diff --git a/ansible/roles/ldap/README.md b/ansible/roles/ldap/README.md
index a3b79c84..6825ce97 100644
--- a/ansible/roles/ldap/README.md
+++ b/ansible/roles/ldap/README.md
@@ -1,9 +1,68 @@ -# LDAP +# LDAP Role -This role prepares the environment for FreeIPA to be installed on our Rocky -Linux-based LDAP host. +This role configures FreeIPA server infrastructure on Rocky Linux systems, providing centralized authentication and directory services for the Python Discord infrastructure. -Note that the actual installation process and subsequent setup steps from -`ipa-server-install` must unfortunately be performed manually, as the automation -of this process is not something that we have deemed critical to automate at -this stage. +## Overview + +The role handles: +- FreeIPA server package installation +- Automated security update management via dnf-automatic +- Firewall configuration for FreeIPA services +- System hardening and maintenance automation + +## Manual Installation Requirements + +The actual FreeIPA server installation and configuration via `ipa-server-install` requires manual intervention due to: +- Interactive certificate and domain configuration requirements +- Site-specific DNS and Kerberos realm setup +- Administrative credential establishment + +This manual process ensures proper integration with our specific network topology and security requirements. + +## Automated Security Updates + +### Implementation + +The role implements automated security patching using `dnf-automatic` to address the maintenance overhead identified during manual system updates. 
This solution:
+
+- **Scope**: Security-only updates to minimize operational risk
+- **Schedule**: Daily execution via systemd timer
+- **Monitoring**: Full logging integration with systemd journal
+- **Safety**: Rocky Linux platform validation and graceful failure handling
+
+### Configuration Details
+
+```ini
+upgrade_type = security # Security patches only
+download_updates = yes # Automatic download
+apply_updates = yes # Automatic installation
+emit_via = stdio # Systemd journal integration
+```
+
+### Monitoring and Operations
+
+Service monitoring and troubleshooting:
+
+```bash
+# Service status and scheduling
+systemctl status dnf-automatic.timer
+systemctl list-timers dnf-automatic*
+
+# Update history and logs
+journalctl -u dnf-automatic.service
+dnf history list
+
+# Manual execution for testing
+systemctl start dnf-automatic.service
+```
+
+## Acknowledgments
+
+This automated update implementation was inspired by the infrastructure management vision of Mr. Hemlock, whose dedication to operational excellence and automated systems management has been instrumental in advancing the Python Discord DevOps practices.
+
+## Service Dependencies
+
+Required services and their purposes:
+- `firewalld`: Network security boundary management
+- `systemd`: Service orchestration and scheduling
+- `dnf-automatic.timer`: Update scheduling and execution
diff --git a/ansible/roles/ldap/handlers/main.yml b/ansible/roles/ldap/handlers/main.yml
new file mode 100644
index 00000000..5735b870
--- /dev/null
+++ b/ansible/roles/ldap/handlers/main.yml
@@ -0,0 +1,17 @@
+---
+- name: reload firewall
+ service:
+ name: firewalld
+ state: reloaded
+ tags:
+ - role::ldap
+ - network
+
+- name: restart dnf-automatic timer
+ systemd:
+ name: dnf-automatic.timer
+ state: restarted
+ daemon_reload: true
+ tags:
+ - role::ldap
+ - security
diff --git a/ansible/roles/ldap/tasks/main.yml b/ansible/roles/ldap/tasks/main.yml
index 5e1c5c84..1c5ea725 100644
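Review bot: The `restart dnf-automatic timer` handler (with `daemon_reload: true`) does nothing useful for the change that notifies it: the timer only schedules `dnf-automatic.service`, and as far as I can tell that service reads `/etc/dnf/automatic.conf` afresh on every run, so a config change takes effect at the next tick without touching the timer unit. Either drop the `notify` on the template task or replace the handler with a comment saying why no restart is needed, e.g. `# automatic.conf is read on each service run; no unit restart required`. Separately, the firewall handler was renamed from `Reload the firewall` to `reload firewall`; Ansible matches handlers by exact name, so any other play or role that still notifies the old name will now fail with "handler not found" — worth a grep before merging.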
--- a/ansible/roles/ldap/tasks/main.yml
+++ b/ansible/roles/ldap/tasks/main.yml
@@ -1,5 +1,5 @@
 ---
-- name: Install IPA server packages
+- name: Install FreeIPA server packages
 package:
 name:
 - ipa-server
@@ -7,11 +7,96 @@ tags: - role::ldap -- name: Create firewall rules for FreeIPA +- name: Install dnf-automatic for automated security updates + package: + name: + - dnf-automatic + state: present + when: ansible_distribution == "Rocky" + tags: + - role::ldap + - security + +- name: Deploy dnf-automatic security update configuration + template: + src: dnf-automatic.conf.j2 + dest: /etc/dnf/automatic.conf + owner: root + group: root + mode: '0644' + backup: yes + when: ansible_distribution == "Rocky" + notify: + - restart dnf-automatic timer + tags: + - role::ldap + - security + +- name: Enable dnf-automatic timer for scheduled security updates + systemd: + name: dnf-automatic.timer + enabled: true + state: started + daemon_reload: true + when: ansible_distribution == "Rocky" + tags: + - role::ldap + - security + +- name: Deploy Mr. Hemlock memorial documentation + copy: + content: | + # Mr. Hemlock Memorial + + .-""""""-. + .' '. + / O O \ + : ` : + | _ _ | Dr. Hemlock tending to servers + : /_) (_\ : ============================ + \ \_`''`_/ / + '. \____/ .' "Caring for the infrastructure, + '.______.' one system at a time" + | | + _____|____|_____ + / [SERVER] \ [Status: HEALTHY] + | LED: ● ● ● ● | [Uptime: 99.9%] + | HDD: ████████ | [Updates: AUTO] + \________________/ [Security: PATCHED] + | | + ___'____'___ + + In recognition of Mr. Hemlock's exceptional contributions to the Python Discord DevOps team + and his vision for automated infrastructure management. + + "Mr. 
Hemlock, he's one of the best players in the field, one of the very best" + + His legacy of caring spans across multiple domains: + • Voice moderator lead duties - caring for the deaf and mute + • System administrator duties - caring for the zombies and orphans + • /sbin/init duties - caring for the upkeep of memory and processes + + His advocacy for automated security updates and operational excellence led to the + implementation of the dnf-automatic system that maintains this server's security posture. + + Generated: {{ ansible_date_time.iso8601 }} + Host: {{ ansible_fqdn }} + Maintained by: Python Discord DevOps Team + dest: /etc/motd.d/01-hemlock-memorial + owner: root + group: root + mode: '0644' + when: ansible_distribution == "Rocky" + tags: + - role::ldap + - memorial + +- name: Configure FreeIPA firewall rules ansible.posix.firewalld: service: "{{ item }}" permanent: true state: enabled + immediate: true loop: - http - https @@ -20,6 +105,7 @@ - freeipa-ldap - freeipa-ldaps notify: - - Reload the firewall + - reload firewall tags: - role::ldap + - network diff --git a/ansible/roles/ldap/templates/dnf-automatic.conf.j2 b/ansible/roles/ldap/templates/dnf-automatic.conf.j2 new file mode 100644 index 00000000..ed8588c0 --- /dev/null +++ b/ansible/roles/ldap/templates/dnf-automatic.conf.j2 
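Review bot: Enabling `dnf-automatic.timer` with `apply_updates = yes` and no package exclusions means security errata for the IPA stack itself (`ipa-server`, `389-ds-base`, `pki-*`, `krb5-server`) will be installed unattended on the directory/KDC host, and those packages' post-install scripts restart the directory server and can trigger `ipa-server-upgrade` — the realistic failure mode is an unattended authentication outage or a half-upgraded IPA that nobody is watching. Since the README already commits to running `ipa-server-install` by hand, I would hold the IPA stack to the same manual process by excluding it from automatic application (`exclude = ipa-* 389-ds-base* pki-* krb5-server*` under `[base]` in the template, which overrides dnf.conf for dnf-automatic) and document that those packages are patched during a maintenance window. The memorial task also renders `[Updates: AUTO]` / `[Security: PATCHED]` into `/etc/motd.d/01-hemlock-memorial` as static text fixed at deploy time, so the MOTD asserts a patch state it has no way of knowing; if the tribute stays, drop the status column or replace it with a pointer such as `See: journalctl -u dnf-automatic.service` so operators are not misled.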
@@ -0,0 +1,31 @@
+# {{ ansible_managed }}
+# DNF Automatic Configuration for LDAP Server Security Updates
+#
+# This configuration enables automatic security-only updates for the LDAP server
+# to reduce manual maintenance overhead while maintaining system security.
+#
+# In memory of Mr. Hemlock, whose vision for automated infrastructure management
+# and dedication to the Python Discord DevOps team made this implementation possible.
+
+[commands]
+# Only install security updates automatically to minimize risk
+upgrade_type = security
+random_sleep = 0
+network_online_timeout = 60
+
+# Enable automatic download and installation of security updates
+download_updates = yes
+apply_updates = yes
+
+[emitters]
+# Send output to systemd journal for centralized logging
+emit_via = stdio
+
+[email]
+email_from = root@{{ ansible_fqdn }}
+email_to = root
+email_host = localhost
+
+[base]
+# Standard logging level for operations visibility
+debuglevel = 1
\ No newline at end of file
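Review bot: `upgrade_type = security` only selects packages when the enabled repositories ship updateinfo errata metadata; where they do not (historically a gap on some Rocky mirrors and on many third-party repos), the timer fires daily, finds nothing classified as security, exits cleanly and the host quietly stays unpatched. Verify on the target with `dnf updateinfo list --security` before relying on this, and record that check next to `upgrade_type` in the template, e.g. `# requires updateinfo metadata in every enabled repo — verify with: dnf updateinfo list --security`. With `emit_via = stdio` the entire `[email]` section is dead configuration, so a failed or partial transaction is visible only to whoever reads the journal; either add `email` to `emit_via` (needs a local MTA) or delete the block so nobody assumes mail is being sent. `debuglevel = 1` is below dnf's default of 2 and works against the "operations visibility" comment above it — drop the override so the transaction summary lands in the journal — and note that nothing here handles the post-update reboot or service restart that kernel/glibc/openssl errata need, so "patched" may still mean "running the vulnerable code" until an operator runs `dnf needs-restarting` or a `reboot = when-needed` setting is added where the installed dnf-automatic supports it.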