Let distgit install its own fas.conf after the first run of fas_client

roles/distgit/tasks/main.yml

@@ -31,6 +31,18 @@
 - name: allow httpd to access the files on NFS
   seboolean: name=httpd_use_nfs state=yes persistent=yes
 
+- name: setup our own /etc/fas.conf with the proper fas_client_admin_app and fas_client_restricted_app var
+  template: src={{ item }} dest=/etc/fas.conf owner=root mode=600
+  with_items:
+  - fas.conf.j2
+  tags:
+  - config
+  - fas_client
+  notify:
+  - run fasclient
+
+
+
 # -- Dist Git --------------------------------------------
 # This is the Git setup itself: group, root directory, scripts,...
 - name: create the distgit root directory (/srv/git)

roles/distgit/templates/fas.conf.j2

@@ -0,0 +1,96 @@
+[global]
+; url - Location to fas server
+{% if env == "staging" %}
+url = https://admin.stg.fedoraproject.org/accounts/
+{% else %}
+url = https://admin.fedoraproject.org/accounts/
+{% endif %}
+
+; temp - Location to generate files while user creation process is happening
+temp = /var/db
+
+; login - username to contact fas
+login = {{ fedorathirdpartyUser }}
+
+; password - password for login name
+password = {{ fedorathirdpartyPassword }}
+
+; prefix - install to a location other than /
+prefix = /
+
+; modefile - Location of a file containing saved home directory modes
+modefile = /var/lib/fas/client_dir_perms
+
+; cla_group - Group for CLA requirements
+cla_group = cla_done
+
+[host]
+; Group hierarchy is 1) groups, 2) restricted_groups 3) ssh_restricted_groups
+; so if someone is in all 3, the client behaves the same as if they were just
+; in 'groups'
+
+; groups that should have a shell account on this system.
+{% if fas_client_groups is defined %}
+groups = sysadmin-main,{{ fas_client_groups }}
+{% else %}
+groups = sysadmin-main
+{% endif %}
+
+; groups that should have a restricted account on this system.
+; restricted accounts use the restricted_shell value in [users]
+restricted_groups =
+
+; ssh_restricted_groups: groups that should be restricted by ssh key.  You will
+; need to disable password based logins in order for this value to have any
+; security meaning.  Group types can be placed here as well, for example
+; @hg,@git,@svn
+{% if fas_client_ssh_groups is defined %}
+ssh_restricted_groups = {{ fas_client_ssh_groups }}
+{% else %}
+ssh_restricted_groups = 
+{% endif %}
+
+; aliases_template: Gets prepended to the aliases file when it is generated by
+; fasClient
+aliases_template = /etc/aliases.template
+
+[users]
+; default shell given to people in [host] groups
+shell = /bin/bash
+
+; home - the location for fas user home dirs
+home = /home/fedora
+
+; home_backup_dir - Location home dirs should get moved to when a user is
+; deleted this location should be tmpwatched
+home_backup_dir = /home/fedora.bak
+
+; ssh_restricted_app - This is the path to the restricted shell script.  It
+; will not work automatically for most people though through alterations it
+; is a powerfull way to restrict access to a machine.  An alternative example
+; could be given to people who should only have cvs access on the machine.
+; setting this value to "/usr/bin/cvs server" would do this.
+{% if fas_client_restricted_app_2 is defined %}
+ssh_restricted_app = {{ fas_client_restricted_app_2 }}
+{% else %}
+ssh_restricted_app = 
+{% endif %}
+
+; ssh_admin_app - This is the path to an app that an admin is allowed to use.
+{% if fas_client_admin_app_2 is defined %}
+ssh_admin_app = {{ fas_client_admin_app_2 }}
+{% else %}
+ssh_admin_app = 
+{% endif %}
+
+; restricted_shell - The shell given to users in the ssh_restricted_groups
+restricted_shell = /sbin/nologin
+
+; ssh_restricted_shell - The shell given to users in the ssh_restricted_groups
+ssh_restricted_shell = /bin/bash
+
+; ssh_key_options - Options to be appended to people ssh keys.  Users in the
+; ssh_restricted_groups will have the keys they uploaded altered when they are
+; installed on this machine, appended with the options below.
+ssh_key_options = no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty
+