WarlockFish/fedora-infra_ansible
1
0
Fork 0
mirror of https://pagure.io/fedora-infra/ansible.git synced 2026-05-11 10:32:27 +08:00
Code Issues Packages Projects Releases Wiki Activity

Setup ipsilon02 as OpenID only instance

Browse Source 
This will split the ipsilon config to OpenID and everything else.

Signed-off-by: Michal Konecny <mkonecny@redhat.com>
This commit is contained in:
Michal Konecny
2025-09-25 14:15:35 +02:00
parent d2a66a0bf4
commit 4592e463f4
2 changed files with 25 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
inventory/host_vars/ipsilon02.stg.rdu3.fedoraproject.org
View File

@@ -13,3 +13,4 @@ dns2: 10.16.163.34
dns_search1: "rdu3.fedoraproject.org"
dns_search2: "vpn.fedoraproject.org"
dns_search3: "fedoraproject.org"
openid: yes

41
roles/ipsilon/templates/configuration.conf
View File

@@ -11,7 +11,28 @@ fas aws groups=[["aws-master", "arn:aws:iam::125523088429:role/aws-master"], ["a
global enabled=allow
[provider_config]
global enabled=openid,saml2,openidc
{% if openid %}
global enabled=openid
openid endpoint url=https://id{{env_suffix}}.fedoraproject.org/openid/
openid identity url template=http://%(username)s.id{{env_suffix}}.fedoraproject.org/
{% if env == 'staging' %}
openid trusted roots=
{% else %}
openid trusted roots=https://ask.fedoraproject.org/,https://fedorahosted.org/,https://badges.fedoraproject.org,https://apps.fedoraproject.org/datagrepper/,https://apps.fedoraproject.org/calendar/,http://notifications.fedoraproject.org/,http://copr.fedoraproject.org/,https://copr.fedoraproject.org/,https://admin.fedoraproject.org/voting/,https://admin.fedoraproject.org,https://apps.fedoraproject.org/,https://release-monitoring.org/,http://pagure.io/,http://admin.fedoraproject.org/mirrormanager/,https://koschei.fedoraproject.org/,https://bodhi.fedoraproject.org,https://lists.fedoraproject.org/,https://openqa.fedoraproject.org/,https://src.fedoraproject.org/
{% endif %}
{% if env == 'staging' %}
openid database url=postgresql://{{ ipsilon_db_user }}:{{ ipsilon_stg_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_openid_name }}
{% else %}
openid database url=postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_openid_name }}
{% endif %}
openid untrusted roots=
openid enabled extensions=Fedora Teams,Attribute Exchange,CLAs,Simple Registration,API
openid default attribute mapping=[["*", "*"], ["_groups", "groups"], [["_extras", "cla"], "cla"], ["fullname", "name"], ["_username", "nickname"], ["_username", "preferred_username"], ["fasIRCNick", "ircnick"], ["fasLocale", "locale"], ["fasTimeZone", "zoneinfo"], ["fasTimeZone", "timezone"], ["fasWebsiteURL", "website"], ["fasGPGKeyId", "gpg_keyid"], ["ipaSshPubKey", "ssh_key"], ["fasIsPrivate", "privacy"], ["fullname", "human_name"]]
# End of OpenID configuration
{% else %}
global enabled=saml2,openidc
openidc enabled extensions=fedora-account,waiverdb,wiki,src,kerneltest
@@ -35,22 +56,6 @@ openidc idp sig key id=20161031-sig
openidc allow dynamic client registration=False
openidc default attribute mapping=[["*", "*"], ["_groups", "groups"], [["_extras", "cla"], "cla"], ["fullname", "name"], ["_username", "nickname"], ["_username", "preferred_username"], ["fasIRCNick", "ircnick"], ["fasLocale", "locale"], ["fasTimeZone", "zoneinfo"], ["fasTimeZone", "timezone"], ["fasWebsiteURL", "website"], ["fasGPGKeyId", "gpg_keyid"], ["ipaSshPubKey", "ssh_key"], ["fasIsPrivate", "privacy"], ["fullname", "human_name"]]
openid endpoint url=https://id{{env_suffix}}.fedoraproject.org/openid/
openid identity url template=http://%(username)s.id{{env_suffix}}.fedoraproject.org/
{% if env == 'staging' %}
openid trusted roots=
{% else %}
openid trusted roots=https://ask.fedoraproject.org/,https://fedorahosted.org/,https://badges.fedoraproject.org,https://apps.fedoraproject.org/datagrepper/,https://apps.fedoraproject.org/calendar/,http://notifications.fedoraproject.org/,http://copr.fedoraproject.org/,https://copr.fedoraproject.org/,https://admin.fedoraproject.org/voting/,https://admin.fedoraproject.org,https://apps.fedoraproject.org/,https://release-monitoring.org/,http://pagure.io/,http://admin.fedoraproject.org/mirrormanager/,https://koschei.fedoraproject.org/,https://bodhi.fedoraproject.org,https://lists.fedoraproject.org/,https://openqa.fedoraproject.org/,https://src.fedoraproject.org/
{% endif %}
{% if env == 'staging' %}
openid database url=postgresql://{{ ipsilon_db_user }}:{{ ipsilon_stg_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_openid_name }}
{% else %}
openid database url=postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_openid_name }}
{% endif %}
openid untrusted roots=
openid enabled extensions=Fedora Teams,Attribute Exchange,CLAs,Simple Registration,API
openid default attribute mapping=[["*", "*"], ["_groups", "groups"], [["_extras", "cla"], "cla"], ["fullname", "name"], ["_username", "nickname"], ["_username", "preferred_username"], ["fasIRCNick", "ircnick"], ["fasLocale", "locale"], ["fasTimeZone", "zoneinfo"], ["fasTimeZone", "timezone"], ["fasWebsiteURL", "website"], ["fasGPGKeyId", "gpg_keyid"], ["ipaSshPubKey", "ssh_key"], ["fasIsPrivate", "privacy"], ["fullname", "human_name"]]
saml2 idp metadata file=metadata.xml
saml2 idp storage path=/etc/ipsilon/root/saml2
{% if env == 'staging' %}
@@ -75,3 +80,5 @@ saml2 session database url=postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass
{% else %}
{% include "saml2_data" %}
{% endif %}
{% endif %}