--- # Configuration for the ipsilon webapp - name: Install needed packages ansible.builtin.package: state: present update_cache: yes name: - ipsilon - ipsilon-openid - ipsilon-saml2 - ipsilon-openidc - ipsilon-authgssapi - ipsilon-authform - ipsilon-authpam - ipsilon-infosssd - ipsilon-infofas - ipsilon-theme-Fedora - ipsilon-tools-ipa - mod_auth_openidc - mod_auth_gssapi - python3-psycopg2 - python3-pam # For the openid api extension - python3-freeipa # For the playbook itself - git - krb5-workstation tags: - ipsilon - packages - name: Download Fedora-specific code ansible.builtin.git: repo: https://pagure.io/fedora-infra/ipsilon-fedora dest: /opt/ipsilon-fedora version: "{{ env }}" force: yes tags: - ipsilon notify: - Install Fedora-specific code - name: Install Fedora-specific code on initial run ansible.builtin.command: cmd: ./install.sh chdir: /opt/ipsilon-fedora creates: "{{ ansible_facts['python3']['sitelib'] }}/ipsilon/providers/openidc/plugins/account-scopes.py" notify: - Restart apache tags: - ipsilon - name: Apply patch for OpenID banner ansible.posix.patch: src: openid_banner.patch dest: /usr/share/ipsilon/themes/Fedora/templates/layout.html when: openid is defined and openid tags: - ipsilon - patch - name: Include ipa/client role ansible.builtin.include_role: name: ipa/client - name: Get admin ticket ansible.builtin.shell: set -o pipefail && echo "{{ ipa_admin_password }}" | kinit admin check_mode: no changed_when: true no_log: true tags: - ipsilon - name: Install ipsilon ansible.builtin.command: cmd: ipsilon-server-install --root-instance --admin-user=admin --ipa=yes --openidc=yes --openid=yes --saml2=yes --info-sssd=yes --form=yes creates: /etc/ipsilon/root/ipsilon.conf tags: - ipsilon - name: Destroy admin ticket ansible.builtin.command: kdestroy -A changed_when: true tags: - ipsilon - name: Import patches.yml tasks ansible.builtin.import_tasks: patches.yml tags: - ipsilon - patches - name: Make sure /etc/ipsilon/root is owned correctly ansible.builtin.file: path: "/etc/ipsilon/root" owner: ipsilon group: ipsilon state: directory mode: "0700" tags: - ipsilon - config - name: Copy ipsilon configuration ansible.builtin.template: src: "ipsilon.conf" dest: "/etc/ipsilon/root/ipsilon.conf" owner: ipsilon group: ipsilon mode: "0600" tags: - ipsilon - config notify: - Restart apache - name: Copy ipsilon admin configuration ansible.builtin.template: src: "configuration.conf" dest: "/etc/ipsilon/root/configuration.conf" owner: ipsilon group: ipsilon mode: "0600" tags: - ipsilon - config notify: - Restart apache - name: Copy ipsilon OIDC client config ansible.builtin.copy: src: "{{ private }}/files/ipsilon/openidc.{{ env }}.static" dest: /etc/ipsilon/root/openidc.static.cfg owner: ipsilon group: ipsilon mode: "0600" tags: - ipsilon - config - oidc-config notify: - Restart apache when: "env != 'staging'" - name: Template ipsilon OIDC client config ansible.builtin.template: src: "openidc.{{ env }}.static.j2" dest: /etc/ipsilon/root/openidc.static.cfg owner: ipsilon group: ipsilon mode: "0600" tags: - ipsilon - config - oidc-config notify: - Restart apache when: "env == 'staging'" - name: Copy ipsilon httpd config ansible.builtin.template: src: "httpd.conf.j2" dest: /etc/ipsilon/root/idp.conf mode: "0644" tags: - ipsilon - config notify: - Restart apache - name: Copy OIDC private key ansible.builtin.copy: src: "{{ private }}/files/ipsilon/openidc{{ env_suffix }}.key" dest: /etc/ipsilon/root/openidc.key owner: ipsilon group: ipsilon mode: "0600" tags: - ipsilon - name: Create SAML2 dir ansible.builtin.file: path: /etc/ipsilon/root/saml2 state: directory mode: "0700" owner: ipsilon group: ipsilon setype: httpd_var_lib_t tags: - ipsilon - name: Copy SAML2 private key ansible.builtin.copy: src: "{{ private }}/files/saml2/{{ env }}/keys/idp.key" dest: /etc/ipsilon/root/saml2/idp.key owner: ipsilon group: ipsilon mode: "0600" tags: - ipsilon - name: Copy SAML2 public key ansible.builtin.copy: src: "{{ private }}/files/saml2/{{ env }}/keys/idp.crt" dest: /etc/ipsilon/root/saml2/idp.crt owner: ipsilon group: ipsilon mode: "0644" tags: - ipsilon - name: Copy saml2 metadata script ansible.builtin.template: src: prepare-saml2-metadata.py dest: /usr/local/bin/prepare-saml2-metadata owner: root group: root mode: "0755" tags: - ipsilon - name: Generate the saml2 metadata become_user: ipsilon become: yes ansible.builtin.command: cmd: /usr/local/bin/prepare-saml2-metadata creates: /etc/ipsilon/root/saml2/metadata.xml tags: - ipsilon - name: Set sebooleans so ipsilon can talk to the db ansible.posix.seboolean: name: httpd_can_network_connect_db state: true persistent: true tags: - ipsilon - name: Set sebooleans so ipsilon can talk to IPA for the openid extension ansible.posix.seboolean: name: httpd_can_network_connect state: true persistent: true tags: - ipsilon - name: Set sebooleans so ipsilon can talk to sssd ansible.posix.seboolean: name: httpd_dbus_sssd state: true persistent: true tags: - ipsilon - name: Set sebooleans so ipsilon can use python-pam ansible.posix.seboolean: name: "{{ item }}" state: true persistent: true loop: - httpd_tmp_exec - httpd_mod_auth_pam tags: - ipsilon - name: Apply selinux type to the wsgi file ansible.builtin.file: dest: /usr/libexec/ipsilon setype: httpd_sys_content_t tags: - ipsilon - name: Copy SSSd configuration ansible.builtin.template: src: sssd.conf dest: /etc/sssd/sssd.conf owner: root group: root mode: "0600" tags: - ipsilon - config notify: - Restart sssd