Official ansible role to configure privacyIDEA

Hey guys, I looked into your project since we are phasing out the Yubico OTP validation software at our company (somehow Yubico decided that it is no longer a need to be able to validate your tokens on premises). And I’m a great fan. So, I am practicing for my RHCE exam and I was thinking that there is no official Ansible role that configures privacyIDEA (and Ansible is in a way a de facto standard these days to deploy a solution, aside from k8s of course). And I was thinking, is there any desire to have this, or are you already working on it? Because I would love to do something meaningful as practice for my RHCE. And if I were to start, where would we agree on the scope and flexibility of the role, etc.?

By the way, you guys should tell Yubico that they should link you on their old Yubico validation server page. Since I feel like a lot of high security setup systems were looking for something that can do Yubico OTP validation and is actively maintained. I almost did not find you guys and you are probably one of the only professionally maintained Yubico on-premises validation software providers (there exist many Python and Go ports but they are not maintained, let alone secure). A link to your product here would be nice: YubiCloud Validation Servers

There is not, right. I think this is not our primary task to provide this.

No.

If you have any question in regards to privacyIDEA, shoot. This would be great. But you need to do the logical transfer to Ansible yourself.

They try to be product neutral at this point.

They only list possible products at “works with yubikey” here:

It’s a shame because I looked at most other solutions that can do Yubico OTP and none of them looked even close to something that you could run in production with confidence. So privacyIDEA is probably the only solution out there that can validate Yubico OTP on premises that is actively maintained.

Do you have some installation method that has priority development/support wise? For example, for me it seems that the Ubuntu install has priority since there are privacyIDEA Ubuntu 22.04 packages, whereas with CentOS the latest is for CentOS 7 I think. I guess as first priority I would support the pip installation method since it’s more universal. Second priority support would be Ubuntu and last CentOS.

Thank you for the positive feedback! :slight_smile:

Community-wise we have Ubuntu repositories.

Enterprise-wise the company NetKnights provides packages and repos for Ubuntu LTS (22.04 in late beta) and RHEL 7 and 8.

Hmm, I am just thinking about whether I should just install the Deb / RPM package via Ansible or just do the pip installation method via Ansible.

Do you pin the mysql and/or apache2/nginx version explicitly when you create the package? Then it might make more sense to use the package because the webserver and database are pinned correctly and the version compatibility of privacyIDEA and apache2/nginx/mysql is guaranteed.
Is the deb / rpm packaging pipeline a public repository? I could not find it in your GitHub space.

Yes

Yes. Look at the “NetKnights-GmbH” github account.

I found your repo. I must admit I am not super familiar with Makefiles (we use FPM at our office), so the only line where you could pin httpd was this one:

Requires:       privacyidea = %{version}, mariadb-server, httpd, mod_ssl, shadow-utils, rng-tools

https://github.com/NetKnights-GmbH/centos7/blob/master/SPECS/privacyidea-server.spec at line 18 but there the version is not pinned. The only way to enforce an exact version of httpd would be if on your build server (lancelot) a specific httpd stream is enabled.

The same goes for the ubuntu build: Within the repo I do not see a version pinning. So it would have to be enforced on the build server as well. Sorry to keep bothering you about it.

Because if privacyIDEA-apache2 just uses the latest of the currently configured apt or CentOS repository for the webserver and the database, then I would not install and configure apache2/mysql/nginx as part of my Ansible role. I would rather just use other existing roles for the database and the webserver part. This would make my role more flexible (folks could cluster the db, use any SQLAlchemy supported db, more choices for the webserver). So that’s why I keep bothering you, plus I am just curious :grinning:

We also do not pin the kernel version! :wink:

The important stuff happens in the python virtualenv.

You need an apache for the privacyIDEA app server role!
Of course I think it is a good idea to use an external DB.


So I finished my role, it took me a while :sweat_smile: The repository is here: GitHub - GitarPlayer/ansible-role-privacyidea

The Ansible control node is tested with python >= 3.8 against all the Ansible 6.x versions (it takes about 5 hours to test the whole matrix). It passes the ansible-lint production profile and yamllint.

I wrote the role with maximum flexibility in mind (HA clustering with MySQL or Postgres), so you can use any db with any webserver with any role. I do end-to-end testing with Apache and MySQL (geerlingguy roles) where the database is hosted on a separate VM. I check if it works with SELinux and firewalling.

Currently I only support RHEL8/9 and its binary compatible derivatives (AlmaLinux, Rocky Linux), because I think you should use SELinux for your MFA system. RHEL7 is only getting security patches until 2024.

Before I publish it to ansible-galaxy for easy reuse I have some questions.

  1. Do you have any good ideas on how I could test a good installation (I do check if I can log in via the API, create a resolver and a realm in my CI/CD deployment ansible-role-privacyidea/test_default.py at main · GitarPlayer/ansible-role-privacyidea · GitHub)? Maybe you know something good to test.
  2. In the logging.yaml, could you explain to me a bit better what root_level, log_level and logger_handlers_level do exactly? (Sorry, too lazy to grep the source code.)
  3. Do you see some improvements? Absolutely needed features?

As soon as privacyidea 3.7.4 is available on pypi I will test it against the patch release.

Thanks for your time, cheers


No. There would probably be too many different scenarios.

I would basically check:

  1. Does the webui work (complete stack: webui → API → database)?

  2. Problems could occur with quirky DB settings and result in timing and redundancy issues. But imho this would not be the task of the Ansible role. There should still be a guy with brains in front of the computer!

  3. With HA you could test replication:

    • create token on node A
    • check token on node B
    • delete token on node B
    • check that token is gone on node A

This is the normal Python logging config syntax.
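The HA replication check suggested above (create on node A, check on node B, delete on node B, check it is gone on node A), written as an added example that is not from this thread or from the privacyIDEA project. It drives the privacyIDEA REST endpoints /auth, /token/init, /token and /token/<serial>; the node URLs, admin credentials, the token serial and the raw-JWT Authorization header are assumptions, and the in-memory FakeNode is a constructed stand-in so the check can run offline.

```python
import json
import urllib.request

class PINode:
    """Minimal REST client for one privacyIDEA node (URL and credentials are assumptions)."""

    def __init__(self, base_url, user, password):
        self.base_url, self.user, self.password, self.jwt = base_url.rstrip("/"), user, password, None

    def call(self, method, path, data=None):
        body = json.dumps(data).encode() if data is not None else None
        req = urllib.request.Request(self.base_url + path, data=body, method=method)
        req.add_header("Content-Type", "application/json")
        if self.jwt:
            req.add_header("Authorization", self.jwt)  # assumed: privacyIDEA takes the raw JWT, no "Bearer"
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)

    def login(self):
        r = self.call("POST", "/auth", {"username": self.user, "password": self.password})
        self.jwt = r["result"]["value"]["token"]

    def init_token(self, serial):  # HOTP with a server-generated key; the serial is our marker
        self.call("POST", "/token/init", {"type": "hotp", "serial": serial, "genkey": 1})

    def token_exists(self, serial):
        return self.call("GET", f"/token?serial={serial}")["result"]["value"]["count"] > 0

    def delete_token(self, serial):
        self.call("DELETE", f"/token/{serial}")

class FakeNode:
    """Constructed offline stand-in: two nodes built on the same dict behave like a
    replicated database; separate dicts simulate broken replication."""
    def __init__(self, db): self.db = db
    def login(self): pass
    def init_token(self, serial): self.db[serial] = "hotp"
    def token_exists(self, serial): return serial in self.db
    def delete_token(self, serial): self.db.pop(serial, None)

def check_replication(node_a, node_b, serial="REPLTEST0001"):
    """Run the four replication steps; returns {step: passed} plus an 'all' flag."""
    node_a.login()
    node_b.login()
    node_a.init_token(serial)                                   # 1. create token on node A
    steps = {"created_on_a_seen_on_b": node_b.token_exists(serial)}   # 2. check on node B
    node_b.delete_token(serial)                                 # 3. delete token on node B
    steps["deleted_on_b_gone_on_a"] = not node_a.token_exists(serial)  # 4. gone on node A?
    node_a.delete_token(serial)  # cleanup so a half-replicated token does not linger on A
    steps["all"] = all(steps.values())
    return steps
```

With real nodes, `check_replication(PINode("https://pi-a.example/", "admin", "pw"), PINode("https://pi-b.example/", "admin", "pw"))` runs the same sequence over HTTPS.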