Compare commits
No commits in common. "b97263aae6b82681c33e71b9e6509f12b1378371" and "86c94eb7072dd82c909bbb9715e6f216f803fef6" have entirely different histories.
b97263aae6
...
86c94eb707
@ -6,12 +6,12 @@
|
||||
# -> ipa_binder_password: Bind account password
|
||||
|
||||
- name: Create binder account
|
||||
hosts: all
|
||||
hosts: ipaserver
|
||||
become: true
|
||||
|
||||
tasks:
|
||||
- name: "Check for user variables"
|
||||
ansible.builtin.assert:
|
||||
assert:
|
||||
that:
|
||||
- ipa_binder_name | mandatory
|
||||
- ipa_binder_password | mandatory
|
||||
@ -19,8 +19,8 @@
|
||||
fail_msg: "We are missing user information"
|
||||
|
||||
- name: "Creating bind account template - binder"
|
||||
ansible.builtin.template:
|
||||
src: "tmp/binder_template.update"
|
||||
template:
|
||||
src: "tmp/binder.update.j2"
|
||||
dest: "/tmp/binder.update"
|
||||
owner: root
|
||||
group: root
|
||||
@ -29,14 +29,13 @@
|
||||
- users
|
||||
|
||||
- name: "Adding in the bind account"
|
||||
ansible.builtin.command: "/usr/sbin/ipa-ldap-updater /tmp/binder.update"
|
||||
command: "/usr/sbin/ipa-ldap-updater /tmp/binder.update"
|
||||
register: bind_account
|
||||
changed_when: "bind_account.rc == 0"
|
||||
tags:
|
||||
- users
|
||||
|
||||
- name: "Remove template"
|
||||
ansible.builtin.file:
|
||||
file:
|
||||
path: "/tmp/binder.update"
|
||||
state: absent
|
||||
...
|
||||
|
@ -10,6 +10,7 @@
|
||||
# -> ipa_name_type: Type of record (eg, CNAME, A, AAAA, PTR)
|
||||
# -> ipa_name_value: Record value (depends on type of record)
|
||||
# -> ipa_presence: present or absent
|
||||
# NOTE: For usage in AWX, select an IPA server
|
||||
|
||||
- name: Create a DNS Record
|
||||
hosts: all
|
||||
@ -18,7 +19,7 @@
|
||||
|
||||
tasks:
|
||||
- name: "Checking for user variables"
|
||||
ansible.builtin.assert:
|
||||
assert:
|
||||
that:
|
||||
- ipaadmin_password | mandatory
|
||||
- ipa_zone | mandatory
|
||||
@ -53,4 +54,3 @@
|
||||
managedby:
|
||||
- "{{ ipa_name_value[:-1] }}"
|
||||
ignore_errors: true
|
||||
...
|
||||
|
@ -2,6 +2,7 @@
|
||||
# This playbook is meant to be used with callable variables, like adhoc or AWX.
|
||||
# What: Creates dns zones in the idm infrastructure based on the variables
|
||||
# provided.
|
||||
# NOTE: For usage in AWX, select an IPA server
|
||||
|
||||
- name: Create a DNS Zone
|
||||
hosts: all
|
||||
@ -10,7 +11,7 @@
|
||||
|
||||
tasks:
|
||||
- name: "Checking for user variables"
|
||||
ansible.builtin.assert:
|
||||
assert:
|
||||
that:
|
||||
- ipa_admin | mandatory
|
||||
- ipaadmin_password | mandatory
|
||||
@ -25,4 +26,3 @@
|
||||
name: "{{ ipa_zone }}"
|
||||
tags:
|
||||
- dns
|
||||
...
|
||||
|
@ -9,8 +9,8 @@
|
||||
# -> getcert_postcmd: command to run after a certificate renews
|
||||
# -> getcert_chain: true/false, should cert and key be chained together
|
||||
# -> getcert_chain_location: location for the chain
|
||||
# -> getcert_service: service name (eg HTTP, host), defaults to host
|
||||
# TODO: Add CNAME/SAN support
|
||||
# NOTE: For usage in AWX, select an appropriate server
|
||||
|
||||
- name: Request and sign an IPA Certificate
|
||||
hosts: all
|
||||
@ -24,7 +24,6 @@
|
||||
nss_db_dir: "{{ getcert_nss_db_dir|default('/etc/pki/tls/db') }}"
|
||||
nss_nickname: "{{ getcert_nss_nickname|default(ansible_fqdn) }}"
|
||||
postcmd: "{{ getcert_postcmd|default(false) }}"
|
||||
service: "{{ getcert_service|default('host') }}"
|
||||
ipa_getcert_chain: "{{ getcert_chain|default(false) }}"
|
||||
ipa_getcert_chain_location: "{{ getcert_chain_location|default('/etc/pki/tls/chain') }}"
|
||||
ipa_getcert_nss: "{{ getcert_nss|default(false) }}"
|
||||
@ -32,4 +31,3 @@
|
||||
roles:
|
||||
- role: rockylinux.ipagetcert
|
||||
state: present
|
||||
...
|
||||
|
@ -4,7 +4,7 @@
|
||||
# extended security posture
|
||||
# What: Pulls keytabs for a kerberos service
|
||||
# What is expected:
|
||||
# -> host: The host in the inventory
|
||||
# -> host: The host in the inventory, this MUST be FQDN.
|
||||
# -> ipa_service: using this format: SVC/hostname.rockylinux.org@ROCKYLINUX.ORG
|
||||
# Note: This service MUST exist
|
||||
# -> ipa_keytab_fullpath: The full path to the keytab. Example: /etc/gitlab/gitlab.keytab
|
||||
@ -12,6 +12,7 @@
|
||||
# -> ipa_owner: If applicable, the local account that can read this keytab (eg apache)
|
||||
# -> ipa_admin: The admin user that has kerberos management capabilities (default is admin)
|
||||
# -> ipaadmin_password: This should be the password of the admin user
|
||||
# NOTE: For usage in AWX, select an appropriate host
|
||||
|
||||
- name: Pull keytab from IPA
|
||||
hosts: all
|
||||
@ -20,7 +21,7 @@
|
||||
|
||||
tasks:
|
||||
- name: "Checking for user variables"
|
||||
ansible.builtin.assert:
|
||||
assert:
|
||||
that:
|
||||
- ipa_admin | mandatory
|
||||
- ipaadmin_password | mandatory
|
||||
@ -31,14 +32,14 @@
|
||||
fail_msg: "We are missing required information"
|
||||
|
||||
- name: "Check that a keytab doesn't already exist"
|
||||
ansible.builtin.stat:
|
||||
stat:
|
||||
path: "{{ ipa_keytab_fullpath }}"
|
||||
register: keytab_status
|
||||
check_mode: false
|
||||
changed_when: "1 != 1"
|
||||
|
||||
- name: "Verify keytab existence"
|
||||
ansible.builtin.assert:
|
||||
assert:
|
||||
that:
|
||||
- "not keytab_status.stat.exists"
|
||||
success_msg: "Keytab doesn't exist, moving on..."
|
||||
@ -70,14 +71,14 @@
|
||||
|
||||
- name: "Get kerberos ticket"
|
||||
delegate_to: "{{ ipa_server }}"
|
||||
ansible.builtin.shell: "set -o pipefail && echo \"{{ ipaadmin_password }}\" | kinit {{ ipa_admin }}"
|
||||
shell: "set -o pipefail && echo \"{{ ipaadmin_password }}\" | kinit {{ ipa_admin }}"
|
||||
check_mode: false
|
||||
changed_when: "1 != 1"
|
||||
when: not keytab_status.stat.exists
|
||||
|
||||
- name: "Attempt to retrieve keytab"
|
||||
delegate_to: "{{ ipa_server }}"
|
||||
ansible.builtin.command: "ipa-getkeytab -r -s {{ ipa_server }} -p {{ ipa_service }} -k /tmp/{{ host }}.kt"
|
||||
command: "ipa-getkeytab -r -s {{ ipa_server }} -p {{ ipa_service }} -k /tmp/{{ host }}.kt"
|
||||
register: ret_result
|
||||
check_mode: false
|
||||
changed_when: "1 != 1"
|
||||
@ -85,30 +86,30 @@
|
||||
|
||||
- name: "Create keytab if it didn't exist, based on the last task"
|
||||
delegate_to: "{{ ipa_server }}"
|
||||
ansible.builtin.command: "ipa-getkeytab -s {{ ipa_server }} -p {{ ipa_service }} -k /tmp/{{ host }}.kt"
|
||||
command: "ipa-getkeytab -s {{ ipa_server }} -p {{ ipa_service }} -k /tmp/{{ host }}.kt"
|
||||
when: "'krbPrincipalKey not found' in ret_result.stderr"
|
||||
|
||||
- name: "Destroy admin ticket"
|
||||
delegate_to: "{{ ipa_server }}"
|
||||
ansible.builtin.command: "kdestroy -A"
|
||||
command: "kdestroy -A"
|
||||
register: kdestroy_result
|
||||
changed_when: "kdestroy_result.rc == 0"
|
||||
|
||||
- name: "Put the keytab into a register"
|
||||
delegate_to: "{{ ipa_server }}"
|
||||
ansible.builtin.command: "base64 /tmp/{{ host }}.kt"
|
||||
command: "base64 /tmp/{{ host }}.kt"
|
||||
register: keytab
|
||||
check_mode: false
|
||||
changed_when: "keytab.rc == 0"
|
||||
|
||||
- name: "Destroy local keytab"
|
||||
delegate_to: "{{ ipa_server }}"
|
||||
ansible.builtin.file:
|
||||
file:
|
||||
path: "/tmp/{{ host }}.kt"
|
||||
state: absent
|
||||
|
||||
- name: "Deploy keytab to {{ host }} from register"
|
||||
ansible.builtin.copy:
|
||||
copy:
|
||||
dest: "{{ ipa_keytab_fullpath }}.b64"
|
||||
content: "{{ keytab.stdout }}"
|
||||
owner: "{{ ipa_owner|default('root') }}"
|
||||
@ -116,16 +117,16 @@
|
||||
mode: '0600'
|
||||
|
||||
- name: "Decode keytab"
|
||||
ansible.builtin.shell: "umask 077 && base64 -d {{ ipa_keytab_fullpath }}.b64 > {{ ipa_keytab_fullpath }}"
|
||||
shell: "umask 077 && base64 -d {{ ipa_keytab_fullpath }}.b64 > {{ ipa_keytab_fullpath }}"
|
||||
changed_when: "1 != 1"
|
||||
|
||||
- name: "Destroy encoded keytab"
|
||||
ansible.builtin.file:
|
||||
file:
|
||||
path: "{{ ipa_keytab_fullpath }}.b64"
|
||||
state: absent
|
||||
|
||||
- name: "Set ownership if applicable, otherwise it's root owned"
|
||||
ansible.builtin.file:
|
||||
file:
|
||||
path: "{{ ipa_keytab_fullpath }}"
|
||||
owner: "{{ ipa_owner|default('root') }}"
|
||||
group: "{{ ipa_owner|default('root') }}"
|
||||
@ -133,4 +134,3 @@
|
||||
state: file
|
||||
tags:
|
||||
- keytab
|
||||
...
|
||||
|
@ -6,15 +6,13 @@
|
||||
# set to true.
|
||||
|
||||
- name: Create our initial users
|
||||
hosts: all
|
||||
hosts: ipaserver
|
||||
become: false
|
||||
gather_facts: false
|
||||
vars_files:
|
||||
- vars/vaults/userman.yml
|
||||
|
||||
tasks:
|
||||
- name: "Checking for user variables"
|
||||
ansible.builtin.assert:
|
||||
assert:
|
||||
that:
|
||||
- ipa_admin | mandatory
|
||||
- ipaadmin_password | mandatory
|
||||
@ -47,4 +45,3 @@
|
||||
check_mode: false
|
||||
changed_when: "1 != 1"
|
||||
when: ipa_fas
|
||||
...
|
||||
|
@ -3,13 +3,13 @@
|
||||
# What: Creates kerberos services in the idm infrastructure based on the variables provided
|
||||
|
||||
- name: Create Services
|
||||
hosts: all
|
||||
hosts: ipaserver
|
||||
become: false
|
||||
gather_facts: false
|
||||
|
||||
tasks:
|
||||
- name: "Checking for user variables"
|
||||
ansible.builtin.assert:
|
||||
assert:
|
||||
that:
|
||||
- ipa_admin | mandatory
|
||||
- ipaadmin_password | mandatory
|
||||
@ -26,4 +26,3 @@
|
||||
force: "{{ ipa_force | default(false) }}"
|
||||
tags:
|
||||
- services
|
||||
...
|
||||
|
@ -13,12 +13,11 @@
|
||||
|
||||
tasks:
|
||||
- name: "Checking for user variables"
|
||||
ansible.builtin.assert:
|
||||
assert:
|
||||
that:
|
||||
- ipa_admin | mandatory
|
||||
- ipaadmin_password | mandatory
|
||||
- ipa_name | mandatory
|
||||
- ticket_id | mandatory
|
||||
success_msg: "Required variables provided"
|
||||
fail_msg: "We are missing user information or ipa admin password"
|
||||
|
||||
@ -32,7 +31,7 @@
|
||||
- users
|
||||
|
||||
- name: "Remove personal information attributes"
|
||||
community.general.ldap_attrs:
|
||||
community.general.ldap_attr:
|
||||
dn: "uid={{ ipa_name }},cn=users,cn=accounts,dc=rockylinux,dc=org"
|
||||
name: "{{ item }}"
|
||||
values: []
|
||||
@ -46,6 +45,7 @@
|
||||
- fasGitLabUsername
|
||||
- fasIRCNick
|
||||
- fasRHBZEmail
|
||||
- fasStatusNote
|
||||
- fasWebsiteURL
|
||||
- fasgpgkeyid
|
||||
- fasLocale
|
||||
@ -61,18 +61,8 @@
|
||||
- telephoneNumber
|
||||
- homePhone
|
||||
|
||||
- name: "Set FAS Status Note"
|
||||
community.general.ldap_attrs:
|
||||
dn: "uid={{ ipa_name }},cn=users,cn=accounts,dc=rockylinux,dc=org"
|
||||
name: "fasStatusNote"
|
||||
values: "Account Disabled: {{ ticket_id }}"
|
||||
state: exact
|
||||
server_uri: ldap://localhost/
|
||||
bind_dn: "uid={{ ipa_admin }},cn=users,cn=accounts,dc=rockylinux,dc=org"
|
||||
bind_pw: "{{ ipaadmin_password }}"
|
||||
|
||||
- name: "Set FAS Account Information to Private"
|
||||
community.general.ldap_attrs:
|
||||
community.general.ldap_attr:
|
||||
dn: "uid={{ ipa_name }},cn=users,cn=accounts,dc=rockylinux,dc=org"
|
||||
name: "fasisprivate"
|
||||
values: "TRUE"
|
||||
@ -80,4 +70,3 @@
|
||||
server_uri: ldap://localhost/
|
||||
bind_dn: "uid={{ ipa_admin }},cn=users,cn=accounts,dc=rockylinux,dc=org"
|
||||
bind_pw: "{{ ipaadmin_password }}"
|
||||
...
|
||||
|
@ -1,6 +1,7 @@
|
||||
---
|
||||
# This playbook is meant to be used with callable variables, like adhoc or AWX.
|
||||
# What: Creates users in the idm infrastructure based on the variables provided.
|
||||
# NOTE: For usage in AWX, select an appropriate host
|
||||
|
||||
- name: Create a User
|
||||
hosts: all
|
||||
@ -9,7 +10,7 @@
|
||||
|
||||
tasks:
|
||||
- name: "Checking for user variables"
|
||||
ansible.builtin.assert:
|
||||
assert:
|
||||
that:
|
||||
- ipa_admin | mandatory
|
||||
- ipaadmin_password | mandatory
|
||||
@ -25,4 +26,3 @@
|
||||
state: disabled
|
||||
tags:
|
||||
- users
|
||||
...
|
||||
|
@ -1,6 +1,7 @@
|
||||
---
|
||||
# This playbook is meant to be used with callable variables, like adhoc or AWX.
|
||||
# What: Creates users in the idm infrastructure based on the variables provided.
|
||||
# NOTE: For usage in AWX, select an appropriate host
|
||||
|
||||
- name: Create a User
|
||||
hosts: all
|
||||
@ -9,7 +10,7 @@
|
||||
|
||||
tasks:
|
||||
- name: "Checking for user variables"
|
||||
ansible.builtin.assert:
|
||||
assert:
|
||||
that:
|
||||
- ipa_admin | mandatory
|
||||
- ipaadmin_password | mandatory
|
||||
@ -25,4 +26,3 @@
|
||||
state: enabled
|
||||
tags:
|
||||
- users
|
||||
...
|
||||
|
@ -1,6 +1,7 @@
|
||||
---
|
||||
# This playbook is meant to be used with callable variables, like adhoc or AWX.
|
||||
# What: Creates users in the idm infrastructure based on the variables provided.
|
||||
# NOTE: For usage in AWX, select an appropriate host
|
||||
|
||||
- name: Create a User
|
||||
hosts: all
|
||||
@ -9,7 +10,7 @@
|
||||
|
||||
tasks:
|
||||
- name: "Checking for user variables"
|
||||
ansible.builtin.assert:
|
||||
assert:
|
||||
that:
|
||||
- ipa_admin | mandatory
|
||||
- ipaadmin_password | mandatory
|
||||
@ -36,4 +37,3 @@
|
||||
update_password: on_create
|
||||
tags:
|
||||
- users
|
||||
...
|
||||
|
@ -2,6 +2,3 @@
|
||||
# Collections
|
||||
collections:
|
||||
- name: freeipa.ansible_freeipa
|
||||
- name: community.general
|
||||
- name: ansible.posix
|
||||
...
|
||||
|
@ -1,15 +0,0 @@
|
||||
---
|
||||
# Creates the first set of groups for the IdM Infrastructure
|
||||
- name: "Creating Mandatory Groups"
|
||||
freeipa.ansible_freeipa.ipagroup:
|
||||
ipaadmin_password: "{{ ipaadmin_password }}"
|
||||
name: "{{ item.group }}"
|
||||
description: "{{ item.description }}"
|
||||
nonposix: false
|
||||
user: "{{ item.user | default(none) }}"
|
||||
membermanager_user: "{{ item.managers_users | default(omit) }}"
|
||||
membermanager_group: "{{ item.managers_groups | default(omit) }}"
|
||||
loop: "{{ ipagroups }}"
|
||||
tags:
|
||||
- groups
|
||||
...
|
@ -1,45 +0,0 @@
|
||||
---
|
||||
# Creates necessary privileges for services
|
||||
- name: "Creating necessary privileges"
|
||||
freeipa.ansible_freeipa.ipaprivilege:
|
||||
ipaadmin_password: "{{ ipaadmin_password }}"
|
||||
name: "{{ item.privilege }}"
|
||||
description: "{{ item.description }}"
|
||||
loop: "{{ ipaprivileges }}"
|
||||
when: ipaprivileges is defined
|
||||
tags:
|
||||
- rbac
|
||||
|
||||
- name: "Creating permissions"
|
||||
freeipa.ansible_freeipa.ipaprivilege:
|
||||
ipaadmin_password: "{{ ipaadmin_password }}"
|
||||
name: "{{ item.privilege }}"
|
||||
permission: "{{ item.permissions }}"
|
||||
action: member
|
||||
loop: "{{ ipaprivileges }}"
|
||||
when: ipaprivileges is defined
|
||||
tags:
|
||||
- rbac
|
||||
|
||||
- name: "Creating roles based on custom privileges"
|
||||
freeipa.ansible_freeipa.iparole:
|
||||
ipaadmin_password: "{{ ipaadmin_password }}"
|
||||
name: "{{ item.role }}"
|
||||
privilege: "{{ item.privilege }}"
|
||||
user: "{{ item.user|default(omit) }}"
|
||||
loop: "{{ ipaprivileges }}"
|
||||
when: ipaprivileges is defined
|
||||
tags:
|
||||
- rbac
|
||||
|
||||
- name: "Creating roles based on standard privileges"
|
||||
freeipa.ansible_freeipa.iparole:
|
||||
ipaadmin_password: "{{ ipaadmin_password }}"
|
||||
name: "{{ item.role }}"
|
||||
privilege: "{{ item.privileges }}"
|
||||
user: "{{ item.user|default(omit) }}"
|
||||
loop: "{{ iparoles }}"
|
||||
when: iparoles is defined
|
||||
tags:
|
||||
- rbac
|
||||
...
|
@ -1,17 +0,0 @@
|
||||
---
|
||||
# Creates the first set of groups for the IdM Infrastructure
|
||||
- name: "Setting up password policies"
|
||||
freeipa.ansible_freeipa.ipapwpolicy:
|
||||
ipaadmin_password: "{{ ipaadmin_password }}"
|
||||
name: "{{ item.group }}"
|
||||
minlife: "{{ item.minlife | default(0) }}"
|
||||
maxlife: "{{ item.maxlife | default(0) }}"
|
||||
history: "{{ item.history | default(5) }}"
|
||||
priority: "{{ item.priority | default(1) }}"
|
||||
lockouttime: "{{ item.lockout | default(300) }}"
|
||||
minlength: "{{ item.minlength | default(8) }}"
|
||||
maxfile: "{{ item.maxfail | default(5) }}"
|
||||
loop: "{{ ipapwpolicies }}"
|
||||
tags:
|
||||
- groups
|
||||
...
|
@ -1,13 +0,0 @@
|
||||
---
|
||||
# Currently only one SUDO role should be created, and that is for the
|
||||
# rocky linux admins
|
||||
- name: "Creating SUDO Role for Rocky Admins"
|
||||
freeipa.ansible_freeipa.ipasudorule:
|
||||
ipaadmin_password: "{{ ipaadmin_password }}"
|
||||
name: All_RockyAdmins
|
||||
description: Rocky Linux infrastructure and operations sudo access
|
||||
group:
|
||||
- rockyadm
|
||||
hostcat: all
|
||||
cmdcat: all
|
||||
...
|
@ -1,71 +0,0 @@
|
||||
---
|
||||
# Creates the first set of users for the IdM Infrastructure. This
|
||||
# should create both regular and admin accounts for separation of
|
||||
# privilege.
|
||||
- name: "Creating Initial Accounts"
|
||||
freeipa.ansible_freeipa.ipauser:
|
||||
ipaadmin_password: "{{ ipaadmin_password }}"
|
||||
name: "{{ item.name }}"
|
||||
first: "{{ item.first }}"
|
||||
last: "{{ item.last }}"
|
||||
email: "{{ item.email|default(omit) }}"
|
||||
password: "{{ item.password }}"
|
||||
title: "{{ item.title }}"
|
||||
loginshell: "{{ item.loginshell }}"
|
||||
update_password: on_create
|
||||
loop: "{{ users }}"
|
||||
tags:
|
||||
- users
|
||||
|
||||
- name: "Creating Initial Admin Accounts"
|
||||
freeipa.ansible_freeipa.ipauser:
|
||||
ipaadmin_password: "{{ ipaadmin_password }}"
|
||||
name: "{{ item.name }}"
|
||||
first: "{{ item.first }}"
|
||||
last: "{{ item.last }}"
|
||||
email: "{{ item.email|default(omit) }}"
|
||||
password: "{{ item.password }}"
|
||||
title: "{{ item.title }}"
|
||||
loginshell: "{{ item.loginshell }}"
|
||||
update_password: on_create
|
||||
loop: "{{ adminusers }}"
|
||||
tags:
|
||||
- users
|
||||
|
||||
- name: "Creating Service Accounts"
|
||||
freeipa.ansible_freeipa.ipauser:
|
||||
ipaadmin_password: "{{ ipaadmin_password }}"
|
||||
name: "{{ item.name }}"
|
||||
first: "{{ item.first }}"
|
||||
last: "{{ item.last }}"
|
||||
email: "{{ item.email|default(omit) }}"
|
||||
password: "{{ item.password }}"
|
||||
title: "{{ item.title }}"
|
||||
loginshell: "{{ item.loginshell }}"
|
||||
update_password: on_create
|
||||
loop: "{{ svcusers }}"
|
||||
tags:
|
||||
- users
|
||||
|
||||
- name: "Creating bind account template - binder"
|
||||
ansible.builtin.template:
|
||||
src: "tmp/binder.update"
|
||||
dest: "/tmp/binder.update"
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0600'
|
||||
tags:
|
||||
- users
|
||||
|
||||
- name: "Adding in the bind account - binder"
|
||||
ansible.builtin.command: "/usr/sbin/ipa-ldap-updater /tmp/binder.update"
|
||||
register: bind_account
|
||||
changed_when: "bind_account.rc == 0"
|
||||
tags:
|
||||
- users
|
||||
|
||||
- name: "Remove template"
|
||||
ansible.builtin.file:
|
||||
path: "/tmp/binder.update"
|
||||
state: absent
|
||||
...
|
@ -1,32 +0,0 @@
|
||||
---
|
||||
# This builds out the initial users and groups for the rocky linux infra
|
||||
- name: Create our initial users
|
||||
hosts: all
|
||||
become: false
|
||||
gather_facts: false
|
||||
vars_files:
|
||||
- vars/ipa/rdns.yml
|
||||
- vars/ipa/fdns.yml
|
||||
|
||||
tasks:
|
||||
- name: "Checking for user variables"
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- ipaadmin_password | mandatory
|
||||
success_msg: "Required variables provided"
|
||||
fail_msg: "We are missing ipa admin password"
|
||||
|
||||
- name: "Create Reverse Domains"
|
||||
freeipa.ansible_freeipa.ipadnszone:
|
||||
ipaadmin_password: '{{ ipaadmin_password }}'
|
||||
name: '{{ item }}'
|
||||
dynamic_update: true
|
||||
with_items: '{{ rdns }}'
|
||||
|
||||
- name: "Create Forward Domains"
|
||||
freeipa.ansible_freeipa.ipadnszone:
|
||||
ipaadmin_password: '{{ ipaadmin_password }}'
|
||||
name: '{{ item }}'
|
||||
dynamic_update: true
|
||||
with_items: '{{ fdns }}'
|
||||
...
|
@ -1,35 +0,0 @@
|
||||
---
|
||||
# This builds out the initial users and groups for the rocky linux infra
|
||||
- name: Create our initial users
|
||||
hosts: all
|
||||
become: true
|
||||
gather_facts: false
|
||||
vars_files:
|
||||
- vars/ipa/users.yml
|
||||
- vars/ipa/adminusers.yml
|
||||
- vars/ipa/svcusers.yml
|
||||
- vars/ipa/groups.yml
|
||||
- vars/ipa/ipaprivs.yml
|
||||
|
||||
tasks:
|
||||
- name: "Checking for user variables"
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- ipaadmin_password | mandatory
|
||||
- users | mandatory
|
||||
- ipagroups | mandatory
|
||||
success_msg: "Required variables provided"
|
||||
fail_msg: "We are missing users or ipa admin password"
|
||||
|
||||
- name: "Start users"
|
||||
import_tasks: import-rockyusers.yml
|
||||
|
||||
- name: "Start groups"
|
||||
import_tasks: import-rockygroups.yml
|
||||
|
||||
- name: "Start sudo for admins"
|
||||
import_tasks: import-rockysudo.yml
|
||||
|
||||
- name: "Start privileges for services"
|
||||
import_tasks: import-rockyipaprivs.yml
|
||||
...
|
@ -1,20 +1,18 @@
|
||||
---
|
||||
# Configures an IPA client for the Rocky infrastructure
|
||||
# Define "host" as a hostgroup name or a single host
|
||||
# NOTE: For usage in AWX, select an appropriate host
|
||||
- name: Configure IPA client
|
||||
hosts: all
|
||||
become: true
|
||||
vars_files:
|
||||
- vars/ipa/ipaclient.yml
|
||||
|
||||
pre_tasks:
|
||||
- name: Check if ansible cannot be run here
|
||||
ansible.builtin.stat:
|
||||
stat:
|
||||
path: /etc/no-ansible
|
||||
register: no_ansible
|
||||
|
||||
- name: Verify if we can run ansible
|
||||
ansible.builtin.assert:
|
||||
assert:
|
||||
that:
|
||||
- "not no_ansible.stat.exists"
|
||||
success_msg: "We are able to run on this node"
|
||||
@ -32,10 +30,9 @@
|
||||
|
||||
post_tasks:
|
||||
- name: Touching run file that ansible has ran here
|
||||
ansible.builtin.file:
|
||||
file:
|
||||
path: /var/log/ansible.run
|
||||
state: touch
|
||||
mode: '0644'
|
||||
owner: root
|
||||
group: root
|
||||
...
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
# Creates an IPA replica
|
||||
# Define "host" as a hostgroup name or a single host
|
||||
# NOTE: Select the appropriate host or hostgroup
|
||||
- name: Configure IPA server
|
||||
hosts: all
|
||||
become: true
|
||||
@ -11,19 +11,19 @@
|
||||
|
||||
pre_tasks:
|
||||
- name: Check if ansible cannot be run here
|
||||
ansible.builtin.stat:
|
||||
stat:
|
||||
path: /etc/no-ansible
|
||||
register: no_ansible
|
||||
|
||||
- name: Verify if we can run ansible
|
||||
ansible.builtin.assert:
|
||||
assert:
|
||||
that:
|
||||
- "not no_ansible.stat.exists"
|
||||
success_msg: "We are able to run on this node"
|
||||
fail_msg: "/etc/no-ansible exists - skipping run on this node"
|
||||
|
||||
- name: Ensure 'dns=none' is set for Network Manager
|
||||
community.general.ini_file:
|
||||
ini_file:
|
||||
path: /etc/NetworkManager/NetworkManager.conf
|
||||
state: present
|
||||
no_extra_spaces: true
|
||||
@ -43,10 +43,9 @@
|
||||
|
||||
post_tasks:
|
||||
- name: Touching run file that ansible has ran here
|
||||
ansible.builtin.file:
|
||||
file:
|
||||
path: /var/log/ansible.run
|
||||
state: touch
|
||||
mode: '0644'
|
||||
owner: root
|
||||
group: root
|
||||
...
|
||||
|
@ -6,6 +6,7 @@
|
||||
# Storage: 10G /var/lib/dirsrv
|
||||
# System fully up to date
|
||||
# Define "host" as a hostgroup name or a single host
|
||||
# NOTE: For AWX, choose the appropriate host or host group
|
||||
- name: Configure IPA server
|
||||
hosts: all
|
||||
become: true
|
||||
@ -16,19 +17,19 @@
|
||||
|
||||
pre_tasks:
|
||||
- name: Check if ansible cannot be run here
|
||||
ansible.builtin.stat:
|
||||
stat:
|
||||
path: /etc/no-ansible
|
||||
register: no_ansible
|
||||
|
||||
- name: Verify if we can run ansible
|
||||
ansible.builtin.assert:
|
||||
assert:
|
||||
that:
|
||||
- "not no_ansible.stat.exists"
|
||||
success_msg: "We are able to run on this node"
|
||||
fail_msg: "/etc/no-ansible exists - skipping run on this node"
|
||||
|
||||
- name: Ensure 'dns=none' is set for Network Manager to avoid change
|
||||
community.general.ini_file:
|
||||
ini_file:
|
||||
path: /etc/NetworkManager/NetworkManager.conf
|
||||
state: present
|
||||
no_extra_spaces: true
|
||||
@ -48,7 +49,7 @@
|
||||
|
||||
post_tasks:
|
||||
- name: Touching run file that ansible has ran here
|
||||
ansible.builtin.file:
|
||||
file:
|
||||
path: /var/log/ansible.run
|
||||
state: touch
|
||||
mode: '0644'
|
||||
@ -59,4 +60,3 @@
|
||||
freeipa.ansible_freeipa.ipadnsconfig:
|
||||
ipaadmin_password: '{{ ipaadmin_password }}'
|
||||
allow_sync_ptr: true
|
||||
...
|
||||
|
@ -4,4 +4,3 @@ roles:
|
||||
- name: rockylinux.ipagetcert
|
||||
src: https://github.com/rocky-linux/ansible-role-ipa-getcert
|
||||
version: main
|
||||
...
|
||||
|
@ -1,51 +0,0 @@
|
||||
---
|
||||
adminusers:
|
||||
- name: label2
|
||||
first: Louis
|
||||
last: Abel
|
||||
password: ThisIsNotMyPassword1!
|
||||
title: Infrastructure IdM Manager
|
||||
loginshell: /bin/bash
|
||||
- name: gmk2
|
||||
first: Gregory
|
||||
last: Kurtzer
|
||||
password: ThisIsNotMyPassword1!
|
||||
title: Executive Director
|
||||
loginshell: /bin/bash
|
||||
- name: brian2
|
||||
first: Brian
|
||||
last: Clemens
|
||||
password: ThisIsNotMyPassword1!
|
||||
title: Project Manager
|
||||
loginshell: /bin/bash
|
||||
- name: neil2
|
||||
first: Neil
|
||||
last: Hanlon
|
||||
password: ThisIsNotMyPassword1!
|
||||
title: Infrastructure Manager
|
||||
loginshell: /bin/bash
|
||||
- name: rlh2
|
||||
first: R. Leigh
|
||||
last: Hennig
|
||||
password: ThisIsNotMyPassword1!
|
||||
title: Operations Manager
|
||||
loginshell: /bin/bash
|
||||
- name: rfelsburg2
|
||||
first: Rob
|
||||
last: Felsburg
|
||||
password: ThisIsNotMyPassword1!
|
||||
title: Operations Manager
|
||||
loginshell: /bin/bash
|
||||
- name: tg2
|
||||
first: Taylor
|
||||
last: Goodwill
|
||||
password: ThisIsNotMyPassword1!
|
||||
title: Infrastructure Manager
|
||||
loginshell: /bin/bash
|
||||
- name: bagner2
|
||||
first: Benjamin
|
||||
last: Agner
|
||||
password: ThisIsNotMyPassword1!
|
||||
title: Security Director
|
||||
loginshell: /bin/bash
|
||||
...
|
@ -1,3 +0,0 @@
|
||||
---
|
||||
# Vars for Agreements for the Rocky Linux Project
|
||||
...
|
@ -1,5 +0,0 @@
|
||||
---
|
||||
fdns:
|
||||
- rockylinux.org.
|
||||
- aws.rockylinux.org.
|
||||
...
|
@ -1,99 +0,0 @@
|
||||
---
|
||||
ipagroups:
|
||||
- group: infrastructure
|
||||
description: Infrastructure Team
|
||||
user:
|
||||
- label
|
||||
- neil
|
||||
- rlh
|
||||
- rfelsburg
|
||||
- tg
|
||||
- bagner
|
||||
- group: operations
|
||||
description: Operations Team
|
||||
user:
|
||||
- rlh
|
||||
- rfelsburg
|
||||
- group: development
|
||||
description: Development Team
|
||||
- group: qa
|
||||
description: Quality Assurance Team
|
||||
- group: marketing
|
||||
description: Marketing
|
||||
- group: rocky
|
||||
description: Rocky Linux Team
|
||||
user:
|
||||
- label
|
||||
- gmk
|
||||
- brian
|
||||
- hbjy
|
||||
- jorp
|
||||
- neil
|
||||
- rlh
|
||||
- rfelsburg
|
||||
- tg
|
||||
- bagner
|
||||
- group: rockyadm
|
||||
description: Rocky Linux Administrators - Only Admin Accounts
|
||||
user:
|
||||
- label2
|
||||
- gmk2
|
||||
- brian2
|
||||
- hbjy2
|
||||
- jorp2
|
||||
- neil2
|
||||
- rlh2
|
||||
- rfelsburg2
|
||||
- tg2
|
||||
- bagner2
|
||||
- group: gitadm
|
||||
description: Rocky Linux GitLab Admins
|
||||
user:
|
||||
- label
|
||||
- neil
|
||||
- rlh
|
||||
- rfelsburg
|
||||
- tg
|
||||
- hbjy
|
||||
- group: gitusers
|
||||
description: Rocky Linux GitLab Users
|
||||
user:
|
||||
- label
|
||||
- neil
|
||||
- rlh
|
||||
- rfelsburg
|
||||
- tg
|
||||
- hbjy
|
||||
- rockyautomation
|
||||
managers_users:
|
||||
- label
|
||||
- neil
|
||||
- rlh
|
||||
- rfelsburg
|
||||
- tg
|
||||
- hbjy
|
||||
- group: services
|
||||
description: Rocky Linux Service Accounts
|
||||
user:
|
||||
- userman
|
||||
- hostman
|
||||
- kerbman
|
||||
- rockykoji
|
||||
- pubsub_federation
|
||||
- rockypubsub
|
||||
- rockyautomation
|
||||
- group: iam
|
||||
description: Rocky Linux Identity Management
|
||||
user:
|
||||
- label
|
||||
managers_users:
|
||||
- label
|
||||
- group: releng
|
||||
description: Rocky Linux Release Engineering
|
||||
user:
|
||||
- label
|
||||
managers_users:
|
||||
- label
|
||||
- group: mq_pub_readonly
|
||||
description: RabbitMQ ReadOnly
|
||||
...
|
@ -1,11 +0,0 @@
|
||||
---
|
||||
# IPA Client Vars
|
||||
ipaclient_domain: rockylinux.org
|
||||
ipaclient_realm: ROCKYLINUX.ORG
|
||||
ipaadmin_principal: admin
|
||||
ipaclient_no_ntp: true
|
||||
ipaclient_mkhomedir: true
|
||||
ipaclient_ssh_trust_dns: true
|
||||
ipasssd_enable_dns_updates: true
|
||||
ipatype: client
|
||||
...
|
@ -1,43 +0,0 @@
|
||||
---
|
||||
# privileges
|
||||
ipaprivileges:
|
||||
- privilege: Privileges - Kerberos Managers
|
||||
description: Kerberos Key Managers
|
||||
permissions:
|
||||
- "System: Manage Host Keytab"
|
||||
- "System: Manage Host Keytab Permissions"
|
||||
- "System: Manage Service Keytab"
|
||||
- "System: Manage Service Keytab Permissions"
|
||||
- "System: Manage User Principals"
|
||||
role: Kerberos Managers
|
||||
user:
|
||||
- kerbman
|
||||
|
||||
# Standalone Roles
|
||||
iparoles:
|
||||
- role: IPA Client Managers
|
||||
description: IPA Client Managers
|
||||
privileges:
|
||||
- "DNS Administrators"
|
||||
- "DNS Servers"
|
||||
- "Host Administrators"
|
||||
- "Host Enrollment"
|
||||
- "Host Group Administrators"
|
||||
- "Netgroups Administrators"
|
||||
user:
|
||||
- hostman
|
||||
- role: Kerberos Managers
|
||||
description: Kerberos Key Managers
|
||||
privileges:
|
||||
- "Privileges - Kerberos Managers"
|
||||
- "Service Administrators"
|
||||
user:
|
||||
- kerbman
|
||||
- role: IPA User Managers
|
||||
description: Rocky IPA User Managers responsible for idm flow
|
||||
privileges:
|
||||
- "Group Administrators"
|
||||
- "Stage User Administrators"
|
||||
- "User Administrators"
|
||||
- "FAS Agreement Administrators"
|
||||
...
|
@ -1,14 +0,0 @@
|
||||
---
|
||||
# IPA Replica
|
||||
ipaadmin_principal: admin
|
||||
ipaclient_no_ntp: true
|
||||
ipaclient_mkhomedir: true
|
||||
ipaserver_realm: ROCKYLINUX.ORG
|
||||
ipareplica_domain: rockylinux.org
|
||||
ipareplica_auto_forwarders: true
|
||||
ipareplica_setup_firewalld: true
|
||||
ipareplica_setup_ca: true
|
||||
ipareplica_setup_kra: true
|
||||
ipareplica_setup_dns: true
|
||||
ipatype: replica
|
||||
...
|
@ -1,16 +0,0 @@
|
||||
---
|
||||
# IPA Server
|
||||
ipaserver_domain: rockylinux.org
|
||||
ipaserver_realm: ROCKYLINUX.ORG
|
||||
ipaserver_setup_dns: true
|
||||
ipaserver_setup_kra: true
|
||||
ipaserver_auto_forwarders: true
|
||||
ipaserver_no_host_dns: true
|
||||
ipaserver_allow_zone_overlap: true
|
||||
ipaserver_setup_firewalld: true
|
||||
ipaclient_no_ntp: true
|
||||
ipaclient_mkhomedir: true
|
||||
ipaserver_no_hbac_allow: true
|
||||
ipaserver_reverse_zones: ["32.10.in-addr.arpa."]
|
||||
ipatype: server
|
||||
...
|
@ -1,4 +0,0 @@
|
||||
---
|
||||
rdns:
|
||||
- 32.10.in-addr.arpa.
|
||||
...
|
@ -1,2 +0,0 @@
|
||||
---
|
||||
...
|
@ -1,45 +0,0 @@
|
||||
---
|
||||
svcusers:
|
||||
- name: hostman
|
||||
first: Host
|
||||
last: Manager
|
||||
password: ThisIsNotMyPassword1!
|
||||
title: System Account - Host Manager
|
||||
loginshell: /sbin/nologin
|
||||
- name: kerbman
|
||||
first: Kerberos
|
||||
last: Manager
|
||||
password: ThisIsNotMyPassword1!
|
||||
title: System Account - Kerberos Key Manager
|
||||
loginshell: /sbin/nologin
|
||||
- name: userman
|
||||
first: User
|
||||
last: Manager
|
||||
password: ThisIsNotMyPassword1!
|
||||
title: System Account - User Manager
|
||||
loginshell: /sbin/nologin
|
||||
- name: rockykoji
|
||||
first: Koji
|
||||
last: Manager
|
||||
password: ThisIsNotMyPassword1!
|
||||
title: System Account - Koji Manager
|
||||
loginshell: /sbin/nologin
|
||||
- name: pubsub_federation
|
||||
first: pubsub
|
||||
last: federation
|
||||
password: ThisIsNotMyPassword1!
|
||||
title: System Account - pubsub federator
|
||||
loginshell: /sbin/nologin
|
||||
- name: rockypubsub
|
||||
first: rocky
|
||||
last: pubsub
|
||||
password: ThisIsNotMyPassword1!
|
||||
title: System Account - pubsub
|
||||
loginshell: /sbin/nologin
|
||||
- name: rockyautomation
|
||||
first: Rocky
|
||||
last: Automation
|
||||
password: ThisIsNotMyPassword1!
|
||||
title: System Account - Automation
|
||||
loginshell: /sbin/nologin
|
||||
...
|
@ -1,59 +0,0 @@
|
||||
---
|
||||
users:
|
||||
- name: label
|
||||
first: Louis
|
||||
last: Abel
|
||||
email: label@rockylinux.org
|
||||
password: ThisIsNotMyPassword1!
|
||||
title: Infrastructure IdM Manager
|
||||
loginshell: /bin/bash
|
||||
- name: gmk
|
||||
first: Gregory
|
||||
last: Kurtzer
|
||||
email: gmk@rockylinux.org
|
||||
password: ThisIsNotMyPassword1!
|
||||
title: Executive Director
|
||||
loginshell: /bin/bash
|
||||
- name: brian
|
||||
first: Brian
|
||||
last: Clemens
|
||||
email: brian@rockylinux.org
|
||||
password: ThisIsNotMyPassword1!
|
||||
title: Project Manager
|
||||
loginshell: /bin/bash
|
||||
- name: neil
|
||||
first: Neil
|
||||
last: Hanlon
|
||||
email: neil@rockylinux.org
|
||||
password: ThisIsNotMyPassword1!
|
||||
title: Infrastructure Manager
|
||||
loginshell: /bin/bash
|
||||
- name: rlh
|
||||
first: R. Leigh
|
||||
last: Hennig
|
||||
email: rlh@rockylinux.org
|
||||
password: ThisIsNotMyPassword1!
|
||||
title: Operations Manager
|
||||
loginshell: /bin/bash
|
||||
- name: rfelsburg
|
||||
first: Rob
|
||||
last: Felsburg
|
||||
email: rfelsburg@rockylinux.org
|
||||
password: ThisIsNotMyPassword1!
|
||||
title: Operations Manager
|
||||
loginshell: /bin/bash
|
||||
- name: tg
|
||||
first: Taylor
|
||||
last: Goodwill
|
||||
email: tg@rockylinux.org
|
||||
password: ThisIsNotMyPassword1!
|
||||
title: Infrastructure Manager
|
||||
loginshell: /bin/bash
|
||||
- name: bagner
|
||||
first: Benjamin
|
||||
last: Agner
|
||||
email: bagner@rockylinux.org
|
||||
password: ThisIsNotMyPassword1!
|
||||
title: Security Director
|
||||
loginshell: /bin/bash
|
||||
...
|
@ -1,3 +0,0 @@
|
||||
---
|
||||
ipatype: server
|
||||
...
|
Loading…
Reference in New Issue
Block a user