From 61eacfd860766bb1cbaf6bf1d55857be0b15c323 Mon Sep 17 00:00:00 2001 From: alex Date: Sun, 5 Feb 2023 22:06:38 +0100 Subject: [PATCH] Improve replica docs --- personal_infra/setup_ipa_replicas.md | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/personal_infra/setup_ipa_replicas.md b/personal_infra/setup_ipa_replicas.md index 683c956..95c9321 100644 --- a/personal_infra/setup_ipa_replicas.md +++ b/personal_infra/setup_ipa_replicas.md @@ -1,7 +1,24 @@ -Update and reboot all IPA servers -https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/2WMK5QOAI4TYF23UKODW3M6WB65BJCHT/ +Update and reboot all IPA servers: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/2WMK5QOAI4TYF23UKODW3M6WB65BJCHT/ +If the host has a firewall (e.g. physical or virtual, not LXC container): + +``` firewall-cmd --permanent --add-port={80/tcp,443/tcp,389/tcp,636/tcp,88/tcp,88/udp,464/tcp,464/udp,53/ firewall-cmd --reload +``` + +Join the server to IPA: + +``` ipa-client-install -p principal --domain=ipa.pdp7.net -W --mkhomedir --ntp-pool=pool.ntp.org --force-join +``` + +Replace `--ntp-pool` with `-N` if this is a host without clock (e.g. an LXC container). +Remove `--force-join` if you have never added this host to IPA. + +``` ipa-replica-install --ip-address=thishostaddress -n ipa.pdp7.net -P alex --setup-ca --setup-dns --forwarder=upstreamdnsforthishost +``` + +FreeIPA doesn't seem to like having different versions. When updating, when you add a new server with a new version, remove the rest of servers. +You might have issues joining new replicas otherwise. -- 2.47.3
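Review bot: the added `firewall-cmd --permanent --add-port={...}` line is cut off mid-token at `53/` and never closes the brace expansion, so the command as documented will not run; complete the port list (at minimum the DNS entry that `53/` starts, and any other ports this deployment needs) and close the `}` before the `firewall-cmd --reload` line. The closing advice to "remove the rest of servers" after adding a newer-version replica also needs a check before that step: the doc should tell the reader to confirm the new replica has fully replicated and actually holds the CA and DNS roles it was installed with (`--setup-ca --setup-dns`), because removing every older server before that leaves the domain with a single, possibly incomplete, replica and no way back.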