# Package set for the primary KDC role; the tasks below rely on
# kdb5_util and kadmin.local being present on the host.
- name: Install packages
  package:
    state: present
    name:
      - krb5-admin-server

# Note the following is not really for production, where we already
# have a database setup. It is exercised by testing however.
#
# _db_created.stat.exists is the guard that decides whether the
# "Setup clean primary" block runs at all.
- name: Look for primary database
  register: _db_created
  stat:
    path: '/var/lib/krb5kdc/principal'

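# One-shot bootstrap of a fresh primary KDC. Only runs when the stat
# task above found no principal database.
- name: Setup clean primary
  when: not _db_created.stat.exists
  block:

    # The master key is fed to kdb5_util on stdin (entered twice: prompt +
    # confirmation) through the module's stdin parameter rather than via
    # `yes {{ ... }} | kdb5_util ...`, so the key is not part of the
    # `sh -c` command line that shows up in the process list and in the
    # task's logged cmd. stdin_add_newline (default true) terminates the
    # second entry. no_log also hides stdout/stderr on failure; drop it
    # temporarily when debugging a failed create.
    - name: Setup primary db
      shell:
        cmd: 'kdb5_util create -r {{ kerberos_kdc_realm }} -s'
        stdin: "{{ kerberos_kdc_master_key }}\n{{ kerberos_kdc_master_key }}"
      no_log: true

    # The password lookup against /dev/null yields a new random value on
    # every evaluation; that is fine only because this block is guarded by
    # the stat check and runs once. no_log keeps the generated value out of
    # task output (e.g. --diff).
    - name: Generate and save admin principal password
      copy:
        dest: '/etc/krb5kdc/admin.passwd'
        content: '{{ lookup("password", "/dev/null chars=ascii_letters,digits length=12") }}'
        owner: root
        group: root
        mode: '0600'
      no_log: true

    # The password is read on the target by the $(cat ...) expansion, so
    # the rendered command Ansible logs never contains it.
    - name: Setup initial admin principal
      shell: |
        echo "addprinc -pw $(cat /etc/krb5kdc/admin.passwd) admin/admin@{{ kerberos_kdc_realm }}" | kadmin.local

    # https://web.mit.edu/kerberos/krb5-latest/doc/admin/install_kdc.html
    # It is not strictly necessary to have the primary KDC server in
    # the Kerberos database, but it can be handy if you want to be
    # able to swap the primary KDC with one of the replicas.
    - name: Create primary host principal and keytab
      shell:
        cmd: |
          echo "addprinc -randkey host/{{ inventory_hostname }}" | kadmin.local
          echo "ktadd host/{{ inventory_hostname }}" | kadmin.local

    # One principal per host in the kerberos-kdc-replica inventory group.
    - name: Create replica host principals
      shell:
        cmd: 'echo "addprinc -randkey host/{{ item }}" | kadmin.local'
      with_inventory_hostnames: kerberos-kdc-replica
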
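# The stash file is used to decrypt the on-disk database. Without
# this you are prompted for the master password on daemon start. This
# needs to be distributed to the replicas so they can also open the
# database.
#
# The registered value is the base64-encoded master-key stash; no_log
# keeps it out of verbose task output and logs.
- name: Read and save stash file
  slurp:
    src: '/etc/krb5kdc/stash'
  register: kerberos_kdc_stash_file_contents
  no_log: true
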
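# Export this so replica servers can use this variable to authenticate
# and create keytabs for their host principals, if they need to.
#
# The registered result holds the admin password (base64); no_log keeps
# it out of verbose task output.
- name: Read in admin/admin password
  slurp:
    src: "/etc/krb5kdc/admin.passwd"
  register: _admin_password
  no_log: true
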
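# Decoded plaintext password as a host fact for the replicas to pick up;
# no_log so the fact value is not echoed in the task result.
- name: Export admin password
  set_fact:
    kerberos_kdc_admin_password: '{{ _admin_password.content | b64decode }}'
  no_log: true
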
# kprop is what pushes the db to replicas. Set it up to run via cron
# periodically.
- name: Install kprop script
  template:
    src: 'run-kprop.sh.j2'
    dest: '/usr/local/bin/run-kprop.sh'
    owner: root
    group: root
    mode: '0755'

# Hourly at :15. All output is discarded, so a failing push is not
# reported by cron mail; the script itself must surface errors.
- name: kprop cron to push db to replicas
  cron:
    job: '/usr/local/bin/run-kprop.sh >/dev/null 2>&1'
    minute: '15'
    name: kprop

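# kadmind: started now and enabled at boot. `true` rather than `yes` so
# the value is a boolean under both YAML 1.1 and 1.2 parsers.
- name: start krb5-admin-server
  systemd:
    name: krb5-admin-server
    state: started
    enabled: true
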
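# The KDC itself: started now and enabled at boot. `true` rather than
# `yes` so the value is a boolean under both YAML 1.1 and 1.2 parsers.
- name: start krb5-kdc
  systemd:
    name: krb5-kdc
    state: started
    enabled: true
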
- name: Setup db backup streaming job
|
|
block:
|
|
- name: Create backup streaming config dir
|
|
file:
|
|
path: /etc/borg-streams
|
|
state: directory
|
|
|
|
- name: Create db streaming file
|
|
copy:
|
|
content: >-
|
|
/usr/sbin/kdb5_util dump
|
|
dest: /etc/borg-streams/kdb5
|