ptoal/toallab-automation
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
e09a7f7d458479e88b16110efe3f43bda952b725
toallab-automation/roles/debian-freeipa-client/tasks/main.yml
Patrick Toal 832502de34 Updated with ipaclient setup and bootstrap
2019-02-23 20:34:35 -05:00

136 lines
3.4 KiB
YAML
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

---
- name: install kerberoes user utility
package:
name: krb5-user
state: present
- name: check if we have a cached kerberos ticket
delegate_to: "{{ ipa_server }}"
vars: {ansible_user: ""}
become: no
command: klist
run_once: yes
changed_when: false
- name: check if the host exists in the directory
delegate_to: "{{ ipa_server }}"
vars: {ansible_user: ""}
become: no
command: flock /tmp/ansible-lock ipa host-show {{ ansible_fqdn }}
register: host_show
failed_when: host_show.rc == 1
changed_when: false
- name: create the host principal
delegate_to: "{{ ipa_server }}"
vars: {ansible_user: ""}
become: no
command: flock /tmp/ansible-lock ipa host-add {{ ansible_fqdn }} --force
--sshpubkey \"{{ ansible_ssh_host_key_rsa_public }}\"
--os {{ ansible_distribution }}
when: host_show.rc != 0
tags: [install]
- name: check if /etc/krb5.keytab exists
stat: path=/etc/krb5.keytab
register: keytab
- name: generate the host keytab
delegate_to: "{{ ipa_server }}"
vars: {ansible_user: ""}
become: no
command: flock /tmp/ansible-lock /usr/sbin/ipa-getkeytab -s {{ ipa_server }} -p host/{{ ansible_fqdn }} -k /tmp/{{ ansible_hostname }}.keytab
when: 'not keytab.stat.exists or "Keytab: True" not in host_show.stdout'
tags: [install]
- name: transfer the keytab over to the IPA client
synchronize:
src: /tmp/{{ ansible_hostname }}.keytab
dest: /etc/krb5.keytab
archive: no
ssh_args: -l root
delegate_to: "{{ ipa_server }}"
vars: {ansible_user: ""}
become: no
when: 'not keytab.stat.exists or "Keytab: True" not in host_show.stdout'
notify: restart sssd
tags: [install]
- name: remove the keytab file on the FreeIPA server
delegate_to: "{{ ipa_server }}"
vars: {ansible_user: ""}
become: no
file:
path: /tmp/{{ ansible_hostname }}.keytab
state: absent
tags: [install]
- name: create the directory /etc/sssd
file:
path: /etc/sssd
state: directory
- name: configure sssd
template:
src: sssd.conf.j2
dest: /etc/sssd/sssd.conf
mode: 0600
notify: restart sssd
tags: [configure]
- name: install sssd
apt: name=sssd state=present
tags: [install]
- name: automatically create user home directories
copy:
src: mkhomedir
dest: /usr/share/pam-configs/mkhomedir
notify: execute pam-auth-update
- name: configure krb5
template:
src: krb5.conf.j2
dest: /etc/krb5.conf
tags: [configure]
- name: set AuthorizedKeysCommand for sshd
lineinfile:
regexp: AuthorizedKeysCommand\b
line: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
dest: /etc/ssh/sshd_config
notify: restart sshd
tags: [configure]
- name: set AuthorizedKeysCommandUser for sshd
lineinfile:
regexp: AuthorizedKeysCommandUser
line: AuthorizedKeysCommandUser nobody
dest: /etc/ssh/sshd_config
notify: restart sshd
tags: [configure]
- name: set GlobalKnownHostsFile for ssh
lineinfile:
regexp: GlobalKnownHostsFile
line: GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
dest: /etc/ssh/ssh_config
- name: set ProxyCommand for ssh
lineinfile:
regexp: ProxyCommand
line: ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
dest: /etc/ssh/ssh_config
tags: [configure]
- name: start and enable sssd
service: name=sssd state=started enabled=yes
tags: [serve]
- name: exclude lastlog and faillog from backups
copy:
src: backup_excludes
dest: /var/log/.backup
tags: [configure]
Reference in New Issue View Git Blame Copy Permalink