mirror of
https://github.com/freeipa/ansible-freeipa.git
synced 2026-06-10 18:55:53 +00:00
a4087a755b
Since FreeIPA version 4.10 it is possible to deploy servers that use Random Serial Number v3 support for certificates. This patch exposes the 'random_serial_numbers' parameter, as 'ipaserver_random_serial_numbers', allowing a user to have random serial numbers enabled for the domain. The use of random serial numbers is allowed on new installations only.
491 lines
22 KiB
YAML
491 lines
22 KiB
YAML
---
|
|
# tasks file for ipaserver
|
|
|
|
- name: Install - Package installation
|
|
when: ipaserver_install_packages | bool
|
|
block:
|
|
- name: Install - Ensure that IPA server packages are installed
|
|
ansible.builtin.package:
|
|
name: "{{ ipaserver_packages }}"
|
|
state: present
|
|
|
|
- name: Install - Ensure that IPA server packages for dns are installed
|
|
ansible.builtin.package:
|
|
name: "{{ ipaserver_packages_dns }}"
|
|
state: present
|
|
when: ipaserver_setup_dns | bool
|
|
|
|
- name: Install - Ensure that IPA server packages for adtrust are installed
|
|
ansible.builtin.package:
|
|
name: "{{ ipaserver_packages_adtrust }}"
|
|
state: present
|
|
when: ipaserver_setup_adtrust | bool
|
|
|
|
- name: Install - Ensure that firewall packages installed
|
|
ansible.builtin.package:
|
|
name: "{{ ipaserver_packages_firewalld }}"
|
|
state: present
|
|
when: ipaserver_setup_firewalld | bool
|
|
|
|
|
|
- name: Install - Firewall configuration
|
|
when: ipaserver_setup_firewalld | bool
|
|
block:
|
|
- name: Firewalld service - Ensure that firewalld is running
|
|
ansible.builtin.systemd:
|
|
name: firewalld
|
|
enabled: yes
|
|
state: started
|
|
|
|
- name: Firewalld - Verify runtime zone "{{ ipaserver_firewalld_zone }}"
|
|
ansible.builtin.shell: >
|
|
firewall-cmd
|
|
--info-zone="{{ ipaserver_firewalld_zone }}"
|
|
>/dev/null
|
|
when: ipaserver_firewalld_zone is defined
|
|
|
|
- name: Firewalld - Verify permanent zone "{{ ipaserver_firewalld_zone }}"
|
|
ansible.builtin.shell: >
|
|
firewall-cmd
|
|
--permanent
|
|
--info-zone="{{ ipaserver_firewalld_zone }}"
|
|
>/dev/null
|
|
when: ipaserver_firewalld_zone is defined
|
|
|
|
- name: Copy external certs
|
|
ansible.builtin.include_tasks: "{{ role_path }}/tasks/copy_external_cert.yml"
|
|
with_items: "{{ ipaserver_external_cert_files_from_controller }}"
|
|
when: ipaserver_external_cert_files_from_controller is defined and
|
|
ipaserver_external_cert_files_from_controller|length > 0 and
|
|
not ipaserver_external_cert_files is defined
|
|
|
|
- name: Install - Server installation test
|
|
ipaserver_test:
|
|
### basic ###
|
|
dm_password: "{{ ipadm_password }}"
|
|
password: "{{ ipaadmin_password }}"
|
|
master_password: "{{ ipaserver_master_password | default(omit) }}"
|
|
domain: "{{ ipaserver_domain | default(omit) }}"
|
|
realm: "{{ ipaserver_realm | default(omit) }}"
|
|
hostname: "{{ ipaserver_hostname | default(ansible_facts['fqdn']) }}"
|
|
ca_cert_files: "{{ ipaserver_ca_cert_files | default(omit) }}"
|
|
no_host_dns: "{{ ipaserver_no_host_dns }}"
|
|
pki_config_override: "{{ ipaserver_pki_config_override | default(omit) }}"
|
|
skip_mem_check: "{{ not ipaserver_mem_check }}"
|
|
### server ###
|
|
setup_adtrust: "{{ ipaserver_setup_adtrust }}"
|
|
setup_kra: "{{ ipaserver_setup_kra }}"
|
|
setup_dns: "{{ ipaserver_setup_dns }}"
|
|
idstart: "{{ ipaserver_idstart | default(omit) }}"
|
|
idmax: "{{ ipaserver_idmax | default(omit) }}"
|
|
# no_hbac_allow: "{{ ipaserver_no_hbac_allow }}"
|
|
no_pkinit: "{{ ipaserver_no_pkinit }}"
|
|
# no_ui_redirect: "{{ ipaserver_no_ui_redirect }}"
|
|
dirsrv_config_file: "{{ ipaserver_dirsrv_config_file | default(omit) }}"
|
|
### ssl certificate ###
|
|
dirsrv_cert_files: "{{ ipaserver_dirsrv_cert_files | default(omit) }}"
|
|
dirsrv_cert_name: "{{ ipaserver_dirsrv_cert_name | default(omit) }}"
|
|
dirsrv_pin: "{{ ipaserver_dirsrv_pin | default(omit) }}"
|
|
http_cert_files: "{{ ipaserver_http_cert_files | default(omit) }}"
|
|
http_cert_name: "{{ ipaserver_http_cert_name | default(omit) }}"
|
|
http_pin: "{{ ipaserver_http_pin | default(omit) }}"
|
|
pkinit_cert_files: "{{ ipaserver_pkinit_cert_files | default(omit) }}"
|
|
pkinit_cert_name: "{{ ipaserver_pkinit_cert_name | default(omit) }}"
|
|
pkinit_pin: "{{ ipaserver_pkinit_pin | default(omit) }}"
|
|
### client ###
|
|
# mkhomedir
|
|
ntp_servers: "{{ ipaclient_ntp_servers | default(omit) }}"
|
|
ntp_pool: "{{ ipaclient_ntp_pool | default(omit) }}"
|
|
no_ntp: "{{ ipaclient_no_ntp }}"
|
|
# ssh_trust_dns
|
|
# no_ssh
|
|
# no_sshd
|
|
# no_dns_sshfp
|
|
### certificate system ###
|
|
external_ca: "{{ ipaserver_external_ca }}"
|
|
external_ca_type: "{{ ipaserver_external_ca_type | default(omit) }}"
|
|
external_ca_profile: "{{ ipaserver_external_ca_profile | default(omit) }}"
|
|
external_cert_files: "{{ ipaserver_external_cert_files | default(omit) }}"
|
|
subject_base: "{{ ipaserver_subject_base | default(omit) }}"
|
|
ca_subject: "{{ ipaserver_ca_subject | default(omit) }}"
|
|
random_serial_numbers: "{{ ipaserver_random_serial_numbers | default(omit) }}"
|
|
# ca_signing_algorithm
|
|
### dns ###
|
|
allow_zone_overlap: "{{ ipaserver_allow_zone_overlap }}"
|
|
reverse_zones: "{{ ipaserver_reverse_zones | default([]) }}"
|
|
no_reverse: "{{ ipaserver_no_reverse }}"
|
|
auto_reverse: "{{ ipaserver_auto_reverse }}"
|
|
zonemgr: "{{ ipaserver_zonemgr | default(omit) }}"
|
|
forwarders: "{{ ipaserver_forwarders | default([]) }}"
|
|
no_forwarders: "{{ ipaserver_no_forwarders }}"
|
|
auto_forwarders: "{{ ipaserver_auto_forwarders }}"
|
|
forward_policy: "{{ ipaserver_forward_policy | default(omit) }}"
|
|
no_dnssec_validation: "{{ ipaserver_no_dnssec_validation }}"
|
|
### ad trust ###
|
|
enable_compat: "{{ ipaserver_enable_compat }}"
|
|
netbios_name: "{{ ipaserver_netbios_name | default(omit) }}"
|
|
rid_base: "{{ ipaserver_rid_base | default(omit) }}"
|
|
secondary_rid_base: "{{ ipaserver_secondary_rid_base | default(omit) }}"
|
|
|
|
### additional ###
|
|
register: result_ipaserver_test
|
|
|
|
- name: Install - Deploy server
|
|
when: not ansible_check_mode and not
|
|
(not result_ipaserver_test.changed and
|
|
(result_ipaserver_test.client_already_configured is defined or
|
|
result_ipaserver_test.server_already_configured is defined))
|
|
block:
|
|
- name: Install - Obtain master password
|
|
when: ipaserver_master_password is undefined
|
|
block:
|
|
- name: Install - Master password creation
|
|
no_log: yes
|
|
ipaserver_master_password:
|
|
dm_password: "{{ ipadm_password }}"
|
|
master_password: "{{ ipaserver_master_password | default(omit) }}"
|
|
register: result_ipaserver_master_password
|
|
|
|
- name: Install - Use new master password
|
|
no_log: yes
|
|
ansible.builtin.set_fact:
|
|
__derived_master_password:
|
|
"{{ result_ipaserver_master_password.password }}"
|
|
|
|
- name: Use user defined master password, if provided
|
|
when: ipaserver_master_password is defined
|
|
no_log: yes
|
|
ansible.builtin.set_fact:
|
|
__derived_master_password: "{{ ipaserver_master_password }}"
|
|
|
|
- name: Install - Server preparation
|
|
ipaserver_prepare:
|
|
### basic ###
|
|
dm_password: "{{ ipadm_password }}"
|
|
password: "{{ ipaadmin_password }}"
|
|
ip_addresses: "{{ ipaserver_ip_addresses | default([]) }}"
|
|
domain: "{{ result_ipaserver_test.domain }}"
|
|
realm: "{{ result_ipaserver_test.realm }}"
|
|
hostname: "{{ result_ipaserver_test.hostname }}"
|
|
no_host_dns: "{{ result_ipaserver_test.no_host_dns }}"
|
|
### server ###
|
|
setup_adtrust: "{{ ipaserver_setup_adtrust }}"
|
|
setup_kra: "{{ ipaserver_setup_kra }}"
|
|
setup_dns: "{{ ipaserver_setup_dns }}"
|
|
### certificate system ###
|
|
external_ca: "{{ ipaserver_external_ca }}"
|
|
external_ca_type: "{{ ipaserver_external_ca_type | default(omit) }}"
|
|
external_ca_profile:
|
|
"{{ ipaserver_external_ca_profile | default(omit) }}"
|
|
external_cert_files:
|
|
"{{ ipaserver_external_cert_files | default(omit) }}"
|
|
subject_base: "{{ ipaserver_subject_base | default(omit) }}"
|
|
ca_subject: "{{ ipaserver_ca_subject | default(omit) }}"
|
|
### dns ###
|
|
allow_zone_overlap: "{{ ipaserver_allow_zone_overlap }}"
|
|
reverse_zones: "{{ ipaserver_reverse_zones | default([]) }}"
|
|
no_reverse: "{{ ipaserver_no_reverse }}"
|
|
auto_reverse: "{{ ipaserver_auto_reverse }}"
|
|
zonemgr: "{{ ipaserver_zonemgr | default(omit) }}"
|
|
forwarders: "{{ ipaserver_forwarders | default([]) }}"
|
|
no_forwarders: "{{ ipaserver_no_forwarders }}"
|
|
auto_forwarders: "{{ ipaserver_auto_forwarders }}"
|
|
forward_policy: "{{ ipaserver_forward_policy | default(omit) }}"
|
|
no_dnssec_validation: "{{ ipaserver_no_dnssec_validation }}"
|
|
### ad trust ###
|
|
enable_compat: "{{ ipaserver_enable_compat }}"
|
|
netbios_name: "{{ ipaserver_netbios_name | default(omit) }}"
|
|
rid_base: "{{ ipaserver_rid_base | default(omit) }}"
|
|
secondary_rid_base: "{{ ipaserver_secondary_rid_base | default(omit) }}"
|
|
### additional ###
|
|
setup_ca: "{{ result_ipaserver_test.setup_ca }}"
|
|
sid_generation_always: "{{ result_ipaserver_test.sid_generation_always }}"
|
|
random_serial_numbers: "{{ result_ipaserver_test.random_serial_numbers }}"
|
|
_hostname_overridden: "{{ result_ipaserver_test._hostname_overridden }}"
|
|
register: result_ipaserver_prepare
|
|
|
|
- name: Install - Setup NTP
|
|
ipaserver_setup_ntp:
|
|
ntp_servers: "{{ result_ipaserver_test.ntp_servers | default(omit) }}"
|
|
ntp_pool: "{{ result_ipaserver_test.ntp_pool | default(omit) }}"
|
|
when: not ipaclient_no_ntp | bool and (ipaserver_external_cert_files
|
|
is undefined or ipaserver_external_cert_files|length < 1)
|
|
|
|
- name: Install - Setup DS
|
|
ipaserver_setup_ds:
|
|
dm_password: "{{ ipadm_password }}"
|
|
password: "{{ ipaadmin_password }}"
|
|
# master_password: "{{ __derived_master_password }}"
|
|
domain: "{{ result_ipaserver_test.domain }}"
|
|
realm: "{{ result_ipaserver_test.realm | default(omit) }}"
|
|
hostname: "{{ result_ipaserver_test.hostname }}"
|
|
# ip_addresses: "{{ result_ipaserver_prepare.ip_addresses }}"
|
|
# reverse_zones: "{{ result_ipaserver_prepare.reverse_zones }}"
|
|
# setup_adtrust: "{{ result_ipaserver_test.setup_adtrust }}"
|
|
# setup_kra: "{{ result_ipaserver_test.setup_kra }}"
|
|
# setup_dns: "{{ ipaserver_setup_dns }}"
|
|
setup_ca: "{{ result_ipaserver_test.setup_ca }}"
|
|
# no_host_dns: "{{ result_ipaserver_test.no_host_dns }}"
|
|
dirsrv_config_file: "{{ ipaserver_dirsrv_config_file | default(omit) }}"
|
|
dirsrv_cert_files: "{{ ipaserver_dirsrv_cert_files | default(omit) }}"
|
|
_dirsrv_pkcs12_info: "{{ result_ipaserver_test._dirsrv_pkcs12_info if result_ipaserver_test._dirsrv_pkcs12_info != None else omit }}"
|
|
external_cert_files:
|
|
"{{ ipaserver_external_cert_files | default(omit) }}"
|
|
subject_base: "{{ result_ipaserver_prepare.subject_base }}"
|
|
ca_subject: "{{ result_ipaserver_prepare.ca_subject }}"
|
|
# no_reverse: "{{ ipaserver_no_reverse }}"
|
|
# auto_forwarders: "{{ ipaserver_auto_forwarders }}"
|
|
no_pkinit: "{{ result_ipaserver_test.no_pkinit }}"
|
|
no_hbac_allow: "{{ ipaserver_no_hbac_allow }}"
|
|
idstart: "{{ result_ipaserver_test.idstart }}"
|
|
idmax: "{{ result_ipaserver_test.idmax }}"
|
|
|
|
- name: Install - Setup KRB
|
|
ipaserver_setup_krb:
|
|
dm_password: "{{ ipadm_password }}"
|
|
password: "{{ ipaadmin_password }}"
|
|
master_password: "{{ __derived_master_password }}"
|
|
domain: "{{ result_ipaserver_test.domain }}"
|
|
realm: "{{ result_ipaserver_test.realm }}"
|
|
hostname: "{{ result_ipaserver_test.hostname }}"
|
|
# ip_addresses: "{{ result_ipaserver_prepare.ip_addresses }}"
|
|
reverse_zones: "{{ result_ipaserver_prepare.reverse_zones }}"
|
|
setup_adtrust: "{{ result_ipaserver_test.setup_adtrust }}"
|
|
setup_kra: "{{ result_ipaserver_test.setup_kra }}"
|
|
setup_dns: "{{ ipaserver_setup_dns }}"
|
|
setup_ca: "{{ result_ipaserver_test.setup_ca }}"
|
|
no_host_dns: "{{ result_ipaserver_test.no_host_dns }}"
|
|
external_cert_files:
|
|
"{{ ipaserver_external_cert_files | default(omit) }}"
|
|
subject_base: "{{ result_ipaserver_prepare.subject_base }}"
|
|
ca_subject: "{{ result_ipaserver_prepare.ca_subject }}"
|
|
no_reverse: "{{ ipaserver_no_reverse }}"
|
|
auto_forwarders: "{{ ipaserver_auto_forwarders }}"
|
|
no_pkinit: "{{ result_ipaserver_test.no_pkinit }}"
|
|
no_hbac_allow: "{{ ipaserver_no_hbac_allow }}"
|
|
idstart: "{{ result_ipaserver_test.idstart }}"
|
|
idmax: "{{ result_ipaserver_test.idmax }}"
|
|
_pkinit_pkcs12_info: "{{ result_ipaserver_test._pkinit_pkcs12_info if result_ipaserver_test._pkinit_pkcs12_info != None else omit }}"
|
|
|
|
- name: Install - Setup custodia
|
|
ipaserver_setup_custodia:
|
|
realm: "{{ result_ipaserver_test.realm }}"
|
|
hostname: "{{ result_ipaserver_test.hostname }}"
|
|
setup_ca: "{{ result_ipaserver_test.setup_ca }}"
|
|
|
|
- name: Install - Setup CA
|
|
ipaserver_setup_ca:
|
|
dm_password: "{{ ipadm_password }}"
|
|
password: "{{ ipaadmin_password }}"
|
|
master_password: "{{ __derived_master_password }}"
|
|
# ip_addresses: "{{ result_ipaserver_prepare.ip_addresses }}"
|
|
domain: "{{ result_ipaserver_test.domain }}"
|
|
realm: "{{ result_ipaserver_test.realm }}"
|
|
hostname: "{{ result_ipaserver_test.hostname }}"
|
|
no_host_dns: "{{ result_ipaserver_test.no_host_dns }}"
|
|
pki_config_override: "{{ ipaserver_pki_config_override |
|
|
default(omit) }}"
|
|
setup_adtrust: "{{ result_ipaserver_test.setup_adtrust }}"
|
|
setup_kra: "{{ result_ipaserver_test.setup_kra }}"
|
|
setup_dns: "{{ ipaserver_setup_dns }}"
|
|
setup_ca: "{{ result_ipaserver_test.setup_ca }}"
|
|
idstart: "{{ result_ipaserver_test.idstart }}"
|
|
idmax: "{{ result_ipaserver_test.idmax }}"
|
|
no_hbac_allow: "{{ ipaserver_no_hbac_allow }}"
|
|
no_pkinit: "{{ result_ipaserver_test.no_pkinit }}"
|
|
dirsrv_config_file: "{{ ipaserver_dirsrv_config_file | default(omit) }}"
|
|
dirsrv_cert_files: "{{ ipaserver_dirsrv_cert_files | default([]) }}"
|
|
_dirsrv_pkcs12_info: "{{ result_ipaserver_test._dirsrv_pkcs12_info if result_ipaserver_test._dirsrv_pkcs12_info != None else omit }}"
|
|
external_ca: "{{ ipaserver_external_ca }}"
|
|
external_ca_type: "{{ ipaserver_external_ca_type | default(omit) }}"
|
|
external_ca_profile:
|
|
"{{ ipaserver_external_ca_profile | default(omit) }}"
|
|
external_cert_files:
|
|
"{{ ipaserver_external_cert_files | default(omit) }}"
|
|
subject_base: "{{ result_ipaserver_prepare.subject_base }}"
|
|
_subject_base: "{{ result_ipaserver_prepare._subject_base }}"
|
|
ca_subject: "{{ result_ipaserver_prepare.ca_subject }}"
|
|
_ca_subject: "{{ result_ipaserver_prepare._ca_subject }}"
|
|
ca_signing_algorithm: "{{ ipaserver_ca_signing_algorithm |
|
|
default(omit) }}"
|
|
_random_serial_numbers: "{{ result_ipaserver_prepare._random_serial_numbers }}"
|
|
reverse_zones: "{{ result_ipaserver_prepare.reverse_zones }}"
|
|
no_reverse: "{{ ipaserver_no_reverse }}"
|
|
auto_forwarders: "{{ ipaserver_auto_forwarders }}"
|
|
_http_ca_cert: "{{ result_ipaserver_test._http_ca_cert }}"
|
|
register: result_ipaserver_setup_ca
|
|
|
|
- name: Copy /root/ipa.csr to "{{ inventory_hostname + '-ipa.csr' }}"
|
|
ansible.builtin.fetch:
|
|
src: /root/ipa.csr
|
|
dest: "{{ inventory_hostname }}-ipa.csr"
|
|
flat: yes
|
|
when: result_ipaserver_setup_ca.csr_generated | bool and
|
|
ipaserver_copy_csr_to_controller | bool
|
|
|
|
- name: Install - Configure services
|
|
when: not result_ipaserver_setup_ca.csr_generated | bool
|
|
block:
|
|
- name: Install - Setup otpd
|
|
ipaserver_setup_otpd:
|
|
realm: "{{ result_ipaserver_test.realm }}"
|
|
hostname: "{{ result_ipaserver_test.hostname }}"
|
|
setup_ca: "{{ result_ipaserver_test.setup_ca }}"
|
|
|
|
- name: Install - Setup HTTP
|
|
ipaserver_setup_http:
|
|
dm_password: "{{ ipadm_password }}"
|
|
password: "{{ ipaadmin_password }}"
|
|
master_password: "{{ __derived_master_password }}"
|
|
domain: "{{ result_ipaserver_test.domain }}"
|
|
realm: "{{ result_ipaserver_test.realm }}"
|
|
hostname: "{{ result_ipaserver_test.hostname }}"
|
|
# ip_addresses: "{{ result_ipaserver_prepare.ip_addresses }}"
|
|
reverse_zones: "{{ result_ipaserver_prepare.reverse_zones }}"
|
|
setup_adtrust: "{{ result_ipaserver_test.setup_adtrust }}"
|
|
setup_kra: "{{ result_ipaserver_test.setup_kra }}"
|
|
setup_dns: "{{ ipaserver_setup_dns }}"
|
|
setup_ca: "{{ result_ipaserver_test.setup_ca }}"
|
|
no_host_dns: "{{ result_ipaserver_test.no_host_dns }}"
|
|
dirsrv_cert_files: "{{ ipaserver_dirsrv_cert_files | default([]) }}"
|
|
external_cert_files:
|
|
"{{ ipaserver_external_cert_files | default(omit) }}"
|
|
subject_base: "{{ result_ipaserver_prepare.subject_base }}"
|
|
_subject_base: "{{ result_ipaserver_prepare._subject_base }}"
|
|
ca_subject: "{{ result_ipaserver_prepare.ca_subject }}"
|
|
_ca_subject: "{{ result_ipaserver_prepare._ca_subject }}"
|
|
no_reverse: "{{ ipaserver_no_reverse }}"
|
|
auto_forwarders: "{{ ipaserver_auto_forwarders }}"
|
|
no_pkinit: "{{ result_ipaserver_test.no_pkinit }}"
|
|
no_hbac_allow: "{{ ipaserver_no_hbac_allow }}"
|
|
idstart: "{{ result_ipaserver_test.idstart }}"
|
|
idmax: "{{ result_ipaserver_test.idmax }}"
|
|
http_cert_files: "{{ ipaserver_http_cert_files | default([]) }}"
|
|
no_ui_redirect: "{{ ipaserver_no_ui_redirect }}"
|
|
_http_pkcs12_info: "{{ result_ipaserver_test._http_pkcs12_info if result_ipaserver_test._http_pkcs12_info != None else omit }}"
|
|
|
|
- name: Install - Setup KRA
|
|
ipaserver_setup_kra:
|
|
hostname: "{{ result_ipaserver_test.hostname }}"
|
|
setup_ca: "{{ result_ipaserver_test.setup_ca }}"
|
|
dm_password: "{{ ipadm_password }}"
|
|
setup_kra: "{{ result_ipaserver_test.setup_kra }}"
|
|
realm: "{{ result_ipaserver_test.realm }}"
|
|
pki_config_override: "{{ ipaserver_pki_config_override |
|
|
default(omit) }}"
|
|
when: result_ipaserver_test.setup_kra | bool
|
|
|
|
- name: Install - Setup DNS
|
|
ipaserver_setup_dns:
|
|
ip_addresses: "{{ ipaserver_ip_addresses | default([]) }}"
|
|
domain: "{{ result_ipaserver_test.domain }}"
|
|
realm: "{{ result_ipaserver_test.realm }}"
|
|
hostname: "{{ result_ipaserver_test.hostname }}"
|
|
setup_ca: "{{ result_ipaserver_test.setup_ca }}"
|
|
setup_dns: "{{ ipaserver_setup_dns }}"
|
|
forwarders: "{{ result_ipaserver_prepare.forwarders }}"
|
|
forward_policy: "{{ result_ipaserver_prepare.forward_policy }}"
|
|
zonemgr: "{{ ipaserver_zonemgr | default(omit) }}"
|
|
no_dnssec_validation: "{{ result_ipaserver_prepare.no_dnssec_validation }}"
|
|
### additional ###
|
|
dns_ip_addresses: "{{ result_ipaserver_prepare.dns_ip_addresses }}"
|
|
dns_reverse_zones: "{{ result_ipaserver_prepare.dns_reverse_zones }}"
|
|
when: ipaserver_setup_dns | bool
|
|
|
|
- name: Install - Setup ADTRUST
|
|
ipaserver_setup_adtrust:
|
|
hostname: "{{ result_ipaserver_test.hostname }}"
|
|
setup_ca: "{{ result_ipaserver_test.setup_ca }}"
|
|
setup_adtrust: "{{ result_ipaserver_test.setup_adtrust }}"
|
|
### ad trust ###
|
|
enable_compat: "{{ ipaserver_enable_compat }}"
|
|
rid_base: "{{ result_ipaserver_test.rid_base }}"
|
|
secondary_rid_base: "{{ result_ipaserver_test.secondary_rid_base }}"
|
|
### additional ###
|
|
adtrust_netbios_name: "{{ result_ipaserver_prepare.adtrust_netbios_name }}"
|
|
adtrust_reset_netbios_name:
|
|
"{{ result_ipaserver_prepare.adtrust_reset_netbios_name }}"
|
|
when: result_ipaserver_test.setup_adtrust or
|
|
result_ipaserver_test.sid_generation_always
|
|
|
|
- name: Install - Set DS password
|
|
ipaserver_set_ds_password:
|
|
dm_password: "{{ ipadm_password }}"
|
|
password: "{{ ipaadmin_password }}"
|
|
domain: "{{ result_ipaserver_test.domain }}"
|
|
realm: "{{ result_ipaserver_test.realm }}"
|
|
hostname: "{{ result_ipaserver_test.hostname }}"
|
|
setup_ca: "{{ result_ipaserver_test.setup_ca }}"
|
|
subject_base: "{{ result_ipaserver_prepare.subject_base }}"
|
|
ca_subject: "{{ result_ipaserver_prepare.ca_subject }}"
|
|
no_pkinit: "{{ result_ipaserver_test.no_pkinit }}"
|
|
no_hbac_allow: "{{ ipaserver_no_hbac_allow }}"
|
|
idstart: "{{ result_ipaserver_test.idstart }}"
|
|
idmax: "{{ result_ipaserver_test.idmax }}"
|
|
dirsrv_config_file: "{{ ipaserver_dirsrv_config_file | default(omit) }}"
|
|
_dirsrv_pkcs12_info: "{{ result_ipaserver_test._dirsrv_pkcs12_info if result_ipaserver_test._dirsrv_pkcs12_info != None else omit }}"
|
|
|
|
- name: Install - Setup client
|
|
ansible.builtin.include_role:
|
|
name: ipaclient
|
|
vars:
|
|
state: present
|
|
ipaclient_on_master: yes
|
|
ipaclient_domain: "{{ result_ipaserver_test.domain }}"
|
|
ipaclient_realm: "{{ result_ipaserver_test.realm }}"
|
|
ipaclient_servers: ["{{ result_ipaserver_test.hostname }}"]
|
|
ipaclient_hostname: "{{ result_ipaserver_test.hostname }}"
|
|
ipaclient_no_ntp:
|
|
"{{ 'true' if result_ipaserver_test.ipa_python_version >= 40690
|
|
else 'false' }}"
|
|
ipaclient_install_packages: no
|
|
|
|
- name: Install - Enable IPA
|
|
ipaserver_enable_ipa:
|
|
hostname: "{{ result_ipaserver_test.hostname }}"
|
|
setup_dns: "{{ ipaserver_setup_dns }}"
|
|
setup_ca: "{{ result_ipaserver_test.setup_ca }}"
|
|
register: result_ipaserver_enable_ipa
|
|
|
|
- name: Install - Configure firewalld
|
|
ansible.builtin.command: >
|
|
firewall-cmd
|
|
--permanent
|
|
--zone="{{ ipaserver_firewalld_zone if ipaserver_firewalld_zone is
|
|
defined else '' }}"
|
|
--add-service=freeipa-ldap
|
|
--add-service=freeipa-ldaps
|
|
{{ "--add-service=freeipa-trust" if ipaserver_setup_adtrust | bool
|
|
else "" }}
|
|
{{ "--add-service=dns" if ipaserver_setup_dns | bool else "" }}
|
|
{{ "--add-service=ntp" if not ipaclient_no_ntp | bool else "" }}
|
|
when: ipaserver_setup_firewalld | bool
|
|
|
|
- name: Install - Configure firewalld runtime
|
|
ansible.builtin.command: >
|
|
firewall-cmd
|
|
--zone="{{ ipaserver_firewalld_zone if ipaserver_firewalld_zone is
|
|
defined else '' }}"
|
|
--add-service=freeipa-ldap
|
|
--add-service=freeipa-ldaps
|
|
{{ "--add-service=freeipa-trust" if ipaserver_setup_adtrust | bool
|
|
else "" }}
|
|
{{ "--add-service=dns" if ipaserver_setup_dns | bool else "" }}
|
|
{{ "--add-service=ntp" if not ipaclient_no_ntp | bool else "" }}
|
|
when: ipaserver_setup_firewalld | bool
|
|
|
|
always:
|
|
- name: Install - Cleanup root IPA cache
|
|
ansible.builtin.file:
|
|
path: "/root/.ipa_cache"
|
|
state: absent
|
|
|
|
- name: Cleanup temporary files
|
|
ansible.builtin.file:
|
|
path: "{{ item }}"
|
|
state: absent
|
|
with_items:
|
|
- "/etc/ipa/.tmp_pkcs12_dirsrv"
|
|
- "/etc/ipa/.tmp_pkcs12_http"
|
|
- "/etc/ipa/.tmp_pkcs12_pkinit"
|