From 5eec0682a01093ccc353dd094cdf90a3116ae4ef Mon Sep 17 00:00:00 2001 From: Daniel Berteaud Date: Mon, 8 Jan 2024 11:00:40 +0100 Subject: [PATCH] Update to 2024-01-08 11:00 --- roles/lemonldap_ng/defaults/main.yml | 7 ++++ roles/lemonldap_ng/tasks/main.yml | 38 +++++++++++------- roles/lemonldap_ng/tasks/nginx.yml | 26 +++++++++++-- .../templates/lemonldap-ng.ini.j2 | 39 ++++++++++++------- roles/odoo/vars/RedHat-9.yml | 2 +- roles/seadrive/files/seadrive.te | 6 +-- 6 files changed, 83 insertions(+), 35 deletions(-) diff --git a/roles/lemonldap_ng/defaults/main.yml b/roles/lemonldap_ng/defaults/main.yml index 5b447c1..63bea85 100644 --- a/roles/lemonldap_ng/defaults/main.yml +++ b/roles/lemonldap_ng/defaults/main.yml @@ -19,6 +19,11 @@ llng_manager_vhost: sso-manager.{{ ansible_domain }} # If llng_portal and llng_manager are both set to False (only the handler is deployed) # which conf backend to use. can be api or mysql llng_conf_backend: api +llng_sessions_backend: "{{ llng_conf_backend }}" + +# If using the REST API as backend, you must configure the URL endpoint +# llng_api_conf_url: https://auth.example.org/index.psgi/config +# llng_api_sessions_url: https://auth.example.org/index.psgi/sessions/global # List of IP allowed to access SOAP endpoints # Empty or undefined disable api endpoints @@ -39,6 +44,8 @@ llng_reload_use_proxy: False # If defined, access to api endpoints will require basic auth. llng_api_user: lemonldapapi # llng_api_pass: sEcr3t.P@ssw0rd +# If basic auth is used to access the API, you must set the realm +llng_api_realm: Lemonldap::NG API # SSL for vhosts # llng_portal_ssl: diff --git a/roles/lemonldap_ng/tasks/main.yml b/roles/lemonldap_ng/tasks/main.yml index 5cc3eb8..c575f9e 100644 --- a/roles/lemonldap_ng/tasks/main.yml +++ b/roles/lemonldap_ng/tasks/main.yml 
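Review bot: The new `llng_api_realm` default only works if it equals the realm the portal's API vhost presents in its `WWW-Authenticate` challenge (nginx `auth_basic` / Apache `AuthName`): LWP-based clients send Basic credentials only for a matching host+realm pair, so a mismatch shows up as silent 401s on config and session fetches instead of a deploy-time error, and that vhost template is not in this diff, so I cannot confirm both sides agree. The comment above the default should say so, e.g. `# Must match the basic-auth realm served by the portal's API vhost (nginx auth_basic / Apache AuthName); a mismatch makes remote handlers fail with 401`. The `llng_api_sessions_url` comment deserves a similar warning: with `llng_sessions_backend: api` that endpoint hands out full session contents to whoever can reach it, so `llng_api_pass` should be described as mandatory rather than optional for that mode, and the URL should stay `https://`. Minor: quoting the default (`llng_api_realm: 'Lemonldap::NG API'`) makes it read unambiguously as a string next to the templated `llng_sessions_backend` value.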
@@ -9,22 +9,37 @@ tags: web - name: Install common packages - yum: name={{ llng_common_packages }} + package: name={{ llng_common_packages }} tags: web - name: Install Lemonldap::NG handler - yum: name=lemonldap-ng-handler - when: llng_handler == True + package: name=lemonldap-ng-handler + when: llng_handler + tags: web + +- name: Remove Lemonldap::NG handler + package: name=lemonldap-ng-handler state=absent + when: not llng_handler tags: web - name: Install Lemonldap::NG portal - yum: name={{ llng_portal_packages }} - when: llng_portal == True + package: name={{ llng_portal_packages }} + when: llng_portal + tags: web + +- name: Remove Lemonldap::NG portal + package: name=lemonldap-ng-portal state=absent + when: not llng_portal tags: web - name: Install Lemonldap::NG manager - yum: name={{ llng_manager_packages }} - when: llng_manager == True + package: name={{ llng_manager_packages }} + when: llng_manager + tags: web + +- name: Remove Lemonldap::NG manager + package: name=lemonldap-ng-manager state=absent + when: not llng_manager tags: web - name: Create directories @@ -36,11 +51,6 @@ - include_tasks: "{{ llng_server }}.yml" tags: always -- name: Deploy manager's nginx configuration - template: src=nginx_manager.conf.j2 dest=/etc/nginx/ansible_conf.d/23-llng_manager.conf - when: llng_manager == True and llng_server == 'nginx' - notify: reload nginx - - include_tasks: mysql.yml when: llng_conf_backend == 'mysql' tags: always @@ -56,7 +66,7 @@ - name: Copy applications logo synchronize: src=logos/ dest=/usr/share/lemonldap-ng/portal/htdocs/static/common/apps/ - when: llng_portal == True + when: llng_portal tags: web - name: Remove old custom logo dir @@ -121,7 +131,7 @@ mode: 0640 when: - llng_api_pass is defined - - llng_portal == True + - llng_portal tags: web - name: Add a cron task to renew OIDC keys diff --git a/roles/lemonldap_ng/tasks/nginx.yml b/roles/lemonldap_ng/tasks/nginx.yml index 232220b..e801a22 100644 --- a/roles/lemonldap_ng/tasks/nginx.yml 
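Review bot: The new `Remove Lemonldap::NG handler` task (`package: name=lemonldap-ng-handler state=absent` with `when: not llng_handler`) can take more than the handler with it: dnf/apt also remove dependent packages, and if the portal or manager packages depend on `lemonldap-ng-handler` (upstream packaging does, as far as I recall — verify on the target distro), a host with `llng_handler: false` and `llng_portal: true` loses the portal it just installed. Guard it, e.g. `when: not llng_handler and not llng_portal and not llng_manager`, or drop the handler removal entirely. The portal and manager removals also remove a single package while the matching install tasks use the `llng_portal_packages` / `llng_manager_packages` lists, so any extra packages in those lists stay behind; `package: name={{ llng_portal_packages }} state=absent` keeps install and removal symmetric. Style: since every task here is being rewritten anyway, block-style module args (`package:` with `name:` / `state:` keys) would match the block-style task with `mode: 0640` later in this file instead of the `key=value` strings.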
+++ b/roles/lemonldap_ng/tasks/nginx.yml @@ -40,19 +40,39 @@ dest: /etc/nginx/ansible_location.d/10-llng_handler.conf - src: llng_headers.inc.j2 dest: /etc/nginx/ansible_conf.d/llng_headers.inc - when: llng_handler == True + when: llng_handler + notify: reload nginx + tags: web + +- name: Remove handler's nginx configuration + file: path={{ item }} state=absent + loop: + - /etc/nginx/ansible_location.d/10-llng_handler.conf + - /etc/nginx/ansible_conf.d/llng_headers.inc + when: not llng_handler notify: reload nginx tags: web - name: Deploy portal's nginx configuration template: src=nginx_portal.conf.j2 dest=/etc/nginx/ansible_conf.d/22-llng_portal.conf - when: llng_portal == True + when: llng_portal + notify: reload nginx + tags: web + +- name: Remove portal's nginx configuration + file: path=/etc/nginx/ansible_conf.d/22-llng_portal.conf state=absent + when: not llng_portal notify: reload nginx tags: web - name: Deploy manager's nginx configuration template: src=nginx_manager.conf.j2 dest=/etc/nginx/ansible_conf.d/23-llng_manager.conf - when: llng_manager == True + when: llng_manager and llng_server == 'nginx' notify: reload nginx tags: web +- name: Remove manager's nginx configuration + file: path=/etc/nginx/ansible_conf.d/23-llng_manager.conf state=absent + when: not llng_manager and llng_server == 'nginx' + notify: reload nginx + tags: web diff --git a/roles/lemonldap_ng/templates/lemonldap-ng.ini.j2 b/roles/lemonldap_ng/templates/lemonldap-ng.ini.j2 index f4b53f3..4c0a6f1 100644 --- a/roles/lemonldap_ng/templates/lemonldap-ng.ini.j2 +++ b/roles/lemonldap_ng/templates/lemonldap-ng.ini.j2 
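Review bot: The new `Remove handler's nginx configuration` task hard-codes two paths, but the deploy loop it mirrors starts above this hunk (the first visible line is already mid-item at `dest: /etc/nginx/ansible_location.d/10-llng_handler.conf`), so any further `src`/`dest` pairs there are deployed when `llng_handler` is true and never removed when it is false; a stale handler snippet left in `ansible_location.d` would likely keep vhosts referencing handler locations that no longer exist, so the two lists should be one shared variable (e.g. `llng_nginx_handler_files`) rather than two copies. The `and llng_server == 'nginx'` clause on the two manager tasks is dead weight in this file, which is only reached through `include_tasks: "{{ llng_server }}.yml"`, and the handler/portal tasks right above it do not repeat it; for consistency use `when: llng_manager` and `when: not llng_manager`.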
@@ -4,23 +4,14 @@ logLevel = notice logger = Lemonldap::NG::Common::Logger::Syslog userLogger = Lemonldap::NG::Common::Logger::Syslog -{% if llng_conf_backend == 'file' %} +{% if llng_sessions_backend == 'file' %} globalStorage = Apache::Session::File globalStorageOptions = { \ 'Directory' => '/var/lib/lemonldap-ng/sessions/', \ 'LockDirectory' => '/var/lib/lemonldap-ng/sessions/lock/', \ 'generateModule' => 'Lemonldap::NG::Common::Apache::Session::Generate::SHA256' \ } -{% endif %} -localSessionStorage = Cache::FileCache -localSessionStorageOptions = { \ - 'namespace' => 'sessions', \ - 'default_expires_in' => '{{ llng_session_cache }}', \ - 'directory_umask' => '007', \ - 'cache_root' => '/var/cache/lemonldap-ng', \ - 'cache_depth' => 3 \ -} -{% if llng_conf_backend == 'mysql' %} +{% elif llng_sessions_backend == 'mysql' %} {% for type in llng_session_tables.keys() | list %} {{ type }}Storage = Apache::Session::Browseable::MySQL {{ type }}StorageOptions = { \ @@ -34,7 +25,26 @@ localSessionStorageOptions = { \ 'generateModule' => 'Lemonldap::NG::Common::Apache::Session::Generate::SHA256' \ } {% endfor %} +{% elif llng_sessions_backend == 'api' %} +globalStorage = Lemonldap::NG::Common::Apache::Session::REST +globalStorageOptions = { \ + 'baseUrl' => "{{ llng_api_sessions_url }}", \ +{% if llng_api_user is defined and llng_api_pass is defined %} + 'user' => "{{ llng_api_user }}", \ + 'password' => "{{ llng_api_pass }}", \ + 'realm' => "{{ llng_api_realm }}" \ {% endif %} +} +{% endif %} + +localSessionStorage = Cache::FileCache +localSessionStorageOptions = { \ + 'namespace' => 'sessions', \ + 'default_expires_in' => '{{ llng_session_cache }}', \ + 'directory_umask' => '007', \ + 'cache_root' => '/var/cache/lemonldap-ng', \ + 'cache_depth' => 3 \ +} [configuration] {% if llng_conf_backend == 'file' %} 
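Review bot: In the new `api` branch the credentials are written inside Perl double quotes, `'password' => "{{ llng_api_pass }}"`, but `globalStorageOptions` is a Perl hash literal (that is why `=>` works), so a password containing `$`, `@`, `"` or `\` is either interpolated or breaks the parse — a `"` turns the remainder of the secret into code — whereas the `file` and `mysql` branches in the same template consistently single-quote their values. Use single quotes and escape the only two characters special there: `'password' => '{{ llng_api_pass | replace("\\", "\\\\") | replace("'", "\\'") }}', \`, and the same treatment for `user`, `realm` and `baseUrl`. The file now carries the API secret in cleartext in two places (here and in `[configuration]` in the next hunk); the owner/mode of the rendered `lemonldap-ng.ini` is not in this diff, so please confirm it is not world-readable.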
@@ -42,10 +52,11 @@ type = File dirName = /var/lib/lemonldap-ng/conf {% elif llng_conf_backend == 'api' %} type = REST -baseUrl = {{ llng_api_uri }} +baseUrl = {{ llng_api_conf_url }} {% if llng_api_user is defined and llng_api_pass is defined %} -User = {{ llng_api_user }} -Password = {{ llng_api_pass }} +user = {{ llng_api_user }} +password = {{ llng_api_pass }} +realm = {{ llng_api_realm }} {% endif %} proxyOptions = { timeout => 5 } {% elif llng_conf_backend == 'mysql' %} diff --git a/roles/odoo/vars/RedHat-9.yml b/roles/odoo/vars/RedHat-9.yml index de18926..ccbe653 100644 --- a/roles/odoo/vars/RedHat-9.yml +++ b/roles/odoo/vars/RedHat-9.yml @@ -12,7 +12,7 @@ odoo_packages: #- nodejs-less - tar - zstd - - postgresql15 # for pg_dump + - postgresql16 # for pg_dump - git - acl diff --git a/roles/seadrive/files/seadrive.te b/roles/seadrive/files/seadrive.te index eadc991..c743b83 100644 --- a/roles/seadrive/files/seadrive.te +++ b/roles/seadrive/files/seadrive.te @@ -1,10 +1,10 @@ -module seadrive 1.0; +module seadrive 1.1; require { type init_t; type fusermount_exec_t; - class file execute; + class file { open read execute }; } #============= init_t ============== -allow init_t fusermount_exec_t:file execute; +allow init_t fusermount_exec_t:file { open read execute };
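Review bot: `baseUrl = {{ llng_api_conf_url }}` renames the inventory variable from `llng_api_uri` with no fallback and no default in `defaults/main.yml` (only a commented example), so every existing handler-only host that still sets `llng_api_uri` fails template rendering on its next run; either keep a one-release shim, `baseUrl = {{ llng_api_conf_url | default(llng_api_uri) }}`, or call the rename out in the commit message. The added `realm` only helps if it equals the realm the portal's API vhost actually sends, and that template is not in this diff; a one-line comment above the block, `; realm must match the basic-auth realm of the portal API vhost`, saves the next person a 401 hunt. `proxyOptions = { timeout => 5 }` still applies only to the configuration backend, while the new REST session backend in the previous hunk gets no timeout at all, so a hung session store will likely stall every handler request — check whether the REST session module accepts a comparable option and set it if it does.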
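Review bot: `allow init_t fusermount_exec_t:file { open read execute };` is most likely still one AVC short: executing a file from a domain without a domain transition also requires `execute_no_trans` (and on current kernels `map`, plus `getattr`), so the next denial will be on `execute_no_trans` and this module will need a 1.2 as well. If the intent really is for systemd (`init_t`) to run fusermount in place, the complete rule is `allow init_t fusermount_exec_t:file { getattr open read map execute execute_no_trans };`. Since `fusermount` is setuid root, the safer shape is a domain transition into the policy's mount domain rather than running it inside `init_t`; if the base policy ships a domtrans interface for `fusermount_exec_t` (I would check with `sesearch`/`seinfo` before widening `init_t`), prefer that. Either way the rule should carry a comment naming the unit that needs it (a seadrive FUSE mount started from a systemd unit, I assume), so the next reviewer knows why `init_t` is touching fusermount at all.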