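---
# idmBuild.yaml — ordered build of a Red Hat IdM environment with a Windows/AD
# trust: promote the Windows DC and delegate a sub-domain, register the RHEL
# hosts, prepare the OS, install IdM server/replicas/clients, then apply the
# IdM-side configuration (trust, IdP, users, groups, HBAC, sudo).
#
# Inventory groups used: win, ipaserver, ipareplicas, ipaclients (and `all:!win`).
# Plays tagged `never` only run when requested explicitly with `--tags <tag>`;
# everything else runs on a plain `ansible-playbook idmBuild.yaml`.

# Windows section
- name: Configure Windows pt 1
  hosts: win
  gather_facts: true
  become_method: runas
  become_user: Administrator
  become: false  # runas/Administrator are declared here but not enabled play-wide; presumably opted into per task inside the role — verify
  roles:
    - role: winPromote  # Converts Windows server into domain controller and adds users and groups
      state: present
  tags: win1

- name: Configure Windows pt 2
  hosts: win
  become_method: runas
  become_user: Administrator
  become: false
  roles:
    - role: win_delegate  # Delegates sub-domain to IdM
      state: present
  tags: win2

## Need to choose which method to update systems with.
# Exactly one of the three registration methods below is expected per run:
# `cdn`, `katello` and `rtgrc` are gated with `never`; `pgrc` is not (see note).
- name: Subscribe systems to RH CDN
  hosts: ipaserver:ipareplicas
  become: true
  roles:
    - role: subscribe-cdn  # Registers RHEL systems to the Red Hat CDN
  tags:
    - cdn
    - never

- name: Subscribe systems to local satellite
  hosts: all:!win
  become: true
  tasks:
    - name: Using katello-ca
      ansible.builtin.import_tasks: roles/subscribe-sat/tasks/katello.yml
      tags:
        - katello
        - never

    - name: Using runtime generated registration command
      ansible.builtin.import_tasks: roles/subscribe-sat/tasks/sat616-2.yml
      tags:
        - rtgrc
        - never

    - name: Using pre-generated registration command
      # NOTE(review): imports the same task file as the "runtime generated" task
      # above — confirm this is intended and not a copy/paste of the path.
      ansible.builtin.import_tasks: roles/subscribe-sat/tasks/sat616-2.yml
      tags:
        - pgrc
        # - never
        # With `never` commented out this task runs on every untagged run,
        # i.e. pre-generated registration is the default registration method.

# OS section
- name: Add local linux users
  hosts: all:!win
  gather_facts: true
  roles:
    - role: local_users  # Adds additional users to local RHEL systems
  tags: locUsers

- name: Configure hosts file
  hosts: all:!win
  roles:
    - role: update_hosts  # Adds local hostname to /etc/hosts file
  tags: confHosts

- name: Update nameserver entry on ipareplcas and ipaclients
  hosts: ipareplicas:ipaclients
  roles:
    - role: rhel-system-roles.network  # Changes IdM clients DNS to point to IdM server for resolution
  tags: network

- name: Update Crypto for AD-Trust
  hosts: ipaserver:ipareplicas
  become: true
  roles:
    - role: redhat.rhel_system_roles.crypto_policies  # Updates crypto policy
      vars:
        crypto_policies_policy: "{{ crypto }}"  # policy name comes from inventory/extra vars
        crypto_policies_reboot_required: true  # the role reboots the IdM servers when the policy changes
  tags:
    - crypto
    - never

- name: Installs the IdM server
  hosts: ipaserver
  roles:
    - role: redhat.rhel_idm.ipaserver
  tags: server

# umask22 / umask77 bracket the IdM installs; presumably this temporarily
# relaxes a STIG umask (077) that the installers cannot cope with — verify.
- name: Set umask on replicas and clients
  hosts: ipareplicas:ipaclients
  become: true
  roles:
    - role: umask22
  tags:
    - stig
    - never

- name: Turn IdM DNS PTR Sync on
  hosts: ipaserver
  roles:
    - role: idm-dns_ptr
  tags: server

- name: Installs the IdM replicas
  hosts: ipareplicas
  roles:
    - role: redhat.rhel_idm.ipareplica
  tags: replicas

- name: Installs the IdM clients
  hosts: ipaclients:ipareplicas  # same union as `ipaclients,ipareplicas`; `:` matches the other plays
  roles:
    - role: redhat.rhel_idm.ipaclient
  tags: clients

- name: Revert umask back on replicas and clients
  hosts: ipareplicas:ipaclients  # must be the same host set as the "Set umask" play so no host is left relaxed
  become: true
  roles:
    - role: umask77
  tags:
    - stig
    - never

# IdM configuration
- name: Sets up the AD trust.
  hosts: ipaserver
  roles:
    - role: idm-dns_ad_setup
  tags: adtrust

- name: Setup IDP
  hosts: ipaserver
  roles:
    - role: idm-idp
  tags:
    - idp

- name: Create IdM users
  hosts: ipaserver
  roles:
    - role: idm-users
  tags: idmUsers

- name: Create external group for AD Users/Groups
  hosts: ipaserver
  roles:
    - role: idm-groups
  tags: idmGrps

- name: Set default shell
  hosts: ipaserver
  roles:
    - role: idm-defaults
  tags: defaults

- name: Create client host group
  hosts: ipaserver
  become: false
  roles:
    - role: idm-hostgroup
  tags: hostGrp

- name: Create HBAC Rules
  hosts: ipaserver
  become: false
  roles:
    - role: idm-hbac
  tags: hbac

- name: Create IdM SUDO rules
  hosts: ipaserver
  become: false
  roles:
    - role: idm-sudo
  tags: sudo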