prepping for ipsilon role

2024-11-21 20:51:27 +00:00 · 2020-12-13 03:00:33 -07:00 · 2020-12-13 03:00:33 -07:00 · 6822dfe739
commit 6822dfe739
parent 63abc4341d
4 changed files with 60 additions and 3 deletions
--- a/ansible/inventories/production/hosts.ini
+++ b/ansible/inventories/production/hosts.ini
@ -9,9 +9,6 @@ ipaserver
 ipareplicas
 ipaclients

-[ipsilon]
-idp001 ansible_host=10.100.x.x
-
 # Playbook and role specific inventory hosts and groups
 [ipaserver]
 ipa001 ansible_host=10.100.1.110
@ -22,3 +19,6 @@ ipa002 ansible_host=10.100.1.111
 [ipaclients]
 build-a-box ansible_host=10.100.1.112

+[ipsilon]
+idp001 ansible_host=10.100.x.x
+
--- a/ansible/playbooks/role-rocky-ipsilon.yml
+++ b/ansible/playbooks/role-rocky-ipsilon.yml
@ -0,0 +1,51 @@
+---
+# Stands up an ipsilon instance for simple SSO
+- name: Configure ipsilon server
+  hosts: ipsilon
+  become: true
+  vars_files:
+  - vars/encpass.yml
+
+  # This is to try to avoid the handler issue in pre/post tasks
+  handlers:
+    - include: handlers/main.yml
+
+  pre_tasks:
+    - name: Check if ansible cannot be run here
+      stat:
+        path: /etc/no-ansible
+      register: no_ansible
+
+    - name: Verify if we can run ansible
+      assert:
+        that:
+          - "not no_ansible.stat.exists"
+        msg: "/etc/no-ansible exists - skipping run on this node"
+
+    - name: Install arrfab ipsilon repo
+      yum_repository:
+        name: copr:copr.fedorainfracloud.org:arrfab:noggin
+        description: Copr repo for noggin owned by arrfab
+        file: copr_repos
+        baseurl: https://download.copr.fedorainfracloud.org/results/arrfab/noggin/epel-8-$basearch/
+        gpgcheck: true
+        gpgkey: https://download.copr.fedorainfracloud.org/results/arrfab/noggin/pubkey.gpg
+        enabled: true
+
+  roles:
+    - role: rockylinux.ipsilon
+      state: present
+
+  post_tasks:
+    - name: Touching run file that ansible has ran here
+      file:
+        path: /var/log/ansible.run
+        state: touch
+        mode: '0644'
+        owner: root
+        group: root
+
+    - name: "Turn on reverse zone syncing"
+      freeipa.ansible_freeipa.ipadnsconfig:
+        ipaadmin_password: '{{ ipaadmin_password }}'
+        allow_sync_ptr: true
--- a/ansible/playbooks/vars/encpass.yml
+++ b/ansible/playbooks/vars/encpass.yml
@ -6,3 +6,6 @@ ipaadmin_password: !vault |
 ipadm_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          REDACTED
+ipsilon_db_password: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          REDACTED
--- a/ansible/roles/requirements.yml
+++ b/ansible/roles/requirements.yml
@ -5,6 +5,9 @@ roles:
  # monitoring
  - name: cloudalchemy.node-exporter
  - name: cloudalchemy.prometheus
+  - name: rockylinux.ipsilon
+    src: https://github.com/rocky-linux/ansible-role-ipsilon
+    version: master

 collections:
  # freeipa