From f32720f0de24f527d3d8c4d3e4d1c236dc5ece31 Mon Sep 17 00:00:00 2001
From: nazunalika
Date: Mon, 14 Dec 2020 02:01:23 -0700
Subject: [PATCH] adding ipsilon
---
 ansible/playbooks/role-rocky-ipa-ipsilon.yml | 38 +++++++++++++
 ansible/playbooks/vars/ipsilon.yml | 59 ++++++++++++++++++++
 ansible/roles/requirements.yml | 1 +
 3 files changed, 98 insertions(+)
 create mode 100644 ansible/playbooks/role-rocky-ipa-ipsilon.yml
 create mode 100644 ansible/playbooks/vars/ipsilon.yml
diff --git a/ansible/playbooks/role-rocky-ipa-ipsilon.yml b/ansible/playbooks/role-rocky-ipa-ipsilon.yml
new file mode 100644
index 0000000..751cf5c
--- /dev/null
+++ b/ansible/playbooks/role-rocky-ipa-ipsilon.yml
@@ -0,0 +1,38 @@
+---
+# Installs ipsilon for basic SSO services
+- name: Install and configure ipsilon server
+ hosts: ipsilon
+ become: true
+ vars_files:
+ - vars/encpass.yml
+
+ # This is to try to avoid the handler issue in pre/post tasks
+ handlers:
+ - import_tasks: handlers/main.yml
+
+ pre_tasks:
+ - name: Check if ansible cannot be run here
+ stat:
+ path: /etc/no-ansible
+ register: no_ansible
+
+ - name: Verify if we can run ansible
+ assert:
+ that:
+ - "not no_ansible.stat.exists"
+ msg: "/etc/no-ansible exists - skipping run on this node"
+
+ # For now, this is sufficient for testing with a localhost cert. In the
+ # future we will come up with a way to issue either an internal cert with a
+ # front-facing externally signed cert, or just external altogether.
+ roles:
+ - role: rockylinux.ipsilon
+
+ post_tasks:
+ - name: Touching run file that ansible has ran here
+ file:
+ path: /var/log/ansible.run
+ state: touch
+ mode: '0644'
+ owner: root
+ group: root
diff --git a/ansible/playbooks/vars/ipsilon.yml b/ansible/playbooks/vars/ipsilon.yml
new file mode 100644
index 0000000..3c5e960
--- /dev/null
+++ b/ansible/playbooks/vars/ipsilon.yml
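Review bot: The vars file this commit adds, vars/ipsilon.yml, is never loaded by the playbook — `vars_files:` lists only `vars/encpass.yml`, so the `ipsilon_databases`, `ipsilon_database_users` and `apache_*` settings defined there would not reach the rockylinux.ipsilon role unless something outside this patch loads them. Add `    - vars/ipsilon.yml` under `vars_files:`. The comment above `roles:` describes a localhost-cert testing setup; it would help to say there that `apache_ignore_missing_ssl_certificate: true` in vars/ipsilon.yml is the matching temporary switch, so both are revisited together once real certificates are issued.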
@@ -0,0 +1,59 @@
+---
+# Vars for ipsilon
+ipsilon_databases:
+ - name: rockyipsilon
+
+ipsilon_database_users:
+ - name: ipsilon
+ host: "localhost"
+ password: "{{ ipsilon_db_password }}"
+ priv: "ipsilon.*:ALL"
+
+# apache configuration for ipsilon
+apache_listen_port: 80
+apache_listen_port_ssl: 443
+apache_create_vhosts: true
+apache_vhosts_filename: "vhosts_ipsilon.conf"
+apache_ssl_protocol: "PROFILE=SYSTEM"
+apache_ssl_cipher_suite: "PROFILE=SYSTEM"
+# Setting this to true for now until we have certificates. The parameters will
+# be certificate_file, certificate_key_file, and certificate_chain_file
+apache_ignore_missing_ssl_certificate: true
+apache_vhosts:
+ - servername: "{{ inventory_hostname }}"
+ documentroot: /var/www/html
+ serveradmin: identitymanagement@rockylinux.org
+ extra_parameters: |
+ CustomLog logs/{{ inventory_hostname }}_access.log combined
+ ErrorLog logs/{{ inventory_hostname }}_error.log
+ AccessFileName .htaccess
+ Header always set X-Frame-Options "SAMEORIGIN"
+ Header always set X-Xss-Protection "1; mode=block"
+ Header always set X-Content-Type-Options "nosniff"
+ Header always set Referrer-Policy "same-origin"
+ RewriteEngine On
+ RewriteCond $1 !^.well-known
+ RewriteCond %{HTTPS} !=on
+ RewriteRule ^/?(.*) https://{{ inventory_hostname }}/$1 [R,L]
+ - servername: "{{ inventory_hostname }}"
+ documentroot: /var/www/html
+ serveradmin: identitymanagement@rockylinux.org
+ extra_parameters: |
+ RewriteEngine On
+ RewriteCond $1 !^idp
+ RewriteRule ^/?(.*) https://%{SERVER_NAME}/idp [R,L]
+ Header always set Strict-Transport-Security "max-age=31536000"
+ Header always set X-Xss-Protection "1; mode=block"
+ Header always set X-Content-Type-Options "nosniff"
+ Header always set Referrer-Policy "same-origin"
+ ErrorLog logs/ssl-{{ inventory_hostname }}_error.log
+ TransferLog logs/ssl-{{ inventory_hostname }}_access.log
+ LogLevel warn
+
+ SSLOptions +StdEnvVars
+
+
+ SSLOptions +StdEnvVars
+
+ SetEnvIf User-Agent ".*MSIE.*" 
nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
+ CustomLog logs/ssl-seven.rockylinux.org.org_request.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
diff --git a/ansible/roles/requirements.yml b/ansible/roles/requirements.yml
index 1330c7b..52678cb 100644
--- a/ansible/roles/requirements.yml
+++ b/ansible/roles/requirements.yml
@@ -15,3 +15,4 @@ collections:
 version: 0.3.1
 - name: community.general
 - name: ansible.posix
+ - name: community.mysql.mysql_db
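Review bot: The MySQL grant and the database name disagree: `ipsilon_databases` creates `rockyipsilon`, but the `ipsilon` user is granted `priv: "ipsilon.*:ALL"`, so the DB user ends up with no rights on the database that is actually created (and full rights on one that does not exist); one of the two names should change, e.g. `priv: "rockyipsilon.*:ALL"`. The last `CustomLog` in the SSL vhost hard-codes `logs/ssl-seven.rockylinux.org.org_request.log` (note the doubled `.org`) while every other log path uses `{{ inventory_hostname }}`; `CustomLog logs/ssl-{{ inventory_hostname }}_request.log ...` keeps it host-independent. The SSL vhost also drops the `Header always set X-Frame-Options "SAMEORIGIN"` that the plain-HTTP vhost sets, yet the HTTP vhost only redirects and the 443 side is where Ipsilon's pages are served, so the clickjacking protection belongs there too. Both entries sit in `apache_vhosts` with the same `servername`; if this is the geerlingguy-style apache role that these variable names suggest, the TLS vhost belongs under `apache_vhosts_ssl`, otherwise the second entry is rendered as another port-80 vhost carrying SSL-only directives — verify against the role actually used.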
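Review bot: `community.mysql.mysql_db` is the fully-qualified name of a module, not of a collection, so `ansible-galaxy collection install -r requirements.yml` cannot resolve the new entry; the collection that provides `mysql_db` (and `mysql_user`, which the database-user list in vars/ipsilon.yml would also need) is `community.mysql`. Change the added line to `  - name: community.mysql`. The indentation of the surrounding context lines is not recoverable from this rendering, so match the existing `- name:` entries.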