From 08b2be4a610774cb92272114afa5f168fe1858ac Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk
Date: Mon, 12 Sep 2016 23:18:08 +0000
Subject: [PATCH] Make roles out of sigul, and update configs

Signed-off-by: Patrick Uiterwijk
---
 files/sign/bridge.conf.j2 | 30 -----
 files/sign/builder-rpms.repo | 6 ---
 files/sign/server.conf.secondary | 51 ------
 playbooks/groups/sign-bridge.yml | 2 +-
 playbooks/manual/sign-vault.yml | 2 +-
 .../sigul/bridge/files}/koji-arm.conf | 0
 .../sigul/bridge/files}/koji-ppc.conf | 0
 .../sigul/bridge/files}/koji-s390.conf | 0
 roles/sigul/bridge/tasks/main.yml | 18 +++++++
 .../sigul/bridge/templates/bridge.conf.j2 | 30 ++++++-----
 roles/sigul/server/tasks/main.yml | 18 +++++++
 .../sigul/server/templates/server.conf.j2 | 25 +++++++--
 tasks/sign_setup.yml | 53 ------
 13 files changed, 76 insertions(+), 159 deletions(-)
 delete mode 100644 files/sign/bridge.conf.j2
 delete mode 100644 files/sign/builder-rpms.repo
 delete mode 100644 files/sign/server.conf.secondary
 rename {files/sign => roles/sigul/bridge/files}/koji-arm.conf (100%)
 rename {files/sign => roles/sigul/bridge/files}/koji-ppc.conf (100%)
 rename {files/sign => roles/sigul/bridge/files}/koji-s390.conf (100%)
 create mode 100644 roles/sigul/bridge/tasks/main.yml
 rename files/sign/bridge.conf.secondary.j2 => roles/sigul/bridge/templates/bridge.conf.j2 (73%)
 create mode 100644 roles/sigul/server/tasks/main.yml
 rename files/sign/server.conf.primary => roles/sigul/server/templates/server.conf.j2 (75%)
 delete mode 100644 tasks/sign_setup.yml

diff --git a/files/sign/bridge.conf.j2 b/files/sign/bridge.conf.j2
deleted file mode 100644
index ef4c26df71..0000000000
--- a/files/sign/bridge.conf.j2
+++ /dev/null
@@ -1,30 +0,0 @@
-# This is a configuration for the sigul bridge.
-
-[bridge]
-# Nickname of the bridge's certificate in the NSS database specified below
-bridge-cert-nickname: sign-bridge1 - Fedora Project
-# Port on which the bridge expects client connections
-client-listen-port: 44334
-# Port on which the bridge expects server connections
-server-listen-port: 44333
-# A Fedora account system group required for access to the signing server. If
-# empty, no Fedora account check is done.
-required-fas-group: signers
-# User name and password for an account on the Fedora account system that can
-# be used to verify group memberships
-fas-user-name: {{ fedoraDummyUser }}
-fas-password: {{ fedoraDummyUserPassword }}
-
-[daemon]
-# The user to run as
-unix-user: sigul
-# The group to run as
-unix-group: sigul
-
-[nss]
-# Path to a directory containing a NSS database
-nss-dir: /var/lib/sigul
-# Password for accessing the NSS database. If not specified, the bridge will
-# ask on startup
-# Currently no password is used
-nss-password:
diff --git a/files/sign/builder-rpms.repo b/files/sign/builder-rpms.repo
deleted file mode 100644
index 11c99fe188..0000000000
--- a/files/sign/builder-rpms.repo
+++ /dev/null
@@ -1,6 +0,0 @@
-[builder-rpms]
-name=Builder Packages from Fedora Infrastructure $releasever - $basearch
-baseurl=http://infrastructure.fedoraproject.org/repo/builder-rpms/$releasever/$basearch/
-enabled=1
-gpgcheck=1
-gpgkey=http://infrastructure.fedoraproject.org/repo/RPM-GPG-KEY-INFRASTRUCTURE
diff --git a/files/sign/server.conf.secondary b/files/sign/server.conf.secondary
deleted file mode 100644
index 38d6a0cbfc..0000000000
--- a/files/sign/server.conf.secondary
+++ /dev/null
@@ -1,51 +0,0 @@
-# This is a configuration for the sigul server.
-
-# FIXME: remove my data
-
-[server]
-# Host name of the publically acessible bridge to clients
-bridge-hostname: secondary-signer
-# Port on which the bridge expects server connections
-; bridge-port: 44333
-# Maximum accepted size of payload stored on disk
-max-file-payload-size: 2073741824
-# Maximum accepted size of payload stored in server's memory
-max-memory-payload-size: 1048576
-# Nickname of the server's certificate in the NSS database specified below
-server-cert-nickname: secondary-signer-server
-
-signing-timeout: 4000
-
-[database]
-# Path to a SQLite database
-; database-path: /var/lib/sigul/server.conf
-
-[gnupg]
-# Path to a directory containing GPG configuration and keyrings
-gnupg-home: /var/lib/sigul/gnupg
-# Default primary key type for newly created keys
-gnupg-key-type: RSA
-# Default primary key length for newly created keys
-gnupg-key-length: 4096
-# Default subkey type for newly created keys, empty for no subkey
-#gnupg-subkey-type: ELG-E
-# Default subkey length for newly created keys if gnupg-subkey-type is not empty
-# gnupg-subkey-length: 4096
-# Default key usage flags for newly created keys
-gnupg-key-usage: encrypt, sign
-# Length of key passphrases used for newsly created keys
-; passphrase-length: 64
-
-[daemon]
-# The user to run as
-unix-user: sigul
-# The group to run as
-unix-group: sigul
-
-[nss]
-# Path to a directory containing a NSS database
-nss-dir: /var/lib/sigul
-# Password for accessing the NSS database. If not specified, the server will
-# ask on startup
-; nss-password is not specified by default
-
diff --git a/playbooks/groups/sign-bridge.yml b/playbooks/groups/sign-bridge.yml
index 221fa57c40..445a0f3ae5 100644
--- a/playbooks/groups/sign-bridge.yml
+++ b/playbooks/groups/sign-bridge.yml
@@ -24,12 +24,12 @@
 - hosts
 - fas_client
 - sudo
+ - sigul/bridge
 
 tasks:
 - include: "{{ tasks }}/motd.yml"
 - include: "{{ tasks }}/yumrepos.yml"
 - include: "{{ tasks }}/2fa_client.yml"
- - include: "{{ tasks }}/sign_setup.yml"
 
 handlers:
 - include: "{{ handlers }}/restart_services.yml"
diff --git a/playbooks/manual/sign-vault.yml b/playbooks/manual/sign-vault.yml
index 647b6946f3..1f76b51f26 100644
--- a/playbooks/manual/sign-vault.yml
+++ b/playbooks/manual/sign-vault.yml
@@ -35,10 +35,10 @@
 roles:
 - base
 - rkhunter
+ - sigul/server
 
 tasks:
 - include: "{{ tasks }}/motd.yml"
- - include: "{{ tasks }}/sign_setup.yml"
 
 handlers:
 - include: "{{ handlers }}/restart_services.yml"
diff --git a/files/sign/koji-arm.conf b/roles/sigul/bridge/files/koji-arm.conf
similarity index 100%
rename from files/sign/koji-arm.conf
rename to roles/sigul/bridge/files/koji-arm.conf
diff --git a/files/sign/koji-ppc.conf b/roles/sigul/bridge/files/koji-ppc.conf
similarity index 100%
rename from files/sign/koji-ppc.conf
rename to roles/sigul/bridge/files/koji-ppc.conf
diff --git a/files/sign/koji-s390.conf b/roles/sigul/bridge/files/koji-s390.conf
similarity index 100%
rename from files/sign/koji-s390.conf
rename to roles/sigul/bridge/files/koji-s390.conf
diff --git a/roles/sigul/bridge/tasks/main.yml b/roles/sigul/bridge/tasks/main.yml
new file mode 100644
index 0000000000..c9f701473e
--- /dev/null
+++ b/roles/sigul/bridge/tasks/main.yml
@@ -0,0 +1,18 @@
+- name: Install sigul bridge
+ yum: state=present name=sigul-bridge
+ tags:
+ - packages
+
+- name: Setup sigul bridge.conf
+ template: src=bridge.conf.j2 dest=/etc/sigul/bridge.conf
+ owner=sigul group=sigul mode=0640
+ tags:
+ - config
+
+- name: Setup secondary koji config files
+ copy: src={{ item }} dest=/etc/{{ item }} owner=root group=root mode=644
+ with_items:
+ - koji-arm.conf
+ - koji-ppc.conf
+ - koji-s390.conf
+ when: inventory_hostname.startswith('secondary')
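Review bot: The `Setup sigul bridge.conf` task installs the config as `owner=sigul group=sigul mode=0640`, whereas the deleted tasks/sign_setup.yml installed it as `owner=root group=sigul mode=640`; since the bridge daemon runs as the `sigul` user (the template's `unix-user: sigul`), a compromised bridge process can now rewrite its own authorization settings (`required-fas-group`, the FAS credentials, the certificate nickname) and have them survive a restart. Keep the file root-owned and only group-readable: `owner=root group=sigul mode=0640`. Separately, the template's `[koji]` section references `/etc/koji-sparc.conf`, but this role only deploys koji-arm/ppc/s390.conf, and neither config task notifies a restart handler, so a changed bridge.conf presumably does not take effect until someone restarts the service by hand.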
diff --git a/files/sign/bridge.conf.secondary.j2 b/roles/sigul/bridge/templates/bridge.conf.j2
similarity index 73%
rename from files/sign/bridge.conf.secondary.j2
rename to roles/sigul/bridge/templates/bridge.conf.j2
index 6225473107..4490eb8ad1 100644
--- a/files/sign/bridge.conf.secondary.j2
+++ b/roles/sigul/bridge/templates/bridge.conf.j2
@@ -2,40 +2,39 @@
 #
 [bridge]
 # Nickname of the bridge's certificate in the NSS database specified below
+{% if inventory_hostname.startswith('sign') %}
+bridge-cert-nickname: sign-bridge1 - Fedora Project
+{% else %}
 bridge-cert-nickname: secondary-signer
+{% endif %}
+
 # Port on which the bridge expects client connections
 client-listen-port: 44334
 # Port on which the bridge expects server connections
 server-listen-port: 44333
 # A Fedora account system group required for access to the signing server. If
 # empty, no Fedora account check is done.
-; required-fas-group:
+required-fas-group: signers
 # User name and password for an account on the Fedora account system that can
 # be used to verify group memberships
-; fas-user-name:
-; fas-password:
-#
+fas-user-name: {{ fedoraDummyUser }}
+fas-password: {{ fedoraDummyUserPassword }}
+
+{% if inventory_hostname.startswith('secondary') %}
 [koji]
-# Config file used to connect to the Koji hub
-# ; koji-config: ~/.koji/config
-# # Recognized alternative instances
 koji-instances: ppc s390 arm sparc
-#
-# # Example configuration of alternative instances:
-# # koji-instances: ppc64 s390
-# # Configuration paths for alternative instances:
 koji-config-ppc: /etc/koji-ppc.conf
 koji-config-s390: /etc/koji-s390.conf
 koji-config-arm: /etc/koji-arm.conf
 koji-config-sparc: /etc/koji-sparc.conf
-#
-#
+{% endif %}
+
 [daemon]
 # The user to run as
 unix-user: sigul
 # The group to run as
 unix-group: sigul
-#
+
 [nss]
 # Path to a directory containing a NSS database
 nss-dir: /var/lib/sigul
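Review bot: The `{% else %}` branch makes every host whose name does not start with `sign` render as `secondary-signer`, while the accompanying tasks file only deploys the koji configs for hosts starting with `secondary`; a mis-grouped host would silently get the secondary bridge's certificate nickname and a bridge.conf without the `[koji]` section, with no error from either side. Making the second case explicit, `{% elif inventory_hostname.startswith('secondary') %}`, and leaving `bridge-cert-nickname` unset for anything else (so the bridge presumably refuses to start rather than assuming one of the two identities) is the safer shape. This hunk also enables `required-fas-group: signers` and the FAS lookup credentials on the secondary bridge, which the old secondary config left disabled (`; required-fas-group:`); that is a tightening worth a sentence in the commit message so nobody reverts it as an accident.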
@@ -43,3 +42,6 @@ nss-dir: /var/lib/sigul
 # ask on startup
 # Currently no password is used
 nss-password:
+# Minimum and maximum versions of TLS used
+nss-min-tls: tls1.2
+nss-max-tls: tls1.2
diff --git a/roles/sigul/server/tasks/main.yml b/roles/sigul/server/tasks/main.yml
new file mode 100644
index 0000000000..20e039398f
--- /dev/null
+++ b/roles/sigul/server/tasks/main.yml
@@ -0,0 +1,18 @@
+- name: Install sigul server
+ yum: state=present name={{ item }}
+ with_items:
+ - sigul-server
+ - gnupg1
+ - rpm-sign
+ - bzip2
+ tags:
+ - packages
+
+- name: Setup sigul server.conf
+ template: src=server.conf.j2 dest=/etc/sigul/server.conf
+ owner=sigul group=sigul mode=0640
+ tags:
+ - config
+
+- name: Setup gpg link
+ file: state=link src=/usr/bin/gpg1 dest=/usr/bin/gpg
diff --git a/files/sign/server.conf.primary b/roles/sigul/server/templates/server.conf.j2
similarity index 75%
rename from files/sign/server.conf.primary
rename to roles/sigul/server/templates/server.conf.j2
index 812057b676..b44b6dff4a 100644
--- a/files/sign/server.conf.primary
+++ b/roles/sigul/server/templates/server.conf.j2
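Review bot: `Setup sigul server.conf` installs /etc/sigul/server.conf as `owner=sigul group=sigul mode=0640`, which gives the account the vault daemon runs as (`unix-user: sigul` in the template) write access to its own configuration; the deleted sign_setup.yml used `owner=root group=sigul mode=640`. On the signing vault that file controls `lenient-username-check`, `gnupg-home` and the new `nss-min-tls` floor, so it should stay root-owned: `owner=root group=sigul mode=0640`. The `Setup gpg link` task turns `/usr/bin/gpg` into a symlink to gpg1 with no `force`, so if the gnupg2 package already owns a regular file at that path the task will refuse to convert it and the play fails; this is carried over from the deleted file, but a `when`/`force` decision and a `tags:` entry matching the other tasks would make the intent explicit. Neither config task notifies a handler, so the TLS pin only takes effect after a manual restart.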
@@ -2,15 +2,27 @@
 
 [server]
 # Host name of the publically acessible bridge to clients
+
+{% if inventory_hostname.startswith('sign') %}
 bridge-hostname: sign-bridge1
+server-cert-nickname: sign-vault1 - Fedora Project
+{% else %}
+bridge-hostname: secondary-signer
+server-cert-nickname: secondary-signer-server
+{% endif %}
+
 # Port on which the bridge expects server connections
 bridge-port: 44333
 # Maximum accepted size of payload stored on disk
 max-file-payload-size: 2073741824
 # Maximum accepted size of payload stored in server's memory
 max-memory-payload-size: 1048576
-# Nickname of the server's certificate in the NSS database specified below
-server-cert-nickname: sign-vault1 - Fedora Project
+
+# Whether to relax the CN vs username check
+lenient-username-check: yes
+# Which CN's are allowed to use different usernames, comma seperated
+proxy-usernames:
+
 
 [database]
 # Path to a directory containing a SQLite database
@@ -30,7 +42,7 @@ gnupg-subkey-type:
 # Default key usage flags for newly created keys
 gnupg-key-usage: encrypt, sign
 # Length of key passphrases used for newsly created keys
-passphrase-length: 64
+passphrase-length: 128
 
 [daemon]
 # The user to run as
@@ -44,3 +56,10 @@ nss-dir: /var/lib/sigul
 # Password for accessing the NSS database. If not specified, the server will
 # ask on startup
 ; nss-password is not specified by default
+# Minimum and maximum versions of TLS used
+nss-min-tls: tls1.2
+nss-max-tls: tls1.2
+
+[binding]
+# List of binding modules enabled
+enabled:
diff --git a/tasks/sign_setup.yml b/tasks/sign_setup.yml
deleted file mode 100644
index d90b23b4a6..0000000000
--- a/tasks/sign_setup.yml
+++ /dev/null
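Review bot: `lenient-username-check: yes` relaxes, per its own comment, the check that a client certificate's CN matches the sigul username, and it is now enabled unconditionally on both the primary and secondary vault with `proxy-usernames:` left empty; nothing in the commit says why the relaxation is needed, and it is not visible here whether an empty `proxy-usernames` confines it to any CN at all. If only one proxying CN needs it, list that CN under `proxy-usernames` and keep the check strict, or at least record the reason in the template: `# Relaxed because <reason>; restrict via proxy-usernames below`. The `{% else %}` branch also assigns the secondary vault's bridge hostname and certificate nickname to any host not starting with `sign`, mirroring bridge.conf.j2; an explicit `{% elif inventory_hostname.startswith('secondary') %}` keeps a mis-grouped host from silently taking on a vault identity. The new `[binding]` section with a bare `enabled:` would benefit from a one-line comment stating that no binding modules are intentionally enabled, so it is not mistaken for an unfinished edit.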
@@ -1,53 +0,0 @@
----
-
-- name: put builder-repo on system
- copy: src="{{ files }}/sign/{{ item }}" dest="/etc/yum.repos.d/{{ item }}"
- with_items:
- - builder-rpms.repo
- when: is_rhel is defined
- tags:
- - config
- - packages
-
-- name: install sigul
- yum: state=present name={{ item }}
- with_items:
- - sigul
- - gnupg1
- - rpm-sign
- - bzip2
- tags:
- - packages
-
-- name: setup /etc/sigul/bridge.conf file
- template: src="{{ files }}/sign/bridge.conf.j2" dest=/etc/sigul/bridge.conf owner=root group=sigul mode=640
- tags:
- - config
- when: inventory_hostname.startswith('sign')
-
-- name: setup /etc/sigul/server.conf file
- copy: src="{{ files }}/sign/server.conf.primary" dest=/etc/sigul/server.conf owner=root group=sigul mode=640
- when: inventory_hostname.startswith('sign')
-
-- name: setup secondary /etc/sigul/bridge.conf file
- template: src="{{ files }}/sign/bridge.conf.secondary.j2" dest=/etc/sigul/bridge.conf owner=root group=sigul mode=640
- tags:
- - config
- when: inventory_hostname.startswith('secondary')
-
-- name: Install secondary arch koji configs
- template: src="{{ files }}/sign/bridge.conf.secondary.j2" dest=/etc/sigul/bridge.conf owner=root group=sigul mode=640
- tags:
- - config
- when: inventory_hostname.startswith('secondary')
-
-- name: setup secondary koji config files
- copy: src="{{ files }}/sign/{{ item }}" dest=/etc/{{ item }} owner=root group=root mode=644
- with_items:
- - koji-arm.conf
- - koji-ppc.conf
- - koji-s390.conf
- when: inventory_hostname.startswith('secondary')
-
-- name: setup gpg link
- file: state=link src=/usr/bin/gpg1 dest=/usr/bin/gpg