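# FreeIPA server bring-up for this host: run the two one-shot installers,
# then populate the directory (password policy, global config, HBAC,
# clientAuth certificate profile, automount) through the ipa* modules.
#
# The installers and kinit receive passwords as command-line arguments or
# on stdin. Those tasks carry `no_log: true` so the values are not echoed
# in Ansible output on failure or with -v. Trade-off: no_log also hides the
# task's own error output, so lift it temporarily when debugging. The ipa*
# and ipa_pwpolicy modules are expected to flag their password parameters
# no_log themselves - confirm for the collection versions in use.

- name: initialize freeipa server
  command: >
    ipa-server-install
    --unattended
    --realm={{ freeipa_realm }}
    --domain={{ freeipa_domain }}
    --ds-password={{ freeipa_ds_password | quote }}
    --admin-password={{ freeipa_admin_password | quote }}
    --hostname={{ ansible_fqdn }}
    --ip-address={{ ansible_default_ipv4.address }}
    --no-host-dns
    --idstart={{ freeipa_idstart }}
    --idmax={{ freeipa_idmax }}
    --setup-dns
    {% for forwarder in freeipa_dns_forwarders %}
    --forwarder={{ forwarder }}
    {% endfor %}
    --forward-policy=only
    --no-ntp
    --no-hbac-allow
  args:
    # The installer is not re-runnable; skip once the server config exists.
    creates: /etc/ipa/default.conf
  # Command line carries the DS and admin passwords; keep them out of logs.
  no_log: true

- name: initialize AD trust (for smb)
  command: >
    ipa-adtrust-install
    --unattended
    --add-sids
    --netbios-name={{ freeipa_workgroup }}
    --admin-name=admin
    --admin-password={{ freeipa_admin_password | quote }}
  args:
    # Marker file written by ipa-adtrust-install; makes the task idempotent.
    creates: /etc/samba/samba.keytab
  no_log: true

- name: set default password policy
  community.general.ipa_pwpolicy:
    ipa_user: '{{ ipa_user }}'
    ipa_pass: '{{ ipa_pass }}'
    maxpwdlife: '{{ freeipa_maxpwdlife }}'
    minpwdlife: '{{ freeipa_minpwdlife }}'
    historylength: '{{ freeipa_historylength }}'
    minclasses: '{{ freeipa_minclasses }}'
    minlength: '{{ freeipa_minlength }}'
    maxfailcount: '{{ freeipa_maxfailcount }}'
    failinterval: '{{ freeipa_failinterval }}'
    lockouttime: '{{ freeipa_lockouttime }}'

- name: set admin user's password expiration date
  ipauser:
    ipaadmin_principal: '{{ ipa_user }}'
    ipaadmin_password: '{{ ipa_pass }}'
    name: admin
    passwordexpiration: '{{ freeipa_admin_password_expiration }}'

- name: set global freeipa configuration
  ipaconfig:
    ipaadmin_principal: '{{ ipa_user }}'
    ipaadmin_password: '{{ ipa_pass }}'
    emaildomain: '{{ freeipa_email_domain }}'
    defaultshell: '{{ freeipa_default_login_shell }}'

# One HBAC service per entry in freeipa_system_services, all collected into
# a single allow-everyone rule so system-level authentication keeps working
# regardless of the per-user HBAC rules (the installer ran --no-hbac-allow).
- name: create HBAC services for system-level services
  ipahbacsvc:
    ipaadmin_principal: '{{ ipa_user }}'
    ipaadmin_password: '{{ ipa_pass }}'
    name: '{{ item }}'
    description: '{{ item }}'
    state: present
  loop: '{{ freeipa_system_services }}'

- name: create HBAC rule for system-level services
  ipahbacrule:
    ipaadmin_principal: '{{ ipa_user }}'
    ipaadmin_password: '{{ ipa_pass }}'
    name: whitelisted_system_services
    description: Always allow authentication to system-level services
    usercategory: all
    hostcategory: all
    hbacsvc: '{{ freeipa_system_services }}'

# The `ipa` CLI calls below (custom_schema.yml and certprofile-import) need
# a Kerberos ticket; obtain one for the API user and destroy it afterwards.
- name: get admin kerberos ticket
  command:
    cmd: kinit -fpa {{ ipa_user }}
    stdin: '{{ ipa_pass }}'
  changed_when: false
  # stdin holds the password and is part of the module args; keep it unlogged.
  no_log: true

- include_tasks: custom_schema.yml

- name: generate clientAuth certificate profile
  template:
    src: etc/pki/caIPAclientAuth.cfg.j2
    dest: /etc/pki/caIPAclientAuth.cfg
    # Explicit mode so the result does not depend on the remote umask.
    mode: '0644'
  register: freeipa_clientauth_config

- name: import clientAuth certificate profile
  # No shell features are used, so `command` (no shell interpolation) is enough.
  # NOTE(review): this runs whenever the template changes, but certprofile-import
  # presumably rejects a profile that already exists - later edits to the
  # template likely need certprofile-mod instead; confirm against the CLI.
  command: >
    ipa certprofile-import caIPAclientAuth
    --file /etc/pki/caIPAclientAuth.cfg
    --desc 'Profile for client authentication'
    --store TRUE
  when: freeipa_clientauth_config is changed

- name: destroy kerberos ticket
  command:
    cmd: kdestroy
  changed_when: false

- name: create automount maps
  ipaautomountmap:
    ipaadmin_principal: '{{ ipa_user }}'
    ipaadmin_password: '{{ ipa_pass }}'
    name: '{{ item }}'
    location: default
    state: present
  loop: '{{ freeipa_automount_maps }}'

- name: create automount keys
  ipaautomountkey:
    ipaadmin_principal: '{{ ipa_user }}'
    ipaadmin_password: '{{ ipa_pass }}'
    location: default
    mapname: '{{ item.map }}'
    key: '{{ item.key }}'
    info: '{{ item.info }}'
    state: present
  loop: '{{ freeipa_automount_keys }}'

# Runs unconditionally: `state` already selects present/absent from
# freeipa_nfs_homedirs, so the key is removed again when the flag is turned
# off (a `when: freeipa_nfs_homedirs` guard would make the absent branch
# unreachable and leave a stale /home entry behind).
- name: create /home automount key
  ipaautomountkey:
    ipaadmin_principal: '{{ ipa_user }}'
    ipaadmin_password: '{{ ipa_pass }}'
    location: default
    mapname: auto.master
    key: /home
    info: auto.home
    state: "{{ 'present' if freeipa_nfs_homedirs else 'absent' }}"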