From 7157da1221d8cb771ad37da3ccacd8fe348b1abe Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Mon, 27 Apr 2015 19:50:21 +0000
Subject: [PATCH] More sigul adjustments for secondary
---
 files/sign/bridge.conf.secondary.j2 | 44 ++++++++++++++++
 .../sign/{server.conf => server.conf.primary} | 0
 files/sign/server.conf.secondary | 51 +++++++++++++++++++
 tasks/sign_setup.yml | 26 +++++++---
 4 files changed, 114 insertions(+), 7 deletions(-)
 create mode 100644 files/sign/bridge.conf.secondary.j2
 rename files/sign/{server.conf => server.conf.primary} (100%)
 create mode 100644 files/sign/server.conf.secondary
diff --git a/files/sign/bridge.conf.secondary.j2 b/files/sign/bridge.conf.secondary.j2
new file mode 100644
index 0000000000..94ec5827d6
--- /dev/null
+++ b/files/sign/bridge.conf.secondary.j2
@@ -0,0 +1,44 @@
+# This is a configuration for the sigul bridge.
+#
+[bridge]
+# Nickname of the bridge's certificate in the NSS database specified below
+bridge-cert-nickname: secondary-signer
+# Port on which the bridge expects client connections
+client-listen-port: 44334
+# Port on which the bridge expects server connections
+server-listen-port: 44333
+# A Fedora account system group required for access to the signing server. If
+# empty, no Fedora account check is done.
+; required-fas-group:
+# User name and password for an account on the Fedora account system that can
+# be used to verify group memberships
+; fas-user-name:
+; fas-password:
+#
+[koji]
+# Config file used to connect to the Koji hub
+# ; koji-config: ~/.koji/config
+# # Recognized alternative instances
+koji-instances: ppc s390 arm sparc
+#
+# # Example configuration of alternative instances:
+# # koji-instances: ppc64 s390
+# # Configuration paths for alternative instances:
+koji-config-ppc: /etc/koji-ppc.conf
+koji-config-s390: /etc/koji-s390.conf
+koji-config-arm: /etc/koji-arm.conf
+koji-config-sparc: /etc/koji-sparc.conf
+#
+#
+[daemon]
+# The user to run as
+unix-user: sigul
+# The group to run as
+unix-group: sigul
+#
+[nss]
+# Path to a directory containing a NSS database
+nss-dir: /var/lib/sigul
+# Password for accessing the NSS database. If not specified, the bridge will
+# ask on startup
+#
diff --git a/files/sign/server.conf b/files/sign/server.conf.primary
similarity index 100%
rename from files/sign/server.conf
rename to files/sign/server.conf.primary
diff --git a/files/sign/server.conf.secondary b/files/sign/server.conf.secondary
new file mode 100644
index 0000000000..38d6a0cbfc
--- /dev/null
+++ b/files/sign/server.conf.secondary
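Review bot: `required-fas-group` is left commented out (`; required-fas-group:`), so by the file's own comment no Fedora account group check is performed and any client presenting a certificate the bridge trusts in `/var/lib/sigul` can reach the secondary signing server. If the primary bridge.conf.j2 gates access on a FAS group, the secondary should do the same, or carry a comment stating why it is intentionally open, e.g. `# No FAS group gate: access is controlled solely by client certificates in the NSS database`. Note also that the file is deployed as a Jinja template but contains no `{{ }}` expressions, so nothing (not even the NSS password) is templated in; if that is deliberate, a header comment such as `# nss-password is intentionally absent: the bridge prompts for it at startup` would stop the next reader from assuming it was dropped by mistake.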
@@ -0,0 +1,51 @@
+# This is a configuration for the sigul server.
+
+# FIXME: remove my data
+
+[server]
+# Host name of the publically acessible bridge to clients
+bridge-hostname: secondary-signer
+# Port on which the bridge expects server connections
+; bridge-port: 44333
+# Maximum accepted size of payload stored on disk
+max-file-payload-size: 2073741824
+# Maximum accepted size of payload stored in server's memory
+max-memory-payload-size: 1048576
+# Nickname of the server's certificate in the NSS database specified below
+server-cert-nickname: secondary-signer-server
+
+signing-timeout: 4000
+
+[database]
+# Path to a SQLite database
+; database-path: /var/lib/sigul/server.conf
+
+[gnupg]
+# Path to a directory containing GPG configuration and keyrings
+gnupg-home: /var/lib/sigul/gnupg
+# Default primary key type for newly created keys
+gnupg-key-type: RSA
+# Default primary key length for newly created keys
+gnupg-key-length: 4096
+# Default subkey type for newly created keys, empty for no subkey
+#gnupg-subkey-type: ELG-E
+# Default subkey length for newly created keys if gnupg-subkey-type is not empty
+# gnupg-subkey-length: 4096
+# Default key usage flags for newly created keys
+gnupg-key-usage: encrypt, sign
+# Length of key passphrases used for newsly created keys
+; passphrase-length: 64
+
+[daemon]
+# The user to run as
+unix-user: sigul
+# The group to run as
+unix-group: sigul
+
+[nss]
+# Path to a directory containing a NSS database
+nss-dir: /var/lib/sigul
+# Password for accessing the NSS database. If not specified, the server will
+# ask on startup
+; nss-password is not specified by default
+
diff --git a/tasks/sign_setup.yml b/tasks/sign_setup.yml
index ed57ec4fa7..dbc080ef71 100644
--- a/tasks/sign_setup.yml
+++ b/tasks/sign_setup.yml
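Review bot: The `# FIXME: remove my data` comment on the third line is a leftover that refers to nothing in this file and should be dropped, or replaced by a comment saying how this file differs from server.conf.primary (the hunk shows a secondary-specific `bridge-hostname` and `server-cert-nickname`; anything else that differs is not visible here). The commented default `; database-path: /var/lib/sigul/server.conf` names the config file rather than a SQLite database, so anyone who uncomments it would point the server at its own config as the database; correct it to the real default (upstream's example uses a `.sqlite` path, I believe — verify). `signing-timeout: 4000` is the only uncommented key with no explanation; add `# Time a single signing operation may run before it is abandoned (presumably seconds; confirm against sigul's documentation)`. Separately, `gnupg-key-usage: encrypt, sign` gives newly created keys an encryption capability that package signing does not use; if the secondary keys only ever sign, `gnupg-key-usage: sign` is the tighter default.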
@@ -1,7 +1,7 @@ --- - name: put builder-repo on system - action: copy src="{{ files }}/sign/{{ item }}" dest="/etc/yum.repos.d/{{ item }}" + copy: src="{{ files }}/sign/{{ item }}" dest="/etc/yum.repos.d/{{ item }}" with_items: - builder-rpms.repo when: is_rhel is defined @@ -10,7 +10,7 @@ - packages - name: install sigul - action: yum state=present name={{ item }} + yum: state=present name={{ item }} with_items: - sigul - ntp 
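Review bot: The converted tasks keep their module arguments as `key=value` strings (`yum: state=present name={{ item }}`), the form the usual Ansible guidance discourages in favour of a YAML mapping; since the commit is already rewriting these lines, the mapping form `yum:` / `  name: "{{ item }}"` / `  state: present` would be the natural end state and makes quoting of Jinja values explicit. The same applies to the `copy:` task in the first hunk. This is purely a point of style; behaviour is unchanged either way.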
@@ -22,18 +22,30 @@ - packages - name: setup /etc/sigul/bridge.conf file - action: template src="{{ files }}/sign/bridge.conf.j2" dest=/etc/sigul/bridge.conf owner=root group=sigul mode=640 + template: src="{{ files }}/sign/bridge.conf.j2" dest=/etc/sigul/bridge.conf owner=root group=sigul mode=640 tags: - config + when: inventory_hostname.startswith('sign') - name: setup /etc/sigul/server.conf file - action: copy src="{{ files }}/sign/server.conf" dest=/etc/sigul/server.conf owner=root group=sigul mode=640 + copy: src="{{ files }}/sign/server.conf.primary" dest=/etc/sigul/server.conf owner=root group=sigul mode=640 + when: inventory_hostname.startswith('sign') + +- name: setup secondary /etc/sigul/bridge.conf file + template: src="{{ files }}/sign/bridge.conf.secondary.j2" dest=/etc/sigul/bridge.conf owner=root group=sigul mode=640 + tags: + - config + when: inventory_hostname.startswith('secondary') + +- name: setup secondary /etc/sigul/server.conf file + copy: src="{{ files }}/sign/server.conf.secondary" dest=/etc/sigul/server.conf owner=root group=sigul mode=640 + when: inventory_hostname.startswith('secondary') - name: ntp steptickers - action: copy src="{{ files }}/common/step-tickers" dest=/etc/ntp/step-tickers + copy: src="{{ files }}/common/step-tickers" dest=/etc/ntp/step-tickers - name: ntp.conf - action: copy src="{{ files }}/common/ntp.conf" dest=/etc/ntp.conf + copy: src="{{ files }}/common/ntp.conf" dest=/etc/ntp.conf - name: enable ntpd - action: service name=ntpd enabled=true state=started + service: name=ntpd enabled=true state=started
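Review bot: Role selection relies on bare name prefixes (`when: inventory_hostname.startswith('sign')` and `startswith('secondary')`), so a host matching neither gets sigul and ntp but no `/etc/sigul/*.conf` at all without any failure, and any future host whose inventory name happens to begin with `secondary` silently receives the secondary signer's bridge and server configuration. A host variable (e.g. `when: sigul_role == 'secondary'`) or group membership (`when: "'sign-secondary' in group_names"`) is a safer selector, ideally followed by a `fail:` task when no role matched. Note too that both bridge.conf and server.conf are written to every matching host; if the bridge and the signing server are separate machines this places the server's configuration on the bridge (the primary tasks follow the same pattern, so this is inherited rather than new). Finally, the two new `copy:` tasks lack the `tags: [config]` that the template tasks carry, so a `--tags config` run refreshes bridge.conf but leaves server.conf stale on the same host.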