commit 0079d257ea41c1f9b745a728851171a3e88a8353
Author: Vassiliy Yegorov
Date: Thu Mar 10 11:01:43 2022 +0700
init
diff --git a/install.MD b/install.MD
new file mode 100644
index 0000000..9e8ccd3
--- /dev/null
+++ b/install.MD
@@ -0,0 +1,179 @@
+# Setup
+
+## install soft
+
+dnf -y install freeipa-server ipa-server-dns bind-dyndb-ldap curl mc nano htop
+
+## setup
+
+export HNAME="id1.bildme.local"
+hostnamectl set-hostname $HNAME --static && hostname $HNAME
+
+check /etc/hosts (clear bad records ip4\ip6 with 127.x.x.x)
+
+192.168.9.42 id1.bildme.local id1
+192.168.9.45 id2.bildme.local id2
+
+ipa-server-install
+
+SAVE you PASSWORD!! (zAgQ9T2UEtGF0FRMPxIbg)
+
+for i in 80 443 389 636 88 464 53; do firewall-cmd --add-port=$i/tcp --permanent; done
+for i in 88 464 123 53; do firewall-cmd --add-port=$i/udp --permanent; done
+firewall-cmd --reload
+
+//todo: add groups\sudo setting with '!authenticate' and more..
+
+Done.
+
+## replica setup
+
+dnf -y install freeipa-server ipa-server-dns bind-dyndb-ldap curl mc nano htop
+
+export HNAME="id2.bildme.local"
+hostnamectl set-hostname $HNAME --static && hostname $HNAME
+
+check /etc/hosts (clear bad records ip4\ip6 with 127.x.x.x)
+
+192.168.9.42 id1.bildme.local id1
+192.168.9.45 id2.bildme.local id2
+
+- check dns
+set resolv.conf on master replica!
+
+ipa-client-install --mkhomedir --bildme=bildme.local --realm=BILDME.LOCAL --server=id1.bildme.local \
+ --ntp-server=91.189.89.198 --ntp-server=91.189.91.157 --ntp-server=91.189.89.199 \
+ --hostname=`hostname -f` --enable-dns-updates
+
+on ID1!
+
+kinit admin
+ipa hostgroup-add-member ipaservers --hosts id2.bildme.local
+
+on ID2!
+
+for i in 80 443 389 636 88 464 53; do firewall-cmd --add-port=$i/tcp --permanent; done
+for i in 88 464 123 53; do firewall-cmd --add-port=$i/udp --permanent; done
+firewall-cmd --reload
+
+ipa-replica-install --setup-dns --setup-ca --forwarder 192.168.9.9
+
+# Replica teardown
+
+on del replica
+ipa-server-install --uninstall
+
+on master:
+ipa-replica-manage del --force
+ipa hostgroup-remove-member ipaservers --hosts
+
+# Client setup
+
+- check hostname
+
+/etc/hostname = client2.bildme.local
+
+- check dns
+set resolv.conf on master\slave replica!
+
+apt update && apt upgrade -y
+apt-get install freeipa-client
+
+ipa-client-install --mkhomedir --hostname=`hostname -f` \
+ --server=id1.bildme.local --server=id2.bildme.local --bildme=bildme.local --realm=BILDME.LOCAL \
+ --ntp-server=192.168.9.42 --ntp-server=192.168.9.45
+
+ # Client windows setup
+
+ from AD:
+ ipa-getkeytab -s id1.bildme.local -p host/client1.bildme.local -e aes256-cts,aes128-cts,des3-hmac-sha1,des-hmac-sha1,des-cbc-md5,des-cbc-crc -k krb5.keytab.windows -P
+
+ from client:
+
+ksetup /setrealm BILDME
+ksetup /setbildme BILDME.LOCAL
+ksetup /addkdc BILDME.LOCAL id1.bildme.local
+ksetup /addkpasswd BILDME.LOCAL id1.bildme.local
+ksetup /setcomputerpassword [ПАРОЛЬ]
+ksetup /mapuser vasyansk@BILDME.LOCAL vasyansk
+
+
+# Fix warning on ID2
+
+0. dnf install -y ipa-healthcheck
+
+1. chmod 600 /var/log/kadmind.log
+2. fix idrange
+
+ipa-replica-manage dnarange-show
+>> 762600004-762799999 # (199 995 / 2 = 99 997)
+
+ipa-replica-manage dnarange-set id1.bildme.local 762600004-762700001
+ipa-replica-manage dnarange-set id2.bildme.local 762700002-762799999
+
+# Backup catalog
+
+- check dns
+set resolv.conf on master replica!
+
+0. add new client to catalog
+ipa-client-install --mkhomedir --bildme=bildme.local --realm=BILDME.LOCAL --server=id1.bildme.local \
+ --ntp-server=91.189.89.198 --ntp-server=91.189.91.157 --ntp-server=91.189.89.199 \
+ --hostname=`hostname -f` --enable-dns-updates
+
+- check new records of its replica in DNS-masters
+
+- open ports
+for i in 80 443 389 636 88 464 53; do firewall-cmd --add-port=$i/tcp --permanent; done
+for i in 88 464 123 53; do firewall-cmd --add-port=$i/udp --permanent; done
+firewall-cmd --reload
+
+- add its replica to ipaservers group
+
+1. add hidden replica for backup (if you have more resource)
+ipa-replica-install --hidden-replica
+
+# Restore replica
+
+- check dns, ip, hostname and version of ipa packages
+- install ipaserver if you need
+
+- ipa-restore /var/lib/ipa/backup/ipa-full-2022-03-07-10-42-22/
+
+run ipa-healthcheck get error of replication
+
+- ipa-replica-manage re-initialize --from id1.bildme.local
+- ipa-replica-manage force-sync --from id1.bildme.local
+- ipactl restart
+
+# Auth application LDAP connect
+
+https://docs.gitlab.com/ee/administration/auth/ldap/
+
+- add uidgitlab to system users by ipa-ctl.sh
+- add ENV's config to you gitlab app
+
+```bash
+LDAP_ENABLED=true
+LDAP_LABEL=LDAP
+
+# "start_tls" if 389, or "simple_tls" if 636
+LDAP_METHOD=simple_tls
+LDAP_ACTIVE_DIRECTORY=false
+LDAP_HOST=id1.bildme.local
+LDAP_PORT=636
+LDAP_UID=uid
+LDAP_PASS=zAgQ9T2UEtGF0FRMPxIbg
+LDAP_VERIFY_SSL=false
+LDAP_BASE="cn=users,cn=accounts,dc=bildme,dc=local"
+LDAP_USER_FILTER="(&(objectClass=posixaccount)(memberOf=cn=gitlab,cn=groups,cn=accounts,dc=bildme,dc=local))"
+LDAP_BIND_DN="uid=uidgitlab,cn=sysaccounts,cn=etc,dc=bildme,dc=local"
+```
+
+# Migrate users from AD
+
+1. https://github.com/akeske/AD-to-FreeIPA-user-migration/blob/master/ad2ipa.py
+
+# Freeipa behind ssl-proxy
+
+1. https://www.adelton.com/freeipa/freeipa-behind-proxy-with-different-name
diff --git a/ipa-ctl.sh b/ipa-ctl.sh
new file mode 100755
index 0000000..5631b81
--- /dev/null
+++ b/ipa-ctl.sh
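Review bot: A live credential is committed in this runbook: the value in parentheses after `SAVE you PASSWORD!!` is repeated verbatim as `LDAP_PASS=` in the gitlab config block, so the password written down at `ipa-server-install` time doubles as the `uidgitlab` bind password and now sits in git history. Rotate it, give the system account its own password, and replace both occurrences with placeholders such as `LDAP_PASS=<bind-password>`. In the same block `LDAP_VERIFY_SSL=false` combined with `LDAP_METHOD=simple_tls` means the bind DN and password are sent to whatever answers on port 636 without certificate validation; point gitlab at the IPA CA certificate and set it to `true`. The `ipa-getkeytab -e` list in the Windows client section also requests the legacy single-DES and 3DES enctypes that current Kerberos implementations no longer support; `aes256-cts,aes128-cts` is sufficient.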
@@ -0,0 +1,130 @@
+#!/usr/bin/env bash
+ssleval=true
+prefix=ldaps
+passeval() { [ -z $bindpass ] && passeval="UNSET!" || passeval="SET!"; }
+ssleval() { [ "$prefix" == "ldaps" ] && ssleval="true" || ssleval="false"; }
+actionseval() { [ "$ldapserver" ] && [ "$binduser" ] && [ "$domain" ] && [ "$passeval" == "SET!" ] && actionseval="ready" || actionseval="conditions not yet met" && return 1; }
+
+menu() {
+ passeval
+ ssleval
+ actionseval
+ clear
+ echo "\
+### FreeIPA - System Account Manager ###
+1.) ldapserver=$ldapserver
+2.) domain=$domain (ldapdomain=$ldapdomain)
+3.) binduser=$binduser
+4.) bindpass=$passeval
+5.) ssl=$ssleval
+
+Actions ($actionseval):
+ add | rm | ls | info | passwd
+
+--- Results ---
+$results
+--- End Results ---
+"
+}
+
+domain2ldapdomain() {
+ echo "${1}" | awk -F'.' '{for(i=1;i<=NF;i++) printf "dc="$i","; print ""}' | sed 's/,$//'
+}
+
+dotask() {
+ case $1 in
+# Setup
+ 1|ldapserver)
+ read -p "ldapserver=" ldapserver
+ [ -z $domain ] && domain=${ldapserver#*.} && ldapdomain=$(domain2ldapdomain "$domain")
+ ;;
+ 2|domain)
+ read -p "domain=" domain
+ ldapdomain=$(domain2ldapdomain "$domain")
+ #read -p "ldapdomain=" ldapdomain
+ ;;
+ 3|binduser)
+ [ -z $domain ] && echo "We need the domain first." && dotask domain
+ echo "Enter \"mgr\" for Directory Manager. Otherwise enter the username or full binddn (-D option in ldapsearch)"
+ read -p "binduser=" swap
+ [ "$swap" == "mgr" ] && binduser='cn=Directory Manager' && return
+ echo "$swap" | grep '=' -q && binduser="$swap" || binduser="uid=$swap,cn=users,cn=accounts,$ldapdomain"
+ ;;
+ 4|bindpass)
+ read -sp "Enter password (will not echo): " bindpass
+ ;;
+ 5|ssl)
+ [ "$prefix" == "ldaps" ] && prefix=ldap || prefix=ldaps
+ ;;
+
+# Actions
+ # poc)
+ # results=$(ldapsearch "$prefix""://""$ldapserver" -b "$ldapdomain" -D "$binduser" -w "$bindpass")
+ # ;;
+ ls)
+ results=$(ldapsearch -H "$prefix""://""$ldapserver" -b "cn=sysaccounts,cn=etc,$ldapdomain" -D "$binduser" -w "$bindpass" "(uid=*)" "dn" | grep 'dn: uid')
+ ;;
+ info)
+ [ "$2" ] && local uid="$2" || uid="*"
+ results=$(ldapsearch -H "$prefix""://""$ldapserver" -b "cn=sysaccounts,cn=etc,$ldapdomain" -D "$binduser" -w "$bindpass" "(uid=$uid)" "uid" "memberOf" "passwordExpirationTime")
+ ;;
+ add)
+ local uid password
+ [ "$2" ] && local uid="$2" || read -p "uid of new user=" uid
+ read -sp "password of new user (blank to generate a password)=" password
+ [ -z "$password" ] && password=$(randpw) && echo && echo "Generated password: $password"
+ echo
+ read -p "password expiration date YYYYMMDD (blank for 20380119)=" expire
+ [ -z "$expire" ] && expire=20380119
+echo -E "\
+dn: uid=$uid,cn=sysaccounts,cn=etc,$ldapdomain
+changetype: add
+objectclass: account
+objectclass: simplesecurityobject
+uid: $uid
+userPassword: $password
+passwordExpirationTime: ${expire}031407Z
+nsIdleTimeout: 0" | ldapmodify -H "$prefix""://""$ldapserver" -D "$binduser" -w "$bindpass" && results="Submitted." || results="Error."
+ ;;
+ rm)
+ local uid
+ [ "$2" ] && local uid="$2" || read -p "uid of user to remove=" uid
+echo -E "\
+dn: uid=$uid,cn=sysaccounts,cn=etc,$ldapdomain
+changetype: delete" | ldapmodify -H "$prefix""://""$ldapserver" -D "$binduser" -w "$bindpass" && results="Submitted." || results="Error."
+ ;;
+ passwd)
+ local uid password
+ [ "$2" ] && local uid="$2" || read -p "uid of user=" uid
+ read -sp "new password for user (blank to generate a password)=" password
+ [ -z "$password" ] && password=$(randpw) && echo && echo "Generated password: $password"
+ echo
+ read -p "password expiration date YYYYMMDD (blank for 20380119)=" expire
+ [ -z "$expire" ] && expire=20380119
+echo -E "\
+dn: uid=$uid,cn=sysaccounts,cn=etc,$ldapdomain
+changetype: modify
+replace: userPassword
+userPassword: $password
+-
+replace: passwordExpirationTime
+passwordExpirationTime: ${expire}031407Z" | ldapmodify -H "$prefix""://""$ldapserver" -D "$binduser" -w "$bindpass" && results="Submitted." || results="Error."
+ ;;
+ exit)
+ exit
+ ;;
+ "")
+ results=""
+ ;;
+ *)
+ results="\"$input\" command not found."
+ esac
+}
+
+prompt() { read -p '> ' input; dotask $input; }
+randpw() { < /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c${1:-20};echo;}
+
+while :; do
+ menu
+ prompt
+done
diff --git a/letsencrypt/ipa-httpd.cnf b/letsencrypt/ipa-httpd.cnf
new file mode 100644
index 0000000..7711508
--- /dev/null
+++ b/letsencrypt/ipa-httpd.cnf
@@ -0,0 +1,18 @@
+# the fully qualified server (or service) name
+FQDN = id1.storedme.com
+ALTNAMES = DNS:$FQDN
+
+# --- no modifications required below ---
+[ req ]
+default_bits = 2048
+default_md = sha256
+prompt = no
+encrypt_key = no
+distinguished_name = dn
+req_extensions = req_ext
+
+[ dn ]
+CN = $FQDN
+
+[ req_ext ]
+subjectAltName = $ALTNAMES
diff --git a/letsencrypt/renew-le.sh b/letsencrypt/renew-le.sh
new file mode 100755
index 0000000..3ae9d94
--- /dev/null
+++ b/letsencrypt/renew-le.sh
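Review bot: Every `ldapsearch`/`ldapmodify` call in the `ls`, `info`, `add`, `rm` and `passwd` arms passes the bind password as `-w "$bindpass"`, which exposes it on the command line to any local user through the process list and to shell tracing. Write the secret to a 0600 temp file once in the `4|bindpass` arm and let the tools read it with `-y "$passfile"` instead; the rewritten arm is below. The `5|ssl` toggle switches to plain `ldap://` with no `-ZZ`, so after toggling, the simple bind sends the same password in cleartext over the network — add `-ZZ` for the non-ldaps case or drop the toggle. `[ -z $bindpass ]` in `passeval` near the top of the file is unquoted and errors on a password containing whitespace; write it as `[ -z "$bindpass" ]`.
```shell
    4|bindpass)
        read -sp "Enter password (will not echo): " bindpass
        # keep the secret off argv: each ldap tool reads it back with -y "$passfile"
        [ -n "${passfile:-}" ] || passfile=$(umask 077 && mktemp) || return 1
        printf '%s' "$bindpass" > "$passfile"
        trap 'rm -f -- "$passfile"' EXIT
        ;;
    # … unchanged: ls/info/add/rm/passwd arms, with every -w "$bindpass" replaced by -y "$passfile" …
```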
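Review bot: `FQDN = id1.storedme.com` is committed as a concrete host name, while `letsencrypt/setup-le.sh` in this same commit expects to rewrite a placeholder with `sed -i "s/server.example.test/$FQDN/g"`; with this file the substitution matches nothing, so on any host other than id1.storedme.com the CSR (`CN` and `subjectAltName`) is generated for the wrong name and a certificate for another host's name gets requested. Commit the file with the placeholder, `FQDN = server.example.test`, or make setup-le.sh rewrite whatever value follows `FQDN = `, e.g. `sed -i "s/^FQDN = .*/FQDN = $FQDN/" "$WORKDIR/ipa-httpd.cnf"`.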
@@ -0,0 +1,44 @@
+#!/usr/bin/bash
+set -o nounset
+
+WORKDIR=$(dirname "$(realpath $0)")
+EMAIL="mail@mail.ru"
+
+### cron
+# check that the cert will last at least 2 days from now to prevent too frequent renewal
+# comment out this line for the first run
+if [ "${1:-renew}" != "--first-time" ]
+then
+ start_timestamp=`date +%s --date="$(openssl x509 -startdate -noout -in /var/lib/ipa/certs/httpd.crt | cut -d= -f2)"`
+ now_timestamp=`date +%s`
+ let diff=($now_timestamp-$start_timestamp)/86400
+ if [ "$diff" -lt "2" ]; then
+ echo "Certificate is actuality"
+ exit 0
+ fi
+fi
+cd "$WORKDIR"
+# cert renewal is needed if we reached this line
+
+# cleanup
+rm -f "$WORKDIR"/*.pem
+rm -f "$WORKDIR"/httpd-csr.*
+
+# generate CSR
+OPENSSL_PASSWD_FILE="/var/lib/ipa/passwds/$HOSTNAME-443-RSA"
+[ -f "$OPENSSL_PASSWD_FILE" ] && OPENSSL_EXTRA_ARGS="-passin file:$OPENSSL_PASSWD_FILE" || OPENSSL_EXTRA_ARGS=""
+openssl req -new -sha256 -config "$WORKDIR/ipa-httpd.cnf" -key /var/lib/ipa/private/httpd.key -out "$WORKDIR/httpd-csr.der" $OPENSSL_EXTRA_ARGS
+
+# httpd process prevents letsencrypt from working, stop it
+service httpd stop
+
+# get a new cert
+letsencrypt certonly --standalone --csr "$WORKDIR/httpd-csr.der" --email "$EMAIL" --agree-tos
+
+# replace the cert
+cp /var/lib/ipa/certs/httpd.crt /var/lib/ipa/certs/httpd.crt.bkp
+mv -f "$WORKDIR/0000_cert.pem" /var/lib/ipa/certs/httpd.crt
+restorecon -v /var/lib/ipa/certs/httpd.crt
+
+# start httpd with the new cert
+service httpd start
diff --git a/letsencrypt/setup-le.sh b/letsencrypt/setup-le.sh
new file mode 100755
index 0000000..ea2a694
--- /dev/null
+++ b/letsencrypt/setup-le.sh
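Review bot: The freshness check under `### cron` only measures the certificate's age: it reads `-startdate`, divides `now - start` by 86400 and skips renewal when that is below 2, so once the certificate is two days old every cron run falls through and requests a new one, which contradicts the comment ("will last at least 2 days from now") and will run into the CA's duplicate-certificate rate limit. Replace the `start_timestamp`/`now_timestamp`/`let diff` block inside the existing `--first-time` guard with a remaining-lifetime test, `if openssl x509 -checkend $((30*86400)) -noout -in /var/lib/ipa/certs/httpd.crt; then echo "Certificate still valid for 30+ days"; exit 0; fi`. Separately, the script runs with `nounset` only, so when `letsencrypt certonly` fails the later `mv -f` of `0000_cert.pem` fails as well, httpd is restarted with the old cert and the script still exits 0; guard it with `letsencrypt certonly … || { service httpd start; exit 1; }` so cron reports the failure.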
@@ -0,0 +1,31 @@
+#!/usr/bin/bash
+set -o nounset -o errexit
+
+FQDN=$(hostname -f)
+WORKDIR=$(dirname "$(realpath $0)")
+CERTS=("isrgrootx1.pem" "isrg-root-x2.pem" "lets-encrypt-r3.pem" "lets-encrypt-e1.pem" "lets-encrypt-r4.pem" "lets-encrypt-e2.pem")
+
+sed -i "s/server.example.test/$FQDN/g" $WORKDIR/ipa-httpd.cnf
+
+dnf install letsencrypt -y
+
+if [ ! -d "/etc/ssl/$FQDN" ]
+then
+ mkdir -p "/etc/ssl/$FQDN"
+fi
+
+for CERT in "${CERTS[@]}"
+do
+ if command -v wget &> /dev/null
+ then
+ wget -O "/etc/ssl/$FQDN/$CERT" "https://letsencrypt.org/certs/$CERT"
+ elif command -v curl &> /dev/null
+ then
+ curl -o "/etc/ssl/$FQDN/$CERT" "https://letsencrypt.org/certs/$CERT"
+ fi
+ ipa-cacert-manage install "/etc/ssl/$FQDN/$CERT"
+done
+
+ipa-certupdate
+
+"$WORKDIR/renew-le.sh" --first-time
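Review bot: The `curl -o` download line runs without `-f`, so an HTTP error from letsencrypt.org leaves the error page in `/etc/ssl/$FQDN/$CERT` with exit status 0, and the next line then hands that file to `ipa-cacert-manage install` as a trusted CA; `errexit` does not catch this. Use `curl -fsSL -o "/etc/ssl/$FQDN/$CERT" "https://letsencrypt.org/certs/$CERT"` (the `wget -O` branch already fails on HTTP errors), and add an `else` arm that exits with a message when neither tool exists, so the install step is never reached with a missing file. `$WORKDIR/ipa-httpd.cnf` on the `sed -i` line and `realpath $0` are the only unquoted expansions in the file; quote them.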