Initial import; migrate some roles from irl.wip

Iain Learmonth 2025-10-31 22:36:32 +00:00
commit 2ba6c6691b
44 changed files with 1573 additions and 0 deletions


@ -0,0 +1,99 @@
---
- name: "FreeIPA Certificates | PATCH | Install latest certbot"
ansible.builtin.dnf:
name: certbot
state: latest
update_cache: true
- name: "FreeIPA Certificates | AUDIT | Check for existing certificate expiry"
community.crypto.x509_certificate_info:
path: "/etc/letsencrypt/live/{{ inventory_hostname }}/cert.pem"
register: freeipa_certs_existing_cert
ignore_errors: true
- name: "FreeIPA Certificates | AUDIT | Calculate days until expiry"
ansible.builtin.set_fact:
freeipa_certs_days_until_expiry: "{{ ((freeipa_certs_existing_cert.not_after | to_datetime('%Y%m%d%H%M%SZ')) - now()).days }}"
when: freeipa_certs_existing_cert.not_after is defined
- name: "FreeIPA Certificates | AUDIT | Print days until expiry"
debug:
msg: "{{ freeipa_certs_days_until_expiry }}"
when: freeipa_certs_existing_cert.not_after is defined
- name: "FreeIPA Certificates | PATCH | Request a new or renewed certificate"
when: (freeipa_certs_existing_cert.failed) or (freeipa_certs_days_until_expiry | int < 30)
block:
- name: "FreeIPA Certificates | PATCH | Download Let's Encrypt Root"
ansible.builtin.get_url:
url: "https://letsencrypt.org/certs/{{ item }}.pem"
dest: /root/{{ item }}.pem
owner: root
group: root
mode: "0600"
with_items:
- isrgrootx1
- isrg-root-x2
- name: "FreeIPA Certificates | PATCH | Download Let's Encrypt Intermediates"
ansible.builtin.get_url:
url: "https://letsencrypt.org/certs/2024/{{ item }}.pem"
dest: "/root/{{ item }}.pem"
owner: root
group: root
mode: "0600"
with_items:
- e7-cross
- e8-cross
- r12
- r13
- name: "FreeIPA Certificates | AUDIT | Check httpd"
ansible.builtin.systemd_service:
name: httpd
register: freeipa_certs_httpd_status
- name: "FreeIPA Certificates | PATCH | Stop httpd"
ansible.builtin.systemd_service:
name: httpd
state: stopped
when: freeipa_certs_httpd_status.status.ActiveState == "active"
- name: "FreeIPA Certificates | PATCH | Add http service to firewall (in case freeipa service is not yet configured)"
ansible.posix.firewalld:
service: http
state: enabled
- name: "FreeIPA Certificates | PATCH | Request new certificate"
ansible.builtin.command:
cmd: certbot certonly --standalone --preferred-challenges http --agree-tos -n -d {{ inventory_hostname }} --register-unsafely-without-email
when: freeipa_certs_existing_cert.failed
- name: "FreeIPA Certificates | PATCH | Renew existing certificate"
ansible.builtin.command:
cmd: certbot renew
when: not freeipa_certs_existing_cert.failed
- name: "FreeIPA Certificates | PATCH | Remove http service from firewall"
ansible.posix.firewalld:
service: http
state: disabled
- name: "FreeIPA Certificates | PATCH | Start httpd"
ansible.builtin.systemd_service:
name: httpd
state: started
when: freeipa_certs_httpd_status.status.ActiveState == "active"
- name: "FreeIPA Certificates | PATCH | Create PKCS#12 encoded certificate"
community.crypto.openssl_pkcs12:
action: export
path: /root/server.p12
friendly_name: "{{ inventory_hostname }}"
privatekey_path: "/etc/letsencrypt/live/{{ inventory_hostname }}/privkey.pem"
certificate_path: "/etc/letsencrypt/live/{{ inventory_hostname }}/cert.pem"
other_certificates: "/etc/letsencrypt/live/{{ inventory_hostname }}/chain.pem"
other_certificates_parse_all: true
owner: root
group: root
mode: "0600"
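Review bot: The block opened at `- name: "FreeIPA Certificates | PATCH | Request a new or renewed certificate"` has no `always:` section, so when `certbot certonly` or `certbot renew` fails the tasks `Remove http service from firewall` and `Start httpd` never run, leaving the http service enabled in firewalld and httpd stopped on the IPA server until the next successful run. Moving those two tasks into an `always:` restores firewall and service state on every exit path; the httpd restart then needs an `is defined` guard, because a failure before `Check httpd` leaves `freeipa_certs_httpd_status` unset. Separately, the files fetched in `Download Let's Encrypt Root` are later passed to the ipaserver/ipareplica roles as CA trust anchors, so pinning them with `checksum: "sha256:<ROOT_SHA256_PLACEHOLDER>"` on that get_url task would catch an unexpected change in the downloaded file rather than silently trusting it. The registered-result test is more idiomatic as `freeipa_certs_existing_cert is failed` than as `.failed`, and `dest: /root/{{ item }}.pem` in the root download is the only unquoted templated path in the file.
```yaml
- name: "FreeIPA Certificates | PATCH | Request a new or renewed certificate"
  when: (freeipa_certs_existing_cert.failed) or (freeipa_certs_days_until_expiry | int < 30)
  block:
    # … unchanged: download roots/intermediates, check and stop httpd, open http in firewalld, certbot certonly / renew, PKCS#12 export …
  always:
    - name: "FreeIPA Certificates | PATCH | Remove http service from firewall"
      ansible.posix.firewalld:
        service: http
        state: disabled
    - name: "FreeIPA Certificates | PATCH | Start httpd"
      ansible.builtin.systemd_service:
        name: httpd
        state: started
      when:
        - freeipa_certs_httpd_status is defined
        - freeipa_certs_httpd_status.status.ActiveState == "active"
```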


@ -0,0 +1,52 @@
---
- name: FreeIPA | PATCH | Request or renew Let's Encrypt Certificates
ansible.builtin.include_tasks:
file: certs.yml
- name: FreeIPA | PATCH | Deploy first FreeIPA server
ansible.builtin.include_role:
role: freeipa.ansible_freeipa.ipaserver
vars:
ipaserver_ca_cert_files:
- /root/isrgrootx1.pem
- /root/isrg-root-x2.pem
ipaserver_dirsrv_cert_name: "{{ ansible_inventory }}"
ipaserver_dirsrv_cert_files: [ "/root/server.p12" ]
ipaserver_dirsrv_pin: ""
ipaserver_firewalld_zone: public
ipaserver_http_cert_name: "{{ ansible_inventory }}"
ipaserver_http_cert_files: [ "/root/server.p12" ]
ipaserver_http_pin: ""
ipaserver_no_hbac_allow: true
ipaserver_no_pkinit: true
ipaserver_setup_dns: false
when: inventory_hostname == groups['ipaservers'][0]
- name: FreeIPA | PATCH | Deploy replica FreeIPA servers
ansible.builtin.include_role:
role: freeipa.ansible_freeipa.ipareplica
vars:
ipareplica_ca_cert_files:
- /root/isrgrootx1.pem
- /root/isrg-root-x2.pem
ipareplica_dirsrv_cert_name: "{{ ansible_inventory }}"
ipareplica_dirsrv_cert_files: [ "/root/server.p12" ]
ipareplica_dirsrv_pin: ""
ipareplica_firewalld_zone: public
ipareplica_http_cert_name: "{{ ansible_inventory }}"
ipareplica_http_cert_files: [ "/root/server.p12" ]
ipareplica_http_pin: ""
ipareplica_no_pkinit: true
ipareplica_setup_dns: false
- name: FreeIPA | AUDIT | Check current authselect configuration
command: authselect current
register: freeipa_authselect_status
changed_when: false
- name: FreeIPA | PATCH | Apply authselect profile with sssd, sudo, and mkhomedir if not set
command: authselect select sssd with-sudo with-mkhomedir
when: >
'Profile ID: sssd' not in freeipa_authselect_status.stdout or
'with-sudo' not in freeipa_authselect_status.stdout or
'with-mkhomedir' not in freeipa_authselect_status.stdout
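Review bot: `ipaserver_dirsrv_cert_name`, `ipaserver_http_cert_name`, `ipareplica_dirsrv_cert_name` and `ipareplica_http_cert_name` are all set to `"{{ ansible_inventory }}"`, which is not an Ansible magic variable; certs.yml exports the PKCS#12 with `friendly_name: "{{ inventory_hostname }}"`, and the cert name handed to the ipaserver/ipareplica roles has to match that friendly name, so these four lines should read `"{{ inventory_hostname }}"`. The replica include (`Deploy replica FreeIPA servers`) carries no `when:`, so it is also evaluated on `groups['ipaservers'][0]`; mirroring the first task with `when: inventory_hostname != groups['ipaservers'][0]` makes the intent explicit. Renewal in certs.yml regenerates /root/server.p12 on later runs, but nothing in this file installs a renewed certificate into an already-deployed server — the role vars only take effect at install time — so renewed certificates presumably never reach httpd/dirsrv; worth confirming and, if so, adding an `ipa-server-certinstall` step after a renewal. The two `command:` tasks at the end use the short module name while the rest of the role uses `ansible.builtin.command`.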