Updated with ipaclient setup and bootstrap

.vscode/settings.json

@@ -0,0 +1 @@
+{}

bootstrap.yml

@@ -0,0 +1,9 @@
+# Note: need to specify extra_vars, providing ansible_ssh_user, and ansible_ssh_pass
+- name: Set up IPA Client
+  hosts: lab-ipa-client
+  become: yes
+  roles:
+    - role: debian-freeipa-client
+      when: ansible_facts['os_family'] == "Debian"
+    - role: alvaroaleman.freeipa-client
+      when: ansible_facts['os_family'] == "RedHat"

rhv_setup.yml

@@ -0,0 +1,21 @@
+---
+- name: Create RHV/ovirt VLANs
+  hosts: rhv.lab.toal.ca
+  connection: local
+  vars:
+    # Hack to work around virtualenv python interpreter
+    ansible_python_interpreter: "{{ ansible_playbook_python }}"
+  tasks:
+    - ovirt_network:
+        auth: "{{ ovirt_auth }}"
+        fetch_nested: true
+        data_center: "{{ item.data_center }}"
+        name: "{{ item.name }}"
+        vlan_tag: "{{ item.vlan_tag }}"
+        vm_network: "{{ item.vm_network }}"
+        mtu: "{{ item.mtu }}"
+        description: "{{ item.description }}"
+      loop: "{{ ovirt_networks }}"
+      register: networkinfo
+
+    - debug: msg="{{networkinfo}}"

roles/debian-freeipa-client/defaults/main.yml

@@ -0,0 +1,3 @@
+---
+ipa_realm: "example.com"
+ipa_server: freeipa.example.com

roles/debian-freeipa-client/files/backup_excludes

@@ -0,0 +1,2 @@
+- lastlog
+- faillog

roles/debian-freeipa-client/files/mkhomedir

@@ -0,0 +1,8 @@
+Name: Create home directory during login
+Default: yes
+Priority: 127
+
+Session-Type: Additional
+Session-Interactive-Only: yes
+Session:
+        required pam_mkhomedir.so skel=/etc/skel/ umask=0022

roles/debian-freeipa-client/handlers/main.yml

@@ -0,0 +1,12 @@
+---
+- name: restart sssd
+  service: name=sssd state=restarted
+
+- name: restart sshd
+  service: name=sshd state=restarted
+
+- name: execute pam-auth-update
+  command: pam-auth-update --package
+
+- name: restart ntp
+  service: name=ntp state=restarted

roles/debian-freeipa-client/tasks/main.yml

@@ -0,0 +1,135 @@
+---
+
+- name: install kerberoes user utility
+  package:
+    name: krb5-user
+    state: present
+
+- name: check if we have a cached kerberos ticket
+  delegate_to: "{{ ipa_server }}"
+  vars: {ansible_user: ""}
+  become: no
+  command: klist
+  run_once: yes
+  changed_when: false
+
+- name: check if the host exists in the directory
+  delegate_to: "{{ ipa_server }}"
+  vars: {ansible_user: ""}
+  become: no
+  command: flock /tmp/ansible-lock ipa host-show {{ ansible_fqdn }}
+  register: host_show
+  failed_when: host_show.rc == 1
+  changed_when: false
+
+- name: create the host principal
+  delegate_to: "{{ ipa_server }}"
+  vars: {ansible_user: ""}
+  become: no
+  command: flock /tmp/ansible-lock ipa host-add {{ ansible_fqdn }} --force
+            --sshpubkey \"{{ ansible_ssh_host_key_rsa_public }}\"
+            --os {{ ansible_distribution }}
+  when: host_show.rc != 0
+  tags: [install]
+
+- name: check if /etc/krb5.keytab exists
+  stat: path=/etc/krb5.keytab
+  register: keytab
+
+- name: generate the host keytab
+  delegate_to: "{{ ipa_server }}"
+  vars: {ansible_user: ""}
+  become: no
+  command: flock /tmp/ansible-lock /usr/sbin/ipa-getkeytab -s {{ ipa_server }} -p host/{{ ansible_fqdn }} -k /tmp/{{ ansible_hostname }}.keytab
+  when: 'not keytab.stat.exists or "Keytab: True" not in host_show.stdout'
+  tags: [install]
+
+- name: transfer the keytab over to the IPA client
+  synchronize:
+    src: /tmp/{{ ansible_hostname }}.keytab
+    dest: /etc/krb5.keytab
+    archive: no
+    ssh_args: -l root
+  delegate_to: "{{ ipa_server }}"
+  vars: {ansible_user: ""}
+  become: no
+  when: 'not keytab.stat.exists or "Keytab: True" not in host_show.stdout'
+  notify: restart sssd
+  tags: [install]
+
+- name: remove the keytab file on the FreeIPA server
+  delegate_to: "{{ ipa_server }}"
+  vars: {ansible_user: ""}
+  become: no
+  file:
+    path: /tmp/{{ ansible_hostname }}.keytab
+    state: absent
+  tags: [install]
+
+- name: create the directory /etc/sssd
+  file:
+    path: /etc/sssd
+    state: directory
+
+- name: configure sssd
+  template:
+    src: sssd.conf.j2
+    dest: /etc/sssd/sssd.conf
+    mode: 0600
+  notify: restart sssd
+  tags: [configure]
+
+- name: install sssd
+  apt: name=sssd state=present
+  tags: [install]
+
+- name: automatically create user home directories
+  copy:
+    src: mkhomedir
+    dest: /usr/share/pam-configs/mkhomedir
+  notify: execute pam-auth-update
+
+- name: configure krb5
+  template:
+    src: krb5.conf.j2
+    dest: /etc/krb5.conf
+  tags: [configure]
+
+- name: set AuthorizedKeysCommand for sshd
+  lineinfile:
+    regexp: AuthorizedKeysCommand\b
+    line: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
+    dest: /etc/ssh/sshd_config
+  notify: restart sshd
+  tags: [configure]
+
+- name: set AuthorizedKeysCommandUser for sshd
+  lineinfile:
+    regexp: AuthorizedKeysCommandUser
+    line: AuthorizedKeysCommandUser nobody
+    dest: /etc/ssh/sshd_config
+  notify: restart sshd
+  tags: [configure]
+
+- name: set GlobalKnownHostsFile for ssh
+  lineinfile:
+    regexp: GlobalKnownHostsFile
+    line: GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
+    dest: /etc/ssh/ssh_config
+
+- name: set ProxyCommand for ssh
+  lineinfile:
+    regexp: ProxyCommand
+    line: ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
+    dest: /etc/ssh/ssh_config
+  tags: [configure]
+
+- name: start and enable sssd
+  service: name=sssd state=started enabled=yes
+  tags: [serve]
+
+- name: exclude lastlog and faillog from backups
+  copy:
+    src: backup_excludes
+    dest: /var/log/.backup
+  tags: [configure]

roles/debian-freeipa-client/templates/krb5.conf.j2

@@ -0,0 +1,31 @@
+# {{ ansible_managed }}
+includedir /var/lib/sss/pubconf/krb5.include.d/
+
+[libdefaults]
+  default_realm = {{ ipa_realm }}
+  dns_lookup_realm = false
+  dns_lookup_kdc = false
+  rdns = false
+  dns_canonicalize_hostname = false
+  ticket_lifetime = 24h
+  forwardable = true
+  
+
+[realms]
+  {{ ipa_realm |upper }} = {
+    kdc = {{ ipa_server }}:88
+    master_kdc = {{ ipa_server }}:88
+    admin_server = {{ ipa_server }}:749
+    kpasswd_server = {{ ipa_server }}:464
+    default_domain = {{ bind_localdomain }}
+  }
+
+
+[domain_realm]
+  .{{ bind_localdomain }} = {{ ipa_realm |upper}}
+  {{ bind_localdomain }} = {{ ipa_realm |upper}}
+
+[logging]
+default = FILE:/var/log/krb5libs.log
+kdc = FILE:/var/log/krb5kdc.log
+admin_server = FILE:/var/log/kadmin.log

roles/debian-freeipa-client/templates/sssd.conf.j2

@@ -0,0 +1,23 @@
+# {{ ansible_managed }}
+[sssd]
+config_file_version = 2
+services = nss, pam, sudo, ssh
+domains = {{ ipa_realm }}
+
+[nss]
+
+[pam]
+
+[ssh]
+
+[sudo]
+
+[domain/{{ ipa_realm }}]
+cache_credentials = true
+krb5_store_password_if_offline = true
+id_provider = ipa
+auth_provider = ipa
+access_provider = ipa
+chpass_provider = ipa
+ldap_tls_cacert = /etc/ipa/ca.crt
+ipa_hostname = {{ ansible_fqdn }}

roles/lightbulb-ansiblered-deck

@@ -0,0 +1 @@
+/Users/ptoal/Dev/lightbulb-ansiblered-deck

roles/toal-common/tasks/main.yml

@@ -1,5 +1,6 @@
 ---
 # Ensure that virtual guests have the guest tools installed.
+- block:
   - name: Guest Tools Repository
     rhsm_repository:
       name: rhel-7-server-rh-common-rpms
@@ -9,7 +10,7 @@
     yum:
       name: ovirt-guest-agent
       state: present
-    when: ansible_virtualization_type == "RHEV"
     notify: Ovirt Agent Restart
+  when: ansible_virtualization_type == "RHEV"
 
 

satellite.yml

@@ -64,14 +64,13 @@
         memory: "{{ vm_memory }}"
         disks: "{{ vm_disks }}"
         cpu_cores: "{{ vm_cpu_cores }}"
-        operating_system: "{{ vm_os }}"
         cluster: "{{ vm_cluster }}"
+        operating_system: "{{ vm_os }}"
         type: server
         graphical_console:
           protocol:
             - spice
             - vnc
-        cluster: Default
         boot_devices:
           - hd
       async: 300

site.yml

@@ -1,8 +1,12 @@
 # Toal Lab Site Playbook
-
-
 - name: Common Lab Machine Setup
   hosts: all
   become: true
   roles:
     - toal-common
+
+- name: Ansible Red Demo Environment
+  hosts: ansible-red
+  become: false
+  roles:
+    - lightbulb-ansiblered-deck