From 0261e875679f1bf63c8d689da7fc7e014597885d Mon Sep 17 00:00:00 2001 From: Stonewall Jackson Date: Sat, 4 Feb 2023 01:23:43 -0500 Subject: initial commit --- roles/freeipa_server/tasks/master.yml | 138 ++++++++++++++++++++++++++++++++++ 1 file changed, 138 insertions(+) create mode 100644 roles/freeipa_server/tasks/master.yml (limited to 'roles/freeipa_server/tasks/master.yml') diff --git a/roles/freeipa_server/tasks/master.yml b/roles/freeipa_server/tasks/master.yml new file mode 100644 index 0000000..34d1442 --- /dev/null +++ b/roles/freeipa_server/tasks/master.yml 
@@ -0,0 +1,138 @@ +- name: initialize freeipa server + command: > + ipa-server-install + --unattended + --realm={{ freeipa_realm }} + --domain={{ freeipa_domain }} + --ds-password={{ freeipa_ds_password | quote }} + --admin={{ freeipa_admin_password | quote }} + --hostname={{ ansible_fqdn }} + --ip-address={{ ansible_default_ipv4.address }} + --no-host-dns + --idstart={{ freeipa_idstart }} + --idmax={{ freeipa_idmax }} + --setup-dns + {% for forwarder in freeipa_dns_forwarders %} + --forwarder {{ forwarder }} + {% endfor %} + --forward-policy=only + --no-ntp + --no-hbac-allow + args: + creates: /etc/ipa/default.conf + +- name: initialize AD trust (for smb) + command: > + ipa-adtrust-install + --unattended + --add-sids + --netbios-name={{ freeipa_workgroup }} + --admin-name=admin + --admin-password={{ freeipa_admin_password | quote }} + args: + creates: /etc/samba/samba.keytab + +- name: set default password policy + community.general.ipa_pwpolicy: + ipa_user: '{{ ipa_user }}' + ipa_pass: '{{ ipa_pass }}' + maxpwdlife: '{{ freeipa_maxpwdlife }}' + minpwdlife: '{{ freeipa_minpwdlife }}' + historylength: '{{ freeipa_historylength }}' + minclasses: '{{ freeipa_minclasses }}' + minlength: '{{ freeipa_minlength }}' + maxfailcount: '{{ freeipa_maxfailcount }}' + failinterval: '{{ freeipa_failinterval }}' + lockouttime: '{{ freeipa_lockouttime }}' + +- name: set admin user's password expiration date + ipauser: + ipaadmin_principal: '{{ ipa_user }}' + ipaadmin_password: '{{ ipa_pass }}' + name: admin + passwordexpiration: '{{ freeipa_admin_password_expiration }}' + +- name: set global freeipa configuration + ipaconfig: + ipaadmin_principal: '{{ ipa_user }}' + ipaadmin_password: '{{ ipa_pass }}' + emaildomain: '{{ freeipa_email_domain }}' + defaultshell: '{{ freeipa_default_login_shell }}' + +- name: create HBAC services for system-level services + ipahbacsvc: + ipaadmin_principal: '{{ ipa_user }}' + ipaadmin_password: '{{ ipa_pass }}' + name: '{{ item }}' + description: '{{ 
item }}' + state: present + loop: '{{ freeipa_system_services }}' + +- name: create HBAC rule for system-level services + ipahbacrule: + ipaadmin_principal: '{{ ipa_user }}' + ipaadmin_password: '{{ ipa_pass }}' + name: whitelisted_system_services + description: Always allow authentication to system-level services + usercategory: all + hostcategory: all + hbacsvc: '{{ freeipa_system_services }}' + +- name: get admin kerberos ticket + command: + cmd: kinit -fpa {{ ipa_user }} + stdin: '{{ ipa_pass }}' + changed_when: false + +- include_tasks: custom_schema.yml + +- name: generate clientAuth certificate profile + template: + src: etc/pki/caIPAclientAuth.cfg.j2 + dest: /etc/pki/caIPAclientAuth.cfg + register: freeipa_clientauth_config + +- name: import clientAuth certificate profile + shell: + cmd: > + ipa certprofile-import caIPAclientAuth + --file /etc/pki/caIPAclientAuth.cfg + --desc 'Profile for client authentication' + --store TRUE + when: freeipa_clientauth_config.changed + +- name: destroy kerberos ticket + command: + cmd: kdestroy + changed_when: false + +- name: create automount maps + ipaautomountmap: + ipaadmin_principal: '{{ ipa_user }}' + ipaadmin_password: '{{ ipa_pass }}' + name: '{{ item }}' + location: default + state: present + loop: '{{ freeipa_automount_maps }}' + +- name: create automount keys + ipaautomountkey: + ipaadmin_principal: '{{ ipa_user }}' + ipaadmin_password: '{{ ipa_pass }}' + location: default + mapname: '{{ item.map }}' + key: '{{ item.key }}' + info: '{{ item.info }}' + state: present + loop: '{{ freeipa_automount_keys }}' + +- name: create /home automount key + ipaautomountkey: + ipaadmin_principal: '{{ ipa_user }}' + ipaadmin_password: '{{ ipa_pass }}' + location: default + mapname: auto.master + key: /home + info: auto.home + state: "{{ 'present' if freeipa_nfs_homedirs else 'absent' }}" + when: freeipa_nfs_homedirs -- cgit
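Review bot: None of the tasks that carry a secret sets `no_log: true`, so `freeipa_ds_password`, `freeipa_admin_password` and `ipa_pass` appear in Ansible's task results (at least on failure or with `-v`), and for the `ipa-server-install` / `ipa-adtrust-install` tasks the passwords are also on the process command line, readable by any local user via `ps` while the installers run; add `no_log: true` to every task that references one of those variables. The `kinit` / `kdestroy` pair is not wrapped in a `block` / `always`, so a failure in `custom_schema.yml` or in `certprofile-import` leaves an admin TGT in root's credential cache; moving `kdestroy` into an `always:` section (sketched below) closes that. `--admin={{ freeipa_admin_password | quote }}` is not a documented `ipa-server-install` option — it looks like it relies on the option parser's abbreviation matching of `--admin-password`, so spell it out as `--admin-password={{ freeipa_admin_password | quote }}` before another `--admin*` option makes it ambiguous. Separately, the last task's `state: "{{ 'present' if freeipa_nfs_homedirs else 'absent' }}"` can never evaluate to `absent`, because `when: freeipa_nfs_homedirs` skips the task in exactly that case; drop the `when:` if removing the `/home` key is intended.
```yaml
- name: manage objects that need an admin ticket
  block:
    - name: get admin kerberos ticket
      command:
        cmd: kinit -fpa {{ ipa_user }}
        stdin: '{{ ipa_pass }}'
      changed_when: false
      no_log: true

    - include_tasks: custom_schema.yml

    # … unchanged: generate / import clientAuth certificate profile …
  always:
    - name: destroy kerberos ticket
      command:
        cmd: kdestroy
      changed_when: false
```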