[ansible] Update pkgdb openid endpoint
by Nicolas Chauvet
commit 57b95fde604733f7a0b800341c5acdd2b68f52fe
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Wed Jun 21 09:45:58 2017 +0200
Update pkgdb openid endpoint
roles/pkgdb2/templates/pkgdb2.cfg | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
---
diff --git a/roles/pkgdb2/templates/pkgdb2.cfg b/roles/pkgdb2/templates/pkgdb2.cfg
index 51a69dd..95f35ca 100644
--- a/roles/pkgdb2/templates/pkgdb2.cfg
+++ b/roles/pkgdb2/templates/pkgdb2.cfg
@@ -85,7 +85,7 @@ SITE_ROOT = 'https://admin.rpmfusion.org'
SITE_URL = '%s/pkgdb' % SITE_ROOT
## Upon changes in pkgdb, update bugzilla
PKGDB2_BUGZILLA_NOTIFICATION = False
-FAS_OPENID_ENDPOINT = 'https://id.rpmfusion.org/'
+FAS_OPENID_ENDPOINT = 'https://id.rpmfusion.org/openid/'
{% else %}
PKGDB2_FAS_URL = 'http://fas01.online.rpmfusion.net/accounts'
PKGDB2_FAS_INSECURE = True
@@ -93,7 +93,7 @@ SITE_ROOT = 'https://admin.rpmfusion.org'
SITE_URL = '%s/pkgdb' % SITE_ROOT
## Upon changes in pkgdb, update bugzilla
PKGDB2_BUGZILLA_NOTIFICATION = True
-FAS_OPENID_ENDPOINT = 'https://id.rpmfusion.org/'
+FAS_OPENID_ENDPOINT = 'https://id.rpmfusion.org/openid/'
{% endif %}
## name of the user the pkgdb application can log in to FAS with
[ansible] Update wikiconfig.py
by Nicolas Chauvet
commit bf8bcbf7c185c2f14755fafc6f0931a2721c2ece
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Fri Jun 9 14:31:32 2017 +0200
Update wikiconfig.py
files/moin/wikiconfig.py | 6 ++++++
1 files changed, 6 insertions(+), 0 deletions(-)
---
diff --git a/files/moin/wikiconfig.py b/files/moin/wikiconfig.py
index 1a50c9e..a71c9a2 100644
--- a/files/moin/wikiconfig.py
+++ b/files/moin/wikiconfig.py
@@ -123,6 +123,7 @@ class Config(multiconfig.DefaultConfig):
# short or too easy passwords. If you don't like this and your site has
# rather low security requirements, feel free to DISABLE the checker by:
#password_checker = None # None means "don't do any password strength checks"
+ password_scheme = "{SSHA}"
# Link spam protection for public wikis (Uncomment to enable)
# Needs a reliable internet connection.
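Review bot: The new `password_scheme = "{SSHA}"` on line 49 selects a single-round salted SHA-1 hash for stored wiki passwords, and the commit gives no reason for choosing it over the stronger option MoinMoin 1.9 offers (`password_scheme = "{PASSLIB}"`, which hashes through a configurable passlib context when passlib is installed); if SSHA was picked for LDAP or migration compatibility, say so in a comment such as `# {SSHA} kept for compatibility with <reason>; prefer {PASSLIB} once possible`. As rendered here the added line carries a single space of indentation while it sits inside the `class Config` body, which in a Python file must match the class-level indent of the surrounding attributes — this looks like archive whitespace collapse, but worth confirming in the committed file. The enclosing `Config` class starts and ends outside this hunk.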
@@ -214,4 +215,9 @@ class Config(multiconfig.DefaultConfig):
# Disable rdns https://moinmo.in/HowTo/Tune%20Performance
log_reverse_dns_lookups = False
+ # https://master19.moinmo.in/HelpOnRobots
+ html_head_normal = '<meta name="robots" content="index,follow">\n'
+
+ # https://moinmo.in/ActionMarket/SiteMap
+ html_head = '<meta name="google-site-verification" content="4srSOTHB6Y0gbPm7vjFz3A0BEcMUqucE1pRdqYpMqW0" />'
[ansible] Add host_vars/group_vars for ipa
by Nicolas Chauvet
commit 20554dea5015ad694fd58c5c599f23601e89c913
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Tue Jun 6 11:18:05 2017 +0200
Add host_vars/group_vars for ipa
inventory/group_vars/ipa | 19 +++++++++++++++++++
inventory/host_vars/ipa01.online.rpmfusion.net | 13 +++++++++++++
2 files changed, 32 insertions(+), 0 deletions(-)
---
diff --git a/inventory/group_vars/ipa b/inventory/group_vars/ipa
new file mode 100644
index 0000000..eca7c8b
--- /dev/null
+++ b/inventory/group_vars/ipa
@@ -0,0 +1,19 @@
+---
+# Define resources for this group of hosts here.
+lvm_size: 30000
+mem_size: 2048
+num_cpus: 1
+
+tcp_ports: [ 80, 88, 389, 443, 464, 636 ]
+
+custom_rules: [
+ '-A INPUT -p udp -m udp -s 192.168.0.0/16 --dport 53 -j ACCEPT'
+]
+
+fas_client_groups: sysadmin-main,sysadmin-accounts
+
+nrpe_procs_warn: 300
+nrpe_procs_crit: 500
+
+ipa_dm_password: "{{ ipa_prod_dm_password }}"
+ipa_ldap_socket: ldapi://%2fvar%2frun%2fslapd-RPMFUSION-ORG.socket
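Review bot: `tcp_ports` on line 83 opens the TCP side of the IPA service set, but no UDP equivalent is declared for Kerberos (88/udp, 464/udp) and the only UDP rule, line 86, is DNS from 192.168.0.0/16; clients that try Kerberos over UDP first will fall back to TCP only after a timeout, so either add the UDP ports through whatever variable the firewall role consumes or note in a comment that UDP Kerberos is intentionally not served. Likewise 53/tcp is absent although udp/53 is allowed — if this host is meant to serve DNS (the IPA install in the sibling commit passes `--setup-dns`), TCP 53 is needed for responses that exceed the UDP size and for zone transfers. The choice of exposing 389 and 80 alongside 636 and 443 is reasonable for IPA (STARTTLS and the HTTPS redirect) but deserves a one-line comment so the next editor does not "tighten" it. `ipa_dm_password` correctly indirects through `ipa_prod_dm_password`; confirm that variable lives in a vault-encrypted file.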
diff --git a/inventory/host_vars/ipa01.online.rpmfusion.net b/inventory/host_vars/ipa01.online.rpmfusion.net
new file mode 100644
index 0000000..cafd5c5
--- /dev/null
+++ b/inventory/host_vars/ipa01.online.rpmfusion.net
@@ -0,0 +1,13 @@
+nm: 255.255.255.0
+gw: 192.168.181.254
+dns: 62.210.16.6
+ks_url: http://192.168.181.254/install/ks/ipa01.ks
+
+volgroup: /dev/vg_hv03_virt
+eth0_ip: 192.168.181.11
+vmhost: hv01.online.rpmfusion.net
+datacenter: online
+
+nrpe_procs_warn: 900
+nrpe_procs_crit: 1000
+
[ansible] Add initial ipa server role
by Nicolas Chauvet
commit 64f0335977065907d40e9df704c3f65285534f9f
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Tue Jun 6 10:44:09 2017 +0200
Add initial ipa server role
roles/ipa/server/files/configure-ipa.sh | 22 ++
.../files/grant_anonymous_replication_view.ldif | 4 +
roles/ipa/server/files/grant_fas_sync.ldif | 4 +
roles/ipa/server/files/ipa-rewrite.conf | 1 +
roles/ipa/server/files/use_id_fp_o.ldif | 4 +
roles/ipa/server/tasks/main.yml | 250 ++++++++++++++++++++
roles/ipa/server/templates/referer-override.conf | 2 +
7 files changed, 287 insertions(+), 0 deletions(-)
---
diff --git a/roles/ipa/server/files/configure-ipa.sh b/roles/ipa/server/files/configure-ipa.sh
new file mode 100644
index 0000000..0b62940
--- /dev/null
+++ b/roles/ipa/server/files/configure-ipa.sh
@@ -0,0 +1,22 @@
+#!/bin/bash -x
+ADMIN_PASSWORD="$1"
+
+function cleanup {
+ kdestroy -A
+}
+trap cleanup EXIT
+
+echo $ADMIN_PASSWORD | kinit admin
+
+# Disallow all users to change their own settings
+ipa selfservice-find | grep "Self-service name:" | sed -e "s/ Self-service name: //" | \
+while read line
+do
+ echo "Removing $line"
+ ipa selfservice-del "$line"
+done
+
+# Disable default permissions so we don't break our privacy policy
+ipa permission-mod "System: Read User Addressbook Attributes" --bindtype=permission
+
+# TODO: Add custom permissions to grant specific access to user attributes
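Review bot: The admin password leaks in two places in this script: it is taken from `$1` on line 138, so it appears in the process list of every host while the script runs, and the `#!/bin/bash -x` shebang on line 137 traces every command, so line 145 prints `echo <password> | kinit admin` to stderr — which Ansible captures and logs. Change line 137 to `#!/bin/bash` (or wrap only the kinit in `set +x` / `set -x`), and read the secret from stdin or an environment variable instead of argv, e.g. `printf '%s\n' "$ADMIN_PASSWORD" | kinit admin` with `ADMIN_PASSWORD` exported by the caller rather than passed on the command line; the caller in `roles/ipa/server/tasks/main.yml` needs the matching change. Unquoted `$ADMIN_PASSWORD` on line 145 also word-splits a password containing spaces. The script also has no `set -e`, so a failed `kinit` still runs the permission changes, which then fail one by one.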
diff --git a/roles/ipa/server/files/grant_anonymous_replication_view.ldif b/roles/ipa/server/files/grant_anonymous_replication_view.ldif
new file mode 100644
index 0000000..62f47b5
--- /dev/null
+++ b/roles/ipa/server/files/grant_anonymous_replication_view.ldif
@@ -0,0 +1,4 @@
+dn: cn="dc=rpmfusion,dc=org",cn=mapping tree,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0; aci "permission:Read Replication Agreements"; allow (read, search, compare) groupdn = "ldap:///anyone";)
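Review bot: The ACI on line 168 grants `read, search, compare` to `ldap:///anyone` — unauthenticated binds — with `targetattr=*` on every replication agreement entry, so every attribute of those entries, including `nsds5ReplicaBindDN` and whatever the server stores in `nsds5ReplicaCredentials`, is readable without credentials, not just the replication status the task name in `tasks/main.yml` suggests. If the goal is a monitoring check, narrow `targetattr` to the status attributes (`nsds5replicaLastUpdateStatus`, `nsds5replicaLastUpdateStart`, `nsds5replicaLastUpdateEnd`, `nsds5replicaUpdateInProgress` — confirm the exact set against the directory's schema) and, preferably, replace `anyone` with the monitoring account's DN. A leading comment in the LDIF stating what consumer depends on this grant would make the scope reviewable later.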
diff --git a/roles/ipa/server/files/grant_fas_sync.ldif b/roles/ipa/server/files/grant_fas_sync.ldif
new file mode 100644
index 0000000..f6dfe65
--- /dev/null
+++ b/roles/ipa/server/files/grant_fas_sync.ldif
@@ -0,0 +1,4 @@
+dn: cn=ipa_pwd_extop,cn=plugins,cn=config
+changetype: modify
+add: passSyncManagersDNs
+passSyncManagersDNs: uid=fas_sync,cn=users,cn=accounts,dc=rpmfusion,dc=org
diff --git a/roles/ipa/server/files/ipa-rewrite.conf b/roles/ipa/server/files/ipa-rewrite.conf
new file mode 100644
index 0000000..12722ee
--- /dev/null
+++ b/roles/ipa/server/files/ipa-rewrite.conf
@@ -0,0 +1 @@
+# VERSION 6 - DO NOT REMOVE THIS LINE
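Review bot: The file consists only of the `# VERSION 6` marker, and nothing explains that this is a deliberate empty replacement of IPA's generated `ipa-rewrite.conf` or that the marker exists so IPA's upgrade tooling does not regenerate the file (which is how I read it — confirm against the IPA version deployed). Add a second comment line such as `# Intentionally empty: rewrites to the IPA FQDN are disabled because id.rpmfusion.org fronts the servers; keep the VERSION line in sync with what ipa-upgrade expects`, otherwise a future cleanup will delete the file or bump the number without knowing why.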
diff --git a/roles/ipa/server/files/use_id_fp_o.ldif b/roles/ipa/server/files/use_id_fp_o.ldif
new file mode 100644
index 0000000..f5b2a48
--- /dev/null
+++ b/roles/ipa/server/files/use_id_fp_o.ldif
@@ -0,0 +1,4 @@
+dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=rpmfusion,dc=org
+changetype: modify
+add: memberPrincipal
+memberPrincipal: HTTP/id.rpmfusion.org(a)RPMFUSION.ORG
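Review bot: The principal on line 195 is rendered here as `HTTP/id.rpmfusion.org(a)RPMFUSION.ORG`; Kerberos principals use `@` before the realm, and `(a)` is the archive's usual e-mail obfuscation, but if the committed file actually contains `(a)` the `ldapmodify` in `tasks/main.yml` will add a principal that never matches and constrained delegation silently will not work — verify the repository copy reads `HTTP/id.rpmfusion.org@RPMFUSION.ORG`. Adding a principal to `ipa-http-delegation` lets the HTTP service at that name obtain tickets on behalf of users (S4U2Proxy), so a one-line comment naming the front-end host that holds the `HTTP/id.rpmfusion.org` key would document why this delegation is trusted.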
diff --git a/roles/ipa/server/tasks/main.yml b/roles/ipa/server/tasks/main.yml
new file mode 100644
index 0000000..47e1e12
--- /dev/null
+++ b/roles/ipa/server/tasks/main.yml
@@ -0,0 +1,250 @@
+---
+# Configuration for IPA
+
+- name: install needed packages
+ yum: pkg={{ item }} state=present
+ with_items:
+ - haveged
+ - ipa-server
+ - ipa-server-dns
+ - pynag
+ - python-ldap
+ tags:
+ - ipa/server
+ - packages
+
+- name: enable haveged
+ service: name=haveged state=started enabled=yes
+ tags:
+ - ipa/server
+ - config
+
+- name: install IPA
+ command: ipa-server-install
+ --realm={{ipa_realm}}
+ --domain={{ipa_realm}}
+ --ds-password={{ipa_dm_password}}
+ --admin-password={{ipa_admin_password}}
+ --mkhomedir
+ --no-ntp
+ --unattended
+ --no-ssh
+ --no-sshd
+ --setup-dns
+ --forwarder=192.168.181.254
+ --log-file=/var/log/ipainstall.log
+ creates=/etc/ipa/default.conf
+ tags:
+ - ipa/server
+ - config
+ when: inventory_hostname.startswith("ipa01")
+
+- name: install IPA vault
+ command: ipa-kra-install
+ --password={{ipa_dm_password}}
+ --unattended
+ --log-file=/var/log/ipakrainstall.log
+ creates=/var/log/ipakrainstall.log
+ tags:
+ - ipa/server
+ - config
+ when: inventory_hostname.startswith("ipa01")
+
+- name: determine whether we need to set up replication
+ stat: path=/etc/ipa/default.conf
+ register: replication_status
+ tags:
+ - ipa/server
+ - config
+ when: not inventory_hostname.startswith("ipa01")
+
+- name: create replica file
+ delegate_to: ipa01.online.rpmfusion.net
+ command: ipa-replica-prepare
+ --password={{ipa_dm_password}}
+ --ip-address={{eth0_ip}}
+ {{inventory_hostname}}
+ creates=/var/lib/ipa/replica-info-{{inventory_hostname}}.gpg
+ tags:
+ - ipa/server
+ - config
+ when: not inventory_hostname.startswith("ipa01") and not replication_status.stat.exists
+
+- name: retrieve replica file
+ delegate_to: ipa01.online.rpmfusion.net
+ fetch: src=/var/lib/ipa/replica-info-{{inventory_hostname}}.gpg
+ dest=/tmp/ipa_replica_{{inventory_hostname}}.gpg
+ flat=yes
+ tags:
+ - ipa/server
+ - config
+ when: not inventory_hostname.startswith("ipa01") and not replication_status.stat.exists
+
+- name: deploy replica file
+ copy: src=/tmp/ipa_replica_{{inventory_hostname}}.gpg
+ dest=/root/ipa_replica_{{inventory_hostname}}.gpg
+ mode=0600 owner=root group=root
+ tags:
+ - ipa/server
+ - config
+ when: not inventory_hostname.startswith("ipa01") and not replication_status.stat.exists
+
+- name: destroy replica file on ansible host
+ delegate_to: localhost
+ file: path=/tmp/ipa_replica_{{inventory_hostname}}.gpg state=absent
+ tags:
+ - ipa/server
+ - config
+ when: not inventory_hostname.startswith("ipa01") and not replication_status.stat.exists
+
+- name: deploy replica
+ command: ipa-replica-install
+ --setup-ca
+ --setup-kra
+ --password={{ipa_dm_password}}
+ --admin-password={{ipa_admin_password}}
+ --mkhomedir
+ --no-ntp
+ --unattended
+ --no-ssh
+ --no-sshd
+ --setup-dns
+ --forwarder=192.168.181.254
+ --skip-conncheck
+ --log-file=/var/log/ipainstall.log
+ /root/ipa_replica_{{inventory_hostname}}.gpg
+ creates=/etc/ipa/default.conf
+ tags:
+ - ipa/server
+ - config
+ when: not inventory_hostname.startswith("ipa01") and not replication_status.stat.exists
+
+- name: Disable rewrites
+ copy: src=ipa-rewrite.conf dest=/etc/httpd/conf.d/ipa-rewrite.conf
+ notify:
+ - reload httpd
+ tags:
+ - ipa/server
+ - config
+
+- name: Deploy configuration script
+ copy: src=configure-ipa.sh dest=/root/configure-ipa.sh mode=0700 owner=root group=root
+ register: config_deployed
+ tags:
+ - ipa/server
+ - config
+ when: inventory_hostname.startswith("ipa01")
+
+- name: Run configuration script
+ command: /bin/bash /root/configure-ipa.sh {{ipa_admin_password}}
+ tags:
+ - ipa/server
+ - config
+ when: inventory_hostname.startswith("ipa01") and config_deployed.changed
+
+- name: Get admin ticket
+ shell: echo "{{ipa_admin_password}}" | kinit admin
+ tags:
+ - ipa/server
+ - keytab
+ - config
+ - krb5
+ when: inventory_hostname.startswith("ipa01")
+
+- name: Create fas_sync user
+ command: ipa user-add fas_sync --first=FAS --last=Sync
+ tags:
+ - ipa/server
+ - config
+ when: inventory_hostname.startswith("ipa01")
+ register: create_output
+ changed_when: "'already exists' not in create_output.stderr"
+ failed_when: "'already exists' not in create_output.stderr and create_output.rc != 0"
+
+- name: Promote fas_sync user
+ command: ipa group-add-member admins --users=fas_sync
+ tags:
+ - ipa/server
+ - config
+ when: inventory_hostname.startswith("ipa01")
+ register: promote_output
+ changed_when: "'already a member' not in promote_output.stdout"
+ failed_when: "'already a member' not in promote_output.stdout and promote_output.rc != 0"
+
+- name: Configure password policy
+ command: ipa pwpolicy-mod global_policy --maxlife=0 --minlife=0 --history=0 --minclasses=0 --minlength=0 --maxfail=0
+ tags:
+ - ipa/server
+ - config
+ when: inventory_hostname.startswith("ipa01")
+ register: pwpolicy_output
+ changed_when: "'no modifications to be performed' not in pwpolicy_output.stderr"
+ failed_when: "'no modifications to be performed' not in pwpolicy_output.stderr and pwpolicy_output.rc != 0"
+
+- name: Destroy admin ticket
+ command: kdestroy -A
+ tags:
+ - ipa/server
+ - keytab
+ - config
+ - krb5
+ when: inventory_hostname.startswith("ipa01")
+
+- name: Create LDIF directory
+ file: path=/root/ldif state=directory owner=root group=root mode=0750
+ tags:
+ - ipa/server
+ - config
+
+- name: Copy LDIF files
+ copy: src={{item}} dest=/root/ldif/{{item}}
+ with_items:
+ - grant_anonymous_replication_view.ldif
+ - grant_fas_sync.ldif
+ - use_id_fp_o.ldif
+ tags:
+ - ipa/server
+ - config
+
+- name: Apply LDIF files
+ command: ldapmodify -Y EXTERNAL -H {{ ipa_ldap_socket }}
+ -f /root/ldif/{{item}}.ldif
+ with_items:
+ - grant_fas_sync
+ - use_id_fp_o
+ when: inventory_hostname.startswith("ipa01")
+ tags:
+ - ipa/server
+ - config
+ register: apply_output
+ changed_when: "'Type or value exists' not in apply_output.stderr"
+ failed_when: "'Type or value exists' not in apply_output.stderr and 'modifying entry' not in apply_output.stdout"
+
+# This is a special one, in that it needs to apply on each master since it's non-replicated.
+- name: Grant access to replication status
+ command: ldapmodify -Y EXTERNAL -H {{ ipa_ldap_socket }}
+ -f /root/ldif/grant_anonymous_replication_view.ldif
+ tags:
+ - ipa/server
+ - config
+ register: grant_repl_status_output
+ changed_when: "'Type or value exists' not in grant_repl_status_output.stderr"
+ failed_when: "'Type or value exists' not in grant_repl_status_output.stderr and 'modifying entry' not in grant_repl_status_output.stdout"
+
+# Make some httpd changes
+- name: Configure referer override
+ template: src=referer-override.conf
+ dest=/etc/httpd/conf.d/referer-override.conf
+ notify:
+ - reload apache
+ tags:
+ - ipa/server
+ - config
+
+- name: Update xmlrpc_uri
+ lineinfile: dest=/etc/ipa/default.conf
+ regexp='xmlrpc_uri ='
+ line='xmlrpc_uri = https://id{{env_suffix}}.rpmfusion.org/ipa/xml'
+ tags:
+ - ipa/server
+ - config
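Review bot: Several tasks put secrets on command lines or in task output without `no_log: true`: `--ds-password`/`--admin-password` on lines 227-228, 245, 265, 305-306, the script invocation `/bin/bash /root/configure-ipa.sh {{ipa_admin_password}}` on line 340, and `shell: echo "{{ipa_admin_password}}" | kinit admin` on line 347; Ansible prints the rendered `command`/`shell` string on failure and in verbose runs, and the argv is visible to every local user while the process runs. Add `no_log: true` to each of those tasks, and for line 340 pass the password through `environment:` or stdin instead of an argument (the script would need the matching change). The two handlers are named inconsistently — `reload httpd` on line 326 and `reload apache` on line 440 — so one of them almost certainly never fires; pick the name the handlers file defines. Line 376 sets `--maxlife=0 --minlength=0 --minclasses=0 --maxfail=0` on `global_policy`, i.e. no password expiry, no minimum length, no lockout; if that is intentional because policy is enforced upstream in FAS, say so in a comment above the task rather than leaving it to look like an oversight.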
diff --git a/roles/ipa/server/templates/referer-override.conf b/roles/ipa/server/templates/referer-override.conf
new file mode 100644
index 0000000..1667548
--- /dev/null
+++ b/roles/ipa/server/templates/referer-override.conf
@@ -0,0 +1,2 @@
+SetEnvIf Referer "https://id{{env_suffix}}.rpmfusion.org/ipa" HAVE_CORRECT_REFERER
+RequestHeader set Referer "https://{{inventory_hostname}}/ipa" env=HAVE_CORRECT_REFERER
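Review bot: The `SetEnvIf Referer` pattern on line 458 is a regular expression, and as written it is unanchored with unescaped dots, so it matches any Referer that merely contains a string like `https://idXrpmfusionXorg/ipa` anywhere in it, not only requests whose Referer begins with the expected origin; since the matched env var causes line 459 to rewrite the Referer to the value IPA's own referer check accepts, the match should be strict. Use `SetEnvIf Referer "^https://id{{env_suffix}}\.rpmfusion\.org/ipa" HAVE_CORRECT_REFERER` (the backslashes are plain characters to Jinja here, so the template renders them unchanged). A comment above the two lines explaining that IPA's XML-RPC endpoint rejects requests whose Referer is not its own FQDN, and that this rewrite lets the `id.rpmfusion.org` front name satisfy that check, would spare the next reader a trip through the IPA source.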