From 0261e875679f1bf63c8d689da7fc7e014597885d Mon Sep 17 00:00:00 2001
From: Stonewall Jackson
Date: Sat, 4 Feb 2023 01:23:43 -0500
Subject: initial commit
---
 roles/apache/tasks/gssapi.yml | 49 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)
 create mode 100644 roles/apache/tasks/gssapi.yml
(limited to 'roles/apache/tasks/gssapi.yml')
diff --git a/roles/apache/tasks/gssapi.yml b/roles/apache/tasks/gssapi.yml
new file mode 100644
index 0000000..c006d54
--- /dev/null
+++ b/roles/apache/tasks/gssapi.yml
@@ -0,0 +1,49 @@
+- name: create HTTP service principal
+ ipaservice:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ name: 'HTTP/{{ ansible_fqdn }}'
+ state: present
+
+- name: retrieve HTTP keytab
+ include_role:
+ name: freeipa_keytab
+ vars:
+ keytab_principal: 'HTTP/{{ ansible_fqdn }}'
+ keytab_path: '{{ apache_keytab }}'
+
+- name: configure gssproxy for kerberized HTTP
+ include_role:
+ name: gssproxy_client
+ vars:
+ gssproxy_name: httpd
+ gssproxy_section: service/HTTP
+ gssproxy_keytab: '{{ apache_keytab }}'
+ gssproxy_cred_usage: accept
+ gssproxy_euid: apache
+ gssproxy_program: /usr/sbin/httpd
+
+- name: create systemd override directory
+ file:
+ path: /etc/systemd/system/httpd.service.d
+ state: directory
+
+- name: set GSS_USE_PROXY=yes in httpd environment
+ copy:
+ src: etc/systemd/system/httpd.service.d/override.conf
+ dest: /etc/systemd/system/httpd.service.d/override.conf
+ register: apache_systemd_unit
+ notify: restart apache
+
+- name: reload systemd units
+ systemd:
+ daemon_reload: yes
+ when: apache_systemd_unit.changed
+
+- name: create gssapi session directory
+ file:
+ path: '{{ apache_session_dir }}'
+ mode: 0700
+ owner: apache
+ group: apache
+ state: directory
-- cgit
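Review bot: The `create HTTP service principal` task hands `ipaadmin_password: '{{ ipa_pass }}'` to the module without `no_log: true`, so unless the ipaservice argument spec already marks that parameter no_log, the credential is printed in verbose output and captured by any logging callback; adding `no_log: true` to that task closes the gap either way. Two values are YAML 1.1 implicit-typing traps that Ansible's loader tolerates but yamllint and ansible-lint flag: `daemon_reload: yes` should be `daemon_reload: true`, and `mode: 0700` is safer as the string `mode: '0700'` so a YAML 1.2 parser cannot read it as decimal 700. The daemon reload is an inline conditional task while the restart is a handler, which gives the right order (reload now, restart at play end), but nothing says so; a comment such as `# inline rather than a handler: the unit file must be reloaded before the restart handler fires` on the reload task would keep a later refactor from moving it into the handlers.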