mirror of
https://pagure.io/fedora-infra/ansible.git
synced 2026-04-29 13:01:36 +08:00
a23c9df05a
The only secrets in this file, AFAIK, are the client secrets. Most of those are already defined as secret variables for the plays in this repo that deploy the services to use. So instead of duplicating most of the secrets, and keeping this file in the private repo where we can't do PRs and editing it is awkward, let's just make all the client secrets be variables, and make this file public. For all the cases where a secret wasn't already defined as a variable, I've added it, so this should work as-is. Note that the use of `flask_oidc_dev_stg_oidc_client_secret` twice is not an error in this PR; that secret was reused for the staging community blog client config. I have reported this at https://pagure.io/fedora-infrastructure/issue/12161#comment-963303 . This also removes the client configurations for several services which no longer exist. Signed-off-by: Adam Williamson <awilliam@redhat.com>
289 lines
5.8 KiB
YAML
289 lines
5.8 KiB
YAML
---
|
|
# Configuration for the ipsilon webapp
|
|
|
|
- name: Install needed packages
|
|
ansible.builtin.package:
|
|
state: present
|
|
update_cache: yes
|
|
name:
|
|
- ipsilon
|
|
- ipsilon-openid
|
|
- ipsilon-saml2
|
|
- ipsilon-openidc
|
|
- ipsilon-authgssapi
|
|
- ipsilon-authform
|
|
- ipsilon-authpam
|
|
- ipsilon-infosssd
|
|
- ipsilon-infofas
|
|
- ipsilon-theme-Fedora
|
|
- ipsilon-tools-ipa
|
|
- mod_auth_openidc
|
|
- mod_auth_gssapi
|
|
- python3-psycopg2
|
|
- python3-pam
|
|
# For the openid api extension
|
|
- python3-freeipa
|
|
# For the playbook itself
|
|
- git
|
|
- krb5-workstation
|
|
tags:
|
|
- ipsilon
|
|
- packages
|
|
|
|
- name: Download Fedora-specific code
|
|
git:
|
|
repo: https://pagure.io/fedora-infra/ipsilon-fedora.git
|
|
dest: /opt/ipsilon-fedora
|
|
version: "{{ env }}"
|
|
force: yes
|
|
register: git_update
|
|
tags:
|
|
- ipsilon
|
|
|
|
- name: Install Fedora-specific code if it changed
|
|
ansible.builtin.command:
|
|
cmd: ./install.sh
|
|
chdir: /opt/ipsilon-fedora
|
|
when: git_update is changed
|
|
notify:
|
|
- Restart apache
|
|
tags:
|
|
- ipsilon
|
|
|
|
- name: Install Fedora-specific code on initial run
|
|
ansible.builtin.command:
|
|
cmd: ./install.sh
|
|
chdir: /opt/ipsilon-fedora
|
|
creates: "{{ ansible_facts['python3']['sitelib'] }}/ipsilon/providers/openidc/plugins/account-scopes.py"
|
|
notify:
|
|
- Restart apache
|
|
tags:
|
|
- ipsilon
|
|
|
|
- include_role:
|
|
name: ipa/client
|
|
|
|
- name: Get admin ticket
|
|
ansible.builtin.shell: echo "{{ipa_admin_password}}" | kinit admin
|
|
check_mode: no
|
|
no_log: true
|
|
tags:
|
|
- ipsilon
|
|
|
|
- name: Install ipsilon
|
|
ansible.builtin.command:
|
|
cmd: ipsilon-server-install
|
|
--root-instance
|
|
--admin-user=admin
|
|
--ipa=yes
|
|
--openidc=yes
|
|
--openid=yes
|
|
--saml2=yes
|
|
--info-sssd=yes
|
|
--form=yes
|
|
creates: /etc/ipsilon/root/ipsilon.conf
|
|
tags:
|
|
- ipsilon
|
|
|
|
- name: Destroy admin ticket
|
|
ansible.builtin.command: kdestroy -A
|
|
tags:
|
|
- ipsilon
|
|
|
|
- import_tasks: patches.yml
|
|
tags:
|
|
- ipsilon
|
|
- patches
|
|
|
|
- name: Make sure /etc/ipsilon/root is owned correctly
|
|
ansible.builtin.file:
|
|
path: "/etc/ipsilon/root"
|
|
owner: ipsilon
|
|
group: ipsilon
|
|
state: directory
|
|
mode: "0700"
|
|
tags:
|
|
- ipsilon
|
|
- config
|
|
|
|
- name: Copy ipsilon configuration
|
|
ansible.builtin.template:
|
|
src: "ipsilon.conf"
|
|
dest: "/etc/ipsilon/root/ipsilon.conf"
|
|
owner: ipsilon
|
|
group: ipsilon
|
|
mode: "0600"
|
|
tags:
|
|
- ipsilon
|
|
- config
|
|
notify:
|
|
- Restart apache
|
|
|
|
- name: Copy ipsilon admin configuration
|
|
ansible.builtin.template:
|
|
src: "configuration.conf"
|
|
dest: "/etc/ipsilon/root/configuration.conf"
|
|
owner: ipsilon
|
|
group: ipsilon
|
|
mode: "0600"
|
|
tags:
|
|
- ipsilon
|
|
- config
|
|
notify:
|
|
- Restart apache
|
|
|
|
- name: Copy ipsilon OIDC client config
|
|
ansible.builtin.copy:
|
|
src: "{{ private }}/files/ipsilon/openidc.{{env}}.static"
|
|
dest: /etc/ipsilon/root/openidc.static.cfg
|
|
owner: ipsilon
|
|
group: ipsilon
|
|
mode: "0600"
|
|
tags:
|
|
- ipsilon
|
|
- config
|
|
- oidc-config
|
|
notify:
|
|
- Restart apache
|
|
when: "env != 'staging'"
|
|
|
|
- name: Template ipsilon OIDC client config
|
|
ansible.builtin.template:
|
|
src: "openidc.{{env}}.static.j2"
|
|
dest: /etc/ipsilon/root/openidc.static.cfg
|
|
owner: ipsilon
|
|
group: ipsilon
|
|
mode: "0600"
|
|
tags:
|
|
- ipsilon
|
|
- config
|
|
- oidc-config
|
|
notify:
|
|
- Restart apache
|
|
when: "env == 'staging'"
|
|
|
|
- name: Copy ipsilon httpd config
|
|
ansible.builtin.template:
|
|
src: "httpd.conf.j2"
|
|
dest: /etc/ipsilon/root/idp.conf
|
|
tags:
|
|
- ipsilon
|
|
- config
|
|
notify:
|
|
- Restart apache
|
|
|
|
- name: Copy OIDC private key
|
|
ansible.builtin.copy:
|
|
src: "{{ private }}/files/ipsilon/openidc{{ env_suffix }}.key"
|
|
dest: /etc/ipsilon/root/openidc.key
|
|
owner: ipsilon
|
|
group: ipsilon
|
|
mode: "0600"
|
|
tags:
|
|
- ipsilon
|
|
|
|
- name: Create SAML2 dir
|
|
ansible.builtin.file:
|
|
path: /etc/ipsilon/root/saml2
|
|
state: directory
|
|
mode: "0700"
|
|
owner: ipsilon
|
|
group: ipsilon
|
|
setype: httpd_var_lib_t
|
|
tags:
|
|
- ipsilon
|
|
|
|
- name: Copy SAML2 private key
|
|
ansible.builtin.copy:
|
|
src: "{{ private }}/files/saml2/{{ env }}/keys/idp.key"
|
|
dest: /etc/ipsilon/root/saml2/idp.key
|
|
owner: ipsilon
|
|
group: ipsilon
|
|
mode: "0600"
|
|
tags:
|
|
- ipsilon
|
|
|
|
- name: Copy SAML2 public key
|
|
ansible.builtin.copy:
|
|
src: "{{ private }}/files/saml2/{{ env }}/keys/idp.crt"
|
|
dest: /etc/ipsilon/root/saml2/idp.crt
|
|
owner: ipsilon
|
|
group: ipsilon
|
|
mode: "0644"
|
|
tags:
|
|
- ipsilon
|
|
|
|
- name: Copy saml2 metadata script
|
|
ansible.builtin.template:
|
|
src: prepare-saml2-metadata.py
|
|
dest: /usr/local/bin/prepare-saml2-metadata
|
|
owner: root
|
|
group: root
|
|
mode: "0755"
|
|
tags:
|
|
- ipsilon
|
|
|
|
- name: Generate the saml2 metadata
|
|
become_user: ipsilon
|
|
become: yes
|
|
ansible.builtin.command:
|
|
cmd: /usr/local/bin/prepare-saml2-metadata
|
|
creates: /etc/ipsilon/root/saml2/metadata.xml
|
|
tags:
|
|
- ipsilon
|
|
|
|
- name: Set sebooleans so ipsilon can talk to the db
|
|
seboolean:
|
|
name: httpd_can_network_connect_db
|
|
state: true
|
|
persistent: true
|
|
tags:
|
|
- ipsilon
|
|
|
|
- name: Set sebooleans so ipsilon can talk to IPA for the openid extension
|
|
seboolean:
|
|
name: httpd_can_network_connect
|
|
state: true
|
|
persistent: true
|
|
tags:
|
|
- ipsilon
|
|
|
|
- name: Set sebooleans so ipsilon can talk to sssd
|
|
seboolean:
|
|
name: httpd_dbus_sssd
|
|
state: true
|
|
persistent: true
|
|
tags:
|
|
- ipsilon
|
|
|
|
- name: Set sebooleans so ipsilon can use python-pam
|
|
seboolean:
|
|
name: "{{ item }}"
|
|
state: true
|
|
persistent: true
|
|
loop:
|
|
- httpd_tmp_exec
|
|
- httpd_mod_auth_pam
|
|
tags:
|
|
- ipsilon
|
|
|
|
- name: Apply selinux type to the wsgi file
|
|
ansible.builtin.file:
|
|
dest: /usr/libexec/ipsilon
|
|
setype: httpd_sys_content_t
|
|
tags:
|
|
- ipsilon
|
|
|
|
- name: Copy SSSd configuration
|
|
ansible.builtin.template:
|
|
src: sssd.conf
|
|
dest: /etc/sssd/sssd.conf
|
|
owner: root
|
|
group: root
|
|
mode: "0600"
|
|
tags:
|
|
- ipsilon
|
|
- config
|
|
notify:
|
|
- Restart sssd
|