Infrastructure/ansible
1
0
Fork 0
Code Issues Pull requests 6 Projects Releases Packages Wiki Activity Actions

Remove fedoauth role and playbook and iptables rules. Ipisilon is the ultimate power in the galaxy now.

Browse source
This commit is contained in:
Kevin Fenzi 2016-01-05 23:14:02 +00:00
parent 77202e6597
commit 32571764f2
6 changed files with 2 additions and 272 deletions
Download patch file Download diff file Expand all files Collapse all files

4
inventory/host_vars/db-fas01.phx2.fedoraproject.org
View file

@ -33,10 +33,6 @@ custom_rules: [
'-A INPUT -p tcp -m tcp -s 10.5.126.26 --dport 5432 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.5.126.26 --dport 5432 -j ACCEPT',
'-A INPUT -p tcp -m tcp -s 10.5.126.30 --dport 5432 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.5.126.30 --dport 5432 -j ACCEPT',
# fedoauth01 and fedoauth02
'-A INPUT -p tcp -m tcp -s 10.5.126.240 --dport 5432 -j ACCEPT',
'-A INPUT -p tcp -m tcp -s 10.5.126.241 --dport 5432 -j ACCEPT' ,
# ipsilon01 and ipsilon02 # ipsilon01 and ipsilon02
'-A INPUT -p tcp -m tcp -s 10.5.126.46 --dport 5432 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.5.126.46 --dport 5432 -j ACCEPT',
'-A INPUT -p tcp -m tcp -s 10.5.126.47 --dport 5432 -j ACCEPT' , '-A INPUT -p tcp -m tcp -s 10.5.126.47 --dport 5432 -j ACCEPT' ,

4
inventory/host_vars/db-fas01.stg.phx2.fedoraproject.org
View file

@ -25,9 +25,9 @@ num_cpus: 2
fas_client_groups: sysadmin-dba,sysadmin-noc fas_client_groups: sysadmin-dba,sysadmin-noc
# #
# Only allow postgresql access from the frontend node and fedoauth01.stg # Only allow postgresql access from the frontend node and ipsilon01.stg
# #
custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.86 --dport 5432 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.5.126.28 --dport 5432 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.5.126.35 --dport 5432 -j ACCEPT'] custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.86 --dport 5432 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.5.126.35 --dport 5432 -j ACCEPT']
# #
# Large updates pushes cause lots of db threads doing the tag moves, so up this from default. # Large updates pushes cause lots of db threads doing the tag moves, so up this from default.

68
playbooks/groups/fedoauth.yml
View file

@ -1,68 +0,0 @@
# create a new FedOAuth server
# NOTE: should be used with --limit most of the time
# NOTE: make sure there is room/space for this server on the vmhost
# NOTE: most of these vars_path come from group_vars/fedoauth* or from hostvars
- name: make fedoauth
hosts: fedoauth
user: root
gather_facts: False
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
tasks:
- include: "{{ tasks }}/virt_instance_create.yml"
handlers:
- include: "{{ handlers }}/restart_services.yml"
- name: make the box be real
hosts: fedoauth
user: root
gather_facts: True
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles:
- base
- rkhunter
- nagios_client
- hosts
- fas_client
- rsyncd
- sudo
- { role: openvpn/client,
when: env != "staging" }
- apache
- collectd/base
tasks:
- include: "{{ tasks }}/yumrepos.yml"
- include: "{{ tasks }}/2fa_client.yml"
- include: "{{ tasks }}/motd.yml"
- include: "{{ tasks }}/mod_wsgi.yml"
handlers:
- include: "{{ handlers }}/restart_services.yml"
- name: deploy fedoauth itself
hosts: fedoauth
user: root
gather_facts: True
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- "{{ vars_path }}/{{ ansible_distribution }}.yml"
roles:
- fedoauth
handlers:
- include: "{{ handlers }}/restart_services.yml"

73
roles/fedoauth/tasks/main.yml
View file

@ -1,73 +0,0 @@
---
# Configuration for the fedoauth webapp
- name: clean yum metadata
command: yum clean all
tags:
- packages
- name: install needed packages
yum: pkg={{ item }} state=present
with_items:
- fedoauth
- fedoauth-template-fedora
- fedoauth-backend-fedora
- fedoauth-provider-openid
- fedoauth-provider-persona
- python-psycopg2
- libsemanage-python
tags:
- packages
- name: copy fedoauth configuration
template: src=fedoauth.cfg
dest=/etc/fedoauth/fedoauth.cfg
owner=fedoauth group=fedoauth mode=0600
tags:
- config
notify:
- restart apache
- name: copy fedoauth logging configuration
template: src=fedoauth.log.cfg
dest=/etc/fedoauth/fedoauth.log.cfg
owner=fedoauth group=fedoauth mode=0600
tags:
- config
notify:
- restart apache
- name: copy fedoauth private key
copy: src={{ private }}/files/fedoauth/persona.key dest=/etc/fedoauth/persona.key
owner=fedoauth group=fedoauth mode=0600
when: env != "staging"
- name: copy fedoauth STG private key
copy: src={{ private }}/files/fedoauth/persona.stg.key dest=/etc/fedoauth/persona.stg.key
owner=fedoauth group=fedoauth mode=0600
when: env == "staging"
- name: create the database scheme
command: /usr/bin/python2 /usr/share/fedoauth/createdb.py
environment:
FEDOAUTH_CONFIG: /etc/fedoauth/fedoauth.cfg
#- name: Clean the database
# command: /usr/bin/python2 /usr/share/fedoauth/cleanup.py
# environment:
# FEDOAUTH_CONFIG: /etc/fedoauth/fedoauth.cfg
- name: set sebooleans so fedoauth can talk to the db
action: seboolean name=httpd_can_network_connect_db
state=true
persistent=true
- name: set sebooleans so fedoauth can send error logs
action: seboolean name=httpd_can_network_connect
state=true
persistent=true
- name: apply selinux type to the wsgi file
file: >
dest=/usr/share/fedoauth/fedoauth.wsgi
setype=httpd_sys_content_t

94
roles/fedoauth/templates/fedoauth.cfg
View file

@ -1,94 +0,0 @@
# Beware that the quotes around the values are mandatory
# GENERAL CONFIGURATION
GLOBAL = {'reverse_proxied': True,
{% if env == 'staging' %}
'database_url': "postgresql://{{ fedoauth_db_user }}:{{ fedoauth_db_pass }}@{{ fedoauth_db_host }}.stg/{{ fedoauth_db_name }}",
{% else %}
'database_url': "postgresql://{{ fedoauth_db_user }}:{{ fedoauth_db_pass }}@{{ fedoauth_db_host }}/{{ fedoauth_db_name }}",
{% endif %}
'cookies_secure': True,
'transactions_timeout': 5,
'global_template_dir': '/usr/share/fedoauth/templates/global/',
'template_dir': '/usr/share/fedoauth/templates/fedora/',
'logging_config_location': '/etc/fedoauth/fedoauth.log.cfg',
'secret_key': '{{ fedoauth_secret_key }}',
{% if env == 'staging' %}
'url_root': 'https://id.stg.fedoraproject.org',
'static_content_root': 'https://id.stg.fedoraproject.org/static',
'enable_test_endpoint': True,
{% else %}
'url_root': 'https://id.fedoraproject.org',
'static_content_root': 'https://id.fedoraproject.org/static',
'enable_test_endpoint': False,
{% endif %}
}
AUTH_MODULE_CONFIGURATION = {
# This module authenticates against the Fedora Account System
# (https://admin.fedoraproject.org/accounts/)
'fedoauth.auth.fas.Auth_FAS': {'enabled': True,
'listed': True,
'select_image': '/static/fedora/fedora-authn-logo-white.png',
'reauth_timeout': 15,
'email_alias_when_cla': True,
'user_agent': 'FedOAuth',
'check_cert': True,
{% if env == 'staging' %}
'email_auth_domains': ['stg.fedoraproject.org'],
'base_url': 'https://admin.stg.fedoraproject.org/accounts/',
{% else %}
'email_auth_domains': ['fedoraproject.org'],
'base_url': 'https://admin.fedoraproject.org/accounts/',
{% endif %}
}
}
AUTH_PROVIDER_CONFIGURATION = {
'fedoauth.provider.persona': {'enabled': True,
{% if env == 'staging' %}
'domains': ['id.stg.fedoraproject.org', 'stg.fedoraproject.org'],
'private_key': {'path': '/etc/fedoauth/persona.stg.key',
'passphrase': '{{ fedoauth_persona_key_passphrase }}'},
{% else %}
'domains': ['id.fedoraproject.org', 'fedoraproject.org'],
'private_key': {'path': '/etc/fedoauth/persona.key',
'passphrase': '{{ fedoauth_persona_key_passphrase }}'},
{% endif %}
},
'fedoauth.provider.openid': {'enabled': True,
{% if env == 'staging' %}
'identity_url_pattern': 'http://%(username)s.id.stg.fedoraproject.org/',
'trusted_roots': [],
{% else %}
'identity_url_pattern': 'http://%(username)s.id.fedoraproject.org/',
'trusted_roots': ['http://jenkins.fedorainfracloud.org/securityRealm/finishLogin',
'http://jenkins.cloud.fedoraproject.org/securityRealm/finishLogin',
'https://ask.fedoraproject.org/',
'https://fedorahosted.org/',
'https://badges.fedoraproject.org',
'https://apps.fedoraproject.org/tagger/',
'https://apps.fedoraproject.org/nuancier/',
'https://apps.fedoraproject.org/datagrepper/',
'https://apps.fedoraproject.org/calendar/',
'http://apps.fedoraproject.org/notifications/',
'http://copr.fedoraproject.org/',
'http://copr-fe.cloud.fedoraproject.org/',
'https://copr.fedoraproject.org/',
'https://admin.fedoraproject.org/pkgdb/',
'https://admin.fedoraproject.org/voting/',
'https://apps.fedoraproject.org/github2fedmsg',
'https://admin.fedoraproject.org', # Nagios
'https://apps.fedoraproject.org/', # FMN
'https://release-monitoring.org/', # Anitya
'http://pagure.io/', # Pagure
'http://admin.fedoraproject.org/mirrormanager/'], # MM
{% endif %}
'non_trusted_roots': [],
'handle_magic_groups_value': True
}
}

31
roles/fedoauth/templates/fedoauth.log.cfg
View file

@ -1,31 +0,0 @@
[loggers]
keys=root
[handlers]
keys=syslog,email
[formatters]
keys=form01
[logger_root]
level=INFO
handlers=syslog,email
[handler_syslog]
class=handlers.SysLogHandler
level=NOTSET
formatter=form01
args=(('localhost', handlers.SYSLOG_UDP_PORT), handlers.SysLogHandler.LOG_LOCAL4)
[handler_email]
class=handlers.SMTPHandler
level=WARN
formatter=form01
args=('bastion.phx2.fedoraproject.org', 'fedoauth@fedoraproject.org', ['puiterwijk@fedoraproject.org'], 'FedOAuth error')
[formatter_form01]
format='%(asctime)-15s FedOAuth[%(process)d] %(levelname)s %(message)s
datefmt=