Update freeipa_client role (#220)

Signed-off-by: Webster Mudge <wmudge@cloudera.com>

Author: wmudge

roles/freeipa_client/README.md

@@ -1,17 +1,54 @@
-<!--
- Copyright 2024 Cloudera, Inc.
+# freeipa_client
 
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
+Set up FreeIPA client, registering the host with a FreeIPA server, configured for DNS updates.
 
-     https://www.apache.org/licenses/LICENSE-2.0
+The role will:
+- Update `cloud-init` configuration to disable hostname management, if needed
+- Update the hostname to the Ansible `inventory_hostname`
+- Update `/etc/hosts` with the Ansible `inventory_hostname` and default IPv4 address
+- Create and activate a `cldr` connection ethernet profile in `NetworkManager` for the Ansible default IPv4 alias to set domain search and name servers, if needed
+- Update the DHCP client configuration to set domain search and name servers, if needed
+- Update `/etc/resolv.conf` directly to set domain search and name servers, if needed
+- Set the SSSD configuration to enumerate users and groups, if needed.
+- Install defined FreeIPA client packages, if needed
+- Set up and register FreeIPA client with the FreeIPA servers.
 
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
--->
+## Requirements
 
-# freeipa_client
+None.
+
+## Dependencies
+
+- `freeipa.ansible_freeipa.ipaclient`
+
+## Examples
+
+```yaml
+- name: Install FreeIPA client
+  ansible.builtin.import_role:
+    name: freeipa_client
+  vars:
+    ipaclient_domain: example.internal
+    ipaclient_realm: EXAMPLE.INTERNAL
+    ipaclient_servers: [ "freeipa.example.internal" ]
+    ipaclient_dns_servers: [ "10.0.0.4" ]
+    ipaadmin_password: "SomEpassWord"
+```
+
+## License
+
+```
+Copyright 2024 Cloudera, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    https://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+```

roles/freeipa_client/defaults/main.yml

@@ -1,25 +1,26 @@
----
-
-# Copyright 2023 Cloudera, Inc. All Rights Reserved.
+# Copyright 2025 Cloudera, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
-#      http://www.apache.org/licenses/LICENSE-2.0
+#     https://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# ipaserver_domain:
-# ipaserver_realm:
-# ipa_hosts:          # List of FQDN of IPA hosts
-# ipa_server_ips:     # List of IP of IPA hosts
-# ipaadmin_principal:
-# ipaadmin_password:
+# ipaclient_packages: []
+
+ipaclient_domain: "{{ undef(hint='Please define the DNS domain') }}"
+ipaclient_realm: "{{ undef(hint='Please define the Kerberos realm') }}"
+
+ipaclient_servers: "{{ undef(hint='Please define the hostnames of the FreeIPA servers') }}"
+ipaclient_dns_servers: "{{ undef(hint='Please define the IP addresses of the DNS servers') }}"
+
+ipaclient_sssd_enumeration: false
 
-enable_dns: false
-fallback_nameservers: ["8.8.8.8"]
+ipaadmin_principal: admin
+ipaadmin_password: "{{ undef(hint='Please define the FreeIPA adminstrator principal password') }}"

roles/freeipa_client/files/freeipa_dbus_session.conf

@@ -0,0 +1,22 @@
+<!--
+Copyright 2025 Cloudera, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    https://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+	<limit name="service_start_timeout">360000</limit>
+	<limit name="reply_timeout">360000</limit>
+</busconfig>

roles/freeipa_client/handlers/main.yml

@@ -1,19 +1,35 @@
----
-# Copyright 2023 Cloudera, Inc. All Rights Reserved.
+# Copyright 2025 Cloudera, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
-#      http://www.apache.org/licenses/LICENSE-2.0
+#     https://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-- name: Restart network
+- name: Restart host
+  ansible.builtin.reboot:
+
+- name: Restart SSSD
+  ansible.builtin.service:
+    name: "{{ sssd_service }}"
+    state: restarted
+
+# RHEL only
+- name: Restart DBUS
+  ansible.builtin.systemd:
+    name: dbus
+    enabled: true
+    masked: false
+    state: restarted
+
+# RHEL only
+- name: Restart logind
   ansible.builtin.service:
-    name: NetworkManager
+    name: systemd-logind
     state: restarted

roles/freeipa_client/meta/argument_specs.yml

@@ -0,0 +1,66 @@
+# Copyright 2025 Cloudera, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+argument_specs:
+  main:
+    short_description: Set up FreeIPA client
+    description:
+      - Set up FreeIPA client, registering the host with a FreeIPA server, configured for DNS updates.
+      - Set up DNS search domain and DNS forwarders for name resolution.
+      - Install either defined or default FreeIPA client packages.
+      - Optionally, configure SSSD to enumerate users and groups.
+    author: Cloudera Labs
+    version_added: "5.0.0"
+    options:
+      ipaclient_packages:
+        description:
+          - List of FreeIPA packages to install.
+          - If not defined, the role will default to the packages defined in the
+            L(freeipa.ansible_freeipa.ipaclient,https://github.com/freeipa/ansible-freeipa/tree/master/roles/ipaclient) role.
+        type: list
+        elements: str
+      ipaclient_domain:
+        description:
+          - Domain name for DNS search and FreeIPA registration.
+        required: true
+      ipaclient_realm:
+        description:
+          - Realm for the Kerberos service.
+        required: true
+      ipaclient_servers:
+        description:
+          - List of hostnames of the FreeIPA servers.
+        type: list
+        elements: str
+        required: true
+      ipaclient_dns_servers:
+        description:
+          - List of IP address of the DNS servers to use for resolution.
+          - Typically, the IP addresses of the FreeIPA DNS servers.
+        type: list
+        elements: str
+        required: true
+      ipaclient_sssd_enumeration:
+        description:
+          - Flag to enable the C(enumeration) setting in the SSSD configuration file.
+        type: bool
+        default: false
+      ipaadmin_principal:
+        description:
+          - Principal of the FreeIPA user with elevated priviledges allowing host registration.
+        default: admin
+      ipaadmin_password:
+        description:
+          - Password of the FreeIPA user with elevated priviledges allowing host registration.
+        required: true

roles/freeipa_client/meta/main.yml

@@ -0,0 +1,36 @@
+# Copyright 2024 Cloudera, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Converge
+  hosts: clients
+  gather_facts: true
+  become: true
+  tasks:
+    - name: Gather network details from the FreeIPA servers
+      ansible.builtin.setup:
+        gather_subset: default_ipv4
+      delegate_to: "{{ __ipa_server }}"
+      delegate_facts: true
+      loop: "{{ groups['server'] }}"
+      loop_control:
+        loop_var: __ipa_server
+
+    - name: Install FreeIPA client
+      ansible.builtin.import_role:
+        name: freeipa_client
+      vars:
+        ipaclient_domain: "{{ ipaserver_domain }}"
+        ipaclient_realm: "{{ ipaserver_realm }}"
+        ipaclient_servers: "{{ groups['server'] }}" # hostnames of FreeIPA servers
+        ipaclient_dns_servers: "{{ groups['server'] | map('extract', hostvars, ['ansible_default_ipv4', 'address']) | list }}"