diff --git a/roles/fas_server/files/ipa.staging.pem b/roles/fas_server/files/ipa.staging.pem
new file mode 100644
index 0000000000..b4f721fcfe
--- /dev/null
+++ b/roles/fas_server/files/ipa.staging.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDsDCCApigAwIBAgIBATANBgkqhkiG9w0BAQsFADBAMR4wHAYDVQQKDBVTVEcu
+RkVET1JBUFJPSkVDVC5PUkcxHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0
+eTAeFw0xNjA4MDQxNzI3NTlaFw0zNjA4MDQxNzI3NTlaMEAxHjAcBgNVBAoMFVNU
+Ry5GRURPUkFQUk9KRUNULk9SRzEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9y
+aXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5HiQvnHPP+3AEJPR
+wlizXKhaxPhwVoO68r9VEcEDUOkRo78LQ0ZLEcwaAZBX64uTeStPd5azU6pEN0Gi
+124djqJZpBs3v9YNsvt+R4Au7SQhAdBu370VcKEKjj79UYc7e70E04ycv3jJP6hi
+7+RD+BeOwPHmMwEUXF2JrKytNOmRCfxoZ7LnQfH80a+YZA1MmpAEGIo8+pRuvGth
+cORUTtyEWsaBgpek6wnPjs7lDQG1LJyi0K2L/YQPYAisZCMBoM/ck5SAHSd4F6+P
+BcHMhQd2DhsxRhIb5Se4Zi8LUxAvkVdRlCsIk+6bdIM9SpzVd9+RtBnE3LOKu1TH
+bxCW2QIDAQABo4G0MIGxMB8GA1UdIwQYMBaAFFfHodJF0pk5OgP9sgMqtPOdOaqC
+MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgHGMB0GA1UdDgQWBBRXx6HS
+RdKZOToD/bIDKrTznTmqgjBOBggrBgEFBQcBAQRCMEAwPgYIKwYBBQUHMAGGMmh0
+dHA6Ly9pcGEwMS5zdGcucGh4Mi5mZWRvcmFwcm9qZWN0Lm9yZzo4MC9jYS9vY3Nw
+MA0GCSqGSIb3DQEBCwUAA4IBAQAnBIll/83TixgIu6JByImWWK7Ew++33heW+rDQ
+GQhol1Bp7Gk4wsLpGLATDI+ur25kREnzPfwXLcptO/5GvMEe8rwwvo1b6zkl5VEq
+vCA5dQimBTKTlTX2JFZze/KkiKa7WKZAopnSQVkPsSnAZXClTbjALXHwdQ0bDEUU
+old29skK0Xvf+WGmE3/SvQmEcueDeDJcV7Jckj45ZuqegklBG6y+fG5ELV0B4u9l
+p0ySWPVoaWSRR+izB8Kq9gCP0a5HsO3u5qJ+HRWr+Md7KboMGX29pQehakvtcnta
+jr+txnKWhel7c7bEwa6JVRFoOO7jcOHEMohPbKl3Ef/n0uCQ
+-----END CERTIFICATE-----
+
diff --git a/roles/fas_server/tasks/main.yml b/roles/fas_server/tasks/main.yml
index 05586d72f6..d50b827772 100644
--- a/roles/fas_server/tasks/main.yml
+++ b/roles/fas_server/tasks/main.yml
@@ -15,6 +15,42 @@
 - packages
 - fas
+- name: install needed packages
+ when: env == "staging"
+ yum: pkg={{ item }} state=installed
+ with_items:
+ - krb5-workstation
+ - python-requests-kerberos
+ tags:
+ - packages
+ - fas
+
+- name: configure krb5
+ when: env == "staging"
+ template: src=krb5.conf dest=/etc/krb5.conf owner=root group=root mode=0644
+ tags:
+ - config
+ - fas
+
+- name: install IPA keytab
+ when: env == "staging"
+ copy: >
+ src="{{ private }}/files/keytabs/{{env}}/fas_sync"
+ dest="/etc/fas_sync_keytab"
+ owner=fas
+ group=fas
+ mode=0600
+ tags:
+ - config
+ - fas
+
+- name: install ipa public cert
+ when: env == "staging"
+ copy: src=ipa.{{env}}.pem dest=/etc/fas_sync_cert.pem owner=root group=root mode=0644
+ tags:
+ - config
+ - fas
+
 - name: enable httpd_can_network_connect selinux boolean
 seboolean: name={{ item }} state=yes persistent=yes
 with_items:
diff --git a/roles/fas_server/templates/fas.cfg.j2 b/roles/fas_server/templates/fas.cfg.j2
index b8162b1997..a828f9e6ce 100644
--- a/roles/fas_server/templates/fas.cfg.j2
+++ b/roles/fas_server/templates/fas.cfg.j2
@@ -57,6 +57,16 @@ country_blacklist = ["--", "A1", "A2", "AN", "AS", "AX", "BI", "BL", "BV", "CC",
 tgcaptcha2.key = '{{ fasCaptchaSecret }}'
 tgcaptcha2.jpeg_generator = 'vanasco_dowty'
+{% if env == "staging" %}
+###
+### IPA Sync settings
+###
+ipa_sync_enabled = True
+ipa_sync_server = ipa01.stg.phx2.fedoraproject.org
+ipa_sync_principal = fas_sync@STG.FEDORAPROJECT.ORG
+ipa_sync_keytab = /etc/fas_sync_keytab
+ipa_sync_certfile = /etc/fas_sync_cert.pem
+{% endif %}
 ###
 ### Administrative settings
 ###
diff --git a/roles/fas_server/templates/krb5.conf.j2 b/roles/fas_server/templates/krb5.conf.j2
new file mode 100644
index 0000000000..d403ab43b1
--- /dev/null
+++ b/roles/fas_server/templates/krb5.conf.j2
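Review bot: The `configure krb5` task references `template: src=krb5.conf`, but the file this commit adds is `templates/krb5.conf.j2`, and Ansible's template module does not append `.j2` on its own; unless a `templates/krb5.conf` already exists in the role (not visible in this diff) the task will fail to locate its source, so it should read `template: src=krb5.conf.j2 dest=/etc/krb5.conf owner=root group=root mode=0644`. The `install ipa public cert` task has a mirror-image coupling: `src=ipa.{{env}}.pem` only resolves because the `when: env == "staging"` guard matches the single `ipa.staging.pem` shipped here, so the guard and the set of pem files must move together when production is wired up. A comment above that task, `# only ipa.staging.pem is shipped; add ipa.<env>.pem before widening the when guard`, would make that dependency explicit. Indentation of the new tasks cannot be judged from this rendering of the hunk.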
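Review bot: The new `ipa_sync_*` string values are unquoted while every neighbouring string value in this file is written as a quoted Python literal (`tgcaptcha2.jpeg_generator = 'vanasco_dowty'`, `tgcaptcha2.key = '{{ fasCaptchaSecret }}'`); if fas.cfg is read with Python-literal value parsing, as that style suggests, a bare `ipa01.stg.phx2.fedoraproject.org`, `fas_sync@STG.FEDORAPROJECT.ORG` or `/etc/fas_sync_keytab` will not parse. Quote them to match the rest of the file, e.g. `ipa_sync_server = 'ipa01.stg.phx2.fedoraproject.org'` and `ipa_sync_principal = 'fas_sync@STG.FEDORAPROJECT.ORG'`, and likewise the two path keys; `ipa_sync_enabled = True` is consistent with that convention as it stands. The IPA server hostname is also hard-coded here and again in krb5.conf.j2, so a single role variable would keep the two from drifting apart.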
@@ -0,0 +1,31 @@
+[logging]
+ default = FILE:/var/log/krb5libs.log
+ kdc = FILE:/var/log/krb5kdc.log
+ admin_server = FILE:/var/log/kadmind.log
+
+[libdefaults]
+{% if env == "production" %}
+ default_realm = FEDORAPROJECT.ORG
+{% else %}
+ default_realm = STG.FEDORAPROJECT.ORG
+{% endif %}
+ dns_lookup_realm = false
+ dns_lookup_kdc = false
+ ticket_lifetime = 24h
+ renew_lifetime = 7d
+ forwardable = true
+
+[realms]
+{% if env == "production" %}
+ FEDORAPROJECT.ORG = {
+ kdc = ipa01.phx2.fedoraproject.org
+ admin_server = ipa01.phx2.fedoraproject.org
+ }
+{% else %}
+ STG.FEDORAPROJECT.ORG = {
+ kdc = ipa01.stg.phx2.fedoraproject.org
+ admin_server = ipa01.stg.phx2.fedoraproject.org
+ }
+{% endif %}
+
+[domain_realm]
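Review bot: `forwardable = true` under `[libdefaults]` makes every initial ticket obtained on this host forwardable by default, which is broader than a keytab-driven sync client needs unless it actually delegates credentials; either drop the line or document the reason above it, e.g. `# forwardable TGTs required by fas_sync: <reason>`. The `{% if env == "production" %}` branches are currently unreachable, because the task installing this template is guarded with `when: env == "staging"`, so the production realm block is untested until that guard is widened; a one-line comment at the top of the template saying so would save the next reader a search. The trailing `[domain_realm]` section is left empty, which works with `dns_lookup_realm = false` and a single `default_realm`, but a comment such as `# intentionally empty: default_realm covers all hosts` would stop someone from "fixing" it.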