diff --git a/playbooks/groups/ipatuura.yml b/playbooks/groups/ipatuura.yml index 25dcbd9f93..b546020cb0 100644 --- a/playbooks/groups/ipatuura.yml +++ b/playbooks/groups/ipatuura.yml @@ -49,12 +49,6 @@ when: env != "staging"} - mod_wsgi - ipa/client - # - role: keytab/service - # owner_user: apache - # owner_group: apache - # service: HTTP - # #host: "ipatuura{{ env_suffix }}.fedoraproject.org" - # host: "{{ ansible_fqdn }}" - ipatuura pre_tasks: diff --git a/roles/ipatuura/tasks/main.yml b/roles/ipatuura/tasks/main.yml index 19eb9fc5d4..10189acec3 100644 --- a/roles/ipatuura/tasks/main.yml +++ b/roles/ipatuura/tasks/main.yml @@ -240,13 +240,33 @@ tags: - ipatuura -- name: Copy the domain template file +# - name: Copy the domain template file +# ansible.builtin.template: +# src: domain.json.j2 +# dest: /etc/ipa-tuura/domain.json +# owner: root +# group: root +# # Contains a password +# mode: 0600 +# tags: +# - ipatuura + +- name: Copy the sssd config file ansible.builtin.template: - src: domain.json.j2 - dest: /etc/ipa-tuura/domain.json + src: sssd.conf.j2 + dest: /etc/sssd/sssd.conf + owner: root + group: sssd + mode: "0640" + tags: + - ipatuura + +- name: Copy the domain data file + ansible.builtin.template: + src: db_domain.json.j2 + dest: /etc/ipa-tuura/db_domain.json owner: root group: root - # Contains a password mode: 0600 tags: - ipatuura 
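Review bot: The `# Contains a password` comment is dropped from the 'Copy the domain data file' task, yet db_domain.json.j2 (added in this same commit) still renders a `client_secret` field into /etc/ipa-tuura/db_domain.json, so the reason for the restrictive mode is no longer documented; keep a line such as `# Contains the integration-domain client secret` directly above `mode: 0600`. That mode is also the only unquoted octal left in the hunk (the sssd task uses `mode: "0640"`); write it as `mode: "0600"` for consistency. The ten commented-out lines of the old 'Copy the domain template file' task should be deleted rather than kept as a comment block — git history preserves them and the dead block will drift from the live task.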
@@ -274,17 +294,18 @@ - ipatuura - selinux -- name: Allow HTTPd to run ipa-client-install - community.general.sefcontext: - target: "/var/log/ipaclient-.*\\.log" - setype: httpd_sys_content_rw_t - state: present - tags: - - ipatuura - - selinux +# - name: Allow HTTPd to run ipa-client-install +#  community.general.sefcontext: +#  target: "/var/log/ipaclient-.*\\.log" +#  setype: httpd_sys_content_rw_t +#  state: present +#  tags: +#  - ipatuura +#  - selinux - name: Apply SELinux changes - ansible.builtin.command: restorecon -irv /srv/ /var/log/ipaclient* + #ansible.builtin.command: restorecon -irv /srv/ /var/log/ipaclient* + ansible.builtin.command: restorecon -irv /srv/ register: restorecon_output changed_when: restorecon_output.stdout is defined and restorecon_output.stdout | length > 0 tags: @@ -305,21 +326,40 @@ - httpd_can_network_connect_db # Allow usage of PAM - httpd_mod_auth_pam - - httpd_setrlimit + # - httpd_setrlimit # - httpd_tmp_exec tags: - ipatuura - selinux -- name: Add a SELinux module for other SELinux permissions for IPA-tuura - import_role: - name: selinux/module - vars: - policy_file: files/local-ipatuura.te - policy_name: local-ipatuura - tags: - - ipatuura - - selinux +# - name: Add a SELinux module for other SELinux permissions for IPA-tuura +# import_role: +# name: selinux/module +# vars: +# policy_file: files/local-ipatuura.te +# policy_name: local-ipatuura +# tags: +# - ipatuura +# - selinux + + +# Keytabs + +- name: Create a keytab for Apache + import_role: keytab/service + owner_user: apache + owner_group: apache + service: ipatuura + host: "{{ ansible_fqdn }}" + kt_location: /var/lib/ipa/ipatuura/service.keytab + +- name: Create a keytab for IPA-tuura + import_role: keytab/service + owner_user: apache + owner_group: apache + service: HTTP + host: "{{ ansible_fqdn }}" + kt_location: /var/lib/ipatuura/httpd.keytab # # Final setup 
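Review bot: The hunk replaces the 'Allow HTTPd to run ipa-client-install' task and the old restorecon command with commented-out copies instead of removing them, and the `#  community.general.sefcontext:` lines use a different indent after `#` than the rest of the role, so the block would not even be valid YAML if someone uncommented it. Delete the eight commented lines and the `#ansible.builtin.command: restorecon -irv /srv/ /var/log/ipaclient*` line; if the intent is to record why the httpd_sys_content_rw_t context on the ipa-client logs is no longer granted, a one-line comment such as `# httpd no longer needs write access to the ipa-client-install logs` says that without carrying stale code. The same applies to the commented 'Add a SELinux module for other SELinux permissions for IPA-tuura' task in the next hunk.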
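Review bot: The two 'Create a keytab' tasks pass `import_role: keytab/service` as a bare string and put `owner_user`, `owner_group`, `service`, `host` and `kt_location` directly on the task, which is not the form import_role takes: the role name belongs under `name:` and the role parameters under `vars:` (the removed block in playbooks/groups/ipatuura.yml used the `- role:` form, where such sibling keys are valid, but that form does not carry over to a task list). Both tasks also lack the `tags: - ipatuura` every other task in the role carries, so a run limited to that tag would skip keytab creation. The name/service pairing looks swapped as well — 'for Apache' requests `service: ipatuura` and 'for IPA-tuura' requests `service: HTTP` — so confirm which principal each keytab is meant to hold before anything depends on the two paths. The second task takes the same shape as the first below.
```yaml
- name: Create a keytab for Apache
  import_role:
    name: keytab/service
  vars:
    owner_user: apache
    owner_group: apache
    service: ipatuura
    host: "{{ ansible_fqdn }}"
    kt_location: /var/lib/ipa/ipatuura/service.keytab
  tags:
  - ipatuura
# … unchanged: 'Create a keytab for IPA-tuura' rewritten the same way …
```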
diff --git a/roles/ipatuura/templates/db_domain.json.j2 b/roles/ipatuura/templates/db_domain.json.j2
new file mode 100644
index 0000000000..b41d10b8b2
--- /dev/null
+++ b/roles/ipatuura/templates/db_domain.json.j2
@@ -0,0 +1 @@
+[{"model": "domains.domain", "pk": 1, "fields": {"name": "{{env_prefix}}fedoraproject.org", "description": "IPA Integration Domain", "integration_domain_url": "https://{{ipa_server}}", "client_id": "admin", "client_secret": "not-the-actual-secret", "keycloak_hostname": "keycloak.apps.ocp{{env_suffix}}.fedoraproject.org", "id_provider": "ipa", "user_extra_attrs": "mail:mail, sn:sn, givenname:givenname, fullname:name, fasTimeZone:timezone, fasLocale:locale, fasIRCNick:chatnick, fasWebsiteURL:website, fasGPGKeyId:gpg_keyid, ipaSshPubKey:ssh_key, fasIsPrivate:privacy", "user_object_classes": "fasUser", "users_dn": "cn=users,cn=accounts,{{ipa_basedn}}", "ldap_tls_cacert": "/etc/ipa/ca.crt"}}]
diff --git a/roles/ipatuura/templates/sssd.conf.j2 b/roles/ipatuura/templates/sssd.conf.j2
new file mode 100644
index 0000000000..76b2f33716
--- /dev/null
+++ b/roles/ipatuura/templates/sssd.conf.j2
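Review bot: `"client_secret": "not-the-actual-secret"` commits a placeholder credential into a template that the role renders to a mode-0600 file on the host, so either the deployed service runs with a bogus secret or someone edits the rendered file by hand and the next playbook run overwrites it. Render it from a vaulted/private variable instead, e.g. `"client_secret": "{{ VAULTED_CLIENT_SECRET_VAR }}"` with the variable name still to be chosen. `"client_id": "admin"` also deserves a look: this credential is presumably what IPA-tuura presents to the integration domain, and a dedicated service account would limit what a leak of this file grants. The `user_extra_attrs` list here must stay in step with `ldap_user_extra_attrs` in sssd.conf.j2 from the same commit; a comment on the task that copies this file pointing at that coupling would help.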
@@ -0,0 +1,47 @@
+[domain/{{ env_prefix }}fedoraproject.org]
+id_provider = ipa
+dns_discovery_domain = {{ env_prefix }}fedoraproject.org
+ipa_server = _srv_, {{ ipa_server }}
+ipa_domain = {{ env_prefix }}fedoraproject.org
+ipa_hostname = {{ ansible_fqdn }}
+auth_provider = ipa
+chpass_provider = ipa
+access_provider = ipa
+cache_credentials = True
+ldap_tls_cacert = /etc/ipa/ca.crt
+krb5_store_password_if_offline = True
+ldap_deref_threshold = 0
+sudo_provider = ipa
+autofs_provider = ipa
+subdomains_provider = ipa
+session_provider = ipa
+hostid_provider = ipa
+# IPA-tuura needs these attributes to forward them to applications
+ldap_user_extra_attrs = mail, street, locality, st, postalCode, telephoneNumber, givenname, sn, fasTimeZone, fasLocale, fasIRCNick, fasGPGKeyId, fasCreationTime, fasStatusNote, fasRHBZEmail, fasGitHubUsername, fasGitLabUsername, fasWebsiteURL, fasIsPrivate, fasPronoun, ipaSshPubKey
+
+[sssd]
+services = nss, pam, ssh, sudo, ifp
+domains = {{ env_prefix }}fedoraproject.org
+
+[nss]
+homedir_substring = /home
+
+[pam]
+
+[sudo]
+
+[autofs]
+
+[ssh]
+
+[pac]
+
+[ifp]
+# Allow IPA-tuura to request user attributes
+allowed_uids = apache, sssd, root
+# Ipsilon needs these attributes to forward them to applications
+user_attributes = +mail, +street, +locality, +st, +postalCode, +telephoneNumber, +givenname, +sn, +fasTimeZone, +fasLocale, +fasIRCNick, +fasGPGKeyId, +fasCreationTime, +fasStatusNote, +fasRHBZEmail, +fasGitHubUsername, +fasGitLabUsername, +fasWebsiteURL, +fasIsPrivate, +fasPronoun, +ipaSshPubKey
+
+[secrets]
+
+[session_recording]
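Review bot: The comment above `user_attributes` in `[ifp]` reads `# Ipsilon needs these attributes to forward them to applications`, which looks copied from another host's sssd.conf — this role configures IPA-tuura, as the matching comment above `ldap_user_extra_attrs` already says; change it to `# IPA-tuura needs these attributes to forward them to applications`. The two attribute lists are the same 21 names and have to stay in sync, so a short note on one of them saying so is worth adding. `cache_credentials = True` together with `krb5_store_password_if_offline = True` keeps user credentials in the sssd cache on this host; if the box only answers attribute lookups through ifp (the `allowed_uids = apache, sssd, root` grant suggests that), neither setting seems needed and both enlarge what a local compromise could recover — confirm before merging.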