0.1.5 version: adds kerberos_kdc role

CHANGELOG.rst

@@ -5,6 +5,14 @@ msvsphere.ci Release Notes
 .. contents:: Topics
 
 
+v0.1.5
+======
+
+New Roles
+---------
+
+- msvsphere.ci.kerberos_kdc - A role that installs and configures a Kerberos KDC.
+
 v0.1.4
 ======
 

README.md

@@ -4,6 +4,7 @@ The MSVSphere OS CI/CD collection.
 
 ## Roles
 
+* [kerberos_kdc](roles/kerberos_kdc/README.md)
 * [kerberos_principal](roles/kerberos_principal/README.md)
 * [koji_cli](roles/koji_cli/README.md)
 * [koji_db_server](roles/koji_db_server/README.md)

changelogs/.plugin-cache.yaml

@@ -1,5 +1,9 @@
 objects:
   role:
+    kerberos_kdc:
+      description: A role that installs and configures a Kerberos KDC.
+      name: kerberos_kdc
+      version_added: 0.1.5
     kerberos_principal:
       description: A role that creates a kerberos principal.
       name: kerberos_principal
@@ -44,4 +48,4 @@ plugins:
   strategy: {}
   test: {}
   vars: {}
-version: 0.1.4
+version: 0.1.5

changelogs/changelog.yaml

@@ -51,3 +51,10 @@ releases:
         name: koji_server
         namespace: null
     release_date: '2023-12-18'
+  0.1.5:
+    objects:
+      role:
+      - description: A role that installs and configures a Kerberos KDC.
+        name: kerberos_kdc
+        namespace: null
+    release_date: '2023-12-18'

galaxy.yml

@@ -1,6 +1,6 @@
 namespace: msvsphere
 name: ci
-version: 0.1.4
+version: 0.1.5
 readme: README.md
 authors:
   - Eugene Zamriy <ezamriy@msvsphere-os.ru>

roles/kerberos_kdc/README.md

@@ -0,0 +1,18 @@
+# msvsphere.ci.kerberos_kdc
+
+An Ansible role that installs and configures a Kerberos KDC (Key Distribution
+Center).
+
+## Variables
+
+| Variable | Default value | Type | Description | Required |
+| -------- | ------------- | ---- |----------- | -------- |
+
+
+## License
+
+MIT.
+
+## Authors
+
+* [Eugene Zamriy](mailto:ezamriy@msvsphere-os.ru)

roles/kerberos_kdc/defaults/main.yml

@@ -0,0 +1,5 @@
+---
+kerberos_kdc_domain_name:
+kerberos_kdc_realm: "{{ kerberos_kdc_domain_name | upper }}"
+kerberos_kdc_admin_principal: "admin@{{ kerberos_kdc_realm }}"
+kerberos_kdc_db_password:

roles/kerberos_kdc/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: restart krb5kdc
+  ansible.builtin.service:
+    name: krb5kdc
+    state: restarted

roles/kerberos_kdc/meta/argument_specs.yml

@@ -0,0 +1,28 @@
+---
+argument_specs:
+  main:
+    short_description: A role that installs and configures a Kerberos KDC.
+    author: Eugene Zamriy
+    version_added: '0.1.5'
+    options:
+      kerberos_kdc_domain_name:
+        description: Kerberos KDC domain name.
+        type: 'str'
+        required: true
+
+      kerberos_kdc_realm:
+        description: Kerberos KDC realm.
+        default: '{{ kerberos_kdc_domain_name | upper }}'
+        type: 'str'
+        required: false
+
+      kerberos_kdc_admin_principal:
+        description: Kerberos administrator principal.
+        default: 'admin@{{ kerberos_kdc_realm }}'
+        type: 'str'
+        required: false
+
+      kerberos_kdc_db_password:
+        description: Kerberos database password.
+        type: 'str'
+        required: true

roles/kerberos_kdc/meta/main.yml

@@ -0,0 +1,16 @@
+---
+galaxy_info:
+  author: Eugene Zamriy
+  description: A role that installs and configures a Kerberos KDC.
+  company: Softline PJSC
+  license: MIT
+  min_ansible_version: 2.13
+  platforms:
+    - name: EL
+      versions:
+        - "9"
+  galaxy_tags:
+    - kerberos
+    - kdc
+
+dependencies: []

roles/kerberos_kdc/tasks/main.yml

@@ -0,0 +1,79 @@
+---
+- name: Check if required variables are defined
+  ansible.builtin.fail:
+    msg: "{{ item }} is not defined or empty"
+  when: |
+    (vars[item] is undefined)
+    or (vars[item] is none)
+    or (vars[item] | trim | length == 0)
+  with_items:
+    - kerberos_kdc_domain_name
+    - kerberos_kdc_realm
+    - kerberos_kdc_admin_principal
+    - kerberos_kdc_db_password
+
+- name: Add Kerberos domain name to /etc/hosts
+  ansible.builtin.lineinfile:
+    dest: /etc/hosts
+    regexp: ".*?\\s{{ kerberos_kdc_domain_name }}"
+    line: "127.0.0.1   {{ kerberos_kdc_domain_name }}"
+    state: present
+
+- name: Install Kerberos packages
+  ansible.builtin.dnf:
+    name:
+      - krb5-server
+      - krb5-workstation
+    state: installed
+
+- name: Generate /etc/krb5.conf
+  ansible.builtin.template:
+    src: etc/krb5.conf.j2
+    dest: /etc/krb5.conf
+    owner: root
+    group: root
+    mode: '0644'
+    setype: krb5_conf_t
+  notify:
+    - restart krb5kdc
+
+- name: Generate /var/kerberos/krb5kdc/kdc.conf
+  ansible.builtin.template:
+    src: var/kerberos/krb5kdc/kdc.conf.j2
+    dest: /var/kerberos/krb5kdc/kdc.conf
+    owner: root
+    group: root
+    mode: '0600'
+    setype: krb5kdc_conf_t
+  notify:
+    - restart krb5kdc
+
+- name: Generate /var/kerberos/krb5kdc/kadm5.acl
+  ansible.builtin.template:
+    src: var/kerberos/krb5kdc/kadm5.acl.j2
+    dest: /var/kerberos/krb5kdc/kadm5.acl
+    owner: root
+    group: root
+    mode: '0600'
+    setype: krb5kdc_conf_t
+  notify:
+    - restart krb5kdc
+
+- name: Create Kerberos database
+  ansible.builtin.command: "/usr/sbin/kdb5_util create -s -P {{ kerberos_kdc_db_password | quote }}"
+  args:
+    creates: /var/kerberos/krb5kdc/principal.ok
+  notify:
+    - restart krb5kdc
+
+- name: Enable and start krb5kdc service
+  ansible.builtin.service:
+    name: krb5kdc
+    enabled: true
+    state: started
+
+- name: Enable and start kadmin service
+  ansible.builtin.service:
+    name: kadmin
+    enabled: true
+    state: started

roles/kerberos_kdc/templates/etc/krb5.conf.j2

@@ -0,0 +1,31 @@
+# To opt out of the system crypto-policies configuration of krb5, remove the
+# symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.
+includedir /etc/krb5.conf.d/
+
+[logging]
+    default = FILE:/var/log/krb5libs.log
+    kdc = FILE:/var/log/krb5kdc.log
+    admin_server = FILE:/var/log/kadmind.log
+
+[libdefaults]
+    dns_lookup_realm = false
+    ticket_lifetime = 24h
+    renew_lifetime = 7d
+    forwardable = true
+    rdns = false
+    pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
+    spake_preauth_groups = edwards25519
+    dns_canonicalize_hostname = fallback
+    qualify_shortname = ""
+    default_realm = {{ kerberos_kdc_realm }}
+    default_ccache_name = KEYRING:persistent:%{uid}
+
+[realms]
+{{ kerberos_kdc_realm }} = {
+    kdc = {{ kerberos_kdc_domain_name }}
+    admin_server = {{ kerberos_kdc_domain_name }}
+}
+
+[domain_realm]
+# .example.com = EXAMPLE.COM
+# example.com = EXAMPLE.COM

roles/kerberos_kdc/templates/var/kerberos/krb5kdc/kadm5.acl.j2

@@ -0,0 +1 @@
+*/{{ kerberos_kdc_admin_principal }}	*

roles/kerberos_kdc/templates/var/kerberos/krb5kdc/kdc.conf.j2

@@ -0,0 +1,16 @@
+[kdcdefaults]
+    kdc_ports = 88
+    kdc_tcp_ports = 88
+    spake_preauth_kdc_challenge = edwards25519
+
+[realms]
+{{ kerberos_kdc_realm }} = {
+     master_key_type = aes256-cts-hmac-sha384-192
+     acl_file = /var/kerberos/krb5kdc/kadm5.acl
+     dict_file = /usr/share/dict/words
+     default_principal_flags = +preauth
+     admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
+     supported_enctypes = aes256-cts-hmac-sha384-192:normal aes128-cts-hmac-sha256-128:normal aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal camellia256-cts-cmac:normal camellia128-cts-cmac:normal arcfour-hmac-md5:normal
+     # Supported encryption types for FIPS mode:
+     #supported_enctypes = aes256-cts-hmac-sha384-192:normal aes128-cts-hmac-sha256-128:normal
+}