fedora-infra_ansible/roles/ipsilon/tasks/main.yml

---
# Configuration for the ipsilon webapp

- name: Install needed packages
  ansible.builtin.package:
    state: present
    update_cache: yes
    name:
    - ipsilon
    - ipsilon-openid
    - ipsilon-saml2
    - ipsilon-openidc
    - ipsilon-authgssapi
    - ipsilon-authform
    - ipsilon-authpam
    - ipsilon-infosssd
    - ipsilon-infofas
    - ipsilon-theme-Fedora
    - ipsilon-tools-ipa
    - mod_auth_openidc
    - mod_auth_gssapi
    - python3-psycopg2
    - python3-pam
    # For the openid api extension
    - python3-freeipa
    # For the playbook itself
    - git
    - krb5-workstation
  tags:
  - ipsilon
  - packages

- name: Download Fedora-specific code
  ansible.builtin.git:
    repo: https://pagure.io/fedora-infra/ipsilon-fedora
    dest: /opt/ipsilon-fedora
    version: "{{ env }}"
    force: yes
  tags:
  - ipsilon
  notify:
  - Install Fedora-specific code

- name: Install Fedora-specific code on initial run
  ansible.builtin.command:
    cmd: ./install.sh
    chdir: /opt/ipsilon-fedora
    creates: "{{ ansible_facts['python3']['sitelib'] }}/ipsilon/providers/openidc/plugins/account-scopes.py"
  notify:
  - Restart apache
  tags:
  - ipsilon

- name: Include ipa/client role
  ansible.builtin.include_role:
    name: ipa/client

- name: Get admin ticket
  ansible.builtin.shell: set -o pipefail && echo "{{ ipa_admin_password }}" | kinit admin
  check_mode: no
  changed_when: true
  no_log: true
  tags:
  - ipsilon

- name: Install ipsilon
  ansible.builtin.command:
    cmd: ipsilon-server-install
         --root-instance
         --admin-user=admin
         --ipa=yes
         --openidc=yes
         --openid=yes
         --saml2=yes
         --info-sssd=yes
         --form=yes
    creates: /etc/ipsilon/root/ipsilon.conf
  tags:
  - ipsilon

- name: Destroy admin ticket
  ansible.builtin.command: kdestroy -A
  changed_when: true
  tags:
  - ipsilon

- name: Import patches.yml tasks
  ansible.builtin.import_tasks: patches.yml
  tags:
  - ipsilon
  - patches

- name: Make sure /etc/ipsilon/root is owned correctly
  ansible.builtin.file:
    path: "/etc/ipsilon/root"
    owner: ipsilon
    group: ipsilon
    state: directory
    mode: "0700"
  tags:
  - ipsilon
  - config

- name: Copy ipsilon configuration
  ansible.builtin.template:
    src: "ipsilon.conf"
    dest: "/etc/ipsilon/root/ipsilon.conf"
    owner: ipsilon
    group: ipsilon
    mode: "0600"
  tags:
  - ipsilon
  - config
  notify:
  - Restart apache

- name: Copy ipsilon admin configuration
  ansible.builtin.template:
    src: "configuration.conf"
    dest: "/etc/ipsilon/root/configuration.conf"
    owner: ipsilon
    group: ipsilon
    mode: "0600"
  tags:
  - ipsilon
  - config
  notify:
  - Restart apache

- name: Copy ipsilon OIDC client config
  ansible.builtin.copy:
    src: "{{ private }}/files/ipsilon/openidc.{{ env }}.static"
    dest: /etc/ipsilon/root/openidc.static.cfg
    owner: ipsilon
    group: ipsilon
    mode: "0600"
  tags:
  - ipsilon
  - config
  - oidc-config
  notify:
  - Restart apache
  when: "env != 'staging'"

- name: Template ipsilon OIDC client config
  ansible.builtin.template:
    src: "openidc.{{ env }}.static.j2"
    dest: /etc/ipsilon/root/openidc.static.cfg
    owner: ipsilon
    group: ipsilon
    mode: "0600"
  tags:
  - ipsilon
  - config
  - oidc-config
  notify:
  - Restart apache
  when: "env == 'staging'"

- name: Copy ipsilon httpd config
  ansible.builtin.template:
    src: "httpd.conf.j2"
    dest: /etc/ipsilon/root/idp.conf
    mode: "0644"
  tags:
  - ipsilon
  - config
  notify:
  - Restart apache

- name: Copy OIDC private key
  ansible.builtin.copy:
    src: "{{ private }}/files/ipsilon/openidc{{ env_suffix }}.key"
    dest: /etc/ipsilon/root/openidc.key
    owner: ipsilon
    group: ipsilon
    mode: "0600"
  tags:
  - ipsilon

- name: Create SAML2 dir
  ansible.builtin.file:
    path: /etc/ipsilon/root/saml2
    state: directory
    mode: "0700"
    owner: ipsilon
    group: ipsilon
    setype: httpd_var_lib_t
  tags:
  - ipsilon

- name: Copy SAML2 private key
  ansible.builtin.copy:
    src: "{{ private }}/files/saml2/{{ env }}/keys/idp.key"
    dest: /etc/ipsilon/root/saml2/idp.key
    owner: ipsilon
    group: ipsilon
    mode: "0600"
  tags:
  - ipsilon

- name: Copy SAML2 public key
  ansible.builtin.copy:
    src: "{{ private }}/files/saml2/{{ env }}/keys/idp.crt"
    dest: /etc/ipsilon/root/saml2/idp.crt
    owner: ipsilon
    group: ipsilon
    mode: "0644"
  tags:
  - ipsilon

- name: Copy saml2 metadata script
  ansible.builtin.template:
    src: prepare-saml2-metadata.py
    dest: /usr/local/bin/prepare-saml2-metadata
    owner: root
    group: root
    mode: "0755"
  tags:
  - ipsilon

- name: Generate the saml2 metadata
  become_user: ipsilon
  become: yes
  ansible.builtin.command:
    cmd: /usr/local/bin/prepare-saml2-metadata
    creates: /etc/ipsilon/root/saml2/metadata.xml
  tags:
  - ipsilon

- name: Set sebooleans so ipsilon can talk to the db
  ansible.posix.seboolean:
    name: httpd_can_network_connect_db
    state: true
    persistent: true
  tags:
  - ipsilon

- name: Set sebooleans so ipsilon can talk to IPA for the openid extension
  ansible.posix.seboolean:
    name: httpd_can_network_connect
    state: true
    persistent: true
  tags:
  - ipsilon

- name: Set sebooleans so ipsilon can talk to sssd
  ansible.posix.seboolean:
    name: httpd_dbus_sssd
    state: true
    persistent: true
  tags:
  - ipsilon

- name: Set sebooleans so ipsilon can use python-pam
  ansible.posix.seboolean:
    name: "{{ item }}"
    state: true
    persistent: true
  loop:
  - httpd_tmp_exec
  - httpd_mod_auth_pam
  tags:
  - ipsilon

- name: Apply selinux type to the wsgi file
  ansible.builtin.file:
    dest: /usr/libexec/ipsilon
    setype: httpd_sys_content_t
  tags:
  - ipsilon

- name: Copy SSSd configuration
  ansible.builtin.template:
    src: sssd.conf
    dest: /etc/sssd/sssd.conf
    owner: root
    group: root
    mode: "0600"
  tags:
  - ipsilon
  - config
  notify:
  - Restart sssd