First commit for infra - IPA

README.md

@@ -0,0 +1,10 @@
+# Infrastructure
+
+We will add more data here soon
+
+```
+ansible -> All ansible playbooks, modules, etc are here
+scripts -> Scripts for infrastructure go here
+tests   -> Repo specific tests
+utils   -> Utilities focused for infrastructure or testing this repo
+```

ansible/README.md

@@ -0,0 +1,3 @@
+# Ansible
+
+Ansible playbooks, roles, modules, etc will come here. Documentation to come soon.

ansible/adhoc-facts-refresh.yml

@@ -0,0 +1,7 @@
+---
+- hosts: all
+  become: True
+  tasks:
+    - name: Force a fact refresh to have those available in local cache
+      setup:
+        gather_timeout: 30

ansible/adhoc-ipagroups.yml

@@ -0,0 +1,32 @@
+---
+# This playbook is meant to be used with callable variables, like adhoc or AWX.
+# However, adhoc, it works fine as long as you mention all required variables.
+#
+# What: Creates groups in the idm infrastructure
+
+- name: Create our initial users
+  hosts: ipaserver
+  become: false
+  vars_files:
+  - vars/encpass.yml
+
+  tasks:
+    - name: "Checking for user variables"
+      assert:
+        that:
+          - ipaadmin_password | mandatory
+          - ipaGroup | mandatory
+          - ipaDescription | mandatory
+          - ipaPosix | mandatory
+        success_msg: "Required variables provided"
+        fail_msg: "We are missing group information or ipa admin password"
+
+    - name: "Creating Mandatory Groups"
+      ipagroup:
+        ipaadmin_password: "{{ ipaadmin_password }}"
+        name: "{{ ipaGroup }}"
+        description: "{{ ipaDescription }}"
+        nonposix: "{{ ipaPosix }}"
+      tags:
+        - groups
+

ansible/adhoc-ipausers.yml

@@ -0,0 +1,40 @@
+---
+# This playbook is meant to be used with callable variables, like adhoc or AWX.
+# However, adhoc, it works fine as long as you mention all required variables.
+# 
+# What: Creates users in the idm infrastructure
+
+- name: Create a User
+  hosts: ipaserver
+  become: false
+  vars_files:
+  - vars/encpass.yml
+
+  tasks:
+    - name: "Checking for user variables"
+      assert:
+        that:
+          - ipaadmin_password | mandatory
+          - ipaName | mandatory
+          - ipaFirst | mandatory
+          - ipaLast | mandatory
+          - ipaEmail | mandatory
+          - ipaPassword | mandatory
+          - ipaTitle | mandatory
+        success_msg: "Required variables provided"
+        fail_msg: "We are missing user information or ipa admin password"
+
+    - name: "Creating User Account"
+      ipauser:
+        ipaadmin_password: "{{ ipaadmin_password }}"
+        name: "{{ ipaName }}"
+        first: "{{ ipaFirst }}"
+        last: "{{ ipaLast }}"
+        email: "{{ ipaEmail }}"
+        password: "{{ ipaPassword }}"
+        title: "{{ ipaTitle }}"
+        loginshell: "{{ ipaLoginshell|default('/sbin/nologin', True) }}"
+        update_password: on_create
+      tags:
+        - users
+

ansible/handlers/main.yml

@@ -0,0 +1,10 @@
+---
+- name: restart_ssh
+  service:
+    name: sshd
+    state: restarted
+
+- name: restart_httpd
+  service:
+    name: httpd
+    state: restarted

ansible/import-rockygroups.yml

@@ -0,0 +1,11 @@
+---
+- name: "Creating Mandatory Groups"
+  ipagroup:
+    ipaadmin_password: "{{ ipaadmin_password }}"
+    name: "{{ item.group }}"
+    description: "{{ item.description }}"
+    nonposix: no
+  loop: "{{ ipagroups }}"
+  tags:
+    - groups
+

ansible/import-rockysudo.yml

@@ -0,0 +1,11 @@
+---
+- name: "Creating SUDO Role for Rocky Admins"
+  ipasudorule:
+    ipaadmin_password: "{{ ipaadmin_password }}"
+    name: All_RockyAdmins
+    description: Rocky Linux infrastructure and operations sudo access
+    group:
+      - rockyadm
+    hostcat: all
+    cmdcat: all
+

ansible/import-rockyusers.yml

@@ -0,0 +1,16 @@
+---
+- name: "Creating Initial Accounts"
+  ipauser:
+    ipaadmin_password: "{{ ipaadmin_password }}"
+    name: "{{ item.name }}"
+    first: "{{ item.first }}"
+    last: "{{ item.last }}"
+    email: "{{ item.email }}"
+    password: "{{ item.password }}"
+    title: "{{ item.title }}"
+    loginshell: "{{ item.loginshell }}"
+    update_password: on_create
+  loop: "{{ users }}"
+  tags:
+    - users
+

ansible/init-rocky-ipa-team.yml

@@ -0,0 +1,28 @@
+---
+# This builds out the initial users and groups for the rocky linux infra
+- name: Create our initial users
+  hosts: ipaserver
+  become: false
+  vars_files:
+  - vars/encpass.yml
+  - vars/users.yml
+  - vars/groups.yml
+
+  tasks:
+    - name: "Checking for user variables"
+      assert:
+        that:
+          - ipaadmin_password | mandatory
+          - users | mandatory
+          - ipagroups | mandatory
+        success_msg: "Required variables provided"
+        fail_msg: "We are missing users or ipa admin password"
+
+    - name: "Start users"
+      include: import-rockyusers.yml
+
+    - name: "Start groups"
+      include: import-rockygroups.yml
+
+    - name: "Start sudo for admins"
+      include: import-rockysudo.yml

ansible/inventory/ipainventory

@@ -0,0 +1,45 @@
+[ipaservers]
+ipa001.rockylinux.org ansible_host=10.100.1.110
+ipa002.rockylinux.org ansible_host=10.100.1.111
+
+[ipaserver]
+ipa001.rockylinux.org ansible_host=10.100.1.110
+
+[ipaserver:vars]
+ipaserver_domain=rockylinux.org
+ipaserver_realm=ROCKYLINUX.ORG
+ipaserver_setup_dns=yes
+ipaserver_setup_kra=true
+ipaserver_auto_forwarders=yes
+ipaserver_no_host_dns=true
+ipaserver_hostname=ipa001.rockylinux.org
+ipaserver_allow_zone_overlap=yes
+ipaserver_setup_firewalld=yes
+ipaclient_no_ntp=true
+ipaclient_mkhomedir=yes
+ipaserver_reverse_zones=["1.100.10.in-addr.arpa."]
+
+[ipareplicas]
+ipa002.rockylinux.org ansible_host=10.100.1.111
+
+[ipareplicas:vars]
+ipaadmin_principal=admin
+ipaclient_no_ntp=true
+ipaclient_mkhomedir=yes
+ipaserver_realm=ROCKYLINUX.ORG
+ipaserver_hostname=ipa002.rockylinux.org
+ipareplica_domain=rockylinux.org
+ipareplica_auto_forwarders=yes
+ipareplica_setup_firewalld=yes
+ipareplica_setup_ca=yes
+ipareplica_setup_kra=yes
+ipareplica_setup_dns=yes
+
+[ipaclients]
+build-a-box.rockylinux.org ansible_host=10.100.1.112
+
+[ipaclients:vars]
+ipaclient_domain=rockylinux.org
+ipaadmin_principal=admin
+ipaclient_no_ntp=true
+ipaclient_mkhomedir=yes

ansible/role-rocky-ipa-client.yml

@@ -0,0 +1,30 @@
+---
+- name: Configure IPA client
+  hosts: ipaclients
+  become: true
+  vars_files:
+  - vars/encpass.yml
+
+  pre_tasks:
+    - name: Check if ansible cannot be run here
+      stat:
+        path: /etc/no-ansible
+      register: no_ansible
+
+    - name: Verify if we can run ansible
+      assert:
+        that:
+          - "not no_ansible.stat.exists"
+        msg: "/etc/no-ansible exists - skipping run on this node"
+
+  roles:
+  - role: ipaclient
+    state: present
+
+
+  post_tasks:
+    - name: Touching run file that ansible has ran here
+      file:
+        path: /var/log/ansible.run
+        state: touch
+

ansible/role-rocky-ipa-replica.yml

@@ -0,0 +1,29 @@
+---
+- name: Configure IPA server
+  hosts: ipareplicas
+  become: true
+  vars_files:
+  - vars/encpass.yml
+
+  pre_tasks:
+    - name: Check if ansible cannot be run here
+      stat:
+        path: /etc/no-ansible
+      register: no_ansible
+
+    - name: Verify if we can run ansible
+      assert:
+        that:
+          - "not no_ansible.stat.exists"
+        msg: "/etc/no-ansible exists - skipping run on this node"
+
+  roles:
+  - role: ipareplica
+    state: present
+
+  post_tasks:
+    - name: Touching run file that ansible has ran here
+      file:
+        path: /var/log/ansible.run
+        state: touch
+

ansible/role-rocky-ipa.yml

@@ -0,0 +1,11 @@
+---
+- name: Configure IPA server
+  hosts: ipaserver
+  become: true
+  vars_files:
+  - vars/encpass.yml
+
+  roles:
+  - role: ipaserver
+    state: present
+

ansible/tasks/main.yml

@@ -0,0 +1 @@
+---

ansible/vars/encpass.yml

@@ -0,0 +1,8 @@
+---
+# You must set this up using ansible-vault
+ipaadmin_password: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          REDACTED
+ipadm_password: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          REDACTED

ansible/vars/groups.yml

@@ -0,0 +1,14 @@
+---
+ipagroups:
+  - group: infrastructure
+    description: Infrastructure Team
+  - group: operations
+    description: Operations Team
+  - group: development
+    description: Development Team
+  - group: qa
+    description: Quality Assurance Team
+  - group: marketing
+    description: Marketing
+  - group: rockyadm
+    description: Rocky Linux Administrators - Only Admin Accounts

ansible/vars/sudorules.yml

@@ -0,0 +1,2 @@
+---
+

ansible/vars/users.yml

@@ -0,0 +1,16 @@
+---
+users:
+  - name: label
+    first: Louis
+    last: Abel
+    email: label@rockylinux.org
+    password: ThisIsNotMyPassword1!
+    title: Infrastructure IdM Engineer
+    loginshell: /bin/bash
+  - name: label2
+    first: Louis
+    last: Abel
+    email: label@rockylinux.org
+    password: ThisIsNotMyPassword1!
+    title: Infrastructure IdM Engineer - Admin
+    loginshell: /bin/bash