builtin.assert:
that: that:
- ipa_admin | mandatory - ipa_admin | mandatory
- ipaadmin_password | mandatory - ipaadmin_password | mandatory
- ipa_name | mandatory - ipa_name | mandatory
- ticket_id | mandatory
success_msg: "Required variables provided" success_msg: "Required variables provided"
fail_msg: "We are missing user information or ipa admin password" fail_msg: "We are missing user information or ipa admin password"
@ -31,7 +32,7 @@
- users - users
- name: "Remove personal information attributes" - name: "Remove personal information attributes"
community.general.ldap_attr: community.general.ldap_attrs:
dn: "uid={{ ipa_name }},cn=users,cn=accounts,dc=rockylinux,dc=org" dn: "uid={{ ipa_name }},cn=users,cn=accounts,dc=rockylinux,dc=org"
name: "{{ item }}" name: "{{ item }}"
values: [] values: []
@ -45,7 +46,6 @@
- fasGitLabUsername - fasGitLabUsername
- fasIRCNick - fasIRCNick
- fasRHBZEmail - fasRHBZEmail
- fasStatusNote
- fasWebsiteURL - fasWebsiteURL
- fasgpgkeyid - fasgpgkeyid
- fasLocale - fasLocale
@ -61,8 +61,18 @@
- telephoneNumber - telephoneNumber
- homePhone - homePhone
- name: "Set FAS Status Note"
community.general.ldap_attrs:
dn: "uid={{ ipa_name }},cn=users,cn=accounts,dc=rockylinux,dc=org"
name: "fasStatusNote"
values: "Account Disabled: {{ ticket_id }}"
state: exact
server_uri: ldap://localhost/
bind_dn: "uid={{ ipa_admin }},cn=users,cn=accounts,dc=rockylinux,dc=org"
bind_pw: "{{ ipaadmin_password }}"
- name: "Set FAS Account Information to Private" - name: "Set FAS Account Information to Private"
community.general.ldap_attr: community.general.ldap_attrs:
dn: "uid={{ ipa_name }},cn=users,cn=accounts,dc=rockylinux,dc=org" dn: "uid={{ ipa_name }},cn=users,cn=accounts,dc=rockylinux,dc=org"
name: "fasisprivate" name: "fasisprivate"
values: "TRUE" values: "TRUE"
@ -70,3 +80,4 @@
server_uri: ldap://localhost/ server_uri: ldap://localhost/
bind_dn: "uid={{ ipa_admin }},cn=users,cn=accounts,dc=rockylinux,dc=org" bind_dn: "uid={{ ipa_admin }},cn=users,cn=accounts,dc=rockylinux,dc=org"
bind_pw: "{{ ipaadmin_password }}" bind_pw: "{{ ipaadmin_password }}"
...
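Review bot: The migration from `community.general.ldap_attr` to `community.general.ldap_attrs` kept the old `name:`/`values:` arguments on the new `Set FAS Status Note` task and on the two converted tasks above it, but `ldap_attrs` takes an `attributes:` mapping instead (unless the collection version used for this repo still accepts the old names — none is pinned). For the new task that is `attributes:` / `  fasStatusNote: "Account Disabled: {{ ticket_id }}"` with `state: exact`, and for the loop it becomes `attributes: { "{{ item }}": [] }`. Both new and converted tasks bind as `ipa_admin` over `server_uri: ldap://localhost/`; a comment stating that plaintext LDAP is acceptable only because the play runs on the IPA server itself (or switching to `ldapi:///`) would document that assumption.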


@ -1,7 +1,6 @@
--- ---
# This playbook is meant to be used with callable variables, like adhoc or AWX. # This playbook is meant to be used with callable variables, like adhoc or AWX.
# What: Creates users in the idm infrastructure based on the variables provided. # What: Creates users in the idm infrastructure based on the variables provided.
# NOTE: For usage in AWX, select an appropriate host
- name: Create a User - name: Create a User
hosts: all hosts: all
@ -10,7 +9,7 @@
tasks: tasks:
- name: "Checking for user variables" - name: "Checking for user variables"
assert: ansible.builtin.assert:
that: that:
- ipa_admin | mandatory - ipa_admin | mandatory
- ipaadmin_password | mandatory - ipaadmin_password | mandatory
@ -26,3 +25,4 @@
state: disabled state: disabled
tags: tags:
- users - users
...


@ -1,7 +1,6 @@
--- ---
# This playbook is meant to be used with callable variables, like adhoc or AWX. # This playbook is meant to be used with callable variables, like adhoc or AWX.
# What: Creates users in the idm infrastructure based on the variables provided. # What: Creates users in the idm infrastructure based on the variables provided.
# NOTE: For usage in AWX, select an appropriate host
- name: Create a User - name: Create a User
hosts: all hosts: all
@ -10,7 +9,7 @@
tasks: tasks:
- name: "Checking for user variables" - name: "Checking for user variables"
assert: ansible.builtin.assert:
that: that:
- ipa_admin | mandatory - ipa_admin | mandatory
- ipaadmin_password | mandatory - ipaadmin_password | mandatory
@ -26,3 +25,4 @@
state: enabled state: enabled
tags: tags:
- users - users
...


@ -1,7 +1,6 @@
--- ---
# This playbook is meant to be used with callable variables, like adhoc or AWX. # This playbook is meant to be used with callable variables, like adhoc or AWX.
# What: Creates users in the idm infrastructure based on the variables provided. # What: Creates users in the idm infrastructure based on the variables provided.
# NOTE: For usage in AWX, select an appropriate host
- name: Create a User - name: Create a User
hosts: all hosts: all
@ -10,7 +9,7 @@
tasks: tasks:
- name: "Checking for user variables" - name: "Checking for user variables"
assert: ansible.builtin.assert:
that: that:
- ipa_admin | mandatory - ipa_admin | mandatory
- ipaadmin_password | mandatory - ipaadmin_password | mandatory
@ -37,3 +36,4 @@
update_password: on_create update_password: on_create
tags: tags:
- users - users
...


@ -2,3 +2,6 @@
# Collections # Collections
collections: collections:
- name: freeipa.ansible_freeipa - name: freeipa.ansible_freeipa
- name: community.general
- name: ansible.posix
...
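Review bot: The two new collection entries, `- name: community.general` and `- name: ansible.posix`, are unpinned, so `ansible-galaxy collection install -r` resolves them to whatever is latest at install time, while the `ldap_attrs` migration elsewhere in this compare depends on specific community.general behaviour. Add `version: "<pinned version>"` (placeholder) under each, and ideally under `freeipa.ansible_freeipa` as well. The roles file in this compare likewise tracks `version: main` for `rockylinux.ipagetcert`, which is a moving target for the same reason.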

15
import-rockygroups.yml Normal file

@ -0,0 +1,15 @@
---
# Creates the first set of groups for the IdM Infrastructure
- name: "Creating Mandatory Groups"
freeipa.ansible_freeipa.ipagroup:
ipaadmin_password: "{{ ipaadmin_password }}"
name: "{{ item.group }}"
description: "{{ item.description }}"
nonposix: false
user: "{{ item.user | default(none) }}"
membermanager_user: "{{ item.managers_users | default(omit) }}"
membermanager_group: "{{ item.managers_groups | default(omit) }}"
loop: "{{ ipagroups }}"
tags:
- groups
...
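Review bot: `user: "{{ item.user | default(none) }}"` differs from the sibling `membermanager_*` arguments that use `default(omit)`; passing `none` hands the module an explicit null `user` rather than leaving the argument unset, which for groups without a `user:` key (e.g. `development`, `qa` in vars/ipa/groups.yml) is presumably not intended, so `user: "{{ item.user | default(omit) }}"` is the consistent form. If I read ansible_freeipa's semantics right, `ipagroup` with the default `state: present` and a `user` list ensures exactly that membership, so members added by hand are reverted on the next run — a comment saying so would help. The loop also lacks the `when: ipagroups is defined` guard that the privileges tasks use; harmless given the calling play's assert, but worth aligning.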

45
import-rockyipaprivs.yml Normal file

@ -0,0 +1,45 @@
---
# Creates necessary privileges for services
- name: "Creating necessary privileges"
freeipa.ansible_freeipa.ipaprivilege:
ipaadmin_password: "{{ ipaadmin_password }}"
name: "{{ item.privilege }}"
description: "{{ item.description }}"
loop: "{{ ipaprivileges }}"
when: ipaprivileges is defined
tags:
- rbac
- name: "Creating permissions"
freeipa.ansible_freeipa.ipaprivilege:
ipaadmin_password: "{{ ipaadmin_password }}"
name: "{{ item.privilege }}"
permission: "{{ item.permissions }}"
action: member
loop: "{{ ipaprivileges }}"
when: ipaprivileges is defined
tags:
- rbac
- name: "Creating roles based on custom privileges"
freeipa.ansible_freeipa.iparole:
ipaadmin_password: "{{ ipaadmin_password }}"
name: "{{ item.role }}"
privilege: "{{ item.privilege }}"
user: "{{ item.user|default(omit) }}"
loop: "{{ ipaprivileges }}"
when: ipaprivileges is defined
tags:
- rbac
- name: "Creating roles based on standard privileges"
freeipa.ansible_freeipa.iparole:
ipaadmin_password: "{{ ipaadmin_password }}"
name: "{{ item.role }}"
privilege: "{{ item.privileges }}"
user: "{{ item.user|default(omit) }}"
loop: "{{ iparoles }}"
when: iparoles is defined
tags:
- rbac
...
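Review bot: The role `Kerberos Managers` is ensured twice: once by the `Creating roles based on custom privileges` task from `ipaprivileges[].role` (privilege `Privileges - Kerberos Managers` only) and again by the `standard privileges` task from `iparoles` with two privileges; if `iparole` with `state: present` and no `action: member` sets membership exactly, as I read ansible_freeipa's docs, the second task silently defines the final state and the first is redundant for that role. Dropping the `role:`/`user:` keys from the `ipaprivileges` entry in vars/ipa/ipaprivs.yml, or giving the first role task `action: member`, removes the order dependence. Both role tasks also ignore `item.description`, which the vars file sets.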

17
import-rockypwpolicy.yml Normal file

@ -0,0 +1,17 @@
---
# Creates the first set of groups for the IdM Infrastructure
- name: "Setting up password policies"
freeipa.ansible_freeipa.ipapwpolicy:
ipaadmin_password: "{{ ipaadmin_password }}"
name: "{{ item.group }}"
minlife: "{{ item.minlife | default(0) }}"
maxlife: "{{ item.maxlife | default(0) }}"
history: "{{ item.history | default(5) }}"
priority: "{{ item.priority | default(1) }}"
lockouttime: "{{ item.lockout | default(300) }}"
minlength: "{{ item.minlength | default(8) }}"
maxfile: "{{ item.maxfail | default(5) }}"
loop: "{{ ipapwpolicies }}"
tags:
- groups
...
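Review bot: `maxfile: "{{ item.maxfail | default(5) }}"` looks like a typo — the ipapwpolicy option is `maxfail`, so this task should fail argument validation as written; change it to `maxfail: "{{ item.maxfail | default(5) }}"`. The header comment `Creates the first set of groups for the IdM Infrastructure` was copied from the groups file and the task is tagged `groups`; `pwpolicy` would be accurate for both. `maxlife: "{{ item.maxlife | default(0) }}"` also deserves a comment: in IPA a maximum lifetime of 0 means passwords never expire, if I recall the policy semantics correctly, so state that this is deliberate or default to a finite value.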

13
import-rockysudo.yml Normal file

@ -0,0 +1,13 @@
---
# Currently only one SUDO role should be created, and that is for the
# rocky linux admins
- name: "Creating SUDO Role for Rocky Admins"
freeipa.ansible_freeipa.ipasudorule:
ipaadmin_password: "{{ ipaadmin_password }}"
name: All_RockyAdmins
description: Rocky Linux infrastructure and operations sudo access
group:
- rockyadm
hostcat: all
cmdcat: all
...
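Review bot: The `All_RockyAdmins` rule grants `cmdcat: all` on `hostcat: all` to `rockyadm` but leaves `runasusercat`/`runasgroupcat` unset, so the effective run-as semantics depend on IPA's defaults; since this is the only sudo rule, spelling out `runasusercat: all` (or a narrower run-as) makes the grant explicit and reviewable. The rule is hard-coded while this compare also adds an empty `vars/ipa/sudorules.yml`; looping over a `sudorules` list as the other import files do would keep the pattern consistent. A comment noting that `rockyadm` membership is the sole gate for root on every enrolled host would help whoever reviews the groups file.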

71
import-rockyusers.yml Normal file

@ -0,0 +1,71 @@
---
# Creates the first set of users for the IdM Infrastructure. This
# should create both regular and admin accounts for separation of
# privilege.
- name: "Creating Initial Accounts"
freeipa.ansible_freeipa.ipauser:
ipaadmin_password: "{{ ipaadmin_password }}"
name: "{{ item.name }}"
first: "{{ item.first }}"
last: "{{ item.last }}"
email: "{{ item.email|default(omit) }}"
password: "{{ item.password }}"
title: "{{ item.title }}"
loginshell: "{{ item.loginshell }}"
update_password: on_create
loop: "{{ users }}"
tags:
- users
- name: "Creating Initial Admin Accounts"
freeipa.ansible_freeipa.ipauser:
ipaadmin_password: "{{ ipaadmin_password }}"
name: "{{ item.name }}"
first: "{{ item.first }}"
last: "{{ item.last }}"
email: "{{ item.email|default(omit) }}"
password: "{{ item.password }}"
title: "{{ item.title }}"
loginshell: "{{ item.loginshell }}"
update_password: on_create
loop: "{{ adminusers }}"
tags:
- users
- name: "Creating Service Accounts"
freeipa.ansible_freeipa.ipauser:
ipaadmin_password: "{{ ipaadmin_password }}"
name: "{{ item.name }}"
first: "{{ item.first }}"
last: "{{ item.last }}"
email: "{{ item.email|default(omit) }}"
password: "{{ item.password }}"
title: "{{ item.title }}"
loginshell: "{{ item.loginshell }}"
update_password: on_create
loop: "{{ svcusers }}"
tags:
- users
- name: "Creating bind account template - binder"
ansible.builtin.template:
src: "tmp/binder.update"
dest: "/tmp/binder.update"
owner: root
group: root
mode: '0600'
tags:
- users
- name: "Adding in the bind account - binder"
ansible.builtin.command: "/usr/sbin/ipa-ldap-updater /tmp/binder.update"
register: bind_account
changed_when: "bind_account.rc == 0"
tags:
- users
- name: "Remove template"
ansible.builtin.file:
path: "/tmp/binder.update"
state: absent
...
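Review bot: The three `ipauser` tasks loop over items that contain `password`, and Ansible prints the loop `item` in each result, so the initial passwords appear in task output even though the module hides its own `password` argument; add `no_log: true` to each task, or at minimum `loop_control:` / `  label: "{{ item.name }}"`. The three tasks are otherwise identical and could be one task with `loop: "{{ users + adminusers + svcusers }}"`, since all three lists use the same keys. The binder template/command/cleanup tasks duplicate the `Create binder account` play in this compare; only one of the two paths should survive, and the `mode: '0600'` on the template here is the setting that the other hunk does not show.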


@ -0,0 +1,32 @@
---
# This builds out the initial users and groups for the rocky linux infra
- name: Create our initial users
hosts: all
become: false
gather_facts: false
vars_files:
- vars/ipa/rdns.yml
- vars/ipa/fdns.yml
tasks:
- name: "Checking for user variables"
ansible.builtin.assert:
that:
- ipaadmin_password | mandatory
success_msg: "Required variables provided"
fail_msg: "We are missing ipa admin password"
- name: "Create Reverse Domains"
freeipa.ansible_freeipa.ipadnszone:
ipaadmin_password: '{{ ipaadmin_password }}'
name: '{{ item }}'
dynamic_update: true
with_items: '{{ rdns }}'
- name: "Create Forward Domains"
freeipa.ansible_freeipa.ipadnszone:
ipaadmin_password: '{{ ipaadmin_password }}'
name: '{{ item }}'
dynamic_update: true
with_items: '{{ fdns }}'
...
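Review bot: The play is named `Create our initial users` but it creates DNS zones; rename it (e.g. `Create initial DNS zones`) so logs and job views are not misleading. Both `ipadnszone` tasks set `dynamic_update: true` without an `update_policy`, so the zones accept dynamic updates under IPA's default policy; a comment stating which clients are expected to update them (presumably the `ipasssd_enable_dns_updates: true` clients in vars/ipa/ipaclient.yml) documents the intent. `with_items: '{{ rdns }}'` is the legacy form; `loop:` matches the other new files, and the single-quoted templates here differ from the double quotes used elsewhere in the compare.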

35
init-rocky-ipa-team.yml Normal file

@ -0,0 +1,35 @@
---
# This builds out the initial users and groups for the rocky linux infra
- name: Create our initial users
hosts: all
become: true
gather_facts: false
vars_files:
- vars/ipa/users.yml
- vars/ipa/adminusers.yml
- vars/ipa/svcusers.yml
- vars/ipa/groups.yml
- vars/ipa/ipaprivs.yml
tasks:
- name: "Checking for user variables"
ansible.builtin.assert:
that:
- ipaadmin_password | mandatory
- users | mandatory
- ipagroups | mandatory
success_msg: "Required variables provided"
fail_msg: "We are missing users or ipa admin password"
- name: "Start users"
import_tasks: import-rockyusers.yml
- name: "Start groups"
import_tasks: import-rockygroups.yml
- name: "Start sudo for admins"
import_tasks: import-rockysudo.yml
- name: "Start privileges for services"
import_tasks: import-rockyipaprivs.yml
...
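Review bot: The new `import-rockypwpolicy.yml` is never imported — this play imports users, groups, sudo and privileges only — and no `ipapwpolicies` vars file appears in this compare, so the password-policy task file is dead as committed; either add `- name: "Start password policies"` / `  import_tasks: import-rockypwpolicy.yml` plus a vars file, or drop it. `import_tasks:` should be `ansible.builtin.import_tasks:` to match the `use FQCN across the board` commit. The play runs with `become: true` although the other freeipa-module plays use `become: false`; the modules talk to the IPA API and presumably do not need root on the target.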


@ -1,18 +1,20 @@
--- ---
# Configures an IPA client for the Rocky infrastructure # Configures an IPA client for the Rocky infrastructure
# NOTE: For usage in AWX, select an appropriate host # Define "host" as a hostgroup name or a single host
- name: Configure IPA client - name: Configure IPA client
hosts: all hosts: all
become: true become: true
vars_files:
- vars/ipa/ipaclient.yml
pre_tasks: pre_tasks:
- name: Check if ansible cannot be run here - name: Check if ansible cannot be run here
stat: ansible.builtin.stat:
path: /etc/no-ansible path: /etc/no-ansible
register: no_ansible register: no_ansible
- name: Verify if we can run ansible - name: Verify if we can run ansible
assert: ansible.builtin.assert:
that: that:
- "not no_ansible.stat.exists" - "not no_ansible.stat.exists"
success_msg: "We are able to run on this node" success_msg: "We are able to run on this node"
@ -30,9 +32,10 @@
post_tasks: post_tasks:
- name: Touching run file that ansible has ran here - name: Touching run file that ansible has ran here
file: ansible.builtin.file:
path: /var/log/ansible.run path: /var/log/ansible.run
state: touch state: touch
mode: '0644' mode: '0644'
owner: root owner: root
group: root group: root
...
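Review bot: The new header comment `Define "host" as a hostgroup name or a single host` contradicts the play, which still has `hosts: all` and never references a `host` variable; the `Configure IPA server` replica play below has the same mismatch. Either change the play to `hosts: "{{ host }}"` so an explicit target is required, or reword the comment to say the play must be run with `--limit`. Enrolling every inventory host on an unlimited run is the failure mode the comment seems meant to prevent.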


@ -1,6 +1,6 @@
--- ---
# Creates an IPA replica # Creates an IPA replica
# NOTE: Select the appropriate host or hostgroup # Define "host" as a hostgroup name or a single host
- name: Configure IPA server - name: Configure IPA server
hosts: all hosts: all
become: true become: true
@ -11,19 +11,19 @@
pre_tasks: pre_tasks:
- name: Check if ansible cannot be run here - name: Check if ansible cannot be run here
stat: ansible.builtin.stat:
path: /etc/no-ansible path: /etc/no-ansible
register: no_ansible register: no_ansible
- name: Verify if we can run ansible - name: Verify if we can run ansible
assert: ansible.builtin.assert:
that: that:
- "not no_ansible.stat.exists" - "not no_ansible.stat.exists"
success_msg: "We are able to run on this node" success_msg: "We are able to run on this node"
fail_msg: "/etc/no-ansible exists - skipping run on this node" fail_msg: "/etc/no-ansible exists - skipping run on this node"
- name: Ensure 'dns=none' is set for Network Manager - name: Ensure 'dns=none' is set for Network Manager
ini_file: community.general.ini_file:
path: /etc/NetworkManager/NetworkManager.conf path: /etc/NetworkManager/NetworkManager.conf
state: present state: present
no_extra_spaces: true no_extra_spaces: true
@ -43,9 +43,10 @@
post_tasks: post_tasks:
- name: Touching run file that ansible has ran here - name: Touching run file that ansible has ran here
file: ansible.builtin.file:
path: /var/log/ansible.run path: /var/log/ansible.run
state: touch state: touch
mode: '0644' mode: '0644'
owner: root owner: root
group: root group: root
...


@ -6,7 +6,6 @@
# Storage: 10G /var/lib/dirsrv # Storage: 10G /var/lib/dirsrv
# System fully up to date # System fully up to date
# Define "host" as a hostgroup name or a single host # Define "host" as a hostgroup name or a single host
# NOTE: For AWX, choose the appropriate host or host group
- name: Configure IPA server - name: Configure IPA server
hosts: all hosts: all
become: true become: true
@ -17,19 +16,19 @@
pre_tasks: pre_tasks:
- name: Check if ansible cannot be run here - name: Check if ansible cannot be run here
stat: ansible.builtin.stat:
path: /etc/no-ansible path: /etc/no-ansible
register: no_ansible register: no_ansible
- name: Verify if we can run ansible - name: Verify if we can run ansible
assert: ansible.builtin.assert:
that: that:
- "not no_ansible.stat.exists" - "not no_ansible.stat.exists"
success_msg: "We are able to run on this node" success_msg: "We are able to run on this node"
fail_msg: "/etc/no-ansible exists - skipping run on this node" fail_msg: "/etc/no-ansible exists - skipping run on this node"
- name: Ensure 'dns=none' is set for Network Manager to avoid change - name: Ensure 'dns=none' is set for Network Manager to avoid change
ini_file: community.general.ini_file:
path: /etc/NetworkManager/NetworkManager.conf path: /etc/NetworkManager/NetworkManager.conf
state: present state: present
no_extra_spaces: true no_extra_spaces: true
@ -49,7 +48,7 @@
post_tasks: post_tasks:
- name: Touching run file that ansible has ran here - name: Touching run file that ansible has ran here
file: ansible.builtin.file:
path: /var/log/ansible.run path: /var/log/ansible.run
state: touch state: touch
mode: '0644' mode: '0644'
@ -60,3 +59,4 @@
freeipa.ansible_freeipa.ipadnsconfig: freeipa.ansible_freeipa.ipadnsconfig:
ipaadmin_password: '{{ ipaadmin_password }}' ipaadmin_password: '{{ ipaadmin_password }}'
allow_sync_ptr: true allow_sync_ptr: true
...


@ -4,3 +4,4 @@ roles:
- name: rockylinux.ipagetcert - name: rockylinux.ipagetcert
src: https://github.com/rocky-linux/ansible-role-ipa-getcert src: https://github.com/rocky-linux/ansible-role-ipa-getcert
version: main version: main
...

51
vars/ipa/adminusers.yml Normal file

@ -0,0 +1,51 @@
---
adminusers:
- name: label2
first: Louis
last: Abel
password: ThisIsNotMyPassword1!
title: Infrastructure IdM Manager
loginshell: /bin/bash
- name: gmk2
first: Gregory
last: Kurtzer
password: ThisIsNotMyPassword1!
title: Executive Director
loginshell: /bin/bash
- name: brian2
first: Brian
last: Clemens
password: ThisIsNotMyPassword1!
title: Project Manager
loginshell: /bin/bash
- name: neil2
first: Neil
last: Hanlon
password: ThisIsNotMyPassword1!
title: Infrastructure Manager
loginshell: /bin/bash
- name: rlh2
first: R. Leigh
last: Hennig
password: ThisIsNotMyPassword1!
title: Operations Manager
loginshell: /bin/bash
- name: rfelsburg2
first: Rob
last: Felsburg
password: ThisIsNotMyPassword1!
title: Operations Manager
loginshell: /bin/bash
- name: tg2
first: Taylor
last: Goodwill
password: ThisIsNotMyPassword1!
title: Infrastructure Manager
loginshell: /bin/bash
- name: bagner2
first: Benjamin
last: Agner
password: ThisIsNotMyPassword1!
title: Security Director
loginshell: /bin/bash
...
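Review bot: Every account in the new `adminusers` list carries a literal `password: ThisIsNotMyPassword1!` in a plain (non-vault) vars file, and `import-rockyusers.yml` consumes it with `update_password: on_create`, so whatever value is here becomes the real initial password of every admin account on first run; a shared, committed initial password for the `rockyadm` accounts (which receive all-hosts sudo) is the worst case. Move `password` into the vaulted file this repo already references (`vars/vaults/userman.yml`) or generate it per user, and keep only non-secret attributes here. A short comment at the top of the file stating that `password` must come from vault would stop the placeholder from being copied into new entries.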

3
vars/ipa/agreements.yml Normal file

@ -0,0 +1,3 @@
---
# Vars for Agreements for the Rocky Linux Project
...

5
vars/ipa/fdns.yml Normal file

@ -0,0 +1,5 @@
---
fdns:
- rockylinux.org.
- aws.rockylinux.org.
...

99
vars/ipa/groups.yml Normal file

@ -0,0 +1,99 @@
---
ipagroups:
- group: infrastructure
description: Infrastructure Team
user:
- label
- neil
- rlh
- rfelsburg
- tg
- bagner
- group: operations
description: Operations Team
user:
- rlh
- rfelsburg
- group: development
description: Development Team
- group: qa
description: Quality Assurance Team
- group: marketing
description: Marketing
- group: rocky
description: Rocky Linux Team
user:
- label
- gmk
- brian
- hbjy
- jorp
- neil
- rlh
- rfelsburg
- tg
- bagner
- group: rockyadm
description: Rocky Linux Administrators - Only Admin Accounts
user:
- label2
- gmk2
- brian2
- hbjy2
- jorp2
- neil2
- rlh2
- rfelsburg2
- tg2
- bagner2
- group: gitadm
description: Rocky Linux GitLab Admins
user:
- label
- neil
- rlh
- rfelsburg
- tg
- hbjy
- group: gitusers
description: Rocky Linux GitLab Users
user:
- label
- neil
- rlh
- rfelsburg
- tg
- hbjy
- rockyautomation
managers_users:
- label
- neil
- rlh
- rfelsburg
- tg
- hbjy
- group: services
description: Rocky Linux Service Accounts
user:
- userman
- hostman
- kerbman
- rockykoji
- pubsub_federation
- rockypubsub
- rockyautomation
- group: iam
description: Rocky Linux Identity Management
user:
- label
managers_users:
- label
- group: releng
description: Rocky Linux Release Engineering
user:
- label
managers_users:
- label
- group: mq_pub_readonly
description: RabbitMQ ReadOnly
...
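Review bot: `rockyadm` lists `hbjy2` and `jorp2`, and `rocky`/`gitadm`/`gitusers` list `hbjy` and `jorp`, but vars/ipa/adminusers.yml in this compare defines only label2, gmk2, brian2, neil2, rlh2, rfelsburg2, tg2 and bagner2; unless those accounts exist elsewhere, `ipagroup` will fail on the unknown members. Since `rockyadm` is the group that `import-rockysudo.yml` grants all commands on all hosts, its membership deserves a comment naming the approval process and should stay minimal. `gitusers`, `iam` and `releng` have `managers_users` while `rockyadm` and `services` have none; a comment on why some groups are self-managed and others are not would help the next editor.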

11
vars/ipa/ipaclient.yml Normal file

@ -0,0 +1,11 @@
---
# IPA Client Vars
ipaclient_domain: rockylinux.org
ipaclient_realm: ROCKYLINUX.ORG
ipaadmin_principal: admin
ipaclient_no_ntp: true
ipaclient_mkhomedir: true
ipaclient_ssh_trust_dns: true
ipasssd_enable_dns_updates: true
ipatype: client
...
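Review bot: `ipaclient_ssh_trust_dns: true` configures the OpenSSH client to trust SSHFP records from DNS for host-key verification (as the ansible-freeipa option is documented), which is only as strong as DNSSEC validation on the resolver path; a comment stating that assumption — and that `ipaclient_no_ntp: true` presumes time sync is managed elsewhere, since Kerberos rejects skewed clocks — would keep the next reader from flipping these casually. The file repeats `ipaclient_no_ntp`/`ipaclient_mkhomedir` from the replica and server vars files; a shared vars file (e.g. `vars/ipa/common.yml`, constructed name) would avoid drift between the three.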

43
vars/ipa/ipaprivs.yml Normal file

@ -0,0 +1,43 @@
---
# privileges
ipaprivileges:
- privilege: Privileges - Kerberos Managers
description: Kerberos Key Managers
permissions:
- "System: Manage Host Keytab"
- "System: Manage Host Keytab Permissions"
- "System: Manage Service Keytab"
- "System: Manage Service Keytab Permissions"
- "System: Manage User Principals"
role: Kerberos Managers
user:
- kerbman
# Standalone Roles
iparoles:
- role: IPA Client Managers
description: IPA Client Managers
privileges:
- "DNS Administrators"
- "DNS Servers"
- "Host Administrators"
- "Host Enrollment"
- "Host Group Administrators"
- "Netgroups Administrators"
user:
- hostman
- role: Kerberos Managers
description: Kerberos Key Managers
privileges:
- "Privileges - Kerberos Managers"
- "Service Administrators"
user:
- kerbman
- role: IPA User Managers
description: Rocky IPA User Managers responsible for idm flow
privileges:
- "Group Administrators"
- "Stage User Administrators"
- "User Administrators"
- "FAS Agreement Administrators"
...
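Review bot: The `ipaprivileges` entry for `Privileges - Kerberos Managers` also carries `role:` and `user:` keys, which duplicate the `Kerberos Managers` entry under `iparoles` below, so the two definitions can drift apart and it is not clear from the file which one the consuming play reads for membership. Keeping privilege entries to `privilege`/`description`/`permissions` and leaving role membership to `iparoles` removes the ambiguity. The `IPA User Managers` role is also the only one without a `user:` list; if its membership is intentionally assigned elsewhere, a comment such as `# membership managed via group/role assignment, not here` would save the next reviewer from wondering whether it was forgotten.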

14
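--- a/vars/ipa/ipareplica.yml
+++ b/vars/ipa/ipareplica.yml
@@ -0,0 +1,14 @@
+---
+# IPA Replica
+ipaadmin_principal: admin
+ipaclient_no_ntp: true
+ipaclient_mkhomedir: true
+ipaserver_realm: ROCKYLINUX.ORG
+ipareplica_domain: rockylinux.org
+ipareplica_auto_forwarders: true
+ipareplica_setup_firewalld: true
+ipareplica_setup_ca: true
+ipareplica_setup_kra: true
+ipareplica_setup_dns: true
+ipatype: replica
+...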

16
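--- a/vars/ipa/ipaserver.yml
+++ b/vars/ipa/ipaserver.yml
@@ -0,0 +1,16 @@
+---
+# IPA Server
+ipaserver_domain: rockylinux.org
+ipaserver_realm: ROCKYLINUX.ORG
+ipaserver_setup_dns: true
+ipaserver_setup_kra: true
+ipaserver_auto_forwarders: true
+ipaserver_no_host_dns: true
+ipaserver_allow_zone_overlap: true
+ipaserver_setup_firewalld: true
+ipaclient_no_ntp: true
+ipaclient_mkhomedir: true
+ipaserver_no_hbac_allow: true
+ipaserver_reverse_zones: ["32.10.in-addr.arpa."]
+ipatype: server
+...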
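Review bot: None of the server flags is commented, and a few of them set the realm's security posture rather than just installation mechanics; `ipaserver_no_hbac_allow: true` in particular installs the server without the default allow_all HBAC rule, so no host accepts logins until explicit HBAC rules exist. A one-line comment above it, e.g. `# no default allow_all HBAC rule: access is granted only by explicit HBAC rules`, records that this is deliberate rather than an accident to be "fixed" later. The same applies to `ipaserver_no_host_dns` and `ipaserver_allow_zone_overlap`, which relax DNS sanity checks at install time. vars/ipaserver.yml at the end of this change also sets `ipatype: server`; a note on which of the two files the inventory is meant to load would avoid the duplication being resolved the wrong way.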

4
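--- a/vars/ipa/rdns.yml
+++ b/vars/ipa/rdns.yml
@@ -0,0 +1,4 @@
+---
+rdns:
+  - 32.10.in-addr.arpa.
+...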

2
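--- a/vars/ipa/sudorules.yml
+++ b/vars/ipa/sudorules.yml
@@ -0,0 +1,2 @@
+---
+...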

45
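--- a/vars/ipa/svcusers.yml
+++ b/vars/ipa/svcusers.yml
@@ -0,0 +1,45 @@
+---
+svcusers:
+  - name: hostman
+    first: Host
+    last: Manager
+    password: ThisIsNotMyPassword1!
+    title: System Account - Host Manager
+    loginshell: /sbin/nologin
+  - name: kerbman
+    first: Kerberos
+    last: Manager
+    password: ThisIsNotMyPassword1!
+    title: System Account - Kerberos Key Manager
+    loginshell: /sbin/nologin
+  - name: userman
+    first: User
+    last: Manager
+    password: ThisIsNotMyPassword1!
+    title: System Account - User Manager
+    loginshell: /sbin/nologin
+  - name: rockykoji
+    first: Koji
+    last: Manager
+    password: ThisIsNotMyPassword1!
+    title: System Account - Koji Manager
+    loginshell: /sbin/nologin
+  - name: pubsub_federation
+    first: pubsub
+    last: federation
+    password: ThisIsNotMyPassword1!
+    title: System Account - pubsub federator
+    loginshell: /sbin/nologin
+  - name: rockypubsub
+    first: rocky
+    last: pubsub
+    password: ThisIsNotMyPassword1!
+    title: System Account - pubsub
+    loginshell: /sbin/nologin
+  - name: rockyautomation
+    first: Rocky
+    last: Automation
+    password: ThisIsNotMyPassword1!
+    title: System Account - Automation
+    loginshell: /sbin/nologin
+...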
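Review bot: Every service account in this file carries the literal `password: ThisIsNotMyPassword1!` in an unencrypted vars file, and the same single value is repeated for all eight human accounts in vars/ipa/users.yml. Even if the string is only a placeholder, a committed plaintext credential shared across privileged service accounts (these same names hold the Kerberos/host/user-manager roles in vars/ipa/ipaprivs.yml) is exactly what secret scanners and reviewers will flag, and it invites someone to run the play as-is. Pull each value from an ansible-vault-encrypted variable instead, e.g. `password: "{{ svc_hostman_password }}"` (quoted, since a Jinja expression must not start a plain scalar), so that per-account secrets never live in the repository in the clear. If the consuming role treats this as an initial password, a header comment saying so and stating that it must be rotated on first use would document the intent.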

59
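--- a/vars/ipa/users.yml
+++ b/vars/ipa/users.yml
@@ -0,0 +1,59 @@
+---
+users:
+  - name: label
+    first: Louis
+    last: Abel
+    email: label@rockylinux.org
+    password: ThisIsNotMyPassword1!
+    title: Infrastructure IdM Manager
+    loginshell: /bin/bash
+  - name: gmk
+    first: Gregory
+    last: Kurtzer
+    email: gmk@rockylinux.org
+    password: ThisIsNotMyPassword1!
+    title: Executive Director
+    loginshell: /bin/bash
+  - name: brian
+    first: Brian
+    last: Clemens
+    email: brian@rockylinux.org
+    password: ThisIsNotMyPassword1!
+    title: Project Manager
+    loginshell: /bin/bash
+  - name: neil
+    first: Neil
+    last: Hanlon
+    email: neil@rockylinux.org
+    password: ThisIsNotMyPassword1!
+    title: Infrastructure Manager
+    loginshell: /bin/bash
+  - name: rlh
+    first: R. Leigh
+    last: Hennig
+    email: rlh@rockylinux.org
+    password: ThisIsNotMyPassword1!
+    title: Operations Manager
+    loginshell: /bin/bash
+  - name: rfelsburg
+    first: Rob
+    last: Felsburg
+    email: rfelsburg@rockylinux.org
+    password: ThisIsNotMyPassword1!
+    title: Operations Manager
+    loginshell: /bin/bash
+  - name: tg
+    first: Taylor
+    last: Goodwill
+    email: tg@rockylinux.org
+    password: ThisIsNotMyPassword1!
+    title: Infrastructure Manager
+    loginshell: /bin/bash
+  - name: bagner
+    first: Benjamin
+    last: Agner
+    email: bagner@rockylinux.org
+    password: ThisIsNotMyPassword1!
+    title: Security Director
+    loginshell: /bin/bash
+...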

3
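--- a/vars/ipaserver.yml
+++ b/vars/ipaserver.yml
@@ -0,0 +1,3 @@
+---
+ipatype: server
+...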