Updated with ipaclient setup and bootstrap

2019-02-23 20:34:35 -05:00
parent 65ed5e0ce8
commit 832502de34
14 changed files with 255 additions and 5 deletions
--- a/roles/debian-freeipa-client/tasks/main.yml
+++ b/roles/debian-freeipa-client/tasks/main.yml
@@ -0,0 +1,135 @@
+---
+
+- name: install kerberoes user utility
+  package:
+    name: krb5-user
+    state: present
+
+- name: check if we have a cached kerberos ticket
+  delegate_to: "{{ ipa_server }}"
+  vars: {ansible_user: ""}
+  become: no
+  command: klist
+  run_once: yes
+  changed_when: false
+
+- name: check if the host exists in the directory
+  delegate_to: "{{ ipa_server }}"
+  vars: {ansible_user: ""}
+  become: no
+  command: flock /tmp/ansible-lock ipa host-show {{ ansible_fqdn }}
+  register: host_show
+  failed_when: host_show.rc == 1
+  changed_when: false
+
+- name: create the host principal
+  delegate_to: "{{ ipa_server }}"
+  vars: {ansible_user: ""}
+  become: no
+  command: flock /tmp/ansible-lock ipa host-add {{ ansible_fqdn }} --force
+            --sshpubkey \"{{ ansible_ssh_host_key_rsa_public }}\"
+            --os {{ ansible_distribution }}
+  when: host_show.rc != 0
+  tags: [install]
+
+- name: check if /etc/krb5.keytab exists
+  stat: path=/etc/krb5.keytab
+  register: keytab
+
+- name: generate the host keytab
+  delegate_to: "{{ ipa_server }}"
+  vars: {ansible_user: ""}
+  become: no
+  command: flock /tmp/ansible-lock /usr/sbin/ipa-getkeytab -s {{ ipa_server }} -p host/{{ ansible_fqdn }} -k /tmp/{{ ansible_hostname }}.keytab
+  when: 'not keytab.stat.exists or "Keytab: True" not in host_show.stdout'
+  tags: [install]
+
+- name: transfer the keytab over to the IPA client
+  synchronize:
+    src: /tmp/{{ ansible_hostname }}.keytab
+    dest: /etc/krb5.keytab
+    archive: no
+    ssh_args: -l root
+  delegate_to: "{{ ipa_server }}"
+  vars: {ansible_user: ""}
+  become: no
+  when: 'not keytab.stat.exists or "Keytab: True" not in host_show.stdout'
+  notify: restart sssd
+  tags: [install]
+
+- name: remove the keytab file on the FreeIPA server
+  delegate_to: "{{ ipa_server }}"
+  vars: {ansible_user: ""}
+  become: no
+  file:
+    path: /tmp/{{ ansible_hostname }}.keytab
+    state: absent
+  tags: [install]
+
+- name: create the directory /etc/sssd
+  file:
+    path: /etc/sssd
+    state: directory
+
+- name: configure sssd
+  template:
+    src: sssd.conf.j2
+    dest: /etc/sssd/sssd.conf
+    mode: 0600
+  notify: restart sssd
+  tags: [configure]
+
+- name: install sssd
+  apt: name=sssd state=present
+  tags: [install]
+
+- name: automatically create user home directories
+  copy:
+    src: mkhomedir
+    dest: /usr/share/pam-configs/mkhomedir
+  notify: execute pam-auth-update
+
+- name: configure krb5
+  template:
+    src: krb5.conf.j2
+    dest: /etc/krb5.conf
+  tags: [configure]
+
+- name: set AuthorizedKeysCommand for sshd
+  lineinfile:
+    regexp: AuthorizedKeysCommand\b
+    line: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
+    dest: /etc/ssh/sshd_config
+  notify: restart sshd
+  tags: [configure]
+
+- name: set AuthorizedKeysCommandUser for sshd
+  lineinfile:
+    regexp: AuthorizedKeysCommandUser
+    line: AuthorizedKeysCommandUser nobody
+    dest: /etc/ssh/sshd_config
+  notify: restart sshd
+  tags: [configure]
+
+- name: set GlobalKnownHostsFile for ssh
+  lineinfile:
+    regexp: GlobalKnownHostsFile
+    line: GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
+    dest: /etc/ssh/ssh_config
+
+- name: set ProxyCommand for ssh
+  lineinfile:
+    regexp: ProxyCommand
+    line: ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
+    dest: /etc/ssh/ssh_config
+  tags: [configure]
+
+- name: start and enable sssd
+  service: name=sssd state=started enabled=yes
+  tags: [serve]
+
+- name: exclude lastlog and faillog from backups
+  copy:
+    src: backup_excludes
+    dest: /var/log/.backup
+  tags: [configure]