Complete Vagrant deployment
parent
4a7e46f2ad
commit
372532c943
@ -1,3 +1,5 @@
|
||||
/.idea/
|
||||
/.vagrant/
|
||||
/deployment/*-from-vagrant.*
|
||||
/mkcert_ca/
|
||||
/tmp/
|
||||
|
@ -1,2 +1,16 @@
|
||||
---
|
||||
hydra_home: /srv/hydra
|
||||
|
||||
oidc_urls:
|
||||
hydra_admin:
|
||||
host: hydra.cacert.localhost
|
||||
port: 4445
|
||||
hydra_public:
|
||||
host: auth.cacert.localhost
|
||||
port: 4444
|
||||
idp:
|
||||
host: login.cacert.localhost
|
||||
port: 3000
|
||||
demoapp:
|
||||
host: app.cacert.localhost
|
||||
port: 4000
|
||||
|
@ -0,0 +1,4 @@
|
||||
---
|
||||
demoapp_tls:
|
||||
cert: "{{ cacert_home }}/etc/app.cacert.localhost.pem"
|
||||
key: "{{ cacert_home }}/etc/app.cacert.localhost-key.pem"
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
- name: hydra_systemd_reload
|
||||
ansible.builtin.systemd:
|
||||
state: started
|
||||
state: restarted
|
||||
name: hydra
|
||||
daemon_reload: true
|
||||
enabled: true
|
||||
|
@ -1,2 +1,4 @@
|
||||
---
|
||||
# defaults file for roles/oidc_demo_application
|
||||
cacert_os_user: cacert
|
||||
cacert_os_group: cacert
|
||||
cacert_home: /srv/cacert
|
||||
|
@ -1,2 +1,7 @@
|
||||
---
|
||||
# handlers file for roles/oidc_demo_application
|
||||
- name: demoapp_systemd_reload
|
||||
ansible.builtin.systemd:
|
||||
state: restarted
|
||||
name: cacert-demoapp
|
||||
daemon_reload: true
|
||||
enabled: true
|
||||
|
@ -1,2 +1,166 @@
|
||||
---
|
||||
# tasks file for roles/oidc_demo_application
|
||||
- name: Manage /etc/hosts
|
||||
blockinfile:
|
||||
path: /etc/hosts
|
||||
create: true
|
||||
block: |
|
||||
127.0.0.1 localhost
|
||||
127.0.0.2 bookworm
|
||||
::1 localhost ip6-localhost ip6-loopback
|
||||
ff02::1 ip6-allnodes
|
||||
ff02::2 ip6-allrouters
|
||||
|
||||
{{ oidc_urls.hydra_public.address | default(ansible_default_ipv4.address) }} {{ oidc_urls.hydra_public.host }}
|
||||
127.0.0.1 {{ oidc_urls.demoapp.host }}
|
||||
|
||||
- name: Create CAcert group
|
||||
ansible.builtin.group:
|
||||
name: "{{ cacert_os_group }}"
|
||||
state: present
|
||||
system: true
|
||||
|
||||
- name: Create CAcert user
|
||||
ansible.builtin.user:
|
||||
name: "{{ cacert_os_user }}"
|
||||
group: "{{ cacert_os_group }}"
|
||||
home: "{{ cacert_home }}"
|
||||
state: present
|
||||
system: true
|
||||
|
||||
- name: Create CAcert directories
|
||||
ansible.builtin.file:
|
||||
path: "{{ cacert_home }}/{{ item.path }}"
|
||||
owner: "{{ cacert_os_user }}"
|
||||
group: "{{ cacert_os_group }}"
|
||||
mode: "{{ item.mode }}"
|
||||
state: directory
|
||||
loop:
|
||||
- { path: etc, mode: '0750' }
|
||||
- { path: bin, mode: '0750' }
|
||||
- { path: download, mode: '0750' }
|
||||
|
||||
- name: Create session directory
|
||||
ansible.builtin.file:
|
||||
path: "{{ demoapp_session_path | default('/var/cache/cacert/sessions') }}"
|
||||
owner: "{{ cacert_os_user }}"
|
||||
group: "{{ cacert_os_group }}"
|
||||
mode: "0750"
|
||||
state: directory
|
||||
|
||||
- name: Copy demo application binary
|
||||
ansible.builtin.copy:
|
||||
src: ../oidc_app/demo-app
|
||||
dest: "{{ cacert_home }}/bin/cacert-oidcdemo"
|
||||
owner: root
|
||||
group: "{{ cacert_os_group }}"
|
||||
mode: "0750"
|
||||
|
||||
- name: Check whether certificate exists
|
||||
ansible.builtin.stat:
|
||||
path: "{{ demoapp_tls.cert }}"
|
||||
register: demoapp_cert_st
|
||||
|
||||
- name: Create demo application key and certificate with mkcert
|
||||
block:
|
||||
|
||||
- name: Create temporary directory for demo application key and certificate
|
||||
ansible.builtin.tempfile:
|
||||
prefix: "demoapp-cert."
|
||||
state: directory
|
||||
register: demoapp_cert_temp_dir
|
||||
|
||||
- name: Create demo application key and certificate
|
||||
ansible.builtin.command:
|
||||
cmd: "mkcert -cert-file {{ demoapp_cert_temp_dir.path }}/demoapp.pem -key-file {{ demoapp_cert_temp_dir.path }}/demoapp.key.pem {{ oidc_urls.demoapp.host }}"
|
||||
environment:
|
||||
CAROOT: "{{ mkcert_caroot | default(omit) }}"
|
||||
|
||||
- name: Move demo application certificate and key to target
|
||||
ansible.builtin.copy:
|
||||
src: "{{ demoapp_cert_temp_dir.path }}/{{ item.src }}"
|
||||
dest: "{{ item.dest }}"
|
||||
owner: root
|
||||
group: "{{ cacert_os_group }}"
|
||||
mode: "{{ item.mode }}"
|
||||
remote_src: true
|
||||
loop:
|
||||
- {src: demoapp.pem, dest: "{{ demoapp_tls.cert }}", mode: '0644'}
|
||||
- {src: demoapp.key.pem, dest: "{{ demoapp_tls.key }}", mode: '0640'}
|
||||
become: true
|
||||
|
||||
- name: Remove temporary directory
|
||||
ansible.builtin.file:
|
||||
path: "{{ demoapp_cert_temp_dir.path }}"
|
||||
state: absent
|
||||
|
||||
when: not demoapp_cert_st.stat.exists
|
||||
become: false
|
||||
|
||||
- name: Check whether configuration file exists
|
||||
ansible.builtin.stat:
|
||||
path: "{{ cacert_home }}/etc/cacert-demoapp.toml"
|
||||
register: demoapp_config_st
|
||||
|
||||
- name: Get credentials from existing file
|
||||
block:
|
||||
|
||||
- name: fetch existing configuration file
|
||||
ansible.builtin.fetch:
|
||||
src: "{{ demoapp_config_st.stat.path }}"
|
||||
dest: demoapp_config-from-vagrant.toml
|
||||
flat: true
|
||||
|
||||
- name: set credential facts
|
||||
ansible.builtin.set_fact:
|
||||
demoapp_client_id: "{{ lookup('ansible.builtin.ini', 'client-id', section='oidc', file='demoapp_config-from-vagrant.toml') | from_json }}"
|
||||
demoapp_client_secret: "{{ lookup('ansible.builtin.ini', 'client-secret', section='oidc', file='demoapp_config-from-vagrant.toml') | from_json }}"
|
||||
demoapp_auth_key: "{{ lookup('ansible.builtin.ini', 'auth-key', section='session', file='demoapp_config-from-vagrant.toml') | from_json }}"
|
||||
demoapp_enc_key: "{{ lookup('ansible.builtin.ini', 'enc-key', section='session', file='demoapp_config-from-vagrant.toml') | from_json }}"
|
||||
|
||||
when: demoapp_config_st.stat.exists
|
||||
|
||||
- name: Generate new credentials
|
||||
block:
|
||||
|
||||
- name: Create new client via Hydra admin API
|
||||
ansible.builtin.uri:
|
||||
url: "https://{{ oidc_urls.hydra_admin.host }}:{{ oidc_urls.hydra_admin.port }}/admin/clients"
|
||||
method: "POST"
|
||||
body:
|
||||
client_name: "CAcert OIDC demo application"
|
||||
redirect_uris:
|
||||
- "https://{{ oidc_urls.demoapp.host }}:{{ oidc_urls.demoapp.port }}/callback"
|
||||
post_logout_redirect_uris:
|
||||
- "https://{{ oidc_urls.demoapp.host }}:{{ oidc_urls.demoapp.port }}/after-logout"
|
||||
scope: "openid email profile groups"
|
||||
body_format: "json"
|
||||
headers:
|
||||
Accept: "application/json"
|
||||
Content-Type: "application/json"
|
||||
status_code: [201]
|
||||
register: hydra_response
|
||||
|
||||
- name: Set credential facts
|
||||
ansible.builtin.set_fact:
|
||||
demoapp_client_id: "{{ hydra_response.json.client_id }}"
|
||||
demoapp_client_secret: "{{ hydra_response.json.client_secret }}"
|
||||
|
||||
when: not demoapp_config_st.stat.exists
|
||||
|
||||
- name: Create demo application configuration
|
||||
ansible.builtin.template:
|
||||
src: demoapp_config.toml.j2
|
||||
dest: "{{ cacert_home }}/etc/cacert-demoapp.toml"
|
||||
owner: root
|
||||
group: "{{ cacert_os_group }}"
|
||||
mode: '0640'
|
||||
notify: demoapp_systemd_reload
|
||||
|
||||
- name: Create demoapp systemd unit file
|
||||
ansible.builtin.template:
|
||||
src: cacert-demoapp.service.j2
|
||||
dest: /etc/systemd/system/cacert-demoapp.service
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0640"
|
||||
notify: demoapp_systemd_reload
|
||||
|
@ -0,0 +1,14 @@
|
||||
[Unit]
|
||||
Description=CAcert OpenID Connect demo application
|
||||
After=network.target
|
||||
Documentation=https://code.cacert.org/cacert/oidc-demo-app
|
||||
|
||||
[Service]
|
||||
ExecStart={{ cacert_home }}/bin/cacert-oidcdemo --conf "{{ cacert_home }}/etc/cacert-demoapp.toml"
|
||||
WorkingDirectory={{ cacert_home }}
|
||||
User={{ cacert_os_user }}
|
||||
Group={{ cacert_os_group }}
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
|
@ -0,0 +1,19 @@
|
||||
[oidc]
|
||||
client-id = "{{ demoapp_client_id }}"
|
||||
client-secret = "{{ demoapp_client_secret }}"
|
||||
server = "https://{{ oidc_urls.hydra_public.host }}:{{ oidc_urls.hydra_public.port }}/"
|
||||
|
||||
[server]
|
||||
name = "{{ oidc_urls.demoapp.host }}"
|
||||
address = "{{ oidc_urls.demoapp.address | default(ansible_default_ipv4.address) }}"
|
||||
port = {{ oidc_urls.demoapp.address | default("4000") }}
|
||||
certificate = "{{ demoapp_tls.cert }}"
|
||||
key = "{{ demoapp_tls.key }}"
|
||||
|
||||
[session]
|
||||
auth-key = "{{ demoapp_auth_key | default(lookup('community.general.random_string', length=64, base64=true)) }}"
|
||||
enc-key = "{{ demoapp_enc_key | default(lookup('community.general.random_string', length=32, base64=true)) }}"
|
||||
path = "{{ demoapp_session_path | default('/var/cache/cacert/sessions') }}"
|
||||
|
||||
[log]
|
||||
level = "trace"
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
- name: idp_systemd_reload
|
||||
ansible.builtin.systemd:
|
||||
state: started
|
||||
state: restarted
|
||||
name: cacert-idp
|
||||
daemon_reload: true
|
||||
enabled: true
|
||||
|
@ -1 +1 @@
|
||||
Subproject commit a5c583f1f65cf5a09054ad7249c451551089cd0f
|
||||
Subproject commit 9aeca21faa2db96ecd359e26eb4dc392d7c6bf1a
|
Loading…
Reference in New Issue