role-ipa-server/tasks/main.yml

#SPDX-License-Identifier: MIT-0
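---
# tasks file for role-ipa-server
#
# Installs the FreeIPA server packages, opens the firewall for the IPA
# services, deploys the helper scripts, and — when a Let's Encrypt tree is
# present on the host — points the IPA httpd certificate and key at the
# Let's Encrypt files. The "restart httpd" handler is expected to be
# defined in this role's handlers (not visible from this file).

- name: Install FreeIPA server packages
  ansible.builtin.package:
    name:
      - freeipa-server
      - ipa-server-dns
    state: present

# This should be moved to a dedicated firewall role down the road.
- name: Permit ipa-server traffic through firewall
  ansible.posix.firewalld:
    service: freeipa-4
    state: enabled
    permanent: true
    immediate: true
    offline: true

# The copy tasks below do not create missing parent directories, so make
# sure the scripts directory exists before deploying into it.
- name: Ensure scripts directory exists
  ansible.builtin.file:
    path: /scripts
    state: directory
    owner: root
    group: root
    mode: "0755"

# Scripts get an explicit owner and mode: root-owned, executable by root
# only, not world-readable. Quote the mode so YAML does not parse it as an
# octal integer.
- name: Deploy replication script
  ansible.builtin.copy:
    src: files/replicate.sh
    dest: /scripts/replicate.sh
    owner: root
    group: root
    mode: "0750"

- name: Deploy letsencrypt setup script
  ansible.builtin.copy:
    src: files/setup-le.sh
    dest: /scripts/setup-le.sh
    owner: root
    group: root
    mode: "0750"

# This should be moved to a dedicated selinux role down the road.
# NOTE(review): disabling SELinux removes mandatory access control from the
# identity server; FreeIPA is supported in enforcing mode, so this setting
# should be re-evaluated rather than carried forward. The selinux module
# only edits the persistent configuration — a reboot is required before
# the change takes effect.
- name: Disable SELinux
  ansible.posix.selinux:
    state: disabled

# Create symlinks for the httpd certificate and key if Let's Encrypt is set
# up. stat is used instead of `command: '[ -d ... ]'` with ignore_errors so
# the checks are idempotent and do not report a failed/changed task on
# every run.
- name: Check if letsencrypt is set up
  ansible.builtin.stat:
    path: /etc/letsencrypt
  register: letsencrypt_dir

- name: Check if ipaserver is ready
  ansible.builtin.stat:
    path: /var/lib/ipa/certs
  register: ipa_certs_dir

# force: true replaces the destination if it already exists as a regular
# file (presumably it does once the IPA server has been installed).
- name: Create symlink for certificate
  ansible.builtin.file:
    src: "/etc/letsencrypt/live/{{ ansible_fqdn }}/cert.pem"
    dest: /var/lib/ipa/certs/httpd.crt
    state: link
    force: true
  when:
    - letsencrypt_dir.stat.exists and letsencrypt_dir.stat.isdir
    - ipa_certs_dir.stat.exists and ipa_certs_dir.stat.isdir
  notify: restart httpd

- name: Create symlink for private key
  ansible.builtin.file:
    src: "/etc/letsencrypt/live/{{ ansible_fqdn }}/privkey.pem"
    dest: /var/lib/ipa/private/httpd.key
    state: link
    force: true
  when:
    - letsencrypt_dir.stat.exists and letsencrypt_dir.stat.isdir
    - ipa_certs_dir.stat.exists and ipa_certs_dir.stat.isdir
  notify: restart httpd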