From 832502de342e28c20c9c72c452777330bc1c7131 Mon Sep 17 00:00:00 2001
From: Patrick Toal
Date: Sat, 23 Feb 2019 20:34:35 -0500
Subject: [PATCH] Updated with ipaclient setup and bootstrap
---
.vscode/settings.json | 1 +
bootstrap.yml | 9 ++
rhv_setup.yml | 21 +++
roles/debian-freeipa-client/defaults/main.yml | 3 +
.../files/backup_excludes | 2 +
roles/debian-freeipa-client/files/mkhomedir | 8 ++
roles/debian-freeipa-client/handlers/main.yml | 12 ++
roles/debian-freeipa-client/tasks/main.yml | 135 ++++++++++++++++++
.../templates/krb5.conf.j2 | 31 ++++
.../templates/sssd.conf.j2 | 23 +++
roles/lightbulb-ansiblered-deck | 1 +
roles/toal-common/tasks/main.yml | 3 +-
satellite.yml | 3 +-
site.yml | 8 +-
14 files changed, 255 insertions(+), 5 deletions(-)
create mode 100644 .vscode/settings.json
create mode 100644 bootstrap.yml
create mode 100644 rhv_setup.yml
create mode 100644 roles/debian-freeipa-client/defaults/main.yml
create mode 100644 roles/debian-freeipa-client/files/backup_excludes
create mode 100644 roles/debian-freeipa-client/files/mkhomedir
create mode 100644 roles/debian-freeipa-client/handlers/main.yml
create mode 100644 roles/debian-freeipa-client/tasks/main.yml
create mode 100644 roles/debian-freeipa-client/templates/krb5.conf.j2
create mode 100644 roles/debian-freeipa-client/templates/sssd.conf.j2
create mode 120000 roles/lightbulb-ansiblered-deck
diff --git a/.vscode/settings.json b/.vscode/settings.json
new file mode 100644
index 0000000..9e26dfe
--- /dev/null
+++ b/.vscode/settings.json
@@ -0,0 +1 @@
+{}
\ No newline at end of file
diff --git a/bootstrap.yml b/bootstrap.yml
new file mode 100644
index 0000000..800a89e
--- /dev/null
+++ b/bootstrap.yml
@@ -0,0 +1,9 @@
+# Note: need to specify extra_vars, providing ansible_ssh_user, and ansible_ssh_pass
+- name: Set up IPA Client
+ hosts: lab-ipa-client
+ become: yes
+ roles:
+ - role: debian-freeipa-client
+ when: ansible_facts['os_family'] == "Debian"
+ - role: alvaroaleman.freeipa-client
+ when: ansible_facts['os_family'] == "RedHat"
diff --git a/rhv_setup.yml b/rhv_setup.yml
new file mode 100644
index 0000000..8358431
--- /dev/null
+++ b/rhv_setup.yml
@@ -0,0 +1,21 @@
+---
+- name: Create RHV/ovirt VLANs
+ hosts: rhv.lab.toal.ca
+ connection: local
+ vars:
+ # Hack to work around virtualenv python interpreter
+ ansible_python_interpreter: "{{ ansible_playbook_python }}"
+ tasks:
+ - ovirt_network:
+ auth: "{{ ovirt_auth }}"
+ fetch_nested: true
+ data_center: "{{ item.data_center }}"
+ name: "{{ item.name }}"
+ vlan_tag: "{{ item.vlan_tag }}"
+ vm_network: "{{ item.vm_network }}"
+ mtu: "{{ item.mtu }}"
+ description: "{{ item.description }}"
+ loop: "{{ ovirt_networks }}"
+ register: networkinfo
+
+ - debug: msg="{{networkinfo}}"
diff --git a/roles/debian-freeipa-client/defaults/main.yml b/roles/debian-freeipa-client/defaults/main.yml
new file mode 100644
index 0000000..e29fa61
--- /dev/null
+++ b/roles/debian-freeipa-client/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+ipa_realm: "example.com"
+ipa_server: freeipa.example.com
diff --git a/roles/debian-freeipa-client/files/backup_excludes b/roles/debian-freeipa-client/files/backup_excludes
new file mode 100644
index 0000000..50535ff
--- /dev/null
+++ b/roles/debian-freeipa-client/files/backup_excludes
@@ -0,0 +1,2 @@
+- lastlog
+- faillog
diff --git a/roles/debian-freeipa-client/files/mkhomedir b/roles/debian-freeipa-client/files/mkhomedir
new file mode 100644
index 0000000..d2e7214
--- /dev/null
+++ b/roles/debian-freeipa-client/files/mkhomedir
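Review bot: The comment on the first line of bootstrap.yml tells the operator to pass `ansible_ssh_pass` as an extra var; a password given on the `ansible-playbook` command line lands in shell history and in the process list of every user on the control node. Point the comment at `--ask-pass` (or a vaulted vars file) instead, e.g. `# Note: run with --ask-pass (or a vaulted vars file) to supply ansible_ssh_user/ansible_ssh_pass`. Minor: `become: yes` should be `become: true` for consistency with site.yml, and the play lacks the `---` document start the other new playbooks have. The `alvaroaleman.freeipa-client` Galaxy role is referenced but not pinned anywhere visible in this commit; a `requirements.yml` entry with a version would make the dependency reproducible.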
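Review bot: The `ovirt_network` task depends on `ovirt_auth` (which normally holds the engine session token), but nothing in this play obtains that session with an `ovirt_auth` task or revokes it afterwards, so the play only works when the variable is supplied from outside; a comment saying where it comes from, or an explicit `ovirt_auth` login plus an `always` logout, would make the intent clear. The unnamed final task prints the whole registered result with the legacy `msg="{{networkinfo}}"` shorthand; `- name: Show created networks` / `  debug:` / `    var: networkinfo` is the idiomatic form, and if the result carries anything sensitive, print only the fields you need or set `no_log`.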
@@ -0,0 +1,8 @@
+Name: Create home directory during login
+Default: yes
+Priority: 127
+
+Session-Type: Additional
+Session-Interactive-Only: yes
+Session:
+ required pam_mkhomedir.so skel=/etc/skel/ umask=0022
diff --git a/roles/debian-freeipa-client/handlers/main.yml b/roles/debian-freeipa-client/handlers/main.yml
new file mode 100644
index 0000000..2b16a8c
--- /dev/null
+++ b/roles/debian-freeipa-client/handlers/main.yml
@@ -0,0 +1,12 @@
+---
+- name: restart sssd
+ service: name=sssd state=restarted
+
+- name: restart sshd
+ service: name=sshd state=restarted
+
+- name: execute pam-auth-update
+ command: pam-auth-update --package
+
+- name: restart ntp
+ service: name=ntp state=restarted
diff --git a/roles/debian-freeipa-client/tasks/main.yml b/roles/debian-freeipa-client/tasks/main.yml
new file mode 100644
index 0000000..80f602f
--- /dev/null
+++ b/roles/debian-freeipa-client/tasks/main.yml
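Review bot: The `restart ntp` handler in handlers/main.yml is never notified by any task this commit adds to the role, so it is dead code; drop it or add the task that needs it. On Debian the OpenSSH unit is named `ssh`, and as far as I recall `sshd` only resolves through the unit's alias when the service is enabled, so `service: name=ssh state=restarted` is the safer spelling for the `restart sshd` handler in a Debian-specific role. Style: the `key=value` shorthand should be native YAML, e.g. `service:` / `  name: sssd` / `  state: restarted`.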
@@ -0,0 +1,135 @@
+---
+
+- name: install kerberoes user utility
+ package:
+ name: krb5-user
+ state: present
+
+- name: check if we have a cached kerberos ticket
+ delegate_to: "{{ ipa_server }}"
+ vars: {ansible_user: ""}
+ become: no
+ command: klist
+ run_once: yes
+ changed_when: false
+
+- name: check if the host exists in the directory
+ delegate_to: "{{ ipa_server }}"
+ vars: {ansible_user: ""}
+ become: no
+ command: flock /tmp/ansible-lock ipa host-show {{ ansible_fqdn }}
+ register: host_show
+ failed_when: host_show.rc == 1
+ changed_when: false
+
+- name: create the host principal
+ delegate_to: "{{ ipa_server }}"
+ vars: {ansible_user: ""}
+ become: no
+ command: flock /tmp/ansible-lock ipa host-add {{ ansible_fqdn }} --force
+ --sshpubkey \"{{ ansible_ssh_host_key_rsa_public }}\"
+ --os {{ ansible_distribution }}
+ when: host_show.rc != 0
+ tags: [install]
+
+- name: check if /etc/krb5.keytab exists
+ stat: path=/etc/krb5.keytab
+ register: keytab
+
+- name: generate the host keytab
+ delegate_to: "{{ ipa_server }}"
+ vars: {ansible_user: ""}
+ become: no
+ command: flock /tmp/ansible-lock /usr/sbin/ipa-getkeytab -s {{ ipa_server }} -p host/{{ ansible_fqdn }} -k /tmp/{{ ansible_hostname }}.keytab
+ when: 'not keytab.stat.exists or "Keytab: True" not in host_show.stdout'
+ tags: [install]
+
+- name: transfer the keytab over to the IPA client
+ synchronize:
+ src: /tmp/{{ ansible_hostname }}.keytab
+ dest: /etc/krb5.keytab
+ archive: no
+ ssh_args: -l root
+ delegate_to: "{{ ipa_server }}"
+ vars: {ansible_user: ""}
+ become: no
+ when: 'not keytab.stat.exists or "Keytab: True" not in host_show.stdout'
+ notify: restart sssd
+ tags: [install]
+
+- name: remove the keytab file on the FreeIPA server
+ delegate_to: "{{ ipa_server }}"
+ vars: {ansible_user: ""}
+ become: no
+ file:
+ path: /tmp/{{ ansible_hostname }}.keytab
+ state: absent
+ tags: [install]
+
+- name: create the directory /etc/sssd
+ file:
+ path: /etc/sssd
+ state: directory
+
+- name: configure sssd
+ template:
+ src: sssd.conf.j2
+ dest: /etc/sssd/sssd.conf
+ mode: 0600
+ notify: restart sssd
+ tags: [configure]
+
+- name: install sssd
+ apt: name=sssd state=present
+ tags: [install]
+
+- name: automatically create user home directories
+ copy:
+ src: mkhomedir
+ dest: /usr/share/pam-configs/mkhomedir
+ notify: execute pam-auth-update
+
+- name: configure krb5
+ template:
+ src: krb5.conf.j2
+ dest: /etc/krb5.conf
+ tags: [configure]
+
+- name: set AuthorizedKeysCommand for sshd
+ lineinfile:
+ regexp: AuthorizedKeysCommand\b
+ line: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
+ dest: /etc/ssh/sshd_config
+ notify: restart sshd
+ tags: [configure]
+
+- name: set AuthorizedKeysCommandUser for sshd
+ lineinfile:
+ regexp: AuthorizedKeysCommandUser
+ line: AuthorizedKeysCommandUser nobody
+ dest: /etc/ssh/sshd_config
+ notify: restart sshd
+ tags: [configure]
+
+- name: set GlobalKnownHostsFile for ssh
+ lineinfile:
+ regexp: GlobalKnownHostsFile
+ line: GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
+ dest: /etc/ssh/ssh_config
+
+- name: set ProxyCommand for ssh
+ lineinfile:
+ regexp: ProxyCommand
+ line: ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
+ dest: /etc/ssh/ssh_config
+ tags: [configure]
+
+- name: start and enable sssd
+ service: name=sssd state=started enabled=yes
+ tags: [serve]
+
+- name: exclude lastlog and faillog from backups
+ copy:
+ src: backup_excludes
+ dest: /var/log/.backup
+ tags: [configure]
diff --git a/roles/debian-freeipa-client/templates/krb5.conf.j2 b/roles/debian-freeipa-client/templates/krb5.conf.j2
new file mode 100644
index 0000000..58077b2
--- /dev/null
+++ b/roles/debian-freeipa-client/templates/krb5.conf.j2
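Review bot: The two `lineinfile` edits of `/etc/ssh/sshd_config` (AuthorizedKeysCommand and AuthorizedKeysCommandUser) notify `restart sshd` without any syntax check, so a bad line leaves the host with an sshd that refuses to restart and no remote access; add `validate: '/usr/sbin/sshd -t -f %s'` to both tasks. The host keytab is generated into the shared `/tmp/{{ ansible_hostname }}.keytab` on the IPA server and removed only by a later task that never runs if the `synchronize` step fails, so a failed transfer leaves a credential-bearing file behind; put generate/transfer/remove in a `block` with the removal under `always`, and prefer a private directory from `tempfile` over `/tmp`. Note also that `configure sssd` renders `/etc/sssd/sssd.conf` before `install sssd` runs; it works because the `restart sssd` handler fires at the end of the play, but a comment saying so, or moving the install first, would spare the next reader the question. Minor: `mode: 0600` relies on YAML's leading-zero octal parsing and is clearer as `mode: "0600"`, and `kerberoes` in the first task name is a typo.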
@@ -0,0 +1,31 @@
+# {{ ansible_managed }}
+includedir /var/lib/sss/pubconf/krb5.include.d/
+
+[libdefaults]
+ default_realm = {{ ipa_realm }}
+ dns_lookup_realm = false
+ dns_lookup_kdc = false
+ rdns = false
+ dns_canonicalize_hostname = false
+ ticket_lifetime = 24h
+ forwardable = true
+
+
+[realms]
+ {{ ipa_realm |upper }} = {
+ kdc = {{ ipa_server }}:88
+ master_kdc = {{ ipa_server }}:88
+ admin_server = {{ ipa_server }}:749
+ kpasswd_server = {{ ipa_server }}:464
+ default_domain = {{ bind_localdomain }}
+ }
+
+
+[domain_realm]
+ .{{ bind_localdomain }} = {{ ipa_realm |upper}}
+ {{ bind_localdomain }} = {{ ipa_realm |upper}}
+
+[logging]
+default = FILE:/var/log/krb5libs.log
+kdc = FILE:/var/log/krb5kdc.log
+admin_server = FILE:/var/log/kadmin.log
diff --git a/roles/debian-freeipa-client/templates/sssd.conf.j2 b/roles/debian-freeipa-client/templates/sssd.conf.j2
new file mode 100644
index 0000000..dc1d9cf
--- /dev/null
+++ b/roles/debian-freeipa-client/templates/sssd.conf.j2
@@ -0,0 +1,23 @@
+# {{ ansible_managed }}
+[sssd]
+config_file_version = 2
+services = nss, pam, sudo, ssh
+domains = {{ ipa_realm }}
+
+[nss]
+
+[pam]
+
+[ssh]
+
+[sudo]
+
+[domain/{{ ipa_realm }}]
+cache_credentials = true
+krb5_store_password_if_offline = true
+id_provider = ipa
+auth_provider = ipa
+access_provider = ipa
+chpass_provider = ipa
+ldap_tls_cacert = /etc/ipa/ca.crt
+ipa_hostname = {{ ansible_fqdn }}
diff --git a/roles/lightbulb-ansiblered-deck b/roles/lightbulb-ansiblered-deck
new file mode 120000
index 0000000..f06526d
--- /dev/null
+++ b/roles/lightbulb-ansiblered-deck
@@ -0,0 +1 @@
+/Users/ptoal/Dev/lightbulb-ansiblered-deck
\ No newline at end of file
diff --git a/roles/toal-common/tasks/main.yml b/roles/toal-common/tasks/main.yml
index e415b03..742efb1 100644
--- a/roles/toal-common/tasks/main.yml
+++ b/roles/toal-common/tasks/main.yml
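Review bot: krb5.conf.j2 references `bind_localdomain` (in `default_domain` and in both `[domain_realm]` entries) but the role's new `defaults/main.yml` defines only `ipa_realm` and `ipa_server`, so the `configure krb5` task fails with an undefined-variable error unless the caller sets it; add `bind_localdomain` to `defaults/main.yml` or document it as a required variable. Also `ipa_realm` is used here as the Kerberos realm (`{{ ipa_realm |upper }}`) and in sssd.conf.j2 as the SSSD domain name, which only works when the realm and the DNS domain coincide; a comment on the variable stating that assumption would help.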
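Review bot: sssd.conf.j2 sets `ldap_tls_cacert = /etc/ipa/ca.crt`, but no task in this role's tasks/main.yml fetches or installs that certificate, so sssd cannot verify the TLS connection to the IPA server unless something outside the role has already placed the file; add a task that copies the CA from the IPA server to `/etc/ipa/ca.crt` (mode `"0644"`) before `start and enable sssd`, or document the prerequisite in the role README. Minor: the empty `[nss]`, `[pam]`, `[ssh]` and `[sudo]` sections could carry a one-line comment saying they are intentionally left at defaults.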
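Review bot: `roles/lightbulb-ansiblered-deck` is committed as a symlink to `/Users/ptoal/Dev/lightbulb-ansiblered-deck`, an absolute path into one developer's home directory, so on any other checkout the role used by the new play in site.yml does not resolve and that play fails. Replace the symlink with a `requirements.yml` entry pinned to a version or git ref (or a git submodule), and add a comment in site.yml noting where the role comes from.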
@@ -1,5 +1,6 @@ --- # Ensure that virtual guests have the guest tools installed. +- block: - name: Guest Tools Repository rhsm_repository: name: rhel-7-server-rh-common-rpms @@ -9,7 +10,7 @@ yum: name: ovirt-guest-agent state: present - when: ansible_virtualization_type == "RHEV" notify: Ovirt Agent Restart + when: ansible_virtualization_type == "RHEV" diff --git a/satellite.yml b/satellite.yml index 608df57..642b87c 100644 --- a/satellite.yml +++ b/satellite.yml @@ -64,14 +64,13 @@ memory: "{{ vm_memory }}" disks: "{{ vm_disks }}" cpu_cores: "{{ vm_cpu_cores }}" - operating_system: "{{ vm_os }}" cluster: "{{ vm_cluster }}" + operating_system: "{{ vm_os }}" type: server graphical_console: protocol: - spice - vnc - cluster: Default boot_devices: - hd async: 300 diff --git a/site.yml b/site.yml index 74e6201..41f0969 100644 --- a/site.yml +++ b/site.yml @@ -1,8 +1,12 @@ # Toal Lab Site Playbook - - - name: Common Lab Machine Setup hosts: all become: true roles: - toal-common + +- name: Ansible Red Demo Environment + hosts: ansible-red + become: false + roles: + - lightbulb-ansiblered-deck
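Review bot: The `- block:` line is added to roles/toal-common/tasks/main.yml without any re-indentation of the tasks that follow it (the diffstat reports only 2 insertions and 1 deletion for this file), so the change only parses if those tasks were already indented one level under the list item; otherwise `block:` has an empty value and Ansible rejects the play. The indentation is not recoverable from this collapsed diff, and whether the `when: ansible_virtualization_type == "RHEV"` re-added after `notify:` in the second hunk is the block's condition or still the yum task's is likewise not visible; an `ansible-playbook --syntax-check` run and a name on the block (e.g. `- name: RHEV guest tools` / `  block:`) would settle both. Both hunks end inside the block, so its closing lines are outside this view.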