mirror of
https://github.com/freeipa/ansible-freeipa.git
synced 2026-06-10 10:45:55 +00:00
a7e532a4dc
The new variables ipa[server,replica]_firewalld_zone have been added to be able to set the zone in which the needed services for IPA are enabled. New tasks have been added to check if the zone is available in the runtime and also permamanet environment. The code to enable firewalld has been moved out of thee ipa[server,replica]_install_packages blocks to make sure that the firewalld service is also enabled if the package is already installed. Fixes: issue #177 (How to set up firewalld zones?)
487 lines
22 KiB
YAML
487 lines
22 KiB
YAML
---
|
|
# tasks file for ipaserver
|
|
|
|
- block:
|
|
- name: Install - Ensure that IPA server packages are installed
|
|
package:
|
|
name: "{{ ipaserver_packages }}"
|
|
state: present
|
|
|
|
- name: Install - Ensure that IPA server packages for dns are installed
|
|
package:
|
|
name: "{{ ipaserver_packages_dns }}"
|
|
state: present
|
|
when: ipaserver_setup_dns | bool
|
|
|
|
- name: Install - Ensure that IPA server packages for adtrust are installed
|
|
package:
|
|
name: "{{ ipaserver_packages_adtrust }}"
|
|
state: present
|
|
when: ipaserver_setup_adtrust | bool
|
|
|
|
- name: Install - Ensure that firewall packages installed
|
|
package:
|
|
name: "{{ ipaserver_packages_firewalld }}"
|
|
state: present
|
|
when: ipaserver_setup_firewalld | bool
|
|
|
|
when: ipaserver_install_packages | bool
|
|
|
|
- block:
|
|
- name: Firewalld service - Ensure that firewalld is running
|
|
systemd:
|
|
name: firewalld
|
|
enabled: yes
|
|
state: started
|
|
|
|
- name: Firewalld - Verify runtime zone "{{ ipaserver_firewalld_zone }}"
|
|
shell: >
|
|
firewall-cmd
|
|
--info-zone="{{ ipaserver_firewalld_zone }}"
|
|
>/dev/null
|
|
when: ipaserver_firewalld_zone is defined
|
|
|
|
- name: Firewalld - Verify permanent zone "{{ ipaserver_firewalld_zone }}"
|
|
shell: >
|
|
firewall-cmd
|
|
--permanent
|
|
--info-zone="{{ ipaserver_firewalld_zone }}"
|
|
>/dev/null
|
|
when: ipaserver_firewalld_zone is defined
|
|
|
|
when: ipaserver_setup_firewalld | bool
|
|
|
|
#- name: Install - Include Python2/3 import test
|
|
# import_tasks: "{{ role_path }}/tasks/python_2_3_test.yml"
|
|
|
|
- include_tasks: "{{ role_path }}/tasks/copy_external_cert.yml"
|
|
with_items: "{{ ipaserver_external_cert_files_from_controller }}"
|
|
when: ipaserver_external_cert_files_from_controller is defined and
|
|
ipaserver_external_cert_files_from_controller|length > 0 and
|
|
not ipaserver_external_cert_files is defined
|
|
|
|
- name: Install - Server installation test
|
|
ipaserver_test:
|
|
### basic ###
|
|
dm_password: "{{ ipadm_password }}"
|
|
password: "{{ ipaadmin_password }}"
|
|
master_password: "{{ ipaserver_master_password | default(omit) }}"
|
|
domain: "{{ ipaserver_domain | default(omit) }}"
|
|
realm: "{{ ipaserver_realm | default(omit) }}"
|
|
hostname: "{{ ipaserver_hostname | default(ansible_fqdn) }}"
|
|
ca_cert_files: "{{ ipaserver_ca_cert_files | default(omit) }}"
|
|
no_host_dns: "{{ ipaserver_no_host_dns }}"
|
|
pki_config_override: "{{ ipaserver_pki_config_override | default(omit) }}"
|
|
### server ###
|
|
setup_adtrust: "{{ ipaserver_setup_adtrust }}"
|
|
setup_kra: "{{ ipaserver_setup_kra }}"
|
|
setup_dns: "{{ ipaserver_setup_dns }}"
|
|
idstart: "{{ ipaserver_idstart | default(omit) }}"
|
|
idmax: "{{ ipaserver_idmax | default(omit) }}"
|
|
# no_hbac_allow: "{{ ipaserver_no_hbac_allow }}"
|
|
no_pkinit: "{{ ipaserver_no_pkinit }}"
|
|
# no_ui_redirect: "{{ ipaserver_no_ui_redirect }}"
|
|
dirsrv_config_file: "{{ ipaserver_dirsrv_config_file | default(omit) }}"
|
|
### ssl certificate ###
|
|
dirsrv_cert_files: "{{ ipaserver_dirsrv_cert_files | default(omit) }}"
|
|
dirsrv_cert_name: "{{ ipaserver_dirsrv_cert_name | default(omit) }}"
|
|
dirsrv_pin: "{{ ipaserver_dirsrv_pin | default(omit) }}"
|
|
http_cert_files: "{{ ipaserver_http_cert_files | default(omit) }}"
|
|
http_cert_name: "{{ ipaserver_http_cert_name | default(omit) }}"
|
|
http_pin: "{{ ipaserver_http_pin | default(omit) }}"
|
|
pkinit_cert_files: "{{ ipaserver_pkinit_cert_files | default(omit) }}"
|
|
pkinit_cert_name: "{{ ipaserver_pkinit_cert_name | default(omit) }}"
|
|
pkinit_pin: "{{ ipaserver_pkinit_pin | default(omit) }}"
|
|
### client ###
|
|
# mkhomedir
|
|
ntp_servers: "{{ ipaclient_ntp_servers | default(omit) }}"
|
|
ntp_pool: "{{ ipaclient_ntp_pool | default(omit) }}"
|
|
no_ntp: "{{ ipaclient_no_ntp }}"
|
|
# ssh_trust_dns
|
|
# no_ssh
|
|
# no_sshd
|
|
# no_dns_sshfp
|
|
### certificate system ###
|
|
external_ca: "{{ ipaserver_external_ca }}"
|
|
external_ca_type: "{{ ipaserver_external_ca_type | default(omit) }}"
|
|
external_ca_profile: "{{ ipaserver_external_ca_profile | default(omit) }}"
|
|
external_cert_files: "{{ ipaserver_external_cert_files | default(omit) }}"
|
|
subject_base: "{{ ipaserver_subject_base | default(omit) }}"
|
|
ca_subject: "{{ ipaserver_ca_subject | default(omit) }}"
|
|
# ca_signing_algorithm
|
|
### dns ###
|
|
allow_zone_overlap: "{{ ipaserver_allow_zone_overlap }}"
|
|
reverse_zones: "{{ ipaserver_reverse_zones | default([]) }}"
|
|
no_reverse: "{{ ipaserver_no_reverse }}"
|
|
auto_reverse: "{{ ipaserver_auto_reverse }}"
|
|
zonemgr: "{{ ipaserver_zonemgr | default(omit) }}"
|
|
forwarders: "{{ ipaserver_forwarders | default([]) }}"
|
|
no_forwarders: "{{ ipaserver_no_forwarders }}"
|
|
auto_forwarders: "{{ ipaserver_auto_forwarders }}"
|
|
forward_policy: "{{ ipaserver_forward_policy | default(omit) }}"
|
|
no_dnssec_validation: "{{ ipaserver_no_dnssec_validation }}"
|
|
### ad trust ###
|
|
enable_compat: "{{ ipaserver_enable_compat }}"
|
|
netbios_name: "{{ ipaserver_netbios_name | default(omit) }}"
|
|
rid_base: "{{ ipaserver_rid_base | default(omit) }}"
|
|
secondary_rid_base: "{{ ipaserver_secondary_rid_base | default(omit) }}"
|
|
|
|
### additional ###
|
|
register: result_ipaserver_test
|
|
|
|
- block:
|
|
# This block is executed only when
|
|
# not ansible_check_mode and
|
|
# not (not result_ipaserver_test.changed and
|
|
# (result_ipaserver_test.client_already_configured is defined or
|
|
# result_ipaserver_test.server_already_configured is defined)
|
|
|
|
- block:
|
|
- name: Install - Master password creation
|
|
no_log: yes
|
|
ipaserver_master_password:
|
|
dm_password: "{{ ipadm_password }}"
|
|
master_password: "{{ ipaserver_master_password | default(omit) }}"
|
|
register: result_ipaserver_master_password
|
|
|
|
- name: Install - Use new master password
|
|
no_log: yes
|
|
set_fact:
|
|
ipaserver_master_password:
|
|
"{{ result_ipaserver_master_password.password }}"
|
|
|
|
when: ipaserver_master_password is undefined
|
|
|
|
- name: Install - Server preparation
|
|
ipaserver_prepare:
|
|
### basic ###
|
|
dm_password: "{{ ipadm_password }}"
|
|
password: "{{ ipaadmin_password }}"
|
|
ip_addresses: "{{ ipaserver_ip_addresses | default([]) }}"
|
|
domain: "{{ result_ipaserver_test.domain }}"
|
|
realm: "{{ result_ipaserver_test.realm }}"
|
|
hostname: "{{ result_ipaserver_test.hostname }}"
|
|
no_host_dns: "{{ result_ipaserver_test.no_host_dns }}"
|
|
### server ###
|
|
setup_adtrust: "{{ ipaserver_setup_adtrust }}"
|
|
setup_kra: "{{ ipaserver_setup_kra }}"
|
|
setup_dns: "{{ ipaserver_setup_dns }}"
|
|
### certificate system ###
|
|
external_ca: "{{ ipaserver_external_ca }}"
|
|
external_ca_type: "{{ ipaserver_external_ca_type | default(omit) }}"
|
|
external_ca_profile:
|
|
"{{ ipaserver_external_ca_profile | default(omit) }}"
|
|
external_cert_files:
|
|
"{{ ipaserver_external_cert_files | default(omit) }}"
|
|
subject_base: "{{ ipaserver_subject_base | default(omit) }}"
|
|
ca_subject: "{{ ipaserver_ca_subject | default(omit) }}"
|
|
### dns ###
|
|
allow_zone_overlap: "{{ ipaserver_allow_zone_overlap }}"
|
|
reverse_zones: "{{ ipaserver_reverse_zones | default([]) }}"
|
|
no_reverse: "{{ ipaserver_no_reverse }}"
|
|
auto_reverse: "{{ ipaserver_auto_reverse }}"
|
|
zonemgr: "{{ ipaserver_zonemgr | default(omit) }}"
|
|
forwarders: "{{ ipaserver_forwarders | default([]) }}"
|
|
no_forwarders: "{{ ipaserver_no_forwarders }}"
|
|
auto_forwarders: "{{ ipaserver_auto_forwarders }}"
|
|
forward_policy: "{{ ipaserver_forward_policy | default(omit) }}"
|
|
no_dnssec_validation: "{{ ipaserver_no_dnssec_validation }}"
|
|
### ad trust ###
|
|
enable_compat: "{{ ipaserver_enable_compat }}"
|
|
netbios_name: "{{ ipaserver_netbios_name | default(omit) }}"
|
|
rid_base: "{{ ipaserver_rid_base | default(omit) }}"
|
|
secondary_rid_base: "{{ ipaserver_secondary_rid_base | default(omit) }}"
|
|
### additional ###
|
|
setup_ca: "{{ result_ipaserver_test.setup_ca }}"
|
|
_hostname_overridden: "{{ result_ipaserver_test._hostname_overridden }}"
|
|
register: result_ipaserver_prepare
|
|
|
|
- name: Install - Setup NTP
|
|
ipaserver_setup_ntp:
|
|
ntp_servers: "{{ result_ipaserver_test.ntp_servers | default(omit) }}"
|
|
ntp_pool: "{{ result_ipaserver_test.ntp_pool | default(omit) }}"
|
|
when: not ipaclient_no_ntp | bool and (ipaserver_external_cert_files
|
|
is undefined or ipaserver_external_cert_files|length < 1)
|
|
|
|
- name: Install - Setup DS
|
|
ipaserver_setup_ds:
|
|
dm_password: "{{ ipadm_password }}"
|
|
password: "{{ ipaadmin_password }}"
|
|
# master_password: "{{ ipaserver_master_password }}"
|
|
domain: "{{ result_ipaserver_test.domain }}"
|
|
realm: "{{ result_ipaserver_test.realm | default(omit) }}"
|
|
hostname: "{{ result_ipaserver_test.hostname }}"
|
|
# ip_addresses: "{{ result_ipaserver_prepare.ip_addresses }}"
|
|
# reverse_zones: "{{ result_ipaserver_prepare.reverse_zones }}"
|
|
# setup_adtrust: "{{ result_ipaserver_test.setup_adtrust }}"
|
|
# setup_kra: "{{ result_ipaserver_test.setup_kra }}"
|
|
# setup_dns: "{{ ipaserver_setup_dns }}"
|
|
setup_ca: "{{ result_ipaserver_test.setup_ca }}"
|
|
# no_host_dns: "{{ result_ipaserver_test.no_host_dns }}"
|
|
dirsrv_config_file: "{{ ipaserver_dirsrv_config_file | default(omit) }}"
|
|
dirsrv_cert_files: "{{ ipaserver_dirsrv_cert_files | default(omit) }}"
|
|
_dirsrv_pkcs12_info: "{{ result_ipaserver_test._dirsrv_pkcs12_info if result_ipaserver_test._dirsrv_pkcs12_info != None else omit }}"
|
|
external_cert_files:
|
|
"{{ ipaserver_external_cert_files | default(omit) }}"
|
|
subject_base: "{{ result_ipaserver_prepare.subject_base }}"
|
|
ca_subject: "{{ result_ipaserver_prepare.ca_subject }}"
|
|
# no_reverse: "{{ ipaserver_no_reverse }}"
|
|
# auto_forwarders: "{{ ipaserver_auto_forwarders }}"
|
|
no_pkinit: "{{ result_ipaserver_test.no_pkinit }}"
|
|
no_hbac_allow: "{{ ipaserver_no_hbac_allow }}"
|
|
idstart: "{{ result_ipaserver_test.idstart }}"
|
|
idmax: "{{ result_ipaserver_test.idmax }}"
|
|
|
|
- name: Install - Setup KRB
|
|
ipaserver_setup_krb:
|
|
dm_password: "{{ ipadm_password }}"
|
|
password: "{{ ipaadmin_password }}"
|
|
master_password: "{{ ipaserver_master_password }}"
|
|
domain: "{{ result_ipaserver_test.domain }}"
|
|
realm: "{{ result_ipaserver_test.realm }}"
|
|
hostname: "{{ result_ipaserver_test.hostname }}"
|
|
# ip_addresses: "{{ result_ipaserver_prepare.ip_addresses }}"
|
|
reverse_zones: "{{ result_ipaserver_prepare.reverse_zones }}"
|
|
setup_adtrust: "{{ result_ipaserver_test.setup_adtrust }}"
|
|
setup_kra: "{{ result_ipaserver_test.setup_kra }}"
|
|
setup_dns: "{{ ipaserver_setup_dns }}"
|
|
setup_ca: "{{ result_ipaserver_test.setup_ca }}"
|
|
no_host_dns: "{{ result_ipaserver_test.no_host_dns }}"
|
|
external_cert_files:
|
|
"{{ ipaserver_external_cert_files | default(omit) }}"
|
|
subject_base: "{{ result_ipaserver_prepare.subject_base }}"
|
|
ca_subject: "{{ result_ipaserver_prepare.ca_subject }}"
|
|
no_reverse: "{{ ipaserver_no_reverse }}"
|
|
auto_forwarders: "{{ ipaserver_auto_forwarders }}"
|
|
no_pkinit: "{{ result_ipaserver_test.no_pkinit }}"
|
|
no_hbac_allow: "{{ ipaserver_no_hbac_allow }}"
|
|
idstart: "{{ result_ipaserver_test.idstart }}"
|
|
idmax: "{{ result_ipaserver_test.idmax }}"
|
|
_pkinit_pkcs12_info: "{{ result_ipaserver_test._pkinit_pkcs12_info if result_ipaserver_test._pkinit_pkcs12_info != None else omit }}"
|
|
|
|
- name: Install - Setup custodia
|
|
ipaserver_setup_custodia:
|
|
realm: "{{ result_ipaserver_test.realm }}"
|
|
hostname: "{{ result_ipaserver_test.hostname }}"
|
|
setup_ca: "{{ result_ipaserver_test.setup_ca }}"
|
|
|
|
- name: Install - Setup CA
|
|
ipaserver_setup_ca:
|
|
dm_password: "{{ ipadm_password }}"
|
|
password: "{{ ipaadmin_password }}"
|
|
master_password: "{{ ipaserver_master_password }}"
|
|
# ip_addresses: "{{ result_ipaserver_prepare.ip_addresses }}"
|
|
domain: "{{ result_ipaserver_test.domain }}"
|
|
realm: "{{ result_ipaserver_test.realm }}"
|
|
hostname: "{{ result_ipaserver_test.hostname }}"
|
|
no_host_dns: "{{ result_ipaserver_test.no_host_dns }}"
|
|
pki_config_override: "{{ ipaserver_pki_config_override |
|
|
default(omit) }}"
|
|
setup_adtrust: "{{ result_ipaserver_test.setup_adtrust }}"
|
|
setup_kra: "{{ result_ipaserver_test.setup_kra }}"
|
|
setup_dns: "{{ ipaserver_setup_dns }}"
|
|
setup_ca: "{{ result_ipaserver_test.setup_ca }}"
|
|
idstart: "{{ result_ipaserver_test.idstart }}"
|
|
idmax: "{{ result_ipaserver_test.idmax }}"
|
|
no_hbac_allow: "{{ ipaserver_no_hbac_allow }}"
|
|
no_pkinit: "{{ result_ipaserver_test.no_pkinit }}"
|
|
dirsrv_config_file: "{{ ipaserver_dirsrv_config_file | default(omit) }}"
|
|
dirsrv_cert_files: "{{ ipaserver_dirsrv_cert_files | default([]) }}"
|
|
_dirsrv_pkcs12_info: "{{ result_ipaserver_test._dirsrv_pkcs12_info if result_ipaserver_test._dirsrv_pkcs12_info != None else omit }}"
|
|
external_ca: "{{ ipaserver_external_ca }}"
|
|
external_ca_type: "{{ ipaserver_external_ca_type | default(omit) }}"
|
|
external_ca_profile:
|
|
"{{ ipaserver_external_ca_profile | default(omit) }}"
|
|
external_cert_files:
|
|
"{{ ipaserver_external_cert_files | default(omit) }}"
|
|
subject_base: "{{ result_ipaserver_prepare.subject_base }}"
|
|
_subject_base: "{{ result_ipaserver_prepare._subject_base }}"
|
|
ca_subject: "{{ result_ipaserver_prepare.ca_subject }}"
|
|
_ca_subject: "{{ result_ipaserver_prepare._ca_subject }}"
|
|
ca_signing_algorithm: "{{ ipaserver_ca_signing_algorithm |
|
|
default(omit) }}"
|
|
reverse_zones: "{{ result_ipaserver_prepare.reverse_zones }}"
|
|
no_reverse: "{{ ipaserver_no_reverse }}"
|
|
auto_forwarders: "{{ ipaserver_auto_forwarders }}"
|
|
_http_ca_cert: "{{ result_ipaserver_test._http_ca_cert }}"
|
|
register: result_ipaserver_setup_ca
|
|
|
|
- name: Copy /root/ipa.csr to "{{ inventory_hostname }}-ipa.csr"
|
|
fetch:
|
|
src: /root/ipa.csr
|
|
dest: "{{ inventory_hostname }}-ipa.csr"
|
|
flat: yes
|
|
when: result_ipaserver_setup_ca.csr_generated | bool and
|
|
ipaserver_copy_csr_to_controller | bool
|
|
|
|
- block:
|
|
- name: Install - Setup otpd
|
|
ipaserver_setup_otpd:
|
|
realm: "{{ result_ipaserver_test.realm }}"
|
|
hostname: "{{ result_ipaserver_test.hostname }}"
|
|
setup_ca: "{{ result_ipaserver_test.setup_ca }}"
|
|
|
|
- name: Install - Setup HTTP
|
|
ipaserver_setup_http:
|
|
dm_password: "{{ ipadm_password }}"
|
|
password: "{{ ipaadmin_password }}"
|
|
master_password: "{{ ipaserver_master_password }}"
|
|
domain: "{{ result_ipaserver_test.domain }}"
|
|
realm: "{{ result_ipaserver_test.realm }}"
|
|
hostname: "{{ result_ipaserver_test.hostname }}"
|
|
# ip_addresses: "{{ result_ipaserver_prepare.ip_addresses }}"
|
|
reverse_zones: "{{ result_ipaserver_prepare.reverse_zones }}"
|
|
setup_adtrust: "{{ result_ipaserver_test.setup_adtrust }}"
|
|
setup_kra: "{{ result_ipaserver_test.setup_kra }}"
|
|
setup_dns: "{{ ipaserver_setup_dns }}"
|
|
setup_ca: "{{ result_ipaserver_test.setup_ca }}"
|
|
no_host_dns: "{{ result_ipaserver_test.no_host_dns }}"
|
|
dirsrv_cert_files: "{{ ipaserver_dirsrv_cert_files | default([]) }}"
|
|
external_cert_files:
|
|
"{{ ipaserver_external_cert_files | default(omit) }}"
|
|
subject_base: "{{ result_ipaserver_prepare.subject_base }}"
|
|
_subject_base: "{{ result_ipaserver_prepare._subject_base }}"
|
|
ca_subject: "{{ result_ipaserver_prepare.ca_subject }}"
|
|
_ca_subject: "{{ result_ipaserver_prepare._ca_subject }}"
|
|
no_reverse: "{{ ipaserver_no_reverse }}"
|
|
auto_forwarders: "{{ ipaserver_auto_forwarders }}"
|
|
no_pkinit: "{{ result_ipaserver_test.no_pkinit }}"
|
|
no_hbac_allow: "{{ ipaserver_no_hbac_allow }}"
|
|
idstart: "{{ result_ipaserver_test.idstart }}"
|
|
idmax: "{{ result_ipaserver_test.idmax }}"
|
|
http_cert_files: "{{ ipaserver_http_cert_files | default([]) }}"
|
|
no_ui_redirect: "{{ ipaserver_no_ui_redirect }}"
|
|
_http_pkcs12_info: "{{ result_ipaserver_test._http_pkcs12_info if result_ipaserver_test._http_pkcs12_info != None else omit }}"
|
|
|
|
- name: Install - Setup KRA
|
|
ipaserver_setup_kra:
|
|
hostname: "{{ result_ipaserver_test.hostname }}"
|
|
setup_ca: "{{ result_ipaserver_test.setup_ca }}"
|
|
dm_password: "{{ ipadm_password }}"
|
|
setup_kra: "{{ result_ipaserver_test.setup_kra }}"
|
|
realm: "{{ result_ipaserver_test.realm }}"
|
|
pki_config_override: "{{ ipaserver_pki_config_override |
|
|
default(omit) }}"
|
|
when: result_ipaserver_test.setup_kra | bool
|
|
|
|
- name: Install - Setup DNS
|
|
ipaserver_setup_dns:
|
|
ip_addresses: "{{ ipaserver_ip_addresses | default([]) }}"
|
|
domain: "{{ result_ipaserver_test.domain }}"
|
|
realm: "{{ result_ipaserver_test.realm }}"
|
|
hostname: "{{ result_ipaserver_test.hostname }}"
|
|
setup_ca: "{{ result_ipaserver_test.setup_ca }}"
|
|
setup_dns: "{{ ipaserver_setup_dns }}"
|
|
forwarders: "{{ result_ipaserver_prepare.forwarders }}"
|
|
forward_policy: "{{ result_ipaserver_prepare.forward_policy }}"
|
|
zonemgr: "{{ ipaserver_zonemgr | default(omit) }}"
|
|
no_dnssec_validation: "{{ result_ipaserver_prepare.no_dnssec_validation }}"
|
|
### additional ###
|
|
dns_ip_addresses: "{{ result_ipaserver_prepare.dns_ip_addresses }}"
|
|
dns_reverse_zones: "{{ result_ipaserver_prepare.dns_reverse_zones }}"
|
|
when: ipaserver_setup_dns | bool
|
|
|
|
- name: Install - Setup ADTRUST
|
|
ipaserver_setup_adtrust:
|
|
hostname: "{{ result_ipaserver_test.hostname }}"
|
|
setup_ca: "{{ result_ipaserver_test.setup_ca }}"
|
|
setup_adtrust: "{{ result_ipaserver_test.setup_adtrust }}"
|
|
### ad trust ###
|
|
enable_compat: "{{ ipaserver_enable_compat }}"
|
|
rid_base: "{{ result_ipaserver_test.rid_base }}"
|
|
secondary_rid_base: "{{ result_ipaserver_test.secondary_rid_base }}"
|
|
### additional ###
|
|
adtrust_netbios_name: "{{ result_ipaserver_prepare.adtrust_netbios_name }}"
|
|
adtrust_reset_netbios_name:
|
|
"{{ result_ipaserver_prepare.adtrust_reset_netbios_name }}"
|
|
when: result_ipaserver_test.setup_adtrust
|
|
|
|
- name: Install - Set DS password
|
|
ipaserver_set_ds_password:
|
|
dm_password: "{{ ipadm_password }}"
|
|
password: "{{ ipaadmin_password }}"
|
|
domain: "{{ result_ipaserver_test.domain }}"
|
|
realm: "{{ result_ipaserver_test.realm }}"
|
|
hostname: "{{ result_ipaserver_test.hostname }}"
|
|
setup_ca: "{{ result_ipaserver_test.setup_ca }}"
|
|
subject_base: "{{ result_ipaserver_prepare.subject_base }}"
|
|
ca_subject: "{{ result_ipaserver_prepare.ca_subject }}"
|
|
no_pkinit: "{{ result_ipaserver_test.no_pkinit }}"
|
|
no_hbac_allow: "{{ ipaserver_no_hbac_allow }}"
|
|
idstart: "{{ result_ipaserver_test.idstart }}"
|
|
idmax: "{{ result_ipaserver_test.idmax }}"
|
|
dirsrv_config_file: "{{ ipaserver_dirsrv_config_file | default(omit) }}"
|
|
_dirsrv_pkcs12_info: "{{ result_ipaserver_test._dirsrv_pkcs12_info if result_ipaserver_test._dirsrv_pkcs12_info != None else omit }}"
|
|
|
|
- name: Install - Setup client
|
|
include_role:
|
|
name: ipaclient
|
|
vars:
|
|
state: present
|
|
ipaclient_on_master: yes
|
|
ipaclient_domain: "{{ result_ipaserver_test.domain }}"
|
|
ipaclient_realm: "{{ result_ipaserver_test.realm }}"
|
|
ipaclient_servers: ["{{ result_ipaserver_test.hostname }}"]
|
|
ipaclient_hostname: "{{ result_ipaserver_test.hostname }}"
|
|
ipaclient_no_ntp:
|
|
"{{ 'true' if result_ipaserver_test.ipa_python_version >= 40690
|
|
else 'false' }}"
|
|
ipaclient_install_packages: "{{ ipaserver_install_packages }}"
|
|
|
|
- name: Install - Enable IPA
|
|
ipaserver_enable_ipa:
|
|
hostname: "{{ result_ipaserver_test.hostname }}"
|
|
setup_dns: "{{ ipaserver_setup_dns }}"
|
|
setup_ca: "{{ result_ipaserver_test.setup_ca }}"
|
|
register: result_ipaserver_enable_ipa
|
|
|
|
- name: Install - Cleanup root IPA cache
|
|
file:
|
|
path: "/root/.ipa_cache"
|
|
state: absent
|
|
when: result_ipaserver_enable_ipa.changed
|
|
|
|
- name: Install - Configure firewalld
|
|
command: >
|
|
firewall-cmd
|
|
--permanent
|
|
--zone="{{ ipaserver_firewalld_zone if ipaserver_firewalld_zone is
|
|
defined else '' }}"
|
|
--add-service=freeipa-ldap
|
|
--add-service=freeipa-ldaps
|
|
{{ "--add-service=freeipa-trust" if ipaserver_setup_adtrust | bool
|
|
else "" }}
|
|
{{ "--add-service=dns" if ipaserver_setup_dns | bool else "" }}
|
|
{{ "--add-service=ntp" if not ipaclient_no_ntp | bool else "" }}
|
|
when: ipaserver_setup_firewalld | bool
|
|
|
|
- name: Install - Configure firewalld runtime
|
|
command: >
|
|
firewall-cmd
|
|
--zone="{{ ipaserver_firewalld_zone if ipaserver_firewalld_zone is
|
|
defined else '' }}"
|
|
--add-service=freeipa-ldap
|
|
--add-service=freeipa-ldaps
|
|
{{ "--add-service=freeipa-trust" if ipaserver_setup_adtrust | bool
|
|
else "" }}
|
|
{{ "--add-service=dns" if ipaserver_setup_dns | bool else "" }}
|
|
{{ "--add-service=ntp" if not ipaclient_no_ntp | bool else "" }}
|
|
when: ipaserver_setup_firewalld | bool
|
|
|
|
when: not result_ipaserver_setup_ca.csr_generated | bool
|
|
|
|
always:
|
|
- name: Cleanup temporary files
|
|
file:
|
|
path: "{{ item }}"
|
|
state: absent
|
|
with_items:
|
|
- "/etc/ipa/.tmp_pkcs12_dirsrv"
|
|
- "/etc/ipa/.tmp_pkcs12_http"
|
|
- "/etc/ipa/.tmp_pkcs12_pkinit"
|
|
|
|
when: not ansible_check_mode and not
|
|
(not result_ipaserver_test.changed and
|
|
(result_ipaserver_test.client_already_configured is defined or
|
|
result_ipaserver_test.server_already_configured is defined))
|