Added configuration for ipa server role #1
8 changed files with 110 additions and 9 deletions
|
@ -1,7 +1,7 @@
|
||||||
role-ipa-server
|
role-ipa-server
|
||||||
=========
|
=========
|
||||||
|
|
||||||
A brief description of the role goes here.
|
This role is used to build freeipa server
|
||||||
|
|
||||||
Requirements
|
Requirements
|
||||||
------------
|
------------
|
||||||
|
@ -11,7 +11,7 @@ No requirements
|
||||||
Role Variables
|
Role Variables
|
||||||
--------------
|
--------------
|
||||||
|
|
||||||
Server specific variables (i.e. mountpoint info) should be defined from the playbook-builder
|
No role specific variables
|
||||||
|
|
||||||
Dependencies
|
Dependencies
|
||||||
------------
|
------------
|
||||||
|
@ -23,8 +23,8 @@ Example Playbook Template
|
||||||
|
|
||||||
Playbook creation should be handled by playbook-builder. To include role in a playbook, add one of these lines (changing version/branch as needed) to the template with other core entries:
|
Playbook creation should be handled by playbook-builder. To include role in a playbook, add one of these lines (changing version/branch as needed) to the template with other core entries:
|
||||||
|
|
||||||
role:mount:v1.0:core,mount
|
role:ipa-server:v1.0:workload,ipa-server
|
||||||
role:mount:testing:core,mount
|
role:ipa-server:testing:workload,ipa-server
|
||||||
|
|
||||||
License
|
License
|
||||||
-------
|
-------
|
||||||
|
|
|
@ -1,3 +1,3 @@
|
||||||
#SPDX-License-Identifier: MIT-0
|
#SPDX-License-Identifier: MIT-0
|
||||||
---
|
---
|
||||||
# defaults file for ${REPO_NAME}
|
# defaults file forrole-ipa-server
|
||||||
|
|
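--- a/files/replicate.sh
+++ b/files/replicate.sh
@@ -0,0 +1,16 @@
+read -s -p "Admin Password:" ADMIN_PASSWORD
+echo ""
+read -s -p "Directory Manager Password:" DM_PASSWORD
+echo ""
+read -p "Server to replicate (default ipa.actcur.com):" SERVER
+
+if [ -z $SERVER ]
+then
+SERVER="ipa.actcur.com"
+fi
+
+ipa-client-install -U -p admin -w $ADMIN_PASSWORD --server=$SERVER --domain actcur.com --mkhomedir --force-join
+
+ipa-replica-install --skip-mem-check
+
+ipa-ca-install -p $DM_PASSWORD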
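Review bot: Both secrets are passed as command-line arguments — `-w $ADMIN_PASSWORD` on the ipa-client-install line and `-p $DM_PASSWORD` on the ipa-ca-install line — so for the duration of each install they are readable by any local user in the process list, which defeats the `read -s` prompts above them. ipa-client-install accepts `-W` to prompt for the password itself, and ipa-ca-install prompts for the Directory Manager password when `-p` is omitted, so the two `read -s`/`echo ""` pairs can be dropped. Independently, `if [ -z $SERVER ]` only handles an empty reply because `[ -z ]` with no operand happens to be true; quote it as `if [ -z "$SERVER" ]` and `--server="$SERVER"`, and give the script a shebang and `set -eu` so a failed client enrolment does not fall through to ipa-replica-install.
```shell
#!/bin/bash
set -eu

read -p "Server to replicate (default ipa.actcur.com):" SERVER
if [ -z "$SERVER" ]
then
    SERVER="ipa.actcur.com"
fi

# -W makes ipa-client-install prompt for the admin password itself, keeping it out of argv
ipa-client-install -U -p admin -W --server="$SERVER" --domain actcur.com --mkhomedir --force-join

# … unchanged: ipa-replica-install --skip-mem-check …

# without -p, ipa-ca-install prompts for the Directory Manager password
ipa-ca-install
```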
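--- a/files/setup-le.sh
+++ b/files/setup-le.sh
@@ -0,0 +1,36 @@
+FQDN=$(hostname -f)
+mkdir -p "/etc/ssl/$FQDN"
+
+#get x1 root
+curl -o "/etc/ssl/$FQDN/x1.der" "https://x1.i.lencr.org"
+openssl x509 -inform der -in /etc/ssl/$FQDN/x1.der -out /etc/ssl/$FQDN/x1.pem
+
+#get x2 root
+curl -o "/etc/ssl/$FQDN/x2.der" "https://x2.i.lencr.org"
+openssl x509 -inform der -in /etc/ssl/$FQDN/x2.der -out /etc/ssl/$FQDN/x2.pem
+
+#get issuer
+openssl x509 -noout -text -in crt.pem | grep i.lencr.org | grep -Po http.+
+issuer=`openssl x509 -noout -text -in /etc/letsencrypt/live/$FQDN/fullchain.pem | grep Issuer | grep Encrypt | grep -Po "(?<=CN=).*" | tr '[:upper:]' '[:lower:]'`
+
+curl -o "/etc/ssl/$FQDN/$issuer.der" "https://$issuer.i.lencr.org"
+openssl x509 -inform der -in /etc/ssl/$FQDN/$issuer.der -out /etc/ssl/$FQDN/$issuer.pem
+
+
+ipa-cacert-manage install "/etc/ssl/$FQDN/x1.pem"
+ipa-cacert-manage install "/etc/ssl/$FQDN/x2.pem"
+ipa-cacert-manage install "/etc/ssl/$FQDN/$issuer.pem"
+
+ipa-certupdate
+
+if ! [[ -L /var/lib/ipa/certs/httpd.crt ]]
+then
+mv /var/lib/ipa/certs/httpd.crt /var/lib/ipa/certs/httpd.crt.bak
+ln -s /etc/letsencrypt/live/$FQDN/cert.pem /var/lib/ipa/certs/httpd.crt
+fi
+
+if ! [[ -L /var/lib/ipa/private/httpd.key ]]
+then
+mv /var/lib/ipa/private/httpd.key /var/lib/ipa/private/httpd.key.bak
+ln -s /etc/letsencrypt/live/$FQDN/privkey.pem /var/lib/ipa/private/httpd.key
+fi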
|
@ -1,3 +1,7 @@
|
||||||
#SPDX-License-Identifier: MIT-0
|
#SPDX-License-Identifier: MIT-0
|
||||||
---
|
---
|
||||||
# handlers file for ${REPO_NAME}
|
# handlers file for role-ipa-server
|
||||||
|
- name: restart httpd
|
||||||
|
service:
|
||||||
|
name: httpd
|
||||||
|
state: restarted
|
||||||
|
|
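Review bot: The new handler uses the short module name `service:` while every task in this commit uses fully qualified names (`ansible.builtin.package`, `ansible.posix.firewalld`, `ansible.builtin.copy`); for consistency and to avoid collection-resolution surprises, write `ansible.builtin.service:`. None of the tasks added in this commit carries a `notify: restart httpd`, so as committed the handler is never triggered — presumably it is intended for the step that swaps the httpd certificate, which is worth stating in a comment above the handler, e.g. `# notified once the httpd cert/key have been replaced (see files/setup-le.sh)`.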
|
@ -1,3 +1,48 @@
|
||||||
#SPDX-License-Identifier: MIT-0
|
#SPDX-License-Identifier: MIT-0
|
||||||
---
|
---
|
||||||
# tasks file for ${REPO_NAME}
|
# tasks file for role-ipa-server
|
||||||
|
- name: install freeipa-server
|
||||||
|
ansible.builtin.package:
|
||||||
|
name: freeipa-server
|
||||||
|
state: present
|
||||||
|
|
||||||
|
- name: install ipa-server-dns
|
||||||
|
ansible.builtin.package:
|
||||||
|
name: ipa-server-dns
|
||||||
|
state: present
|
||||||
|
|
||||||
|
#this should be moved to a dedicated firewall role down the road
|
||||||
|
- name: permit ipa-server traffic through firewall
|
||||||
|
ansible.posix.firewalld:
|
||||||
|
service: freeipa-4
|
||||||
|
state: enabled
|
||||||
|
permanent: true
|
||||||
|
immediate: true
|
||||||
|
offline: true
|
||||||
|
|
||||||
|
- name: deploy replication script
|
||||||
|
ansible.builtin.copy:
|
||||||
|
src: files/replicate.sh
|
||||||
|
dest: /scripts/replicate.sh
|
||||||
|
|
||||||
|
#this should be moved to dedicated selinux role down the road
|
||||||
|
- name: Disable SELinux
|
||||||
|
ansible.posix.selinux:
|
||||||
|
state: disabled
|
||||||
|
|
||||||
|
# create letsencrypt setup script if certbot is enabled
|
||||||
|
- name: check if letsencrypt is set up
|
||||||
|
ansible.builtin.command: '[ -d "/etc/letsencrypt/" ]'
|
||||||
|
register: result
|
||||||
|
ignore_errors: true
|
||||||
|
|
||||||
|
- name: check if ipaserver is ready
|
||||||
|
ansible.builtin.command: '[ -d "/var/lib/ipa/certs/" ]'
|
||||||
|
register: result2
|
||||||
|
ignore_errors: true
|
||||||
|
|
||||||
|
- name: deploy letsencrypt setup script
|
||||||
|
ansible.builtin.copy:
|
||||||
|
src: files/setup-le.sh
|
||||||
|
dest: /scripts/setup-le.sh
|
||||||
|
when: (result is succeeded) and (result2 is succeeded)
|
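Review bot: The two `check if …` tasks probe for a directory with `ansible.builtin.command: '[ -d … ]'` plus `ignore_errors: true`, which reports a failed task on every host where the directory is absent and leaves the generic names `result`/`result2` for the `when:` on the last task; `ansible.builtin.stat` gives the same answer without a failure. Both `ansible.builtin.copy` tasks write scripts under `/scripts/` without a `mode:` (so the files are not executable and take the remote umask), and `copy` does not create the parent directory, so an `ansible.builtin.file` task with `state: directory` for `/scripts` is needed before them. Separately, the `Disable SELinux` task, although flagged as temporary in the comment above it, turns SELinux off on the identity server even though FreeIPA is supported with SELinux enforcing; this is a hardening regression that deserves a tracking reference in the comment rather than shipping silently. The `mode: "0700"` below is a suggested value for root-only scripts that handle passwords.
```yaml
- name: ensure script directory exists
  ansible.builtin.file:
    path: /scripts
    state: directory
    mode: "0700"

# … unchanged: deploy replication script (add `mode: "0700"` to it as well) …

- name: check if letsencrypt is set up
  ansible.builtin.stat:
    path: /etc/letsencrypt/
  register: letsencrypt_dir

- name: check if ipaserver is ready
  ansible.builtin.stat:
    path: /var/lib/ipa/certs/
  register: ipa_certs_dir

- name: deploy letsencrypt setup script
  ansible.builtin.copy:
    src: files/setup-le.sh
    dest: /scripts/setup-le.sh
    mode: "0700"
  when: (letsencrypt_dir.stat.isdir | default(false)) and (ipa_certs_dir.stat.isdir | default(false))
```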
|
@ -3,4 +3,4 @@
|
||||||
- hosts: localhost
|
- hosts: localhost
|
||||||
remote_user: root
|
remote_user: root
|
||||||
roles:
|
roles:
|
||||||
- ${REPO_NAME}
|
- role-ipa-server
|
||||||
|
|
|
@ -1,3 +1,3 @@
|
||||||
#SPDX-License-Identifier: MIT-0
|
#SPDX-License-Identifier: MIT-0
|
||||||
---
|
---
|
||||||
# vars file for ${REPO_NAME}
|
# vars file for role-ipa-server
|