From 4e63bbb7b273cab3a61a27579081217956bed956 Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Thu, 29 Oct 2020 10:17:04 -0700
Subject: [PATCH] Add a crypto-policies to set to LEGACY on fedora 33 hosts This is needed to get our 2fa working. We should drop this once we are moved to sssd.
Signed-off-by: Kevin Fenzi
---
 roles/base/tasks/crypto-policies.yml | 10 ++++++++++
 roles/base/tasks/main.yml | 3 +++
 roles/base/templates/crypto-policies-config | 1 +
 3 files changed, 14 insertions(+)
 create mode 100644 roles/base/tasks/crypto-policies.yml
 create mode 100644 roles/base/templates/crypto-policies-config
diff --git a/roles/base/tasks/crypto-policies.yml b/roles/base/tasks/crypto-policies.yml
new file mode 100644
index 0000000000..d7351ffde8
--- /dev/null
+++ b/roles/base/tasks/crypto-policies.yml
@@ -0,0 +1,10 @@
+- name: Set crypto-policy on fedora 33 and higher hosts to allow 2fa to work
+ template:
+ dest: /etc/crypto-policies/config
+ src: crypto-policies-config
+ owner: root
+ mode: 644
+ when: ansible_distribution_major_version|int >= 33
+ tags:
+ - crypto-policies
+ - base/crypto-policies
diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml
index 35a59fbb5a..f78beec184 100644
--- a/roles/base/tasks/main.yml
+++ b/roles/base/tasks/main.yml
@@ -581,3 +581,6 @@
 - base
 - config
 - python3alternative
+
+- name: Set crypto-policy to LEGACY on fedora 33 hosts to get 2fa working
+ import_tasks: crypto-policies.yml
diff --git a/roles/base/templates/crypto-policies-config b/roles/base/templates/crypto-policies-config
new file mode 100644
index 0000000000..af05e9bc61
--- /dev/null
+++ b/roles/base/templates/crypto-policies-config
@@ -0,0 +1 @@
+LEGACY
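Review bot: `mode: 644` in the new task is an unquoted YAML integer, which Ansible takes as decimal 644 (octal 1204) rather than rw-r--r--, so /etc/crypto-policies/config would not end up with the intended permissions; it should be `mode: "0644"`, ideally with an explicit `group: root`. Separately, as far as this patch shows, nothing runs `update-crypto-policies` after the file is written, and the per-library back-end configuration is only regenerated when that tool runs, so the policy change may not take effect on hosts that are already installed. The sketch below fixes the mode and adds an apply step that runs only when the file changed. YAML indentation is not recoverable from this page, so it is shown in the conventional form.

```yaml
- name: Set crypto-policy on fedora 33 and higher hosts to allow 2fa to work
  template:
    # … unchanged: dest, src, owner …
    group: root
    mode: "0644"
  register: crypto_policy_config
  # … unchanged: when, tags …

- name: Regenerate crypto back-end configs from /etc/crypto-policies/config
  command: update-crypto-policies
  when: crypto_policy_config is changed
  # … same tags as the task above …
```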
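Review bot: This import is unconditional in the base role, and the only guard (the `when:` in crypto-policies.yml) compares `ansible_distribution_major_version` without checking the distribution, so any non-Fedora host reporting a major version of 33 or higher would also be switched to the weaker policy. Adding `when: ansible_distribution == 'Fedora'` to this `import_tasks` would make the behaviour match the task name. The name also says "fedora 33 hosts" while the imported condition is `>= 33`, so one of the two should be adjusted so a reader knows whether later releases are meant to inherit this. The task list this hunk appends to starts outside the hunk.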
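Review bot: The template sets the system-wide policy to `LEGACY` with nothing in the file recording why or until when, and that policy relaxes protocol and algorithm limits for every application using the system crypto back-ends, not only the 2fa path. A header comment such as `# Temporary: LEGACY is required for 2fa; revert to DEFAULT once auth moves to sssd` would carry the commit message's intent onto the host itself; the stock config file uses `#` comments, but confirm the target release's parser accepts them. If the 2fa component needs only one specific relaxation, a policy narrower than LEGACY is worth evaluating before this reaches every Fedora 33+ host.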