diff --git a/roles/taiga/defaults/main.yml b/roles/taiga/defaults/main.yml
index ae3579e..9d2a7ea 100644
--- a/roles/taiga/defaults/main.yml
+++ b/roles/taiga/defaults/main.yml
@@ -81,9 +81,10 @@ taiga_smtp_ssl: "{{ (taiga_smtp_port == 465) | ternary(True, False) }}"
 # OIDC authentication
 taiga_oidc_auth: False
-taiga_oidc_auth_url: https://sso.{{ ansible_domain }}/oauth2/authorize
-taiga_oidc_user_url: https://sso.{{ ansible_domain }}/oauth2/userinfo
-taiga_oidc_token_url: https://sso.{{ ansible_domain }}/oauth2/token
+taiga_oidc_base_url: https://sso.{{ ansible_domain }}/oauth2
+taiga_oidc_auth_url: "{{ taiga_oidc_base_url }}/authorize"
+taiga_oidc_user_url: "{{ taiga_oidc_base_url }}/userinfo"
+taiga_oidc_token_url: "{{ taiga_oidc_base_url }}/token"
 taiga_oidc_scope: openid email profile
 taiga_oidc_name: SSO ({{ ansible_domain }})
 taiga_oidc_client_id: taiga
diff --git a/roles/taiga/tasks/conf.yml b/roles/taiga/tasks/conf.yml
index ec4dd37..1f6ebde 100644
--- a/roles/taiga/tasks/conf.yml
+++ b/roles/taiga/tasks/conf.yml
@@ -35,6 +35,7 @@
 rabbitmqctl add_vhost {{ taiga_amqp_vhost }}
 rabbitmqctl set_permissions -p {{ taiga_amqp_vhost }} {{ taiga_amqp_user }} ".*" ".*" ".*"
 when: taiga_amqp_server in ['localhost', '127.0.0.1']
+ changed_when: False
 tags: taiga
 - when: taiga_install_mode != 'none'
@@ -59,6 +60,17 @@
 app_path: "{{ taiga_root_dir }}/app/back"
 virtualenv: "{{ taiga_root_dir }}/venv"
+ - name: Set permissions for nginx
+ command: |
+ setfacl -R -k -b {{ taiga_root_dir }}
+ setfacl -m u:nginx:x {{ taiga_root_dir }}
+ setfacl -m u:nginx:x {{ taiga_root_dir }}/data
+ setfacl -m u:nginx:x {{ taiga_root_dir }}/app
+ setfacl -m u:nginx:x {{ taiga_root_dir }}/app/back
+ setfacl -R -m u:nginx:rX {{ taiga_root_dir }}/app/front
+ setfacl -R -m u:nginx:rX {{ taiga_root_dir }}/app/back/static
+ setfacl -R -m u:nginx:rX {{ taiga_root_dir }}/data/media
+
 environment:
 DJANGO_SETTINGS_MODULE: settings.config
 CELERY_ENABLED: False
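Review bot: `taiga_oidc_base_url` is left as a plain scalar while the three values derived from it are double-quoted; for consistency, and so that an override starting with `{{` is not read as a flow mapping, write `taiga_oidc_base_url: "https://sso.{{ ansible_domain }}/oauth2"`. A comment above the new key would also help, since an operator now has to override the base URL rather than the three endpoint URLs, e.g. `# Override taiga_oidc_base_url to point all three OIDC endpoints at another issuer`. Worth stating next to it that `ansible_domain` is a gathered fact, so the identity-provider endpoints are derived from the managed host's own DNS configuration rather than from inventory.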
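Review bot: `changed_when: False` makes the rabbitmq provisioning shell task report unchanged even on the run that actually creates the vhost, user and permissions, so the play loses the one signal that tells an operator the broker was (re)configured. If idempotent reporting is the goal, the `community.rabbitmq.rabbitmq_vhost` and `rabbitmq_user` modules give correct change detection without an override; otherwise register the result and derive `changed_when` from its output. The task starts before the hunk, so I cannot see whether the same shell block also runs `rabbitmqctl add_user` with the password on the command line; if it does, the task should carry `no_log: true`, since the rendered command and any failure output would otherwise land in the Ansible log.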
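Review bot: `command: |` hands the whole literal block to the `command` module, which does not run a shell and, as far as I can tell, splits the text into a single argv, so the eight `setfacl` lines collapse into one `setfacl` invocation whose extra `setfacl` tokens are taken as file names; the task then fails or applies the merged options to every listed path. The minimal fix is `shell: |` with `set -e` as the first line so a failing `setfacl` stops the sequence, plus `changed_when: false` (or a registered result) so the task does not report changed on every run. The `ansible.posix.acl` module with `recursive: true` would give idempotent change reporting without a shell, if the extra lines are acceptable. Note too that `setfacl -R -k -b {{ taiga_root_dir }}` walks and strips every ACL under the root on each play, including `backup/` and `data/`; worth confirming nothing else in the role sets ACLs there and that the tree is small enough for a recursive pass every run. The enclosing block starts before the hunk.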
@@ -75,6 +87,16 @@
 environment:
 DJANGO_SUPERUSER_PASSWORD: '{{ taiga_admin_pass }}'
+ # For some reason, the password isn't correctly initialized
+ # Let's reset it using expect
+ - name: Reset admin user password
+ expect:
+ command: "{{ taiga_root_dir }}/venv/bin/python3 ./manage.py changepassword admin"
+ chdir: "{{ taiga_root_dir }}/app/back/"
+ responses:
+ 'Password:\s*': "{{ taiga_admin_pass }}"
+ 'Password \(again\):\s*': "{{ taiga_admin_pass }}"
+
 - name: load initial data
 django_manage:
 command: loaddata initial_project_templates
@@ -86,3 +108,4 @@
 CELERY_ENABLED: False
 become_user: "{{ taiga_user }}"
 tags: taiga
+
diff --git a/roles/taiga/tasks/directories.yml b/roles/taiga/tasks/directories.yml
index 157e9ff..e3b93a1 100644
--- a/roles/taiga/tasks/directories.yml
+++ b/roles/taiga/tasks/directories.yml
@@ -5,7 +5,7 @@
 loop:
 - dir: "{{ taiga_root_dir }}"
 owner: "{{ taiga_user }}"
- group: nginx
+ group: "{{ taiga_user }}"
 mode: 750
 - dir: "{{ taiga_root_dir }}/backup"
 owner: root
diff --git a/roles/taiga/tasks/facts.yml b/roles/taiga/tasks/facts.yml
index 9475372..6ecf8dd 100644
--- a/roles/taiga/tasks/facts.yml
+++ b/roles/taiga/tasks/facts.yml
@@ -53,7 +53,6 @@
 - import_tasks: ../includes/get_rand_pass.yml
 vars:
 - pass_file: "{{ taiga_root_dir }}/meta/ansible_admin_pass"
- - complex: False
 - set_fact: taiga_admin_pass={{ rand_pass }}
 tags: taiga
diff --git a/roles/taiga/templates/protected/env.j2 b/roles/taiga/templates/protected/env.j2
index 797339b..aac1d1f 100644
--- a/roles/taiga/templates/protected/env.j2
+++ b/roles/taiga/templates/protected/env.j2
@@ -1,3 +1,3 @@
-SECRET_KEY={{ taiga_secret_key }}
-MAX_AGE=300
-TAIGA_SUBPATH={{ taiga_public_url | urlsplit('path') }}
+SECRET_KEY="{{ taiga_secret_key }}"
+MAX_AGE=600
+TAIGA_SUBPATH="{{ (taiga_public_url | urlsplit('path') == '/') | ternary('', taiga_public_url | urlsplit('path')) }}"
diff --git a/roles/taiga/vars/RedHat-8.yml b/roles/taiga/vars/RedHat-8.yml
index b70f80f..80eaff2 100644
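Review bot: The new `expect` task carries `taiga_admin_pass` in `responses` without `no_log: true`, so on failure or at `-v` the module invocation, password included, is written to the Ansible output; add `no_log: true` to the task, and presumably to the preceding `createsuperuser` task whose `DJANGO_SUPERUSER_PASSWORD` environment line is visible just above. The task also runs unconditionally on every play and rewrites the stored password hash even when nothing changed; if the `createsuperuser` task is registered, `when: <registered result> is changed` (placeholder name) limits the reset to the run that created the account. The comment `# For some reason, the password isn't correctly initialized` records a workaround rather than a cause; note what was observed (Taiga version, whether `DJANGO_SUPERUSER_PASSWORD` was honoured) so the workaround can be retired. The enclosing block continues outside the hunk.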
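Review bot: Changing the group on `{{ taiga_root_dir }}` from `nginx` to `{{ taiga_user }}` with `mode: 750` removes the web server's only path into the tree, so nginx can reach the static and media files only after the `setfacl` task in `tasks/conf.yml` has run; that ordering dependency is invisible here and should be documented on the loop item, e.g. `# nginx gets traversal/read access through ACLs set in tasks/conf.yml, not via the group`. Between a fresh run of this task and a successful ACL pass nginx gets permission denied on everything under the root, which is worth a `# NOTE` so the next person does not put `group: nginx` back. The `mode: 750` entry is a plain integer; if the consuming task passes it through untemplated, Ansible reads an integer mode as decimal rather than octal, so `mode: "0750"` is the safer form — the consuming task is outside the hunk, so confirm.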
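Review bot: `SECRET_KEY="{{ taiga_secret_key }}"` now wraps the generated secret in double quotes, and common env-file readers (systemd `EnvironmentFile`, python-dotenv) process backslash escapes, and in some cases `$` expansion, inside double quotes, so a secret containing `"`, `\` or `$` would be altered silently; confirm which loader parses this file and match its quoting rules, or constrain the generator's character set — I cannot see how `taiga_secret_key` is produced. The `TAIGA_SUBPATH` line evaluates `taiga_public_url | urlsplit('path')` three times; `{% set subpath = taiga_public_url | urlsplit('path') %}` followed by `TAIGA_SUBPATH="{{ '' if subpath == '/' else subpath }}"` reads more easily with the same result. `MAX_AGE` moves from 300 to 600 with no explanation; a one-line comment on why, or a role variable with the reason in defaults, would help.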
--- a/roles/taiga/vars/RedHat-8.yml
+++ b/roles/taiga/vars/RedHat-8.yml
@@ -29,3 +29,4 @@ taiga_packages:
 - openssl-devel
 - libffi-devel
 - policycoreutils
+ - python3-pexpect