diff --git a/ansible/playbooks/adhoc-ipadns.yml b/ansible/playbooks/adhoc-ipadnszone.yml
similarity index 100%
rename from ansible/playbooks/adhoc-ipadns.yml
rename to ansible/playbooks/adhoc-ipadnszone.yml
diff --git a/ansible/playbooks/files/etc/authselect/custom/sssd-rocky/RedHat-8-system-auth b/ansible/playbooks/files/etc/authselect/custom/sssd-rocky/RedHat-8-system-auth
index d4e9a0d..37ec715 100644
--- a/ansible/playbooks/files/etc/authselect/custom/sssd-rocky/RedHat-8-system-auth
+++ b/ansible/playbooks/files/etc/authselect/custom/sssd-rocky/RedHat-8-system-auth
@@ -7,12 +7,12 @@ auth [success=done ignore=ignore default=die] pam_sss.so require_cert
auth sufficient pam_fprintd.so {include if "with-fingerprint"}
auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
auth required pam_u2f.so cue nouserok {include if "with-pam-u2f-2fa"}
-auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
+auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth [default=1 ignore=ignore success=ok] pam_localuser.so {exclude if "with-smartcard"}
auth [default=2 ignore=ignore success=ok] pam_localuser.so {include if "with-smartcard"}
auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth {include if "with-smartcard"}
auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
-auth requisite pam_succeed_if.so uid >= 1000 quiet_success
+auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth sufficient pam_sss.so forward_pass
auth required pam_faillock.so authfail audit deny=5 unlock_time=900 fail_interval=900 {include if "with-faillock"}
auth required pam_deny.so
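Review bot: The two `pam_usertype.so isregular` lines decide regular vs. system by the UID thresholds in /etc/login.defs rather than the literal `uid >= 1000` of the removed pam_succeed_if lines, so a host with a customised login.defs draws that boundary differently than before; the same applies to `pam_usertype.so issystem` in the account hunk below. The second `isregular` line also turns a `requisite` entry into a one-line skip, so a system account that fails pam_unix now falls through to `pam_faillock.so authfail` (when with-faillock is selected) and pam_deny instead of returning immediately — still a denial, but faillock now tallies those attempts. Nothing in the file records where this profile comes from; add a header comment such as `# Copy of the authselect sssd profile; the regular/system split comes from /etc/login.defs via pam_usertype` at the top of the file, outside this hunk.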
@@ -20,8 +20,8 @@ auth required pam_deny.so
account required pam_access.so {include if "with-pamaccess"}
account required pam_faillock.so {include if "with-faillock"}
account required pam_unix.so
-account sufficient pam_localuser.so
-account sufficient pam_succeed_if.so uid < 1000 quiet
+account sufficient pam_localuser.so {exclude if "with-files-access-provider"}
+account sufficient pam_usertype.so issystem
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
diff --git a/ansible/playbooks/files/etc/rockybanner b/ansible/playbooks/files/etc/rockybanner
index b7b2f5f..283b178 100644
--- a/ansible/playbooks/files/etc/rockybanner
+++ b/ansible/playbooks/files/etc/rockybanner
@@ -1,11 +1,3 @@
- ******* **
-/**////** /** ** **
-/** /** ****** ***** /** ** //** **
-/******* **////** **///**/** ** //***
-/**///** /** /**/** // /**** /**
-/** //** /** /**/** **/**/** **
-/** //**//****** //***** /**//** **
-// // ////// ///// // // //
+This is a Rocky Linux system
All access is logged and monitored. Unauthorized access is prohibited.
-
diff --git a/ansible/playbooks/init-rocky-system-config.yml b/ansible/playbooks/init-rocky-system-config.yml
index 7a8d771..3c20900 100644
--- a/ansible/playbooks/init-rocky-system-config.yml
+++ b/ansible/playbooks/init-rocky-system-config.yml
@@ -1,7 +1,10 @@
---
# Basic system configuration. All hardening should also be imported here.
+# Use --extra-vars="host=..." and specify a hostname in the inventory or
+# provide an ansible host group name. You can also just use "all" if you
+# want to ensure all systems are up to date on the configuration.
- name: Configure system
- hosts: all
+ hosts: "{{ host }}"
become: true
# This is to try to avoid the handler issue in pre/post tasks
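Review bot: `hosts: "{{ host }}"` makes the play abort with an undefined-variable error when no `host` is supplied, which is the safe direction but is not stated by the new comment; extend it with `# The play fails if "host" is undefined: there is no default, so targeting every host must be requested explicitly with host=all.` Keep it without a `default('all')` filter — a silent fallback would widen the blast radius of a run that forgot the variable.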
diff --git a/ansible/playbooks/tasks/account_services.yml b/ansible/playbooks/tasks/account_services.yml
index f1ea699..506a293 100644
--- a/ansible/playbooks/tasks/account_services.yml
+++ b/ansible/playbooks/tasks/account_services.yml
@@ -1,2 +1,26 @@
---
# Account Services
+- name: Install packages
+ package:
+ name:
+ - httpd
+ - mod_ssl
+ - python3
+ - python3-setuptools
+ - python3-kdcproxy
+ state: present
+
+- name: Deploy relevant httpd configuration
+ template:
+ src: "etc/httpd/conf.d/id.conf.j2"
+ dest: "/etc/httpd/conf.d/id.conf"
+ owner: root
+ group: root
+ mode: '0644'
+ notify: restart_httpd
+
+- name: Enable and start
+ systemd:
+ name: httpd
+ state: running
+ enabled: true
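Review bot: `state: running` on the `systemd` task at the end of the hunk is not an accepted value — the module takes `started`, `stopped`, `restarted` or `reloaded` — so the task fails argument validation and httpd is never enabled or started; change it to `state: started`. The handler `restart_httpd` named by `notify` is not defined in this file; confirm it exists in the play's handlers. A comment on the package task naming what is being deployed, e.g. `# Kerberos KDC proxy (python3-kdcproxy) served through httpd via id.conf`, would help a reader who only sees this task file.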
diff --git a/ansible/playbooks/tasks/authentication.yml b/ansible/playbooks/tasks/authentication.yml
index 227f3c3..14794c9 100644
--- a/ansible/playbooks/tasks/authentication.yml
+++ b/ansible/playbooks/tasks/authentication.yml
@@ -35,18 +35,18 @@
- name: Override system-auth and password-auth
copy:
- src: "etc/authselect/custom/sssd-aoc/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}-system-auth"
+ src: "etc/authselect/custom/sssd-rocky/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}-system-auth"
dest: "{{ item }}"
owner: root
group: root
mode: '0644'
loop:
- - /etc/authselect/custom/sssd-aoc/system-auth
- - /etc/authselect/custom/sssd-aoc/password-auth
+ - /etc/authselect/custom/sssd-rocky/system-auth
+ - /etc/authselect/custom/sssd-rocky/password-auth
- name: Select New Profile
command: >
- /usr/bin/authselect select custom/sssd-aoc
+ /usr/bin/authselect select custom/sssd-rocky
without-nullok
with-faillock
with-mkhomedir
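Review bot: The copy task's src still resolves through `{{ ansible_distribution }}-{{ ansible_distribution_major_version }}-system-auth`, and the only file in the renamed sssd-rocky directory shown in this diff is `RedHat-8-system-auth`; on Ansible releases that report Rocky Linux as `Rocky` rather than `RedHat` the lookup would fail with a missing source file (to be confirmed against the controller's version). Using `src: "etc/authselect/custom/sssd-rocky/{{ ansible_os_family }}-{{ ansible_distribution_major_version }}-system-auth"`, since the OS family is reported as RedHat, would make the path match the file that exists. The `authselect select` command also runs on every play with no `changed_when`, so the play always reports a change here; the enclosing task continues past the hunk.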
diff --git a/ansible/playbooks/tasks/mantis.yml b/ansible/playbooks/tasks/mantis.yml
index b0133c9..52abeee 100644
--- a/ansible/playbooks/tasks/mantis.yml
+++ b/ansible/playbooks/tasks/mantis.yml
@@ -14,15 +14,35 @@
yum:
name: "{{ mantis_pkg }}"
state: present
- vars:
- mantis_pkg:
- - php
- - php-ldap
- - httpd
- - mod_ssl
- - php-pgsql
- - php-mbstring
- - php-curl
- - openldap
tags:
- packages
+
+- name: Download the bugtracker
+ get_url:
+ url: "http://downloads.sourceforge.net/mantisbt/mantisbt-{{ mantis_version }}.tar.gz"
+ dest: "/tmp/mantisbt-{{ mantis_version }}.tar.gz"
+ checksum: "{{ mantis_checksum }}"
+
+- name: Extract mantis
+ unarchive:
+ src: "/tmp/mantisbt-{{ mantis_version }}.tar.gz"
+ dest: "/var/www"
+ owner: apache
+ group: apache
+ remote_src: true
+
+- name: Configure mantis
+ template:
+ src: "var/www/mantis/config/config_inc.php.j2"
+ dest: "/var/www/mantisbt-{{ mantis_version }}/config/config_inc.php"
+ owner: apache
+ group: apache
+ mode: '0640'
+
+- name: Configure httpd
+ template:
+ src: "etc/httpd/conf.d/mantis.conf.j2"
+ dest: "/etc/httpd/conf.d/mantis.conf"
+ owner: root
+ group: root
+ mode: '0644'
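Review bot: The bugtracker tarball is fetched over plain `http://` from downloads.sourceforge.net; `checksum: "{{ mantis_checksum }}"` pins the content only as far as that variable itself is trustworthy, so the URL should be `https://downloads.sourceforge.net/mantisbt/mantisbt-{{ mantis_version }}.tar.gz` so the transport protects the download as well. The `unarchive` task re-extracts on every run; adding `creates: "/var/www/mantisbt-{{ mantis_version }}/config"` makes it idempotent. `config_inc.php` is written owner apache, which lets the web server process rewrite its own configuration; `owner: root` with `group: apache` and the existing `mode: '0640'` keeps it readable without being writable by the service. Removing the inline `vars: mantis_pkg` list means the yum task now depends on `mantis_pkg` being defined elsewhere, which is not visible in this diff — confirm it is set.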
diff --git a/ansible/playbooks/templates/etc/httpd/conf.d/id.conf.j2 b/ansible/playbooks/templates/etc/httpd/conf.d/id.conf.j2
new file mode 100644
index 0000000..bd3f63a
--- /dev/null
+++ b/ansible/playbooks/templates/etc/httpd/conf.d/id.conf.j2
@@ -0,0 +1,48 @@
+WSGIDaemonProcess kdcproxy processes=2 threads=15 maximum-requests=1000 \
+ display-name=%{GROUP}
+WSGIImportScript /usr/lib/python3.6/site-packages/kdcproxy/__init__.py \
+ process-group=kdcproxy application-group=kdcproxy
+WSGIScriptAlias /KdcProxy /usr/lib/python3.6/site-packages/kdcproxy/__init__.py
+WSGIScriptReloading Off
+
+
Please contact Rocky Linux Staff to see if this can be corrected.
"
diff --git a/ansible/playbooks/templates/etc/httpd/conf.d/mantis.conf.j2 b/ansible/playbooks/templates/etc/httpd/conf.d/mantis.conf.j2
new file mode 100644
index 0000000..5d08ddd
--- /dev/null
+++ b/ansible/playbooks/templates/etc/httpd/conf.d/mantis.conf.j2
@@ -0,0 +1,33 @@
+