Import the old ipa-server role.

This commit is contained in:
Andrea Dell'Amico 2020-06-25 19:15:40 +02:00
parent 82f5d3287e
commit 4d5c50156f
8 changed files with 235 additions and 68 deletions

View File

@ -1,31 +1,50 @@
Role Name Role Name
========= =========
A brief description of the role goes here. A role that installs the FreeIPA server, <https://www.freeipa.org/>
Requirements
------------
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
Role Variables Role Variables
-------------- --------------
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. The most important variables are listed below:
``` yaml
ipa_server_install: True
ipa_server_use_dns: True
ipa_server_is_master: False
ipa_server_domain: example.org
ipa_server_realm: '{{ ipa_server_domain | upper }}'
ipa_server_packages:
- ipa-server
- rng-tools
- ntp
ipa_server_dns_packages:
- ipa-server-dns
ipa_packages_to_remove:
- chrony
# Installation command
# It uses letsencrypt certificates
ipa_installation_options: "--ca-cert-file=/etc/pki/ipa/{{ ipa_letsencrypt_ca_filename }} --dirsrv-cert-file=/etc/pki/ipa/fullchain.pem --dirsrv-pin='' --http-cert-file=/etc/pki/ipa/fullchain.pem --http-pin='' --no-pkinit -r {{ ipa_server_realm }} -n {{ ipa_server_domain }} -a {{ ipa_admin_password }} -p {{ ipa_manager_password }} --hostname={{ ansible_fqdn }} -U --setup-dns --no-forwarders --no-reverse --zonemgr=hostmaster@xample.com"
# Comand that installs a replica
ipa_replica_installation_command: "ipa-replica-install --no-reverse --setup-dns --no-forwarders --dirsrv-cert-file=/etc/pki/ipa/fullchain.pem --dirsrv-pin='' --http-cert-file=/etc/pki/ipa/fullchain.pem --http-pin='' --no-pkinit"
ipa_run_the_installation_command: True
ipa_ssl_letsencrypt_managed: True
ipa_ssl_letsencrypt_use_hook: False
ipa_letsencrypt_ca_filename: lets-encrypt-x3-cross-signed.pem
ipa_letsencrypt_cron_job_day: '1'
```
Dependencies Dependencies
------------ ------------
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. None
Example Playbook
----------------
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
- hosts: servers
roles:
- { role: username.rolename, x: 42 }
License License
------- -------
@ -35,4 +54,4 @@ EUPL-1.2
Author Information Author Information
------------------ ------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed). Andrea Dell'Amico, <andrea.dellamico@isti.cnr.it>

View File

@ -1,2 +1,32 @@
--- ---
# defaults file for ansible-role-template # See https://github.com/antevens/letsencrypt-freeipa for the letsencrypt hints
ipa_server_install: True
ipa_server_use_dns: True
ipa_server_is_master: False
ipa_server_domain: example.org
ipa_server_realm: '{{ ipa_server_domain | upper }}'
ipa_server_packages:
- ipa-server
- rng-tools
- ntp
ipa_server_dns_packages:
- ipa-server-dns
ipa_packages_to_remove:
- chrony
# Installation command
# It uses letsencrypt certificates
ipa_installation_options: "--ca-cert-file=/etc/pki/ipa/{{ ipa_letsencrypt_ca_filename }} --dirsrv-cert-file=/etc/pki/ipa/fullchain.pem --dirsrv-pin='' --http-cert-file=/etc/pki/ipa/fullchain.pem --http-pin='' --no-pkinit -r {{ ipa_server_realm }} -n {{ ipa_server_domain }} -a {{ ipa_admin_password }} -p {{ ipa_manager_password }} --hostname={{ ansible_fqdn }} -U --setup-dns --no-forwarders --no-reverse --zonemgr=hostmaster@xample.com"
# Comand that installs a replica
ipa_replica_installation_command: "ipa-replica-install --no-reverse --setup-dns --no-forwarders --dirsrv-cert-file=/etc/pki/ipa/fullchain.pem --dirsrv-pin='' --http-cert-file=/etc/pki/ipa/fullchain.pem --http-pin='' --no-pkinit"
ipa_run_the_installation_command: True
ipa_ssl_letsencrypt_managed: True
ipa_ssl_letsencrypt_use_hook: False
ipa_letsencrypt_ca_filename: lets-encrypt-x3-cross-signed.pem
ipa_letsencrypt_cron_job_day: '1'

View File

@ -0,0 +1,47 @@
-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
-----END CERTIFICATE-----

View File

@ -1,2 +1,7 @@
--- ---
# handlers file for ansible-role-template - name: httpd reload
service: name=httpd state=reloaded
- name: apache2 reload
service: name=apache2 state=reload

View File

@ -1,61 +1,24 @@
galaxy_info: galaxy_info:
author: your name author: Andrea Dell'Amico
description: your description description: Systems Architect
company: ISTI-CNR company: ISTI-CNR
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
issue_tracker_url: https://redmine-s2i2s.isti.cnr.it/projects/provisioning issue_tracker_url: https://redmine-s2i2s.isti.cnr.it/projects/provisioning
# Some suggested licenses: license: EUPL 1.2+
# - BSD (default)
# - MIT
# - GPLv2
# - GPLv3
# - Apache
# - CC-BY
license: EUPL-1.2
min_ansible_version: 2.8 min_ansible_version: 2.8
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
# Optionally specify the branch Galaxy will use when accessing the GitHub
# repo for this role. During role install, if no tags are available,
# Galaxy will use this branch. During import Galaxy will access files on
# this branch. If Travis integration is configured, only notifications for this
# branch will be accepted. Otherwise, in all cases, the repo's default branch
# (usually master) will be used.
#github_branch:
#
# Provide a list of supported platforms, and for each platform a list of versions.
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
# To view available platforms and versions (or releases), visit: # To view available platforms and versions (or releases), visit:
# https://galaxy.ansible.com/api/v1/platforms/ # https://galaxy.ansible.com/api/v1/platforms/
# #
# platforms: platforms:
# - name: Fedora - name: EL
# versions: versions:
# - all - 7
# - 25 - 8
# - name: SomePlatform
# versions:
# - all
# - 1.0
# - 7
# - 99.99
galaxy_tags: [] galaxy_tags:
# List tags for your role here, one per line. A tag is a keyword that describes - ipa
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
dependencies: [] dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.

View File

@ -1,2 +1,81 @@
--- ---
# tasks file for ansible-role-template - block:
- name: Install the apache letsencrypt directives on trusty
template: src=letsencrypt-proxy.conf.j2 dest=/etc/apache2/conf.d/letsencrypt-proxy.conf owner=root group=root mode=0644
when: ansible_distribution_file_variety == "Debian"
notify: httpd reload
- name: Install the apache letsencrypt directives on CentOS
template: src=letsencrypt-proxy.conf.j2 dest=/etc/httpd/conf.d/letsencrypt-proxy.conf owner=root group=root mode=0644
when: ansible_distribution_file_variety == "RedHat"
notify: httpd reload
- name: Create the acme hooks directory if it does not yet exist
file: dest={{ letsencrypt_acme_services_scripts_dir }} state=directory owner=root group=root
- name: Install a letsencrypt hook that fixes the letsencrypt certificate for ipa and then reloads the service
template: src=ipa-letsencrypt-acmetool.sh dest={{ letsencrypt_acme_services_scripts_dir }}/ipa owner=root group=root mode=0550
when: ipa_ssl_letsencrypt_use_hook | bool
- name: Install a script that fixes the letsencrypt certificate for ipa and then reloads the service
template: src=ipa-letsencrypt-acmetool.sh dest=/usr/local/bin/ipa-letsencrypt owner=root group=root mode=0500
when: not ipa_ssl_letsencrypt_use_hook | bool
tags: [ 'ipa', 'letsencrypt', 'ipa_letsencrypt', 'ipa_letsencrypt_cron' ]
- name: Install a cron job that runs the ipa-letsencrypt script
cron: name="Refresh-the-letsencrypt-certificate-configured-in-FreeIPA" job="/usr/local/bin/ipa-letsencrypt >/var/log/acme/ipa-letsencrypt.log 2>&1" user=root hour="{{ range(1, 4) | random }}" minute="{{ range(0, 59) | random }}" day={{ ipa_letsencrypt_cron_job_day }} state=present
when: not ipa_ssl_letsencrypt_use_hook | bool
tags: [ 'ipa', 'letsencrypt', 'ipa_letsencrypt', 'ipa_letsencrypt_cron' ]
- name: Create the ipa certificate directory
file: dest=/etc/pki/ipa state=directory owner=root group=root mode=0750
- name: Install the Letsencrypt CA file with both the root and the trusted CAs
copy: src={{ ipa_letsencrypt_ca_filename }} dest=/etc/pki/ipa/{{ ipa_letsencrypt_ca_filename }} mode=0440
- name: Copy the certificate file into /etc/pki/ipa
copy: src={{ letsencrypt_acme_certs_dir }}/fullchain dest=/etc/pki/ipa/cert.pem remote_src=True force=True mode=0440
- name: Copy the certificate key file into /etc/pki/ipa
copy: src={{ letsencrypt_acme_certs_dir }}/privkey dest=/etc/pki/ipa/cert-key.pem remote_src=True force=True mode=0440
- name: Put chain and cert in a single file. Needed once for the first configuration
shell: cat /etc/pki/ipa/{{ ipa_letsencrypt_ca_filename }} /etc/pki/ipa/cert.pem /etc/pki/ipa/cert-key.pem > /etc/pki/ipa/fullchain.pem ; chmod 400 /etc/pki/ipa/fullchain.pem
args:
creates: '/etc/pki/ipa/fullchain.pem'
when:
- ipa_ssl_letsencrypt_managed | bool
- letsencrypt_acme_install | bool
tags: [ 'ipa', 'letsencrypt', 'ipa_letsencrypt' ]
- block:
- name: Install the FreeIPA server packages
yum: pkg={{ ipa_server_packages }} state=latest
- name: Install the FreeIPA DNS server packages
yum: pkg={{ ipa_server_dns_packages }} state=latest
- name: Remove the packages that conflict with the FreeIPA server configuration
yum: pkg={{ ipa_packages_to_remove }} state=absent
- name: Ensure that the ntpd service is started and enabled
service: name=ntpd state=started enabled=yes
when:
- ipa_server_install | bool
- ansible_distribution_file_variety == "RedHat"
tags: [ 'ipa' ]
- block:
- name: Run the ipa-server-install command unattended.
command: ipa-server-install {{ ipa_installation_options }}
args:
creates: /var/lib/ipa/dnssec/softhsm_pin
when:
- ipa_server_install | bool
- ipa_server_is_master | bool
- ansible_distribution_file_variety == "RedHat"
- ipa_run_the_installation_command | bool
tags: [ 'ipa' ]

View File

@ -0,0 +1,23 @@
#!/bin/bash
LE_LOG_DIR=/var/log/acme
LOG_FILE="$LE_LOG_DIR/ipa-server.log"
DATE=$( date )
LE_CERTS_DIR="{{ letsencrypt_acme_sh_certificates_install_path }}"
[ ! -d $LE_LOG_DIR ] && mkdir $LE_LOG_DIR
echo "$DATE" >> $LOG_FILE
krb_realm=$( grep realm /etc/ipa/default.conf | awk '{ print $3 }' )
/bin/cp -f "$LE_CERTS_DIR/fullchain" /etc/pki/ipa/cert.pem
/bin/cp -f "$LE_CERTS_DIR/privkey" /etc/pki/ipa/cert-key.pem
chmod 400 /etc/pki/ipa/cert-key.pem
ipa-server-certinstall -w -d /etc/pki/ipa/cert.pem /etc/pki/ipa/cert-key.pem --pin='' -p '{{ ipa_manager_password }}'
systemctl reload httpd
systemctl restart "dirsrv@${krb_realm//./-}.service"
echo "Done." >> $LOG_FILE
exit 0

View File

@ -0,0 +1 @@
ProxyPass "/.well-known/acme-challenge" "http://127.0.0.1:{{ letsencrypt_acme_standalone_port}}/.well-known/acme-challenge"