Infrastructure/ansible
5
0
Fork 0
Code Issues Pull requests 3 Projects Releases Packages Wiki Activity Actions
ansible/roles/ipsilon/tasks/main.yml
Aurélien Bompard 1ca3aff8f1
Ipsilon: configure SSSd 
Signed-off-by: Aurélien Bompard <aurelien@bompard.org>
2020-10-08 12:29:37 +02:00

331 lines
7.9 KiB
YAML
Raw Blame History

# NOTE: this is not used anymore since Ipsilon has been moved to OpenShift.
# See playbooks/openshift-apps/ipsilon.yml and roles/openshift-apps/ipsilon/
---
# Configuration for the ipsilon webapp
- name: install needed packages
package: name={{ item }} state=present update_cache=yes
with_items:
- ipsilon
- ipsilon-openid
- ipsilon-saml2
# - ipsilon-persona
- ipsilon-openidc
- ipsilon-authgssapi
- ipsilon-authform
- ipsilon-infosssd
- ipsilon-theme-Fedora
- ipsilon-tools-ipa
- mod_auth_openidc
- mod_auth_gssapi
- python-psycopg2
# For the playbook itself
- git
- krb5-workstation
tags:
- ipsilon
- packages
#- name: Copy OpenID API extension
# copy: src=api.py
# dest=/usr/lib/python2.7/site-packages/ipsilon/providers/openid/extensions/api.py
# owner=root group=root mode=0644
# notify:
# - reload apache
# tags:
# - ipsilon
#- name: Copy extended infofas
# copy: src=infofas.py
# dest=/usr/lib/python2.7/site-packages/ipsilon/info/infofas.py
# owner=root group=root mode=0644
# notify:
# - reload apache
# tags:
# - ipsilon
#- name: Copy OpenID Connect scope registrations
# copy: src=oidc_scopes/{{item}}.py
# dest=/usr/lib/python2.7/site-packages/ipsilon/providers/openidc/plugins/{{item}}.py
# owner=root group=root mode=0644
# with_items:
# - account-scopes
# - mbs
# - beaker
# - waiverdb
# - odcs
# - wiki
# - src
# - fpdc
# notify:
# - reload apache
# tags:
# - ipsilon
# - ipsilon/oidc_scopes
#- name: Copy OpenID Connect scope registrations (STAGING)
# copy: src=oidc_scopes/{{item}}.py
# dest=/usr/lib/python2.7/site-packages/ipsilon/providers/openidc/plugins/{{item}}.py
# owner=root group=root mode=0644
# when: env == "staging"
# with_items:
# -
# notify:
# - reload apache
# tags:
# - ipsilon
# - ipsilon/oidc_scopes
#- name: Apply hotfix for taiga to get POST results
# copy: src=openid_server.py
# dest=/usr/lib/python2.7/site-packages/openid/server/server.py
# owner=root group=root mode=0644
# notify:
# - reload apache
# tags:
# - ipsilon
# - name: copy ipsilon templates
# copy: src=templates/
# dest=/usr/share/ipsilon/templates-fedora
# owner=ipsilon group=ipsilon mode=0666
# notify:
# - reload apache
# tags:
# - ipsilon
#
# - name: copy ipsilon ui assets
# copy: src=ui-fedora/
# dest=/usr/share/ipsilon/ui/fedora
# owner=ipsilon group=ipsilon mode=0666
# notify:
# - reload apache
# tags:
# - ipsilon
- name: Download Fedora-specific code
git:
repo: https://pagure.io/fedora-infra/ipsilon-fedora.git
dest: /opt/ipsilon-fedora
version: "{{ env }}"
force: yes
tags:
- ipsilon
- name: Install Fedora-specific code
command:
cmd: ./install.sh
chdir: /opt/ipsilon-fedora
creates: /usr/lib/python3.8/site-packages/ipsilon/providers/openidc/plugins/account-scopes.py
tags:
- ipsilon
- include_role:
name: ipa/client
- name: Get admin ticket
shell: echo "{{ipa_admin_password}}" | kinit admin
check_mode: no
tags:
- ipsilon
- name: Install ipsilon
command:
cmd: ipsilon-server-install
--root-instance
--admin-user=admin
--ipa=yes
--openidc=yes
--openid=yes
--saml2=yes
--info-sssd=yes
--form=yes
creates: /etc/ipsilon/root/ipsilon.conf
tags:
- ipsilon
- name: Destroy admin ticket
command: kdestroy -A
tags:
- ipsilon
- name: copy ipsilon configuration
template:
src: "ipsilon.conf.{{ env }}"
dest: "/etc/ipsilon/root/ipsilon.conf"
owner: ipsilon
group: ipsilon
mode: 0600
tags:
- ipsilon
- config
notify:
- restart apache
- name: copy ipsilon admin configuration
template:
src: "configuration.conf"
dest: "/etc/ipsilon/root/configuration.conf"
owner: ipsilon
group: ipsilon
mode: 0600
tags:
- ipsilon
- config
notify:
- restart apache
- name: copy ipsilon OIDC client config
copy:
src: "{{ private }}/files/ipsilon/openidc.{{env}}.static"
dest: /etc/ipsilon/root/openidc.static.cfg
owner: ipsilon
group: ipsilon
mode: 0600
tags:
- ipsilon
- config
notify:
- restart apache
- name: copy ipsilon httpd config
template:
src: "httpd.conf.{{ env }}.j2"
dest: /etc/ipsilon/root/idp.conf
tags:
- ipsilon
- config
notify:
- restart apache
# - name: Create Ipsilon config symlink
# file:
# dest: /var/lib/ipsilon/ipsilon.conf
# src: /etc/ipsilon/root/ipsilon.conf
# state: link
# tags:
# - ipsilon
# notify:
# - reload apache
# - name: create wellknown directory
# file: path=/etc/ipsilon/root/wellknown state=directory
# owner=ipsilon group=ipsilon mode=0755
# tags:
# - ipsilon
# notify:
# - reload apache
# - name: copy persona private key
# copy: src={{ private }}/files/ipsilon/persona.key dest=/etc/ipsilon/root/persona.key
# owner=ipsilon group=ipsilon mode=0600
# when: env != "staging"
# tags:
# - ipsilon
#
# - name: copy persona public key
# copy: src=browserid dest=/etc/ipsilon/root/wellknown/browserid
# owner=ipsilon group=ipsilon mode=0644
# when: env != "staging"
# tags:
# - ipsilon
#
# - name: copy persona STG private key
# copy: src={{ private }}/files/ipsilon/persona.stg.key dest=/etc/ipsilon/root/persona.stg.key
# owner=ipsilon group=ipsilon mode=0600
# when: env == "staging"
# tags:
# - ipsilon
#
# - name: copy persona STG public key
# copy: src=browserid.stg dest=/etc/ipsilon/root/wellknown/browserid
# owner=ipsilon group=ipsilon mode=0644
# when: env == "staging"
# tags:
# - ipsilon
- name: copy OIDC private key
copy:
src: "{{ private }}/files/ipsilon/openidc{{ env_suffix }}.key"
dest: /etc/ipsilon/root/openidc.key
owner: ipsilon
group: ipsilon
mode: 0600
tags:
- ipsilon
# - name: copy OIDC STG private key
# copy: src={{ private }}/files/ipsilon/openidc.stg.key dest=/etc/ipsilon/root/openidc.stg.key
# owner=ipsilon group=ipsilon mode=0600
# when: env == "staging"
# tags:
# - ipsilon
- name: create SAML2 dir
file:
path: /etc/ipsilon/root/saml2
state: directory
mode: 0700
owner: ipsilon
group: ipsilon
setype: httpd_var_lib_t
tags:
- ipsilon
- name: copy SAML2 private key
copy:
src: "{{ private }}/files/saml2/{{ env }}/keys/idp.key"
dest: /etc/ipsilon/root/saml2/idp.key
owner: ipsilon
group: ipsilon
mode: 0600
tags:
- ipsilon
- name: copy SAML2 public key
copy:
src: "{{ private }}/files/saml2/{{ env }}/keys/idp.crt"
dest: /etc/ipsilon/root/saml2/idp.crt
owner: ipsilon
group: ipsilon
mode: 0644
tags:
- ipsilon
- name: set sebooleans so ipsilon can talk to the db
seboolean:
name: httpd_can_network_connect_db
state: true
persistent: true
tags:
- ipsilon
- name: apply selinux type to the wsgi file
file:
dest: /usr/libexec/ipsilon
setype: httpd_sys_content_t
tags:
- ipsilon
- name: configure SSSd to forward additional attributes (1/2)
replace:
path: /etc/sssd/sssd.conf
regexp: ^ldap_user_extra_attrs = [\w,\s]+$
replace: ldap_user_extra_attrs = mail, street, locality, st, postalCode, telephoneNumber, givenname, sn, fasTimeZone, fasLocale, fasIRCNick, fasGPGKeyId, fasCreationTime, fasStatusNote, fasRHBZEmail, fasGitHubUsername, fasGitLabUsername, fasWebsiteURL, fasIsPrivate
tags:
- ipsilon
- config
notify:
- restart sssd
- name: configure SSSd to forward additional attributes (2/2)
replace:
path: /etc/sssd/sssd.conf
regexp: ^user_attributes = [\w,\s+]+$
replace: user_attributes = +mail, +street, +locality, +st, +postalCode, +telephoneNumber, +givenname, +sn, +fasTimeZone, +fasLocale, +fasIRCNick, +fasGPGKeyId, +fasCreationTime, +fasStatusNote, +fasRHBZEmail, +fasGitHubUsername, +fasGitLabUsername, +fasWebsiteURL, +fasIsPrivate
tags:
- ipsilon
- config
notify:
- restart sssd
Reference in a new issue View git blame Copy permalink