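---
# deploy-ansipa-policies.yml — deploy the policy enforcement daemon to enrolled clients.
#
# Installs ansipa-enforce-policies.sh and a systemd timer that runs it every 30 minutes.
# Policies are declared by adding hosts to the following FreeIPA host groups:
#
#   policy-block-binary-<binary>   Block execution of <binary> via a PATH-priority wrapper
#   policy-timeshift-backup        Enforce daily Timeshift snapshots (03:00)
#   policy-security-scan           Enforce daily ClamAV + rkhunter + chkrootkit scans (02:00)
#
# Prerequisites:
#   - Host enrolled in FreeIPA (sssd + ipa CLI available)
#   - For security-scan: also add host to ansipa-module-anti-malware group
#   - For timeshift-backup: also add host to ansipa-module-timeshift group and
#     configure Timeshift (type + target device) on the host
#
# Usage:
#   ansible-playbook -i inventory deploy-ansipa-policies.yml
#
# Security notes:
#   - The play runs with become (root) and the installed service runs the enforcer
#     as root, so the script and its state directory are pinned to root:root — a
#     script executed by root must not be writable by anyone else.
#   - FreeIPA host-group membership is the sole policy source: whoever can edit
#     those groups decides what a host blocks, scans or backs up. Restrict and
#     audit write access to them accordingly.

- name: Deploy FreeIPA policy enforcer
  # Targets every inventory host; narrow with --limit when rolling out gradually.
  hosts: all
  become: true

  tasks:
    - name: Deploy policy enforcer script
      copy:
        src: ansipa-enforce-policies.sh
        dest: /usr/local/bin/ansipa-enforce-policies.sh
        # Explicit root ownership: this file is executed by root from the timer.
        owner: root
        group: root
        mode: '0755'

    - name: Create policy state directory
      file:
        path: /var/lib/ansipa-policies
        state: directory
        owner: root
        group: root
        # State is root-only; nothing else needs to read it.
        mode: '0700'

    # NOTE(review): the unit runs as root with no sandboxing directives
    # (ProtectSystem, ProtectHome, ...). They were not added here because the
    # enforcer must write at least /var/lib/ansipa-policies and the PATH-priority
    # wrappers; confirm the full set of paths it touches before tightening.
    - name: Install policy enforcer systemd service
      copy:
        dest: /etc/systemd/system/ansipa-enforce-policies.service
        owner: root
        group: root
        mode: '0644'
        content: |
          [Unit]
          Description=Enforce FreeIPA host-group policies (binary blocks, backups, scans)
          After=network-online.target sssd.service
          Wants=network-online.target

          [Service]
          Type=oneshot
          ExecStart=/usr/local/bin/ansipa-enforce-policies.sh
          StandardOutput=journal
          StandardError=journal

    - name: Install policy enforcer systemd timer
      copy:
        dest: /etc/systemd/system/ansipa-enforce-policies.timer
        owner: root
        group: root
        mode: '0644'
        content: |
          [Unit]
          Description=Periodic FreeIPA policy enforcement

          [Timer]
          OnBootSec=5min
          OnUnitActiveSec=30min

          [Install]
          WantedBy=timers.target

    - name: Enable and start policy enforcer timer
      systemd:
        name: ansipa-enforce-policies.timer
        # Reload unit definitions first so freshly written service/timer files
        # are known to systemd; using the module keeps the play idempotent
        # (a bare `command: systemctl daemon-reload` reports changed every run).
        daemon_reload: true
        enabled: true
        state: started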