-
Notifications
You must be signed in to change notification settings - Fork 21
/
main.yml
184 lines (167 loc) · 6 KB
/
main.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
- name: Configure IPA IP address (from metadata)
set_fact:
ipa_ip: "{{ hostvars[inventory_hostname]['meta_ip'] }}"
when: '"meta_ip" in hostvars[inventory_hostname]'
- name: Configure IPA IP address (from ssh)
set_fact:
ipa_ip: "{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}"
when: '"meta_ip" not in hostvars[inventory_hostname]'
- name: Prepare IPA facts
set_fact:
ipa_domain: "{{ '.'.join(inventory_hostname.split('.')[1:]) }}"
ipa_netbios: "{{ inventory_hostname.split('.')[0].upper() }}"
ipa_suffix: "{{ inventory_hostname.split('.')[1:] | map('regex_replace', '^(.*)$', 'dc=\\1') | join(',') }}"
ipa_password: "{{ ansible_password | default(service.ipa.password) }}"
- name: Debug IPA facts
debug:
msg: 'IPA domain: "{{ ipa_domain }}", IPA netbios: "{{ ipa_netbios }}", IPA suffix: "{{ ipa_suffix }}"'
- name: Install IPA server
shell: |
set -e
alias install-ipa="/usr/sbin/ipa-server-install --unattended \
--realm={{ ipa_domain | upper | quote }} \
--domain={{ ipa_domain | quote }} \
--netbios-name={{ ipa_netbios| quote }} \
--ds-password={{ ipa_password | quote }} \
--admin-password={{ ipa_password | quote }} \
--setup-dns \
--ip-address={{ ipa_ip | quote }} \
--setup-adtrust \
--auto-forwarders \
--auto-reverse \
--no-dnssec-validation \
--no-host-dns \
--no-ntp"
install-ipa --external-ca
openssl x509 -days 7200 -req \
-extfile /data/configs/openssl_sign_ca.ext \
-CA "/data/certs/ca.crt" \
-CAkey "/data/certs/ca.key" \
--CAcreateserial \
-in "/root/ipa.csr" \
-out "/root/ipa.crt"
install-ipa \
--external-cert-file=/root/ipa.crt \
--external-cert-file=/data/certs/ca.crt
args:
creates: /etc/ipa/default.conf
- name: Remove auto.master and auto.direct maps
shell: |
kinit admin
ipa automountmap-del default auto.master
ipa automountmap-del default auto.direct
args:
stdin: '{{ ipa_password }}'
register: automountmapdel
failed_when:
- 'automountmapdel.rc != 0 and "automount map not found" not in automountmapdel.stderr'
- name: Create pw-never-expires group
shell: |
kinit admin
ipa group-add pw-never-expires
args:
stdin: '{{ ipa_password }}'
register: pwneverexpires
failed_when:
- 'pwneverexpires.rc != 0 and "already exists" not in pwneverexpires.stderr'
- name: Create pw-never-expires password policy
shell: |
kinit admin
ipa pwpolicy-add pw-never-expires --maxlife=0 --minlife=0 --priority=0
args:
stdin: '{{ ipa_password }}'
register: policy
failed_when:
- 'policy.rc != 0 and "already used by pw-never-expires" not in policy.stderr'
- name: Add admin to pw-never-expires group
shell: |
kinit admin
ipa group-add-member pw-never-expires --users=admin
args:
stdin: '{{ ipa_password }}'
register: member
failed_when:
- 'member.rc != 0 and "This entry is already a member" not in member.stdout'
- name: Reset admin password to apply pw-never-expires policy
shell: |
kinit admin
ipa user-mod admin --password
args:
stdin: |
{{ ipa_password }}
{{ ipa_password }}
- name: Add reverse zone for artificial hosts
shell: |
kinit admin
ipa --no-prompt dnszone-add --name-from-ip 10.255.251.0/24
args:
stdin: '{{ ipa_password }}'
- name: 'Check trust with other domains'
shell: |
kinit admin
ipa trust-find
args:
stdin: |
{{ ipa_password }}
register: trust
failed_when: False
- name: 'Setup trust with samba'
block:
- name: Set Samba facts (IPA)
set_fact:
samba_domain: "{{ '.'.join(hostvars[groups.samba.0].inventory_hostname.split('.')[1:]) }}"
samba_password: "{{ hostvars[groups.samba.0].ansible_password | default(service.ipa.password) }}"
- name: Debug Samba facts (IPA)
debug:
msg: 'Samba domain: "{{ samba_domain }}"'
- name: Run ipa trust-add
shell: |
kinit admin
ipa trust-add {{ samba_domain | quote }} --admin Administrator --password
args:
stdin: |
{{ ipa_password }}
{{ samba_password }}
when:
- 'samba_domain not in trust.stdout'
when:
- '"samba" in groups and groups["samba"]'
- join_samba
- trust_ipa_samba
- name: 'Setup trust with AD'
block:
- name: Set AD facts (IPA)
set_fact:
ad_domain: "{{ '.'.join(hostvars[groups.ad.0].inventory_hostname.split('.')[1:]) }}"
safe_password: "{{ service.ad.safe_password }}"
# TODO: range-type can be configurable ipa-ad-trust or ipa-ad-trust-posix
range_type: "--range-type=ipa-ad-trust"
- name: Debug AD facts (IPA)
debug:
msg: 'AD domain: "{{ ad_domain }}"'
- name: Run ipa trust-add
shell: |
kinit admin
ipa trust-add --type=ad {{ ad_domain | quote }} --admin Administrator --password {{ range_type }}
args:
stdin: |
{{ ipa_password }}
{{ safe_password }}
when:
- 'ad_domain not in trust.stdout'
- not trust_ipa_ad_two_way
- name: Run ipa trust-add (two-way)
shell: |
kinit admin
ipa trust-add --type=ad --two-way=true {{ ad_domain | quote }} --admin Administrator --password {{ range_type }}
args:
stdin: |
{{ ipa_password }}
{{ safe_password }}
when:
- 'ad_domain not in trust.stdout'
- trust_ipa_ad_two_way
when:
- '"ad" in groups and groups["ad"]'
- join_ad
- trust_ipa_ad