Diffstat (limited to 'roles/freeipa_server')
-rw-r--r--roles/freeipa_server/defaults/main.yml33
-rw-r--r--roles/freeipa_server/files/usr/local/share/dirsrv/schema/jid.ldif3
-rw-r--r--roles/freeipa_server/handlers/main.yml19
-rw-r--r--roles/freeipa_server/tasks/custom_schema.yml101
-rw-r--r--roles/freeipa_server/tasks/main.yml77
-rw-r--r--roles/freeipa_server/tasks/master.yml138
-rw-r--r--roles/freeipa_server/tasks/replica.yml21
-rw-r--r--roles/freeipa_server/templates/etc/named/ipa-options-ext.conf.j27
-rw-r--r--roles/freeipa_server/templates/etc/pki/caIPAclientAuth.cfg.j2113
-rw-r--r--roles/freeipa_server/templates/etc/rsyslog.d/freeipa.conf.j28
-rw-r--r--roles/freeipa_server/vars/main.yml65
11 files changed, 585 insertions, 0 deletions
diff --git a/roles/freeipa_server/defaults/main.yml b/roles/freeipa_server/defaults/main.yml
new file mode 100644
index 0000000..209cd5f
--- /dev/null
+++ b/roles/freeipa_server/defaults/main.yml
@@ -0,0 +1,33 @@
+freeipa_domain: '{{ ansible_domain }}'
+freeipa_realm: '{{ ansible_domain | upper }}'
+freeipa_email_domain: '{{ email_domain }}'
+freeipa_workgroup: WORKGROUP
+
+freeipa_archive_on_calendar: 'Sat *-*-* 04:00:00'
+
+freeipa_dns_forwarders:
+ - 8.8.8.8
+ - 8.8.4.4
+
+freeipa_dns_max_negative_cache: 5 # seconds
+
+freeipa_nfs_homedirs: no
+
+freeipa_admin_password: ChangeMe123
+freeipa_ds_password: ChangeMe123
+
+freeipa_idstart: 100000
+freeipa_idmax: 299999
+
+freeipa_maxpwdlife: 3650 # 10 years
+freeipa_minpwdlife: 1 # hours
+freeipa_historylength: 0
+freeipa_minclasses: 0
+freeipa_minlength: 8
+freeipa_maxfailcount: 6
+freeipa_failinterval: 60 # seconds
+freeipa_lockouttime: 600 # seconds
+
+freeipa_admin_password_expiration: 20310130235959
+
+freeipa_default_login_shell: /bin/bash
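Review bot: `freeipa_admin_password` and `freeipa_ds_password` at lines 41–42 carry a working default (`ChangeMe123`), so a play that forgets to override them builds a server whose admin and Directory Manager credentials are a string published in this repository, and nothing in the role detects that. Dropping the two keys from defaults makes the install tasks fail on an undefined variable instead, which is the safer failure mode; the values themselves belong in vaulted inventory. `freeipa_nfs_homedirs: no` is a YAML 1.1 truthy spelling; write `freeipa_nfs_homedirs: false`. `freeipa_admin_password_expiration: 20310130235959` is parsed as an integer, while the `ipauser` module documents `passwordexpiration` as a `YYYYMMDDHHMMSSZ` string, so quoting it (e.g. `'20310130235959Z'`) avoids depending on the module's coercion — worth confirming against the module version in use.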
diff --git a/roles/freeipa_server/files/usr/local/share/dirsrv/schema/jid.ldif b/roles/freeipa_server/files/usr/local/share/dirsrv/schema/jid.ldif
new file mode 100644
index 0000000..592059a
--- /dev/null
+++ b/roles/freeipa_server/files/usr/local/share/dirsrv/schema/jid.ldif
@@ -0,0 +1,3 @@
+dn: cn=config
+attributetypes: ( 1.3.6.1.1.23.2 NAME 'jid' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Extending FreeIPA' )
+objectclasses: ( 1.3.6.1.1.23.1 NAME 'JIDObject' AUXILIARY MAY jid X-ORIGIN 'Extending FreeIPA' )
diff --git a/roles/freeipa_server/handlers/main.yml b/roles/freeipa_server/handlers/main.yml
new file mode 100644
index 0000000..884f66d
--- /dev/null
+++ b/roles/freeipa_server/handlers/main.yml
@@ -0,0 +1,19 @@
+- name: restart freeipa
+ systemd:
+ name: ipa
+ state: restarted
+
+- name: restart sssd
+ systemd:
+ name: sssd
+ state: restarted
+
+- name: restart rsyslog
+ systemd:
+ name: rsyslog
+ state: restarted
+
+- name: restart samba
+ systemd:
+ name: smb
+ state: restarted
diff --git a/roles/freeipa_server/tasks/custom_schema.yml b/roles/freeipa_server/tasks/custom_schema.yml
new file mode 100644
index 0000000..e5bca0d
--- /dev/null
+++ b/roles/freeipa_server/tasks/custom_schema.yml
@@ -0,0 +1,101 @@
+- name: create custom schema directory
+ file:
+ path: '{{ freeipa_custom_schema_dir }}'
+ state: directory
+ recurse: yes
+
+- name: copy jid schema
+ copy:
+ src: '{{ freeipa_custom_schema_dir[1:] }}/jid.ldif'
+ dest: '{{ freeipa_custom_schema_dir }}/jid.ldif'
+
+- name: check if JIDObject exists in schema
+ shell: ldapsearch -QLLL -s base -b cn=schema objectclasses | grep -q JIDObject
+ changed_when: no
+ failed_when: no
+ register: ldapsearch_jidobject
+
+- block:
+ - name: extend freeipa schema for JIDs
+ command: ipa-ldap-updater --schema-file '{{ freeipa_custom_schema_dir }}/jid.ldif'
+
+ - name: restart httpd
+ systemd:
+ name: httpd
+ state: restarted
+ when: ldapsearch_jidobject.rc != 0
+
+- name: add index to jid attribute
+ ldap_entry:
+ dn: 'cn=jid,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config'
+ objectClass:
+ - top
+ - nsIndex
+ attributes:
+ cn: jid
+ nsSystemIndex: false
+ nsIndexType: eq
+ bind_dn: cn=Directory Manager
+ bind_pw: '{{ freeipa_ds_password }}'
+ server_uri: ldaps://{{ ipa_host }}
+ register: jid_index
+
+- name: regenerate indexes for jid attribute
+ ldap_entry:
+ dn: cn=jidindex,cn=index,cn=tasks,cn=config
+ objectClass:
+ - top
+ - extensibleObject
+ attributes:
+ cn: jidindex
+ nsInstance: userRoot
+ nsIndexAttribute: 'jid:eq'
+ bind_dn: cn=Directory Manager
+ bind_pw: '{{ freeipa_ds_password }}'
+ server_uri: ldaps://{{ ipa_host }}
+ when: jid_index.changed
+
+- name: add default user object classes
+ ldap_attrs:
+ dn: cn=ipaConfig,cn=etc,{{ freeipa_basedn }}
+ attributes:
+ ipaUserObjectClasses:
+ - mailRecipient
+ - JIDObject
+ state: present
+ bind_dn: cn=Directory Manager
+ bind_pw: '{{ freeipa_ds_password }}'
+ server_uri: ldaps://{{ ipa_host }}
+
+- name: add default group object classes
+ ldap_attrs:
+ dn: cn=ipaConfig,cn=etc,{{ freeipa_basedn }}
+ attributes:
+ ipaGroupObjectClasses:
+ - mailRecipient
+ state: present
+ bind_dn: cn=Directory Manager
+ bind_pw: '{{ freeipa_ds_password }}'
+ server_uri: ldaps://{{ ipa_host }}
+
+- name: allow read access to custom user attributes
+ ipapermission:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ name: 'System: Read User Addressbook Attributes'
+ attrs:
+ - mailAlternateAddress
+ - jid
+ action: member
+ state: present
+
+- name: allow read access to custom group attributes
+ ipapermission:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ name: 'System: Read Groups'
+ attrs:
+ - mail
+ - mailAlternateAddress
+ action: member
+ state: present
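Review bot: The JIDObject probe at line 111 runs with `failed_when: no`, so any failure of `ldapsearch` itself (expired ticket, directory down, TLS error) yields a non-zero rc that line 124 reads as "schema missing" and re-runs `ipa-ldap-updater` plus an httpd restart on every such run. `grep -q` returns 1 when the object class is absent, so `failed_when: ldapsearch_jidobject.rc not in [0, 1]` keeps the intended idempotence while surfacing real errors. The inline `restart httpd` task at lines 120–123 duplicates what handlers/main.yml does for the other services; a `notify: restart httpd` with a matching handler keeps restarts in one place. `nsSystemIndex: false` at line 134 is a YAML boolean rather than the string the directory stores; quoting it as `'false'` avoids depending on how `ldap_entry` stringifies it.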
diff --git a/roles/freeipa_server/tasks/main.yml b/roles/freeipa_server/tasks/main.yml
new file mode 100644
index 0000000..1dd6eaa
--- /dev/null
+++ b/roles/freeipa_server/tasks/main.yml
@@ -0,0 +1,77 @@
+- name: install freeipa pacakges
+ dnf:
+ name: '{{ freeipa_packages }}'
+ state: present
+
+# Disabling this until they figure out this bug. I don't use containers,
+# so the kernel KEYRING ccache is just fine.
+# https://bugzilla.redhat.com/show_bug.cgi?id=2035496
+- name: uninstall sssd-kcm
+ dnf:
+ name: sssd-kcm
+ state: absent
+ notify: restart sssd
+
+- name: open firewall ports
+ firewalld:
+ service: '{{ item }}'
+ permanent: yes
+ immediate: yes
+ state: enabled
+ loop:
+ - dns
+ - freeipa-ldap
+ - freeipa-ldaps
+ - freeipa-trust
+ - freeipa-replication
+ tags: firewalld
+
+- include_tasks:
+ file: "{{ 'master' if (freeipa_master == inventory_hostname) else 'replica' }}.yml"
+
+- name: copy bind configuration
+ template:
+ src: etc/named/ipa-options-ext.conf.j2
+ dest: /etc/named/ipa-options-ext.conf
+ notify: restart freeipa
+
+- name: send sssd logs to journald
+ lineinfile:
+ create: yes
+ path: /etc/sysconfig/sssd
+ regexp: ^DEBUG_LOGGER=
+ line: DEBUG_LOGGER=--logger=journald
+ notify: restart sssd
+
+- name: check if rsyslog is installed
+ stat:
+ path: /etc/rsyslog.d
+ register: rsyslog_conf_dir
+
+- name: log krb5 to rsyslog
+ lineinfile:
+ path: /etc/krb5.conf
+ insertafter: '^\[logging\]$'
+ firstmatch: yes
+ regexp: '^\s*{{ item }}\s*='
+ line: ' {{ item }} = SYSLOG:INFO:DAEMON'
+ loop:
+ - kdc
+ - admin_server
+ notify: restart freeipa
+
+- name: log freeipa files to rsyslog
+ template:
+ src: etc/rsyslog.d/freeipa.conf.j2
+ dest: /etc/rsyslog.d/freeipa.conf
+ notify: restart rsyslog
+ when: rsyslog_conf_dir.stat.exists
+
+- name: log samba to rsyslog
+ lineinfile:
+ path: /etc/samba/smb.conf
+ insertafter: '^\[global\]$'
+ firstmatch: yes
+ regexp: '^\s*logging\s*='
+ line: 'logging = syslog@2'
+ notify: restart samba
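Review bot: The krb5 `regexp: '^\s*{{ item }}\s*='` at line 261 is matched against the whole of /etc/krb5.conf, and on an IPA server `kdc =` and `admin_server =` also appear under `[realms]`; the task appears to work only because `firstmatch: yes` stops at the `[logging]` occurrence, which precedes `[realms]` in the generated file. Anchoring the pattern to logging targets, `regexp: '^\s*{{ item }}\s*=\s*(FILE|SYSLOG)[:=]'`, stops a future reorder or a missing `[logging]` entry from rewriting the realm's KDC address. The first task name has a typo: `install freeipa pacakges` → `install freeipa packages`. `permanent: yes` / `immediate: yes` / `create: yes` are YAML 1.1 truthy spellings; the rest of the role uses `false`, so `true` would be consistent.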
diff --git a/roles/freeipa_server/tasks/master.yml b/roles/freeipa_server/tasks/master.yml
new file mode 100644
index 0000000..34d1442
--- /dev/null
+++ b/roles/freeipa_server/tasks/master.yml
@@ -0,0 +1,138 @@
+- name: initialize freeipa server
+ command: >
+ ipa-server-install
+ --unattended
+ --realm={{ freeipa_realm }}
+ --domain={{ freeipa_domain }}
+ --ds-password={{ freeipa_ds_password | quote }}
+ --admin={{ freeipa_admin_password | quote }}
+ --hostname={{ ansible_fqdn }}
+ --ip-address={{ ansible_default_ipv4.address }}
+ --no-host-dns
+ --idstart={{ freeipa_idstart }}
+ --idmax={{ freeipa_idmax }}
+ --setup-dns
+ {% for forwarder in freeipa_dns_forwarders %}
+ --forwarder {{ forwarder }}
+ {% endfor %}
+ --forward-policy=only
+ --no-ntp
+ --no-hbac-allow
+ args:
+ creates: /etc/ipa/default.conf
+
+- name: initialize AD trust (for smb)
+ command: >
+ ipa-adtrust-install
+ --unattended
+ --add-sids
+ --netbios-name={{ freeipa_workgroup }}
+ --admin-name=admin
+ --admin-password={{ freeipa_admin_password | quote }}
+ args:
+ creates: /etc/samba/samba.keytab
+
+- name: set default password policy
+ community.general.ipa_pwpolicy:
+ ipa_user: '{{ ipa_user }}'
+ ipa_pass: '{{ ipa_pass }}'
+ maxpwdlife: '{{ freeipa_maxpwdlife }}'
+ minpwdlife: '{{ freeipa_minpwdlife }}'
+ historylength: '{{ freeipa_historylength }}'
+ minclasses: '{{ freeipa_minclasses }}'
+ minlength: '{{ freeipa_minlength }}'
+ maxfailcount: '{{ freeipa_maxfailcount }}'
+ failinterval: '{{ freeipa_failinterval }}'
+ lockouttime: '{{ freeipa_lockouttime }}'
+
+- name: set admin user's password expiration date
+ ipauser:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ name: admin
+ passwordexpiration: '{{ freeipa_admin_password_expiration }}'
+
+- name: set global freeipa configuration
+ ipaconfig:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ emaildomain: '{{ freeipa_email_domain }}'
+ defaultshell: '{{ freeipa_default_login_shell }}'
+
+- name: create HBAC services for system-level services
+ ipahbacsvc:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ name: '{{ item }}'
+ description: '{{ item }}'
+ state: present
+ loop: '{{ freeipa_system_services }}'
+
+- name: create HBAC rule for system-level services
+ ipahbacrule:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ name: whitelisted_system_services
+ description: Always allow authentication to system-level services
+ usercategory: all
+ hostcategory: all
+ hbacsvc: '{{ freeipa_system_services }}'
+
+- name: get admin kerberos ticket
+ command:
+ cmd: kinit -fpa {{ ipa_user }}
+ stdin: '{{ ipa_pass }}'
+ changed_when: false
+
+- include_tasks: custom_schema.yml
+
+- name: generate clientAuth certificate profile
+ template:
+ src: etc/pki/caIPAclientAuth.cfg.j2
+ dest: /etc/pki/caIPAclientAuth.cfg
+ register: freeipa_clientauth_config
+
+- name: import clientAuth certificate profile
+ shell:
+ cmd: >
+ ipa certprofile-import caIPAclientAuth
+ --file /etc/pki/caIPAclientAuth.cfg
+ --desc 'Profile for client authentication'
+ --store TRUE
+ when: freeipa_clientauth_config.changed
+
+- name: destroy kerberos ticket
+ command:
+ cmd: kdestroy
+ changed_when: false
+
+- name: create automount maps
+ ipaautomountmap:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ name: '{{ item }}'
+ location: default
+ state: present
+ loop: '{{ freeipa_automount_maps }}'
+
+- name: create automount keys
+ ipaautomountkey:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ location: default
+ mapname: '{{ item.map }}'
+ key: '{{ item.key }}'
+ info: '{{ item.info }}'
+ state: present
+ loop: '{{ freeipa_automount_keys }}'
+
+- name: create /home automount key
+ ipaautomountkey:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ location: default
+ mapname: auto.master
+ key: /home
+ info: auto.home
+ state: "{{ 'present' if freeipa_nfs_homedirs else 'absent' }}"
+ when: freeipa_nfs_homedirs
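Review bot: `initialize freeipa server` (lines 295–296), `initialize AD trust` (line 319) and `get admin kerberos ticket` (line 372) pass `freeipa_ds_password`, `freeipa_admin_password` and `ipa_pass` through `command` without `no_log: true`, so the rendered command line and stdin land in verbose output, callback plugins and failure messages; add `no_log: true` to each of those tasks, and to `initialize freeipa replica` in replica.yml (line 440), which has the same issue. `--admin={{ ... }}` at line 296 appears to rely on option-prefix abbreviation (replica.yml spells it `--admin-password=`); use the full flag in both places. `destroy kerberos ticket` only runs if `custom_schema.yml` and the certprofile import succeed, so a failure leaves an admin ticket in the credential cache; wrapping the kinit, the include and the import in a `block` with `kdestroy` in `always` avoids that, as sketched below. In `create /home automount key`, the `'absent'` branch of `state` at line 425 is unreachable because `when: freeipa_nfs_homedirs` skips the task in exactly that case; dropping the `when` line makes disabling homedirs actually remove the key.
```yaml
- block:
    - name: get admin kerberos ticket
      command:
        cmd: kinit -fpa {{ ipa_user }}
        stdin: '{{ ipa_pass }}'
      changed_when: false
      no_log: true

    - include_tasks: custom_schema.yml

    # … unchanged: generate and import clientAuth certificate profile …

  always:
    - name: destroy kerberos ticket
      command:
        cmd: kdestroy
      changed_when: false
```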
diff --git a/roles/freeipa_server/tasks/replica.yml b/roles/freeipa_server/tasks/replica.yml
new file mode 100644
index 0000000..5b6b296
--- /dev/null
+++ b/roles/freeipa_server/tasks/replica.yml
@@ -0,0 +1,21 @@
+- name: initialize freeipa replica
+ command: >
+ ipa-replica-install
+ --unattended
+ --realm={{ freeipa_realm }}
+ --domain={{ freeipa_domain }}
+ --principal=admin
+ --admin-password={{ freeipa_admin_password | quote }}
+ --hostname={{ ansible_fqdn }}
+ --ip-address={{ ansible_default_ipv4.address }}
+ --no-host-dns
+ --setup-ca
+ --setup-dns
+ --setup-adtrust
+ {% for forwarder in freeipa_dns_forwarders %}
+ --forwarder {{ forwarder }}
+ {% endfor %}
+ --no-ntp
+ args:
+ creates: /etc/ipa/default.conf
+
diff --git a/roles/freeipa_server/templates/etc/named/ipa-options-ext.conf.j2 b/roles/freeipa_server/templates/etc/named/ipa-options-ext.conf.j2
new file mode 100644
index 0000000..9c37805
--- /dev/null
+++ b/roles/freeipa_server/templates/etc/named/ipa-options-ext.conf.j2
@@ -0,0 +1,7 @@
+allow-recursion { any; };
+allow-query-cache { any; };
+
+max-ncache-ttl {{ freeipa_dns_max_negative_cache }};
+
+/* turns on IPv6 for port 53, IPv4 is on by default for all ifaces */
+listen-on-v6 { any; };
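Review bot: `allow-recursion { any; };` and `allow-query-cache { any; };` at lines 460–461 turn the IPA nameserver into an open recursive resolver on every interface, and tasks/main.yml opens the `dns` firewalld service unconditionally, so any network that can reach port 53 can use it for recursion and cache reads — the usual amplification exposure. If the server is only meant to serve its own clients, restrict both directives to the client networks, e.g. `allow-recursion { localnets; localhost; };` and the same list for `allow-query-cache`, or a named `acl` holding the trusted ranges. A one-line comment above the two directives stating which networks are intended to recurse would make the choice reviewable later.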
diff --git a/roles/freeipa_server/templates/etc/pki/caIPAclientAuth.cfg.j2 b/roles/freeipa_server/templates/etc/pki/caIPAclientAuth.cfg.j2
new file mode 100644
index 0000000..0b03615
--- /dev/null
+++ b/roles/freeipa_server/templates/etc/pki/caIPAclientAuth.cfg.j2
@@ -0,0 +1,113 @@
+auth.instance_id=raCertAuth
+classId=caEnrollImpl
+desc=This certificate profile is for client authentication certificates.
+enable=true
+enableBy=ipara
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+input.list=i1,i2
+name=IPA-RA Agent-Authenticated Server Certificate Enrollment
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
+policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, O={{ freeipa_realm }}
+policyset.serverCertSet.10.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.10.constraint.name=No Constraint
+policyset.serverCertSet.10.default.class_id=subjectKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.10.default.name=Subject Key Identifier Extension Default
+policyset.serverCertSet.10.default.params.critical=false
+policyset.serverCertSet.11.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.11.constraint.name=No Constraint
+policyset.serverCertSet.11.default.class_id=userExtensionDefaultImpl
+policyset.serverCertSet.11.default.name=User Supplied Extension Default
+policyset.serverCertSet.11.default.params.userExtOID=2.5.29.17
+policyset.serverCertSet.12.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.12.constraint.name=No Constraint
+policyset.serverCertSet.12.default.class_id=commonNameToSANDefaultImpl
+policyset.serverCertSet.12.default.name=Copy Common Name to Subject Alternative Name
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.range=740
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=731
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,8192
+policyset.serverCertSet.3.constraint.params.keyType=RSA
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.serverCertSet.5.default.name=AIA Extension Default
+policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://ipa-ca.{{ freeipa_domain }}/ca/ocsp
+policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
+policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
+policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.serverCertSet.6.default.name=Key Usage Default
+policyset.serverCertSet.6.default.params.keyUsageCritical=true
+policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.7.constraint.name=No Constraint
+policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
+policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.serverCertSet.8.constraint.name=No Constraint
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.serverCertSet.8.default.name=Signing Alg
+policyset.serverCertSet.8.default.params.signingAlg=-
+policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.9.constraint.name=No Constraint
+policyset.serverCertSet.9.default.class_id=crlDistributionPointsExtDefaultImpl
+policyset.serverCertSet.9.default.name=CRL Distribution Points Extension Default
+policyset.serverCertSet.9.default.params.crlDistPointsCritical=false
+policyset.serverCertSet.9.default.params.crlDistPointsEnable_0=true
+policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=CN=Certificate Authority,o=ipaca
+policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=DirectoryName
+policyset.serverCertSet.9.default.params.crlDistPointsNum=1
+policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://ipa-ca.{{ freeipa_domain }}/ipa/crl/MasterCRL.bin
+policyset.serverCertSet.9.default.params.crlDistPointsPointType_0=URIName
+policyset.serverCertSet.9.default.params.crlDistPointsReasons_0=
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11,12
+profileId=caIPAclientAuth
+visible=true
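Review bot: The signing-algorithm constraint at line 567 still permits `SHA1withRSA`, `MD5withRSA`, `MD2withRSA`, `SHA1withDSA` and `SHA1withEC`, and the key constraint at line 517 accepts 1024-bit RSA, so a request that names one of those can obtain a client-authentication certificate with a broken digest or an undersized key even though the default at line 570 inherits the CA's algorithm. Trim both lists: `policyset.serverCertSet.3.constraint.params.keyParameters=2048,3072,4096,8192` and `policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC`. `name=` at line 481 still says "Server Certificate Enrollment" and the constraint at line 566 is labelled "No Constraint" although it is a `signingAlgConstraintImpl`; both look like leftovers from the profile this was derived from, so rename them to describe the client-auth profile. The 731-day validity default at line 513 is long for a client-auth credential; a comment stating the intended lifetime, or a shorter range, would help.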
diff --git a/roles/freeipa_server/templates/etc/rsyslog.d/freeipa.conf.j2 b/roles/freeipa_server/templates/etc/rsyslog.d/freeipa.conf.j2
new file mode 100644
index 0000000..6ef8a1c
--- /dev/null
+++ b/roles/freeipa_server/templates/etc/rsyslog.d/freeipa.conf.j2
@@ -0,0 +1,8 @@
+{% for file in freeipa_log_files %}
+input(type="imfile"
+ addMetadata="on"
+ file="{{ file.path }}"
+ tag="{{ file.tag }}"
+ severity="{{ file.severity | default('info') }}")
+
+{% endfor %}
diff --git a/roles/freeipa_server/vars/main.yml b/roles/freeipa_server/vars/main.yml
new file mode 100644
index 0000000..89657e7
--- /dev/null
+++ b/roles/freeipa_server/vars/main.yml
@@ -0,0 +1,65 @@
+freeipa_packages:
+ - ipa-server
+ - ipa-server-trust-ad
+ - ipa-server-dns
+
+freeipa_backup_dir: /var/lib/ipa/backup
+
+# These services must be explicitly allowed if the default HBAC-allow-all policy
+# is not used. See https://pagure.io/freeipa/issue/7831
+freeipa_system_services:
+ - systemd-user
+ - sudo
+ - sudo-i
+ - polkit-1
+
+freeipa_automount_maps:
+ - auto.nfs
+ - auto.home
+ - auto.nfs_user
+ - auto.nfs_group
+ - auto.nfs_media
+
+freeipa_automount_keys:
+ - map: auto.master
+ key: /net
+ info: -hosts
+
+ - map: auto.master
+ key: /nfs
+ info: auto.nfs -browse
+
+ - map: auto.nfs
+ key: user
+ info: -fstype=autofs auto.nfs_user
+
+ - map: auto.nfs
+ key: group
+ info: -fstype=autofs auto.nfs_group
+
+ - map: auto.nfs
+ key: media
+ info: -fstype=autofs auto.nfs_media
+
+freeipa_log_files:
+ - path: /var/log/pki/pki-tomcat/ca/transactions
+ tag: ipa-ca
+
+ - path: /var/log/dirsrv/slapd-{{ freeipa_realm | replace('.', '-') }}/access
+ tag: slapd
+
+ - path: /var/log/dirsrv/slapd-{{ freeipa_realm | replace('.', '-') }}/audit
+ tag: slapd
+
+ - path: /var/log/dirsrv/slapd-{{ freeipa_realm | replace('.', '-') }}/errors
+ tag: slapd
+ severity: error
+
+ - path: /var/log/httpd/access_log
+ tag: httpd
+
+ - path: /var/log/httpd/error_log
+ tag: httpd
+ severity: error
+
+freeipa_custom_schema_dir: /usr/local/share/dirsrv/schema
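Review bot: `freeipa_automount_maps` and `freeipa_automount_keys` (lines 621–647) describe a site-specific NFS layout (`auto.nfs_media`, `/nfs`), yet they sit in `vars/`, where role vars outrank inventory and play vars and so cannot be overridden by a consumer of the role; the same goes for `freeipa_log_files` and `freeipa_custom_schema_dir`. Moving them to `defaults/main.yml` next to the other tunables keeps `vars/` for the genuinely fixed values (`freeipa_packages`, `freeipa_system_services`). `freeipa_backup_dir` is not referenced by any file in this diff; if it is used elsewhere a comment naming the consumer would help, otherwise it looks dead. The dirsrv `audit` log at line 656 is, as far as I recall, disabled by default in 389-ds, so imfile would watch a file that may never appear — worth a comment, or dropping the entry if audit logging is not enabled elsewhere.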