Merge pull request #14963 from rocky-linux/develop

Deployment Prep
This commit is contained in:
Louis Abel 2021-01-06 20:41:24 -07:00 committed by GitHub
commit e823e87708
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
11 changed files with 81 additions and 31 deletions

6
ansible/.gitignore vendored
View File

@ -6,10 +6,14 @@ tmp/*
roles/public/*
!roles/public/Readme.md
#keep fodler holding ansible collections empty
#keep folder holding ansible collections empty
collections/*
!README.md
# Ignore all vaults
playbooks/vars/vaults/*
!playbooks/vars/vaults/README.md
# Ignore hidden configs
playbooks/templates/hidden/*
!playbooks/templates/hidden/README.md

View File

@ -14,6 +14,7 @@
- name: "Checking for user variables"
assert:
that:
- ipa_admin | mandatory
- ipaadmin_password | mandatory
- ipa_zone | mandatory
success_msg: "Required variables provided"
@ -21,6 +22,7 @@
- name: "Creating DNS Zone"
freeipa.ansible_freeipa.ipadnszone:
ipaadmin_principal: "{{ ipa_admin }}"
ipaadmin_password: "{{ ipaadmin_password }}"
name: "{{ ipa_zone }}"
tags:

View File

@ -0,0 +1,49 @@
---
# This playbook is meant to be used with callable variables, like adhoc or AWX.
# What: Creates groups in the idm infrastructure based on the variables provided
# You MUST provide an ipa_admin user to run this.
# If group is going to be a fas group (exposed in noggin), ensure ipa_fas is
# set to true.
- name: Create our initial users
hosts: ipaserver
become: false
gather_facts: false
vars_files:
- vars/vaults/encpass.yml
tasks:
- name: "Checking for user variables"
assert:
that:
- ipa_admin | mandatory
- ipaadmin_password | mandatory
- ipa_group | mandatory
- ipa_description | mandatory
- ipa_nonposix | mandatory
success_msg: "Required variables provided"
fail_msg: "We are missing group information or ipa admin password"
- name: "Creating New Group"
freeipa.ansible_freeipa.ipagroup:
ipaadmin_principal: "{{ ipa_admin }}"
ipaadmin_password: "{{ ipaadmin_password }}"
name: "{{ ipa_group }}"
description: "{{ ipa_description }}"
nonposix: "{{ ipa_nonposix }}"
membermanager_user: "{{ ipa_group_manager_user | default(omit) }}"
membermanager_group: "{{ ipa_group_manager_group | default(omit) }}"
tags:
- groups
- name: "Prepare FAS if required"
shell: "set -o pipefail && echo \"{{ ipaadmin_password }}\" | kinit {{ ipa_admin }}"
check_mode: false
changed_when: "1 != 1"
when: ipa_fas
- name: "Apply FAS"
command: "ipa group-mod --fasgroup {{ ipa_group }}"
check_mode: false
changed_when: "1 != 1"
when: ipa_fas

View File

@ -1,30 +0,0 @@
---
# This playbook is meant to be used with callable variables, like adhoc or AWX.
# What: Creates groups in the idm infrastructure based on the variables provided
- name: Create our initial users
hosts: ipaserver
become: false
gather_facts: false
vars_files:
- vars/vaults/encpass.yml
tasks:
- name: "Checking for user variables"
assert:
that:
- ipaadmin_password | mandatory
- ipa_group | mandatory
- ipa_description | mandatory
- ipa_posix | mandatory
success_msg: "Required variables provided"
fail_msg: "We are missing group information or ipa admin password"
- name: "Creating Mandatory Groups"
freeipa.ansible_freeipa.ipagroup:
ipaadmin_password: "{{ ipaadmin_password }}"
name: "{{ ipa_group }}"
description: "{{ ipa_description }}"
nonposix: "{{ ipa_posix }}"
tags:
- groups

View File

@ -13,6 +13,7 @@
- name: "Checking for user variables"
assert:
that:
- ipa_admin | mandatory
- ipaadmin_password | mandatory
- ipa_service | mandatory
success_msg: "Required variables provided"
@ -20,6 +21,7 @@
- name: "Creating Kerberos Service"
freeipa.ansible_freeipa.ipaservice:
ipaadmin_principal: "{{ ipa_admin }}"
ipaadmin_password: "{{ ipaadmin_password }}"
name: "{{ ipa_service }}"
skip_host_check: "{{ ipa_skip_host_check | default(false) }}"

View File

@ -13,6 +13,7 @@
- name: "Checking for user variables"
assert:
that:
- ipa_admin | mandatory
- ipaadmin_password | mandatory
- ipa_name | mandatory
- ipa_first | mandatory
@ -25,6 +26,7 @@
- name: "Creating User Account"
freeipa.ansible_freeipa.ipauser:
ipaadmin_principal: "{{ ipa_admin }}"
ipaadmin_password: "{{ ipaadmin_password }}"
name: "{{ ipa_name }}"
first: "{{ ipa_first }}"

View File

@ -7,6 +7,8 @@
description: "{{ item.description }}"
nonposix: false
user: "{{ item.user | default(none) }}"
membermanager_user: "{{ item.managers_users | default(omit) }}"
membermanager_group: "{{ item.managers_groups | default(omit) }}"
loop: "{{ ipagroups }}"
tags:
- groups

View File

@ -0,0 +1,5 @@
These contain configs that are considered "secret" and should not be part of any git commits. This directory still follows the basic format of where the file will be located.
```
hidden/etc/somefile.cfg
```

View File

@ -0,0 +1,2 @@
---
# Vars for Agreements for the Rocky Linux Project

View File

@ -52,6 +52,13 @@ ipagroups:
- tg
- hbjy
- rockyautomation
managers_users:
- label
- neil
- rlh
- rfelsburg
- tg
- hbjy
- group: services
description: Rocky Linux Service Accounts
user:
@ -65,9 +72,13 @@ ipagroups:
description: Rocky Linux Identity Management
user:
- label
managers_users:
- label
- group: releng
description: Rocky Linux Release Engineering
user:
- label
managers_users:
- label
- group: mq_pub_readonly
description: RabbitMQ ReadOnly

View File

@ -15,6 +15,7 @@ ipsilon_db_name: rockyipsilon
ipsilon_httpd_hostname: "{{ inventory_hostname }}"
# apache configuration for ipsilon
apache_configure: false
apache_listen_port: 80
apache_listen_port_ssl: 443
apache_create_vhosts: true