#!/bin/bash
# FreeIPA installer script for CentOS 8
# https://gist.github.com/caguiclajmg/d293c49dfc4514e12ec81f50c6ceb724
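# ANSI colour sequences used by die/warn. They are stored as literal escape
# text and expanded by the printing function; readonly so nothing downstream
# can silently repoint them.
readonly COLOR_ERROR='\033[0;31m'    # red
readonly COLOR_WARNING='\033[1;33m'  # bold yellow
readonly COLOR_NONE='\033[0m'        # reset attributes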
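#######################################
# Print an error message and terminate the script.
# Globals:   COLOR_ERROR, COLOR_NONE (read)
# Arguments: $1 - message; $2 - exit status (defaults to 1 when omitted,
#            where the original 'exit ""' would have errored)
# Outputs:   coloured "error: <message>" line on stderr
# Returns:   never; exits with the given status
#######################################
die() {
  local message=$1
  local status=${2:-1}
  # %b expands the escapes in the colour variables; the message goes through
  # %s so backslashes inside it are printed literally rather than interpreted.
  printf '%berror: %s%b\n' "$COLOR_ERROR" "$message" "$COLOR_NONE" >&2
  exit "$status"
}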
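#######################################
# Print a warning message without stopping the script.
# Globals:   COLOR_WARNING, COLOR_NONE (read)
# Arguments: $1 - message
# Outputs:   coloured "warning: <message>" line on stderr (diagnostics do
#            not belong on stdout)
# Returns:   0
#######################################
warn() {
  printf '%bwarning: %s%b\n' "$COLOR_WARNING" "$1" "$COLOR_NONE" >&2
}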
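#######################################
# Print usage information. Every option the argument parser accepts is
# listed, including the ones (--skip-system-update, --dry-run, --no-ntp,
# --ntp-server) that the previous text left out.
# Outputs:   usage text on stdout
# Returns:   0
#######################################
help() {
  printf "Usage: freeipa-setup.sh options\n"
  printf "\n"
  printf "General Options\n"
  printf " --role\t\tRole of this FreeIPA node (server, replica); defaults to server\n"
  printf " --hostname\t\tHostname\n"
  printf " --domain\t\tDomain\n"
  printf " --realm\t\tRealm (converted to upper case)\n"
  printf " --admin-password\tAdmin password\n"
  printf " --mkhomedir\t\tAutomatically create user home directory on first logon (enabled by default)\n"
  printf " --skip-system-update\tSkip the initial 'dnf update'\n"
  printf " --dry-run\t\tValidate the options and exit without changing the system\n"
  printf "\n"
  printf "Server Role Options\n"
  printf " --dm-password\t\tDirectory Manager password\n"
  printf "\n"
  printf "Replica Role Options\n"
  printf " --server\t\tThe FreeIPA server to replicate\n"
  printf " --force-join\t\tForce join\n"
  printf "\n"
  printf "DNS Server Options\n"
  printf " --no-dns\t\tDisable builtin BIND server\n"
  printf " --dns-forwarder\tDNS Forwarders (google, cloudflare, opendns, or an address); may be repeated\n"
  printf "\n"
  printf "NTP Options\n"
  printf " --no-ntp\t\tDo not configure NTP\n"
  printf " --ntp-server\t\tNTP server to use; may be repeated\n"
  printf "\n"
}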
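# Print usage when invoked without any arguments.
if [[ $# -eq 0 ]]; then
  help
  exit 0
fi

# --- command-line parsing --------------------------------------------------
# Values are stored in globals read by the validation and install steps.
# Lists start empty so their element counts are well defined later on.
positional=()
dns_forwarders=()
ntp_servers=()
# Dotted-quad IPv4 literal. Kept in a variable because bash's =~ uses POSIX
# ERE, which has no (?:...) groups: the previous inline pattern never
# compiled, so the "not a fully qualified domain name" warning never fired.
ipv4_re='^([0-9]{1,3}\.){3}[0-9]{1,3}$'

while [[ $# -gt 0 ]]; do
  key=$1
  case "$key" in
    --role)
      # Anchored: the unanchored pattern also accepted values such as
      # 'servers' or 'xreplica', which then fell into the replica branch.
      if ! [[ "$2" =~ ^(server|replica)$ ]]; then
        die "--role must be either 'server' or 'replica'" 2
      fi
      role=$2
      shift 2
      ;;
    --hostname)
      [[ -n "$2" ]] || die "--hostname cannot be blank" 2
      hostname=$2
      shift 2
      ;;
    --domain)
      [[ -n "$2" ]] || die "--domain cannot be blank" 2
      domain=$2
      shift 2
      ;;
    --realm)
      [[ -n "$2" ]] || die "--realm cannot be blank" 2
      # Kerberos realms are conventionally upper case.
      realm=${2^^}
      shift 2
      ;;
    --dm-password)
      [[ -n "$2" ]] || die "--dm-password cannot be blank" 2
      if [[ ${#2} -lt 6 ]]; then
        warn "--dm-password is less than 6 characters long"
      fi
      dm_password=$2
      shift 2
      ;;
    --admin-password)
      [[ -n "$2" ]] || die "--admin-password cannot be blank" 2
      if [[ ${#2} -lt 6 ]]; then
        warn "--admin-password is less than 6 characters long"
      fi
      admin_password=$2
      shift 2
      ;;
    --dns-forwarder)
      # A missing value used to be recorded as an empty forwarder; whitespace
      # would later be split into extra installer arguments.
      [[ -n "$2" ]] || die "--dns-forwarder cannot be blank" 2
      [[ "$2" =~ [[:space:]] ]] && die "--dns-forwarder value must not contain whitespace" 2
      case "$2" in
        google)     dns_forwarders+=("8.8.8.8" "8.8.4.4") ;;
        opendns)    dns_forwarders+=("208.67.222.222" "208.67.220.220") ;;
        cloudflare) dns_forwarders+=("1.1.1.1" "1.0.0.1") ;;
        *)          dns_forwarders+=("$2") ;;  # any other value is used as-is
      esac
      shift 2
      ;;
    --ntp-server)
      [[ -n "$2" ]] || die "--ntp-server cannot be blank" 2
      [[ "$2" =~ [[:space:]] ]] && die "--ntp-server value must not contain whitespace" 2
      ntp_servers+=("$2")
      shift 2
      ;;
    --server)
      [[ -n "$2" ]] || die "--server cannot be blank if specified" 2
      if [[ "$2" =~ $ipv4_re ]]; then
        warn "--server is not a fully qualified domain name"
      fi
      server=$2
      shift 2
      ;;
    --skip-system-update)
      warn "skipping initial system update"
      skip_system_update=yes
      shift
      ;;
    --no-dns)
      no_dns=yes
      shift
      ;;
    --no-ntp)
      no_ntp=yes
      shift
      ;;
    --mkhomedir)
      mkhomedir=yes
      shift
      ;;
    --force-join)
      force_join=yes
      shift
      ;;
    --dry-run)
      dry_run=yes
      shift
      ;;
    --help)
      help
      exit 0
      ;;
    --*)
      # A mistyped option used to be collected silently into 'positional'
      # (which nothing reads), surfacing later only as a confusing
      # "missing parameter" error.
      die "unknown option: $1" 2
      ;;
    *)
      positional+=("$1")
      shift
      ;;
  esac
done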
# --- validate the parsed options and apply defaults ------------------------
# Role falls back to 'server' when not given.
if [[ -z "$role" ]]; then
  warn "role is not specified, defaulting to 'server'"
  role="server"
fi

# Parameters every role needs.
[[ -n "$hostname" ]] || die "missing parameter --hostname" 2
[[ -n "$domain" ]] || die "missing parameter --domain" 2
[[ -n "$realm" ]] || die "missing parameter --realm" 2
# --realm is already upper-cased by the parser, so this only fires if the
# realm reached this point some other way.
if [[ "$realm" =~ [[:lower:]] ]]; then
  warn "specified realm has lowercase characters"
fi
[[ -n "$admin_password" ]] || die "missing parameter --admin-password" 2

# Parameters a single role needs: a server needs the Directory Manager
# password, anything else (a replica) needs the server to replicate from.
case "$role" in
  server) [[ -n "$dm_password" ]] || die "missing parameter --dm-password" 2 ;;
  *)      [[ -n "$server" ]] || die "missing parameter --server" 2 ;;
esac

# Defaults for the flag-style options (assigned when unset or empty).
: "${skip_system_update:=no}"
: "${no_dns:=no}"
: "${no_ntp:=no}"
: "${mkhomedir:=yes}"
: "${dry_run:=no}"

# A dry run ends here: the options have been checked and nothing on the
# system has been modified yet.
if [[ "$dry_run" == "yes" ]]; then
  exit 0
fi
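# --- apply the configuration -----------------------------------------------
# Each system-changing step is checked: continuing after a failed package
# install or hostname change would otherwise run the installer on a broken
# host with the exit status of the failure lost.
fqdn="${hostname}.${domain}"
echo "setting hostname to '${fqdn}'"
hostnamectl set-hostname "$fqdn" || die "failed to set hostname to '${fqdn}'" "$?"

if [[ "$skip_system_update" != "yes" ]]; then
  echo "performing initial system update"
  dnf update -qy || die "system update failed" "$?"
fi

echo "installing FreeIPA"
dnf module install -qy idm:DL1/{client,server} || die "FreeIPA installation failed" "$?"
if [[ "$no_dns" != "yes" ]]; then
  echo "installing BIND"
  dnf module install -qy idm:DL1/dns || die "BIND installation failed" "$?"
fi

# Firewall rules go into the permanent configuration and are then activated
# by --reload. The port rule previously lacked --permanent, so the reload
# discarded it again and those ports were never actually open.
echo "allowing FreeIPA ports in firewall"
firewall-cmd --permanent --add-service={http,https,ldap,ldaps,kerberos,kpasswd}
firewall-cmd --permanent --add-port={9443,9444,9445,7389}/{tcp,udp}
if [[ "$no_dns" != "yes" ]]; then
  echo "allowing DNS in firewall"
  firewall-cmd --permanent --add-service=dns
fi
if [[ "$no_ntp" != "yes" ]]; then
  echo "allowing NTP in firewall"
  firewall-cmd --permanent --add-service=ntp
fi
echo "reloading firewall"
firewall-cmd --reload || die "firewall reload failed" "$?"

# Installer arguments are built as an array so each value is passed as one
# argument whatever it contains; the former space-joined string was re-split
# and glob-expanded by the shell (a password with a space or '*' broke it).
echo "installing FreeIPA as ${role}"
install_args=(-U -n "$domain" -r "$realm" --hostname "$fqdn" --setup-kra --ssh-trust-dns)

# dns
if [[ "$no_dns" != "yes" ]]; then
  install_args+=(--setup-dns --allow-zone-overlap --no-reverse --forward-policy first)
  if [[ ${#dns_forwarders[@]} -eq 0 ]]; then
    warn "no forwarders specified, using root nameservers"
    install_args+=(--no-forwarders)
  else
    for forwarder in "${dns_forwarders[@]}"; do
      install_args+=(--forwarder "$forwarder")
    done
  fi
fi

# ntp
if [[ "$no_ntp" != "yes" ]]; then
  if [[ ${#ntp_servers[@]} -eq 0 ]]; then
    warn "no ntp servers specified, using default servers"
    ntp_servers=(0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org)
  fi
  for ntp_server in "${ntp_servers[@]}"; do
    install_args+=(--ntp-server "$ntp_server")
  done
else
  install_args+=(-N)
fi

# misc
if [[ "$mkhomedir" == "yes" ]]; then
  install_args+=(--mkhomedir)
fi

# The installer runs unattended (-U), so the passwords are handed over as
# command-line arguments; while it runs they are readable by every local user
# through the process list.
if [[ "$role" == "server" ]]; then
  install_args+=(-p "$dm_password" -a "$admin_password")
  ipa-server-install "${install_args[@]}" || die "ipa-server-install failed" "$?"
else
  # NOTE(review): ipa-replica-install documents -p as the Directory Manager
  # password and -w as the password for the -P principal; confirm -p is the
  # intended option for the admin password here.
  install_args+=(--server "$server" -P admin -p "$admin_password" --setup-ca)
  if [[ "$force_join" == "yes" ]]; then
    install_args+=(--force-join)
  fi
  ipa-replica-install "${install_args[@]}" || die "ipa-replica-install failed" "$?"
fi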