Merge pull request #14960 from rocky-linux/develop

Kojid, Rearranging, Special adhocs
This commit is contained in:
Louis Abel 2021-01-04 01:40:50 -07:00 committed by GitHub
commit 46001435e5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
45 changed files with 459 additions and 70 deletions

View File

@ -91,7 +91,8 @@ At a minimum, there should be `pre_tasks` and `post_tasks` that can judge whethe
assert: assert:
that: that:
- "not no_ansible.stat.exists" - "not no_ansible.stat.exists"
msg: "/etc/no-ansible exists - skipping run on this node" success_msg: "We are able to run on this node"
fail_msg: "/etc/no-ansible exists - skipping run on this node"
# Import roles/tasks here # Import roles/tasks here

View File

@ -8,7 +8,7 @@
become: false become: false
gather_facts: false gather_facts: false
vars_files: vars_files:
- vars/encpass.yml - vars/vaults/encpass.yml
tasks: tasks:
- name: "Checking for user variables" - name: "Checking for user variables"

View File

@ -0,0 +1,44 @@
---
# This playbook is meant to be used with callable variables, like adhoc or AWX.
# What: Creates dns records in the idm infrastructure based on the variables
# provided.
# What is expected:
# -> ipaadmin_password: This should be the password of the admin user
# -> ipa_admin: The admin user that has kerberos management capabilities (default is admin)
# -> ipa_zone: The zone name (eg, rockylinux.org)
# -> ipa_name: The shortname (eg, buildbox instead of buildbox.rockylinux.org)
# -> ipa_name_type: Type of record (eg, CNAME, A, AAAA, PTR)
# -> ipa_name_value: Record value (depends on type of record)
# -> ipa_presence: present or absent
- name: Create a DNS Record
hosts: ipaserver
become: false
gather_facts: false
vars_files:
- vars/vaults/encpass.yml
tasks:
- name: "Checking for user variables"
assert:
that:
- ipaadmin_password | mandatory
- ipa_zone | mandatory
- ipa_name | mandatory
- ipa_name_type | mandatory
- ipa_name_value | mandatory
- ipa_presence | mandatory
success_msg: "Required variables provided"
fail_msg: "We are missing zone information or ipa admin password"
- name: "Creating DNS Record"
freeipa.ansible_freeipa.ipadnsrecord:
ipaadmin_principal: "{{ ipa_admin|default('admin') }}"
ipaadmin_password: "{{ ipaadmin_password }}"
zone_name: "{{ ipa_zone }}"
name: "{{ ipa_name }}"
record_type: "{{ ipa_name_type }}"
record_value: "{{ ipa_name_value }}"
state: "{{ ipa_presence }}"
tags:
- dns

View File

@ -1,18 +1,24 @@
--- ---
# This playbook is meant to be used with callable variables, like adhoc or AWX. # This playbook is meant to be used with callable variables, like adhoc or AWX.
# Special thanks to @remyabel for assisting in improving this playbook with
# extended security posture
# What: Pulls keytabs for a kerberos service # What: Pulls keytabs for a kerberos service
# What is expected: # What is expected:
# -> ipa_service, using this format: SVC/hostname.rockylinux.org@ROCKYLINUX.ORG # -> host: The host in the inventory, this MUST be FQDN.
# -> ipa_service: using this format: SVC/hostname.rockylinux.org@ROCKYLINUX.ORG
# Note: This service MUST exist
# -> ipa_keytab_fullpath: The full path to the keytab. Example: /etc/gitlab/gitlab.keytab # -> ipa_keytab_fullpath: The full path to the keytab. Example: /etc/gitlab/gitlab.keytab
# -> ipa_server: This needs to be one of the IPA servers # -> ipa_server: This needs to be one of the IPA servers
# -> ipa_owner: If applicable, the local account that will own this keytab (eg for Apache) # -> ipa_owner: If applicable, the local account that can read this keytab (eg apache)
# -> ipa_admin: The admin user that has kerberos management capabilities (default is admin)
# -> ipaadmin_password: This should be the password of the admin user
- name: Pull keytab from IPA - name: Pull keytab from IPA
hosts: "{{ host }}" hosts: "{{ host }}"
become: false become: true
gather_facts: false gather_facts: false
vars_files: vars_files:
- vars/encpass.yml - vars/vaults/encpass.yml
tasks: tasks:
- name: "Checking for user variables" - name: "Checking for user variables"
@ -25,21 +31,106 @@
success_msg: "Required variables provided" success_msg: "Required variables provided"
fail_msg: "We are missing required information" fail_msg: "We are missing required information"
- name: "Pulling keytab" - name: "Check that a keytab doesn't already exist"
command: "ipa-getkeytab -s {{ ipa_server }} -p {{ ipa_service }} -k {{ ipa_keytab_fullpath }}" stat:
register: ipakeytab_result path: "{{ ipa_keytab_fullpath }}"
changed_when: register: keytab_status
- ipakeytab_result.rc == 0 check_mode: false
tags: changed_when: "1 != 1"
- keytab
- name: "Set ownership if applicable" - name: "Verify keytab existence"
assert:
that:
- "not keytab_status.stat.exists"
success_msg: "Keytab doesn't exist, moving on..."
fail_msg: "Keytab with that name already exists, skipping."
- name: "Grant {{ host }} and {{ ipa_admin }} access to the service keytab"
delegate_to: "{{ ipa_server }}"
freeipa.ansible_freeipa.ipaservice:
ipaadmin_principal: "{{ ipa_admin }}"
ipaadmin_password: "{{ ipaadmin_password }}"
name: "{{ ipa_service }}"
allow_retrieve_keytab_user:
- "{{ ipa_admin }}"
allow_retrieve_keytab_host:
- "{{ host }}"
action: member
- name: "Grant {{ host }} and {{ ipa_admin }} access to the host keytab"
delegate_to: "{{ ipa_server }}"
freeipa.ansible_freeipa.ipahost:
ipaadmin_principal: "{{ ipa_admin }}"
ipaadmin_password: "{{ ipaadmin_password }}"
name: "{{ host }}"
state: present
allow_retrieve_keytab_user:
- "{{ ipa_admin }}"
managedby_host: "{{ host }}"
action: member
- name: "Get kerberos ticket"
delegate_to: "{{ ipa_server }}"
shell: "set -o pipefail && echo \"{{ ipaadmin_password }}\" | kinit {{ ipa_admin }}"
check_mode: false
changed_when: "1 != 1"
when: not keytab_status.stat.exists
- name: "Attempt to retrieve keytab"
delegate_to: "{{ ipa_server }}"
command: "ipa-getkeytab -r -s {{ ipa_server }} -p {{ ipa_service }} -k /tmp/{{ host }}.kt"
register: ret_result
check_mode: false
changed_when: "1 != 1"
failed_when: "not ('Keytab successfully retrieved' in ret_result.stderr or 'krbPrincipalKey not found' in ret_result.stderr)"
- name: "Create keytab if it didn't exist, based on the last task"
delegate_to: "{{ ipa_server }}"
command: "ipa-getkeytab -s {{ ipa_server }} -p {{ ipa_service }} -k /tmp/{{ host }}.kt"
when: "'krbPrincipalKey not found' in ret_result.stderr"
- name: "Destroy admin ticket"
delegate_to: "{{ ipa_server }}"
command: "kdestroy -A"
register: kdestroy_result
changed_when: "kdestroy_result.rc == 0"
- name: "Put the keytab into a register"
delegate_to: "{{ ipa_server }}"
command: "base64 /tmp/{{ host }}.kt"
register: keytab
check_mode: false
changed_when: "keytab.rc == 0"
- name: "Destroy local keytab"
delegate_to: "{{ ipa_server }}"
file:
path: "/tmp/{{ host }}.kt"
state: absent
- name: "Deploy keytab to {{ host }} from register"
copy:
dest: "{{ ipa_keytab_fullpath }}.b64"
content: "{{ keytab.stdout }}"
owner: "{{ ipa_owner|default('root') }}"
group: "{{ ipa_owner|default('root') }}"
mode: '0600'
- name: "Decode keytab"
shell: "umask 077 && base64 -d {{ ipa_keytab_fullpath }}.b64 > {{ ipa_keytab_fullpath }}"
changed_when: "1 != 1"
- name: "Destroy encoded keytab"
file:
path: "{{ ipa_keytab_fullpath }}.b64"
state: absent
- name: "Set ownership if applicable, otherwise it's root owned"
file: file:
path: "{{ ipa_keytab_fullpath }}" path: "{{ ipa_keytab_fullpath }}"
owner: "{{ ipa_owner }}" owner: "{{ ipa_owner|default('root') }}"
group: "{{ ipa_owner }}" group: "{{ ipa_owner|default('root') }}"
mode: '0600' mode: '0600'
state: file state: file
when: ipa_owner
tags: tags:
- keytab - keytab

View File

@ -7,7 +7,7 @@
become: false become: false
gather_facts: false gather_facts: false
vars_files: vars_files:
- vars/encpass.yml - vars/vaults/encpass.yml
tasks: tasks:
- name: "Checking for user variables" - name: "Checking for user variables"

View File

@ -7,7 +7,7 @@
become: false become: false
gather_facts: false gather_facts: false
vars_files: vars_files:
- vars/encpass.yml - vars/vaults/encpass.yml
tasks: tasks:
- name: "Checking for user variables" - name: "Checking for user variables"

View File

@ -7,7 +7,7 @@
become: false become: false
gather_facts: false gather_facts: false
vars_files: vars_files:
- vars/encpass.yml - vars/vaults/encpass.yml
tasks: tasks:
- name: "Checking for user variables" - name: "Checking for user variables"

View File

@ -22,7 +22,7 @@
become: false become: false
gather_facts: false gather_facts: false
vars_files: vars_files:
- vars/encpass.yml - vars/vaults/encpass.yml
- vars/rabbitmq.yml - vars/rabbitmq.yml
tasks: tasks:

View File

@ -8,7 +8,7 @@
become: false become: false
gather_facts: false gather_facts: false
vars_files: vars_files:
- vars/encpass.yml - vars/vaults/encpass.yml
- vars/rabbitmq.yml - vars/rabbitmq.yml
tasks: tasks:

View File

@ -0,0 +1,51 @@
#!/bin/bash
# Borrowed from Fedora Infra for Rocky Linux
if [ $# -lt 2 ]; then
echo "Usage: $0 [name] [script]"
exit 1;
fi
NAME=$1
SCRIPT=$2
SILENT="no"
if [ $# -ge 3 -a "$3" == "--silent" ]; then
SILENT="yes"
shift
fi
shift 2
LOCKDIR="/var/tmp/$NAME"
PIDFILE="$LOCKDIR/pid"
function cleanup {
rm -rf "$LOCKDIR"
}
RESTORE_UMASK=$(umask -p)
umask 0077
mkdir "$LOCKDIR" >& /dev/null
if [ $? != 0 ]; then
PID=$(cat "$PIDFILE")
if [ -n "$PID" ] && /bin/ps $PID > /dev/null
then
if [ "$SILENT" != "yes" ]; then
echo "$PID is still running"
/bin/ps -o user,pid,start,time,comm $PID
fi
exit 1;
else
echo "$LOCKDIR exists but $PID is dead"
echo "Removing lockdir and re-running"
/bin/rm -rf $LOCKDIR
mkdir $LOCKDIR || exit
fi
fi
trap cleanup EXIT SIGQUIT SIGHUP SIGTERM
echo $$ > "$PIDFILE"
$RESTORE_UMASK
eval "$SCRIPT $*"

View File

@ -46,3 +46,25 @@
loop: "{{ svcusers }}" loop: "{{ svcusers }}"
tags: tags:
- users - users
- name: "Creating bind account template - binder"
template:
src: "tmp/binder.update"
dest: "/tmp/binder.update"
owner: root
group: root
mode: '0600'
tags:
- users
- name: "Adding in the bind account - binder"
command: "/usr/sbin/ipa-ldap-updater /tmp/binder.update"
register: bind_account
changed_when: "bind_account.rc == 0"
tags:
- users
- name: "Remove template"
file:
path: "/tmp/binder.update"
state: absent

View File

@ -23,7 +23,8 @@
assert: assert:
that: that:
- "not no_ansible.stat.exists" - "not no_ansible.stat.exists"
msg: "/etc/no-ansible exists - skipping run on this node" success_msg: "We are able to run on this node"
fail_msg: "/etc/no-ansible exists - skipping run on this node"
tasks: tasks:
- name: Configure Chrony - name: Configure Chrony

View File

@ -16,7 +16,8 @@
assert: assert:
that: that:
- "not no_ansible.stat.exists" - "not no_ansible.stat.exists"
msg: "/etc/no-ansible exists - skipping run on this node" success_msg: "We are able to run on this node"
fail_msg: "/etc/no-ansible exists - skipping run on this node"
tasks: tasks:
- name: Check for CPU Virtualization - name: Check for CPU Virtualization

View File

@ -5,9 +5,9 @@
become: false become: false
gather_facts: false gather_facts: false
vars_files: vars_files:
- vars/encpass.yml - vars/vaults/encpass.yml
- vars/rdns.yml - vars/ipa/rdns.yml
- vars/fdns.yml - vars/ipa/fdns.yml
tasks: tasks:
- name: "Checking for user variables" - name: "Checking for user variables"

View File

@ -5,12 +5,12 @@
become: false become: false
gather_facts: false gather_facts: false
vars_files: vars_files:
- vars/encpass.yml - vars/vaults/encpass.yml
- vars/users.yml - vars/ipa/users.yml
- vars/adminusers.yml - vars/ipa/adminusers.yml
- vars/svcusers.yml - vars/ipa/svcusers.yml
- vars/groups.yml - vars/ipa/groups.yml
- vars/ipaprivs.yml - vars/ipa/ipaprivs.yml
tasks: tasks:
- name: "Checking for user variables" - name: "Checking for user variables"

View File

@ -18,7 +18,8 @@
assert: assert:
that: that:
- "not no_ansible.stat.exists" - "not no_ansible.stat.exists"
msg: "/etc/no-ansible exists - skipping run on this node" success_msg: "We are able to run on this node"
fail_msg: "/etc/no-ansible exists - skipping run on this node"
tasks: tasks:
- name: Loading Variables from OS Common - name: Loading Variables from OS Common
@ -39,6 +40,9 @@
- name: Configure grub - name: Configure grub
import_tasks: tasks/grub.yml import_tasks: tasks/grub.yml
- name: Configure common scripts
import_tasks: tasks/scripts.yml
post_tasks: post_tasks:
- name: Touching run file that ansible has ran here - name: Touching run file that ansible has ran here
file: file:

View File

@ -21,7 +21,8 @@
assert: assert:
that: that:
- "not no_ansible.stat.exists" - "not no_ansible.stat.exists"
msg: "/etc/no-ansible exists - skipping un on this node" success_msg: "We are able to run on this node"
fail_msg: "/etc/no-ansible exists - skipping un on this node"
- name: Install SELinux packages - name: Install SELinux packages
package: package:

View File

@ -5,8 +5,8 @@
hosts: ipaclients hosts: ipaclients
become: true become: true
vars_files: vars_files:
- vars/encpass.yml - vars/vaults/encpass.yml
- vars/ipaclient.yml - vars/ipa/ipaclient.yml
pre_tasks: pre_tasks:
- name: Check if ansible cannot be run here - name: Check if ansible cannot be run here
@ -18,9 +18,10 @@
assert: assert:
that: that:
- "not no_ansible.stat.exists" - "not no_ansible.stat.exists"
msg: "/etc/no-ansible exists - skipping run on this node" success_msg: "We are able to run on this node"
fail_msg: "/etc/no-ansible exists - skipping run on this node"
# - name: Check if we can see LDAP srv records # - name: Check if we can see LDAP srv records
roles: roles:

View File

@ -5,7 +5,7 @@
hosts: ipareplicas hosts: ipareplicas
become: true become: true
vars_files: vars_files:
- vars/encpass.yml - vars/vaults/encpass.yml
# This is to try to avoid the handler issue in pre/post tasks # This is to try to avoid the handler issue in pre/post tasks
handlers: handlers:
@ -21,7 +21,8 @@
assert: assert:
that: that:
- "not no_ansible.stat.exists" - "not no_ansible.stat.exists"
msg: "/etc/no-ansible exists - skipping run on this node" success_msg: "We are able to run on this node"
fail_msg: "/etc/no-ansible exists - skipping run on this node"
- name: Ensure 'dns=none' is set for Network Manager - name: Ensure 'dns=none' is set for Network Manager
ini_file: ini_file:

View File

@ -9,7 +9,7 @@
hosts: ipaserver hosts: ipaserver
become: true become: true
vars_files: vars_files:
- vars/encpass.yml - vars/vaults/encpass.yml
# This is to try to avoid the handler issue in pre/post tasks # This is to try to avoid the handler issue in pre/post tasks
handlers: handlers:
@ -25,7 +25,8 @@
assert: assert:
that: that:
- "not no_ansible.stat.exists" - "not no_ansible.stat.exists"
msg: "/etc/no-ansible exists - skipping run on this node" success_msg: "We are able to run on this node"
fail_msg: "/etc/no-ansible exists - skipping run on this node"
- name: Ensure 'dns=none' is set for Network Manager to avoid change - name: Ensure 'dns=none' is set for Network Manager to avoid change
ini_file: ini_file:

View File

@ -4,7 +4,7 @@
hosts: ipsilon hosts: ipsilon
become: true become: true
vars_files: vars_files:
- vars/encpass.yml - vars/vaults/encpass.yml
- vars/ipsilon.yml - vars/ipsilon.yml
# This is to try to avoid the handler issue in pre/post tasks # This is to try to avoid the handler issue in pre/post tasks
@ -21,7 +21,8 @@
assert: assert:
that: that:
- "not no_ansible.stat.exists" - "not no_ansible.stat.exists"
msg: "/etc/no-ansible exists - skipping run on this node" success_msg: "We are able to run on this node"
fail_msg: "/etc/no-ansible exists - skipping run on this node"
# EPEL and PowerTools are required for ipsilon to function # EPEL and PowerTools are required for ipsilon to function
# I also couldn't find an ansible built-in to do this # I also couldn't find an ansible built-in to do this

View File

@ -0,0 +1,85 @@
---
# Stands up an ipsilon instance for simple SSO
- name: Configure koji hub and web server
hosts: kojihub
become: true
vars_files:
- vars/vaults/encpass.yml
- vars/kojid.yml
# This is to try to avoid the handler issue in pre/post tasks
handlers:
- import_tasks: handlers/main.yml
pre_tasks:
- name: Check if ansible cannot be run here
stat:
path: /etc/no-ansible
register: no_ansible
- name: Verify if we can run ansible
assert:
that:
- "not no_ansible.stat.exists"
success_msg: "We are able to run on this node"
fail_msg: "/etc/no-ansible exists - skipping run on this node"
- name: Check for keytabs - kojid
stat:
path: /etc/kojid.keytab
register: kojid_keytab
changed_when: "1 != 1"
- name: Verify keytab
assert:
that:
- "kojid_keytab.stat.exists"
success_msg: "It is likely we have all keytabs"
fail_msg: "There are no keytabs. Please build the keytabs."
# EPEL and PowerTools are required for ipsilon to function
# I also couldn't find an ansible built-in to do this
- name: Enable the PowerTools repository
ini_file:
dest: /etc/yum.repos.d/CentOS-Linux-PowerTools.repo
section: powertools
option: enabled
value: 1
owner: root
group: root
mode: '0644'
# The CentOS extras repos has epel-release provided
- name: Enable the EPEL repository
yum:
name: epel-release
state: present
tags:
- packages
- name: Install rocky-tools copr
yum_repository:
name: copr:copr.fedorainfracloud.org:nalika:rockylinux-tool
description: Copr repo for rockylinux-tools owned by nalika
file: copr_repos
baseurl: https://download.copr.fedorainfracloud.org/results/nalika/rockylinux-tools/epel-8-$basearch/
gpgcheck: true
gpgkey: https://download.copr.fedorainfracloud.org/results/nalika/rockylinux-tools/pubkey.gpg
enabled: true
# Right now, we are not sure how or where we'll get our certificates. So we
# are presenting a choice by setting a variable, koji_internal_ca. There is a
# change that we will have to do internal certs for mqtt anyway.
# TODO: We need an MQTT role and pre_tasks for the keytabs for this role
roles:
- role: rockylinux.kojid
state: present
post_tasks:
- name: Touching run file that ansible has ran here
file:
path: /var/log/ansible.run
state: touch
mode: '0644'
owner: root
group: root

View File

@ -4,7 +4,7 @@
hosts: kojihub hosts: kojihub
become: true become: true
vars_files: vars_files:
- vars/encpass.yml - vars/vaults/encpass.yml
- vars/kojihub.yml - vars/kojihub.yml
# This is to try to avoid the handler issue in pre/post tasks # This is to try to avoid the handler issue in pre/post tasks
@ -21,7 +21,42 @@
assert: assert:
that: that:
- "not no_ansible.stat.exists" - "not no_ansible.stat.exists"
msg: "/etc/no-ansible exists - skipping run on this node" success_msg: "We are able to run on this node"
fail_msg: "/etc/no-ansible exists - skipping run on this node"
- name: Check for keytabs - web
stat:
path: /etc/keytabs/koji-web.keytab
register: koji_keytab
changed_when: "1 != 1"
- name: Check for keytabs - kojira
stat:
path: /etc/keytabs/kojira.keytab
register: kojira_keytab
changed_when: "1 != 1"
- name: Check for keytabs - gc
stat:
path: /etc/keytabs/koji-gc.keytab
register: gc_keytab
changed_when: "1 != 1"
- name: Check for keytabs - host
stat:
path: /etc/keytabs/host.keytab
register: host_keytab
changed_when: "1 != 1"
- name: Verify keytab
assert:
that:
- "koji_keytab.stat.exists"
- "kojira_keytab.stat.exists"
- "gc_keytab.stat.exists"
- "host_keytab.stat.exists"
success_msg: "It is likely we have all keytabs"
fail_msg: "There are no keytabs. Please build the keytabs."
# EPEL and PowerTools are required for ipsilon to function # EPEL and PowerTools are required for ipsilon to function
# I also couldn't find an ansible built-in to do this # I also couldn't find an ansible built-in to do this

View File

@ -13,7 +13,9 @@
assert: assert:
that: that:
- "not no_ansible.stat.exists" - "not no_ansible.stat.exists"
msg: "/etc/no-ansible exists - skipping run on this node" success_msg: "We are able to run on this node"
fail_msg: "/etc/no-ansible exists - skipping run on this node"
- name: Install SELinux packages - name: Install SELinux packages
package: package:
name: python3-policycoreutils.noarch name: python3-policycoreutils.noarch
@ -50,5 +52,5 @@
- name: Open firewall for node-exporter - name: Open firewall for node-exporter
ansible.posix.firewalld: ansible.posix.firewalld:
port: 9100/tcp port: 9100/tcp
permanent: yes permanent: true
state: enabled state: enabled

View File

@ -4,7 +4,7 @@
hosts: kojihub hosts: kojihub
become: true become: true
vars_files: vars_files:
- vars/encpass.yml - vars/vaults/encpass.yml
- vars/mqtt.yml - vars/mqtt.yml
# This is to try to avoid the handler issue in pre/post tasks # This is to try to avoid the handler issue in pre/post tasks
@ -21,7 +21,8 @@
assert: assert:
that: that:
- "not no_ansible.stat.exists" - "not no_ansible.stat.exists"
msg: "/etc/no-ansible exists - skipping run on this node" success_msg: "We are able to run on this node"
fail_msg: "/etc/no-ansible exists - skipping run on this node"
# EPEL and PowerTools are required for ipsilon to function # EPEL and PowerTools are required for ipsilon to function
# I also couldn't find an ansible built-in to do this # I also couldn't find an ansible built-in to do this

View File

@ -5,7 +5,7 @@
become: true become: true
vars_files: vars_files:
- vars/common.yml - vars/common.yml
- vars/encpass.yml - vars/vaults/encpass.yml
- vars/rabbitmq.yml - vars/rabbitmq.yml
# This is to try to avoid the handler issue in pre/post tasks # This is to try to avoid the handler issue in pre/post tasks
@ -22,12 +22,13 @@
assert: assert:
that: that:
- "not no_ansible.stat.exists" - "not no_ansible.stat.exists"
msg: "/etc/no-ansible exists - skipping run on this node" success_msg: "We are able to run on this node"
fail_msg: "/etc/no-ansible exists - skipping run on this node"
# We have separate passwords per rabbitmq env # We have separate passwords per rabbitmq env
- name: Import rabbitmq passwords - name: Import rabbitmq passwords
include_vars: include_vars:
file: "vars/rabbitmq_{{ rabbitmq_env }}.yml" file: "vars/vaults/rabbitmq_{{ rabbitmq_env }}.yml"
# EPEL and PowerTools are required for ipsilon to function # EPEL and PowerTools are required for ipsilon to function
# I also couldn't find an ansible built-in to do this # I also couldn't find an ansible built-in to do this

View File

@ -0,0 +1,9 @@
---
# Common scripts that rocky uses on nodes
- name: Lock Wrapper script
copy:
src: "usr/local/bin/lock-wrapper"
dest: "/usr/local/bin/lock-wrapper"
owner: root
group: root
mode: '0755'

View File

@ -0,0 +1,7 @@
dn: uid=binder,cn=sysaccounts,cn=etc,dc=rockylinux,dc=org
add:objectclass:account
add:objectclass:simplesecurityobject
add:uid:binder
add:userPassword:{{ ipa_binder_password }}
add:passwordExpirationTime:20380119031407Z
add:nsIdleTimeout:0

View File

@ -1,8 +1,9 @@
--- ---
rocky_ldap_bind_dn: "uid=binder,cn=sysaccounts,cn=etc,dc=rockylinux,dc=org" rocky_ldap_bind_dn: "uid=binder,cn=sysaccounts,cn=etc,dc=rockylinux,dc=org"
rocky_ldap_bind_pw: "ThisIsNotThePassword!"
rocky_ldap_user_basedn: "cn=users,cn=accounts,dc=rockylinux,dc=org" rocky_ldap_user_basedn: "cn=users,cn=accounts,dc=rockylinux,dc=org"
rocky_ldap_group_basedn: "cn=groups,cn=accounts,dc=rockylinux,dc=org" rocky_ldap_group_basedn: "cn=groups,cn=accounts,dc=rockylinux,dc=org"
rocky_ldap_account_basedn: "cn=accounts,dc=rockylinux,dc=org" rocky_ldap_account_basedn: "cn=accounts,dc=rockylinux,dc=org"
# Requires jinja 2.9+ # Requires jinja 2.9+
rocky_ipaserver_list: "{{ groups['ipaserver'] + groups['ipareplicas'] }}" rocky_ipaserver_list: "{{ groups['ipaserver'] + groups['ipareplicas'] }}"
# This will need to be vaulted
# rocky_ldap_bind_pw: "ThisIsNotThePassword!"

View File

@ -26,3 +26,10 @@ iparoles:
- "Netgroups Administrators" - "Netgroups Administrators"
user: user:
- hostman - hostman
- role: IPA User Managers
description: Rocky IPA User Managers responsible for idm flow
privileges:
- "Group Administrators"
- "Stage User Administrators"
- "User Administrators"
- "FAS Agreement Administrators"

View File

@ -14,6 +14,13 @@ svcusers:
password: ThisIsNotMyPassword1! password: ThisIsNotMyPassword1!
title: System Account - Kerberos Key Manager title: System Account - Kerberos Key Manager
loginshell: /sbin/nologin loginshell: /sbin/nologin
- name: userman
first: User
last: Manager
email: infrastructure@rockylinux.org
password: ThisIsNotMyPassword1!
title: System Account - User Manager
loginshell: /sbin/nologin
- name: rockykoji - name: rockykoji
first: Koji first: Koji
last: Manager last: Manager

View File

@ -0,0 +1,15 @@
---
# vars for kojid
kojid_vendor: Rocky
kojid_packager: infrastructure@rockylinux.org
kojid_distribution: Rocky
# These three should probably be specified by special vars
# kojid_web_url: https://koji.rockylinux.org/koji
# kojid_hub_url: https://koji.rockylinux.org/kojihub
# kojid_files_url: https://koji.rockylinux.org/kojifiles
kojid_ca_bundle: /etc/pki/tls/certs/ca-bundle.crt
kojid_keytab: /etc/kojid.keytab
kojid_smtp_host: smtp.rockylinux.org
kojid_allowed_scm: "git.centos.org:/* git.rockylinux.org:/*"

View File

@ -1,5 +1,7 @@
--- ---
# koji hub settings # koji hub settings
# This should be the front-facing URL of koji
#koji_url_name: koji.rockylinux.org
# Use an internal CA (IPA) # Use an internal CA (IPA)
koji_internal_ca: true koji_internal_ca: true
@ -13,9 +15,9 @@ koji_db_user: koji
# This will need to change when koji_postgresql_vm is false # This will need to change when koji_postgresql_vm is false
koji_db_host: "{{ ansible_fqdn }}" koji_db_host: "{{ ansible_fqdn }}"
koji_web_url: "https://{{ ansible_fqdn }}/koji" koji_web_url: "https://{{ koji_url_name }}/koji"
koji_hub_url: "https://{{ ansible_fqdn }}/kojihub" koji_hub_url: "https://{{ koji_url_name }}/kojihub"
koji_files_url: "https://{{ ansible_fqdn }}/kojifiles" koji_files_url: "https://{{ koji_url_name }}/kojifiles"
# The IPA internal CA is combined with the others # The IPA internal CA is combined with the others
koji_web_cacert: /etc/pki/tls/certs/ca-bundle.crt koji_web_cacert: /etc/pki/tls/certs/ca-bundle.crt
@ -35,9 +37,9 @@ koji_admin_localuser: true
koji_admin_localuser_name: koji koji_admin_localuser_name: koji
# Hub Settings # Hub Settings
koji_hub_principal: "HTTP/{{ ansible_fqdn }}@ROCKYLINUX.ORG" koji_hub_principal: "host/kojihub@ROCKYLINUX.ORG"
koji_hub_proxy_principals: koji/kojiweb@ROCKYLINUX.ORG koji_hub_proxy_principals: "HTTP/{{ inventory_hostname }}@ROCKYLINUX.ORG"
koji_hub_keytab: /etc/koji.keytab koji_hub_keytab: /etc/keytabs/host.keytab
koji_hub_principal_format: compile/%s@ROCKYLINUX.ORG koji_hub_principal_format: compile/%s@ROCKYLINUX.ORG
# This should be sufficient even for LE # This should be sufficient even for LE
koji_hub_ca: "{{ koji_web_cacert }}" koji_hub_ca: "{{ koji_web_cacert }}"
@ -47,15 +49,6 @@ koji_hub_ca: "{{ koji_web_cacert }}"
koji_fas_sync: false koji_fas_sync: false
koji_fas_url: https://accounts.rockylinux.org koji_fas_url: https://accounts.rockylinux.org
# Not implemented yet
koji_hub_plugin_mqtt_host: mqtt.rockylinux.org
koji_hub_plugin_mqtt_topic: koji
koji_hub_plugin_mqtt_ca: "{{ koji_hub_ca }}"
koji_hub_plugin_mqtt_tls_cert: /etc/pki/tls/certs/mqtt.pem
koji_hub_plugin_mqtt_tls_key: /etc/pki/tls/certs/mqtt.key
koji_hub_plugin_mqtt_excluded_tags:
- testing-tag
# IPA Certs if Required # IPA Certs if Required
ipa_getcert_requested_hostnames: ipa_getcert_requested_hostnames:
- name: "{{ ansible_fqdn }}" - name: "{{ ansible_fqdn }}"

View File

@ -10,6 +10,9 @@ ipaadmin_password: !vault |
ipadm_password: !vault | ipadm_password: !vault |
$ANSIBLE_VAULT;1.1;AES256 $ANSIBLE_VAULT;1.1;AES256
REDACTED REDACTED
ipa_binder_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
REDACTED
ipsilon_db_password: !vault | ipsilon_db_password: !vault |
$ANSIBLE_VAULT;1.1;AES256 $ANSIBLE_VAULT;1.1;AES256
REDACTED REDACTED

View File

@ -16,6 +16,9 @@ roles:
- name: rockylinux.kojihub - name: rockylinux.kojihub
src: https://github.com/rocky-linux/ansible-role-kojihub src: https://github.com/rocky-linux/ansible-role-kojihub
version: main version: main
- name: rockylinux.kojid
src: https://github.com/rocky-linux/ansible-role-kojid
version: main
- name: rockylinux.rabbitmq - name: rockylinux.rabbitmq
src: https://github.com/rocky-linux/ansible-role-rabbitmq src: https://github.com/rocky-linux/ansible-role-rabbitmq
version: main version: main