Add fedoauth

2014-02-09 18:14:16 +00:00 · 2014-02-09 18:14:16 +00:00 · faaa683e40
commit faaa683e40
parent aa91fc61bb
4 changed files with 193 additions and 0 deletions
--- a/files/hosts/fedoauth01.stg.phx2.fedoraproject.org-hosts
+++ b/files/hosts/fedoauth01.stg.phx2.fedoraproject.org-hosts
@ -0,0 +1,11 @@
+127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
+::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
+
+10.5.126.89     admin.fedoraproject.org
+10.5.126.88     proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy01 proxy02 proxy03 proxy04 fedoraproject.org
+10.5.126.86     fas01.phx2.fedoraproject.org fas1 fas2 fas01 fas02 fas03 fas-all
+10.5.126.23     infrastructure.fedoraproject.org
+
+10.5.126.81     memcached03 memcached03.stg app01 app01.stg
+
+10.5.126.85     fedoauth_db
--- a/playbooks/groups/fedoauth.yml
+++ b/playbooks/groups/fedoauth.yml
@ -0,0 +1,70 @@
+# create a new FedOAuth server
+# NOTE: should be used with --limit most of the time
+# NOTE: make sure there is room/space for this server on the vmhost
+# NOTE: most of these vars_path come from group_vars/fedoauth* or from hostvars
+
+- name: make fedoauth
+  hosts: fedoauth-stg
+  user: root
+  gather_facts: False
+
+  vars_files: 
+   - /srv/web/infra/ansible/vars/global.yml
+   - "{{ private }}/vars.yml"
+   - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+  tasks:
+  - include: "{{ tasks }}/virt_instance_create.yml"
+  - include: "{{ tasks }}/accelerate_prep.yml"
+
+  handlers:
+  - include: "{{ handlers }}/restart_services.yml"
+
+- name: make the box be real
+  hosts: fedoauth-stg
+  user: root
+  gather_facts: True
+  accelerate: True
+
+  vars_files: 
+   - /srv/web/infra/ansible/vars/global.yml
+   - "{{ private }}/vars.yml"
+   - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+  roles:
+  - base
+  - rkhunter
+  - denyhosts
+  - nagios_client
+  - fas_client
+
+  tasks:
+  - include: "{{ tasks }}/hosts.yml"
+  - include: "{{ tasks }}/yumrepos.yml"
+  - include: "{{ tasks }}/2fa_client.yml"
+  - include: "{{ tasks }}/motd.yml"
+  - include: "{{ tasks }}/sudo.yml"
+  - include: "{{ tasks }}/openvpn_client.yml"
+    when: env != "staging"
+  - include: "{{ tasks }}/apache.yml"
+  - include: "{{ tasks }}/mod_wsgi.yml"
+
+  handlers:
+  - include: "{{ handlers }}/restart_services.yml"
+
+- name: deploy fedoauth itself
+  hosts: fedoauth-stg
+  user: root
+  gather_facts: True
+  accelerate: True
+
+  vars_files:
+   - /srv/web/infra/ansible/vars/global.yml
+   - "{{ private }}/vars.yml"
+   - "{{ vars_path }}/{{ ansible_distribution }}.yml"
+
+  roles:
+  - fedoauth
+
+  handlers:
+  - include: "{{ handlers }}/restart_services.yml"
--- a/roles/fedoauth/tasks/main.yml
+++ b/roles/fedoauth/tasks/main.yml
@ -0,0 +1,61 @@
+---
+# Configuration for the fedoauth webapp
+
+- name: clean yum metadata
+  command: yum clean all
+  tags:
+  - packages
+
+- name: install needed packages
+  yum: pkg={{ item }} state=installed
+  with_items:
+  - fedoauth
+  - fedoauth-template-fedora
+  - fedoauth-backend-fedora
+  - python-psycopg2
+  - libsemanage-python
+  tags:
+  - packages
+
+- name: copy fedoauth configuration
+  template: src=fedoauth.cfg
+            dest=/etc/fedoauth/fedoauth.cfg
+            owner=apache group=apache mode=0600
+  when: env != "staging"
+  tags:
+  - config
+  notify:
+  - restart apache
+
+- name: copy fedoauth STG configuration
+  template: src=fedoauth.stg.cfg
+            dest=/etc/fedoauth/fedoauth.cfg
+            owner=apache group=apache mode=0600
+  when: env == "staging"
+  tags:
+  - config
+  notify:
+  - restart apache
+
+- name: copy fedoauth private key
+  copy: src={{ private_files }}/fedoauth/persona.key
+  when: env != "staging"
+
+- name: copy fedoauth STG private key
+  copy: src={{ private_files }}/fedoauth/persona.stg.key
+  when: env == "staging"
+
+- name: create the database scheme
+  command: /usr/bin/python2 /usr/share/fedoauth/createdb.py
+  environment:
+      FEDOAUTH_CONFIG: /etc/fedoauth/fedoauth.cfg
+
+- name: set sebooleans so fedoauth can talk to the db
+  action: seboolean name=httpd_can_network_connect_db
+                    state=true
+                    persistent=true
+
+- name: apply selinux type to the wsgi file
+  file: >
+    dest=/usr/share/fedoauth/fedoauth.wsgi
+    setype=httpd_sys_content_t
--- a/roles/fedoauth/templates/fedoauth.stg.cfg
+++ b/roles/fedoauth/templates/fedoauth.stg.cfg
@ -0,0 +1,51 @@
+# Beware that the quotes around the values are mandatory
+
+# GENERAL CONFIGURATION
+### url to the database server:
+SQLALCHEMY_DATABASE_URI="postgresql://{{ fedoauth_db_user }}:{{ fedoauth_db_pass }}@{{ fedoauth_db_host }}/{{ fedoauth_db_name }}"
+#SQLALCHEMY_DATABASE_URI='sqlite:///fedoauth.sqlite'
+#SQLALCHEMY_DATABASE_URI='mysql://user:pass@host/db_name'
+#SQLALCHEMY_DATABASE_URI='postgresql://user:pass@host/db_name'
+
+# This is the OpenID endpoint url, at which the server is available
+WEBSITE_ROOT = 'https://id.stg.fedoraproject.org'
+COOKIE_DOMAIN = 'id.stg.fedoraproject.org'
+COOKIE_SECURE = True
+OPENID_IDENTITY_URL = 'http://%(username)s.id.stg.fedoraproject.org/'
+
+# Modules to use
+AUTH_MODULE='fedoauth.auth.fas.Auth_FAS'
+
+# FAS PROVIDER CONFIGURATION
+FAS_USER_AGENT = 'FAS-OpenID'
+FAS_BASE_URL='https://admin.fedoraproject.org/accounts/'
+FAS_CHECK_CERT=False
+FAS_HTTPS_REQUIRED=False
+
+# Enable a filter to make this only available to a specific list of users
+FAS_AVAILABLE_FILTER = False
+FAS_AVAILABLE_TO = []
+
+# PERSONA CONFIGURATION
+# This is the domain for which we are willing to sign
+PERSONA_DOMAIN = 'id.stg.fedoraproject.org'
+PERSONA_PRIVATE_KEY_PATH = '/etc/fedoauth/persona.key'
+PERSONA_PRIVATE_KEY_PASSPHRASE = '{{ fedoauth_persona_key_passphrase }}'
+
+# OPENID CONFIGURATION
+# This is the OpenID url provided to users. Add %(username)s where the username should be entered
+# A list of trust roots for which the user will not need to confirm again
+OPENID_TRUSTED_ROOTS = ['http://jenkins.cloud.fedoraproject.org/securityRealm/finishLogin',
+                        'https://ask.fedoraproject.org/',
+                        'https://fedorahosted.org/',
+                        'https://badges.fedoraproject.org',
+                        'https://apps.fedoraproject.org/tagger/',
+                        'https://apps.fedoraproject.org/nuancier/',
+                        'https://apps.fedoraproject.org/datagrepper/',
+                        'https://apps.fedoraproject.org/calendar/',
+                        'https://apps.fedoraproject.org/notifications/',
+                        'http://copr.fedoraproject.org/',
+                        'http://copr-fe.cloud.fedoraproject.org/']
+OPENID_NON_TRUSTED_ROOTS = []
+### The maximum time after which the user must re-authenticate for OpenID in minutes (use 0 for no limit)
+OPENID_MAX_AUTH_TIME = 120