diff --git a/roles/fedoauth/tasks/main.yml b/roles/fedoauth/tasks/main.yml index b0631d3ff6..5e9b5c84c0 100644 --- a/roles/fedoauth/tasks/main.yml +++ b/roles/fedoauth/tasks/main.yml @@ -21,17 +21,6 @@ template: src=fedoauth.cfg dest=/etc/fedoauth/fedoauth.cfg owner=fedoauth group=fedoauth mode=0600 - when: env != "staging" - tags: - - config - notify: - - restart apache - -- name: copy fedoauth STG configuration - template: src=fedoauth.stg.cfg - dest=/etc/fedoauth/fedoauth.cfg - owner=fedoauth group=fedoauth mode=0600 - when: env == "staging" tags: - config notify: diff --git a/roles/fedoauth/templates/fedoauth.cfg b/roles/fedoauth/templates/fedoauth.cfg index 1bd62956d1..086a091c09 100644 --- a/roles/fedoauth/templates/fedoauth.cfg +++ b/roles/fedoauth/templates/fedoauth.cfg 
@@ -2,16 +2,27 @@ # GENERAL CONFIGURATION ### url to the database server: +{% if env == 'staging' %} +SQLALCHEMY_DATABASE_URI="postgresql://{{ fedoauth_db_user }}:{{ fedoauth_db_pass }}@{{ fedoauth_db_host }}.stg/{{ fedoauth_db_name }}" +{% else %} SQLALCHEMY_DATABASE_URI="postgresql://{{ fedoauth_db_user }}:{{ fedoauth_db_pass }}@{{ fedoauth_db_host }}/{{ fedoauth_db_name }}" -#SQLALCHEMY_DATABASE_URI='sqlite:///fedoauth.sqlite' -#SQLALCHEMY_DATABASE_URI='mysql://user:pass@host/db_name' -#SQLALCHEMY_DATABASE_URI='postgresql://user:pass@host/db_name' +{% endif %} # This is the OpenID endpoint url, at which the server is available +{% if env == 'staging' %} +WEBSITE_ROOT = 'https://id.stg/fedoraproject.org' +COOKIE_DOMAIN = 'id.stg.fedoraproject.org' +OPENID_IDENTITY_URL = 'http://%(username)s.id.stg.fedoraproject.org/' +PERSONA_DOMAIN = 'stg.fedoraproject.org' +PERSONA_ISSUER = 'id.stg.fedoraproject.org' +{% else %} WEBSITE_ROOT = 'https://id.fedoraproject.org' COOKIE_DOMAIN = 'id.fedoraproject.org' -COOKIE_SECURE = True OPENID_IDENTITY_URL = 'http://%(username)s.id.fedoraproject.org/' +PERSONA_DOMAIN = 'fedoraproject.org' +PERSONA_ISSUER = 'id.fedoraproject.org' +{% endif %} +COOKIE_SECURE = True # Modules to use AUTH_MODULE='fedoauth.auth.fas.Auth_FAS' @@ -29,8 +40,6 @@ FAS_AVAILABLE_TO = [] # PERSONA CONFIGURATION # This is the domain for which we are willing to sign -PERSONA_DOMAIN = 'fedoraproject.org' -PERSONA_ISSUER = 'id.fedoraproject.org' PERSONA_PRIVATE_KEY_PATH = '/etc/fedoauth/persona.key' PERSONA_PRIVATE_KEY_PASSPHRASE = '{{ fedoauth_persona_key_passphrase }}' 
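Review bot: The staging `WEBSITE_ROOT` added in the `{% if env == 'staging' %}` branch reads `'https://id.stg/fedoraproject.org'`, with a slash where the removed fedoauth.stg.cfg had a dot, so the staging server root would sit on host `id.stg` while `COOKIE_DOMAIN` and `PERSONA_ISSUER` in the same branch say `id.stg.fedoraproject.org`. The line should be `WEBSITE_ROOT = 'https://id.stg.fedoraproject.org'`. Separately, the removed staging template set `PERSONA_PRIVATE_KEY_PATH = '/etc/fedoauth/persona.stg.key'`, whereas the merged template keeps `/etc/fedoauth/persona.key` for both environments (visible as context in the following hunk). Unless the key-deployment task is adjusted elsewhere, staging will presumably either fail to find its signing key or use a file with the production key's name, so that setting likely needs the same `env` conditional.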
@@ -45,7 +54,7 @@ OPENID_TRUSTED_ROOTS = ['http://jenkins.cloud.fedoraproject.org/securityRealm/fi 'https://apps.fedoraproject.org/nuancier/', 'https://apps.fedoraproject.org/datagrepper/', 'https://apps.fedoraproject.org/calendar/', - 'https://apps.fedoraproject.org/notifications/', + 'http://apps.fedoraproject.org/notifications/', 'http://copr.fedoraproject.org/', 'http://copr-fe.cloud.fedoraproject.org/'] OPENID_NON_TRUSTED_ROOTS = [] diff --git a/roles/fedoauth/templates/fedoauth.stg.cfg b/roles/fedoauth/templates/fedoauth.stg.cfg deleted file mode 100644 index ee0da65e83..0000000000 --- a/roles/fedoauth/templates/fedoauth.stg.cfg +++ /dev/null 
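Review bot: The notifications entry in `OPENID_TRUSTED_ROOTS` is downgraded from `https://` to `http://`, and according to the comment in the removed staging file, roots on this list are ones the user does not need to confirm again. An auto-approved plaintext realm means the login response for that relying party is not tied to a TLS-protected origin, and since the template is now shared between environments the change takes effect in production too. If the notifications app really presents an http realm, fixing that on the relying-party side and keeping `'https://apps.fedoraproject.org/notifications/',` would be the safer choice. If the downgrade has to go in temporarily, a comment above the entry saying why and when it will be reverted would help. The list begins above this hunk, so the other entries are only partly visible here.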
@@ -1,53 +0,0 @@ -# Beware that the quotes around the values are mandatory - -# GENERAL CONFIGURATION -### url to the database server: -SQLALCHEMY_DATABASE_URI="postgresql://{{ fedoauth_db_user }}:{{ fedoauth_db_pass }}@{{ fedoauth_db_host }}.stg/{{ fedoauth_db_name }}" -#SQLALCHEMY_DATABASE_URI='sqlite:///fedoauth.sqlite' -#SQLALCHEMY_DATABASE_URI='mysql://user:pass@host/db_name' -#SQLALCHEMY_DATABASE_URI='postgresql://user:pass@host/db_name' - -# This is the OpenID endpoint url, at which the server is available -WEBSITE_ROOT = 'https://id.stg.fedoraproject.org' -COOKIE_DOMAIN = 'id.stg.fedoraproject.org' -COOKIE_SECURE = True -OPENID_IDENTITY_URL = 'http://%(username)s.id.stg.fedoraproject.org/' - -# Modules to use -AUTH_MODULE='fedoauth.auth.fas.Auth_FAS' - -# FAS PROVIDER CONFIGURATION -FAS_USER_AGENT = 'FAS-OpenID' -FAS_BASE_URL='https://admin.fedoraproject.org/accounts/' -FAS_CHECK_CERT=False -FAS_HTTPS_REQUIRED=False -FAS_HANDLE_GROUPS_MAGIC_VALUE=True - -# Enable a filter to make this only available to a specific list of users -FAS_AVAILABLE_FILTER = False -FAS_AVAILABLE_TO = [] - -# PERSONA CONFIGURATION -# This is the domain for which we are willing to sign -PERSONA_DOMAIN = 'stg.fedoraproject.org' -PERSONA_ISSUER = 'id.stg.fedoraproject.org' -PERSONA_PRIVATE_KEY_PATH = '/etc/fedoauth/persona.stg.key' -PERSONA_PRIVATE_KEY_PASSPHRASE = '{{ fedoauth_persona_key_passphrase }}' - -# OPENID CONFIGURATION -# This is the OpenID url provided to users. 
Add %(username)s where the username should be entered -# A list of trust roots for which the user will not need to confirm again -OPENID_TRUSTED_ROOTS = ['http://jenkins.cloud.fedoraproject.org/securityRealm/finishLogin', - 'https://ask.fedoraproject.org/', - 'https://fedorahosted.org/', - 'https://badges.fedoraproject.org', - 'https://apps.fedoraproject.org/tagger/', - 'https://apps.fedoraproject.org/nuancier/', - 'https://apps.fedoraproject.org/datagrepper/', - 'https://apps.fedoraproject.org/calendar/', - 'https://apps.fedoraproject.org/notifications/', - 'http://copr.fedoraproject.org/', - 'http://copr-fe.cloud.fedoraproject.org/'] -OPENID_NON_TRUSTED_ROOTS = [] -### The maximum time after which the user must re-authenticate for OpenID in minutes (use 0 for no limit) -OPENID_MAX_AUTH_TIME = 120