From 32571764f21eb1c1d49c075290f12eeab396e266 Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Tue, 5 Jan 2016 23:14:02 +0000
Subject: [PATCH] Remove fedoauth role and playbook and iptables rules.
Ipisilon is the ultimate power in the galaxy now.
---
 .../host_vars/db-fas01.phx2.fedoraproject.org | 4 -
 .../db-fas01.stg.phx2.fedoraproject.org | 4 +-
 playbooks/groups/fedoauth.yml | 68 --------------
 roles/fedoauth/tasks/main.yml | 73 --------------
 roles/fedoauth/templates/fedoauth.cfg | 94 -------------------
 roles/fedoauth/templates/fedoauth.log.cfg | 31 ------
 6 files changed, 2 insertions(+), 272 deletions(-)
 delete mode 100644 playbooks/groups/fedoauth.yml
 delete mode 100644 roles/fedoauth/tasks/main.yml
 delete mode 100644 roles/fedoauth/templates/fedoauth.cfg
 delete mode 100644 roles/fedoauth/templates/fedoauth.log.cfg

diff --git a/inventory/host_vars/db-fas01.phx2.fedoraproject.org b/inventory/host_vars/db-fas01.phx2.fedoraproject.org
index 5ef280fcee..2ae20a856c 100644
--- a/inventory/host_vars/db-fas01.phx2.fedoraproject.org
+++ b/inventory/host_vars/db-fas01.phx2.fedoraproject.org
@@ -33,10 +33,6 @@ custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.26 --dport 5432 -j ACCEPT',
 '-A INPUT -p tcp -m tcp -s 10.5.126.30 --dport 5432 -j ACCEPT',
- # fedoauth01 and fedoauth02
- '-A INPUT -p tcp -m tcp -s 10.5.126.240 --dport 5432 -j ACCEPT',
- '-A INPUT -p tcp -m tcp -s 10.5.126.241 --dport 5432 -j ACCEPT' ,
- # ipsilon01 and ipsilon02
 '-A INPUT -p tcp -m tcp -s 10.5.126.46 --dport 5432 -j ACCEPT',
 '-A INPUT -p tcp -m tcp -s 10.5.126.47 --dport 5432 -j ACCEPT' ,
diff --git a/inventory/host_vars/db-fas01.stg.phx2.fedoraproject.org b/inventory/host_vars/db-fas01.stg.phx2.fedoraproject.org
index d7b16d731a..09a95043ef 100644
--- a/inventory/host_vars/db-fas01.stg.phx2.fedoraproject.org
+++ b/inventory/host_vars/db-fas01.stg.phx2.fedoraproject.org
@@ -25,9 +25,9 @@ num_cpus: 2
 fas_client_groups: sysadmin-dba,sysadmin-noc
 #
-# Only allow postgresql access from the frontend node and fedoauth01.stg
+# Only allow postgresql access from the frontend node and ipsilon01.stg
 #
-custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.86 --dport 5432 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.5.126.28 --dport 5432 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.5.126.35 --dport 5432 -j ACCEPT']
+custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.86 --dport 5432 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.5.126.35 --dport 5432 -j ACCEPT']
 #
 # Large updates pushes cause lots of db threads doing the tag moves, so up this from default.
diff --git a/playbooks/groups/fedoauth.yml b/playbooks/groups/fedoauth.yml
deleted file mode 100644
index 90c2e2ff74..0000000000
--- a/playbooks/groups/fedoauth.yml
+++ /dev/null
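Review bot: The new `custom_rules` line still admits two addresses, 10.5.126.86 and 10.5.126.35, while the comment above it names the permitted hosts only generically, so nothing in the file says which rule belongs to the frontend and which to ipsilon01.stg, nor confirms that the dropped 10.5.126.28 was the fedoauth01.stg entry the commit title refers to. The phx2 counterpart in the previous hunk labels its entries per host (`# ipsilon01 and ipsilon02`); the same convention here — one rule per line inside the brackets, each preceded by a comment naming the host it admits — would let the next decommission of this allowlist be verified from the inventory alone. That the 10.5.126.28 removal corresponds to fedoauth01.stg is inferred from the comment edit, not shown by the hunk itself.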
@@ -1,68 +0,0 @@
-# create a new FedOAuth server
-# NOTE: should be used with --limit most of the time
-# NOTE: make sure there is room/space for this server on the vmhost
-# NOTE: most of these vars_path come from group_vars/fedoauth* or from hostvars
-
-- name: make fedoauth
- hosts: fedoauth
- user: root
- gather_facts: False
-
- vars_files:
- - /srv/web/infra/ansible/vars/global.yml
- - "/srv/private/ansible/vars.yml"
- - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
-
- tasks:
- - include: "{{ tasks }}/virt_instance_create.yml"
-
- handlers:
- - include: "{{ handlers }}/restart_services.yml"
-
-- name: make the box be real
- hosts: fedoauth
- user: root
- gather_facts: True
-
- vars_files:
- - /srv/web/infra/ansible/vars/global.yml
- - "/srv/private/ansible/vars.yml"
- - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
-
- roles:
- - base
- - rkhunter
- - nagios_client
- - hosts
- - fas_client
- - rsyncd
- - sudo
- - { role: openvpn/client,
- when: env != "staging" }
- - apache
- - collectd/base
-
- tasks:
- - include: "{{ tasks }}/yumrepos.yml"
- - include: "{{ tasks }}/2fa_client.yml"
- - include: "{{ tasks }}/motd.yml"
- - include: "{{ tasks }}/mod_wsgi.yml"
-
- handlers:
- - include: "{{ handlers }}/restart_services.yml"
-
-- name: deploy fedoauth itself
- hosts: fedoauth
- user: root
- gather_facts: True
-
- vars_files:
- - /srv/web/infra/ansible/vars/global.yml
- - "/srv/private/ansible/vars.yml"
- - "{{ vars_path }}/{{ ansible_distribution }}.yml"
-
- roles:
- - fedoauth
-
- handlers:
- - include: "{{ handlers }}/restart_services.yml"
diff --git a/roles/fedoauth/tasks/main.yml b/roles/fedoauth/tasks/main.yml
deleted file mode 100644
index 0e84d848b0..0000000000
--- a/roles/fedoauth/tasks/main.yml
+++ /dev/null
@@ -1,73 +0,0 @@
----
-# Configuration for the fedoauth webapp
-
-- name: clean yum metadata
- command: yum clean all
- tags:
- - packages
-
-- name: install needed packages
- yum: pkg={{ item }} state=present
- with_items:
- - fedoauth
- - fedoauth-template-fedora
- - fedoauth-backend-fedora
- - fedoauth-provider-openid
- - fedoauth-provider-persona
- - python-psycopg2
- - libsemanage-python
- tags:
- - packages
-
-- name: copy fedoauth configuration
- template: src=fedoauth.cfg
- dest=/etc/fedoauth/fedoauth.cfg
- owner=fedoauth group=fedoauth mode=0600
- tags:
- - config
- notify:
- - restart apache
-
-- name: copy fedoauth logging configuration
- template: src=fedoauth.log.cfg
- dest=/etc/fedoauth/fedoauth.log.cfg
- owner=fedoauth group=fedoauth mode=0600
- tags:
- - config
- notify:
- - restart apache
-
-- name: copy fedoauth private key
- copy: src={{ private }}/files/fedoauth/persona.key dest=/etc/fedoauth/persona.key
- owner=fedoauth group=fedoauth mode=0600
- when: env != "staging"
-
-- name: copy fedoauth STG private key
- copy: src={{ private }}/files/fedoauth/persona.stg.key dest=/etc/fedoauth/persona.stg.key
- owner=fedoauth group=fedoauth mode=0600
- when: env == "staging"
-
-- name: create the database scheme
- command: /usr/bin/python2 /usr/share/fedoauth/createdb.py
- environment:
- FEDOAUTH_CONFIG: /etc/fedoauth/fedoauth.cfg
-
-#- name: Clean the database
-# command: /usr/bin/python2 /usr/share/fedoauth/cleanup.py
-# environment:
-# FEDOAUTH_CONFIG: /etc/fedoauth/fedoauth.cfg
-
-- name: set sebooleans so fedoauth can talk to the db
- action: seboolean name=httpd_can_network_connect_db
- state=true
- persistent=true
-
-- name: set sebooleans so fedoauth can send error logs
- action: seboolean name=httpd_can_network_connect
- state=true
- persistent=true
-
-- name: apply selinux type to the wsgi file
- file: >
- dest=/usr/share/fedoauth/fedoauth.wsgi
- setype=httpd_sys_content_t
diff --git a/roles/fedoauth/templates/fedoauth.cfg b/roles/fedoauth/templates/fedoauth.cfg
deleted file mode 100644
index 1e19af43d5..0000000000
--- a/roles/fedoauth/templates/fedoauth.cfg
+++ /dev/null
@@ -1,94 +0,0 @@
-# Beware that the quotes around the values are mandatory
-
-# GENERAL CONFIGURATION
-GLOBAL = {'reverse_proxied': True,
-{% if env == 'staging' %}
-'database_url': "postgresql://{{ fedoauth_db_user }}:{{ fedoauth_db_pass }}@{{ fedoauth_db_host }}.stg/{{ fedoauth_db_name }}",
-{% else %}
-'database_url': "postgresql://{{ fedoauth_db_user }}:{{ fedoauth_db_pass }}@{{ fedoauth_db_host }}/{{ fedoauth_db_name }}",
-{% endif %}
- 'cookies_secure': True,
- 'transactions_timeout': 5,
- 'global_template_dir': '/usr/share/fedoauth/templates/global/',
- 'template_dir': '/usr/share/fedoauth/templates/fedora/',
- 'logging_config_location': '/etc/fedoauth/fedoauth.log.cfg',
- 'secret_key': '{{ fedoauth_secret_key }}',
-
-{% if env == 'staging' %}
- 'url_root': 'https://id.stg.fedoraproject.org',
- 'static_content_root': 'https://id.stg.fedoraproject.org/static',
- 'enable_test_endpoint': True,
-{% else %}
- 'url_root': 'https://id.fedoraproject.org',
- 'static_content_root': 'https://id.fedoraproject.org/static',
- 'enable_test_endpoint': False,
-{% endif %}
-}
-
-
-AUTH_MODULE_CONFIGURATION = {
- # This module authenticates against the Fedora Account System
- # (https://admin.fedoraproject.org/accounts/)
- 'fedoauth.auth.fas.Auth_FAS': {'enabled': True,
- 'listed': True,
- 'select_image': '/static/fedora/fedora-authn-logo-white.png',
- 'reauth_timeout': 15,
- 'email_alias_when_cla': True,
- 'user_agent': 'FedOAuth',
- 'check_cert': True,
-{% if env == 'staging' %}
- 'email_auth_domains': ['stg.fedoraproject.org'],
- 'base_url': 'https://admin.stg.fedoraproject.org/accounts/',
-{% else %}
- 'email_auth_domains': ['fedoraproject.org'],
- 'base_url': 'https://admin.fedoraproject.org/accounts/',
-{% endif %}
- }
-}
-
-
-AUTH_PROVIDER_CONFIGURATION = {
- 'fedoauth.provider.persona': {'enabled': True,
-{% if env == 'staging' %}
- 'domains': ['id.stg.fedoraproject.org', 'stg.fedoraproject.org'],
- 'private_key': {'path': '/etc/fedoauth/persona.stg.key',
- 'passphrase': '{{ fedoauth_persona_key_passphrase }}'},
-{% else %}
- 'domains': ['id.fedoraproject.org', 'fedoraproject.org'],
- 'private_key': {'path': '/etc/fedoauth/persona.key',
- 'passphrase': '{{ fedoauth_persona_key_passphrase }}'},
-{% endif %}
- },
- 'fedoauth.provider.openid': {'enabled': True,
-{% if env == 'staging' %}
- 'identity_url_pattern': 'http://%(username)s.id.stg.fedoraproject.org/',
- 'trusted_roots': [],
-{% else %}
- 'identity_url_pattern': 'http://%(username)s.id.fedoraproject.org/',
- 'trusted_roots': ['http://jenkins.fedorainfracloud.org/securityRealm/finishLogin',
- 'http://jenkins.cloud.fedoraproject.org/securityRealm/finishLogin',
- 'https://ask.fedoraproject.org/',
- 'https://fedorahosted.org/',
- 'https://badges.fedoraproject.org',
- 'https://apps.fedoraproject.org/tagger/',
- 'https://apps.fedoraproject.org/nuancier/',
- 'https://apps.fedoraproject.org/datagrepper/',
- 'https://apps.fedoraproject.org/calendar/',
- 'http://apps.fedoraproject.org/notifications/',
- 'http://copr.fedoraproject.org/',
- 'http://copr-fe.cloud.fedoraproject.org/',
- 'https://copr.fedoraproject.org/',
- 'https://admin.fedoraproject.org/pkgdb/',
- 'https://admin.fedoraproject.org/voting/',
- 'https://apps.fedoraproject.org/github2fedmsg',
- 'https://admin.fedoraproject.org', # Nagios
- 'https://apps.fedoraproject.org/', # FMN
- 'https://release-monitoring.org/', # Anitya
- 'http://pagure.io/', # Pagure
- 'http://admin.fedoraproject.org/mirrormanager/'], # MM
-
-{% endif %}
- 'non_trusted_roots': [],
- 'handle_magic_groups_value': True
- }
-}
diff --git a/roles/fedoauth/templates/fedoauth.log.cfg b/roles/fedoauth/templates/fedoauth.log.cfg
deleted file mode 100644
index 8a6bf6d5e6..0000000000
--- a/roles/fedoauth/templates/fedoauth.log.cfg
+++ /dev/null
@@ -1,31 +0,0 @@
-[loggers]
-keys=root
-
-[handlers]
-keys=syslog,email
-
-[formatters]
-keys=form01
-
-
-[logger_root]
-level=INFO
-handlers=syslog,email
-
-
-[handler_syslog]
-class=handlers.SysLogHandler
-level=NOTSET
-formatter=form01
-args=(('localhost', handlers.SYSLOG_UDP_PORT), handlers.SysLogHandler.LOG_LOCAL4)
-
-
-[handler_email]
-class=handlers.SMTPHandler
-level=WARN
-formatter=form01
-args=('bastion.phx2.fedoraproject.org', 'fedoauth@fedoraproject.org', ['puiterwijk@fedoraproject.org'], 'FedOAuth error')
-
-[formatter_form01]
-format='%(asctime)-15s FedOAuth[%(process)d] %(levelname)s %(message)s
-datefmt=