Infrastructure/ansible
1
0
Fork 0
Code Issues Pull requests 6 Projects Releases Packages Wiki Activity Actions

Use a VM for Ipsilon in prod too

Browse source 
Signed-off-by: Aurélien Bompard <aurelien@bompard.org>
This commit is contained in:
Aurélien Bompard 2021-03-22 17:07:45 +01:00 committed by smooge
parent d52393624d
commit b8e6754f97
13 changed files with 207 additions and 108 deletions
Download patch file Download diff file Expand all files Collapse all files

3
inventory/host_vars/db-fas01.iad2.fedoraproject.org
View file

@ -36,6 +36,9 @@ custom_rules: [
'-A INPUT -p tcp -m tcp -s 10.3.163.73 --dport 5432 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.3.163.73 --dport 5432 -j ACCEPT',
# noc01 needs to connect to check the db # noc01 needs to connect to check the db
'-A INPUT -p tcp -m tcp -s 10.3.163.10 --dport 5432 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.3.163.10 --dport 5432 -j ACCEPT',
# Ipsilon VMs
'-A INPUT -p tcp -m tcp -s 10.3.163.105 --dport 5432 -j ACCEPT',
'-A INPUT -p tcp -m tcp -s 10.3.163.106 --dport 5432 -j ACCEPT',
] ]
# #
# Large updates pushes cause lots of db threads doing the tag moves, so up this from default. # Large updates pushes cause lots of db threads doing the tag moves, so up this from default.

1
main.yml
View file

@ -40,6 +40,7 @@
- import_playbook: /srv/web/infra/ansible/playbooks/groups/github2fedmsg.yml - import_playbook: /srv/web/infra/ansible/playbooks/groups/github2fedmsg.yml
- import_playbook: /srv/web/infra/ansible/playbooks/groups/gnome-backups.yml - import_playbook: /srv/web/infra/ansible/playbooks/groups/gnome-backups.yml
- import_playbook: /srv/web/infra/ansible/playbooks/groups/ipa.yml - import_playbook: /srv/web/infra/ansible/playbooks/groups/ipa.yml
- import_playbook: /srv/web/infra/ansible/playbooks/groups/ipsilon.yml
- import_playbook: /srv/web/infra/ansible/playbooks/groups/kerneltest.yml - import_playbook: /srv/web/infra/ansible/playbooks/groups/kerneltest.yml
- import_playbook: /srv/web/infra/ansible/playbooks/groups/koji-hub.yml - import_playbook: /srv/web/infra/ansible/playbooks/groups/koji-hub.yml
- import_playbook: /srv/web/infra/ansible/playbooks/groups/kojipkgs.yml - import_playbook: /srv/web/infra/ansible/playbooks/groups/kojipkgs.yml

12
playbooks/groups/ipsilon.yml
View file

@ -28,14 +28,7 @@
owner_user: apache owner_user: apache
owner_group: apache owner_group: apache
service: HTTP service: HTTP
host: "id.stg.fedoraproject.org" host: "id{{ env_suffix }}.fedoraproject.org"
when: env == "staging"
- role: keytab/service
owner_user: apache
owner_group: apache
service: HTTP
host: "id.fedoraproject.org"
when: env == "production"
pre_tasks: pre_tasks:
- import_tasks: "{{ tasks_path }}/yumrepos.yml" - import_tasks: "{{ tasks_path }}/yumrepos.yml"
@ -103,8 +96,7 @@
ipahbacrule: ipahbacrule:
name: ipsilon name: ipsilon
action: member action: member
host: centos-ipa-client02.stg.iad2.fedoraproject.org host: "{{ (env == 'production')|ternary('ipsilon.iad2.centos.org', 'centos-ipa-client02.stg.iad2.fedoraproject.org') }}"
ipaadmin_password: "{{ ipa_admin_password }}" ipaadmin_password: "{{ ipa_admin_password }}"
tags: tags:
- ipsilon - ipsilon
when: env == "staging"

2
playbooks/include/proxies-reverseproxy.yml
View file

@ -223,7 +223,7 @@
proxyurl: http://localhost:10020 proxyurl: http://localhost:10020
keephost: true keephost: true
tags: tags:
- id.fedoraproject.org - sso.fedoraproject.org
when: env == "staging" when: env == "staging"
- role: httpd/reverseproxy - role: httpd/reverseproxy

2
roles/haproxy/templates/haproxy.cfg
View file

@ -264,7 +264,6 @@ backend pps-backend
{% endif %} {% endif %}
{% if env == "staging" %}
frontend ipsilon-frontend frontend ipsilon-frontend
bind 0.0.0.0:10020 bind 0.0.0.0:10020
default_backend ipsilon-backend default_backend ipsilon-backend
@ -276,7 +275,6 @@ backend ipsilon-backend
server ipsilon02 ipsilon02:80 check inter 10s rise 1 fall 2 server ipsilon02 ipsilon02:80 check inter 10s rise 1 fall 2
{% endif %} {% endif %}
option httpchk GET / option httpchk GET /
{% endif %}
frontend ipa-frontend frontend ipa-frontend
bind 0.0.0.0:10053 bind 0.0.0.0:10053

4
roles/ipsilon/tasks/main.yml
View file

@ -152,7 +152,7 @@
- name: copy ipsilon configuration - name: copy ipsilon configuration
template: template:
src: "ipsilon.conf.{{ env }}" src: "ipsilon.conf"
dest: "/etc/ipsilon/root/ipsilon.conf" dest: "/etc/ipsilon/root/ipsilon.conf"
owner: ipsilon owner: ipsilon
group: ipsilon group: ipsilon
@ -191,7 +191,7 @@
- name: copy ipsilon httpd config - name: copy ipsilon httpd config
template: template:
src: "httpd.conf.{{ env }}.j2" src: "httpd.conf.j2"
dest: /etc/ipsilon/root/idp.conf dest: /etc/ipsilon/root/idp.conf
tags: tags:
- ipsilon - ipsilon

4
roles/ipsilon/templates/configmap.yml
View file

@ -94,9 +94,9 @@ data:
CoreDumpDirectory /tmp CoreDumpDirectory /tmp
# Ipsilon stuff # Ipsilon stuff
{{ load_file('httpd.conf.production.j2') | indent() }} {{ load_file('httpd.conf.j2') | indent() }}
ipsilon.conf: |- ipsilon.conf: |-
{{ load_file('ipsilon.conf.production') | indent() }} {{ load_file('ipsilon.conf') | indent() }}
configuration.conf: |- configuration.conf: |-
{{ load_file('configuration.conf') | indent() }} {{ load_file('configuration.conf') | indent() }}
openidc.static.cfg: |- openidc.static.cfg: |-

107
roles/ipsilon/templates/httpd.conf.j2 Normal file
View file

@ -0,0 +1,107 @@
RewriteEngine on
RewriteRule /.well-known/openid-configuration /openidc/.well-known/openid-configuration [PT]
#Alias /ui /usr/share/ipsilon/ui
Alias /ui /usr/share/ipsilon/themes/Fedora
{% if env == "staging" %}
Alias /.well-known /var/lib/ipsilon/root/public/well-known
Alias /cache /var/cache/ipsilon
Redirect /.well-known/webfinger /webfinger
{% endif %}
# This is for mapping $username.id.fp.o -> id.fp.o/id/$username
RewriteEngine on
RewriteMap lowercase int:tolower
{% if env == "staging" %}
RewriteCond ${lowercase:%{SERVER_NAME}} ^[a-z0-9_-]+\.id\.stg\.fedoraproject\.org$
RewriteRule ^(.+) ${lowercase:%{SERVER_NAME}}$1 [C]
RewriteRule ^([a-z0-9_-]+)\.id\.stg\.fedoraproject\.org/.* /openid/id/$1/ [PT]
{% else %}
RewriteCond ${lowercase:%{SERVER_NAME}} ^[a-z0-9_-]+\.id\.fedoraproject\.org$
RewriteRule ^(.+) ${lowercase:%{SERVER_NAME}}$1 [C]
RewriteRule ^([a-z0-9_-]+)\.id\.fedoraproject\.org/.* /openid/id/$1/ [PT]
{% endif %}
WSGIScriptAlias / /usr/libexec/ipsilon
{% if env == "staging" %}
WSGIDaemonProcess ipsilon user=ipsilon group=ipsilon home=/var/lib/ipsilon/root display-name=ipsilon processes=2 threads=2 maximum-requests=1000
WSGISocketPrefix run/wsgi
{% else %}
WSGIDaemonProcess ipsilon home=/var/lib/ipsilon processes=2 threads=2 maximum-requests=1000
WSGISocketPrefix /httpdir/run/wsgi
WSGIRestrictStdout Off
WSGIRestrictSignal Off
{% endif %}
# This header is required to be passed for OIDC client_secret_basic
WSGIPassAuthorization On
# Without this, getting the private key in jwcrypto/jwk.py, line 430, fails
# Fix from https://github.com/pyca/cryptography/issues/2299#issuecomment-197075190
WSGIApplicationGroup %{GLOBAL}
<Location />
WSGIProcessGroup ipsilon
</Location>
<Directory /usr/libexec>
Require all granted
</Directory>
<Directory /usr/share/ipsilon>
Options +SymLinksIfOwnerMatch
Require all granted
</Directory>
{% if env == "staging" %}
<Directory /var/lib/ipsilon/root/public/well-known>
{% else %}
<Directory /etc/ipsilon/wellknown>
{% endif %}
Require all granted
</Directory>
<Location /.well-known/browserid>
ForceType application/json
</Location>
<Location /login/gssapi/negotiate>
AuthName "GSSAPI Single Sign On Login"
{% if env == "staging" %}
GssapiCredStore keytab:/etc/httpd/conf/http.keytab
{% else %}
GssapiCredStore keytab:/etc/keytabs/service.keytab
{% endif %}
AuthType GSSAPI
# This is off because Apache (and thus mod_auth_gssapi) doesn't know this is proxied over TLS
GssapiSSLonly Off
GssapiLocalName on
Require valid-user
ErrorDocument 401 /login/gssapi/unauthorized
ErrorDocument 500 /login/gssapi/failed
</Location>
{% if env == "staging" %}
LoadModule intercept_form_submit_module modules/mod_intercept_form_submit.so
LoadModule authnz_pam_module modules/mod_authnz_pam.so
<Location /login/form>
InterceptFormPAMService ipsilon
InterceptFormLogin login_name
InterceptFormPassword login_password
# InterceptFormLoginSkip admin
# InterceptFormClearRemoteUserForSkipped on
InterceptFormPasswordRedact on
</Location>
<Directory "/var/cache/ipsilon">
SetHandler None
AllowOverride None
<IfModule mod_authz_core.c>
Require all granted
</IfModule>
<IfModule !mod_authz_core.c>
Order Allow,Deny
Allow from All
</IfModule>
</Directory>
{% endif %}

58
roles/ipsilon/templates/httpd.conf.production.j2
View file

@ -1,58 +0,0 @@
RewriteEngine on
RewriteRule /.well-known/openid-configuration /openidc/.well-known/openid-configuration [PT]
# This is for mapping $username.id.fp.o -> id.fp.o/id/$username
RewriteEngine on
RewriteMap lowercase int:tolower
{% if env == "staging" %}
RewriteCond ${lowercase:%{SERVER_NAME}} ^[a-z0-9-]+\.id\.stg\.fedoraproject\.org$
RewriteRule ^(.+) ${lowercase:%{SERVER_NAME}}$1 [C]
RewriteRule ^([a-z0-9-]+)\.id\.stg\.fedoraproject\.org/.* /openid/id/$1/ [PT]
{% else %}
RewriteCond ${lowercase:%{SERVER_NAME}} ^[a-z0-9-]+\.id\.fedoraproject\.org$
RewriteRule ^(.+) ${lowercase:%{SERVER_NAME}}$1 [C]
RewriteRule ^([a-z0-9-]+)\.id\.fedoraproject\.org/.* /openid/id/$1/ [PT]
{% endif %}
Alias /ui /usr/share/ipsilon/themes/Fedora
WSGIScriptAlias / /usr/libexec/ipsilon
WSGIPassAuthorization On
WSGIDaemonProcess ipsilon home=/var/lib/ipsilon processes=2 threads=2 maximum-requests=1000
WSGIApplicationGroup %{GLOBAL}
WSGISocketPrefix /httpdir/run/wsgi
WSGIRestrictStdout Off
WSGIRestrictSignal Off
<Location />
WSGIProcessGroup ipsilon
</Location>
<Location /login/gssapi/negotiate>
AuthName "GSSAPI Single Sign On Login"
GssapiCredStore keytab:/etc/keytabs/service.keytab
AuthType GSSAPI
# This is off because Apache (and thus mod_auth_gssapi) doesn't know this is proxied over TLS
GssapiSSLonly Off
GssapiLocalName on
Require valid-user
ErrorDocument 401 /login/gssapi/unauthorized
ErrorDocument 500 /login/gssapi/failed
</Location>
<Directory /usr/libexec>
Require all granted
</Directory>
<Directory /usr/share/ipsilon>
Require all granted
</Directory>
<Directory /etc/ipsilon/wellknown>
Require all granted
</Directory>
<Location /.well-known/browserid>
ForceType application/json
</Location>

72
roles/ipsilon/templates/httpd.conf.staging.j2
View file

@ -2,9 +2,11 @@ RewriteEngine on
RewriteRule /.well-known/openid-configuration /openidc/.well-known/openid-configuration [PT] RewriteRule /.well-known/openid-configuration /openidc/.well-known/openid-configuration [PT]
#Alias /ui /usr/share/ipsilon/ui #Alias /ui /usr/share/ipsilon/ui
Alias /ui /usr/share/ipsilon/themes/Fedora Alias /ui /usr/share/ipsilon/themes/Fedora
{% if env == "staging" %}
Alias /.well-known /var/lib/ipsilon/root/public/well-known Alias /.well-known /var/lib/ipsilon/root/public/well-known
Alias /cache /var/cache/ipsilon Alias /cache /var/cache/ipsilon
Redirect /.well-known/webfinger /webfinger Redirect /.well-known/webfinger /webfinger
{% endif %}
# This is for mapping $username.id.fp.o -> id.fp.o/id/$username # This is for mapping $username.id.fp.o -> id.fp.o/id/$username
RewriteEngine on RewriteEngine on
@ -21,15 +23,20 @@ RewriteRule ^([a-z0-9_-]+)\.id\.fedoraproject\.org/.* /openid/id/$1/ [PT]
WSGIScriptAlias / /usr/libexec/ipsilon WSGIScriptAlias / /usr/libexec/ipsilon
{% if env == "staging" %}
WSGIDaemonProcess ipsilon user=ipsilon group=ipsilon home=/var/lib/ipsilon/root display-name=ipsilon processes=2 threads=2 maximum-requests=1000 WSGIDaemonProcess ipsilon user=ipsilon group=ipsilon home=/var/lib/ipsilon/root display-name=ipsilon processes=2 threads=2 maximum-requests=1000
WSGISocketPrefix run/wsgi
{% else %}
WSGIDaemonProcess ipsilon home=/var/lib/ipsilon processes=2 threads=2 maximum-requests=1000
WSGISocketPrefix /httpdir/run/wsgi
WSGIRestrictStdout Off
WSGIRestrictSignal Off
{% endif %}
# This header is required to be passed for OIDC client_secret_basic # This header is required to be passed for OIDC client_secret_basic
WSGIPassAuthorization On WSGIPassAuthorization On
# Without this, getting the private key in jwcrypto/jwk.py, line 430, fails # Without this, getting the private key in jwcrypto/jwk.py, line 430, fails
# Fix from https://github.com/pyca/cryptography/issues/2299#issuecomment-197075190 # Fix from https://github.com/pyca/cryptography/issues/2299#issuecomment-197075190
WSGIApplicationGroup %{GLOBAL} WSGIApplicationGroup %{GLOBAL}
WSGISocketPrefix run/wsgi
#WSGIRestrictStdout Off
#WSGIRestrictSignal Off
<Location /> <Location />
@ -45,7 +52,11 @@ WSGISocketPrefix run/wsgi
Require all granted Require all granted
</Directory> </Directory>
{% if env == "staging" %}
<Directory /var/lib/ipsilon/root/public/well-known> <Directory /var/lib/ipsilon/root/public/well-known>
{% else %}
<Directory /etc/ipsilon/wellknown>
{% endif %}
Require all granted Require all granted
</Directory> </Directory>
@ -53,6 +64,35 @@ WSGISocketPrefix run/wsgi
ForceType application/json ForceType application/json
</Location> </Location>
<Location /login/gssapi/negotiate>
AuthName "GSSAPI Single Sign On Login"
{% if env == "staging" %}
GssapiCredStore keytab:/etc/httpd/conf/http.keytab
{% else %}
GssapiCredStore keytab:/etc/keytabs/service.keytab
{% endif %}
AuthType GSSAPI
# This is off because Apache (and thus mod_auth_gssapi) doesn't know this is proxied over TLS
GssapiSSLonly Off
GssapiLocalName on
Require valid-user
ErrorDocument 401 /login/gssapi/unauthorized
ErrorDocument 500 /login/gssapi/failed
</Location>
{% if env == "staging" %}
LoadModule intercept_form_submit_module modules/mod_intercept_form_submit.so
LoadModule authnz_pam_module modules/mod_authnz_pam.so
<Location /login/form>
InterceptFormPAMService ipsilon
InterceptFormLogin login_name
InterceptFormPassword login_password
# InterceptFormLoginSkip admin
# InterceptFormClearRemoteUserForSkipped on
InterceptFormPasswordRedact on
</Location>
<Directory "/var/cache/ipsilon"> <Directory "/var/cache/ipsilon">
SetHandler None SetHandler None
AllowOverride None AllowOverride None
@ -64,28 +104,4 @@ WSGISocketPrefix run/wsgi
Allow from All Allow from All
</IfModule> </IfModule>
</Directory> </Directory>
{% endif %}
<Location /login/gssapi/negotiate>
AuthName "GSSAPI Single Sign On Login"
#GssapiCredStore keytab:/etc/keytabs/service.keytab
GssapiCredStore keytab:/etc/httpd/conf/http.keytab
AuthType GSSAPI
# This is off because Apache (and thus mod_auth_gssapi) doesn't know this is proxied over TLS
GssapiSSLonly Off
GssapiLocalName on
Require valid-user
ErrorDocument 401 /login/gssapi/unauthorized
ErrorDocument 500 /login/gssapi/failed
</Location>
LoadModule intercept_form_submit_module modules/mod_intercept_form_submit.so
LoadModule authnz_pam_module modules/mod_authnz_pam.so
<Location /login/form>
InterceptFormPAMService ipsilon
InterceptFormLogin login_name
InterceptFormPassword login_password
# InterceptFormLoginSkip admin
# InterceptFormClearRemoteUserForSkipped on
InterceptFormPasswordRedact on
</Location>

32
roles/ipsilon/templates/ipsilon.conf Normal file
View file

@ -0,0 +1,32 @@
[global]
debug = {{ (env == 'production')|ternary('False', 'True') }}
tools.log_request_response.on = False
theme_dir = "/usr/share/ipsilon/themes/Fedora"
template_dir = "/usr/share/ipsilon/templates"
base.dir = "/usr/share/ipsilon"
{% if env == 'staging' %}
cache_dir = "/var/cache/ipsilon"
cleanup_interval = 30
db.conn.log = False
db.echo = False
# base.mount = ""
admin.config.db = "configfile:///etc/ipsilon/root/configuration.conf"
{% else %}
admin.config.db = "configfile:///etc/ipsilon/configuration.conf"
log.screen = True
{% endif %}
user.prefs.db = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_prefs_name }}"
transactions.db = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_transactions_name }}"
tools.sessions.on = True
tools.sessions.name = "fedora_ipsilon_session_id"
tools.sessions.storage_type = "sql"
tools.sessions.storage_dburi = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_sessions_name }}"
tools.sessions.timeout = 15
tools.sessions.httponly = True
tools.sessions.secure = True
tools.sessions.locking = 'explicit'
tools.proxy.on = True
tools.proxy.base = "https://id{{ env_suffix }}.fedoraproject.org"

8
roles/ipsilon/templates/ipsilon.conf.production
View file

@ -3,13 +3,17 @@ debug = {{ (env == 'production')|ternary('False', 'True') }}
tools.log_request_response.on = False tools.log_request_response.on = False
theme_dir = "/usr/share/ipsilon/themes/Fedora" theme_dir = "/usr/share/ipsilon/themes/Fedora"
template_dir = "/usr/share/ipsilon/templates" template_dir = "/usr/share/ipsilon/templates"
log.screen = True
base.dir = "/usr/share/ipsilon" base.dir = "/usr/share/ipsilon"
{% if env == 'staging' %} {% if env == 'staging' %}
cache_dir = "/var/cache/ipsilon"
cleanup_interval = 30
db.conn.log = False
db.echo = False
# base.mount = ""
admin.config.db = "configfile:///etc/ipsilon/root/configuration.conf" admin.config.db = "configfile:///etc/ipsilon/root/configuration.conf"
{% else %} {% else %}
admin.config.db = "configfile:///etc/ipsilon/configuration.conf" admin.config.db = "configfile:///etc/ipsilon/configuration.conf"
log.screen = True
{% endif %} {% endif %}
user.prefs.db = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_prefs_name }}" user.prefs.db = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_prefs_name }}"
transactions.db = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_transactions_name }}" transactions.db = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_transactions_name }}"

10
roles/ipsilon/templates/ipsilon.conf.staging
View file

@ -1,16 +1,20 @@
[global] [global]
debug = {{ (env == 'production')|ternary('False', 'True') }} debug = {{ (env == 'production')|ternary('False', 'True') }}
tools.log_request_response.on = False tools.log_request_response.on = False
template_dir = "/usr/share/ipsilon/templates"
theme_dir = "/usr/share/ipsilon/themes/Fedora" theme_dir = "/usr/share/ipsilon/themes/Fedora"
template_dir = "/usr/share/ipsilon/templates"
base.dir = "/usr/share/ipsilon"
{% if env == 'staging' %}
cache_dir = "/var/cache/ipsilon" cache_dir = "/var/cache/ipsilon"
cleanup_interval = 30 cleanup_interval = 30
db.conn.log = False db.conn.log = False
db.echo = False db.echo = False
# base.mount = "" # base.mount = ""
base.dir = "/usr/share/ipsilon"
admin.config.db = "configfile:///etc/ipsilon/root/configuration.conf" admin.config.db = "configfile:///etc/ipsilon/root/configuration.conf"
{% else %}
admin.config.db = "configfile:///etc/ipsilon/configuration.conf"
log.screen = True
{% endif %}
user.prefs.db = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_prefs_name }}" user.prefs.db = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_prefs_name }}"
transactions.db = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_transactions_name }}" transactions.db = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_transactions_name }}"