--- # tasks file for ipaserver - block: - name: Install - Ensure that IPA server packages are installed package: name: "{{ ipaserver_packages }}" state: present - name: Install - Ensure that IPA server packages for dns are installed package: name: "{{ ipaserver_packages_dns }}" state: present when: ipaserver_setup_dns | bool - name: Install - Ensure that IPA server packages for adtrust are installed package: name: "{{ ipaserver_packages_adtrust }}" state: present when: ipaserver_setup_adtrust | bool - name: Install - Ensure that firewall packages installed package: name: "{{ ipaserver_packages_firewalld }}" state: present when: ipaserver_setup_firewalld | bool - name: Firewalld service - Ensure that firewalld is running systemd: name: firewalld enabled: yes state: started when: ipaserver_setup_firewalld | bool when: ipaserver_install_packages | bool #- name: Install - Include Python2/3 import test # import_tasks: "{{ role_path }}/tasks/python_2_3_test.yml" - include_tasks: "{{ role_path }}/tasks/copy_external_cert.yml" with_items: "{{ ipaserver_external_cert_files_from_controller }}" when: ipaserver_external_cert_files_from_controller is defined and ipaserver_external_cert_files_from_controller|length > 0 and not ipaserver_external_cert_files is defined - name: Install - Server installation test ipaserver_test: ### basic ### dm_password: "{{ ipadm_password }}" password: "{{ ipaadmin_password }}" master_password: "{{ ipaserver_master_password | default(omit) }}" domain: "{{ ipaserver_domain | default(omit) }}" realm: "{{ ipaserver_realm | default(omit) }}" hostname: "{{ ipaserver_hostname | default(ansible_fqdn) }}" ca_cert_files: "{{ ipaserver_ca_cert_files | default(omit) }}" no_host_dns: "{{ ipaserver_no_host_dns }}" pki_config_override: "{{ ipaserver_pki_config_override | default(omit) }}" ### server ### setup_adtrust: "{{ ipaserver_setup_adtrust }}" setup_kra: "{{ ipaserver_setup_kra }}" setup_dns: "{{ ipaserver_setup_dns }}" idstart: "{{ ipaserver_idstart | default(omit) }}" idmax: "{{ ipaserver_idmax | default(omit) }}" # no_hbac_allow: "{{ ipaserver_no_hbac_allow }}" no_pkinit: "{{ ipaserver_no_pkinit }}" # no_ui_redirect: "{{ ipaserver_no_ui_redirect }}" dirsrv_config_file: "{{ ipaserver_dirsrv_config_file | default(omit) }}" ### ssl certificate ### dirsrv_cert_files: "{{ ipaserver_dirsrv_cert_files | default(omit) }}" dirsrv_cert_name: "{{ ipaserver_dirsrv_cert_name | default(omit) }}" dirsrv_pin: "{{ ipaserver_dirsrv_pin | default(omit) }}" http_cert_files: "{{ ipaserver_http_cert_files | default(omit) }}" http_cert_name: "{{ ipaserver_http_cert_name | default(omit) }}" http_pin: "{{ ipaserver_http_pin | default(omit) }}" pkinit_cert_files: "{{ ipaserver_pkinit_cert_files | default(omit) }}" pkinit_cert_name: "{{ ipaserver_pkinit_cert_name | default(omit) }}" pkinit_pin: "{{ ipaserver_pkinit_pin | default(omit) }}" ### client ### # mkhomedir ntp_servers: "{{ ipaclient_ntp_servers | default(omit) }}" ntp_pool: "{{ ipaclient_ntp_pool | default(omit) }}" no_ntp: "{{ ipaclient_no_ntp }}" # ssh_trust_dns # no_ssh # no_sshd # no_dns_sshfp ### certificate system ### external_ca: "{{ ipaserver_external_ca }}" external_ca_type: "{{ ipaserver_external_ca_type | default(omit) }}" external_ca_profile: "{{ ipaserver_external_ca_profile | default(omit) }}" external_cert_files: "{{ ipaserver_external_cert_files | default(omit) }}" subject_base: "{{ ipaserver_subject_base | default(omit) }}" ca_subject: "{{ ipaserver_ca_subject | default(omit) }}" # ca_signing_algorithm ### dns ### allow_zone_overlap: "{{ ipaserver_allow_zone_overlap }}" reverse_zones: "{{ ipaserver_reverse_zones | default([]) }}" no_reverse: "{{ ipaserver_no_reverse }}" auto_reverse: "{{ ipaserver_auto_reverse }}" zonemgr: "{{ ipaserver_zonemgr | default(omit) }}" forwarders: "{{ ipaserver_forwarders | default([]) }}" no_forwarders: "{{ ipaserver_no_forwarders }}" auto_forwarders: "{{ ipaserver_auto_forwarders }}" forward_policy: "{{ ipaserver_forward_policy | default(omit) }}" no_dnssec_validation: "{{ ipaserver_no_dnssec_validation }}" ### ad trust ### enable_compat: "{{ ipaserver_enable_compat }}" netbios_name: "{{ ipaserver_netbios_name | default(omit) }}" rid_base: "{{ ipaserver_rid_base | default(omit) }}" secondary_rid_base: "{{ ipaserver_secondary_rid_base | default(omit) }}" ### additional ### register: result_ipaserver_test - block: # This block is executed only when # not ansible_check_mode and # not (not result_ipaserver_test.changed and # (result_ipaserver_test.client_already_configured is defined or # result_ipaserver_test.server_already_configured is defined) - block: - name: Install - Master password creation no_log: yes ipaserver_master_password: dm_password: "{{ ipadm_password }}" master_password: "{{ ipaserver_master_password | default(omit) }}" register: result_ipaserver_master_password - name: Install - Use new master password no_log: yes set_fact: ipaserver_master_password: "{{ result_ipaserver_master_password.password }}" when: ipaserver_master_password is undefined - name: Install - Server preparation ipaserver_prepare: ### basic ### dm_password: "{{ ipadm_password }}" password: "{{ ipaadmin_password }}" ip_addresses: "{{ ipaserver_ip_addresses | default([]) }}" domain: "{{ result_ipaserver_test.domain }}" realm: "{{ result_ipaserver_test.realm }}" hostname: "{{ result_ipaserver_test.hostname }}" no_host_dns: "{{ result_ipaserver_test.no_host_dns }}" ### server ### setup_adtrust: "{{ ipaserver_setup_adtrust }}" setup_kra: "{{ ipaserver_setup_kra }}" setup_dns: "{{ ipaserver_setup_dns }}" ### certificate system ### external_ca: "{{ ipaserver_external_ca }}" external_ca_type: "{{ ipaserver_external_ca_type | default(omit) }}" external_ca_profile: "{{ ipaserver_external_ca_profile | default(omit) }}" external_cert_files: "{{ ipaserver_external_cert_files | default(omit) }}" subject_base: "{{ ipaserver_subject_base | default(omit) }}" ca_subject: "{{ ipaserver_ca_subject | default(omit) }}" ### dns ### allow_zone_overlap: "{{ ipaserver_allow_zone_overlap }}" reverse_zones: "{{ ipaserver_reverse_zones | default([]) }}" no_reverse: "{{ ipaserver_no_reverse }}" auto_reverse: "{{ ipaserver_auto_reverse }}" zonemgr: "{{ ipaserver_zonemgr | default(omit) }}" forwarders: "{{ ipaserver_forwarders | default([]) }}" no_forwarders: "{{ ipaserver_no_forwarders }}" auto_forwarders: "{{ ipaserver_auto_forwarders }}" forward_policy: "{{ ipaserver_forward_policy | default(omit) }}" no_dnssec_validation: "{{ ipaserver_no_dnssec_validation }}" ### ad trust ### enable_compat: "{{ ipaserver_enable_compat }}" netbios_name: "{{ ipaserver_netbios_name | default(omit) }}" rid_base: "{{ ipaserver_rid_base | default(omit) }}" secondary_rid_base: "{{ ipaserver_secondary_rid_base | default(omit) }}" ### additional ### setup_ca: "{{ result_ipaserver_test.setup_ca }}" _hostname_overridden: "{{ result_ipaserver_test._hostname_overridden }}" register: result_ipaserver_prepare - name: Install - Setup NTP ipaserver_setup_ntp: ntp_servers: "{{ result_ipaserver_test.ntp_servers | default(omit) }}" ntp_pool: "{{ result_ipaserver_test.ntp_pool | default(omit) }}" when: not ipaclient_no_ntp | bool and (ipaserver_external_cert_files is undefined or ipaserver_external_cert_files|length < 1) - name: Install - Setup DS ipaserver_setup_ds: dm_password: "{{ ipadm_password }}" password: "{{ ipaadmin_password }}" # master_password: "{{ ipaserver_master_password }}" domain: "{{ result_ipaserver_test.domain }}" realm: "{{ result_ipaserver_test.realm | default(omit) }}" hostname: "{{ result_ipaserver_test.hostname }}" # ip_addresses: "{{ result_ipaserver_prepare.ip_addresses }}" # reverse_zones: "{{ result_ipaserver_prepare.reverse_zones }}" # setup_adtrust: "{{ result_ipaserver_test.setup_adtrust }}" # setup_kra: "{{ result_ipaserver_test.setup_kra }}" # setup_dns: "{{ ipaserver_setup_dns }}" setup_ca: "{{ result_ipaserver_test.setup_ca }}" # no_host_dns: "{{ result_ipaserver_test.no_host_dns }}" dirsrv_config_file: "{{ ipaserver_dirsrv_config_file | default(omit) }}" dirsrv_cert_files: "{{ ipaserver_dirsrv_cert_files | default(omit) }}" _dirsrv_pkcs12_info: "{{ result_ipaserver_test._dirsrv_pkcs12_info if result_ipaserver_test._dirsrv_pkcs12_info != None else omit }}" external_cert_files: "{{ ipaserver_external_cert_files | default(omit) }}" subject_base: "{{ result_ipaserver_prepare.subject_base }}" ca_subject: "{{ result_ipaserver_prepare.ca_subject }}" # no_reverse: "{{ ipaserver_no_reverse }}" # auto_forwarders: "{{ ipaserver_auto_forwarders }}" no_pkinit: "{{ result_ipaserver_test.no_pkinit }}" no_hbac_allow: "{{ ipaserver_no_hbac_allow }}" idstart: "{{ result_ipaserver_test.idstart }}" idmax: "{{ result_ipaserver_test.idmax }}" - name: Install - Setup KRB ipaserver_setup_krb: dm_password: "{{ ipadm_password }}" password: "{{ ipaadmin_password }}" master_password: "{{ ipaserver_master_password }}" domain: "{{ result_ipaserver_test.domain }}" realm: "{{ result_ipaserver_test.realm }}" hostname: "{{ result_ipaserver_test.hostname }}" # ip_addresses: "{{ result_ipaserver_prepare.ip_addresses }}" reverse_zones: "{{ result_ipaserver_prepare.reverse_zones }}" setup_adtrust: "{{ result_ipaserver_test.setup_adtrust }}" setup_kra: "{{ result_ipaserver_test.setup_kra }}" setup_dns: "{{ ipaserver_setup_dns }}" setup_ca: "{{ result_ipaserver_test.setup_ca }}" no_host_dns: "{{ result_ipaserver_test.no_host_dns }}" external_cert_files: "{{ ipaserver_external_cert_files | default(omit) }}" subject_base: "{{ result_ipaserver_prepare.subject_base }}" ca_subject: "{{ result_ipaserver_prepare.ca_subject }}" no_reverse: "{{ ipaserver_no_reverse }}" auto_forwarders: "{{ ipaserver_auto_forwarders }}" no_pkinit: "{{ result_ipaserver_test.no_pkinit }}" no_hbac_allow: "{{ ipaserver_no_hbac_allow }}" idstart: "{{ result_ipaserver_test.idstart }}" idmax: "{{ result_ipaserver_test.idmax }}" _pkinit_pkcs12_info: "{{ result_ipaserver_test._pkinit_pkcs12_info if result_ipaserver_test._pkinit_pkcs12_info != None else omit }}" - name: Install - Setup custodia ipaserver_setup_custodia: realm: "{{ result_ipaserver_test.realm }}" hostname: "{{ result_ipaserver_test.hostname }}" setup_ca: "{{ result_ipaserver_test.setup_ca }}" - name: Install - Setup CA ipaserver_setup_ca: dm_password: "{{ ipadm_password }}" password: "{{ ipaadmin_password }}" master_password: "{{ ipaserver_master_password }}" # ip_addresses: "{{ result_ipaserver_prepare.ip_addresses }}" domain: "{{ result_ipaserver_test.domain }}" realm: "{{ result_ipaserver_test.realm }}" hostname: "{{ result_ipaserver_test.hostname }}" no_host_dns: "{{ result_ipaserver_test.no_host_dns }}" pki_config_override: "{{ ipaserver_pki_config_override | default(omit) }}" setup_adtrust: "{{ result_ipaserver_test.setup_adtrust }}" setup_kra: "{{ result_ipaserver_test.setup_kra }}" setup_dns: "{{ ipaserver_setup_dns }}" setup_ca: "{{ result_ipaserver_test.setup_ca }}" idstart: "{{ result_ipaserver_test.idstart }}" idmax: "{{ result_ipaserver_test.idmax }}" no_hbac_allow: "{{ ipaserver_no_hbac_allow }}" no_pkinit: "{{ result_ipaserver_test.no_pkinit }}" dirsrv_config_file: "{{ ipaserver_dirsrv_config_file | default(omit) }}" dirsrv_cert_files: "{{ ipaserver_dirsrv_cert_files | default([]) }}" _dirsrv_pkcs12_info: "{{ result_ipaserver_test._dirsrv_pkcs12_info if result_ipaserver_test._dirsrv_pkcs12_info != None else omit }}" external_ca: "{{ ipaserver_external_ca }}" external_ca_type: "{{ ipaserver_external_ca_type | default(omit) }}" external_ca_profile: "{{ ipaserver_external_ca_profile | default(omit) }}" external_cert_files: "{{ ipaserver_external_cert_files | default(omit) }}" subject_base: "{{ result_ipaserver_prepare.subject_base }}" _subject_base: "{{ result_ipaserver_prepare._subject_base }}" ca_subject: "{{ result_ipaserver_prepare.ca_subject }}" _ca_subject: "{{ result_ipaserver_prepare._ca_subject }}" ca_signing_algorithm: "{{ ipaserver_ca_signing_algorithm | default(omit) }}" reverse_zones: "{{ result_ipaserver_prepare.reverse_zones }}" no_reverse: "{{ ipaserver_no_reverse }}" auto_forwarders: "{{ ipaserver_auto_forwarders }}" _http_ca_cert: "{{ result_ipaserver_test._http_ca_cert }}" register: result_ipaserver_setup_ca - name: Copy /root/ipa.csr to "{{ inventory_hostname }}-ipa.csr" fetch: src: /root/ipa.csr dest: "{{ inventory_hostname }}-ipa.csr" flat: yes when: result_ipaserver_setup_ca.csr_generated | bool and ipaserver_copy_csr_to_controller | bool - block: - name: Install - Setup otpd ipaserver_setup_otpd: realm: "{{ result_ipaserver_test.realm }}" hostname: "{{ result_ipaserver_test.hostname }}" setup_ca: "{{ result_ipaserver_test.setup_ca }}" - name: Install - Setup HTTP ipaserver_setup_http: dm_password: "{{ ipadm_password }}" password: "{{ ipaadmin_password }}" master_password: "{{ ipaserver_master_password }}" domain: "{{ result_ipaserver_test.domain }}" realm: "{{ result_ipaserver_test.realm }}" hostname: "{{ result_ipaserver_test.hostname }}" # ip_addresses: "{{ result_ipaserver_prepare.ip_addresses }}" reverse_zones: "{{ result_ipaserver_prepare.reverse_zones }}" setup_adtrust: "{{ result_ipaserver_test.setup_adtrust }}" setup_kra: "{{ result_ipaserver_test.setup_kra }}" setup_dns: "{{ ipaserver_setup_dns }}" setup_ca: "{{ result_ipaserver_test.setup_ca }}" no_host_dns: "{{ result_ipaserver_test.no_host_dns }}" dirsrv_cert_files: "{{ ipaserver_dirsrv_cert_files | default([]) }}" external_cert_files: "{{ ipaserver_external_cert_files | default(omit) }}" subject_base: "{{ result_ipaserver_prepare.subject_base }}" _subject_base: "{{ result_ipaserver_prepare._subject_base }}" ca_subject: "{{ result_ipaserver_prepare.ca_subject }}" _ca_subject: "{{ result_ipaserver_prepare._ca_subject }}" no_reverse: "{{ ipaserver_no_reverse }}" auto_forwarders: "{{ ipaserver_auto_forwarders }}" no_pkinit: "{{ result_ipaserver_test.no_pkinit }}" no_hbac_allow: "{{ ipaserver_no_hbac_allow }}" idstart: "{{ result_ipaserver_test.idstart }}" idmax: "{{ result_ipaserver_test.idmax }}" http_cert_files: "{{ ipaserver_http_cert_files | default([]) }}" no_ui_redirect: "{{ ipaserver_no_ui_redirect }}" _http_pkcs12_info: "{{ result_ipaserver_test._http_pkcs12_info if result_ipaserver_test._http_pkcs12_info != None else omit }}" - name: Install - Setup KRA ipaserver_setup_kra: hostname: "{{ result_ipaserver_test.hostname }}" setup_ca: "{{ result_ipaserver_test.setup_ca }}" dm_password: "{{ ipadm_password }}" setup_kra: "{{ result_ipaserver_test.setup_kra }}" realm: "{{ result_ipaserver_test.realm }}" pki_config_override: "{{ ipaserver_pki_config_override | default(omit) }}" when: result_ipaserver_test.setup_kra | bool - name: Install - Setup DNS ipaserver_setup_dns: ip_addresses: "{{ ipaserver_ip_addresses | default([]) }}" domain: "{{ result_ipaserver_test.domain }}" realm: "{{ result_ipaserver_test.realm }}" hostname: "{{ result_ipaserver_test.hostname }}" setup_ca: "{{ result_ipaserver_test.setup_ca }}" setup_dns: "{{ ipaserver_setup_dns }}" forwarders: "{{ result_ipaserver_prepare.forwarders }}" forward_policy: "{{ result_ipaserver_prepare.forward_policy }}" zonemgr: "{{ ipaserver_zonemgr | default(omit) }}" no_dnssec_validation: "{{ result_ipaserver_prepare.no_dnssec_validation }}" ### additional ### dns_ip_addresses: "{{ result_ipaserver_prepare.dns_ip_addresses }}" dns_reverse_zones: "{{ result_ipaserver_prepare.dns_reverse_zones }}" when: ipaserver_setup_dns | bool - name: Install - Setup ADTRUST ipaserver_setup_adtrust: hostname: "{{ result_ipaserver_test.hostname }}" setup_ca: "{{ result_ipaserver_test.setup_ca }}" setup_adtrust: "{{ result_ipaserver_test.setup_adtrust }}" ### ad trust ### enable_compat: "{{ ipaserver_enable_compat }}" rid_base: "{{ result_ipaserver_test.rid_base }}" secondary_rid_base: "{{ result_ipaserver_test.secondary_rid_base }}" ### additional ### adtrust_netbios_name: "{{ result_ipaserver_prepare.adtrust_netbios_name }}" adtrust_reset_netbios_name: "{{ result_ipaserver_prepare.adtrust_reset_netbios_name }}" when: result_ipaserver_test.setup_adtrust - name: Install - Set DS password ipaserver_set_ds_password: dm_password: "{{ ipadm_password }}" password: "{{ ipaadmin_password }}" domain: "{{ result_ipaserver_test.domain }}" realm: "{{ result_ipaserver_test.realm }}" hostname: "{{ result_ipaserver_test.hostname }}" setup_ca: "{{ result_ipaserver_test.setup_ca }}" subject_base: "{{ result_ipaserver_prepare.subject_base }}" ca_subject: "{{ result_ipaserver_prepare.ca_subject }}" no_pkinit: "{{ result_ipaserver_test.no_pkinit }}" no_hbac_allow: "{{ ipaserver_no_hbac_allow }}" idstart: "{{ result_ipaserver_test.idstart }}" idmax: "{{ result_ipaserver_test.idmax }}" dirsrv_config_file: "{{ ipaserver_dirsrv_config_file | default(omit) }}" _dirsrv_pkcs12_info: "{{ result_ipaserver_test._dirsrv_pkcs12_info if result_ipaserver_test._dirsrv_pkcs12_info != None else omit }}" - name: Install - Setup client include_role: name: ipaclient vars: state: present ipaclient_on_master: yes ipaclient_domain: "{{ result_ipaserver_test.domain }}" ipaclient_realm: "{{ result_ipaserver_test.realm }}" ipaclient_servers: ["{{ result_ipaserver_test.hostname }}"] ipaclient_hostname: "{{ result_ipaserver_test.hostname }}" ipaclient_no_ntp: "{{ 'true' if result_ipaserver_test.ipa_python_version >= 40690 else 'false' }}" ipaclient_install_packages: "{{ ipaserver_install_packages }}" - name: Install - Enable IPA ipaserver_enable_ipa: hostname: "{{ result_ipaserver_test.hostname }}" setup_dns: "{{ ipaserver_setup_dns }}" setup_ca: "{{ result_ipaserver_test.setup_ca }}" register: result_ipaserver_enable_ipa - name: Install - Cleanup root IPA cache file: path: "/root/.ipa_cache" state: absent when: result_ipaserver_enable_ipa.changed - name: Install - Configure firewalld command: > firewall-cmd --permanent --add-service=freeipa-ldap --add-service=freeipa-ldaps {{ "--add-service=freeipa-trust" if ipaserver_setup_adtrust | bool else "" }} {{ "--add-service=dns" if ipaserver_setup_dns | bool else "" }} {{ "--add-service=ntp" if not ipaclient_no_ntp | bool else "" }} when: ipaserver_setup_firewalld | bool - name: Install - Configure firewalld runtime command: > firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps {{ "--add-service=freeipa-trust" if ipaserver_setup_adtrust | bool else "" }} {{ "--add-service=dns" if ipaserver_setup_dns | bool else "" }} {{ "--add-service=ntp" if not ipaclient_no_ntp | bool else "" }} when: ipaserver_setup_firewalld | bool when: not result_ipaserver_setup_ca.csr_generated | bool always: - name: Cleanup temporary files file: path: "{{ item }}" state: absent with_items: - "/etc/ipa/.tmp_pkcs12_dirsrv" - "/etc/ipa/.tmp_pkcs12_http" - "/etc/ipa/.tmp_pkcs12_pkinit" when: not ansible_check_mode and not (not result_ipaserver_test.changed and (result_ipaserver_test.client_already_configured is defined or result_ipaserver_test.server_already_configured is defined))