FreeIPA Server
==============

Description
-----------

The `freeipa_server` role installs and configures the FreeIPA server. When
`ansible_fqdn == freeipa_master`, this role will configure the host as the
FreeIPA master. Otherwise, the host will be configured as a replica.

This role configures some custom schema changes to support Jabber IDs and
user/group email aliases. It also creates some default HBAC rules.

Variables
---------

This role **accepts** the following variables:

Variable | Default | Description
------------------------------------|--------------------------------|------------
`freeipa_domain` | `{{ ansible_domain }}` | FreeIPA DNS domain
`freeipa_realm` | `{{ ansible_domain | upper }}` | FreeIPA realm name
`freeipa_workgroup` | `WORKGROUP` | SMB workgroup name
`freeipa_email_domain` | `{{ email_domain }}` | Default email domain for new users
`freeipa_dns_forwarders` | `['8.8.8.8', '8.8.4.4']` | Upstream DNS servers
`freeipa_dns_max_negative_cache` | 5 | Cache time for negative DNS responses (seconds)
`freeipa_nfs_homedirs` | no | Add autofs map for `/home`
`freeipa_admin_password` | | Password for `admin` account
`freeipa_ds_password` | | Password for the Directory Server
`freeipa_idstart` | 100000 | Minimum UID/GID
`freeipa_idmax` | 299999 | Maximum UID/GID
`freeipa_maxpwdlife` | 3650 | Maximum password age (days)
`freeipa_minpwdlife` | 1 | Minimum password age (hours)
`freeipa_historylength` | 0 | Number of previous passwords to save
`freeipa_minclasses` | 0 | Minimum character classes in passwords
`freeipa_minlength` | 8 | Minimum password length
`freeipa_maxfailcount` | 6 | Number of failed logins before account lockout
`freeipa_failinterval` | 60 | Duration to count login failures (seconds)
`freeipa_lockouttime` | 600 | Duration of account lockout (seconds)
`freeipa_admin_password_expiration` | 20310130235959 | Password expiration time for `admin` account (YYYYMMDDHHMMSS)
`freeipa_default_login_shell` | `/bin/bash` | Default user login shell

This role **exports** the following variables:

Variable | Description
------------------------|------------
`freeipa_archive_shell` | Shell command to generate IPA backup tarball

Usage
-----

Example playbook:
````yaml
- name: configure freeipa master server
  hosts: freeipa_master
  roles:
    - role: freeipa_server
      vars:
        freeipa_domain: ipa.example.com
        freeipa_realm: IPA.EXAMPLE.COM
        freeipa_workgroup: EXAMPLE
        freeipa_email_domain: example.com
        freeipa_admin_password: s3cret
        freeipa_ds_password: rea11y_s3cret

- name: configure freeipa replicas
  hosts: freeipa_servers:!freeipa_master
  roles:
    - role: freeipa_server
      vars:
        freeipa_domain: ipa.example.com
        freeipa_realm: IPA.EXAMPLE.COM
        freeipa_admin_password: s3cret
````
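The variable table mixes units (hours vs. days, seconds) and has two required passwords with no default, so a pre-flight check catches inconsistent values before the role runs. This is an added example, not part of the role; `check_freeipa_vars`, its `(level, message)` findings and the idea of comparing against the table's defaults are assumptions.

```python
"""Pre-flight sanity check for freeipa_server role variables (added example)."""
from datetime import datetime

# Defaults copied from the README's variable table (Jinja-valued ones omitted).
DEFAULTS = {
    "freeipa_idstart": 100000,
    "freeipa_idmax": 299999,
    "freeipa_maxpwdlife": 3650,   # days
    "freeipa_minpwdlife": 1,      # hours
    "freeipa_historylength": 0,
    "freeipa_minclasses": 0,
    "freeipa_minlength": 8,
    "freeipa_maxfailcount": 6,
    "freeipa_failinterval": 60,   # seconds
    "freeipa_lockouttime": 600,   # seconds
    "freeipa_admin_password_expiration": "20310130235959",
}


def check_freeipa_vars(overrides):
    """Return a list of (level, message) findings for a role variable set.

    `overrides` holds the values a playbook would pass under `vars:`; anything
    not given falls back to the README default. Name and format are assumed.
    """
    v = {**DEFAULTS, **overrides}
    findings = []
    if v["freeipa_idstart"] >= v["freeipa_idmax"]:
        findings.append(("error", "freeipa_idstart must be below freeipa_idmax"))
    # minpwdlife is in hours, maxpwdlife in days: compare on a common unit.
    if v["freeipa_minpwdlife"] >= v["freeipa_maxpwdlife"] * 24:
        findings.append(("error", "minimum password age exceeds maximum age"))
    for key in ("freeipa_admin_password", "freeipa_ds_password"):
        if not v.get(key):
            findings.append(("error", f"{key} is required but not set"))
        elif len(str(v[key])) < v["freeipa_minlength"]:
            findings.append(("warn", f"{key} is shorter than freeipa_minlength"))
    if v["freeipa_lockouttime"] < v["freeipa_failinterval"]:
        findings.append(("warn", "lockout is shorter than the failure-counting window"))
    if v["freeipa_historylength"] == 0:
        findings.append(("info", "password history disabled: reuse is allowed"))
    if v["freeipa_minclasses"] == 0:
        findings.append(("info", "no character-class requirement on passwords"))
    try:
        stamp = str(v["freeipa_admin_password_expiration"])
        if datetime.strptime(stamp, "%Y%m%d%H%M%S") <= datetime.now():
            findings.append(("error", "admin password expiration is in the past"))
    except ValueError:
        findings.append(("error", "admin password expiration is not YYYYMMDDHHMMSS"))
    return findings
```

Run with the values from the playbook above to see that the sample `s3cret` admin password already fails the default `freeipa_minlength` of 8.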