ansible/roles/ipsilon/templates/configuration.conf

[login_config]
{% if env == "production" %}
global enabled=gssapi,fas
fas FAS url=https://admin{{env_suffix}}.fedoraproject.org/accounts/
fas FAS Proxy client user Agent=Fedora Ipsilon
fas FAS Insecure Auth=False
{% else %}
global enabled=gssapi,form
{% endif %}

[info_config]
{% if env == "production" %}
global enabled=fas
fas FAS url=https://admin{{env_suffix}}.fedoraproject.org/accounts/
fas FAS Proxy client user Agent=Fedora Ipsilon
fas FAS Insecure Auth=False
fas Bind Username={{ ipsilon_fasinfo_username }}
fas Bind Password={{ ipsilon_fasinfo_prod_password }}
{% else %}
sssd preconfigured = True
global enabled = sssd
{% endif %}

[authz_config]
global enabled=allow

[provider_config]
global enabled=openid,saml2,openidc

{% if env == "production" %}
openidc enabled extensions=fedora-account,mbs,beaker,waiverdb,odcs,wiki,src,fpdc,kerneltest
{% else %}
openidc enabled extensions=fedora-account,mbs,beaker,waiverdb,odcs,wiki,src,fpdc,kerneltest
{% endif %}

{% if env == 'staging' %}
openidc subject salt={{ ipsilon_stg_openidc_subject_salt }}
{% else %}
openidc subject salt={{ ipsilon_openidc_subject_salt }}
{% endif %}
openidc endpoint url=https://id{{env_suffix}}.fedoraproject.org/openidc/
openidc idp key file=/etc/ipsilon/openidc.key
openidc database url=postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_openid_name }}
openidc static database url=configfile:///etc/ipsilon/openidc.static.cfg
openidc documentation url=https://fedoraproject.org/wiki/Infrastructure/Authentication
openidc policy url=https://fedoraproject.org/wiki/Legal:PrivacyPolicy
openidc tos url=https://fedoraproject.org/wiki/Legal:PrivacyPolicy
openidc idp sig key id=20161031-sig
openidc allow dynamic client registration=False
{% if env == 'staging' %}
openidc default attribute mapping=[["*", "*"]]
openidc default attribute mapping=[["*", "*"], ["_groups", "groups"], [["_extras", "cla"], "cla"], ["fullname", "name"], ["_username", "nickname"], ["_username", "preferred_username"], ["fasIRCNick", "ircnick"], ["fasLocale", "locale"], ["fasTimeZone", "zoneinfo"], ["fasTimeZone", "timezone"], ["fasGPGKeyId", "gpgkeyids"], ["fasIsPrivate", "privacy"], ["fullname", "human_name"], ["nsAccountLock", "locked"]]
{% else %}
openidc default attribute mapping=[["*", "*"], ["timezone", "zoneinfo"], ["_groups", "groups"], [["_extras", "cla"], "cla"], ["fullname", "name"], ["_username", "preferred_username"]]
{% endif %}

openid endpoint url=https://id{{env_suffix}}.fedoraproject.org/openid/
openid identity url template=http://%(username)s.id{{env_suffix}}.fedoraproject.org/
{% if env == 'staging' %}
openid trusted roots=
{% else %}
openid trusted roots=https://ask.fedoraproject.org/,https://fedorahosted.org/,https://badges.fedoraproject.org,https://apps.fedoraproject.org/nuancier/,https://apps.fedoraproject.org/datagrepper/,https://apps.fedoraproject.org/calendar/,http://apps.fedoraproject.org/notifications/,http://copr.fedoraproject.org/,https://copr.fedoraproject.org/,https://admin.fedoraproject.org/voting/,https://apps.fedoraproject.org/github2fedmsg,https://admin.fedoraproject.org,https://apps.fedoraproject.org/,https://release-monitoring.org/,http://pagure.io/,http://admin.fedoraproject.org/mirrormanager/,https://koschei.fedoraproject.org/,https://bodhi.fedoraproject.org,https://lists.fedoraproject.org/,https://openqa.fedoraproject.org/,https://src.fedoraproject.org/
{% endif %}
openid database url=postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_openid_name }}
openid untrusted roots=
openid enabled extensions=Fedora Teams,Attribute Exchange,CLAs,Simple Registration,API

saml2 idp storage path=/etc/ipsilon/saml2
saml2 idp metadata file=metadata.xml
{% if env == 'staging' %}
saml2 idp nameid salt={{ ipsilon_stg_saml2_nameid_salt }}
{% else %}
saml2 idp nameid salt={{ ipsilon_saml2_nameid_salt }}
{% endif %}
saml2 idp certificate file=idp.crt
saml2 idp key file=idp.key
saml2 allow self registration=False
saml2 default nameid=transient
saml2 default email domain=fedoraproject.org
saml2 session database url=postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_saml2_name }}

[saml2_data]
{% if env == 'staging' %}
{% include "saml2_data_stg" %}
{% else %}
{% include "saml2_data" %}
{% endif %}
Add Ipsilon role and config Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2015-02-24 17:58:29 +00:00			`[login_config]`
Prepare ipsilon for a VM deployment in staging Signed-off-by: Aurélien Bompard <aurelien@bompard.org> 2020-10-05 17:24:48 +02:00			`{% if env == "production" %}`
			`global enabled=gssapi,fas`
			`fas FAS url=https://admin{{env_suffix}}.fedoraproject.org/accounts/`
			`fas FAS Proxy client user Agent=Fedora Ipsilon`
			`fas FAS Insecure Auth=False`
			`{% else %}`
			`global enabled=gssapi,form`
			`{% endif %}`
Add Ipsilon role and config Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2015-02-24 17:58:29 +00:00
Deploy GSSAPI for Ipsilon in stg Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-11-24 16:34:50 +00:00			`[info_config]`
Ipsilon: prepare config changes for staging Signed-off-by: Aurélien Bompard <aurelien@bompard.org> 2020-09-11 15:22:15 +02:00			`{% if env == "production" %}`
Re-enable gssapi Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-11-29 16:28:37 +00:00			`global enabled=fas`
Someone else also got annoyed by .stg all over the place Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-11-24 18:37:32 +00:00			`fas FAS url=https://admin{{env_suffix}}.fedoraproject.org/accounts/`
Deploy GSSAPI for Ipsilon in stg Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-11-24 16:34:50 +00:00			`fas FAS Proxy client user Agent=Fedora Ipsilon`
			`fas FAS Insecure Auth=False`
Give Ipsilon a new user to use for fasinfo Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-11-29 16:22:18 +00:00			`fas Bind Username={{ ipsilon_fasinfo_username }}`
			`fas Bind Password={{ ipsilon_fasinfo_prod_password }}`
			`{% else %}`
Prepare ipsilon for a VM deployment in staging Signed-off-by: Aurélien Bompard <aurelien@bompard.org> 2020-10-05 17:24:48 +02:00			`sssd preconfigured = True`
			`global enabled = sssd`
Give Ipsilon a new user to use for fasinfo Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-11-29 16:22:18 +00:00			`{% endif %}`
Add Ipsilon role and config Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2015-02-24 17:58:29 +00:00
Allow all authorization for Ipsilon Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-10-31 11:40:07 +00:00			`[authz_config]`
			`global enabled=allow`
Add Ipsilon role and config Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2015-02-24 17:58:29 +00:00
			`[provider_config]`
Persona is dead. Nuke it Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org> 2019-05-09 13:45:28 +02:00			`global enabled=openid,saml2,openidc`
Add Ipsilon role and config Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2015-02-24 17:58:29 +00:00
OIDC extensions are enabled per deployment stage Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2017-02-07 13:28:59 +00:00			`{% if env == "production" %}`
freshmaker: remove everything Signed-off-by: Kevin Fenzi <kevin@scrye.com> 2019-10-30 21:56:59 +00:00			`openidc enabled extensions=fedora-account,mbs,beaker,waiverdb,odcs,wiki,src,fpdc,kerneltest`
OIDC extensions are enabled per deployment stage Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2017-02-07 13:28:59 +00:00			`{% else %}`
Get rid of modernpaste everywhere, redirect it to paste.centos.org everywhere Signed-off-by: Rick Elrod <relrod@redhat.com> 2019-12-03 16:32:25 +00:00			`openidc enabled extensions=fedora-account,mbs,beaker,waiverdb,odcs,wiki,src,fpdc,kerneltest`
OIDC extensions are enabled per deployment stage Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2017-02-07 13:28:59 +00:00			`{% endif %}`

Add OIDC configuration Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-10-31 14:22:11 +00:00			`{% if env == 'staging' %}`
			`openidc subject salt={{ ipsilon_stg_openidc_subject_salt }}`
			`{% else %}`
			`openidc subject salt={{ ipsilon_openidc_subject_salt }}`
			`{% endif %}`
Someone else also got annoyed by .stg all over the place Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-11-24 18:37:32 +00:00			`openidc endpoint url=https://id{{env_suffix}}.fedoraproject.org/openidc/`
In openshift, always use oidc.key Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org> 2019-05-09 14:07:52 +02:00			`openidc idp key file=/etc/ipsilon/openidc.key`
Add forgotten c Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-11-23 22:12:37 +00:00			`openidc database url=postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_openid_name }}`
Add OIDC configuration Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-10-31 14:22:11 +00:00			`openidc static database url=configfile:///etc/ipsilon/openidc.static.cfg`
			`openidc documentation url=https://fedoraproject.org/wiki/Infrastructure/Authentication`
			`openidc policy url=https://fedoraproject.org/wiki/Legal:PrivacyPolicy`
			`openidc tos url=https://fedoraproject.org/wiki/Legal:PrivacyPolicy`
			`openidc idp sig key id=20161031-sig`
			`openidc allow dynamic client registration=False`
Ipsilon: prepare config changes for staging Signed-off-by: Aurélien Bompard <aurelien@bompard.org> 2020-09-11 15:22:15 +02:00			`{% if env == 'staging' %}`
Ipsilon: Fix the attribute mapping Signed-off-by: Aurélien Bompard <aurelien@bompard.org> 2020-09-17 17:02:23 +02:00			`openidc default attribute mapping=[["", ""]]`
Prepare ipsilon for a VM deployment in staging Signed-off-by: Aurélien Bompard <aurelien@bompard.org> 2020-10-05 17:24:48 +02:00			`openidc default attribute mapping=[["", ""], ["_groups", "groups"], [["_extras", "cla"], "cla"], ["fullname", "name"], ["_username", "nickname"], ["_username", "preferred_username"], ["fasIRCNick", "ircnick"], ["fasLocale", "locale"], ["fasTimeZone", "zoneinfo"], ["fasTimeZone", "timezone"], ["fasGPGKeyId", "gpgkeyids"], ["fasIsPrivate", "privacy"], ["fullname", "human_name"], ["nsAccountLock", "locked"]]`
Ipsilon: prepare config changes for staging Signed-off-by: Aurélien Bompard <aurelien@bompard.org> 2020-09-11 15:22:15 +02:00			`{% else %}`
Add the preferred_username mapping for mediawiki Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2017-11-12 20:34:19 +00:00			`openidc default attribute mapping=[["", ""], ["timezone", "zoneinfo"], ["_groups", "groups"], [["_extras", "cla"], "cla"], ["fullname", "name"], ["_username", "preferred_username"]]`
Ipsilon: prepare config changes for staging Signed-off-by: Aurélien Bompard <aurelien@bompard.org> 2020-09-11 15:22:15 +02:00			`{% endif %}`
Add OIDC configuration Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-10-31 14:22:11 +00:00
Someone else also got annoyed by .stg all over the place Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-11-24 18:37:32 +00:00			`openid endpoint url=https://id{{env_suffix}}.fedoraproject.org/openid/`
			`openid identity url template=http://%(username)s.id{{env_suffix}}.fedoraproject.org/`
Add Ipsilon role and config Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2015-02-24 17:58:29 +00:00			`{% if env == 'staging' %}`
			`openid trusted roots=`
			`{% else %}`
ipsilon: Update Koschei URL in openid trusted roots 2019-09-26 06:45:15 +02:00			openid trusted roots=https://ask.fedoraproject.org/,https://fedorahosted.org/,https://badges.fedoraproject.org,https://apps.fedoraproject.org/nuancier/,https://apps.fedoraproject.org/datagrepper/,https://apps.fedoraproject.org/calendar/,http://apps.fedoraproject.org/notifications/,http://copr.fedoraproject.org/,https://copr.fedoraproject.org/,https://admin.fedoraproject.org/voting/,https://apps.fedoraproject.org/github2fedmsg,https://admin.fedoraproject.org,https://apps.fedoraproject.org/,https://release-monitoring.org/,http://pagure.io/,http://admin.fedoraproject.org/mirrormanager/,https://koschei.fedoraproject.org/,https://bodhi.fedoraproject.org,https://lists.fedoraproject.org/,https://openqa.fedoraproject.org/,https://src.fedoraproject.org/
Add Ipsilon role and config Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2015-02-24 17:58:29 +00:00			`{% endif %}`
Use seperate databases for different Ipsilon databases 2015-07-08 08:19:34 +00:00			`openid database url=postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_openid_name }}`
Add Ipsilon role and config Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2015-02-24 17:58:29 +00:00			`openid untrusted roots=`
Enable Fedora Teams 2015-10-07 11:29:07 +00:00			`openid enabled extensions=Fedora Teams,Attribute Exchange,CLAs,Simple Registration,API`
Add Ipsilon role and config Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2015-02-24 17:58:29 +00:00
Prepare ipsilon for a VM deployment in staging Signed-off-by: Aurélien Bompard <aurelien@bompard.org> 2020-10-05 17:24:48 +02:00			`saml2 idp storage path=/etc/ipsilon/saml2`
			`saml2 idp metadata file=metadata.xml`
Use separate nameid salt for stg 2015-09-30 09:25:24 +00:00			`{% if env == 'staging' %}`
Moved this earlier in the name 2015-09-30 09:40:02 +00:00			`saml2 idp nameid salt={{ ipsilon_stg_saml2_nameid_salt }}`
Use separate nameid salt for stg 2015-09-30 09:25:24 +00:00			`{% else %}`
Add Ipsilon SAML2 config 2015-09-30 09:15:39 +00:00			`saml2 idp nameid salt={{ ipsilon_saml2_nameid_salt }}`
Make stg ipsilon use the new certs Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2017-06-14 23:52:48 +00:00			`{% endif %}`
Prepare ipsilon for a VM deployment in staging Signed-off-by: Aurélien Bompard <aurelien@bompard.org> 2020-10-05 17:24:48 +02:00			`saml2 idp certificate file=idp.crt`
			`saml2 idp key file=idp.key`
Add Ipsilon SAML2 config 2015-09-30 09:15:39 +00:00			`saml2 allow self registration=False`
			`saml2 default nameid=transient`
			`saml2 default email domain=fedoraproject.org`
			`saml2 session database url=postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_saml2_name }}`
Add saml2 data 2015-09-30 10:51:08 +00:00
			`[saml2_data]`
			`{% if env == 'staging' %}`
Try the templates dir 2015-09-30 10:55:03 +00:00			`{% include "saml2_data_stg" %}`
Add saml2 data 2015-09-30 10:51:08 +00:00			`{% else %}`
Try the templates dir 2015-09-30 10:55:03 +00:00			`{% include "saml2_data" %}`
Add saml2 data 2015-09-30 10:51:08 +00:00			`{% endif %}`