internet/ansible-freeipa
4
0
Fork 0
mirror of https://github.com/freeipa/ansible-freeipa.git synced 2026-03-27 05:43:05 +00:00
Code Issues Projects Releases Wiki Activity

roles: Fix when, block and always key order.

Browse Source 
ansible-lint warns if  'warn' key is used before block and always keys.
This commit is contained in:
Rafael Guterres Jeffman
2023-01-03 18:21:07 -03:00
parent 292e2eb60e
commit 5062ac2b09
8 changed files with 58 additions and 88 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
roles/ipabackup/tasks/backup.yml
View File

@@ -14,6 +14,7 @@
register: result_ipabackup
- name: Handle backup
when: ipabackup_to_controller
block:
- name: Get ipabackup_item from stderr or stdout output
ansible.builtin.set_fact:
@@ -37,5 +38,3 @@
- name: Remove backup on server
ansible.builtin.include_tasks: "{{ role_path }}/tasks/remove_backup_from_server.yml"
when: not ipabackup_keep_on_server
when: ipabackup_to_controller

25
roles/ipabackup/tasks/main.yml
View File

@@ -50,6 +50,10 @@
(state == "copied" or state == "restored" or state == "absent")
- name: Get all backup names for copy to controller
when: state is defined and
((state == "copied" and ipabackup_to_controller) or
state == "absent") and
ipabackup_name is defined and ipabackup_name == "all"
block:
- name: Get list of all backups on IPA server
ansible.builtin.shell:
@@ -62,12 +66,8 @@
ansible.builtin.set_fact:
ipabackup_names: "{{ result_backup_find_backup_files.stdout_lines }}"
when: state is defined and
((state == "copied" and ipabackup_to_controller) or
state == "absent") and
ipabackup_name is defined and ipabackup_name == "all"
- name: Set ipabackup_names from ipabackup_name
when: ipabackup_names is not defined and ipabackup_name is defined
block:
- name: Fail on ipabackup_name all
ansible.builtin.fail:
@@ -83,7 +83,6 @@
ansible.builtin.set_fact:
ipabackup_names: "{{ ipabackup_name }}"
when: ipabackup_name | type_debug == "list"
when: ipabackup_names is not defined and ipabackup_name is defined
- name: Set empty ipabackup_names if ipabackup_name is not defined
ansible.builtin.set_fact:
@@ -91,6 +90,8 @@
when: ipabackup_names is not defined and ipabackup_name is not defined
- name: Process "{{ ipabackup_names }}"
when: state is defined and
((state == "copied" and ipabackup_to_controller) or state == "absent")
block:
- name: Copy backup from IPA server
ansible.builtin.include_tasks: "{{ role_path }}/tasks/copy_backup_from_server.yml"
@@ -112,9 +113,6 @@
loop_var: main_item
when: state is defined and state == "absent"
when: state is defined and
((state == "copied" and ipabackup_to_controller) or state == "absent")
# Fail with more than one entry in ipabackup_names for copy to sever and
# restore.
@@ -127,6 +125,10 @@
# Use only first item in ipabackup_names for copy to server and for restore.
- name: Process "{{ ipabackup_names[0] }}"
when: ipabackup_from_controller or
(state|default("present") == "copied" and not ipabackup_to_controller)
vars:
ipabackup_name: "{{ ipabackup_names[0] }}"
block:
- name: Copy backup to server
ansible.builtin.include_tasks: "{{ role_path }}/tasks/copy_backup_to_server.yml"
@@ -135,11 +137,6 @@
ansible.builtin.include_tasks: "{{ role_path }}/tasks/restore.yml"
when: state|default("present") == "restored"
vars:
ipabackup_name: "{{ ipabackup_names[0] }}"
when: ipabackup_from_controller or
(state|default("present") == "copied" and not ipabackup_to_controller)
- name: Restore IPA server
ansible.builtin.include_tasks: "{{ role_path }}/tasks/restore.yml"
vars:

6
roles/ipabackup/tasks/restore.yml
View File

@@ -55,6 +55,7 @@
### INSTALL PACKAGES
- name: Package installation
when: ipabackup_install_packages | bool
block:
- name: Ensure that IPA server packages are installed
ansible.builtin.package:
@@ -79,11 +80,10 @@
state: present
when: ipabackup_setup_firewalld | bool
when: ipabackup_install_packages | bool
### START FIREWALLD
- name: Firewall configuration
when: ipabackup_setup_firewalld | bool
block:
- name: Ensure that firewalld is running
ansible.builtin.systemd:
@@ -106,8 +106,6 @@
>/dev/null
when: ipabackup_firewalld_zone is defined
when: ipabackup_setup_firewalld | bool
### RESTORE
- name: Restore backup

61
roles/ipaclient/tasks/install.yml
View File

@@ -29,6 +29,8 @@
when: ipaadmin_principal is undefined and ipaclient_keytab is undefined
- name: Install - DNS resolver configuration
when: ipaclient_configure_dns_resolver | bool
and not ipaclient_on_master | bool
block:
- name: Install - Fail on missing ipaclient_domain and ipaserver_domain
@@ -47,9 +49,6 @@
searchdomains: "{{ ipaserver_domain | default(ipaclient_domain) }}"
state: present
when: ipaclient_configure_dns_resolver | bool
and not ipaclient_on_master | bool
- name: Install - IPA client test
ipaclient_test:
### basic ###
@@ -76,6 +75,9 @@
register: result_ipaclient_test
- name: Install - Client deployment
when: not ansible_check_mode and
not (result_ipaclient_test.client_already_configured and
not ipaclient_allow_repair | bool and not ipaclient_force_join | bool)
block:
- name: Install - Cleanup leftover ccache
ansible.builtin.file:
@@ -130,6 +132,7 @@
# If a keytab is specified in the hostent, then the hostent will be disabled
# if ipaclient_use_otp is set.
- name: Install - Obtain OTP
when: ipaclient_use_otp | bool and ipaclient_otp is not defined
block:
- name: Install - Keytab or password is required for getting otp
ansible.builtin.fail:
@@ -175,9 +178,6 @@
ipaadmin_orig_password: "{{ ipaadmin_password | default(omit) }}"
ipaadmin_password: "{{ result_ipaclient_get_otp.host.randompassword
if result_ipaclient_get_otp.host is defined }}"
when: ipaclient_use_otp | bool and ipaclient_otp is not defined
always:
- name: Install - Remove keytab temporary file
ansible.builtin.file:
@@ -194,7 +194,15 @@
when: ipaclient_otp is defined
- name: Install - Check keytab, principal and keytab
when: not ipaclient_on_master | bool
block:
# This block is executed only when
# not (not ipaclient_on_master | bool and
# not result_ipaclient_join.changed and
# not ipaclient_allow_repair | bool and
# (result_ipaclient_test_keytab.krb5_keytab_ok or
# (result_ipaclient_join.already_joined is defined and
# result_ipaclient_join.already_joined)))
- name: Install - Check if principal and keytab are set
ansible.builtin.fail:
@@ -208,7 +216,6 @@
and ipaadmin_password is undefined
and ipaadmin_keytab is undefined
and ipaclient_keytab is undefined
when: not ipaclient_on_master | bool
- name: Install - Purge {{ result_ipaclient_test.realm }} from host keytab
ansible.builtin.command: >
@@ -254,16 +261,14 @@
ipaclient_force_join)
- name: Install - Allow repair checks
when: not ipaclient_on_master | bool and
not result_ipaclient_join.changed and
not ipaclient_allow_repair | bool and
(result_ipaclient_test_keytab.krb5_keytab_ok or
(result_ipaclient_join.already_joined is defined and
result_ipaclient_join.already_joined))
block:
# This block is executed only when
# not (not ipaclient_on_master | bool and
# not result_ipaclient_join.changed and
# not ipaclient_allow_repair | bool and
# (result_ipaclient_test_keytab.krb5_keytab_ok or
# (result_ipaclient_join.already_joined is defined and
# result_ipaclient_join.already_joined)))
- name: krb5 configuration not correct
- name: The krb5 configuration is not correct
ansible.builtin.fail:
msg: >
The krb5 configuration is not correct, please enable allow_repair
@@ -278,14 +283,14 @@
msg: >
The ca.crt file is missing, please enable allow_repair to fix this.
when: not result_ipaclient_test_keytab.ca_crt_exists
when: not ipaclient_on_master | bool and
not result_ipaclient_join.changed and
not ipaclient_allow_repair | bool and
(result_ipaclient_test_keytab.krb5_keytab_ok or
(result_ipaclient_join.already_joined is defined and
result_ipaclient_join.already_joined))
- name: Install - Configuration
when: not (not ipaclient_on_master | bool and
not result_ipaclient_join.changed and
not ipaclient_allow_repair | bool
and (result_ipaclient_test_keytab.krb5_keytab_ok
or (result_ipaclient_join.already_joined is defined
and result_ipaclient_join.already_joined)))
block:
- name: Install - Configure IPA default.conf
ipaclient_ipa_conf:
@@ -407,18 +412,6 @@
domain: "{{ result_ipaclient_test.domain }}"
nisdomain: "{{ ipaclient_nisdomain | default(omit) }}"
when: not ipaclient_no_nisdomain | bool
when: not (not ipaclient_on_master | bool and
not result_ipaclient_join.changed and
not ipaclient_allow_repair | bool
and (result_ipaclient_test_keytab.krb5_keytab_ok
or (result_ipaclient_join.already_joined is defined
and result_ipaclient_join.already_joined)))
when: not ansible_check_mode and
not (result_ipaclient_test.client_already_configured and
not ipaclient_allow_repair | bool and not ipaclient_force_join | bool)
always:
- name: Install - Restore original admin password if overwritten by OTP
no_log: yes

13
roles/ipareplica/tasks/install.yml
View File

@@ -2,6 +2,7 @@
# tasks file for ipareplica
- name: Package installation
when: ipareplica_install_packages | bool
block:
- name: Install - Ensure IPA replica packages are installed
@@ -27,9 +28,8 @@
state: present
when: ipareplica_setup_firewalld | bool
when: ipareplica_install_packages | bool
- name: Firewall configuration
when: ipareplica_setup_firewalld | bool
block:
- name: Firewalld service - Ensure that firewalld is running
ansible.builtin.systemd:
@@ -52,8 +52,6 @@
>/dev/null
when: ipareplica_firewalld_zone is defined
when: ipareplica_setup_firewalld | bool
- name: Install - Set ipareplica_servers
ansible.builtin.set_fact:
ipareplica_servers: "{{ groups['ipaservers'] | list }}"
@@ -104,6 +102,9 @@
register: result_ipareplica_test
- name: Install - Deploy replica
when: not ansible_check_mode and
not (result_ipareplica_test.client_already_configured is defined or
result_ipareplica_test.server_already_configured is defined)
block:
# This block is executed only when
# not ansible_check_mode and
@@ -793,7 +794,3 @@
- "/etc/ipa/.tmp_pkcs12_dirsrv"
- "/etc/ipa/.tmp_pkcs12_http"
- "/etc/ipa/.tmp_pkcs12_pkinit"
when: not ansible_check_mode and
not (result_ipareplica_test.client_already_configured is defined or
result_ipareplica_test.server_already_configured is defined)

28
roles/ipaserver/tasks/install.yml
View File

@@ -2,6 +2,7 @@
# tasks file for ipaserver
- name: Install - Package installation
when: ipaserver_install_packages | bool
block:
- name: Install - Ensure that IPA server packages are installed
ansible.builtin.package:
@@ -26,9 +27,9 @@
state: present
when: ipaserver_setup_firewalld | bool
when: ipaserver_install_packages | bool
- name: Install - Firewall configuration
when: ipaserver_setup_firewalld | bool
block:
- name: Firewalld service - Ensure that firewalld is running
ansible.builtin.systemd:
@@ -51,9 +52,7 @@
>/dev/null
when: ipaserver_firewalld_zone is defined
when: ipaserver_setup_firewalld | bool
- name: Include tasks "{{ role_path }}/tasks/copy_external_cert.yml"
- name: Copy external cert
ansible.builtin.include_tasks: "{{ role_path }}/tasks/copy_external_cert.yml"
with_items: "{{ ipaserver_external_cert_files_from_controller }}"
when: ipaserver_external_cert_files_from_controller is defined and
@@ -131,14 +130,13 @@
register: result_ipaserver_test
- name: Install - Deploy server
when: not ansible_check_mode and not
(not result_ipaserver_test.changed and
(result_ipaserver_test.client_already_configured is defined or
result_ipaserver_test.server_already_configured is defined))
block:
# This block is executed only when
# not ansible_check_mode and
# not (not result_ipaserver_test.changed and
# (result_ipaserver_test.client_already_configured is defined or
# result_ipaserver_test.server_already_configured is defined)
- name: Install - Obtain master password
when: ipaserver_master_password is undefined
block:
- name: Install - Master password creation
no_log: yes
@@ -153,8 +151,6 @@
ipaserver_master_password:
"{{ result_ipaserver_master_password.password }}"
when: ipaserver_master_password is undefined
- name: Install - Server preparation
ipaserver_prepare:
### basic ###
@@ -321,6 +317,7 @@
ipaserver_copy_csr_to_controller | bool
- name: Install - Configure services
when: not result_ipaserver_setup_ca.csr_generated | bool
block:
- name: Install - Setup otpd
ipaserver_setup_otpd:
@@ -476,8 +473,6 @@
{{ "--add-service=ntp" if not ipaclient_no_ntp | bool else "" }}
when: ipaserver_setup_firewalld | bool
when: not result_ipaserver_setup_ca.csr_generated | bool
always:
- name: Cleanup temporary files
ansible.builtin.file:
@@ -487,8 +482,3 @@
- "/etc/ipa/.tmp_pkcs12_dirsrv"
- "/etc/ipa/.tmp_pkcs12_http"
- "/etc/ipa/.tmp_pkcs12_pkinit"
when: not ansible_check_mode and not
(not result_ipaserver_test.changed and
(result_ipaserver_test.client_already_configured is defined or
result_ipaserver_test.server_already_configured is defined))

3
roles/ipasmartcard_client/tasks/main.yml
View File

@@ -103,6 +103,7 @@
# Ensure /etc/sssd/pki exists
- name: Prepare for authselect
when: ipasmartcard_client_vars.USE_AUTHSELECT
block:
- name: Ensure /etc/sssd/pki exists
ansible.builtin.file:
@@ -115,8 +116,6 @@
path: /etc/sssd/pki/sssd_auth_ca_db.pem
state: absent
when: ipasmartcard_client_vars.USE_AUTHSELECT
# Upload smartcard CA certificates to systemwide db
- name: Upload smartcard CA certificates to systemwide db

7
roles/ipasmartcard_server/tasks/main.yml
View File

@@ -168,10 +168,10 @@
# HTTPD IFP
- name: Allow HTTPD ifp
when: ipasmartcard_server_vars.allow_httpd_ifp
block:
# Allow Apache to access SSSD IFP
- name: Allow Apache to access SSSD IFP
ansible.builtin.command: "{{ ipasmartcard_server_vars.python_interpreter }}"
args:
@@ -192,11 +192,10 @@
name: sssd
state: restarted
when: ipasmartcard_server_vars.allow_httpd_ifp
# Ensure /etc/sssd/pki exists
- name: Prepare for authselect
when: ipasmartcard_server_vars.USE_AUTHSELECT
block:
- name: Ensure /etc/sssd/pki exists
ansible.builtin.file:
@@ -209,8 +208,6 @@
path: /etc/sssd/pki/sssd_auth_ca_db.pem
state: absent
when: ipasmartcard_server_vars.USE_AUTHSELECT
# Upload smartcard CA certificates to systemwide db
- name: Upload smartcard CA certificates to systemwide db