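# By convention, variables defined in this file are safe to use in all roles.
#
# In other words, this should be the only place where you should see variables
# without a 'rolename_' prefix.
#
# Values tagged "changeme" are site-specific placeholders. No secret is stored
# in this file: passwords are referenced through vault_* variables, which are
# expected to come from an Ansible Vault-encrypted file.
---
ansible_python_interpreter: /usr/libexec/platform-python

timezone: America/New_York
domain: ipa.example.com    # changeme
email_domain: example.com  # changeme

organization: ACME, Inc.   # changeme

# This variable will be used to configure an SSID with certificate-based auth
# for any hosts in the linux-laptops group.
wifi_ssid: acme-wifi

# Hosts in these CIDRs should be capable of kerberos authentication.
# We use this in many apache configs to determine when to force GSSAPI auth.
# NOTE(review): the "trusted" VLAN below spans a /23, but only a /24 is listed
# here -- confirm whether the whole trusted range should be kerberized.
kerberized_cidrs:  # changeme
  - 10.10.12.0/24

backup_path: ~/backups

# Use your external MX hostname so that TLS validation works.
mail_host: mx1.example.com  # changeme

# Templated scalars are single-quoted throughout this file so that a value
# starting with '{{' can never be read as a YAML flow mapping.
imap_host: 'imap.{{ domain }}'
rspamd_host: 'rspamd.{{ domain }}'

# changeme: specify your vlans here.
# This dictionary is used to discover which VLAN a host belongs to.
# The appropriate VLAN object will end up in the `vlan` variable in host_vars.
# Every entry carries the same keys in the same order: id, cidr, gateway,
# dns_servers, ntp_servers.
vlans:
  mgmt:
    id: 11
    cidr: 10.10.11.0/24
    gateway: 10.10.11.1
    dns_servers:  # freeipa servers
      - 10.10.12.2
      - 10.10.12.3
    ntp_servers: ['10.10.11.1']

  trusted:
    id: 12
    cidr: 10.10.12.0/23
    gateway: 10.10.12.1
    dns_servers:  # freeipa servers
      - 10.10.12.2
      - 10.10.12.3
    ntp_servers: ['10.10.12.1']

  voip:
    id: 14
    cidr: 10.10.14.0/24
    gateway: 10.10.14.1
    dns_servers:  # freeipa servers
      - 10.10.12.2
      - 10.10.12.3
    ntp_servers: ['10.10.14.1']

  print:
    id: 15
    cidr: 10.10.15.0/24
    gateway: 10.10.15.1
    dns_servers:  # freeipa servers
      - 10.10.12.2
      - 10.10.12.3
    ntp_servers: ['10.10.15.1']

  vpn:
    id: 16
    cidr: 10.10.16.0/24
    gateway: 10.10.16.1
    dns_servers:  # freeipa servers
      - 10.10.12.2
      - 10.10.12.3
    ntp_servers: ['10.10.16.1']

  dmz:
    id: 19
    cidr: 10.10.19.0/24
    gateway: 10.10.19.1
    dns_servers:  # freeipa servers
      - 10.10.12.2
      - 10.10.12.3
    ntp_servers: ['10.10.19.1']

# standard freeipa variables
# The realm is the upper-cased domain; the base DN is the domain split on '.'
# and rewritten as dc= components.
freeipa_realm: '{{ domain | upper }}'
freeipa_basedn: "dc={{ domain.split('.') | join(',dc=') }}"
# Every inventory hostname in the freeipa_servers group, suffixed with the
# domain to form an FQDN.
freeipa_hosts: "{{ groups['freeipa_servers'] | map('regex_replace', '$', '.' ~ domain) }}"
# Space-separated list of one URI per server in freeipa_servers.
# NOTE(review): the scheme is plain ldap://; the roles that consume this must
# require STARTTLS (or this should become ldaps://) so the bind credentials
# below are never sent in the clear -- confirm against the consuming roles.
freeipa_ldap_uri: "{{ groups['freeipa_servers'] | map('regex_replace', '^(.*)$', 'ldap://\\1.' ~ domain) | join(' ') }}"
# First host of the freeipa_master group; that group must not be empty.
freeipa_master: "{{ groups['freeipa_master'][0] }}"
freeipa_sysaccount_basedn: 'cn=sysaccounts,cn=etc,{{ freeipa_basedn }}'
freeipa_user_basedn: 'cn=users,cn=accounts,{{ freeipa_basedn }}'
freeipa_group_basedn: 'cn=groups,cn=accounts,{{ freeipa_basedn }}'
freeipa_accounts_basedn: 'cn=accounts,{{ freeipa_basedn }}'
freeipa_service_basedn: 'cn=services,cn=accounts,{{ freeipa_basedn }}'
# Secrets: both resolved from vault_* variables, never written here.
freeipa_ds_password: '{{ vault_freeipa_ds_password }}'
freeipa_admin_password: '{{ vault_freeipa_admin_password }}'
# Connection details for the ipa_* modules; ipa_pass reuses the admin
# password above, so it carries the same secrecy requirement.
ipa_host: '{{ freeipa_master }}.{{ domain }}'
ipa_user: admin
ipa_pass: '{{ freeipa_admin_password }}'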