oidc-parent/deployment/roles/oidc_idp/tasks/main.yml

---
- name: Create CAcert group
  ansible.builtin.group:
    name: "{{ cacert_os_group }}"
    state: present
    system: true

- name: Create CAcert user
  ansible.builtin.user:
    name: "{{ cacert_os_user }}"
    group: "{{ cacert_os_group }}"
    home: "{{ cacert_home }}"
    state: present
    system: true

- name: Create CAcert directories
  ansible.builtin.file:
    path: "{{ cacert_home }}/{{ item.path }}"
    owner: "{{ cacert_os_user }}"
    group: "{{ cacert_os_group }}"
    mode: "{{ item.mode }}"
    state: directory
  loop:
    - { path: etc, mode: '0750' }
    - { path: bin, mode: '0750' }
    - { path: download, mode: '0750' }

- name: Copy IDP binary
  ansible.builtin.copy:
    src: ../oidc_idp/cacert-idp
    dest: "{{ cacert_home }}/bin/cacert-idp"
    owner: root
    group: "{{ cacert_os_group }}"
    mode: "0750"

- name: Check whether certificate exists
  ansible.builtin.stat:
    path: "{{ idp_tls.cert }}"
  register: idp_cert_st

- name: Create IDP key and certificate with mkcert
  block:

    - name: Create temporary directory for IDP key and certificate
      ansible.builtin.tempfile:
        prefix: "idp-cert."
        state: directory
      register: idp_cert_temp_dir

    - name: Create IDP key and certificate
      ansible.builtin.command:
        cmd: "mkcert -cert-file {{ idp_cert_temp_dir.path }}/idp.pem -key-file {{ idp_cert_temp_dir.path }}/idp.key.pem {{ oidc_urls.idp.host }}"
      environment:
        CAROOT: "{{ mkcert_caroot | default('') }}"

    - name: Move IDP certificate and key to target
      ansible.builtin.copy:
        src: "{{ idp_cert_temp_dir.path }}/{{ item.src }}"
        dest: "{{ item.dest }}"
        owner: root
        group: "{{ cacert_os_group }}"
        mode: "{{ item.mode }}"
        remote_src: true
      loop:
        - {src: idp.pem, dest: "{{ idp_tls.cert }}", mode: '0644'}
        - {src: idp.key.pem, dest: "{{ idp_tls.key }}", mode: '0640'}
      become: true

    - name: Remove temporary directory
      ansible.builtin.file:
        path: "{{ idp_cert_temp_dir.path }}"
        state: absent

  when: not idp_cert_st.stat.exists
  become: false

- name: Copy client CA certificates
  ansible.builtin.copy:
    dest: "{{ idp_tls.client_cas }}"
    owner: root
    group: "{{ cacert_os_group }}"
    mode: '0640'
    content: "{{ idp.client_certificate_data }}"

- name: Check whether configuration file exists
  ansible.builtin.stat:
    path: "{{ cacert_home }}/etc/cacert-idp.toml"
  register: idp_config_st

- name: Get credentials from existing file
  block:

    - name: fetch existing configuration file
      ansible.builtin.fetch:
        src: "{{ idp_config_st.stat.path }}"
        dest: idp_config-from-vagrant.toml
        flat: true

    - name: set credential facts
      ansible.builtin.set_fact:
        idp_csrf_key: "{{ lookup('ansible.builtin.ini', 'csrf.key', section='security', file='idp_config-from-vagrant.toml') | from_json }}"
        idp_auth_key: "{{ lookup('ansible.builtin.ini', 'auth-key', section='session', file='idp_config-from-vagrant.toml') | from_json }}"
        idp_enc_key: "{{ lookup('ansible.builtin.ini', 'enc-key', section='session', file='idp_config-from-vagrant.toml') | from_json }}"
      ignore_errors: true

  when: idp_config_st.stat.exists

- name: Create IDP configuration
  ansible.builtin.template:
    src: idp_config.toml.j2
    dest: "{{ cacert_home }}/etc/cacert-idp.toml"
    owner: root
    group: "{{ cacert_os_group }}"
    mode: '0640'
  notify: idp_systemd_reload

- name: Create IDP systemd unit file
  ansible.builtin.template:
    src: cacert-idp.service.j2
    dest: /etc/systemd/system/cacert-idp.service
    owner: root
    group: root
    mode: "0644"
  notify: idp_systemd_reload

- name: Ensure service is started
  ansible.builtin.systemd:
    state: started
    name: cacert-idp
    enabled: true
Create basic local playbook and roles - create ansible structure - create generated roles - add hydra_database role 2022-08-10 18:35:03 +00:00			`---`
Add oidc_idp role - Deploy cacert-idp from oidc_idp subdirectory - configure systemd and start cacert-idp service 2022-08-19 14:40:52 +00:00			`- name: Create CAcert group`
			`ansible.builtin.group:`
			`name: "{{ cacert_os_group }}"`
			`state: present`
			`system: true`

			`- name: Create CAcert user`
			`ansible.builtin.user:`
			`name: "{{ cacert_os_user }}"`
			`group: "{{ cacert_os_group }}"`
			`home: "{{ cacert_home }}"`
			`state: present`
			`system: true`

			`- name: Create CAcert directories`
			`ansible.builtin.file:`
			`path: "{{ cacert_home }}/{{ item.path }}"`
			`owner: "{{ cacert_os_user }}"`
			`group: "{{ cacert_os_group }}"`
			`mode: "{{ item.mode }}"`
			`state: directory`
			`loop:`
			`- { path: etc, mode: '0750' }`
			`- { path: bin, mode: '0750' }`
			`- { path: download, mode: '0750' }`

			`- name: Copy IDP binary`
			`ansible.builtin.copy:`
			`src: ../oidc_idp/cacert-idp`
			`dest: "{{ cacert_home }}/bin/cacert-idp"`
			`owner: root`
			`group: "{{ cacert_os_group }}"`
			`mode: "0750"`

			`- name: Check whether certificate exists`
			`ansible.builtin.stat:`
			`path: "{{ idp_tls.cert }}"`
			`register: idp_cert_st`

			`- name: Create IDP key and certificate with mkcert`
			`block:`

			`- name: Create temporary directory for IDP key and certificate`
			`ansible.builtin.tempfile:`
			`prefix: "idp-cert."`
			`state: directory`
			`register: idp_cert_temp_dir`

			`- name: Create IDP key and certificate`
			`ansible.builtin.command:`
Update to Debian 12 Bookworm - improve README.md add test scenarios - update Vagrant setup to Debian 12 - update dependency installation to be compatible with Debian 12 - use mkcert from Debian 12 package 2023-06-19 17:46:25 +00:00			`cmd: "mkcert -cert-file {{ idp_cert_temp_dir.path }}/idp.pem -key-file {{ idp_cert_temp_dir.path }}/idp.key.pem {{ oidc_urls.idp.host }}"`
Complete Vagrant deployment 2023-08-08 13:21:27 +00:00			`environment:`
Fix localhost ansible setup 2023-08-09 10:44:36 +00:00			`CAROOT: "{{ mkcert_caroot \| default('') }}"`
Add oidc_idp role - Deploy cacert-idp from oidc_idp subdirectory - configure systemd and start cacert-idp service 2022-08-19 14:40:52 +00:00
			`- name: Move IDP certificate and key to target`
			`ansible.builtin.copy:`
			`src: "{{ idp_cert_temp_dir.path }}/{{ item.src }}"`
			`dest: "{{ item.dest }}"`
			`owner: root`
			`group: "{{ cacert_os_group }}"`
			`mode: "{{ item.mode }}"`
			`remote_src: true`
			`loop:`
			`- {src: idp.pem, dest: "{{ idp_tls.cert }}", mode: '0644'}`
			`- {src: idp.key.pem, dest: "{{ idp_tls.key }}", mode: '0640'}`
			`become: true`

			`- name: Remove temporary directory`
			`ansible.builtin.file:`
			`path: "{{ idp_cert_temp_dir.path }}"`
			`state: absent`

Complete Vagrant deployment 2023-08-08 13:21:27 +00:00			`when: not idp_cert_st.stat.exists`
Add oidc_idp role - Deploy cacert-idp from oidc_idp subdirectory - configure systemd and start cacert-idp service 2022-08-19 14:40:52 +00:00			`become: false`

Finish IDP setup 2022-08-22 16:52:47 +00:00			`- name: Copy client CA certificates`
			`ansible.builtin.copy:`
			`dest: "{{ idp_tls.client_cas }}"`
			`owner: root`
			`group: "{{ cacert_os_group }}"`
			`mode: '0640'`
			`content: "{{ idp.client_certificate_data }}"`

Complete Vagrant deployment 2023-08-08 13:21:27 +00:00			`- name: Check whether configuration file exists`
			`ansible.builtin.stat:`
			`path: "{{ cacert_home }}/etc/cacert-idp.toml"`
			`register: idp_config_st`

			`- name: Get credentials from existing file`
			`block:`

			`- name: fetch existing configuration file`
			`ansible.builtin.fetch:`
			`src: "{{ idp_config_st.stat.path }}"`
			`dest: idp_config-from-vagrant.toml`
			`flat: true`

			`- name: set credential facts`
			`ansible.builtin.set_fact:`
			`idp_csrf_key: "{{ lookup('ansible.builtin.ini', 'csrf.key', section='security', file='idp_config-from-vagrant.toml') \| from_json }}"`
			`idp_auth_key: "{{ lookup('ansible.builtin.ini', 'auth-key', section='session', file='idp_config-from-vagrant.toml') \| from_json }}"`
			`idp_enc_key: "{{ lookup('ansible.builtin.ini', 'enc-key', section='session', file='idp_config-from-vagrant.toml') \| from_json }}"`
Fix handling of missing sections This commit makes sure that a missing section in an older toml configuration file does not break the deployment. 2023-08-09 10:10:24 +00:00			`ignore_errors: true`
Complete Vagrant deployment 2023-08-08 13:21:27 +00:00
			`when: idp_config_st.stat.exists`

Add oidc_idp role - Deploy cacert-idp from oidc_idp subdirectory - configure systemd and start cacert-idp service 2022-08-19 14:40:52 +00:00			`- name: Create IDP configuration`
			`ansible.builtin.template:`
			`src: idp_config.toml.j2`
			`dest: "{{ cacert_home }}/etc/cacert-idp.toml"`
			`owner: root`
			`group: "{{ cacert_os_group }}"`
			`mode: '0640'`
			`notify: idp_systemd_reload`

			`- name: Create IDP systemd unit file`
			`ansible.builtin.template:`
			`src: cacert-idp.service.j2`
			`dest: /etc/systemd/system/cacert-idp.service`
			`owner: root`
			`group: root`
Fix localhost ansible setup 2023-08-09 10:44:36 +00:00			`mode: "0644"`
Add oidc_idp role - Deploy cacert-idp from oidc_idp subdirectory - configure systemd and start cacert-idp service 2022-08-19 14:40:52 +00:00			`notify: idp_systemd_reload`
Fix localhost ansible setup 2023-08-09 10:44:36 +00:00
			`- name: Ensure service is started`
			`ansible.builtin.systemd:`
			`state: started`
			`name: cacert-idp`
			`enabled: true`