diff --git a/ansible/.gitignore b/ansible/.gitignore
index 4938ffd..f7a4281 100644
--- a/ansible/.gitignore
+++ b/ansible/.gitignore
@@ -6,10 +6,14 @@ tmp/*
 roles/public/*
 !roles/public/Readme.md
-#keep fodler holding ansible collections empty
+#keep folder holding ansible collections empty
 collections/*
 !README.md
 # Ignore all vaults
 playbooks/vars/vaults/*
 !playbooks/vars/vaults/README.md
+
+# Ignore hidden configs
+playbooks/templates/hidden/*
+!playbooks/templates/hidden/README.md
diff --git a/ansible/playbooks/adhoc-ipadns.yml b/ansible/playbooks/adhoc-ipadns.yml
index ce56a73..5fd76fd 100644
--- a/ansible/playbooks/adhoc-ipadns.yml
+++ b/ansible/playbooks/adhoc-ipadns.yml
@@ -14,6 +14,7 @@
 - name: "Checking for user variables"
 assert:
 that:
+ - ipa_admin | mandatory
 - ipaadmin_password | mandatory
 - ipa_zone | mandatory
 success_msg: "Required variables provided"
@@ -21,6 +22,7 @@
 
 - name: "Creating DNS Zone"
 freeipa.ansible_freeipa.ipadnszone:
+ ipaadmin_principal: "{{ ipa_admin }}"
 ipaadmin_password: "{{ ipaadmin_password }}"
 name: "{{ ipa_zone }}"
 tags:
diff --git a/ansible/playbooks/adhoc-ipagroup.yml b/ansible/playbooks/adhoc-ipagroup.yml
new file mode 100644
index 0000000..ef2d525
--- /dev/null
+++ b/ansible/playbooks/adhoc-ipagroup.yml
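Review bot: `ipa_admin | mandatory` on the new assert line only fails when the variable is undefined; a caller that passes `ipa_admin: ""` (an empty survey field, say) passes the check and the module is then handed an empty `ipaadmin_principal`. Tightening it to `- ipa_admin | mandatory | length > 0` catches that in the assert instead of in the module error. The same one-line assert is added in adhoc-ipaservice.yml, adhoc-ipauser.yml and the new adhoc-ipagroup.yml, which would benefit from the same tightening.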
@@ -0,0 +1,49 @@
+---
+# This playbook is meant to be used with callable variables, like adhoc or AWX.
+# What: Creates groups in the idm infrastructure based on the variables provided
+# You MUST provide an ipa_admin user to run this.
+# If group is going to be a fas group (exposed in noggin), ensure ipa_fas is
+# set to true.
+
+- name: Create our initial users
+ hosts: ipaserver
+ become: false
+ gather_facts: false
+ vars_files:
+ - vars/vaults/encpass.yml
+
+ tasks:
+ - name: "Checking for user variables"
+ assert:
+ that:
+ - ipa_admin | mandatory
+ - ipaadmin_password | mandatory
+ - ipa_group | mandatory
+ - ipa_description | mandatory
+ - ipa_nonposix | mandatory
+ success_msg: "Required variables provided"
+ fail_msg: "We are missing group information or ipa admin password"
+
+ - name: "Creating New Group"
+ freeipa.ansible_freeipa.ipagroup:
+ ipaadmin_principal: "{{ ipa_admin }}"
+ ipaadmin_password: "{{ ipaadmin_password }}"
+ name: "{{ ipa_group }}"
+ description: "{{ ipa_description }}"
+ nonposix: "{{ ipa_nonposix }}"
+ membermanager_user: "{{ ipa_group_manager_user | default(omit) }}"
+ membermanager_group: "{{ ipa_group_manager_group | default(omit) }}"
+ tags:
+ - groups
+
+ - name: "Prepare FAS if required"
+ shell: "set -o pipefail && echo \"{{ ipaadmin_password }}\" | kinit {{ ipa_admin }}"
+ check_mode: false
+ changed_when: "1 != 1"
+ when: ipa_fas
+
+ - name: "Apply FAS"
+ command: "ipa group-mod --fasgroup {{ ipa_group }}"
+ check_mode: false
+ changed_when: "1 != 1"
+ when: ipa_fas
diff --git a/ansible/playbooks/adhoc-ipagroups.yml b/ansible/playbooks/adhoc-ipagroups.yml
deleted file mode 100644
index dbb751a..0000000
--- a/ansible/playbooks/adhoc-ipagroups.yml
+++ /dev/null
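Review bot: The "Prepare FAS if required" task pipes `ipaadmin_password` through a shell command without `no_log: true`, so the rendered command line — password included — is part of the task result and shows up in verbose runs, failure output and AWX job events, and the ticket it obtains is never discarded after "Apply FAS". `ipa_admin`, `ipa_group` and the password arrive as caller-supplied variables and are interpolated unquoted into `shell`/`command`, so they should go through `| quote`. `when: ipa_fas` errors when the variable is simply absent although the header describes FAS as optional, and a survey may deliver it as a string, so `ipa_fas | default(false) | bool` is the safer test; `changed_when: "1 != 1"` reads more clearly as `changed_when: false`, and `set -o pipefail` needs a bash `executable` since the default `/bin/sh` may reject it. The rewrite below applies those and adds a `kdestroy` cleanup task.
```yaml
    # … unchanged: play header, variable assert and "Creating New Group" task …

    - name: "Prepare FAS if required"
      shell: "set -o pipefail && echo {{ ipaadmin_password | quote }} | kinit {{ ipa_admin | quote }}"
      args:
        executable: /bin/bash
      no_log: true
      check_mode: false
      changed_when: false
      when: ipa_fas | default(false) | bool

    - name: "Apply FAS"
      command: "ipa group-mod --fasgroup {{ ipa_group | quote }}"
      check_mode: false
      changed_when: false
      when: ipa_fas | default(false) | bool

    - name: "Discard the admin ticket obtained for FAS"
      command: kdestroy
      check_mode: false
      changed_when: false
      when: ipa_fas | default(false) | bool
```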
@@ -1,30 +0,0 @@
----
-# This playbook is meant to be used with callable variables, like adhoc or AWX.
-# What: Creates groups in the idm infrastructure based on the variables provided
-
-- name: Create our initial users
- hosts: ipaserver
- become: false
- gather_facts: false
- vars_files:
- - vars/vaults/encpass.yml
-
- tasks:
- - name: "Checking for user variables"
- assert:
- that:
- - ipaadmin_password | mandatory
- - ipa_group | mandatory
- - ipa_description | mandatory
- - ipa_posix | mandatory
- success_msg: "Required variables provided"
- fail_msg: "We are missing group information or ipa admin password"
-
- - name: "Creating Mandatory Groups"
- freeipa.ansible_freeipa.ipagroup:
- ipaadmin_password: "{{ ipaadmin_password }}"
- name: "{{ ipa_group }}"
- description: "{{ ipa_description }}"
- nonposix: "{{ ipa_posix }}"
- tags:
- - groups
diff --git a/ansible/playbooks/adhoc-ipaservice.yml b/ansible/playbooks/adhoc-ipaservice.yml
index ec3c7fc..b93527f 100644
--- a/ansible/playbooks/adhoc-ipaservice.yml
+++ b/ansible/playbooks/adhoc-ipaservice.yml
@@ -13,6 +13,7 @@
 - name: "Checking for user variables"
 assert:
 that:
+ - ipa_admin | mandatory
 - ipaadmin_password | mandatory
 - ipa_service | mandatory
 success_msg: "Required variables provided"
@@ -20,6 +21,7 @@
 
 - name: "Creating Kerberos Service"
 freeipa.ansible_freeipa.ipaservice:
+ ipaadmin_principal: "{{ ipa_admin }}"
 ipaadmin_password: "{{ ipaadmin_password }}"
 name: "{{ ipa_service }}"
 skip_host_check: "{{ ipa_skip_host_check | default(false) }}"
diff --git a/ansible/playbooks/adhoc-ipausers.yml b/ansible/playbooks/adhoc-ipauser.yml
similarity index 93%
rename from ansible/playbooks/adhoc-ipausers.yml
rename to ansible/playbooks/adhoc-ipauser.yml
index 4599d90..8c51c4e 100644
--- a/ansible/playbooks/adhoc-ipausers.yml
+++ b/ansible/playbooks/adhoc-ipauser.yml
@@ -13,6 +13,7 @@
 - name: "Checking for user variables"
 assert:
 that:
+ - ipa_admin | mandatory
 - ipaadmin_password | mandatory
 - ipa_name | mandatory
 - ipa_first | mandatory
@@ -25,6 +26,7 @@
 
 - name: "Creating User Account"
 freeipa.ansible_freeipa.ipauser:
+ ipaadmin_principal: "{{ ipa_admin }}"
 ipaadmin_password: "{{ ipaadmin_password }}"
 name: "{{ ipa_name }}"
 first: "{{ ipa_first }}"
diff --git a/ansible/playbooks/import-rockygroups.yml b/ansible/playbooks/import-rockygroups.yml
index 46e790f..46eb8c7 100644
--- a/ansible/playbooks/import-rockygroups.yml
+++ b/ansible/playbooks/import-rockygroups.yml
@@ -7,6 +7,8 @@
 description: "{{ item.description }}"
 nonposix: false
 user: "{{ item.user | default(none) }}"
+ membermanager_user: "{{ item.managers_users | default(omit) }}"
+ membermanager_group: "{{ item.managers_groups | default(omit) }}"
 loop: "{{ ipagroups }}"
 tags:
 - groups
diff --git a/ansible/playbooks/templates/hidden/README.md b/ansible/playbooks/templates/hidden/README.md
new file mode 100644
index 0000000..d0302d2
--- /dev/null
+++ b/ansible/playbooks/templates/hidden/README.md
@@ -0,0 +1,5 @@
+These contain configs that are considered "secret" and should not be part of any git commits. This directory still follows the basic format of where the file will be located.
+
+```
+hidden/etc/somefile.cfg
+```
diff --git a/ansible/playbooks/vars/ipa/agreements.yml b/ansible/playbooks/vars/ipa/agreements.yml
new file mode 100644
index 0000000..2c6aed1
--- /dev/null
+++ b/ansible/playbooks/vars/ipa/agreements.yml
@@ -0,0 +1,2 @@
+---
+# Vars for Agreements for the Rocky Linux Project
diff --git a/ansible/playbooks/vars/ipa/groups.yml b/ansible/playbooks/vars/ipa/groups.yml
index b1e3369..174a7bc 100644
--- a/ansible/playbooks/vars/ipa/groups.yml
+++ b/ansible/playbooks/vars/ipa/groups.yml
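Review bot: The new `membermanager_user`/`membermanager_group` lines in import-rockygroups.yml are rendered from `item.managers_users` and `item.managers_groups` for every entry of `ipagroups`, so the accounts named there have to exist in IPA before this loop runs; if the collection rejects an unknown member manager, as the underlying `group-add-member-manager` call does, the loop stops at the first group whose managers have not been created yet. A comment above the task would make that ordering explicit, e.g. `# managers_users / managers_groups must name users and groups that already exist; run the user import first`. The vars keys also differ from the adhoc playbook's `ipa_group_manager_user`/`ipa_group_manager_group` spelling, which makes the two paths harder to grep together. The enclosing ipagroup task starts above the hunk.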
@@ -52,6 +52,13 @@ ipagroups:
 - tg
 - hbjy
 - rockyautomation
+ managers_users:
+ - label
+ - neil
+ - rlh
+ - rfelsburg
+ - tg
+ - hbjy
 - group: services
 description: Rocky Linux Service Accounts
 user:
@@ -65,9 +72,13 @@ ipagroups:
 description: Rocky Linux Identity Management
 user:
 - label
+ managers_users:
+ - label
 - group: releng
 description: Rocky Linux Release Engineering
 user:
 - label
+ managers_users:
+ - label
 - group: mq_pub_readonly
 description: RabbitMQ ReadOnly
diff --git a/ansible/playbooks/vars/ipsilon.yml b/ansible/playbooks/vars/ipsilon.yml
index ab211d9..0bc7224 100644
--- a/ansible/playbooks/vars/ipsilon.yml
+++ b/ansible/playbooks/vars/ipsilon.yml
@@ -15,6 +15,7 @@ ipsilon_db_name: rockyipsilon
 ipsilon_httpd_hostname: "{{ inventory_hostname }}"
 # apache configuration for ipsilon
+apache_configure: false
 apache_listen_port: 80
 apache_listen_port_ssl: 443
 apache_create_vhosts: true
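Review bot: `apache_configure: false` in ipsilon.yml lands under the `# apache configuration for ipsilon` comment with no note of why httpd configuration is switched off while `apache_listen_port`, `apache_listen_port_ssl` and `apache_create_vhosts` stay defined, so a reader cannot tell whether those values are still consumed. A one-line comment above it recording the intent — for example `# the generic apache role must not manage httpd on this host; the apache_* values below are kept for the templates that read them` — would settle that, adjusted to whatever the actual reason is, which the hunk does not show.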