From 3ae2a51c08504bee835e39ff3309bf2411a79d0f Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoerner@redhat.com>
Date: Thu, 24 Aug 2017 12:36:51 +0200
Subject: [PATCH] New sssd role

---
 roles/sssd/defaults/main.yml      | 12 +++++++++++
 roles/sssd/meta/main.yml          | 12 +++++++++++
 roles/sssd/tasks/main.yml         | 26 +++++++++++++++++++++++
 roles/sssd/templates/sssd.conf.j2 | 34 +++++++++++++++++++++++++++++++
 roles/sssd/vars/default.yml       |  4 ++++
 5 files changed, 88 insertions(+)
 create mode 100644 roles/sssd/defaults/main.yml
 create mode 100644 roles/sssd/meta/main.yml
 create mode 100644 roles/sssd/tasks/main.yml
 create mode 100644 roles/sssd/templates/sssd.conf.j2
 create mode 100644 roles/sssd/vars/default.yml

diff --git a/roles/sssd/defaults/main.yml b/roles/sssd/defaults/main.yml
new file mode 100644
index 00000000..50943f8d
--- /dev/null
+++ b/roles/sssd/defaults/main.yml
@@ -0,0 +1,12 @@
+---
+sssd_conf: /etc/sssd/sssd.conf
+sssd_packages: sssd
+sssd_domains:
+sssd_id_provider:
+sssd_auth_provider:
+sssd_access_provider:
+sssd_chpass_provider:
+sssd_cache_credentials: False
+sssd_krb5_store_password_if_offline: False
+sssd_ipa_servers:
+sssd_services:
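Review bot: The bare values on `sssd_domains:`, `sssd_id_provider:`, `sssd_auth_provider:`, `sssd_access_provider:`, `sssd_chpass_provider:`, `sssd_ipa_servers:` and `sssd_services:` load as null, so a caller that forgets one gets a rendered line such as `id_provider = None` in sssd.conf instead of a failure; write them as an explicit `null` so the intent is visible, and have the template guard the required ones with the `mandatory` filter. `sssd_packages: sssd` is a scalar here while vars/default.yml defines the same variable as a list — pick one shape for both files. The two booleans read better as lowercase `false`, which is the form yamllint's truthy rule accepts.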
diff --git a/roles/sssd/meta/main.yml b/roles/sssd/meta/main.yml
new file mode 100644
index 00000000..d5390a6f
--- /dev/null
+++ b/roles/sssd/meta/main.yml
@@ -0,0 +1,12 @@
+galaxy_info:
+  author: Thomas Woerner
+  description: A role to configure sssd for IPA
+  company: Red Hat, Inc
+
+  license: GPLv2+
+
+  min_ansible_version: 2.0
+
+  galaxy_tags: [ 'identity', 'ipa']
+
+dependencies: []
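Review bot: `min_ansible_version: 2.0` is parsed as a float, harmless for 2.0 but wrong for a later value such as 2.10 (which would become 2.1); quote it as `min_ansible_version: "2.0"`. The flow list has uneven spacing; `galaxy_tags: ['identity', 'ipa']` matches the usual form. This file also lacks the `---` document start that defaults/main.yml and tasks/main.yml carry.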
diff --git a/roles/sssd/tasks/main.yml b/roles/sssd/tasks/main.yml
new file mode 100644
index 00000000..30d4c4ef
--- /dev/null
+++ b/roles/sssd/tasks/main.yml
@@ -0,0 +1,26 @@
+---
+- name: Install {{ sssd_packages }}
+  package: name="{{ item }}" state=present
+  with_items: "{{ sssd_packages }}"
+
+# No backup in ipa-client-install mode
+#- name: Backup {{ sssd_conf }}
+#  copy:
+#    src: "{{ sssd_conf }}"
+#    dest: "{{ sssd_conf }}.bkp"
+#    force: no
+
+- name: Template sssd.conf
+  template:
+    src: sssd.conf.j2
+    dest: /etc/sssd/sssd.conf
+    backup: yes
+    owner: root
+    group: root
+    mode: 0600
+
+- name: Enable and start sssd
+  service:
+    name: sssd
+    state: restarted
+    enabled: yes
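Review bot: `state: restarted` on the service task restarts sssd on every play run even when sssd.conf did not change, which interrupts cached lookups and makes the role non-idempotent; use `state: started` here and put `notify: restart sssd` on the template task, with a handler doing the restart. The template task's `dest: /etc/sssd/sssd.conf` hard-codes a path the role already exposes as `sssd_conf`; `dest: "{{ sssd_conf }}"` keeps them in step. The package task uses key=value shorthand (`package: name="{{ item }}" state=present`) while the rest of the file is block YAML, and `backup: yes` / `enabled: yes` should be `true`. `mode: 0600` works with Ansible's leading-zero handling, but `mode: "0600"` avoids the YAML 1.1 octal reading and is the form the Ansible docs recommend; root:root with 0600 is the right ownership for this file.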
diff --git a/roles/sssd/templates/sssd.conf.j2 b/roles/sssd/templates/sssd.conf.j2
new file mode 100644
index 00000000..f37bb665
--- /dev/null
+++ b/roles/sssd/templates/sssd.conf.j2
@@ -0,0 +1,34 @@
+[domain/{{ sssd_domains }}]
+cache_credentials = {{ sssd_cache_credentials }}
+krb5_store_password_if_offline = {{ sssd_krb5_store_password_if_offline }}
+ipa_domain = {{ sssd_domains }}
+id_provider = {{ sssd_id_provider }}
+auth_provider = {{ sssd_auth_provider }}
+access_provider = {{ sssd_access_provider }}
+ipa_hostname = {{ ansible_host }}
+chpass_provider = {{ sssd_chpass_provider }}
+{% if sssd_on_master %}
+ipa_server = {{ sssd_ipa_servers | join(", ") }}
+ipa_server_mode = True
+{% else %}
+{% if sssd_domains != ansible_domain %}
+dns_discovery_domain = sssd_domains
+{% endif %}
+ipa_server = _srv_, {{ sssd_ipa_servers | join(", ")}}
+{% endif %}
+ldap_tls_cacert = /etc/ipa/ca.crt
+
+{% if sssd_on_master %}
+{%   set sssd_services = sssd_services + ", ifp" %}
+{% endif %}
+[sssd]
+services = {{ sssd_services }}
+domains = {{ sssd_domains }}
+
+{% for service in sssd_services.split(',') %}
+[{{ service | trim }}]
+{% if service | trim == "nss" %}
+homedir_substring = /home
+{% endif %}
+
+{% endfor %}
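Review bot: `dns_discovery_domain = sssd_domains` in the else branch writes the literal word `sssd_domains` into sssd.conf because the variable reference is missing its braces; it should be `dns_discovery_domain = {{ sssd_domains }}`. `sssd_on_master` is tested on both branches but is not defined in the role's defaults, so rendering will fail with an undefined-variable error unless every caller sets it — either default it to `false` or document it as required. `ipa_hostname = {{ ansible_host }}` takes the inventory address rather than the client's FQDN, which is what sssd expects for ipa_hostname; `ansible_fqdn` looks like the right fact, but confirm against how the inventory is written. `sssd_services.split(',')` will also error when `sssd_services` is left at its null default, so the required variables are worth guarding with the `mandatory` filter rather than relying on the caller.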
diff --git a/roles/sssd/vars/default.yml b/roles/sssd/vars/default.yml
new file mode 100644
index 00000000..9f0ad83b
--- /dev/null
+++ b/roles/sssd/vars/default.yml
@@ -0,0 +1,4 @@
+sssd_packages:
+ - sssd
+ - sssd-ipa
+ - sssd-krb5
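Review bot: Ansible only auto-loads `vars/main.yml` from a role, so this `vars/default.yml` has no effect unless it is pulled in with `include_vars` somewhere not shown in the patch; as written the role runs with the scalar `sssd_packages: sssd` from defaults. The list items are indented by one space where the other files use two (`  - sssd`), and the file lacks the `---` start marker used in defaults/main.yml and tasks/main.yml.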
-- 
GitLab