From 2458aff5b5650d9979e84db79f12b8adfe8b3197 Mon Sep 17 00:00:00 2001 From: William Graef Date: Mon, 9 Dec 2024 20:02:18 -0500 Subject: [PATCH 01/13] add freeipa deployment to olam --- olam/create_instance.yml | 6 +- olam/default_vars.yml | 3 +- olam/deploy_free_ipa.yml | 64 +++++++++++++++++++ ...y-olam-tasks.yml => deploy_olam_tasks.yml} | 0 olam/requirements.yml | 4 ++ olam/templates/install_ipa.j2 | 2 + 6 files changed, 77 insertions(+), 2 deletions(-) create mode 100644 olam/deploy_free_ipa.yml rename olam/{deploy-olam-tasks.yml => deploy_olam_tasks.yml} (100%) create mode 100644 olam/templates/install_ipa.j2 diff --git a/olam/create_instance.yml b/olam/create_instance.yml index bce660a..5137644 100644 --- a/olam/create_instance.yml +++ b/olam/create_instance.yml @@ -320,7 +320,7 @@ - use_olae_only - name: Install Oracle Linux Automation Manager - ansible.builtin.include_tasks: deploy-olam-tasks.yml + ansible.builtin.include_tasks: deploy_olam_tasks.yml vars: control_node_ip: "{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}" when: @@ -331,6 +331,10 @@ ansible.builtin.import_playbook: update_all_rpms.yml when: update_all +- name: Install free ipa server + ansible.builtin.import_playbook: deploy_free_ipa.yml + when: use_freeipa + - name: Print instances hosts: all become: true diff --git a/olam/default_vars.yml b/olam/default_vars.yml index 83a2e6e..3a2353d 100644 --- a/olam/default_vars.yml +++ b/olam/default_vars.yml @@ -21,4 +21,5 @@ block_count: 1 update_all: false passwordless_ssh: true olam_single_host: false -use_olae_only: false \ No newline at end of file +use_olae_only: false +use_freeipa: false \ No newline at end of file diff --git a/olam/deploy_free_ipa.yml b/olam/deploy_free_ipa.yml new file mode 100644 index 0000000..8d97715 --- /dev/null +++ b/olam/deploy_free_ipa.yml 
@@ -0,0 +1,64 @@ +--- +- name: Setup freeipa server using a role + hosts: ipa-server + become: true + vars: + ipaserver_domain: "{{ ansible_domain }}" + ipaserver_realm: "{{ ansible_domain|upper }}" + ipaserver_setup_dns: false + ipaadmin_password: ADMPassword1 + ipadm_password: DMPassword1 + + roles: + - role: freeipa.ansible_freeipa.ipaserver + state: present + +# - name: Setup freeipa server manually on ol8 +# hosts: ipa-server +# become: yes +# vars: +# ipaserver_domain: "{{ ansible_domain }}" +# ipaserver_realm: "{{ ansible_domain|upper }}" +# ipaserver_setup_dns: no +# ipaadmin_password: ADMPassword1 +# ipadm_password: DMPassword1 + +# tasks: + +# - name: Set firewall rules for freeipa +# ansible.posix.firewalld: +# zone: public +# service: "{{ item }}" +# permanent: yes +# state: enabled +# immediate: yes +# loop: +# - freeipa-4 + +# - name: Enable the idm DL1 module stream +# ansible.builtin.dnf: +# name: '@idm:DL1' +# state: present +# when: +# - ansible_distribution == 'OracleLinux' and ansible_distribution_major_version == '8' + +# - name: Install freeipa packages and dependencies +# ansible.builtin.dnf: +# name: +# - ipa-server +# state: latest + +# - name: Copy script +# ansible.builtin.template: +# src: templates/install.j2 +# dest: /root/install.sh +# mode: '0755' + +# - name: Install the freeipa server +# #ansible.builtin.shell: ipa-server-install -r {{ ipaserver_realm | quote }} -p {{ ipadm_password | quote }} -a {{ ipaadmin_password | quote }} -U +# shell: /root/install.sh +# register: freeipa_install + +# - name: Output from freeipa install +# ansible.builtin.debug: +# msg: "{{ freeipa_install.stdout }}" diff --git a/olam/deploy-olam-tasks.yml b/olam/deploy_olam_tasks.yml similarity index 100% rename from olam/deploy-olam-tasks.yml rename to olam/deploy_olam_tasks.yml diff --git a/olam/requirements.yml b/olam/requirements.yml index fa329b2..5318626 100644 --- a/olam/requirements.yml +++ b/olam/requirements.yml 
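Review bot: The FreeIPA Directory Manager and admin passwords are committed in plaintext as play vars (`ipaadmin_password: ADMPassword1`, `ipadm_password: DMPassword1`), so anyone with read access to this repository holds the root credentials of the realm, and they cannot be rotated without editing the playbook. Move them out of the file, e.g. `ipaadmin_password: "{{ vault_ipaadmin_password }}"` and `ipadm_password: "{{ vault_ipadm_password }}"` supplied from an Ansible Vault file or `-e`, or generate them with `lookup('password', ...)` and persist the result in a vault. The commented-out manual variant below repeats the same two literals and references `templates/install.j2` while the template added in this series is `install_ipa.j2`, so deleting that dead block also removes the second copy of the secrets. `ipaserver_domain: "{{ ansible_domain }}"` will be empty on an instance with no DNS search domain, which the role will reject; a brief comment stating that the target must have a resolvable FQDN before this play runs would save a confusing failure.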
@@ -28,5 +28,9 @@ collections: version: main - name: https://github.com/ansible-collections/community.libvirt.git + type: git + version: main + + - name: https://github.com/freeipa/ansible-freeipa.git type: git version: main \ No newline at end of file diff --git a/olam/templates/install_ipa.j2 b/olam/templates/install_ipa.j2 new file mode 100644 index 0000000..e15dce9 --- /dev/null +++ b/olam/templates/install_ipa.j2 @@ -0,0 +1,2 @@ +#!/bin/bash +/usr/sbin/ipa-server-install -r {{ ipaserver_realm | quote }} -p {{ ipadm_password | quote }} -a {{ ipaadmin_password | quote }} -U From 5defcc7e1366ca65eb19ee4286a7f40239d97dec Mon Sep 17 00:00:00 2001 From: William Graef Date: Tue, 10 Dec 2024 09:01:19 -0500 Subject: [PATCH 02/13] update branch for freeipa collection --- olam/requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/olam/requirements.yml b/olam/requirements.yml index 5318626..93a0cc0 100644 --- a/olam/requirements.yml +++ b/olam/requirements.yml @@ -33,4 +33,4 @@ collections: - name: https://github.com/freeipa/ansible-freeipa.git type: git - version: main \ No newline at end of file + version: master \ No newline at end of file From e45b491f430743cdbcda9f1f602796102fbf118e Mon Sep 17 00:00:00 2001 From: William Graef Date: Tue, 10 Dec 2024 13:06:56 -0500 Subject: [PATCH 03/13] add git server --- olam/deploy_free_ipa.yml | 5 ++++ olam/deploy_git_server.yml | 53 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 58 insertions(+) create mode 100644 olam/deploy_git_server.yml diff --git a/olam/deploy_free_ipa.yml b/olam/deploy_free_ipa.yml index 8d97715..ea96a7f 100644 --- a/olam/deploy_free_ipa.yml +++ b/olam/deploy_free_ipa.yml 
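Review bot: `install_ipa.j2` passes both IPA passwords on the `ipa-server-install` command line (`-p {{ ipadm_password | quote }} -a {{ ipaadmin_password | quote }}`), where any local user can read them from the process list while the install runs, and the rendered script keeps them on disk afterwards; the commented-out task that would copy it uses `mode: '0755'`, i.e. world-readable. The `| quote` filter does prevent shell injection from the values, but not this exposure. Since the active play in this series installs through the `ipaserver` role, the template appears to be dead code and could be dropped; if it is kept, render it with `mode: '0700'`, remove it after the run, and add a header comment such as `# NOTE: passwords given as arguments are visible in ps and audit logs` so the trade-off is explicit.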
@@ -1,4 +1,9 @@ --- +# Copyright (c) 2024 Oracle and/or its affiliates. +# This software is made available to you under the terms of the Universal Permissive License (UPL), Version 1.0. +# The Universal Permissive License (UPL), Version 1.0 (see COPYING or https://oss.oracle.com/licenses/upl) +# See LICENSE.TXT for details. + - name: Setup freeipa server using a role hosts: ipa-server become: true diff --git a/olam/deploy_git_server.yml b/olam/deploy_git_server.yml new file mode 100644 index 0000000..77a8dbc --- /dev/null +++ b/olam/deploy_git_server.yml @@ -0,0 +1,53 @@ +--- +# Copyright (c) 2024 Oracle and/or its affiliates. +# This software is made available to you under the terms of the Universal Permissive License (UPL), Version 1.0. +# The Universal Permissive License (UPL), Version 1.0 (see COPYING or https://oss.oracle.com/licenses/upl) +# See LICENSE.TXT for details. + +- name: Configure a git server + hosts: git-server + become: true + vars: + ssh_key_params: "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty " + + tasks: + + - name: Add git user + ansible.builtin.user: + name: git + comment: standard git user + + - name: Set authorized key for git access using local pubilc key file + ansible.posix.authorized_key: + user: git + state: present + key: "{{ lookup('file', lookup('env', 'HOME') + '/.ssh/' + private_key + '.pub') }}" + + - name: Install git + ansible.builtin.dnf: + name: git + state: present + + - name: Create new repo on the git server + ansible.builtin.file: + path: /git-server/repos/hello-world.git + owner: git + group: git + state: directory + mode: "0755" + + - name: Set git default branch + community.general.git_config: + name: init.defaultBranch + scope: global + value: main + + - name: Initialize a bare repo + ansible.builtin.shell: | + git init --bare + args: + chdir: /git-server/repos/hello-world.git/ + become: true + become_user: git + register: git_results + changed_when: git_results.rc != 0 
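Review bot: `Set git default branch` runs as root (the play's `become: true` with no `become_user`), so `init.defaultBranch` is written to root's global git config, while `Initialize a bare repo` runs as `git` and never sees it; add `become_user: git` to the `git_config` task. The `changed_when: git_results.rc != 0` on the init task is inverted — a successful `git init` reports unchanged and only a failure (which already aborts the play) would report changed — and every rerun re-initialises the repository; replace it with `creates: /git-server/repos/hello-world.git/HEAD` under `args:` and drop `changed_when`. A short comment on the repo-directory task, `# bare repository served over SSH as the git user`, would make the layout under `/git-server/repos` self-explanatory.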
From 3c8ac4570043325d05da24b5e60c6649c239aad7 Mon Sep 17 00:00:00 2001 From: William Graef Date: Tue, 10 Dec 2024 13:07:29 -0500 Subject: [PATCH 04/13] add use_git var --- olam/default_vars.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/olam/default_vars.yml b/olam/default_vars.yml index 3a2353d..afed48e 100644 --- a/olam/default_vars.yml +++ b/olam/default_vars.yml @@ -22,4 +22,5 @@ update_all: false passwordless_ssh: true olam_single_host: false use_olae_only: false -use_freeipa: false \ No newline at end of file +use_freeipa: false +use_git: false \ No newline at end of file From 38b72357aef232e9b5e15df4374faf902f334294 Mon Sep 17 00:00:00 2001 From: William Graef Date: Tue, 10 Dec 2024 19:07:30 -0500 Subject: [PATCH 05/13] add extra group to host setup --- olam/create_instance.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/olam/create_instance.yml b/olam/create_instance.yml index 5137644..87768c9 100644 --- a/olam/create_instance.yml +++ b/olam/create_instance.yml @@ -304,7 +304,10 @@ - name: Configure instance ansible.builtin.include_tasks: "host_setup.yml" - when: inventory_hostname in groups['control'] + when: >- + inventory_hostname in + groups['control'] + + groups['server'] - name: Configure passwordless SSH ansible.builtin.include_tasks: "olam_passwordless_setup.yml" From f3c326f10c74c0b7775a461c7b67a1672919d826 Mon Sep 17 00:00:00 2001 From: William Graef Date: Tue, 10 Dec 2024 20:53:23 -0500 Subject: [PATCH 06/13] update collections reqs --- olam/requirements.yml | 34 +++++++--------------------------- 1 file changed, 7 insertions(+), 27 deletions(-) diff --git a/olam/requirements.yml b/olam/requirements.yml index 93a0cc0..1c78eed 100644 --- a/olam/requirements.yml +++ b/olam/requirements.yml 
@@ -7,30 +7,10 @@ # roles: collections: - - name: https://github.com/ansible-collections/community.general.git - type: git - version: main - - - name: https://github.com/ansible-collections/ansible.posix.git - type: git - version: main - - - name: https://github.com/oracle/oci-ansible-collection.git - type: git - version: master - - - name: https://github.com/ansible-collections/community.postgresql.git - type: git - version: main - - - name: https://github.com/ansible-collections/community.crypto.git - type: git - version: main - - - name: https://github.com/ansible-collections/community.libvirt.git - type: git - version: main - - - name: https://github.com/freeipa/ansible-freeipa.git - type: git - version: master \ No newline at end of file + - ansible.posix + - community.general + - community.postgresql + - community.crypto + - freeipa.ansible_freeipa + - community.libvirt + - oracle.oci From 88689a9d5e04740d0058384a295838d5f77e4557 Mon Sep 17 00:00:00 2001 From: William Graef Date: Tue, 10 Dec 2024 21:17:19 -0500 Subject: [PATCH 07/13] fix olam repo enabled versions --- olam/deploy_olam_tasks.yml | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/olam/deploy_olam_tasks.yml b/olam/deploy_olam_tasks.yml index d8622a7..9e3bd7b 100644 --- a/olam/deploy_olam_tasks.yml +++ b/olam/deploy_olam_tasks.yml 
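Review bot: Switching from git branches to Galaxy names removes the floating `main`/`master` refs, but none of the seven entries carries a `version:`, so every `ansible-galaxy collection install -r requirements.yml` pulls whatever the newest release is at that moment and two runs of this project can install different code. Pin each collection to the release you tested against, e.g. `- name: freeipa.ansible_freeipa` followed by `  version: "<tested release>"`, and bump the pins deliberately. A comment at the top of the list, `# versions pinned; update together with the playbooks that use them`, would signal that the file is meant to be reproducible.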
@@ -131,16 +131,24 @@ - name: Disable Oracle Linux Automation Manager 1.0 repository community.general.ini_file: path: "/etc/yum.repos.d/oraclelinux-automation-manager-ol8.repo" - section: ol8_automation1 + section: ol8_automation option: enabled value: "0" mode: '0644' -- name: Enable Oracle Linux Automation Manager 2.0 repository +- name: Disable Oracle Linux Automation Manager 2.0 repository community.general.ini_file: path: "/etc/yum.repos.d/oraclelinux-automation-manager-ol8.repo" section: ol8_automation2 option: enabled + value: "0" + mode: '0644' + +- name: Enable Oracle Linux Automation Manager 2.2 repository + community.general.ini_file: + path: "/etc/yum.repos.d/oraclelinux-automation-manager-ol8.repo" + section: ol8_automation2.2 + option: enabled value: "1" mode: '0644' From ea061ab3f58e03014fbf53cfc7ffbc2f29cdceed Mon Sep 17 00:00:00 2001 From: William Graef Date: Tue, 10 Dec 2024 22:16:18 -0500 Subject: [PATCH 08/13] add ldap ingress rules --- olam/templates/ingress_security_rules.j2 | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/olam/templates/ingress_security_rules.j2 b/olam/templates/ingress_security_rules.j2 index db769f6..67de4f3 100644 --- a/olam/templates/ingress_security_rules.j2 +++ b/olam/templates/ingress_security_rules.j2 @@ -11,4 +11,26 @@ instance_ingress_security_rules: tcp_options: destination_port_range: max: 22 - min: 22 \ No newline at end of file + min: 22 + {% if use_freeipa %} + - source: "10.0.0.0/24" + protocol: 6 + destination_port_range: + max: 80 + min: 80 +- source: "10.0.0.0/24" + protocol: 6 + destination_port_range: + max: 443 + min: 443 +- source: "10.0.0.0/24" + protocol: 6 + destination_port_range: + max: 389 + min: 389 +- source: "10.0.0.0/24" + protocol: 6 + destination_port_range: + max: 636 + min: 636 +{% endif %} \ No newline at end of file From f5ac1c280fff99872fa18b31d7c53b4088613a0b Mon Sep 17 00:00:00 2001 
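Review bot: The three `ini_file` tasks in this hunk differ only in `section` and `value`, and the file now grows by a whole task each time a repository stream is added or retired; a single task with a `loop` over section/enabled pairs keeps `path`, `option` and `mode` in one place and shows the enabled set at a glance. The version below performs the same three writes in the same order. A comment above the loop, `# keep in sync with the streams shipped in oraclelinux-automation-manager-ol8.repo`, would tell the next maintainer where the section names come from.
```yaml
- name: Select the Oracle Linux Automation Manager repository stream
  community.general.ini_file:
    path: "/etc/yum.repos.d/oraclelinux-automation-manager-ol8.repo"
    section: "{{ item.section }}"
    option: enabled
    value: "{{ item.enabled }}"
    mode: '0644'
  loop:
    - section: ol8_automation
      enabled: "0"
    - section: ol8_automation2
      enabled: "0"
    - section: ol8_automation2.2
      enabled: "1"
```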
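Review bot: The rules added under `{% if use_freeipa %}` open only HTTP(S) and LDAP(S) (80, 443, 389, 636) to `10.0.0.0/24`, but FreeIPA clients also need Kerberos — 88 and 464 over both TCP and UDP — to authenticate and enrol, so `kinit` and `ipa-client-install` from other hosts in that subnet will be dropped by the security list even though the web UI is reachable. Add matching entries for those two ports with `protocol: 17` and `udp_options` alongside the TCP ones (the `freeipa-4` firewalld service referenced in the commented-out play includes them as well). The hard-coded `10.0.0.0/24` source has to match the subnet actually created by `create_instance.yml`, which this template cannot see; deriving it from a variable would be safer.
```yaml
# … unchanged: 80/443/389/636 rules …
  - source: "10.0.0.0/24"
    protocol: 6
    tcp_options:
      destination_port_range:
        max: 88
        min: 88
  - source: "10.0.0.0/24"
    protocol: 17
    udp_options:
      destination_port_range:
        max: 88
        min: 88
  - source: "10.0.0.0/24"
    protocol: 6
    tcp_options:
      destination_port_range:
        max: 464
        min: 464
  - source: "10.0.0.0/24"
    protocol: 17
    udp_options:
      destination_port_range:
        max: 464
        min: 464
{% endif %}
```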
From: William Graef Date: Wed, 11 Dec 2024 08:28:03 -0500 Subject: [PATCH 09/13] fix formatting of ingress rules --- olam/templates/ingress_security_rules.j2 | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/olam/templates/ingress_security_rules.j2 b/olam/templates/ingress_security_rules.j2 index 67de4f3..92ad8ac 100644 --- a/olam/templates/ingress_security_rules.j2 +++ b/olam/templates/ingress_security_rules.j2 @@ -12,23 +12,23 @@ instance_ingress_security_rules: destination_port_range: max: 22 min: 22 - {% if use_freeipa %} +{% if use_freeipa %} - source: "10.0.0.0/24" protocol: 6 destination_port_range: max: 80 min: 80 -- source: "10.0.0.0/24" + - source: "10.0.0.0/24" protocol: 6 destination_port_range: max: 443 min: 443 -- source: "10.0.0.0/24" + - source: "10.0.0.0/24" protocol: 6 destination_port_range: max: 389 min: 389 -- source: "10.0.0.0/24" + - source: "10.0.0.0/24" protocol: 6 destination_port_range: max: 636 From 732df83100bf04df2b6e4ce6c063e6fa8178f6c2 Mon Sep 17 00:00:00 2001 From: William Graef Date: Wed, 11 Dec 2024 08:36:57 -0500 Subject: [PATCH 10/13] add missing tcp options to ingress rules --- olam/templates/ingress_security_rules.j2 | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/olam/templates/ingress_security_rules.j2 b/olam/templates/ingress_security_rules.j2 index 92ad8ac..b956337 100644 --- a/olam/templates/ingress_security_rules.j2 +++ b/olam/templates/ingress_security_rules.j2 @@ -15,21 +15,25 @@ instance_ingress_security_rules: {% if use_freeipa %} - source: "10.0.0.0/24" protocol: 6 + tcp_options: destination_port_range: max: 80 min: 80 - source: "10.0.0.0/24" protocol: 6 + tcp_options: destination_port_range: max: 443 min: 443 - source: "10.0.0.0/24" protocol: 6 + tcp_options: destination_port_range: max: 389 min: 389 - source: "10.0.0.0/24" protocol: 6 + tcp_options: destination_port_range: max: 636 min: 636 From db9bc080d19a37f8a1cb686e1f4450ec8cb5d662 Mon Sep 17 00:00:00 2001 
From: William Graef Date: Wed, 11 Dec 2024 12:08:52 -0500 Subject: [PATCH 11/13] fix host setup group condition and git ssh keys --- olam/create_instance.yml | 8 ++++---- olam/deploy_git_server.yml | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/olam/create_instance.yml b/olam/create_instance.yml index 87768c9..0885bed 100644 --- a/olam/create_instance.yml +++ b/olam/create_instance.yml @@ -306,8 +306,8 @@ ansible.builtin.include_tasks: "host_setup.yml" when: >- inventory_hostname in - groups['control'] - + groups['server'] + groups['control']|default([]) + + groups['server']|default([]) - name: Configure passwordless SSH ansible.builtin.include_tasks: "olam_passwordless_setup.yml" @@ -319,7 +319,7 @@ - ansible-core state: present when: - - inventory_hostname in groups['control'] + - inventory_hostname in groups['control']|default([]) - use_olae_only - name: Install Oracle Linux Automation Manager @@ -327,7 +327,7 @@ vars: control_node_ip: "{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}" when: - - inventory_hostname in groups['control'] + - inventory_hostname in groups['control']|default([]) - olam_single_host - name: Update all rpm packages diff --git a/olam/deploy_git_server.yml b/olam/deploy_git_server.yml index 77a8dbc..43bcbbc 100644 --- a/olam/deploy_git_server.yml +++ b/olam/deploy_git_server.yml @@ -21,7 +21,7 @@ ansible.posix.authorized_key: user: git state: present - key: "{{ lookup('file', lookup('env', 'HOME') + '/.ssh/' + private_key + '.pub') }}" + key: "{{ ssh_key_params ~ lookup('file', lookup('env', 'HOME') + '/.ssh/' + private_key + '.pub') }}" - name: Install git ansible.builtin.dnf: From a1c595649bda7bd1273815acde2a23cd64ba6b6e Mon Sep 17 00:00:00 2001 From: William Graef Date: Wed, 11 Dec 2024 12:55:27 -0500 Subject: [PATCH 12/13] add git server import_playbook --- olam/create_instance.yml | 4 ++++ 1 file changed, 4 insertions(+) 
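Review bot: Prepending `no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty` to the authorized key limits the session features but still lets the key holder run arbitrary commands as `git` (for example `ssh git@host 'cat /etc/passwd'`), since `no-pty` only denies a terminal. Either give the account a restricted login shell with `shell: /usr/bin/git-shell` on the `Add git user` task earlier in this file (after `git` is installed), or add a `command="..."` forced command wrapping `git-shell`, so only git operations are possible; on OpenSSH 7.2 and later the single `restrict` option also covers all four of the current flags. The `lookup('file', ...)` runs on the controller, so a comment on the key task, `# public key is read from the controller's ~/.ssh, not the target`, would prevent surprises when the play is run from elsewhere.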
diff --git a/olam/create_instance.yml b/olam/create_instance.yml index 0885bed..cecda4c 100644 --- a/olam/create_instance.yml +++ b/olam/create_instance.yml @@ -338,6 +338,10 @@ ansible.builtin.import_playbook: deploy_free_ipa.yml when: use_freeipa +- name: Install git server + ansible.builtin.import_playbook: deploy_git_server.yml + when: use_git + - name: Print instances hosts: all become: true From fea2cf73d961439dc48efc3e478f1598b67a79c2 Mon Sep 17 00:00:00 2001 From: William Graef Date: Wed, 11 Dec 2024 13:14:57 -0500 Subject: [PATCH 13/13] add private_key to git playbook --- olam/deploy_git_server.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/olam/deploy_git_server.yml b/olam/deploy_git_server.yml index 43bcbbc..d5445cd 100644 --- a/olam/deploy_git_server.yml +++ b/olam/deploy_git_server.yml @@ -9,6 +9,7 @@ become: true vars: ssh_key_params: "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty " + private_key: "id_rsa" tasks: