Commit Graph

215 Commits

Author SHA1 Message Date
Pavel Raiskup
e804c8ff01 ipa/service: add missing tags for the "fail" task 2022-11-23 15:07:46 +01:00
Pavel Raiskup
c59e68a986 ipa/service: don't fail if service already exists
Relates: https://pagure.io/fedora-infra/ansible/pull-request/1259
2022-11-23 15:03:41 +01:00
Pavel Raiskup
8d3cbc375e ipa/service: drop the PR I merged
The 'stat' can't work because "{{ service }}/{{ host }}" isn't a real
path name.

Revert "check if ipa service entry exists"

This reverts commit 98475f6ae4.
2022-11-23 14:50:50 +01:00
Seddik Alaoui Ismaili
98475f6ae4 check if ipa service entry exists 2022-11-23 13:31:10 +00:00
Kevin Fenzi
527d8cda18 sssd: exclude rabbitmq user also
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2022-10-03 16:12:55 -07:00
Kevin Fenzi
3c960624f4 fas2: good bye! You served long and well
Remove fas2 and all the checks that depended on it.

Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2022-07-01 12:09:36 -07:00
Kevin Fenzi
35a977170e ipa: set nolog back on
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2022-05-19 17:11:23 -07:00
Kevin Fenzi
a8851731d0 Revert "Revert "ipa/client: temp remove nolog""
This reverts commit 04bd033a9b.
2022-05-19 11:05:34 -07:00
Kevin Fenzi
04bd033a9b Revert "ipa/client: temp remove nolog"
This reverts commit 6bb9f0a4ea.
2022-05-19 11:00:04 -07:00
Kevin Fenzi
6bb9f0a4ea ipa/client: temp remove nolog
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2022-05-19 10:58:23 -07:00
Kevin Fenzi
51e1424f5d ipa/client: add a debug for ipa_servers
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2022-05-19 10:01:19 -07:00
Silvie Chlupova
a2bad7325c copr-fe: fix support for principal alias 2021-10-07 15:09:05 +02:00
Silvie Chlupova
3f5cb87166 copr-fe: support for principal alias
Relates: https://pagure.io/fedora-infrastructure/issue/10065
2021-09-29 18:47:25 +00:00
Aurélien Bompard
adf5af64bc Not so idempotent after all.
Signed-off-by: Aurélien Bompard <aurelien@bompard.org>
2021-07-21 17:47:19 +02:00
Aurélien Bompard
a5be08dab3 Most tasks in the ipa playbook are actually idempotent
Signed-off-by: Aurélien Bompard <aurelien@bompard.org>
2021-07-21 17:36:14 +02:00
Kevin Fenzi
1a069052f0 ipa/client: add mirrormanager user/group to ipa excludes
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2021-07-16 08:15:15 -07:00
Kevin Fenzi
a42bb9e383 ipa/server: fix typo: yess to yes
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2021-07-08 09:45:41 -07:00
Aurélien Bompard
7b650d56c9 Allow people in the sysadmin-main group to manage stage users in Noggin
Signed-off-by: Aurélien Bompard <aurelien@bompard.org>
2021-07-02 18:04:30 +02:00
Aurélien Bompard
d0ccea03f2 Add the new collectd plugin for IPA
Signed-off-by: Aurélien Bompard <aurelien@bompard.org>
2021-07-02 17:37:54 +02:00
František Zatloukal
9f273622e0 Blockerbugs: force to use local user instead of the ipa one 2021-06-09 19:14:13 +02:00
Kevin Fenzi
48e22151ae ipa/client: flush handlers at the end of ipa/client
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2021-05-24 15:24:40 -07:00
Kevin Fenzi
cd50797995 ipa / client: actually install the ignore conf file as .conf instead of .conf.j2
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2021-05-24 14:54:35 -07:00
Kevin Fenzi
52a197735b ipa/client: split out these groups
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2021-05-22 10:36:20 -07:00
Kevin Fenzi
1c6dfc82fd ipa/client: no comment in this jinja2 sadly, just make this a normal comment
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2021-05-22 10:26:50 -07:00
Kevin Fenzi
24ae7d3d16 ipa / client: rework the excluded local users from sssd
There's a real user 'mock' who we want to allow on ipsilon (so they can
log in to anything) and people02 (so they can get to their people space),
but nowhere else, since we need the local mock user on places like
builders, etc.

Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2021-05-21 12:51:32 -07:00
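The commits above describe the per-host exclude list that sssd's `filter_users` option (in the `[nss]` section of sssd.conf) enforces: names listed there are never returned from the IPA domain, so the local account of the same name is the one that takes effect, with a few hosts where the IPA user is deliberately allowed through. The following is an added example, not code from the fedora-infra ansible repository; it builds that list per host, renders the `[nss]` stanza, and reports local/IPA name collisions that are not covered. The base list, the hostnames, the IPA user list and the passwd sample are all constructed for illustration.

```python
# Added example: per-host sssd filter_users generation and collision check.
# Not code from the fedora-infra ansible repo; all data below is constructed.
from collections.abc import Iterable

# Assumed base exclude list (constructed; the repo's real file is not reproduced).
BASE_FILTER_USERS = ("apache", "bodhi", "ftpsync", "mirrormanager", "rabbitmq", "mock")

# Hosts on which a named IPA account may override the local one (constructed,
# mirroring the 'mock' case described in the commit message).
HOST_OVERRIDES = {
    "people02.example.test": {"mock"},
    "ipsilon01.example.test": {"mock"},
}


def filter_users_for(host: str,
                     base: Iterable[str] = BASE_FILTER_USERS,
                     overrides: dict = HOST_OVERRIDES) -> list:
    """filter_users entries for `host`: the base list minus any name this
    host is allowed to take from IPA instead of the local passwd file."""
    allowed = overrides.get(host, set())
    return [u for u in base if u not in allowed]


def render_nss_section(host: str) -> str:
    """Render the sssd.conf [nss] stanza; filter_users is a comma-separated list."""
    return "[nss]\nfilter_users = " + ", ".join(filter_users_for(host)) + "\n"


def local_users(passwd_text: str) -> set:
    """Account names from /etc/passwd-style text, skipping blank/comment lines."""
    names = set()
    for line in passwd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        names.add(line.split(":", 1)[0])
    return names


def unfiltered_collisions(host: str, passwd_text: str, ipa_users: Iterable[str]) -> set:
    """Names that exist both locally and in IPA but are neither filtered on
    `host` nor explicitly allowed through: the cases where sssd could still
    hand out an IPA entry beside the local account of the same name."""
    both = local_users(passwd_text) & set(ipa_users)
    filtered = set(filter_users_for(host))
    allowed = HOST_OVERRIDES.get(host, set())
    return both - filtered - allowed


# Constructed sample input: a builder's passwd file and some IPA user names.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
mock:x:135:135:mock build user:/var/lib/mock:/sbin/nologin
koji:x:990:990:koji:/var/lib/koji:/sbin/nologin
"""
SAMPLE_IPA_USERS = ["mock", "koji", "kevin"]

if __name__ == "__main__":
    for h in ("buildvm01.example.test", "people02.example.test"):
        print(h)
        print(render_nss_section(h))
        print("unfiltered collisions:",
              sorted(unfiltered_collisions(h, SAMPLE_PASSWD, SAMPLE_IPA_USERS)))
```

On the constructed input the builder keeps `mock` in its filter, people02 drops it, and both hosts flag `koji` as a local/IPA collision that the list does not yet cover; that last check is the one worth running before adding a new local service account.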
Tomas Hrcka
fb395d74a2 Update sssd config to filter users bodhi and ftpsync
Signed-off-by: Tomas Hrcka <thrcka@redhat.com>
2021-05-13 20:59:17 +00:00
Kevin Fenzi
7b93c69d29 ipa / server: fix delegations
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2021-05-10 11:51:16 -07:00
Kevin Fenzi
6b1feadf4f ipa / server: only install the stage user cleanup on 01
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2021-05-10 11:43:00 -07:00
Aurélien Bompard
86567270dc The keytab path is hostname-dependent
Signed-off-by: Aurélien Bompard <aurelien@bompard.org>
2021-05-07 10:12:11 +02:00
Aurélien Bompard
bfe6cf9d02 Only run the cron job on one server
Signed-off-by: Aurélien Bompard <aurelien@bompard.org>
2021-05-07 09:34:27 +02:00
Aurélien Bompard
abaf67b66c Adjust the keytab location to the service
Signed-off-by: Aurélien Bompard <aurelien@bompard.org>
2021-05-07 09:16:16 +02:00
Aurélien Bompard
551ba9bd39 Oops.
Signed-off-by: Aurélien Bompard <aurelien@bompard.org>
2021-05-06 19:04:34 +02:00
Aurélien Bompard
f1e9387759 Finally, use a service for the stage users cleanup script
Signed-off-by: Aurélien Bompard <aurelien@bompard.org>
2021-05-06 19:02:38 +02:00
Aurélien Bompard
3ddc3934da Add a periodic cleanup script for stage users
Signed-off-by: Aurélien Bompard <aurelien@bompard.org>
2021-05-06 13:59:21 +02:00
Aurélien Bompard
3719dff88e Add some missing tags
Signed-off-by: Aurélien Bompard <aurelien@bompard.org>
2021-05-06 13:58:40 +02:00
Mark O'Brien
2649c23c52 ipa: add env_suffix for stg 2021-05-06 12:30:29 +01:00
Kevin Fenzi
0cf61ae919 ipa / client: do not exclude mock ipa user on people02
We have a legit user who has the 'mock' account. So, we allow the ipa
one to override on people02 (since they have a shell account there), but
keep the filter everywhere else where we may run 'mock' the command.

Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2021-05-05 16:04:32 -07:00
Kevin Fenzi
8d20a480c2 ipa/client: add apache to ignore for sssd
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2021-05-04 14:34:22 -07:00
Kevin Fenzi
6e6dbc0581 ipa/client: ignore 'mock' ipa/fas user and use local one.
There's an actual legit person with a fas account of 'mock'.
We don't want to use their account, we want to use the local mock user
instead.

Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2021-05-04 13:16:34 -07:00
Aurélien Bompard
809635c923 Improve the IPA backup process
Fixes: https://pagure.io/fedora-infrastructure/issue/9916

Signed-off-by: Aurélien Bompard <aurelien@bompard.org>
2021-04-30 10:35:33 +02:00
Mark O'Brien
b51c4a5c7b ipa: need more modules enabled 2021-04-23 15:33:35 +01:00
Mark O'Brien
7952914916 ipa: enable correct idm module stg 2021-04-23 12:30:13 +01:00
Kevin Fenzi
6e1ab9cd21 ipa / client: setup nopasswd sudo groups for maintainer test
For the maintainer_tests instances we just want to allow anyone with
shell access ability to sudo with no password. In this case asking for
password/tokens could provide a MITM attack vector. This matches up with
the way they were setup before with fas2.

Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2021-04-21 16:18:47 +00:00
Mark O'Brien
cba637c5c2 ipa: otp script fix dest name 2021-04-15 21:01:46 +01:00
Mark O'Brien
d3927bb3c9 ipa: otp script add tags 2021-04-15 20:29:58 +01:00
Mark O'Brien
ecf0dadc3b add script 2021-04-15 18:23:12 +00:00
Mark O'Brien
b8515e6bce ipa: add script to check which sysadmins do not have otp tokens 2021-04-15 18:23:12 +00:00
Kevin Fenzi
cc736849e2 ipa/client: split out prod and stg ipa user/group ignore file
We need to also add mock to sssd ignore groups/users, but for now since
we are frozen, only do this in staging. After freeze, we should merge
this back into one file.

Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2021-04-08 17:15:51 -07:00
Nils Philippsen
05f399851e ipa/client: Don't apply hosts role on non-VPN hosts
We don't want a custom /etc/hosts installed on every host, so bring back
the conditional.

Improves commit 7a2024398f.

Signed-off-by: Nils Philippsen <nils@redhat.com>
2021-04-02 00:13:18 +02:00
Nils Philippsen
7a2024398f hosts: do the right thing for VPN hosts
Move the vpn ./. base logic from the ipa/client role into the hosts
role, so that applying the latter doesn't apply the base profile on VPN
hosts.

Fixes: fedora-infrastructure#9822

Signed-off-by: Nils Philippsen <nils@redhat.com>
2021-04-01 16:31:59 +02:00