Ipsilon in prod is now on a VM like in staging

Signed-off-by: Aurélien Bompard <aurelien@bompard.org>
2021-03-24 13:49:24 +01:00 · 2021-03-24 13:49:24 +01:00 · 7b2c578983
commit 7b2c578983
parent ad78542ff5
6 changed files with 6 additions and 216 deletions
--- a/roles/ipsilon/templates/configuration.conf
+++ b/roles/ipsilon/templates/configuration.conf
@ -39,24 +39,15 @@ openidc subject salt={{ ipsilon_stg_openidc_subject_salt }}
 openidc subject salt={{ ipsilon_openidc_subject_salt }}
 {% endif %}
 openidc endpoint url=https://id{{env_suffix}}.fedoraproject.org/openidc/
 {% if env == 'staging' %}
 openidc idp key file=/etc/ipsilon/root/openidc.key
 openidc static database url=configfile:///etc/ipsilon/root/openidc.static.cfg
 {% else %}
 openidc idp key file=/etc/ipsilon/openidc.key
 openidc static database url=configfile:///etc/ipsilon/openidc.static.cfg
 {% endif %}
 openidc database url=postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_openid_name }}
 openidc documentation url=https://fedoraproject.org/wiki/Infrastructure/Authentication
 openidc policy url=https://fedoraproject.org/wiki/Legal:PrivacyPolicy
 openidc tos url=https://fedoraproject.org/wiki/Legal:PrivacyPolicy
 openidc idp sig key id=20161031-sig
 openidc allow dynamic client registration=False
 {% if env == 'staging' %}
 openidc default attribute mapping=[["*", "*"], ["_groups", "groups"], [["_extras", "cla"], "cla"], ["fullname", "name"], ["_username", "nickname"], ["_username", "preferred_username"], ["fasIRCNick", "ircnick"], ["fasLocale", "locale"], ["fasTimeZone", "zoneinfo"], ["fasTimeZone", "timezone"], ["fasWebsiteURL", "website"], ["fasGPGKeyId", "gpg_keyid"], ["ipaSshPubKey", "ssh_key"], ["fasIsPrivate", "privacy"], ["fullname", "human_name"]]
 {% else %}
 openidc default attribute mapping=[["*", "*"], ["timezone", "zoneinfo"], ["_groups", "groups"], [["_extras", "cla"], "cla"], ["fullname", "name"], ["_username", "preferred_username"]]
 {% endif %}
 openid endpoint url=https://id{{env_suffix}}.fedoraproject.org/openid/
 openid identity url template=http://%(username)s.id{{env_suffix}}.fedoraproject.org/
@ -68,25 +59,17 @@ openid trusted roots=https://ask.fedoraproject.org/,https://fedorahosted.org/,ht
 openid database url=postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_openid_name }}
 openid untrusted roots=
 openid enabled extensions=Fedora Teams,Attribute Exchange,CLAs,Simple Registration,API
 {% if env == 'staging' %}
 openid default attribute mapping=[["*", "*"], ["_groups", "groups"], [["_extras", "cla"], "cla"], ["fullname", "name"], ["_username", "nickname"], ["_username", "preferred_username"], ["fasIRCNick", "ircnick"], ["fasLocale", "locale"], ["fasTimeZone", "zoneinfo"], ["fasTimeZone", "timezone"], ["fasWebsiteURL", "website"], ["fasGPGKeyId", "gpg_keyid"], ["ipaSshPubKey", "ssh_key"], ["fasIsPrivate", "privacy"], ["fullname", "human_name"]]
 {% else %}
 openid default attribute mapping=[["*", "*"], ["timezone", "zoneinfo"], ["_groups", "groups"], [["_extras", "cla"], "cla"], ["fullname", "name"], ["_username", "preferred_username"]]
 {% endif %}
 {% if env == 'staging' %}
 saml2 idp metadata file=metadata.xml
 saml2 idp storage path=/etc/ipsilon/root/saml2
 {% if env == 'staging' %}
 saml2 idp nameid salt={{ ipsilon_stg_saml2_nameid_salt }}
 {% else %}
 saml2 idp nameid salt={{ ipsilon_saml2_nameid_salt }}
 {% endif %}
 saml2 idp certificate file=idp.crt
 saml2 idp key file=idp.key
 {% else %}
 saml2 idp metadata file=/httpdir/metadata.xml
 saml2 idp storage path=/etc/ipsilon
 saml2 idp nameid salt={{ ipsilon_saml2_nameid_salt }}
 saml2 idp certificate file=saml2_idp.crt
 saml2 idp key file=saml2_idp.key
 {% endif %}
 saml2 allow self registration=False
 saml2 default nameid=transient
 saml2 default email domain=fedoraproject.org
--- a/roles/ipsilon/templates/httpd.conf.j2
+++ b/roles/ipsilon/templates/httpd.conf.j2
@ -2,11 +2,9 @@ RewriteEngine on
 RewriteRule /.well-known/openid-configuration /openidc/.well-known/openid-configuration [PT]
 #Alias /ui /usr/share/ipsilon/ui
 Alias /ui /usr/share/ipsilon/themes/Fedora
 {% if env == "staging" %}
 Alias /.well-known /var/lib/ipsilon/root/public/well-known
 Alias /cache /var/cache/ipsilon
 Redirect /.well-known/webfinger /webfinger
 {% endif %}
 # This is for mapping $username.id.fp.o -> id.fp.o/id/$username
 RewriteEngine on
@ -23,15 +21,10 @@ RewriteRule ^([a-z0-9_-]+)\.id\.fedoraproject\.org/.* /openid/id/$1/ [PT]
 WSGIScriptAlias / /usr/libexec/ipsilon
 {% if env == "staging" %}
 WSGIDaemonProcess ipsilon user=ipsilon group=ipsilon home=/var/lib/ipsilon/root display-name=ipsilon processes=2 threads=2 maximum-requests=1000
 WSGISocketPrefix run/wsgi
-{% else %}
+#WSGIRestrictStdout Off
-WSGIDaemonProcess ipsilon home=/var/lib/ipsilon processes=2 threads=2 maximum-requests=1000
+#WSGIRestrictSignal Off
 WSGISocketPrefix /httpdir/run/wsgi
 WSGIRestrictStdout Off
 WSGIRestrictSignal Off
 {% endif %}
 # This header is required to be passed for OIDC client_secret_basic
 WSGIPassAuthorization On
 # Without this, getting the private key in jwcrypto/jwk.py, line 430, fails
@ -52,11 +45,7 @@ WSGIApplicationGroup %{GLOBAL}
    Require all granted
 </Directory>
 {% if env == "staging" %}
 <Directory /var/lib/ipsilon/root/public/well-known>
 {% else %}
 <Directory /etc/ipsilon/wellknown>
 {% endif %}
    Require all granted
 </Directory>
@ -66,11 +55,7 @@ WSGIApplicationGroup %{GLOBAL}
 <Location /login/gssapi/negotiate>
    AuthName "GSSAPI Single Sign On Login"
 {% if env == "staging" %}
    GssapiCredStore keytab:/etc/httpd/conf/http.keytab
 {% else %}
    GssapiCredStore keytab:/etc/keytabs/service.keytab
 {% endif %}
    AuthType GSSAPI
    # This is off because Apache (and thus mod_auth_gssapi) doesn't know this is proxied over TLS
    GssapiSSLonly Off
@ -80,7 +65,6 @@ WSGIApplicationGroup %{GLOBAL}
    ErrorDocument 500 /login/gssapi/failed
 </Location>
 {% if env == "staging" %}
 LoadModule intercept_form_submit_module modules/mod_intercept_form_submit.so
 LoadModule authnz_pam_module modules/mod_authnz_pam.so
@ -104,4 +88,3 @@ LoadModule authnz_pam_module modules/mod_authnz_pam.so
    Allow from All
  </IfModule>
 </Directory>
 {% endif %}
--- a/roles/ipsilon/templates/httpd.conf.staging.j2
+++ b/roles/ipsilon/templates/httpd.conf.staging.j2
@ -1,107 +0,0 @@
 RewriteEngine on
 RewriteRule /.well-known/openid-configuration /openidc/.well-known/openid-configuration [PT]
 #Alias /ui /usr/share/ipsilon/ui
 Alias /ui /usr/share/ipsilon/themes/Fedora
 {% if env == "staging" %}
 Alias /.well-known /var/lib/ipsilon/root/public/well-known
 Alias /cache /var/cache/ipsilon
 Redirect /.well-known/webfinger /webfinger
 {% endif %}
 # This is for mapping $username.id.fp.o -> id.fp.o/id/$username
 RewriteEngine on
 RewriteMap lowercase int:tolower
 {% if env == "staging" %}
 RewriteCond ${lowercase:%{SERVER_NAME}} ^[a-z0-9_-]+\.id\.stg\.fedoraproject\.org$
 RewriteRule ^(.+) ${lowercase:%{SERVER_NAME}}$1 [C]
 RewriteRule ^([a-z0-9_-]+)\.id\.stg\.fedoraproject\.org/.* /openid/id/$1/ [PT]
 {% else %}
 RewriteCond ${lowercase:%{SERVER_NAME}} ^[a-z0-9_-]+\.id\.fedoraproject\.org$
 RewriteRule ^(.+) ${lowercase:%{SERVER_NAME}}$1 [C]
 RewriteRule ^([a-z0-9_-]+)\.id\.fedoraproject\.org/.* /openid/id/$1/ [PT]
 {% endif %}
 WSGIScriptAlias / /usr/libexec/ipsilon
 {% if env == "staging" %}
 WSGIDaemonProcess ipsilon user=ipsilon group=ipsilon home=/var/lib/ipsilon/root display-name=ipsilon processes=2 threads=2 maximum-requests=1000
 WSGISocketPrefix run/wsgi
 {% else %}
 WSGIDaemonProcess ipsilon home=/var/lib/ipsilon processes=2 threads=2 maximum-requests=1000
 WSGISocketPrefix /httpdir/run/wsgi
 WSGIRestrictStdout Off
 WSGIRestrictSignal Off
 {% endif %}
 # This header is required to be passed for OIDC client_secret_basic
 WSGIPassAuthorization On
 # Without this, getting the private key in jwcrypto/jwk.py, line 430, fails
 # Fix from https://github.com/pyca/cryptography/issues/2299#issuecomment-197075190
 WSGIApplicationGroup %{GLOBAL}
 <Location />
    WSGIProcessGroup ipsilon
 </Location>
 <Directory /usr/libexec>
    Require all granted
 </Directory>
 <Directory /usr/share/ipsilon>
    Options +SymLinksIfOwnerMatch
    Require all granted
 </Directory>
 {% if env == "staging" %}
 <Directory /var/lib/ipsilon/root/public/well-known>
 {% else %}
 <Directory /etc/ipsilon/wellknown>
 {% endif %}
    Require all granted
 </Directory>
 <Location /.well-known/browserid>
    ForceType application/json
 </Location>
 <Location /login/gssapi/negotiate>
    AuthName "GSSAPI Single Sign On Login"
 {% if env == "staging" %}
    GssapiCredStore keytab:/etc/httpd/conf/http.keytab
 {% else %}
    GssapiCredStore keytab:/etc/keytabs/service.keytab
 {% endif %}
    AuthType GSSAPI
    # This is off because Apache (and thus mod_auth_gssapi) doesn't know this is proxied over TLS
    GssapiSSLonly Off
    GssapiLocalName on
    Require valid-user
    ErrorDocument 401 /login/gssapi/unauthorized
    ErrorDocument 500 /login/gssapi/failed
 </Location>
 {% if env == "staging" %}
 LoadModule intercept_form_submit_module modules/mod_intercept_form_submit.so
 LoadModule authnz_pam_module modules/mod_authnz_pam.so
 <Location /login/form>
  InterceptFormPAMService ipsilon
  InterceptFormLogin login_name
  InterceptFormPassword login_password
  # InterceptFormLoginSkip admin
  # InterceptFormClearRemoteUserForSkipped on
  InterceptFormPasswordRedact on
 </Location>
 <Directory "/var/cache/ipsilon">
  SetHandler None
  AllowOverride None
  <IfModule mod_authz_core.c>
    Require all granted
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order Allow,Deny
    Allow from All
  </IfModule>
 </Directory>
 {% endif %}
--- a/roles/ipsilon/templates/ipsilon.conf
+++ b/roles/ipsilon/templates/ipsilon.conf
@ -4,17 +4,12 @@ tools.log_request_response.on = False
 theme_dir = "/usr/share/ipsilon/themes/Fedora"
 template_dir = "/usr/share/ipsilon/templates"
 base.dir = "/usr/share/ipsilon"
 {% if env == 'staging' %}
 cache_dir = "/var/cache/ipsilon"
 cleanup_interval = 30
 db.conn.log = False
 db.echo = False
 # base.mount = ""
 admin.config.db = "configfile:///etc/ipsilon/root/configuration.conf"
 {% else %}
 admin.config.db = "configfile:///etc/ipsilon/configuration.conf"
 log.screen = True
 {% endif %}
 user.prefs.db = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_prefs_name }}"
 transactions.db = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_transactions_name }}"
--- a/roles/ipsilon/templates/ipsilon.conf.production
+++ b/roles/ipsilon/templates/ipsilon.conf.production
@ -1,32 +0,0 @@
 [global]
 debug = {{ (env == 'production')|ternary('False', 'True') }}
 tools.log_request_response.on = False
 theme_dir = "/usr/share/ipsilon/themes/Fedora"
 template_dir = "/usr/share/ipsilon/templates"
 base.dir = "/usr/share/ipsilon"
 {% if env == 'staging' %}
 cache_dir = "/var/cache/ipsilon"
 cleanup_interval = 30
 db.conn.log = False
 db.echo = False
 # base.mount = ""
 admin.config.db = "configfile:///etc/ipsilon/root/configuration.conf"
 {% else %}
 admin.config.db = "configfile:///etc/ipsilon/configuration.conf"
 log.screen = True
 {% endif %}
 user.prefs.db = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_prefs_name }}"
 transactions.db = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_transactions_name }}"
 tools.sessions.on = True
 tools.sessions.name = "fedora_ipsilon_session_id"
 tools.sessions.storage_type = "sql"
 tools.sessions.storage_dburi = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_sessions_name }}"
 tools.sessions.timeout = 15
 tools.sessions.httponly = True
 tools.sessions.secure = True
 tools.sessions.locking = 'explicit'
 tools.proxy.on = True
 tools.proxy.base = "https://id{{ env_suffix }}.fedoraproject.org"
--- a/roles/ipsilon/templates/ipsilon.conf.staging
+++ b/roles/ipsilon/templates/ipsilon.conf.staging
@ -1,32 +0,0 @@
 [global]
 debug = {{ (env == 'production')|ternary('False', 'True') }}
 tools.log_request_response.on = False
 theme_dir = "/usr/share/ipsilon/themes/Fedora"
 template_dir = "/usr/share/ipsilon/templates"
 base.dir = "/usr/share/ipsilon"
 {% if env == 'staging' %}
 cache_dir = "/var/cache/ipsilon"
 cleanup_interval = 30
 db.conn.log = False
 db.echo = False
 # base.mount = ""
 admin.config.db = "configfile:///etc/ipsilon/root/configuration.conf"
 {% else %}
 admin.config.db = "configfile:///etc/ipsilon/configuration.conf"
 log.screen = True
 {% endif %}
 user.prefs.db = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_prefs_name }}"
 transactions.db = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_transactions_name }}"
 tools.sessions.on = True
 tools.sessions.name = "fedora_ipsilon_session_id"
 tools.sessions.storage_type = "sql"
 tools.sessions.storage_dburi = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_sessions_name }}"
 tools.sessions.timeout = 15
 tools.sessions.httponly = True
 tools.sessions.secure = True
 tools.sessions.locking = 'explicit'
 tools.proxy.on = True
 tools.proxy.base = "https://id{{ env_suffix }}.fedoraproject.org"