From 79eb0db7c0060d650333d665d97b059c81fc352e Mon Sep 17 00:00:00 2001
From: Pierre-Yves Chibon
Date: Fri, 23 Jan 2015 15:06:47 +0100
Subject: [PATCH] Let distgit install its own fas.conf after the first run of fas_client

---
 roles/distgit/tasks/main.yml | 12 ++++
 roles/distgit/templates/fas.conf.j2 | 96 +++++++++++++++++++++++++++++
 2 files changed, 108 insertions(+)
 create mode 100644 roles/distgit/templates/fas.conf.j2

diff --git a/roles/distgit/tasks/main.yml b/roles/distgit/tasks/main.yml
index cf4d090a6e..185e604055 100644
--- a/roles/distgit/tasks/main.yml
+++ b/roles/distgit/tasks/main.yml
@@ -31,6 +31,18 @@
 - name: allow httpd to access the files on NFS
   seboolean: name=httpd_use_nfs state=yes persistent=yes
 
+- name: setup our own /etc/fas.conf with the proper fas_client_admin_app and fas_client_restricted_app var
+  template: src={{ item }} dest=/etc/fas.conf owner=root mode=600
+  with_items:
+  - fas.conf.j2
+  tags:
+  - config
+  - fas_client
+  notify:
+  - run fasclient
+
+
+
 # -- Dist Git --------------------------------------------
 # This is the Git setup itself: group, root directory, scripts,...
 - name: create the distgit root directory (/srv/git)
diff --git a/roles/distgit/templates/fas.conf.j2 b/roles/distgit/templates/fas.conf.j2
new file mode 100644
index 0000000000..52a4d776f2
--- /dev/null
+++ b/roles/distgit/templates/fas.conf.j2
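Review bot: The new template task passes the mode as the bare value `600`; in key=value shorthand Ansible still treats it as octal, but the same literal becomes decimal 600 (01130, group-writable) the moment someone converts the task to YAML dict form, and this file carries `password = {{ fedorathirdpartyPassword }}`, so the safer spelling is `mode=0600` with the group pinned too. The `with_items` loop over a single literal adds nothing, so `template: src=fas.conf.j2 dest=/etc/fas.conf owner=root group=root mode=0600` says the same on one line. The commit title says this runs "after the first run of fas_client", yet nothing in the hunk orders this task against whatever the fas_client role writes to /etc/fas.conf; if both roles manage the file the last one to run wins and the config presumably flaps between runs, so a comment on the task stating the intended ordering (and which role owns the file afterwards) would help the next maintainer.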
@@ -0,0 +1,96 @@
+[global]
+; url - Location to fas server
+{% if env == "staging" %}
+url = https://admin.stg.fedoraproject.org/accounts/
+{% else %}
+url = https://admin.fedoraproject.org/accounts/
+{% endif %}
+
+; temp - Location to generate files while user creation process is happening
+temp = /var/db
+
+; login - username to contact fas
+login = {{ fedorathirdpartyUser }}
+
+; password - password for login name
+password = {{ fedorathirdpartyPassword }}
+
+; prefix - install to a location other than /
+prefix = /
+
+; modefile - Location of a file containing saved home directory modes
+modefile = /var/lib/fas/client_dir_perms
+
+; cla_group - Group for CLA requirements
+cla_group = cla_done
+
+[host]
+; Group hierarchy is 1) groups, 2) restricted_groups 3) ssh_restricted_groups
+; so if someone is in all 3, the client behaves the same as if they were just
+; in 'groups'
+
+; groups that should have a shell account on this system.
+{% if fas_client_groups is defined %}
+groups = sysadmin-main,{{ fas_client_groups }}
+{% else %}
+groups = sysadmin-main
+{% endif %}
+
+; groups that should have a restricted account on this system.
+; restricted accounts use the restricted_shell value in [users]
+restricted_groups =
+
+; ssh_restricted_groups: groups that should be restricted by ssh key. You will
+; need to disable password based logins in order for this value to have any
+; security meaning. Group types can be placed here as well, for example
+; @hg,@git,@svn
+{% if fas_client_ssh_groups is defined %}
+ssh_restricted_groups = {{ fas_client_ssh_groups }}
+{% else %}
+ssh_restricted_groups =
+{% endif %}
+
+; aliases_template: Gets prepended to the aliases file when it is generated by
+; fasClient
+aliases_template = /etc/aliases.template
+
+[users]
+; default shell given to people in [host] groups
+shell = /bin/bash
+
+; home - the location for fas user home dirs
+home = /home/fedora
+
+; home_backup_dir - Location home dirs should get moved to when a user is
+; deleted this location should be tmpwatched
+home_backup_dir = /home/fedora.bak
+
+; ssh_restricted_app - This is the path to the restricted shell script. It
+; will not work automatically for most people though through alterations it
+; is a powerfull way to restrict access to a machine. An alternative example
+; could be given to people who should only have cvs access on the machine.
+; setting this value to "/usr/bin/cvs server" would do this.
+{% if fas_client_restricted_app_2 is defined %}
+ssh_restricted_app = {{ fas_client_restricted_app_2 }}
+{% else %}
+ssh_restricted_app =
+{% endif %}
+
+; ssh_admin_app - This is the path to an app that an admin is allowed to use.
+{% if fas_client_admin_app_2 is defined %}
+ssh_admin_app = {{ fas_client_admin_app_2 }}
+{% else %}
+ssh_admin_app =
+{% endif %}
+
+; restricted_shell - The shell given to users in the ssh_restricted_groups
+restricted_shell = /sbin/nologin
+
+; ssh_restricted_shell - The shell given to users in the ssh_restricted_groups
+ssh_restricted_shell = /bin/bash
+
+; ssh_key_options - Options to be appended to people ssh keys. Users in the
+; ssh_restricted_groups will have the keys they uploaded altered when they are
+; installed on this machine, appended with the options below.
+ssh_key_options = no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty
+
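Review bot: The template keys on `fas_client_restricted_app_2` and `fas_client_admin_app_2`, while the commit title and the task name in main.yml speak of `fas_client_admin_app` and `fas_client_restricted_app`; if the inventory defines the unsuffixed names, both `{% if … is defined %}` guards fall through and the rendered file carries an empty `ssh_restricted_app =` and `ssh_admin_app =`, which presumably leaves members of ssh_restricted_groups with the plain `/bin/bash` from `ssh_restricted_shell` and only `ssh_key_options` standing between them and a shell — confirm against fasClient's handling of an empty value. A misnamed variable therefore degrades the restriction silently instead of failing the play; for hosts where the restricted app is required, `ssh_restricted_app = {{ fas_client_restricted_app_2 | mandatory }}` turns the omission into a template error. At minimum a Jinja comment above the two blocks should explain the `_2` suffix, e.g. `{# _2 suffix keeps these distinct from the fas_client role's variables of the same name; set per host group — TODO confirm #}`, with the naming to be checked against the group_vars that define them.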