zezere: role/playbook to deploy Zezere

Zezere is the Fedora IoT device provisioning service.  It is the
software that runs *provision.fedoraproject.org*, but it can be
self-hosted (if you can figure it out; there is no documentation
whatsoever).

The main use case for running Zezere locally is to automatically add
trusted SSH public keys to Fedora IoT devices, without depending on a
cloud service.  This playbook sets up Zezere with the very minimal
configuration needed to meet this goal.

roles/zezere/defaults/main.yml

@@ -0,0 +1,3 @@
+zezere_allowed_hosts:
+- '{{ ansible_fqdn }}'
+- zezere.{{ ansible_domain }}

roles/zezere/files/zezere.httpd.conf

@@ -0,0 +1,14 @@
+# vim: set ft=apache :
+
+WSGIDaemonProcess zezere \
+	user=zezere \
+	group=zezere \
+	display-name=%{GROUP}
+
+
+WSGIScriptAlias / /usr/local/share/zezere.wsgi \
+    process-group=zezere
+
+<Location />
+    Require all granted
+</Location>

roles/zezere/files/zezere.wsgi

@@ -0,0 +1 @@
+from zezere.wsgi import application

roles/zezere/handlers/main.yml

@@ -0,0 +1,2 @@
+- name: relabel zezere data directory
+  command: restorecon -RF /var/lib/zezere

roles/zezere/meta/main.yml

@@ -0,0 +1,4 @@
+dependencies:
+- role: apache
+  tags:
+  - apache

roles/zezere/tasks/main.yml

@@ -0,0 +1,82 @@
+- name: ensure zezere is installed
+  package:
+    name: '{{ zezere_packages }}'
+    state: present
+  register: install_zezere
+  tags:
+  - install
+
+- name: ensure zezere group is present
+  group:
+    name: zezere
+    system: true
+    state: present
+  tags:
+  - user
+  - group
+- name: ensure zezere user is present
+  user:
+    name: zezere
+    group: zezere
+    system: true
+    shell: /sbin/nologin
+    home: /var/lib/zezere
+    createhome: false
+    state: present
+  tags:
+  - user
+
+- name: ensure zezere data directory exists
+  file:
+    path: /var/lib/zezere
+    owner: zezere
+    group: zezere
+    mode: '0700'
+    state: directory
+  tags:
+  - datadir
+- name: ensure zezere data directory selinux label is set
+  sefcontext:
+    path: /var/lib/zezere(/.*)?
+    setype: httpd_var_lib_t
+    state: present
+  notify: relabel zezere data directory
+  tags:
+  - datadir
+  - selinux
+
+- name: ensure zezere is configured
+  template:
+    src: zezere.conf.j2
+    dest: /etc/zezere.conf
+    mode: '0640'
+    owner: root
+    group: zezere
+  notify:
+  - reload httpd
+  tags:
+  - config
+
+- name: run zezere database migrations
+  become: true
+  become_user: zezere
+  command:
+    zezere-manage migrate
+  when: >-
+    zezere_migrate|d|bool or
+    install_zezere is defined and install_zezere.changed
+  tags:
+  - migration
+
+- name: ensure zezere wsgi script is installed
+  copy:
+    src: zezere.wsgi
+    dest: /usr/local/share/zezere.wsgi
+  notify: reload httpd
+- name: ensure apache is configured to serve zezere
+  copy:
+    src: zezere.httpd.conf
+    dest: /etc/httpd/conf.d/zezere.conf
+  notify: reload httpd
+  tags:
+  - apache-config

roles/zezere/templates/zezere.conf.j2

@@ -0,0 +1,25 @@
+[global]
+secret_key = {{ zezere_secret_key }}
+debug = no
+allowed_hosts = {{ zezere_allowed_hosts|join(' ') }}
+secure_cookie = yes
+auth_method = local
+
+[oidc.rp]
+# client_id =
+# client_secret =
+sign_algo = RS256
+
+[oidc.op]
+# authorization_endpoint =
+# token_endpoint =
+# userinfo_endpoint =
+# jwks_endpoint =
+
+[database]
+engine = django.db.backends.sqlite3
+name = /var/lib/zezere/db.sqlite3
+
+[secure_proxy_ssl_header]
+# header = HTTP_X_FORWARDED_PROTO
+# value = https

roles/zezere/vars/main.yml

@@ -0,0 +1,3 @@
+zezere_packages:
+- mod_wsgi
+- zezere

zezere.yml

@@ -0,0 +1,6 @@
+- hosts: zezere
+  vars_files:
+  - vault/zezere/{{ inventory_hostname }}
+  roles:
+  - role: zezere
+    tags: zezere