From a5bd83543f341af6f480dbae02197ab344b409f0 Mon Sep 17 00:00:00 2001
From: nazunalika
Date: Sat, 21 Aug 2021 17:49:53 -0700
Subject: [PATCH 1/3] I think this syncs the ipa keys

---
 ansible/playbooks/templates/etc/gitlab/rocky_gitlab.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ansible/playbooks/templates/etc/gitlab/rocky_gitlab.rb b/ansible/playbooks/templates/etc/gitlab/rocky_gitlab.rb
index 56f0859..16cf16e 100644
--- a/ansible/playbooks/templates/etc/gitlab/rocky_gitlab.rb
+++ b/ansible/playbooks/templates/etc/gitlab/rocky_gitlab.rb
@@ -44,7 +44,7 @@ gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
 user_filter: '{{ gitlab_ldap_user_filter }}'
 group_base: '{{ gitlab_ldap_group_dn }}'
 admin_group: '{{ gitlab_ldap_admin_group }}'
- sync_ssh_keys: true
+ sync_ssh_keys: 'ipaSshPubKey'
 attributes:
 username: ['uid']
 email: ['mail']

From e431bc0fc87eb75d729e9c8d2618b4e7a23f1347 Mon Sep 17 00:00:00 2001
From: nazunalika
Date: Wed, 25 Aug 2021 10:32:23 -0700
Subject: [PATCH 2/3] add service support

---
 ansible/playbooks/adhoc-ipagetcert.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/ansible/playbooks/adhoc-ipagetcert.yml b/ansible/playbooks/adhoc-ipagetcert.yml
index 1a919c0..8007411 100644
--- a/ansible/playbooks/adhoc-ipagetcert.yml
+++ b/ansible/playbooks/adhoc-ipagetcert.yml
@@ -9,6 +9,7 @@
 # -> getcert_postcmd: command to run after a certificate renews
 # -> getcert_chain: true/false, should cert and key be chained together
 # -> getcert_chain_location: location for the chain
+# -> getcert_service: service name (eg HTTP, host), defaults to host
 # TODO: Add CNAME/SAN support
 
 - name: Request and sign an IPA Certificate
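Review bot: The new `sync_ssh_keys: 'ipaSshPubKey'` line makes the FreeIPA attribute the source of SSH keys for LDAP users, which moves the authorization boundary for git-over-SSH into IPA — anyone who can write a user's `ipaSshPubKey` (the user via self-service, or an IPA admin/helpdesk role) can grant SSH access to that GitLab account, and the commit message itself is unsure the setting works. Because this is Jinja-rendered into a `YAML.load` heredoc the quoted attribute name is the right form, but a comment above the line would save the next reader from rediscovering the trust relationship, e.g. `# SSH keys are pulled from FreeIPA's ipaSshPubKey attribute; whoever can edit it in IPA controls git-over-SSH access for the account`. It is also worth checking the GitLab LDAP docs for the deployed version on whether keys removed from IPA are removed from GitLab on the next sync, and recording the answer in that comment. The `ldap_servers` heredoc starts before and ends after this hunk.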
@@ -23,6 +24,7 @@
 nss_db_dir: "{{ getcert_nss_db_dir|default('/etc/pki/tls/db') }}"
 nss_nickname: "{{ getcert_nss_nickname|default(ansible_fqdn) }}"
 postcmd: "{{ getcert_postcmd|default(false) }}"
+ service: "{{ getcert_service|default('host') }}"
 ipa_getcert_chain: "{{ getcert_chain|default(false) }}"
 ipa_getcert_chain_location: "{{ getcert_chain_location|default('/etc/pki/tls/chain') }}"
 ipa_getcert_nss: "{{ getcert_nss|default(false) }}"

From 7d36cd1cd2199419d2738e3a53a62cb02d9491b3 Mon Sep 17 00:00:00 2001
From: nazunalika
Date: Fri, 27 Aug 2021 09:49:10 -0700
Subject: [PATCH 3/3] quick readme update

---
 ansible/README.md | 26 +++++++++++++++++++++-----
 1 file changed, 21 insertions(+), 5 deletions(-)

diff --git a/ansible/README.md b/ansible/README.md
index dab6bb7..30e1348 100644
--- a/ansible/README.md
+++ b/ansible/README.md
@@ -6,8 +6,6 @@ Each playbook should have comments or a name descriptor that explains what the p
 
 ## Management Node Structure
 
-Loosely copied from the CentOS ansible infrastructure.
-
 ```
 .
 ├── ansible.cfg
@@ -262,7 +260,8 @@ init-rocky-system-config.yml
 │   │   │   │   └── custom
 │   │   │   │   └── sssd-rocky
 │   │   │   │   ├── CentOS-8-system-auth -> RedHat-8-system-auth
-│   │   │   │   └── RedHat-8-system-auth
+│   │   │   │   ├── RedHat-8-system-auth
+│   │   │   │   └── Rocky-8-system-auth -> RedHat-8-system-auth
 │   │   │   ├── gitlab
 │   │   │   ├── pam.d
 │   │   │   │   ├── CentOS-7-system-auth-ac -> RedHat-7-system-auth-ac
@@ -299,7 +298,8 @@ init-rocky-system-config.yml
 │   ├── init-rocky-noggin.yml
 │   ├── init-rocky-repo-servers.yml
 │   ├── init-rocky-system-config.yml
-│   ├── rocky-rocky-gitlab-ee.yml
+│   ├── role-rocky-bootstrap_staging.yml
+│   ├── role-rocky-gitlab-ee.yml
 │   ├── role-rocky-gitlab-runner.yml
 │   ├── role-rocky-graylog.yml
 │   ├── role-rocky-ipa-client.yml
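Review bot: `service` is defined with `default('host')` but nothing in this hunk consumes it, and the `ipa-getcert request` task that would have to pass it as the Kerberos principal (roughly `-K {{ service }}/{{ ansible_fqdn }}`) is outside the hunk — if that task was not updated the new variable is dead and `getcert_service: HTTP` would silently still request a host certificate, so please confirm the consumer exists. Certmonger can only enroll a non-host principal when that service already exists in IPA and the requesting host is permitted to manage it; otherwise the IPA CA will typically reject the request, so a documented prerequisite next to the new variable would help, for example `# getcert_service other than 'host' requires the service principal to exist in IPA (ipa service-add) and this host to be allowed to manage it (ipa service-add-host)`. The `vars` block this line belongs to starts before the hunk and the tasks that use it follow after it.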
@@ -313,9 +313,12 @@ init-rocky-system-config.yml
 │   ├── role-rocky-monitoring.yml
 │   ├── role-rocky-mqtt.yml
 │   ├── role-rocky-node_exporter.yml
+│   ├── role-rocky-pinnwand.yml
 │   ├── role-rocky-rabbitmq.yml
+│   ├── role-rocky-repopool.yml
 │   ├── role-rocky-sigul-bridge.yml
 │   ├── role-rocky-sigul-server.yml
+│   ├── role-rocky-srpmproc.yml
 │   ├── role-rocky-wikijs.yml
 │   ├── tasks
 │   │   ├── account_services.yml
@@ -324,6 +327,7 @@ init-rocky-system-config.yml
 │   │   ├── bugzilla_install.yml
 │   │   ├── bugzilla.yml
 │   │   ├── chrony.yml
+│   │   ├── efs_mount.yml
 │   │   ├── gitlab-reconfigure.yml
 │   │   ├── gitlab-runner.yml
 │   │   ├── grub.yml
@@ -338,6 +342,7 @@ init-rocky-system-config.yml
 │   │   ├── rabbitmq-reconfigure.yml
 │   │   ├── repository.yml
 │   │   ├── scripts.yml
+│   │   ├── srpmproc.yml
 │   │   ├── ssh_config.yml
 │   │   └── variable_loader_common.yml
 │   ├── templates
@@ -367,7 +372,8 @@ init-rocky-system-config.yml
 │   │   │   │   ├── CentOS-7-sshd_config.j2 -> RedHat-7-sshd_config.j2
 │   │   │   │   ├── CentOS-8-sshd_config.j2 -> RedHat-8-sshd_config.j2
 │   │   │   │   ├── RedHat-7-sshd_config.j2
-│   │   │   │   └── RedHat-8-sshd_config.j2
+│   │   │   │   ├── RedHat-8-sshd_config.j2
+│   │   │   │   └── Rocky-8-sshd_config.j2 -> RedHat-8-sshd_config.j2
 │   │   │   └── sssd
 │   │   ├── hidden
 │   │   │   ├── home
@@ -382,6 +388,10 @@ init-rocky-system-config.yml
 │   │   │   ├── binder_template.update
 │   │   │   ├── binder.update
 │   │   │   └── mantis_import.sql.j2
+│   │   ├── usr
+│   │   │   └── local
+│   │   │   └── bin
+│   │   │   └── fix_gitlab_certs.sh
 │   │   └── var
 │   │   └── www
 │   │   ├── bugzilla
@@ -420,13 +430,19 @@ init-rocky-system-config.yml
 │   ├── monitoring
 │   │   └── README.md
 │   ├── monitoring.yml
+│   ├── mounts
+│   │   ├── bootstrap_staging.yml
+│   │   ├── repopool.yml
+│   │   └── srpmproc.yml
 │   ├── mqtt.yml
+│   ├── pinnwand.yml
 │   ├── production
 │   │   ├── koji-common.yml
 │   │   ├── kojid.yml
 │   │   └── kojihub.yml
 │   ├── rabbitmq.yml
 │   ├── RedHat.yml
+│   ├── Rocky.yml -> RedHat.yml
 │   ├── sigul_bridge.yml
 │   ├── sigul_server.yml
 │   ├── staging