From faaa683e4066fbb7d3bfa605107599a844d07af7 Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk
Date: Sun, 9 Feb 2014 18:14:16 +0000
Subject: [PATCH] Add fedoauth
---
 ...edoauth01.stg.phx2.fedoraproject.org-hosts | 11 +++
 playbooks/groups/fedoauth.yml | 70 +++++++++++++++++++
 roles/fedoauth/tasks/main.yml | 61 ++++++++++++++++
 roles/fedoauth/templates/fedoauth.stg.cfg | 51 ++++++++++++++
 4 files changed, 193 insertions(+)
 create mode 100644 files/hosts/fedoauth01.stg.phx2.fedoraproject.org-hosts
 create mode 100644 playbooks/groups/fedoauth.yml
 create mode 100644 roles/fedoauth/tasks/main.yml
 create mode 100644 roles/fedoauth/templates/fedoauth.stg.cfg
diff --git a/files/hosts/fedoauth01.stg.phx2.fedoraproject.org-hosts b/files/hosts/fedoauth01.stg.phx2.fedoraproject.org-hosts
new file mode 100644
index 0000000000..9a51f702d5
--- /dev/null
+++ b/files/hosts/fedoauth01.stg.phx2.fedoraproject.org-hosts
@@ -0,0 +1,11 @@
+127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
+::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
+
+10.5.126.89 admin.fedoraproject.org
+10.5.126.88 proxy01.phx2.fedoraproject.org proxy1 proxy2 proxy3 proxy4 proxy01 proxy02 proxy03 proxy04 fedoraproject.org
+10.5.126.86 fas01.phx2.fedoraproject.org fas1 fas2 fas01 fas02 fas03 fas-all
+10.5.126.23 infrastructure.fedoraproject.org
+
+10.5.126.81 memcached03 memcached03.stg app01 app01.stg
+
+10.5.126.85 fedoauth_db
diff --git a/playbooks/groups/fedoauth.yml b/playbooks/groups/fedoauth.yml
new file mode 100644
index 0000000000..ebbe4dbc19
--- /dev/null
+++ b/playbooks/groups/fedoauth.yml
@@ -0,0 +1,70 @@
+# create a new FedOAuth server
+# NOTE: should be used with --limit most of the time
+# NOTE: make sure there is room/space for this server on the vmhost
+# NOTE: most of these vars_path come from group_vars/fedoauth* or from hostvars
+
+- name: make fedoauth
+ hosts: fedoauth-stg
+ user: root
+ gather_facts: False
+
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "{{ private }}/vars.yml"
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+ tasks:
+ - include: "{{ tasks }}/virt_instance_create.yml"
+ - include: "{{ tasks }}/accelerate_prep.yml"
+
+ handlers:
+ - include: "{{ handlers }}/restart_services.yml"
+
+- name: make the box be real
+ hosts: fedoauth-stg
+ user: root
+ gather_facts: True
+ accelerate: True
+
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "{{ private }}/vars.yml"
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+ roles:
+ - base
+ - rkhunter
+ - denyhosts
+ - nagios_client
+ - fas_client
+
+ tasks:
+ - include: "{{ tasks }}/hosts.yml"
+ - include: "{{ tasks }}/yumrepos.yml"
+ - include: "{{ tasks }}/2fa_client.yml"
+ - include: "{{ tasks }}/motd.yml"
+ - include: "{{ tasks }}/sudo.yml"
+ - include: "{{ tasks }}/openvpn_client.yml"
+ when: env != "staging"
+ - include: "{{ tasks }}/apache.yml"
+ - include: "{{ tasks }}/mod_wsgi.yml"
+
+ handlers:
+ - include: "{{ handlers }}/restart_services.yml"
+
+- name: deploy fedoauth itself
+ hosts: fedoauth-stg
+ user: root
+ gather_facts: True
+ accelerate: True
+
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "{{ private }}/vars.yml"
+ - "{{ vars_path }}/{{ ansible_distribution }}.yml"
+
+ roles:
+ - fedoauth
+
+ handlers:
+ - include: "{{ handlers }}/restart_services.yml"
diff --git a/roles/fedoauth/tasks/main.yml b/roles/fedoauth/tasks/main.yml
new file mode 100644
index 0000000000..58723fcf7d
--- /dev/null
+++ b/roles/fedoauth/tasks/main.yml
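Review bot: The third play loads `"{{ vars_path }}/{{ ansible_distribution }}.yml"` while the first two plays load `/srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml` literally; unless vars_path is meant to resolve somewhere else for the deploy step, the three entries should agree, and the header comment about vars_path suggests the variable form was the intended one throughout. All three plays also pin `hosts: fedoauth-stg` while the included openvpn_client task is guarded by `when: env != "staging"`, so that branch can never fire from this playbook; widening `hosts:` to cover a production group, once one exists in the inventory, is what would make the guard meaningful. As a style point, `gather_facts: False`, `gather_facts: True` and `accelerate: True` are capitalised booleans where lowercase `true`/`false` is the conventional YAML spelling.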
@@ -0,0 +1,61 @@
+---
+# Configuration for the fedoauth webapp
+
+- name: clean yum metadata
+ command: yum clean all
+ tags:
+ - packages
+
+- name: install needed packages
+ yum: pkg={{ item }} state=installed
+ with_items:
+ - fedoauth
+ - fedoauth-template-fedora
+ - fedoauth-backend-fedora
+ - python-psycopg2
+ - libsemanage-python
+ tags:
+ - packages
+
+- name: copy fedoauth configuration
+ template: src=fedoauth.cfg
+ dest=/etc/fedoauth/fedoauth.cfg
+ owner=apache group=apache mode=0600
+ when: env != "staging"
+ tags:
+ - config
+ notify:
+ - restart apache
+
+- name: copy fedoauth STG configuration
+ template: src=fedoauth.stg.cfg
+ dest=/etc/fedoauth/fedoauth.cfg
+ owner=apache group=apache mode=0600
+ when: env == "staging"
+ tags:
+ - config
+ notify:
+ - restart apache
+
+- name: copy fedoauth private key
+ copy: src={{ private_files }}/fedoauth/persona.key
+ when: env != "staging"
+
+- name: copy fedoauth STG private key
+ copy: src={{ private_files }}/fedoauth/persona.stg.key
+ when: env == "staging"
+
+- name: create the database scheme
+ command: /usr/bin/python2 /usr/share/fedoauth/createdb.py
+ environment:
+ FEDOAUTH_CONFIG: /etc/fedoauth/fedoauth.cfg
+
+- name: set sebooleans so fedoauth can talk to the db
+ action: seboolean name=httpd_can_network_connect_db
+ state=true
+ persistent=true
+
+- name: apply selinux type to the wsgi file
+ file: >
+ dest=/usr/share/fedoauth/fedoauth.wsgi
+ setype=httpd_sys_content_t
diff --git a/roles/fedoauth/templates/fedoauth.stg.cfg b/roles/fedoauth/templates/fedoauth.stg.cfg
new file mode 100644
index 0000000000..d7e4454dfe
--- /dev/null
+++ b/roles/fedoauth/templates/fedoauth.stg.cfg
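Review bot: The two private-key tasks, `copy: src={{ private_files }}/fedoauth/persona.key` and `copy: src={{ private_files }}/fedoauth/persona.stg.key`, give the copy module no `dest`, so the task has nowhere to place the file, and they set no owner, group or mode, so a signing key would not be restricted to the web server account the way the config tasks above restrict fedoauth.cfg. The staging template in this same commit reads the key from `/etc/fedoauth/persona.key`, so each line should look like `copy: src={{ private_files }}/fedoauth/persona.stg.key dest=/etc/fedoauth/persona.key owner=apache group=apache mode=0600` (the non-staging task with persona.key as src), and a `notify: - restart apache` as on the config tasks would make a key rotation take effect. Separately, `command: /usr/bin/python2 /usr/share/fedoauth/createdb.py` carries no `creates:` or other guard, so it reruns on every play; whether createdb.py is safe to rerun against an existing database is not visible here.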
@@ -0,0 +1,51 @@
+# Beware that the quotes around the values are mandatory
+
+# GENERAL CONFIGURATION
+### url to the database server:
+SQLALCHEMY_DATABASE_URI="postgresql://{{ fedoauth_db_user }}:{{ fedoauth_db_pass }}@{{ fedoauth_db_host }}/{{ fedoauth_db_name }}"
+#SQLALCHEMY_DATABASE_URI='sqlite:///fedoauth.sqlite'
+#SQLALCHEMY_DATABASE_URI='mysql://user:pass@host/db_name'
+#SQLALCHEMY_DATABASE_URI='postgresql://user:pass@host/db_name'
+
+# This is the OpenID endpoint url, at which the server is available
+WEBSITE_ROOT = 'https://id.stg.fedoraproject.org'
+COOKIE_DOMAIN = 'id.stg.fedoraproject.org'
+COOKIE_SECURE = True
+OPENID_IDENTITY_URL = 'http://%(username)s.id.stg.fedoraproject.org/'
+
+# Modules to use
+AUTH_MODULE='fedoauth.auth.fas.Auth_FAS'
+
+# FAS PROVIDER CONFIGURATION
+FAS_USER_AGENT = 'FAS-OpenID'
+FAS_BASE_URL='https://admin.fedoraproject.org/accounts/'
+FAS_CHECK_CERT=False
+FAS_HTTPS_REQUIRED=False
+
+# Enable a filter to make this only available to a specific list of users
+FAS_AVAILABLE_FILTER = False
+FAS_AVAILABLE_TO = []
+
+# PERSONA CONFIGURATION
+# This is the domain for which we are willing to sign
+PERSONA_DOMAIN = 'id.stg.fedoraproject.org'
+PERSONA_PRIVATE_KEY_PATH = '/etc/fedoauth/persona.key'
+PERSONA_PRIVATE_KEY_PASSPHRASE = '{{ fedoauth_persona_key_passphrase }}'
+
+# OPENID CONFIGURATION
+# This is the OpenID url provided to users.
Add %(username)s where the username should be entered
+# A list of trust roots for which the user will not need to confirm again
+OPENID_TRUSTED_ROOTS = ['http://jenkins.cloud.fedoraproject.org/securityRealm/finishLogin',
+ 'https://ask.fedoraproject.org/',
+ 'https://fedorahosted.org/',
+ 'https://badges.fedoraproject.org',
+ 'https://apps.fedoraproject.org/tagger/',
+ 'https://apps.fedoraproject.org/nuancier/',
+ 'https://apps.fedoraproject.org/datagrepper/',
+ 'https://apps.fedoraproject.org/calendar/',
+ 'https://apps.fedoraproject.org/notifications/',
+ 'http://copr.fedoraproject.org/',
+ 'http://copr-fe.cloud.fedoraproject.org/']
+OPENID_NON_TRUSTED_ROOTS = []
+### The maximum time after which the user must re-authenticate for OpenID in minutes (use 0 for no limit)
+OPENID_MAX_AUTH_TIME = 120
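Review bot: `FAS_CHECK_CERT=False` and `FAS_HTTPS_REQUIRED=False` switch off certificate verification for the backend named by `FAS_BASE_URL='https://admin.fedoraproject.org/accounts/'`, which is the service this OpenID provider hands user credentials to, so a misrouted or intercepted connection to it would go unnoticed. The hosts file added in this same commit pins admin.fedoraproject.org to an internal address, which may be why verification was relaxed for staging; if that is the reason, a comment above these two lines saying so and naming the intended production values would document it, otherwise `FAS_CHECK_CERT=True` and `FAS_HTTPS_REQUIRED=True` are the safer settings. `OPENID_IDENTITY_URL = 'http://%(username)s.id.stg.fedoraproject.org/'` and two of the `OPENID_TRUSTED_ROOTS` entries use plain http while `COOKIE_SECURE = True` is set, so confirm the http forms are deliberate rather than leftovers. The first comment states that quotes are mandatory, yet `SQLALCHEMY_DATABASE_URI` is the only double-quoted value; harmless, but single quotes throughout would match the rest of the file.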