Add fedoauth

roles/fedoauth/tasks/main.yml

@@ -0,0 +1,61 @@
+---
+# Configuration for the fedoauth webapp
+
+- name: clean yum metadata
+  command: yum clean all
+  tags:
+  - packages
+
+- name: install needed packages
+  yum: pkg={{ item }} state=installed
+  with_items:
+  - fedoauth
+  - fedoauth-template-fedora
+  - fedoauth-backend-fedora
+  - python-psycopg2
+  - libsemanage-python
+  tags:
+  - packages
+
+- name: copy fedoauth configuration
+  template: src=fedoauth.cfg
+            dest=/etc/fedoauth/fedoauth.cfg
+            owner=apache group=apache mode=0600
+  when: env != "staging"
+  tags:
+  - config
+  notify:
+  - restart apache
+
+- name: copy fedoauth STG configuration
+  template: src=fedoauth.stg.cfg
+            dest=/etc/fedoauth/fedoauth.cfg
+            owner=apache group=apache mode=0600
+  when: env == "staging"
+  tags:
+  - config
+  notify:
+  - restart apache
+
+- name: copy fedoauth private key
+  copy: src={{ private_files }}/fedoauth/persona.key
+  when: env != "staging"
+
+- name: copy fedoauth STG private key
+  copy: src={{ private_files }}/fedoauth/persona.stg.key
+  when: env == "staging"
+
+- name: create the database scheme
+  command: /usr/bin/python2 /usr/share/fedoauth/createdb.py
+  environment:
+      FEDOAUTH_CONFIG: /etc/fedoauth/fedoauth.cfg
+
+- name: set sebooleans so fedoauth can talk to the db
+  action: seboolean name=httpd_can_network_connect_db
+                    state=true
+                    persistent=true
+
+- name: apply selinux type to the wsgi file
+  file: >
+    dest=/usr/share/fedoauth/fedoauth.wsgi
+    setype=httpd_sys_content_t

roles/fedoauth/templates/fedoauth.stg.cfg

@@ -0,0 +1,51 @@
+# Beware that the quotes around the values are mandatory
+
+# GENERAL CONFIGURATION
+### url to the database server:
+SQLALCHEMY_DATABASE_URI="postgresql://{{ fedoauth_db_user }}:{{ fedoauth_db_pass }}@{{ fedoauth_db_host }}/{{ fedoauth_db_name }}"
+#SQLALCHEMY_DATABASE_URI='sqlite:///fedoauth.sqlite'
+#SQLALCHEMY_DATABASE_URI='mysql://user:pass@host/db_name'
+#SQLALCHEMY_DATABASE_URI='postgresql://user:pass@host/db_name'
+
+# This is the OpenID endpoint url, at which the server is available
+WEBSITE_ROOT = 'https://id.stg.fedoraproject.org'
+COOKIE_DOMAIN = 'id.stg.fedoraproject.org'
+COOKIE_SECURE = True
+OPENID_IDENTITY_URL = 'http://%(username)s.id.stg.fedoraproject.org/'
+
+# Modules to use
+AUTH_MODULE='fedoauth.auth.fas.Auth_FAS'
+
+# FAS PROVIDER CONFIGURATION
+FAS_USER_AGENT = 'FAS-OpenID'
+FAS_BASE_URL='https://admin.fedoraproject.org/accounts/'
+FAS_CHECK_CERT=False
+FAS_HTTPS_REQUIRED=False
+
+# Enable a filter to make this only available to a specific list of users
+FAS_AVAILABLE_FILTER = False
+FAS_AVAILABLE_TO = []
+
+# PERSONA CONFIGURATION
+# This is the domain for which we are willing to sign
+PERSONA_DOMAIN = 'id.stg.fedoraproject.org'
+PERSONA_PRIVATE_KEY_PATH = '/etc/fedoauth/persona.key'
+PERSONA_PRIVATE_KEY_PASSPHRASE = '{{ fedoauth_persona_key_passphrase }}'
+
+# OPENID CONFIGURATION
+# This is the OpenID url provided to users. Add %(username)s where the username should be entered
+# A list of trust roots for which the user will not need to confirm again
+OPENID_TRUSTED_ROOTS = ['http://jenkins.cloud.fedoraproject.org/securityRealm/finishLogin',
+                        'https://ask.fedoraproject.org/',
+                        'https://fedorahosted.org/',
+                        'https://badges.fedoraproject.org',
+                        'https://apps.fedoraproject.org/tagger/',
+                        'https://apps.fedoraproject.org/nuancier/',
+                        'https://apps.fedoraproject.org/datagrepper/',
+                        'https://apps.fedoraproject.org/calendar/',
+                        'https://apps.fedoraproject.org/notifications/',
+                        'http://copr.fedoraproject.org/',
+                        'http://copr-fe.cloud.fedoraproject.org/']
+OPENID_NON_TRUSTED_ROOTS = []
+### The maximum time after which the user must re-authenticate for OpenID in minutes (use 0 for no limit)
+OPENID_MAX_AUTH_TIME = 120