Without this change the "Import variables specific to distribution" tasks fail with "Could not find file on the Ansible Controller..." on environments with inject facts disabled. This changes the tests to run with ansible with inject_facts_as_vars = false and fixes other roles and playbooks.
---
# tasks file for ipaserver
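# Package installation. The whole block is skipped when the caller manages
# packages itself (ipaserver_install_packages false); each optional
# component (DNS, AD trust, firewalld) pulls in its own package list only
# when that component is requested.
- block:
    # Core IPA server packages are always installed inside this block.
    - name: Install - Ensure that IPA server packages are installed
      package:
        name: "{{ ipaserver_packages }}"
        state: present

    # DNS packages only when the integrated DNS server is requested.
    - name: Install - Ensure that IPA server packages for dns are installed
      package:
        name: "{{ ipaserver_packages_dns }}"
        state: present
      when: ipaserver_setup_dns | bool

    # AD trust packages only when the trust subsystem is requested.
    - name: Install - Ensure that IPA server packages for adtrust are installed
      package:
        name: "{{ ipaserver_packages_adtrust }}"
        state: present
      when: ipaserver_setup_adtrust | bool

    # firewalld is needed by the firewalld tasks later in this file.
    # Task name fixed ("packages installed" -> "packages are installed") to
    # match the wording of the sibling tasks.
    - name: Install - Ensure that firewall packages are installed
      package:
        name: "{{ ipaserver_packages_firewalld }}"
        state: present
      when: ipaserver_setup_firewalld | bool
  when: ipaserver_install_packages | bool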
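# Firewall pre-checks. Make sure firewalld is running and, when a zone was
# given, that the zone exists at runtime and permanently, so the
# "Configure firewalld" tasks at the end of the install cannot fail after
# the server components are already configured.
- block:
    - name: Firewalld service - Ensure that firewalld is running
      systemd:
        name: firewalld
        enabled: true
        state: started

    # Verification only: a missing zone makes firewall-cmd exit non-zero
    # and fails the play here. changed_when is false because nothing is
    # modified; the zone name is shell-quoted because it is interpolated
    # into a shell command line (shell is kept for the stdout redirect).
    - name: Firewalld - Verify runtime zone "{{ ipaserver_firewalld_zone }}"
      shell: >
        firewall-cmd
        --info-zone={{ ipaserver_firewalld_zone | quote }}
        >/dev/null
      changed_when: false
      when: ipaserver_firewalld_zone is defined

    - name: Firewalld - Verify permanent zone "{{ ipaserver_firewalld_zone }}"
      shell: >
        firewall-cmd
        --permanent
        --info-zone={{ ipaserver_firewalld_zone | quote }}
        >/dev/null
      changed_when: false
      when: ipaserver_firewalld_zone is defined
  when: ipaserver_setup_firewalld | bool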
# Copy externally provided certificate files from the controller to the
# managed host, one include per file. Skipped entirely when the caller
# already supplies ipaserver_external_cert_files (paths on the host).
- include_tasks: "{{ role_path }}/tasks/copy_external_cert.yml"
  with_items: "{{ ipaserver_external_cert_files_from_controller }}"
  # List form: all conditions must hold, checked in order, so the length
  # check is not reached when the variable is undefined.
  when:
    - ipaserver_external_cert_files_from_controller is defined
    - ipaserver_external_cert_files_from_controller | length > 0
    - ipaserver_external_cert_files is not defined
# Pre-install test. The ipaserver_test module receives the same options as
# the installation and its registered result (domain, realm, hostname,
# setup_ca, idstart, _*_pkcs12_info, ...) is what the installation block
# below reads instead of the raw role variables. Its result also drives
# the "already configured" check on the last when: of this file.
# The hostname default reads ansible_facts['fqdn'] rather than an
# injected ansible_fqdn, so the role works with inject_facts_as_vars = false.
# dm_password, password and master_password are secrets; this task is not
# no_log, so whether they are masked in verbose output depends on the
# module's argument spec (not visible here) - confirm before relying on it.
# "default(omit)" leaves the option out when the role variable is unset.
- name: Install - Server installation test
  ipaserver_test:
    ### basic ###
    dm_password: "{{ ipadm_password }}"
    password: "{{ ipaadmin_password }}"
    master_password: "{{ ipaserver_master_password | default(omit) }}"
    domain: "{{ ipaserver_domain | default(omit) }}"
    realm: "{{ ipaserver_realm | default(omit) }}"
    hostname: "{{ ipaserver_hostname | default(ansible_facts['fqdn']) }}"
    ca_cert_files: "{{ ipaserver_ca_cert_files | default(omit) }}"
    no_host_dns: "{{ ipaserver_no_host_dns }}"
    pki_config_override: "{{ ipaserver_pki_config_override | default(omit) }}"
    # inverted on purpose: the role exposes "mem_check", the module "skip"
    skip_mem_check: "{{ not ipaserver_mem_check }}"
    ### server ###
    setup_adtrust: "{{ ipaserver_setup_adtrust }}"
    setup_kra: "{{ ipaserver_setup_kra }}"
    setup_dns: "{{ ipaserver_setup_dns }}"
    idstart: "{{ ipaserver_idstart | default(omit) }}"
    idmax: "{{ ipaserver_idmax | default(omit) }}"
    # no_hbac_allow: "{{ ipaserver_no_hbac_allow }}"
    no_pkinit: "{{ ipaserver_no_pkinit }}"
    # no_ui_redirect: "{{ ipaserver_no_ui_redirect }}"
    dirsrv_config_file: "{{ ipaserver_dirsrv_config_file | default(omit) }}"
    ### ssl certificate ###
    # user-supplied DS/HTTP/PKINIT certificates; the *_pin values are
    # secrets as well (see the no_log note above)
    dirsrv_cert_files: "{{ ipaserver_dirsrv_cert_files | default(omit) }}"
    dirsrv_cert_name: "{{ ipaserver_dirsrv_cert_name | default(omit) }}"
    dirsrv_pin: "{{ ipaserver_dirsrv_pin | default(omit) }}"
    http_cert_files: "{{ ipaserver_http_cert_files | default(omit) }}"
    http_cert_name: "{{ ipaserver_http_cert_name | default(omit) }}"
    http_pin: "{{ ipaserver_http_pin | default(omit) }}"
    pkinit_cert_files: "{{ ipaserver_pkinit_cert_files | default(omit) }}"
    pkinit_cert_name: "{{ ipaserver_pkinit_cert_name | default(omit) }}"
    pkinit_pin: "{{ ipaserver_pkinit_pin | default(omit) }}"
    ### client ###
    # mkhomedir
    ntp_servers: "{{ ipaclient_ntp_servers | default(omit) }}"
    ntp_pool: "{{ ipaclient_ntp_pool | default(omit) }}"
    no_ntp: "{{ ipaclient_no_ntp }}"
    # ssh_trust_dns
    # no_ssh
    # no_sshd
    # no_dns_sshfp
    ### certificate system ###
    external_ca: "{{ ipaserver_external_ca }}"
    external_ca_type: "{{ ipaserver_external_ca_type | default(omit) }}"
    external_ca_profile: "{{ ipaserver_external_ca_profile | default(omit) }}"
    external_cert_files: "{{ ipaserver_external_cert_files | default(omit) }}"
    subject_base: "{{ ipaserver_subject_base | default(omit) }}"
    ca_subject: "{{ ipaserver_ca_subject | default(omit) }}"
    # ca_signing_algorithm
    ### dns ###
    allow_zone_overlap: "{{ ipaserver_allow_zone_overlap }}"
    reverse_zones: "{{ ipaserver_reverse_zones | default([]) }}"
    no_reverse: "{{ ipaserver_no_reverse }}"
    auto_reverse: "{{ ipaserver_auto_reverse }}"
    zonemgr: "{{ ipaserver_zonemgr | default(omit) }}"
    forwarders: "{{ ipaserver_forwarders | default([]) }}"
    no_forwarders: "{{ ipaserver_no_forwarders }}"
    auto_forwarders: "{{ ipaserver_auto_forwarders }}"
    forward_policy: "{{ ipaserver_forward_policy | default(omit) }}"
    no_dnssec_validation: "{{ ipaserver_no_dnssec_validation }}"
    ### ad trust ###
    enable_compat: "{{ ipaserver_enable_compat }}"
    netbios_name: "{{ ipaserver_netbios_name | default(omit) }}"
    rid_base: "{{ ipaserver_rid_base | default(omit) }}"
    secondary_rid_base: "{{ ipaserver_secondary_rid_base | default(omit) }}"

    ### additional ###
  register: result_ipaserver_test
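# Main installation. Every step reads the values the test step reported in
# result_ipaserver_test (and, later, result_ipaserver_prepare); the always:
# section removes the temporary PKCS#12 files even when a step fails.
# Changes vs. the previous revision: truthy values written as true/false,
# "!= None" comparisons written with the Jinja "is not none" test, and the
# ADTRUST when: given the "| bool" the other when: expressions use.
- block:
    # This block is executed only when
    # not ansible_check_mode and
    # not (not result_ipaserver_test.changed and
    #      (result_ipaserver_test.client_already_configured is defined or
    #       result_ipaserver_test.server_already_configured is defined)
    # (see the when: at the end of this block).

    # A master password is generated only when the caller did not supply
    # one. Both tasks are no_log so the generated secret is kept out of the
    # play output; set_fact still makes it available to the later tasks.
    - block:
        - name: Install - Master password creation
          no_log: true
          ipaserver_master_password:
            dm_password: "{{ ipadm_password }}"
            master_password: "{{ ipaserver_master_password | default(omit) }}"
          register: result_ipaserver_master_password

        - name: Install - Use new master password
          no_log: true
          set_fact:
            ipaserver_master_password:
              "{{ result_ipaserver_master_password.password }}"
      when: ipaserver_master_password is undefined

    # Host preparation; its registered result (subject_base, ca_subject,
    # forwarders, reverse_zones, dns_*, adtrust_*) feeds the component
    # setup tasks below.
    - name: Install - Server preparation
      ipaserver_prepare:
        ### basic ###
        dm_password: "{{ ipadm_password }}"
        password: "{{ ipaadmin_password }}"
        ip_addresses: "{{ ipaserver_ip_addresses | default([]) }}"
        domain: "{{ result_ipaserver_test.domain }}"
        realm: "{{ result_ipaserver_test.realm }}"
        hostname: "{{ result_ipaserver_test.hostname }}"
        no_host_dns: "{{ result_ipaserver_test.no_host_dns }}"
        ### server ###
        setup_adtrust: "{{ ipaserver_setup_adtrust }}"
        setup_kra: "{{ ipaserver_setup_kra }}"
        setup_dns: "{{ ipaserver_setup_dns }}"
        ### certificate system ###
        external_ca: "{{ ipaserver_external_ca }}"
        external_ca_type: "{{ ipaserver_external_ca_type | default(omit) }}"
        external_ca_profile:
          "{{ ipaserver_external_ca_profile | default(omit) }}"
        external_cert_files:
          "{{ ipaserver_external_cert_files | default(omit) }}"
        subject_base: "{{ ipaserver_subject_base | default(omit) }}"
        ca_subject: "{{ ipaserver_ca_subject | default(omit) }}"
        ### dns ###
        allow_zone_overlap: "{{ ipaserver_allow_zone_overlap }}"
        reverse_zones: "{{ ipaserver_reverse_zones | default([]) }}"
        no_reverse: "{{ ipaserver_no_reverse }}"
        auto_reverse: "{{ ipaserver_auto_reverse }}"
        zonemgr: "{{ ipaserver_zonemgr | default(omit) }}"
        forwarders: "{{ ipaserver_forwarders | default([]) }}"
        no_forwarders: "{{ ipaserver_no_forwarders }}"
        auto_forwarders: "{{ ipaserver_auto_forwarders }}"
        forward_policy: "{{ ipaserver_forward_policy | default(omit) }}"
        no_dnssec_validation: "{{ ipaserver_no_dnssec_validation }}"
        ### ad trust ###
        enable_compat: "{{ ipaserver_enable_compat }}"
        netbios_name: "{{ ipaserver_netbios_name | default(omit) }}"
        rid_base: "{{ ipaserver_rid_base | default(omit) }}"
        secondary_rid_base: "{{ ipaserver_secondary_rid_base | default(omit) }}"
        ### additional ###
        setup_ca: "{{ result_ipaserver_test.setup_ca }}"
        _hostname_overridden: "{{ result_ipaserver_test._hostname_overridden }}"
      register: result_ipaserver_prepare

    # NTP is configured only when it is not disabled and no external
    # certificate files were given (presumably the second stage of an
    # external-CA install, where time was already set up - confirm).
    - name: Install - Setup NTP
      ipaserver_setup_ntp:
        ntp_servers: "{{ result_ipaserver_test.ntp_servers | default(omit) }}"
        ntp_pool: "{{ result_ipaserver_test.ntp_pool | default(omit) }}"
      when: not ipaclient_no_ntp | bool and (ipaserver_external_cert_files
            is undefined or ipaserver_external_cert_files|length < 1)

    # Directory server. Commented-out options are kept as a record of the
    # module's full option set; they are not passed.
    - name: Install - Setup DS
      ipaserver_setup_ds:
        dm_password: "{{ ipadm_password }}"
        password: "{{ ipaadmin_password }}"
        # master_password: "{{ ipaserver_master_password }}"
        domain: "{{ result_ipaserver_test.domain }}"
        realm: "{{ result_ipaserver_test.realm | default(omit) }}"
        hostname: "{{ result_ipaserver_test.hostname }}"
        # ip_addresses: "{{ result_ipaserver_prepare.ip_addresses }}"
        # reverse_zones: "{{ result_ipaserver_prepare.reverse_zones }}"
        # setup_adtrust: "{{ result_ipaserver_test.setup_adtrust }}"
        # setup_kra: "{{ result_ipaserver_test.setup_kra }}"
        # setup_dns: "{{ ipaserver_setup_dns }}"
        setup_ca: "{{ result_ipaserver_test.setup_ca }}"
        # no_host_dns: "{{ result_ipaserver_test.no_host_dns }}"
        dirsrv_config_file: "{{ ipaserver_dirsrv_config_file | default(omit) }}"
        dirsrv_cert_files: "{{ ipaserver_dirsrv_cert_files | default(omit) }}"
        # The pkcs12 info comes from the test step and may be None; the
        # option is omitted rather than passed as None.
        _dirsrv_pkcs12_info: "{{ result_ipaserver_test._dirsrv_pkcs12_info if result_ipaserver_test._dirsrv_pkcs12_info is not none else omit }}"
        external_cert_files:
          "{{ ipaserver_external_cert_files | default(omit) }}"
        subject_base: "{{ result_ipaserver_prepare.subject_base }}"
        ca_subject: "{{ result_ipaserver_prepare.ca_subject }}"
        # no_reverse: "{{ ipaserver_no_reverse }}"
        # auto_forwarders: "{{ ipaserver_auto_forwarders }}"
        no_pkinit: "{{ result_ipaserver_test.no_pkinit }}"
        no_hbac_allow: "{{ ipaserver_no_hbac_allow }}"
        idstart: "{{ result_ipaserver_test.idstart }}"
        idmax: "{{ result_ipaserver_test.idmax }}"

    # Kerberos KDC; needs the (possibly generated) master password.
    - name: Install - Setup KRB
      ipaserver_setup_krb:
        dm_password: "{{ ipadm_password }}"
        password: "{{ ipaadmin_password }}"
        master_password: "{{ ipaserver_master_password }}"
        domain: "{{ result_ipaserver_test.domain }}"
        realm: "{{ result_ipaserver_test.realm }}"
        hostname: "{{ result_ipaserver_test.hostname }}"
        # ip_addresses: "{{ result_ipaserver_prepare.ip_addresses }}"
        reverse_zones: "{{ result_ipaserver_prepare.reverse_zones }}"
        setup_adtrust: "{{ result_ipaserver_test.setup_adtrust }}"
        setup_kra: "{{ result_ipaserver_test.setup_kra }}"
        setup_dns: "{{ ipaserver_setup_dns }}"
        setup_ca: "{{ result_ipaserver_test.setup_ca }}"
        no_host_dns: "{{ result_ipaserver_test.no_host_dns }}"
        external_cert_files:
          "{{ ipaserver_external_cert_files | default(omit) }}"
        subject_base: "{{ result_ipaserver_prepare.subject_base }}"
        ca_subject: "{{ result_ipaserver_prepare.ca_subject }}"
        no_reverse: "{{ ipaserver_no_reverse }}"
        auto_forwarders: "{{ ipaserver_auto_forwarders }}"
        no_pkinit: "{{ result_ipaserver_test.no_pkinit }}"
        no_hbac_allow: "{{ ipaserver_no_hbac_allow }}"
        idstart: "{{ result_ipaserver_test.idstart }}"
        idmax: "{{ result_ipaserver_test.idmax }}"
        _pkinit_pkcs12_info: "{{ result_ipaserver_test._pkinit_pkcs12_info if result_ipaserver_test._pkinit_pkcs12_info is not none else omit }}"

    - name: Install - Setup custodia
      ipaserver_setup_custodia:
        realm: "{{ result_ipaserver_test.realm }}"
        hostname: "{{ result_ipaserver_test.hostname }}"
        setup_ca: "{{ result_ipaserver_test.setup_ca }}"

    # CA setup. With an external CA the module may stop after producing a
    # CSR, reported as result_ipaserver_setup_ca.csr_generated; that flag
    # gates the CSR copy below and the rest of the installation.
    - name: Install - Setup CA
      ipaserver_setup_ca:
        dm_password: "{{ ipadm_password }}"
        password: "{{ ipaadmin_password }}"
        master_password: "{{ ipaserver_master_password }}"
        # ip_addresses: "{{ result_ipaserver_prepare.ip_addresses }}"
        domain: "{{ result_ipaserver_test.domain }}"
        realm: "{{ result_ipaserver_test.realm }}"
        hostname: "{{ result_ipaserver_test.hostname }}"
        no_host_dns: "{{ result_ipaserver_test.no_host_dns }}"
        pki_config_override: "{{ ipaserver_pki_config_override |
                                 default(omit) }}"
        setup_adtrust: "{{ result_ipaserver_test.setup_adtrust }}"
        setup_kra: "{{ result_ipaserver_test.setup_kra }}"
        setup_dns: "{{ ipaserver_setup_dns }}"
        setup_ca: "{{ result_ipaserver_test.setup_ca }}"
        idstart: "{{ result_ipaserver_test.idstart }}"
        idmax: "{{ result_ipaserver_test.idmax }}"
        no_hbac_allow: "{{ ipaserver_no_hbac_allow }}"
        no_pkinit: "{{ result_ipaserver_test.no_pkinit }}"
        dirsrv_config_file: "{{ ipaserver_dirsrv_config_file | default(omit) }}"
        dirsrv_cert_files: "{{ ipaserver_dirsrv_cert_files | default([]) }}"
        _dirsrv_pkcs12_info: "{{ result_ipaserver_test._dirsrv_pkcs12_info if result_ipaserver_test._dirsrv_pkcs12_info is not none else omit }}"
        external_ca: "{{ ipaserver_external_ca }}"
        external_ca_type: "{{ ipaserver_external_ca_type | default(omit) }}"
        external_ca_profile:
          "{{ ipaserver_external_ca_profile | default(omit) }}"
        external_cert_files:
          "{{ ipaserver_external_cert_files | default(omit) }}"
        subject_base: "{{ result_ipaserver_prepare.subject_base }}"
        _subject_base: "{{ result_ipaserver_prepare._subject_base }}"
        ca_subject: "{{ result_ipaserver_prepare.ca_subject }}"
        _ca_subject: "{{ result_ipaserver_prepare._ca_subject }}"
        ca_signing_algorithm: "{{ ipaserver_ca_signing_algorithm |
                                  default(omit) }}"
        reverse_zones: "{{ result_ipaserver_prepare.reverse_zones }}"
        no_reverse: "{{ ipaserver_no_reverse }}"
        auto_forwarders: "{{ ipaserver_auto_forwarders }}"
        _http_ca_cert: "{{ result_ipaserver_test._http_ca_cert }}"
      register: result_ipaserver_setup_ca

    # Optionally copy the generated CSR to the controller. flat: true stores
    # it under the relative dest name (no hostname/path tree); the name is
    # derived from inventory_hostname, so hosts do not overwrite each other.
    - name: Copy /root/ipa.csr to "{{ inventory_hostname }}-ipa.csr"
      fetch:
        src: /root/ipa.csr
        dest: "{{ inventory_hostname }}-ipa.csr"
        flat: true
      when: result_ipaserver_setup_ca.csr_generated | bool and
            ipaserver_copy_csr_to_controller | bool

    # The remaining components are configured only when the CA step did
    # not stop at a CSR (see the when: closing this inner block).
    - block:
        - name: Install - Setup otpd
          ipaserver_setup_otpd:
            realm: "{{ result_ipaserver_test.realm }}"
            hostname: "{{ result_ipaserver_test.hostname }}"
            setup_ca: "{{ result_ipaserver_test.setup_ca }}"

        - name: Install - Setup HTTP
          ipaserver_setup_http:
            dm_password: "{{ ipadm_password }}"
            password: "{{ ipaadmin_password }}"
            master_password: "{{ ipaserver_master_password }}"
            domain: "{{ result_ipaserver_test.domain }}"
            realm: "{{ result_ipaserver_test.realm }}"
            hostname: "{{ result_ipaserver_test.hostname }}"
            # ip_addresses: "{{ result_ipaserver_prepare.ip_addresses }}"
            reverse_zones: "{{ result_ipaserver_prepare.reverse_zones }}"
            setup_adtrust: "{{ result_ipaserver_test.setup_adtrust }}"
            setup_kra: "{{ result_ipaserver_test.setup_kra }}"
            setup_dns: "{{ ipaserver_setup_dns }}"
            setup_ca: "{{ result_ipaserver_test.setup_ca }}"
            no_host_dns: "{{ result_ipaserver_test.no_host_dns }}"
            dirsrv_cert_files: "{{ ipaserver_dirsrv_cert_files | default([]) }}"
            external_cert_files:
              "{{ ipaserver_external_cert_files | default(omit) }}"
            subject_base: "{{ result_ipaserver_prepare.subject_base }}"
            _subject_base: "{{ result_ipaserver_prepare._subject_base }}"
            ca_subject: "{{ result_ipaserver_prepare.ca_subject }}"
            _ca_subject: "{{ result_ipaserver_prepare._ca_subject }}"
            no_reverse: "{{ ipaserver_no_reverse }}"
            auto_forwarders: "{{ ipaserver_auto_forwarders }}"
            no_pkinit: "{{ result_ipaserver_test.no_pkinit }}"
            no_hbac_allow: "{{ ipaserver_no_hbac_allow }}"
            idstart: "{{ result_ipaserver_test.idstart }}"
            idmax: "{{ result_ipaserver_test.idmax }}"
            http_cert_files: "{{ ipaserver_http_cert_files | default([]) }}"
            no_ui_redirect: "{{ ipaserver_no_ui_redirect }}"
            _http_pkcs12_info: "{{ result_ipaserver_test._http_pkcs12_info if result_ipaserver_test._http_pkcs12_info is not none else omit }}"

        - name: Install - Setup KRA
          ipaserver_setup_kra:
            hostname: "{{ result_ipaserver_test.hostname }}"
            setup_ca: "{{ result_ipaserver_test.setup_ca }}"
            dm_password: "{{ ipadm_password }}"
            setup_kra: "{{ result_ipaserver_test.setup_kra }}"
            realm: "{{ result_ipaserver_test.realm }}"
            pki_config_override: "{{ ipaserver_pki_config_override |
                                     default(omit) }}"
          when: result_ipaserver_test.setup_kra | bool

        - name: Install - Setup DNS
          ipaserver_setup_dns:
            ip_addresses: "{{ ipaserver_ip_addresses | default([]) }}"
            domain: "{{ result_ipaserver_test.domain }}"
            realm: "{{ result_ipaserver_test.realm }}"
            hostname: "{{ result_ipaserver_test.hostname }}"
            setup_ca: "{{ result_ipaserver_test.setup_ca }}"
            setup_dns: "{{ ipaserver_setup_dns }}"
            forwarders: "{{ result_ipaserver_prepare.forwarders }}"
            forward_policy: "{{ result_ipaserver_prepare.forward_policy }}"
            zonemgr: "{{ ipaserver_zonemgr | default(omit) }}"
            no_dnssec_validation: "{{ result_ipaserver_prepare.no_dnssec_validation }}"
            ### additional ###
            dns_ip_addresses: "{{ result_ipaserver_prepare.dns_ip_addresses }}"
            dns_reverse_zones: "{{ result_ipaserver_prepare.dns_reverse_zones }}"
          when: ipaserver_setup_dns | bool

        # "| bool" added so this when: is evaluated like the KRA/DNS ones
        # above instead of relying on the raw type of the module result.
        - name: Install - Setup ADTRUST
          ipaserver_setup_adtrust:
            hostname: "{{ result_ipaserver_test.hostname }}"
            setup_ca: "{{ result_ipaserver_test.setup_ca }}"
            setup_adtrust: "{{ result_ipaserver_test.setup_adtrust }}"
            ### ad trust ###
            enable_compat: "{{ ipaserver_enable_compat }}"
            rid_base: "{{ result_ipaserver_test.rid_base }}"
            secondary_rid_base: "{{ result_ipaserver_test.secondary_rid_base }}"
            ### additional ###
            adtrust_netbios_name: "{{ result_ipaserver_prepare.adtrust_netbios_name }}"
            adtrust_reset_netbios_name:
              "{{ result_ipaserver_prepare.adtrust_reset_netbios_name }}"
          when: result_ipaserver_test.setup_adtrust | bool

        - name: Install - Set DS password
          ipaserver_set_ds_password:
            dm_password: "{{ ipadm_password }}"
            password: "{{ ipaadmin_password }}"
            domain: "{{ result_ipaserver_test.domain }}"
            realm: "{{ result_ipaserver_test.realm }}"
            hostname: "{{ result_ipaserver_test.hostname }}"
            setup_ca: "{{ result_ipaserver_test.setup_ca }}"
            subject_base: "{{ result_ipaserver_prepare.subject_base }}"
            ca_subject: "{{ result_ipaserver_prepare.ca_subject }}"
            no_pkinit: "{{ result_ipaserver_test.no_pkinit }}"
            no_hbac_allow: "{{ ipaserver_no_hbac_allow }}"
            idstart: "{{ result_ipaserver_test.idstart }}"
            idmax: "{{ result_ipaserver_test.idmax }}"
            dirsrv_config_file: "{{ ipaserver_dirsrv_config_file | default(omit) }}"
            _dirsrv_pkcs12_info: "{{ result_ipaserver_test._dirsrv_pkcs12_info if result_ipaserver_test._dirsrv_pkcs12_info is not none else omit }}"

        # Enroll the server as a client of itself. ipaclient_no_ntp is
        # passed as the strings 'true'/'false' (as before); the ipaclient
        # role is expected to coerce it - confirm it uses "| bool".
        - name: Install - Setup client
          include_role:
            name: ipaclient
          vars:
            state: present
            ipaclient_on_master: true
            ipaclient_domain: "{{ result_ipaserver_test.domain }}"
            ipaclient_realm: "{{ result_ipaserver_test.realm }}"
            ipaclient_servers: ["{{ result_ipaserver_test.hostname }}"]
            ipaclient_hostname: "{{ result_ipaserver_test.hostname }}"
            ipaclient_no_ntp:
              "{{ 'true' if result_ipaserver_test.ipa_python_version >= 40690
              else 'false' }}"
            ipaclient_install_packages: "{{ ipaserver_install_packages }}"

        - name: Install - Enable IPA
          ipaserver_enable_ipa:
            hostname: "{{ result_ipaserver_test.hostname }}"
            setup_dns: "{{ ipaserver_setup_dns }}"
            setup_ca: "{{ result_ipaserver_test.setup_ca }}"
          register: result_ipaserver_enable_ipa

        - name: Install - Cleanup root IPA cache
          file:
            path: "/root/.ipa_cache"
            state: absent
          when: result_ipaserver_enable_ipa.changed

        # Open the IPA services in firewalld, permanently and at runtime.
        # Without ipaserver_firewalld_zone the command gets an empty
        # "--zone=" argument; confirm that this selects the default zone on
        # the targeted firewalld versions. Optional services are appended
        # only for the components that were set up.
        - name: Install - Configure firewalld
          command: >
            firewall-cmd
            --permanent
            --zone="{{ ipaserver_firewalld_zone if ipaserver_firewalld_zone is
                       defined else '' }}"
            --add-service=freeipa-ldap
            --add-service=freeipa-ldaps
            {{ "--add-service=freeipa-trust" if ipaserver_setup_adtrust | bool
               else "" }}
            {{ "--add-service=dns" if ipaserver_setup_dns | bool else "" }}
            {{ "--add-service=ntp" if not ipaclient_no_ntp | bool else "" }}
          when: ipaserver_setup_firewalld | bool

        - name: Install - Configure firewalld runtime
          command: >
            firewall-cmd
            --zone="{{ ipaserver_firewalld_zone if ipaserver_firewalld_zone is
                       defined else '' }}"
            --add-service=freeipa-ldap
            --add-service=freeipa-ldaps
            {{ "--add-service=freeipa-trust" if ipaserver_setup_adtrust | bool
               else "" }}
            {{ "--add-service=dns" if ipaserver_setup_dns | bool else "" }}
            {{ "--add-service=ntp" if not ipaclient_no_ntp | bool else "" }}
          when: ipaserver_setup_firewalld | bool
      when: not result_ipaserver_setup_ca.csr_generated | bool

  always:
    # The temporary PKCS#12 bundles can hold private key material; remove
    # them whether or not the installation succeeded.
    - name: Cleanup temporary files
      file:
        path: "{{ item }}"
        state: absent
      with_items:
        - "/etc/ipa/.tmp_pkcs12_dirsrv"
        - "/etc/ipa/.tmp_pkcs12_http"
        - "/etc/ipa/.tmp_pkcs12_pkinit"

  # Skip the whole installation in check mode, and when the test step
  # reported nothing to change on a host that is already configured.
  when: not ansible_check_mode and not
        (not result_ipaserver_test.changed and
        (result_ipaserver_test.client_already_configured is defined or
        result_ipaserver_test.server_already_configured is defined))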