rearranging

ansible/playbooks/adhoc-ipadns.yml

@@ -8,7 +8,7 @@
   become: false
   gather_facts: false
   vars_files:
-  - vars/encpass.yml
+  - vars/vaults/encpass.yml
 
   tasks:
     - name: "Checking for user variables"

ansible/playbooks/adhoc-ipagetkeytab.yml

@@ -18,7 +18,7 @@
   become: true
   gather_facts: false
   vars_files:
-    - vars/encpass.yml
+    - vars/vaults/encpass.yml
 
   tasks:
     - name: "Checking for user variables"

ansible/playbooks/adhoc-ipagroups.yml

@@ -7,7 +7,7 @@
   become: false
   gather_facts: false
   vars_files:
-  - vars/encpass.yml
+  - vars/vaults/encpass.yml
 
   tasks:
     - name: "Checking for user variables"

ansible/playbooks/adhoc-ipaservice.yml

@@ -7,7 +7,7 @@
   become: false
   gather_facts: false
   vars_files:
-    - vars/encpass.yml
+    - vars/vaults/encpass.yml
 
   tasks:
     - name: "Checking for user variables"

ansible/playbooks/adhoc-ipausers.yml

@@ -7,7 +7,7 @@
   become: false
   gather_facts: false
   vars_files:
-  - vars/encpass.yml
+  - vars/vaults/encpass.yml
 
   tasks:
     - name: "Checking for user variables"

ansible/playbooks/adhoc-rabbitmqqueue.yml

@@ -22,7 +22,7 @@
   become: false
   gather_facts: false
   vars_files:
-  - vars/encpass.yml
+  - vars/vaults/encpass.yml
   - vars/rabbitmq.yml
 
   tasks:

ansible/playbooks/adhoc-rabbitmquser.yml

@@ -8,7 +8,7 @@
   become: false
   gather_facts: false
   vars_files:
-  - vars/encpass.yml
+  - vars/vaults/encpass.yml
   - vars/rabbitmq.yml
 
   tasks:

ansible/playbooks/import-rockyusers.yml

@@ -46,3 +46,25 @@
   loop: "{{ svcusers }}"
   tags:
     - users
+
+- name: "Creating bind account template - binder"
+  template:
+    src: "tmp/binder.update"
+    dest: "/tmp/binder.update"
+    owner: root
+    group: root
+    mode: '0600'
+  tags:
+    - users
+
+- name: "Adding in the bind account - binder"
+  command: "/usr/sbin/ipa-ldap-updater /tmp/binder.update"
+  register: bind_account
+  changed_when: "bind_account.rc == 0"
+  tags:
+    - users
+
+- name: "Remove template"
+  file:
+    path: "/tmp/binder.update"
+    state: absent

ansible/playbooks/init-rocky-ipa-internal-dns.yml

@@ -5,9 +5,9 @@
   become: false
   gather_facts: false
   vars_files:
-  - vars/encpass.yml
-  - vars/rdns.yml
-  - vars/fdns.yml
+  - vars/vaults/encpass.yml
+  - vars/ipa/rdns.yml
+  - vars/ipa/fdns.yml
 
   tasks:
     - name: "Checking for user variables"

ansible/playbooks/init-rocky-ipa-team.yml

@@ -5,12 +5,12 @@
   become: false
   gather_facts: false
   vars_files:
-  - vars/encpass.yml
-  - vars/users.yml
-  - vars/adminusers.yml
-  - vars/svcusers.yml
-  - vars/groups.yml
-  - vars/ipaprivs.yml
+  - vars/vaults/encpass.yml
+  - vars/ipa/users.yml
+  - vars/ipa/adminusers.yml
+  - vars/ipa/svcusers.yml
+  - vars/ipa/groups.yml
+  - vars/ipa/ipaprivs.yml
 
   tasks:
     - name: "Checking for user variables"

ansible/playbooks/role-rocky-ipa-client.yml

@@ -5,8 +5,8 @@
   hosts: ipaclients
   become: true
   vars_files:
-  - vars/encpass.yml
-  - vars/ipaclient.yml
+  - vars/vaults/encpass.yml
+  - vars/ipa/ipaclient.yml
 
   pre_tasks:
     - name: Check if ansible cannot be run here

ansible/playbooks/role-rocky-ipa-replica.yml

@@ -5,7 +5,7 @@
   hosts: ipareplicas
   become: true
   vars_files:
-  - vars/encpass.yml
+  - vars/vaults/encpass.yml
 
   # This is to try to avoid the handler issue in pre/post tasks
   handlers:

ansible/playbooks/role-rocky-ipa.yml

@@ -9,7 +9,7 @@
   hosts: ipaserver
   become: true
   vars_files:
-  - vars/encpass.yml
+  - vars/vaults/encpass.yml
 
   # This is to try to avoid the handler issue in pre/post tasks
   handlers:

ansible/playbooks/role-rocky-ipsilon.yml

@@ -4,7 +4,7 @@
   hosts: ipsilon
   become: true
   vars_files:
-  - vars/encpass.yml
+  - vars/vaults/encpass.yml
   - vars/ipsilon.yml
 
   # This is to try to avoid the handler issue in pre/post tasks

ansible/playbooks/role-rocky-kojihub.yml

@@ -4,7 +4,7 @@
   hosts: kojihub
   become: true
   vars_files:
-  - vars/encpass.yml
+  - vars/vaults/encpass.yml
   - vars/kojihub.yml
 
   # This is to try to avoid the handler issue in pre/post tasks

ansible/playbooks/role-rocky-mqtt.yml

@@ -4,7 +4,7 @@
   hosts: kojihub
   become: true
   vars_files:
-  - vars/encpass.yml
+  - vars/vaults/encpass.yml
   - vars/mqtt.yml
 
   # This is to try to avoid the handler issue in pre/post tasks

ansible/playbooks/role-rocky-rabbitmq.yml

@@ -5,7 +5,7 @@
   become: true
   vars_files:
   - vars/common.yml
-  - vars/encpass.yml
+  - vars/vaults/encpass.yml
   - vars/rabbitmq.yml
 
   # This is to try to avoid the handler issue in pre/post tasks

ansible/playbooks/templates/tmp/binder.update

@@ -0,0 +1,7 @@
+dn: uid=binder,cn=sysaccounts,cn=etc,dc=rockylinux,dc=org
+add:objectclass:account
+add:objectclass:simplesecurityobject
+add:uid:binder
+add:userPassword:{{ ipa_binder_password }}
+add:passwordExpirationTime:20380119031407Z
+add:nsIdleTimeout:0

ansible/playbooks/vars/common.yml

@@ -6,4 +6,4 @@ rocky_ldap_account_basedn: "cn=accounts,dc=rockylinux,dc=org"
 # Requires jinja 2.9+
 rocky_ipaserver_list: "{{ groups['ipaserver'] + groups['ipareplicas'] }}"
 # This will need to be vaulted
-rocky_ldap_bind_pw: "ThisIsNotThePassword!"
+# rocky_ldap_bind_pw: "ThisIsNotThePassword!"

ansible/playbooks/vars/vaults/encpass.yml

@@ -10,6 +10,9 @@ ipaadmin_password: !vault |
 ipadm_password: !vault |
           $ANSIBLE_VAULT;1.1;AES256
           REDACTED
+ipa_binder_password: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          REDACTED
 ipsilon_db_password: !vault |
           $ANSIBLE_VAULT;1.1;AES256
           REDACTED