52 lines
1.9 KiB
YAML
52 lines
1.9 KiB
YAML
---
|
|
- name: FreeIPA | PATCH | Request or renew Let's Encrypt Certificates
|
|
ansible.builtin.include_tasks:
|
|
file: certs.yml
|
|
|
|
- name: FreeIPA | PATCH | Deploy first FreeIPA server
|
|
ansible.builtin.include_role:
|
|
role: freeipa.ansible_freeipa.ipaserver
|
|
vars:
|
|
ipaserver_ca_cert_files:
|
|
- /root/isrgrootx1.pem
|
|
- /root/isrg-root-x2.pem
|
|
ipaserver_dirsrv_cert_name: "{{ ansible_inventory }}"
|
|
ipaserver_dirsrv_cert_files: [ "/root/server.p12" ]
|
|
ipaserver_dirsrv_pin: ""
|
|
ipaserver_firewalld_zone: public
|
|
ipaserver_http_cert_name: "{{ ansible_inventory }}"
|
|
ipaserver_http_cert_files: [ "/root/server.p12" ]
|
|
ipaserver_http_pin: ""
|
|
ipaserver_no_hbac_allow: true
|
|
ipaserver_no_pkinit: true
|
|
ipaserver_setup_dns: false
|
|
when: inventory_hostname == groups['ipaservers'][0]
|
|
|
|
- name: FreeIPA | PATCH | Deploy replica FreeIPA servers
|
|
ansible.builtin.include_role:
|
|
role: freeipa.ansible_freeipa.ipareplica
|
|
vars:
|
|
ipareplica_ca_cert_files:
|
|
- /root/isrgrootx1.pem
|
|
- /root/isrg-root-x2.pem
|
|
ipareplica_dirsrv_cert_name: "{{ ansible_inventory }}"
|
|
ipareplica_dirsrv_cert_files: [ "/root/server.p12" ]
|
|
ipareplica_dirsrv_pin: ""
|
|
ipareplica_firewalld_zone: public
|
|
ipareplica_http_cert_name: "{{ ansible_inventory }}"
|
|
ipareplica_http_cert_files: [ "/root/server.p12" ]
|
|
ipareplica_http_pin: ""
|
|
ipareplica_no_pkinit: true
|
|
ipareplica_setup_dns: false
|
|
|
|
- name: FreeIPA | AUDIT | Check current authselect configuration
|
|
command: authselect current
|
|
register: freeipa_authselect_status
|
|
changed_when: false
|
|
|
|
- name: FreeIPA | PATCH | Apply authselect profile with sssd, sudo, and mkhomedir if not set
|
|
command: authselect select sssd with-sudo with-mkhomedir
|
|
when: >
|
|
'Profile ID: sssd' not in freeipa_authselect_status.stdout or
|
|
'with-sudo' not in freeipa_authselect_status.stdout or
|
|
'with-mkhomedir' not in freeipa_authselect_status.stdout
|