First commit for infra - IPA
This commit is contained in:
commit
528d35b1e1
10
README.md
Normal file
10
README.md
Normal file
@ -0,0 +1,10 @@
|
||||
# Infrastructure
|
||||
|
||||
We will add more data here soon
|
||||
|
||||
```
|
||||
ansible -> All ansible playbooks, modules, etc are here
|
||||
scripts -> Scripts for infrastructure go here
|
||||
tests -> Repo specific tests
|
||||
utils -> Utilities focused for infrastructure or testing this repo
|
||||
```
|
3
ansible/README.md
Normal file
3
ansible/README.md
Normal file
@ -0,0 +1,3 @@
|
||||
# Ansible
|
||||
|
||||
Ansible playbooks, roles, modules, etc will come here. Documentation to come soon.
|
7
ansible/adhoc-facts-refresh.yml
Normal file
7
ansible/adhoc-facts-refresh.yml
Normal file
@ -0,0 +1,7 @@
|
||||
---
|
||||
- hosts: all
|
||||
become: True
|
||||
tasks:
|
||||
- name: Force a fact refresh to have those available in local cache
|
||||
setup:
|
||||
gather_timeout: 30
|
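Review bot: `become: True` uses a capitalised YAML 1.1 boolean while the other plays in this commit write `become: true` / `become: false`; write `become: true` here so the file-wide convention and yamllint's truthy rule agree. The rest of the play (a `setup` call with `gather_timeout: 30` against `hosts: all`) is fine as written.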
32
ansible/adhoc-ipagroups.yml
Normal file
32
ansible/adhoc-ipagroups.yml
Normal file
@ -0,0 +1,32 @@
|
||||
---
|
||||
# This playbook is meant to be used with callable variables, like adhoc or AWX.
|
||||
# However, adhoc, it works fine as long as you mention all required variables.
|
||||
#
|
||||
# What: Creates groups in the idm infrastructure
|
||||
|
||||
- name: Create our initial users
|
||||
hosts: ipaserver
|
||||
become: false
|
||||
vars_files:
|
||||
- vars/encpass.yml
|
||||
|
||||
tasks:
|
||||
- name: "Checking for user variables"
|
||||
assert:
|
||||
that:
|
||||
- ipaadmin_password | mandatory
|
||||
- ipaGroup | mandatory
|
||||
- ipaDescription | mandatory
|
||||
- ipaPosix | mandatory
|
||||
success_msg: "Required variables provided"
|
||||
fail_msg: "We are missing group information or ipa admin password"
|
||||
|
||||
- name: "Creating Mandatory Groups"
|
||||
ipagroup:
|
||||
ipaadmin_password: "{{ ipaadmin_password }}"
|
||||
name: "{{ ipaGroup }}"
|
||||
description: "{{ ipaDescription }}"
|
||||
nonposix: "{{ ipaPosix }}"
|
||||
tags:
|
||||
- groups
|
||||
|
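Review bot: `nonposix: "{{ ipaPosix }}"` inverts the caller's intent: a caller who sets `ipaPosix: true` to ask for a POSIX group gets a non-POSIX one, because the module parameter is the negation of the variable name. Either rename the variable to `ipaNonposix` or pass `nonposix: "{{ not (ipaPosix | bool) }}"`. Separately, the `| mandatory` filters inside `assert.that` raise an undefined-variable error before the assertion itself is evaluated, so `fail_msg` is never shown; `- ipaGroup is defined` (and the same for the other items) makes the message reachable — the same pattern is in ansible/adhoc-ipausers.yml and ansible/init-rocky-ipa-team.yml. The play name `Create our initial users` and the task name `Checking for user variables` also describe users although this playbook creates groups.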
40
ansible/adhoc-ipausers.yml
Normal file
40
ansible/adhoc-ipausers.yml
Normal file
@ -0,0 +1,40 @@
|
||||
---
|
||||
# This playbook is meant to be used with callable variables, like adhoc or AWX.
|
||||
# However, adhoc, it works fine as long as you mention all required variables.
|
||||
#
|
||||
# What: Creates users in the idm infrastructure
|
||||
|
||||
- name: Create a User
|
||||
hosts: ipaserver
|
||||
become: false
|
||||
vars_files:
|
||||
- vars/encpass.yml
|
||||
|
||||
tasks:
|
||||
- name: "Checking for user variables"
|
||||
assert:
|
||||
that:
|
||||
- ipaadmin_password | mandatory
|
||||
- ipaName | mandatory
|
||||
- ipaFirst | mandatory
|
||||
- ipaLast | mandatory
|
||||
- ipaEmail | mandatory
|
||||
- ipaPassword | mandatory
|
||||
- ipaTitle | mandatory
|
||||
success_msg: "Required variables provided"
|
||||
fail_msg: "We are missing user information or ipa admin password"
|
||||
|
||||
- name: "Creating User Account"
|
||||
ipauser:
|
||||
ipaadmin_password: "{{ ipaadmin_password }}"
|
||||
name: "{{ ipaName }}"
|
||||
first: "{{ ipaFirst }}"
|
||||
last: "{{ ipaLast }}"
|
||||
email: "{{ ipaEmail }}"
|
||||
password: "{{ ipaPassword }}"
|
||||
title: "{{ ipaTitle }}"
|
||||
loginshell: "{{ ipaLoginshell|default('/sbin/nologin', True) }}"
|
||||
update_password: on_create
|
||||
tags:
|
||||
- users
|
||||
|
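Review bot: The `Creating User Account` task passes `ipaPassword` and `ipaadmin_password` as module arguments but has no `no_log: true`, so unless the module's own argument spec masks them, a failed or verbose run can echo the initial user password into console and AWX job output. Add `no_log: true` to that task. Because this playbook is meant to be driven by extra vars, the header comment should also say that passing `ipaPassword` with `-e` on the command line leaves it in shell history and the process list, and that a vault-encrypted vars file or an AWX credential is the intended path.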
10
ansible/handlers/main.yml
Normal file
10
ansible/handlers/main.yml
Normal file
@ -0,0 +1,10 @@
|
||||
---
|
||||
- name: restart_ssh
|
||||
service:
|
||||
name: sshd
|
||||
state: restarted
|
||||
|
||||
- name: restart_httpd
|
||||
service:
|
||||
name: httpd
|
||||
state: restarted
|
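Review bot: Nothing in this commit references `ansible/handlers/main.yml`; a top-level `handlers/` directory is only loaded automatically inside a role, so these two handlers are unreachable from the playbooks added here unless a play pulls them in through a `handlers:` section or an import. If the file is a placeholder for future roles, a one-line comment at the top saying so (`# Shared handlers; import into a play's handlers: section`) would prevent confusion.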
11
ansible/import-rockygroups.yml
Normal file
11
ansible/import-rockygroups.yml
Normal file
@ -0,0 +1,11 @@
|
||||
---
|
||||
- name: "Creating Mandatory Groups"
|
||||
ipagroup:
|
||||
ipaadmin_password: "{{ ipaadmin_password }}"
|
||||
name: "{{ item.group }}"
|
||||
description: "{{ item.description }}"
|
||||
nonposix: no
|
||||
loop: "{{ ipagroups }}"
|
||||
tags:
|
||||
- groups
|
||||
|
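Review bot: `nonposix: no` uses a bare YAML 1.1 boolean; write `nonposix: false` to match `become: false` elsewhere in the commit and avoid the yes/no trap flagged by yamllint's truthy rule. This file is a task list with no play header, so it only works when included from a play such as init-rocky-ipa-team.yml; a header comment stating that, e.g. `# Task file: included by init-rocky-ipa-team.yml; expects ipagroups and ipaadmin_password`, would help the next reader.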
11
ansible/import-rockysudo.yml
Normal file
11
ansible/import-rockysudo.yml
Normal file
@ -0,0 +1,11 @@
|
||||
---
|
||||
- name: "Creating SUDO Role for Rocky Admins"
|
||||
ipasudorule:
|
||||
ipaadmin_password: "{{ ipaadmin_password }}"
|
||||
name: All_RockyAdmins
|
||||
description: Rocky Linux infrastructure and operations sudo access
|
||||
group:
|
||||
- rockyadm
|
||||
hostcat: all
|
||||
cmdcat: all
|
||||
|
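Review bot: The rule sets `hostcat: all` and `cmdcat: all` for group `rockyadm`, which grants every member root-equivalent sudo on every enrolled host with no command restriction, and the file carries no comment recording that this breadth is intentional. Add one above the task, e.g. `# Deliberately unrestricted: rockyadm is the admin-only group (see vars/groups.yml); narrow hostcat/cmdcat once host groups exist`, so a later reader does not assume it is an oversight. Like import-rockygroups.yml, this is a task file that relies on the including play to supply `ipaadmin_password`.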
16
ansible/import-rockyusers.yml
Normal file
16
ansible/import-rockyusers.yml
Normal file
@ -0,0 +1,16 @@
|
||||
---
|
||||
- name: "Creating Initial Accounts"
|
||||
ipauser:
|
||||
ipaadmin_password: "{{ ipaadmin_password }}"
|
||||
name: "{{ item.name }}"
|
||||
first: "{{ item.first }}"
|
||||
last: "{{ item.last }}"
|
||||
email: "{{ item.email }}"
|
||||
password: "{{ item.password }}"
|
||||
title: "{{ item.title }}"
|
||||
loginshell: "{{ item.loginshell }}"
|
||||
update_password: on_create
|
||||
loop: "{{ users }}"
|
||||
tags:
|
||||
- users
|
||||
|
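Review bot: The `ipauser` loop over `users` has no `no_log: true`, so the per-item result display prints each loop `item` — including `item.password` from vars/users.yml — in task output, and module-level argument masking does not extend to that loop item echo. Add `no_log: true` to the task. `loginshell: "{{ item.loginshell }}"` also lacks the `default('/sbin/nologin', True)` fallback that ansible/adhoc-ipausers.yml applies, so a user entry without `loginshell` fails the play instead of receiving a non-interactive shell.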
28
ansible/init-rocky-ipa-team.yml
Normal file
28
ansible/init-rocky-ipa-team.yml
Normal file
@ -0,0 +1,28 @@
|
||||
---
|
||||
# This builds out the initial users and groups for the rocky linux infra
|
||||
- name: Create our initial users
|
||||
hosts: ipaserver
|
||||
become: false
|
||||
vars_files:
|
||||
- vars/encpass.yml
|
||||
- vars/users.yml
|
||||
- vars/groups.yml
|
||||
|
||||
tasks:
|
||||
- name: "Checking for user variables"
|
||||
assert:
|
||||
that:
|
||||
- ipaadmin_password | mandatory
|
||||
- users | mandatory
|
||||
- ipagroups | mandatory
|
||||
success_msg: "Required variables provided"
|
||||
fail_msg: "We are missing users or ipa admin password"
|
||||
|
||||
- name: "Start users"
|
||||
include: import-rockyusers.yml
|
||||
|
||||
- name: "Start groups"
|
||||
include: import-rockygroups.yml
|
||||
|
||||
- name: "Start sudo for admins"
|
||||
include: import-rockysudo.yml
|
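Review bot: The three `include:` tasks use the bare `include` directive, which has been deprecated since Ansible 2.4 and is slated for removal; `import_tasks: import-rockyusers.yml` (static, so `tags` inside the imported files still apply) is the replacement. The `| mandatory` checks here have the same unreachable-`fail_msg` problem described at adhoc-ipagroups.yml. The header comment could also record the ordering dependency — groups must exist before import-rockysudo.yml references `rockyadm` — which the current users → groups → sudo order satisfies.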
45
ansible/inventory/ipainventory
Normal file
45
ansible/inventory/ipainventory
Normal file
@ -0,0 +1,45 @@
|
||||
[ipaservers]
|
||||
ipa001.rockylinux.org ansible_host=10.100.1.110
|
||||
ipa002.rockylinux.org ansible_host=10.100.1.111
|
||||
|
||||
[ipaserver]
|
||||
ipa001.rockylinux.org ansible_host=10.100.1.110
|
||||
|
||||
[ipaserver:vars]
|
||||
ipaserver_domain=rockylinux.org
|
||||
ipaserver_realm=ROCKYLINUX.ORG
|
||||
ipaserver_setup_dns=yes
|
||||
ipaserver_setup_kra=true
|
||||
ipaserver_auto_forwarders=yes
|
||||
ipaserver_no_host_dns=true
|
||||
ipaserver_hostname=ipa001.rockylinux.org
|
||||
ipaserver_allow_zone_overlap=yes
|
||||
ipaserver_setup_firewalld=yes
|
||||
ipaclient_no_ntp=true
|
||||
ipaclient_mkhomedir=yes
|
||||
ipaserver_reverse_zones=["1.100.10.in-addr.arpa."]
|
||||
|
||||
[ipareplicas]
|
||||
ipa002.rockylinux.org ansible_host=10.100.1.111
|
||||
|
||||
[ipareplicas:vars]
|
||||
ipaadmin_principal=admin
|
||||
ipaclient_no_ntp=true
|
||||
ipaclient_mkhomedir=yes
|
||||
ipaserver_realm=ROCKYLINUX.ORG
|
||||
ipaserver_hostname=ipa002.rockylinux.org
|
||||
ipareplica_domain=rockylinux.org
|
||||
ipareplica_auto_forwarders=yes
|
||||
ipareplica_setup_firewalld=yes
|
||||
ipareplica_setup_ca=yes
|
||||
ipareplica_setup_kra=yes
|
||||
ipareplica_setup_dns=yes
|
||||
|
||||
[ipaclients]
|
||||
build-a-box.rockylinux.org ansible_host=10.100.1.112
|
||||
|
||||
[ipaclients:vars]
|
||||
ipaclient_domain=rockylinux.org
|
||||
ipaadmin_principal=admin
|
||||
ipaclient_no_ntp=true
|
||||
ipaclient_mkhomedir=yes
|
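Review bot: Boolean-looking values mix `yes` and `true` (`ipaserver_setup_dns=yes` next to `ipaserver_setup_kra=true`, and likewise in the replica and client vars), so the file reads as if the two spellings meant different things. Pick `true`/`false` throughout; INI inventory values arrive as strings either way and the ipaserver/ipareplica roles presumably coerce them, so the change is cosmetic but removes the ambiguity. A one-line comment per group naming its purpose (`# [ipaserver]: the first master; [ipareplicas]: every other IPA host`) would also help, since `[ipaservers]` and `[ipaserver]` differ by one letter.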
30
ansible/role-rocky-ipa-client.yml
Normal file
30
ansible/role-rocky-ipa-client.yml
Normal file
@ -0,0 +1,30 @@
|
||||
---
|
||||
- name: Configure IPA client
|
||||
hosts: ipaclients
|
||||
become: true
|
||||
vars_files:
|
||||
- vars/encpass.yml
|
||||
|
||||
pre_tasks:
|
||||
- name: Check if ansible cannot be run here
|
||||
stat:
|
||||
path: /etc/no-ansible
|
||||
register: no_ansible
|
||||
|
||||
- name: Verify if we can run ansible
|
||||
assert:
|
||||
that:
|
||||
- "not no_ansible.stat.exists"
|
||||
msg: "/etc/no-ansible exists - skipping run on this node"
|
||||
|
||||
roles:
|
||||
- role: ipaclient
|
||||
state: present
|
||||
|
||||
|
||||
post_tasks:
|
||||
- name: Touching run file that ansible has ran here
|
||||
file:
|
||||
path: /var/log/ansible.run
|
||||
state: touch
|
||||
|
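Review bot: The `Verify if we can run ansible` assert fails the host when `/etc/no-ansible` exists, so the message `skipping run on this node` is misleading: the host is reported as failed, not skipped, and a failure count is what CI or AWX will see. If the intent is a clean opt-out, `meta: end_host` guarded by `when: no_ansible.stat.exists` ends the play for that host without a failure; if a hard failure is wanted, reword `msg` to say so. The same pre_tasks block appears in ansible/role-rocky-ipa-replica.yml. The `file: state: touch` post_task also reports `changed` on every run, which defeats idempotency reporting; `modification_time: preserve` and `access_time: preserve` avoid that.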
29
ansible/role-rocky-ipa-replica.yml
Normal file
29
ansible/role-rocky-ipa-replica.yml
Normal file
@ -0,0 +1,29 @@
|
||||
---
|
||||
- name: Configure IPA server
|
||||
hosts: ipareplicas
|
||||
become: true
|
||||
vars_files:
|
||||
- vars/encpass.yml
|
||||
|
||||
pre_tasks:
|
||||
- name: Check if ansible cannot be run here
|
||||
stat:
|
||||
path: /etc/no-ansible
|
||||
register: no_ansible
|
||||
|
||||
- name: Verify if we can run ansible
|
||||
assert:
|
||||
that:
|
||||
- "not no_ansible.stat.exists"
|
||||
msg: "/etc/no-ansible exists - skipping run on this node"
|
||||
|
||||
roles:
|
||||
- role: ipareplica
|
||||
state: present
|
||||
|
||||
post_tasks:
|
||||
- name: Touching run file that ansible has ran here
|
||||
file:
|
||||
path: /var/log/ansible.run
|
||||
state: touch
|
||||
|
11
ansible/role-rocky-ipa.yml
Normal file
11
ansible/role-rocky-ipa.yml
Normal file
@ -0,0 +1,11 @@
|
||||
---
|
||||
- name: Configure IPA server
|
||||
hosts: ipaserver
|
||||
become: true
|
||||
vars_files:
|
||||
- vars/encpass.yml
|
||||
|
||||
roles:
|
||||
- role: ipaserver
|
||||
state: present
|
||||
|
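Review bot: This play lacks the `/etc/no-ansible` pre_tasks guard and the `/var/log/ansible.run` post_task marker that ansible/role-rocky-ipa-client.yml and ansible/role-rocky-ipa-replica.yml both carry, so the opt-out mechanism is not honoured on the primary IPA server. Add the same `pre_tasks:` / `post_tasks:` blocks here, or state in a header comment why the master is exempt.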
1
ansible/tasks/main.yml
Normal file
1
ansible/tasks/main.yml
Normal file
@ -0,0 +1 @@
|
||||
---
|
8
ansible/vars/encpass.yml
Normal file
8
ansible/vars/encpass.yml
Normal file
@ -0,0 +1,8 @@
|
||||
---
|
||||
# You must set this up using ansible-vault
|
||||
ipaadmin_password: !vault |
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
REDACTED
|
||||
ipadm_password: !vault |
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
REDACTED
|
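Review bot: `ipadm_password` is defined alongside `ipaadmin_password` but nothing in the visible playbooks references it directly — it is presumably consumed by the ipaserver/ipareplica roles — and its name is easy to confuse with `ipaadmin_password`; a comment stating what each unlocks (`# ipaadmin_password: IPA admin account used by the ipa* modules`, `# ipadm_password: <purpose — confirm against the ipaserver role>`) prevents the wrong one being passed later. The `REDACTED` bodies under `!vault |` are not valid vault payloads, so the file as committed cannot be decrypted; if that is intentional for the public mirror, say so in the header comment and point to `ansible-vault encrypt_string` for producing real values.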
14
ansible/vars/groups.yml
Normal file
14
ansible/vars/groups.yml
Normal file
@ -0,0 +1,14 @@
|
||||
---
|
||||
ipagroups:
|
||||
- group: infrastructure
|
||||
description: Infrastructure Team
|
||||
- group: operations
|
||||
description: Operations Team
|
||||
- group: development
|
||||
description: Development Team
|
||||
- group: qa
|
||||
description: Quality Assurance Team
|
||||
- group: marketing
|
||||
description: Marketing
|
||||
- group: rockyadm
|
||||
description: Rocky Linux Administrators - Only Admin Accounts
|
2
ansible/vars/sudorules.yml
Normal file
2
ansible/vars/sudorules.yml
Normal file
@ -0,0 +1,2 @@
|
||||
---
|
||||
|
16
ansible/vars/users.yml
Normal file
16
ansible/vars/users.yml
Normal file
@ -0,0 +1,16 @@
|
||||
---
|
||||
users:
|
||||
- name: label
|
||||
first: Louis
|
||||
last: Abel
|
||||
email: label@rockylinux.org
|
||||
password: ThisIsNotMyPassword1!
|
||||
title: Infrastructure IdM Engineer
|
||||
loginshell: /bin/bash
|
||||
- name: label2
|
||||
first: Louis
|
||||
last: Abel
|
||||
email: label@rockylinux.org
|
||||
password: ThisIsNotMyPassword1!
|
||||
title: Infrastructure IdM Engineer - Admin
|
||||
loginshell: /bin/bash
|
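Review bot: `password:` for both accounts is stored as a plain scalar in a vars file committed to the repository, while vars/encpass.yml already shows the `!vault |` pattern for secrets; even with placeholder values, the shape invites a real initial password to land in git history, so make each `password` an inline `!vault` block or move the passwords into the vaulted file. Both entries also share `email: label@rockylinux.org`, which looks like a leftover from duplicating the first entry; confirm the second account should carry the same mail attribute.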