authorCaolan McMahon <caolan@caolanmcmahon.com>2014-12-14 13:46:08 +0000
committerCaolan McMahon <caolan@caolanmcmahon.com>2014-12-14 13:46:08 +0000
commit05f5e59b9672cfea26443834eedaa8a97a188434 (patch)
treeb74bb393b9950461ee0a42470a5f74d48d11960d
first commit
-rw-r--r--README.md1
-rw-r--r--create_freeipa.sh34
-rw-r--r--freeipa-client-f21.ks106
-rw-r--r--freeipa-server-f21.ks74
4 files changed, 215 insertions, 0 deletions
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..0d9627b
--- /dev/null
+++ b/README.md
@@ -0,0 +1 @@
+Tools for provisioning the Dark Peak FreeIPA identity server
diff --git a/create_freeipa.sh b/create_freeipa.sh
new file mode 100644
index 0000000..db7570e
--- /dev/null
+++ b/create_freeipa.sh
@@ -0,0 +1,34 @@
+#!/bin/bash
+
+# Check if we are root
+if [ "$(id -u)" != "0" ] ; then
+ echo ""
+ echo "Not running as root, exiting."
+ echo "Try:"
+ echo " \$ sudo $0 [server|client]"
+ echo ""
+ exit 1
+fi
+
+if [ -z "$1" ] || [ "$1" != "server" ] && [ "$1" != "client" ] ; then
+ echo ""
+ echo "Incorrect type specified, exiting."
+ echo "Try:"
+ echo " \$ sudo $0 [server|client]"
+ echo ""
+ exit 1
+else
+ TYPE=$1
+fi
+
+# Install the tools if we haven't got them
+if [ "$(which virt-viewer virt-install virt-manager | wc -l)" -lt 3 ] ; then
+ yum -y install virt-manager virt-install virt-viewer libvirt-daemon-kvm
+fi
+
+# Create VM and kick off the installation
+virt-install --virt-type=kvm --name=freeipa-$TYPE --ram=2048 --vcpus=1 --arch=x86_64 --graphics=spice --os-variant=fedora20 \
+ --disk=size=15, --network=network=virt \
+ --location="http://www.mirrorservice.org/sites/dl.fedoraproject.org/pub/fedora/linux/development/21/x86_64/os/" \
+ --initrd-inject="./freeipa-$TYPE-f21.ks" --extra-args="ks=file:/freeipa-$TYPE-f21.ks"
+
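Review bot: The argument check `if [ -z "$1" ] || [ "$1" != "server" ] && [ "$1" != "client" ]` only accepts the right values because `||` and `&&` share precedence and group left to right; the `-z` test is redundant and a reader is likely to parse the intent differently. A `case "$1" in server|client) TYPE=$1 ;; *) echo "Incorrect type specified, exiting." >&2; exit 1 ;; esac` states the allowed values directly. The tool check counts lines of `which` output, which varies between implementations; `command -v virt-install >/dev/null 2>&1 || yum -y install ...` per tool is more portable. `--name=freeipa-$TYPE` and the `--initrd-inject`/`--extra-args` values are safe only because TYPE has been validated; quoting the expansions as `"freeipa-$TYPE"` costs nothing, and the trailing comma in `--disk=size=15,` looks accidental. With no `set -e`, a failed `yum` install falls straight through to `virt-install`, so `|| exit 1` on that line would give a clearer failure.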
diff --git a/freeipa-client-f21.ks b/freeipa-client-f21.ks
new file mode 100644
index 0000000..2b96a55
--- /dev/null
+++ b/freeipa-client-f21.ks
@@ -0,0 +1,106 @@
+# Kickstart for deploying FreeIPA infrastructure on F21
+
+# Network installation
+install
+url --url="http://www.mirrorservice.org/sites/dl.fedoraproject.org/pub/fedora/linux/development/21/x86_64/os/"
+repo --name=updates
+repo --name=updates-testing
+
+# System authorization information
+auth --enableshadow --passalgo=sha512
+rootpw --plaintext freeipa
+
+# Network information
+network --bootproto=dhcp --device=eth0 --noipv6 --activate
+network --hostname=service.darkpeak.org
+
+# Disk partitioning information
+zerombr
+ignoredisk --only-use=vda
+bootloader --location=mbr --boot-drive=vda
+autopart --type=lvm
+clearpart --all --initlabel --drives=vda
+
+# Localisation
+keyboard --vckeymap=uk --xlayouts='gb'
+lang en_GB.UTF-8
+timezone Europe/London --nontp --isUtc
+
+# Security information
+firewall --disabled
+selinux --permissive
+
+# Don't run setup agent
+firstboot --disabled
+
+# Other services
+services --disabled="chronyd"
+
+# Reboot when done
+reboot
+
+%packages
+# Base packages
+@core
+@standard
+@hardware-support
+@server-product
+@headless-management
+-abrt-cli
+# Everything needed to be a FreeIPA Client
+@domain-client
+# To apply a patch to the ipa-client-install script
+patch
+# For building the example web service
+git
+maven
+%end
+
+%post
+# Patch ipa-client-install script so we don't hang when there's no NTP
+# daemon running on the IPA server
+pushd /usr/sbin
+patch -p3 <<EOF
+--- /usr/sbin/ipa-client-install 2014-10-24 18:03:01.203000000 +0100
++++ /usr/sbin/ipa-client-install 2014-10-24 18:00:38.760000000 +0100
+@@ -2343,8 +2343,8 @@
+ synced_ntp = ipaclient.ntpconf.synconce_ntp(s)
+ if synced_ntp:
+ break
+- if not synced_ntp:
+- synced_ntp = ipaclient.ntpconf.synconce_ntp(cli_server[0])
++ #if not synced_ntp:
++ #synced_ntp = ipaclient.ntpconf.synconce_ntp(cli_server[0])
+ if not synced_ntp:
+ root_logger.warning("Unable to sync time with IPA NTP " +
+ "server, assuming the time is in sync. Please check " +
+EOF
+popd
+
+# Write FreeIPA enrollement script, this should be executed after first boot
+cat <<EOF >/root/freeipa_enroll.sh
+#!/bin/sh
+
+# Check we are given an IP address
+if [ -z "\$1" ] ; then
+ echo ""
+ echo "Must specify IP address of FreeIPA DNS server, exiting."
+ echo ""
+ exit 1
+else
+ DNS_IP_ADDR="\$1"
+fi
+
+# Configure DNS
+nmcli connection modify eth0 ipv4.ignore-auto-dns yes
+nmcli connection modify eth0 ipv4.dns-search darkpeak.org
+nmcli connection modify eth0 ipv4.dns \$DNS_IP_ADDR
+systemctl restart NetworkManager.service
+
+# Enroll
+ipa-client-install --enable-dns-updates --no-dns-sshfp --no-sudo --no-sshd --no-ssh \\
+ --no-nisdomain --no-ntp --principal=admin@DARKPEAK.ORG
+EOF
+chmod +x /root/freeipa_enroll.sh
+%end
+
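Review bot: `rootpw --plaintext freeipa` gives every machine built from this kickstart the same guessable root password, kept in this repository and in the copy of the kickstart the installer leaves on the installed host; the server kickstart in the next file repeats it at its own `rootpw` line. Use `rootpw --iscrypted <SHA-512-HASH-PLACEHOLDER>` generated per deployment, or lock the root account and provision an SSH key instead. `firewall --disabled` and `selinux --permissive` remove the two layers that would otherwise contain a compromised service on an identity host; if they are needed to get the install working, a comment saying so and a follow-up to re-enable them would help. The %post patch comments out the fallback NTP sync against `cli_server[0]` to avoid a hang, and the enrolment script then passes `--no-ntp`; a comment such as `# NTP sync is disabled here and in freeipa_enroll.sh: the client needs its own time source or Kerberos will fail on clock skew` would make that dependency explicit. The enrolment script also uses `$1` as a DNS address without checking it is an IP address, so a typo silently rewrites the connection's DNS settings.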
diff --git a/freeipa-server-f21.ks b/freeipa-server-f21.ks
new file mode 100644
index 0000000..bec70e2
--- /dev/null
+++ b/freeipa-server-f21.ks
@@ -0,0 +1,74 @@
+# Kickstart for deploying FreeIPA infrastructure on F21
+
+# Network installation
+install
+url --url="http://www.mirrorservice.org/sites/dl.fedoraproject.org/pub/fedora/linux/development/21/x86_64/os/"
+repo --name=updates
+repo --name=updates-testing
+
+# System authorization information
+auth --enableshadow --passalgo=sha512
+rootpw --plaintext freeipa
+
+# Network information
+network --bootproto=dhcp --device=eth0 --noipv6 --activate
+network --hostname=id.darkpeak.org
+
+# Disk partitioning information
+zerombr
+ignoredisk --only-use=vda
+bootloader --location=mbr --boot-drive=vda
+autopart --type=lvm
+clearpart --all --initlabel --drives=vda
+
+# Localisation
+keyboard --vckeymap=uk --xlayouts='gb'
+lang en_GB.UTF-8
+timezone Europe/London --nontp --isUtc
+
+# Security information
+firewall --disabled
+selinux --permissive
+
+# Don't run setup agent
+firstboot --disabled
+
+# Other services
+services --disabled="chronyd"
+
+# Reboot when done
+reboot
+
+%packages
+# Base packages
+@core
+@standard
+@hardware-support
+@server-product
+@headless-management
+-abrt-cli
+# Everything needed to be a FreeIPA Client
+@domain-client
+# Everything needed to be a FreeIPA Server
+@freeipa-server
+%end
+
+%post
+cat <<EOF >/root/freeipa_setup.sh
+#!/bin/sh
+
+# Kerberos Master and LDAP Manager password
+PASS_MASTER=$( < /dev/urandom tr -dc [:alnum:] | head -c16 )
+# FreeIPA "admin" password
+PASS_ADMIN=$( < /dev/urandom tr -dc [:alnum:] | head -c16 )
+
+IP_ADDR=\$(ip -family inet -oneline address show dev eth0 | awk '{print $4}' | cut -d'/' -f1)
+
+ipa-server-install -r DARKPEAK.ORG -n darkpeak.org --hostname=id.darkpeak.org --ip-address=\$IP_ADDR \\
+ --no-ssh --no-sshd --no-dns-sshfp --setup-dns --no-host-dns --no-forwarders --no-dnssec-validation \\
+ --no-ntp --ds-password=\$PASS_MASTER --master-password=\$PASS_MASTER --admin-password=\$PASS_ADMIN \\
+ --idstart=5000 --subject="O=Dark Peak Data Co-operative Limited" \\
+ && echo "FreeIPA Admin Password is: \$PASS_ADMIN"
+EOF
+chmod +x /root/freeipa_setup.sh
+%end
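Review bot: In the unquoted heredoc that writes /root/freeipa_setup.sh, `$4` in `awk '{print $4}'` is not escaped, so the %post shell expands it (presumably to an empty positional parameter) before the file is written; the generated script then runs `awk '{print }'`, prints the whole `ip` line, and IP_ADDR ends up as something like `2: eth0    inet 192.0.2.10` rather than the address. It should be `awk '{print \$4}'`, matching the escaped `\$(...)` around it. The two `$( < /dev/urandom ... )` substitutions are likewise expanded at %post time, so the DS/master and admin passwords are baked as literals into the script, yet the file is created with `chmod +x` (0755 under the usual umask) and is the only place the master password is ever recorded; `chmod 0700 /root/freeipa_setup.sh` plus a comment noting that the master password lives only in this file would close that gap, and `'[:alnum:]'` should be quoted so the class is not subject to pathname expansion. The passwords are also passed on the `ipa-server-install` command line, where they are visible in the process list for the duration of the install; omitting the password options lets the installer prompt for them instead.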