ipsilon: Finish up openidc config

roles/ipsilon/tasks/main.yml

@@ -36,6 +36,51 @@
     group: ipsilon
   notify: Restart ipsilon-container
 
+- name: Fix SELinux contexts from config directory
+  community.general.sefcontext:
+    path: /etc/ipsilon(/.*)?
+    setype: container_file_t
+  when: ansible_selinux_python_present
+
+- name: Get subuid number
+  ansible.builtin.command:
+    argv:
+      - awk
+      - "-F:"
+      - '{ if ($1 == "ipsilon") print $2 + 899 }'
+      - /etc/subuid
+  changed_when: false
+  register: subuid
+
+- name: Get subgid number
+  ansible.builtin.command:
+    argv:
+      - awk
+      - "-F:"
+      - '{ if ($1 == "ipsilon") print $2 + 899 }'
+      - /etc/subgid
+  changed_when: false
+  register: subgid
+
+- name: Create config directory
+  ansible.builtin.file:
+    path: /etc/ipsilon
+    state: directory
+    mode: "0750"
+    owner: root
+    group: ipsilon
+    setype: _default
+
+- name: Copy OIDC static config
+  ansible.builtin.copy:
+    dest: /etc/ipsilon/openidc-static.conf
+    src: "{{ ansible_private }}/files/ipsilon/openidc-static.conf"
+    mode: "0600"
+    owner: "{{ subuid.stdout }}"
+    group: "{{ subgid.stdout }}"
+    setype: _default
+  notify: Restart ipsilon-container
+
 - name: Get container source
   ansible.builtin.git:
     dest: /usr/local/src/docker-ipsilon

roles/ipsilon/templates/ipsilon-container.service.j2

@@ -14,6 +14,7 @@ ExecStart=/usr/bin/podman run \
     --volume={{ tls_certs }}/{{ inventory_hostname }}.crt:/etc/ssl/certs/{{ inventory_hostname }}.crt:ro \
     --volume={{ tls_private }}/ipsilon.key:/etc/ssl/private/{{ inventory_hostname }}.key:ro \
     --volume={{ tls_private }}/openidc.key:/etc/ipsilon/openidc.key:ro \
+    --volume=/etc/ipsilon/openidc-static.conf:/etc/ipsilon/root/openidc-static.conf:rw \
     ipsilon:latest
 ExecStop=/usr/bin/podman stop --ignore ipsilon
 ExecStopPost=/usr/bin/podman rm -f --ignore ipsilon