This repository contains a configuration template (i.e. an Ansible Role) to customize your environment in the European Weather Cloud (EWC). The template is designed to:
- Configure a pre-existing virtual machine, running RockyLinux versions 9 or 8, or Ubuntu versions 24 or 22, to connect to an IPA server running on the same subnet, such that it:
  - Is able to leverage DNS resolution and discover other private hosts or public addresses
  - Is remotely accessible via public key or password to centrally managed LDAP users
Copyright © EUMETSAT 2025.
The provided code and instructions are licensed under the MIT license. They are intended to automate the setup of an environment that includes third-party software components. The usage and distribution terms of the resulting environment are subject to the individual licenses of those third-party libraries.
Users are responsible for reviewing and complying with the licenses of all third-party components included in the environment.
Contact EUMETSAT for details on the usage and distribution terms.
The step-by-step instructions below assume your local file system follows the example structure below, with ewc-ansible-role-ipa-client being a clone of this repository:
```
.
├── roles
│   └── ewc-ansible-role-ipa-client
├── inventory.yml
└── playbook.yml
```
Create an inventory file to specify address/credentials that Ansible should use to reach the virtual machine you wish to configure:
```yaml
# inventory.yml
---
ewcloud:
  hosts:
    ipa_client:
      ansible_python_interpreter: /usr/bin/python3
      ansible_host: <add the IPv4 address of the target host>
      ansible_ssh_private_key_file: <add the path to local SSH RSA private key file>
      ansible_user: <add the username which owns the SSH RSA private key>
```

Edit input values for the template variables as needed (see Inputs section for details). Then, proceed to create an Ansible Playbook file to load your customizations:
```yaml
# playbook.yml
---
- name: Deploy IPA Client on RockyLinux or Ubuntu
  hosts: ipa_client
  become: true
  become_user: root
  become_method: ansible.builtin.sudo
  roles:
    - ewc-ansible-role-ipa-client
```
You can apply changes on the target host by running:
```
ansible-playbook -i inventory.yml playbook.yml
```

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| ipa_client_hostname | hostname of the target vm where the IPA client will be installed. Example: ipa-client-1 | string | n/a | yes |
| ipa_domain | domain name managed by the existing IPA server. Example: eumetsat.sandbox.ewc | string | n/a | yes |
| ipa_admin_password | password of the IPA server administrator account. Example: ipaadmin | string | n/a | yes |
| ipa_admin_username | username of the IPA server administrator account. Example: my-secret-password | string | n/a | yes |
| ipa_server_hostname | IPA server hostname. Example: ipa-server-1 | string | n/a | yes |
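
One way to supply the inputs above without leaving `ipa_admin_password` in a plain-text file, shown as an added example that is not part of this repository: the playbook reads the administrator credentials from an Ansible Vault encrypted file and passes all inputs as role parameters. The file name `secrets.yml` and the `vault_`-prefixed variable names are assumptions, and the other values are the examples from the table.

```yaml
# secrets.yml (hypothetical file name). Create it already encrypted with:
#   ansible-vault create secrets.yml
# Content of the file once decrypted (placeholders, fill in your own values):
---
vault_ipa_admin_username: <add the IPA administrator username>
vault_ipa_admin_password: <add the IPA administrator password>

# playbook.yml
---
- name: Deploy IPA Client on RockyLinux or Ubuntu
  hosts: ipa_client
  become: true
  become_user: root
  become_method: ansible.builtin.sudo
  vars_files:
    # Decrypted in memory at run time; the file on disk stays encrypted.
    - secrets.yml
  roles:
    - role: ewc-ansible-role-ipa-client
      vars:
        # Non-secret inputs (example values taken from the inputs table).
        ipa_client_hostname: ipa-client-1
        ipa_domain: eumetsat.sandbox.ewc
        ipa_server_hostname: ipa-server-1
        # Secret inputs resolved from the vault-encrypted file.
        ipa_admin_username: "{{ vault_ipa_admin_username }}"
        ipa_admin_password: "{{ vault_ipa_admin_password }}"

# Apply the playbook, prompting for the vault password:
#   ansible-playbook -i inventory.yml playbook.yml --ask-vault-pass
```

With this layout `playbook.yml` and `inventory.yml` can be committed to version control, while `secrets.yml` is only readable by someone who holds the vault password.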
💡 Upon execution, an SBOM (SPDX format) is auto-generated and stored in the VM's file system root directory (see /sbom.json).

The following third-party components will be included in the resulting environment:
| Component | Home URL |
|---|---|
| sssd | https://github.com/SSSD/sssd |
| sssd-tools | https://github.com/SSSD/sssd |
| authselect | https://github.com/authselect/authselect |
| oddjob | https://pagure.io/oddjob |
| oddjob-mkhomedir | https://pagure.io/oddjob |
| ipa-client | http://www.freeipa.org |
The following components will be included in the resulting environment:
| Component | Home URL |
|---|---|
| sssd | https://github.com/SSSD/sssd |
| sssd-tools | https://github.com/SSSD/sssd |
| libnss-sss | https://github.com/SSSD/sssd |
| libpam-sss | https://github.com/SSSD/sssd |
| oddjob | https://pagure.io/oddjob |
| oddjob-mkhomedir | https://pagure.io/oddjob |
| ipa-client | http://www.freeipa.org |
| cracklib-runtime | https://github.com/cracklib/cracklib |
| nfs-common | https://linux-nfs.org |
| chrony | https://chrony.tuxfamily.org |
All notable changes (i.e. fixes, features and breaking changes) are documented in the CHANGELOG.md.
Thanks for taking the time to join our community and start contributing! Please make sure to:
- Familiarize yourself with our Code of Conduct before contributing.
- See CONTRIBUTING.md for instructions on how to request or submit changes.