commit 420bb462530ac485cfb22ec15f78714f76417938
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Tue Oct 4 13:08:35 2016 +0200
Add sigul
roles/sigul/bridge/files/koji-primary.conf | 24 +++++++++++
roles/sigul/bridge/tasks/main.yml | 14 ++++++
roles/sigul/bridge/templates/bridge.conf.j2 | 38 +++++++++++++++++
roles/sigul/server/files/00-sigul.rules | 12 +++++
roles/sigul/server/tasks/main.yml | 57 +++++++++++++++++++++++++
roles/sigul/server/templates/server.conf.j2 | 60 +++++++++++++++++++++++++++
6 files changed, 205 insertions(+), 0 deletions(-)
---
diff --git a/roles/sigul/bridge/files/koji-primary.conf
b/roles/sigul/bridge/files/koji-primary.conf
new file mode 100644
index 0000000..5ff3981
--- /dev/null
+++ b/roles/sigul/bridge/files/koji-primary.conf
@@ -0,0 +1,24 @@
+[koji]
+
+;configuration for koji cli tool
+
+;url of XMLRPC server
+server =
http://koji.rpmfusion.org/kojihub
+
+;url of web interface
+weburl =
http://koji.rpmfusion.org/koji
+
+;url of package download site
+topurl =
https://kojipkgs.rpmfusion.org/
+
+;path to the koji top directory
+;topdir = /mnt/koji
+
+anon_retry = true
+
+;client certificate
+cert = /etc/sigul/rpmfusion.cert
+
+;certificate of the CA that issued the HTTP server certificate
+serverca = /etc/sigul/rpmfusion-server-ca.cert
+
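Review bot: `cert = /etc/sigul/rpmfusion.cert` and `serverca = /etc/sigul/rpmfusion-server-ca.cert` are referenced but nothing in the bridge tasks of this commit deploys either file, so a freshly provisioned bridge will fail to reach koji until they are placed by hand. Add a comment above them recording where they come from, e.g. `; client cert and CA are provisioned out of band (not managed by this role)`, or add the task that installs them. The commented-out `;topdir = /mnt/koji` is left without explanation; either drop it or say why it is unset, e.g. `; topdir unused: downloads go through topurl`.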
diff --git a/roles/sigul/bridge/tasks/main.yml b/roles/sigul/bridge/tasks/main.yml
new file mode 100644
index 0000000..4ebadb7
--- /dev/null
+++ b/roles/sigul/bridge/tasks/main.yml
@@ -0,0 +1,14 @@
+- name: Install sigul bridge
+ yum: state=present name=sigul-bridge
+ tags:
+ - packages
+
+- name: Setup sigul bridge.conf
+ template: src=bridge.conf.j2 dest=/etc/sigul/bridge.conf
+ owner=sigul group=sigul mode=0640
+ tags:
+ - config
+
+- name: Setup primary koji config file
+ copy: src=koji-primary.conf dest=/etc/koji-primary.conf owner=root group=root mode=644
+
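Review bot: The "Setup primary koji config file" task has no `tags:` while the template task above it is tagged `config`, so a `--tags config` run installs bridge.conf but skips the koji config it points to (`koji-config-primary: /etc/koji-primary.conf`); add `tags:` / `- config` to it. Neither task notifies a handler and the diffstat lists no handlers file, so a changed bridge.conf only takes effect after a manual restart of the bridge — that should be documented in the task name or fixed with a `notify`. `mode=644` also drops the leading zero used by the other task (`mode=0640`); use `mode=0644` for consistency.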
diff --git a/roles/sigul/bridge/templates/bridge.conf.j2
b/roles/sigul/bridge/templates/bridge.conf.j2
new file mode 100644
index 0000000..3c13e2e
--- /dev/null
+++ b/roles/sigul/bridge/templates/bridge.conf.j2
@@ -0,0 +1,38 @@
+# This is a configuration for the sigul bridge.
+#
+[bridge]
+# Nickname of the bridge's certificate in the NSS database specified below
+bridge-cert-nickname: sign-bridge1 - RPM Fusion Project
+
+# Port on which the bridge expects client connections
+client-listen-port: 44334
+# Port on which the bridge expects server connections
+server-listen-port: 44333
+# A RPM Fusion account system group required for access to the signing server. If
+# empty, no RPM Fusion account check is done.
+required-fas-group: signers
+# User name and password for an account on the RPM Fusion account system that can
+# be used to verify group memberships
+fas-user-name: {{ fedoraDummyUser }}
+fas-password: {{ fedoraDummyUserPassword }}
+
+[koji]
+koji-instances: primary
+koji-config-primary: /etc/koji-primary.conf
+
+[daemon]
+# The user to run as
+unix-user: sigul
+# The group to run as
+unix-group: sigul
+
+[nss]
+# Path to a directory containing a NSS database
+nss-dir: /var/lib/sigul
+# Password for accessing the NSS database. If not specified, the bridge will
+# ask on startup
+# Currently no password is used
+nss-password:
+# Minimum and maximum versions of TLS used
+nss-min-tls: tls1.2
+nss-max-tls: tls1.2
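Review bot: `nss-password:` is set to the empty string while the comment two lines above says the bridge asks on startup when no password is specified — the two statements conflict, and the reader cannot tell which applies. An NSS database with no password leaves the bridge certificate's private key protected only by the permissions on `nss-dir: /var/lib/sigul`, so the comment should say so explicitly, e.g. `# Empty: the NSS database has no password; its private key relies on the permissions of nss-dir`. The variables `fedoraDummyUser` / `fedoraDummyUserPassword` feed keys the comments describe as RPM Fusion account credentials; a short comment stating that these names were kept from the Fedora role would save the next reader a lookup.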
diff --git a/roles/sigul/server/files/00-sigul.rules
b/roles/sigul/server/files/00-sigul.rules
new file mode 100644
index 0000000..d3234c2
--- /dev/null
+++ b/roles/sigul/server/files/00-sigul.rules
@@ -0,0 +1,12 @@
+polkit.addRule(function(action, subject) {
+ if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
+ subject.user == "sigul") {
+ return polkit.Result.YES;
+ }
+});
+
+polkit.addRule(function(action, subject) {
+ if (action.id == "org.debian.pcsc-lite.access_card" &&
+ subject.user == "sigul") {
+ return polkit.Result.YES; }
+});
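Review bot: The second rule closes its `if` block on the same line as the return (`return polkit.Result.YES; }`), unlike the first rule; format it as `return polkit.Result.YES;` followed by `}` on its own line so the two rules read alike. Both rules grant the same subject two pcsc-lite actions and could be one rule whose condition tests `action.id == "org.debian.pcsc-lite.access_pcsc" || action.id == "org.debian.pcsc-lite.access_card"`, keeping the grant in one place. A header comment naming the purpose would help, e.g. `// let the sigul service user reach the smartcard/yubikey through pcscd` (the installing task names that purpose).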
diff --git a/roles/sigul/server/tasks/main.yml b/roles/sigul/server/tasks/main.yml
new file mode 100644
index 0000000..d368ea6
--- /dev/null
+++ b/roles/sigul/server/tasks/main.yml
@@ -0,0 +1,57 @@
+- name: put rhel AH repos on rhel systems
+ copy: src="{{ files }}/common/rhel7ah.repo"
dest="/etc/yum.repos.d/rhel7ah.repo"
+ when: ansible_distribution == 'RedHat' or ansible_distribution ==
'CentOS'
+ tags:
+ - config
+ - packages
+ - yumrepos
+
+- name: Install sigul server
+ package: state=present name={{ item }}
+ with_items:
+ - sigul-server
+ - rpm-sign
+ - bzip2
+ - p11-kit
+ - engine_pkcs11
+ - gnutls-utils
+ - ykpers
+ - yubico-piv-tool
+ - pcsc-lite
+ - opensc
+ tags:
+ - packages
+
+- name: Enable pcscd
+ service: name=pcscd state=started enabled=yes
+
+- name: install rhel7 only packages
+ package: state=present name={{ item }}
+ with_items:
+ - gnupg1
+ when: ansible_distribution_major_version|int == 7
+ tags:
+ - packages
+
+- name: install fedora only packages
+ package: state=present name={{ item }}
+ with_items:
+ - gnupg
+ when: ansible_distribution_major_version|int > 23
+ tags:
+ - packages
+
+- name: Setup sigul server.conf
+ template: src=server.conf.j2 dest=/etc/sigul/server.conf
+ owner=sigul group=sigul mode=0640
+ tags:
+ - config
+
+- name: Setup gpg link on rhel7
+ file: state=link src=/usr/bin/gpg1 dest=/usr/bin/gpg
+ when: ansible_distribution_major_version|int == 7
+
+- name: add polkit rules to allow sigul user to access the smartcard/yubikey
+ file: src=00-sigul.rules dest=/etc/polkit-1/rules.d/00-sigul.rules
+ tags:
+ - config
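Review bot: The last task uses the `file` module with `src=00-sigul.rules` but no `state=`, and `file` only honours `src` for `state=link`/`state=hard`; with the default state it does not copy anything, so the polkit rule never lands and the task fails on a host where the destination does not yet exist. It should be `copy: src=00-sigul.rules dest=/etc/polkit-1/rules.d/00-sigul.rules owner=root group=root mode=0644`, matching how the bridge role installs koji-primary.conf. The "Enable pcscd" and "Setup gpg link on rhel7" tasks carry no `tags:` unlike their neighbours, and the server.conf template task has no `notify`, so a changed server.conf only applies after a manual restart; say so or add a handler.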
diff --git a/roles/sigul/server/templates/server.conf.j2
b/roles/sigul/server/templates/server.conf.j2
new file mode 100644
index 0000000..d712a87
--- /dev/null
+++ b/roles/sigul/server/templates/server.conf.j2
@@ -0,0 +1,60 @@
+# This is a configuration for the sigul server.
+
+[server]
+# Host name of the publically acessible bridge to clients
+
+bridge-hostname:
koji01.online.rpmfusion.net
+server-cert-nickname: sign-vault1 - RPM Fusion Project
+
+# Port on which the bridge expects server connections
+bridge-port: 44333
+# Maximum accepted size of payload stored on disk
+max-file-payload-size: 2073741824
+# Maximum accepted size of payload stored in server's memory
+max-memory-payload-size: 1048576
+
+# Whether to relax the CN vs username check
+lenient-username-check: yes
+# Which CN's are allowed to use different usernames, comma seperated
+proxy-usernames:
+
+
+[database]
+# Path to a directory containing a SQLite database
+;database-path: /var/lib/sigul
+
+[gnupg]
+# Path to a directory containing GPG configuration and keyrings
+gnupg-home: /var/lib/sigul/gnupg
+# Default primary key type for newly created keys
+gnupg-key-type: RSA
+# Default primary key length for newly created keys
+gnupg-key-length: 4096
+# Default subkey type for newly created keys, empty for no subkey
+gnupg-subkey-type:
+# Default subkey length for newly created keys if gnupg-subkey-type is not empty
+; gnupg-subkey-length: 2048
+# Default key usage flags for newly created keys
+gnupg-key-usage: encrypt, sign
+# Length of key passphrases used for newsly created keys
+passphrase-length: 128
+
+[daemon]
+# The user to run as
+unix-user: sigul
+# The group to run as
+unix-group: sigul
+
+[nss]
+# Path to a directory containing a NSS database
+nss-dir: /var/lib/sigul
+# Password for accessing the NSS database. If not specified, the server will
+# ask on startup
+; nss-password is not specified by default
+# Minimum and maximum versions of TLS used
+nss-min-tls: tls1.2
+nss-max-tls: tls1.2
+
+[binding]
+# List of binding modules enabled
+enabled:
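Review bot: `lenient-username-check: yes` relaxes the check that a client's certificate CN matches the username it presents (per the comment above it) while `proxy-usernames:` is left empty, and nothing records why that relaxation is needed on this server. Either set it to `no` or add a comment stating the reason, e.g. `# Relaxed because <reason>; list the CNs allowed to do so in proxy-usernames`. `max-file-payload-size: 2073741824` is not a power of two — 2 GiB would be `2147483648` and 1 GiB `1073741824` — so it is worth confirming which limit was intended. The comments also contain typos (`publically acessible`, `seperated`, `newsly`), and the file mixes `#` and `;` comment markers.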