1 files changed, 64 insertions, 0 deletions

diff --git a/roles/prosody/tasks/freeipa.yml b/roles/prosody/tasks/freeipa.yml
new file mode 100644
index 0000000..caff62a
--- /dev/null
+++ b/roles/prosody/tasks/freeipa.yml
@@ -0,0 +1,64 @@
+- name: create user
+  ipauser:
+    ipaadmin_principal: '{{ ipa_user }}'
+    ipaadmin_password: '{{ ipa_pass }}'
+    name: '{{ prosody_user }}'
+    loginshell: /sbin/nologin
+    homedir: '{{ prosody_data_dir }}'
+    givenname: Prosody
+    sn: Service Account
+    state: present
+  run_once: yes
+
+- name: retrieve user keytab
+  include_role:
+    name: freeipa_keytab
+  vars:
+    keytab_principal: '{{ prosody_user }}'
+    keytab_path: '{{ prosody_keytab }}'
+
+- name: configure gssproxy for kerberized postgres
+  include_role:
+    name: gssproxy_client
+  vars:
+    gssproxy_name: prosody
+    gssproxy_section: service/prosody
+    gssproxy_client_keytab: '{{ prosody_keytab }}'
+    gssproxy_cred_usage: initiate
+    gssproxy_euid: prosody
+
+- name: create systemd override directory
+  file:
+    path: /etc/systemd/system/prosody.service.d
+    state: directory
+
+- name: create systemd override file
+  copy:
+    src: etc/systemd/system/prosody.service.d/override.conf
+    dest: /etc/systemd/system/prosody.service.d/override.conf
+  register: prosody_systemd_unit
+  notify: restart prosody
+
+- name: reload systemd units
+  systemd:
+    daemon_reload: yes
+  when: prosody_systemd_unit.changed
+
+- name: create SELinux policy for prosody to access gssproxy
+  include_role:
+    name: selinux_policy
+    apply:
+      tags: selinux
+  vars:
+    selinux_policy_name: prosody_gssproxy
+    selinux_policy_te: '{{ prosody_selinux_policy_te }}'
+  tags: selinux
+
+- name: create access group
+  ipagroup:
+    ipaadmin_principal: '{{ ipa_user }}'
+    ipaadmin_password: '{{ ipa_pass }}'
+    name: '{{ prosody_access_group }}'
+    nonposix: yes
+    state: present
+  run_once: yes