Complete Vagrant deployment
parent
4a7e46f2ad
commit
372532c943
@ -1,3 +1,5 @@
|
|||||||
/.idea/
|
/.idea/
|
||||||
/.vagrant/
|
/.vagrant/
|
||||||
|
/deployment/*-from-vagrant.*
|
||||||
|
/mkcert_ca/
|
||||||
/tmp/
|
/tmp/
|
||||||
|
@ -1,2 +1,16 @@
|
|||||||
---
|
---
|
||||||
hydra_home: /srv/hydra
|
hydra_home: /srv/hydra
|
||||||
|
|
||||||
|
oidc_urls:
|
||||||
|
hydra_admin:
|
||||||
|
host: hydra.cacert.localhost
|
||||||
|
port: 4445
|
||||||
|
hydra_public:
|
||||||
|
host: auth.cacert.localhost
|
||||||
|
port: 4444
|
||||||
|
idp:
|
||||||
|
host: login.cacert.localhost
|
||||||
|
port: 3000
|
||||||
|
demoapp:
|
||||||
|
host: app.cacert.localhost
|
||||||
|
port: 4000
|
||||||
|
@ -0,0 +1,4 @@
|
|||||||
|
---
|
||||||
|
demoapp_tls:
|
||||||
|
cert: "{{ cacert_home }}/etc/app.cacert.localhost.pem"
|
||||||
|
key: "{{ cacert_home }}/etc/app.cacert.localhost-key.pem"
|
@ -1,7 +1,7 @@
|
|||||||
---
|
---
|
||||||
- name: hydra_systemd_reload
|
- name: hydra_systemd_reload
|
||||||
ansible.builtin.systemd:
|
ansible.builtin.systemd:
|
||||||
state: started
|
state: restarted
|
||||||
name: hydra
|
name: hydra
|
||||||
daemon_reload: true
|
daemon_reload: true
|
||||||
enabled: true
|
enabled: true
|
||||||
|
@ -1,2 +1,4 @@
|
|||||||
---
|
---
|
||||||
# defaults file for roles/oidc_demo_application
|
cacert_os_user: cacert
|
||||||
|
cacert_os_group: cacert
|
||||||
|
cacert_home: /srv/cacert
|
||||||
|
@ -1,2 +1,7 @@
|
|||||||
---
|
---
|
||||||
# handlers file for roles/oidc_demo_application
|
- name: demoapp_systemd_reload
|
||||||
|
ansible.builtin.systemd:
|
||||||
|
state: restarted
|
||||||
|
name: cacert-demoapp
|
||||||
|
daemon_reload: true
|
||||||
|
enabled: true
|
||||||
|
@ -1,2 +1,166 @@
|
|||||||
---
|
---
|
||||||
# tasks file for roles/oidc_demo_application
|
- name: Manage /etc/hosts
|
||||||
|
blockinfile:
|
||||||
|
path: /etc/hosts
|
||||||
|
create: true
|
||||||
|
block: |
|
||||||
|
127.0.0.1 localhost
|
||||||
|
127.0.0.2 bookworm
|
||||||
|
::1 localhost ip6-localhost ip6-loopback
|
||||||
|
ff02::1 ip6-allnodes
|
||||||
|
ff02::2 ip6-allrouters
|
||||||
|
|
||||||
|
{{ oidc_urls.hydra_public.address | default(ansible_default_ipv4.address) }} {{ oidc_urls.hydra_public.host }}
|
||||||
|
127.0.0.1 {{ oidc_urls.demoapp.host }}
|
||||||
|
|
||||||
|
- name: Create CAcert group
|
||||||
|
ansible.builtin.group:
|
||||||
|
name: "{{ cacert_os_group }}"
|
||||||
|
state: present
|
||||||
|
system: true
|
||||||
|
|
||||||
|
- name: Create CAcert user
|
||||||
|
ansible.builtin.user:
|
||||||
|
name: "{{ cacert_os_user }}"
|
||||||
|
group: "{{ cacert_os_group }}"
|
||||||
|
home: "{{ cacert_home }}"
|
||||||
|
state: present
|
||||||
|
system: true
|
||||||
|
|
||||||
|
- name: Create CAcert directories
|
||||||
|
ansible.builtin.file:
|
||||||
|
path: "{{ cacert_home }}/{{ item.path }}"
|
||||||
|
owner: "{{ cacert_os_user }}"
|
||||||
|
group: "{{ cacert_os_group }}"
|
||||||
|
mode: "{{ item.mode }}"
|
||||||
|
state: directory
|
||||||
|
loop:
|
||||||
|
- { path: etc, mode: '0750' }
|
||||||
|
- { path: bin, mode: '0750' }
|
||||||
|
- { path: download, mode: '0750' }
|
||||||
|
|
||||||
|
- name: Create session directory
|
||||||
|
ansible.builtin.file:
|
||||||
|
path: "{{ demoapp_session_path | default('/var/cache/cacert/sessions') }}"
|
||||||
|
owner: "{{ cacert_os_user }}"
|
||||||
|
group: "{{ cacert_os_group }}"
|
||||||
|
mode: "0750"
|
||||||
|
state: directory
|
||||||
|
|
||||||
|
- name: Copy demo application binary
|
||||||
|
ansible.builtin.copy:
|
||||||
|
src: ../oidc_app/demo-app
|
||||||
|
dest: "{{ cacert_home }}/bin/cacert-oidcdemo"
|
||||||
|
owner: root
|
||||||
|
group: "{{ cacert_os_group }}"
|
||||||
|
mode: "0750"
|
||||||
|
|
||||||
|
- name: Check whether certificate exists
|
||||||
|
ansible.builtin.stat:
|
||||||
|
path: "{{ demoapp_tls.cert }}"
|
||||||
|
register: demoapp_cert_st
|
||||||
|
|
||||||
|
- name: Create demo application key and certificate with mkcert
|
||||||
|
block:
|
||||||
|
|
||||||
|
- name: Create temporary directory for demo application key and certificate
|
||||||
|
ansible.builtin.tempfile:
|
||||||
|
prefix: "demoapp-cert."
|
||||||
|
state: directory
|
||||||
|
register: demoapp_cert_temp_dir
|
||||||
|
|
||||||
|
- name: Create demo application key and certificate
|
||||||
|
ansible.builtin.command:
|
||||||
|
cmd: "mkcert -cert-file {{ demoapp_cert_temp_dir.path }}/demoapp.pem -key-file {{ demoapp_cert_temp_dir.path }}/demoapp.key.pem {{ oidc_urls.demoapp.host }}"
|
||||||
|
environment:
|
||||||
|
CAROOT: "{{ mkcert_caroot | default(omit) }}"
|
||||||
|
|
||||||
|
- name: Move demo application certificate and key to target
|
||||||
|
ansible.builtin.copy:
|
||||||
|
src: "{{ demoapp_cert_temp_dir.path }}/{{ item.src }}"
|
||||||
|
dest: "{{ item.dest }}"
|
||||||
|
owner: root
|
||||||
|
group: "{{ cacert_os_group }}"
|
||||||
|
mode: "{{ item.mode }}"
|
||||||
|
remote_src: true
|
||||||
|
loop:
|
||||||
|
- {src: demoapp.pem, dest: "{{ demoapp_tls.cert }}", mode: '0644'}
|
||||||
|
- {src: demoapp.key.pem, dest: "{{ demoapp_tls.key }}", mode: '0640'}
|
||||||
|
become: true
|
||||||
|
|
||||||
|
- name: Remove temporary directory
|
||||||
|
ansible.builtin.file:
|
||||||
|
path: "{{ demoapp_cert_temp_dir.path }}"
|
||||||
|
state: absent
|
||||||
|
|
||||||
|
when: not demoapp_cert_st.stat.exists
|
||||||
|
become: false
|
||||||
|
|
||||||
|
- name: Check whether configuration file exists
|
||||||
|
ansible.builtin.stat:
|
||||||
|
path: "{{ cacert_home }}/etc/cacert-demoapp.toml"
|
||||||
|
register: demoapp_config_st
|
||||||
|
|
||||||
|
- name: Get credentials from existing file
|
||||||
|
block:
|
||||||
|
|
||||||
|
- name: fetch existing configuration file
|
||||||
|
ansible.builtin.fetch:
|
||||||
|
src: "{{ demoapp_config_st.stat.path }}"
|
||||||
|
dest: demoapp_config-from-vagrant.toml
|
||||||
|
flat: true
|
||||||
|
|
||||||
|
- name: set credential facts
|
||||||
|
ansible.builtin.set_fact:
|
||||||
|
demoapp_client_id: "{{ lookup('ansible.builtin.ini', 'client-id', section='oidc', file='demoapp_config-from-vagrant.toml') | from_json }}"
|
||||||
|
demoapp_client_secret: "{{ lookup('ansible.builtin.ini', 'client-secret', section='oidc', file='demoapp_config-from-vagrant.toml') | from_json }}"
|
||||||
|
demoapp_auth_key: "{{ lookup('ansible.builtin.ini', 'auth-key', section='session', file='demoapp_config-from-vagrant.toml') | from_json }}"
|
||||||
|
demoapp_enc_key: "{{ lookup('ansible.builtin.ini', 'enc-key', section='session', file='demoapp_config-from-vagrant.toml') | from_json }}"
|
||||||
|
|
||||||
|
when: demoapp_config_st.stat.exists
|
||||||
|
|
||||||
|
- name: Generate new credentials
|
||||||
|
block:
|
||||||
|
|
||||||
|
- name: Create new client via Hydra admin API
|
||||||
|
ansible.builtin.uri:
|
||||||
|
url: "https://{{ oidc_urls.hydra_admin.host }}:{{ oidc_urls.hydra_admin.port }}/admin/clients"
|
||||||
|
method: "POST"
|
||||||
|
body:
|
||||||
|
client_name: "CAcert OIDC demo application"
|
||||||
|
redirect_uris:
|
||||||
|
- "https://{{ oidc_urls.demoapp.host }}:{{ oidc_urls.demoapp.port }}/callback"
|
||||||
|
post_logout_redirect_uris:
|
||||||
|
- "https://{{ oidc_urls.demoapp.host }}:{{ oidc_urls.demoapp.port }}/after-logout"
|
||||||
|
scope: "openid email profile groups"
|
||||||
|
body_format: "json"
|
||||||
|
headers:
|
||||||
|
Accept: "application/json"
|
||||||
|
Content-Type: "application/json"
|
||||||
|
status_code: [201]
|
||||||
|
register: hydra_response
|
||||||
|
|
||||||
|
- name: Set credential facts
|
||||||
|
ansible.builtin.set_fact:
|
||||||
|
demoapp_client_id: "{{ hydra_response.json.client_id }}"
|
||||||
|
demoapp_client_secret: "{{ hydra_response.json.client_secret }}"
|
||||||
|
|
||||||
|
when: not demoapp_config_st.stat.exists
|
||||||
|
|
||||||
|
- name: Create demo application configuration
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: demoapp_config.toml.j2
|
||||||
|
dest: "{{ cacert_home }}/etc/cacert-demoapp.toml"
|
||||||
|
owner: root
|
||||||
|
group: "{{ cacert_os_group }}"
|
||||||
|
mode: '0640'
|
||||||
|
notify: demoapp_systemd_reload
|
||||||
|
|
||||||
|
- name: Create demoapp systemd unit file
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: cacert-demoapp.service.j2
|
||||||
|
dest: /etc/systemd/system/cacert-demoapp.service
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: "0640"
|
||||||
|
notify: demoapp_systemd_reload
|
||||||
|
@ -0,0 +1,14 @@
|
|||||||
|
[Unit]
|
||||||
|
Description=CAcert OpenID Connect demo application
|
||||||
|
After=network.target
|
||||||
|
Documentation=https://code.cacert.org/cacert/oidc-demo-app
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
ExecStart={{ cacert_home }}/bin/cacert-oidcdemo --conf "{{ cacert_home }}/etc/cacert-demoapp.toml"
|
||||||
|
WorkingDirectory={{ cacert_home }}
|
||||||
|
User={{ cacert_os_user }}
|
||||||
|
Group={{ cacert_os_group }}
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
||||||
|
|
@ -0,0 +1,19 @@
|
|||||||
|
[oidc]
|
||||||
|
client-id = "{{ demoapp_client_id }}"
|
||||||
|
client-secret = "{{ demoapp_client_secret }}"
|
||||||
|
server = "https://{{ oidc_urls.hydra_public.host }}:{{ oidc_urls.hydra_public.port }}/"
|
||||||
|
|
||||||
|
[server]
|
||||||
|
name = "{{ oidc_urls.demoapp.host }}"
|
||||||
|
address = "{{ oidc_urls.demoapp.address | default(ansible_default_ipv4.address) }}"
|
||||||
|
port = {{ oidc_urls.demoapp.address | default("4000") }}
|
||||||
|
certificate = "{{ demoapp_tls.cert }}"
|
||||||
|
key = "{{ demoapp_tls.key }}"
|
||||||
|
|
||||||
|
[session]
|
||||||
|
auth-key = "{{ demoapp_auth_key | default(lookup('community.general.random_string', length=64, base64=true)) }}"
|
||||||
|
enc-key = "{{ demoapp_enc_key | default(lookup('community.general.random_string', length=32, base64=true)) }}"
|
||||||
|
path = "{{ demoapp_session_path | default('/var/cache/cacert/sessions') }}"
|
||||||
|
|
||||||
|
[log]
|
||||||
|
level = "trace"
|
@ -1,7 +1,7 @@
|
|||||||
---
|
---
|
||||||
- name: idp_systemd_reload
|
- name: idp_systemd_reload
|
||||||
ansible.builtin.systemd:
|
ansible.builtin.systemd:
|
||||||
state: started
|
state: restarted
|
||||||
name: cacert-idp
|
name: cacert-idp
|
||||||
daemon_reload: true
|
daemon_reload: true
|
||||||
enabled: true
|
enabled: true
|
||||||
|
@ -1 +1 @@
|
|||||||
Subproject commit a5c583f1f65cf5a09054ad7249c451551089cd0f
|
Subproject commit 9aeca21faa2db96ecd359e26eb4dc392d7c6bf1a
|
Loading…
Reference in New Issue