Hey guys, I looked into your project since we are phasing out the Yubico OTP validation software at our company (somehow Yubico decided that there is no longer a need to be able to validate your tokens on premises). And I’m a great fan. So, I am practicing for my RHCE exam and I was thinking that there is no official Ansible role that configures privacyIDEA (and Ansible is in a way a de facto standard these days to deploy a solution, aside from k8s of course). And I was thinking: is there any desire to have this, or are you already working on it? Because I would love to do something meaningful as practice for my RHCE. And if I were to start, where would we agree on the scope and flexibility of the role etc.?
By the way, you guys should tell Yubico that they should link you on their old Yubico validation server page, since I feel like a lot of high security setup systems were looking for something that can do Yubico OTP validation and is actively maintained. I almost did not find you guys, and you are probably one of the only professionally maintained Yubico on-premises validation software providers (there exist many Python and Go ports, but they are not maintained, let alone secure). A link to your product here would be nice: YubiCloud Validation Servers
It’s a shame because I looked at most other solutions that can do Yubico OTP and none of them looked even close to something that you could run in production with confidence. So privacyIDEA is probably the only solution out there that can validate Yubico OTP on premises that is actively maintained.
Do you have some installation method that has priority development/support-wise? For example, for me it seems that the Ubuntu install has priority since there are privacyIDEA Ubuntu 22.04 packages, whereas with CentOS the latest is for CentOS 7, I think. I guess as first priority I would support the pip installation method since it’s more universal. Second priority support would be Ubuntu and last CentOS.
Hmm, I am just thinking about whether I should just install the deb / RPM package via Ansible or just do the pip installation method via Ansible.
Do you pin the MySQL and/or apache2/nginx version explicitly when you create the package? Then it might make more sense to use the package, because the webserver and database are pinned correctly and the version compatibility of privacyIDEA and apache2/nginx/MySQL is guaranteed.
Is the deb / rpm packaging pipeline a public repository? I could not find it in your GitHub space.
The same goes for the Ubuntu build: within the repo I do not see any version pinning. So it would have to be enforced on the build server as well. Sorry to keep bothering you about it.
Because if privacyIDEA-apache2 just uses the latest of the currently configured apt or CentOS repository for the webserver and the database, then I would not install and configure apache2/mysql/nginx as part of my Ansible role. I would rather just use other existing roles for the database and the webserver part. This would make my role more flexible (folks could cluster the db, use any SQLAlchemy-supported db, more choices for the webserver). So that’s why I keep bothering you, plus because I am just curious.