First commit for infra - IPA

This commit is contained in:
nazunalika 2020-12-10 00:33:09 -07:00
commit 528d35b1e1
19 changed files with 324 additions and 0 deletions

10
README.md Normal file

@ -0,0 +1,10 @@
# Infrastructure
We will add more data here soon
```
ansible -> All ansible playbooks, modules, etc are here
scripts -> Scripts for infrastructure go here
tests -> Repo specific tests
utils -> Utilities focused for infrastructure or testing this repo
```

3
ansible/README.md Normal file

@ -0,0 +1,3 @@
# Ansible
Ansible playbooks, roles, modules, etc will come here. Documentation to come soon.


@ -0,0 +1,7 @@
---
- hosts: all
become: True
tasks:
- name: Force a fact refresh to have those available in local cache
setup:
gather_timeout: 30
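Review bot: `become: True` in this play uses the capitalized YAML 1.1 boolean spelling while every other play in this commit writes `become: true` (client, replica and server playbooks); write `become: true` so yamllint's truthy rule and the file's own style agree. The page does not show this file's name or its indentation, so whether `tasks:` and `setup:` nest correctly cannot be checked here; an `ansible-playbook --syntax-check` run is worth doing before merge.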


@ -0,0 +1,32 @@
---
# This playbook is meant to be used with callable variables, like adhoc or AWX.
# However, adhoc, it works fine as long as you mention all required variables.
#
# What: Creates groups in the idm infrastructure
- name: Create our initial users
hosts: ipaserver
become: false
vars_files:
- vars/encpass.yml
tasks:
- name: "Checking for user variables"
assert:
that:
- ipaadmin_password | mandatory
- ipaGroup | mandatory
- ipaDescription | mandatory
- ipaPosix | mandatory
success_msg: "Required variables provided"
fail_msg: "We are missing group information or ipa admin password"
- name: "Creating Mandatory Groups"
ipagroup:
ipaadmin_password: "{{ ipaadmin_password }}"
name: "{{ ipaGroup }}"
description: "{{ ipaDescription }}"
nonposix: "{{ ipaPosix }}"
tags:
- groups
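Review bot: The `assert` entry `- ipaPosix | mandatory` fails whenever `ipaPosix` is `false`, because `assert` evaluates each `that:` item for truthiness and `mandatory` only rejects undefined values; use `- ipaPosix is defined` (and the same `is defined` form for the other entries here and in the user playbook below) so a legitimate false value passes the check. The play is named `Create our initial users` although the header comment says it creates groups; rename it `Create groups`. `nonposix: "{{ ipaPosix }}"` hands the module a templated string rather than a boolean, which presumably works because the module casts its `nonposix` argument — confirm, or pass `nonposix: "{{ ipaPosix | bool }}"`.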


@ -0,0 +1,40 @@
---
# This playbook is meant to be used with callable variables, like adhoc or AWX.
# However, adhoc, it works fine as long as you mention all required variables.
#
# What: Creates users in the idm infrastructure
- name: Create a User
hosts: ipaserver
become: false
vars_files:
- vars/encpass.yml
tasks:
- name: "Checking for user variables"
assert:
that:
- ipaadmin_password | mandatory
- ipaName | mandatory
- ipaFirst | mandatory
- ipaLast | mandatory
- ipaEmail | mandatory
- ipaPassword | mandatory
- ipaTitle | mandatory
success_msg: "Required variables provided"
fail_msg: "We are missing user information or ipa admin password"
- name: "Creating User Account"
ipauser:
ipaadmin_password: "{{ ipaadmin_password }}"
name: "{{ ipaName }}"
first: "{{ ipaFirst }}"
last: "{{ ipaLast }}"
email: "{{ ipaEmail }}"
password: "{{ ipaPassword }}"
title: "{{ ipaTitle }}"
loginshell: "{{ ipaLoginshell|default('/sbin/nologin', True) }}"
update_password: on_create
tags:
- users
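Review bot: The `Creating User Account` task receives the new account's password as the extra-var `ipaPassword`, and nothing in the play keeps it out of the run output; unless the `ipauser` module already marks `password` as no_log in the collection version in use (confirm), add `no_log: true` to that task so a failed or verbose run does not print the credential. Supplying `ipaPassword` with `-e` on an ad-hoc command line also leaves it in shell history and process listings, so an AWX survey or a vault-sourced variable is the safer way to feed it. The `| mandatory` checks here share the truthiness caveat raised on the group playbook above; `is defined` is the safer form. The `/sbin/nologin` default for `loginshell` is a good choice and deserves a comment such as `# interactive shell access must be requested explicitly via ipaLoginshell`.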

10
ansible/handlers/main.yml Normal file

@ -0,0 +1,10 @@
---
- name: restart_ssh
service:
name: sshd
state: restarted
- name: restart_httpd
service:
name: httpd
state: restarted


@ -0,0 +1,11 @@
---
- name: "Creating Mandatory Groups"
ipagroup:
ipaadmin_password: "{{ ipaadmin_password }}"
name: "{{ item.group }}"
description: "{{ item.description }}"
nonposix: no
loop: "{{ ipagroups }}"
tags:
- groups
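Review bot: `nonposix: no` is the YAML 1.1 boolean spelling that yamllint's truthy rule flags and that some parsers read as the string `no`; the playbooks elsewhere in this commit use lowercase `true`/`false`, so write `nonposix: false`. A header comment such as `# Creates every group listed in vars/groups.yml (item.group / item.description); reached only via the main play's include` would tell a reader where `ipagroups` comes from, since this file has no play of its own.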


@ -0,0 +1,11 @@
---
- name: "Creating SUDO Role for Rocky Admins"
ipasudorule:
ipaadmin_password: "{{ ipaadmin_password }}"
name: All_RockyAdmins
description: Rocky Linux infrastructure and operations sudo access
group:
- rockyadm
hostcat: all
cmdcat: all
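Review bot: This sudo rule grants the `rockyadm` group every command on every host (`hostcat: all`, `cmdcat: all`) with no `runasusercat`/`runasgroupcat` stated, so membership of `rockyadm` is the only control on it; add a header comment such as `# Unrestricted sudo for IdM admins — membership of rockyadm is the gate; keep that group to admin-only accounts (see vars/groups.yml)` so the scope is visible to the next reader. No task in this commit adds members to `rockyadm` (the user and group imports only create the objects), so the rule is inert until group membership is managed, presumably as a follow-up. The other two import files carry `tags:`; a `tags: [sudo]` entry here keeps the trio consistent.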


@ -0,0 +1,16 @@
---
- name: "Creating Initial Accounts"
ipauser:
ipaadmin_password: "{{ ipaadmin_password }}"
name: "{{ item.name }}"
first: "{{ item.first }}"
last: "{{ item.last }}"
email: "{{ item.email }}"
password: "{{ item.password }}"
title: "{{ item.title }}"
loginshell: "{{ item.loginshell }}"
update_password: on_create
loop: "{{ users }}"
tags:
- users


@ -0,0 +1,28 @@
---
# This builds out the initial users and groups for the rocky linux infra
- name: Create our initial users
hosts: ipaserver
become: false
vars_files:
- vars/encpass.yml
- vars/users.yml
- vars/groups.yml
tasks:
- name: "Checking for user variables"
assert:
that:
- ipaadmin_password | mandatory
- users | mandatory
- ipagroups | mandatory
success_msg: "Required variables provided"
fail_msg: "We are missing users or ipa admin password"
- name: "Start users"
include: import-rockyusers.yml
- name: "Start groups"
include: import-rockygroups.yml
- name: "Start sudo for admins"
include: import-rockysudo.yml
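Review bot: `include:` (the three occurrences closing this play) has been deprecated since Ansible 2.4 in favour of `import_tasks:` for fixed file names or `include_tasks:` for dynamic ones; since these three names are static, `import_tasks: import-rockyusers.yml` and so on is the drop-in form, and it is also the one under which the `tags: users`/`tags: groups` inside the imported files still honour `--tags`, whereas a dynamic include that is itself untagged is skipped before its contents load. The play name `Create our initial users` undersells it; the header comment says users and groups, so `Create initial users, groups and sudo rules` reads better in logs.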


@ -0,0 +1,45 @@
[ipaservers]
ipa001.rockylinux.org ansible_host=10.100.1.110
ipa002.rockylinux.org ansible_host=10.100.1.111
[ipaserver]
ipa001.rockylinux.org ansible_host=10.100.1.110
[ipaserver:vars]
ipaserver_domain=rockylinux.org
ipaserver_realm=ROCKYLINUX.ORG
ipaserver_setup_dns=yes
ipaserver_setup_kra=true
ipaserver_auto_forwarders=yes
ipaserver_no_host_dns=true
ipaserver_hostname=ipa001.rockylinux.org
ipaserver_allow_zone_overlap=yes
ipaserver_setup_firewalld=yes
ipaclient_no_ntp=true
ipaclient_mkhomedir=yes
ipaserver_reverse_zones=["1.100.10.in-addr.arpa."]
[ipareplicas]
ipa002.rockylinux.org ansible_host=10.100.1.111
[ipareplicas:vars]
ipaadmin_principal=admin
ipaclient_no_ntp=true
ipaclient_mkhomedir=yes
ipaserver_realm=ROCKYLINUX.ORG
ipaserver_hostname=ipa002.rockylinux.org
ipareplica_domain=rockylinux.org
ipareplica_auto_forwarders=yes
ipareplica_setup_firewalld=yes
ipareplica_setup_ca=yes
ipareplica_setup_kra=yes
ipareplica_setup_dns=yes
[ipaclients]
build-a-box.rockylinux.org ansible_host=10.100.1.112
[ipaclients:vars]
ipaclient_domain=rockylinux.org
ipaadmin_principal=admin
ipaclient_no_ntp=true
ipaclient_mkhomedir=yes
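Review bot: `[ipareplicas:vars]` sets `ipaserver_hostname` and `ipaserver_realm` for `ipa002`, while the `ipareplica` role's own variables are `ipareplica_hostname`/`ipareplica_realm`; the role may fall back to the `ipaserver_` names for some of these — confirm against the role defaults, otherwise `ipareplica_hostname=ipa002.rockylinux.org` is the line to use. Boolean values alternate between `yes` and `true` within the same group (`ipaserver_setup_dns=yes` next to `ipaserver_setup_kra=true`); in an INI inventory these are strings until the role casts them, so pick one spelling, preferably `true`/`false`. `ipaserver_reverse_zones=["1.100.10.in-addr.arpa."]` relies on the INI inventory plugin's literal evaluation of values to become a list; a comment on that line saying so prevents a later "fix" that quotes it into a string.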


@ -0,0 +1,30 @@
---
- name: Configure IPA client
hosts: ipaclients
become: true
vars_files:
- vars/encpass.yml
pre_tasks:
- name: Check if ansible cannot be run here
stat:
path: /etc/no-ansible
register: no_ansible
- name: Verify if we can run ansible
assert:
that:
- "not no_ansible.stat.exists"
msg: "/etc/no-ansible exists - skipping run on this node"
roles:
- role: ipaclient
state: present
post_tasks:
- name: Touching run file that ansible has ran here
file:
path: /var/log/ansible.run
state: touch
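Review bot: The `Verify if we can run ansible` assert reports `skipping run on this node`, but a failed `assert` marks the host failed rather than skipped, so the play recap shows an error for every node carrying `/etc/no-ansible`; if the target Ansible is 2.8 or newer, `meta: end_host` with `when: no_ansible.stat.exists` ends the host cleanly and the message can then honestly say "skipping". The same pre_task pair appears in the replica playbook below. `state: touch` on `/var/log/ansible.run` bumps the mtime and reports `changed` on every run; add `modification_time: preserve` and `access_time: preserve` if a stable marker is wanted, or a comment saying the timestamp update is the point.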


@ -0,0 +1,29 @@
---
- name: Configure IPA server
hosts: ipareplicas
become: true
vars_files:
- vars/encpass.yml
pre_tasks:
- name: Check if ansible cannot be run here
stat:
path: /etc/no-ansible
register: no_ansible
- name: Verify if we can run ansible
assert:
that:
- "not no_ansible.stat.exists"
msg: "/etc/no-ansible exists - skipping run on this node"
roles:
- role: ipareplica
state: present
post_tasks:
- name: Touching run file that ansible has ran here
file:
path: /var/log/ansible.run
state: touch
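Review bot: The play name `Configure IPA server` is copied from the server playbook while `hosts: ipareplicas` and the `ipareplica` role show this play installs replicas; rename it `Configure IPA replicas` so logs and `--list-tasks` output distinguish the two. The `/etc/no-ansible` guard and the run-marker task share the caveats raised on the client playbook above.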


@ -0,0 +1,11 @@
---
- name: Configure IPA server
hosts: ipaserver
become: true
vars_files:
- vars/encpass.yml
roles:
- role: ipaserver
state: present
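Review bot: This play has no `/etc/no-ansible` pre_task guard and no `/var/log/ansible.run` post_task, unlike the client and replica playbooks in this commit, so an operator who relies on the marker file to fence a host off will find it ignored on the primary IdM server; mirror the `pre_tasks`/`post_tasks` blocks from the replica playbook (stat of `/etc/no-ansible`, the assert, the touch of the run file) here. If the omission is deliberate for the primary, a comment above `hosts: ipaserver` saying so stops the next reader from "fixing" it.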

1
ansible/tasks/main.yml Normal file

@ -0,0 +1 @@
---

8
ansible/vars/encpass.yml Normal file

@ -0,0 +1,8 @@
---
# You must set this up using ansible-vault
ipaadmin_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
REDACTED
ipadm_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
REDACTED
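Review bot: `ipadm_password` is defined here but none of the other files in this commit reference it — only `ipaadmin_password` is consumed — so either drop it or say what it is for; from the name it looks like a Directory Manager password, but that is a guess. The `REDACTED` bodies are placeholders rather than vault ciphertext, which the header comment should state: `# Placeholder values; replace each !vault body with output from ansible-vault encrypt_string before running`. Keeping these as `!vault` inline values rather than a plaintext file is the right pattern.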

14
ansible/vars/groups.yml Normal file

@ -0,0 +1,14 @@
---
ipagroups:
- group: infrastructure
description: Infrastructure Team
- group: operations
description: Operations Team
- group: development
description: Development Team
- group: qa
description: Quality Assurance Team
- group: marketing
description: Marketing
- group: rockyadm
description: Rocky Linux Administrators - Only Admin Accounts


@ -0,0 +1,2 @@
---

16
ansible/vars/users.yml Normal file

@ -0,0 +1,16 @@
---
users:
- name: label
first: Louis
last: Abel
email: label@rockylinux.org
password: ThisIsNotMyPassword1!
title: Infrastructure IdM Engineer
loginshell: /bin/bash
- name: label2
first: Louis
last: Abel
email: label@rockylinux.org
password: ThisIsNotMyPassword1!
title: Infrastructure IdM Engineer - Admin
loginshell: /bin/bash
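Review bot: `password: ThisIsNotMyPassword1!` stores an initial account password, twice, in an unencrypted vars file that is loaded alongside the vaulted `vars/encpass.yml`; even as placeholders these belong in vault, either as `!vault |` inline values like encpass.yml or as a reference such as `password: "{{ vault_label_password }}"` to a vaulted variable. `update_password: on_create` in the import task limits the exposure to first creation, but the value still lives in git history permanently. A header comment stating that passwords here are initial-only and must be changed by the user at first login would document the intent.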