# ── FreeIPA ───────────────────────────────────────────────────────────────────
# Server hostname, DNS domain and realm. The realm below is the upper-cased
# form of the domain.
IPA_HOSTNAME=ipa.corp.example.com
IPA_DOMAIN=corp.example.com
IPA_REALM=CORP.EXAMPLE.COM
# Placeholder secrets. Replace each with a unique, randomly generated value
# before first start; keep the filled-in copy of this file out of version
# control and readable only by the deploying user.
# IPA_DM_PASSWORD is also what the Keycloak federation section falls back to
# when IPA_BIND_PASSWORD is left blank, so it is used by more than one service
# with the defaults in this file.
IPA_ADMIN_PASSWORD=ChangeMe123!
IPA_DM_PASSWORD=ChangeMe456!
# Integrated DNS is disabled here and the forwarder is left empty.
# NOTE(review): presumably IPA_DNS_FORWARDER only matters when
# IPA_SETUP_DNS=true — confirm against the setup script.
IPA_SETUP_DNS=false
IPA_DNS_FORWARDER=
# NOTE(review): KRA presumably refers to the key recovery authority (vault)
# component — confirm.
IPA_SETUP_KRA=false
# ── Ansipa SMB shares ─────────────────────────────────────────────────────────
# SMB_SCAN_PASSWORD — password for 'scanupload'; deploy to clients via Ansible
#                     with smb_scan_password=<this value> (use ansible-vault).
# LUKS_KEY_UPLOAD_PASSWORD — password for the 'luks-upload' service account used
#                     by the Ansible controller to write LUKS backup keys to
#                     the ansipa-luks-keys share. Pass to collect-luks-keys.yml
#                     with -e luks_upload_password=<this value>.
#                     A value given literally after -e ends up in shell history
#                     and the process list; prefer supplying it from an
#                     ansible-vault encrypted vars file (-e @<vars file>), as
#                     recommended for smb_scan_password above.
#                     To grant read access, add a Samba user to KeyAdmin on the
#                     container: useradd -r -G KeyAdmin <user> && smbpasswd -a <user>
#                     KeyAdmin members can read the stored LUKS backup keys, so
#                     keep the group small and review its membership.
# Both values below are placeholders; replace them with unique random values.
SMB_SCAN_PASSWORD=ChangeMe_ScanPass!
LUKS_KEY_UPLOAD_PASSWORD=ChangeMe_LuksUpload!
# ── Keycloak ──────────────────────────────────────────────────────────────────
# Public hostname and realm name for the Keycloak instance.
KC_HOSTNAME=keycloak.corp.example.com
KC_REALM=corp
# NOTE(review): KC_ADMIN is presumably the bootstrap administrator username.
# 'admin' is the first name anyone guesses, so the password below is the only
# thing protecting that account — confirm whether a different name is supported.
KC_ADMIN=admin
# Placeholder secrets. Replace each with a unique, randomly generated value;
# do not reuse the FreeIPA passwords here.
KC_ADMIN_PASSWORD=ChangeMe789!
KC_DB_PASSWORD=ChangeMe000!
# ── Keycloak → FreeIPA LDAP federation ───────────────────────────────────────
# Leave IPA_BIND_PASSWORD blank to reuse IPA_DM_PASSWORD.
# In production, create a dedicated read-only service account in FreeIPA.
# With the defaults below, Keycloak binds as Directory Manager using the
# Directory Manager password, so a compromise of Keycloak or of this file
# exposes that credential rather than a read-only one.
# The bind DN contains a space and is unquoted.
# NOTE(review): fine for env-file parsers that read to end of line, but it
# would not survive being sourced by a shell — confirm what consumes this file.
IPA_BIND_DN=cn=Directory Manager
IPA_BIND_PASSWORD=
# NOTE(review): with 'false' the federation link presumably uses plain LDAP, in
# which case the bind password and directory data cross the network
# unencrypted — confirm how the consumer connects, and set to 'true' whenever
# Keycloak and FreeIPA are not on a trusted, isolated network.
IPA_USE_LDAPS=false