Updated with ipaclient setup and bootstrap

This commit is contained in:
Patrick Toal
2019-02-23 20:34:35 -05:00
parent 65ed5e0ce8
commit 832502de34
14 changed files with 255 additions and 5 deletions

.vscode/settings.json vendored Normal file

@@ -0,0 +1 @@
{}

bootstrap.yml Normal file

@@ -0,0 +1,9 @@
# Note: need to specify extra_vars, providing ansible_ssh_user, and ansible_ssh_pass
- name: Set up IPA Client
hosts: lab-ipa-client
become: yes
roles:
- role: debian-freeipa-client
when: ansible_facts['os_family'] == "Debian"
- role: alvaroaleman.freeipa-client
when: ansible_facts['os_family'] == "RedHat"
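Review bot: The header comment on the first line of bootstrap.yml tells operators to pass `ansible_ssh_pass` through `extra_vars`, which places the SSH password in the control node's shell history and process list; `--ask-pass` or a vault-encrypted inventory variable keeps it out of both, so the comment should read something like `# Note: supply ansible_ssh_user via -e or inventory; supply the password with --ask-pass or an ansible-vault encrypted variable`. `become: yes` should be `become: true` (the truthy rule), and a leading `---` would match rhv_setup.yml added in the same commit. Both role conditions read `ansible_facts['os_family']`, so fact gathering must stay enabled on this play (it is, by default, but a comment saying so prevents someone adding `gather_facts: false` later).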

rhv_setup.yml Normal file

@@ -0,0 +1,21 @@
---
- name: Create RHV/ovirt VLANs
hosts: rhv.lab.toal.ca
connection: local
vars:
# Hack to work around virtualenv python interpreter
ansible_python_interpreter: "{{ ansible_playbook_python }}"
tasks:
- ovirt_network:
auth: "{{ ovirt_auth }}"
fetch_nested: true
data_center: "{{ item.data_center }}"
name: "{{ item.name }}"
vlan_tag: "{{ item.vlan_tag }}"
vm_network: "{{ item.vm_network }}"
mtu: "{{ item.mtu }}"
description: "{{ item.description }}"
loop: "{{ ovirt_networks }}"
register: networkinfo
- debug: msg="{{networkinfo}}"
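Review bot: The `debug: msg="{{networkinfo}}"` task on the last line prints the entire registered result of the `ovirt_network` loop, which includes each item's `invocation.module_args` and therefore the templated `auth` dictionary from `ovirt_auth`; unless the module masks that parameter, the token or password lands in the playbook output and in whatever log collector reads it. Print only what is needed, e.g. `- debug: msg="{{ networkinfo.results | map(attribute='item.name') | list }}"`, or add `no_log: true` to the loop task. The `ansible_python_interpreter` override is labelled a hack in its own comment; an `ansible.cfg` or inventory setting would keep that workaround out of the play body.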


@@ -0,0 +1,3 @@
---
ipa_realm: "example.com"
ipa_server: freeipa.example.com
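Review bot: `ipa_server` is a plain scalar while `ipa_realm` on the line above is quoted; quote both (`ipa_server: "freeipa.example.com"`) so the file is consistent and a future value that looks like a number or boolean is not retyped by the loader. This file appears to be the role's defaults, and it does not declare `bind_localdomain`, which the krb5.conf.j2 template added later in this commit references; adding `bind_localdomain: "example.com"` (constructed placeholder) here avoids an undefined-variable failure at template time when the inventory does not supply it.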


@@ -0,0 +1,2 @@
- lastlog
- faillog


@@ -0,0 +1,8 @@
Name: Create home directory during login
Default: yes
Priority: 127
Session-Type: Additional
Session-Interactive-Only: yes
Session:
required pam_mkhomedir.so skel=/etc/skel/ umask=0022


@@ -0,0 +1,12 @@
---
- name: restart sssd
service: name=sssd state=restarted
- name: restart sshd
service: name=sshd state=restarted
- name: execute pam-auth-update
command: pam-auth-update --package
- name: restart ntp
service: name=ntp state=restarted
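Review bot: All four handlers use the `key=value` shorthand (`service: name=sssd state=restarted`), which ansible-lint flags; native block YAML is the convention, e.g. `service:` / `  name: sssd` / `  state: restarted`. The `restart ntp` handler is not notified by any task in this commit, so either a task is missing or the handler is dead code and should be removed.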


@@ -0,0 +1,135 @@
---
- name: install kerberoes user utility
package:
name: krb5-user
state: present
- name: check if we have a cached kerberos ticket
delegate_to: "{{ ipa_server }}"
vars: {ansible_user: ""}
become: no
command: klist
run_once: yes
changed_when: false
- name: check if the host exists in the directory
delegate_to: "{{ ipa_server }}"
vars: {ansible_user: ""}
become: no
command: flock /tmp/ansible-lock ipa host-show {{ ansible_fqdn }}
register: host_show
failed_when: host_show.rc == 1
changed_when: false
- name: create the host principal
delegate_to: "{{ ipa_server }}"
vars: {ansible_user: ""}
become: no
command: flock /tmp/ansible-lock ipa host-add {{ ansible_fqdn }} --force
--sshpubkey \"{{ ansible_ssh_host_key_rsa_public }}\"
--os {{ ansible_distribution }}
when: host_show.rc != 0
tags: [install]
- name: check if /etc/krb5.keytab exists
stat: path=/etc/krb5.keytab
register: keytab
- name: generate the host keytab
delegate_to: "{{ ipa_server }}"
vars: {ansible_user: ""}
become: no
command: flock /tmp/ansible-lock /usr/sbin/ipa-getkeytab -s {{ ipa_server }} -p host/{{ ansible_fqdn }} -k /tmp/{{ ansible_hostname }}.keytab
when: 'not keytab.stat.exists or "Keytab: True" not in host_show.stdout'
tags: [install]
- name: transfer the keytab over to the IPA client
synchronize:
src: /tmp/{{ ansible_hostname }}.keytab
dest: /etc/krb5.keytab
archive: no
ssh_args: -l root
delegate_to: "{{ ipa_server }}"
vars: {ansible_user: ""}
become: no
when: 'not keytab.stat.exists or "Keytab: True" not in host_show.stdout'
notify: restart sssd
tags: [install]
- name: remove the keytab file on the FreeIPA server
delegate_to: "{{ ipa_server }}"
vars: {ansible_user: ""}
become: no
file:
path: /tmp/{{ ansible_hostname }}.keytab
state: absent
tags: [install]
- name: create the directory /etc/sssd
file:
path: /etc/sssd
state: directory
- name: configure sssd
template:
src: sssd.conf.j2
dest: /etc/sssd/sssd.conf
mode: 0600
notify: restart sssd
tags: [configure]
- name: install sssd
apt: name=sssd state=present
tags: [install]
- name: automatically create user home directories
copy:
src: mkhomedir
dest: /usr/share/pam-configs/mkhomedir
notify: execute pam-auth-update
- name: configure krb5
template:
src: krb5.conf.j2
dest: /etc/krb5.conf
tags: [configure]
- name: set AuthorizedKeysCommand for sshd
lineinfile:
regexp: AuthorizedKeysCommand\b
line: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
dest: /etc/ssh/sshd_config
notify: restart sshd
tags: [configure]
- name: set AuthorizedKeysCommandUser for sshd
lineinfile:
regexp: AuthorizedKeysCommandUser
line: AuthorizedKeysCommandUser nobody
dest: /etc/ssh/sshd_config
notify: restart sshd
tags: [configure]
- name: set GlobalKnownHostsFile for ssh
lineinfile:
regexp: GlobalKnownHostsFile
line: GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
dest: /etc/ssh/ssh_config
- name: set ProxyCommand for ssh
lineinfile:
regexp: ProxyCommand
line: ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
dest: /etc/ssh/ssh_config
tags: [configure]
- name: start and enable sssd
service: name=sssd state=started enabled=yes
tags: [serve]
- name: exclude lastlog and faillog from backups
copy:
src: backup_excludes
dest: /var/log/.backup
tags: [configure]
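Review bot: The keytab transfer task (`synchronize` with `archive: no` and `ssh_args: -l root`) never pins the owner or mode of `/etc/krb5.keytab`; rsync without `--perms` derives a new file's bits from the source file as `ipa-getkeytab` created it, masked by the receiver's umask, so whether the host credential ends up readable by other users depends on state this role does not control, and a follow-up `file` task (below) makes it explicit. `ssh_args: -l root` also means every client must accept root SSH logins from the IPA server, which deserves a comment on the task such as `# requires the client sshd to permit root login from the IPA server`. The two `lineinfile` edits to `/etc/ssh/sshd_config` append at end of file when nothing matches, which places the directive inside a trailing `Match` block if one exists, and they carry no `validate: /usr/sbin/sshd -t -f %s`, so a typo locks out SSH once the `restart sshd` handler runs. Smaller points: `mode: 0600` on the sssd.conf template should be quoted as `mode: "0600"`, and `apt:` on the install-sssd task is inconsistent with `package:` used for krb5-user at the top of the file.
```yaml
# … unchanged: transfer the keytab over to the IPA client …
- name: restrict permissions on the host keytab
  file:
    path: /etc/krb5.keytab
    owner: root
    group: root
    mode: "0600"
  tags: [install]
# … unchanged: remove the keytab file on the FreeIPA server and later tasks …
```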


@@ -0,0 +1,31 @@
# {{ ansible_managed }}
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = {{ ipa_realm }}
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
dns_canonicalize_hostname = false
ticket_lifetime = 24h
forwardable = true
[realms]
{{ ipa_realm |upper }} = {
kdc = {{ ipa_server }}:88
master_kdc = {{ ipa_server }}:88
admin_server = {{ ipa_server }}:749
kpasswd_server = {{ ipa_server }}:464
default_domain = {{ bind_localdomain }}
}
[domain_realm]
.{{ bind_localdomain }} = {{ ipa_realm |upper}}
{{ bind_localdomain }} = {{ ipa_realm |upper}}
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
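Review bot: `default_domain = {{ bind_localdomain }}` and the two `[domain_realm]` lines reference `bind_localdomain`, which the defaults file earlier in this commit (only `ipa_realm` and `ipa_server`) does not define; if the inventory does not supply it the `configure krb5` task fails on an undefined variable, so either add it to defaults or write `{{ bind_localdomain | default(ipa_realm) }}`. Filter spacing is inconsistent (`{{ ipa_realm |upper }}` against `{{ ipa_realm |upper}}`); use `{{ ipa_realm | upper }}` throughout. With `dns_lookup_kdc = false` every KDC role in the realm block is pinned to the single `ipa_server`, so a second replica is invisible to clients until this template changes; a comment above the `[realms]` section stating that is worth adding.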


@@ -0,0 +1,23 @@
# {{ ansible_managed }}
[sssd]
config_file_version = 2
services = nss, pam, sudo, ssh
domains = {{ ipa_realm }}
[nss]
[pam]
[ssh]
[sudo]
[domain/{{ ipa_realm }}]
cache_credentials = true
krb5_store_password_if_offline = true
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = {{ ansible_fqdn }}
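Review bot: `ldap_tls_cacert = /etc/ipa/ca.crt` names a file that no task in this commit installs on the client (the task list ships the keytab, sssd.conf and krb5.conf only), so unless the CA certificate is already present sssd cannot verify the IPA server's TLS certificate and the domain stays offline; a task that fetches `/etc/ipa/ca.crt` from `{{ ipa_server }}`, or ships it from the role's files directory, belongs in tasks/main.yml. The domain section sets neither `ipa_domain` nor `ipa_server`, so sssd discovers the server through DNS SRV records while krb5.conf.j2 in the same commit pins `{{ ipa_server }}` explicitly; `ipa_server = {{ ipa_server }}` keeps the two consistent. `krb5_store_password_if_offline = true` keeps user passwords in the kernel keyring for offline re-authentication, a deliberate trade-off that deserves a one-line comment.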


@@ -0,0 +1 @@
/Users/ptoal/Dev/lightbulb-ansiblered-deck
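Review bot: This file consists of the absolute path `/Users/ptoal/Dev/lightbulb-ansiblered-deck`, which reads as a symlink into one developer's home directory; the `lightbulb-ansiblered-deck` role referenced from the site playbook later in this commit will resolve only on that machine. A `requirements.yml` entry for `ansible-galaxy` or a git submodule makes the role reproducible on any control node.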


@@ -1,5 +1,6 @@
---
# Ensure that virtual guests have the guest tools installed.
- block:
- name: Guest Tools Repository
rhsm_repository:
name: rhel-7-server-rh-common-rpms
@@ -9,7 +10,7 @@
yum:
name: ovirt-guest-agent
state: present
when: ansible_virtualization_type == "RHEV"
notify: Ovirt Agent Restart
when: ansible_virtualization_type == "RHEV"
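Review bot: Both the `yum` task and the enclosing block carry `when: ansible_virtualization_type == "RHEV"` in the rendered hunk; if both remain on the new side, the task-level condition is redundant with the block-level one and can be dropped, which also leaves the `rhsm_repository` task in the first hunk under the same guard. The block opened in the first hunk continues past this view, so any other tasks inside it inherit that condition as well.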


@@ -64,14 +64,13 @@
memory: "{{ vm_memory }}"
disks: "{{ vm_disks }}"
cpu_cores: "{{ vm_cpu_cores }}"
operating_system: "{{ vm_os }}"
cluster: "{{ vm_cluster }}"
operating_system: "{{ vm_os }}"
type: server
graphical_console:
protocol:
- spice
- vnc
cluster: Default
boot_devices:
- hd
async: 300
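Review bot: `cluster` appears twice in this hunk (`cluster: "{{ vm_cluster }}"` and `cluster: Default`) and so does `operating_system`; the rendered diff no longer shows which instances are removed, but if both copies of either key survive on the new side the YAML loader silently keeps the last one, so please confirm the final mapping contains one `cluster` and one `operating_system`. `async: 300` with no `poll` falls back to the default polling interval, which works but is worth an inline comment stating the intended timeout. The task that owns these parameters starts before this hunk.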


@@ -1,8 +1,12 @@
# Toal Lab Site Playbook
- name: Common Lab Machine Setup
hosts: all
become: true
roles:
- toal-common
- name: Ansible Red Demo Environment
hosts: ansible-red
become: false
roles:
- lightbulb-ansiblered-deck