commit
84d07f4a25
@ -7,12 +7,12 @@ auth [success=done ignore=ignore default=die] pam_sss.so require_cert
|
|||||||
auth sufficient pam_fprintd.so {include if "with-fingerprint"}
|
auth sufficient pam_fprintd.so {include if "with-fingerprint"}
|
||||||
auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
|
auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
|
||||||
auth required pam_u2f.so cue nouserok {include if "with-pam-u2f-2fa"}
|
auth required pam_u2f.so cue nouserok {include if "with-pam-u2f-2fa"}
|
||||||
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
|
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
|
||||||
auth [default=1 ignore=ignore success=ok] pam_localuser.so {exclude if "with-smartcard"}
|
auth [default=1 ignore=ignore success=ok] pam_localuser.so {exclude if "with-smartcard"}
|
||||||
auth [default=2 ignore=ignore success=ok] pam_localuser.so {include if "with-smartcard"}
|
auth [default=2 ignore=ignore success=ok] pam_localuser.so {include if "with-smartcard"}
|
||||||
auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth {include if "with-smartcard"}
|
auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth {include if "with-smartcard"}
|
||||||
auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
|
auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
|
||||||
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
|
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
|
||||||
auth sufficient pam_sss.so forward_pass
|
auth sufficient pam_sss.so forward_pass
|
||||||
auth required pam_faillock.so authfail audit deny=5 unlock_time=900 fail_interval=900 {include if "with-faillock"}
|
auth required pam_faillock.so authfail audit deny=5 unlock_time=900 fail_interval=900 {include if "with-faillock"}
|
||||||
auth required pam_deny.so
|
auth required pam_deny.so
|
||||||
@ -20,8 +20,8 @@ auth required pam_deny.so
|
|||||||
account required pam_access.so {include if "with-pamaccess"}
|
account required pam_access.so {include if "with-pamaccess"}
|
||||||
account required pam_faillock.so {include if "with-faillock"}
|
account required pam_faillock.so {include if "with-faillock"}
|
||||||
account required pam_unix.so
|
account required pam_unix.so
|
||||||
account sufficient pam_localuser.so
|
account sufficient pam_localuser.so {exclude if "with-files-access-provider"}
|
||||||
account sufficient pam_succeed_if.so uid < 1000 quiet
|
account sufficient pam_usertype.so issystem
|
||||||
account [default=bad success=ok user_unknown=ignore] pam_sss.so
|
account [default=bad success=ok user_unknown=ignore] pam_sss.so
|
||||||
account required pam_permit.so
|
account required pam_permit.so
|
||||||
|
|
||||||
|
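Review bot: The move from `pam_succeed_if.so uid >= 1000` to `pam_usertype.so isregular` (both auth occurrences, plus `pam_usertype.so issystem` in the account hunk) only works on hosts whose pam build ships pam_usertype.so, and the profile file is selected by `{{ ansible_distribution_major_version }}` alone; on an older minor release of the same major the line would reference a missing module, and what happens next depends on how the `default=1` action treats a module that failed to load rather than on the intended skip. A header comment in the profile recording the minimum pam/authselect version the stack assumes, or a fail-fast check before the copy task, would make that dependency visible. The faillock policy (`deny=5 unlock_time=900 fail_interval=900`) is inlined as module arguments here; on pam builds that honour `/etc/security/faillock.conf`, keeping the numbers there avoids maintaining them in every authselect file. The matching `pam_faillock.so preauth` line, if present, sits above this hunk and is not visible here.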
@ -1,11 +1,3 @@
|
|||||||
******* **
|
This is a Rocky Linux system
|
||||||
/**////** /** ** **
|
|
||||||
/** /** ****** ***** /** ** //** **
|
|
||||||
/******* **////** **///**/** ** //***
|
|
||||||
/**///** /** /**/** // /**** /**
|
|
||||||
/** //** /** /**/** **/**/** **
|
|
||||||
/** //**//****** //***** /**//** **
|
|
||||||
// // ////// ///// // // //
|
|
||||||
|
|
||||||
All access is logged and monitored. Unauthorized access is prohibited.
|
All access is logged and monitored. Unauthorized access is prohibited.
|
||||||
|
|
||||||
|
@ -1,7 +1,10 @@
|
|||||||
---
|
---
|
||||||
# Basic system configuration. All hardening should also be imported here.
|
# Basic system configuration. All hardening should also be imported here.
|
||||||
|
# Use --extra-vars="host=..." and specify a hostname in the inventory or
|
||||||
|
# provide an ansible host group name. You can also just use "all" if you
|
||||||
|
# want to ensure all systems are up to date on the configuration.
|
||||||
- name: Configure system
|
- name: Configure system
|
||||||
hosts: all
|
hosts: "{{ host }}"
|
||||||
become: true
|
become: true
|
||||||
|
|
||||||
# This is to try to avoid the handler issue in pre/post tasks
|
# This is to try to avoid the handler issue in pre/post tasks
|
||||||
|
@ -1,2 +1,26 @@
|
|||||||
---
|
---
|
||||||
# Account Services
|
# Account Services
|
||||||
|
- name: Install packages
|
||||||
|
package:
|
||||||
|
name:
|
||||||
|
- httpd
|
||||||
|
- mod_ssl
|
||||||
|
- python3
|
||||||
|
- python3-setuptools
|
||||||
|
- python3-kdcproxy
|
||||||
|
state: present
|
||||||
|
|
||||||
|
- name: Deploy relevant httpd configuration
|
||||||
|
template:
|
||||||
|
src: "etc/httpd/conf.d/id.conf.j2"
|
||||||
|
dest: "/etc/httpd/conf.d/id.conf"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: '0644'
|
||||||
|
notify: restart_httpd
|
||||||
|
|
||||||
|
- name: Enable and start
|
||||||
|
systemd:
|
||||||
|
name: httpd
|
||||||
|
state: running
|
||||||
|
enabled: true
|
||||||
|
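Review bot: `state: running` in the `Enable and start` task is not an accepted value for the `systemd` module's `state` (it takes `started`, `stopped`, `restarted` or `reloaded`), so the play should stop with an argument error before httpd is ever started; change it to `state: started`. The template task notifies `restart_httpd`, which is not defined anywhere in this hunk — confirm a handler of that name exists in the play or its imported handlers, since Ansible otherwise errors when the notification is resolved. The vhost this deploys expects `/etc/pki/tls/certs/noggin.crt` and its key to be present already, and nothing in this file installs them; a comment on where the certificate comes from would spare the next operator a broken TLS vhost.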
@ -35,18 +35,18 @@
|
|||||||
|
|
||||||
- name: Override system-auth and password-auth
|
- name: Override system-auth and password-auth
|
||||||
copy:
|
copy:
|
||||||
src: "etc/authselect/custom/sssd-aoc/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}-system-auth"
|
src: "etc/authselect/custom/sssd-rocky/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}-system-auth"
|
||||||
dest: "{{ item }}"
|
dest: "{{ item }}"
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
mode: '0644'
|
mode: '0644'
|
||||||
loop:
|
loop:
|
||||||
- /etc/authselect/custom/sssd-aoc/system-auth
|
- /etc/authselect/custom/sssd-rocky/system-auth
|
||||||
- /etc/authselect/custom/sssd-aoc/password-auth
|
- /etc/authselect/custom/sssd-rocky/password-auth
|
||||||
|
|
||||||
- name: Select New Profile
|
- name: Select New Profile
|
||||||
command: >
|
command: >
|
||||||
/usr/bin/authselect select custom/sssd-aoc
|
/usr/bin/authselect select custom/sssd-rocky
|
||||||
without-nullok
|
without-nullok
|
||||||
with-faillock
|
with-faillock
|
||||||
with-mkhomedir
|
with-mkhomedir
|
||||||
|
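Review bot: The `Select New Profile` task runs `authselect select custom/sssd-rocky ...` on every play, so it always reports changed and, because `authselect select` refuses to proceed when the live PAM files were edited outside authselect, it can start failing on a host someone touched by hand; register the output of `authselect current` first and add `when:`/`changed_when:` so selection only happens when the profile or feature set differs. The `copy` tasks write into `/etc/authselect/custom/sssd-rocky/`, which must exist before they run; the task that creates the profile is outside this hunk, so verify it was renamed from `sssd-aoc` too. Nothing removes the old `custom/sssd-aoc` directory on hosts that already ran the previous version of the play, so the stale profile stays selectable there.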
@ -14,15 +14,35 @@
|
|||||||
yum:
|
yum:
|
||||||
name: "{{ mantis_pkg }}"
|
name: "{{ mantis_pkg }}"
|
||||||
state: present
|
state: present
|
||||||
vars:
|
|
||||||
mantis_pkg:
|
|
||||||
- php
|
|
||||||
- php-ldap
|
|
||||||
- httpd
|
|
||||||
- mod_ssl
|
|
||||||
- php-pgsql
|
|
||||||
- php-mbstring
|
|
||||||
- php-curl
|
|
||||||
- openldap
|
|
||||||
tags:
|
tags:
|
||||||
- packages
|
- packages
|
||||||
|
|
||||||
|
- name: Download the bugtracker
|
||||||
|
get_url:
|
||||||
|
url: "http://downloads.sourceforge.net/mantisbt/mantisbt-{{ mantis_version }}.tar.gz"
|
||||||
|
dest: "/tmp/mantisbt-{{ mantis_version }}.tar.gz"
|
||||||
|
checksum: "{{ mantis_checksum }}"
|
||||||
|
|
||||||
|
- name: Extract mantis
|
||||||
|
unarchive:
|
||||||
|
src: "/tmp/mantisbt-{{ mantis_version }}.tar.gz"
|
||||||
|
dest: "/var/www"
|
||||||
|
owner: apache
|
||||||
|
group: apache
|
||||||
|
remote_src: true
|
||||||
|
|
||||||
|
- name: Configure mantis
|
||||||
|
template:
|
||||||
|
src: "var/www/mantis/config/config_inc.php.j2"
|
||||||
|
dest: "/var/www/mantisbt-{{ mantis_version }}/config/config_inc.php"
|
||||||
|
owner: apache
|
||||||
|
group: apache
|
||||||
|
mode: '0640'
|
||||||
|
|
||||||
|
- name: Configure httpd
|
||||||
|
template:
|
||||||
|
src: "etc/httpd/conf.d/mantis.conf.j2"
|
||||||
|
dest: "/etc/httpd/conf.d/mantis.conf"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: '0644'
|
||||||
|
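Review bot: `Configure mantis` writes `config_inc.php` — which carries the database password and the LDAP bind password — owned by `apache:apache` with mode `0640`, so the PHP worker can rewrite its own configuration; `owner: root` with `group: apache` keeps it readable by the application but not writable from a compromised request handler. `Download the bugtracker` fetches over plain `http://`; the sha256 pin in `mantis_checksum` protects integrity, but `https://downloads.sourceforge.net/...` also keeps the request from being observed or redirected on the wire and costs nothing. `Extract mantis` hands the whole unpacked tree to `apache:apache` as well; a comment stating which directories the application genuinely needs to write would justify that and let the rest be tightened later.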
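--- /dev/null
+++ b/ansible/playbooks/templates/etc/httpd/conf.d/id.conf.j2
@@ -0,0 +1,48 @@
+WSGIDaemonProcess kdcproxy processes=2 threads=15 maximum-requests=1000 \
+display-name=%{GROUP}
+WSGIImportScript /usr/lib/python3.6/site-packages/kdcproxy/__init__.py \
+process-group=kdcproxy application-group=kdcproxy
+WSGIScriptAlias /KdcProxy /usr/lib/python3.6/site-packages/kdcproxy/__init__.py
+WSGIScriptReloading Off
+
+<VirtualHost *:80>
+ServerName accounts.rockylinux.org
+ServerAlias accounts.rockylinux.org {{ ansible_fqdn }}
+RewriteEngine On
+RewriteCond %{HTTPS} !=on
+RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
+</VirtualHost>
+
+<VirtualHost *:443>
+ServerName accounts.rockylinux.org
+ServerAlias accounts.rockylinux.org {{ ansible_fqdn }}
+RequestHeader set X-Forwarded-Proto https
+SSLCertificateFile /etc/pki/tls/certs/noggin.crt
+SSLCertificateKeyFile /etc/pki/tls/private/noggin.key
+</VirtualHost>
+
+<Location "/">
+ProxyPreserveHost On
+ProxyPass http://127.0.0.1:5000/
+ProxyPassReverse http://127.0.0.1:5000/
+<RequireAll>
+Require all granted
+Include /etc/httpd/conf/blacklist.conf
+</RequireAll>
+</Location>
+
+<Location "/KdcProxy">
+Satisfy Any
+WSGIProcessGroup kdcproxy
+WSGIApplicationGroup kdcproxy
+ProxyPass "!"
+ProxyPassReverse "!"
+<RequireAll>
+Require all granted
+Include /etc/httpd/conf/blacklist.conf
+</RequireAll>
+</Location>
+
+ServerSignature Off
+ServerTokens Prod
+ErrorDocument 403 "<h3>Your IP is on the blacklist.</h3><p>Please contact <a href="mailto:infrastructure@rockylinux.org">Rocky Linux Staff</a> to see if this can be corrected.</p>"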
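Review bot: The `<VirtualHost *:443>` block carries certificate directives but no `SSLEngine on`; Apache does not inherit that setting from the stock `_default_:443` vhost, so as written this vhost most likely answers plain HTTP on port 443 while the port-80 vhost redirects every user to it — add `SSLEngine on` beside `SSLCertificateFile`, as mantis.conf.j2 in this same commit does. `Satisfy Any` inside `<Location "/KdcProxy">` is 2.2-era syntax that only has effect with mod_access_compat loaded and is redundant next to the `RequireAll` block below it; it can be dropped. Both locations `Include /etc/httpd/conf/blacklist.conf` and the vhost references `noggin.crt`/`noggin.key`, none of which the playbook in this commit deploys, so a comment at the top naming where they come from would help. With the port-80 redirect already in place, `Header always set Strict-Transport-Security "max-age=<value>"` in the 443 vhost would keep returning browsers from ever trying HTTP first.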
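--- /dev/null
+++ b/ansible/playbooks/templates/etc/httpd/conf.d/mantis.conf.j2
@@ -0,0 +1,33 @@
+<VirtualHost *:80>
+ServerAdmin infrastructure@rockylinux.org
+DocumentRoot "/var/www/mantisbt-{{ mantis_version }}"
+ServerName bugs.rockylinux.org
+TransferLog /var/log/httpd/mantis_access.log
+ErrorLog /var/log/httpd/mantis_error.log
+<Directory "/var/www/mantisbt-{{ mantis_version }}/">
+Options MultiViews FollowSymlinks
+AllowOverride All
+Order allow,deny
+Allow from all
+</Directory>
+</VirtualHost>
+
+<VirtualHost *:443>
+SSLEngine on
+SSLHonorCipherOrder on
+SSLCipherSuite PROFILE=SYSTEM
+SSLProxyCipherSuite PROFILE=SYSTEM
+SSLCertificateFile /etc/pki/tls/certs/bugs.rockylinux.org.crt
+SSLCertificateKeyFile /etc/pki/tls/private/bugs.rockylinux.org.key
+ServerAdmin infrastructure@rockylinux.org
+DocumentRoot "/var/www/mantisbt-{{ mantis_version }}"
+ServerName bugs.rockylinux.org
+TransferLog /var/log/httpd/mantis_access.log
+ErrorLog /var/log/httpd/mantis_error.log
+<Directory "/var/www/mantisbt-{{ mantis_version }}/">
+Options MultiViews FollowSymlinks
+AllowOverride All
+Order allow,deny
+Allow from all
+</Directory>
+</VirtualHost>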
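Review bot: The `<VirtualHost *:80>` block serves the whole application (`DocumentRoot` plus the `<Directory>` stanza) over plaintext instead of redirecting, so logins and session cookies can travel unencrypted; replace its body with the redirect id.conf.j2 uses in this commit: `RewriteEngine On`, `RewriteCond %{HTTPS} !=on`, `RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]`. `Order allow,deny` / `Allow from all` are Apache 2.2 access-control directives that only work through mod_access_compat on 2.4; `Require all granted` is the 2.4 form and is already the idiom in id.conf.j2. `AllowOverride All` lets any `.htaccess` written into the document root change server behaviour; check which `.htaccess` files the MantisBT tree actually ships and relies on, and narrow this to the override types they need.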
@ -0,0 +1,40 @@
|
|||||||
|
<?php
|
||||||
|
$g_hostname = 'build-a-box.labs.angelsofclockwork.net';
|
||||||
|
$g_db_type = 'pgsql';
|
||||||
|
$g_database_name = '{{ mantis_db_name }}';
|
||||||
|
$g_db_username = '{{ mantis_db_user }}';
|
||||||
|
$g_db_password = '{{ mantis_db_pass }}';
|
||||||
|
|
||||||
|
$g_default_timezone = 'UTC';
|
||||||
|
|
||||||
|
$g_crypto_master_salt = 'DDQF2sdgdPycpzfWNSOt4KelQlz7h0kb9HHxaUFpYXk=';
|
||||||
|
|
||||||
|
# Added
|
||||||
|
$g_login_method = 'LDAP';
|
||||||
|
$g_ldap_server = '{{ rocky_ipaserver_lb }}';
|
||||||
|
$g_ldap_root_dn = '{{ rocky_ldap_user_basedn }}';
|
||||||
|
$g_ldap_organization = '(objectClass=posixAccount)';
|
||||||
|
$g_ldap_protocol_version = 3;
|
||||||
|
$g_ldap_network_timeout = 30;
|
||||||
|
$g_ldap_follow_referrals = ON;
|
||||||
|
$g_ldap_bind_dn = '{{ mantis_binder_user }}';
|
||||||
|
$g_ldap_bind_passwd = '{{ mantis_binder_pass }}';
|
||||||
|
$g_ldap_uid_field = 'uid';
|
||||||
|
$g_ldap_realname_field = 'cn';
|
||||||
|
$g_use_ldap_realname = ON;
|
||||||
|
$g_use_ldap_email = ON;
|
||||||
|
|
||||||
|
$g_webmaster_email = 'infrastructure@rockylinux.org';
|
||||||
|
$g_from_email = 'noreply@rockylinux.org';
|
||||||
|
$g_return_path_email = 'noreply@rockylinux.org';
|
||||||
|
$g_from_name = 'Rocky Linux Bugzilla';
|
||||||
|
$g_allow_file_upload = ON;
|
||||||
|
$g_file_upload_method = DATABASE; # or DISK
|
||||||
|
$g_dropzone_enabled = ON;
|
||||||
|
$g_show_realname = ON;
|
||||||
|
$g_allowed_files = 'log,patch,txt';
|
||||||
|
$g_disallowed_files = 'exe,tar,tgz,tar.gz,pl,sh';
|
||||||
|
$g_window_title = 'Rocky Bugzilla';
|
||||||
|
$g_allow_signup = OFF;
|
||||||
|
$g_allow_anonymous_login = ON;
|
||||||
|
$g_anonymous_account = 'anonymous';
|
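Review bot: `$g_crypto_master_salt` is a literal secret checked into the repository; MantisBT derives session and token material from it, so it should be supplied like `mantis_db_pass` is — from the vaulted vars via a new variable (e.g. `'{{ mantis_crypto_master_salt }}'`) — and the value shown here treated as exposed and regenerated before deployment. `$g_hostname` is MantisBT's database host, and it is hard-coded to `build-a-box.labs.angelsofclockwork.net`, a lab machine outside rockylinux.org; template it (e.g. `'{{ mantis_db_host }}'`) so the production play cannot point at it. A short header comment listing which vars file provides each `{{ }}` value would make the template self-describing. The file header for this template is not shown on this page, so its path is inferred from the `Configure mantis` task.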
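--- /dev/null
+++ b/ansible/playbooks/vars/ipaserver.yml
@@ -0,0 +1,2 @@
+---
+ipatype: server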
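--- /dev/null
+++ b/ansible/playbooks/vars/mantis.yml
@@ -0,0 +1,18 @@
+---
+# mantis vars
+mantis_version: 2.24.2
+mantis_checksum: "sha256:c1b483c8395a0fb1249bcc50ada203db584d819f4f6f606b1d1eec42c5205cb8"
+mantis_pkg:
+- php
+- php-ldap
+- httpd
+- mod_ssl
+- php-pgsql
+- php-mbstring
+- php-curl
+- openldap
+mantis_db_name: mantis
+mantis_db_user: mantis
+#mantis_db_pass: ThisIsNotThePassword!
+mantis_binder_user: "uid=mantis_binder,cn=sysaccounts,cn=etc,dc=rockylinux,dc=org"
+#mantis_binder_pass: ThisIsNotThePassword!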
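Review bot: `mantis_db_pass` and `mantis_binder_pass` exist here only as commented-out placeholders, yet `config_inc.php.j2` in this commit renders both; with Ansible's default undefined-variable handling the template task fails, which is the right fail-closed outcome, but the file should say where the real values come from. Replace the two `#...: ThisIsNotThePassword!` lines with a comment such as `# mantis_db_pass and mantis_binder_pass come from the vaulted vars file; never set them here`. `mantis_version: 2.24.2` parses as a string today, but quoting it (`"2.24.2"`) guards against a future two-component release such as `2.25` being read as a float and breaking the `mantisbt-{{ mantis_version }}` paths.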