$ANSIBLE_VAULT;1.1;AES256
62386537326331346332353038653137616430366531626637653762636135353232653835333831
6431393138396537373937663963646365313464326565380a386266316266316463663163343434
62333165643134663564366136633238613238373636353033303136653662343465326665616239
3161326364306430350a343138653566363464333366353131383430336431363964613831303561
34636163313064643830336665386635396231646533356163623938323165626236336633393863
63313338316639333033393239336131306231346237353934393838323861646264656361346533
32363864663436613333373130383462656134386632636337376539323562366137313762623433
34663561626265626165383736656566353135336630656638373139353238636262313035366265
61653965636331626162323539353635626337313830616634323236656463316331
62336563323762646634643633386665333866653263363636326665396132653433336635366439
6138343537306135663332306465643337333733613530390a353331666236633437666237383536
39373036373963633234663234386164373663366530323963363732393061333562363636303431
6530353331613734330a343065366162346263396262316133323362656234343036623861626164
32316337666433386162656534376533383064666365303261393534306134643831666265656637
33353239623830323039343237303164316636636431346361336437333037356635363461366434
36326365313663363939393565663535396130383961303763303461303961636639623136623039
31646630613161633835613636613339303038633961383930623165646366396361343933396464
38623937623633326463303734623738663535393332356361646136313331656135383639623866
37386332653964323636333063323439653436386436383263316465313262633532393839636633
65346336346264343730323330633333336366633065336230316234386661373235356330346339
61353835646665396363336232633733626661336361623364623433303065383131373062663965
34353033396636343165373061653834653862343962373630636630373164646139
---
security_tracker_version: "780b05c5d7d47b3f298f801df6cbe16a56746379"
security_tracker_version: "8ce112b697b81a6df5a3f8c8650344549a124614"
......@@ -16,7 +16,8 @@
- git
- make
- python
- python-sqlalchemy1.3
- python-authlib
- python-sqlalchemy
- python-sqlalchemy-continuum
- python-flask
- python-flask-sqlalchemy
......@@ -29,6 +30,7 @@
- python-feedgen
- python-pytz
- python-email-validator
- python-markupsafe
- pyalpm
- sqlite
- expac
......@@ -102,7 +104,7 @@
- name: deploy new release
become: true
become_user: security
file: path=/etc/uwsgi/vassals/security-tracker.ini state=touch owner=root group=root mode=0644
file: path=/etc/uwsgi/vassals/security-tracker.ini state=touch owner=security group=http mode=0644
when: release.changed
- name: start and enable security-tracker timer
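Review bot: The vassal file `/etc/uwsgi/vassals/security-tracker.ini` is now owned by the `security` service account, which makes the configuration the emperor loads for this app writable by the very account it confines; that layout is the intended one only when the emperor runs in tyrant mode, where a vassal's uid/gid are taken from the file owner and root-owned vassal files are not started. The emperor configuration is not on this page, so confirm it sets `emperor-tyrant`; with a root emperor in plain mode the service account would be able to alter how its own vassal is run. Also, the task executes under `become_user: security` (context line above), so `group=http` can only be applied if `security` is a member of `http` or the file already carries that group, since a non-member cannot chgrp to it. A one-line comment above the task would make the contract explicit, e.g. `# owner/group must match the vassal uid/gid (emperor tyrant mode)`. The task list continues outside the hunk.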
......
[flask]
secret_key = '{{ vault_security_tracker.secret_key }}'
[sso]
enabled = yes
metadata_url = https://accounts.archlinux.org/auth/realms/archlinux/.well-known/openid-configuration
client_id = openid_security_tracker
client_secret = {{ vault_security_tracker_openid_client_secret }}
administrator_group = /Arch Linux Staff/Security Team/Admins
security_team_group = /Arch Linux Staff/Security Team/Members
reporter_group = /External Contributors/Security Team/Reporters
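Review bot: `client_secret` is written unquoted while `secret_key` in the `[flask]` section above is wrapped in single quotes; under Python's configparser the quotes become part of the value, so the two keys are not read the same way, and for `client_secret` the raw string is what the app presents to the identity provider, so the form the parser actually expects must be the one used. Which parser reads this file is not visible here; state it in a header comment so the next secret is written consistently, e.g. `; read by configparser: values are unquoted, a literal % must be written %%`. That last point matters because `{{ vault_security_tracker_openid_client_secret }}` is inserted verbatim — a generated secret containing `%` would fail at read time under configparser's default interpolation. The rendered file holds two secrets, so the task that templates it (not on this page) should restrict its mode to the service account.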
......@@ -46,6 +46,12 @@ data "external" "vault_matrix" {
"--format", "json"]
}
data "external" "vault_security_tracker" {
program = ["${path.module}/../misc/get_key.py", "${path.module}/../group_vars/all/vault_security_tracker.yml",
"vault_security_tracker_openid_client_secret",
"--format", "json"]
}
provider "keycloak" {
client_id = "admin-cli"
username = data.external.vault_keycloak.result.vault_keycloak_admin_user
......@@ -855,3 +861,27 @@ resource "keycloak_openid_client" "gluebuddy_openid_client" {
"https://gitlab.archlinux.org/"
]
}
resource "keycloak_openid_client" "security_tracker_openid_client" {
realm_id = "archlinux"
client_id = "openid_security_tracker"
client_secret = data.external.vault_security_tracker.result.vault_security_tracker_openid_client_secret
name = "Security Tracker"
enabled = true
access_type = "CONFIDENTIAL"
standard_flow_enabled = true
valid_redirect_uris = [
"https://security.archlinux.org/*",
]
web_origins = []
}
resource "keycloak_openid_group_membership_protocol_mapper" "group_membership_mapper" {
realm_id = "archlinux"
client_id = keycloak_openid_client.security_tracker_openid_client.id
name = "group-membership-mapper"
claim_name = "groups"
}
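Review bot: `valid_redirect_uris` for `security_tracker_openid_client` uses the wildcard `https://security.archlinux.org/*`, which allows the authorization code to be delivered to any path on that host; Keycloak's guidance is to register the exact callback path so that an open redirect elsewhere on the site cannot be used to capture it. The app's callback route is not on this page — replace the entry with the exact path, e.g. `"https://security.archlinux.org/<callback-path>"` (placeholder), keeping a wildcard only if the app genuinely returns to arbitrary pages. Note also that the client secret resolved through `data "external" "vault_security_tracker"` in the first hunk is stored in plaintext in Terraform state, as with the existing vault data sources, so the state backend needs the same protection as the vault itself.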