authorStonewall Jackson <stonewall@sacredheartsc.com>2023-02-04 01:23:43 -0500
committerStonewall Jackson <stonewall@sacredheartsc.com>2023-02-04 01:52:13 -0500
commit0261e875679f1bf63c8d689da7fc7e014597885d (patch)
tree3f19cd74a0c1070944f75437f30b098d6ef2ffcb /roles/freeipa_client
initial commit
Diffstat (limited to 'roles/freeipa_client')
-rw-r--r--roles/freeipa_client/defaults/main.yml1
-rw-r--r--roles/freeipa_client/files/etc/gssproxy/99-nfs-client.conf9
-rw-r--r--roles/freeipa_client/handlers/main.yml14
-rw-r--r--roles/freeipa_client/tasks/main.yml54
-rw-r--r--roles/freeipa_client/vars/main.yml5
5 files changed, 83 insertions, 0 deletions
diff --git a/roles/freeipa_client/defaults/main.yml b/roles/freeipa_client/defaults/main.yml
new file mode 100644
index 0000000..95fa912
--- /dev/null
+++ b/roles/freeipa_client/defaults/main.yml
@@ -0,0 +1 @@
+freeipa_autofs: yes
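Review bot: `freeipa_autofs: yes` relies on the YAML 1.1 boolean spelling; Ansible reads it as a boolean today, but yamllint's `truthy` rule and any YAML 1.2 tooling treat `yes` as a string, so write the canonical form `freeipa_autofs: true`. The same spelling appears as `create: yes` in the `send sssd logs to journald` task in tasks/main.yml, which should become `create: true`. A short comment above the default, `# Run ipa-client-automount to mount home directories via autofs`, would also tell a reader what opting in does, since the defaults file is the first place they look.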
diff --git a/roles/freeipa_client/files/etc/gssproxy/99-nfs-client.conf b/roles/freeipa_client/files/etc/gssproxy/99-nfs-client.conf
new file mode 100644
index 0000000..2ef5e1e
--- /dev/null
+++ b/roles/freeipa_client/files/etc/gssproxy/99-nfs-client.conf
@@ -0,0 +1,9 @@
+[service/nfs-client]
+ mechs = krb5
+ cred_store = keytab:/etc/krb5.keytab
+ cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%u
+ cred_store = client_keytab:/var/lib/gssproxy/clients/%u.keytab
+ cred_usage = initiate
+ allow_any_uid = yes
+ trusted = yes
+ euid = 0
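Review bot: The section grants `allow_any_uid = yes` and `trusted = yes` against the host keytab with no comment explaining why that is acceptable, and the only thing that scopes it is `euid = 0` on the last line, which limits this service entry to callers running as root (the kernel NFS client). A header comment should state that explicitly, e.g. `# Kernel NFS client only (euid = 0): the permissive allow_any_uid/trusted flags must never be copied to a section that serves unprivileged callers`, so a later edit does not relax `euid` and silently hand the machine keytab to every local user. The `%u` token in the two `cred_store` paths should also be checked against the gssproxy.conf man page of the targeted release, since `%U` (numeric uid) is the token used in the upstream nfs-client example and the two are not interchangeable.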
diff --git a/roles/freeipa_client/handlers/main.yml b/roles/freeipa_client/handlers/main.yml
new file mode 100644
index 0000000..6f9bf27
--- /dev/null
+++ b/roles/freeipa_client/handlers/main.yml
@@ -0,0 +1,14 @@
+- name: restart gssproxy
+ systemd:
+ name: gssproxy
+ state: restarted
+
+- name: restart sssd
+ systemd:
+ name: sssd
+ state: restarted
+
+- name: restart rsyslog
+ systemd:
+ name: rsyslog
+ state: restarted
diff --git a/roles/freeipa_client/tasks/main.yml b/roles/freeipa_client/tasks/main.yml
new file mode 100644
index 0000000..8b98daa
--- /dev/null
+++ b/roles/freeipa_client/tasks/main.yml
@@ -0,0 +1,54 @@
+- name: install freeipa pacakges
+ dnf:
+ name: '{{ freeipa_packages[ansible_distribution_major_version] }}'
+ state: present
+
+- name: initialize freeipa client
+ command: >
+ ipa-client-install
+ --unattended
+ --principal={{ ipa_user }}
+ --password={{ ipa_pass | quote }}
+ args:
+ creates: /etc/ipa/default.conf
+
+- name: configure autofs
+ command: ipa-client-automount --unattended
+ register: ipa_client_automount
+ failed_when: ipa_client_automount.rc not in [0, 3]
+ changed_when: ipa_client_automount.rc != 3
+ when: freeipa_autofs
+
+- name: configure gssproxy
+ copy:
+ src: etc/gssproxy/99-nfs-client.conf
+ dest: /etc/gssproxy/99-nfs-client.conf
+ notify: restart gssproxy
+
+- name: enable krb5 hostname canonicalization
+ lineinfile:
+ path: /etc/krb5.conf
+ regexp: '^\s*{{ item }}\s*='
+ line: ' {{ item }} = true'
+ insertafter: '\[libdefaults\]'
+ state: present
+ loop:
+ - rdns
+ - dns_canonicalize_hostname
+
+# Disabling this until they figure out this bug. I don't use containers,
+# so the kernel KEYRING ccache is just fine.
+# https://bugzilla.redhat.com/show_bug.cgi?id=2035496
+- name: uninstall sssd-kcm
+ dnf:
+ name: sssd-kcm
+ state: absent
+ notify: restart sssd
+
+- name: send sssd logs to journald
+ lineinfile:
+ create: yes
+ path: /etc/sysconfig/sssd
+ regexp: ^DEBUG_LOGGER=
+ line: DEBUG_LOGGER=--logger=journald
+ notify: restart sssd
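Review bot: The `initialize freeipa client` task passes `--password={{ ipa_pass | quote }}` on the command line without `no_log`, so the enrollment credential is written into Ansible's task output, any callback/log plugin and `-v` runs, and is visible in the process list on the host for the duration of `ipa-client-install`; add `no_log: true` to that task, and consider enrolling with a one-time password or a pre-created keytab rather than the admin account so a leaked value has bounded blast radius. `{{ ipa_user }}` is interpolated into the same shell line without `| quote`, unlike the password. In the `configure gssproxy` task the `copy` module sets no `owner`/`mode`, so the installed file inherits whatever the source or umask gives it; `mode: '0644'` and `owner: root` pin it. Minor: the first task name has a typo (`pacakges`), and `create: yes` in the last task should be `create: true`.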
diff --git a/roles/freeipa_client/vars/main.yml b/roles/freeipa_client/vars/main.yml
new file mode 100644
index 0000000..0dc5a8e
--- /dev/null
+++ b/roles/freeipa_client/vars/main.yml
@@ -0,0 +1,5 @@
+freeipa_packages:
+ '8':
+ - '@idm:DL1/client'
+ '9':
+ - ipa-client