From 600880a8c3b963ff33cbbc863769fef863f19996 Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Wed, 16 Aug 2023 15:52:06 +0200 Subject: [PATCH 01/19] Manage: Metadata changes for resource servers as well --- .../oauth20_rs.schema.json.j2 | 17 +++++++++++++++++ .../single_tenant_template.schema.json.j2 | 12 ++++++++++++ 2 files changed, 29 insertions(+) diff --git a/roles/manage-server/files/metadata_configuration/oauth20_rs.schema.json.j2 b/roles/manage-server/files/metadata_configuration/oauth20_rs.schema.json.j2 index 42cf83d34..af3cf014a 100644 --- a/roles/manage-server/files/metadata_configuration/oauth20_rs.schema.json.j2 +++ b/roles/manage-server/files/metadata_configuration/oauth20_rs.schema.json.j2 @@ -143,6 +143,18 @@ "type": "string", "info": "Explains why the SP answered no on the subject of the SURFmarket DPA." }, + "coin:privacy:dpa_type": { + "type": "string", + "enum": [ + "dpa_not_applicable", + "dpa_in_surf_agreement", + "dpa_model_surf", + "dpa_supplied_by_service", + "other" + ], + "default": "dpa_supplied_by_service", + "info": "Determines what DPA this service has to offer" + }, "coin:privacy:privacy_policy": { "type": "boolean", "info": "Does the SP publish an applicable privacy policy on a web page?" @@ -192,6 +204,11 @@ "type": "string", "info": "The friendly name of the organization. e.g. University of Harderwijk." }, + "^mdui:PrivacyStatementURL:({{ supported_language_codes | replace(',','|') }})$": { + "type": "string", + "format": "url", + "info": "The URL to the Privacy Statement of the service." + }, "^contacts:([0-3]{1}):surName$": { "type": "string", "multiplicity": 4, diff --git a/roles/manage-server/files/metadata_configuration/single_tenant_template.schema.json.j2 b/roles/manage-server/files/metadata_configuration/single_tenant_template.schema.json.j2 index 46f2ee61b..2d3a93a12 100644 --- a/roles/manage-server/files/metadata_configuration/single_tenant_template.schema.json.j2 
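Review bot: `"format": "url"` on the new `mdui:PrivacyStatementURL` pattern property is not a JSON Schema built-in format name (`uri`, `uri-reference`, `iri` are), so unless Manage registers its own `url` format validator the value is accepted unvalidated and a non-http scheme could land in published metadata; the existing `mdui:` entries of this file are outside the hunk, so it is worth checking which spelling they use and aligning with it. Separately, `coin:privacy:dpa_type` defaults to `dpa_supplied_by_service`, which records a positive DPA answer for every resource server whose owner never filled the field in; a neutral default such as `other`, or no default at all, would avoid presenting an unconfirmed answer as fact. The `info` text could also state what the field is for, e.g. `"Which type of Data Processing Agreement (DPA) applies to this service"`.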
+++ b/roles/manage-server/files/metadata_configuration/single_tenant_template.schema.json.j2 @@ -427,6 +427,18 @@ "type": "string", "info": "Explains why the SP answered no on the subject of the SURFmarket DPA." }, + "coin:privacy:dpa_type": { + "type": "string", + "enum": [ + "dpa_not_applicable", + "dpa_in_surf_agreement", + "dpa_model_surf", + "dpa_supplied_by_service", + "other" + ], + "default": "dpa_supplied_by_service", + "info": "Determines what DPA this service has to offer" + }, "coin:privacy:privacy_policy": { "type": "boolean", "info": "Does the SP publish an applicable privacy policy on a web page?" From 6c5b975f0b507f4fb40a35abdba66ad52abd31b3 Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Wed, 15 Sep 2021 12:10:52 +0200 Subject: [PATCH 02/19] Github actions docker build: Add Teams to the list of apps This is added to facilitate the SPdashboard development proces --- tests/githubactions-build.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/githubactions-build.sh b/tests/githubactions-build.sh index 1c44ead69..289dd6ac9 100644 --- a/tests/githubactions-build.sh +++ b/tests/githubactions-build.sh @@ -77,7 +77,7 @@ echo "=================================================================" echo "=================================================================" echo -./provision github $ANSIBLE_USER $ANSIBLE_SECRETS -e springboot_service_to_deploy=manage,mujina-sp,mujina-idp -e @tests/github.yml -t core +./provision github $ANSIBLE_USER $ANSIBLE_SECRETS -e springboot_service_to_deploy=teams,manage,mujina-sp,mujina-idp -e @tests/github.yml -t core # Make the image a bit smaller docker exec ansible-test-ga systemctl stop mysql mongod From cd12c7eb1e9696143c1770f55866aaa7b45c69b0 Mon Sep 17 00:00:00 2001 
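Review bot: The `coin:privacy:dpa_type` block is now copied verbatim between oauth20_rs.schema.json.j2 and this file, so the two enum lists will drift the next time a DPA type is added or renamed, and a value valid in one entity type would be rejected in the other. Since these are Jinja templates, rendering the enum from one shared variable (e.g. `{{ dpa_types | to_json }}`) or a common include would keep the schemas in lock step. The same remark about the `dpa_supplied_by_service` default applies here: it asserts a DPA for entities that never answered the question.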
From: Bart Geesink Date: Wed, 15 Sep 2021 20:03:26 +0200 Subject: [PATCH 03/19] Add oidcng and voot to the OpenConext docker image, as Teams needs those --- tests/githubactions-build.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/githubactions-build.sh b/tests/githubactions-build.sh index 289dd6ac9..70802d4b2 100644 --- a/tests/githubactions-build.sh +++ b/tests/githubactions-build.sh @@ -77,7 +77,7 @@ echo "=================================================================" echo "=================================================================" echo -./provision github $ANSIBLE_USER $ANSIBLE_SECRETS -e springboot_service_to_deploy=teams,manage,mujina-sp,mujina-idp -e @tests/github.yml -t core +./provision github $ANSIBLE_USER $ANSIBLE_SECRETS -e springboot_service_to_deploy=teams,voot,oidcng,manage,mujina-sp,mujina-idp -e @tests/github.yml -t core # Make the image a bit smaller docker exec ansible-test-ga systemctl stop mysql mongod From 5e44fc7acbc8fbda34467909afce8ccc10e6dc80 Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Thu, 16 Sep 2021 09:00:13 +0200 Subject: [PATCH 04/19] GH actions: To enable oidcng, we also need to enable the push to oidcng from manage --- tests/githubactions-build.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/tests/githubactions-build.sh b/tests/githubactions-build.sh index 70802d4b2..670f619e8 100644 --- a/tests/githubactions-build.sh +++ b/tests/githubactions-build.sh 
@@ -57,7 +57,6 @@ mkdir -p environments-external /bin/mv environments-external/github/group_vars/vm.yml environments-external/github/group_vars/github.yml sed -i 's/192.168.66.98/0.0.0.0/g' environments-external/github/group_vars/github.yml sed -i 's/192.168.66.99/127.0.0.1/g' environments-external/github/group_vars/github.yml -sed -i 's/oidc_push_enabled: true/oidc_push_enabled: false/g' environments-external/github/group_vars/github.yml # Change the hostname in the inventory /bin/cp environments/template/inventory environments-external/github/ sed -i 's/%env%/github/g' environments-external/github/inventory From 43b72cd2f54d4dd261cee46a2d98a7bf4d1377d7 Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Fri, 22 Apr 2022 10:29:03 +0200 Subject: [PATCH 05/19] Teams -> 8.5.3 --- environments/template/group_vars/template.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/environments/template/group_vars/template.yml b/environments/template/group_vars/template.yml index 7f6fc3301..bb92aa3d6 100644 --- a/environments/template/group_vars/template.yml +++ b/environments/template/group_vars/template.yml @@ -39,6 +39,7 @@ account_gui_version: "6.0.2" dashboard_server_version: "12.3.4" dashboard_gui_version: "12.3.4" + statistics_version: "1.1.7" databases: From 1b54bbddc873dfd87fa73b3fae5c6edfaded5a9b Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Mon, 9 May 2022 11:21:35 +0200 Subject: [PATCH 06/19] Fix systemd error for mongo on docker This fixes an issue when starting mongo on docker. See https://access.redhat.com/solutions/4420581 --- tests/githubactions-build.sh | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/tests/githubactions-build.sh b/tests/githubactions-build.sh index 670f619e8..12c0cd8e3 100644 --- a/tests/githubactions-build.sh +++ b/tests/githubactions-build.sh 
@@ -67,7 +67,6 @@ sed -i 's/%target_host%/ansible-test-ga ansible_connection=docker/g' environment # Remove ipv6 listening address in Haproxy sed -i '/haproxy_sni_ip\.ipv6/d' roles/haproxy/templates/haproxy_frontend.cfg.j2 - echo echo "=================================================================" echo "=================================================================" @@ -83,6 +82,11 @@ docker exec ansible-test-ga systemctl stop mysql mongod docker exec ansible-test-ga yum -y remove mongodb-org-mongos mongodb-org-tools docker exec ansible-test-ga rm -rf /var/lib/mongo/journal/* docker exec ansible-test-ga rm -rf /var/lib/mysql/ib_logfile* + +# The latest systemd update breaks mongo on docker (systemd[1]: New main PID 951 does not belong to service, and PID file is not owned by root. Refusing) +# dowgrading it fixes the issue +docker exec ansible-test-ga yum -y downgrade http://vault.centos.org/7.6.1810/updates/x86_64/Packages/systemd-219-62.el7_6.9.x86_64.rpm http://vault.centos.org/7.6.1810/updates/x86_64/Packages/systemd-libs-219-62.el7_6.9.x86_64.rpm http://vault.centos.org/7.6.1810/updates/x86_64/Packages/systemd-sysv-219-62.el7_6.9.x86_64.rpm + docker stop ansible-test-ga ansible-test-ga exit $status From e7fdd701f3e46df23f2d04769d3c67815b9ed5d0 Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Mon, 9 May 2022 16:29:58 +0200 Subject: [PATCH 07/19] VOOT -> 5.0.0 --- roles/springboot/defaults/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/springboot/defaults/main.yml b/roles/springboot/defaults/main.yml index e8e5173a6..21a5ae544 100644 --- a/roles/springboot/defaults/main.yml +++ b/roles/springboot/defaults/main.yml @@ -87,6 +87,7 @@ springboot_server_services: type: server min_heapsize: "{{ voot_min_heapsize | default('128m') }}" max_heapsize: "{{ voot_max_heapsize | default('128m') }}" + java_binary: "/usr/lib/jvm/jre-11-openjdk/bin/java" config: "{{ voot }}" - name: teams 
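Review bot: The added `yum -y downgrade http://vault.centos.org/...` line fetches three systemd RPMs over plain HTTP by URL, and yum only checks signatures on URL/local packages when `localpkg_gpgcheck=1`, which CentOS 7 does not set by default, so PID 1 of the CI image is replaced by packages that are neither transport-protected nor signature-verified. Switch to `https://vault.centos.org/...` and add `--setopt=localpkg_gpgcheck=1` (the CentOS 7 signing key ships in the base image), or install the pinned versions from a pinned repo definition instead. The comment typo `dowgrading` could be fixed in the same change.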
From 9a2c5374a8a3f05cb5e31414372c915e13a237f9 Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Tue, 10 May 2022 11:56:11 +0200 Subject: [PATCH 08/19] manage -> 7.0.0 --- roles/springboot/defaults/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/springboot/defaults/main.yml b/roles/springboot/defaults/main.yml index 21a5ae544..2f89c0e58 100644 --- a/roles/springboot/defaults/main.yml +++ b/roles/springboot/defaults/main.yml @@ -65,6 +65,7 @@ springboot_server_services: port: "{{ manage_springapp_tcpport }}" min_heapsize: "{{ manage_min_heapsize | default('512m') }}" max_heapsize: "{{ manage_max_heapsize | default('512m') }}" + java_binary: "/usr/lib/jvm/jre-11-openjdk/bin/java" config: "{{ manage }}" - name: oidcng From 77bf0e5f1c2668d28f5b8778e9a22e72fb6872dd Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Tue, 10 May 2022 13:26:33 +0200 Subject: [PATCH 09/19] Manage: Config update --- roles/manage-gui/templates/manage.conf.j2 | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/roles/manage-gui/templates/manage.conf.j2 b/roles/manage-gui/templates/manage.conf.j2 index 0e2a92723..bdd6e46bb 100644 --- a/roles/manage-gui/templates/manage.conf.j2 +++ b/roles/manage-gui/templates/manage.conf.j2 @@ -76,10 +76,11 @@ Listen {{ apache_app_listen_address.manage }}:{{ loadbalancing.manage.port }} Require all granted - + + Require all granted - + Require all granted From 979c9eb9434f33537928b7da10c4512161e39d0e Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Tue, 10 May 2022 16:12:51 +0200 Subject: [PATCH 10/19] Environments: allow teams spd access --- environments/template/group_vars/template.yml | 2 ++ environments/vm/group_vars/vm.yml | 2 ++ 2 files changed, 4 insertions(+) diff --git a/environments/template/group_vars/template.yml b/environments/template/group_vars/template.yml index bb92aa3d6..9c16a6a1f 100644 --- a/environments/template/group_vars/template.yml +++ b/environments/template/group_vars/template.yml 
@@ -268,6 +268,8 @@ teams: - "nl:surfnet:diensten:teams_super_users" - "nl:surfnet:diensten:teams_super_admin_users" +teams_allow_spd_api: '.' + engineblock: idp_url: https://engine.{{ base_domain }}/authentication/idp/single-sign-on idp_entity_id: https://engine.{{ base_domain }}/authentication/idp/metadata diff --git a/environments/vm/group_vars/vm.yml b/environments/vm/group_vars/vm.yml index 10549abba..22fd79758 100644 --- a/environments/vm/group_vars/vm.yml +++ b/environments/vm/group_vars/vm.yml @@ -156,6 +156,8 @@ teams: - "nl:surfnet:diensten:teams_super_users" - "nl:surfnet:diensten:teams_super_admin_users" +teams_allow_spd_api: '.' + engineblock: idp_url: https://engine.{{ base_domain }}/authentication/idp/single-sign-on idp_entity_id: https://engine.{{ base_domain }}/authentication/idp/metadata From b6fbb9f4c873d31d4b962ac17c86e63b1b2140ec Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Thu, 25 Aug 2022 11:42:29 +0200 Subject: [PATCH 11/19] Some version updates to support new manage and oidcng --- environments/vm/group_vars/vm.yml | 1 - tests/Dockerfile.centos-7-ga | 4 +++- tests/githubactions-build.sh | 3 ++- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/environments/vm/group_vars/vm.yml b/environments/vm/group_vars/vm.yml index 22fd79758..848e12ffd 100644 --- a/environments/vm/group_vars/vm.yml +++ b/environments/vm/group_vars/vm.yml @@ -30,7 +30,6 @@ pdp_gui_version: "4.0.1" profile_version: "3.1.4" teams_gui_version: "9.1.1" teams_server_version: "9.1.1" -voot_version: "5.0.0" myconext_server_version: "6.0.2" myconext_gui_version: "6.0.2" account_gui_version: "6.0.2" diff --git a/tests/Dockerfile.centos-7-ga b/tests/Dockerfile.centos-7-ga index 5189e2892..0942486a3 100644 --- a/tests/Dockerfile.centos-7-ga +++ b/tests/Dockerfile.centos-7-ga 
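Review bot: `teams_allow_spd_api: '.'` looks like a regular expression, and a lone `.` matches any single character, so if Teams uses this value to allow-list which SP Dashboard caller may use its API the default effectively matches every non-empty value; it is added to `environments/template`, the starting point for real deployments, not only to the throw-away `vm` environment. How Teams interprets the value is not visible here, so please confirm; if it is a regex, the template should ship a restrictive placeholder and a comment such as `# Regex of the SP Dashboard caller allowed on the Teams API; '.' matches anything, narrow this per environment`.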
@@ -16,7 +16,9 @@ rm -f /lib/systemd/system/anaconda.target.wants/*; RUN yum clean all && \ yum -y update && \ - yum -y install python3 + yum -y install python3 wget && \ + wget https://copr.fedorainfracloud.org/coprs/jsynacek/systemd-backports-for-centos-7/repo/epel-7/jsynacek-systemd-backports-for-centos-7-epel-7.repo -O /etc/yum.repos.d/jsynacek-systemd-centos-7.repo && \ + yum -y update systemd VOLUME [ "/sys/fs/cgroup" ] diff --git a/tests/githubactions-build.sh b/tests/githubactions-build.sh index 12c0cd8e3..6ca184fff 100644 --- a/tests/githubactions-build.sh +++ b/tests/githubactions-build.sh @@ -13,8 +13,9 @@ ANSIBLE_USER=root # start docker container docker run --detach \ - -v /sys/fs/cgroup:/sys/fs/cgroup:ro \ + -v /sys/fs/cgroup:/sys/fs/cgroup:rw \ -t \ + --cgroupns=host \ --privileged \ --publish 443:443 \ --name ansible-test-ga \ From ade920709a0eb3cc6c88afb8c90ba9d9d4f8b518 Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Fri, 9 Dec 2022 16:40:16 +0100 Subject: [PATCH 12/19] Systemd changes --- roles/mongo/tasks/main.yml | 171 +++++++++++++++++++++++++++++++++++++ 1 file changed, 171 insertions(+) diff --git a/roles/mongo/tasks/main.yml b/roles/mongo/tasks/main.yml index 6cda0f417..cd197a4fa 100644 --- a/roles/mongo/tasks/main.yml +++ b/roles/mongo/tasks/main.yml 
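Review bot: The `wget ... -O /etc/yum.repos.d/jsynacek-systemd-centos-7.repo && yum -y update systemd` step takes the init system of the CI image from a personal COPR whose repo definition is downloaded at build time, unpinned and unchecked, so every image build trusts whatever that account currently publishes; COPR repo files normally set `gpgcheck=1`, but the key is fetched through the same unpinned channel and gives no independent assurance. Vendor the `.repo` file under `tests/`, pin `systemd` to an explicit version-release, and verify the downloaded file with `sha256sum -c`, or drop the build-time fetch entirely as PATCH 16 of this series later does. `wget` also stays installed in the image after this step; removing it in the same `RUN` keeps the image as small as the `yum clean all` intends.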
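Review bot: Mounting the host cgroup tree read-write (`/sys/fs/cgroup:rw`) and sharing the host cgroup namespace (`--cgroupns=host`) lets the container's systemd rewrite the runner's own cgroup hierarchy, which is broader than the previous `:ro` mount; with `--privileged` already present the practical loss on a throw-away GitHub runner is small, but nothing in the script says why both flags are needed. A one-line comment would stop a later cleanup from reverting one without the other, e.g. `# systemd as PID 1 on a cgroup-v2 host needs a writable cgroupfs and the host cgroup namespace`.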
@@ -2,6 +2,177 @@ - name: Use temporarily python3 as remote interpreter, this fixes pymongo ansible.builtin.set_fact: ansible_python_interpreter: "/usr/bin/python3" + +- name: Install pymongo + pip: + name: pymongo + +- name: Install kernel settings script + copy: + src: "mongo_kernel_settings.sh" + dest: "/usr/local/sbin/mongo_kernel_settings.sh" + mode: 0700 + owner: root + group: root + register: mongo_kernel_settings + +- name: Set kernel parameters + command: /usr/local/sbin/mongo_kernel_settings.sh + when: + - mongo_kernel_settings.changed + +- name: Add mongo kernel settings script to rc.local + lineinfile: + dest: "/etc/rc.d/rc.local" + state: present + line: "/usr/local/sbin/mongo_kernel_settings.sh" + create: true + +- name: Make rc.local executable + file: + dest: "/etc/rc.d/rc.local" + mode: 0744 + +- name: Create directory to keep mongo key material + file: + dest: "/etc/pki/mongo/" + state: directory + owner: root + group: root + mode: 775 + when: + - mongo_tls | bool + +- name: copy ca certificate + copy: + src: "{{ inventory_dir }}/files/certs/mongo/{{ mongo_tls_ca }}" + dest: "/etc/pki/mongo/{{ mongo_tls_ca }}" + when: + - mongo_tls | bool + +- name: Create combined key and certificate file for mongo + copy: + content: "{{ mongo_tls_key }}{{lookup('file', '{{ inventory_dir }}/files/certs/mongo/mongo.{{ base_domain }}.crt')}}" + dest: "/etc/pki/mongo/mongo.{{ base_domain }}.pem" + mode: 0600 + owner: mongod + when: + - mongo_tls | bool + +- name: Create the backup directory + file: + path: /home/backup + state: directory + owner: root + group: root + mode: 0700 + when: + - mongo_cluster | bool + +- name: Install the backup script + template: + src: "backup_mongo.pl.j2" + dest: "/usr/local/sbin/backup_mongo.pl" + mode: 0700 + owner: root + when: + - mongo_cluster | bool + +- name: Create cron symlink for backup script + file: + src: "/usr/local/sbin/backup_mongo.pl" + dest: "/etc/cron.daily/mongodb_backup" + state: link + mode: 0700 + owner: root + 
when: + - mongo_cluster | bool + +- name: Install mongod.conf file without configuration on the primary host + template: + src: "mongod_standalone.conf.j2" + dest: "/etc/mongod.conf" + when: + - mongo_primary | bool + - mongo_present.stat.exists == False + +- name: Enable and start mongod on the primary host + service: + name: mongod.service + enabled: yes + state: started + when: + - mongo_primary | bool + +- name: Add the admin user + mongodb_user: + database: admin + name: admin + password: "{{ mongo_admin_password }}" + login_port: "{{ mongod_port }}" + roles: root + state: present + no_log: true + when: + - mongo_primary | bool + - mongo_present.stat.exists == False + +- name: Install mongodb.conf file with authorisation enabled + template: + src: "mongod.conf.j2" + dest: "/etc/mongod.conf" + register: mongo_conf_changed + +- name: Add logrotate snippet + copy: + src: "mongodb.logrotate" + dest: "/etc/logrotate.d/mongodb" + +- name: Restart Mongo + service: + name: mongod.service + enabled: yes + state: restarted + when: + - mongo_conf_changed.changed + +- name: Install replica set initialization file + template: + src: "repset_init.j2" + dest: "/tmp/repset_init.js" + when: + - mongo_primary | bool + +- name: Initialize the replication set on the primary, tls enabled + shell: /usr/bin/mongo -u admin -p {{ mongo_admin_pass }} --ssl --sslCAFile /etc/pki/mongo/mongo.{{ base_domain }}_ca.pem --authenticationDatabase admin /tmp/repset_init.js --host "{{mongo_hostname }}" + when: + - mongo_primary | bool + - mongo_tls | bool + changed_when: false + +- name: Initialize the replication set on the primary + shell: /usr/bin/mongo -u admin -p {{ mongo_admin_pass }} --authenticationDatabase admin /tmp/repset_init.js --host 127.0.0.1 + when: + - mongo_primary | bool + - not mongo_tls | bool + changed_when: false + +- name: Create mongo database users + mongodb_user: + login_database: admin + database: "{{ item.db_name }}" + login_user: admin + login_password: "{{ 
mongo_admin_pass }}" + name: "{{ item.name }}" + password: "{{ item.password }}" + roles: readWrite + replica_set: "{{ replica_set_name }}" + no_log: true + when: + - mongo_primary | bool + - not mongo_tls | bool + with_items: "{{ mongo.users }}" + changed_when: False tags: mongo_users - name: Include CA tasks From ad803877b0005f70c1914d34b950fa994501542a Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Mon, 12 Dec 2022 13:48:01 +0100 Subject: [PATCH 13/19] Docker: No need anymore to downgrade systemd --- tests/githubactions-build.sh | 4 ---- 1 file changed, 4 deletions(-) diff --git a/tests/githubactions-build.sh b/tests/githubactions-build.sh index 6ca184fff..2ee60f9aa 100644 --- a/tests/githubactions-build.sh +++ b/tests/githubactions-build.sh @@ -84,10 +84,6 @@ docker exec ansible-test-ga yum -y remove mongodb-org-mongos mongodb-org-tools docker exec ansible-test-ga rm -rf /var/lib/mongo/journal/* docker exec ansible-test-ga rm -rf /var/lib/mysql/ib_logfile* -# The latest systemd update breaks mongo on docker (systemd[1]: New main PID 951 does not belong to service, and PID file is not owned by root. Refusing) -# dowgrading it fixes the issue -docker exec ansible-test-ga yum -y downgrade http://vault.centos.org/7.6.1810/updates/x86_64/Packages/systemd-219-62.el7_6.9.x86_64.rpm http://vault.centos.org/7.6.1810/updates/x86_64/Packages/systemd-libs-219-62.el7_6.9.x86_64.rpm http://vault.centos.org/7.6.1810/updates/x86_64/Packages/systemd-sysv-219-62.el7_6.9.x86_64.rpm - docker stop ansible-test-ga ansible-test-ga exit $status From 24af36880a9fdd982ca84b6c087abe4392da31d1 Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Mon, 12 Dec 2022 21:08:11 +0100 Subject: [PATCH 14/19] Revert "Docker: No need anymore to downgrade systemd" This reverts commit 6815adaf98078573cfa1a16f084debcd69ffe864. --- tests/githubactions-build.sh | 4 ++++ 1 file changed, 4 insertions(+) 
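Review bot: `mode: 775` on the `Create directory to keep mongo key material` task is an unquoted decimal integer, which Ansible applies as octal 01407 (sticky bit, owner read-only, group none, world rwx) rather than 0775, so `/etc/pki/mongo/` becomes world-writable and the `mongod` owner of the `.pem` inside cannot traverse it as intended; write `mode: "0750"` and quote the other modes in the hunk for consistency. Both `Initialize the replication set` tasks pass the admin password on the `mongo` command line (`-p {{ mongo_admin_pass }}`) without `no_log: true`, so it is printed in Ansible output and visible in `ps` on the host; add `no_log: true` and let the shell prompt for it (bare `-p`) or use the `mongodb_*` modules' `login_password` as the user-creation task already does. Those tasks also use `mongo_admin_pass` while `Add the admin user` sets the account from `mongo_admin_password`, so one of the two names is undefined at run time, `Create mongo database users` only runs when `not mongo_tls`, leaving TLS-enabled clusters without application users, and `mongo_present` is consumed but never registered anywhere in this hunk. PATCH 19 of this series deletes the whole block again, so these points matter only if the tasks are reintroduced.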
diff --git a/tests/githubactions-build.sh b/tests/githubactions-build.sh index 2ee60f9aa..6ca184fff 100644 --- a/tests/githubactions-build.sh +++ b/tests/githubactions-build.sh @@ -84,6 +84,10 @@ docker exec ansible-test-ga yum -y remove mongodb-org-mongos mongodb-org-tools docker exec ansible-test-ga rm -rf /var/lib/mongo/journal/* docker exec ansible-test-ga rm -rf /var/lib/mysql/ib_logfile* +# The latest systemd update breaks mongo on docker (systemd[1]: New main PID 951 does not belong to service, and PID file is not owned by root. Refusing) +# dowgrading it fixes the issue +docker exec ansible-test-ga yum -y downgrade http://vault.centos.org/7.6.1810/updates/x86_64/Packages/systemd-219-62.el7_6.9.x86_64.rpm http://vault.centos.org/7.6.1810/updates/x86_64/Packages/systemd-libs-219-62.el7_6.9.x86_64.rpm http://vault.centos.org/7.6.1810/updates/x86_64/Packages/systemd-sysv-219-62.el7_6.9.x86_64.rpm + docker stop ansible-test-ga ansible-test-ga exit $status From 8829bad8eb0d3df84ac5c6f3fa4ca5305546d4f7 Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Mon, 12 Dec 2022 21:08:26 +0100 Subject: [PATCH 15/19] Revert "Systemd changes" This reverts commit 1d8d6a65dc175cf120b7b6d81be9e1876aebfd00. --- roles/mongo/tasks/main.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/roles/mongo/tasks/main.yml b/roles/mongo/tasks/main.yml index cd197a4fa..5a93cd135 100644 --- a/roles/mongo/tasks/main.yml +++ b/roles/mongo/tasks/main.yml @@ -23,10 +23,9 @@ - name: Add mongo kernel settings script to rc.local lineinfile: - dest: "/etc/rc.d/rc.local" + dest: "/etc/rc.local" state: present line: "/usr/local/sbin/mongo_kernel_settings.sh" - create: true - name: Make rc.local executable file: From ddf1a2e363af0bec09c47937724a42d633eb7d66 Mon Sep 17 00:00:00 2001 
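Review bot: This revert restores the unverified, plain-HTTP `yum -y downgrade http://vault.centos.org/...` of systemd and, since PATCH 16 only touches the Dockerfile, it is the variant that survives the series; the same fix applies as before, `https://` plus `--setopt=localpkg_gpgcheck=1`, or pinned versions from a pinned repo. A short comment naming the systemd version that still works would also help the next person who tries to remove the downgrade.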
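Review bot: Changing the `lineinfile` target to `/etc/rc.local` while dropping `create: true` makes the task fail on a host where that file does not exist, and the following `Make rc.local executable` task still operates on `/etc/rc.d/rc.local`; on CentOS 7 the first is a symlink to the second so it happens to work there, but the two tasks should name the same path. Using `/etc/rc.d/rc.local` in both (with `create: true`) keeps the intent in one place. The enclosing task list continues outside the hunk.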
From: Bart Geesink Date: Tue, 13 Dec 2022 10:24:51 +0100 Subject: [PATCH 16/19] GHA: Build on Ubuntu 20.04, which supports cgroups v2 --- tests/Dockerfile.centos-7-ga | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/tests/Dockerfile.centos-7-ga b/tests/Dockerfile.centos-7-ga index 0942486a3..250787fba 100644 --- a/tests/Dockerfile.centos-7-ga +++ b/tests/Dockerfile.centos-7-ga @@ -16,9 +16,7 @@ rm -f /lib/systemd/system/anaconda.target.wants/*; RUN yum clean all && \ yum -y update && \ - yum -y install python3 wget && \ - wget https://copr.fedorainfracloud.org/coprs/jsynacek/systemd-backports-for-centos-7/repo/epel-7/jsynacek-systemd-backports-for-centos-7-epel-7.repo -O /etc/yum.repos.d/jsynacek-systemd-centos-7.repo && \ - yum -y update systemd + yum -y install python3 VOLUME [ "/sys/fs/cgroup" ] From b78d958b02a65e5663a4a1b4d5999e2d71f1b3a2 Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Tue, 7 Feb 2023 10:18:24 +0100 Subject: [PATCH 17/19] VM: Add voot version which got lost in a rebase --- environments/vm/group_vars/vm.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/environments/vm/group_vars/vm.yml b/environments/vm/group_vars/vm.yml index 848e12ffd..22fd79758 100644 --- a/environments/vm/group_vars/vm.yml +++ b/environments/vm/group_vars/vm.yml @@ -30,6 +30,7 @@ pdp_gui_version: "4.0.1" profile_version: "3.1.4" teams_gui_version: "9.1.1" teams_server_version: "9.1.1" +voot_version: "5.0.0" myconext_server_version: "6.0.2" myconext_gui_version: "6.0.2" account_gui_version: "6.0.2" From b0ad328876df6af11b89834ab4cd0eff3dab7b96 Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Tue, 7 Feb 2023 11:58:37 +0100 Subject: [PATCH 18/19] Manage expects at least 12 characters --- environments/vm/secrets/vm.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/environments/vm/secrets/vm.yml b/environments/vm/secrets/vm.yml index b30cdcc63..061371b1c 100644 --- a/environments/vm/secrets/vm.yml 
+++ b/environments/vm/secrets/vm.yml @@ -30,7 +30,7 @@ engine_parameters_secret: secret profile_secret: secret -teams_authz_client_secret: secret +teams_authz_client_secret: secretsecret teams_migration_secret_key: secret engine_api_metadata_push_password: secret @@ -46,7 +46,7 @@ myconext_geo2lite_license_key: secret engine_api_profile_password: secret engine_api_deprovision_password: secret -voot_oidcng_checkToken_secret: secret +voot_oidcng_checkToken_secret: secretsecret external_group_provider_secrets: teams: secret From 8d6e5c4239f490a32a8e24a42bec84c7f90683b5 Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Wed, 21 Jun 2023 13:00:13 +0200 Subject: [PATCH 19/19] Mongo: Fix b0rked main.yml, now same as master --- roles/mongo/tasks/main.yml | 170 ------------------------------------- 1 file changed, 170 deletions(-) diff --git a/roles/mongo/tasks/main.yml b/roles/mongo/tasks/main.yml index 5a93cd135..6cda0f417 100644 --- a/roles/mongo/tasks/main.yml +++ b/roles/mongo/tasks/main.yml 
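Review bot: `secretsecret` clears the 12-character minimum Manage enforces but is still a dictionary word repeated, so the length rule is satisfied in letter only; that is acceptable for the throw-away `vm` environment, but `environments/vm/secrets` is what people copy to start a new environment, so a comment on these two keys (`# dev-only placeholder, generate for real environments with: openssl rand -hex 16`) or a generated value would stop the padded placeholder from reaching a real deployment. The other values in the hunk (`teams_migration_secret_key`, `external_group_provider_secrets.teams`) stay at `secret`, so it is worth confirming whether their consumers have a similar minimum.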
@@ -2,176 +2,6 @@ - name: Use temporarily python3 as remote interpreter, this fixes pymongo ansible.builtin.set_fact: ansible_python_interpreter: "/usr/bin/python3" - -- name: Install pymongo - pip: - name: pymongo - -- name: Install kernel settings script - copy: - src: "mongo_kernel_settings.sh" - dest: "/usr/local/sbin/mongo_kernel_settings.sh" - mode: 0700 - owner: root - group: root - register: mongo_kernel_settings - -- name: Set kernel parameters - command: /usr/local/sbin/mongo_kernel_settings.sh - when: - - mongo_kernel_settings.changed - -- name: Add mongo kernel settings script to rc.local - lineinfile: - dest: "/etc/rc.local" - state: present - line: "/usr/local/sbin/mongo_kernel_settings.sh" - -- name: Make rc.local executable - file: - dest: "/etc/rc.d/rc.local" - mode: 0744 - -- name: Create directory to keep mongo key material - file: - dest: "/etc/pki/mongo/" - state: directory - owner: root - group: root - mode: 775 - when: - - mongo_tls | bool - -- name: copy ca certificate - copy: - src: "{{ inventory_dir }}/files/certs/mongo/{{ mongo_tls_ca }}" - dest: "/etc/pki/mongo/{{ mongo_tls_ca }}" - when: - - mongo_tls | bool - -- name: Create combined key and certificate file for mongo - copy: - content: "{{ mongo_tls_key }}{{lookup('file', '{{ inventory_dir }}/files/certs/mongo/mongo.{{ base_domain }}.crt')}}" - dest: "/etc/pki/mongo/mongo.{{ base_domain }}.pem" - mode: 0600 - owner: mongod - when: - - mongo_tls | bool - -- name: Create the backup directory - file: - path: /home/backup - state: directory - owner: root - group: root - mode: 0700 - when: - - mongo_cluster | bool - -- name: Install the backup script - template: - src: "backup_mongo.pl.j2" - dest: "/usr/local/sbin/backup_mongo.pl" - mode: 0700 - owner: root - when: - - mongo_cluster | bool - -- name: Create cron symlink for backup script - file: - src: "/usr/local/sbin/backup_mongo.pl" - dest: "/etc/cron.daily/mongodb_backup" - state: link - mode: 0700 - owner: root - when: - - 
mongo_cluster | bool - -- name: Install mongod.conf file without configuration on the primary host - template: - src: "mongod_standalone.conf.j2" - dest: "/etc/mongod.conf" - when: - - mongo_primary | bool - - mongo_present.stat.exists == False - -- name: Enable and start mongod on the primary host - service: - name: mongod.service - enabled: yes - state: started - when: - - mongo_primary | bool - -- name: Add the admin user - mongodb_user: - database: admin - name: admin - password: "{{ mongo_admin_password }}" - login_port: "{{ mongod_port }}" - roles: root - state: present - no_log: true - when: - - mongo_primary | bool - - mongo_present.stat.exists == False - -- name: Install mongodb.conf file with authorisation enabled - template: - src: "mongod.conf.j2" - dest: "/etc/mongod.conf" - register: mongo_conf_changed - -- name: Add logrotate snippet - copy: - src: "mongodb.logrotate" - dest: "/etc/logrotate.d/mongodb" - -- name: Restart Mongo - service: - name: mongod.service - enabled: yes - state: restarted - when: - - mongo_conf_changed.changed - -- name: Install replica set initialization file - template: - src: "repset_init.j2" - dest: "/tmp/repset_init.js" - when: - - mongo_primary | bool - -- name: Initialize the replication set on the primary, tls enabled - shell: /usr/bin/mongo -u admin -p {{ mongo_admin_pass }} --ssl --sslCAFile /etc/pki/mongo/mongo.{{ base_domain }}_ca.pem --authenticationDatabase admin /tmp/repset_init.js --host "{{mongo_hostname }}" - when: - - mongo_primary | bool - - mongo_tls | bool - changed_when: false - -- name: Initialize the replication set on the primary - shell: /usr/bin/mongo -u admin -p {{ mongo_admin_pass }} --authenticationDatabase admin /tmp/repset_init.js --host 127.0.0.1 - when: - - mongo_primary | bool - - not mongo_tls | bool - changed_when: false - -- name: Create mongo database users - mongodb_user: - login_database: admin - database: "{{ item.db_name }}" - login_user: admin - login_password: "{{ mongo_admin_pass 
}}" - name: "{{ item.name }}" - password: "{{ item.password }}" - roles: readWrite - replica_set: "{{ replica_set_name }}" - no_log: true - when: - - mongo_primary | bool - - not mongo_tls | bool - with_items: "{{ mongo.users }}" - changed_when: False tags: mongo_users - name: Include CA tasks