Make roles out of sigul, and update configs

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>

files/sign/bridge.conf.j2

@@ -1,30 +0,0 @@
-# This is a configuration for the sigul bridge.
-
-[bridge]
-# Nickname of the bridge's certificate in the NSS database specified below
-bridge-cert-nickname: sign-bridge1 - Fedora Project
-# Port on which the bridge expects client connections
-client-listen-port: 44334
-# Port on which the bridge expects server connections
-server-listen-port: 44333
-# A Fedora account system group required for access to the signing server.  If
-# empty, no Fedora account check is done.
-required-fas-group: signers
-# User name and password for an account on the Fedora account system that can
-# be used to verify group memberships
-fas-user-name: {{ fedoraDummyUser }}
-fas-password: {{ fedoraDummyUserPassword }}
-
-[daemon]
-# The user to run as
-unix-user: sigul
-# The group to run as
-unix-group: sigul
-
-[nss]
-# Path to a directory containing a NSS database
-nss-dir: /var/lib/sigul
-# Password for accessing the NSS database.  If not specified, the bridge will
-# ask on startup
-# Currently no password is used
-nss-password:

files/sign/builder-rpms.repo

@@ -1,6 +0,0 @@
-[builder-rpms]
-name=Builder Packages from Fedora Infrastructure $releasever - $basearch
-baseurl=http://infrastructure.fedoraproject.org/repo/builder-rpms/$releasever/$basearch/
-enabled=1
-gpgcheck=1
-gpgkey=http://infrastructure.fedoraproject.org/repo/RPM-GPG-KEY-INFRASTRUCTURE

files/sign/server.conf.secondary

@@ -1,51 +0,0 @@
-# This is a configuration for the sigul server.
-
-# FIXME: remove my data
-
-[server]
-# Host name of the publically acessible bridge to clients
-bridge-hostname: secondary-signer
-# Port on which the bridge expects server connections
-; bridge-port: 44333
-# Maximum accepted size of payload stored on disk
-max-file-payload-size: 2073741824
-# Maximum accepted size of payload stored in server's memory
-max-memory-payload-size: 1048576
-# Nickname of the server's certificate in the NSS database specified below
-server-cert-nickname: secondary-signer-server
-
-signing-timeout: 4000
-
-[database]
-# Path to a SQLite database
-; database-path: /var/lib/sigul/server.conf
-
-[gnupg]
-# Path to a directory containing GPG configuration and keyrings
-gnupg-home: /var/lib/sigul/gnupg
-# Default primary key type for newly created keys
-gnupg-key-type: RSA
-# Default primary key length for newly created keys
-gnupg-key-length: 4096
-# Default subkey type for newly created keys, empty for no subkey
-#gnupg-subkey-type: ELG-E
-# Default subkey length for newly created keys if gnupg-subkey-type is not empty
-# gnupg-subkey-length: 4096
-# Default key usage flags for newly created keys
-gnupg-key-usage: encrypt, sign
-# Length of key passphrases used for newsly created keys
-; passphrase-length: 64
-
-[daemon]
-# The user to run as
-unix-user: sigul
-# The group to run as
-unix-group: sigul
-
-[nss]
-# Path to a directory containing a NSS database
-nss-dir: /var/lib/sigul
-# Password for accessing the NSS database.  If not specified, the server will
-# ask on startup
-; nss-password is not specified by default
-

playbooks/groups/sign-bridge.yml

@@ -24,12 +24,12 @@
   - hosts
   - fas_client
   - sudo
+  - sigul/bridge
 
   tasks:
   - include: "{{ tasks }}/motd.yml"
   - include: "{{ tasks }}/yumrepos.yml"
   - include: "{{ tasks }}/2fa_client.yml"
-  - include: "{{ tasks }}/sign_setup.yml"
 
   handlers:
   - include: "{{ handlers }}/restart_services.yml"

playbooks/manual/sign-vault.yml

@@ -35,10 +35,10 @@
   roles:
   - base
   - rkhunter
+  - sigul/server
 
   tasks:
   - include: "{{ tasks }}/motd.yml"
-  - include: "{{ tasks }}/sign_setup.yml"
 
   handlers:
   - include: "{{ handlers }}/restart_services.yml"

roles/sigul/bridge/tasks/main.yml

@@ -0,0 +1,18 @@
+- name: Install sigul bridge
+  yum: state=present name=sigul-bridge
+  tags:
+  - packages
+
+- name: Setup sigul bridge.conf
+  template: src=bridge.conf.j2 dest=/etc/sigul/bridge.conf
+            owner=sigul group=sigul mode=0640
+  tags:
+  - config
+
+- name: Setup secondary koji config files
+  copy: src={{ item }} dest=/etc/{{ item }} owner=root group=root mode=644
+  with_items:
+  - koji-arm.conf
+  - koji-ppc.conf
+  - koji-s390.conf
+  when: inventory_hostname.startswith('secondary')

roles/sigul/bridge/templates/bridge.conf.j2

@@ -2,40 +2,39 @@
 #
 [bridge]
 # Nickname of the bridge's certificate in the NSS database specified below
+{% if inventory_hostname.startswith('sign') %}
+bridge-cert-nickname: sign-bridge1 - Fedora Project
+{% else %}
 bridge-cert-nickname: secondary-signer
+{% endif %}
+
 # Port on which the bridge expects client connections
 client-listen-port: 44334
 # Port on which the bridge expects server connections
 server-listen-port: 44333
 # A Fedora account system group required for access to the signing server.  If
 # empty, no Fedora account check is done.
-; required-fas-group:
+required-fas-group: signers
 # User name and password for an account on the Fedora account system that can
 # be used to verify group memberships
-; fas-user-name:
-; fas-password:
-#
+fas-user-name: {{ fedoraDummyUser }}
+fas-password: {{ fedoraDummyUserPassword }}
+
+{% if inventory_hostname.startswith('secondary') %}
 [koji]
-# Config file used to connect to the Koji hub
-# ; koji-config: ~/.koji/config
-# # Recognized alternative instances
 koji-instances: ppc s390 arm sparc
-#
-# # Example configuration of alternative instances:
-# # koji-instances: ppc64 s390
-# # Configuration paths for alternative instances:
 koji-config-ppc: /etc/koji-ppc.conf
 koji-config-s390: /etc/koji-s390.conf
 koji-config-arm: /etc/koji-arm.conf
 koji-config-sparc: /etc/koji-sparc.conf
-#
-#
+{% endif %}
+
 [daemon]
 # The user to run as
 unix-user: sigul
 # The group to run as
 unix-group: sigul
-#
+
 [nss]
 # Path to a directory containing a NSS database
 nss-dir: /var/lib/sigul
@@ -43,3 +42,6 @@ nss-dir: /var/lib/sigul
 # ask on startup
 # Currently no password is used
 nss-password:
+# Minimum and maximum versions of TLS used
+nss-min-tls: tls1.2
+nss-max-tls: tls1.2

roles/sigul/server/tasks/main.yml

@@ -0,0 +1,18 @@
+- name: Install sigul server
+  yum: state=present name={{ item }}
+  with_items:
+  - sigul-server
+  - gnupg1
+  - rpm-sign
+  - bzip2
+  tags:
+  - packages
+
+- name: Setup sigul server.conf
+  template: src=server.conf.j2 dest=/etc/sigul/server.conf
+            owner=sigul group=sigul mode=0640
+  tags:
+  - config
+
+- name: Setup gpg link
+  file: state=link src=/usr/bin/gpg1 dest=/usr/bin/gpg

roles/sigul/server/templates/server.conf.j2

@@ -2,15 +2,27 @@
 
 [server]
 # Host name of the publically acessible bridge to clients
+
+{% if inventory_hostname.startswith('sign') %}
 bridge-hostname: sign-bridge1
+server-cert-nickname: sign-vault1 - Fedora Project
+{% else %}
+bridge-hostname: secondary-signer
+server-cert-nickname: secondary-signer-server
+{% endif %}
+
 # Port on which the bridge expects server connections
 bridge-port: 44333
 # Maximum accepted size of payload stored on disk
 max-file-payload-size: 2073741824
 # Maximum accepted size of payload stored in server's memory
 max-memory-payload-size: 1048576
-# Nickname of the server's certificate in the NSS database specified below
-server-cert-nickname: sign-vault1 - Fedora Project
+
+# Whether to relax the CN vs username check
+lenient-username-check: yes
+# Which CN's are allowed to use different usernames, comma seperated
+proxy-usernames:
+
 
 [database]
 # Path to a directory containing a SQLite database
@@ -30,7 +42,7 @@ gnupg-subkey-type:
 # Default key usage flags for newly created keys
 gnupg-key-usage: encrypt, sign
 # Length of key passphrases used for newsly created keys
-passphrase-length: 64
+passphrase-length: 128
 
 [daemon]
 # The user to run as
@@ -44,3 +56,10 @@ nss-dir: /var/lib/sigul
 # Password for accessing the NSS database.  If not specified, the server will
 # ask on startup
 ; nss-password is not specified by default
+# Minimum and maximum versions of TLS used
+nss-min-tls: tls1.2
+nss-max-tls: tls1.2
+
+[binding]
+# List of binding modules enabled
+enabled: 

tasks/sign_setup.yml

@@ -1,53 +0,0 @@
----
-
-- name: put builder-repo on system
-  copy: src="{{ files }}/sign/{{ item }}" dest="/etc/yum.repos.d/{{ item }}"
-  with_items:
-  - builder-rpms.repo
-  when: is_rhel is defined
-  tags:
-  - config
-  - packages
-
-- name: install sigul
-  yum: state=present name={{ item }}
-  with_items:
-  - sigul
-  - gnupg1
-  - rpm-sign
-  - bzip2
-  tags:
-  - packages
-
-- name: setup /etc/sigul/bridge.conf file
-  template: src="{{ files }}/sign/bridge.conf.j2" dest=/etc/sigul/bridge.conf owner=root group=sigul mode=640
-  tags:
-  - config
-  when: inventory_hostname.startswith('sign')
-
-- name: setup /etc/sigul/server.conf file
-  copy: src="{{ files }}/sign/server.conf.primary" dest=/etc/sigul/server.conf owner=root group=sigul mode=640
-  when: inventory_hostname.startswith('sign')
-
-- name: setup secondary /etc/sigul/bridge.conf file
-  template: src="{{ files }}/sign/bridge.conf.secondary.j2" dest=/etc/sigul/bridge.conf owner=root group=sigul mode=640
-  tags:
-  - config
-  when: inventory_hostname.startswith('secondary')
-
-- name: Install secondary arch koji configs
-  template: src="{{ files }}/sign/bridge.conf.secondary.j2" dest=/etc/sigul/bridge.conf owner=root group=sigul mode=640
-  tags:
-  - config
-  when: inventory_hostname.startswith('secondary')
-
-- name: setup secondary koji config files
-  copy: src="{{ files }}/sign/{{ item }}" dest=/etc/{{ item }} owner=root group=root mode=644
-  with_items:
-  - koji-arm.conf
-  - koji-ppc.conf
-  - koji-s390.conf
-  when: inventory_hostname.startswith('secondary')
-
-- name: setup gpg link
-  file: state=link src=/usr/bin/gpg1 dest=/usr/bin/gpg