Update freeipa_server role (#219)

Signed-off-by: Webster Mudge <[email protected]>

Author: wmudge

roles/freeipa_server/README.md

@@ -1,17 +1,61 @@
-<!--
- Copyright 2024 Cloudera, Inc.
+# freeipa_server
 
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
+Install FreeIPA server with support for DNS, Kerberos, TLS, and LDAP.
 
-     https://www.apache.org/licenses/LICENSE-2.0
+The role is typically used to support an internal domain, e.g. `.internal`.
 
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
--->
+The role will:
+- Enable local IPv6 networking, per FreeIPA installation requirements.
+- Install FreeIPA server packages.
+- Install and configure FreeIPA server for DNS, Kerberos, TLS, and LDAP.
+- Set up an ACL for DNS recursion.
+- Establish DNS zones for the defined domain.
 
-# freeipa_server
+## Requirements
+
+None.
+
+## Dependencies
+
+- `freeipa.ansible`
+
+## Examples
+
+```yaml
+- name: Install FreeIPA server for DNS, Kerberos, TLS, and LDAP.
+  ansible.builtin.import_role:
+    name: freeipa_server
+  vars:
+    ipaserver_forwarders: [ "1.1.1.1" ]
+    ipaserver_cidr: [ "10.0.0.1/20" ]
+    ipaserver_recursion_acl_cidr: [ "10.0.0.1/20" ]
+    ipaserver_domain: "example.internal"
+    ipaserver_realm: "EXAMPLE.INTERNAL"
+    ipaadmin_password: "krb_example"
+    ipadm_password: "dir_example"
+```
+
+To bind to explicit IP addresses, provide optional (push-down) parameters:
+
+```yaml
+ipaserver_ip_addresses: [ "10.0.0.14"]  # Bind DNS to these IP addresses only
+ipaclient_ip_address: "10.0.1.122"      # Join with this IP address
+```
+
+## License
+
+```
+Copyright 2024 Cloudera, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  https://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+```

roles/freeipa_server/defaults/main.yml

@@ -1,28 +1,29 @@
----
-
-# Copyright 2023 Cloudera, Inc. All Rights Reserved.
+# Copyright 2024 Cloudera, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
-#      http://www.apache.org/licenses/LICENSE-2.0
+#     https://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-#ipaserver_realm: "{{ krb5_realm | upper }}"
-#ipaserver_domain: "{{ krb5_domain | default(krb5_realm | lower) }}"
-#ipaserver_setup_firewalld: "no"
-#ipaserver_setup_dns: "{{ freeipa_autodns | default(omit) }}"
-#ipaserver_auto_forwarders:
-#ipadm_password:
+# ipaserver_packages: []
+
+ipaserver_domain: "{{ undef(hint='Please define the DNS domain') }}"
+ipaserver_realm: "{{ undef(hint='Please define the Kerberos realm') }}"
+
+ipaserver_cidr: "{{ undef(hint='Please define the CIDR list under management for the DNS service.') }}"
+ipaserver_forwarders: "{{ undef(hint='Please define the upstream DNS servers') }}"
+ipaserver_recursion_acl_cidr: "{{ undef(hint='Please define the CIDR list for the DNS recursion ACL') }}"
+
+ipaserver_ca_subject: "CN=CLDR-RootCA,O={{ ipaserver_domain }}"
+
+ipaadmin_principal: admin
+ipaadmin_password: "{{ undef(hint='Please define the FreeIPA administrator principal password') }}"
 
-# ipaserver_recursion_acl_cidr:
-ipaserver_resolv_nameservers: ["8.8.8.8"]
-ipaserver_server_recursion: true
-enable_dns: false
-needs_python2: true
+ipadm_password: "{{ undef(hint='Please define the FreeIPA Directory Manager admin password') }}"

roles/freeipa_server/handlers/main.yml

@@ -1,24 +1,19 @@
----
-# Copyright 2023 Cloudera, Inc. All Rights Reserved.
+# Copyright 2024 Cloudera, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
-#      http://www.apache.org/licenses/LICENSE-2.0
+#     https://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-- name: Restart network
+# named-pkcs11 is masked, so restart named
+- name: Restart DNS
   ansible.builtin.service:
-    name: NetworkManager
-    state: restarted
-
-- name: Restart dns
-  ansible.builtin.service:
-    name: named-pkcs11
+    name: named
     state: restarted

roles/freeipa_server/meta/argument_specs.yml

@@ -0,0 +1,70 @@
+# Copyright 2024 Cloudera, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+argument_specs:
+  main:
+    short_description: Set up FreeIPA server
+    description: |
+      Set up FreeIPA server with support for DNS, Kerberos, TLS, and LDAP.
+      Optionally, install the FreeIPA server packages.
+    author: Cloudera Labs
+    options:
+      ipaserver_packages:
+        description:
+          - List of FreeIPA packages to install.
+          - If not defined, the role will default to the packages defined in the P(freeipa.ansible_freeipa.ipaserver#role) role.
+        type: list
+        elements: str
+      ipaserver_domain:
+        description:
+          - Domain name to set as the root zone.
+        required: true
+      ipaserver_realm:
+        description:
+          - Realm to set for the Kerberos service.
+        required: true
+      ipaserver_cidr:
+        description:
+          - List of CIDR blocks to manage for the DNS service.
+        type: list
+        elements: str
+        required: true
+      ipaserver_forwarders:
+        description:
+          - List of upstream name servers for the DNS service.
+        type: list
+        elements: str
+        required: true
+      ipaserver_recursion_acl_cidr:
+        description:
+          - List of CIDR blocks to define the access ACL for DNS recursion.
+        type: list
+        elements: str
+        required: true
+      ipaserver_ca_subject:
+        description:
+          - Certificate Authority subject for the self-signed root CA.
+        default: "CN=CLDR-RootCA,O=ipaserver_domain"
+      ipaadmin_principal:
+        description:
+          - Kerberos principal for the FreeIPA administrator account.
+        default: admin
+      ipaadmin_password:
+        description:
+          - Password for the FreeIPA adminstrator Kerberos principal.
+        required: true
+      ipadm_password:
+        description:
+          - Password for the FreeIPA Directory Services administrator.
+        required: true

roles/freeipa_server/meta/main.yml

@@ -0,0 +1,46 @@
+# Copyright 2024 Cloudera, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Converge
+  hosts: all
+  gather_facts: true
+  become: true
+  tasks:
+    - name: Extract the VPC subnet ID from the Molecule platform configuration
+      ansible.builtin.set_fact:
+        test_subnet_id: "{{ molecule_yml.platforms | selectattr('name', 'eq', inventory_hostname) | map(attribute='vpc_subnet_id') | first }}"
+
+    - name: Retrieve the VPC subnet details
+      amazon.aws.ec2_vpc_subnet_info:
+        subnet_id: "{{ test_subnet_id }}"
+      register: __subnet
+      become: false
+      delegate_to: localhost
+
+    - name: Retrieve the VPC details
+      amazon.aws.ec2_vpc_net_info:
+        vpc_ids: "{{ __subnet.subnets | map(attribute='vpc_id') | first }}"
+      register: __vpc
+      become: false
+      delegate_to: localhost
+
+    - name: Install FreeIPA server
+      ansible.builtin.import_role:
+        name: freeipa_server
+      vars:
+        # See https://docs.aws.amazon.com/vpc/latest/userguide/vpc-dns.html
+        vpc_cidr: "{{ __vpc.vpcs | map(attribute='cidr_block') | list }}"
+        ipaserver_cidr: "{{ vpc_cidr }}"
+        ipaserver_forwarders: "{{ vpc_cidr | map('ansible.utils.ipmath', '2') | list }}"
+        ipaserver_recursion_acl_cidr: "{{ vpc_cidr }}"