From 5c430461d9ebd8794b67dac1f3e047c75b50a9ca Mon Sep 17 00:00:00 2001 From: Beth Parker Date: Wed, 25 Dec 2024 21:49:42 -0600 Subject: [PATCH 01/16] Updated Readme --- README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 461ffae..4aa441c 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ role-ipa-server ========= -A brief description of the role goes here. +This role is used to build freeipa server Requirements ------------ @@ -11,7 +11,7 @@ No requirements Role Variables -------------- -Server specific variables (i.e. mountpoint info) should be defined from the playbook-builder +No role specific variables Dependencies ------------ @@ -23,8 +23,8 @@ Example Playbook Template Playbook creation should be handled by playbook-builder. To include role in a playbook, add one of these lines (changing version/branch as needed) to the template with other core entries: -role:mount:v1.0:core,mount -role:mount:testing:core,mount +role:ipa-server:v1.0:workload,ipa-server +role:ipa-server:testing:workload,ipa-server License ------- -- 2.49.0 From ad248d5666f8adfdc7d1853fa9d2af81b6ed25b4 Mon Sep 17 00:00:00 2001 From: Beth Parker Date: Wed, 25 Dec 2024 21:55:35 -0600 Subject: [PATCH 02/16] fixed variables that didn't get replaced from template --- defaults/main.yml | 2 +- handlers/main.yml | 2 +- tasks/main.yml | 2 +- tests/test.yml | 2 +- vars/main.yml | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index a0eb46b..b98a086 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,3 +1,3 @@ #SPDX-License-Identifier: MIT-0 --- -# defaults file for ${REPO_NAME} +# defaults file forrole-ipa-server diff --git a/handlers/main.yml b/handlers/main.yml index 192bcab..7dc8980 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -1,3 +1,3 @@ #SPDX-License-Identifier: MIT-0 --- -# handlers file for ${REPO_NAME} +# handlers file for role-ipa-server 
diff --git a/tasks/main.yml b/tasks/main.yml index 0482006..c5f3690 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -1,3 +1,3 @@ #SPDX-License-Identifier: MIT-0 --- -# tasks file for ${REPO_NAME} +# tasks file for role-ipa-server \ No newline at end of file diff --git a/tests/test.yml b/tests/test.yml index a1c8646..7e88656 100644 --- a/tests/test.yml +++ b/tests/test.yml @@ -3,4 +3,4 @@ - hosts: localhost remote_user: root roles: - - ${REPO_NAME} + - role-ipa-server diff --git a/vars/main.yml b/vars/main.yml index f31a73e..83e9f8b 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -1,3 +1,3 @@ #SPDX-License-Identifier: MIT-0 --- -# vars file for ${REPO_NAME} +# vars file for role-ipa-server \ No newline at end of file -- 2.49.0 From 7bf624aca0bfd7f0991c33c9e71690c401235925 Mon Sep 17 00:00:00 2001 From: Beth Date: Fri, 28 Mar 2025 15:03:30 -0500 Subject: [PATCH 03/16] added replica script, https symlink, and ipactl handler (might need to change) --- files/replicate.sh | 12 +++++++++++ handlers/main.yml | 4 ++++ tasks/main.yml | 54 +++++++++++++++++++++++++++++++++++++++++++++- 3 files changed, 69 insertions(+), 1 deletion(-) create mode 100644 files/replicate.sh diff --git a/files/replicate.sh b/files/replicate.sh new file mode 100644 index 0000000..959ef49 --- /dev/null +++ b/files/replicate.sh @@ -0,0 +1,12 @@ +read -s -p "Admin Password:" ADMIN_PASSWORD +echo "" +read -p "Server to replicate (default ipa.actcur.com):" SERVER + +if [ -z $SERVER ] +then + SERVER="ipa.actcur.com" +fi + +ipa-client-install -U -p admin -w $ADMIN_PASSWORD --server=ipa-replica2.actcur.com --domain actcur.com --mkhomedir --force-join + +ipa-replica-install --skip-mem-check \ No newline at end of file diff --git a/handlers/main.yml b/handlers/main.yml index 7dc8980..53071c3 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -1,3 +1,7 @@ #SPDX-License-Identifier: MIT-0 --- # handlers file for role-ipa-server +- name: restart ipactl + service: + name: ipactl + state: restarted 
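Review bot: In the new `files/replicate.sh` the admin password is handed to `ipa-client-install` on the command line (`-w $ADMIN_PASSWORD`), which exposes it to every local user via `ps`/`/proc/*/cmdline` for as long as the join runs; as I recall `ipa-client-install -p admin -W` prompts for the password itself (also with `-U`), so the `read -s` and the `-w` flag can go. Both `$SERVER` and `$ADMIN_PASSWORD` are unquoted (`[ -z $SERVER ]`, `-w $ADMIN_PASSWORD`), so a password or hostname containing whitespace or glob characters is split or expanded by the shell; write `[ -z "$SERVER" ]` and quote every expansion. The script has no shebang and no `set -euo pipefail`, so `ipa-replica-install --skip-mem-check` runs even when the client join failed, leaving a half-enrolled host. `--force-join` silently re-enrols a host that already exists in the realm, which is worth a comment such as `# --force-join: re-use an existing host entry when rebuilding a replica` so the next maintainer knows it is intentional.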
diff --git a/tasks/main.yml b/tasks/main.yml index c5f3690..419fb1d 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -1,3 +1,55 @@ #SPDX-License-Identifier: MIT-0 --- -# tasks file for role-ipa-server \ No newline at end of file +# tasks file for role-ipa-server +- name: install freeipa-server + ansible.builtin.package: + name: freeipa-server + state: present + +- name: install ipa-server-dns + ansible.builtin.package: + name: ipa-server-dns + state: present + +#this should be moved to a dedicated firewall role down the road +- name: permit ipa-server traffic through firewall + ansible.builtin.package: + service: freeipa-4 + state: enabled + permanent: true + immediate: true + offline: true + +- name: deploy replication script + ansible.builtin.copy: + src: files/replicate.sh + dest: /scripts/replicate.sh + +# create symlink for certs if letsencrypt is set up +- name: check if letsencrypt is set up + ansible.builtin.command: '[ -d "/etc/letsencrypt/" ]' + register: result + ignore_errors: true + +- name: check if ipaserver is ready + ansible.builtin.command: '[ -d "/var/lib/ipa/certs/" ]' + register: result2 + ignore_errors: true + +- name: create symlink for certificate + ansible.builtin.file: + src: /etc/letsencrypt/live + dest: /var/lib/ipa/certs/httpd.crt + state: link + force: yes + when: (result is succeeded) and (result2 is succeeded) + notify: restart ipactl + +- name: create symlink for private key + ansible.builtin.file: + src: /etc/letsencrypt/live + dest: /var/lib/ipa/private/httpd.key + state: link + force: yes + when: (result is succeeded) and (result2 is succeeded) + notify: restart ipactl -- 2.49.0 From 6a7e8b1e683a97f20e22f86bd316c7849ce2b0f4 Mon Sep 17 00:00:00 2001 From: Beth Date: Fri, 28 Mar 2025 15:41:38 -0500 Subject: [PATCH 04/16] fixed firewalld --- tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/main.yml b/tasks/main.yml index 419fb1d..18a2474 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
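Review bot: The `deploy replication script` task copies `replicate.sh` to `/scripts/replicate.sh` with no `mode`/`owner`, so the file's permissions fall out of the remote umask and it is not executable, and `ansible.builtin.copy` fails outright when `/scripts` does not exist, which nothing in this role creates. Add a preceding `ansible.builtin.file: {path: /scripts, state: directory, owner: root, mode: "0750"}` and set `owner: root` and `mode: "0750"` on the copy so only root can read and run the script that prompts for the admin password. The two `ansible.builtin.command: '[ -d ... ]'` probes with `ignore_errors: true` only work because coreutils ships a `[` binary and they print a red "failed" on every run; `ansible.builtin.stat: path: /etc/letsencrypt` with `register: le_dir` and `when: le_dir.stat.isdir | default(false)` is the idiomatic, check-mode-safe form. `force: yes` should be `force: true` per the Ansible YAML convention.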
@@ -13,7 +13,7 @@ #this should be moved to a dedicated firewall role down the road - name: permit ipa-server traffic through firewall - ansible.builtin.package: + ansible.posix.firewalld: service: freeipa-4 state: enabled permanent: true -- 2.49.0 From 41e6d1e78d27b994c2ed4fe5d48f9557b326e6bc Mon Sep 17 00:00:00 2001 From: Beth Date: Fri, 28 Mar 2025 15:45:19 -0500 Subject: [PATCH 05/16] switch to restarting httpd rather than trying to restart all freeipa services --- handlers/main.yml | 4 ++-- tasks/main.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index 53071c3..a28e14e 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -1,7 +1,7 @@ #SPDX-License-Identifier: MIT-0 --- # handlers file for role-ipa-server -- name: restart ipactl +- name: restart httpd service: - name: ipactl + name: httpd state: restarted diff --git a/tasks/main.yml b/tasks/main.yml index 18a2474..11019b9 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -43,7 +43,7 @@ state: link force: yes when: (result is succeeded) and (result2 is succeeded) - notify: restart ipactl + notify: restart httpd - name: create symlink for private key ansible.builtin.file: @@ -52,4 +52,4 @@ state: link force: yes when: (result is succeeded) and (result2 is succeeded) - notify: restart ipactl + notify: restart httpd -- 2.49.0 From a51a192262e2f8f52b9b8037ab91d594365a998f Mon Sep 17 00:00:00 2001 From: Beth Date: Fri, 28 Mar 2025 15:52:43 -0500 Subject: [PATCH 06/16] fix cert symlink --- tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 11019b9..50564dd 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -38,7 +38,7 @@ - name: create symlink for certificate ansible.builtin.file: - src: /etc/letsencrypt/live + src: "/etc/letsencrypt/live/{{ansible_fqdn}}/cert.pem" dest: /var/lib/ipa/certs/httpd.crt state: link force: yes 
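Review bot: The `freeipa-4` firewalld service covers the LDAP/LDAPS, Kerberos and HTTP(S) ports but, as far as I recall, not DNS, while this same file installs `ipa-server-dns`; if the integrated DNS is used, clients cannot reach port 53 and the role silently ships a half-opened server. Make the task loop over the services it actually needs, e.g. `service: "{{ item }}"` with `loop: ["freeipa-4", "dns"]`, or add a note such as `# DNS is not part of freeipa-4; open it here if ipa-server-dns is configured` explaining why only one service is opened.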
@@ -47,7 +47,7 @@ - name: create symlink for private key ansible.builtin.file: - src: /etc/letsencrypt/live + src: "/etc/letsencrypt/live/{{ansible_fqdn}}/privkey.pem" dest: /var/lib/ipa/private/httpd.key state: link force: yes -- 2.49.0 From c8cf3eb3a14d976f49c325f29b404c88c5339d0b Mon Sep 17 00:00:00 2001 From: Beth Date: Fri, 28 Mar 2025 16:29:59 -0500 Subject: [PATCH 07/16] disable selinux --- files/replicate.sh | 4 +++- tasks/main.yml | 4 ++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/files/replicate.sh b/files/replicate.sh index 959ef49..e312d01 100644 --- a/files/replicate.sh +++ b/files/replicate.sh @@ -9,4 +9,6 @@ fi ipa-client-install -U -p admin -w $ADMIN_PASSWORD --server=ipa-replica2.actcur.com --domain actcur.com --mkhomedir --force-join -ipa-replica-install --skip-mem-check \ No newline at end of file +ipa-replica-install --skip-mem-check + +ipa-ca-install \ No newline at end of file diff --git a/tasks/main.yml b/tasks/main.yml index 50564dd..51e024e 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -25,6 +25,10 @@ src: files/replicate.sh dest: /scripts/replicate.sh +- name: Disable SELinux + ansible.posix.selinux: + state: disabled + # create symlink for certs if letsencrypt is set up - name: check if letsencrypt is set up ansible.builtin.command: '[ -d "/etc/letsencrypt/" ]' -- 2.49.0 From 0c5ea84c46e43bd3b16d4185c3511e9130f6f6a3 Mon Sep 17 00:00:00 2001 From: Beth Date: Fri, 28 Mar 2025 16:30:25 -0500 Subject: [PATCH 08/16] disable selinux --- tasks/main.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tasks/main.yml b/tasks/main.yml index 51e024e..ab0b754 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
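Review bot: `ansible.posix.selinux: state: disabled` permanently turns SELinux off on the identity server, the host whose compromise yields every credential in the domain, and FreeIPA is supported and tested with SELinux enforcing, so a denial should be fixed with a boolean or a small local module rather than by disabling the policy for everything. If the trigger is the Let's Encrypt symlinks into `/etc/letsencrypt` (the only non-stock paths in this role; inferred, not visible here), copying the files into `/var/lib/ipa` and running `restorecon` is the usual fix. If the host genuinely cannot run enforcing yet, prefer `state: permissive` with `policy: targeted` so denials still land in `audit.log` and can be converted to a policy, and document that the module only edits `/etc/selinux/config`, so `disabled` takes effect only after a reboot. The `ipa-ca-install` added to `replicate.sh` in the same commit runs unconditionally with no error handling, so re-running the script on a replica that already has a CA fails partway; guard it or state in a comment that the script is single-shot.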
@@ -25,10 +25,11 @@ src: files/replicate.sh dest: /scripts/replicate.sh +#this should be moved to dedicated selinux role down the road - name: Disable SELinux ansible.posix.selinux: state: disabled - + # create symlink for certs if letsencrypt is set up - name: check if letsencrypt is set up ansible.builtin.command: '[ -d "/etc/letsencrypt/" ]' -- 2.49.0 From 15f61dcedfe336009f8fcac89376f9fbdc03f3b6 Mon Sep 17 00:00:00 2001 From: Beth Date: Fri, 28 Mar 2025 16:32:23 -0500 Subject: [PATCH 09/16] removed accidental temporary lines --- files/replicate.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/files/replicate.sh b/files/replicate.sh index e312d01..7afc67c 100644 --- a/files/replicate.sh +++ b/files/replicate.sh @@ -11,4 +11,4 @@ ipa-client-install -U -p admin -w $ADMIN_PASSWORD --server=ipa-replica2.actcur.c ipa-replica-install --skip-mem-check -ipa-ca-install \ No newline at end of file +ipa-ca-install -- 2.49.0 From 2cc83d5410591db5cb43a0662e1db043fc9af303 Mon Sep 17 00:00:00 2001 From: Beth Date: Sat, 29 Mar 2025 22:06:03 -0500 Subject: [PATCH 10/16] added setup-le script --- files/setup-le.sh | 24 ++++++++++++++++++++++++ tasks/main.yml | 5 +++++ 2 files changed, 29 insertions(+) create mode 100644 files/setup-le.sh diff --git a/files/setup-le.sh b/files/setup-le.sh new file mode 100644 index 0000000..811f056 --- /dev/null +++ b/files/setup-le.sh 
@@ -0,0 +1,24 @@ +FQDN=$(hostname -f) +mkdir -p "/etc/ssl/$FQDN" + +#get x1 root +curl -o "/etc/ssl/$FQDN/x1.der" "https://x1.i.lencr.org" +openssl x509 -inform der -in /etc/ssl/$FQDN/x1.der -out /etc/ssl/$FQDN/x1.pem + +#get x2 root +curl -o "/etc/ssl/$FQDN/x2.der" "https://x2.i.lencr.org" +openssl x509 -inform der -in /etc/ssl/$FQDN/x2.der -out /etc/ssl/$FQDN/x2.pem + +#get issuer +openssl x509 -noout -text -in crt.pem | grep i.lencr.org | grep -Po http.+ +issuer=`openssl x509 -noout -text -in /etc/letsencrypt/live/$FQDN/fullchain.pem | grep Issuer | grep Encrypt | grep -Po "(?<=CN=).*" | tr '[:upper:]' '[:lower:]'` + +curl -o "/etc/ssl/$FQDN/$issuer.der" "https://$issuer.i.lencr.org" +openssl x509 -inform der -in /etc/ssl/$FQDN/$issuer.der -out /etc/ssl/$FQDN/$issuer.pem + + +ipa-cacert-manage install "/etc/ssl/$FQDN/x1.pem" +ipa-cacert-manage install "/etc/ssl/$FQDN/x2.pem" +ipa-cacert-manage install "/etc/ssl/$FQDN/$issuer.pem" + +ipa-certupdate \ No newline at end of file diff --git a/tasks/main.yml b/tasks/main.yml index ab0b754..0ecb4f2 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -25,6 +25,11 @@ src: files/replicate.sh dest: /scripts/replicate.sh +- name: deploy letsencrypt setup script + ansible.builtin.copy: + src: files/setup-le.sh + dest: /scripts/setup-le.sh + #this should be moved to dedicated selinux role down the road - name: Disable SELinux ansible.posix.selinux: -- 2.49.0 From 65aa543a1e5b8b9314cb8dad86977dd349992f72 Mon Sep 17 00:00:00 2001 From: Beth Date: Sat, 29 Mar 2025 22:09:08 -0500 Subject: [PATCH 11/16] deploy/trigger le setup script only if certbot is set up --- tasks/main.yml | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 0ecb4f2..bbd4dbe 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
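Review bot: `setup-le.sh` downloads the Let's Encrypt root and issuing certificates at run time and installs them as IPA trust anchors with `ipa-cacert-manage install` without checking what it received: `curl` runs without `-f`, so an HTTP error page is written to `x1.der` and passed to `openssl`, nothing compares the certificates' fingerprints to expected values, and an empty `$issuer` turns the third URL into `https://.i.lencr.org`, so the only thing standing between the download and every IPA client's trust store (after `ipa-certupdate`) is that single TLS connection. ISRG Root X1/X2 are already present in the package-managed `ca-certificates` bundle on the host, so extract them from the system trust store instead of fetching them; if the download stays, pin the expected `openssl x509 -noout -fingerprint -sha256` value for each file and abort on mismatch, and call `curl -fsS --proto '=https' -o ...`. Add a shebang and `set -euo pipefail` so a failed fetch or an empty `issuer` stops the script before the `ipa-cacert-manage` calls. The line `openssl x509 -noout -text -in crt.pem | grep i.lencr.org | grep -Po http.+` reads a `crt.pem` from the current directory and its output is unused, which looks like a leftover debugging line; remove it. `ipa-cacert-manage` prompts for the Directory Manager password, so the script is interactive and must run after `ipa-server-install`; state that in a header comment.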
@@ -25,11 +25,6 @@ src: files/replicate.sh dest: /scripts/replicate.sh -- name: deploy letsencrypt setup script - ansible.builtin.copy: - src: files/setup-le.sh - dest: /scripts/setup-le.sh - #this should be moved to dedicated selinux role down the road - name: Disable SELinux ansible.posix.selinux: @@ -46,6 +41,18 @@ register: result2 ignore_errors: true +- name: deploy letsencrypt setup script + ansible.builtin.copy: + src: files/setup-le.sh + dest: /scripts/setup-le.sh + when: (result is succeeded) and (result2 is succeeded) + +- name: run letsencrypt setup script + ansible.builtin.script: + cmd: /scripts/setup-le.sh + when: (result is succeeded) and (result2 is succeeded) + + - name: create symlink for certificate ansible.builtin.file: src: "/etc/letsencrypt/live/{{ansible_fqdn}}/cert.pem" -- 2.49.0 From 4e36a42e24487efaa44dbffec3e330c94e02106b Mon Sep 17 00:00:00 2001 From: Beth Date: Sat, 29 Mar 2025 22:38:19 -0500 Subject: [PATCH 12/16] fix replicate script, remove setup-le run from tasks - has to be done after server install --- files/replicate.sh | 2 +- tasks/main.yml | 6 ------ 2 files changed, 1 insertion(+), 7 deletions(-) diff --git a/files/replicate.sh b/files/replicate.sh index 7afc67c..0d57064 100644 --- a/files/replicate.sh +++ b/files/replicate.sh @@ -7,7 +7,7 @@ then SERVER="ipa.actcur.com" fi -ipa-client-install -U -p admin -w $ADMIN_PASSWORD --server=ipa-replica2.actcur.com --domain actcur.com --mkhomedir --force-join +ipa-client-install -U -p admin -w $ADMIN_PASSWORD --server=$SERVER --domain actcur.com --mkhomedir --force-join ipa-replica-install --skip-mem-check diff --git a/tasks/main.yml b/tasks/main.yml index bbd4dbe..2c61477 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
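Review bot: `--server=$SERVER` is unquoted, so the value read from the prompt is word-split and glob-expanded before `ipa-client-install` sees it; write `--server="$SERVER"`. The domain stays hard-coded as `--domain actcur.com` while the server is now user-supplied, so pointing at a server in another domain silently enrols into the wrong realm; derive it, e.g. `--domain "${SERVER#*.}"`, or validate that `$SERVER` ends in the expected domain before continuing.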
@@ -47,12 +47,6 @@ dest: /scripts/setup-le.sh when: (result is succeeded) and (result2 is succeeded) -- name: run letsencrypt setup script - ansible.builtin.script: - cmd: /scripts/setup-le.sh - when: (result is succeeded) and (result2 is succeeded) - - - name: create symlink for certificate ansible.builtin.file: src: "/etc/letsencrypt/live/{{ansible_fqdn}}/cert.pem" -- 2.49.0 From 2d834f028d93f2953d29b7dbdbdc7442678e9987 Mon Sep 17 00:00:00 2001 From: Beth Date: Sat, 29 Mar 2025 22:51:11 -0500 Subject: [PATCH 13/16] added dm password to replication script --- files/replicate.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/files/replicate.sh b/files/replicate.sh index 0d57064..70bb23c 100644 --- a/files/replicate.sh +++ b/files/replicate.sh @@ -1,4 +1,5 @@ read -s -p "Admin Password:" ADMIN_PASSWORD +read -s -p "Directory Manager Password:" DM_PASSWORD echo "" read -p "Server to replicate (default ipa.actcur.com):" SERVER @@ -11,4 +12,4 @@ ipa-client-install -U -p admin -w $ADMIN_PASSWORD --server=$SERVER --domain actc ipa-replica-install --skip-mem-check -ipa-ca-install +ipa-ca-install -p $DM_PASSWORD -- 2.49.0 From 665b64c8788e1bff22916253c2ca875cf4708148 Mon Sep 17 00:00:00 2001 From: Beth Date: Sat, 29 Mar 2025 23:08:22 -0500 Subject: [PATCH 14/16] moved symlink creation to le setup script --- files/setup-le.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/files/setup-le.sh b/files/setup-le.sh index 811f056..925c1e3 100644 --- a/files/setup-le.sh +++ b/files/setup-le.sh @@ -21,4 +21,6 @@ ipa-cacert-manage install "/etc/ssl/$FQDN/x1.pem" ipa-cacert-manage install "/etc/ssl/$FQDN/x2.pem" ipa-cacert-manage install "/etc/ssl/$FQDN/$issuer.pem" +systemctl restart httpd + ipa-certupdate \ No newline at end of file -- 2.49.0 From 96b9da0e5e07012701d45f6cce934ccdea98eba7 Mon Sep 17 00:00:00 2001 
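Review bot: `ipa-ca-install -p $DM_PASSWORD` puts the Directory Manager password, the most privileged credential in the deployment, into the process argument list, where any local user can read it from `ps` or `/proc/<pid>/cmdline` for the several minutes the CA install runs. `ipa-ca-install` prompts for the DM password itself when `-p` is omitted, so drop the flag and the `read -s -p "Directory Manager Password:"` line; if it must stay scripted, at least quote it, `ipa-ca-install -p "$DM_PASSWORD"`, so a password containing spaces or metacharacters is not split by the shell.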
From: Beth Date: Sat, 29 Mar 2025 23:08:47 -0500 Subject: [PATCH 15/16] moved symlink creation to le setup script --- files/setup-le.sh | 14 ++++++++++++-- tasks/main.yml | 22 ++-------------------- 2 files changed, 14 insertions(+), 22 deletions(-) diff --git a/files/setup-le.sh b/files/setup-le.sh index 925c1e3..72052e8 100644 --- a/files/setup-le.sh +++ b/files/setup-le.sh @@ -21,6 +21,16 @@ ipa-cacert-manage install "/etc/ssl/$FQDN/x1.pem" ipa-cacert-manage install "/etc/ssl/$FQDN/x2.pem" ipa-cacert-manage install "/etc/ssl/$FQDN/$issuer.pem" -systemctl restart httpd +ipa-certupdate -ipa-certupdate \ No newline at end of file +if ! [[ -L /var/lib/ipa/certs/httpd.crt ]] +then + mv /var/lib/ipa/certs/httpd.crt /var/lib/ipa/certs/httpd.crt.bak + ln -s /etc/letsencrypt/live/$FQDN/cert.pem /var/lib/ipa/certs/httpd.crt +fi + +if ! [[ -L /var/lib/ipa/private/httpd.key ]] +then + mv /var/lib/ipa/private/httpd.key /var/lib/ipa/private/httpd.key.bak + ln -s /etc/letsencrypt/live/$FQDN/privkey.pem /var/lib/ipa/private/httpd.key +fi \ No newline at end of file diff --git a/tasks/main.yml b/tasks/main.yml index 2c61477..ae8a3a2 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -30,7 +30,7 @@ ansible.posix.selinux: state: disabled -# create symlink for certs if letsencrypt is set up +# create letsencrypt setup script if certbot is enabled - name: check if letsencrypt is set up ansible.builtin.command: '[ -d "/etc/letsencrypt/" ]' register: result 
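Review bot: Replacing `/var/lib/ipa/certs/httpd.crt` and `/var/lib/ipa/private/httpd.key` with symlinks into `/etc/letsencrypt/live` bypasses IPA's own certificate management: as far as I recall both paths are tracked by certmonger (`ipa-getcert list`), so on the next renewal it will write the IPA-issued cert and key through the symlinks into `/etc/letsencrypt/archive`, clobbering certbot's key, or fail and leave httpd in a mixed state. The supported route, once the chain is trusted, is `ipa-server-certinstall -w /etc/letsencrypt/live/$FQDN/privkey.pem /etc/letsencrypt/live/$FQDN/cert.pem`, which installs the files and updates the tracking; if the symlinks stay, run `ipa-getcert stop-tracking` on those paths first and say so in a comment. The `mv ... .bak` calls have no existence check and leave the previous private key on disk under its original mode, and with `systemctl restart httpd` removed in this hunk nothing reloads httpd after the swap, so the old certificate keeps being served until the next restart. The script also still lacks `set -euo pipefail`, so a failed `mv` is followed by `ln -s` regardless.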
@@ -45,22 +45,4 @@ ansible.builtin.copy: src: files/setup-le.sh dest: /scripts/setup-le.sh - when: (result is succeeded) and (result2 is succeeded) - -- name: create symlink for certificate - ansible.builtin.file: - src: "/etc/letsencrypt/live/{{ansible_fqdn}}/cert.pem" - dest: /var/lib/ipa/certs/httpd.crt - state: link - force: yes - when: (result is succeeded) and (result2 is succeeded) - notify: restart httpd - -- name: create symlink for private key - ansible.builtin.file: - src: "/etc/letsencrypt/live/{{ansible_fqdn}}/privkey.pem" - dest: /var/lib/ipa/private/httpd.key - state: link - force: yes - when: (result is succeeded) and (result2 is succeeded) - notify: restart httpd + when: (result is succeeded) and (result2 is succeeded) \ No newline at end of file -- 2.49.0 From 0106e1e3b6eb7598ff606418f67b958ca6672090 Mon Sep 17 00:00:00 2001 From: Beth Date: Sat, 29 Mar 2025 23:32:59 -0500 Subject: [PATCH 16/16] added newline between asking for passwords --- files/replicate.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/files/replicate.sh b/files/replicate.sh index 70bb23c..e77de83 100644 --- a/files/replicate.sh +++ b/files/replicate.sh @@ -1,4 +1,5 @@ read -s -p "Admin Password:" ADMIN_PASSWORD +echo "" read -s -p "Directory Manager Password:" DM_PASSWORD echo "" read -p "Server to replicate (default ipa.actcur.com):" SERVER -- 2.49.0