Infrastructure/ansible
1
0
Fork 0
Code Issues Pull requests 6 Projects Releases Packages Wiki Activity Actions

[ipa/server] Fix ansible-lint errors

Browse source 
Signed-off-by: Michal Konecny <mkonecny@redhat.com>
This commit is contained in:
Michal Konecny 2024-11-05 12:55:14 +01:00 committed by zlopez
parent b3a22d9049
commit 792bc60a8a
2 changed files with 224 additions and 160 deletions
Download patch file Download diff file Expand all files Collapse all files

342
roles/ipa/server/tasks/main.yml
View file

@ -1,9 +1,10 @@
--- ---
# Configuration for IPA # Configuration for IPA
- name: on rhel8 hosts enable the correct idm module - name: On rhel8 hosts enable the correct idm module
copy: ansible.builtin.copy:
src: "{{item}}" src: "{{ item }}"
dest: /etc/dnf/modules.d/{{item}} dest: /etc/dnf/modules.d/{{ item }}
mode: "0644"
with_items: with_items:
- 389-ds.module - 389-ds.module
- idm.module - idm.module
@ -14,8 +15,10 @@
- ipa/server - ipa/server
- config - config
- name: install needed packages - name: Install needed packages
package: name={{ item }} state=present ansible.builtin.package:
name: "{{ item }}"
state: present
with_items: with_items:
- haveged - haveged
- ipa-server - ipa-server
@ -28,62 +31,75 @@
# TODO: need pynag for monitoring, not yet in rhel9. # TODO: need pynag for monitoring, not yet in rhel9.
- name: enable haveged - name: Enable haveged
service: name=haveged state=started enabled=yes ansible.builtin.service:
name: haveged
state: started
enabled: yes
tags: tags:
- ipa/server - ipa/server
- config - config
- name: Copy LDIF file for working around annoying IPA bug in initial sync - name: Copy LDIF file for working around annoying IPA bug in initial sync
copy: src=fix_sasl.ldif dest=/usr/share/ipa/fix_sasl.ldif ansible.builtin.copy:
src: fix_sasl.ldif
dest: /usr/share/ipa/fix_sasl.ldif
mode: "0644"
tags: tags:
- ipa/server - ipa/server
- config - config
- name: install IPA - name: Install IPA
command: ipa-server-install ansible.builtin.command:
--realm={{ipa_realm}} argv:
--domain={{ipa_realm}} - ipa-server-install
--ds-password={{ipa_dm_password}} - --realm={{ ipa_realm }}
--admin-password={{ipa_admin_password}} - --domain={{ ipa_realm }}
--mkhomedir - --ds-password={{ ipa_dm_password }}
--no-ntp - --admin-password={{ ipa_admin_password }}
--unattended - --mkhomedir
--no-ssh - --no-ntp
--no-sshd - --unattended
--log-file=/var/log/ipainstall.log - --no-ssh
creates=/etc/ipa/default.conf - --no-sshd
- --log-file=/var/log/ipainstall.log
creates: /etc/ipa/default.conf
tags: tags:
- ipa/server - ipa/server
- config - config
when: ipa_initial and ansible_distribution_major_version|int > 8 and ansible_distribution == 'RedHat' when: >
ipa_initial and ansible_distribution_major_version|int > 8 and
ansible_distribution == 'RedHat'
- name: install IPA vault - name: Install IPA vault
command: ipa-kra-install ansible.builtin.command:
--password={{ipa_dm_password}} argv:
--unattended - ipa-kra-install
--log-file=/var/log/ipakrainstall.log - --password={{ ipa_dm_password }}
creates=/var/log/ipakrainstall.log - --unattended
- --log-file=/var/log/ipakrainstall.log
creates: /var/log/ipakrainstall.log
tags: tags:
- ipa/server - ipa/server
- config - config
when: ipa_initial when: ipa_initial
- name: Create LDIF directory - name: Create LDIF directory
file: ansible.builtin.file:
path: /root/ldif path: /root/ldif
state: directory state: directory
owner: root owner: root
group: root group: root
mode: 0750 mode: "0750"
tags: tags:
- ipa/server - ipa/server
- config - config
- name: Copy LDIF files - name: Copy LDIF files
copy: ansible.builtin.copy:
src: "{{item}}" src: "{{ item }}"
dest: /root/ldif/{{item}} dest: /root/ldif/{{ item }}
mode: "0644"
with_items: with_items:
- grant_anonymous_replication_view.ldif - grant_anonymous_replication_view.ldif
- grant_fas_sync.ldif - grant_fas_sync.ldif
@ -104,16 +120,18 @@
- ipa/server - ipa/server
- config - config
- name: ask admin if they are ok reinstalling this ipa server replica - name: Ask admin if they are OK reinstalling this ipa server replica
ansible.builtin.pause: ansible.builtin.pause:
prompt: "Do you want to reinstall replica for {{ item }} (ignored for master node and any node with /var/log/ipainstall.log)? (yes/no)" prompt: |
"Do you want to reinstall replica for {{ item }} "
"(ignored for master node and any node with /var/log/ipainstall.log)? (yes/no)"
register: confirm_replica register: confirm_replica
with_items: "{{ play_hosts }}" with_items: "{{ play_hosts }}"
tags: tags:
- ipa/server - ipa/server
- config - config
- name: save the confirmation results to other hosts - name: Save the confirmation results to other hosts
ansible.builtin.set_fact: ansible.builtin.set_fact:
confirm_replica: "{{ item.user_input }}" confirm_replica: "{{ item.user_input }}"
with_items: "{{ hostvars[play_hosts.0].confirm_replica.results }}" with_items: "{{ hostvars[play_hosts.0].confirm_replica.results }}"
@ -122,45 +140,7 @@
- ipa/server - ipa/server
- config - config
- name: configure replication - name: Configure replication
block:
# The ipa-client-install makes the ipa-replica-install fail
# on RHEL 9 with: "Your system is partly configured."
# This will clean the previous installation and allows
# the replica to be deployed.
- name: clean client installation
command: ipa-server-install
--uninstall
--unattended
when: ansible_distribution_major_version|int >= 9
- name: Get admin ticket on ipa master
shell: echo "{{ipa_admin_password}}" | kinit admin
delegate_to: "{{ ipa_server }}"
# Replication agreement needs to be removed from ipa cluster
# before installing the replica
- name: Remove the replication agreement for the replica
command: "ipa server-del --force {{ inventory_hostname }}"
delegate_to: "{{ ipa_server }}"
- name: deploy replica
command: ipa-replica-install
--setup-ca
--admin-password={{ipa_admin_password}}
--no-host-dns
--mkhomedir
--no-ntp
--unattended
--no-ssh
--no-sshd
--skip-conncheck
--force-join
--log-file=/var/log/ipainstall.log
--domain={{ipa_realm}}
--server={{ipa_server}}
--dirsrv-config-file=/root/ldif/replica-install.ldif
when: ansible_distribution_major_version|int >= 8
when: when:
- not ipa_initial - not ipa_initial
- not check_replica.stat.exists - not check_replica.stat.exists
@ -168,9 +148,58 @@
tags: tags:
- ipa/server - ipa/server
- config - config
block:
# The ipa-client-install makes the ipa-replica-install fail
# on RHEL 9 with: "Your system is partly configured."
# This will clean the previous installation and allows
# the replica to be deployed.
- name: Clean client installation
ansible.builtin.command:
argv:
- ipa-server-install
- --uninstall
- --unattended
changed_when: true
when: ansible_distribution_major_version|int >= 9
- name: Get admin ticket on ipa master
ansible.builtin.shell: set -o pipefail && echo "{{ ipa_admin_password }}" | kinit admin
delegate_to: "{{ ipa_server }}"
changed_when: false
# Replication agreement needs to be removed from ipa cluster
# before installing the replica
- name: Remove the replication agreement for the replica
ansible.builtin.command: "ipa server-del --force {{ inventory_hostname }}"
delegate_to: "{{ ipa_server }}"
changed_when: true
- name: Deploy replica
ansible.builtin.command:
argv:
- ipa-replica-install
- --setup-ca
- --admin-password={{ ipa_admin_password }}
- --no-host-dns
- --mkhomedir
- --no-ntp
- --unattended
- --no-ssh
- --no-sshd
- --skip-conncheck
- --force-join
- --log-file=/var/log/ipainstall.log
- --domain={{ ipa_realm }}
- --server={{ ipa_server }}
- --dirsrv-config-file=/root/ldif/replica-install.ldif
when: ansible_distribution_major_version|int >= 8
changed_when: true
- name: Disable rewrites - name: Disable rewrites
template: src=ipa-rewrite.conf dest=/etc/httpd/conf.d/ipa-rewrite.conf ansible.builtin.template:
src: ipa-rewrite.conf
dest: /etc/httpd/conf.d/ipa-rewrite.conf
mode: "0644"
notify: notify:
- reload httpd - reload httpd
tags: tags:
@ -178,7 +207,9 @@
- config - config
- name: Disable the compat tree - name: Disable the compat tree
shell: echo "{{ipa_dm_password}}" | ipa-compat-manage disable ansible.builtin.shell: |
set -o pipefail
echo "{{ ipa_dm_password }}" | ipa-compat-manage disable
tags: tags:
- ipa/server - ipa/server
- config - config
@ -189,7 +220,9 @@
- restart ipa - restart ipa
- name: Disable the nis tree - name: Disable the nis tree
shell: echo "{{ipa_dm_password}}" | ipa-nis-manage disable ansible.builtin.shell: |
set -o pipefail
echo "{{ ipa_dm_password }}" | ipa-nis-manage disable
tags: tags:
- ipa/server - ipa/server
- config - config
@ -200,7 +233,7 @@
- restart ipa - restart ipa
- name: Set the expiration date for the admin user - name: Set the expiration date for the admin user
ipauser: community.general.ipauser:
name: admin name: admin
password: "{{ ipa_admin_password }}" password: "{{ ipa_admin_password }}"
# Password expiration date will be a Friday 13th in 30 years. I'm sure we'll remember that. # Password expiration date will be a Friday 13th in 30 years. I'm sure we'll remember that.
@ -212,7 +245,10 @@
- config - config
- name: Get admin ticket - name: Get admin ticket
shell: echo "{{ipa_admin_password}}" | kinit admin ansible.builtin.shell: |
set -o pipefail
echo "{{ ipa_admin_password }}" | kinit admin
changed_when: false
tags: tags:
- ipa/server - ipa/server
- config - config
@ -257,7 +293,7 @@
# Set the default value back # Set the default value back
- name: Restore the default permission on user addressbook attributes - name: Restore the default permission on user addressbook attributes
command: ansible.builtin.command:
argv: argv:
- ipa - ipa
- permission-mod - permission-mod
@ -271,20 +307,20 @@
failed_when: "'no modifications to be performed' not in output.stderr and output.rc != 0" failed_when: "'no modifications to be performed' not in output.stderr and output.rc != 0"
- name: Configure password policy - name: Configure password policy
ipapwpolicy: community.general.ipa_pwpolicy:
minlife: 0 minpwdlife: 0
maxlife: 0 maxpwdlife: 0
history: 0 historylength: 0
minclasses: 0 minclasses: 0
minlength: 0 minlength: 0
maxfail: 0 maxfailcount: 0
ipaadmin_password: "{{ ipa_admin_password }}" ipa_pass: "{{ ipa_admin_password }}"
tags: tags:
- ipa/server - ipa/server
- config - config
- name: Create fas_sync user - name: Create fas_sync user
ipauser: community.general.ipauser:
name: fas_sync name: fas_sync
givenname: FAS givenname: FAS
sn: Sync sn: Sync
@ -296,31 +332,35 @@
# Certificate generation # Certificate generation
- name: Make a directory to store certificate profiles - name: Make a directory to store certificate profiles
file: ansible.builtin.file:
path: /etc/ipa/certprofiles path: /etc/ipa/certprofiles
state: directory state: directory
mode: "0755"
tags: tags:
- ipa/server - ipa/server
- config - config
- name: Warn admins that this is not the canonical source - name: Warn admins that this is not the canonical source
copy: ansible.builtin.copy:
dest: /etc/ipa/certprofiles/README dest: /etc/ipa/certprofiles/README
content: "This is just a dump of the server values, which are accessible with ipa certprofile-find" content: >
"This is just a dump of the server values, which are accessible with ipa certprofile-find"
mode: "0644"
tags: tags:
- ipa/server - ipa/server
- config - config
- name: Copy the certificate profile for users - name: Copy the certificate profile for users
template: ansible.builtin.template:
src: userCerts.conf src: userCerts.conf
dest: /etc/ipa/certprofiles/userCerts.conf dest: /etc/ipa/certprofiles/userCerts.conf
mode: "0644"
tags: tags:
- ipa/server - ipa/server
- config - config
- name: Create the certificate profile - name: Create the certificate profile
command: ansible.builtin.command:
argv: argv:
- ipa - ipa
- certprofile-import - certprofile-import
@ -336,7 +376,7 @@
failed_when: "'already exists' not in create_output.stderr and create_output.rc != 0" failed_when: "'already exists' not in create_output.stderr and create_output.rc != 0"
- name: Update the certificate profile - name: Update the certificate profile
command: ansible.builtin.command:
argv: argv:
- ipa - ipa
- certprofile-mod - certprofile-mod
@ -347,27 +387,30 @@
tags: tags:
- ipa/server - ipa/server
- config - config
changed_when: true
when: "ipa_initial and 'already exists' in create_output.stderr" when: "ipa_initial and 'already exists' in create_output.stderr"
# Create a new ACL linking the new profile and ipausers group (that all users are members of) # Create a new ACL linking the new profile and ipausers group (that all users are members of)
- name: Create the CA ACL for the new certificate profile - name: Create the CA ACL for the new certificate profile
command: ipa caacl-add userCerts ansible.builtin.command: ipa caacl-add userCerts
tags: tags:
- ipa/server - ipa/server
- config - config
register: output register: output
changed_when: "'already exists' not in output.stderr" changed_when: "'already exists' not in output.stderr"
failed_when: "'already exists' not in output.stderr and output.rc != 0" failed_when: "'already exists' not in output.stderr and output.rc != 0"
- name: Add the ipausers group to the CA ACL - name: Add the ipausers group to the CA ACL
command: ipa caacl-add-user userCerts --group ipausers ansible.builtin.command: ipa caacl-add-user userCerts --group ipausers
tags: tags:
- ipa/server - ipa/server
- config - config
register: output register: output
changed_when: "'is already a member' not in output.stdout" changed_when: "'is already a member' not in output.stdout"
failed_when: "'is already a member' not in output.stdout and output.rc != 0" failed_when: "'is already a member' not in output.stdout and output.rc != 0"
- name: Add the ipausers group to the CA ACL - name: Add the ipausers group to the CA ACL
command: ipa caacl-add-profile userCerts --certprofile userCerts ansible.builtin.command: ipa caacl-add-profile userCerts --certprofile userCerts
tags: tags:
- ipa/server - ipa/server
- config - config
@ -378,7 +421,8 @@
# HBAC # HBAC
- name: Don't allow all users to log into all hosts - name: Don't allow all users to log into all hosts
command: ipa hbacrule-disable allow_all ansible.builtin.command: ipa hbacrule-disable allow_all
changed_when: true
tags: tags:
- ipa/server - ipa/server
- config - config
@ -387,20 +431,23 @@
# Noggin user setup # Noggin user setup
- name: Register the proper noggin admin password - name: Register the proper noggin admin password
set_fact: ansible.builtin.set_fact:
noggin_password: "{{ (env == 'production')|ternary(noggin_admin_password, noggin_stg_admin_password) }}" noggin_password: >
"{{ (env == 'production') | ternary(noggin_admin_password, noggin_stg_admin_password) }}"
tags: tags:
- ipa/server - ipa/server
- config - config
- name: Create noggin user - name: Create noggin user
ipauser: community.general.ipauser:
name: noggin name: noggin
givenname: Noggin givenname: Noggin
sn: User sn: User
password: "{{ (env == 'production')|ternary(noggin_admin_password, noggin_stg_admin_password) }}" password: >
"{{ (env == 'production') | ternary(noggin_admin_password, noggin_stg_admin_password) }}"
# Password expiration date will be a Friday 13th in 30 years. I'm sure we'll remember that. # Password expiration date will be a Friday 13th in 30 years. I'm sure we'll remember that.
# (if unset, IPA will assume the password is expired because it hasn't been set by the user themselves) # (if unset, IPA will assume the password is expired because it hasn't been set by the user
# themselves)
passwordexpiration: "2050-05-13 00:00:00" passwordexpiration: "2050-05-13 00:00:00"
update_password: on_create update_password: on_create
userclass: system userclass: system
@ -410,7 +457,7 @@
- config - config
- name: Create the noggin privilege - name: Create the noggin privilege
command: ansible.builtin.command:
argv: argv:
- ipa - ipa
- privilege-add - privilege-add
@ -424,7 +471,7 @@
failed_when: "'already exists' not in output.stderr and output.rc != 0" failed_when: "'already exists' not in output.stderr and output.rc != 0"
- name: Setup the noggin privilege - name: Setup the noggin privilege
command: ansible.builtin.command:
argv: argv:
- ipa - ipa
- privilege-add-permission - privilege-add-permission
@ -446,7 +493,7 @@
failed_when: "'Number of permissions added 0' not in output.stdout and output.rc != 0" failed_when: "'Number of permissions added 0' not in output.stdout and output.rc != 0"
- name: Create the noggin role - name: Create the noggin role
ipa_role: community.general.ipa_role:
name: "Self-service Portal Administrator" name: "Self-service Portal Administrator"
description: "Noggin admin user" description: "Noggin admin user"
privilege: privilege:
@ -455,7 +502,7 @@
- noggin - noggin
ipa_host: "{{ inventory_hostname }}" ipa_host: "{{ inventory_hostname }}"
ipa_user: admin ipa_user: admin
ipa_pass: "{{ipa_admin_password}}" ipa_pass: "{{ ipa_admin_password }}"
validate_certs: no validate_certs: no
tags: tags:
- ipa/server - ipa/server
@ -474,7 +521,7 @@
# - krbPrincipalKey # - krbPrincipalKey
# - sambaLMPassword # - sambaLMPassword
# - sambaNTPassword # - sambaNTPassword
command: ansible.builtin.command:
argv: argv:
- ipa - ipa
- selfservice-add - selfservice-add
@ -504,7 +551,7 @@
# - cn # - cn
# - displayname # - displayname
# - gecos # - gecos
command: ansible.builtin.command:
argv: argv:
- ipa - ipa
- selfservice-add - selfservice-add
@ -527,7 +574,7 @@
# through Noggin: # through Noggin:
- name: Create the stage users managers privilege - name: Create the stage users managers privilege
command: ansible.builtin.command:
argv: argv:
- ipa - ipa
- privilege-add - privilege-add
@ -541,7 +588,7 @@
failed_when: "'already exists' not in output.stderr and output.rc != 0" failed_when: "'already exists' not in output.stderr and output.rc != 0"
- name: Setup the stage users managers privilege - name: Setup the stage users managers privilege
command: ansible.builtin.command:
argv: argv:
- ipa - ipa
- privilege-add-permission - privilege-add-permission
@ -557,7 +604,7 @@
failed_when: "'Number of permissions added 0' not in output.stdout and output.rc != 0" failed_when: "'Number of permissions added 0' not in output.stdout and output.rc != 0"
- name: Create the stage users managers role - name: Create the stage users managers role
ipa_role: community.general.ipa_role:
name: "Stage User Managers" name: "Stage User Managers"
description: "Manage registering users in Noggin" description: "Manage registering users in Noggin"
privilege: privilege:
@ -566,7 +613,7 @@
- sysadmin-main - sysadmin-main
ipa_host: "{{ inventory_hostname }}" ipa_host: "{{ inventory_hostname }}"
ipa_user: admin ipa_user: admin
ipa_pass: "{{ipa_admin_password}}" ipa_pass: "{{ ipa_admin_password }}"
validate_certs: no validate_certs: no
tags: tags:
- ipa/server - ipa/server
@ -575,7 +622,7 @@
# Add the missing topology segments that are missed during replication # Add the missing topology segments that are missed during replication
# Ignore any failure as that means that segment is already in place # Ignore any failure as that means that segment is already in place
- name: Add the missing segments for ca suffix - name: Add the missing segments for ca suffix
command: ansible.builtin.command:
argv: argv:
- ipa - ipa
- topologysegment-add - topologysegment-add
@ -583,8 +630,10 @@
- "--rightnode={{ item }}" - "--rightnode={{ item }}"
- "ca" - "ca"
- "{{ inventory_hostname + '-' + item }}" - "{{ inventory_hostname + '-' + item }}"
with_items: "{{ (env == 'production')|ternary(groups['ipa'], groups['ipa_stg']) }}" with_items: "{{ (env == 'production') | ternary(groups['ipa'], groups['ipa_stg']) }}"
ignore_errors: true ignore_errors: true # noqa ignore-errors
register: output
changed_when: "'Segment already exists' not in output.stdout"
tags: tags:
- ipa/server - ipa/server
- config - config
@ -592,7 +641,7 @@
# Add the missing topology segments that are missed during replication # Add the missing topology segments that are missed during replication
# Ignore any failure as that means that segment is already in place # Ignore any failure as that means that segment is already in place
- name: Add the missing segments for domain suffix - name: Add the missing segments for domain suffix
command: ansible.builtin.command:
argv: argv:
- ipa - ipa
- topologysegment-add - topologysegment-add
@ -600,14 +649,17 @@
- "--rightnode={{ item }}" - "--rightnode={{ item }}"
- "domain" - "domain"
- "{{ inventory_hostname + '-' + item }}" - "{{ inventory_hostname + '-' + item }}"
with_items: "{{ (env == 'production')|ternary(groups['ipa'], groups['ipa_stg']) }}" with_items: "{{ (env == 'production') | ternary(groups['ipa'], groups['ipa_stg']) }}"
ignore_errors: true ignore_errors: true # noqa ignore-errors
register: output
changed_when: "'Segment already exists' not in output.stdout"
tags: tags:
- ipa/server - ipa/server
- config - config
- name: Destroy admin ticket - name: Destroy admin ticket
command: kdestroy -A ansible.builtin.command: kdestroy -A
changed_when: true
tags: tags:
- ipa/server - ipa/server
- config - config
@ -620,13 +672,14 @@
mode: '0644' mode: '0644'
backup: yes backup: yes
- import_tasks: scripts.yml - name: Include script.yml
ansible.builin.import_tasks: scripts.yml
# User groups # User groups
- name: Set the members of the admin group - name: Set the members of the admin group
ipa_group: community.general.ipa_group:
name: admins name: admins
user: user:
- admin - admin
@ -634,7 +687,7 @@
- arrfab - arrfab
ipa_host: "{{ inventory_hostname }}" ipa_host: "{{ inventory_hostname }}"
ipa_user: admin ipa_user: admin
ipa_pass: "{{ipa_admin_password}}" ipa_pass: "{{ ipa_admin_password }}"
validate_certs: no validate_certs: no
tags: tags:
- ipa/server - ipa/server
@ -642,8 +695,8 @@
- name: Create the sysadmin-main group - name: Create the sysadmin-main group
ipagroup: community.general.ipa_group:
ipaadmin_password: "{{ ipa_admin_password }}" ipa_pass: "{{ ipa_admin_password }}"
name: sysadmin-main name: sysadmin-main
description: Fedora Main Sysadmin Group description: Fedora Main Sysadmin Group
tags: tags:
@ -653,8 +706,12 @@
# This is a special one, in that it needs to apply on each master since it's non-replicated. # This is a special one, in that it needs to apply on each master since it's non-replicated.
- name: Grant access to replication status - name: Grant access to replication status
command: ldapmodify -Y EXTERNAL -H {{ ipa_ldap_socket }} ansible.builin.command:
-f /root/ldif/{{item}} argv:
- ldapmodify
- -Y EXTERNAL
- -H {{ ipa_ldap_socket }}
- -f /root/ldif/{{ item }}
with_items: with_items:
- grant_anonymous_replication_view.ldif - grant_anonymous_replication_view.ldif
- grant_fas_sync.ldif - grant_fas_sync.ldif
@ -664,12 +721,16 @@
- config - config
register: grant_repl_status_output register: grant_repl_status_output
changed_when: "'Type or value exists' not in grant_repl_status_output.stderr" changed_when: "'Type or value exists' not in grant_repl_status_output.stderr"
failed_when: "'Type or value exists' not in grant_repl_status_output.stderr and 'modifying entry' not in grant_repl_status_output.stdout" failed_when: |
"'Type or value exists' not in grant_repl_status_output.stderr and
'modifying entry' not in grant_repl_status_output.stdout"
# Make some httpd changes # Make some httpd changes
- name: Configure referer override - name: Configure referer override
template: src=referer-override.conf ansible.builtin.template:
dest=/etc/httpd/conf.d/referer-override.conf src: referer-override.conf
dest: /etc/httpd/conf.d/referer-override.conf
mode: "0644"
notify: notify:
- reload apache - reload apache
tags: tags:
@ -677,9 +738,10 @@
- config - config
- name: Update xmlrpc_uri - name: Update xmlrpc_uri
lineinfile: dest=/etc/ipa/default.conf ansible.builtin.lineinfile:
regexp='xmlrpc_uri =' dest: /etc/ipa/default.conf
line='xmlrpc_uri = https://{{ inventory_hostname }}/ipa/xml' regexp: 'xmlrpc_uri ='
line: 'xmlrpc_uri = https://{{ inventory_hostname }}/ipa/xml'
tags: tags:
- ipa/server - ipa/server
- config - config
@ -688,7 +750,7 @@
# start it. If systemd starts it, it will run before IPA is available and # start it. If systemd starts it, it will run before IPA is available and
# KdcProxy will be disabled because it can't reach LDAP. # KdcProxy will be disabled because it can't reach LDAP.
- name: Disable the httpd service - name: Disable the httpd service
service: ansible.builtin.service:
name: httpd name: httpd
enabled: no enabled: no
tags: tags:
@ -696,25 +758,25 @@
- config - config
- name: Set cron for daily data only backups - name: Set cron for daily data only backups
copy: ansible.builtin.copy:
src: data-only-backup.sh src: data-only-backup.sh
dest: "/etc/cron.daily/data-only-backup.sh" dest: "/etc/cron.daily/data-only-backup.sh"
mode: 0755 mode: "0755"
tags: tags:
- ipa/server - ipa/server
- config - config
- name: Copy sweeper script to /usr/local/bin/ - name: Copy sweeper script to /usr/local/bin/
copy: ansible.builtin.copy:
src: sweeper.py src: sweeper.py
dest: /usr/local/bin/sweeper dest: /usr/local/bin/sweeper
mode: 0755 mode: "0755"
tags: tags:
- ipa/server - ipa/server
- config - config
- name: Set sweeper script on a cron schedule - name: Set sweeper script on a cron schedule
cron: ansible.builtin.cron:
name: "clean up mod_auth_gssapi tokens" name: "clean up mod_auth_gssapi tokens"
hour: "3" hour: "3"
minute: "0" minute: "0"

42
roles/ipa/server/tasks/scripts.yml
View file

@ -1,5 +1,6 @@
- name: install needed packages for scripts ---
package: - name: Install needed packages for scripts
ansible.builtin.package:
name: "{{ item }}" name: "{{ item }}"
state: present state: present
with_items: with_items:
@ -14,20 +15,20 @@
# Cleanup stage users # Cleanup stage users
# #
- name: Create the service for stage users - name: Create the service for stage users
include_role: ansible.builtin.include_role:
name: keytab/service name: "keytab/service" # noqa role-name[path]
apply: apply:
tags: tags:
- ipa/server - ipa/server
- config - config
- keytab - keytab
vars: vars:
host: "{{ ipa_server }}" host: "{{ ipa_server }}" # noqa: var-naming[no-role-prefix]
service: stage-users service: stage-users # noqa: var-naming[no-role-prefix]
- name: Create the Stage User Administrator role - name: Create the Stage User Administrator role
ipa_role: community.general.ipa_role:
name: "Stage User Administrator" name: "Stage User Administrator"
description: "Role for users that need to perform admin tasks on stage users." description: "Role for users that need to perform admin tasks on stage users."
privilege: privilege:
@ -36,7 +37,7 @@
- "stage-users/{{ ipa_server }}" - "stage-users/{{ ipa_server }}"
ipa_host: "{{ inventory_hostname }}" ipa_host: "{{ inventory_hostname }}"
ipa_user: admin ipa_user: admin
ipa_pass: "{{ipa_admin_password}}" ipa_pass: "{{ ipa_admin_password }}"
validate_certs: no validate_certs: no
run_once: yes run_once: yes
delegate_to: "{{ ipa_server }}" delegate_to: "{{ ipa_server }}"
@ -46,10 +47,10 @@
- name: Deploy the stage users cleanup script - name: Deploy the stage users cleanup script
copy: ansible.builtin.copy:
src: cleanup-stage-users.py src: cleanup-stage-users.py
dest: /etc/cron.daily/cleanup-stage-users dest: /etc/cron.daily/cleanup-stage-users
mode: 0755 mode: "0755"
# Only run the cron job on one server # Only run the cron job on one server
run_once: yes run_once: yes
delegate_to: "{{ ipa_server }}" delegate_to: "{{ ipa_server }}"
@ -62,11 +63,12 @@
# OTP check for sysadmins # OTP check for sysadmins
# #
- name: Copy file for checking if sysadmins have otp set - name: Copy file for checking if sysadmins have otp set
template: ansible.builtin.template:
src: check_sysadmin_otp.py.j2 src: check_sysadmin_otp.py.j2
dest: /root/check_sysadmin_otp.py dest: /root/check_sysadmin_otp.py
owner: root owner: root
group: root group: root
mode: "0644"
tags: tags:
- ipa/server - ipa/server
- otp_script - otp_script
@ -79,34 +81,34 @@
# a subrole of the collectd role. # a subrole of the collectd role.
# #
- name: Install and setup collectd-ipa - name: Install and setup collectd-ipa
# Only collect stats on one server
run_once: yes
delegate_to: "{{ ipa_server }}"
block: block:
- name: install collectd-ipa - name: Install collectd-ipa
package: ansible.builtin.package:
state: present state: present
name: python3-collectd-ipa name: python3-collectd-ipa
tags: tags:
- packages - packages
- collectd - collectd
- name: install collectd ipa config - name: Install collectd ipa config
template: ansible.builtin.template:
src: "ipa.collectd.conf.j2" src: "ipa.collectd.conf.j2"
dest: "/etc/collectd.d/ipa.conf" dest: "/etc/collectd.d/ipa.conf"
owner: root owner: root
group: root group: root
mode: 0640 mode: "0640"
tags: tags:
- collectd - collectd
- config - config
notify: restart collectd notify: restart collectd
- name: Let collectd talk to the RabbitMQ management interface - name: Let collectd talk to the RabbitMQ management interface
seboolean: ansible.posix.seboolean:
name: collectd_tcp_network_connect name: collectd_tcp_network_connect
state: yes state: yes
persistent: yes persistent: yes
tags: tags:
- collectd - collectd
# Only collect stats on one server
run_once: yes
delegate_to: "{{ ipa_server }}"