From 79794a00ef832365959404ca8499a545b6202d7c Mon Sep 17 00:00:00 2001 From: Stonewall Jackson Date: Thu, 9 Mar 2023 07:05:07 -0500 Subject: dnf_automatic: don't automatically restart services on ipa servers Turns out that restarting individual units on a freeipa server can leave it in a bad state. Systemd isn't smart enough to restart things in the right order - you have to use `ipactl restart`. There's probably a way to make the daemon restart script smarter with regard to IPA hosts, but since an IPA outage is incredibly disruptive, I'm just disabling auto-restart on IPA hosts for now. --- inventory-example/30-constructed.yml | 1 + inventory-example/40-groups | 10 ++++++++-- 2 files changed, 9 insertions(+), 2 deletions(-) (limited to 'inventory-example')
diff --git a/inventory-example/30-constructed.yml b/inventory-example/30-constructed.yml
index f519d22..5a776a1 100644
--- a/inventory-example/30-constructed.yml
+++ b/inventory-example/30-constructed.yml
@@ -10,6 +10,7 @@ compose:
 proxmox_memory: (ram | default('4g') | human_to_bytes / 1048576) | int
 proxmox_cores: cores | default(2)
 groups:
+ freeipa_replicas: "'freeipa_servers' in group_names and 'freeipa_master' not in group_names"
 el: (group_names | intersect(['unmanaged','opnsense_firewalls','proxmox_hypervisors']) | length) == 0
 nagios_ansible_managed_clients: (group_names | intersect(['unmanaged','opnsense_firewalls','linux_laptops']) | length) == 0
 nagios_el_clients: (group_names | intersect(['unmanaged','opnsense_firewalls','linux_laptops','proxmox_hypervisors']) | length) == 0
diff --git a/inventory-example/40-groups b/inventory-example/40-groups
index 0b3f935..4e10ce7 100644
--- a/inventory-example/40-groups
+++ b/inventory-example/40-groups
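Review bot: The new `freeipa_replicas` expression in inventory-example/30-constructed.yml can only see group memberships loaded before this file, because the constructed plugin evaluates `group_names` from inventory sources parsed earlier in the directory. The hunk does not show where `freeipa_servers` and `freeipa_master` membership is declared; if either comes from a source that sorts after `30-constructed.yml` (this commit also edits `40-groups`), the group would end up empty or would include the master, and the staggered update days would silently stop applying. I would add a comment above the line, such as `# freeipa_servers / freeipa_master membership must be defined in a source that sorts before this file`, and confirm the result with `ansible-inventory --graph freeipa_replicas`.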
@@ -43,10 +43,16 @@ proxmox_bios = seabios
 [freeipa_master:vars]
 # The initial FreeIPA installation requires an upstream DNS server to bootstrap itself.
 proxmox_nameservers = '{{ freeipa_dns_forwarders }}'
-# Update the FreeIPA master every _other_ day. If there's a botched automatic
-# update, we don't want to take the entire domain down overnight.
+# Don't update all freeipa servers at once
 dnf_automatic_on_calendar = '*-*-1,3,5,7,9,11,13,15,17,19,21,23,25,27,29,31 04:00:00'
+[freeipa_replicas:vars]
+# Don't update all freeipa servers at once
+dnf_automatic_on_calendar = '*-*-2,4,6,8,10,12,14,16,18,20,22,24,26,28,30 04:00:00'
+
+[freeipa_servers:vars]
+dnf_automatic_restart = False
+
 [git_servers:vars]
 apache_gssapi = True
-- cgit
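Review bot: `dnf_automatic_restart = False` under `[freeipa_servers:vars]` leaves the IPA hosts installing updates while their daemons keep the old code loaded, so a security fix in a library used by the directory, KDC or web components only takes effect after someone runs `ipactl restart` or reboots. The commit message calls this a stop-gap, but nothing in the hunk records the manual step; I would put it above the key, e.g. `# IPA units must be restarted with 'ipactl restart'; patched services keep running old code until then`. It would also help to have monitoring flag these hosts when `needs-restarting` reports services running outdated binaries. Separately, the shortened comment on the master's schedule drops the earlier rationale (a botched update must not take the whole domain down overnight), which is worth keeping on both `dnf_automatic_on_calendar` entries.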