From 4592e463f4ef61d82f5977e40793e2caeaa06255 Mon Sep 17 00:00:00 2001
From: Michal Konecny
Date: Thu, 25 Sep 2025 14:15:35 +0200
Subject: [PATCH] Setup ipsilon02 as OpenID only instance

This will split the ipsilon config to OpenID and everything else.

Signed-off-by: Michal Konecny
---
 .../ipsilon02.stg.rdu3.fedoraproject.org | 1 +
 roles/ipsilon/templates/configuration.conf | 41 +++++++++++--------
 2 files changed, 25 insertions(+), 17 deletions(-)

diff --git a/inventory/host_vars/ipsilon02.stg.rdu3.fedoraproject.org b/inventory/host_vars/ipsilon02.stg.rdu3.fedoraproject.org
index bfc00794a0..af82abf5dc 100644
--- a/inventory/host_vars/ipsilon02.stg.rdu3.fedoraproject.org
+++ b/inventory/host_vars/ipsilon02.stg.rdu3.fedoraproject.org
@@ -13,3 +13,4 @@ dns2: 10.16.163.34
 dns_search1: "rdu3.fedoraproject.org"
 dns_search2: "vpn.fedoraproject.org"
 dns_search3: "fedoraproject.org"
+openid: yes
diff --git a/roles/ipsilon/templates/configuration.conf b/roles/ipsilon/templates/configuration.conf
index 2f76b292d2..0eea4467aa 100644
--- a/roles/ipsilon/templates/configuration.conf
+++ b/roles/ipsilon/templates/configuration.conf
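Review bot: `openid: yes` is a YAML 1.1 boolean spelling that ansible-lint's truthy rule flags; `openid: true` is the conventional form. Because the template tests this variable with a bare `{% if openid %}`, any non-empty string assigned here by mistake would also select the OpenID-only branch, so keeping the value a real boolean matters for this host var.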
@@ -11,7 +11,28 @@ fas aws groups=[["aws-master", "arn:aws:iam::125523088429:role/aws-master"], ["a
 global enabled=allow
 [provider_config]
-global enabled=openid,saml2,openidc
+{% if openid %}
+global enabled=openid
+
+openid endpoint url=https://id{{env_suffix}}.fedoraproject.org/openid/
+openid identity url template=http://%(username)s.id{{env_suffix}}.fedoraproject.org/
+{% if env == 'staging' %}
+openid trusted roots=
+{% else %}
+openid trusted roots=https://ask.fedoraproject.org/,https://fedorahosted.org/,https://badges.fedoraproject.org,https://apps.fedoraproject.org/datagrepper/,https://apps.fedoraproject.org/calendar/,http://notifications.fedoraproject.org/,http://copr.fedoraproject.org/,https://copr.fedoraproject.org/,https://admin.fedoraproject.org/voting/,https://admin.fedoraproject.org,https://apps.fedoraproject.org/,https://release-monitoring.org/,http://pagure.io/,http://admin.fedoraproject.org/mirrormanager/,https://koschei.fedoraproject.org/,https://bodhi.fedoraproject.org,https://lists.fedoraproject.org/,https://openqa.fedoraproject.org/,https://src.fedoraproject.org/
+{% endif %}
+{% if env == 'staging' %}
+openid database url=postgresql://{{ ipsilon_db_user }}:{{ ipsilon_stg_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_openid_name }}
+{% else %}
+openid database url=postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_openid_name }}
+{% endif %}
+openid untrusted roots=
+openid enabled extensions=Fedora Teams,Attribute Exchange,CLAs,Simple Registration,API
+openid default attribute mapping=[["*", "*"], ["_groups", "groups"], [["_extras", "cla"], "cla"], ["fullname", "name"], ["_username", "nickname"], ["_username", "preferred_username"], ["fasIRCNick", "ircnick"], ["fasLocale", "locale"], ["fasTimeZone", "zoneinfo"], ["fasTimeZone", "timezone"], ["fasWebsiteURL", "website"], ["fasGPGKeyId", "gpg_keyid"], ["ipaSshPubKey", "ssh_key"], ["fasIsPrivate", "privacy"], ["fullname", "human_name"]]
+
+# End of OpenID configuration
+{% else %}
+global enabled=saml2,openidc
 openidc enabled extensions=fedora-account,waiverdb,wiki,src,kerneltest
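Review bot: `{% if openid %}` assumes the variable is defined on every host that renders this template, yet the diff sets it only in the ipsilon02.stg host vars; under Ansible's strict handling of undefined variables the other ipsilon hosts would fail to render instead of falling through to the `{% else %}` branch, unless a default is declared in role defaults or group_vars that this diff does not show. Declaring `openid: false` in the role defaults would make the non-OpenID branch the explicit fallback and keep the split fail-safe. The matching `{% endif %}` is added only in the last hunk at the end of the file, so the entire openidc and saml2 configuration now lives inside the else branch; a marker such as `{# end of "if openid" #}` beside that `{% endif %}` would make the pairing visible to readers, since the two are about 70 lines apart.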
@@ -35,22 +56,6 @@ openidc idp sig key id=20161031-sig
 openidc allow dynamic client registration=False
 openidc default attribute mapping=[["*", "*"], ["_groups", "groups"], [["_extras", "cla"], "cla"], ["fullname", "name"], ["_username", "nickname"], ["_username", "preferred_username"], ["fasIRCNick", "ircnick"], ["fasLocale", "locale"], ["fasTimeZone", "zoneinfo"], ["fasTimeZone", "timezone"], ["fasWebsiteURL", "website"], ["fasGPGKeyId", "gpg_keyid"], ["ipaSshPubKey", "ssh_key"], ["fasIsPrivate", "privacy"], ["fullname", "human_name"]]
-openid endpoint url=https://id{{env_suffix}}.fedoraproject.org/openid/
-openid identity url template=http://%(username)s.id{{env_suffix}}.fedoraproject.org/
-{% if env == 'staging' %}
-openid trusted roots=
-{% else %}
-openid trusted roots=https://ask.fedoraproject.org/,https://fedorahosted.org/,https://badges.fedoraproject.org,https://apps.fedoraproject.org/datagrepper/,https://apps.fedoraproject.org/calendar/,http://notifications.fedoraproject.org/,http://copr.fedoraproject.org/,https://copr.fedoraproject.org/,https://admin.fedoraproject.org/voting/,https://admin.fedoraproject.org,https://apps.fedoraproject.org/,https://release-monitoring.org/,http://pagure.io/,http://admin.fedoraproject.org/mirrormanager/,https://koschei.fedoraproject.org/,https://bodhi.fedoraproject.org,https://lists.fedoraproject.org/,https://openqa.fedoraproject.org/,https://src.fedoraproject.org/
-{% endif %}
-{% if env == 'staging' %}
-openid database url=postgresql://{{ ipsilon_db_user }}:{{ ipsilon_stg_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_openid_name }}
-{% else %}
-openid database url=postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_openid_name }}
-{% endif %}
-openid untrusted roots=
-openid enabled extensions=Fedora Teams,Attribute Exchange,CLAs,Simple Registration,API
-openid default attribute mapping=[["*", "*"], ["_groups", "groups"], [["_extras", "cla"], "cla"], ["fullname", "name"], ["_username", "nickname"], ["_username", "preferred_username"], ["fasIRCNick", "ircnick"], ["fasLocale", "locale"], ["fasTimeZone", "zoneinfo"], ["fasTimeZone", "timezone"], ["fasWebsiteURL", "website"], ["fasGPGKeyId", "gpg_keyid"], ["ipaSshPubKey", "ssh_key"], ["fasIsPrivate", "privacy"], ["fullname", "human_name"]]
-
 saml2 idp metadata file=metadata.xml
 saml2 idp storage path=/etc/ipsilon/root/saml2
 {% if env == 'staging' %}
@@ -75,3 +80,5 @@ saml2 session database url=postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass
 {% else %}
 {% include "saml2_data" %}
 {% endif %}
+{% endif %}
+