Merge pull request #14975 from rocky-linux/develop

General Fixes

ansible/playbooks/files/etc/authselect/custom/sssd-rocky/RedHat-8-system-auth

@@ -7,12 +7,12 @@ auth        [success=done ignore=ignore default=die]     pam_sss.so require_cert
 auth        sufficient                                   pam_fprintd.so                                         {include if "with-fingerprint"}
 auth        sufficient                                   pam_u2f.so cue                                         {include if "with-pam-u2f"}
 auth        required                                     pam_u2f.so cue nouserok                                {include if "with-pam-u2f-2fa"}
-auth        [default=1 ignore=ignore success=ok]         pam_succeed_if.so uid >= 1000 quiet
+auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
 auth        [default=1 ignore=ignore success=ok]         pam_localuser.so                                       {exclude if "with-smartcard"}
 auth        [default=2 ignore=ignore success=ok]         pam_localuser.so                                       {include if "with-smartcard"}
 auth        [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth           {include if "with-smartcard"}
 auth        sufficient                                   pam_unix.so {if not "without-nullok":nullok} try_first_pass
-auth        requisite                                    pam_succeed_if.so uid >= 1000 quiet_success
+auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
 auth        sufficient                                   pam_sss.so forward_pass
 auth        required                                     pam_faillock.so authfail audit deny=5 unlock_time=900 fail_interval=900       {include if "with-faillock"}
 auth        required                                     pam_deny.so
@@ -20,8 +20,8 @@ auth        required                                     pam_deny.so
 account     required                                     pam_access.so                                          {include if "with-pamaccess"}
 account     required                                     pam_faillock.so                                        {include if "with-faillock"}
 account     required                                     pam_unix.so
-account     sufficient                                   pam_localuser.so
-account     sufficient                                   pam_succeed_if.so uid < 1000 quiet
+account     sufficient                                   pam_localuser.so                                       {exclude if "with-files-access-provider"}
+account     sufficient                                   pam_usertype.so issystem
 account     [default=bad success=ok user_unknown=ignore] pam_sss.so
 account     required                                     pam_permit.so
 

ansible/playbooks/files/etc/rockybanner

@@ -1,11 +1,3 @@
- *******                    **             
-/**////**                  /**      **   **
-/**   /**   ******   ***** /**  ** //** ** 
-/*******   **////** **///**/** **   //***  
-/**///**  /**   /**/**  // /****     /**   
-/**  //** /**   /**/**   **/**/**    **    
-/**   //**//****** //***** /**//**  **     
-//     //  //////   /////  //  //  //      
+This is a Rocky Linux system
 
 All access is logged and monitored. Unauthorized access is prohibited.
-

ansible/playbooks/init-rocky-system-config.yml

@@ -1,7 +1,10 @@
 ---
 # Basic system configuration. All hardening should also be imported here.
+# Use --extra-vars="host=..." and specify a hostname in the inventory or
+# provide an ansible host group name. You can also just use "all" if you
+# want to ensure all systems are up to date on the configuration.
 - name: Configure system
-  hosts: all
+  hosts: "{{ host }}"
   become: true
 
   # This is to try to avoid the handler issue in pre/post tasks

ansible/playbooks/tasks/account_services.yml

@@ -1,2 +1,26 @@
 ---
 # Account Services
+- name: Install packages
+  package:
+    name:
+      - httpd
+      - mod_ssl
+      - python3
+      - python3-setuptools
+      - python3-kdcproxy
+    state: present
+
+- name: Deploy relevant httpd configuration
+  template:
+    src: "etc/httpd/conf.d/id.conf.j2"
+    dest: "/etc/httpd/conf.d/id.conf"
+    owner: root
+    group: root
+    mode: '0644'
+  notify: restart_httpd
+
+- name: Enable and start
+  systemd:
+    name: httpd
+    state: running
+    enabled: true

ansible/playbooks/tasks/authentication.yml

@@ -35,18 +35,18 @@
 
     - name: Override system-auth and password-auth
       copy:
-        src: "etc/authselect/custom/sssd-aoc/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}-system-auth"
+        src: "etc/authselect/custom/sssd-rocky/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}-system-auth"
         dest: "{{ item }}"
         owner: root
         group: root
         mode: '0644'
       loop:
-        - /etc/authselect/custom/sssd-aoc/system-auth
-        - /etc/authselect/custom/sssd-aoc/password-auth
+        - /etc/authselect/custom/sssd-rocky/system-auth
+        - /etc/authselect/custom/sssd-rocky/password-auth
 
     - name: Select New Profile
       command: >
-        /usr/bin/authselect select custom/sssd-aoc
+        /usr/bin/authselect select custom/sssd-rocky
         without-nullok
         with-faillock
         with-mkhomedir

ansible/playbooks/tasks/mantis.yml

@@ -14,15 +14,35 @@
   yum:
     name: "{{ mantis_pkg }}"
     state: present
-  vars:
-    mantis_pkg:
-      - php
-      - php-ldap
-      - httpd
-      - mod_ssl
-      - php-pgsql
-      - php-mbstring
-      - php-curl
-      - openldap
   tags:
     - packages
+
+- name: Download the bugtracker
+  get_url:
+    url: "http://downloads.sourceforge.net/mantisbt/mantisbt-{{ mantis_version }}.tar.gz"
+    dest: "/tmp/mantisbt-{{ mantis_version }}.tar.gz"
+    checksum: "{{ mantis_checksum }}"
+
+- name: Extract mantis
+  unarchive:
+    src: "/tmp/mantisbt-{{ mantis_version }}.tar.gz"
+    dest: "/var/www"
+    owner: apache
+    group: apache
+    remote_src: true
+
+- name: Configure mantis
+  template:
+    src: "var/www/mantis/config/config_inc.php.j2"
+    dest: "/var/www/mantisbt-{{ mantis_version }}/config/config_inc.php"
+    owner: apache
+    group: apache
+    mode: '0640'
+
+- name: Configure httpd
+  template:
+    src: "etc/httpd/conf.d/mantis.conf.j2"
+    dest: "/etc/httpd/conf.d/mantis.conf"
+    owner: root
+    group: root
+    mode: '0644'

ansible/playbooks/templates/etc/httpd/conf.d/id.conf.j2

@@ -0,0 +1,48 @@
+WSGIDaemonProcess kdcproxy processes=2 threads=15 maximum-requests=1000 \
+  display-name=%{GROUP}
+WSGIImportScript /usr/lib/python3.6/site-packages/kdcproxy/__init__.py \
+  process-group=kdcproxy application-group=kdcproxy
+WSGIScriptAlias /KdcProxy /usr/lib/python3.6/site-packages/kdcproxy/__init__.py
+WSGIScriptReloading Off
+
+<VirtualHost *:80>
+  ServerName accounts.rockylinux.org
+  ServerAlias accounts.rockylinux.org {{ ansible_fqdn }}
+  RewriteEngine On
+  RewriteCond %{HTTPS}  !=on
+  RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
+</VirtualHost>
+
+<VirtualHost *:443>
+  ServerName accounts.rockylinux.org
+  ServerAlias accounts.rockylinux.org {{ ansible_fqdn }}
+  RequestHeader set X-Forwarded-Proto https
+  SSLCertificateFile /etc/pki/tls/certs/noggin.crt
+  SSLCertificateKeyFile /etc/pki/tls/private/noggin.key
+</VirtualHost>
+
+<Location "/">
+  ProxyPreserveHost On
+  ProxyPass http://127.0.0.1:5000/
+  ProxyPassReverse http://127.0.0.1:5000/
+  <RequireAll>
+    Require all granted
+    Include /etc/httpd/conf/blacklist.conf
+  </RequireAll>
+</Location>
+
+<Location "/KdcProxy">
+  Satisfy Any
+  WSGIProcessGroup kdcproxy
+  WSGIApplicationGroup kdcproxy
+  ProxyPass "!"
+  ProxyPassReverse "!"
+  <RequireAll>
+    Require all granted
+    Include /etc/httpd/conf/blacklist.conf
+  </RequireAll>
+</Location>
+
+ServerSignature Off
+ServerTokens Prod
+ErrorDocument 403 "<h3>Your IP is on the blacklist.</h3><p>Please contact <a href="mailto:infrastructure@rockylinux.org">Rocky Linux Staff</a> to see if this can be corrected.</p>"

ansible/playbooks/templates/etc/httpd/conf.d/mantis.conf.j2

@@ -0,0 +1,33 @@
+<VirtualHost *:80>
+  ServerAdmin infrastructure@rockylinux.org
+  DocumentRoot "/var/www/mantisbt-{{ mantis_version }}"
+  ServerName bugs.rockylinux.org
+  TransferLog /var/log/httpd/mantis_access.log
+  ErrorLog /var/log/httpd/mantis_error.log
+  <Directory "/var/www/mantisbt-{{ mantis_version }}/">
+    Options MultiViews FollowSymlinks
+    AllowOverride All
+    Order allow,deny
+    Allow from all
+  </Directory>
+</VirtualHost>
+
+<VirtualHost *:443>
+  SSLEngine on
+  SSLHonorCipherOrder on
+  SSLCipherSuite PROFILE=SYSTEM
+  SSLProxyCipherSuite PROFILE=SYSTEM
+  SSLCertificateFile /etc/pki/tls/certs/bugs.rockylinux.org.crt
+  SSLCertificateKeyFile /etc/pki/tls/private/bugs.rockylinux.org.key
+  ServerAdmin infrastructure@rockylinux.org
+  DocumentRoot "/var/www/mantisbt-{{ mantis_version }}"
+  ServerName bugs.rockylinux.org
+  TransferLog /var/log/httpd/mantis_access.log
+  ErrorLog /var/log/httpd/mantis_error.log
+  <Directory "/var/www/mantisbt-{{ mantis_version }}/">
+    Options MultiViews FollowSymlinks
+    AllowOverride All
+    Order allow,deny
+    Allow from all
+  </Directory>
+</VirtualHost>

ansible/playbooks/templates/var/www/mantis/config/config_inc.php.j2

@@ -0,0 +1,40 @@
+<?php
+$g_hostname               = 'build-a-box.labs.angelsofclockwork.net';
+$g_db_type                = 'pgsql';
+$g_database_name          = '{{ mantis_db_name }}';
+$g_db_username            = '{{ mantis_db_user }}';
+$g_db_password            = '{{ mantis_db_pass }}';
+
+$g_default_timezone       = 'UTC';
+
+$g_crypto_master_salt     = 'DDQF2sdgdPycpzfWNSOt4KelQlz7h0kb9HHxaUFpYXk=';
+
+# Added
+$g_login_method          = 'LDAP';
+$g_ldap_server           = '{{ rocky_ipaserver_lb }}';
+$g_ldap_root_dn          = '{{ rocky_ldap_user_basedn }}';
+$g_ldap_organization     = '(objectClass=posixAccount)';
+$g_ldap_protocol_version = 3;
+$g_ldap_network_timeout  = 30;
+$g_ldap_follow_referrals = ON;
+$g_ldap_bind_dn          = '{{ mantis_binder_user }}';
+$g_ldap_bind_passwd      = '{{ mantis_binder_pass }}';
+$g_ldap_uid_field        = 'uid';
+$g_ldap_realname_field   = 'cn';
+$g_use_ldap_realname     = ON;
+$g_use_ldap_email        = ON;
+
+$g_webmaster_email       = 'infrastructure@rockylinux.org';
+$g_from_email            = 'noreply@rockylinux.org';
+$g_return_path_email     = 'noreply@rockylinux.org';
+$g_from_name             = 'Rocky Linux Bugzilla';
+$g_allow_file_upload     = ON;
+$g_file_upload_method    = DATABASE; # or DISK
+$g_dropzone_enabled      = ON;
+$g_show_realname         = ON;
+$g_allowed_files         = 'log,patch,txt';
+$g_disallowed_files      = 'exe,tar,tgz,tar.gz,pl,sh';
+$g_window_title          = 'Rocky Bugzilla';
+$g_allow_signup          = OFF;
+$g_allow_anonymous_login = ON;
+$g_anonymous_account     = 'anonymous';

ansible/playbooks/vars/ipaserver.yml

@@ -0,0 +1,2 @@
+---
+ipatype: server

ansible/playbooks/vars/mantis.yml

@@ -0,0 +1,18 @@
+---
+# mantis vars
+mantis_version: 2.24.2
+mantis_checksum: "sha256:c1b483c8395a0fb1249bcc50ada203db584d819f4f6f606b1d1eec42c5205cb8"
+mantis_pkg:
+  - php
+  - php-ldap
+  - httpd
+  - mod_ssl
+  - php-pgsql
+  - php-mbstring
+  - php-curl
+  - openldap
+mantis_db_name: mantis
+mantis_db_user: mantis
+#mantis_db_pass: ThisIsNotThePassword!
+mantis_binder_user: "uid=mantis_binder,cn=sysaccounts,cn=etc,dc=rockylinux,dc=org"
+#mantis_binder_pass: ThisIsNotThePassword!