Set up a FreeIPA node on Linode
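#!/bin/bash
# <UDF name="hostname" label="Hostname" />
# <UDF name="timezone" label="Timezone" example="Asia/Tokyo" />
# <UDF name="role" label="Role" oneof="Server,Replica" />
# <UDF name="server" label="FQDN of server to set up a replica of" />
# <UDF name="domain" label="Domain" example="example.com" />
# <UDF name="realm" label="Realm" example="EXAMPLE.COM" />
# <UDF name="password_dm" label="Directory Manager Password" />
# <UDF name="password_admin" label="Admin Password" />
# <UDF name="enable_ntp" label="Enable NTP Server" oneof="No,Yes" default="No" />
# <UDF name="enable_dns" label="Enable DNS Server" oneof="No,Yes" default="Yes" />
# <UDF name="enable_mkhomedir" label="Enable Automatic Home Directory Creation" oneof="No,Yes" default="Yes" />
# <UDF name="force_join" label="Force join" oneof="No,Yes" default="No" />
#
# Linode StackScript: provision a FreeIPA server, or a replica of an existing
# server, on a fresh Linode. Each UDF above arrives as an upper-case
# environment variable (ROLE, PASSWORD_DM, ...); LINODE_RAM is supplied by
# the platform. get_started, system_install_package, configure_basic_firewall,
# add_port, save_firewall and the detected_distro map come from StackScript 1.
source <ssinclude StackScriptID=1>

# Abort on the first failed step; a half-configured IPA node is harder to
# recover than a clearly failed deploy. Set after the include so the
# library's own commands are not affected by it.
set -e

# Required inputs: ${var:?msg} prints msg and exits when the value is
# unset or empty, instead of handing the installer an empty password.
: "${DOMAIN:?domain UDF is required}"
: "${REALM:?realm UDF is required}"
: "${PASSWORD_ADMIN:?password_admin UDF is required}"
if [[ "$ROLE" == "Server" ]]; then
  : "${PASSWORD_DM:?password_dm UDF is required for a Server}"
else
  : "${SERVER:?server UDF is required for a Replica}"
fi

# Temporary swap file to prevent OOM issues on smaller Linodes.
# The file is created under umask 077 so it is never world-readable, and the
# EXIT trap removes it on every exit path, including a failed install.
swap=/var/freeipa.swap.tmp
swap_active=0
cleanup_swap() {
  if (( swap_active )); then
    swapoff "$swap" || true   # best effort: the file is removed regardless
    rm -f -- "$swap"
  fi
}
trap cleanup_swap EXIT
if [[ "$LINODE_RAM" -le 1024 ]]; then
  ( umask 077 && dd if=/dev/zero of="$swap" bs=1M count=1024 )
  chmod 600 "$swap"
  mkswap "$swap"
  swapon "$swap"
  swap_active=1
fi

fqdn="${HOSTNAME}.${DOMAIN}"

# Basic system setup
get_started "${HOSTNAME}" "${fqdn}" "${TIMEZONE}"

# Install FreeIPA
if [[ "${detected_distro[family]}" == "redhat" ]]; then
  # Brace expansion yields one idm:DL1/<profile> argument per profile.
  dnf module install -y idm:DL1/{server,client,dns}
else
  system_install_package freeipa-server freeipa-client
fi

# Firewall setup
configure_basic_firewall
if [[ "${detected_distro[family]}" == "redhat" ]]; then
  firewall-cmd --add-service={http,https,ldap,ldaps,kerberos,kpasswd} --permanent
  [[ "$ENABLE_NTP" == "Yes" ]] && firewall-cmd --add-service=ntp --permanent
  [[ "$ENABLE_DNS" == "Yes" ]] && firewall-cmd --add-service=dns --permanent
  # --permanent is needed here as well: --reload below discards runtime-only
  # rules, so without it these ports were never actually left open.
  # NOTE(review): 7389 and 9443-9445 are legacy Dogtag/CA ports; confirm the
  # installed FreeIPA version still needs them exposed before keeping this.
  firewall-cmd --add-port={9443,9444,9445,7389}/{tcp,udp} --permanent
  firewall-cmd --reload
else
  # NOTE(review): brace expansion hands add_port extra positional arguments
  # (e.g. "ipv4 ipv6 88 tcp udp"); confirm the library's add_port accepts
  # that form, otherwise call it once per network/protocol pair.
  add_port {ipv4,ipv6} 80 tcp                                # HTTP
  add_port {ipv4,ipv6} 443 tcp                               # HTTPS
  add_port {ipv4,ipv6} 88 {tcp,udp}                          # Kerberos
  add_port {ipv4,ipv6} 464 {tcp,udp}                         # kpasswd
  add_port {ipv4,ipv6} 389 tcp                               # LDAP
  add_port {ipv4,ipv6} 636 tcp                               # LDAPS
  [[ "${ENABLE_NTP}" == "Yes" ]] && add_port {ipv4,ipv6} 123 udp        # NTP
  [[ "${ENABLE_DNS}" == "Yes" ]] && add_port {ipv4,ipv6} 53 {tcp,udp}   # DNS
  save_firewall
fi

# Build the installer command line as an array so passwords containing
# spaces or shell metacharacters reach the installer intact (the previous
# string form was expanded unquoted and subject to word splitting/globbing).
ipa_install_args=(-U -n "${DOMAIN}" -r "${REALM}" --hostname "${fqdn}" --setup-kra --ssh-trust-dns)
[[ "$ENABLE_MKHOMEDIR" == "Yes" ]] && ipa_install_args+=(--mkhomedir)
[[ "$ENABLE_NTP" == "No" ]] && ipa_install_args+=(-N)
[[ "$ENABLE_DNS" == "Yes" ]] && ipa_install_args+=(--setup-dns --allow-zone-overlap --auto-reverse --no-forwarders --forward-policy first)
if [[ "$ROLE" == "Server" ]]; then
  ipa_install_args+=(-p "${PASSWORD_DM}" -a "${PASSWORD_ADMIN}")
  ipa_install_command=ipa-server-install
else
  ipa_install_args+=(--server "${SERVER}" -P admin -p "${PASSWORD_ADMIN}" --setup-ca)
  [[ "${FORCE_JOIN}" == "Yes" ]] && ipa_install_args+=(--force-join)
  ipa_install_command=ipa-replica-install
fi

# The passwords are passed on the command line, so they are visible in the
# process listing for the duration of the install; keep xtrace (set -x) off
# around this call so they do not land in the StackScript log either.
"$ipa_install_command" "${ipa_install_args[@]}"

# The temporary swap file is removed by the EXIT trap.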