From 6c05b159cce216762f4b4497758127a31b910441 Mon Sep 17 00:00:00 2001
From: nazunalika
Date: Mon, 4 Jan 2021 12:01:44 -0700
Subject: [PATCH 1/2] vars for vaults

---
 ansible/playbooks/vars/common.yml | 2 +-
 ansible/playbooks/vars/gitlab.yml | 4 ++--
 ansible/playbooks/vars/vaults/encpass.yml | 3 +++
 3 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/ansible/playbooks/vars/common.yml b/ansible/playbooks/vars/common.yml
index 98fd358..b73c759 100644
--- a/ansible/playbooks/vars/common.yml
+++ b/ansible/playbooks/vars/common.yml
@@ -6,4 +6,4 @@ rocky_ldap_account_basedn: "cn=accounts,dc=rockylinux,dc=org"
 # Requires jinja 2.9+
 rocky_ipaserver_list: "{{ groups['ipaserver'] + groups['ipareplicas'] }}"
 # This will need to be vaulted
-# rocky_ldap_bind_pw: "ThisIsNotThePassword!"
+rocky_ldap_bind_pw: "{{ ipa_binder_password }}"
diff --git a/ansible/playbooks/vars/gitlab.yml b/ansible/playbooks/vars/gitlab.yml
index 31a0718..2529b2f 100644
--- a/ansible/playbooks/vars/gitlab.yml
+++ b/ansible/playbooks/vars/gitlab.yml
@@ -63,7 +63,7 @@ gitlab_nginx_listen_https: "false"
 gitlab_default_theme: 2
-gitlab_external_db: false
+gitlab_external_db: true
 gitlab_external_db_host: db.rockylinux.org
 gitlab_external_db_user: gitlab
-gitlab_external_db_password: gitlab
+gitlab_external_db_password: "{{ gitlab_db_pass }}"
diff --git a/ansible/playbooks/vars/vaults/encpass.yml b/ansible/playbooks/vars/vaults/encpass.yml
index 6d7cd0f..be2f325 100644
--- a/ansible/playbooks/vars/vaults/encpass.yml
+++ b/ansible/playbooks/vars/vaults/encpass.yml
@@ -22,3 +22,6 @@ koji_db_pass: !vault |
 pubsub_federation_pass: !vault |
   $ANSIBLE_VAULT;1.1;AES256
   REDACTED
+gitlab_db_pass: !vault |
+  $ANSIBLE_VAULT;1.1;AES256
+  REDACTED

From 786be11457ac3a19a137425f91f9f398f8fab302 Mon Sep 17 00:00:00 2001
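Review bot: The context comment `# This will need to be vaulted` directly above the new `rocky_ldap_bind_pw` line is now stale, because the line it described has become an indirection to `ipa_binder_password`; it should say where that value lives, e.g. `# Vaulted: ipa_binder_password is defined in vars/vaults/encpass.yml`. This commit's encpass.yml hunk adds only `gitlab_db_pass`, so unless `ipa_binder_password` already exists in a vault not shown here, the bind password resolves to an undefined variable at run time and the play fails on first use of it. The removed line was a commented-out placeholder rather than a real credential, so its removal on its own does not call for a rotation.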
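Review bot: The literal `gitlab` removed from the `gitlab_external_db_password` line stays in git history, so the vaulted `gitlab_db_pass` should be a freshly generated credential rather than the old value re-encrypted, and the `gitlab` database role on `db.rockylinux.org` should be rotated if that password was ever provisioned there. With `gitlab_external_db` switched to `true` the database connection now leaves the host; nothing in this hunk shows whether TLS (`sslmode`) is required for it, which is worth confirming in the role or on the database server. A short comment on the password line, such as `# Vaulted; see vars/vaults/encpass.yml (gitlab_db_pass)`, would tell the next reader where to rotate it.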
From: nazunalika
Date: Mon, 4 Jan 2021 12:31:13 -0700
Subject: [PATCH 2/2] preparing account services

---
 ansible/playbooks/vars/ipsilon.yml | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/ansible/playbooks/vars/ipsilon.yml b/ansible/playbooks/vars/ipsilon.yml
index 8a32b98..ab211d9 100644
--- a/ansible/playbooks/vars/ipsilon.yml
+++ b/ansible/playbooks/vars/ipsilon.yml
@@ -1,5 +1,6 @@
 ---
 # Vars for ipsilon
+ipsilon_fqdn: idp.rockylinux.org
 ipsilon_databases:
   - name: rockyipsilon
@@ -24,12 +25,12 @@ apache_ssl_cipher_suite: "PROFILE=SYSTEM"
 # be certificate_file, certificate_key_file, and certificate_chain_file
 apache_ignore_missing_ssl_certificate: true
 apache_vhosts:
-  - servername: "{{ inventory_hostname }}"
+  - servername: "{{ ipsilon_fqdn }}"
     documentroot: /var/www/html
     serveradmin: identitymanagement@rockylinux.org
     extra_parameters: |
-      CustomLog logs/{{ inventory_hostname }}_access.log combined
-      ErrorLog logs/{{ inventory_hostname }}_error.log
+      CustomLog logs/{{ ipsilon_fqdn }}_access.log combined
+      ErrorLog logs/{{ ipsilon_fqdn }}_error.log
       AccessFileName .htaccess
       Header always set X-Frame-Options "SAMEORIGIN"
       Header always set X-Xss-Protection "1; mode=block"
@@ -38,8 +39,8 @@ apache_vhosts:
       RewriteEngine On
       RewriteCond $1 !^.well-known
       RewriteCond %{HTTPS} !=on
-      RewriteRule ^/?(.*) https://{{ inventory_hostname }}/$1 [R,L]
-  - servername: "{{ inventory_hostname }}"
+      RewriteRule ^/?(.*) https://{{ ipsilon_fqdn }}/$1 [R,L]
+  - servername: "{{ ipsilon_fqdn }}"
     documentroot: /var/www/html
     serveradmin: identitymanagement@rockylinux.org
     extra_parameters: |
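Review bot: The new `ipsilon_fqdn` value carries no comment even though the hunks below make it the Apache ServerName, the log file name and the HTTP-to-HTTPS redirect target; that coupling deserves a line such as `# Public hostname of the IdP; used as Apache ServerName and as the HTTPS redirect target, so it must match the TLS certificate SAN`. Because `apache_ignore_missing_ssl_certificate: true` is kept further down, a certificate that does not match this name will not fail the play, so the match has to be verified out of band. Whether Ipsilon's own configuration also needs this hostname is not visible in this file.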
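Review bot: The rewritten `RewriteRule ^/?(.*) https://{{ ipsilon_fqdn }}/$1 [R,L]` still issues a temporary redirect, since a bare `R` flag means 302; for a permanent HTTP-to-HTTPS redirect in front of an identity provider `RewriteRule ^/?(.*) https://{{ ipsilon_fqdn }}/$1 [R=301,L]` is the usual choice, so clients cache it and stop sending the plain-HTTP request. Whether the HTTPS vhost also sets `Strict-Transport-Security` cannot be seen here, because the second `servername` entry begins in this hunk and its `extra_parameters` block continues outside it.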
@@ -50,8 +51,8 @@ apache_vhosts:
       Header always set X-Xss-Protection "1; mode=block"
       Header always set X-Content-Type-Options "nosniff"
       Header always set Referrer-Policy "same-origin"
-      ErrorLog logs/ssl-{{ inventory_hostname }}_error.log
-      TransferLog logs/ssl-{{ inventory_hostname }}_access.log
+      ErrorLog logs/ssl-{{ ipsilon_fqdn }}_error.log
+      TransferLog logs/ssl-{{ ipsilon_fqdn }}_access.log
       LogLevel warn
       SSLOptions +StdEnvVars