Hey guys I looked into your project since we are phasing out the Yubico OTP validation software at our company (somehow Yubico decided that it is no longer a need to be able to validate your tokens on premises). And I’m a great fan. So, I am practicing for my RHCE exam and I was thinking that there is no official Ansible role that configures privacyIDEA (and Ansible is in a way a de facto standard these days to deploy a solution, aside from k8s of course). And I was thinking is there any desire to have this, are you already working on it? Because I would love to do something meaningful as practice for my RHCE. And if I were to start where would we agree on the scope and flexibility of the role etc.
By the way you guys should tell Yubico that they should link you on their old Yubico validation server page. Since I feel like a lot of high security setup systems were looking for something that can do Yubico OTP validation and is actively maintained. I almost did not find you guys and you are probably one of the only professionally maintained yubico on premises validation software provider (there exists many python, go ports but they are not maintained let alone secure). A link to your product here would be nice: YubiCloud Validation Servers
It’s a shame because I looked at most other solutions that can do Yubico OTP and none of them looked even close to something that you could run in production with confidence. So PrivacyIDEA is probably the only solution out there that can validate Yubico OTP on premises that is actively maintained.
Do you have some installation method that has priority development/support wise? For example for me it seems that the ubuntu install has priority since there are privacyIDEA ubuntu 22.04 packages whereas with CentOS the latest is for CentOS 7 I think. I guess as first priority I would support the pip installation method since it’s more universal. Second priority support would be Ubuntu and last CentOS.
Hmm I am just thinking about if I should just install the Deb / RPM package via Ansible or just do the pip installation method via Ansible.
Do you pin the mysql and/or apache2/nginx version explicitly when you create the package? Then it might make more sense to use the package because the webserver and database are pinned correctly and the version compatibility of privacyIDEA and apache2/nginx/mysql is guaranteed.
Is the deb / rpm packaging pipeline a public repository? I could not find it in your GitHub space.
I found your repo I must admit I am not super familiar with Makefiles (we use FPM at our office) so the only line where you could pin httpd was this one:
The same goes for the ubuntu build: Within the repo I do not see a version pinning. So it would have to be enforced on the build server as well. Sorry to keep bothering you about it.
Because if privacyIDEA-apache2 just uses latest of the currently configured apt or centos repository for the webserver and the database then I would not install and configure apache2/mysql/nginx as part of my ansible role. I would rather just use other existing roles for the database and the webserver part. This would make my role more flexible (folks could cluster the db, use any SLQalchemy supported db, more choices for the webserver). So that’s why I keep bothering you plus because I am just curious
The ansible control node is tested with python >= 3.8 against all the ansible 6.x. versions (it takes about 5 hours to test the whole matrix). It passes the ansible-lint production profile and yamllint.
I wrote the role for maximum flexibility in mind (HA clustering with mySQL or Postgres) so you can use any db with any webserver with any role. I do end-to-end testing with apache and mySQL (geerlingguy roles) where the database is hosted on a separate VM. I check if it works with SELinux and Firewalling.
Currently I only support RHEL8/9 and its binary compatible derivates (AlmaLinux, Rockylinux). Because I think you should use SELinux for your MFA system. RHEL7 is only getting security patches till 2024.
Before I publish it to ansible-galaxy for easy reuse I have some questions.
In the logging.yaml could you explain me a bit better what root_level, log_level and logger_handlers_level do exactly ( sorry to lazy to grep the source code)
Do you see some improvements? Absolutely needed features?
As soon as privacyidea 3.7.4 is available on pypi I will test it against the patch release.
No. There would probably to many different scenarios.
I would basically check:
Does the webui work (complete stack: webui → API → database
Problems could occur with quirky DB settings and result in timing and redundancy issues. But imho this would not be the task of the ansible role. THere should still be a guy with brains in front of the computer!