From 9a32359a5d4bf5e7e6acfad054ec2fd696631615 Mon Sep 17 00:00:00 2001 From: Rafael Guterres Jeffman Date: Tue, 3 Jan 2023 16:42:15 -0300 Subject: [PATCH 1/8] roles: Fix type of data used for versions in meta files ansible-lint warns if version strings are used as numbers instead of strings. --- roles/ipabackup/meta/main.yml | 6 +++--- roles/ipaclient/meta/main.yml | 6 +++--- roles/ipareplica/meta/main.yml | 6 +++--- roles/ipaserver/meta/main.yml | 6 +++--- roles/ipasmartcard_client/meta/main.yml | 6 +++--- roles/ipasmartcard_server/meta/main.yml | 6 +++--- 6 files changed, 18 insertions(+), 18 deletions(-) diff --git a/roles/ipabackup/meta/main.yml b/roles/ipabackup/meta/main.yml index 6131e0d7..f081e2a6 100644 --- a/roles/ipabackup/meta/main.yml +++ b/roles/ipabackup/meta/main.yml @@ -6,15 +6,15 @@ galaxy_info: description: A role to backup and restore an IPA server company: Red Hat, Inc license: GPLv3 - min_ansible_version: 2.8 + min_ansible_version: "2.8" platforms: - name: Fedora versions: - all - name: EL versions: - - 7 - - 8 + - "7" + - "8" galaxy_tags: - identity - ipa diff --git a/roles/ipaclient/meta/main.yml b/roles/ipaclient/meta/main.yml index 356b2db0..7c759325 100644 --- a/roles/ipaclient/meta/main.yml +++ b/roles/ipaclient/meta/main.yml @@ -6,15 +6,15 @@ galaxy_info: description: A role to join a machine to an IPA domain company: Red Hat, Inc license: GPLv3 - min_ansible_version: 2.8 + min_ansible_version: "2.8" platforms: - name: Fedora versions: - all - name: EL versions: - - 7 - - 8 + - "7" + - "8" galaxy_tags: - identity - ipa diff --git a/roles/ipareplica/meta/main.yml b/roles/ipareplica/meta/main.yml index 6b1021ad..3054787c 100644 --- a/roles/ipareplica/meta/main.yml +++ b/roles/ipareplica/meta/main.yml 
@@ -6,15 +6,15 @@ galaxy_info: description: A role to setup an IPA domain replica company: Red Hat, Inc license: GPLv3 - min_ansible_version: 2.8 + min_ansible_version: "2.8" platforms: - name: Fedora versions: - all - name: EL versions: - - 7 - - 8 + - "7" + - "8" galaxy_tags: - identity - ipa diff --git a/roles/ipaserver/meta/main.yml b/roles/ipaserver/meta/main.yml index 86a05f9b..89c7a384 100644 --- a/roles/ipaserver/meta/main.yml +++ b/roles/ipaserver/meta/main.yml @@ -6,15 +6,15 @@ galaxy_info: description: A role to setup an iPA domain server company: Red Hat, Inc license: GPLv3 - min_ansible_version: 2.8 + min_ansible_version: "2.8" platforms: - name: Fedora versions: - all - name: EL versions: - - 7 - - 8 + - "7" + - "8" galaxy_tags: - identity - ipa diff --git a/roles/ipasmartcard_client/meta/main.yml b/roles/ipasmartcard_client/meta/main.yml index 26ef55df..73d3a9d1 100644 --- a/roles/ipasmartcard_client/meta/main.yml +++ b/roles/ipasmartcard_client/meta/main.yml @@ -6,15 +6,15 @@ galaxy_info: description: A role to setup IPA server(s) for Smart Card authentication company: Red Hat, Inc license: GPLv3 - min_ansible_version: 2.8 + min_ansible_version: "2.8" platforms: - name: Fedora versions: - all - name: EL versions: - - 7 - - 8 + - "7" + - "8" galaxy_tags: - identity - ipa diff --git a/roles/ipasmartcard_server/meta/main.yml b/roles/ipasmartcard_server/meta/main.yml index 26ef55df..73d3a9d1 100644 --- a/roles/ipasmartcard_server/meta/main.yml +++ b/roles/ipasmartcard_server/meta/main.yml @@ -6,15 +6,15 @@ galaxy_info: description: A role to setup IPA server(s) for Smart Card authentication company: Red Hat, Inc license: GPLv3 - min_ansible_version: 2.8 + min_ansible_version: "2.8" platforms: - name: Fedora versions: - all - name: EL versions: - - 7 - - 8 + - "7" + - "8" galaxy_tags: - identity - ipa From 6b7633976cd9c45ad3f2c698c79763d3e9490a75 Mon Sep 17 00:00:00 2001 
From: Rafael Guterres Jeffman Date: Tue, 3 Jan 2023 16:56:59 -0300 Subject: [PATCH 2/8] roles: Fix use of ansible.builtin.fail free-form message. ansible-lint warns to avoid using free-form when calling module actions and ansible-freeipa roles used this form with 'ansible.builtin.fail'. --- roles/ipabackup/tasks/backup.yml | 3 ++- .../tasks/copy_backup_from_server.yml | 6 ++++-- .../ipabackup/tasks/copy_backup_to_server.yml | 6 ++++-- roles/ipabackup/tasks/main.yml | 18 ++++++++++++------ roles/ipabackup/tasks/restore.yml | 6 ++++-- roles/ipaclient/tasks/install.yml | 17 +++++++++++------ roles/ipasmartcard_client/tasks/main.yml | 6 ++++-- roles/ipasmartcard_server/tasks/main.yml | 12 ++++++++---- 8 files changed, 49 insertions(+), 25 deletions(-) diff --git a/roles/ipabackup/tasks/backup.yml b/roles/ipabackup/tasks/backup.yml index b2f77817..5aa95dcc 100644 --- a/roles/ipabackup/tasks/backup.yml +++ b/roles/ipabackup/tasks/backup.yml @@ -26,7 +26,8 @@ label: "" - name: Fail on missing ipabackup_item - ansible.builtin.fail: msg="Failed to get ipabackup_item" + ansible.builtin.fail: + msg: "Failed to get ipabackup_item" when: ipabackup_item is not defined - name: Copy backup to controller diff --git a/roles/ipabackup/tasks/copy_backup_from_server.yml b/roles/ipabackup/tasks/copy_backup_from_server.yml index 516814b1..85c78e89 100644 --- a/roles/ipabackup/tasks/copy_backup_from_server.yml +++ b/roles/ipabackup/tasks/copy_backup_from_server.yml @@ -1,6 +1,7 @@ --- - name: Fail on invalid ipabackup_item - ansible.builtin.fail: msg="ipabackup_item {{ ipabackup_item }} is not valid" + ansible.builtin.fail: + msg: "ipabackup_item {{ ipabackup_item }} is not valid" when: ipabackup_item is not defined or ipabackup_item | length < 1 or (ipabackup_item.find("ipa-full-") == -1 and 
@@ -19,7 +20,8 @@ register: result_backup_stat - name: Fail on missing backup directory - ansible.builtin.fail: msg="Unable to find backup {{ ipabackup_item }}" + ansible.builtin.fail: + msg: "Unable to find backup {{ ipabackup_item }}" when: result_backup_stat.stat.isdir is not defined - name: Get backup files to copy for "{{ ipabackup_item }}" diff --git a/roles/ipabackup/tasks/copy_backup_to_server.yml b/roles/ipabackup/tasks/copy_backup_to_server.yml index 6fa20613..eb591508 100644 --- a/roles/ipabackup/tasks/copy_backup_to_server.yml +++ b/roles/ipabackup/tasks/copy_backup_to_server.yml @@ -1,6 +1,7 @@ --- - name: Fail on invalid ipabackup_name - ansible.builtin.fail: msg="ipabackup_name {{ ipabackup_name }} is not valid" + ansible.builtin.fail: + msg: "ipabackup_name {{ ipabackup_name }} is not valid" when: ipabackup_name is not defined or ipabackup_name | length < 1 or (ipabackup_name.find("ipa-full-") == -1 and @@ -30,7 +31,8 @@ become: no - name: Fail on missing backup to copy - ansible.builtin.fail: msg="Unable to find backup {{ ipabackup_name }}" + ansible.builtin.fail: + msg: "Unable to find backup {{ ipabackup_name }}" when: result_backup_stat.stat.isdir is not defined - name: Copy backup files to server for "{{ ipabackup_item }}" diff --git a/roles/ipabackup/tasks/main.yml b/roles/ipabackup/tasks/main.yml index 25d8c25c..7b323990 100644 --- a/roles/ipabackup/tasks/main.yml +++ b/roles/ipabackup/tasks/main.yml @@ -2,7 +2,8 @@ # tasks file for ipabackup - name: Check for empty vars - ansible.builtin.fail: msg="Variable {{ item }} is empty" + ansible.builtin.fail: + msg: "Variable {{ item }} is empty" when: "item in vars and not vars[item]" with_items: "{{ ipabackup_empty_var_checks }}" vars: 
@@ -23,11 +24,13 @@ when: ipabackup_online | bool and not ipabackup_data | bool - name: Fail if ipabackup_from_controller and ipabackup_to_controller are set - ansible.builtin.fail: msg="ipabackup_from_controller and ipabackup_to_controller are set" + ansible.builtin.fail: + msg: "ipabackup_from_controller and ipabackup_to_controller are set" when: ipabackup_from_controller | bool and ipabackup_to_controller | bool - name: Fail for given ipabackup_name if state is not copied, restored or absent - ansible.builtin.fail: msg="ipabackup_name is given and state is not copied, restored or absent" + ansible.builtin.fail: + msg: "ipabackup_name is given and state is not copied, restored or absent" when: state is not defined or (state != "copied" and state != "restored" and state != "absent") and ipabackup_name is defined @@ -40,7 +43,8 @@ when: state|default("present") == "present" - name: Fail on missing ipabackup_name - ansible.builtin.fail: msg="ipabackup_name is not set" + ansible.builtin.fail: + msg: "ipabackup_name is not set" when: (ipabackup_name is not defined or not ipabackup_name) and state is defined and (state == "copied" or state == "restored" or state == "absent") @@ -66,7 +70,8 @@ - name: Set ipabackup_names from ipabackup_name block: - name: Fail on ipabackup_name all - ansible.builtin.fail: msg="ipabackup_name can not be all in this case" + ansible.builtin.fail: + msg: "ipabackup_name can not be all in this case" when: ipabackup_name is defined and ipabackup_name == "all" - name: Set ipabackup_names from ipabackup_name string @@ -114,7 +119,8 @@ # restore. - name: Fail to copy or restore more than one backup on the server - ansible.builtin.fail: msg="Only one backup can be copied to the server or restored" + ansible.builtin.fail: + msg: "Only one backup can be copied to the server or restored" when: state is defined and (state == "copied" or state == "restored") and ipabackup_from_controller | bool and ipabackup_names | length != 1 
diff --git a/roles/ipabackup/tasks/restore.yml b/roles/ipabackup/tasks/restore.yml index 1a0794da..290ba249 100644 --- a/roles/ipabackup/tasks/restore.yml +++ b/roles/ipabackup/tasks/restore.yml @@ -26,7 +26,8 @@ register: result_backup_stat - name: Fail on missing backup directory - ansible.builtin.fail: msg="Unable to find backup {{ ipabackup_item }}" + ansible.builtin.fail: + msg: "Unable to find backup {{ ipabackup_item }}" when: result_backup_stat.stat.isdir is not defined - name: Stat header file in backup "{{ ipabackup_item }}" @@ -35,7 +36,8 @@ register: result_backup_header_stat - name: Fail on missing header file in backup - ansible.builtin.fail: msg="Unable to find backup {{ ipabackup_item }} header file" + ansible.builtin.fail: + msg: "Unable to find backup {{ ipabackup_item }} header file" when: result_backup_header_stat.stat.isreg is not defined - name: Get services from backup diff --git a/roles/ipaclient/tasks/install.yml b/roles/ipaclient/tasks/install.yml index 28998c56..922259b9 100644 --- a/roles/ipaclient/tasks/install.yml +++ b/roles/ipaclient/tasks/install.yml @@ -19,7 +19,8 @@ ipaclient_servers is not defined - name: Install - Check that either password or keytab is set - ansible.builtin.fail: msg="ipaadmin_password and ipaadmin_keytab cannot be used together" + ansible.builtin.fail: + msg: "ipaadmin_password and ipaadmin_keytab cannot be used together" when: ipaadmin_keytab is defined and ipaadmin_password is defined - name: Install - Set default principal if no keytab is given 
@@ -31,11 +32,13 @@ block: - name: Install - Fail on missing ipaclient_domain and ipaserver_domain - ansible.builtin.fail: msg="ipaclient_domain or ipaserver_domain is required for ipaclient_configure_dns_resolver" + ansible.builtin.fail: + msg: "ipaclient_domain or ipaserver_domain is required for ipaclient_configure_dns_resolver" when: ipaserver_domain is not defined and ipaclient_domain is not defined - name: Install - Fail on missing ipaclient_servers - ansible.builtin.fail: msg="ipaclient_dns_servers is required for ipaclient_configure_dns_resolver" + ansible.builtin.fail: + msg: "ipaclient_dns_servers is required for ipaclient_configure_dns_resolver" when: ipaclient_dns_servers is not defined - name: Install - Configure DNS resolver @@ -130,7 +133,7 @@ block: - name: Install - Keytab or password is required for getting otp ansible.builtin.fail: - msg: Keytab or password is required for getting otp + msg: "Keytab or password is required for getting otp" when: ipaadmin_keytab is undefined and ipaadmin_password is undefined - name: Install - Create temporary file for keytab @@ -194,11 +197,13 @@ block: - name: Install - Check if principal and keytab are set - ansible.builtin.fail: msg="Admin principal and client keytab cannot be used together" + ansible.builtin.fail: + msg: "Admin principal and client keytab cannot be used together" when: ipaadmin_principal is defined and ipaclient_keytab is defined - name: Install - Check if one of password or keytabs are set - ansible.builtin.fail: msg="At least one of password or keytabs must be specified" + ansible.builtin.fail: + msg: "At least one of password or keytabs must be specified" when: not result_ipaclient_test_keytab.krb5_keytab_ok and ipaadmin_password is undefined and ipaadmin_keytab is undefined diff --git a/roles/ipasmartcard_client/tasks/main.yml b/roles/ipasmartcard_client/tasks/main.yml index 54ced777..bdbfc801 100644 --- a/roles/ipasmartcard_client/tasks/main.yml 
+++ b/roles/ipasmartcard_client/tasks/main.yml @@ -2,7 +2,8 @@ # tasks file for ipasmartcard_client role - name: Uninstall smartcard client - ansible.builtin.fail: msg="Uninstalling smartcard for IPA is not supported" + ansible.builtin.fail: + msg: "Uninstalling smartcard for IPA is not supported" when: state|default('present') == 'absent' - name: Import variables specific to distribution @@ -36,7 +37,8 @@ # Fail on empty "ipasmartcard_client_ca_certs" - name: Fail on empty "ipasmartcard_client_ca_certs" - ansible.builtin.fail: msg="No CA certs given in 'ipasmartcard_client_ca_certs'" + ansible.builtin.fail: + msg: "No CA certs given in 'ipasmartcard_client_ca_certs'" when: ipasmartcard_client_ca_certs is not defined or ipasmartcard_client_ca_certs | length < 1 diff --git a/roles/ipasmartcard_server/tasks/main.yml b/roles/ipasmartcard_server/tasks/main.yml index 6f0fa28e..1c214d05 100644 --- a/roles/ipasmartcard_server/tasks/main.yml +++ b/roles/ipasmartcard_server/tasks/main.yml @@ -2,7 +2,8 @@ # tasks file for ipasmartcard_server role - name: Uninstall smartcard server - ansible.builtin.fail: msg="Uninstalling smartcard for IPA is not supported" + ansible.builtin.fail: + msg: "Uninstalling smartcard for IPA is not supported" when: state|default('present') == 'absent' - name: Import variables specific to distribution @@ -27,7 +28,8 @@ # Fail on empty "ipasmartcard_server_ca_certs" - name: Fail on empty "ipasmartcard_server_ca_certs" - ansible.builtin.fail: msg="No CA certs given in 'ipasmartcard_server_ca_certs'" + ansible.builtin.fail: + msg: "No CA certs given in 'ipasmartcard_server_ca_certs'" when: ipasmartcard_server_ca_certs is not defined or ipasmartcard_server_ca_certs | length < 1 @@ -70,7 +72,8 @@ register: result_ipa_server_show - name: Fail if not an IPA server - ansible.builtin.fail: msg="Not an IPA server" + ansible.builtin.fail: + msg: "Not an IPA server" when: result_ipa_server_show.failed - name: Get Domain from server-find server name 
@@ -83,7 +86,8 @@ register: result_get_ipaca_records - name: Fail if ipa-ca records are not resolvable - ansible.builtin.fail: msg="ipa-ca records are not resolvable" + ansible.builtin.fail: + msg: "ipa-ca records are not resolvable" when: result_get_ipaca_records.failed or result_get_ipaca_records.stdout | length == 0 From baa7cae8bf0f5fd56495b556535715e2699281a4 Mon Sep 17 00:00:00 2001 From: Rafael Guterres Jeffman Date: Tue, 3 Jan 2023 17:06:29 -0300 Subject: [PATCH 3/8] roles: Fix task names to start with uppercase letters ansible-lint warns if task names don't start with an uppercase letter. --- roles/ipaclient/tasks/install.yml | 2 +- roles/ipasmartcard_client/tasks/main.yml | 6 +++--- roles/ipasmartcard_server/tasks/main.yml | 6 +++--- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/roles/ipaclient/tasks/install.yml b/roles/ipaclient/tasks/install.yml index 922259b9..174eefaf 100644 --- a/roles/ipaclient/tasks/install.yml +++ b/roles/ipaclient/tasks/install.yml @@ -273,7 +273,7 @@ ansible.builtin.fail: msg: "The IPA test failed, please enable allow_repair to fix this." when: not result_ipaclient_test_keytab.ping_test_ok - - name: ca.crt file is missing + - name: Fail due to missing ca.crt file ansible.builtin.fail: msg: > The ca.crt file is missing, please enable allow_repair to fix this. diff --git a/roles/ipasmartcard_client/tasks/main.yml b/roles/ipasmartcard_client/tasks/main.yml index bdbfc801..f7ddb827 100644 --- a/roles/ipasmartcard_client/tasks/main.yml +++ b/roles/ipasmartcard_client/tasks/main.yml 
@@ -70,13 +70,13 @@ ipaadmin_principal: admin when: ipaadmin_principal is undefined - - name: kinit using "{{ ipaadmin_principal }}" password + - name: Authenticate using kinit and "{{ ipaadmin_principal }}" password ansible.builtin.command: kinit "{{ ipaadmin_principal }}" args: stdin: "{{ ipaadmin_password }}" when: ipaadmin_password is defined - - name: kinit using "{{ ipaadmin_principal }}" keytab + - name: Authenticate using kinit and "{{ ipaadmin_principal }}" keytab ansible.builtin.command: kinit -kt "{{ ipaadmin_keytab }}" "{{ ipaadmin_principal }}" when: ipaadmin_keytab is defined @@ -173,5 +173,5 @@ ### ALWAYS ### always: - - name: kdestroy + - name: Destroy Kerberos tickets ansible.builtin.command: kdestroy -A diff --git a/roles/ipasmartcard_server/tasks/main.yml b/roles/ipasmartcard_server/tasks/main.yml index 1c214d05..a57ea6d1 100644 --- a/roles/ipasmartcard_server/tasks/main.yml +++ b/roles/ipasmartcard_server/tasks/main.yml @@ -55,13 +55,13 @@ ipaadmin_principal: admin when: ipaadmin_principal is undefined - - name: kinit using "{{ ipaadmin_principal }}" password + - name: Athenticate with kinit and "{{ ipaadmin_principal }}" password ansible.builtin.command: kinit "{{ ipaadmin_principal }}" args: stdin: "{{ ipaadmin_password }}" when: ipaadmin_password is defined - - name: kinit using "{{ ipaadmin_principal }}" keytab + - name: Authenticate with kinit and "{{ ipaadmin_principal }}" keytab ansible.builtin.command: kinit -kt "{{ ipaadmin_keytab }}" "{{ ipaadmin_principal }}" when: ipaadmin_keytab is defined @@ -250,5 +250,5 @@ ### ALWAYS ### always: - - name: kdestroy + - name: Destroy Kereberos tickets ansible.builtin.command: kdestroy -A From 292e2eb60e6deb04b0bd50af789e840ed30674e1 Mon Sep 17 00:00:00 2001 
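Review bot: Two of the new task names in roles/ipasmartcard_server/tasks/main.yml carry typos: `- name: Athenticate with kinit and "{{ ipaadmin_principal }}" password` should read `Authenticate`, and `- name: Destroy Kereberos tickets` should read `- name: Destroy Kerberos tickets`. The ipasmartcard_client counterpart in the same patch names the same tasks "Authenticate using kinit and …" and "Destroy Kerberos tickets"; using identical wording in both roles keeps play output greppable across them. The kinit tasks themselves continue outside the hunks.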
From: Rafael Guterres Jeffman Date: Tue, 3 Jan 2023 17:46:43 -0300 Subject: [PATCH 4/8] roles: Fix jinja2 template spacing This patch fixes ansible-lint warnings about jinja2 template spacing in roles --- roles/ipabackup/tasks/backup.yml | 4 ++-- roles/ipabackup/tasks/copy_backup_from_server.yml | 2 +- roles/ipabackup/tasks/copy_backup_to_server.yml | 4 ++-- roles/ipabackup/tasks/restore.yml | 12 ++++++------ roles/ipareplica/tasks/install.yml | 6 +++--- roles/ipaserver/tasks/copy_external_cert.yml | 2 +- roles/ipasmartcard_server/tasks/main.yml | 2 +- 7 files changed, 16 insertions(+), 16 deletions(-) diff --git a/roles/ipabackup/tasks/backup.yml b/roles/ipabackup/tasks/backup.yml index 5aa95dcc..5fcb65cf 100644 --- a/roles/ipabackup/tasks/backup.yml +++ b/roles/ipabackup/tasks/backup.yml @@ -5,12 +5,12 @@ ansible.builtin.shell: > ipa-backup {{ "--gpg" if ipabackup_gpg | bool else "" }} - {{ "--gpg-keyring="+ipabackup_gpg_keyring if ipabackup_gpg_keyring is defined else "" }} + {{ "--gpg-keyring=" + ipabackup_gpg_keyring if ipabackup_gpg_keyring is defined else "" }} {{ "--data" if ipabackup_data | bool else "" }} {{ "--logs" if ipabackup_logs | bool else "" }} {{ "--online" if ipabackup_online | bool else "" }} {{ "--disable-role-check" if ipabackup_disable_role_check | bool else "" }} - {{ "--log-file="+ipabackup_log_file if ipabackup_log_file is defined else "" }} + {{ "--log-file=" + ipabackup_log_file if ipabackup_log_file is defined else "" }} register: result_ipabackup - name: Handle backup diff --git a/roles/ipabackup/tasks/copy_backup_from_server.yml b/roles/ipabackup/tasks/copy_backup_from_server.yml index 85c78e89..cea4afdf 100644 --- a/roles/ipabackup/tasks/copy_backup_from_server.yml +++ b/roles/ipabackup/tasks/copy_backup_from_server.yml 
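Review bot: The two re-spaced lines in roles/ipabackup/tasks/backup.yml still interpolate `ipabackup_gpg_keyring` and `ipabackup_log_file` unquoted into an `ansible.builtin.shell: >` command, so a path containing whitespace or shell metacharacters is split or interpreted by the shell instead of reaching ipa-backup as one argument. Wrapping the assembled option in the `quote` filter, e.g. `{{ ("--gpg-keyring=" + ipabackup_gpg_keyring) | quote if ipabackup_gpg_keyring is defined else "" }}`, makes it opaque to the shell; the `--log-file=` line needs the same treatment. The task header is outside the hunk, so whether these variables are validated elsewhere cannot be seen here.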
@@ -10,7 +10,7 @@ - name: Set controller destination directory ansible.builtin.set_fact: ipabackup_controller_dir: - "{{ ipabackup_controller_path | default(lookup('env','PWD')) }}/{{ + "{{ ipabackup_controller_path | default(lookup('env', 'PWD')) }}/{{ ipabackup_name_prefix | default(ansible_facts['fqdn']) }}_{{ ipabackup_item }}/" diff --git a/roles/ipabackup/tasks/copy_backup_to_server.yml b/roles/ipabackup/tasks/copy_backup_to_server.yml index eb591508..dc2f1885 100644 --- a/roles/ipabackup/tasks/copy_backup_to_server.yml +++ b/roles/ipabackup/tasks/copy_backup_to_server.yml @@ -10,12 +10,12 @@ - name: Set controller source directory ansible.builtin.set_fact: ipabackup_controller_dir: - "{{ ipabackup_controller_path | default(lookup('env','PWD')) }}" + "{{ ipabackup_controller_path | default(lookup('env', 'PWD')) }}" - name: Set ipabackup_item ansible.builtin.set_fact: ipabackup_item: - "{{ ipabackup_name | regex_search('.*_(ipa-.+)','\\1') | first }}" + "{{ ipabackup_name | regex_search('.*_(ipa-.+)', '\\1') | first }}" when: "'_ipa-' in ipabackup_name" - name: Set ipabackup_item diff --git a/roles/ipabackup/tasks/restore.yml b/roles/ipabackup/tasks/restore.yml index 290ba249..ca11a8c6 100644 --- a/roles/ipabackup/tasks/restore.yml +++ b/roles/ipabackup/tasks/restore.yml 
@@ -116,13 +116,13 @@ ipa-restore {{ ipabackup_item }} --unattended - {{ "--password="+ipabackup_password if ipabackup_password is defined else "" }} + {{ "--password=" + ipabackup_password if ipabackup_password is defined else "" }} {{ "--data" if ipabackup_data | bool else "" }} {{ "--online" if ipabackup_online | bool else "" }} - {{ "--instance="+ipabackup_instance if ipabackup_instance is defined else "" }} - {{ "--backend="+ipabackup_backend if ipabackup_backend is defined else "" }} + {{ "--instance=" + ipabackup_instance if ipabackup_instance is defined else "" }} + {{ "--backend=" + ipabackup_backend if ipabackup_backend is defined else "" }} {{ "--no-logs" if ipabackup_no_logs | bool else "" }} - {{ "--log-file="+ipabackup_log_file if ipabackup_log_file is defined else "" }} + {{ "--log-file=" + ipabackup_log_file if ipabackup_log_file is defined else "" }} register: result_iparestore ignore_errors: yes @@ -138,7 +138,7 @@ ansible.builtin.command: > firewall-cmd --permanent - {{ "--zone="+ipabackup_firewalld_zone if ipabackup_firewalld_zone is defined else "" }} + {{ "--zone=" + ipabackup_firewalld_zone if ipabackup_firewalld_zone is defined else "" }} --add-service=freeipa-ldap --add-service=freeipa-ldaps {{ "--add-service=freeipa-trust" if ipabackup_service_adtrust in ipabackup_services else "" }} @@ -149,7 +149,7 @@ - name: Configure firewalld runtime ansible.builtin.command: > firewall-cmd - {{ "--zone="+ipabackup_firewalld_zone if ipabackup_firewalld_zone is defined else "" }} + {{ "--zone=" + ipabackup_firewalld_zone if ipabackup_firewalld_zone is defined else "" }} --add-service=freeipa-ldap --add-service=freeipa-ldaps {{ "--add-service=freeipa-trust" if ipabackup_service_adtrust in ipabackup_services else "" }} diff --git a/roles/ipareplica/tasks/install.yml b/roles/ipareplica/tasks/install.yml index 79848418..670a03ae 100644 --- a/roles/ipareplica/tasks/install.yml +++ b/roles/ipareplica/tasks/install.yml 
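Review bot: The rewritten `{{ "--password=" + ipabackup_password if ipabackup_password is defined else "" }}` line in roles/ipabackup/tasks/restore.yml places the password on the ipa-restore command line, where it is readable by any local user through the process list and is echoed in Ansible task output and logs unless the task sets `no_log: true`; the task header is outside the hunk, so I cannot tell whether it does. Because the value passes through `ansible.builtin.shell`, shell metacharacters in the password are also interpreted; `{{ ("--password=" + ipabackup_password) | quote if ipabackup_password is defined else "" }}` hands it over as a single argument. The `--instance=`, `--backend=`, `--log-file=` and `--zone=` lines touched in the same three hunks have the same unquoted-argument issue, though without the secrecy concern.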
@@ -73,7 +73,7 @@ domain: "{{ ipareplica_domain | default(ipaserver_domain) | default(omit) }}" servers: "{{ ipareplica_servers | default(omit) }}" - realm: "{{ ipareplica_realm | default(ipaserver_realm) |default(omit) }}" + realm: "{{ ipareplica_realm | default(ipaserver_realm) | default(omit) }}" hostname: "{{ ipareplica_hostname | default(ansible_facts['fqdn']) }}" ca_cert_files: "{{ ipareplica_ca_cert_files | default([]) }}" hidden_replica: "{{ ipareplica_hidden_replica }}" @@ -305,7 +305,7 @@ ccache: "{{ result_ipareplica_prepare.ccache }}" installer_ccache: "{{ result_ipareplica_prepare.installer_ccache }}" _ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}" - _dirsrv_pkcs12_info: "{{ result_ipareplica_prepare._dirsrv_pkcs12_info if result_ipareplica_prepare._dirsrv_pkcs12_info != None else omit }}" + _dirsrv_pkcs12_info: "{{ result_ipareplica_prepare._dirsrv_pkcs12_info if result_ipareplica_prepare._dirsrv_pkcs12_info != None else omit }}" subject_base: "{{ result_ipareplica_prepare.subject_base }}" _top_dir: "{{ result_ipareplica_prepare._top_dir }}" _add_to_ipaservers: "{{ result_ipareplica_prepare._add_to_ipaservers }}" @@ -370,7 +370,7 @@ config_master_host_name: "{{ result_ipareplica_install_ca_certs.config_master_host_name }}" ccache: "{{ result_ipareplica_prepare.ccache }}" - _pkinit_pkcs12_info: "{{ result_ipareplica_prepare._pkinit_pkcs12_info if result_ipareplica_prepare._pkinit_pkcs12_info != None else omit }}" + _pkinit_pkcs12_info: "{{ result_ipareplica_prepare._pkinit_pkcs12_info if result_ipareplica_prepare._pkinit_pkcs12_info != None else omit }}" _top_dir: "{{ result_ipareplica_prepare._top_dir }}" dirman_password: "{{ ipareplica_dirman_password }}" diff --git a/roles/ipaserver/tasks/copy_external_cert.yml b/roles/ipaserver/tasks/copy_external_cert.yml index 8d30aca4..85ba3182 100644 --- a/roles/ipaserver/tasks/copy_external_cert.yml +++ b/roles/ipaserver/tasks/copy_external_cert.yml 
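Review bot: The re-spaced `_dirsrv_pkcs12_info` and `_pkinit_pkcs12_info` lines in roles/ipareplica/tasks/install.yml compare with `!= None`, relying on Python's `None` being visible inside the Jinja2 expression; Jinja2's own test for this is `is not none`, e.g. `_dirsrv_pkcs12_info: "{{ result_ipareplica_prepare._dirsrv_pkcs12_info if result_ipareplica_prepare._dirsrv_pkcs12_info is not none else omit }}"`. Since the commit already rewrites both lines for the jinja spacing rule, settling the comparison style at the same time avoids another lint pass later. Behaviour is the same for both forms.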
@@ -11,4 +11,4 @@ force: yes - name: Install - Extend ipaserver_external_cert_files with "/root/{{ item | basename }}" ansible.builtin.set_fact: - ipaserver_external_cert_files: "{{ ipaserver_external_cert_files + [ '/root/' + (item | basename) ] }}" + ipaserver_external_cert_files: "{{ ipaserver_external_cert_files + ['/root/' + (item | basename)] }}" diff --git a/roles/ipasmartcard_server/tasks/main.yml b/roles/ipasmartcard_server/tasks/main.yml index a57ea6d1..4306a31a 100644 --- a/roles/ipasmartcard_server/tasks/main.yml +++ b/roles/ipasmartcard_server/tasks/main.yml @@ -78,7 +78,7 @@ - name: Get Domain from server-find server name ansible.builtin.set_fact: - ipaserver_domain: "{{ (result_ipa_server_show.stdout | regex_search('cn: (.+)', '\\1'))[0].split('.')[1:] | join ('.') }}" + ipaserver_domain: "{{ (result_ipa_server_show.stdout | regex_search('cn: (.+)', '\\1'))[0].split('.')[1:] | join('.') }}" when: ipaserver_domain is not defined - name: Get ipa-ca records From 5062ac2b0961ba4ae01ebfef345e5c8790868c38 Mon Sep 17 00:00:00 2001 From: Rafael Guterres Jeffman Date: Tue, 3 Jan 2023 18:21:07 -0300 Subject: [PATCH 5/8] roles: Fix when, block and always key order. ansible-lint warns if 'when' key is used before block and always keys. --- roles/ipabackup/tasks/backup.yml | 3 +- roles/ipabackup/tasks/main.yml | 25 +++++----- roles/ipabackup/tasks/restore.yml | 6 +-- roles/ipaclient/tasks/install.yml | 61 +++++++++++------------- roles/ipareplica/tasks/install.yml | 13 ++--- roles/ipaserver/tasks/install.yml | 28 ++++------- roles/ipasmartcard_client/tasks/main.yml | 3 +- roles/ipasmartcard_server/tasks/main.yml | 7 +-- 8 files changed, 58 insertions(+), 88 deletions(-) diff --git a/roles/ipabackup/tasks/backup.yml b/roles/ipabackup/tasks/backup.yml index 5fcb65cf..fb4cb249 100644 --- a/roles/ipabackup/tasks/backup.yml +++ b/roles/ipabackup/tasks/backup.yml 
@@ -14,6 +14,7 @@ register: result_ipabackup - name: Handle backup + when: ipabackup_to_controller block: - name: Get ipabackup_item from stderr or stdout output ansible.builtin.set_fact: @@ -37,5 +38,3 @@ - name: Remove backup on server ansible.builtin.include_tasks: "{{ role_path }}/tasks/remove_backup_from_server.yml" when: not ipabackup_keep_on_server - - when: ipabackup_to_controller diff --git a/roles/ipabackup/tasks/main.yml b/roles/ipabackup/tasks/main.yml index 7b323990..01fb10b8 100644 --- a/roles/ipabackup/tasks/main.yml +++ b/roles/ipabackup/tasks/main.yml @@ -50,6 +50,10 @@ (state == "copied" or state == "restored" or state == "absent") - name: Get all backup names for copy to controller + when: state is defined and + ((state == "copied" and ipabackup_to_controller) or + state == "absent") and + ipabackup_name is defined and ipabackup_name == "all" block: - name: Get list of all backups on IPA server ansible.builtin.shell: @@ -62,12 +66,8 @@ ansible.builtin.set_fact: ipabackup_names: "{{ result_backup_find_backup_files.stdout_lines }}" - when: state is defined and - ((state == "copied" and ipabackup_to_controller) or - state == "absent") and - ipabackup_name is defined and ipabackup_name == "all" - - name: Set ipabackup_names from ipabackup_name + when: ipabackup_names is not defined and ipabackup_name is defined block: - name: Fail on ipabackup_name all ansible.builtin.fail: @@ -83,7 +83,6 @@ ansible.builtin.set_fact: ipabackup_names: "{{ ipabackup_name }}" when: ipabackup_name | type_debug == "list" - when: ipabackup_names is not defined and ipabackup_name is defined - name: Set empty ipabackup_names if ipabackup_name is not defined ansible.builtin.set_fact: 
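Review bot: The `when: ipabackup_to_controller` moved above `block:` in roles/ipabackup/tasks/backup.yml, and the `(state == "copied" and ipabackup_to_controller)` clauses relocated in roles/ipabackup/tasks/main.yml, test the variable bare, whereas the rest of main.yml applies `| bool` to the same variable (e.g. `ipabackup_from_controller | bool and ipabackup_to_controller | bool` in the earlier fail task). Since the commit is already rewriting these lines, `when: ipabackup_to_controller | bool` would keep truthiness handling uniform across the role, which matters if the value arrives as a string from extra-vars or the inventory. The blocks these conditions guard continue outside the hunks.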
@@ -91,6 +90,8 @@ when: ipabackup_names is not defined and ipabackup_name is not defined - name: Process "{{ ipabackup_names }}" + when: state is defined and + ((state == "copied" and ipabackup_to_controller) or state == "absent") block: - name: Copy backup from IPA server ansible.builtin.include_tasks: "{{ role_path }}/tasks/copy_backup_from_server.yml" @@ -112,9 +113,6 @@ loop_var: main_item when: state is defined and state == "absent" - when: state is defined and - ((state == "copied" and ipabackup_to_controller) or state == "absent") - # Fail with more than one entry in ipabackup_names for copy to sever and # restore. @@ -127,6 +125,10 @@ # Use only first item in ipabackup_names for copy to server and for restore. - name: Process "{{ ipabackup_names[0] }}" + when: ipabackup_from_controller or + (state|default("present") == "copied" and not ipabackup_to_controller) + vars: + ipabackup_name: "{{ ipabackup_names[0] }}" block: - name: Copy backup to server ansible.builtin.include_tasks: "{{ role_path }}/tasks/copy_backup_to_server.yml" @@ -135,11 +137,6 @@ ansible.builtin.include_tasks: "{{ role_path }}/tasks/restore.yml" when: state|default("present") == "restored" - vars: - ipabackup_name: "{{ ipabackup_names[0] }}" - when: ipabackup_from_controller or - (state|default("present") == "copied" and not ipabackup_to_controller) - - name: Restore IPA server ansible.builtin.include_tasks: "{{ role_path }}/tasks/restore.yml" vars: diff --git a/roles/ipabackup/tasks/restore.yml b/roles/ipabackup/tasks/restore.yml index ca11a8c6..27e3c7d6 100644 --- a/roles/ipabackup/tasks/restore.yml +++ b/roles/ipabackup/tasks/restore.yml @@ -55,6 +55,7 @@ ### INSTALL PACKAGES - name: Package installation + when: ipabackup_install_packages | bool block: - name: Ensure that IPA server packages are installed ansible.builtin.package: 
@@ -79,11 +80,10 @@ state: present when: ipabackup_setup_firewalld | bool - when: ipabackup_install_packages | bool - ### START FIREWALLD - name: Firewall configuration + when: ipabackup_setup_firewalld | bool block: - name: Ensure that firewalld is running ansible.builtin.systemd: @@ -106,8 +106,6 @@ >/dev/null when: ipabackup_firewalld_zone is defined - when: ipabackup_setup_firewalld | bool - ### RESTORE - name: Restore backup diff --git a/roles/ipaclient/tasks/install.yml b/roles/ipaclient/tasks/install.yml index 174eefaf..8c1286cb 100644 --- a/roles/ipaclient/tasks/install.yml +++ b/roles/ipaclient/tasks/install.yml @@ -29,6 +29,8 @@ when: ipaadmin_principal is undefined and ipaclient_keytab is undefined - name: Install - DNS resolver configuration + when: ipaclient_configure_dns_resolver | bool + and not ipaclient_on_master | bool block: - name: Install - Fail on missing ipaclient_domain and ipaserver_domain @@ -47,9 +49,6 @@ searchdomains: "{{ ipaserver_domain | default(ipaclient_domain) }}" state: present - when: ipaclient_configure_dns_resolver | bool - and not ipaclient_on_master | bool - - name: Install - IPA client test ipaclient_test: ### basic ### @@ -76,6 +75,9 @@ register: result_ipaclient_test - name: Install - Client deployment + when: not ansible_check_mode and + not (result_ipaclient_test.client_already_configured and + not ipaclient_allow_repair | bool and not ipaclient_force_join | bool) block: - name: Install - Cleanup leftover ccache ansible.builtin.file: @@ -130,6 +132,7 @@ # If a keytab is specified in the hostent, then the hostent will be disabled # if ipaclient_use_otp is set. - name: Install - Obtain OTP + when: ipaclient_use_otp | bool and ipaclient_otp is not defined block: - name: Install - Keytab or password is required for getting otp ansible.builtin.fail: 
@@ -175,9 +178,6 @@ ipaadmin_orig_password: "{{ ipaadmin_password | default(omit) }}" ipaadmin_password: "{{ result_ipaclient_get_otp.host.randompassword if result_ipaclient_get_otp.host is defined }}" - - when: ipaclient_use_otp | bool and ipaclient_otp is not defined - always: - name: Install - Remove keytab temporary file ansible.builtin.file: @@ -194,7 +194,15 @@ when: ipaclient_otp is defined - name: Install - Check keytab, principal and keytab + when: not ipaclient_on_master | bool block: + # This block is executed only when + # not (not ipaclient_on_master | bool and + # not result_ipaclient_join.changed and + # not ipaclient_allow_repair | bool and + # (result_ipaclient_test_keytab.krb5_keytab_ok or + # (result_ipaclient_join.already_joined is defined and + # result_ipaclient_join.already_joined))) - name: Install - Check if principal and keytab are set ansible.builtin.fail: @@ -208,7 +216,6 @@ and ipaadmin_password is undefined and ipaadmin_keytab is undefined and ipaclient_keytab is undefined - when: not ipaclient_on_master | bool - name: Install - Purge {{ result_ipaclient_test.realm }} from host keytab ansible.builtin.command: 
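Review bot: The seven-line `# This block is executed only when` / `# not (not ipaclient_on_master | bool and ...` comment added under `Install - Check keytab, principal and keytab` does not describe that block: its condition is the one-line `when: not ipaclient_on_master | bool` placed just above it, and the quoted expression references `result_ipaclient_join`, which appears to be registered only later by the join task (the `ipaclient_force_join)` context preceding `Install - Allow repair checks` in a later hunk). The expression literally matches the `when:` of the `Install - Configuration` block further down, so either move it there or drop it now that every block carries its `when:` at the top. The enclosing `Install - Client deployment` block starts and ends outside this hunk.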
> @@ -254,16 +261,14 @@ ipaclient_force_join) - name: Install - Allow repair checks + when: not ipaclient_on_master | bool and + not result_ipaclient_join.changed and + not ipaclient_allow_repair | bool and + (result_ipaclient_test_keytab.krb5_keytab_ok or + (result_ipaclient_join.already_joined is defined and + result_ipaclient_join.already_joined)) block: - # This block is executed only when - # not (not ipaclient_on_master | bool and - # not result_ipaclient_join.changed and - # not ipaclient_allow_repair | bool and - # (result_ipaclient_test_keytab.krb5_keytab_ok or - # (result_ipaclient_join.already_joined is defined and - # result_ipaclient_join.already_joined))) - - - name: krb5 configuration not correct + - name: The krb5 configuration is not correct ansible.builtin.fail: msg: > The krb5 configuration is not correct, please enable allow_repair @@ -278,14 +283,14 @@ msg: > The ca.crt file is missing, please enable allow_repair to fix this. when: not result_ipaclient_test_keytab.ca_crt_exists - when: not ipaclient_on_master | bool and - not result_ipaclient_join.changed and - not ipaclient_allow_repair | bool and - (result_ipaclient_test_keytab.krb5_keytab_ok or - (result_ipaclient_join.already_joined is defined and - result_ipaclient_join.already_joined)) - name: Install - Configuration + when: not (not ipaclient_on_master | bool and + not result_ipaclient_join.changed and + not ipaclient_allow_repair | bool + and (result_ipaclient_test_keytab.krb5_keytab_ok + or (result_ipaclient_join.already_joined is defined + and result_ipaclient_join.already_joined))) block: - name: Install - Configure IPA default.conf ipaclient_ipa_conf: 
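Review bot: The six-line condition on `Install - Configuration` is the exact negation of the one on `Install - Allow repair checks` a few tasks above, and keeping two hand-maintained copies means they can drift so that a host is neither repair-checked nor configured. Consider computing it once with a `set_fact` of a `__ipaclient_needs_repair_check` boolean placed before the repair block (the `already_joined is defined and already_joined` pair collapses to `result_ipaclient_join.already_joined | default(false)` there), then `when: __ipaclient_needs_repair_check` on the repair block and `when: not __ipaclient_needs_repair_check` on this one. The `Install - Configuration` block continues past the hunk.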
@@ -407,18 +412,6 @@ domain: "{{ result_ipaclient_test.domain }}" nisdomain: "{{ ipaclient_nisdomain | default(omit) }}" when: not ipaclient_no_nisdomain | bool - - when: not (not ipaclient_on_master | bool and - not result_ipaclient_join.changed and - not ipaclient_allow_repair | bool - and (result_ipaclient_test_keytab.krb5_keytab_ok - or (result_ipaclient_join.already_joined is defined - and result_ipaclient_join.already_joined))) - - when: not ansible_check_mode and - not (result_ipaclient_test.client_already_configured and - not ipaclient_allow_repair | bool and not ipaclient_force_join | bool) - always: - name: Install - Restore original admin password if overwritten by OTP no_log: yes diff --git a/roles/ipareplica/tasks/install.yml b/roles/ipareplica/tasks/install.yml index 670a03ae..0e10d9b0 100644 --- a/roles/ipareplica/tasks/install.yml +++ b/roles/ipareplica/tasks/install.yml @@ -2,6 +2,7 @@ # tasks file for ipareplica - name: Package installation + when: ipareplica_install_packages | bool block: - name: Install - Ensure IPA replica packages are installed @@ -27,9 +28,8 @@ state: present when: ipareplica_setup_firewalld | bool - when: ipareplica_install_packages | bool - - name: Firewall configuration + when: ipareplica_setup_firewalld | bool block: - name: Firewalld service - Ensure that firewalld is running ansible.builtin.systemd: @@ -52,8 +52,6 @@ >/dev/null when: ipareplica_firewalld_zone is defined - when: ipareplica_setup_firewalld | bool - - name: Install - Set ipareplica_servers ansible.builtin.set_fact: ipareplica_servers: "{{ groups['ipaservers'] | list }}" @@ -104,6 +102,9 @@ register: result_ipareplica_test - name: Install - Deploy replica + when: not ansible_check_mode and + not (result_ipareplica_test.client_already_configured is defined or + result_ipareplica_test.server_already_configured is defined) block: # This block is executed only when # not ansible_check_mode and 
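Review bot: The `# This block is executed only when` / `# not ansible_check_mode and` comment kept under `block:` in `Install - Deploy replica` now duplicates the `when:` placed directly above it and will go stale on the next edit; the equivalent comment on `Install - Deploy server` in roles/ipaserver/tasks/install.yml is removed in this same change, so drop it here too for consistency. The block body runs far past this hunk (its `always:` cleanup of the `/etc/ipa/.tmp_pkcs12_*` files appears to be at the end of the file).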
@@ -793,7 +794,3 @@ - "/etc/ipa/.tmp_pkcs12_dirsrv" - "/etc/ipa/.tmp_pkcs12_http" - "/etc/ipa/.tmp_pkcs12_pkinit" - - when: not ansible_check_mode and - not (result_ipareplica_test.client_already_configured is defined or - result_ipareplica_test.server_already_configured is defined) diff --git a/roles/ipaserver/tasks/install.yml b/roles/ipaserver/tasks/install.yml index bfb5b740..74dd5d8b 100644 --- a/roles/ipaserver/tasks/install.yml +++ b/roles/ipaserver/tasks/install.yml @@ -2,6 +2,7 @@ # tasks file for ipaserver - name: Install - Package installation + when: ipaserver_install_packages | bool block: - name: Install - Ensure that IPA server packages are installed ansible.builtin.package: @@ -26,9 +27,9 @@ state: present when: ipaserver_setup_firewalld | bool - when: ipaserver_install_packages | bool - name: Install - Firewall configuration + when: ipaserver_setup_firewalld | bool block: - name: Firewalld service - Ensure that firewalld is running ansible.builtin.systemd: @@ -51,9 +52,7 @@ >/dev/null when: ipaserver_firewalld_zone is defined - when: ipaserver_setup_firewalld | bool - -- name: Include tasks "{{ role_path }}/tasks/copy_external_cert.yml" +- name: Copy external cert ansible.builtin.include_tasks: "{{ role_path }}/tasks/copy_external_cert.yml" with_items: "{{ ipaserver_external_cert_files_from_controller }}" when: ipaserver_external_cert_files_from_controller is defined and 
@@ -131,14 +130,13 @@ register: result_ipaserver_test - name: Install - Deploy server + when: not ansible_check_mode and not + (not result_ipaserver_test.changed and + (result_ipaserver_test.client_already_configured is defined or + result_ipaserver_test.server_already_configured is defined)) block: - # This block is executed only when - # not ansible_check_mode and - # not (not result_ipaserver_test.changed and - # (result_ipaserver_test.client_already_configured is defined or - # result_ipaserver_test.server_already_configured is defined) - - name: Install - Obtain master password + when: ipaserver_master_password is undefined block: - name: Install - Master password creation no_log: yes @@ -153,8 +151,6 @@ ipaserver_master_password: "{{ result_ipaserver_master_password.password }}" - when: ipaserver_master_password is undefined - - name: Install - Server preparation ipaserver_prepare: ### basic ### @@ -321,6 +317,7 @@ ipaserver_copy_csr_to_controller | bool - name: Install - Configure services + when: not result_ipaserver_setup_ca.csr_generated | bool block: - name: Install - Setup otpd ipaserver_setup_otpd: @@ -476,8 +473,6 @@ {{ "--add-service=ntp" if not ipaclient_no_ntp | bool else "" }} when: ipaserver_setup_firewalld | bool - when: not result_ipaserver_setup_ca.csr_generated | bool - always: - name: Cleanup temporary files ansible.builtin.file: @@ -487,8 +482,3 @@ - "/etc/ipa/.tmp_pkcs12_dirsrv" - "/etc/ipa/.tmp_pkcs12_http" - "/etc/ipa/.tmp_pkcs12_pkinit" - - when: not ansible_check_mode and not - (not result_ipaserver_test.changed and - (result_ipaserver_test.client_already_configured is defined or - result_ipaserver_test.server_already_configured is defined)) diff --git a/roles/ipasmartcard_client/tasks/main.yml b/roles/ipasmartcard_client/tasks/main.yml index f7ddb827..94d1e9c3 100644 --- a/roles/ipasmartcard_client/tasks/main.yml +++ b/roles/ipasmartcard_client/tasks/main.yml 
@@ -103,6 +103,7 @@ # Ensure /etc/sssd/pki exists - name: Prepare for authselect + when: ipasmartcard_client_vars.USE_AUTHSELECT block: - name: Ensure /etc/sssd/pki exists ansible.builtin.file: @@ -115,8 +116,6 @@ path: /etc/sssd/pki/sssd_auth_ca_db.pem state: absent - when: ipasmartcard_client_vars.USE_AUTHSELECT - # Upload smartcard CA certificates to systemwide db - name: Upload smartcard CA certificates to systemwide db diff --git a/roles/ipasmartcard_server/tasks/main.yml b/roles/ipasmartcard_server/tasks/main.yml index 4306a31a..a05451a8 100644 --- a/roles/ipasmartcard_server/tasks/main.yml +++ b/roles/ipasmartcard_server/tasks/main.yml @@ -168,10 +168,10 @@ # HTTPD IFP - name: Allow HTTPD ifp + when: ipasmartcard_server_vars.allow_httpd_ifp block: # Allow Apache to access SSSD IFP - - name: Allow Apache to access SSSD IFP ansible.builtin.command: "{{ ipasmartcard_server_vars.python_interpreter }}" args: @@ -192,11 +192,10 @@ name: sssd state: restarted - when: ipasmartcard_server_vars.allow_httpd_ifp - # Ensure /etc/sssd/pki exists - name: Prepare for authselect + when: ipasmartcard_server_vars.USE_AUTHSELECT block: - name: Ensure /etc/sssd/pki exists ansible.builtin.file: @@ -209,8 +208,6 @@ path: /etc/sssd/pki/sssd_auth_ca_db.pem state: absent - when: ipasmartcard_server_vars.USE_AUTHSELECT - # Upload smartcard CA certificates to systemwide db - name: Upload smartcard CA certificates to systemwide db From 8240d9beb69161990775807b82a143b0f1c6f357 Mon Sep 17 00:00:00 2001 
From: Rafael Guterres Jeffman Date: Mon, 9 Jan 2023 20:47:40 -0300 Subject: [PATCH 6/8] roles: Fix ansible-lint warning on var-naming. ansible-lint warns if set_fact sets a variable where the name is used or can be as a parameter for the role. --- .../tasks/copy_backup_from_server.yml | 6 ++-- .../ipabackup/tasks/copy_backup_to_server.yml | 14 ++++---- roles/ipareplica/tasks/install.yml | 34 +++++++++---------- roles/ipaserver/tasks/install.yml | 16 ++++++--- 4 files changed, 38 insertions(+), 32 deletions(-) diff --git a/roles/ipabackup/tasks/copy_backup_from_server.yml b/roles/ipabackup/tasks/copy_backup_from_server.yml index cea4afdf..c64c3c46 100644 --- a/roles/ipabackup/tasks/copy_backup_from_server.yml +++ b/roles/ipabackup/tasks/copy_backup_from_server.yml @@ -9,7 +9,7 @@ - name: Set controller destination directory ansible.builtin.set_fact: - ipabackup_controller_dir: + __derived_controller_dir: "{{ ipabackup_controller_path | default(lookup('env', 'PWD')) }}/{{ ipabackup_name_prefix | default(ansible_facts['fqdn']) }}_{{ ipabackup_item }}/" @@ -35,13 +35,13 @@ ansible.builtin.fetch: flat: yes src: "{{ ipabackup_dir }}/{{ ipabackup_item }}/{{ item }}" - dest: "{{ ipabackup_controller_dir }}" + dest: "{{ __derived_controller_dir }}" with_items: - "{{ result_find_backup_files.stdout_lines }}" - name: Fix file modes for backup on controller ansible.builtin.file: - dest: "{{ ipabackup_controller_dir }}" + dest: "{{ __derived_controller_dir }}" mode: u=rwX,go= recurse: yes delegate_to: localhost diff --git a/roles/ipabackup/tasks/copy_backup_to_server.yml b/roles/ipabackup/tasks/copy_backup_to_server.yml index dc2f1885..a4871528 100644 --- a/roles/ipabackup/tasks/copy_backup_to_server.yml +++ b/roles/ipabackup/tasks/copy_backup_to_server.yml 
@@ -9,23 +9,23 @@ - name: Set controller source directory ansible.builtin.set_fact: - ipabackup_controller_dir: + __derived_controller_dir: "{{ ipabackup_controller_path | default(lookup('env', 'PWD')) }}" - name: Set ipabackup_item ansible.builtin.set_fact: - ipabackup_item: + __derived_item: "{{ ipabackup_name | regex_search('.*_(ipa-.+)', '\\1') | first }}" when: "'_ipa-' in ipabackup_name" - name: Set ipabackup_item ansible.builtin.set_fact: - ipabackup_item: "{{ ipabackup_name }}" + __derived_item: "{{ ipabackup_name }}" when: "'_ipa-' not in ipabackup_name" - name: Stat backup to copy ansible.builtin.stat: - path: "{{ ipabackup_controller_dir }}/{{ ipabackup_name }}" + path: "{{ __derived_controller_dir }}/{{ ipabackup_name }}" register: result_backup_stat delegate_to: localhost become: no @@ -35,10 +35,10 @@ msg: "Unable to find backup {{ ipabackup_name }}" when: result_backup_stat.stat.isdir is not defined -- name: Copy backup files to server for "{{ ipabackup_item }}" +- name: Copy backup files to server for "{{ __derived_item }}" ansible.builtin.copy: - src: "{{ ipabackup_controller_dir }}/{{ ipabackup_name }}/" - dest: "{{ ipabackup_dir }}/{{ ipabackup_item }}" + src: "{{ __derived_controller_dir }}/{{ ipabackup_name }}/" + dest: "{{ ipabackup_dir }}/{{ __derived_item }}" owner: root group: root mode: u=rw,go=r diff --git a/roles/ipareplica/tasks/install.yml b/roles/ipareplica/tasks/install.yml index 0e10d9b0..d4fb2997 100644 --- a/roles/ipareplica/tasks/install.yml +++ b/roles/ipareplica/tasks/install.yml @@ -227,7 +227,7 @@ - name: Install - Set dirman password no_log: yes ansible.builtin.set_fact: - ipareplica_dirman_password: + __derived_dirman_password: "{{ result_ipareplica_master_password.password }}" - name: Install - Setup certmonger 
@@ -268,7 +268,7 @@ _add_to_ipaservers: "{{ result_ipareplica_prepare._add_to_ipaservers }}" _ca_subject: "{{ result_ipareplica_prepare._ca_subject }}" _subject_base: "{{ result_ipareplica_prepare._subject_base }}" - dirman_password: "{{ ipareplica_dirman_password }}" + dirman_password: "{{ __derived_dirman_password }}" config_setup_ca: "{{ result_ipareplica_prepare.config_setup_ca }}" config_master_host_name: "{{ result_ipareplica_prepare.config_master_host_name }}" @@ -312,7 +312,7 @@ _add_to_ipaservers: "{{ result_ipareplica_prepare._add_to_ipaservers }}" _ca_subject: "{{ result_ipareplica_prepare._ca_subject }}" _subject_base: "{{ result_ipareplica_prepare._subject_base }}" - dirman_password: "{{ ipareplica_dirman_password }}" + dirman_password: "{{ __derived_dirman_password }}" config_setup_ca: "{{ result_ipareplica_prepare.config_setup_ca }}" config_master_host_name: "{{ result_ipareplica_install_ca_certs.config_master_host_name }}" @@ -356,7 +356,7 @@ _add_to_ipaservers: "{{ result_ipareplica_prepare._add_to_ipaservers }}" _ca_subject: "{{ result_ipareplica_prepare._ca_subject }}" _subject_base: "{{ result_ipareplica_prepare._subject_base }}" - dirman_password: "{{ ipareplica_dirman_password }}" + dirman_password: "{{ __derived_dirman_password }}" setup_ca: "{{ result_ipareplica_prepare.config_setup_ca }}" - name: Install - Setup KRB @@ -373,7 +373,7 @@ ccache: "{{ result_ipareplica_prepare.ccache }}" _pkinit_pkcs12_info: "{{ result_ipareplica_prepare._pkinit_pkcs12_info if result_ipareplica_prepare._pkinit_pkcs12_info != None else omit }}" _top_dir: "{{ result_ipareplica_prepare._top_dir }}" - dirman_password: "{{ ipareplica_dirman_password }}" + dirman_password: "{{ __derived_dirman_password }}" # We need to point to the master in ipa default conf when certmonger # asks for HTTP certificate in newer ipa versions. In these versions 
@@ -414,7 +414,7 @@ _add_to_ipaservers: "{{ result_ipareplica_prepare._add_to_ipaservers }}" _ca_subject: "{{ result_ipareplica_prepare._ca_subject }}" _subject_base: "{{ result_ipareplica_prepare._subject_base }}" - dirman_password: "{{ ipareplica_dirman_password }}" + dirman_password: "{{ __derived_dirman_password }}" setup_ca: "{{ result_ipareplica_prepare.config_setup_ca }}" master: "{{ result_ipareplica_install_ca_certs.config_master_host_name }}" @@ -438,7 +438,7 @@ _dirsrv_pkcs12_info: "{{ result_ipareplica_prepare._dirsrv_pkcs12_info if result_ipareplica_prepare._dirsrv_pkcs12_info != None else omit }}" _pkinit_pkcs12_info: "{{ result_ipareplica_prepare._pkinit_pkcs12_info if result_ipareplica_prepare._pkinit_pkcs12_info != None else omit }}" _top_dir: "{{ result_ipareplica_prepare._top_dir }}" - dirman_password: "{{ ipareplica_dirman_password }}" + dirman_password: "{{ __derived_dirman_password }}" ds_ca_subject: "{{ result_ipareplica_setup_ds.ds_ca_subject }}" - name: Install - Setup http @@ -459,7 +459,7 @@ _ca_file: "{{ result_ipareplica_prepare._ca_file }}" _http_pkcs12_info: "{{ result_ipareplica_prepare._http_pkcs12_info if result_ipareplica_prepare._http_pkcs12_info != None else omit }}" _top_dir: "{{ result_ipareplica_prepare._top_dir }}" - dirman_password: "{{ ipareplica_dirman_password }}" + dirman_password: "{{ __derived_dirman_password }}" # Need to point back to ourself after the cert for HTTP is obtained - name: Install - Create original IPA conf again @@ -498,7 +498,7 @@ _add_to_ipaservers: "{{ result_ipareplica_prepare._add_to_ipaservers }}" _ca_subject: "{{ result_ipareplica_prepare._ca_subject }}" _subject_base: "{{ result_ipareplica_prepare._subject_base }}" - dirman_password: "{{ ipareplica_dirman_password }}" + dirman_password: "{{ __derived_dirman_password }}" setup_ca: "{{ result_ipareplica_prepare.config_setup_ca }}" when: result_ipareplica_test.change_master_for_certmonger 
@@ -517,7 +517,7 @@ ccache: "{{ result_ipareplica_prepare.ccache }}" _ca_file: "{{ result_ipareplica_prepare._ca_file }}" _top_dir: "{{ result_ipareplica_prepare._top_dir }}" - dirman_password: "{{ ipareplica_dirman_password }}" + dirman_password: "{{ __derived_dirman_password }}" - name: Install - Setup custodia ipareplica_setup_custodia: @@ -538,7 +538,7 @@ _ca_file: "{{ result_ipareplica_prepare._ca_file }}" _pkinit_pkcs12_info: "{{ result_ipareplica_prepare._pkinit_pkcs12_info if result_ipareplica_prepare._pkinit_pkcs12_info != None else omit }}" _top_dir: "{{ result_ipareplica_prepare._top_dir }}" - dirman_password: "{{ ipareplica_dirman_password }}" + dirman_password: "{{ __derived_dirman_password }}" - name: Install - Setup CA ipareplica_setup_ca: @@ -561,7 +561,7 @@ _pkinit_pkcs12_info: "{{ result_ipareplica_prepare._pkinit_pkcs12_info if result_ipareplica_prepare._pkinit_pkcs12_info != None else omit }}" _top_dir: "{{ result_ipareplica_prepare._top_dir }}" _random_serial_numbers: "{{ result_ipareplica_prepare._random_serial_numbers }}" - dirman_password: "{{ ipareplica_dirman_password }}" + dirman_password: "{{ __derived_dirman_password }}" config_setup_ca: "{{ result_ipareplica_prepare.config_setup_ca }}" config_master_host_name: "{{ result_ipareplica_install_ca_certs.config_master_host_name }}" @@ -586,7 +586,7 @@ _ca_file: "{{ result_ipareplica_prepare._ca_file }}" _pkinit_pkcs12_info: "{{ result_ipareplica_prepare._pkinit_pkcs12_info if result_ipareplica_prepare._pkinit_pkcs12_info != None else omit }}" _top_dir: "{{ result_ipareplica_prepare._top_dir }}" - dirman_password: "{{ ipareplica_dirman_password }}" + dirman_password: "{{ __derived_dirman_password }}" - name: Install - DS apply updates ipareplica_ds_apply_updates: 
@@ -606,7 +606,7 @@ _ca_file: "{{ result_ipareplica_prepare._ca_file }}" _pkinit_pkcs12_info: "{{ result_ipareplica_prepare._pkinit_pkcs12_info if result_ipareplica_prepare._pkinit_pkcs12_info != None else omit }}" _top_dir: "{{ result_ipareplica_prepare._top_dir }}" - dirman_password: "{{ ipareplica_dirman_password }}" + dirman_password: "{{ __derived_dirman_password }}" ds_ca_subject: "{{ result_ipareplica_setup_ds.ds_ca_subject }}" - name: Install - Setup kra @@ -646,7 +646,7 @@ _add_to_ipaservers: "{{ result_ipareplica_prepare._add_to_ipaservers }}" _ca_subject: "{{ result_ipareplica_prepare._ca_subject }}" _subject_base: "{{ result_ipareplica_prepare._subject_base }}" - dirman_password: "{{ ipareplica_dirman_password }}" + dirman_password: "{{ __derived_dirman_password }}" when: result_ipareplica_test.setup_kra - name: Install - Restart KDC @@ -664,7 +664,7 @@ ccache: "{{ result_ipareplica_prepare.ccache }}" _ca_file: "{{ result_ipareplica_prepare._ca_file }}" _top_dir: "{{ result_ipareplica_prepare._top_dir }}" - dirman_password: "{{ ipareplica_dirman_password }}" + dirman_password: "{{ __derived_dirman_password }}" - name: Install - Custodia import dm password ipareplica_custodia_import_dm_password: @@ -685,7 +685,7 @@ _kra_enabled: "{{ result_ipareplica_prepare._kra_enabled }}" _kra_host_name: "{{ result_ipareplica_prepare.config_kra_host_name }}" _top_dir: "{{ result_ipareplica_prepare._top_dir }}" - dirman_password: "{{ ipareplica_dirman_password }}" + dirman_password: "{{ __derived_dirman_password }}" config_setup_ca: "{{ result_ipareplica_prepare.config_setup_ca }}" - name: Install - Promote SSSD diff --git a/roles/ipaserver/tasks/install.yml b/roles/ipaserver/tasks/install.yml index 74dd5d8b..34a6faa9 100644 --- a/roles/ipaserver/tasks/install.yml +++ b/roles/ipaserver/tasks/install.yml 
@@ -148,9 +148,15 @@ - name: Install - Use new master password no_log: yes ansible.builtin.set_fact: - ipaserver_master_password: + __derived_master_password: "{{ result_ipaserver_master_password.password }}" + - name: Use user defined master password, if provided + when: ipaserver_master_password is defined + no_log: yes + ansible.builtin.set_fact: + __derived_master_password: "{{ ipaserver_master_password }}" + - name: Install - Server preparation ipaserver_prepare: ### basic ### @@ -208,7 +214,7 @@ ipaserver_setup_ds: dm_password: "{{ ipadm_password }}" password: "{{ ipaadmin_password }}" - # master_password: "{{ ipaserver_master_password }}" + # master_password: "{{ __derived_master_password }}" domain: "{{ result_ipaserver_test.domain }}" realm: "{{ result_ipaserver_test.realm | default(omit) }}" hostname: "{{ result_ipaserver_test.hostname }}" @@ -237,7 +243,7 @@ ipaserver_setup_krb: dm_password: "{{ ipadm_password }}" password: "{{ ipaadmin_password }}" - master_password: "{{ ipaserver_master_password }}" + master_password: "{{ __derived_master_password }}" domain: "{{ result_ipaserver_test.domain }}" realm: "{{ result_ipaserver_test.realm }}" hostname: "{{ result_ipaserver_test.hostname }}" @@ -270,7 +276,7 @@ ipaserver_setup_ca: dm_password: "{{ ipadm_password }}" password: "{{ ipaadmin_password }}" - master_password: "{{ ipaserver_master_password }}" + master_password: "{{ __derived_master_password }}" # ip_addresses: "{{ result_ipaserver_prepare.ip_addresses }}" domain: "{{ result_ipaserver_test.domain }}" realm: "{{ result_ipaserver_test.realm }}" @@ -329,7 +335,7 @@ ipaserver_setup_http: dm_password: "{{ ipadm_password }}" password: "{{ ipaadmin_password }}" - master_password: "{{ ipaserver_master_password }}" + master_password: "{{ __derived_master_password }}" domain: "{{ result_ipaserver_test.domain }}" realm: "{{ result_ipaserver_test.realm }}" hostname: "{{ result_ipaserver_test.hostname }}" 
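Review bot: The new `Use user defined master password, if provided` task is only reachable if it sits outside the `Install - Obtain master password` block, whose `when: ipaserver_master_password is undefined` (added earlier in this series) is the exact negation of this task's `when: ipaserver_master_password is defined`; indentation is not recoverable in this rendering, so please confirm it is a sibling of that block, otherwise `__derived_master_password` is never set for a user-supplied password and `ipaserver_setup_krb` fails on an undefined variable. Keeping `no_log: yes` on it is right, since the fact holds the KDC master password. The `Install - ` name prefix used by the neighbouring tasks is also missing here: `- name: Install - Use user defined master password, if provided`.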
From a945862540d0d7e3529b40cb4cbbcc16393b8ad4 Mon Sep 17 00:00:00 2001 From: Rafael Guterres Jeffman Date: Mon, 9 Jan 2023 22:12:12 -0300 Subject: [PATCH 7/8] roles: Fix ansible-lint name:template warnings ansible-lint warns if Jinja2 templates are not used as the last item in a task name. --- roles/ipaclient/tasks/install.yml | 2 +- roles/ipaserver/tasks/copy_external_cert.yml | 30 +++++++++++--------- roles/ipaserver/tasks/install.yml | 4 +-- roles/ipasmartcard_client/tasks/main.yml | 4 +-- roles/ipasmartcard_server/tasks/main.yml | 6 ++-- 5 files changed, 25 insertions(+), 21 deletions(-) diff --git a/roles/ipaclient/tasks/install.yml b/roles/ipaclient/tasks/install.yml index 8c1286cb..fa33f89a 100644 --- a/roles/ipaclient/tasks/install.yml +++ b/roles/ipaclient/tasks/install.yml @@ -217,7 +217,7 @@ and ipaadmin_keytab is undefined and ipaclient_keytab is undefined - - name: Install - Purge {{ result_ipaclient_test.realm }} from host keytab + - name: "Install - From host keytab, purge {{ result_ipaclient_test.realm }}" ansible.builtin.command: > /usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab diff --git a/roles/ipaserver/tasks/copy_external_cert.yml b/roles/ipaserver/tasks/copy_external_cert.yml index 85ba3182..6adcaa08 100644 --- a/roles/ipaserver/tasks/copy_external_cert.yml +++ b/roles/ipaserver/tasks/copy_external_cert.yml 
@@ -1,14 +1,18 @@ --- -- name: Install - Initialize ipaserver_external_cert_files - ansible.builtin.set_fact: - ipaserver_external_cert_files: [] - when: ipaserver_external_cert_files is undefined -- name: Install - Copy "{{ item }}" "{{ inventory_hostname }}':/root/'{{ item | basename }}" - ansible.builtin.copy: - src: "{{ item }}" - dest: "/root/{{ item | basename }}" - mode: preserve - force: yes -- name: Install - Extend ipaserver_external_cert_files with "/root/{{ item | basename }}" - ansible.builtin.set_fact: - ipaserver_external_cert_files: "{{ ipaserver_external_cert_files + ['/root/' + (item | basename)] }}" +- name: Copy external certificates + vars: + __item_basename: "{{ item | basename }}" + block: + - name: Install - Initialize ipaserver_external_cert_files + ansible.builtin.set_fact: + ipaserver_external_cert_files: [] + when: ipaserver_external_cert_files is undefined + - name: Install - Copy "{{ item + " " + inventory_hostname + ':/root/' + __item_basename }}" + ansible.builtin.copy: + src: "{{ item }}" + dest: "/root/{{ __item_basename }}" + mode: preserve + force: yes + - name: Install - Extend ipaserver_external_cert_files with "/root/{{ __item_basename }}" + ansible.builtin.set_fact: + ipaserver_external_cert_files: "{{ ipaserver_external_cert_files + ['/root/' + (__item_basename)] }}" diff --git a/roles/ipaserver/tasks/install.yml b/roles/ipaserver/tasks/install.yml index 34a6faa9..f4906dc9 100644 --- a/roles/ipaserver/tasks/install.yml +++ b/roles/ipaserver/tasks/install.yml @@ -52,7 +52,7 @@ >/dev/null when: ipaserver_firewalld_zone is defined -- name: Copy external cert +- name: Copy external certs ansible.builtin.include_tasks: "{{ role_path }}/tasks/copy_external_cert.yml" with_items: "{{ ipaserver_external_cert_files_from_controller }}" when: ipaserver_external_cert_files_from_controller is defined and 
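Review bot: Two entries of `ipaserver_external_cert_files_from_controller` that share a basename silently overwrite each other under `/root/` (the copy runs with `force: yes`) and `ipaserver_external_cert_files` then lists the same path twice, and an entry ending in `/` gives an empty `__item_basename` and a `dest` of `/root/`; neither case is rejected. A guard before the copy, an `ansible.builtin.fail` with `when: __item_basename | length == 0`, plus a uniqueness check on basenames in the caller, would surface both. `mode: preserve` also carries the controller file's permission bits onto the server verbatim, which is fine for public certificate chains but deserves a comment such as `# External CA certificates only (public data); controller file mode is kept as-is.`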
@@ -314,7 +314,7 @@ _http_ca_cert: "{{ result_ipaserver_test._http_ca_cert }}" register: result_ipaserver_setup_ca - - name: Copy /root/ipa.csr to "{{ inventory_hostname }}-ipa.csr" + - name: Copy /root/ipa.csr to "{{ inventory_hostname + '-ipa.csr' }}" ansible.builtin.fetch: src: /root/ipa.csr dest: "{{ inventory_hostname }}-ipa.csr" diff --git a/roles/ipasmartcard_client/tasks/main.yml b/roles/ipasmartcard_client/tasks/main.yml index 94d1e9c3..8c87a80f 100644 --- a/roles/ipasmartcard_client/tasks/main.yml +++ b/roles/ipasmartcard_client/tasks/main.yml @@ -70,13 +70,13 @@ ipaadmin_principal: admin when: ipaadmin_principal is undefined - - name: Authenticate using kinit and "{{ ipaadmin_principal }}" password + - name: Authenticate using kinit with password for "{{ ipaadmin_principal }}" ansible.builtin.command: kinit "{{ ipaadmin_principal }}" args: stdin: "{{ ipaadmin_password }}" when: ipaadmin_password is defined - - name: Authenticate using kinit and "{{ ipaadmin_principal }}" keytab + - name: Authenticate using kinit with keytab for "{{ ipaadmin_principal }}" ansible.builtin.command: kinit -kt "{{ ipaadmin_keytab }}" "{{ ipaadmin_principal }}" when: ipaadmin_keytab is defined diff --git a/roles/ipasmartcard_server/tasks/main.yml b/roles/ipasmartcard_server/tasks/main.yml index a05451a8..c650511e 100644 --- a/roles/ipasmartcard_server/tasks/main.yml +++ b/roles/ipasmartcard_server/tasks/main.yml @@ -42,7 +42,7 @@ # INSTALL bind-utils - - name: Ensure {{ ipasmartcard_server_bindutils_packages }} are installed + - name: Ensure bind utilities packages are installed ansible.builtin.package: name: "{{ ipasmartcard_server_bindutils_packages }}" state: present 
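Review bot: The `Authenticate using kinit with password for` task passes `ipaadmin_password` through `args.stdin` but carries no `no_log: yes`, so the password is recorded in the task result (`invocation.module_args`) and can surface in verbose output and callback/log plugins; other password-handling tasks in this series set `no_log: yes` (the master-password `set_fact` tasks in roles/ipaserver/tasks/install.yml). Add `no_log: yes` to this task; the keytab variant next to it does not need it. Both tasks appear to sit inside a block that starts and ends outside this hunk.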
@@ -55,13 +55,13 @@ ipaadmin_principal: admin when: ipaadmin_principal is undefined - - name: Athenticate with kinit and "{{ ipaadmin_principal }}" password + - name: Athenticate with kinit and password for "{{ ipaadmin_principal }}" ansible.builtin.command: kinit "{{ ipaadmin_principal }}" args: stdin: "{{ ipaadmin_password }}" when: ipaadmin_password is defined - - name: Authenticate with kinit and "{{ ipaadmin_principal }}" keytab + - name: Authenticate with kinit and keytab for "{{ ipaadmin_principal }}" ansible.builtin.command: kinit -kt "{{ ipaadmin_keytab }}" "{{ ipaadmin_principal }}" when: ipaadmin_keytab is defined From 529deae407161f73a4375333eebe76b10c092532 Mon Sep 17 00:00:00 2001 From: Rafael Guterres Jeffman Date: Thu, 12 Jan 2023 13:13:45 -0300 Subject: [PATCH 8/8] ansible-lint: Fix file kind and ignores. ansible-lint must ignore Azure configuration, and handle non-test files with the proper kind (tasks or playbook). --- .ansible-lint | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.ansible-lint b/.ansible-lint index 7aeb2ef5..3fde5995 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -16,6 +16,11 @@ exclude_paths: kinds: - playbook: '**/tests/**/test_*.yml' - playbook: '**/playbooks/**/*.yml' + - playbook: '**/tests/ca-less/install_*_without_ca.yml' + - playbook: '**/tests/ca-less/clean_up_certificates.yml' + - playbook: '**/tests/external-signed-ca-with-automatic-copy/install-server-with-external-ca-with-automatic-copy.yml' + - playbook: '**/tests/external-signed-ca-with-manual-copy/install-server-with-external-ca-with-manual-copy.yml' + - playbook: '**/tests/user/create_users_json.yml' - tasks: '**/tasks_*.yml' - tasks: '**/env_*.yml'