From ccdaad40bf7d3de06046d64045cc712ce19b9824 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Mon, 5 Jul 2021 09:17:36 -0500
Subject: [PATCH] zezere: role/playbook to deploy Zezere

Zezere is the Fedora IoT device provisioning service. It is the software that runs *provision.fedoraproject.org*, but it can be self-hosted (if you can figure it out; there is no documentation whatsoever). The main use case for running Zezere locally is to automatically add trusted SSH public keys to Fedora IoT devices, without depending on a cloud service. This playbook sets up Zezere with the very minimal configuration needed to meet this goal.
---
roles/zezere/defaults/main.yml | 3 +
roles/zezere/files/zezere.httpd.conf | 14 +++++
roles/zezere/files/zezere.wsgi | 1 +
roles/zezere/handlers/main.yml | 2 +
roles/zezere/meta/main.yml | 4 ++
roles/zezere/tasks/main.yml | 82 +++++++++++++++++++++++++++
roles/zezere/templates/zezere.conf.j2 | 25 ++++++++
roles/zezere/vars/main.yml | 3 +
zezere.yml | 6 ++
9 files changed, 140 insertions(+)
create mode 100644 roles/zezere/defaults/main.yml
create mode 100644 roles/zezere/files/zezere.httpd.conf
create mode 100644 roles/zezere/files/zezere.wsgi
create mode 100644 roles/zezere/handlers/main.yml
create mode 100644 roles/zezere/meta/main.yml
create mode 100644 roles/zezere/tasks/main.yml
create mode 100644 roles/zezere/templates/zezere.conf.j2
create mode 100644 roles/zezere/vars/main.yml
create mode 100644 zezere.yml
diff --git a/roles/zezere/defaults/main.yml b/roles/zezere/defaults/main.yml
new file mode 100644
index 0000000..5817f43
--- /dev/null
+++ b/roles/zezere/defaults/main.yml
@@ -0,0 +1,3 @@
+zezere_allowed_hosts:
+- '{{ ansible_fqdn }}'
+- zezere.{{ ansible_domain }}
diff --git a/roles/zezere/files/zezere.httpd.conf b/roles/zezere/files/zezere.httpd.conf
new file mode 100644
index 0000000..0ab483e
--- /dev/null
+++ b/roles/zezere/files/zezere.httpd.conf
@@ -0,0 +1,14 @@
+# vim: set ft=apache :
+
+WSGIDaemonProcess zezere \
+ user=zezere \
+ group=zezere \
+ display-name=%{GROUP}
+
+
+WSGIScriptAlias / /usr/local/share/zezere.wsgi \
+ process-group=zezere
+
+
+ Require all granted
+
diff --git a/roles/zezere/files/zezere.wsgi b/roles/zezere/files/zezere.wsgi
new file mode 100644
index 0000000..569d085
--- /dev/null
+++ b/roles/zezere/files/zezere.wsgi
@@ -0,0 +1 @@
+from zezere.wsgi import application
diff --git a/roles/zezere/handlers/main.yml b/roles/zezere/handlers/main.yml
new file mode 100644
index 0000000..1bba3b5
--- /dev/null
+++ b/roles/zezere/handlers/main.yml
@@ -0,0 +1,2 @@
+- name: relabel zezere data directory
+ command: restorecon -RF /var/lib/zezere
diff --git a/roles/zezere/meta/main.yml b/roles/zezere/meta/main.yml
new file mode 100644
index 0000000..3180f38
--- /dev/null
+++ b/roles/zezere/meta/main.yml
@@ -0,0 +1,4 @@
+dependencies:
+- role: apache
+ tags:
+ - apache
diff --git a/roles/zezere/tasks/main.yml b/roles/zezere/tasks/main.yml
new file mode 100644
index 0000000..7269094
--- /dev/null
+++ b/roles/zezere/tasks/main.yml
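Review bot: The `WSGIScriptAlias / /usr/local/share/zezere.wsgi` line mounts the whole Django application at the vhost root but sets no `WSGIApplicationGroup`, so the app runs in a mod_wsgi sub-interpreter; if any of Zezere's dependencies ship C extensions that are not sub-interpreter safe (likely, given the RS256/OIDC support the config template exposes) that is a known source of hangs, and the standard remedy is `WSGIApplicationGroup %{GLOBAL}` next to the alias. The container directives around `Require all granted` appear to have been lost in this rendering, so I cannot see which path that grant covers — it should be scoped to `/usr/local/share/zezere.wsgi` or its directory, not a broader tree, and a comment such as `# only the WSGI entry point is exposed; data lives in /var/lib/zezere (0700 zezere)` would make the intent auditable. Nothing in this snippet forces TLS even though the template in this commit sets `secure_cookie = yes`; if the apache role (not shown) does not terminate HTTPS on this vhost, document the requirement here with `# Zezere must be served over HTTPS (secure_cookie=yes in /etc/zezere.conf)`.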
@@ -0,0 +1,82 @@
+- name: ensure zezere is installed
+ package:
+ name: '{{ zezere_packages }}'
+ state: present
+ register: install_zezere
+ tags:
+ - install
+
+- name: ensure zezere group is present
+ group:
+ name: zezere
+ system: true
+ state: present
+ tags:
+ - user
+ - group
+- name: ensure zezere user is present
+ user:
+ name: zezere
+ group: zezere
+ system: true
+ shell: /sbin/nologin
+ home: /var/lib/zezere
+ createhome: false
+ state: present
+ tags:
+ - user
+
+- name: ensure zezere data directory exists
+ file:
+ path: /var/lib/zezere
+ owner: zezere
+ group: zezere
+ mode: '0700'
+ state: directory
+ tags:
+ - datadir
+- name: ensure zezere data directory selinux label is set
+ sefcontext:
+ path: /var/lib/zezere(/.*)?
+ setype: httpd_var_lib_t
+ state: present
+ notify: relabel zezere data directory
+ tags:
+ - datadir
+ - selinux
+
+- name: ensure zezere is configured
+ template:
+ src: zezere.conf.j2
+ dest: /etc/zezere.conf
+ mode: '0640'
+ owner: root
+ group: zezere
+ notify:
+ - reload httpd
+ tags:
+ - config
+
+- name: run zezere database migrations
+ become: true
+ become_user: zezere
+ command:
+ zezere-manage migrate
+ when: >-
+ zezere_migrate|d|bool or
+ install_zezere is defined and install_zezere.changed
+ tags:
+ - migration
+
+- name: ensure zezere wsgi script is installed
+ copy:
+ src: zezere.wsgi
+ dest: /usr/local/share/zezere.wsgi
+ notify: reload httpd
+- name: ensure apache is configured to serve zezere
+ copy:
+ src: zezere.httpd.conf
+ dest: /etc/httpd/conf.d/zezere.conf
+ notify: reload httpd
+ tags:
+ - apache-config
diff --git a/roles/zezere/templates/zezere.conf.j2 b/roles/zezere/templates/zezere.conf.j2
new file mode 100644
index 0000000..77abde9
--- /dev/null
+++ b/roles/zezere/templates/zezere.conf.j2
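Review bot: The migration gate `when: zezere_migrate|d|bool or install_zezere is defined and install_zezere.changed` only fires on the play that first installs the package, so a later `zezere` upgrade applied outside this role (a plain `dnf upgrade`) leaves the SQLite schema behind the code until someone remembers to pass `-e zezere_migrate=true`, and because the task is a bare `command` it reports changed on every run whenever that override is set. Running `zezere-manage migrate` unconditionally and deriving `changed_when` from Django's own "No migrations to apply." output (what `migrate` prints when nothing is pending, assuming zezere-manage passes Django's output through) is idempotent and keeps the schema current on every run. The two `copy` tasks at the end also set no `owner`/`group`/`mode`, so the WSGI entry point and the httpd snippet take whatever the remote umask yields — pin them with `owner: root`, `group: root`, `mode: '0644'` so the files httpd executes are provably root-owned.

```yaml
- name: run zezere database migrations
  become: true
  become_user: zezere
  command: zezere-manage migrate
  register: zezere_migrate_result
  # Django prints this exact sentence when the schema is already current
  changed_when: "'No migrations to apply.' not in zezere_migrate_result.stdout"
  tags:
    - migration
# … unchanged: wsgi script and httpd config copy tasks …
```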
@@ -0,0 +1,25 @@
+[global]
+secret_key = {{ zezere_secret_key }}
+debug = no
+allowed_hosts = {{ zezere_allowed_hosts|join(' ') }}
+secure_cookie = yes
+auth_method = local
+
+[oidc.rp]
+# client_id =
+# client_secret =
+sign_algo = RS256
+
+[oidc.op]
+# authorization_endpoint =
+# token_endpoint =
+# userinfo_endpoint =
+# jwks_endpoint =
+
+[database]
+engine = django.db.backends.sqlite3
+name = /var/lib/zezere/db.sqlite3
+
+[secure_proxy_ssl_header]
+# header = HTTP_X_FORWARDED_PROTO
+# value = https
diff --git a/roles/zezere/vars/main.yml b/roles/zezere/vars/main.yml
new file mode 100644
index 0000000..0917a64
--- /dev/null
+++ b/roles/zezere/vars/main.yml
@@ -0,0 +1,3 @@
+zezere_packages:
+- mod_wsgi
+- zezere
diff --git a/zezere.yml b/zezere.yml
new file mode 100644
index 0000000..7da2ca3
--- /dev/null
+++ b/zezere.yml
@@ -0,0 +1,6 @@
+- hosts: zezere
+ vars_files:
+ - vault/zezere/{{ inventory_hostname }}
+ roles:
+ - role: zezere
+ tags: zezere
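Review bot: `secure_cookie = yes` under `[global]` marks the session and CSRF cookies Secure, so unless this vhost is actually served over HTTPS the browser never returns them and the local-auth login cannot complete; the apache role this role depends on is not part of the patch, so TLS cannot be confirmed from here. The stakes are higher than a broken login: the stated purpose of this deployment is that IoT devices pull trusted SSH public keys from this host, and over plain HTTP an on-path attacker could substitute their own key at enrollment time. I would document the requirement in the template with `# secure_cookie requires this host to be served over HTTPS; do not relax it` above line 5, and guard the commented `[secure_proxy_ssl_header]` block with `# Enable only when a trusted reverse proxy terminates TLS and overwrites X-Forwarded-Proto on every request; otherwise any client can spoof the header and defeat the secure-cookie check.` Also note that an empty `zezere_secret_key` renders `secret_key =` without error, so a short `assert` on its length in the role (or `| mandatory` here) would fail loudly rather than leaving Django to reject or, worse, accept a weak key.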