mirror of
https://pagure.io/fedora-infra/ansible.git
synced 2026-04-24 10:31:56 +08:00
253 lines
7.1 KiB
YAML
253 lines
7.1 KiB
YAML
---
|
|
# Configuration for IPA
|
|
|
|
- name: install needed packages
|
|
package: name={{ item }} state=present
|
|
with_items:
|
|
- haveged
|
|
- ipa-server
|
|
- ipa-server-dns
|
|
- pynag
|
|
- python-ldap
|
|
tags:
|
|
- ipa/server
|
|
- packages
|
|
|
|
- name: enable haveged
|
|
service: name=haveged state=started enabled=yes
|
|
tags:
|
|
- ipa/server
|
|
- config
|
|
|
|
- name: install IPA
|
|
command: ipa-server-install
|
|
--realm={{ipa_realm}}
|
|
--domain={{ipa_realm}}
|
|
--ds-password={{ipa_dm_password}}
|
|
--admin-password={{ipa_admin_password}}
|
|
--mkhomedir
|
|
--no-ntp
|
|
--unattended
|
|
--no-ssh
|
|
--no-sshd
|
|
--setup-dns
|
|
--forwarder=10.5.126.21
|
|
--forwarder=10.5.126.22
|
|
--log-file=/var/log/ipainstall.log
|
|
creates=/etc/ipa/default.conf
|
|
tags:
|
|
- ipa/server
|
|
- config
|
|
when: inventory_hostname.startswith("ipa01")
|
|
|
|
- name: install IPA vault
|
|
command: ipa-kra-install
|
|
--password={{ipa_dm_password}}
|
|
--unattended
|
|
--log-file=/var/log/ipakrainstall.log
|
|
creates=/var/log/ipakrainstall.log
|
|
tags:
|
|
- ipa/server
|
|
- config
|
|
when: inventory_hostname.startswith("ipa01")
|
|
|
|
- name: determine whether we need to set up replication
|
|
stat: path=/etc/ipa/default.conf
|
|
register: replication_status
|
|
tags:
|
|
- ipa/server
|
|
- config
|
|
when: not inventory_hostname.startswith("ipa01")
|
|
|
|
- name: create replica file
|
|
delegate_to: ipa01.phx2.fedoraproject.org
|
|
command: ipa-replica-prepare
|
|
--password={{ipa_dm_password}}
|
|
--ip-address={{eth0_ip}}
|
|
{{inventory_hostname}}
|
|
creates=/var/lib/ipa/replica-info-{{inventory_hostname}}.gpg
|
|
tags:
|
|
- ipa/server
|
|
- config
|
|
when: not inventory_hostname.startswith("ipa01") and not replication_status.stat.exists
|
|
|
|
- name: retrieve replica file
|
|
delegate_to: ipa01.phx2.fedoraproject.org
|
|
fetch: src=/var/lib/ipa/replica-info-{{inventory_hostname}}.gpg
|
|
dest=/tmp/ipa_replica_{{inventory_hostname}}.gpg
|
|
flat=yes
|
|
tags:
|
|
- ipa/server
|
|
- config
|
|
when: not inventory_hostname.startswith("ipa01") and not replication_status.stat.exists
|
|
|
|
- name: deploy replica file
|
|
copy: src=/tmp/ipa_replica_{{inventory_hostname}}.gpg
|
|
dest=/root/ipa_replica_{{inventory_hostname}}.gpg
|
|
mode=0600 owner=root group=root
|
|
tags:
|
|
- ipa/server
|
|
- config
|
|
when: not inventory_hostname.startswith("ipa01") and not replication_status.stat.exists
|
|
|
|
- name: destroy replica file on ansible host
|
|
delegate_to: localhost
|
|
file: path=/tmp/ipa_replica_{{inventory_hostname}}.gpg state=absent
|
|
tags:
|
|
- ipa/server
|
|
- config
|
|
when: not inventory_hostname.startswith("ipa01") and not replication_status.stat.exists
|
|
|
|
- name: deploy replica
|
|
command: ipa-replica-install
|
|
--setup-ca
|
|
--setup-kra
|
|
--password={{ipa_dm_password}}
|
|
--admin-password={{ipa_admin_password}}
|
|
--mkhomedir
|
|
--no-ntp
|
|
--unattended
|
|
--no-ssh
|
|
--no-sshd
|
|
--setup-dns
|
|
--forwarder=10.5.126.21
|
|
--forwarder=10.5.126.22
|
|
--skip-conncheck
|
|
--log-file=/var/log/ipainstall.log
|
|
/root/ipa_replica_{{inventory_hostname}}.gpg
|
|
creates=/etc/ipa/default.conf
|
|
tags:
|
|
- ipa/server
|
|
- config
|
|
when: not inventory_hostname.startswith("ipa01") and not replication_status.stat.exists
|
|
|
|
- name: Disable rewrites
|
|
copy: src=ipa-rewrite.conf dest=/etc/httpd/conf.d/ipa-rewrite.conf
|
|
notify:
|
|
- reload httpd
|
|
tags:
|
|
- ipa/server
|
|
- config
|
|
|
|
- name: Deploy configuration script
|
|
copy: src=configure-ipa.sh dest=/root/configure-ipa.sh mode=0700 owner=root group=root
|
|
register: config_deployed
|
|
tags:
|
|
- ipa/server
|
|
- config
|
|
when: inventory_hostname.startswith("ipa01")
|
|
|
|
- name: Run configuration script
|
|
command: /bin/bash /root/configure-ipa.sh {{ipa_admin_password}}
|
|
tags:
|
|
- ipa/server
|
|
- config
|
|
when: inventory_hostname.startswith("ipa01") and config_deployed.changed
|
|
|
|
- name: Get admin ticket
|
|
shell: echo "{{ipa_admin_password}}" | kinit admin
|
|
tags:
|
|
- ipa/server
|
|
- keytab
|
|
- config
|
|
- krb5
|
|
when: inventory_hostname.startswith("ipa01")
|
|
|
|
- name: Create fas_sync user
|
|
command: ipa user-add fas_sync --first=FAS --last=Sync
|
|
tags:
|
|
- ipa/server
|
|
- config
|
|
when: inventory_hostname.startswith("ipa01")
|
|
register: create_output
|
|
changed_when: "'already exists' not in create_output.stderr"
|
|
failed_when: "'already exists' not in create_output.stderr and create_output.rc != 0"
|
|
|
|
- name: Promote fas_sync user
|
|
command: ipa group-add-member admins --users=fas_sync
|
|
tags:
|
|
- ipa/server
|
|
- config
|
|
when: inventory_hostname.startswith("ipa01")
|
|
register: promote_output
|
|
changed_when: "'already a member' not in promote_output.stdout"
|
|
failed_when: "'already a member' not in promote_output.stdout and promote_output.rc != 0"
|
|
|
|
- name: Configure password policy
|
|
command: ipa pwpolicy-mod global_policy --maxlife=0 --minlife=0 --history=0 --minclasses=0 --minlength=0 --maxfail=0
|
|
tags:
|
|
- ipa/server
|
|
- config
|
|
when: inventory_hostname.startswith("ipa01")
|
|
register: pwpolicy_output
|
|
changed_when: "'no modifications to be performed' not in pwpolicy_output.stderr"
|
|
failed_when: "'no modifications to be performed' not in pwpolicy_output.stderr and pwpolicy_output.rc != 0"
|
|
|
|
- name: Destroy admin ticket
|
|
command: kdestroy -A
|
|
tags:
|
|
- ipa/server
|
|
- keytab
|
|
- config
|
|
- krb5
|
|
when: inventory_hostname.startswith("ipa01")
|
|
|
|
- name: Create LDIF directory
|
|
file: path=/root/ldif state=directory owner=root group=root mode=0750
|
|
tags:
|
|
- ipa/server
|
|
- config
|
|
|
|
- name: Copy LDIF files
|
|
copy: src={{item}} dest=/root/ldif/{{item}}
|
|
with_items:
|
|
- grant_anonymous_replication_view.ldif
|
|
- grant_fas_sync.ldif
|
|
- use_id_fp_o.ldif
|
|
tags:
|
|
- ipa/server
|
|
- config
|
|
|
|
- name: Apply LDIF files
|
|
command: ldapmodify -Y EXTERNAL -H {{ ipa_ldap_socket }}
|
|
-f /root/ldif/{{item}}.ldif
|
|
with_items:
|
|
- grant_fas_sync
|
|
- use_id_fp_o
|
|
when: inventory_hostname.startswith("ipa01")
|
|
tags:
|
|
- ipa/server
|
|
- config
|
|
register: apply_output
|
|
changed_when: "'Type or value exists' not in apply_output.stderr"
|
|
failed_when: "'Type or value exists' not in apply_output.stderr and 'modifying entry' not in apply_output.stdout"
|
|
|
|
# This is a special one, in that it needs to apply on each master since it's non-replicated.
|
|
- name: Grant access to replication status
|
|
command: ldapmodify -Y EXTERNAL -H {{ ipa_ldap_socket }}
|
|
-f /root/ldif/grant_anonymous_replication_view.ldif
|
|
tags:
|
|
- ipa/server
|
|
- config
|
|
register: grant_repl_status_output
|
|
changed_when: "'Type or value exists' not in grant_repl_status_output.stderr"
|
|
failed_when: "'Type or value exists' not in grant_repl_status_output.stderr and 'modifying entry' not in grant_repl_status_output.stdout"
|
|
|
|
# Make some httpd changes
|
|
- name: Configure referer override
|
|
template: src=referer-override.conf
|
|
dest=/etc/httpd/conf.d/referer-override.conf
|
|
notify:
|
|
- reload apache
|
|
tags:
|
|
- ipa/server
|
|
- config
|
|
|
|
- name: Update xmlrpc_uri
|
|
lineinfile: dest=/etc/ipa/default.conf
|
|
regexp='xmlrpc_uri ='
|
|
line='xmlrpc_uri = https://{{ inventory_hostname }}/ipa/xml'
|
|
tags:
|
|
- ipa/server
|
|
- config
|