From 85c882043c98412d1ab2b0aa118e2e4ba467bbcc Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Sun, 29 Dec 2024 17:42:29 +0000
Subject: [PATCH] ipsilon: Finish up openidc config
---
roles/ipsilon/tasks/main.yml | 45 +++++++++++++++++++
.../templates/ipsilon-container.service.j2 | 1 +
2 files changed, 46 insertions(+)
diff --git a/roles/ipsilon/tasks/main.yml b/roles/ipsilon/tasks/main.yml
index b02b9df..86414ee 100644
--- a/roles/ipsilon/tasks/main.yml
+++ b/roles/ipsilon/tasks/main.yml
@@ -36,6 +36,51 @@
group: ipsilon
notify: Restart ipsilon-container
+- name: Fix SELinux contexts from config directory
+ community.general.sefcontext:
+ path: /etc/ipsilon(/.*)?
+ setype: container_file_t
+ when: ansible_selinux_python_present
+
+- name: Get subuid number
+ ansible.builtin.command:
+ argv:
+ - awk
+ - "-F:"
+ - '{ if ($1 == "ipsilon") print $2 + 899 }'
+ - /etc/subuid
+ changed_when: false
+ register: subuid
+
+- name: Get subgid number
+ ansible.builtin.command:
+ argv:
+ - awk
+ - "-F:"
+ - '{ if ($1 == "ipsilon") print $2 + 899 }'
+ - /etc/subgid
+ changed_when: false
+ register: subgid
+
+- name: Create config directory
+ ansible.builtin.file:
+ path: /etc/ipsilon
+ state: directory
+ mode: "0750"
+ owner: root
+ group: ipsilon
+ setype: _default
+
+- name: Copy OIDC static config
+ ansible.builtin.copy:
+ dest: /etc/ipsilon/openidc-static.conf
+ src: "{{ ansible_private }}/files/ipsilon/openidc-static.conf"
+ mode: "0600"
+ owner: "{{ subuid.stdout }}"
+ group: "{{ subgid.stdout }}"
+ setype: _default
+ notify: Restart ipsilon-container
+
- name: Get container source
ansible.builtin.git:
dest: /usr/local/src/docker-ipsilon
diff --git a/roles/ipsilon/templates/ipsilon-container.service.j2 b/roles/ipsilon/templates/ipsilon-container.service.j2
index 74bc2b0..d3fe6bf 100644
--- a/roles/ipsilon/templates/ipsilon-container.service.j2
+++ b/roles/ipsilon/templates/ipsilon-container.service.j2
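Review bot: The "Get subuid number" and "Get subgid number" tasks cannot fail on a missing or duplicated `ipsilon` entry: awk prints nothing (or several lines) and the task still reports success, so the problem only surfaces later in "Copy OIDC static config" as an opaque chown lookup error on an empty or multi-line `owner`. Add `failed_when: subuid.stdout_lines | length != 1` to the first lookup and `failed_when: subgid.stdout_lines | length != 1` to the second so the play stops at the lookup with a clear cause. The `+ 899` offset encodes an assumption about which UID the ipsilon process uses inside the image and how podman maps it onto the subordinate range; that is not visible here, so document it next to the awk program with a comment such as `# host UID/GID backing container UID 900 (subordinate range start + 899); keep in sync with the image's ipsilon user`.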
@@ -14,6 +14,7 @@ ExecStart=/usr/bin/podman run \
--volume={{ tls_certs }}/{{ inventory_hostname }}.crt:/etc/ssl/certs/{{ inventory_hostname }}.crt:ro \
--volume={{ tls_private }}/ipsilon.key:/etc/ssl/private/{{ inventory_hostname }}.key:ro \
--volume={{ tls_private }}/openidc.key:/etc/ipsilon/openidc.key:ro \
+ --volume=/etc/ipsilon/openidc-static.conf:/etc/ipsilon/root/openidc-static.conf:rw \
ipsilon:latest
ExecStop=/usr/bin/podman stop --ignore ipsilon
ExecStopPost=/usr/bin/podman rm -f --ignore ipsilon
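Review bot: The new bind mount is `:rw` while every other mount in this ExecStart (certificate, TLS key, OIDC signing key) is `:ro`, which lets a compromised ipsilon process rewrite the static OIDC client definitions on the host and have them persist across container restarts. If Ipsilon only reads this file, change the added line to `--volume=/etc/ipsilon/openidc-static.conf:/etc/ipsilon/root/openidc-static.conf:ro \`; if it genuinely needs to write it, add a comment on the line stating why so the exception is deliberate rather than an oversight. The companion tasks in main.yml set the file to mode 0600 owned by the mapped subordinate UID, so read access would still work with `:ro`, but whether Ipsilon writes to this path cannot be confirmed from the hunk. The `podman run` command that this line belongs to begins before the hunk.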