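---
# Play 1: provision a FreeIPA server (with integrated DNS) on the hosts in
# the "ldap-server" group, then create a test user with an SSH key.
# The generated admin / Directory Manager passwords are written to
# ./admin_pass and ./ds_pass on the controller (mode 0600); the client play
# below reads ./admin_pass to enrol itself.
- hosts: ldap-server
  become: true
  tasks:
    # Refreshes the dnf metadata cache only; no packages are upgraded here.
    - name: update
      dnf:
        update_cache: true

    - name: install freeipa-server
      dnf:
        name: freeipa-server
        state: present

    - name: install freeipa-server-dns
      dnf:
        name: ipa-server-dns
        state: present

    - name: enable firewalld
      systemd:
        name: firewalld
        enabled: true
        state: started

    # Services the IPA server exposes: web UI, DNS, Kerberos, LDAP, NTP.
    # "permanent" + "immediate" applies the rule now and keeps it on reload.
    - name: open firewalld ports
      firewalld:
        service: "{{ item }}"
        permanent: true
        immediate: true
        state: enabled
      loop:
        - http
        - https
        - dns
        - kerberos
        - kpasswd
        - ldap
        - ldaps
        - ntp

    # A new random password is generated on every run; the '/dev/null' path
    # tells the password lookup not to cache it on the controller, so the
    # ./admin_pass and ./ds_pass files written below are the only copies.
    # no_log keeps the values out of the play output and Ansible logs.
    - name: generate pass admin
      set_fact:
        admin_password: "{{ lookup('ansible.builtin.password', '/dev/null length=12') }}"
      no_log: true

    - name: generate pass directory manager
      set_fact:
        ds_password: "{{ lookup('ansible.builtin.password', '/dev/null length=12') }}"
      no_log: true

    # Saved on the controller as the unprivileged user; 0600 so other local
    # accounts cannot read the credentials.
    - name: save admin pass
      copy:
        content: "{{ admin_password }}"
        dest: "./admin_pass"
        mode: "0600"
      become: false
      delegate_to: localhost
      no_log: true

    - name: save directory manager pass
      copy:
        content: "{{ ds_password }}"
        dest: "./ds_pass"
        mode: "0600"
      become: false
      delegate_to: localhost
      no_log: true

    # ipa-server-install resolves the server's own FQDN; pin it in /etc/hosts
    # so the install does not depend on external DNS. Address and names are
    # lab-specific.
    - name: change hosts
      lineinfile:
        path: /etc/hosts
        line: "10.10.1.10 ldap-server.lab.local ldap-server"
        state: present

    # Unattended install (-U). Both passwords are passed as command-line
    # arguments, so they are visible in the target's process list while the
    # installer runs; no_log at least keeps them out of Ansible's output.
    # This task is not idempotent: a second run fails once the server is
    # already configured.
    - name: freeipa server config
      command: >-
        ipa-server-install -U
        --domain=lab.local
        --realm=LAB.LOCAL
        --admin-password={{ admin_password }}
        --ds-password={{ ds_password }}
        --setup-dns
        --auto-forwarders
        --no-host-dns
        --no-host-dns
      no_log: true

    # Key pair is created on the controller; key_data.public_key is attached
    # to the IPA user below.
    - name: generate ssh key
      openssh_keypair:
        path: "./id_rsa"
        type: rsa
        size: 4096
      register: key_data
      delegate_to: localhost
      become: false

    # kinit reads the password from stdin; feeding it through args.stdin
    # avoids a shell pipeline and any shell interpretation of the password.
    - name: auth kerberos
      command: kinit admin@LAB.LOCAL
      args:
        stdin: "{{ admin_password }}"
      no_log: true

    - name: generate pass pupkin.v
      set_fact:
        user_password: "{{ lookup('ansible.builtin.password', '/dev/null length=12') }}"
      no_log: true

    # Only an "already exists" failure is tolerated (re-runs); any other
    # error, e.g. an expired ticket or a rejected password, still fails the
    # play instead of being silently ignored. IPA marks passwords set this way
    # as expired, so pupkin.a is asked to change it at first login.
    - name: create user
      command: ipa user-add pupkin.a --first=Aristarkh --last=Pupkin --cn=pupkin.a --password
      args:
        stdin: "{{ user_password }}"
      register: user_add
      changed_when: user_add.rc == 0
      failed_when: user_add.rc != 0 and 'already exists' not in user_add.stderr
      no_log: true

    # On re-runs the key is already set and ipa reports
    # "no modifications to be performed"; treat that as unchanged, not failed.
    - name: add ssh public key
      command: ipa user-mod pupkin.a --sshpubkey="{{ key_data.public_key }}"
      register: user_mod
      changed_when: user_mod.rc == 0
      failed_when: user_mod.rc != 0 and 'no modifications to be performed' not in user_mod.stderr

    # Intentionally prints all three passwords to the operator at the end of
    # the play; drop this task if the play output is captured by CI logs.
    - name: show pass
      debug:
        msg: "ВНИМАНИЕ!!! Сохраните сгенерированные пароли: admin - {{ admin_password }}, directory manager - {{ ds_password }}, pupkin.a - {{ user_password }}"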
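# Play 2: enrol the hosts in the "ldap-client" group against the server
# configured by the first play. Needs ./admin_pass on the controller.
- hosts: ldap-client
  become: true
  tasks:
    # Refreshes the dnf metadata cache only; no packages are upgraded here.
    - name: update
      dnf:
        update_cache: true

    - name: install ipa-client
      dnf:
        name: ipa-client
        state: present

    # Points the resolver at the IPA DNS so the client can discover the
    # server. NOTE(review): on NetworkManager-managed hosts /etc/resolv.conf
    # is regenerated and this line may not survive a reboot — confirm.
    - name: add dns
      lineinfile:
        path: /etc/resolv.conf
        line: "nameserver 10.10.1.10"
        insertbefore: BOF
        state: present

    # Reads the password the server play wrote on the controller; trim strips
    # any trailing newline so it is not sent as part of the password.
    - name: get admin pass
      set_fact:
        admin_password: "{{ lookup('file', './admin_pass') | trim }}"
      no_log: true

    # Unattended enrolment (-U). --password puts the admin password on the
    # command line, visible in the client's process list while the installer
    # runs; no_log keeps it out of Ansible's output.
    - name: freeipa client config
      command: >-
        ipa-client-install -U
        --domain=lab.local
        --realm=LAB.LOCAL
        --server=ldap-server.lab.local
        --principal=admin
        --password={{ admin_password }}
        --mkhomedir
      no_log: true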