Dotfiles/setup/modules/FreeipaAnsible/ansible/deploy-ansipa-policies.yml


---
# deploy-ansipa-policies.yml — deploy the policy enforcement daemon to enrolled clients.
#
# Installs ansipa-enforce-policies.sh and a systemd timer that runs it every 30 minutes.
# Policies are declared by adding hosts to the following FreeIPA host groups:
#
# policy-block-binary-<name> Block execution of <name> via a PATH-priority wrapper
# policy-timeshift-backup Enforce daily Timeshift snapshots (03:00)
# policy-security-scan Enforce daily ClamAV + rkhunter + chkrootkit scans (02:00)
#
# Prerequisites:
# - Host enrolled in FreeIPA (sssd + ipa CLI available)
# - For security-scan: also add host to ansipa-module-anti-malware group
# - For timeshift-backup: also add host to ansipa-module-timeshift group and
# configure Timeshift (type + target device) on the host
#
# Usage:
# ansible-playbook -i inventory deploy-ansipa-policies.yml
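- name: Deploy FreeIPA policy enforcer
  # Targets every inventory host; narrow with --limit (or a tighter host
  # pattern) when rolling the enforcer out gradually.
  hosts: all
  become: true
  tasks:
    - name: Deploy policy enforcer script
      copy:
        src: ansipa-enforce-policies.sh
        dest: /usr/local/bin/ansipa-enforce-policies.sh
        # The script is executed as root by the systemd service below, so it
        # must be root-owned and not writable by any other user.
        owner: root
        group: root
        mode: '0755'

    - name: Create policy state directory
      file:
        path: /var/lib/ansipa-policies
        state: directory
        owner: root
        group: root
        # State is readable/writable by root only.
        mode: '0700'

    # Unit files only take effect after a daemon-reload; that reload is done
    # by the final systemd task, which always runs after both copies.
    - name: Install policy enforcer systemd service
      copy:
        dest: /etc/systemd/system/ansipa-enforce-policies.service
        owner: root
        group: root
        mode: '0644'
        content: |
          [Unit]
          Description=Enforce FreeIPA host-group policies (binary blocks, backups, scans)
          After=network-online.target sssd.service
          Wants=network-online.target
          [Service]
          Type=oneshot
          ExecStart=/usr/local/bin/ansipa-enforce-policies.sh
          StandardOutput=journal
          StandardError=journal

    - name: Install policy enforcer systemd timer
      copy:
        dest: /etc/systemd/system/ansipa-enforce-policies.timer
        owner: root
        group: root
        mode: '0644'
        # First run 5 minutes after boot, then every 30 minutes after the
        # previous run finishes.
        content: |
          [Unit]
          Description=Periodic FreeIPA policy enforcement
          [Timer]
          OnBootSec=5min
          OnUnitActiveSec=30min
          [Install]
          WantedBy=timers.target

    - name: Enable and start policy enforcer timer
      systemd:
        name: ansipa-enforce-policies.timer
        enabled: true
        state: started
        # Picks up the unit files written above. Replaces a separate
        # `command: systemctl daemon-reload` task, which reported "changed"
        # on every run and so broke idempotency and check mode.
        daemon_reload: true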