ansible/roles/ipsilon/tasks/main.yml
Aurélien Bompard 9e17fd1f37
Fixup last ipsilon commit
Signed-off-by: Aurélien Bompard <aurelien@bompard.org>
2024-08-20 15:02:30 +02:00


---
# Configuration for the ipsilon webapp
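# Packages for the ipsilon IdP itself, its auth/info plugins, the httpd auth
# modules, and the tools the later tasks in this file rely on (git, kinit).
- name: install needed packages
  package:
    state: present
    update_cache: true  # canonical boolean; `yes` only reads as a bool under YAML 1.1
    name:
      - ipsilon
      - ipsilon-openid
      - ipsilon-saml2
      - ipsilon-openidc
      - ipsilon-authgssapi
      - ipsilon-authform
      - ipsilon-authpam
      - ipsilon-infosssd
      - ipsilon-infofas
      - ipsilon-theme-Fedora
      - ipsilon-tools-ipa
      - mod_auth_openidc
      - mod_auth_gssapi
      - python3-psycopg2
      - python3-pam
      # For the openid api extension
      - python3-freeipa
      # For the playbook itself
      - git
      - krb5-workstation
  tags:
    - ipsilon
    - packages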
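# The Fedora-specific ipsilon plugins live in a separate git repository and are
# put in place by its install.sh. The checkout tracks "{{ env }}" — presumably
# a branch or tag named after the environment; confirm in the repository.
- name: Download Fedora-specific code
  git:
    repo: https://pagure.io/fedora-infra/ipsilon-fedora.git
    dest: /opt/ipsilon-fedora
    version: "{{ env }}"
    force: true  # discard local edits in /opt/ipsilon-fedora so the tree matches the remote
  register: git_update
  tags:
    - ipsilon

# install.sh has to run in two situations: the checkout changed, or the plugin
# files are not installed yet (first run). Each task below covers one of them.
- name: Install Fedora-specific code if it changed
  command:
    cmd: ./install.sh
    chdir: /opt/ipsilon-fedora
  when: git_update is changed
  notify:
    - restart apache
  tags:
    - ipsilon

- name: Install Fedora-specific code on initial run
  command:
    cmd: ./install.sh
    chdir: /opt/ipsilon-fedora
    # Presence of this file (presumably written by install.sh) is the
    # "already installed" marker that makes the task idempotent.
    creates: "{{ ansible_facts['python3']['sitelib'] }}/ipsilon/providers/openidc/plugins/account-scopes.py"
  notify:
    - restart apache
  tags:
    - ipsilon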
# Enrol the host as an IPA client; the kinit and `ipsilon-server-install --ipa`
# tasks that follow depend on it.
# NOTE(review): this include carries no tags, so a run limited to
# `--tags ipsilon` skips it — confirm that is intended.
- include_role:
    name: ipa/client
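# The IPA admin ticket is only needed for ipsilon-server-install, so the three
# steps are grouped: the ticket is destroyed in `always`, even if the install
# fails part-way, instead of lingering in the credential cache.
- name: Obtain, use and destroy the IPA admin ticket
  tags:
    - ipsilon
  block:
    - name: Get admin ticket
      command:
        cmd: kinit admin
        # The password is fed on stdin instead of `echo "..." | kinit`, so it
        # never appears in a shell command line (process list, shell history).
        stdin: "{{ ipa_admin_password }}"
      no_log: true  # keep the password out of Ansible output and logs; kinit errors are hidden too
      check_mode: false  # as before, the ticket is obtained even in check mode

    - name: Install ipsilon
      command:
        cmd: >-
          ipsilon-server-install
          --root-instance
          --admin-user=admin
          --ipa=yes
          --openidc=yes
          --openid=yes
          --saml2=yes
          --info-sssd=yes
          --form=yes
        creates: /etc/ipsilon/root/ipsilon.conf  # initial install only; later config comes from templates below
  always:
    - name: Destroy admin ticket
      command: kdestroy -A
      check_mode: false  # the ticket is also obtained in check mode, so clean it up there too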
# Local patches on top of the packaged ipsilon code (see patches.yml in this role).
- tags:
    - ipsilon
    - patches
  import_tasks: patches.yml
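# Configuration of the root ipsilon instance. Everything under /etc/ipsilon/root
# is owned by the ipsilon user and readable by nobody else; file modes are
# written as quoted strings so they do not depend on YAML 1.1 octal parsing.
- name: make sure /etc/ipsilon/root is owned correctly
  file:
    path: "/etc/ipsilon/root"
    owner: ipsilon
    group: ipsilon
    state: directory
    mode: "0700"
  tags:
    - ipsilon
    - config

- name: copy ipsilon configuration
  template:
    src: "ipsilon.conf"
    dest: "/etc/ipsilon/root/ipsilon.conf"
    owner: ipsilon
    group: ipsilon
    mode: "0600"
  tags:
    - ipsilon
    - config
  notify:
    - restart apache

# Fetched over HTTPS with certificate validation left at the module default.
# NOTE(review): outside production the task is skipped, so `awx_metadata` holds
# a skipped result with no `content`; confirm configuration.conf guards on that.
- name: load the AWX SAML2 metadata that will be included in the configuration.conf file
  uri:
    url: https://awx.fedoraproject.org/sso/metadata/saml/
    return_content: true
  register: awx_metadata
  when: env == "production"
  tags:
    - ipsilon
    - config

- name: copy ipsilon admin configuration
  template:
    src: "configuration.conf"
    dest: "/etc/ipsilon/root/configuration.conf"
    owner: ipsilon
    group: ipsilon
    mode: "0600"
  tags:
    - ipsilon
    - config
  notify:
    - restart apache

# Static OIDC client registrations come from the private repository, one file
# per environment.
- name: copy ipsilon OIDC client config
  copy:
    src: "{{ private }}/files/ipsilon/openidc.{{env}}.static"
    dest: /etc/ipsilon/root/openidc.static.cfg
    owner: ipsilon
    group: ipsilon
    mode: "0600"
  tags:
    - ipsilon
    - config
    - oidc-config
  notify:
    - restart apache

# No owner/mode given: the file is created with the connection user's defaults.
- name: copy ipsilon httpd config
  template:
    src: "httpd.conf.j2"
    dest: /etc/ipsilon/root/idp.conf
  tags:
    - ipsilon
    - config
  notify:
    - restart apache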
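# Signing material. Private keys are 0600 ipsilon:ipsilon; only the SAML2
# certificate is world-readable. Modes are quoted strings (see above).
- name: copy OIDC private key
  copy:
    src: "{{ private }}/files/ipsilon/openidc{{ env_suffix }}.key"
    dest: /etc/ipsilon/root/openidc.key
    owner: ipsilon
    group: ipsilon
    mode: "0600"
  tags:
    - ipsilon

- name: create SAML2 dir
  file:
    path: /etc/ipsilon/root/saml2
    state: directory
    mode: "0700"
    owner: ipsilon
    group: ipsilon
    setype: httpd_var_lib_t  # httpd (ipsilon) must be able to write metadata.xml here
  tags:
    - ipsilon

- name: copy SAML2 private key
  copy:
    src: "{{ private }}/files/saml2/{{ env }}/keys/idp.key"
    dest: /etc/ipsilon/root/saml2/idp.key
    owner: ipsilon
    group: ipsilon
    mode: "0600"
  tags:
    - ipsilon

- name: copy SAML2 public key
  copy:
    src: "{{ private }}/files/saml2/{{ env }}/keys/idp.crt"
    dest: /etc/ipsilon/root/saml2/idp.crt
    owner: ipsilon
    group: ipsilon
    mode: "0644"
  tags:
    - ipsilon

- name: copy saml2 metadata script
  template:
    src: prepare-saml2-metadata.py
    dest: /usr/local/bin/prepare-saml2-metadata
    owner: root
    group: root
    mode: "0755"
  tags:
    - ipsilon

# Runs as the ipsilon user so the generated metadata is owned like the rest of
# the saml2 directory; `creates` makes it a one-time step.
- name: generate the saml2 metadata
  become_user: ipsilon
  become: true
  command:
    cmd: /usr/local/bin/prepare-saml2-metadata
    creates: /etc/ipsilon/root/saml2/metadata.xml
  tags:
    - ipsilon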
# SELinux: ipsilon runs inside httpd, so the httpd_* booleans govern what it
# may reach. All are made persistent across reboots.
- name: set sebooleans so ipsilon can talk to the db
  seboolean:
    name: httpd_can_network_connect_db
    persistent: true
    state: true
  tags:
    - ipsilon

# NOTE(review): httpd_can_network_connect permits outbound connections to any
# port, a superset of the _db boolean set above; it is needed for the IPA
# (python3-freeipa) calls made by the openid extension.
- name: set sebooleans so ipsilon can talk to IPA for the openid extension
  seboolean:
    name: httpd_can_network_connect
    persistent: true
    state: true
  tags:
    - ipsilon

- name: set sebooleans so ipsilon can talk to sssd
  seboolean:
    name: httpd_dbus_sssd
    persistent: true
    state: true
  tags:
    - ipsilon

# Both booleans are required by the PAM-based auth plugin (python3-pam).
- name: set sebooleans so ipsilon can use python-pam
  seboolean:
    name: "{{ item }}"
    persistent: true
    state: true
  loop:
    - httpd_tmp_exec
    - httpd_mod_auth_pam
  tags:
    - ipsilon

# Only the SELinux type is managed here; ownership and mode are left as the
# package installed them.
- name: apply selinux type to the wsgi file
  file:
    dest: /usr/libexec/ipsilon
    setype: httpd_sys_content_t
  tags:
    - ipsilon
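# sssd.conf can contain bind credentials, hence root-only 0600; the mode is a
# quoted string so it does not rely on YAML 1.1 octal parsing.
- name: copy SSSd configuration
  template:
    src: sssd.conf
    dest: /etc/sssd/sssd.conf
    owner: root
    group: root
    mode: "0600"
  tags:
    - ipsilon
    - config
  notify:
    - restart sssd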