From 528d35b1e132f2315f40ee42fe0eabd7a93183ac Mon Sep 17 00:00:00 2001 From: nazunalika Date: Thu, 10 Dec 2020 00:33:09 -0700 Subject: [PATCH] First commit for infra - IPA --- README.md | 10 +++++++ ansible/README.md | 3 ++ ansible/adhoc-facts-refresh.yml | 7 +++++ ansible/adhoc-ipagroups.yml | 32 +++++++++++++++++++++ ansible/adhoc-ipausers.yml | 40 ++++++++++++++++++++++++++ ansible/handlers/main.yml | 10 +++++++ ansible/import-rockygroups.yml | 11 ++++++++ ansible/import-rockysudo.yml | 11 ++++++++ ansible/import-rockyusers.yml | 16 +++++++++++ ansible/init-rocky-ipa-team.yml | 28 +++++++++++++++++++ ansible/inventory/ipainventory | 45 ++++++++++++++++++++++++++++++ ansible/role-rocky-ipa-client.yml | 30 ++++++++++++++++++++ ansible/role-rocky-ipa-replica.yml | 29 +++++++++++++++++++ ansible/role-rocky-ipa.yml | 11 ++++++++ ansible/tasks/main.yml | 1 + ansible/vars/encpass.yml | 8 ++++++ ansible/vars/groups.yml | 14 ++++++++++ ansible/vars/sudorules.yml | 2 ++ ansible/vars/users.yml | 16 +++++++++++ 19 files changed, 324 insertions(+) create mode 100644 README.md create mode 100644 ansible/README.md create mode 100644 ansible/adhoc-facts-refresh.yml create mode 100644 ansible/adhoc-ipagroups.yml create mode 100644 ansible/adhoc-ipausers.yml create mode 100644 ansible/handlers/main.yml create mode 100644 ansible/import-rockygroups.yml create mode 100644 ansible/import-rockysudo.yml create mode 100644 ansible/import-rockyusers.yml create mode 100644 ansible/init-rocky-ipa-team.yml create mode 100644 ansible/inventory/ipainventory create mode 100644 ansible/role-rocky-ipa-client.yml create mode 100644 ansible/role-rocky-ipa-replica.yml create mode 100644 ansible/role-rocky-ipa.yml create mode 100644 ansible/tasks/main.yml create mode 100644 ansible/vars/encpass.yml create mode 100644 ansible/vars/groups.yml create mode 100644 ansible/vars/sudorules.yml create mode 100644 ansible/vars/users.yml 
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..bddaf8c
--- /dev/null
+++ b/README.md
@@ -0,0 +1,10 @@
+# Infrastructure
+
+We will add more data here soon
+
+```
+ansible -> All ansible playbooks, modules, etc are here
+scripts -> Scripts for infrastructure go here
+tests -> Repo specific tests
+utils -> Utilities focused for infrastructure or testing this repo
+```
diff --git a/ansible/README.md b/ansible/README.md
new file mode 100644
index 0000000..629a33b
--- /dev/null
+++ b/ansible/README.md
@@ -0,0 +1,3 @@
+# Ansible
+
+Ansible playbooks, roles, modules, etc will come here. Documentation to come soon.
diff --git a/ansible/adhoc-facts-refresh.yml b/ansible/adhoc-facts-refresh.yml
new file mode 100644
index 0000000..8e80fe1
--- /dev/null
+++ b/ansible/adhoc-facts-refresh.yml
@@ -0,0 +1,7 @@
+---
+- hosts: all
+ become: True
+ tasks:
+ - name: Force a fact refresh to have those available in local cache
+ setup:
+ gather_timeout: 30
diff --git a/ansible/adhoc-ipagroups.yml b/ansible/adhoc-ipagroups.yml
new file mode 100644
index 0000000..d651bc3
--- /dev/null
+++ b/ansible/adhoc-ipagroups.yml
@@ -0,0 +1,32 @@
+---
+# This playbook is meant to be used with callable variables, like adhoc or AWX.
+# However, adhoc, it works fine as long as you mention all required variables.
+#
+# What: Creates groups in the idm infrastructure
+
+- name: Create our initial users
+ hosts: ipaserver
+ become: false
+ vars_files:
+ - vars/encpass.yml
+
+ tasks:
+ - name: "Checking for user variables"
+ assert:
+ that:
+ - ipaadmin_password | mandatory
+ - ipaGroup | mandatory
+ - ipaDescription | mandatory
+ - ipaPosix | mandatory
+ success_msg: "Required variables provided"
+ fail_msg: "We are missing group information or ipa admin password"
+
+ - name: "Creating Mandatory Groups"
+ ipagroup:
+ ipaadmin_password: "{{ ipaadmin_password }}"
+ name: "{{ ipaGroup }}"
+ description: "{{ ipaDescription }}"
+ nonposix: "{{ ipaPosix }}"
+ tags:
+ - groups
+
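Review bot: `become: True` in adhoc-facts-refresh.yml uses a capitalised boolean while every other play in this commit writes lowercase `become: true` / `become: false`; YAML 1.1 accepts both, but yamllint's truthy rule and a YAML 1.2 loader do not treat them alike. Change it to `become: true` so the files agree.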
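Review bot: The assertion `- ipaPosix | mandatory` in adhoc-ipagroups.yml fails whenever a caller passes `ipaPosix: false`, because `mandatory` only checks that the variable is defined and then hands the value itself to `assert`, which treats a false value as a failed condition and reports "We are missing group information". Use `- ipaPosix is defined` for that entry (the string variables happen to work, but `is defined` is the safer form for all four). Separately, the value is passed straight through as `nonposix: "{{ ipaPosix }}"`, so `ipaPosix: true` produces a non-POSIX group; either document that inversion in the header comment or invert it in place with `nonposix: "{{ not (ipaPosix | bool) }}"` so the variable name and the result agree. The play name `Create our initial users` also looks copied from the users playbook and should describe groups.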
diff --git a/ansible/adhoc-ipausers.yml b/ansible/adhoc-ipausers.yml
new file mode 100644
index 0000000..bfec2b1
--- /dev/null
+++ b/ansible/adhoc-ipausers.yml
@@ -0,0 +1,40 @@
+---
+# This playbook is meant to be used with callable variables, like adhoc or AWX.
+# However, adhoc, it works fine as long as you mention all required variables.
+#
+# What: Creates users in the idm infrastructure
+
+- name: Create a User
+ hosts: ipaserver
+ become: false
+ vars_files:
+ - vars/encpass.yml
+
+ tasks:
+ - name: "Checking for user variables"
+ assert:
+ that:
+ - ipaadmin_password | mandatory
+ - ipaName | mandatory
+ - ipaFirst | mandatory
+ - ipaLast | mandatory
+ - ipaEmail | mandatory
+ - ipaPassword | mandatory
+ - ipaTitle | mandatory
+ success_msg: "Required variables provided"
+ fail_msg: "We are missing user information or ipa admin password"
+
+ - name: "Creating User Account"
+ ipauser:
+ ipaadmin_password: "{{ ipaadmin_password }}"
+ name: "{{ ipaName }}"
+ first: "{{ ipaFirst }}"
+ last: "{{ ipaLast }}"
+ email: "{{ ipaEmail }}"
+ password: "{{ ipaPassword }}"
+ title: "{{ ipaTitle }}"
+ loginshell: "{{ ipaLoginshell|default('/sbin/nologin', True) }}"
+ update_password: on_create
+ tags:
+ - users
+
diff --git a/ansible/handlers/main.yml b/ansible/handlers/main.yml
new file mode 100644
index 0000000..732c82c
--- /dev/null
+++ b/ansible/handlers/main.yml
@@ -0,0 +1,10 @@
+---
+- name: restart_ssh
+ service:
+ name: sshd
+ state: restarted
+
+- name: restart_httpd
+ service:
+ name: httpd
+ state: restarted
diff --git a/ansible/import-rockygroups.yml b/ansible/import-rockygroups.yml
new file mode 100644
index 0000000..d714417
--- /dev/null
+++ b/ansible/import-rockygroups.yml
@@ -0,0 +1,11 @@
+---
+- name: "Creating Mandatory Groups"
+ ipagroup:
+ ipaadmin_password: "{{ ipaadmin_password }}"
+ name: "{{ item.group }}"
+ description: "{{ item.description }}"
+ nonposix: no
+ loop: "{{ ipagroups }}"
+ tags:
+ - groups
+
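Review bot: `ipaPassword` in adhoc-ipausers.yml is an initial credential arriving as an extra variable, and nothing on the "Creating User Account" task stops it from being echoed in verbose output or retained in an AWX job record; add `no_log: true` to that task (the `ipauser` module may already mask its `password` argument, but the task-level setting does not depend on that). The header comment should also tell callers to supply it through a vaulted variable or an encrypted survey field rather than a plain `-e` on the command line, which lands in shell history. The `default('/sbin/nologin', True)` fallback for `ipaLoginshell` is a sensible choice and worth keeping.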
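Review bot: `nonposix: no` in import-rockygroups.yml depends on YAML 1.1 implicit boolean conversion; the rest of the commit writes `true`/`false`, so use `nonposix: false` for consistency and so a YAML 1.2 loader does not hand the module the string "no".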
diff --git a/ansible/import-rockysudo.yml b/ansible/import-rockysudo.yml
new file mode 100644
index 0000000..c4043dc
--- /dev/null
+++ b/ansible/import-rockysudo.yml
@@ -0,0 +1,11 @@
+---
+- name: "Creating SUDO Role for Rocky Admins"
+ ipasudorule:
+ ipaadmin_password: "{{ ipaadmin_password }}"
+ name: All_RockyAdmins
+ description: Rocky Linux infrastructure and operations sudo access
+ group:
+ - rockyadm
+ hostcat: all
+ cmdcat: all
+
diff --git a/ansible/import-rockyusers.yml b/ansible/import-rockyusers.yml
new file mode 100644
index 0000000..3d5a3ea
--- /dev/null
+++ b/ansible/import-rockyusers.yml
@@ -0,0 +1,16 @@
+---
+- name: "Creating Initial Accounts"
+ ipauser:
+ ipaadmin_password: "{{ ipaadmin_password }}"
+ name: "{{ item.name }}"
+ first: "{{ item.first }}"
+ last: "{{ item.last }}"
+ email: "{{ item.email }}"
+ password: "{{ item.password }}"
+ title: "{{ item.title }}"
+ loginshell: "{{ item.loginshell }}"
+ update_password: on_create
+ loop: "{{ users }}"
+ tags:
+ - users
+
diff --git a/ansible/init-rocky-ipa-team.yml b/ansible/init-rocky-ipa-team.yml
new file mode 100644
index 0000000..3d8af84
--- /dev/null
+++ b/ansible/init-rocky-ipa-team.yml
@@ -0,0 +1,28 @@
+---
+# This builds out the initial users and groups for the rocky linux infra
+- name: Create our initial users
+ hosts: ipaserver
+ become: false
+ vars_files:
+ - vars/encpass.yml
+ - vars/users.yml
+ - vars/groups.yml
+
+ tasks:
+ - name: "Checking for user variables"
+ assert:
+ that:
+ - ipaadmin_password | mandatory
+ - users | mandatory
+ - ipagroups | mandatory
+ success_msg: "Required variables provided"
+ fail_msg: "We are missing users or ipa admin password"
+
+ - name: "Start users"
+ include: import-rockyusers.yml
+
+ - name: "Start groups"
+ include: import-rockygroups.yml
+
+ - name: "Start sudo for admins"
+ include: import-rockysudo.yml
diff --git a/ansible/inventory/ipainventory b/ansible/inventory/ipainventory
new file mode 100644
index 0000000..f35c23d
--- /dev/null
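Review bot: The sudo rule in import-rockysudo.yml is hard-coded in the task while the same commit creates an empty `ansible/vars/sudorules.yml`, which suggests rules were meant to be data like `users` and `ipagroups`; either drop the empty vars file or move the rule there and loop over it the way import-rockygroups.yml does. `hostcat: all` together with `cmdcat: all` gives the `rockyadm` group unrestricted sudo on every enrolled host, so a comment above the task stating that this is intended and that `rockyadm` membership is the only gate would help the next reader. Nothing in this commit adds a user to `rockyadm` (neither the `ipagroup` nor the `ipauser` tasks set members), so the rule has no effective members until that is done elsewhere — presumably by hand for now, but worth saying in the comment.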
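Review bot: The `loop: "{{ users }}"` task in import-rockyusers.yml prints each loop item as its label in the default stdout callback, and the item is the whole user dict including `password`, so every initial password is written to the play output and to any AWX or CI job log. Add `no_log: true` to the task, or at minimum `loop_control: label: "{{ item.name }}"` so only the username is shown. `loginshell: "{{ item.loginshell }}"` also has no fallback, unlike adhoc-ipausers.yml which defaults to `/sbin/nologin`; `loginshell: "{{ item.loginshell | default('/sbin/nologin', True) }}"` keeps the two paths consistent and avoids an undefined-variable failure for an entry that omits the shell.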
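Review bot: The three `include:` statements in init-rocky-ipa-team.yml use the bare `include` action, deprecated since Ansible 2.4 in favour of `import_tasks` (static) or `include_tasks` (dynamic), and they emit a deprecation warning on every run; `import_tasks: import-rockyusers.yml` and likewise for the other two is the direct replacement and keeps the `tags` on the imported tasks working. The play name `Create our initial users` also covers groups and the sudo rule, so a name matching the header comment (users, groups and sudo for the infra) would make run output less confusing.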
+++ b/ansible/inventory/ipainventory
@@ -0,0 +1,45 @@
+[ipaservers]
+ipa001.rockylinux.org ansible_host=10.100.1.110
+ipa002.rockylinux.org ansible_host=10.100.1.111
+
+[ipaserver]
+ipa001.rockylinux.org ansible_host=10.100.1.110
+
+[ipaserver:vars]
+ipaserver_domain=rockylinux.org
+ipaserver_realm=ROCKYLINUX.ORG
+ipaserver_setup_dns=yes
+ipaserver_setup_kra=true
+ipaserver_auto_forwarders=yes
+ipaserver_no_host_dns=true
+ipaserver_hostname=ipa001.rockylinux.org
+ipaserver_allow_zone_overlap=yes
+ipaserver_setup_firewalld=yes
+ipaclient_no_ntp=true
+ipaclient_mkhomedir=yes
+ipaserver_reverse_zones=["1.100.10.in-addr.arpa."]
+
+[ipareplicas]
+ipa002.rockylinux.org ansible_host=10.100.1.111
+
+[ipareplicas:vars]
+ipaadmin_principal=admin
+ipaclient_no_ntp=true
+ipaclient_mkhomedir=yes
+ipaserver_realm=ROCKYLINUX.ORG
+ipaserver_hostname=ipa002.rockylinux.org
+ipareplica_domain=rockylinux.org
+ipareplica_auto_forwarders=yes
+ipareplica_setup_firewalld=yes
+ipareplica_setup_ca=yes
+ipareplica_setup_kra=yes
+ipareplica_setup_dns=yes
+
+[ipaclients]
+build-a-box.rockylinux.org ansible_host=10.100.1.112
+
+[ipaclients:vars]
+ipaclient_domain=rockylinux.org
+ipaadmin_principal=admin
+ipaclient_no_ntp=true
+ipaclient_mkhomedir=yes
diff --git a/ansible/role-rocky-ipa-client.yml b/ansible/role-rocky-ipa-client.yml
new file mode 100644
index 0000000..f85a06d
--- /dev/null
+++ b/ansible/role-rocky-ipa-client.yml
@@ -0,0 +1,30 @@
+---
+- name: Configure IPA client
+ hosts: ipaclients
+ become: true
+ vars_files:
+ - vars/encpass.yml
+
+ pre_tasks:
+ - name: Check if ansible cannot be run here
+ stat:
+ path: /etc/no-ansible
+ register: no_ansible
+
+ - name: Verify if we can run ansible
+ assert:
+ that:
+ - "not no_ansible.stat.exists"
+ msg: "/etc/no-ansible exists - skipping run on this node"
+
+ roles:
+ - role: ipaclient
+ state: present
+
+
+ post_tasks:
+ - name: Touching run file that ansible has ran here
+ file:
+ path: /var/log/ansible.run
+ state: touch
+
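Review bot: The `:vars` sections of the inventory mix `yes` and `true` for the same kind of flag (`ipaserver_setup_dns=yes` next to `ipaserver_setup_kra=true`, and the same mix in `[ipareplicas:vars]`); INI inventory values stay strings until the consuming role casts them, so pick one spelling, preferably `true`/`false`, for the whole file. `ipaserver_no_host_dns=true` and `ipaserver_allow_zone_overlap=yes` both bypass installer checks (host DNS lookup and existing-zone detection), which may be needed on a fresh network but is a surprising setting to inherit later, so a comment above them saying why this environment needs them would help. This hunk's `diff`/`index` header is at the end of the previous line.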
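Review bot: The `/etc/no-ansible` guard in role-rocky-ipa-client.yml uses `assert`, which marks the host failed (and counts it as a failure in the recap) rather than skipping it as the message `/etc/no-ansible exists - skipping run on this node` claims. If a skip is really intended, a `meta: end_host` task with `when: no_ansible.stat.exists` ends the play for that host cleanly (Ansible 2.8 or newer); if a failure is intended, reword the message. The same construct is in role-rocky-ipa-replica.yml in the next hunk, and role-rocky-ipa.yml has no guard at all, so whichever form is chosen should be applied to all three plays.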
diff --git a/ansible/role-rocky-ipa-replica.yml b/ansible/role-rocky-ipa-replica.yml
new file mode 100644
index 0000000..70b01e9
--- /dev/null
+++ b/ansible/role-rocky-ipa-replica.yml
@@ -0,0 +1,29 @@
+---
+- name: Configure IPA server
+ hosts: ipareplicas
+ become: true
+ vars_files:
+ - vars/encpass.yml
+
+ pre_tasks:
+ - name: Check if ansible cannot be run here
+ stat:
+ path: /etc/no-ansible
+ register: no_ansible
+
+ - name: Verify if we can run ansible
+ assert:
+ that:
+ - "not no_ansible.stat.exists"
+ msg: "/etc/no-ansible exists - skipping run on this node"
+
+ roles:
+ - role: ipareplica
+ state: present
+
+ post_tasks:
+ - name: Touching run file that ansible has ran here
+ file:
+ path: /var/log/ansible.run
+ state: touch
+
diff --git a/ansible/role-rocky-ipa.yml b/ansible/role-rocky-ipa.yml
new file mode 100644
index 0000000..86fbc17
--- /dev/null
+++ b/ansible/role-rocky-ipa.yml
@@ -0,0 +1,11 @@
+---
+- name: Configure IPA server
+ hosts: ipaserver
+ become: true
+ vars_files:
+ - vars/encpass.yml
+
+ roles:
+ - role: ipaserver
+ state: present
+
diff --git a/ansible/tasks/main.yml b/ansible/tasks/main.yml
new file mode 100644
index 0000000..ed97d53
--- /dev/null
+++ b/ansible/tasks/main.yml
@@ -0,0 +1 @@
+---
diff --git a/ansible/vars/encpass.yml b/ansible/vars/encpass.yml
new file mode 100644
index 0000000..f5c59c1
--- /dev/null
+++ b/ansible/vars/encpass.yml
@@ -0,0 +1,8 @@
+---
+# You must set this up using ansible-vault
+ipaadmin_password: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ REDACTED
+ipadm_password: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ REDACTED
diff --git a/ansible/vars/groups.yml b/ansible/vars/groups.yml
new file mode 100644
index 0000000..6f54d81
--- /dev/null
+++ b/ansible/vars/groups.yml
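Review bot: The replica play is named `Configure IPA server` although it targets `ipareplicas` and applies the `ipareplica` role, and role-rocky-ipa.yml uses the identical name; rename it to `Configure IPA replica` so multi-play output tells the two apart.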
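Review bot: role-rocky-ipa.yml omits both the `/etc/no-ansible` `pre_tasks` guard and the `/var/log/ansible.run` `post_tasks` marker that the client and replica plays carry, so the primary server is the one host where an operator cannot opt out of a run and no run marker is left behind; add the same `pre_tasks` and `post_tasks` blocks here for consistency. A short comment above `state: present` noting that it is a variable passed to the `ipaserver` role (not a play keyword) would also help, since it is easy to misread.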
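Review bot: The two vaulted keys in encpass.yml are documented only by "You must set this up using ansible-vault"; `ipaadmin_password` is consumed by every playbook in this commit, but `ipadm_password` is referenced by nothing here and is presumably the Directory Manager password that the `ipaserver`/`ipareplica` roles read. A one-line comment above each key naming its consumer, e.g. `# Directory Manager password, read by the ipaserver/ipareplica roles`, would stop `ipadm_password` being mistaken for a typo of `ipaadmin_password` and removed.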
@@ -0,0 +1,14 @@
+---
+ipagroups:
+ - group: infrastructure
+ description: Infrastructure Team
+ - group: operations
+ description: Operations Team
+ - group: development
+ description: Development Team
+ - group: qa
+ description: Quality Assurance Team
+ - group: marketing
+ description: Marketing
+ - group: rockyadm
+ description: Rocky Linux Administrators - Only Admin Accounts
diff --git a/ansible/vars/sudorules.yml b/ansible/vars/sudorules.yml
new file mode 100644
index 0000000..cd21505
--- /dev/null
+++ b/ansible/vars/sudorules.yml
@@ -0,0 +1,2 @@
+---
+
diff --git a/ansible/vars/users.yml b/ansible/vars/users.yml
new file mode 100644
index 0000000..cc3c520
--- /dev/null
+++ b/ansible/vars/users.yml
@@ -0,0 +1,16 @@
+---
+users:
+ - name: label
+ first: Louis
+ last: Abel
+ email: label@rockylinux.org
+ password: ThisIsNotMyPassword1!
+ title: Infrastructure IdM Engineer
+ loginshell: /bin/bash
+ - name: label2
+ first: Louis
+ last: Abel
+ email: label@rockylinux.org
+ password: ThisIsNotMyPassword1!
+ title: Infrastructure IdM Engineer - Admin
+ loginshell: /bin/bash
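Review bot: The `password:` values in users.yml are clear text in a committed vars file, while the same commit shows the vault pattern in `vars/encpass.yml`; even with placeholder values, this file is the one that will be copied and edited with real initial passwords. Store each `password` as an inline `!vault |` block like `ipaadmin_password`, or drop the key and set initial passwords out of band, and keep `update_password: on_create` in the consuming task so a rotated password is never reset by a rerun. The two entries also share `email: label@rockylinux.org`; if `label2` is the admin account of the same person that may be intentional, but a comment saying so would stop it being "fixed" later.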