Added configuration for ipa server role (#1)
Reviewed-on: #1 Co-authored-by: Beth <ejparker@actcur.com> Co-committed-by: Beth <ejparker@actcur.com>
This commit is contained in:
parent
9cd50c112b
commit
72e4afa255
8 changed files with 110 additions and 9 deletions
|
|
@ -1,7 +1,7 @@
|
|||
role-ipa-server
|
||||
=========
|
||||
|
||||
A brief description of the role goes here.
|
||||
This role is used to build freeipa server
|
||||
|
||||
Requirements
|
||||
------------
|
||||
|
|
@ -11,7 +11,7 @@ No requirements
|
|||
Role Variables
|
||||
--------------
|
||||
|
||||
Server specific variables (i.e. mountpoint info) should be defined from the playbook-builder
|
||||
No role specific variables
|
||||
|
||||
Dependencies
|
||||
------------
|
||||
|
|
@ -23,8 +23,8 @@ Example Playbook Template
|
|||
|
||||
Playbook creation should be handled by playbook-builder. To include role in a playbook, add one of these lines (changing version/branch as needed) to the template with other core entries:
|
||||
|
||||
role:mount:v1.0:core,mount
|
||||
role:mount:testing:core,mount
|
||||
role:ipa-server:v1.0:workload,ipa-server
|
||||
role:ipa-server:testing:workload,ipa-server
|
||||
|
||||
License
|
||||
-------
|
||||
|
|
|
|||
|
|
@ -1,3 +1,3 @@
|
|||
#SPDX-License-Identifier: MIT-0
|
||||
---
|
||||
# defaults file for ${REPO_NAME}
|
||||
# defaults file forrole-ipa-server
|
||||
|
|
|
|||
16
files/replicate.sh
Normal file
16
files/replicate.sh
Normal file
|
|
@ -0,0 +1,16 @@
|
|||
read -s -p "Admin Password:" ADMIN_PASSWORD
|
||||
echo ""
|
||||
read -s -p "Directory Manager Password:" DM_PASSWORD
|
||||
echo ""
|
||||
read -p "Server to replicate (default ipa.actcur.com):" SERVER
|
||||
|
||||
if [ -z $SERVER ]
|
||||
then
|
||||
SERVER="ipa.actcur.com"
|
||||
fi
|
||||
|
||||
ipa-client-install -U -p admin -w $ADMIN_PASSWORD --server=$SERVER --domain actcur.com --mkhomedir --force-join
|
||||
|
||||
ipa-replica-install --skip-mem-check
|
||||
|
||||
ipa-ca-install -p $DM_PASSWORD
|
||||
36
files/setup-le.sh
Normal file
36
files/setup-le.sh
Normal file
|
|
@ -0,0 +1,36 @@
|
|||
FQDN=$(hostname -f)
|
||||
mkdir -p "/etc/ssl/$FQDN"
|
||||
|
||||
#get x1 root
|
||||
curl -o "/etc/ssl/$FQDN/x1.der" "https://x1.i.lencr.org"
|
||||
openssl x509 -inform der -in /etc/ssl/$FQDN/x1.der -out /etc/ssl/$FQDN/x1.pem
|
||||
|
||||
#get x2 root
|
||||
curl -o "/etc/ssl/$FQDN/x2.der" "https://x2.i.lencr.org"
|
||||
openssl x509 -inform der -in /etc/ssl/$FQDN/x2.der -out /etc/ssl/$FQDN/x2.pem
|
||||
|
||||
#get issuer
|
||||
openssl x509 -noout -text -in crt.pem | grep i.lencr.org | grep -Po http.+
|
||||
issuer=`openssl x509 -noout -text -in /etc/letsencrypt/live/$FQDN/fullchain.pem | grep Issuer | grep Encrypt | grep -Po "(?<=CN=).*" | tr '[:upper:]' '[:lower:]'`
|
||||
|
||||
curl -o "/etc/ssl/$FQDN/$issuer.der" "https://$issuer.i.lencr.org"
|
||||
openssl x509 -inform der -in /etc/ssl/$FQDN/$issuer.der -out /etc/ssl/$FQDN/$issuer.pem
|
||||
|
||||
|
||||
ipa-cacert-manage install "/etc/ssl/$FQDN/x1.pem"
|
||||
ipa-cacert-manage install "/etc/ssl/$FQDN/x2.pem"
|
||||
ipa-cacert-manage install "/etc/ssl/$FQDN/$issuer.pem"
|
||||
|
||||
ipa-certupdate
|
||||
|
||||
if ! [[ -L /var/lib/ipa/certs/httpd.crt ]]
|
||||
then
|
||||
mv /var/lib/ipa/certs/httpd.crt /var/lib/ipa/certs/httpd.crt.bak
|
||||
ln -s /etc/letsencrypt/live/$FQDN/cert.pem /var/lib/ipa/certs/httpd.crt
|
||||
fi
|
||||
|
||||
if ! [[ -L /var/lib/ipa/private/httpd.key ]]
|
||||
then
|
||||
mv /var/lib/ipa/private/httpd.key /var/lib/ipa/private/httpd.key.bak
|
||||
ln -s /etc/letsencrypt/live/$FQDN/privkey.pem /var/lib/ipa/private/httpd.key
|
||||
fi
|
||||
|
|
@ -1,3 +1,7 @@
|
|||
#SPDX-License-Identifier: MIT-0
|
||||
---
|
||||
# handlers file for ${REPO_NAME}
|
||||
# handlers file for role-ipa-server
|
||||
- name: restart httpd
|
||||
service:
|
||||
name: httpd
|
||||
state: restarted
|
||||
|
|
|
|||
|
|
@ -1,3 +1,48 @@
|
|||
#SPDX-License-Identifier: MIT-0
|
||||
---
|
||||
# tasks file for ${REPO_NAME}
|
||||
# tasks file for role-ipa-server
|
||||
- name: install freeipa-server
|
||||
ansible.builtin.package:
|
||||
name: freeipa-server
|
||||
state: present
|
||||
|
||||
- name: install ipa-server-dns
|
||||
ansible.builtin.package:
|
||||
name: ipa-server-dns
|
||||
state: present
|
||||
|
||||
#this should be moved to a dedicated firewall role down the road
|
||||
- name: permit ipa-server traffic through firewall
|
||||
ansible.posix.firewalld:
|
||||
service: freeipa-4
|
||||
state: enabled
|
||||
permanent: true
|
||||
immediate: true
|
||||
offline: true
|
||||
|
||||
- name: deploy replication script
|
||||
ansible.builtin.copy:
|
||||
src: files/replicate.sh
|
||||
dest: /scripts/replicate.sh
|
||||
|
||||
#this should be moved to dedicated selinux role down the road
|
||||
- name: Disable SELinux
|
||||
ansible.posix.selinux:
|
||||
state: disabled
|
||||
|
||||
# create letsencrypt setup script if certbot is enabled
|
||||
- name: check if letsencrypt is set up
|
||||
ansible.builtin.command: '[ -d "/etc/letsencrypt/" ]'
|
||||
register: result
|
||||
ignore_errors: true
|
||||
|
||||
- name: check if ipaserver is ready
|
||||
ansible.builtin.command: '[ -d "/var/lib/ipa/certs/" ]'
|
||||
register: result2
|
||||
ignore_errors: true
|
||||
|
||||
- name: deploy letsencrypt setup script
|
||||
ansible.builtin.copy:
|
||||
src: files/setup-le.sh
|
||||
dest: /scripts/setup-le.sh
|
||||
when: (result is succeeded) and (result2 is succeeded)
|
||||
|
|
@ -3,4 +3,4 @@
|
|||
- hosts: localhost
|
||||
remote_user: root
|
||||
roles:
|
||||
- ${REPO_NAME}
|
||||
- role-ipa-server
|
||||
|
|
|
|||
|
|
@ -1,3 +1,3 @@
|
|||
#SPDX-License-Identifier: MIT-0
|
||||
---
|
||||
# vars file for ${REPO_NAME}
|
||||
# vars file for role-ipa-server
|
||||
Loading…
Add table
Reference in a new issue