
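---
# Only krb5-admin-server is installed explicitly; the krb5-kdc service
# started further down is presumably pulled in as a dependency of it —
# confirm against the target distribution's package metadata.
- name: Install packages
  package:
    name:
      - krb5-admin-server
    state: present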
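# Note the following is not really for production, where we already
# have a database set up. It is exercised by testing however.
# The registered result gates the bootstrap block that follows: the
# block runs only when this file is absent.
- name: Look for primary database
  stat:
    path: /var/lib/krb5kdc/principal
  register: _db_created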
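# Bootstrap an empty KDC database. The whole block is skipped when the
# database file already exists (see the stat task above), so on a host
# with an existing database none of this runs.
- name: Setup clean primary
  when: not _db_created.stat.exists
  block:
    # kdb5_util create prompts for the master key and then for a
    # confirmation; `yes` answers both prompts. The key is passed
    # through the quote filter so shell metacharacters in it cannot
    # break or alter the command, and no_log keeps the rendered command
    # line (which contains the key) out of Ansible output and logs.
    # The key is still present in the argv of `yes` while it runs, so
    # it is briefly visible in the process list on the KDC host.
    # kerberos_kdc_master_key is expected to come from a vaulted
    # variable — its definition is not visible in this file.
    - name: Setup primary db
      shell: |
        yes {{ kerberos_kdc_master_key | quote }} | kdb5_util create -r {{ kerberos_kdc_realm }} -s
      no_log: true

    # A random 12-character admin password is generated once and kept
    # only in this root-only file; later runs read it back from here
    # to export it. The module result would include the content, hence
    # no_log (which also hides the error message if the copy fails).
    - name: Generate and save admin principal password
      copy:
        dest: '/etc/krb5kdc/admin.passwd'
        content: '{{ lookup("password", "/dev/null chars=ascii_letters,digits length=12") }}'
        owner: root
        group: root
        mode: '0600'
      no_log: true

    # The password is read back on the host inside the command, so the
    # rendered command Ansible records for this task does not contain
    # it; kadmin.local receives it on stdin rather than on its argv.
    - name: Setup initial admin principal
      shell: |
        echo "addprinc -pw $(cat /etc/krb5kdc/admin.passwd) admin/admin@{{ kerberos_kdc_realm }}" | kadmin.local

    # https://web.mit.edu/kerberos/krb5-latest/doc/admin/install_kdc.html
    # It is not strictly necessary to have the primary KDC server in
    # the Kerberos database, but it can be handy if you want to be
    # able to swap the primary KDC with one of the replicas.
    - name: Create primary host principal and keytab
      shell:
        cmd: |
          echo "addprinc -randkey host/{{ inventory_hostname }}" | kadmin.local
          echo "ktadd host/{{ inventory_hostname }}" | kadmin.local

    # Replica host principals are created with random keys only; the
    # replicas create their own keytabs later, using the admin password
    # exported below if they need to.
    - name: Create replica host principals
      shell:
        cmd: 'echo "addprinc -randkey host/{{ item }}" | kadmin.local'
      with_inventory_hostnames: kerberos-kdc-replica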
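# The stash file is used to decrypt the on-disk database. Without
# this you are prompted for the master password on daemon start. This
# needs to be distributed to the replicas so they can also open the
# database.
# The stash holds the master key, so the registered (base64) contents
# are kept out of Ansible output and logs with no_log; note that this
# also hides the module's error message should the read fail.
- name: Read and save stash file
  slurp:
    src: '/etc/krb5kdc/stash'
  register: kerberos_kdc_stash_file_contents
  no_log: true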
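# Export this so replica servers can use this variable to authenticate
# and create keytabs for their host principals, if they need to.
# The registered value is the base64-encoded password, so no_log keeps
# it out of verbose output and logs (at the cost of hiding the error
# message if the file cannot be read).
- name: Read in admin/admin password
  slurp:
    src: "/etc/krb5kdc/admin.passwd"
  register: _admin_password
  no_log: true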
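# Publish the decoded password as a host fact for the replica plays to
# pick up via hostvars. set_fact echoes the fact value in verbose output,
# so no_log keeps the plaintext password out of output and logs.
- name: Export admin password
  set_fact:
    kerberos_kdc_admin_password: '{{ _admin_password.content | b64decode }}'
  no_log: true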
# kprop is what pushes the database to the replicas. Install the
# wrapper script that the cron entry below runs periodically.
- name: Install kprop script
  template:
    dest: '/usr/local/bin/run-kprop.sh'
    src: 'run-kprop.sh.j2'
    owner: root
    group: root
    mode: '0755'
# Run the propagation wrapper every hour at minute 15. Both stdout and
# stderr are discarded, so cron itself will not report a failing run.
- name: kprop cron to push db to replicas
  cron:
    job: '/usr/local/bin/run-kprop.sh >/dev/null 2>&1'
    minute: '15'
    name: kprop
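# Start the admin server now and enable it at boot. `true` rather than
# `yes` avoids the YAML 1.1/1.2 truthy ambiguity.
- name: start krb5-admin-server
  systemd:
    name: krb5-admin-server
    state: started
    enabled: true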
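# Start the KDC now and enable it at boot. `true` rather than `yes`
# avoids the YAML 1.1/1.2 truthy ambiguity.
- name: start krb5-kdc
  systemd:
    name: krb5-kdc
    state: started
    enabled: true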
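# Describe how the backup job should stream the database. Presumably
# the backup role runs the command in /etc/borg-streams/kdb5 and backs
# up its output — confirm against that role. A kdb5_util dump contains
# every principal's key material, so the resulting stream is as
# sensitive as the database itself. Ownership and modes are set
# explicitly, matching the other files this role installs.
- name: Setup db backup streaming job
  block:
    - name: Create backup streaming config dir
      file:
        path: /etc/borg-streams
        state: directory
        owner: root
        group: root
        mode: '0755'

    - name: Create db streaming file
      copy:
        content: >-
          /usr/sbin/kdb5_util dump
        dest: /etc/borg-streams/kdb5
        owner: root
        group: root
        mode: '0644'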