Official ansible role to configure privacyIDEA

Hey guys, I looked into your project since we are phasing out the Yubico OTP validation software at our company (somehow Yubico decided that there is no longer a need to be able to validate your tokens on premises). And I’m a great fan. So, I am practicing for my RHCE exam and I was thinking that there is no official Ansible role that configures privacyIDEA (and Ansible is in a way a de facto standard these days to deploy a solution, aside from k8s of course). And I was thinking: is there any desire to have this, are you already working on it? Because I would love to do something meaningful as practice for my RHCE. And if I were to start, where would we agree on the scope and flexibility of the role etc.?

By the way, you guys should tell Yubico that they should link you on their old Yubico validation server page, since I feel like a lot of high-security setups were looking for something that can do Yubico OTP validation and is actively maintained. I almost did not find you guys, and you are probably one of the only professionally maintained Yubico on-premises validation software providers (there exist many Python and Go ports, but they are not maintained, let alone secure). A link to your product here would be nice: YubiCloud Validation Servers

There is not, right. I think this is not our primary task to provide this.

No.

If you have any questions in regards to privacyIDEA, shoot. This would be great. But you need to do the logical transfer to Ansible yourself.

They try to be product neutral at this point.

They only list possible products at “works with yubikey” here:

It’s a shame because I looked at most other solutions that can do Yubico OTP and none of them looked even close to something that you could run in production with confidence. So PrivacyIDEA is probably the only solution out there that can validate Yubico OTP on premises that is actively maintained.

Do you have an installation method that has priority development/support-wise? For example, for me it seems that the Ubuntu install has priority, since there are privacyIDEA Ubuntu 22.04 packages, whereas with CentOS the latest is for CentOS 7 I think. I guess as first priority I would support the pip installation method since it’s more universal. Second priority would be Ubuntu and last CentOS.

Thank you for the positive feedback! :slight_smile:

Community-wise we have Ubuntu repositories.

Enterprise-wise the company NetKnights provides packages and repos for Ubuntu LTS (22.04 in late beta) and RHEL 7 and 8.

Hmm, I am just thinking about whether I should install the Deb / RPM package via Ansible or do the pip installation method via Ansible.

Do you pin the mysql and/or apache2/nginx version explicitly when you create the package? Then it might make more sense to use the package, because the webserver and database are pinned correctly and the version compatibility of privacyIDEA and apache2/nginx/mysql is guaranteed.
Is the deb / rpm packaging pipeline a public repository? I could not find it in your GitHub space.

Yes

Yes. Look at the “NetKnights-GmbH” github account.

I found your repo. I must admit I am not super familiar with Makefiles (we use FPM at our office), so the only line where you could pin httpd was this one:

Requires:       privacyidea = %{version}, mariadb-server, httpd, mod_ssl, shadow-utils, rng-tools

centos7/privacyidea-server.spec at master · NetKnights-GmbH/centos7 · GitHub at line 18, but there the version is not pinned. The only way to enforce an exact version of httpd would be if on your build server (lancelot) a specific httpd stream is enabled.

The same goes for the Ubuntu build: within the repo I do not see any version pinning. So it would have to be enforced on the build server as well. Sorry to keep bothering you about it.

Because if privacyIDEA-apache2 just uses the latest of the currently configured apt or CentOS repository for the webserver and the database, then I would not install and configure apache2/mysql/nginx as part of my Ansible role. I would rather just use other existing roles for the database and the webserver part. This would make my role more flexible (folks could cluster the DB, use any SQLAlchemy-supported DB, more choices for the webserver). So that’s why I keep bothering you, plus because I am just curious :grinning:
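As an added example (not code from this thread, from privacyIDEA, or from the NetKnights packaging repos): a small Python check for the question raised above, whether a spec’s Requires: line or a control file’s Depends: line actually pins the webserver and database packages. The RPM line is the one quoted from the centos7 spec; the Debian line is constructed for comparison and is not the privacyIDEA Ubuntu packaging.

```python
import re

# The RPM "Requires:" line quoted in the thread (NetKnights centos7 spec, line 18),
# with the %{version} macro left unexpanded exactly as it appears in the spec.
RPM_REQUIRES = "Requires:       privacyidea = %{version}, mariadb-server, httpd, mod_ssl, shadow-utils, rng-tools"

# Constructed Debian control "Depends:" line for comparison; NOT taken from the
# privacyIDEA Ubuntu packaging.
DEB_DEPENDS = "Depends: python3 (>= 3.8), apache2, libapache2-mod-wsgi-py3 (= 4.7.1-3), mariadb-server"

RPM_OPS = {"=", ">=", "<=", ">", "<"}
_DEB_DEP = re.compile(r"^(?P<name>\S+?)(?:\s*\(\s*(?P<op><<|<=|=|>=|>>)\s*(?P<ver>[^)]+?)\s*\))?$")


def _strip_tag(line, tag):
    """Drop a leading 'Tag:' if present, so both bare and full lines are accepted."""
    head, sep, rest = line.partition(":")
    return rest if sep and head.strip() == tag else line


def parse_rpm_requires(line):
    """Map each dependency on an RPM Requires: line to (op, version) or None.
    RPM accepts comma- or whitespace-separated entries, so both are handled."""
    tokens = _strip_tag(line, "Requires").replace(",", " ").split()
    deps, i = {}, 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] in RPM_OPS:
            deps[tokens[i]] = (tokens[i + 1], tokens[i + 2])
            i += 3
        else:
            deps[tokens[i]] = None
            i += 1
    return deps


def parse_deb_depends(line):
    """Same mapping for a Debian control Depends: line; alternatives (a | b)
    are recorded as separate entries, each with its own optional constraint."""
    deps = {}
    for clause in _strip_tag(line, "Depends").split(","):
        for alt in clause.split("|"):
            m = _DEB_DEP.match(alt.strip())
            if m:
                deps[m.group("name")] = (m.group("op"), m.group("ver")) if m.group("op") else None
    return deps


def unpinned(deps):
    """Names that carry no version constraint at all, sorted for stable output."""
    return sorted(name for name, constraint in deps.items() if constraint is None)


if __name__ == "__main__":
    for label, deps in (("rpm", parse_rpm_requires(RPM_REQUIRES)), ("deb", parse_deb_depends(DEB_DEPENDS))):
        print(label, "unpinned:", ", ".join(unpinned(deps)) or "none")
```

For the quoted spec line this reports httpd and mariadb-server as unpinned, which is the point made in the post: nothing in the spec itself ties the webserver or database version to the privacyIDEA release.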

We also do not pin the kernel version! :wink:

The important stuff happens in the python virtualenv.

You need an apache for the privacyIDEA app server role!
Of course I think it is a good idea to use an external DB.
