fix cdn

ansible/playbooks/files/etc/systemd/system/noggin.service

@@ -0,0 +1,16 @@
+[Unit]
+Description=noggin
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Environment=FLASK_APP=/opt/noggin/noggin/noggin/app.py
+Environment=NOGGIN_CONFIG_PATH=/opt/noggin/noggin.cfg
+Environment=FLASK_DEBUG=1
+User=noggin
+WorkingDirectory=/opt/noggin/noggin
+ExecStart=/bin/bash /opt/noggin/start_noggin.sh
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target

ansible/playbooks/init-rocky-noggin.yml

@@ -0,0 +1,34 @@
+---
+# (Re)deploys the noggin theme
+- name: Deploy Noggin
+  hosts: "idp"
+  become: true
+
+  handlers:
+    - import_tasks: handlers/main.yml
+
+  pre_tasks:
+    - name: Check if ansible cannot be run here
+      stat:
+        path: /etc/no-ansible
+      register: no_ansible
+
+    - name: Verify if we can run ansible
+      assert:
+        that:
+          - "not no_ansible.stat.exists"
+        success_msg: "We are not able to run on this node"
+        fail_msg: "/etc/no-ansible exists - skipping run on this node"
+
+  tasks:
+    - name: Deploy Noggin
+      import_tasks: "tasks/noggin.yml"
+
+  post_tasks:
+    - name: Touching run file that ansible has ran here
+      file:
+        path: /var/log/ansible.run
+        state: touch
+        mode: '0644'
+        owner: root
+        group: root

ansible/playbooks/tasks/noggin.yml

@@ -0,0 +1,79 @@
+---
+- name: Ensure python is installed
+  yum:
+    name:
+      - python3
+      - python3-pip
+
+- name: Ensure noggin user exists
+  user:
+    name: noggin
+    comment: "Noggin FAS"
+
+- name: Create noggin directory
+  file:
+    path: /opt/noggin
+    state: directory
+    mode: '0700'
+    owner: noggin
+    group: noggin
+
+- name: Deploy noggin
+  git:
+    repo: https://github.com/fedora-infra/noggin.git
+    dest: /opt/noggin/noggin
+    update: true
+    version: main
+  become: true
+  become_user: noggin
+
+- name: Noggin user must install poetry
+  pip:
+    name: poetry
+    executable: pip3
+  become: true
+  become_user: noggin
+
+- name: Remove any pycache
+  file:
+    path: "/home/noggin/.cache/pypoetry"
+    state: absent
+
+- name: Noggin installation
+  shell:
+    cmd: "/home/noggin/.local/bin/poetry install --no-dev --extras deploy"
+    chdir: "/opt/noggin/noggin"
+  become: true
+  become_user: noggin
+
+- name: Get the noggin poetry virtualenv
+  shell:
+    cmd: "poetry env list | awk '{print $1}'"
+    chdir: "/opt/noggin/noggin"
+  become: true
+  become_user: noggin
+  register: virtualenv_location
+
+- name: Deploy start up script
+  template:
+    src: "opt/noggin/start_noggin.sh.j2"
+    dest: "/opt/noggin/start_noggin.sh"
+    mode: '0750'
+    user: noggin
+    group: noggin
+
+- name: Deploy systemd unit
+  copy:
+    src: "etc/systemd/system/noggin.service"
+    dest: "/etc/systemd/system/noggin.service"
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: Deploy noggin configuration
+  template:
+    src: "opt/noggin/noggin.cfg.j2"
+    dest: "/opt/noggin/noggin.cfg"
+    owner: noggin
+    group: noggin
+    mode: '0600'

ansible/playbooks/templates/etc/gitlab/rocky_gitlab.rb

@@ -136,3 +136,6 @@ gitlab_rails['db_password'] = '{{ gitlab_external_db_password }}'
 {% if gitlab_trusted_proxies %}
 gitlab_rails['trusted_proxies'] = '{{ gitlab_trusted_proxies | map("to_json") | join(", ") }}'
 {% endif %}
+
+gitlab_rails['gravatar_enabled'] = true
+gitlab_rails['gravatar_ssl_url'] = "https://seccdn.libravatar.org/avatar/%{hash}?s=%{size}&d=retro"

ansible/playbooks/templates/opt/noggin/noggin.cfg

@@ -0,0 +1,23 @@
+TEMPLATES_AUTO_RELOAD = False
+FREEIPA_SERVERS = []
+FREEIPA_CACERT = '/etc/ipa/ca.crt'
+FREEIPA_ADMIN_USER = 'userman'
+FREEIPA_ADMIN_PASSWORD = '{{ rocky_ldap_userman_pw }}'
+THEME = "rocky"
+FERNET_SECRET = b'NOTASECRET='
+SECRET_KEY = b'NOTASECRET='
+SESSION_COOKIE_HTTPONLY = True
+SESSION_COOKIE_SECURE = True
+USER_DEFAULTS = {
+    "locale": "en-US",
+    "timezone": "UTC",
+    "status_note": "active",
+}
+REGISTRATION_OPEN = True
+ACTIVATION_TOKEN_EXPIRATION = 30
+PASSWORD_RESET_EXPIRATION = 10
+MAIL_DEFAULT_SENDER = "Account Services <identitymanagement@rockylinux.org>"
+MAIL_SUPPRESS_SEND = False
+AVATAR_SERVICE_URL = "https://seccdn.libravatar.org/"
+AVATAR_DEFAULT_TYPE = "retro"
+FEDORA_MESSAGING_ENABLED = False

ansible/playbooks/templates/opt/noggin/start_noggin.sh.j2

@@ -0,0 +1,14 @@
+#!/bin/bash
+export PATH=/home/noggin/.local/bin:/home/noggin/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin
+export NOGGIN_CONFIG_PATH=/opt/noggin/noggin.cfg
+export FLASK_DEBUG=1
+export FLASK_APP=/opt/noggin/noggin/noggin/app.py
+source /home/noggin/.cache/pypoetry/virtualenvs/{{ virtualenv_location.stdout }}/bin/activate
+cd /opt/noggin/noggin
+#/home/noggin/.local/bin/poetry run flask run -h 0.0.0.0
+# --certfile=/etc/pki/tls/certs/noggin.crt \
+# --keyfile=/etc/pki/tls/private/noggin.key \
+gunicorn -w 3 \
+ --env NOGGIN_CONFIG_PATH=/opt/noggin/noggin.cfg \
+ --bind tcp://0.0.0.0:5000 \
+ noggin.app:app

ansible/playbooks/vars/common.yml

@@ -9,3 +9,5 @@ rocky_ipaserver_list: "{{ groups['ipaserver'] + groups['ipareplicas'] }}"
 rocky_ipaserver_lb: "ipa-lb.rockylinux.org"
 # This will need to be vaulted
 rocky_ldap_bind_pw: "{{ ipa_binder_password }}"
+rocky_ldap_userman_dn: "uid=userman,cn=users,cn=accounts,dc=rockylinux,dc=org"
+rocky_ldap_userman_pw: "{{ ipa_userman_password }}"