initial commit

.ansible-lint

@@ -0,0 +1,3 @@
+skip_list:
+  - '106'
+  - '503'

.travis.yml

@@ -0,0 +1,23 @@
+---
+language: python3.6
+cache: pip
+services: docker
+
+env:
+  global:
+    - ROLE_NAME: apps_logstash
+  matrix:
+    - MOLECULE_DISTRO: centos8
+    - MOLECULE_DISTRO: centos7
+
+before_install:
+  # Upgrade Docker to work with docker-py.
+  - curl https://gist.githubusercontent.com/geerlingguy/ce883ad4aec6a5f1187ef93bd338511e/raw/36612d28981d92863f839c5aefe5b7dd7193d6c6/travis-ci-docker-upgrade.sh | sudo bash
+
+install:
+  # Install test dependencies.
+  - pip install molecule yamllint ansible-lint docker
+
+script:
+  # Run tests.
+  - molecule test

.yamllint

@@ -0,0 +1,33 @@
+---
+# Based on ansible-lint config
+extends: default
+
+rules:
+  braces:
+    max-spaces-inside: 1
+    level: error
+  brackets:
+    max-spaces-inside: 1
+    level: error
+  colons:
+    max-spaces-after: -1
+    level: error
+  commas:
+    max-spaces-after: -1
+    level: error
+  comments: disable
+  comments-indentation: disable
+  document-start: disable
+  empty-lines:
+    max: 3
+    level: error
+  hyphens:
+    level: error
+  indentation: disable
+  key-duplicates: enable
+  line-length: disable
+  new-line-at-end-of-file: disable
+  new-lines:
+    type: unix
+  trailing-spaces: disable
+  truthy: disable

LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2017-2018 Pawel Krupa, Roman Demachkovych
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,49 @@
+# Ansible Role: apps_freeipa_server
+
+
+## Description
+
+[![Build Status](https://travis-ci.com/lotusnoir/apps_freeipa_server.svg?branch=master)](https://travis-ci.com/lotusnoir/apps_freeipa_server)[![License](https://img.shields.io/badge/license-MIT%20License-brightgreen.svg)](https://opensource.org/licenses/MIT)[![Ansible Role](https://img.shields.io/badge/ansible%20role-apps__freeipa_server-blue)](https://galaxy.ansible.com/lotusnoir/apps_freeipa_server/)[![GitHub tag](https://img.shields.io/badge/version-latest-blue)](https://github.com/lotusnoir/apps_freeipa_server/tags)
+
+Deploy freeipa_server app using ansible on centos.
+
+
+## Requirements
+
+if you are in a debian system, ensure to have python-firewalld package installed on your local system in order to execute firewald module.
+
+## Role variables
+
+| Name           | Default Value | Description                        |
+| -------------- | ------------- | -----------------------------------|
+| `freeipa_server_type` | master | master or replica |
+| `freeipa_server_admin_password` | "strongpassword" | set a strong password for the admin access |
+| `freeipa_server_ds_password` | "strongpassword" | |
+| `freeipa_server_domain` | example.com | set the company domain|
+| `freeipa_server_realm` | EXAMPLE.COM | same as {{ freeipa_server_domain }} but upper |
+| `freeipa_server_install_options` | | |
+| `freeipa_client_install_options` | | |
+| `freeipa_replica_install_options` | | |
+
+## Examples
+
+	---
+	- hosts: apps_freeipa_server
+	  become: yes
+	  become_method: sudo
+	  gather_facts: yes
+	  roles:
+	    - role: apps_freeipa_server
+	  vars:
+        freeipa_server_admin_password: "strongpassword"
+        freeipa_server_ds_password: "strongpassword"
+        freeipa_server_domain: "example.com"
+	  environment: 
+	    http_proxy: "{{ http_proxy }}"
+	    https_proxy: "{{ https_proxy }}"
+	    no_proxy: "{{ no_proxy }}
+
+
+## License
+
+This project is licensed under MIT License. See [LICENSE](/LICENSE) for more details.

defaults/main.yml

@@ -0,0 +1,29 @@
+---
+freeipa_server_type: master
+freeipa_server_admin_password: "strongpassword"
+freeipa_server_ds_password: "strongpassword"
+freeipa_server_domain: "example.com"
+freeipa_server_realm: "{{ freeipa_server_domain |upper }}"
+
+freeipa_server_install_options:
+  - "--realm={{ freeipa_server_realm }}"
+  - "--domain={{ freeipa_server_domain }}"
+  - "--ds-password {{ freeipa_server_ds_password }}"
+  - "--admin-password {{ freeipa_server_admin_password }}"
+  - "--mkhomedir"
+  - "--hostname={{ ansible_fqdn }}"
+  - "--ip-address={{ ansible_default_ipv4.address }}"
+  - "--no-host-dns"
+  - "--no-ntp"
+
+freeipa_client_install_options:
+  - "--domain={{ freeipa_server_domain }}"
+  - "--realm={{ freeipa_server_realm }}"
+  - "--server={{ freeipa_server_master_fqdn }}"
+  - "--mkhomedir"
+  - "-p admin"
+  - "-w {{ freeipa_server_admin_password }}"
+  - "--no-ntp"
+
+freeipa_replica_install_options:
+  - "--setup-ca"

handlers/main.yml

@@ -0,0 +1,11 @@
+---
+- name: restart ipa services
+  service:
+    enabled: true
+    name: ipa
+    state: restarted
+
+- name: reload firewalld
+  systemd:
+    name: firewalld
+    state: reloaded

meta/main.yml

@@ -0,0 +1,23 @@
+---
+galaxy_info:
+  author: "Philippe leal"
+  description: "Install and configure freeipa server on centos"
+  role_name: apps_freeipa_server
+  license: "MIT"
+  min_ansible_version: 2.8
+
+  platforms:
+    - name: "Centos"
+      versions:
+        - "8"
+        - "7"
+
+  galaxy_tags:
+    - freeipa
+    - ldap
+    - kerberos
+    - system
+    - sudo
+    - users
+
+dependencies: []

molecule/default/converge.yml

@@ -0,0 +1,8 @@
+---
+- name: Converge
+  hosts: all
+  become: true
+  tasks:
+    - name: "Include apps_freeipa_server"
+      include_role:
+        name: "apps_freeipa_server"

molecule/default/molecule.yml

@@ -0,0 +1,20 @@
+---
+dependency:
+  name: galaxy
+driver:
+  name: docker
+lint: |   
+  yamllint .
+  ansible-lint
+platforms:
+  - name: instance-01.example.com
+    image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest"
+    command: ${MOLECULE_DOCKER_COMMAND:-""}
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    privileged: true
+    pre_build_image: true
+provisioner:
+  name: ansible
+  playbooks:
+    converge: ${MOLECULE_PLAYBOOK:-converge.yml}

tasks/main.yml

@@ -0,0 +1,99 @@
+---
+- name: "Ensure valid hostname"
+  hostname:
+    name: "{{ ansible_fqdn }}"
+
+- name: "Ensure hostname resolve to ip and not localhost"
+  replace:
+    path: /etc/hosts
+    regexp: '^127.0.0.1     {{ ansible_fqdn }}'
+    replace: '{{ ansible_default_ipv4.address }}\t{{ ansible_fqdn }}'
+
+#- name: "Ensure hostname resolve to ip and not localhost"
+#  lineinfile:
+#    dest: /etc/hosts
+#    line: "{{ ansible_default_ipv4.address }}\t{{ ansible_fqdn }}"
+#    insertbefore: '^127.0.0.1'
+
+- name: "Ensure ipv6 is not disable"
+  sysctl:
+    name: net.ipv6.conf.all.disable_ipv6
+    value: '0'
+    sysctl_set: yes
+    state: present
+    reload: yes
+
+- name: "Install rng-tools for better entropie"
+  dnf:
+    name: rng-tools
+    state: present
+
+- name: "Enable and start rng-tools"
+  systemd:
+    name: rngd
+    enabled: yes
+    state: started
+
+- name: "Install required packages"
+  dnf:
+    name: ['@idm:DL1', 'freeipa-server', 'firewalld']
+    state: present
+  register: freeipa_install
+
+- name: "Open firewall ports"
+  firewalld:
+    service: "{{ item }}"
+    permanent: yes
+    state: enabled
+  ignore_errors: yes
+  notify: reload firewalld
+  with_items:
+    - http
+    - https
+    - dns
+    - ntp
+    - freeipa-ldap
+    - freeipa-ldaps
+    - kerberos
+
+- name: "Change Umask to 0022 to make installer working"
+  shell: umask 0022 && umask
+  when:
+    - freeipa_install.changed
+  notify: restart ipa services
+
+- name: "MASTER - Configure FreeIPA server (take a while )"
+  args:
+    creates: /etc/ipa/default.conf
+  command: "{{ freeipa_launch_command }} {{ freeipa_server_install_options | join(' ') }}"
+  when:
+    - freeipa_server_type == 'master'
+    - freeipa_install.changed
+  notify: restart ipa services
+
+- name: "REPLICA 1/3 - Install ipa client"
+  command: "ipa-client-install -U {{ freeipa_client_install_options | join(' ') }}"
+  ignore_errors: yes
+  when:
+    - freeipa_server_type == 'replica'
+    - freeipa_install.changed
+
+- name: "REPLICA 2/3 - add to ipservers group"
+  command: "ipa hostgroup-add-member ipaservers --hosts {{ ansible_fqdn }}"
+  delegate_to: "{{ freeipa_server_master_fqdn }}"
+  ignore_errors: yes
+  when:
+    - freeipa_server_type == 'replica'
+    - freeipa_install.changed
+
+- name: "REPLICA 3/3 - Install replica (take a while)"
+  command: "{{ freeipa_launch_command }} {{ freeipa_replica_install_options | join(' ') }}"
+  when:
+    - freeipa_server_type == 'replica'
+    - freeipa_install.changed
+
+- name: "Global - Ensure admin config / auth to Kerberos realm"
+  shell: |
+    set -o pipefail
+    echo '{{ freeipa_server_admin_password }}' | kinit admin
+  changed_when: false

vars/main.yml

@@ -0,0 +1,2 @@
+---
+freeipa_launch_command: "ipa-{{ 'server' if freeipa_server_type == 'master' else 'replica' }}-install --unattended {{ '--server=' + freeipa_server_master_fqdn if freeipa_server_type == 'replica' else '' }}"