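# LXD profile "ipa1": one NIC with a static address on the "ipa" network and a
# cloud-init payload that turns the container into a FreeIPA server on first
# boot. The original export was collapsed onto three lines (unparseable as
# YAML); the structure below is restored from the key order, values unchanged.
# PASSWORD1 / PASSWORD2 read as placeholders and must be substituted before
# the profile is applied.
name: ipa1
description: LXD profile for lxc
devices:
  eth0:
    ipv4.address: 10.1.3.2
    network: ipa
    type: nic
  root:
    path: /
    pool: btrfs1
    size: 5GiB
    type: disk
config:
  limits.memory: 2GiB
  # LXD config values are strings, hence the quoted boolean.
  limits.memory.swap: 'false'
  # Quoted because '@' is a reserved YAML indicator.
  snapshots.schedule: '@daily'
  snapshots.expiry: 4d
  # cloud-init network config v1; the static address matches
  # devices.eth0.ipv4.address above (both 10.1.3.2).
  cloud-init.network-config: |
    version: 1
    config:
      - type: physical
        name: eth0
        subnets:
          - type: static
            ipv4: true
            address: 10.1.3.2
            netmask: 255.255.255.0
            gateway: 10.1.3.1
            control: auto
      - type: nameserver
        address: [1.1.1.1]
  # NOTE(review): the secrets used below (--ds-password, --admin-password,
  # the kinit / user-add pipes, ldapmodify -w) are literal strings in this
  # profile and are handed to commands on argv, so they are readable in the
  # profile itself, in process listings while each command runs, and in the
  # user-data copy cloud-init keeps on the instance. Inject them at deploy
  # time rather than committing them with the profile.
  cloud-init.user-data: |
    #cloud-config
    write_files:
      # dnf proxy; append: true keeps the distro's existing dnf.conf.
      - path: /etc/dnf/dnf.conf
        permissions: '0644'
        owner: root:root
        append: true
        content: |
          proxy=http://10.1.2.2:3128/
    package_update: true
    package_upgrade: true
    packages:
      - less
      - lsof
      - NetworkManager-tui
      - tcpdump
      - chrony
    runcmd:
      # NOTE(review): this hostname (ipa1.martin.ads) does not match the
      # --hostname / --domain given to ipa-server-install further down
      # (ipa1.domain.ads / domain.ads); confirm which one is intended.
      - hostnamectl set-hostname ipa1.martin.ads
      - timedatectl set-timezone Europe/Berlin
      # Disable IPv6 everywhere except loopback, then drop the ::1 and
      # localhost.localdomain lines from /etc/hosts.
      - echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.conf
      - echo "net.ipv6.conf.default.disable_ipv6 = 1" >> /etc/sysctl.conf
      - echo "net.ipv6.conf.lo.disable_ipv6 = 0" >> /etc/sysctl.conf
      - sysctl -w net.ipv6.conf.lo.disable_ipv6=0
      - sysctl -p
      - sed -i '/::1/d' /etc/hosts
      - sed -i '/localhost.localdomain/d' /etc/hosts
      # chronyd -x: do not adjust the system clock (a container usually
      # cannot), so this instance only serves time to clients.
      - sed -i 's#ExecStart=/usr/sbin/chronyd#ExecStart=/usr/sbin/chronyd -x#' /usr/lib/systemd/system/chronyd.service
      - systemctl daemon-reload
      - systemctl enable --now chronyd
      - chronyc sources
      # NOTE(review): 'allow 0.0.0.0/0' answers NTP queries from any source
      # address; restrict it to the client subnets that need it.
      - sed -i '/^allow /d' /etc/chrony.conf
      - echo 'allow 0.0.0.0/0' >> /etc/chrony.conf
      - sed -i '/^server /d' /etc/chrony.conf
      - echo "server 0.pool.ntp.org iburst" >> /etc/chrony.conf
      - systemctl restart chronyd
      - dnf install -y ipa-server-dns ipa-server
      # Unattended install; credentials come from this file (see note above).
      - ipa-server-install --skip-mem-check --unattended --domain=domain.ads --realm=DOMAIN.ADS --netbios-name=DOMAIN --ds-password="PASSWORD1" --admin-password="PASSWORD1" --hostname=ipa1.domain.ads
      - echo -n PASSWORD1 | kinit admin
      - echo -n "PASSWORD2" | ipa user-add serveradmin --first="serveradmin" --last="serveradmin" --password
      # Push serveradmin's Kerberos password expiry out one year from now.
      - ipa user-mod serveradmin --setattr=krbPasswordExpiration=$(date -u -d "+1 year" +"%Y-%m-%dT%H:%M:%SZ")
      - ipa user-mod serveradmin --shell /bin/bash
      # NOTE(review): this policy gives service_accounts members passwords that
      # never expire (--maxlife=0) and no password history, and the built-in
      # admin account is added to the group, so admin's password never expires.
      - ipa group-add service_accounts --desc="Service Accounts"
      - ipa pwpolicy-add service_accounts --minlife=0 --maxlife=0 --history= --priority=1
      - ipa group-add-member service_accounts --users=admin
      - ipa group-add guacamole_user --desc "guacamole_user"
      - ipa group-add-member guacamole_user --users=serveradmin
      # Hardening: disable the default allow_all HBAC rule so access has to be
      # granted by explicit rules (see /root/add_HBAC.sh below).
      - ipa hbacrule-disable allow_all
      # Per its file name, suppresses the Negotiate login popup for Windows
      # browsers on the IPA web UI.
      - echo "BrowserMatch Windows gssapi-no-negotiate" > /etc/httpd/conf.d/no-login-popup.conf
      # Hardening: limit anonymous LDAP binds to the rootDSE.
      - |
        cat << 'EOF' | tee /root/disable_anon_bind.ldif > /dev/null
        dn: cn=config
        changetype: modify
        replace: nsslapd-allow-anonymous-access
        nsslapd-allow-anonymous-access: rootdse
        EOF
      # -ZZ requires StartTLS to succeed; -w puts the Directory Manager
      # password on argv (see the note on secrets above).
      - ldapmodify -x -D "cn=Directory Manager" -w PASSWORD1 -H ldap:// -ZZ -f /root/disable_anon_bind.ldif
      - ipactl restart
      # Writes (does not run) a helper that creates per-host HBAC and sudo rules.
      # NOTE(review): the rules get hosts, services and commands but no users
      # (no hbacrule-add-user / sudorule-add-user, no --usercat=all), so as
      # written they appear to match nobody until users are attached. The sudo
      # rules are !authenticate with runasusercat=all for /usr/bin/su, i.e.
      # passwordless root for whoever is later added — keep that membership
      # tight. 'serverhostname' and awk '{print $2}' assume a particular line
      # shape in `ipa host-find --all` output; verify against real output.
      - |
        #!/bin/bash
        cat << 'EOF' > /root/add_HBAC.sh
        ipa hbacsvc-add xrdp-sesman
        for host in $(ipa host-find --all | grep 'serverhostname' | awk '{print $2}'); do ipa hbacrule-add "allow_login_$host"; done
        for host in $(ipa host-find --all | grep 'serverhostname' | awk '{print $2}'); do ipa hbacrule-add-host "allow_login_$host" --hosts="$host"; done
        for host in $(ipa host-find --all | grep 'serverhostname' | awk '{print $2}'); do ipa hbacrule-add-service "allow_login_$host" --hbacsvcs=login; done
        for host in $(ipa host-find --all | grep 'serverhostname' | awk '{print $2}'); do ipa hbacrule-add-service "allow_login_$host" --hbacsvcs=sshd; done
        for host in $(ipa host-find --all | grep 'serverhostname' | awk '{print $2}'); do ipa hbacrule-add-service "allow_login_$host" --hbacsvcs=sudo; done
        for host in $(ipa host-find --all | grep 'serverhostname' | awk '{print $2}'); do ipa sudorule-add "become_root_$host" --desc="Sudo rule for host $host"; done
        ipa sudocmd-add "/usr/bin/su" --desc="Allow su command"
        for host in $(ipa host-find --all | grep 'serverhostname' | awk '{print $2}'); do ipa sudorule-add-allow-command "become_root_$host" --sudocmds="/usr/bin/su"; done
        for host in $(ipa host-find --all | grep 'serverhostname' | awk '{print $2}'); do ipa sudorule-add-option "become_root_$host" --sudooption=!authenticate; done
        for host in $(ipa host-find --all | grep 'serverhostname' | awk '{print $2}'); do ipa sudorule-mod "become_root_$host" --runasusercat=all; done
        for host in $(ipa host-find --all | grep 'serverhostname' | awk '{print $2}'); do ipa sudorule-mod "become_root_$host" --runasgroupcat=all; done
        for host in $(ipa host-find --all | grep 'serverhostname' | awk '{print $2}'); do ipa sudorule-add-host "become_root_$host" --hosts="$host"; done
        EOF
      - chmod +x /root/add_HBAC.sh
      - systemctl stop auth-rpcgss-module
      - systemctl disable auth-rpcgss-module
      - systemctl reset-failed
      - systemctl daemon-reload
      # One-shot provisioning: cloud-init is disabled so later boots do not
      # re-run this payload.
      - systemctl disable cloud-init
      - systemctl stop cloud-init
# These two keys look like fields returned by the LXD API alongside the
# profile rather than user settings.
access_entitlements:
  - can_delete
  - can_edit
project: default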