diff --git a/buildKaraage3.x.yml b/buildKaraage3.x.yml
index 6523ca2f5fde8a5796ef9dfc536fc1e833e39db5..16c15168613e7e18925483d26ce2097064d05c28 100644
--- a/buildKaraage3.x.yml
+++ b/buildKaraage3.x.yml
@@ -50,6 +50,7 @@
 - etcHosts
 - easy-rsa-certificate
 - karaage3.1.17
+ - shibboleth-sp
 sudo: true
 vars:
 - x509_ca_server: "{% for host in groups['ldap-server'] %}{{ hostvars[host]['ansible_fqdn'] }}{% endfor %}"
@@ -78,3 +79,138 @@ - x509_csr_args: "" - x509_sign_args: "{{ x509_csr_args }}" - x509_common_name: "{{ inventory_hostname }}" + - aaf_federation_url: "https://ds.test.aaf.edu.au/distribution/metadata" + - aaf_discovery_url: "https://ds.test.aaf.edu.au/discovery/DS" + - admin_email: "shahaan@gmail.com" + - aaf_metadata_xml: '<EntityDescriptor entityID="https://vm-118-138-241-159.erc.monash.edu.au/shibboleth" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:metadata saml-schema-metadata-2.0.xsd urn:mace:shibboleth:metadata:1.0 shibboleth-metadata-1.0.xsd http://www.w3.org/2000/09/xmldsig# xmldsig-core-schema.xsd"> + <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> + <Extensions> + <dsr:DiscoveryResponse xmlns:dsr="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="https://vm-118-138-241-159.erc.monash.edu.au/Shibboleth.sso/Login" index="0" isDefault="true" /> + </Extensions> + <KeyDescriptor use="signing"> + <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> + <ds:X509Data> + <ds:X509Certificate> +MIIFDDCCA/SgAwIBAgIJALO1/Blx64tvMA0GCSqGSIb3DQEBCwUAMIG0MQswCQYD +VQQGEwJBVTEMMAoGA1UECBMDVklDMRIwEAYDVQQHEwlNZWxib3VybmUxDTALBgNV +BAoTBE1lUkMxETAPBgNVBAsTCG9wZW5sZGFwMS0wKwYDVQQDEyR2bS0xMTgtMTM4 +LTI0MS0xNTkuZXJjLm1vbmFzaC5lZHUuYXUxEDAOBgNVBCkTB0Vhc3lSU0ExIDAe +BgkqhkiG9w0BCQEWEXNoYWhhYW5AZ21haWwuY29tMB4XDTE1MDMyMzEyMjYzOFoX +DTI1MDMyMDEyMjYzOFowgbQxCzAJBgNVBAYTAkFVMQwwCgYDVQQIEwNWSUMxEjAQ +BgNVBAcTCU1lbGJvdXJuZTENMAsGA1UEChMETWVSQzERMA8GA1UECxMIb3Blbmxk +YXAxLTArBgNVBAMTJHZtLTExOC0xMzgtMjQxLTE1OS5lcmMubW9uYXNoLmVkdS5h +dTEQMA4GA1UEKRMHRWFzeVJTQTEgMB4GCSqGSIb3DQEJARYRc2hhaGFhbkBnbWFp 
+bC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDTcsIqn/HKgeRK +gj4rXYu8V/kTkv63d2Rtmv6zSlRwtjKBCvePEo/4ZpwOK235kBfX9KZKU9wlyFhf +DdmOvIBYvhrLqtIYNfMWLt8iUFkdt2N/dNmftu7WUXuZezsRXMqbPG7dLjMLyJ7D +7UCox1IB2SYzHx0K9w7PtCleV5A/o9Eg/7G8/FvOCB5askY/YywzEWLrxIYYn6Cr +Gsioh5hXxac9p3KuO6dvbMLIMHVZ4u7mbLrdp/e6TZTlyZN+Tfbjta0VYBw0beuS +KpwZc8Toow2B22O3K15o6tr0nvVSTEj2Qrd+LPolFSFBKVaD+9G/i0FMLHNOuQVP +Cw/62vEnAgMBAAGjggEdMIIBGTAdBgNVHQ4EFgQUouRhu/Wc+jU1rfUd+kiqbtg/ +q3cwgekGA1UdIwSB4TCB3oAUouRhu/Wc+jU1rfUd+kiqbtg/q3ehgbqkgbcwgbQx +CzAJBgNVBAYTAkFVMQwwCgYDVQQIEwNWSUMxEjAQBgNVBAcTCU1lbGJvdXJuZTEN +MAsGA1UEChMETWVSQzERMA8GA1UECxMIb3BlbmxkYXAxLTArBgNVBAMTJHZtLTEx +OC0xMzgtMjQxLTE1OS5lcmMubW9uYXNoLmVkdS5hdTEQMA4GA1UEKRMHRWFzeVJT +QTEgMB4GCSqGSIb3DQEJARYRc2hhaGFhbkBnbWFpbC5jb22CCQCztfwZceuLbzAM +BgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQDFKPmj1TGpUZsdviOwMjU/ +IHqZ+3RwFcvkfBu8JmwxaO86GrC1mwZyQExvQLQF6LLaGHyVlZa3PxUkmcqq1for +ZcYYyVRip4fgtOI6WcKg+nWI9+rDX5fU5gZAYm3er4MNZ/R7sTmgHEemOcuSiatQ +hDoUkv9GOZKoxw4uJJq/yUumAkziAIuMWoTHYrR9cqOkoKQiFUjqmhI3m4phtoV4 +OaeVf3hkhXakbk1OkAAAzPxsrpAaUM5eLC75SV5Hopid9ltpFjpD457TXKdE+IyB +oBDUnCaHSkrDmbeX6iSUHLWjjcOs0MI0UOXH+XNKNR3kUUvS+0ZCwRIPXc11/AFN +</ds:X509Certificate> + </ds:X509Data> + </ds:KeyInfo> + </KeyDescriptor> + <KeyDescriptor use="encryption"> + <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> + <ds:X509Data> + <ds:X509Certificate> +MIIFDDCCA/SgAwIBAgIJALO1/Blx64tvMA0GCSqGSIb3DQEBCwUAMIG0MQswCQYD +VQQGEwJBVTEMMAoGA1UECBMDVklDMRIwEAYDVQQHEwlNZWxib3VybmUxDTALBgNV +BAoTBE1lUkMxETAPBgNVBAsTCG9wZW5sZGFwMS0wKwYDVQQDEyR2bS0xMTgtMTM4 +LTI0MS0xNTkuZXJjLm1vbmFzaC5lZHUuYXUxEDAOBgNVBCkTB0Vhc3lSU0ExIDAe +BgkqhkiG9w0BCQEWEXNoYWhhYW5AZ21haWwuY29tMB4XDTE1MDMyMzEyMjYzOFoX +DTI1MDMyMDEyMjYzOFowgbQxCzAJBgNVBAYTAkFVMQwwCgYDVQQIEwNWSUMxEjAQ +BgNVBAcTCU1lbGJvdXJuZTENMAsGA1UEChMETWVSQzERMA8GA1UECxMIb3Blbmxk +YXAxLTArBgNVBAMTJHZtLTExOC0xMzgtMjQxLTE1OS5lcmMubW9uYXNoLmVkdS5h +dTEQMA4GA1UEKRMHRWFzeVJTQTEgMB4GCSqGSIb3DQEJARYRc2hhaGFhbkBnbWFp 
+bC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDTcsIqn/HKgeRK +gj4rXYu8V/kTkv63d2Rtmv6zSlRwtjKBCvePEo/4ZpwOK235kBfX9KZKU9wlyFhf +DdmOvIBYvhrLqtIYNfMWLt8iUFkdt2N/dNmftu7WUXuZezsRXMqbPG7dLjMLyJ7D +7UCox1IB2SYzHx0K9w7PtCleV5A/o9Eg/7G8/FvOCB5askY/YywzEWLrxIYYn6Cr +Gsioh5hXxac9p3KuO6dvbMLIMHVZ4u7mbLrdp/e6TZTlyZN+Tfbjta0VYBw0beuS +KpwZc8Toow2B22O3K15o6tr0nvVSTEj2Qrd+LPolFSFBKVaD+9G/i0FMLHNOuQVP +Cw/62vEnAgMBAAGjggEdMIIBGTAdBgNVHQ4EFgQUouRhu/Wc+jU1rfUd+kiqbtg/ +q3cwgekGA1UdIwSB4TCB3oAUouRhu/Wc+jU1rfUd+kiqbtg/q3ehgbqkgbcwgbQx +CzAJBgNVBAYTAkFVMQwwCgYDVQQIEwNWSUMxEjAQBgNVBAcTCU1lbGJvdXJuZTEN +MAsGA1UEChMETWVSQzERMA8GA1UECxMIb3BlbmxkYXAxLTArBgNVBAMTJHZtLTEx +OC0xMzgtMjQxLTE1OS5lcmMubW9uYXNoLmVkdS5hdTEQMA4GA1UEKRMHRWFzeVJT +QTEgMB4GCSqGSIb3DQEJARYRc2hhaGFhbkBnbWFpbC5jb22CCQCztfwZceuLbzAM +BgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQDFKPmj1TGpUZsdviOwMjU/ +IHqZ+3RwFcvkfBu8JmwxaO86GrC1mwZyQExvQLQF6LLaGHyVlZa3PxUkmcqq1for +ZcYYyVRip4fgtOI6WcKg+nWI9+rDX5fU5gZAYm3er4MNZ/R7sTmgHEemOcuSiatQ +hDoUkv9GOZKoxw4uJJq/yUumAkziAIuMWoTHYrR9cqOkoKQiFUjqmhI3m4phtoV4 +OaeVf3hkhXakbk1OkAAAzPxsrpAaUM5eLC75SV5Hopid9ltpFjpD457TXKdE+IyB +oBDUnCaHSkrDmbeX6iSUHLWjjcOs0MI0UOXH+XNKNR3kUUvS+0ZCwRIPXc11/AFN +</ds:X509Certificate> + </ds:X509Data> + </ds:KeyInfo> + </KeyDescriptor> + <ContactPerson contactType="technical"> + <Company>Monash University</Company> + <GivenName>Shahaan</GivenName> + <SurName>Ayyub</SurName> + <EmailAddress>mailto:shahaan.ayyub@monash.edu</EmailAddress> + </ContactPerson> + <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://vm-118-138-241-159.erc.monash.edu.au/Shibboleth.sso/SLO/Artifact" /> + <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://vm-118-138-241-159.erc.monash.edu.au/Shibboleth.sso/SLO/POST" /> + <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://vm-118-138-241-159.erc.monash.edu.au/Shibboleth.sso/SLO/SOAP" /> + 
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://vm-118-138-241-159.erc.monash.edu.au/Shibboleth.sso/SLO/Redirect" /> + <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://vm-118-138-241-159.erc.monash.edu.au/Shibboleth.sso/NIM/POST" /> + <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://vm-118-138-241-159.erc.monash.edu.au/Shibboleth.sso/NIM/Redirect" /> + <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://vm-118-138-241-159.erc.monash.edu.au/Shibboleth.sso/NIM/SOAP" /> + <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://vm-118-138-241-159.erc.monash.edu.au/Shibboleth.sso/NIM/Artifact" /> + <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat> + <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://vm-118-138-241-159.erc.monash.edu.au/Shibboleth.sso/SAML2/Artifact" index="3" isDefault="false" /> + <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://vm-118-138-241-159.erc.monash.edu.au/Shibboleth.sso/SAML2/POST" index="1" isDefault="true" /> + <AttributeConsumingService index="1" isDefault="false"> + <ServiceName xml:lang="en">vm-118-138-241-159.erc.monash.edu.au</ServiceName> + <RequestedAttribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:oid:2.5.4.3" FriendlyName="commonName" isRequired="true" /> + <RequestedAttribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="email" isRequired="true" /> + <RequestedAttribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:oid:2.5.4.42" FriendlyName="givenName" isRequired="false" /> + <RequestedAttribute 
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:oid:2.5.4.4" FriendlyName="surname" isRequired="true" /> + </AttributeConsumingService> + </SPSSODescriptor> + <Organization> + <OrganizationName xml:lang="en">monash.edu.au</OrganizationName> + <OrganizationDisplayName xml:lang="en">Monash University</OrganizationDisplayName> + <OrganizationURL xml:lang="en">https://manager.aaf.edu.au/support</OrganizationURL> + </Organization> +</EntityDescriptor>' + - aaf_metadata_cert: '-----BEGIN CERTIFICATE----- +MIIEbDCCA1SgAwIBAgIESWrmGDANBgkqhkiG9w0BAQUFADCB9zEQMA4GA1UEBhMH +VW5rbm93bjEQMA4GA1UECBMHVW5rbm93bjEQMA4GA1UEBxMHVW5rbm93bjEQMA4G +A1UEChMHVW5rbm93bjFaMFgGA1UECxNRb3BlbnNzbCB4NTA5IC1vdXQgbWV0YWRh +dGEtY2VydC5wZW0gLW91dGZvcm0gcGVtIC1pbiBtZXRhZGF0YS1kZXIuY3J0IC1p +bmZvcm0gZGVyMVEwTwYDVQQDDEhrZXl0b29sIC1rZXlzdG9yZSBrZXlzdG9yZS5r +cyAtZXhwb3J0IC1hbGlhcyBtZXRhZGF0YSA+IG1ldGFkYXRhLWRlci5jcnQwHhcN +MDkwMTEyMDY0MTI4WhcNMTQwMTExMDY0MTI4WjCB9zEQMA4GA1UEBhMHVW5rbm93 +bjEQMA4GA1UECBMHVW5rbm93bjEQMA4GA1UEBxMHVW5rbm93bjEQMA4GA1UEChMH +VW5rbm93bjFaMFgGA1UECxNRb3BlbnNzbCB4NTA5IC1vdXQgbWV0YWRhdGEtY2Vy +dC5wZW0gLW91dGZvcm0gcGVtIC1pbiBtZXRhZGF0YS1kZXIuY3J0IC1pbmZvcm0g +ZGVyMVEwTwYDVQQDDEhrZXl0b29sIC1rZXlzdG9yZSBrZXlzdG9yZS5rcyAtZXhw +b3J0IC1hbGlhcyBtZXRhZGF0YSA+IG1ldGFkYXRhLWRlci5jcnQwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDZgh/InL2LixNtzuA+dNXSn19/W4IMbD6+ +Zzysk/jMi4Sgr4FrEfMeTi2G2/rpf32TeSG1P4MZqqyy5yuhNX7RQTFSZyl5D9cs +98dE7FY/g7uySGv7oao1rkJfEmFmcZQIvRkLs89PQqKok2/m807DnzF1zCAt+YcY +wqHyXyTrzxr4hMDDB2Ij8PeDZeSIB3s/CK2F6hIg13VeYEZjAWf4KPwsOteuzR4Y +uuuGDlNFjcJGu+97N4LTnOBb6uW8qNtAAq6UWtA28A4KQejrzBZrfBGPLGbe6KHs +WrziN2uk8kEY1TQw0cp+Am/ph8nl00KU+oVrswjS8oUklL98C5LnAgMBAAEwDQYJ +KoZIhvcNAQEFBQADggEBAEy0xLMJBneC+DQ0cSNH3kXaW9cdqzsoD/UawJHaDqIJ +UjIslR38p5H3pRQ7rZ1+c7z0lUaBqQO/i+MZUEMHCpbhEcZK0Ep5dlWc80DFGSxS +ItbghQ5loS4JOgKYZZdRSzCxV3PAqlzqXoZrFeaeJL7xFIRglpphN06joOlX0zQM +0iN8qn7oTTaR3U2Kxkh6NQ2qTH3IvP71YJnjSzljqZHFughhTpl8cA8i9ijcmeyP 
+Y5TYJTbtwQ0X+435LTX8xxW/B4E8XnH7iEOykvfZMYxt5cSrtzF1eAMQ/ln2r54O +bk0oX1BGue0XcgeMObQrs/eC+2uspENHKtUdYDU0OK4= +-----END CERTIFICATE-----' diff --git a/roles/etcHosts/tasks/main.yml b/roles/etcHosts/tasks/main.yml index 9d8e8fe8aeb9436e8afcbe54f882f036b389ed36..cb16e4d93ad6f85156dfe18d37ce303d7830769a 100644 --- a/roles/etcHosts/tasks/main.yml +++ b/roles/etcHosts/tasks/main.yml @@ -12,6 +12,7 @@ command: /tmp/makehosts.py /tmp/groups {{ domain }} delegate_to: 127.0.0.1 run_once: True + sudo: true register: hosts_data - name: write hosts file @@ -22,3 +23,22 @@ state: present sudo: true with_items: hosts_data.stdout_lines + +- name: set hostname by sysctl + shell: sysctl kernel.hostname="{{ ansible_hostname }}" + sudo: true + +- name: set domainname by sysctl + shell: sysctl kernel.domainname="{{ domain }}" + sudo: true + +- name: set /etc/sysconfig/network on CentOS 6 + lineinfile: dest=/etc/sysconfig/network line='HOSTNAME={{ ansible_hostname }}' regexp='^HOSTNAME' + sudo: true + when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "6" + +- name: set /etc/sysctl.conf on Debian 8 + lineinfile: dest=/etc/sysctl.conf line='kernel.domainname = {{ domain }}' regexp='^#kernel.domainname' + sudo: true + when: ansible_distribution == "Debian" and ansible_distribution_major_version == "8" + diff --git a/roles/extra_rpms/vars/main.yml b/roles/extra_rpms/vars/main.yml index 22aedc71b3610a8a8119092601475e96d0e13c2f..df10f44104f4a08b545af265cbefa0b3ce8338ec 100644 --- a/roles/extra_rpms/vars/main.yml +++ b/roles/extra_rpms/vars/main.yml @@ -16,6 +16,7 @@ pkgs: - enchant - eog - evince + - finger - fftw - file-roller - firefox @@ -174,6 +175,7 @@ pkgs: - python-babel - python-dateutil - python-devel + - python-ldap - python-matplotlib - python-nose - python-paramiko @@ -205,6 +207,10 @@ pkgs: - unzip - util-linux-ng - uuid + - vim-X11 + - vim-common + - vim-enhanced + - vim-minimal - wacomexpresskeys - wdaemon - wxBase 
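Review bot: `aaf_metadata_xml` hard-codes the SP `entityID`, every endpoint `Location`, the `ServiceName` and a self-signed certificate for `vm-118-138-241-159.erc.monash.edu.au`, while the rest of this vars block derives host identity from `inventory_hostname` (`x509_common_name: "{{ inventory_hostname }}"`); on any other host the registered metadata will not match the SP's real endpoints or the key it presents. Generate the entityID/Locations from `{{ inventory_hostname }}` and the `X509Certificate` element from the certificate the `easy-rsa-certificate` role issues, rather than pasting a fixed blob into play vars. The validity fields inside `aaf_metadata_cert` decode to 2009-01-12 through 2014-01-11, so if this certificate is what verifies the signature on the `aaf_federation_url` feed, verification is already failing — check the current federation metadata signing certificate, and note that both URLs point at the `ds.test.aaf.edu.au` test federation, which should be a per-environment variable. `admin_email: "shahaan@gmail.com"` is a personal address; it belongs in inventory/group vars, not the shared playbook.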
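Review bot: The Debian 8 task is not idempotent: `regexp='^#kernel.domainname'` matches only the commented-out default, so once the first run has written `kernel.domainname = …` the regexp no longer matches and `lineinfile` appends a duplicate line on every later run; use `regexp='^#?kernel\.domainname'` so both the commented and live forms are replaced. The two `shell: sysctl kernel.hostname=…` / `shell: sysctl kernel.domainname=…` tasks report changed on every run and only last until reboot; the `hostname` module, or `sysctl: name=kernel.domainname value="{{ domain }}" sysctl_set=yes`, is idempotent and persists the setting. The first hunk of this file adds `sudo: true` to the task that runs `/tmp/makehosts.py` via `delegate_to: 127.0.0.1`; unless that script genuinely needs root, executing a script from a world-writable directory with elevated privileges on the control host is better avoided.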
diff --git a/roles/karaage3.1.17/handlers/main.yml b/roles/karaage3.1.17/handlers/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..d6a6cfb778cf5f17c29b904dab32dfe4c4a9e0b5
--- /dev/null
+++ b/roles/karaage3.1.17/handlers/main.yml
@@ -0,0 +1,4 @@
+---
+- name: restart apache2
+ service: name=apache2 state=restarted
+ sudo: true
diff --git a/roles/karaage3.1.17/tasks/apacheDebian.yml b/roles/karaage3.1.17/tasks/apacheDebian.yml
index 0a08f63e7073a0e2167f69ebcf544f7069998fec..f47cad3de27cc007689cc0295428bba08c86c959 100644
--- a/roles/karaage3.1.17/tasks/apacheDebian.yml
+++ b/roles/karaage3.1.17/tasks/apacheDebian.yml
@@ -1,24 +1,46 @@ --- - name: "Install Apache2" - apt: name=apache2 state=present + apt: name={{ item }} state=present + with_items: + - apache2 + - apache2-dev + sudo: true +- + name: "Setting default site" + lineinfile: dest=/etc/apache2/sites-available/000-default.conf regexp="#ServerName" line="ServerName {{ ansible_nodename }}" backrefs=yes +- + name: "Setting default-ssl site" + lineinfile: dest=/etc/apache2/sites-available/default-ssl.conf regexp="{{ item.regexp }}" line="{{ item.line }}" backrefs=yes + with_items: + - { regexp : "^\\s+SSLCertificateFile", line : " SSLCertificateFile {{ x509_cert_file }}" } + - { regexp : "SSLCertificateKeyFile", line : " SSLCertificateKeyFile {{ x509_key_file }}" } + - { regexp : "SSLCACertificateFile", line : " SSLCACertificateFile {{ x509_cacert_file }}" } - name: "Templating default-ssl site" template: src=default-ssl.j2 dest=/etc/apache2/sites-available/default-ssl.conf owner=www-data group=www-data + sudo: true - name: "Templating default site" template: src=default.j2 dest=/etc/apache2/sites-available/000-default.conf owner=www-data group=www-data + sudo: true - name: "Templating ssl configuration" template: src=ssl.conf.j2 dest=/etc/apache2/mods-available/ssl.conf owner=www-data group=www-data + sudo: true + notify: restart apache2 - name: "Enable ssl module" apache2_module: state=present name=ssl + sudo: true - name: "Enable default-ssl site" shell: a2ensite default-ssl + sudo: true - - name: "Restarting Apache2" - service: name=apache2 state=restarted + name: "Starting Apache2" + service: name=apache2 state=started + sudo: true + diff --git a/roles/karaage3.1.17/tasks/apacheRedHat.yml b/roles/karaage3.1.17/tasks/apacheRedHat.yml index 6c7d2ad00d162b6df16022548f48992e3c594481..3515c7c200e7b4dd18045dcc478b2d61b535322b 100644 --- a/roles/karaage3.1.17/tasks/apacheRedHat.yml +++ b/roles/karaage3.1.17/tasks/apacheRedHat.yml 
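Review bot: The two new `lineinfile` tasks ("Setting default site", "Setting default-ssl site") edit `000-default.conf` and `default-ssl.conf`, but the next tasks overwrite both files from `default.j2` / `default-ssl.j2`, so the lineinfile edits have no lasting effect and will report changed on every run; keep one mechanism, not both. Only the `ssl.conf` template carries `notify: restart apache2`, and the final task is now `state=started` instead of `restarted`, so a changed certificate path in `default-ssl.conf` is never picked up — add `notify: restart apache2` to the two vhost template tasks (and to `a2ensite`) as well. The lineinfile tasks are also the only ones in this file without `sudo: true`, which only works because the play itself is `sudo: true`. Separately, the templated vhost files are written `owner=www-data group=www-data`; configuration under `/etc/apache2` should be root-owned so the worker user cannot rewrite its own vhost definitions.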
@@ -2,6 +2,7 @@ - name: "Installing Apache" + sudo: true yum: name={{ item }} state=latest with_items: - mod_ssl @@ -11,9 +12,11 @@ - httpd-devel - name: Setting httpd.conf + sudo: true replace: dest=/etc/httpd/conf/httpd.conf regexp="^#ServerName www.example.com:80" replace="ServerName {{ ansible_fqdn }}" - name: Setting ssl.conf + sudo: true lineinfile: dest=/etc/httpd/conf.d/ssl.conf regexp="{{ item.regexp }}" line="{{ item.line }}" backrefs=yes with_items: - { regexp : "^SSLCertificateFile", line : "SSLCertificateFile {{ x509_cert_file }}" } @@ -21,7 +24,9 @@ - { regexp : "SSLCACertificateFile", line : "SSLCACertificateFile {{ x509_cacert_file }}" } - name: Templating wsgi.conf + sudo: true template: src=wsgi.conf.j2 dest=/etc/httpd/conf.d/wsgi.conf owner=root group=root - name: Restarting Apache + sudo: true service: name=httpd state=restarted diff --git a/roles/karaage3.1.17/tasks/karaage.yml b/roles/karaage3.1.17/tasks/karaage.yml index 57101bed1b63a55301cfc8fffad8396aa60902e5..cc847b8006d59ae7e7ef03a6619fc01bb1559c5a 100644 --- a/roles/karaage3.1.17/tasks/karaage.yml +++ b/roles/karaage3.1.17/tasks/karaage.yml @@ -2,6 +2,7 @@ - name: "Installing prerequisites Debian" apt: name={{ item }} update_cache=yes + sudo: true with_items: - libxml2-dev - libxslt1-dev @@ -11,10 +12,12 @@ - ldap-utils - python-cracklib - git + - apache2-dev when: ansible_os_family == "Debian" - name: "Installing prerequisites Redhat" yum: name={{ item }} state=latest + sudo: true with_items: - libxml2-devel - libxslt-devel 
@@ -35,12 +38,21 @@ name: Install the latest pip shell: easy_install pip when: ansible_os_family == "RedHat" + - name: "Getting Karaage from Github" - git: repo="https://github.com/monash-merc/karaage.git" dest="/root/karaage3.1.7" + git: repo="https://github.com/monash-merc/karaage.git" dest="/root/karaage3.1.7" force=yes + sudo: true + +- + name: "Create log directory, start aoacge will have errors without it" + file: dest=/etc/apache2/logs state=directory + sudo: true + - name: "Installing Karaage Dependencies" pip: name={{ item }} + sudo: true with_items: - six - MySQL-python @@ -51,6 +63,7 @@ - mod_wsgi - name: "Restrict Django version to 1.7.8" + sudo: true replace: dest=/root/karaage3.1.7/setup.py regexp="Django >= 1.7" replace="Django == 1.7.8" - name: "Installing Karaage from source" @@ -58,9 +71,11 @@ args: chdir: /root/karaage3.1.7 creates: /root/karaage3.1.7/build/bdist.linux-x86_64 + sudo: true - name: "Templating Karaage settings" template: src=settings.py.j2 dest=/etc/karaage3/settings.py owner=root group={{ apache_user }} mode=0640 + sudo: true - name: "Creating karaage3 in /var directories log, lib " file: path={{ item }} state=directory owner=root group={{ apache_user }} mode=0775 @@ -68,12 +83,15 @@ - /var/log/karaage3 - /var/lib/karaage3 - /var/cache/karaage3 + sudo: true - name: "Change permissions for /var/www" file: path=/var/www state=directory owner=root group={{ apache_user }} mode=0775 + sudo: true - name: "enabling Karaage configuration" shell: a2enconf karaage3-wsgi + sudo: true when: ansible_os_family == "Debian" - name: "enabling Karaage configuration" @@ -86,6 +104,7 @@ - python-kgusage - karaage-cluster-tools - karaage3-celery + sudo: true when: ansible_os_family == "Debian" - name: Downloading other packages RedHat 
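Review bot: `git: repo="https://github.com/monash-merc/karaage.git" dest="/root/karaage3.1.7" force=yes` clones whatever the default branch points at on each run, and the result is later installed system-wide as root, so the deployment is not reproducible and any upstream push changes what lands on the host; pin it with `version=<RELEASE_TAG_OR_COMMIT_PLACEHOLDER>` (the role is named 3.1.17 while the dest path says 3.1.7 — worth reconciling). `force=yes` also discards local modifications in `/root/karaage3.1.7`, which is exactly where the "Restrict Django version" task edits `setup.py`, so that replace is re-applied on every run; acceptable, but deserves a comment. The task name `"Create log directory, start aoacge will have errors without it"` has a typo (`apache`).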
@@ -97,12 +116,14 @@ - { repo : 'https://github.com/Karaage-Cluster/karaage-usage.git', dest : '/root/karaage-usage' } - { repo : 'https://github.com/Karaage-Cluster/karaage-applications.git', dest : '/root/karaage-applications' } - { repo : 'https://github.com/Karaage-Cluster/karaage-cluster-tools.git', dest : '/root/karaage-cluster-tools' } + sudo: true when: ansible_os_family == "RedHat" - args: chdir: "/root/{{ item }}" creates: "/root/{{ item }}/build/bdist.linux-x86_64" name: "Installing other packages RedHat" + sudo: true shell: "env python setup.py install" when: ansible_os_family == "RedHat" with_items: @@ -115,19 +136,45 @@ - name: "Set Secret Key" lineinfile: dest=/etc/karaage3/settings.py regexp="SECRET_KEY = ''" line="SECRET_KEY = 'imkaraage'" state=present + sudo: true + +- + # TODO: Fix it + name: "Check DB tables has been created or not" + shell: ls /root/.karaage_db_init + ignore_errors: true + sudo: true + register: karaage_db_init + +- + name: "Enable wsgi config" + file: src=/etc/apache2/mods-available/wsgi.conf path=/etc/apache2/mods-enabled/wsgi.conf state=link + sudo: true + +- + name: "Enable wsgi load" + file: src=/etc/apache2/mods-available/wsgi.load path=/etc/apache2/mods-enabled/wsgi.load state=link + sudo: true + - name: " Create DB tables" - shell: kg-manage migrate + shell: kg-manage migrate && touch /root/.karaage_db_init + sudo: true + when: karaage_db_init is not defined + - name: "Restarting Celery" service: name=karaage3-celery state=restarted + sudo: true when: ansible_os_family == "Debian" - name: "Reloading apache" service: name=apache2 state=reloaded + sudo: true when: ansible_os_family == "Debian" - name: "Reloading apache" service: name=httpd state=reloaded + sudo: true when: ansible_os_family == "RedHat" diff --git a/roles/karaage3.1.17/tasks/main.yml b/roles/karaage3.1.17/tasks/main.yml index 3fb11c21787e45de3da5ff4380ccc60b8662a0e4..66d2a9b7fc01263ffe647ed8d4961bd90f63d7ec 100644 --- a/roles/karaage3.1.17/tasks/main.yml 
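Review bot: `when: karaage_db_init is not defined` can never be true — a `register:`ed variable is always defined once its task has run, even when the `ls` fails (`ignore_errors: true` only suppresses the failure), so `kg-manage migrate` is now never executed. The convention used elsewhere in this repository (`ldapserver/tasks/main.yml`: `when: accountsConfigured|failed`) suggests `when: karaage_db_init|failed`; a simpler and more robust form is to drop the `ls` task and give the migrate task `args: creates: /root/.karaage_db_init`, which is what the `touch` marker is for. The `Set Secret Key` task still writes a fixed `SECRET_KEY = 'imkaraage'` into `/etc/karaage3/settings.py`; since that file is now rendered from `settings.py.j2`, the key should come from a per-deployment (vaulted) variable rather than a constant shared by every install.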
+++ b/roles/karaage3.1.17/tasks/main.yml
@@ -5,5 +5,4 @@
 when: ansible_os_family == "Debian"
 - include: apacheRedHat.yml
 when: ansible_os_family == 'RedHat'
- - include: mysql.yml
 - include: karaage.yml
diff --git a/roles/karaage3.1.17/tasks/mysql.yml b/roles/karaage3.1.17/tasks/mysql.yml
deleted file mode 100644
index e2df0e3db90c7f569db638ed4c94b1b646bd51a9..0000000000000000000000000000000000000000
--- a/roles/karaage3.1.17/tasks/mysql.yml
+++ /dev/null
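Review bot: `- include: mysql.yml` is removed and `roles/karaage3.1.17/tasks/mysql.yml` deleted in favour of the new `roles/mysql` role, but nothing in this diff adds `mysql` to the role list in `buildKaraage3.x.yml` (that hunk only adds `shibboleth-sp`), so unless it is wired in elsewhere the karaage database and user are no longer created before `kg-manage migrate` runs. The new role also takes `mysql_user_db_name` / `mysql_user_name` / `mysql_user_password`, while `settings.py.j2` reads `karaageDbName` / `karaageDbUser` / `karaagePassword`; these need to be mapped to each other in the play vars or the two sides will drift.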
@@ -1,78 +0,0 @@ ---- -- - name: "Installing MySQL Debian" - apt: name="{{ item }}" update_cache=yes cache_valid_time=3600 state=present - with_items: - - python - - python-dev - - libmysqlclient-dev - - python-pip - - libapache2-mod-wsgi - - python-mysql.connector - - mysql-server - - python-mysqldb - when: ansible_os_family == "Debian" -- - name: Installing MySQL RedHat - yum: name="{{ item }}" state=latest - with_items: - - python - - python-devel - - mysql-devel - - mysql-libs - - MySQL-python - - mysql-server - when: ansible_os_family == "RedHat" -- - name: "Starting MySQL" - service: name=mysql state=started enabled=true - when: ansible_os_family == "Debian" - -- - name: "Starting MySQL" - service: name=mysqld state=started enabled=true - when: ansible_os_family == "RedHat" -- - name: "Templating karaage.cnf" - template: src="karaage.cnf.j2" dest=/etc/mysql/conf.d/karaage.cnf owner=root group=root - when: ansible_os_family == "Debian" - -- - name: "Adding root" - sudo: true - mysql_user: name=root host="{{ item }}" password="{{ mysql_root_password }}" login_user=root login_password="{{ mysql_root_password }}" check_implicit_admin=yes priv="*.*:ALL,GRANT" - with_items: - - "{{ ansible_hostname }}" - - 127.0.0.1 - - ::1 - - localhost -- - name: Setting mysql global variables - mysql_variables: variable={{ item.var }} value={{ item.val }} login_user=root login_password="{{ mysql_root_password }}" - with_items: - - { var : 'character_set_server', val : 'utf8' } - - { var : 'storage_engine', val : 'innodb' } - - { var : 'sql_mode', val : 'STRICT_ALL_TABLES' } - when: ansible_os_family == "RedHat" -- - name: "Editing my.cnf" - lineinfile: dest=/etc/my.cnf line="{{ item }}" - with_items: - - '[client]' - - 'default-character-set = utf8' - when: ansible_os_family == "RedHat" -- - name: "Adding Karaage Database" - mysql_db: name=karaage state=present login_user=root login_password={{ mysql_root_password }} -- - name: "Giving priviliges to karaage user" - mysql_user: 
name=karaage password={{ karaage_sql_password }} login_user=root login_password={{ mysql_root_password }} priv=karaage.*:ALL state=present - -- - name: "Starting MySQL" - service: name=mysql state=restarted - when: ansible_os_family == "Debian" -- - name: "Starting MySQL" - service: name=mysqld state=restarted - when: ansible_os_family == "RedHat" diff --git a/roles/karaage3.1.17/tasks/prerequisitesDebian.yml b/roles/karaage3.1.17/tasks/prerequisitesDebian.yml index 8ca53ad498ec98d4550b7481999ee73f47570113..c0517a924ae7db1a5f9039d9d33a584b59fa6a62 100644 --- a/roles/karaage3.1.17/tasks/prerequisitesDebian.yml +++ b/roles/karaage3.1.17/tasks/prerequisitesDebian.yml @@ -1,18 +1,24 @@ --- - name: "Installing prereq packages" + sudo: true apt: name={{ item }} update_cache=yes with_items: - debian-keyring - apt_key: "url=http://code.vpac.org/debian/vpac-debian-key.gpg state=present" name: "Installing the VPAC Debian Archive signing key" + sudo: true - apt_repository: "repo='deb http://code.vpac.org/debian jessie main' state=present" name: "Adding VPAC repository in the source list" + sudo: true - apt_repository: "repo='deb-src http://code.vpac.org/debian jessie main' state=present" name: "Adding VPAC source repository" + sudo: true - apt: update_cache=yes name: "Upgrading apt..." + sudo: true + diff --git a/roles/karaage3.1.17/templates/default-ssl.j2 b/roles/karaage3.1.17/templates/default-ssl.j2 index 10c9fd7d0ce285aad05ce1a6480b350c2fa3e09b..690c03cc63901cc0eebeb5ece72d62393fe3b373 100644 --- a/roles/karaage3.1.17/templates/default-ssl.j2 +++ b/roles/karaage3.1.17/templates/default-ssl.j2 @@ -1,6 +1,9 @@ <IfModule mod_ssl.c> <VirtualHost _default_:443> ServerAdmin webmaster@localhost + {% if hpcidDomain is defined %} + ServerName {{ hpcidDomain }} + {% endif %} DocumentRoot /var/www <Directory /> 
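Review bot: `apt_key: "url=http://code.vpac.org/debian/vpac-debian-key.gpg state=present"` fetches an archive signing key over plain HTTP, and every package from the `code.vpac.org` repository is then trusted on the strength of that key; this hunk only adds `sudo: true`, but it is the right moment to fetch it over `https://` and/or pin the expected key with `apt_key: id=<KEY_FINGERPRINT_PLACEHOLDER> url=… state=present` so a substituted key is rejected. The task named "Upgrading apt..." is `apt: update_cache=yes`, which only refreshes the package index; a name such as `"Refreshing apt cache"` would match what it does.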
@@ -39,8 +42,8 @@ # /usr/share/doc/apache2.2-common/README.Debian.gz for more info. # If both key and certificate are stored in the same file, only the # SSLCertificateFile directive is needed. - SSLCertificateFile /etc/ssl/certs/server.crt - SSLCertificateKeyFile /etc/ssl/private/server.key + SSLCertificateFile {{ x509_cert_file }} + SSLCertificateKeyFile {{ x509_key_file }} # Server Certificate Chain: # Point SSLCertificateChainFile at a file containing the # concatenation of PEM encoded CA certificates which form the @@ -56,8 +59,12 @@ # Note: Inside SSLCACertificatePath you need hash symlinks # to point to the certificate files. Use the provided # Makefile to update the hash symlinks after changes. + {% if x509_cert_path is defined %} + SSLCACertificatePath {{ x509_cert_path }} + {% else %} SSLCACertificatePath /etc/ssl/certs/ - SSLCACertificateFile /etc/ssl/certs/ca.crt + {% endif %} + SSLCACertificateFile {{ x509_cacert_file }} # Certificate Revocation Lists (CRL): # Set the CA revocation path where to find CA CRLs for client diff --git a/roles/karaage3.1.17/templates/settings.py.j2 b/roles/karaage3.1.17/templates/settings.py.j2 index 1db75154159f1408ec150b3dba136095969865b0..9d05b119b111e3ba59308a28683e5788c1ebee9d 100644 --- a/roles/karaage3.1.17/templates/settings.py.j2 +++ b/roles/karaage3.1.17/templates/settings.py.j2 
@@ -67,23 +67,32 @@ HTTP_HOST = "{{ x509_common_name }}" # exception information. Each member of the tuple should be a tuple of (Full # name, email address). ADMINS = ( +{% if karaageAdminName is defined and karaageAdminEmail is defined %} + ('{{ karaageAdminName }}', '{{ karaageAdminEmail }}'), +{% else %} # ('Your Name', 'your_email@domain.com'), +{% endif %} ) # A tuple in the same format as ADMINS that specifies who should get broken # link notifications when BrokenLinkEmailsMiddleware is enabled. MANAGERS = ADMINS +{% if defaultProject is defined and defaultMachineCategory is defined %} +DEFAULT_PROJECT_PID = {{ defaultProject }} +DEFAULT_MACHINE_CATEGORY_NAME = {{ defaultMachineCategory }} +{% endif %} + # A dictionary containing the settings for all databases to be used with # Django. It is a nested dictionary whose contents maps database aliases to a # dictionary containing the options for an individual database. DATABASES = { 'default': { 'ENGINE': 'django.db.backends.mysql', - 'NAME': 'karaage', - 'USER': 'karaage', - 'PASSWORD': 'imkaraage', - 'HOST': 'localhost', + 'NAME': '{{ karaageDbName }}', + 'USER': '{{ karaageDbUser }}', + 'PASSWORD': '{{ karaagePassword }}', + 'HOST': '{{ karaageDbHost }}', 'PORT': '', 'ATOMIC_REQUESTS': True, } @@ -92,7 +101,7 @@ DATABASES = { LDAP = { 'default': { 'ENGINE': 'tldap.backend.fake_transactions', - 'URI': 'ldaps://{% for host in groups['ldap-server'] %}{{ hostvars[host]['ansible_fqdn'] }}{% endfor %}/', + 'URI': '{{ ldapURI }}', 'USER': '{{ ldapManager }}', 'PASSWORD': '{{ ldapManagerPassword }}', 'REQUIRE_TLS': True, @@ -114,8 +123,8 @@ MACHINE_CATEGORY_DATASTORES = { 'HOME_DIRECTORY': "/home/%(uid)s", 'LOCKED_SHELL': "/usr/local/sbin/locked", 'NUMBER_SCHEME': 'default', - 'LDAP_ACCOUNT_BASE': 'ou=Accounts,dc=monash,dc=edu,dc=au', - 'LDAP_GROUP_BASE': 'ou=Groups,dc=monash,dc=edu,dc=au', + 'LDAP_ACCOUNT_BASE': 'ou=Accounts,{{ ldapDomain }}', + 'LDAP_GROUP_BASE': 'ou=Groups,{{ ldapDomain }}', }, ], 'dummy': [ 
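Review bot: `DEFAULT_PROJECT_PID = {{ defaultProject }}` and `DEFAULT_MACHINE_CATEGORY_NAME = {{ defaultMachineCategory }}` are rendered unquoted; if either variable is a string (a project PID and a category *name* almost certainly are) the generated settings.py contains a bare identifier and fails to import. Render them as Python string literals: `DEFAULT_PROJECT_PID = '{{ defaultProject }}'` / `DEFAULT_MACHINE_CATEGORY_NAME = '{{ defaultMachineCategory }}'`. The DATABASES block now interpolates `karaagePassword` into a single-quoted Python literal with no escaping, so a password containing `'` or `\` breaks the file; `'PASSWORD': {{ karaagePassword | to_json }},` produces a correctly escaped literal.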
@@ -130,13 +139,13 @@ GLOBAL_DATASTORES = [ 'PERSON': 'karaage.datastores.ldap_schemas.openldap_person', 'GROUP': 'karaage.datastores.ldap_schemas.openldap_person_group', 'NUMBER_SCHEME': 'global', - 'LDAP_PERSON_BASE': 'ou=People,dc=monash,dc=edu,dc=au', - 'LDAP_GROUP_BASE': 'ou=People_Groups,dc=monash,dc=edu,dc=au', + 'LDAP_PERSON_BASE': 'ou=People,{{ ldapDomain }}', + 'LDAP_GROUP_BASE': 'ou=Groups,{{ ldapDomain }}', }, ] # The email address that error messages come from, such as those sent to ADMINS # and MANAGERS. -SERVER_EMAIL = 'karaage@example.org' +SERVER_EMAIL = '{{ karaageAdminEmail }}' # The host to use for sending email. EMAIL_HOST = 'localhost' @@ -258,7 +267,7 @@ LOGGING = { # Users are advised to contact this address if having problems. # This is also used as the from address in outgoing emails. -ACCOUNTS_EMAIL = 'accounts@example.com' +ACCOUNTS_EMAIL = '{{ karaageAdminEmail }}' # This organisation name, used in outgoing emails. ACCOUNTS_ORG_NAME = 'Example' diff --git a/roles/karaage3.1.17/templates/ssl.conf.j2 b/roles/karaage3.1.17/templates/ssl.conf.j2 index 46ae7a92679ca4b7c8504b80c550f62f189b1447..b9af9099757c95a2fbf3093acd1e9037882c4fea 100644 --- a/roles/karaage3.1.17/templates/ssl.conf.j2 +++ b/roles/karaage3.1.17/templates/ssl.conf.j2 @@ -70,7 +70,8 @@ SSLCryptoDevice builtin ## SSL Virtual Host Context ## -<VirtualHost {{ ansible_fqdn }}:443> +### <VirtualHost {{ ansible_fqdn }}:443> +<VirtualHost {{ ansible_nodename }}.{{ ansible_domain }}:443> # General setup for the virtual host, inherited from global configuration #DocumentRoot "/var/www/html" diff --git a/roles/ldapserver/tasks/main.yml b/roles/ldapserver/tasks/main.yml index 1a2ab0e0077240a74ca20f89890cd5dce86af78f..356eeef7b1972f293342b90284210df8ac6005a4 100644 --- a/roles/ldapserver/tasks/main.yml +++ b/roles/ldapserver/tasks/main.yml 
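Review bot: `SERVER_EMAIL = '{{ karaageAdminEmail }}'` and `ACCOUNTS_EMAIL = '{{ karaageAdminEmail }}'` use the variable unconditionally, while the ADMINS block in the first hunk guards it with `{% if karaageAdminName is defined and karaageAdminEmail is defined %}`; when the variable is unset the template fails on the unguarded lines (or renders an empty address if undefined variables are tolerated), so either guard these the same way or make `karaageAdminEmail` a required/default variable and drop the `is defined` checks. The GLOBAL_DATASTORES `LDAP_GROUP_BASE` also changes from `ou=People_Groups,…` to `ou=Groups,{{ ldapDomain }}`, the same base the machine-category datastore uses; if collapsing the two group trees is intentional it deserves a comment, since they previously differed.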
@@ -44,6 +44,9 @@ - name: template accounts.ldif template: src=accounts_ldif.j2 dest=/tmp/accounts.ldif +- name: template real accounts.ldif + template: src=real_accounts_ldif.j2 dest=/tmp/real_accounts.ldif + - name: template groups.ldif template: src=groups_ldif.j2 dest=/tmp/groups.ldif @@ -129,6 +132,12 @@ ignore_errors: true register: accountsConfigured +- name: check real Accounts config + shell: "ldapsearch -D {{ ldapManager }} -w {{ ldapManagerPassword }} -b {{ ldapAccountBase }} -x -H ldap://localhost objectClass=*" + ignore_errors: true + register: realAccountsConfigured + when: ldapAccountBase is defined + - name: check Groups config shell: "ldapsearch -D {{ ldapManager }} -w {{ ldapManagerPassword }} -b {{ ldapGroupBase }} -x -H ldap://localhost objectClass=*" ignore_errors: true @@ -146,7 +155,9 @@ - ppolicy - cosine - nis + - inetorgperson ignore_errors: true + sudo: true when: ansible_os_family == 'RedHat' and ansible_distribution_major_version >= '7' - name: initialise server ssl @@ -181,6 +192,10 @@ shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/accounts.ldif when: accountsConfigured|failed +- name: add real Accounts OU + shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/real_accounts.ldif + when: realAccountsConfigured is defined and realAccountsConfigured|failed + - name: add Groups OU shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/groups.ldif when: groupsConfigured|failed diff --git a/roles/ldapserver/templates/real_accounts_ldif.j2 b/roles/ldapserver/templates/real_accounts_ldif.j2 new file mode 100644 index 0000000000000000000000000000000000000000..825600374ae339b3798bfd06f4fb5a1996777b1f --- /dev/null +++ b/roles/ldapserver/templates/real_accounts_ldif.j2 @@ -0,0 +1,2 @@ +dn: {{ ldapAccountBase }} +objectClass: organizationalUnit 
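Review bot: `shell: "ldapsearch -D {{ ldapManager }} -w {{ ldapManagerPassword }} …"` passes the directory manager password on the command line, where it is visible in process listings on the LDAP host and in Ansible's task output and logs; the new task copies the existing pattern, but at minimum add `no_log: true` to it and to the new `ldapadd` task in the last hunk, and prefer `-y <password-file>` (mode 0600) over `-w`. `when: realAccountsConfigured is defined and realAccountsConfigured|failed` handles the skipped case, though if I read the register semantics right the variable is defined even when the check task was skipped, so the `is defined` half is redundant rather than protective.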
diff --git a/roles/ldapserver/vars/main.yml b/roles/ldapserver/vars/main.yml
index 38cf871d127b1287cf0811c4f34f4e4601717630..c3953ac3b4519d1c524c869bf716230d12821911 100644
--- a/roles/ldapserver/vars/main.yml
+++ b/roles/ldapserver/vars/main.yml
@@ -2,3 +2,4 @@
 ldapcert: /etc/openldap/certs/ldapcert.pem
 ldapkey: /etc/openldap/certs/ldapkey.pem
 cacert: /etc/openldap/certs/cacert.pem
+
diff --git a/roles/mysql/handlers/main.yml b/roles/mysql/handlers/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..d99e29a582d56d55b854a5a889b02bdb1218f917
--- /dev/null
+++ b/roles/mysql/handlers/main.yml
@@ -0,0 +1,11 @@
+---
+- name: "Restart MySQL"
+ service: name=mysql state=restarted
+ sudo: true
+ when: ansible_os_family == "Debian"
+
+- name: "Restart MySQL"
+ service: name=mysqld state=restarted
+ sudo: true
+ when: ansible_os_family == "RedHat"
+
diff --git a/roles/mysql/tasks/main.yml b/roles/mysql/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..bc39805e12f63115eb9d0d88fc9d19af77fbb8de
--- /dev/null
+++ b/roles/mysql/tasks/main.yml
@@ -0,0 +1,3 @@
+---
+ - include: mysql_client.yml mysql_type=mysql_client
+ - include: mysql_server.yml mysql_type=mysql_server
diff --git a/roles/mysql/tasks/mysql_client.yml b/roles/mysql/tasks/mysql_client.yml
new file mode 100644
index 0000000000000000000000000000000000000000..3c69675b3b9d74e7bdb2a975f2a364fe5901d431
--- /dev/null
+++ b/roles/mysql/tasks/mysql_client.yml
@@ -0,0 +1,18 @@
+---
+- name: "Installing MySQL Debian"
+ apt: name="{{ item }}" update_cache=yes cache_valid_time=3600 state=present
+ with_items:
+ - python
+ - mysql-client
+ sudo: true
+ when: ansible_os_family == "Debian"
+
+- name: Installing MySQL RedHat
+ yum: name="{{ item }}" state=latest
+ with_items:
+ - python
+ - mysql
+ - mysql-connector-odbc
+ - MySQL-python
+ sudo: true
+ when: ansible_os_family == "RedHat"
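Review bot: In `roles/mysql/tasks/main.yml` both includes run unconditionally — `mysql_type=mysql_client` / `mysql_type=mysql_server` are include parameters, not conditions — so every host that applies this role installs both `mysql-client` and `mysql-server`, contrary to `vars/readme.txt`, which describes `mysql_type` as selecting one of the two. Add `when: mysql_type == "mysql_client"` and `when: mysql_type == "mysql_server"` to the respective include lines and drop the parameter, which currently overrides whatever the caller set. The readme's first line also repeats `mysql_client` where `mysql_server` is meant.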
diff --git a/roles/mysql/tasks/mysql_server.yml b/roles/mysql/tasks/mysql_server.yml
new file mode 100644
index 0000000000000000000000000000000000000000..5fb1ce2ec919353890835ce2db9a642bacbb31ae
--- /dev/null
+++ b/roles/mysql/tasks/mysql_server.yml
@@ -0,0 +1,79 @@ +--- +- name: "Installing MySQL Debian" + apt: name="{{ item }}" update_cache=yes cache_valid_time=3600 state=present + with_items: + - python + - python-dev + - libmysqlclient-dev + - python-pip + - libapache2-mod-wsgi + - python-mysql.connector + - mysql-server + - python-mysqldb + sudo: true + when: ansible_os_family == "Debian" + +- name: Installing MySQL RedHat + yum: name="{{ item }}" state=latest + with_items: + - python + - python-devel + - mysql-devel + - mysql-libs + - MySQL-python + - mysql-server + sudo: true + when: ansible_os_family == "RedHat" + +- name: "Starting MySQL" + service: name=mysql state=started enabled=true + sudo: true + when: ansible_os_family == "Debian" + +- name: "Starting MySQL" + service: name=mysqld state=started enabled=true + sudo: true + when: ansible_os_family == "RedHat" + +- name: make sure mysql conf directory exists + file: dest=/etc/mysql/conf.d state=directory + sudo: true + +- name: "Templating mysql configure file" + template: src="mysql.cnf.j2" dest=/etc/mysql/conf.d/{{ mysql_config_file_name }}.cnf owner=root group=root + sudo: true + +- name: "Adding root" + sudo: true + mysql_user: name=root host="{{ item }}" password="{{ mysql_root_password }}" login_user=root login_password="{{ mysql_root_password }}" check_implicit_admin=yes priv="*.*:ALL,GRANT" + with_items: + - "{{ ansible_hostname }}" + - 127.0.0.1 + - ::1 + - localhost + +- name: Setting mysql global variables + mysql_variables: variable={{ item.var }} value={{ item.val }} login_user=root login_password="{{ mysql_root_password }}" + with_items: + - { var : 'character_set_server', val : 'utf8' } + - { var : 'storage_engine', val : 'innodb' } + - { var : 'sql_mode', val : 'STRICT_ALL_TABLES' } + sudo: true + when: ansible_os_family == "RedHat" + +- name: "Editing my.cnf" + lineinfile: dest=/etc/my.cnf line="{{ item }}" + with_items: + - '[client]' + - 'default-character-set = utf8' + - 'log_warnings = 2' + - 'log_error = 
/var/log/mysql/error.log' + sudo: true + notify: Restart MySQL + when: ansible_os_family == "RedHat" + +- name: "Adding user database" + mysql_db: name={{ mysql_user_db_name }} state=present login_user=root login_password={{ mysql_root_password }} + +- name: "Giving priviliges to user" + mysql_user: name={{ mysql_user_name }} host={{ mysql_user_host }} password={{ mysql_user_password }} login_user=root login_password={{ mysql_root_password }} priv={{ mysql_user_name }}.*:ALL state=present diff --git a/roles/mysql/templates/mysql.cnf.j2 b/roles/mysql/templates/mysql.cnf.j2 new file mode 100644 index 0000000000000000000000000000000000000000..f32a6e4e4d854b0be3f96170136db120cf8feadc --- /dev/null +++ b/roles/mysql/templates/mysql.cnf.j2 @@ -0,0 +1,7 @@ +[mysqld] +character_set_server=utf8 +default-storage-engine = innodb +sql_mode = STRICT_ALL_TABLES + +[client] +default-character-set = utf8 diff --git a/roles/mysql/vars/readme.txt b/roles/mysql/vars/readme.txt new file mode 100644 index 0000000000000000000000000000000000000000..a17f539ae37d149078df23444a80a1c00d611cb1 --- /dev/null +++ b/roles/mysql/vars/readme.txt @@ -0,0 +1,10 @@ +# Select one of mysql installation type for mysql_client or mysql_client +mysql_type: mysql_client | mysql_server + +mysql_user_db_name: "my_database" +mysql_user_name: "my_database" +mysql_user_host: "localhost" +mysql_config_file_name: "mysql_config" +mysql_root_password: "secret" +mysql_user_password: "secret" + diff --git a/roles/shibboleth-sp/tasks/main.yml b/roles/shibboleth-sp/tasks/main.yml new file mode 100644 index 0000000000000000000000000000000000000000..7ccef2b904cb5cdaa17881b0531277b1d2380c03 --- /dev/null +++ b/roles/shibboleth-sp/tasks/main.yml @@ -0,0 +1,3 @@ +--- +- include: shibbolethPrerequisites.yml +- include: shibbolethConfig.yml 
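Review bot: The "Giving priviliges to user" task grants `{{ mysql_user_name }}.*:ALL`, but the database created two tasks earlier is `{{ mysql_user_db_name }}`; unless the two variables happen to be equal (as in the readme example) the application user gets rights on a database that does not exist and none on its own, so it should be `priv="{{ mysql_user_db_name }}.*:ALL"`. The tasks that pass `mysql_root_password` and `mysql_user_password` also need `no_log: true`, otherwise both passwords are printed in the play output and any log of it, and the `password=`/`login_password=` values should be quoted so a password containing a space or `=` does not break key=value argument parsing. Separately, the "Editing my.cnf" task appends `log_warnings = 2` and `log_error = ...` after a `[client]` header via lineinfile, where the mysql client rejects them as unknown variables; those two belong under `[mysqld]`, which the mysql.cnf.j2 template in this same commit already provides.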
diff --git a/roles/shibboleth-sp/tasks/shibbolethConfig.yml b/roles/shibboleth-sp/tasks/shibbolethConfig.yml
new file mode 100644
index 0000000000000000000000000000000000000000..0d7f23aab6dfa7eafbddb94def41512b2ce73dd5
--- /dev/null
+++ b/roles/shibboleth-sp/tasks/shibbolethConfig.yml
@@ -0,0 +1,109 @@ +--- +- + name: "Copying the metadata.aaf.xml and aaf-metadata-cert.pem" + template: src="{{ item }}.j2" dest="/etc/shibboleth/{{ item }}" mode=0644 + with_items: + - metadata.aaf.xml + - aaf-metadata-cert.pem +- + name: "Setting shibboleth2.xml sp.example.org" + replace: + args: + dest: /etc/shibboleth/shibboleth2.xml + regexp: sp.example.org + replace: "{{ ansible_fqdn }}" + backup: yes + + +- + name: "Setting shibboleth2.xml handlerSSL" + replace: + args: + dest: /etc/shibboleth/shibboleth2.xml + regexp: 'handlerSSL="false"' + replace: 'handlerSSL="true" handlerURL="https://{{ ansible_fqdn }}/Shibboleth.sso"' + + +- + name: "Setting shibboleth2.xml supportContact" + replace: + args: + dest: /etc/shibboleth/shibboleth2.xml + regexp: 'supportContact="root@localhost"' + replace: 'supportContact="{{ admin_email }}"' + + +- + name: "Enabling MetadataProvider" + replace: + args: + dest: /etc/shibboleth/shibboleth2.xml + regexp: '<!-- Example of remotely supplied batch of signed metadata. -->\s+<!--\s+<MetadataProvider' + replace: '<!-- Example of remotely supplied batch of signed metadata. 
-->\n\t<MetadataProvider' + +- + name: "Enabling MetadataProvider" + replace: + args: + dest: /etc/shibboleth/shibboleth2.xml + regexp: '</MetadataProvider>\s+-->' + replace: '</MetadataProvider>' +- + name: "Setting shibboleth2.xml Federation URI" + replace: + args: + dest: /etc/shibboleth/shibboleth2.xml + regexp: 'uri="http://federation.org/federation-metadata.xml"' + replace: 'uri="{{ aaf_federation_url }}/metadata.aaf.signed.complete.xml"' + +- + name: "Setting shibboleth2.xml backingFilePath" + replace: + args: + dest: /etc/shibboleth/shibboleth2.xml + regexp: 'backingFilePath="federation-metadata.xml"' + replace: 'backingFilePath="metadata.aaf.xml"' + +- + name: "Setting shibboleth2.xml aaf Certificate" + replace: + args: + dest: /etc/shibboleth/shibboleth2.xml + regexp: 'type="Signature" certificate="fedsigner.pem"' + replace: 'type="Signature" certificate="aaf-metadata-cert.pem"' + +- + name: "Setting shibboleth2.xml AAF Discovery URL" + replace: + args: + dest: /etc/shibboleth/shibboleth2.xml + regexp: 'discoveryURL="https://ds.example.org/DS/WAYF"' + replace: 'discoveryURL="{{ aaf_discovery_url }}"' + +- + name: "Setting shibboleth2.xml Credential Resolver" + replace: + args: + dest: /etc/shibboleth/shibboleth2.xml + regexp: '<CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>' + replace: '<CredentialResolver type="File" key="{{ x509_key_file }}" certificate="{{ x509_cert_file }}"/>' + +- + name: "Templating attribute-map.xml" + template: + args: + src: attribute-map.xml.j2 + dest: /etc/shibboleth/attribute-map.xml +- + name: "Restarting Apache" + service: + args: + name: apache2 + state: restarted + +- + name: "Restarting shibboleth" + service: + args: + name: shibd + state: restarted diff --git a/roles/shibboleth-sp/tasks/shibbolethPrerequisites.yml b/roles/shibboleth-sp/tasks/shibbolethPrerequisites.yml new file mode 100644 index 0000000000000000000000000000000000000000..b6bdee0292243446d057c7b8afc89e4337a021ce --- /dev/null 
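Review bot: Every edit to shibboleth2.xml here is a regex `replace`, and none of them fails when the pattern is absent, so a packaged shibboleth2.xml whose commented MetadataProvider example differs even slightly from the expected text leaves the provider commented out and the `uri`/`backingFilePath`/`certificate` substitutions as silent no-ops — shibd then starts with no federation metadata and no signature filter, which only surfaces later as login failures. Add an assertion after the edits and before the restarts, e.g. `- name: "Checking MetadataProvider was enabled"` with `command: grep -q 'certificate="aaf-metadata-cert.pem"' /etc/shibboleth/shibboleth2.xml`, plus a `command: shibd -t` to catch a malformed file before the service is bounced. The unconditional `service: state=restarted` tasks on apache2 and shibd should be handlers notified by the replace/template tasks so a re-run of the play does not restart the SP when nothing changed. Trust in the whole federation rests on the `aaf-metadata-cert.pem` shipped as a role template; its origin is not visible in this diff, so record where it came from and check its fingerprint against the one AAF publishes before relying on it.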
+++ b/roles/shibboleth-sp/tasks/shibbolethPrerequisites.yml @@ -0,0 +1,12 @@ +--- +- + name: Install base packages - Debian + apt: name={{ item }} state=present + with_items: + - shibboleth-sp2-schemas + - libshibsp-dev + - libapache2-mod-shib2 + - opensaml2-tools + - xmlstarlet + + diff --git a/roles/shibboleth-sp/templates/attribute-map.xml.j2 b/roles/shibboleth-sp/templates/attribute-map.xml.j2 new file mode 100644 index 0000000000000000000000000000000000000000..6b8a8c85270e92ea601908afd94eb399d05d59e8 --- /dev/null +++ b/roles/shibboleth-sp/templates/attribute-map.xml.j2 
@@ -0,0 +1,153 @@ +<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + + <!-- + The mappings are a mix of SAML 1.1 and SAML 2.0 attribute names agreed to within the Shibboleth + community. The non-OID URNs are SAML 1.1 names and most of the OIDs are SAML 2.0 names, with a + few exceptions for newer attributes where the name is the same for both versions. You will + usually want to uncomment or map the names for both SAML versions as a unit. + --> + + <!-- First some useful eduPerson attributes that many sites might use. --> + + <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="eppn"> + <AttributeDecoder xsi:type="ScopedAttributeDecoder"/> + </Attribute> + <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn"> + <AttributeDecoder xsi:type="ScopedAttributeDecoder"/> + </Attribute> + + <Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" id="affiliation"> + <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/> + </Attribute> + <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" id="affiliation"> + <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/> + </Attribute> + + <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation" id="unscoped-affiliation"> + <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/> + </Attribute> + <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" id="unscoped-affiliation"> + <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/> + </Attribute> + + <Attribute name="urn:mace:dir:attribute-def:eduPersonEntitlement" id="entitlement"/> + <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="entitlement"/> + + <!-- A persistent id attribute that supports personalized anonymous access. 
--> + <!-- First, the deprecated/incorrect version, decoded as a scoped string: --> + <Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID" id="targeted-id"> + <AttributeDecoder xsi:type="ScopedAttributeDecoder"/> + <!-- <AttributeDecoder xsi:type="NameIDFromScopedAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/> --> + </Attribute> + + <!-- Second, an alternate decoder that will decode the incorrect form into the newer form. --> + <!-- + <Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID" id="persistent-id"> + <AttributeDecoder xsi:type="NameIDFromScopedAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/> + </Attribute> + --> + + <!-- Third, the new version (note the OID-style name): --> + <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" id="persistent-id"> + <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/> + </Attribute> + + <!-- Fourth, the SAML 2.0 NameID Format: --> + <!-- + <Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id"> + <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/> + </Attribute> + --> + + <!-- Some more eduPerson attributes, uncomment these to use them... 
--> + <!-- + <Attribute name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" id="primary-affiliation"> + <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/> + </Attribute> + <Attribute name="urn:mace:dir:attribute-def:eduPersonNickname" id="nickname"/> + <Attribute name="urn:mace:dir:attribute-def:eduPersonPrimaryOrgUnitDN" id="primary-orgunit-dn"/> + <Attribute name="urn:mace:dir:attribute-def:eduPersonOrgUnitDN" id="orgunit-dn"/> + <Attribute name="urn:mace:dir:attribute-def:eduPersonOrgDN" id="org-dn"/> + + <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" id="primary-affiliation"> + <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/> + </Attribute> + <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.2" id="nickname"/> + <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.8" id="primary-orgunit-dn"/> + <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.4" id="orgunit-dn"/> + <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.3" id="org-dn"/> + + <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" id="assurance"/> + + <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" id="member"/> + + <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.6.1.1" id="eduCourseOffering"/> + <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.6.1.2" id="eduCourseMember"/> + --> + <!-- Added BY Shahaan --> + <Attribute name="urn:oid:2.5.4.3" id="commonName"/> + <Attribute name="urn:oid:2.5.4.4" id="sn"/> + <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/> + <Attribute name="urn:oid:2.5.4.42" id="givenName"/> + + <!-- Examples of LDAP-based attributes, uncomment to use these... 
--> + + <!-- + <Attribute name="urn:mace:dir:attribute-def:cn" id="cn"/> + <Attribute name="urn:mace:dir:attribute-def:sn" id="sn"/> + <Attribute name="urn:mace:dir:attribute-def:givenName" id="givenName"/> + <Attribute name="urn:mace:dir:attribute-def:displayName" id="displayName"/> + <Attribute name="urn:mace:dir:attribute-def:uid" id="uid"/> + <Attribute name="urn:mace:dir:attribute-def:mail" id="mail"/> + <Attribute name="urn:mace:dir:attribute-def:telephoneNumber" id="telephoneNumber"/> + <Attribute name="urn:mace:dir:attribute-def:title" id="title"/> + <Attribute name="urn:mace:dir:attribute-def:initials" id="initials"/> + <Attribute name="urn:mace:dir:attribute-def:description" id="description"/> + <Attribute name="urn:mace:dir:attribute-def:carLicense" id="carLicense"/> + <Attribute name="urn:mace:dir:attribute-def:departmentNumber" id="departmentNumber"/> + <Attribute name="urn:mace:dir:attribute-def:employeeNumber" id="employeeNumber"/> + <Attribute name="urn:mace:dir:attribute-def:employeeType" id="employeeType"/> + <Attribute name="urn:mace:dir:attribute-def:preferredLanguage" id="preferredLanguage"/> + <Attribute name="urn:mace:dir:attribute-def:manager" id="manager"/> + <Attribute name="urn:mace:dir:attribute-def:seeAlso" id="seeAlso"/> + <Attribute name="urn:mace:dir:attribute-def:facsimileTelephoneNumber" id="facsimileTelephoneNumber"/> + <Attribute name="urn:mace:dir:attribute-def:street" id="street"/> + <Attribute name="urn:mace:dir:attribute-def:postOfficeBox" id="postOfficeBox"/> + <Attribute name="urn:mace:dir:attribute-def:postalCode" id="postalCode"/> + <Attribute name="urn:mace:dir:attribute-def:st" id="st"/> + <Attribute name="urn:mace:dir:attribute-def:l" id="l"/> + <Attribute name="urn:mace:dir:attribute-def:o" id="o"/> + <Attribute name="urn:mace:dir:attribute-def:ou" id="ou"/> + <Attribute name="urn:mace:dir:attribute-def:businessCategory" id="businessCategory"/> + <Attribute name="urn:mace:dir:attribute-def:physicalDeliveryOfficeName" 
id="physicalDeliveryOfficeName"/> + + <Attribute name="urn:oid:2.5.4.3" id="cn"/> + <Attribute name="urn:oid:2.5.4.4" id="sn"/> + <Attribute name="urn:oid:2.5.4.42" id="givenName"/> + <Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="displayName"/> + <Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid"/> + <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/> + <Attribute name="urn:oid:2.5.4.20" id="telephoneNumber"/> + <Attribute name="urn:oid:2.5.4.12" id="title"/> + <Attribute name="urn:oid:2.5.4.43" id="initials"/> + <Attribute name="urn:oid:2.5.4.13" id="description"/> + <Attribute name="urn:oid:2.16.840.1.113730.3.1.1" id="carLicense"/> + <Attribute name="urn:oid:2.16.840.1.113730.3.1.2" id="departmentNumber"/> + <Attribute name="urn:oid:2.16.840.1.113730.3.1.3" id="employeeNumber"/> + <Attribute name="urn:oid:2.16.840.1.113730.3.1.4" id="employeeType"/> + <Attribute name="urn:oid:2.16.840.1.113730.3.1.39" id="preferredLanguage"/> + <Attribute name="urn:oid:0.9.2342.19200300.100.1.10" id="manager"/> + <Attribute name="urn:oid:2.5.4.34" id="seeAlso"/> + <Attribute name="urn:oid:2.5.4.23" id="facsimileTelephoneNumber"/> + <Attribute name="urn:oid:2.5.4.9" id="street"/> + <Attribute name="urn:oid:2.5.4.18" id="postOfficeBox"/> + <Attribute name="urn:oid:2.5.4.17" id="postalCode"/> + <Attribute name="urn:oid:2.5.4.8" id="st"/> + <Attribute name="urn:oid:2.5.4.7" id="l"/> + <Attribute name="urn:oid:2.5.4.10" id="o"/> + <Attribute name="urn:oid:2.5.4.11" id="ou"/> + <Attribute name="urn:oid:2.5.4.15" id="businessCategory"/> + <Attribute name="urn:oid:2.5.4.19" id="physicalDeliveryOfficeName"/> + --> + +</Attributes>
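Review bot: The four mappings added under `<!-- Added BY Shahaan -->` (commonName, sn, mail, givenName) carry no explanation of who consumes them, and an author-tag comment will not help the next maintainer; replace it with a purpose comment such as `<!-- Attributes the application behind this SP reads via mod_shib (presumably Karaage, which shares this play): commonName, sn, mail, givenName -->`, adjusting the consumer if that inference is wrong. Note also that `urn:oid:2.5.4.3` is mapped here to id `commonName` while the commented-out LDAP block further down maps the same OID to `cn`; a one-line note next to the new mappings pointing this out would avoid a surprise if that block is ever uncommented. The attribute-map only decodes what the IdP sends — it neither requests release of these attributes from the AAF IdPs nor validates their values, and no attribute-policy.xml change is part of this diff.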