diff --git a/inventory/group_vars/ipa b/inventory/group_vars/ipa
index 03735b76fb..b97484dd21 100644
--- a/inventory/group_vars/ipa
+++ b/inventory/group_vars/ipa
@@ -1,12 +1,12 @@
 ---
-# Define resources for this group of hosts here.
+# Define resources for this group of hosts here.
 lvm_size: 30000
 mem_size: 6144
 num_cpus: 2
 tcp_ports: [ 80, 88, 389, 443, 464, 636 ]
-custom_rules: [
+custom_rules: [
 '-A INPUT -p udp -m udp -s 10.5.0.0/16 --dport 53 -j ACCEPT'
 ]
@@ -15,5 +15,6 @@
 fas_client_groups: sysadmin-main,sysadmin-accounts
 nrpe_procs_warn: 300
 nrpe_procs_crit: 500
+ipa_initial: false
 ipa_dm_password: "{{ ipa_prod_dm_password }}"
 ipa_ldap_socket: ldapi://%2fvar%2frun%2fslapd-FEDORAPROJECT-ORG.socket
diff --git a/inventory/host_vars/ipa01.phx2.fedoraproject.org b/inventory/host_vars/ipa01.phx2.fedoraproject.org
index 249e8708e3..c21c57a4e5 100644
--- a/inventory/host_vars/ipa01.phx2.fedoraproject.org
+++ b/inventory/host_vars/ipa01.phx2.fedoraproject.org
@@ -8,3 +8,4 @@ volgroup: /dev/vg_guests00
 eth0_ip: 10.5.126.162
 vmhost: virthost15.phx2.fedoraproject.org
 datacenter: phx2
+ipa_initial: true
diff --git a/inventory/host_vars/ipa01.stg.phx2.fedoraproject.org b/inventory/host_vars/ipa01.stg.phx2.fedoraproject.org
index 7e468de6e3..c42bc8d2f0 100644
--- a/inventory/host_vars/ipa01.stg.phx2.fedoraproject.org
+++ b/inventory/host_vars/ipa01.stg.phx2.fedoraproject.org
@@ -8,3 +8,4 @@ volgroup: /dev/vg_guests
 eth0_ip: 10.5.128.136
 vmhost: virthost04.stg.phx2.fedoraproject.org
 datacenter: phx2
+ipa_initial: true
diff --git a/roles/ipa/server/tasks/main.yml b/roles/ipa/server/tasks/main.yml
index 0b8c1379b0..c89ffdb2c3 100644
--- a/roles/ipa/server/tasks/main.yml
+++ b/roles/ipa/server/tasks/main.yml
@@ -38,7 +38,7 @@
 tags:
 - ipa/server
 - config
- when: inventory_hostname.startswith("ipa01")
+ when: ipa_initial
 - name: install IPA vault
 command: ipa-kra-install
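Review bot: `ipa_initial: false` is added without a comment saying what it controls, so the group default plus the two host-level overrides in this commit are the only description of the scheme. A line above it such as `# true on exactly one host per realm: the server that bootstraps IPA; all other hosts are installed as replicas of it` would make the overrides in the host_vars files self-explaining.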
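Review bot: `when: ipa_initial` turns a host's bootstrap role into a plain inventory flag, and nothing in the role checks that only one host of the play carries it; a second host with `ipa_initial: true` would run the bootstrap tasks, including the `ipa-kra-install` below, instead of the replica path. The same replacement is made in the hunks at old lines 49, 137, 153, 170, 180, 192 and 216 (negated at 57, 90, 98 and 121). An `assert` task at the top of the role checking that exactly one host of the play has `ipa_initial` true would fail fast on a mis-set inventory, and a role default of `ipa_initial: false` (Ansible `defaults/main.yml`) would cover hosts outside the `ipa` group, which otherwise presumably fail on an undefined variable in this condition. The task that owns this `when:` starts before the hunk.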
@@ -49,7 +49,7 @@
 tags:
 - ipa/server
 - config
- when: inventory_hostname.startswith("ipa01")
+ when: ipa_initial
 - name: determine whether we need to set up replication
 stat: path=/etc/ipa/default.conf
@@ -57,31 +57,29 @@
 tags:
 - ipa/server
 - config
- when: not inventory_hostname.startswith("ipa01")
+ when: not ipa_initial
 - name: create replica file
- delegate_to: ipa01.{{ item }}.fedoraproject.org
+ delegate_to: ipa01.phx2.fedoraproject.org
 command: ipa-replica-prepare --password={{ipa_dm_password}} --ip-address={{eth0_ip}} {{inventory_hostname}} creates=/var/lib/ipa/replica-info-{{inventory_hostname}}.gpg
- with_items: "{{ datacenter }}"
 tags:
 - ipa/server
 - config
- when: not inventory_hostname.startswith("ipa01") and not replication_status.stat.exists
+ when: not ipa_initial and not replication_status.stat.exists
 - name: retrieve replica file
- delegate_to: ipa01.{{ item }}.fedoraproject.org
- with_items: "{{ datacenter }}"
+ delegate_to: ipa01.phx2.fedoraproject.org
 fetch: src=/var/lib/ipa/replica-info-{{inventory_hostname}}.gpg dest=/tmp/ipa_replica_{{inventory_hostname}}.gpg flat=yes
 tags:
 - ipa/server
 - config
- when: not inventory_hostname.startswith("ipa01") and not replication_status.stat.exists
+ when: not ipa_initial and not replication_status.stat.exists
 - name: deploy replica file
 copy: src=/tmp/ipa_replica_{{inventory_hostname}}.gpg
@@ -90,7 +88,7 @@
 tags:
 - ipa/server
 - config
- when: not inventory_hostname.startswith("ipa01") and not replication_status.stat.exists
+ when: not ipa_initial and not replication_status.stat.exists
 - name: destroy replica file on ansible host
 delegate_to: localhost
@@ -98,7 +96,7 @@
 tags:
 - ipa/server
 - config
- when: not inventory_hostname.startswith("ipa01") and not replication_status.stat.exists
+ when: not ipa_initial and not replication_status.stat.exists
 - name: deploy replica
 command: ipa-replica-install
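Review bot: `delegate_to: ipa01.phx2.fedoraproject.org` pins replica preparation (and the `fetch` in the next task) to the production master, yet `ipa01.stg.phx2.fedoraproject.org` is also given `ipa_initial: true` in this commit, so a staging replica would be prepared against production rather than against the staging initial server. The old `ipa01.{{ item }}.fedoraproject.org` resolved to the same host because both host_vars files set `datacenter: phx2`, so this is pre-existing behaviour, but dropping the loop removes the only hook for separating the two environments; a group-level variable naming the master (for example `ipa_master_host`, set per environment) in place of the literal hostname keeps them apart. Separately, the unchanged `command: ipa-replica-prepare --password={{ipa_dm_password}} …` line puts the Directory Manager password on the command line and the task has no `no_log: true`, so it is shown in task output; the same applies to the `configure-ipa.sh {{ipa_admin_password}}` and `kinit admin` tasks in the hunk at old line 137. The `deploy replica file` task at the end of this hunk continues outside it.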
@@ -121,7 +119,7 @@
 tags:
 - ipa/server
 - config
- when: not inventory_hostname.startswith("ipa01") and not replication_status.stat.exists
+ when: not ipa_initial and not replication_status.stat.exists
 - name: Disable rewrites
 copy: src=ipa-rewrite.conf dest=/etc/httpd/conf.d/ipa-rewrite.conf
@@ -137,14 +135,14 @@
 tags:
 - ipa/server
 - config
- when: inventory_hostname.startswith("ipa01")
+ when: ipa_initial
 - name: Run configuration script
 command: /bin/bash /root/configure-ipa.sh {{ipa_admin_password}}
 tags:
 - ipa/server
 - config
- when: inventory_hostname.startswith("ipa01") and config_deployed.changed
+ when: ipa_initial and config_deployed.changed
 - name: Get admin ticket
 shell: echo "{{ipa_admin_password}}" | kinit admin
@@ -153,14 +151,14 @@
 - keytab
 - config
 - krb5
- when: inventory_hostname.startswith("ipa01")
+ when: ipa_initial
 - name: Create fas_sync user
 command: ipa user-add fas_sync --first=FAS --last=Sync
 tags:
 - ipa/server
 - config
- when: inventory_hostname.startswith("ipa01")
+ when: ipa_initial
 register: create_output
 changed_when: "'already exists' not in create_output.stderr"
 failed_when: "'already exists' not in create_output.stderr and create_output.rc != 0"
@@ -170,7 +168,7 @@
 tags:
 - ipa/server
 - config
- when: inventory_hostname.startswith("ipa01")
+ when: ipa_initial
 register: promote_output
 changed_when: "'already a member' not in promote_output.stdout"
 failed_when: "'already a member' not in promote_output.stdout and promote_output.rc != 0"
@@ -180,7 +178,7 @@
 tags:
 - ipa/server
 - config
- when: inventory_hostname.startswith("ipa01")
+ when: ipa_initial
 register: pwpolicy_output
 changed_when: "'no modifications to be performed' not in pwpolicy_output.stderr"
 failed_when: "'no modifications to be performed' not in pwpolicy_output.stderr and pwpolicy_output.rc != 0"
@@ -192,7 +190,7 @@
 - keytab
 - config
 - krb5
- when: inventory_hostname.startswith("ipa01")
+ when: ipa_initial
 - name: Create LDIF directory
 file: path=/root/ldif state=directory owner=root group=root mode=0750
@@ -216,7 +214,7 @@
 with_items:
 - grant_fas_sync
 - use_id_fp_o
- when: inventory_hostname.startswith("ipa01")
+ when: ipa_initial
 tags:
 - ipa/server
 - config