Newer
Older
- name: Install - Ensure that IPA server packages are installed
package:
name: "{{ item }}"
state: present
with_items: "{{ ipaserver_packages }}"
- name: Install - Ensure that IPA server packages for dns are installed
package:
name: "{{ item }}"
state: present
with_items: "{{ ipaserver_packages_dns }}"
when: ipaserver_setup_dns | bool
- name: Install - Ensure that IPA server packages for adtrust are installed
package:
name: "{{ item }}"
state: present
with_items: "{{ ipaserver_packages_adtrust }}"
when: ipaserver_setup_adtrust | bool
- name: Install - Include Python2/3 import test
include: "{{role_path}}/tasks/python_2_3_test.yml"
static: yes
- name: Install - Server installation test
ipaserver_test:
### basic ###
dm_password: "{{ ipadm_password }}"
password: "{{ ipaadmin_password }}"
master_password: "{{ ipaserver_master_password | default(omit) }}"
ip_addresses: "{{ ipaserver_ip_addresses | default([]) }}"
domain: "{{ ipaserver_domain | default(omit) }}"
realm: "{{ ipaserver_realm | default(omit) }}"
hostname: "{{ ipaserver_hostname | default(ansible_fqdn) }}"
ca_cert_files: "{{ ipaserver_ca_cert_files | default(omit) }}"
no_host_dns: "{{ ipaserver_no_host_dns }}"
### server ###
setup_adtrust: "{{ ipaserver_setup_adtrust }}"
setup_kra: "{{ ipaserver_setup_kra }}"
setup_dns: "{{ ipaserver_setup_dns }}"
idstart: "{{ ipaserver_idstart | default(omit) }}"
idmax: "{{ ipaserver_idmax | default(omit) }}"
# no_hbac_allow: "{{ ipaserver_no_hbac_allow }}"
no_pkinit: "{{ ipaserver_no_pkinit }}"
# no_ui_redirect: "{{ ipaserver_no_ui_redirect }}"
dirsrv_config_file: "{{ ipaserver_dirsrv_config_file | default(omit) }}"
### ssl certificate ###
dirsrv_cert_files: "{{ ipaserver_dirsrv_cert_files | default([]) }}"
http_cert_files: "{{ ipaserver_http_cert_files | default([]) }}"
pkinit_cert_files: "{{ ipaserver_pkinit_cert_files | default([]) }}"
# dirsrv_pin
# http_pin
# pkinit_pin
# dirsrv_name
# http_name
# pkinit_name
### client ###
# mkhomedir
no_ntp: "{{ ipaclient_no_ntp }}"
# ssh_trust_dns
# no_ssh
# no_sshd
# no_dns_sshfp
### certificate system ###
external_ca: "{{ ipaserver_external_ca }}"
external_ca_type: "{{ ipaserver_external_ca_type | default(omit) }}"
external_cert_files: "{{ ipaserver_external_cert_files | default([]) }}"
subject_base: "{{ ipaserver_subject_base | default(omit) }}"
ca_subject: "{{ ipaserver_ca_subject | default(omit) }}"
# ca_signing_algorithm
### dns ###
allow_zone_overlap: "{{ ipaserver_allow_zone_overlap }}"
reverse_zones: "{{ ipaserver_reverse_zones | default([]) }}"
no_reverse: "{{ ipaserver_no_reverse }}"
auto_reverse: "{{ ipaserver_auto_reverse }}"
zonemgr: "{{ ipaserver_zonemgr | default(omit) }}"
forwarders: "{{ ipaserver_forwarders | default([]) }}"
no_forwarders: "{{ ipaserver_no_forwarders }}"
auto_forwarders: "{{ ipaserver_auto_forwarders }}"
forward_policy: "{{ ipaserver_forward_policy | default(omit) }}"
no_dnssec_validation: "{{ ipaserver_no_dnssec_validation }}"
### ad trust ###
enable_compat: "{{ ipaserver_enable_compat }}"
netbios_name: "{{ ipaserver_netbios_name | default(omit) }}"
rid_base: "{{ ipaserver_rid_base | default(omit) }}"
secondary_rid_base: "{{ ipaserver_secondary_rid_base | default(omit) }}"
### additional ###
register: result_ipaserver_test
Thomas Woerner
committed
- meta: end_play
when: not result_ipaserver_test.changed and (result_ipaserver_test.dns_zone_exists is defined or result_ipaserver_test.client_already_configured is defined or result_ipaserver_test.server_already_configured is defined)
- block:
- block:
- name: Install - Master password creation
no_log: yes
ipaserver_master_password:
dm_password: "{{ ipadm_password }}"
master_password: "{{ ipaserver_master_password | default(omit) }}"
register: result_ipaserver_master_password
- name: Install - Use new master password
Thomas Woerner
committed
no_log: yes
ipaserver_master_password: "{{ result_ipaserver_master_password.password }}"
when: ipaserver_master_password is undefined
- name: Install - Server preparation
ipaserver_prepare:
### basic ###
dm_password: "{{ ipadm_password }}"
password: "{{ ipaadmin_password }}"
#ip_addresses: "{{ result_ipaserver_test.ip_addresses }}"
domain: "{{ result_ipaserver_test.domain }}"
realm: "{{ result_ipaserver_test.realm }}"
hostname: "{{ result_ipaserver_test.hostname }}"
no_host_dns: "{{ result_ipaserver_test.no_host_dns }}"
### server ###
setup_adtrust: "{{ result_ipaserver_test.setup_adtrust }}"
setup_kra: "{{ result_ipaserver_test.setup_kra }}"
setup_dns: "{{ ipaserver_setup_dns }}"
#no_pkinit: "{{ result_ipaserver_test.no_pkinit }}"
### certificate system ###
subject_base: "{{ result_ipaserver_test.subject_base }}"
ca_subject: "{{ result_ipaserver_test.ca_subject }}"
### dns ###
allow_zone_overlap: "{{ ipaserver_allow_zone_overlap }}"
reverse_zones: "{{ result_ipaserver_test.reverse_zones }}"
no_reverse: "{{ ipaserver_no_reverse }}"
auto_reverse: "{{ ipaserver_auto_reverse }}"
auto_forwarders: "{{ ipaserver_auto_forwarders }}"
no_dnssec_validation: "{{ result_ipaserver_test.no_dnssec_validation }}"
### additional ###
setup_ca: "{{ result_ipaserver_test.setup_ca }}"
_hostname_overridden: "{{ result_ipaserver_test._hostname_overridden }}"
register: result_ipaserver_prepare
- name: Install - Setup NTP
ipaserver_setup_ntp:
when: not ipaclient_no_ntp | bool and (ipaserver_external_cert_files is undefined or ipaserver_external_cert_files|length < 1)
- name: Install - Setup DS
ipaserver_setup_ds:
dm_password: "{{ ipadm_password }}"
password: "{{ ipaadmin_password }}"
#master_password: "{{ ipaserver_master_password }}"
domain: "{{ result_ipaserver_test.domain }}"
realm: "{{ result_ipaserver_test.realm | default(omit) }}"
hostname: "{{ result_ipaserver_test.hostname }}"
#ip_addresses: "{{ result_ipaserver_test.ip_addresses }}"
#reverse_zones: "{{ result_ipaserver_test.reverse_zones }}"
#setup_adtrust: "{{ result_ipaserver_test.setup_adtrust }}"
#setup_kra: "{{ result_ipaserver_test.setup_kra }}"
#setup_dns: "{{ ipaserver_setup_dns }}"
setup_ca: "{{ result_ipaserver_test.setup_ca }}"
#no_host_dns: "{{ result_ipaserver_test.no_host_dns }}"
dirsrv_config_file: "{{ ipaserver_dirsrv_config_file | default(omit) }}"
dirsrv_cert_files: "{{ ipaserver_dirsrv_cert_files | default([]) }}"
external_cert_files: "{{ ipaserver_external_cert_files | default([]) }}"
subject_base: "{{ result_ipaserver_test.subject_base }}"
ca_subject: "{{ result_ipaserver_test.ca_subject }}"
#no_reverse: "{{ ipaserver_no_reverse }}"
#auto_forwarders: "{{ ipaserver_auto_forwarders }}"
no_pkinit: "{{ result_ipaserver_test.no_pkinit }}"
no_hbac_allow: "{{ ipaserver_no_hbac_allow }}"
idstart: "{{ result_ipaserver_test.idstart }}"
idmax: "{{ result_ipaserver_test.idmax }}"
- name: Install - Setup KRB
ipaserver_setup_krb:
dm_password: "{{ ipadm_password }}"
password: "{{ ipaadmin_password }}"
master_password: "{{ ipaserver_master_password }}"
domain: "{{ result_ipaserver_test.domain }}"
realm: "{{ result_ipaserver_test.realm }}"
hostname: "{{ result_ipaserver_test.hostname }}"
#ip_addresses: "{{ result_ipaserver_test.ip_addresses }}"
reverse_zones: "{{ result_ipaserver_test.reverse_zones }}"
setup_adtrust: "{{ result_ipaserver_test.setup_adtrust }}"
setup_kra: "{{ result_ipaserver_test.setup_kra }}"
setup_dns: "{{ ipaserver_setup_dns }}"
setup_ca: "{{ result_ipaserver_test.setup_ca }}"
no_host_dns: "{{ result_ipaserver_test.no_host_dns }}"
external_cert_files: "{{ ipaserver_external_cert_files | default([]) }}"
subject_base: "{{ result_ipaserver_test.subject_base }}"
ca_subject: "{{ result_ipaserver_test.ca_subject }}"
no_reverse: "{{ ipaserver_no_reverse }}"
auto_forwarders: "{{ ipaserver_auto_forwarders }}"
no_pkinit: "{{ result_ipaserver_test.no_pkinit }}"
no_hbac_allow: "{{ ipaserver_no_hbac_allow }}"
idstart: "{{ result_ipaserver_test.idstart }}"
idmax: "{{ result_ipaserver_test.idmax }}"
_pkinit_pkcs12_info: "{{ result_ipaserver_test._pkinit_pkcs12_info }}"
- name: Install - Setup CA
ipaserver_setup_ca:
dm_password: "{{ ipadm_password }}"
password: "{{ ipaadmin_password }}"
master_password: "{{ ipaserver_master_password }}"
#ip_addresses: "{{ result_ipaserver_test.ip_addresses }}"
domain: "{{ result_ipaserver_test.domain }}"
realm: "{{ result_ipaserver_test.realm }}"
hostname: "{{ result_ipaserver_test.hostname }}"
no_host_dns: "{{ result_ipaserver_test.no_host_dns }}"
setup_adtrust: "{{ result_ipaserver_test.setup_adtrust }}"
setup_kra: "{{ result_ipaserver_test.setup_kra }}"
setup_dns: "{{ ipaserver_setup_dns }}"
setup_ca: "{{ result_ipaserver_test.setup_ca }}"
idstart: "{{ result_ipaserver_test.idstart }}"
idmax: "{{ result_ipaserver_test.idmax }}"
no_hbac_allow: "{{ ipaserver_no_hbac_allow }}"
no_pkinit: "{{ result_ipaserver_test.no_pkinit }}"
dirsrv_config_file: "{{ ipaserver_dirsrv_config_file | default(omit) }}"
dirsrv_cert_files: "{{ ipaserver_dirsrv_cert_files | default([]) }}"
_dirsrv_pkcs12_info: "{{ result_ipaserver_test._dirsrv_pkcs12_info }}"
external_ca: "{{ ipaserver_external_ca }}"
external_cert_files: "{{ ipaserver_external_cert_files | default([]) }}"
subject_base: "{{ result_ipaserver_test.subject_base }}"
_subject_base: "{{ result_ipaserver_test._subject_base }}"
ca_subject: "{{ result_ipaserver_test.ca_subject }}"
_ca_subject: "{{ result_ipaserver_test._ca_subject }}"
ca_signing_algorithm: "{{ ipaserver_ca_signing_algorithm | default(omit) }}"
reverse_zones: "{{ result_ipaserver_test.reverse_zones }}"
no_reverse: "{{ ipaserver_no_reverse }}"
auto_forwarders: "{{ ipaserver_auto_forwarders }}"
- name: Install - Setup otpd
ipaserver_setup_otpd:
realm: "{{ result_ipaserver_test.realm }}"
hostname: "{{ result_ipaserver_test.hostname }}"
setup_ca: "{{ result_ipaserver_test.setup_ca }}"
- name: Install - Setup custodia
ipaserver_setup_custodia:
realm: "{{ result_ipaserver_test.realm }}"
hostname: "{{ result_ipaserver_test.hostname }}"
setup_ca: "{{ result_ipaserver_test.setup_ca }}"
- name: Install - Setup HTTP
ipaserver_setup_http:
dm_password: "{{ ipadm_password }}"
password: "{{ ipaadmin_password }}"
master_password: "{{ ipaserver_master_password }}"
domain: "{{ result_ipaserver_test.domain }}"
realm: "{{ result_ipaserver_test.realm }}"
hostname: "{{ result_ipaserver_test.hostname }}"
#ip_addresses: "{{ result_ipaserver_test.ip_addresses }}"
reverse_zones: "{{ result_ipaserver_test.reverse_zones }}"
setup_adtrust: "{{ result_ipaserver_test.setup_adtrust }}"
setup_kra: "{{ result_ipaserver_test.setup_kra }}"
setup_dns: "{{ ipaserver_setup_dns }}"
setup_ca: "{{ result_ipaserver_test.setup_ca }}"
no_host_dns: "{{ result_ipaserver_test.no_host_dns }}"
dirsrv_cert_files: "{{ ipaserver_dirsrv_cert_files | default([]) }}"
external_cert_files: "{{ ipaserver_external_cert_files | default([]) }}"
subject_base: "{{ result_ipaserver_test.subject_base }}"
_subject_base: "{{ result_ipaserver_test._subject_base }}"
ca_subject: "{{ result_ipaserver_test.ca_subject }}"
_ca_subject: "{{ result_ipaserver_test._ca_subject }}"
no_reverse: "{{ ipaserver_no_reverse }}"
auto_forwarders: "{{ ipaserver_auto_forwarders }}"
no_pkinit: "{{ result_ipaserver_test.no_pkinit }}"
no_hbac_allow: "{{ ipaserver_no_hbac_allow }}"
idstart: "{{ result_ipaserver_test.idstart }}"
idmax: "{{ result_ipaserver_test.idmax }}"
http_cert_files: "{{ ipaserver_http_cert_files | default([]) }}"
no_ui_redirect: "{{ ipaserver_no_ui_redirect }}"
- name: Install - Setup KRA
ipaserver_setup_kra:
hostname: "{{ result_ipaserver_test.hostname }}"
setup_ca: "{{ result_ipaserver_test.setup_ca }}"
dm_password: "{{ ipadm_password }}"
setup_kra: "{{ result_ipaserver_test.setup_kra }}"
when: result_ipaserver_test.setup_kra | bool
- name: Install - Setup DNS
ipaserver_setup_dns:
hostname: "{{ result_ipaserver_test.hostname }}"
setup_ca: "{{ result_ipaserver_test.setup_ca }}"
setup_dns: "{{ ipaserver_setup_dns }}"
forwarders: "{{ result_ipaserver_test.forwarders }}"
forward_policy: "{{ result_ipaserver_test.forward_policy }}"
zonemgr: "{{ ipaserver_zonemgr | default(omit) }}"
no_dnssec_validation: "{{ result_ipaserver_test.no_dnssec_validation }}"
Thomas Woerner
committed
### additional ###
dns_ip_addresses: "{{ result_ipaserver_test.dns_ip_addresses }}"
dns_reverse_zones: "{{ result_ipaserver_test.dns_reverse_zones }}"
when: ipaserver_setup_dns | bool
- name: Install - Setup ADTRUST
ipaserver_setup_adtrust:
hostname: "{{ result_ipaserver_test.hostname }}"
setup_ca: "{{ result_ipaserver_test.setup_ca }}"
setup_adtrust: "{{ result_ipaserver_test.setup_adtrust }}"
when: result_ipaserver_test.setup_adtrust
- name: Install - Set DS password
ipaserver_set_ds_password:
dm_password: "{{ ipadm_password }}"
password: "{{ ipaadmin_password }}"
domain: "{{ result_ipaserver_test.domain }}"
realm: "{{ result_ipaserver_test.realm }}"
hostname: "{{ result_ipaserver_test.hostname }}"
setup_ca: "{{ result_ipaserver_test.setup_ca }}"
subject_base: "{{ result_ipaserver_test.subject_base }}"
ca_subject: "{{ result_ipaserver_test.ca_subject }}"
no_pkinit: "{{ result_ipaserver_test.no_pkinit }}"
no_hbac_allow: "{{ ipaserver_no_hbac_allow }}"
idstart: "{{ result_ipaserver_test.idstart }}"
idmax: "{{ result_ipaserver_test.idmax }}"
dirsrv_config_file: "{{ ipaserver_dirsrv_config_file | default(omit) }}"
_dirsrv_pkcs12_info: "{{ result_ipaserver_test._dirsrv_pkcs12_info }}"
Thomas Woerner
committed
include_role:
name: ipaclient
vars:
state: present
Thomas Woerner
committed
ipaclient_on_master: yes
ipaclient_domain: "{{ result_ipaserver_test.domain }}"
ipaclient_realm: "{{ result_ipaserver_test.realm }}"
ipaclient_server: "{{ result_ipaserver_test.hostname }}"
ipaclient_hostname: "{{ result_ipaserver_test.hostname }}"
#ipaclient_no_dns_sshfp: "{{ ipaclient_no_dns_sshfp }}"
#ipaclient_ssh_trust_dns: "{{ ipaclient_ssh_trust_dns }}"
#ipaclient_no_ssh: "{{ ipaclient_no_ssh }}"
#ipaclient_no_sshd: "{{ ipaclient_no_sshd }}"
#ipaclient_mkhomedir: "{{ ipaclient_mkhomedir }}"
Thomas Woerner
committed
#- name: Install - Setup client
# command: >
# /usr/sbin/ipa-client-install
# --unattended
# --on-master
# --domain "{{ result_ipaserver_test.domain }}"
# --realm "{{ result_ipaserver_test.realm }}"
# --server "{{ result_ipaserver_test.hostname }}"
# --hostname "{{ result_ipaserver_test.hostname }}"
# {{ "--mkhomedir" if ipaclient_mkhomedir | bool else "" }}
# # {{ "--no-dns-sshfp" if ipaclient_no_dns_sshfp | bool else "" }}
# # {{ "--ssh-trust-dns" if ipaclient_ssh_trust_dns | bool else "" }}
# # {{ "--no-ssh" if ipaclient_no_ssh | bool else "" }}
# # {{ "--no-sshd" if ipaclient_no_sshd | bool else "" }}
- name: Install - Enable IPA
ipaserver_enable_ipa:
hostname: "{{ result_ipaserver_test.hostname }}"
setup_ca: "{{ result_ipaserver_test.setup_ca }}"
register: result_ipaserver_enable_ipa
- name: Install - Cleanup root IPA cache
file:
path: "/root/.ipa_cache"
state: absent
when: result_ipaserver_enable_ipa.changed
- name: Install - Configure firewalld
command: >
firewall-cmd
--permanent
--add-service=freeipa-ldap
--add-service=freeipa-ldaps
{{ "--add-service=dns" if ipaserver_setup_dns | bool else "" }}
{{ "--add-service=ntp" if not ipaclient_no_ntp | bool else "" }}
when: not ipaserver_no_firewalld | bool
- name: Install - Configure firewalld runtime
command: >
firewall-cmd
--add-service=freeipa-ldap
--add-service=freeipa-ldaps
{{ "--add-service=dns" if ipaserver_setup_dns | bool else "" }}
{{ "--add-service=ntp" if not ipaclient_no_ntp | bool else "" }}
when: not ipaserver_no_firewalld | bool