Add user handling role for IPA

* Add all users exported from IPA

group_vars/all/vars.yml

@@ -39,10 +39,6 @@ desktop_software:
   - perl-Clipboard
   - perl-Capture-Tiny
 
-ipaserver: las126.las.kit.edu
-ipaserver2: las100.las.kit.edu
-ipaserver3: las101.las.kit.edu
-
 # this should be the IP or in the sshd_config the "UseDNS" must be set to yes
 ansible_server: 129.13.108.126
 
@@ -54,3 +50,11 @@ userinstall_vars: "{{ vault_userinstall_vars }}"
 admin_mail: "{{ vault_admin_mail }}"
 
 rootkey: "{{ vault_rootkey }}"
+
+# IPA
+gid: "{{ vault_gid }}"
+ipaserver1: "{{ vault_ipaserver1 }}"
+ipaserver2: "{{ vault_ipaserver2 }}"
+ipaserver3: "{{ vault_ipaserver3 }}"
+
+ipa_users: "{{ vault_ipa_users }}"

hosts

@@ -138,7 +138,7 @@ las-gethmann.las.kit.edu
 las115.las.kit.edu
 
 [local]
-# 127.0.0.1 ansible_connection=local
+127.0.0.1 ansible_connection=local
 
 [admin_pcs]
 las101.las.kit.edu

ipa_user.yml

+---
+- hosts: ipa
+  vars: 
+  vars_prompt:
+    - name: "ipa_admin_pass"
+      prompt: "What is IPA's admin password?"
+      private: yes
+
+  roles:
+    - ipa_users

roles/ipa_hosts/tasks/add_ipa_host.yml

+---
+- name: install host
+  become: yes
+  dnf:
+    name: "{{ item }}"
+    state: installed
+  with_items:
+    - "freeipa-client"
+    - "sssd"
+
+- name: add ipa hosts to etc
+  become: yes
+  lineinfile:
+    line: "{{ ipa_host_ip }} {{ ipa_host }}"
+    path: /etc/hosts
+    state: present
+    backup: yes
+    insertbefore: BOF
+
+# TODO
+#  - name: copy server cert
+#    copy:
+#      src: las100.pem
+#      dest: /etc/pki/ca-trust/source/anchors/las100.pem
+#    notify: update certdb
+
+- name: set hostname
+  become: yes
+  hostname:
+    name: "las{{ ip_suffix }}.las.kit.edu"
+
+- name: add host
+  become: yes
+  ipa_host:
+    name: "{{ ansible_fqdn }}"
+    force: yes
+    description: "{{ computer_name }}"
+    ip_address: "{{ ansible_default_ipv4.address }}"
+    ns_host_location: "{{ loc }}"
+    ns_os_version: "{{ ansible_distribution }} {{ ansible_distribution_version }}"
+    ns_hardware_platform: "{{ ansible_bios_date }}"
+    # mac_address: 
+    state: present
+    ipa_host: "{{ ipaserver1 }}"
+    ipa_user: admin
+    ipa_pass: "{{ ipa_pass }}"
+    random_password: True
+    # CHANGE THIS when implemented copy of cert!!!!
+    validate_certs: no
+  register: host_installed
+
+- name: get random password
+  script: "./activate_ipa_host.py {{ansible_fqdn }}"
+  delegate_to: 127.0.0.1
+  register: random_pass
+
+- name: activate host
+  become: yes
+  command: "ipa-client-install --hostname={{ ansible_fqdn }} --domain={{ ipa_domain }} --server={{ ipaserver1 }} --server={{ ipaserver2 }} --server={{ ipaserver3 }} --fixed-primary --mkhomedir -N --no-sshd --no-ssh -U --password={{ random_pass.stdout }}"
+  when: random_pass.changed

roles/ipa_users/tasks/main.yml

+---
+- name: activate user
+  ipa_user:
+    ipa_host: "{{ ipaserver1 }}"
+    ipa_pass: "{{ ipa_admin_pass }}"
+    uid: "{{ item.name }}"
+    mail: "{{ item.email }}"
+    state: "{{ item.state }}"
+    displayname: "{{ item.name }}"
+    givenname: "{{ item.firstname }}"
+    # sn: "{{ item.name }}"
+    uidnumber: "{{ item.uid }}"
+    gidnumber: "{{ gid }}"
+  with_items:
+    - "{{ ipa_user }}"

test

+[localhost]
+127.0.0.1 ansible_connection=local