From 1a1f7d79e41d2bb4cc3c2c68c5d1b72d82e9b726 Mon Sep 17 00:00:00 2001
From: Aurélien Bompard
Date: Oct 07 2020 12:53:45 +0000
Subject: Ipsilon: fix files location

Signed-off-by: Aurélien Bompard

---

diff --git a/roles/ipsilon/tasks/main.yml b/roles/ipsilon/tasks/main.yml
index 28684b7..0d35b7a 100644
--- a/roles/ipsilon/tasks/main.yml
+++ b/roles/ipsilon/tasks/main.yml
@@ -141,7 +141,7 @@
 --saml2=yes --info-sssd=yes --form=yes
- creates: /etc/ipsilon/ipsilon.conf
+ creates: /etc/ipsilon/root/ipsilon.conf
 tags:
 - ipsilon
@@ -153,7 +153,7 @@
 ## - name: copy ipsilon configuration
 ## template:
 ## src: "ipsilon.conf"
-## dest: "/etc/ipsilon/ipsilon.conf"
+## dest: "/etc/ipsilon/root/ipsilon.conf"
 ## owner: ipsilon
 ## group: ipsilon
 ## mode: 0600
@@ -166,7 +166,7 @@
 ## - name: copy ipsilon admin configuration
 ## template:
 ## src: "configuration.conf"
-## dest: "/etc/ipsilon/configuration.conf"
+## dest: "/etc/ipsilon/root/configuration.conf"
 ## owner: ipsilon
 ## group: ipsilon
 ## mode: 0600
@@ -179,7 +179,7 @@
 - name: copy ipsilon OIDC client config
 copy:
 src: "{{ private }}/files/ipsilon/openidc.{{env}}.static"
- dest: /etc/ipsilon/openidc.static.cfg
+ dest: /etc/ipsilon/root/openidc.static.cfg
 owner: ipsilon
 group: ipsilon
 mode: 0600
@@ -192,14 +192,14 @@
 ## - name: copy ipsilon httpd config
 ## template:
 ## src: "httpd.conf.{{ env }}.j2"
-## dest: /etc/httpd/conf.d/ipsilon.conf
+## dest: /etc/ipsilon/root/idp.conf
 ## tags:
 ## - ipsilon
 # - name: Create Ipsilon config symlink
 # file:
 # dest: /var/lib/ipsilon/ipsilon.conf
-# src: /etc/ipsilon/ipsilon.conf
+# src: /etc/ipsilon/root/ipsilon.conf
 # state: link
 # tags:
 # - ipsilon
@@ -207,7 +207,7 @@
 # - reload apache
 # - name: create wellknown directory
-# file: path=/etc/ipsilon/wellknown state=directory
+# file: path=/etc/ipsilon/root/wellknown state=directory
 # owner=ipsilon group=ipsilon mode=0755
 # tags:
 # - ipsilon
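Review bot: The task-side destination changes are unconditional while the template side only switches paths for `env == 'staging'` — hunk -179 here (`dest: /etc/ipsilon/root/openidc.static.cfg`) and hunks -245, -262, -274 and -284 (openidc.key, the saml2 directory, idp.key, idp.crt) now install into `/etc/ipsilon/root/` for every environment, but the non-staging branches added to configuration.conf and ipsilon.conf still read `/etc/ipsilon/openidc.key`, `/etc/ipsilon/openidc.static.cfg`, `/etc/ipsilon/saml2` and `/etc/ipsilon/configuration.conf`. On a non-staging host that leaves the 0600 OIDC and SAML2 private keys deployed where the IdP does not look and the IdP reading files this role no longer manages, so either the copy tasks need the same split (`dest: "/etc/ipsilon{{ '/root' if env == 'staging' else '' }}/openidc.key"`) or the templates should drop their else branches. The same question applies to `creates: /etc/ipsilon/root/ipsilon.conf` in hunk -141: if the installer still writes `/etc/ipsilon/ipsilon.conf` outside staging, that guard never matches and ipsilon-server-install re-runs on every play. No `when:` is visible on these tasks within the hunk context, so this is inferred from the shown lines only.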
@@ -215,28 +215,28 @@
 # - reload apache
 # - name: copy persona private key
-# copy: src={{ private }}/files/ipsilon/persona.key dest=/etc/ipsilon/persona.key
+# copy: src={{ private }}/files/ipsilon/persona.key dest=/etc/ipsilon/root/persona.key
 # owner=ipsilon group=ipsilon mode=0600
 # when: env != "staging"
 # tags:
 # - ipsilon
 #
 # - name: copy persona public key
-# copy: src=browserid dest=/etc/ipsilon/wellknown/browserid
+# copy: src=browserid dest=/etc/ipsilon/root/wellknown/browserid
 # owner=ipsilon group=ipsilon mode=0644
 # when: env != "staging"
 # tags:
 # - ipsilon
 #
 # - name: copy persona STG private key
-# copy: src={{ private }}/files/ipsilon/persona.stg.key dest=/etc/ipsilon/persona.stg.key
+# copy: src={{ private }}/files/ipsilon/persona.stg.key dest=/etc/ipsilon/root/persona.stg.key
 # owner=ipsilon group=ipsilon mode=0600
 # when: env == "staging"
 # tags:
 # - ipsilon
 #
 # - name: copy persona STG public key
-# copy: src=browserid.stg dest=/etc/ipsilon/wellknown/browserid
+# copy: src=browserid.stg dest=/etc/ipsilon/root/wellknown/browserid
 # owner=ipsilon group=ipsilon mode=0644
 # when: env == "staging"
 # tags:
@@ -245,7 +245,7 @@
 - name: copy OIDC private key
 copy:
 src: "{{ private }}/files/ipsilon/openidc{{ env_suffix }}.key"
- dest: /etc/ipsilon/openidc.key
+ dest: /etc/ipsilon/root/openidc.key
 owner: ipsilon
 group: ipsilon
 mode: 0600
@@ -254,7 +254,7 @@
 - ipsilon
 # - name: copy OIDC STG private key
-# copy: src={{ private }}/files/ipsilon/openidc.stg.key dest=/etc/ipsilon/openidc.stg.key
+# copy: src={{ private }}/files/ipsilon/openidc.stg.key dest=/etc/ipsilon/root/openidc.stg.key
 # owner=ipsilon group=ipsilon mode=0600
 # when: env == "staging"
 # tags:
@@ -262,7 +262,7 @@
 - name: create SAML2 dir
 file:
- path: /etc/ipsilon/saml2
+ path: /etc/ipsilon/root/saml2
 state: directory
 mode: 0700
 owner: ipsilon
@@ -274,7 +274,7 @@
 - name: copy SAML2 private key
 copy:
 src: "{{ private }}/files/saml2/{{ env }}/keys/idp.key"
- dest: /etc/ipsilon/saml2/idp.key
+ dest: /etc/ipsilon/root/saml2/idp.key
 owner: ipsilon
 group: ipsilon
 mode: 0600
@@ -284,7 +284,7 @@
 - name: copy SAML2 public key
 copy:
 src: "{{ private }}/files/saml2/{{ env }}/keys/idp.crt"
- dest: /etc/ipsilon/saml2/idp.crt
+ dest: /etc/ipsilon/root/saml2/idp.crt
 owner: ipsilon
 group: ipsilon
 mode: 0644
diff --git a/roles/ipsilon/templates/configuration.conf b/roles/ipsilon/templates/configuration.conf
index bf57797..910cc29 100644
--- a/roles/ipsilon/templates/configuration.conf
+++ b/roles/ipsilon/templates/configuration.conf
@@ -39,9 +39,14 @@ openidc subject salt={{ ipsilon_stg_openidc_subject_salt }}
 openidc subject salt={{ ipsilon_openidc_subject_salt }}
 {% endif %}
 openidc endpoint url=https://id{{env_suffix}}.fedoraproject.org/openidc/
+{% if env == 'staging' %}
+openidc idp key file=/etc/ipsilon/root/openidc.key
+openidc static database url=configfile:///etc/ipsilon/root/openidc.static.cfg
+{% else %}
 openidc idp key file=/etc/ipsilon/openidc.key
-openidc database url=postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_openid_name }}
 openidc static database url=configfile:///etc/ipsilon/openidc.static.cfg
+{% endif %}
+openidc database url=postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_openid_name }}
 openidc documentation url=https://fedoraproject.org/wiki/Infrastructure/Authentication
 openidc policy url=https://fedoraproject.org/wiki/Legal:PrivacyPolicy
 openidc tos url=https://fedoraproject.org/wiki/Legal:PrivacyPolicy
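Review bot: The staging/non-staging path switch is spelled out as a separate `{% if env == 'staging' %}` block in this configuration.conf hunk, again in the saml2 hunk that follows, and once more in ipsilon.conf, while the tasks hard-code `/etc/ipsilon/root/` — four places that must agree on one directory and already disagree for the non-staging case. A single role variable would remove the duplication and keep tasks and templates from drifting, e.g. a per-environment `ipsilon_conf_dir` (name constructed here) with the template lines reduced to `openidc idp key file={{ ipsilon_conf_dir }}/openidc.key` and `openidc static database url=configfile://{{ ipsilon_conf_dir }}/openidc.static.cfg`, and the copy tasks using `dest: "{{ ipsilon_conf_dir }}/openidc.key"`. Moving `openidc database url` out of the conditional is fine as written; it only shows as removed and re-added because of the surrounding block.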
@@ -65,11 +70,12 @@ openid database url=postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{
 openid untrusted roots=
 openid enabled extensions=Fedora Teams,Attribute Exchange,CLAs,Simple Registration,API
-saml2 idp storage path=/etc/ipsilon/saml2
 saml2 idp metadata file=metadata.xml
 {% if env == 'staging' %}
+saml2 idp storage path=/etc/ipsilon/root/saml2
 saml2 idp nameid salt={{ ipsilon_stg_saml2_nameid_salt }}
 {% else %}
+saml2 idp storage path=/etc/ipsilon/saml2
 saml2 idp nameid salt={{ ipsilon_saml2_nameid_salt }}
 {% endif %}
 saml2 idp certificate file=idp.crt
diff --git a/roles/ipsilon/templates/httpd.conf.staging.j2 b/roles/ipsilon/templates/httpd.conf.staging.j2
index 4531300..9cc81b6 100644
--- a/roles/ipsilon/templates/httpd.conf.staging.j2
+++ b/roles/ipsilon/templates/httpd.conf.staging.j2
@@ -1,8 +1,10 @@
 #RewriteEngine on
 #RewriteRule /.well-known/openid-configuration /openidc/.well-known/openid-configuration [PT]
-Redirect /.well-known/webfinger /webfinger
+#Alias /ui /usr/share/ipsilon/themes/Fedora
+Alias /ui /usr/share/ipsilon/ui
 Alias /.well-known /var/lib/ipsilon/idp/public/well-known
 Alias /cache /var/cache/ipsilon
+Redirect /.well-known/webfinger /webfinger
 # This is for mapping $username.id.fp.o -> id.fp.o/id/$username
 RewriteEngine on
@@ -18,8 +20,6 @@ RewriteRule ^([a-z0-9-]+)\.id\.fedoraproject\.org/.* /openid/id/$1/ [PT]
 {% endif %}
-Alias /ui /usr/share/ipsilon/themes/Fedora
-#Alias /ui /usr/share/ipsilon/ui
 WSGIScriptAlias / /usr/libexec/ipsilon
 WSGIDaemonProcess ipsilon user=ipsilon group=ipsilon home=/var/lib/ipsilon display-name=ipsilon processes=2 threads=2 maximum-requests=1000
 # This header is required to be passed for OIDC client_secret_basic
@@ -45,8 +45,7 @@ WSGISocketPrefix run/wsgi
 Require all granted
-#
-
+
 Require all granted
diff --git a/roles/ipsilon/templates/ipsilon.conf b/roles/ipsilon/templates/ipsilon.conf
index 563b580..1f2864b 100644
--- a/roles/ipsilon/templates/ipsilon.conf
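Review bot: In the httpd.conf.staging.j2 hunk at -1, `Alias /ui /usr/share/ipsilon/ui` together with the removal of `Alias /ui /usr/share/ipsilon/themes/Fedora` in hunk -18 switches the staging IdP from the Fedora theme to the stock UI, which is a user-visible change that the subject "fix files location" does not cover. If it is intentional, a comment above the new Alias such as `# Stock upstream UI on staging; the Fedora theme alias is kept commented for switching back` would tell the next reader it was deliberate; otherwise it belongs in a separate commit. Reordering `Redirect /.well-known/webfinger /webfinger` below the `Alias /.well-known` line should not change behaviour, since mod_alias evaluates Redirects before Aliases within the same context, so that move is harmless. The `-45` hunk appears to have lost its enclosing directive lines in this rendering, so only the blank-line cleanup is visible there.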
+++ b/roles/ipsilon/templates/ipsilon.conf
@@ -6,7 +6,11 @@ template_dir = "/usr/share/ipsilon/templates"
 log.screen = True
 base.dir = "/usr/share/ipsilon"
+{% if env == 'staging' %}
+admin.config.db = "configfile:///etc/ipsilon/root/configuration.conf"
+{% else %}
 admin.config.db = "configfile:///etc/ipsilon/configuration.conf"
+{% endif %}
 user.prefs.db = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_prefs_name }}"
 transactions.db = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_transactions_name }}"