mirror of
https://github.com/rocky-linux/infrastructure
synced 2024-11-21 20:51:27 +00:00
commit
84d07f4a25
@ -7,12 +7,12 @@ auth [success=done ignore=ignore default=die] pam_sss.so require_cert
|
||||
auth sufficient pam_fprintd.so {include if "with-fingerprint"}
|
||||
auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
|
||||
auth required pam_u2f.so cue nouserok {include if "with-pam-u2f-2fa"}
|
||||
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
|
||||
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
|
||||
auth [default=1 ignore=ignore success=ok] pam_localuser.so {exclude if "with-smartcard"}
|
||||
auth [default=2 ignore=ignore success=ok] pam_localuser.so {include if "with-smartcard"}
|
||||
auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth {include if "with-smartcard"}
|
||||
auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
|
||||
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
|
||||
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
|
||||
auth sufficient pam_sss.so forward_pass
|
||||
auth required pam_faillock.so authfail audit deny=5 unlock_time=900 fail_interval=900 {include if "with-faillock"}
|
||||
auth required pam_deny.so
|
||||
@ -20,8 +20,8 @@ auth required pam_deny.so
|
||||
account required pam_access.so {include if "with-pamaccess"}
|
||||
account required pam_faillock.so {include if "with-faillock"}
|
||||
account required pam_unix.so
|
||||
account sufficient pam_localuser.so
|
||||
account sufficient pam_succeed_if.so uid < 1000 quiet
|
||||
account sufficient pam_localuser.so {exclude if "with-files-access-provider"}
|
||||
account sufficient pam_usertype.so issystem
|
||||
account [default=bad success=ok user_unknown=ignore] pam_sss.so
|
||||
account required pam_permit.so
|
||||
|
||||
|
@ -1,11 +1,3 @@
|
||||
******* **
|
||||
/**////** /** ** **
|
||||
/** /** ****** ***** /** ** //** **
|
||||
/******* **////** **///**/** ** //***
|
||||
/**///** /** /**/** // /**** /**
|
||||
/** //** /** /**/** **/**/** **
|
||||
/** //**//****** //***** /**//** **
|
||||
// // ////// ///// // // //
|
||||
This is a Rocky Linux system
|
||||
|
||||
All access is logged and monitored. Unauthorized access is prohibited.
|
||||
|
||||
|
@ -1,7 +1,10 @@
|
||||
---
|
||||
# Basic system configuration. All hardening should also be imported here.
|
||||
# Use --extra-vars="host=..." and specify a hostname in the inventory or
|
||||
# provide an ansible host group name. You can also just use "all" if you
|
||||
# want to ensure all systems are up to date on the configuration.
|
||||
- name: Configure system
|
||||
hosts: all
|
||||
hosts: "{{ host }}"
|
||||
become: true
|
||||
|
||||
# This is to try to avoid the handler issue in pre/post tasks
|
||||
|
@ -1,2 +1,26 @@
|
||||
---
|
||||
# Account Services
|
||||
- name: Install packages
|
||||
package:
|
||||
name:
|
||||
- httpd
|
||||
- mod_ssl
|
||||
- python3
|
||||
- python3-setuptools
|
||||
- python3-kdcproxy
|
||||
state: present
|
||||
|
||||
- name: Deploy relevant httpd configuration
|
||||
template:
|
||||
src: "etc/httpd/conf.d/id.conf.j2"
|
||||
dest: "/etc/httpd/conf.d/id.conf"
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0644'
|
||||
notify: restart_httpd
|
||||
|
||||
- name: Enable and start
|
||||
systemd:
|
||||
name: httpd
|
||||
state: running
|
||||
enabled: true
|
||||
|
@ -35,18 +35,18 @@
|
||||
|
||||
- name: Override system-auth and password-auth
|
||||
copy:
|
||||
src: "etc/authselect/custom/sssd-aoc/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}-system-auth"
|
||||
src: "etc/authselect/custom/sssd-rocky/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}-system-auth"
|
||||
dest: "{{ item }}"
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0644'
|
||||
loop:
|
||||
- /etc/authselect/custom/sssd-aoc/system-auth
|
||||
- /etc/authselect/custom/sssd-aoc/password-auth
|
||||
- /etc/authselect/custom/sssd-rocky/system-auth
|
||||
- /etc/authselect/custom/sssd-rocky/password-auth
|
||||
|
||||
- name: Select New Profile
|
||||
command: >
|
||||
/usr/bin/authselect select custom/sssd-aoc
|
||||
/usr/bin/authselect select custom/sssd-rocky
|
||||
without-nullok
|
||||
with-faillock
|
||||
with-mkhomedir
|
||||
|
@ -14,15 +14,35 @@
|
||||
yum:
|
||||
name: "{{ mantis_pkg }}"
|
||||
state: present
|
||||
vars:
|
||||
mantis_pkg:
|
||||
- php
|
||||
- php-ldap
|
||||
- httpd
|
||||
- mod_ssl
|
||||
- php-pgsql
|
||||
- php-mbstring
|
||||
- php-curl
|
||||
- openldap
|
||||
tags:
|
||||
- packages
|
||||
|
||||
- name: Download the bugtracker
|
||||
get_url:
|
||||
url: "http://downloads.sourceforge.net/mantisbt/mantisbt-{{ mantis_version }}.tar.gz"
|
||||
dest: "/tmp/mantisbt-{{ mantis_version }}.tar.gz"
|
||||
checksum: "{{ mantis_checksum }}"
|
||||
|
||||
- name: Extract mantis
|
||||
unarchive:
|
||||
src: "/tmp/mantisbt-{{ mantis_version }}.tar.gz"
|
||||
dest: "/var/www"
|
||||
owner: apache
|
||||
group: apache
|
||||
remote_src: true
|
||||
|
||||
- name: Configure mantis
|
||||
template:
|
||||
src: "var/www/mantis/config/config_inc.php.j2"
|
||||
dest: "/var/www/mantisbt-{{ mantis_version }}/config/config_inc.php"
|
||||
owner: apache
|
||||
group: apache
|
||||
mode: '0640'
|
||||
|
||||
- name: Configure httpd
|
||||
template:
|
||||
src: "etc/httpd/conf.d/mantis.conf.j2"
|
||||
dest: "/etc/httpd/conf.d/mantis.conf"
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0644'
|
||||
|
48
ansible/playbooks/templates/etc/httpd/conf.d/id.conf.j2
Normal file
48
ansible/playbooks/templates/etc/httpd/conf.d/id.conf.j2
Normal file
@ -0,0 +1,48 @@
|
||||
WSGIDaemonProcess kdcproxy processes=2 threads=15 maximum-requests=1000 \
|
||||
display-name=%{GROUP}
|
||||
WSGIImportScript /usr/lib/python3.6/site-packages/kdcproxy/__init__.py \
|
||||
process-group=kdcproxy application-group=kdcproxy
|
||||
WSGIScriptAlias /KdcProxy /usr/lib/python3.6/site-packages/kdcproxy/__init__.py
|
||||
WSGIScriptReloading Off
|
||||
|
||||
<VirtualHost *:80>
|
||||
ServerName accounts.rockylinux.org
|
||||
ServerAlias accounts.rockylinux.org {{ ansible_fqdn }}
|
||||
RewriteEngine On
|
||||
RewriteCond %{HTTPS} !=on
|
||||
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
|
||||
</VirtualHost>
|
||||
|
||||
<VirtualHost *:443>
|
||||
ServerName accounts.rockylinux.org
|
||||
ServerAlias accounts.rockylinux.org {{ ansible_fqdn }}
|
||||
RequestHeader set X-Forwarded-Proto https
|
||||
SSLCertificateFile /etc/pki/tls/certs/noggin.crt
|
||||
SSLCertificateKeyFile /etc/pki/tls/private/noggin.key
|
||||
</VirtualHost>
|
||||
|
||||
<Location "/">
|
||||
ProxyPreserveHost On
|
||||
ProxyPass http://127.0.0.1:5000/
|
||||
ProxyPassReverse http://127.0.0.1:5000/
|
||||
<RequireAll>
|
||||
Require all granted
|
||||
Include /etc/httpd/conf/blacklist.conf
|
||||
</RequireAll>
|
||||
</Location>
|
||||
|
||||
<Location "/KdcProxy">
|
||||
Satisfy Any
|
||||
WSGIProcessGroup kdcproxy
|
||||
WSGIApplicationGroup kdcproxy
|
||||
ProxyPass "!"
|
||||
ProxyPassReverse "!"
|
||||
<RequireAll>
|
||||
Require all granted
|
||||
Include /etc/httpd/conf/blacklist.conf
|
||||
</RequireAll>
|
||||
</Location>
|
||||
|
||||
ServerSignature Off
|
||||
ServerTokens Prod
|
||||
ErrorDocument 403 "<h3>Your IP is on the blacklist.</h3><p>Please contact <a href="mailto:infrastructure@rockylinux.org">Rocky Linux Staff</a> to see if this can be corrected.</p>"
|
33
ansible/playbooks/templates/etc/httpd/conf.d/mantis.conf.j2
Normal file
33
ansible/playbooks/templates/etc/httpd/conf.d/mantis.conf.j2
Normal file
@ -0,0 +1,33 @@
|
||||
<VirtualHost *:80>
|
||||
ServerAdmin infrastructure@rockylinux.org
|
||||
DocumentRoot "/var/www/mantisbt-{{ mantis_version }}"
|
||||
ServerName bugs.rockylinux.org
|
||||
TransferLog /var/log/httpd/mantis_access.log
|
||||
ErrorLog /var/log/httpd/mantis_error.log
|
||||
<Directory "/var/www/mantisbt-{{ mantis_version }}/">
|
||||
Options MultiViews FollowSymlinks
|
||||
AllowOverride All
|
||||
Order allow,deny
|
||||
Allow from all
|
||||
</Directory>
|
||||
</VirtualHost>
|
||||
|
||||
<VirtualHost *:443>
|
||||
SSLEngine on
|
||||
SSLHonorCipherOrder on
|
||||
SSLCipherSuite PROFILE=SYSTEM
|
||||
SSLProxyCipherSuite PROFILE=SYSTEM
|
||||
SSLCertificateFile /etc/pki/tls/certs/bugs.rockylinux.org.crt
|
||||
SSLCertificateKeyFile /etc/pki/tls/private/bugs.rockylinux.org.key
|
||||
ServerAdmin infrastructure@rockylinux.org
|
||||
DocumentRoot "/var/www/mantisbt-{{ mantis_version }}"
|
||||
ServerName bugs.rockylinux.org
|
||||
TransferLog /var/log/httpd/mantis_access.log
|
||||
ErrorLog /var/log/httpd/mantis_error.log
|
||||
<Directory "/var/www/mantisbt-{{ mantis_version }}/">
|
||||
Options MultiViews FollowSymlinks
|
||||
AllowOverride All
|
||||
Order allow,deny
|
||||
Allow from all
|
||||
</Directory>
|
||||
</VirtualHost>
|
@ -0,0 +1,40 @@
|
||||
<?php
|
||||
$g_hostname = 'build-a-box.labs.angelsofclockwork.net';
|
||||
$g_db_type = 'pgsql';
|
||||
$g_database_name = '{{ mantis_db_name }}';
|
||||
$g_db_username = '{{ mantis_db_user }}';
|
||||
$g_db_password = '{{ mantis_db_pass }}';
|
||||
|
||||
$g_default_timezone = 'UTC';
|
||||
|
||||
$g_crypto_master_salt = 'DDQF2sdgdPycpzfWNSOt4KelQlz7h0kb9HHxaUFpYXk=';
|
||||
|
||||
# Added
|
||||
$g_login_method = 'LDAP';
|
||||
$g_ldap_server = '{{ rocky_ipaserver_lb }}';
|
||||
$g_ldap_root_dn = '{{ rocky_ldap_user_basedn }}';
|
||||
$g_ldap_organization = '(objectClass=posixAccount)';
|
||||
$g_ldap_protocol_version = 3;
|
||||
$g_ldap_network_timeout = 30;
|
||||
$g_ldap_follow_referrals = ON;
|
||||
$g_ldap_bind_dn = '{{ mantis_binder_user }}';
|
||||
$g_ldap_bind_passwd = '{{ mantis_binder_pass }}';
|
||||
$g_ldap_uid_field = 'uid';
|
||||
$g_ldap_realname_field = 'cn';
|
||||
$g_use_ldap_realname = ON;
|
||||
$g_use_ldap_email = ON;
|
||||
|
||||
$g_webmaster_email = 'infrastructure@rockylinux.org';
|
||||
$g_from_email = 'noreply@rockylinux.org';
|
||||
$g_return_path_email = 'noreply@rockylinux.org';
|
||||
$g_from_name = 'Rocky Linux Bugzilla';
|
||||
$g_allow_file_upload = ON;
|
||||
$g_file_upload_method = DATABASE; # or DISK
|
||||
$g_dropzone_enabled = ON;
|
||||
$g_show_realname = ON;
|
||||
$g_allowed_files = 'log,patch,txt';
|
||||
$g_disallowed_files = 'exe,tar,tgz,tar.gz,pl,sh';
|
||||
$g_window_title = 'Rocky Bugzilla';
|
||||
$g_allow_signup = OFF;
|
||||
$g_allow_anonymous_login = ON;
|
||||
$g_anonymous_account = 'anonymous';
|
2
ansible/playbooks/vars/ipaserver.yml
Normal file
2
ansible/playbooks/vars/ipaserver.yml
Normal file
@ -0,0 +1,2 @@
|
||||
---
|
||||
ipatype: server
|
18
ansible/playbooks/vars/mantis.yml
Normal file
18
ansible/playbooks/vars/mantis.yml
Normal file
@ -0,0 +1,18 @@
|
||||
---
|
||||
# mantis vars
|
||||
mantis_version: 2.24.2
|
||||
mantis_checksum: "sha256:c1b483c8395a0fb1249bcc50ada203db584d819f4f6f606b1d1eec42c5205cb8"
|
||||
mantis_pkg:
|
||||
- php
|
||||
- php-ldap
|
||||
- httpd
|
||||
- mod_ssl
|
||||
- php-pgsql
|
||||
- php-mbstring
|
||||
- php-curl
|
||||
- openldap
|
||||
mantis_db_name: mantis
|
||||
mantis_db_user: mantis
|
||||
#mantis_db_pass: ThisIsNotThePassword!
|
||||
mantis_binder_user: "uid=mantis_binder,cn=sysaccounts,cn=etc,dc=rockylinux,dc=org"
|
||||
#mantis_binder_pass: ThisIsNotThePassword!
|
Loading…
Reference in New Issue
Block a user