infrastructure/ansible-ipa-management
7
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Compare commits

base: infrastructure:b97263aae6b82681c33e71b9e6509f12b1378371
Branches Tags
infrastructure:main
..
compare: infrastructure:86c94eb7072dd82c909bbb9715e6f216f803fef6
Branches Tags
infrastructure:main

No commits in common. "b97263aae6b82681c33e71b9e6509f12b1378371" and "86c94eb7072dd82c909bbb9715e6f216f803fef6" have entirely different histories.
b97263aae6 ... 86c94eb707

36 changed files with 54 additions and 663 deletions
Show Stats Expand all files Collapse all files

13
adhoc-ipabinder.yml
View File

@ -6,12 +6,12 @@
# -> ipa_binder_password: Bind account password # -> ipa_binder_password: Bind account password
- name: Create binder account - name: Create binder account
hosts: all hosts: ipaserver
become: true become: true
tasks: tasks:
- name: "Check for user variables" - name: "Check for user variables"
ansible.builtin.assert: assert:
that: that:
- ipa_binder_name | mandatory - ipa_binder_name | mandatory
- ipa_binder_password | mandatory - ipa_binder_password | mandatory
@ -19,8 +19,8 @@
fail_msg: "We are missing user information" fail_msg: "We are missing user information"
- name: "Creating bind account template - binder" - name: "Creating bind account template - binder"
ansible.builtin.template: template:
src: "tmp/binder_template.update" src: "tmp/binder.update.j2"
dest: "/tmp/binder.update" dest: "/tmp/binder.update"
owner: root owner: root
group: root group: root
@ -29,14 +29,13 @@
- users - users
- name: "Adding in the bind account" - name: "Adding in the bind account"
ansible.builtin.command: "/usr/sbin/ipa-ldap-updater /tmp/binder.update" command: "/usr/sbin/ipa-ldap-updater /tmp/binder.update"
register: bind_account register: bind_account
changed_when: "bind_account.rc == 0" changed_when: "bind_account.rc == 0"
tags: tags:
- users - users
- name: "Remove template" - name: "Remove template"
ansible.builtin.file: file:
path: "/tmp/binder.update" path: "/tmp/binder.update"
state: absent state: absent
...

4
adhoc-ipadnsrecord.yml
View File

@ -10,6 +10,7 @@
# -> ipa_name_type: Type of record (eg, CNAME, A, AAAA, PTR) # -> ipa_name_type: Type of record (eg, CNAME, A, AAAA, PTR)
# -> ipa_name_value: Record value (depends on type of record) # -> ipa_name_value: Record value (depends on type of record)
# -> ipa_presence: present or absent # -> ipa_presence: present or absent
# NOTE: For usage in AWX, select an IPA server
- name: Create a DNS Record - name: Create a DNS Record
hosts: all hosts: all
@ -18,7 +19,7 @@
tasks: tasks:
- name: "Checking for user variables" - name: "Checking for user variables"
ansible.builtin.assert: assert:
that: that:
- ipaadmin_password | mandatory - ipaadmin_password | mandatory
- ipa_zone | mandatory - ipa_zone | mandatory
@ -53,4 +54,3 @@
managedby: managedby:
- "{{ ipa_name_value[:-1] }}" - "{{ ipa_name_value[:-1] }}"
ignore_errors: true ignore_errors: true
...

4
adhoc-ipadnszone.yml
View File

@ -2,6 +2,7 @@
# This playbook is meant to be used with callable variables, like adhoc or AWX. # This playbook is meant to be used with callable variables, like adhoc or AWX.
# What: Creates dns zones in the idm infrastructure based on the variables # What: Creates dns zones in the idm infrastructure based on the variables
# provided. # provided.
# NOTE: For usage in AWX, select an IPA server
- name: Create a DNS Zone - name: Create a DNS Zone
hosts: all hosts: all
@ -10,7 +11,7 @@
tasks: tasks:
- name: "Checking for user variables" - name: "Checking for user variables"
ansible.builtin.assert: assert:
that: that:
- ipa_admin | mandatory - ipa_admin | mandatory
- ipaadmin_password | mandatory - ipaadmin_password | mandatory
@ -25,4 +26,3 @@
name: "{{ ipa_zone }}" name: "{{ ipa_zone }}"
tags: tags:
- dns - dns
...

4
adhoc-ipagetcert.yml
View File

@ -9,8 +9,8 @@
# -> getcert_postcmd: command to run after a certificate renews # -> getcert_postcmd: command to run after a certificate renews
# -> getcert_chain: true/false, should cert and key be chained together # -> getcert_chain: true/false, should cert and key be chained together
# -> getcert_chain_location: location for the chain # -> getcert_chain_location: location for the chain
# -> getcert_service: service name (eg HTTP, host), defaults to host
# TODO: Add CNAME/SAN support # TODO: Add CNAME/SAN support
# NOTE: For usage in AWX, select an appropriate server
- name: Request and sign an IPA Certificate - name: Request and sign an IPA Certificate
hosts: all hosts: all
@ -24,7 +24,6 @@
nss_db_dir: "{{ getcert_nss_db_dir|default('/etc/pki/tls/db') }}" nss_db_dir: "{{ getcert_nss_db_dir|default('/etc/pki/tls/db') }}"
nss_nickname: "{{ getcert_nss_nickname|default(ansible_fqdn) }}" nss_nickname: "{{ getcert_nss_nickname|default(ansible_fqdn) }}"
postcmd: "{{ getcert_postcmd|default(false) }}" postcmd: "{{ getcert_postcmd|default(false) }}"
service: "{{ getcert_service|default('host') }}"
ipa_getcert_chain: "{{ getcert_chain|default(false) }}" ipa_getcert_chain: "{{ getcert_chain|default(false) }}"
ipa_getcert_chain_location: "{{ getcert_chain_location|default('/etc/pki/tls/chain') }}" ipa_getcert_chain_location: "{{ getcert_chain_location|default('/etc/pki/tls/chain') }}"
ipa_getcert_nss: "{{ getcert_nss|default(false) }}" ipa_getcert_nss: "{{ getcert_nss|default(false) }}"
@ -32,4 +31,3 @@
roles: roles:
- role: rockylinux.ipagetcert - role: rockylinux.ipagetcert
state: present state: present
...

30
adhoc-ipagetkeytab.yml
View File

@ -4,7 +4,7 @@
# extended security posture # extended security posture
# What: Pulls keytabs for a kerberos service # What: Pulls keytabs for a kerberos service
# What is expected: # What is expected:
# -> host: The host in the inventory # -> host: The host in the inventory, this MUST be FQDN.
# -> ipa_service: using this format: SVC/hostname.rockylinux.org@ROCKYLINUX.ORG # -> ipa_service: using this format: SVC/hostname.rockylinux.org@ROCKYLINUX.ORG
# Note: This service MUST exist # Note: This service MUST exist
# -> ipa_keytab_fullpath: The full path to the keytab. Example: /etc/gitlab/gitlab.keytab # -> ipa_keytab_fullpath: The full path to the keytab. Example: /etc/gitlab/gitlab.keytab
@ -12,6 +12,7 @@
# -> ipa_owner: If applicable, the local account that can read this keytab (eg apache) # -> ipa_owner: If applicable, the local account that can read this keytab (eg apache)
# -> ipa_admin: The admin user that has kerberos management capabilities (default is admin) # -> ipa_admin: The admin user that has kerberos management capabilities (default is admin)
# -> ipaadmin_password: This should be the password of the admin user # -> ipaadmin_password: This should be the password of the admin user
# NOTE: For usage in AWX, select an appropriate host
- name: Pull keytab from IPA - name: Pull keytab from IPA
hosts: all hosts: all
@ -20,7 +21,7 @@
tasks: tasks:
- name: "Checking for user variables" - name: "Checking for user variables"
ansible.builtin.assert: assert:
that: that:
- ipa_admin | mandatory - ipa_admin | mandatory
- ipaadmin_password | mandatory - ipaadmin_password | mandatory
@ -31,14 +32,14 @@
fail_msg: "We are missing required information" fail_msg: "We are missing required information"
- name: "Check that a keytab doesn't already exist" - name: "Check that a keytab doesn't already exist"
ansible.builtin.stat: stat:
path: "{{ ipa_keytab_fullpath }}" path: "{{ ipa_keytab_fullpath }}"
register: keytab_status register: keytab_status
check_mode: false check_mode: false
changed_when: "1 != 1" changed_when: "1 != 1"
- name: "Verify keytab existence" - name: "Verify keytab existence"
ansible.builtin.assert: assert:
that: that:
- "not keytab_status.stat.exists" - "not keytab_status.stat.exists"
success_msg: "Keytab doesn't exist, moving on..." success_msg: "Keytab doesn't exist, moving on..."
@ -70,14 +71,14 @@
- name: "Get kerberos ticket" - name: "Get kerberos ticket"
delegate_to: "{{ ipa_server }}" delegate_to: "{{ ipa_server }}"
ansible.builtin.shell: "set -o pipefail && echo \"{{ ipaadmin_password }}\" | kinit {{ ipa_admin }}" shell: "set -o pipefail && echo \"{{ ipaadmin_password }}\" | kinit {{ ipa_admin }}"
check_mode: false check_mode: false
changed_when: "1 != 1" changed_when: "1 != 1"
when: not keytab_status.stat.exists when: not keytab_status.stat.exists
- name: "Attempt to retrieve keytab" - name: "Attempt to retrieve keytab"
delegate_to: "{{ ipa_server }}" delegate_to: "{{ ipa_server }}"
ansible.builtin.command: "ipa-getkeytab -r -s {{ ipa_server }} -p {{ ipa_service }} -k /tmp/{{ host }}.kt" command: "ipa-getkeytab -r -s {{ ipa_server }} -p {{ ipa_service }} -k /tmp/{{ host }}.kt"
register: ret_result register: ret_result
check_mode: false check_mode: false
changed_when: "1 != 1" changed_when: "1 != 1"
@ -85,30 +86,30 @@
- name: "Create keytab if it didn't exist, based on the last task" - name: "Create keytab if it didn't exist, based on the last task"
delegate_to: "{{ ipa_server }}" delegate_to: "{{ ipa_server }}"
ansible.builtin.command: "ipa-getkeytab -s {{ ipa_server }} -p {{ ipa_service }} -k /tmp/{{ host }}.kt" command: "ipa-getkeytab -s {{ ipa_server }} -p {{ ipa_service }} -k /tmp/{{ host }}.kt"
when: "'krbPrincipalKey not found' in ret_result.stderr" when: "'krbPrincipalKey not found' in ret_result.stderr"
- name: "Destroy admin ticket" - name: "Destroy admin ticket"
delegate_to: "{{ ipa_server }}" delegate_to: "{{ ipa_server }}"
ansible.builtin.command: "kdestroy -A" command: "kdestroy -A"
register: kdestroy_result register: kdestroy_result
changed_when: "kdestroy_result.rc == 0" changed_when: "kdestroy_result.rc == 0"
- name: "Put the keytab into a register" - name: "Put the keytab into a register"
delegate_to: "{{ ipa_server }}" delegate_to: "{{ ipa_server }}"
ansible.builtin.command: "base64 /tmp/{{ host }}.kt" command: "base64 /tmp/{{ host }}.kt"
register: keytab register: keytab
check_mode: false check_mode: false
changed_when: "keytab.rc == 0" changed_when: "keytab.rc == 0"
- name: "Destroy local keytab" - name: "Destroy local keytab"
delegate_to: "{{ ipa_server }}" delegate_to: "{{ ipa_server }}"
ansible.builtin.file: file:
path: "/tmp/{{ host }}.kt" path: "/tmp/{{ host }}.kt"
state: absent state: absent
- name: "Deploy keytab to {{ host }} from register" - name: "Deploy keytab to {{ host }} from register"
ansible.builtin.copy: copy:
dest: "{{ ipa_keytab_fullpath }}.b64" dest: "{{ ipa_keytab_fullpath }}.b64"
content: "{{ keytab.stdout }}" content: "{{ keytab.stdout }}"
owner: "{{ ipa_owner|default('root') }}" owner: "{{ ipa_owner|default('root') }}"
@ -116,16 +117,16 @@
mode: '0600' mode: '0600'
- name: "Decode keytab" - name: "Decode keytab"
ansible.builtin.shell: "umask 077 && base64 -d {{ ipa_keytab_fullpath }}.b64 > {{ ipa_keytab_fullpath }}" shell: "umask 077 && base64 -d {{ ipa_keytab_fullpath }}.b64 > {{ ipa_keytab_fullpath }}"
changed_when: "1 != 1" changed_when: "1 != 1"
- name: "Destroy encoded keytab" - name: "Destroy encoded keytab"
ansible.builtin.file: file:
path: "{{ ipa_keytab_fullpath }}.b64" path: "{{ ipa_keytab_fullpath }}.b64"
state: absent state: absent
- name: "Set ownership if applicable, otherwise it's root owned" - name: "Set ownership if applicable, otherwise it's root owned"
ansible.builtin.file: file:
path: "{{ ipa_keytab_fullpath }}" path: "{{ ipa_keytab_fullpath }}"
owner: "{{ ipa_owner|default('root') }}" owner: "{{ ipa_owner|default('root') }}"
group: "{{ ipa_owner|default('root') }}" group: "{{ ipa_owner|default('root') }}"
@ -133,4 +134,3 @@
state: file state: file
tags: tags:
- keytab - keytab
...

7
adhoc-ipagroup.yml
View File

@ -6,15 +6,13 @@
# set to true. # set to true.
- name: Create our initial users - name: Create our initial users
hosts: all hosts: ipaserver
become: false become: false
gather_facts: false gather_facts: false
vars_files:
- vars/vaults/userman.yml
tasks: tasks:
- name: "Checking for user variables" - name: "Checking for user variables"
ansible.builtin.assert: assert:
that: that:
- ipa_admin | mandatory - ipa_admin | mandatory
- ipaadmin_password | mandatory - ipaadmin_password | mandatory
@ -47,4 +45,3 @@
check_mode: false check_mode: false
changed_when: "1 != 1" changed_when: "1 != 1"
when: ipa_fas when: ipa_fas
...

5
adhoc-ipaservice.yml
View File

@ -3,13 +3,13 @@
# What: Creates kerberos services in the idm infrastructure based on the variables provided # What: Creates kerberos services in the idm infrastructure based on the variables provided
- name: Create Services - name: Create Services
hosts: all hosts: ipaserver
become: false become: false
gather_facts: false gather_facts: false
tasks: tasks:
- name: "Checking for user variables" - name: "Checking for user variables"
ansible.builtin.assert: assert:
that: that:
- ipa_admin | mandatory - ipa_admin | mandatory
- ipaadmin_password | mandatory - ipaadmin_password | mandatory
@ -26,4 +26,3 @@
force: "{{ ipa_force | default(false) }}" force: "{{ ipa_force | default(false) }}"
tags: tags:
- services - services
...

19
adhoc-ipauser-disable-pdr.yml
View File

@ -13,12 +13,11 @@
tasks: tasks:
- name: "Checking for user variables" - name: "Checking for user variables"
ansible.builtin.assert: assert:
that: that:
- ipa_admin | mandatory - ipa_admin | mandatory
- ipaadmin_password | mandatory - ipaadmin_password | mandatory
- ipa_name | mandatory - ipa_name | mandatory
- ticket_id | mandatory
success_msg: "Required variables provided" success_msg: "Required variables provided"
fail_msg: "We are missing user information or ipa admin password" fail_msg: "We are missing user information or ipa admin password"
@ -32,7 +31,7 @@
- users - users
- name: "Remove personal information attributes" - name: "Remove personal information attributes"
community.general.ldap_attrs: community.general.ldap_attr:
dn: "uid={{ ipa_name }},cn=users,cn=accounts,dc=rockylinux,dc=org" dn: "uid={{ ipa_name }},cn=users,cn=accounts,dc=rockylinux,dc=org"
name: "{{ item }}" name: "{{ item }}"
values: [] values: []
@ -46,6 +45,7 @@
- fasGitLabUsername - fasGitLabUsername
- fasIRCNick - fasIRCNick
- fasRHBZEmail - fasRHBZEmail
- fasStatusNote
- fasWebsiteURL - fasWebsiteURL
- fasgpgkeyid - fasgpgkeyid
- fasLocale - fasLocale
@ -61,18 +61,8 @@
- telephoneNumber - telephoneNumber
- homePhone - homePhone
- name: "Set FAS Status Note"
community.general.ldap_attrs:
dn: "uid={{ ipa_name }},cn=users,cn=accounts,dc=rockylinux,dc=org"
name: "fasStatusNote"
values: "Account Disabled: {{ ticket_id }}"
state: exact
server_uri: ldap://localhost/
bind_dn: "uid={{ ipa_admin }},cn=users,cn=accounts,dc=rockylinux,dc=org"
bind_pw: "{{ ipaadmin_password }}"
- name: "Set FAS Account Information to Private" - name: "Set FAS Account Information to Private"
community.general.ldap_attrs: community.general.ldap_attr:
dn: "uid={{ ipa_name }},cn=users,cn=accounts,dc=rockylinux,dc=org" dn: "uid={{ ipa_name }},cn=users,cn=accounts,dc=rockylinux,dc=org"
name: "fasisprivate" name: "fasisprivate"
values: "TRUE" values: "TRUE"
@ -80,4 +70,3 @@
server_uri: ldap://localhost/ server_uri: ldap://localhost/
bind_dn: "uid={{ ipa_admin }},cn=users,cn=accounts,dc=rockylinux,dc=org" bind_dn: "uid={{ ipa_admin }},cn=users,cn=accounts,dc=rockylinux,dc=org"
bind_pw: "{{ ipaadmin_password }}" bind_pw: "{{ ipaadmin_password }}"
...

4
adhoc-ipauser-disable.yml
View File

@ -1,6 +1,7 @@
--- ---
# This playbook is meant to be used with callable variables, like adhoc or AWX. # This playbook is meant to be used with callable variables, like adhoc or AWX.
# What: Creates users in the idm infrastructure based on the variables provided. # What: Creates users in the idm infrastructure based on the variables provided.
# NOTE: For usage in AWX, select an appropriate host
- name: Create a User - name: Create a User
hosts: all hosts: all
@ -9,7 +10,7 @@
tasks: tasks:
- name: "Checking for user variables" - name: "Checking for user variables"
ansible.builtin.assert: assert:
that: that:
- ipa_admin | mandatory - ipa_admin | mandatory
- ipaadmin_password | mandatory - ipaadmin_password | mandatory
@ -25,4 +26,3 @@
state: disabled state: disabled
tags: tags:
- users - users
...

4
adhoc-ipauser-enable.yml
View File

@ -1,6 +1,7 @@
--- ---
# This playbook is meant to be used with callable variables, like adhoc or AWX. # This playbook is meant to be used with callable variables, like adhoc or AWX.
# What: Creates users in the idm infrastructure based on the variables provided. # What: Creates users in the idm infrastructure based on the variables provided.
# NOTE: For usage in AWX, select an appropriate host
- name: Create a User - name: Create a User
hosts: all hosts: all
@ -9,7 +10,7 @@
tasks: tasks:
- name: "Checking for user variables" - name: "Checking for user variables"
ansible.builtin.assert: assert:
that: that:
- ipa_admin | mandatory - ipa_admin | mandatory
- ipaadmin_password | mandatory - ipaadmin_password | mandatory
@ -25,4 +26,3 @@
state: enabled state: enabled
tags: tags:
- users - users
...

4
adhoc-ipauser.yml
View File

@ -1,6 +1,7 @@
--- ---
# This playbook is meant to be used with callable variables, like adhoc or AWX. # This playbook is meant to be used with callable variables, like adhoc or AWX.
# What: Creates users in the idm infrastructure based on the variables provided. # What: Creates users in the idm infrastructure based on the variables provided.
# NOTE: For usage in AWX, select an appropriate host
- name: Create a User - name: Create a User
hosts: all hosts: all
@ -9,7 +10,7 @@
tasks: tasks:
- name: "Checking for user variables" - name: "Checking for user variables"
ansible.builtin.assert: assert:
that: that:
- ipa_admin | mandatory - ipa_admin | mandatory
- ipaadmin_password | mandatory - ipaadmin_password | mandatory
@ -36,4 +37,3 @@
update_password: on_create update_password: on_create
tags: tags:
- users - users
...

3
collections/requirements.yml
View File

@ -2,6 +2,3 @@
# Collections # Collections
collections: collections:
- name: freeipa.ansible_freeipa - name: freeipa.ansible_freeipa
- name: community.general
- name: ansible.posix
...

15
import-rockygroups.yml
View File

@ -1,15 +0,0 @@
---
# Creates the first set of groups for the IdM Infrastructure
- name: "Creating Mandatory Groups"
freeipa.ansible_freeipa.ipagroup:
ipaadmin_password: "{{ ipaadmin_password }}"
name: "{{ item.group }}"
description: "{{ item.description }}"
nonposix: false
user: "{{ item.user | default(none) }}"
membermanager_user: "{{ item.managers_users | default(omit) }}"
membermanager_group: "{{ item.managers_groups | default(omit) }}"
loop: "{{ ipagroups }}"
tags:
- groups
...

45
import-rockyipaprivs.yml
View File

@ -1,45 +0,0 @@
---
# Creates necessary privileges for services
- name: "Creating necessary privileges"
freeipa.ansible_freeipa.ipaprivilege:
ipaadmin_password: "{{ ipaadmin_password }}"
name: "{{ item.privilege }}"
description: "{{ item.description }}"
loop: "{{ ipaprivileges }}"
when: ipaprivileges is defined
tags:
- rbac
- name: "Creating permissions"
freeipa.ansible_freeipa.ipaprivilege:
ipaadmin_password: "{{ ipaadmin_password }}"
name: "{{ item.privilege }}"
permission: "{{ item.permissions }}"
action: member
loop: "{{ ipaprivileges }}"
when: ipaprivileges is defined
tags:
- rbac
- name: "Creating roles based on custom privileges"
freeipa.ansible_freeipa.iparole:
ipaadmin_password: "{{ ipaadmin_password }}"
name: "{{ item.role }}"
privilege: "{{ item.privilege }}"
user: "{{ item.user|default(omit) }}"
loop: "{{ ipaprivileges }}"
when: ipaprivileges is defined
tags:
- rbac
- name: "Creating roles based on standard privileges"
freeipa.ansible_freeipa.iparole:
ipaadmin_password: "{{ ipaadmin_password }}"
name: "{{ item.role }}"
privilege: "{{ item.privileges }}"
user: "{{ item.user|default(omit) }}"
loop: "{{ iparoles }}"
when: iparoles is defined
tags:
- rbac
...

17
import-rockypwpolicy.yml
View File

@ -1,17 +0,0 @@
---
# Creates the first set of groups for the IdM Infrastructure
- name: "Setting up password policies"
freeipa.ansible_freeipa.ipapwpolicy:
ipaadmin_password: "{{ ipaadmin_password }}"
name: "{{ item.group }}"
minlife: "{{ item.minlife | default(0) }}"
maxlife: "{{ item.maxlife | default(0) }}"
history: "{{ item.history | default(5) }}"
priority: "{{ item.priority | default(1) }}"
lockouttime: "{{ item.lockout | default(300) }}"
minlength: "{{ item.minlength | default(8) }}"
maxfile: "{{ item.maxfail | default(5) }}"
loop: "{{ ipapwpolicies }}"
tags:
- groups
...

13
import-rockysudo.yml
View File

@ -1,13 +0,0 @@
---
# Currently only one SUDO role should be created, and that is for the
# rocky linux admins
- name: "Creating SUDO Role for Rocky Admins"
freeipa.ansible_freeipa.ipasudorule:
ipaadmin_password: "{{ ipaadmin_password }}"
name: All_RockyAdmins
description: Rocky Linux infrastructure and operations sudo access
group:
- rockyadm
hostcat: all
cmdcat: all
...

71
import-rockyusers.yml
View File

@ -1,71 +0,0 @@
---
# Creates the first set of users for the IdM Infrastructure. This
# should create both regular and admin accounts for separation of
# privilege.
- name: "Creating Initial Accounts"
freeipa.ansible_freeipa.ipauser:
ipaadmin_password: "{{ ipaadmin_password }}"
name: "{{ item.name }}"
first: "{{ item.first }}"
last: "{{ item.last }}"
email: "{{ item.email|default(omit) }}"
password: "{{ item.password }}"
title: "{{ item.title }}"
loginshell: "{{ item.loginshell }}"
update_password: on_create
loop: "{{ users }}"
tags:
- users
- name: "Creating Initial Admin Accounts"
freeipa.ansible_freeipa.ipauser:
ipaadmin_password: "{{ ipaadmin_password }}"
name: "{{ item.name }}"
first: "{{ item.first }}"
last: "{{ item.last }}"
email: "{{ item.email|default(omit) }}"
password: "{{ item.password }}"
title: "{{ item.title }}"
loginshell: "{{ item.loginshell }}"
update_password: on_create
loop: "{{ adminusers }}"
tags:
- users
- name: "Creating Service Accounts"
freeipa.ansible_freeipa.ipauser:
ipaadmin_password: "{{ ipaadmin_password }}"
name: "{{ item.name }}"
first: "{{ item.first }}"
last: "{{ item.last }}"
email: "{{ item.email|default(omit) }}"
password: "{{ item.password }}"
title: "{{ item.title }}"
loginshell: "{{ item.loginshell }}"
update_password: on_create
loop: "{{ svcusers }}"
tags:
- users
- name: "Creating bind account template - binder"
ansible.builtin.template:
src: "tmp/binder.update"
dest: "/tmp/binder.update"
owner: root
group: root
mode: '0600'
tags:
- users
- name: "Adding in the bind account - binder"
ansible.builtin.command: "/usr/sbin/ipa-ldap-updater /tmp/binder.update"
register: bind_account
changed_when: "bind_account.rc == 0"
tags:
- users
- name: "Remove template"
ansible.builtin.file:
path: "/tmp/binder.update"
state: absent
...

32
init-rocky-ipa-internal-dns.yml
View File

@ -1,32 +0,0 @@
---
# This builds out the initial users and groups for the rocky linux infra
- name: Create our initial users
hosts: all
become: false
gather_facts: false
vars_files:
- vars/ipa/rdns.yml
- vars/ipa/fdns.yml
tasks:
- name: "Checking for user variables"
ansible.builtin.assert:
that:
- ipaadmin_password | mandatory
success_msg: "Required variables provided"
fail_msg: "We are missing ipa admin password"
- name: "Create Reverse Domains"
freeipa.ansible_freeipa.ipadnszone:
ipaadmin_password: '{{ ipaadmin_password }}'
name: '{{ item }}'
dynamic_update: true
with_items: '{{ rdns }}'
- name: "Create Forward Domains"
freeipa.ansible_freeipa.ipadnszone:
ipaadmin_password: '{{ ipaadmin_password }}'
name: '{{ item }}'
dynamic_update: true
with_items: '{{ fdns }}'
...

35
init-rocky-ipa-team.yml
View File

@ -1,35 +0,0 @@
---
# This builds out the initial users and groups for the rocky linux infra
- name: Create our initial users
hosts: all
become: true
gather_facts: false
vars_files:
- vars/ipa/users.yml
- vars/ipa/adminusers.yml
- vars/ipa/svcusers.yml
- vars/ipa/groups.yml
- vars/ipa/ipaprivs.yml
tasks:
- name: "Checking for user variables"
ansible.builtin.assert:
that:
- ipaadmin_password | mandatory
- users | mandatory
- ipagroups | mandatory
success_msg: "Required variables provided"
fail_msg: "We are missing users or ipa admin password"
- name: "Start users"
import_tasks: import-rockyusers.yml
- name: "Start groups"
import_tasks: import-rockygroups.yml
- name: "Start sudo for admins"
import_tasks: import-rockysudo.yml
- name: "Start privileges for services"
import_tasks: import-rockyipaprivs.yml
...

11
role-rocky-ipa-client.yml
View File

@ -1,20 +1,18 @@
--- ---
# Configures an IPA client for the Rocky infrastructure # Configures an IPA client for the Rocky infrastructure
# Define "host" as a hostgroup name or a single host # NOTE: For usage in AWX, select an appropriate host
- name: Configure IPA client - name: Configure IPA client
hosts: all hosts: all
become: true become: true
vars_files:
- vars/ipa/ipaclient.yml
pre_tasks: pre_tasks:
- name: Check if ansible cannot be run here - name: Check if ansible cannot be run here
ansible.builtin.stat: stat:
path: /etc/no-ansible path: /etc/no-ansible
register: no_ansible register: no_ansible
- name: Verify if we can run ansible - name: Verify if we can run ansible
ansible.builtin.assert: assert:
that: that:
- "not no_ansible.stat.exists" - "not no_ansible.stat.exists"
success_msg: "We are able to run on this node" success_msg: "We are able to run on this node"
@ -32,10 +30,9 @@
post_tasks: post_tasks:
- name: Touching run file that ansible has ran here - name: Touching run file that ansible has ran here
ansible.builtin.file: file:
path: /var/log/ansible.run path: /var/log/ansible.run
state: touch state: touch
mode: '0644' mode: '0644'
owner: root owner: root
group: root group: root
...

11
role-rocky-ipa-replica.yml
View File

@ -1,6 +1,6 @@
--- ---
# Creates an IPA replica # Creates an IPA replica
# Define "host" as a hostgroup name or a single host # NOTE: Select the appropriate host or hostgroup
- name: Configure IPA server - name: Configure IPA server
hosts: all hosts: all
become: true become: true
@ -11,19 +11,19 @@
pre_tasks: pre_tasks:
- name: Check if ansible cannot be run here - name: Check if ansible cannot be run here
ansible.builtin.stat: stat:
path: /etc/no-ansible path: /etc/no-ansible
register: no_ansible register: no_ansible
- name: Verify if we can run ansible - name: Verify if we can run ansible
ansible.builtin.assert: assert:
that: that:
- "not no_ansible.stat.exists" - "not no_ansible.stat.exists"
success_msg: "We are able to run on this node" success_msg: "We are able to run on this node"
fail_msg: "/etc/no-ansible exists - skipping run on this node" fail_msg: "/etc/no-ansible exists - skipping run on this node"
- name: Ensure 'dns=none' is set for Network Manager - name: Ensure 'dns=none' is set for Network Manager
community.general.ini_file: ini_file:
path: /etc/NetworkManager/NetworkManager.conf path: /etc/NetworkManager/NetworkManager.conf
state: present state: present
no_extra_spaces: true no_extra_spaces: true
@ -43,10 +43,9 @@
post_tasks: post_tasks:
- name: Touching run file that ansible has ran here - name: Touching run file that ansible has ran here
ansible.builtin.file: file:
path: /var/log/ansible.run path: /var/log/ansible.run
state: touch state: touch
mode: '0644' mode: '0644'
owner: root owner: root
group: root group: root
...

10
role-rocky-ipa.yml
View File

@ -6,6 +6,7 @@
# Storage: 10G /var/lib/dirsrv # Storage: 10G /var/lib/dirsrv
# System fully up to date # System fully up to date
# Define "host" as a hostgroup name or a single host # Define "host" as a hostgroup name or a single host
# NOTE: For AWX, choose the appropriate host or host group
- name: Configure IPA server - name: Configure IPA server
hosts: all hosts: all
become: true become: true
@ -16,19 +17,19 @@
pre_tasks: pre_tasks:
- name: Check if ansible cannot be run here - name: Check if ansible cannot be run here
ansible.builtin.stat: stat:
path: /etc/no-ansible path: /etc/no-ansible
register: no_ansible register: no_ansible
- name: Verify if we can run ansible - name: Verify if we can run ansible
ansible.builtin.assert: assert:
that: that:
- "not no_ansible.stat.exists" - "not no_ansible.stat.exists"
success_msg: "We are able to run on this node" success_msg: "We are able to run on this node"
fail_msg: "/etc/no-ansible exists - skipping run on this node" fail_msg: "/etc/no-ansible exists - skipping run on this node"
- name: Ensure 'dns=none' is set for Network Manager to avoid change - name: Ensure 'dns=none' is set for Network Manager to avoid change
community.general.ini_file: ini_file:
path: /etc/NetworkManager/NetworkManager.conf path: /etc/NetworkManager/NetworkManager.conf
state: present state: present
no_extra_spaces: true no_extra_spaces: true
@ -48,7 +49,7 @@
post_tasks: post_tasks:
- name: Touching run file that ansible has ran here - name: Touching run file that ansible has ran here
ansible.builtin.file: file:
path: /var/log/ansible.run path: /var/log/ansible.run
state: touch state: touch
mode: '0644' mode: '0644'
@ -59,4 +60,3 @@
freeipa.ansible_freeipa.ipadnsconfig: freeipa.ansible_freeipa.ipadnsconfig:
ipaadmin_password: '{{ ipaadmin_password }}' ipaadmin_password: '{{ ipaadmin_password }}'
allow_sync_ptr: true allow_sync_ptr: true
...

1
roles/requirements.yml
View File

@ -4,4 +4,3 @@ roles:
- name: rockylinux.ipagetcert - name: rockylinux.ipagetcert
src: https://github.com/rocky-linux/ansible-role-ipa-getcert src: https://github.com/rocky-linux/ansible-role-ipa-getcert
version: main version: main
...

51
vars/ipa/adminusers.yml
View File

@ -1,51 +0,0 @@
---
adminusers:
- name: label2
first: Louis
last: Abel
password: ThisIsNotMyPassword1!
title: Infrastructure IdM Manager
loginshell: /bin/bash
- name: gmk2
first: Gregory
last: Kurtzer
password: ThisIsNotMyPassword1!
title: Executive Director
loginshell: /bin/bash
- name: brian2
first: Brian
last: Clemens
password: ThisIsNotMyPassword1!
title: Project Manager
loginshell: /bin/bash
- name: neil2
first: Neil
last: Hanlon
password: ThisIsNotMyPassword1!
title: Infrastructure Manager
loginshell: /bin/bash
- name: rlh2
first: R. Leigh
last: Hennig
password: ThisIsNotMyPassword1!
title: Operations Manager
loginshell: /bin/bash
- name: rfelsburg2
first: Rob
last: Felsburg
password: ThisIsNotMyPassword1!
title: Operations Manager
loginshell: /bin/bash
- name: tg2
first: Taylor
last: Goodwill
password: ThisIsNotMyPassword1!
title: Infrastructure Manager
loginshell: /bin/bash
- name: bagner2
first: Benjamin
last: Agner
password: ThisIsNotMyPassword1!
title: Security Director
loginshell: /bin/bash
...

3
vars/ipa/agreements.yml
View File

@ -1,3 +0,0 @@
---
# Vars for Agreements for the Rocky Linux Project
...

5
vars/ipa/fdns.yml
View File

@ -1,5 +0,0 @@
---
fdns:
- rockylinux.org.
- aws.rockylinux.org.
...

99
vars/ipa/groups.yml
View File

@ -1,99 +0,0 @@
---
ipagroups:
- group: infrastructure
description: Infrastructure Team
user:
- label
- neil
- rlh
- rfelsburg
- tg
- bagner
- group: operations
description: Operations Team
user:
- rlh
- rfelsburg
- group: development
description: Development Team
- group: qa
description: Quality Assurance Team
- group: marketing
description: Marketing
- group: rocky
description: Rocky Linux Team
user:
- label
- gmk
- brian
- hbjy
- jorp
- neil
- rlh
- rfelsburg
- tg
- bagner
- group: rockyadm
description: Rocky Linux Administrators - Only Admin Accounts
user:
- label2
- gmk2
- brian2
- hbjy2
- jorp2
- neil2
- rlh2
- rfelsburg2
- tg2
- bagner2
- group: gitadm
description: Rocky Linux GitLab Admins
user:
- label
- neil
- rlh
- rfelsburg
- tg
- hbjy
- group: gitusers
description: Rocky Linux GitLab Users
user:
- label
- neil
- rlh
- rfelsburg
- tg
- hbjy
- rockyautomation
managers_users:
- label
- neil
- rlh
- rfelsburg
- tg
- hbjy
- group: services
description: Rocky Linux Service Accounts
user:
- userman
- hostman
- kerbman
- rockykoji
- pubsub_federation
- rockypubsub
- rockyautomation
- group: iam
description: Rocky Linux Identity Management
user:
- label
managers_users:
- label
- group: releng
description: Rocky Linux Release Engineering
user:
- label
managers_users:
- label
- group: mq_pub_readonly
description: RabbitMQ ReadOnly
...

11
vars/ipa/ipaclient.yml
View File

@ -1,11 +0,0 @@
---
# IPA Client Vars
ipaclient_domain: rockylinux.org
ipaclient_realm: ROCKYLINUX.ORG
ipaadmin_principal: admin
ipaclient_no_ntp: true
ipaclient_mkhomedir: true
ipaclient_ssh_trust_dns: true
ipasssd_enable_dns_updates: true
ipatype: client
...

43
vars/ipa/ipaprivs.yml
View File

@ -1,43 +0,0 @@
---
# privileges
ipaprivileges:
- privilege: Privileges - Kerberos Managers
description: Kerberos Key Managers
permissions:
- "System: Manage Host Keytab"
- "System: Manage Host Keytab Permissions"
- "System: Manage Service Keytab"
- "System: Manage Service Keytab Permissions"
- "System: Manage User Principals"
role: Kerberos Managers
user:
- kerbman
# Standalone Roles
iparoles:
- role: IPA Client Managers
description: IPA Client Managers
privileges:
- "DNS Administrators"
- "DNS Servers"
- "Host Administrators"
- "Host Enrollment"
- "Host Group Administrators"
- "Netgroups Administrators"
user:
- hostman
- role: Kerberos Managers
description: Kerberos Key Managers
privileges:
- "Privileges - Kerberos Managers"
- "Service Administrators"
user:
- kerbman
- role: IPA User Managers
description: Rocky IPA User Managers responsible for idm flow
privileges:
- "Group Administrators"
- "Stage User Administrators"
- "User Administrators"
- "FAS Agreement Administrators"
...

14
vars/ipa/ipareplica.yml
View File

@ -1,14 +0,0 @@
---
# IPA Replica
ipaadmin_principal: admin
ipaclient_no_ntp: true
ipaclient_mkhomedir: true
ipaserver_realm: ROCKYLINUX.ORG
ipareplica_domain: rockylinux.org
ipareplica_auto_forwarders: true
ipareplica_setup_firewalld: true
ipareplica_setup_ca: true
ipareplica_setup_kra: true
ipareplica_setup_dns: true
ipatype: replica
...

16
vars/ipa/ipaserver.yml
View File

@ -1,16 +0,0 @@
---
# IPA Server
ipaserver_domain: rockylinux.org
ipaserver_realm: ROCKYLINUX.ORG
ipaserver_setup_dns: true
ipaserver_setup_kra: true
ipaserver_auto_forwarders: true
ipaserver_no_host_dns: true
ipaserver_allow_zone_overlap: true
ipaserver_setup_firewalld: true
ipaclient_no_ntp: true
ipaclient_mkhomedir: true
ipaserver_no_hbac_allow: true
ipaserver_reverse_zones: ["32.10.in-addr.arpa."]
ipatype: server
...

4
vars/ipa/rdns.yml
View File

@ -1,4 +0,0 @@
---
rdns:
- 32.10.in-addr.arpa.
...

2
vars/ipa/sudorules.yml
View File

@ -1,2 +0,0 @@
---
...

45
vars/ipa/svcusers.yml
View File

@ -1,45 +0,0 @@
---
svcusers:
- name: hostman
first: Host
last: Manager
password: ThisIsNotMyPassword1!
title: System Account - Host Manager
loginshell: /sbin/nologin
- name: kerbman
first: Kerberos
last: Manager
password: ThisIsNotMyPassword1!
title: System Account - Kerberos Key Manager
loginshell: /sbin/nologin
- name: userman
first: User
last: Manager
password: ThisIsNotMyPassword1!
title: System Account - User Manager
loginshell: /sbin/nologin
- name: rockykoji
first: Koji
last: Manager
password: ThisIsNotMyPassword1!
title: System Account - Koji Manager
loginshell: /sbin/nologin
- name: pubsub_federation
first: pubsub
last: federation
password: ThisIsNotMyPassword1!
title: System Account - pubsub federator
loginshell: /sbin/nologin
- name: rockypubsub
first: rocky
last: pubsub
password: ThisIsNotMyPassword1!
title: System Account - pubsub
loginshell: /sbin/nologin
- name: rockyautomation
first: Rocky
last: Automation
password: ThisIsNotMyPassword1!
title: System Account - Automation
loginshell: /sbin/nologin
...

59
vars/ipa/users.yml
View File

@ -1,59 +0,0 @@
---
users:
- name: label
first: Louis
last: Abel
email: label@rockylinux.org
password: ThisIsNotMyPassword1!
title: Infrastructure IdM Manager
loginshell: /bin/bash
- name: gmk
first: Gregory
last: Kurtzer
email: gmk@rockylinux.org
password: ThisIsNotMyPassword1!
title: Executive Director
loginshell: /bin/bash
- name: brian
first: Brian
last: Clemens
email: brian@rockylinux.org
password: ThisIsNotMyPassword1!
title: Project Manager
loginshell: /bin/bash
- name: neil
first: Neil
last: Hanlon
email: neil@rockylinux.org
password: ThisIsNotMyPassword1!
title: Infrastructure Manager
loginshell: /bin/bash
- name: rlh
first: R. Leigh
last: Hennig
email: rlh@rockylinux.org
password: ThisIsNotMyPassword1!
title: Operations Manager
loginshell: /bin/bash
- name: rfelsburg
first: Rob
last: Felsburg
email: rfelsburg@rockylinux.org
password: ThisIsNotMyPassword1!
title: Operations Manager
loginshell: /bin/bash
- name: tg
first: Taylor
last: Goodwill
email: tg@rockylinux.org
password: ThisIsNotMyPassword1!
title: Infrastructure Manager
loginshell: /bin/bash
- name: bagner
first: Benjamin
last: Agner
email: bagner@rockylinux.org
password: ThisIsNotMyPassword1!
title: Security Director
loginshell: /bin/bash
...

3
vars/ipaserver.yml
View File

@ -1,3 +0,0 @@
---
ipatype: server
...