diff --git a/inventory/host_vars/db-fas01.iad2.fedoraproject.org b/inventory/host_vars/db-fas01.iad2.fedoraproject.org
index 9511809b56..1311c595a7 100644
--- a/inventory/host_vars/db-fas01.iad2.fedoraproject.org
+++ b/inventory/host_vars/db-fas01.iad2.fedoraproject.org
@@ -36,6 +36,9 @@ custom_rules: [
'-A INPUT -p tcp -m tcp -s 10.3.163.73 --dport 5432 -j ACCEPT',
# noc01 needs to connect to check the db
'-A INPUT -p tcp -m tcp -s 10.3.163.10 --dport 5432 -j ACCEPT',
+ # Ipsilon VMs
+ '-A INPUT -p tcp -m tcp -s 10.3.163.105 --dport 5432 -j ACCEPT',
+ '-A INPUT -p tcp -m tcp -s 10.3.163.106 --dport 5432 -j ACCEPT',
]
#
# Large updates pushes cause lots of db threads doing the tag moves, so up this from default.
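Review bot: The new `# Ipsilon VMs` comment does not say which hosts the two source addresses belong to, unlike the neighbouring `# noc01 needs to connect to check the db` line, so when one of these VMs is retired or renumbered nobody can tell which rule to drop. Name them, e.g. `# Ipsilon VMs: <ipsilon01 hostname> (10.3.163.105), <ipsilon02 hostname> (10.3.163.106)`; the haproxy.cfg hunk in this commit references an `ipsilon02` backend, so these are presumably that pair, but confirm against inventory. Since `custom_rules` is address-based, also note in the comment which environments the pair serves if the one database host backs both staging and production.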
diff --git a/main.yml b/main.yml
index cc2f46780d..fe98bd1b9b 100644
--- a/main.yml
+++ b/main.yml
@@ -40,6 +40,7 @@
- import_playbook: /srv/web/infra/ansible/playbooks/groups/github2fedmsg.yml
- import_playbook: /srv/web/infra/ansible/playbooks/groups/gnome-backups.yml
- import_playbook: /srv/web/infra/ansible/playbooks/groups/ipa.yml
+- import_playbook: /srv/web/infra/ansible/playbooks/groups/ipsilon.yml
- import_playbook: /srv/web/infra/ansible/playbooks/groups/kerneltest.yml
- import_playbook: /srv/web/infra/ansible/playbooks/groups/koji-hub.yml
- import_playbook: /srv/web/infra/ansible/playbooks/groups/kojipkgs.yml
diff --git a/playbooks/groups/ipsilon.yml b/playbooks/groups/ipsilon.yml
index c254db8067..dc27855a82 100644
--- a/playbooks/groups/ipsilon.yml
+++ b/playbooks/groups/ipsilon.yml
@@ -28,14 +28,7 @@
owner_user: apache
owner_group: apache
service: HTTP
- host: "id.stg.fedoraproject.org"
- when: env == "staging"
- - role: keytab/service
- owner_user: apache
- owner_group: apache
- service: HTTP
- host: "id.fedoraproject.org"
- when: env == "production"
+ host: "id{{ env_suffix }}.fedoraproject.org"
pre_tasks:
- import_tasks: "{{ tasks_path }}/yumrepos.yml"
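Review bot: The merged keytab/service entry now depends on `env_suffix` being defined for every env the play runs in, whereas the two removed entries were each gated by `when: env == ...`; with `env_suffix` undefined the template errors, and with any value other than the ones that reproduce `id.stg.fedoraproject.org` / `id.fedoraproject.org` the role requests a keytab for a hostname nothing else expects. Record the contract next to the entry, e.g. `# env_suffix is presumably ".stg" in staging and "" in production; keep in sync with tools.proxy.base in templates/ipsilon.conf`. The role list this entry belongs to starts before the hunk.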
@@ -103,8 +96,7 @@
ipahbacrule:
name: ipsilon
action: member
- host: centos-ipa-client02.stg.iad2.fedoraproject.org
+ host: "{{ (env == 'production')|ternary('ipsilon.iad2.centos.org', 'centos-ipa-client02.stg.iad2.fedoraproject.org') }}"
ipaadmin_password: "{{ ipa_admin_password }}"
tags:
- ipsilon
- when: env == "staging"
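Review bot: Dropping `when: env == "staging"` in favour of the ternary on `host:` makes this task run in every env, and any env whose `env` value is not exactly `production` enrols `centos-ipa-client02.stg.iad2.fedoraproject.org` as a member of the `ipsilon` HBAC rule. The keytab hunk above keys the same staging/production split on `env_suffix`, so the playbook now uses two different switches for one distinction; consider keying both on a single variable. At minimum document the branch: `# HBAC member host: ipsilon.iad2.centos.org in production, the staging CentOS IPA client in every other env`.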
diff --git a/playbooks/include/proxies-reverseproxy.yml b/playbooks/include/proxies-reverseproxy.yml
index 98085cf5a0..eeb54ce409 100644
--- a/playbooks/include/proxies-reverseproxy.yml
+++ b/playbooks/include/proxies-reverseproxy.yml
@@ -223,7 +223,7 @@
proxyurl: http://localhost:10020
keephost: true
tags:
- - id.fedoraproject.org
+ - sso.fedoraproject.org
when: env == "staging"
- role: httpd/reverseproxy
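Review bot: The `when: env == "staging"` on the line after the renamed tag still limits this reverseproxy entry to staging, while the haproxy.cfg hunk in this commit removes the staging gate on `ipsilon-frontend` (port 10020, the `proxyurl` used here). If the intent is to serve production as well, this entry needs the same treatment, otherwise the production frontend is bound with no proxy entry pointing at it; if staging-only is intended, a comment such as `# production is still served by the previous id.fedoraproject.org entry` would stop the next reader from "fixing" it. The reverseproxy entry starts before the hunk, so the hostname it serves is not visible here.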
diff --git a/roles/haproxy/templates/haproxy.cfg b/roles/haproxy/templates/haproxy.cfg
index 84b5708ec1..23c40a76fd 100644
--- a/roles/haproxy/templates/haproxy.cfg
+++ b/roles/haproxy/templates/haproxy.cfg
@@ -264,7 +264,6 @@ backend pps-backend
{% endif %}
-{% if env == "staging" %}
frontend ipsilon-frontend
bind 0.0.0.0:10020
default_backend ipsilon-backend
@@ -276,7 +275,6 @@ backend ipsilon-backend
server ipsilon02 ipsilon02:80 check inter 10s rise 1 fall 2
{% endif %}
option httpchk GET /
-{% endif %}
frontend ipa-frontend
bind 0.0.0.0:10053
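Review bot: Removing the outer gate leaves `ipsilon-frontend` bound on `0.0.0.0:10020` in every env, but the `{% endif %}` just above `option httpchk GET /` closes a server-selection conditional that starts outside the hunk; confirm it yields at least one `server` line in production, otherwise the frontend would be live with an empty backend and answer every request with an error. A one-line comment above `frontend ipsilon-frontend` such as `# served in every env; backend servers are selected per env below` would record why the gate went away.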
diff --git a/roles/ipsilon/tasks/main.yml b/roles/ipsilon/tasks/main.yml
index 13db3964d9..765439c5bb 100644
--- a/roles/ipsilon/tasks/main.yml
+++ b/roles/ipsilon/tasks/main.yml
@@ -152,7 +152,7 @@
- name: copy ipsilon configuration
template:
- src: "ipsilon.conf.{{ env }}"
+ src: "ipsilon.conf"
dest: "/etc/ipsilon/root/ipsilon.conf"
owner: ipsilon
group: ipsilon
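Review bot: The `src:` changes here and in the `copy ipsilon httpd config` hunk below stop referencing the per-env templates, yet `httpd.conf.staging.j2`, `ipsilon.conf.production` and `ipsilon.conf.staging` are kept in this commit and rewritten to the same blobs as the new files (index `db5293aa6b` and `bcb7c3261a` on both sides); only `httpd.conf.production.j2` is deleted. Three byte-identical copies that nothing loads will drift the first time someone edits one of them. Delete the three leftovers now, or at least put `# superseded by httpd.conf.j2 / ipsilon.conf — do not edit` at the top of each until they go.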
@@ -191,7 +191,7 @@
- name: copy ipsilon httpd config
template:
- src: "httpd.conf.{{ env }}.j2"
+ src: "httpd.conf.j2"
dest: /etc/ipsilon/root/idp.conf
tags:
- ipsilon
diff --git a/roles/ipsilon/templates/configmap.yml b/roles/ipsilon/templates/configmap.yml
index 677d61226e..c90aba099e 100644
--- a/roles/ipsilon/templates/configmap.yml
+++ b/roles/ipsilon/templates/configmap.yml
@@ -94,9 +94,9 @@ data:
CoreDumpDirectory /tmp
# Ipsilon stuff
- {{ load_file('httpd.conf.production.j2') | indent() }}
+ {{ load_file('httpd.conf.j2') | indent() }}
ipsilon.conf: |-
- {{ load_file('ipsilon.conf.production') | indent() }}
+ {{ load_file('ipsilon.conf') | indent() }}
configuration.conf: |-
{{ load_file('configuration.conf') | indent() }}
openidc.static.cfg: |-
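Review bot: `ipsilon.conf` embeds `ipsilon_db_pass` in three connection URIs, and this template now inlines it into what the file name suggests is a Kubernetes ConfigMap rather than a Secret; ConfigMaps are readable by anyone who can `get configmaps` in the namespace and are not encrypted at rest by default, so the database password belongs in a Secret mounted alongside. This is pre-existing (the old `ipsilon.conf.production` carried the same URIs), but the switch to the unified template is the moment to move it. Also confirm that `load_file` renders with the same `env` value as the role task does, since the new template branches on `env == 'staging'` where the old production file presumably did not need to.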
diff --git a/roles/ipsilon/templates/httpd.conf.j2 b/roles/ipsilon/templates/httpd.conf.j2
new file mode 100644
index 0000000000..db5293aa6b
--- /dev/null
+++ b/roles/ipsilon/templates/httpd.conf.j2
@@ -0,0 +1,107 @@
+RewriteEngine on
+RewriteRule /.well-known/openid-configuration /openidc/.well-known/openid-configuration [PT]
+#Alias /ui /usr/share/ipsilon/ui
+Alias /ui /usr/share/ipsilon/themes/Fedora
+{% if env == "staging" %}
+Alias /.well-known /var/lib/ipsilon/root/public/well-known
+Alias /cache /var/cache/ipsilon
+Redirect /.well-known/webfinger /webfinger
+{% endif %}
+
+# This is for mapping $username.id.fp.o -> id.fp.o/id/$username
+RewriteEngine on
+RewriteMap lowercase int:tolower
+{% if env == "staging" %}
+RewriteCond ${lowercase:%{SERVER_NAME}} ^[a-z0-9_-]+\.id\.stg\.fedoraproject\.org$
+RewriteRule ^(.+) ${lowercase:%{SERVER_NAME}}$1 [C]
+RewriteRule ^([a-z0-9_-]+)\.id\.stg\.fedoraproject\.org/.* /openid/id/$1/ [PT]
+{% else %}
+RewriteCond ${lowercase:%{SERVER_NAME}} ^[a-z0-9_-]+\.id\.fedoraproject\.org$
+RewriteRule ^(.+) ${lowercase:%{SERVER_NAME}}$1 [C]
+RewriteRule ^([a-z0-9_-]+)\.id\.fedoraproject\.org/.* /openid/id/$1/ [PT]
+{% endif %}
+
+
+WSGIScriptAlias / /usr/libexec/ipsilon
+{% if env == "staging" %}
+WSGIDaemonProcess ipsilon user=ipsilon group=ipsilon home=/var/lib/ipsilon/root display-name=ipsilon processes=2 threads=2 maximum-requests=1000
+WSGISocketPrefix run/wsgi
+{% else %}
+WSGIDaemonProcess ipsilon home=/var/lib/ipsilon processes=2 threads=2 maximum-requests=1000
+WSGISocketPrefix /httpdir/run/wsgi
+WSGIRestrictStdout Off
+WSGIRestrictSignal Off
+{% endif %}
+# This header is required to be passed for OIDC client_secret_basic
+WSGIPassAuthorization On
+# Without this, getting the private key in jwcrypto/jwk.py, line 430, fails
+# Fix from https://github.com/pyca/cryptography/issues/2299#issuecomment-197075190
+WSGIApplicationGroup %{GLOBAL}
+
+
+
+ WSGIProcessGroup ipsilon
+
+
+
+ Require all granted
+
+
+
+ Options +SymLinksIfOwnerMatch
+ Require all granted
+
+
+{% if env == "staging" %}
+
+{% else %}
+
+{% endif %}
+ Require all granted
+
+
+
+ ForceType application/json
+
+
+
+ AuthName "GSSAPI Single Sign On Login"
+{% if env == "staging" %}
+ GssapiCredStore keytab:/etc/httpd/conf/http.keytab
+{% else %}
+ GssapiCredStore keytab:/etc/keytabs/service.keytab
+{% endif %}
+ AuthType GSSAPI
+ # This is off because Apache (and thus mod_auth_gssapi) doesn't know this is proxied over TLS
+ GssapiSSLonly Off
+ GssapiLocalName on
+ Require valid-user
+ ErrorDocument 401 /login/gssapi/unauthorized
+ ErrorDocument 500 /login/gssapi/failed
+
+
+{% if env == "staging" %}
+LoadModule intercept_form_submit_module modules/mod_intercept_form_submit.so
+LoadModule authnz_pam_module modules/mod_authnz_pam.so
+
+
+ InterceptFormPAMService ipsilon
+ InterceptFormLogin login_name
+ InterceptFormPassword login_password
+ # InterceptFormLoginSkip admin
+ # InterceptFormClearRemoteUserForSkipped on
+ InterceptFormPasswordRedact on
+
+
+
+ SetHandler None
+ AllowOverride None
+
+ Require all granted
+
+
+ Order Allow,Deny
+ Allow from All
+
+
+{% endif %}
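Review bot: `Order Allow,Deny` / `Allow from All` near the end of the staging block are Apache 2.2 access-control directives (mod_access_compat) in a file that otherwise uses 2.4 `Require all granted`; on a 2.4 build without the compat module the staging config fails to load, and with it two separate authorization mechanisms apply to the same path and are easy to misread. Replace the pair with `Require all granted` like the other sections. `RewriteEngine on` is also given twice (top of file and under the username-mapping comment); the second is redundant. Keep the existing why-comments on `GssapiSSLonly Off` and `WSGIApplicationGroup`, and add one on the staging-only `GssapiCredStore keytab:/etc/httpd/conf/http.keytab` line saying where that keytab comes from versus `/etc/keytabs/service.keytab` in production.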
diff --git a/roles/ipsilon/templates/httpd.conf.production.j2 b/roles/ipsilon/templates/httpd.conf.production.j2
deleted file mode 100644
index bc5c465870..0000000000
--- a/roles/ipsilon/templates/httpd.conf.production.j2
+++ /dev/null
@@ -1,58 +0,0 @@
-RewriteEngine on
-RewriteRule /.well-known/openid-configuration /openidc/.well-known/openid-configuration [PT]
-
-# This is for mapping $username.id.fp.o -> id.fp.o/id/$username
-RewriteEngine on
-RewriteMap lowercase int:tolower
-{% if env == "staging" %}
-RewriteCond ${lowercase:%{SERVER_NAME}} ^[a-z0-9-]+\.id\.stg\.fedoraproject\.org$
-RewriteRule ^(.+) ${lowercase:%{SERVER_NAME}}$1 [C]
-RewriteRule ^([a-z0-9-]+)\.id\.stg\.fedoraproject\.org/.* /openid/id/$1/ [PT]
-{% else %}
-RewriteCond ${lowercase:%{SERVER_NAME}} ^[a-z0-9-]+\.id\.fedoraproject\.org$
-RewriteRule ^(.+) ${lowercase:%{SERVER_NAME}}$1 [C]
-RewriteRule ^([a-z0-9-]+)\.id\.fedoraproject\.org/.* /openid/id/$1/ [PT]
-{% endif %}
-
-
-Alias /ui /usr/share/ipsilon/themes/Fedora
-WSGIScriptAlias / /usr/libexec/ipsilon
-WSGIPassAuthorization On
-WSGIDaemonProcess ipsilon home=/var/lib/ipsilon processes=2 threads=2 maximum-requests=1000
-WSGIApplicationGroup %{GLOBAL}
-WSGISocketPrefix /httpdir/run/wsgi
-WSGIRestrictStdout Off
-WSGIRestrictSignal Off
-
-
-
- WSGIProcessGroup ipsilon
-
-
-
- AuthName "GSSAPI Single Sign On Login"
- GssapiCredStore keytab:/etc/keytabs/service.keytab
- AuthType GSSAPI
- # This is off because Apache (and thus mod_auth_gssapi) doesn't know this is proxied over TLS
- GssapiSSLonly Off
- GssapiLocalName on
- Require valid-user
- ErrorDocument 401 /login/gssapi/unauthorized
- ErrorDocument 500 /login/gssapi/failed
-
-
-
- Require all granted
-
-
-
- Require all granted
-
-
-
- Require all granted
-
-
-
- ForceType application/json
-
diff --git a/roles/ipsilon/templates/httpd.conf.staging.j2 b/roles/ipsilon/templates/httpd.conf.staging.j2
index d7f6a3992a..db5293aa6b 100644
--- a/roles/ipsilon/templates/httpd.conf.staging.j2
+++ b/roles/ipsilon/templates/httpd.conf.staging.j2
@@ -2,9 +2,11 @@ RewriteEngine on
RewriteRule /.well-known/openid-configuration /openidc/.well-known/openid-configuration [PT]
#Alias /ui /usr/share/ipsilon/ui
Alias /ui /usr/share/ipsilon/themes/Fedora
+{% if env == "staging" %}
Alias /.well-known /var/lib/ipsilon/root/public/well-known
Alias /cache /var/cache/ipsilon
Redirect /.well-known/webfinger /webfinger
+{% endif %}
# This is for mapping $username.id.fp.o -> id.fp.o/id/$username
RewriteEngine on
@@ -21,15 +23,20 @@ RewriteRule ^([a-z0-9_-]+)\.id\.fedoraproject\.org/.* /openid/id/$1/ [PT]
WSGIScriptAlias / /usr/libexec/ipsilon
+{% if env == "staging" %}
WSGIDaemonProcess ipsilon user=ipsilon group=ipsilon home=/var/lib/ipsilon/root display-name=ipsilon processes=2 threads=2 maximum-requests=1000
+WSGISocketPrefix run/wsgi
+{% else %}
+WSGIDaemonProcess ipsilon home=/var/lib/ipsilon processes=2 threads=2 maximum-requests=1000
+WSGISocketPrefix /httpdir/run/wsgi
+WSGIRestrictStdout Off
+WSGIRestrictSignal Off
+{% endif %}
# This header is required to be passed for OIDC client_secret_basic
WSGIPassAuthorization On
# Without this, getting the private key in jwcrypto/jwk.py, line 430, fails
# Fix from https://github.com/pyca/cryptography/issues/2299#issuecomment-197075190
WSGIApplicationGroup %{GLOBAL}
-WSGISocketPrefix run/wsgi
-#WSGIRestrictStdout Off
-#WSGIRestrictSignal Off
@@ -45,7 +52,11 @@ WSGISocketPrefix run/wsgi
Require all granted
+{% if env == "staging" %}
+{% else %}
+
+{% endif %}
Require all granted
@@ -53,6 +64,35 @@ WSGISocketPrefix run/wsgi
ForceType application/json
+
+ AuthName "GSSAPI Single Sign On Login"
+{% if env == "staging" %}
+ GssapiCredStore keytab:/etc/httpd/conf/http.keytab
+{% else %}
+ GssapiCredStore keytab:/etc/keytabs/service.keytab
+{% endif %}
+ AuthType GSSAPI
+ # This is off because Apache (and thus mod_auth_gssapi) doesn't know this is proxied over TLS
+ GssapiSSLonly Off
+ GssapiLocalName on
+ Require valid-user
+ ErrorDocument 401 /login/gssapi/unauthorized
+ ErrorDocument 500 /login/gssapi/failed
+
+
+{% if env == "staging" %}
+LoadModule intercept_form_submit_module modules/mod_intercept_form_submit.so
+LoadModule authnz_pam_module modules/mod_authnz_pam.so
+
+
+ InterceptFormPAMService ipsilon
+ InterceptFormLogin login_name
+ InterceptFormPassword login_password
+ # InterceptFormLoginSkip admin
+ # InterceptFormClearRemoteUserForSkipped on
+ InterceptFormPasswordRedact on
+
+
SetHandler None
AllowOverride None
@@ -64,28 +104,4 @@ WSGISocketPrefix run/wsgi
Allow from All
-
-
- AuthName "GSSAPI Single Sign On Login"
- #GssapiCredStore keytab:/etc/keytabs/service.keytab
- GssapiCredStore keytab:/etc/httpd/conf/http.keytab
- AuthType GSSAPI
- # This is off because Apache (and thus mod_auth_gssapi) doesn't know this is proxied over TLS
- GssapiSSLonly Off
- GssapiLocalName on
- Require valid-user
- ErrorDocument 401 /login/gssapi/unauthorized
- ErrorDocument 500 /login/gssapi/failed
-
-
-LoadModule intercept_form_submit_module modules/mod_intercept_form_submit.so
-LoadModule authnz_pam_module modules/mod_authnz_pam.so
-
-
- InterceptFormPAMService ipsilon
- InterceptFormLogin login_name
- InterceptFormPassword login_password
- # InterceptFormLoginSkip admin
- # InterceptFormClearRemoteUserForSkipped on
- InterceptFormPasswordRedact on
-
+{% endif %}
diff --git a/roles/ipsilon/templates/ipsilon.conf b/roles/ipsilon/templates/ipsilon.conf
new file mode 100644
index 0000000000..bcb7c3261a
--- /dev/null
+++ b/roles/ipsilon/templates/ipsilon.conf
@@ -0,0 +1,32 @@
+[global]
+debug = {{ (env == 'production')|ternary('False', 'True') }}
+tools.log_request_response.on = False
+theme_dir = "/usr/share/ipsilon/themes/Fedora"
+template_dir = "/usr/share/ipsilon/templates"
+base.dir = "/usr/share/ipsilon"
+{% if env == 'staging' %}
+cache_dir = "/var/cache/ipsilon"
+cleanup_interval = 30
+db.conn.log = False
+db.echo = False
+# base.mount = ""
+admin.config.db = "configfile:///etc/ipsilon/root/configuration.conf"
+{% else %}
+admin.config.db = "configfile:///etc/ipsilon/configuration.conf"
+log.screen = True
+{% endif %}
+user.prefs.db = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_prefs_name }}"
+transactions.db = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_transactions_name }}"
+
+tools.sessions.on = True
+tools.sessions.name = "fedora_ipsilon_session_id"
+tools.sessions.storage_type = "sql"
+tools.sessions.storage_dburi = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_sessions_name }}"
+tools.sessions.timeout = 15
+tools.sessions.httponly = True
+tools.sessions.secure = True
+tools.sessions.locking = 'explicit'
+
+tools.proxy.on = True
+tools.proxy.base = "https://id{{ env_suffix }}.fedoraproject.org"
+
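Review bot: The file's two environment switches disagree: `debug` is on for every env except `production`, while the config-path block treats every env except `staging` as production, so a third `env` value would get the production `admin.config.db` path with `debug = True` and no `cache_dir`. Key both on the same test, e.g. `{% if env != 'production' %}` for the block if production is the only non-debug environment. The rendered file carries the DB password in three URIs; the copy task in tasks/main.yml sets owner/group `ipsilon` but its `mode:` is outside that hunk, so confirm it is restrictive (`0600` or similar). The trailing empty line at the end of the file is harmless but unneeded.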
diff --git a/roles/ipsilon/templates/ipsilon.conf.production b/roles/ipsilon/templates/ipsilon.conf.production
index 79325e4ab4..bcb7c3261a 100644
--- a/roles/ipsilon/templates/ipsilon.conf.production
+++ b/roles/ipsilon/templates/ipsilon.conf.production
@@ -3,13 +3,17 @@ debug = {{ (env == 'production')|ternary('False', 'True') }}
tools.log_request_response.on = False
theme_dir = "/usr/share/ipsilon/themes/Fedora"
template_dir = "/usr/share/ipsilon/templates"
-
-log.screen = True
base.dir = "/usr/share/ipsilon"
{% if env == 'staging' %}
+cache_dir = "/var/cache/ipsilon"
+cleanup_interval = 30
+db.conn.log = False
+db.echo = False
+# base.mount = ""
admin.config.db = "configfile:///etc/ipsilon/root/configuration.conf"
{% else %}
admin.config.db = "configfile:///etc/ipsilon/configuration.conf"
+log.screen = True
{% endif %}
user.prefs.db = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_prefs_name }}"
transactions.db = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_transactions_name }}"
diff --git a/roles/ipsilon/templates/ipsilon.conf.staging b/roles/ipsilon/templates/ipsilon.conf.staging
index f80a4311ed..bcb7c3261a 100644
--- a/roles/ipsilon/templates/ipsilon.conf.staging
+++ b/roles/ipsilon/templates/ipsilon.conf.staging
@@ -1,16 +1,20 @@
[global]
debug = {{ (env == 'production')|ternary('False', 'True') }}
tools.log_request_response.on = False
-template_dir = "/usr/share/ipsilon/templates"
theme_dir = "/usr/share/ipsilon/themes/Fedora"
+template_dir = "/usr/share/ipsilon/templates"
+base.dir = "/usr/share/ipsilon"
+{% if env == 'staging' %}
cache_dir = "/var/cache/ipsilon"
cleanup_interval = 30
db.conn.log = False
db.echo = False
-
# base.mount = ""
-base.dir = "/usr/share/ipsilon"
admin.config.db = "configfile:///etc/ipsilon/root/configuration.conf"
+{% else %}
+admin.config.db = "configfile:///etc/ipsilon/configuration.conf"
+log.screen = True
+{% endif %}
user.prefs.db = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_prefs_name }}"
transactions.db = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_transactions_name }}"