Add IPA sync stuff to staging fas

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>

roles/fas_server/files/ipa.staging.pem

@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDsDCCApigAwIBAgIBATANBgkqhkiG9w0BAQsFADBAMR4wHAYDVQQKDBVTVEcu
+RkVET1JBUFJPSkVDVC5PUkcxHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0
+eTAeFw0xNjA4MDQxNzI3NTlaFw0zNjA4MDQxNzI3NTlaMEAxHjAcBgNVBAoMFVNU
+Ry5GRURPUkFQUk9KRUNULk9SRzEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9y
+aXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5HiQvnHPP+3AEJPR
+wlizXKhaxPhwVoO68r9VEcEDUOkRo78LQ0ZLEcwaAZBX64uTeStPd5azU6pEN0Gi
+124djqJZpBs3v9YNsvt+R4Au7SQhAdBu370VcKEKjj79UYc7e70E04ycv3jJP6hi
+7+RD+BeOwPHmMwEUXF2JrKytNOmRCfxoZ7LnQfH80a+YZA1MmpAEGIo8+pRuvGth
+cORUTtyEWsaBgpek6wnPjs7lDQG1LJyi0K2L/YQPYAisZCMBoM/ck5SAHSd4F6+P
+BcHMhQd2DhsxRhIb5Se4Zi8LUxAvkVdRlCsIk+6bdIM9SpzVd9+RtBnE3LOKu1TH
+bxCW2QIDAQABo4G0MIGxMB8GA1UdIwQYMBaAFFfHodJF0pk5OgP9sgMqtPOdOaqC
+MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgHGMB0GA1UdDgQWBBRXx6HS
+RdKZOToD/bIDKrTznTmqgjBOBggrBgEFBQcBAQRCMEAwPgYIKwYBBQUHMAGGMmh0
+dHA6Ly9pcGEwMS5zdGcucGh4Mi5mZWRvcmFwcm9qZWN0Lm9yZzo4MC9jYS9vY3Nw
+MA0GCSqGSIb3DQEBCwUAA4IBAQAnBIll/83TixgIu6JByImWWK7Ew++33heW+rDQ
+GQhol1Bp7Gk4wsLpGLATDI+ur25kREnzPfwXLcptO/5GvMEe8rwwvo1b6zkl5VEq
+vCA5dQimBTKTlTX2JFZze/KkiKa7WKZAopnSQVkPsSnAZXClTbjALXHwdQ0bDEUU
+old29skK0Xvf+WGmE3/SvQmEcueDeDJcV7Jckj45ZuqegklBG6y+fG5ELV0B4u9l
+p0ySWPVoaWSRR+izB8Kq9gCP0a5HsO3u5qJ+HRWr+Md7KboMGX29pQehakvtcnta
+jr+txnKWhel7c7bEwa6JVRFoOO7jcOHEMohPbKl3Ef/n0uCQ
+-----END CERTIFICATE-----
+

roles/fas_server/tasks/main.yml

@@ -15,6 +15,42 @@
   - packages
   - fas
 
+- name: install needed packages
+  when: env == "staging"
+  yum: pkg={{ item }} state=installed
+  with_items:
+  - krb5-workstation
+  - python-requests-kerberos
+  tags:
+  - packages
+  - fas
+
+- name: configure krb5
+  when: env == "staging"
+  template: src=krb5.conf dest=/etc/krb5.conf owner=root group=root mode=0644
+  tags:
+  - config
+  - fas
+
+- name: install IPA keytab
+  when: env == "staging"
+  copy: >
+    src="{{ private }}/files/keytabs/{{env}}/fas_sync"
+    dest="/etc/fas_sync_keytab"
+    owner=fas
+    group=fas
+    mode=0600
+  tags:
+  - config
+  - fas
+
+- name: install ipa public cert
+  when: env == "staging"
+  copy: src=ipa.{{env}}.pem dest=/etc/fas_sync_cert.pem owner=root group=root mode=0644
+  tags:
+  - config
+  - fas
+
 - name: enable httpd_can_network_connect selinux boolean
   seboolean: name={{ item }} state=yes persistent=yes
   with_items:

roles/fas_server/templates/fas.cfg.j2

@@ -57,6 +57,16 @@ country_blacklist = ["--", "A1", "A2", "AN", "AS", "AX", "BI", "BL", "BV", "CC",
 tgcaptcha2.key = '{{ fasCaptchaSecret }}'
 tgcaptcha2.jpeg_generator = 'vanasco_dowty'
 
+{% if env == "staging" %}
+###
+### IPA Sync settings
+###
+ipa_sync_enabled = True
+ipa_sync_server = ipa01.stg.phx2.fedoraproject.org
+ipa_sync_principal = fas_sync@STG.FEDORAPROJECT.ORG
+ipa_sync_keytab = /etc/fas_sync_keytab
+ipa_sync_certfile = /etc/fas_sync_cert.pem
+{% endif %}
 ###
 ### Administrative settings
 ###

roles/fas_server/templates/krb5.conf.j2

@@ -0,0 +1,31 @@
+[logging]
+ default = FILE:/var/log/krb5libs.log
+ kdc = FILE:/var/log/krb5kdc.log
+ admin_server = FILE:/var/log/kadmind.log
+
+[libdefaults]
+{% if env == "production" %}
+ default_realm = FEDORAPROJECT.ORG
+{% else %}
+ default_realm = STG.FEDORAPROJECT.ORG
+{% endif %}
+ dns_lookup_realm = false
+ dns_lookup_kdc = false
+ ticket_lifetime = 24h
+ renew_lifetime = 7d
+ forwardable = true
+
+[realms]
+{% if env == "production" %}
+ FEDORAPROJECT.ORG = {
+  kdc = ipa01.phx2.fedoraproject.org
+  admin_server = ipa01.phx2.fedoraproject.org
+ }
+{% else %}
+ STG.FEDORAPROJECT.ORG = {
+  kdc = ipa01.stg.phx2.fedoraproject.org
+  admin_server = ipa01.stg.phx2.fedoraproject.org
+ }
+{% endif %}
+
+[domain_realm]