Add local preconditions and Vagrantfile
This commit adds a role to ensure local preconditions (i.e. mkcert) and a Vagrantfile to test the ansible playbook in a local virtual machine.
This commit is contained in:
parent
bfa60b9288
commit
5daa87ca90
16 changed files with 180 additions and 13 deletions
1
.gitignore
vendored
1
.gitignore
vendored
|
@ -1 +1,2 @@
|
||||||
/.idea/
|
/.idea/
|
||||||
|
/.vagrant/
|
||||||
|
|
31
README.md
31
README.md
|
@ -19,3 +19,34 @@ git config submodule.recurse true
|
||||||
- setup IDP (provides login and consent screens)
|
- setup IDP (provides login and consent screens)
|
||||||
- setup demo application
|
- setup demo application
|
||||||
- setup setup OpenID Connect client registration application
|
- setup setup OpenID Connect client registration application
|
||||||
|
|
||||||
|
## Local development setup
|
||||||
|
|
||||||
|
Make sure you have the necessary prerequisites installed (tested on Debian 11
|
||||||
|
Bullseye) and `~/.local/bin` is in your `$PATH` variable:
|
||||||
|
|
||||||
|
```shell
|
||||||
|
sudo apt update
|
||||||
|
sudo apt install make python3-pip python3-psycopg2 golang-go yarnpkg
|
||||||
|
python3 -m pip install --user -U pip
|
||||||
|
python3 -m pip install --user ansible
|
||||||
|
export PATH=$HOME/.local/bin:$PATH
|
||||||
|
```
|
||||||
|
|
||||||
|
*Note:* It is a good idea to put the `PATH` export line into your `.bashrc` or
|
||||||
|
`.zshenv`.
|
||||||
|
|
||||||
|
Use `make` to build the web app resources and applications:
|
||||||
|
|
||||||
|
```shell
|
||||||
|
make
|
||||||
|
```
|
||||||
|
|
||||||
|
Use `ansible-playbook` to deploy Hydra, IDP, Client registration and the demo
|
||||||
|
application:
|
||||||
|
|
||||||
|
```shell
|
||||||
|
cd deployment
|
||||||
|
ansible-playbook 01_install_cacert_oidc.yml
|
||||||
|
```
|
||||||
|
|
||||||
|
|
28
Vagrantfile
vendored
Normal file
28
Vagrantfile
vendored
Normal file
|
@ -0,0 +1,28 @@
|
||||||
|
# -*- mode: ruby -*-
|
||||||
|
# vi: set ft=ruby :
|
||||||
|
|
||||||
|
Vagrant.configure("2") do |config|
|
||||||
|
config.vm.box = "generic/debian11"
|
||||||
|
|
||||||
|
config.vm.define "oidcbox"
|
||||||
|
|
||||||
|
config.vm.network "forwarded_port", guest: 4444, host: 4444, host_ip: "127.0.0.1"
|
||||||
|
config.vm.network "forwarded_port", guest: 3000, host: 3000, host_ip: "127.0.0.1"
|
||||||
|
config.vm.network "forwarded_port", guest: 4000, host: 4000, host_ip: "127.0.0.1"
|
||||||
|
config.vm.network "forwarded_port", guest: 5000, host: 5000, host_ip: "127.0.0.1"
|
||||||
|
|
||||||
|
config.vm.provider "libvirt" do |lv|
|
||||||
|
lv.memory = "2048"
|
||||||
|
lv.cpus = 2
|
||||||
|
lv.machine_virtual_size = 10
|
||||||
|
end
|
||||||
|
config.vm.provision "ansible" do |ansible|
|
||||||
|
ansible.playbook = "deployment/01_install_cacert_oidc.yml"
|
||||||
|
ansible.verbose = true
|
||||||
|
ansible.groups = {
|
||||||
|
"pgsqlserver" => ["oidcbox"],
|
||||||
|
"authserver" => ["oidcbox"],
|
||||||
|
"demoserver" => ["oidcbox"]
|
||||||
|
}
|
||||||
|
end
|
||||||
|
end
|
|
@ -1,15 +1,29 @@
|
||||||
---
|
---
|
||||||
|
- name: Install development tools
|
||||||
|
hosts: all
|
||||||
|
become: false
|
||||||
|
|
||||||
|
roles:
|
||||||
|
- prepare_devtools
|
||||||
|
|
||||||
- name: Setup database
|
- name: Setup database
|
||||||
hosts: pgsqlserver
|
hosts: pgsqlserver
|
||||||
become: true
|
become: true
|
||||||
|
|
||||||
pre_tasks:
|
pre_tasks:
|
||||||
|
|
||||||
- name: Install python3-psycopg2
|
- name: Install package python3-psycopg2
|
||||||
ansible.builtin.package:
|
ansible.builtin.package:
|
||||||
name: python3-psycopg2
|
name: python3-psycopg2
|
||||||
state: present
|
state: present
|
||||||
|
|
||||||
|
# The ACL package is required to run commands as the postgres user
|
||||||
|
# See https://docs.ansible.com/ansible-core/2.12/user_guide/become.html#risks-of-becoming-an-unprivileged-user
|
||||||
|
- name: Install package acl
|
||||||
|
ansible.builtin.package:
|
||||||
|
name: acl
|
||||||
|
state: present
|
||||||
|
|
||||||
roles:
|
roles:
|
||||||
- hydra_database
|
- hydra_database
|
||||||
|
|
|
@ -4,8 +4,6 @@
|
||||||
hydra_db_password: hydra
|
hydra_db_password: hydra
|
||||||
hydra_db_host: localhost
|
hydra_db_host: localhost
|
||||||
hydra_db_port: 5432
|
hydra_db_port: 5432
|
||||||
hydra_version: "1.11.9"
|
|
||||||
hydra_checksum: "0e38096a45ae411f70b95beaad69a5335a16cf34c4963724beef3ebce37c283c"
|
|
||||||
hydra_tls:
|
hydra_tls:
|
||||||
cert: "{{ hydra_home }}/etc/hydra.cacert.localhost+1.pem"
|
cert: "{{ hydra_home }}/etc/hydra.cacert.localhost+1.pem"
|
||||||
key: "{{ hydra_home }}/etc/hydra.cacert.localhost+1-key.pem"
|
key: "{{ hydra_home }}/etc/hydra.cacert.localhost+1-key.pem"
|
||||||
|
@ -18,6 +16,7 @@ oidc_urls:
|
||||||
host: hydra.cacert.localhost
|
host: hydra.cacert.localhost
|
||||||
port: 4445
|
port: 4445
|
||||||
hydra_public:
|
hydra_public:
|
||||||
|
address: localhost
|
||||||
host: auth.cacert.localhost
|
host: auth.cacert.localhost
|
||||||
port: 4444
|
port: 4444
|
||||||
idp:
|
idp:
|
31
deployment/host_vars/oidcbox.yml
Normal file
31
deployment/host_vars/oidcbox.yml
Normal file
|
@ -0,0 +1,31 @@
|
||||||
|
---
|
||||||
|
# this is for a localhost deployment, database passwords for public servers
|
||||||
|
# must be different random values encrypted via ansible-vault
|
||||||
|
hydra_db_password: hydra
|
||||||
|
hydra_db_host: localhost
|
||||||
|
hydra_db_port: 5432
|
||||||
|
hydra_tls:
|
||||||
|
cert: "{{ hydra_home }}/etc/hydra.cacert.localhost+1.pem"
|
||||||
|
key: "{{ hydra_home }}/etc/hydra.cacert.localhost+1-key.pem"
|
||||||
|
# this is for a localhost deployment, secrets for public servers must be
|
||||||
|
# different random values encrypted via ansible-vault
|
||||||
|
hydra_system_secret: "AczA+NZ25Ye9eAreglv5bo9XcND6uwBQHVUYCvPfwXo="
|
||||||
|
|
||||||
|
oidc_urls:
|
||||||
|
hydra_admin:
|
||||||
|
host: hydra.cacert.localhost
|
||||||
|
port: 4445
|
||||||
|
hydra_public:
|
||||||
|
host: auth.cacert.localhost
|
||||||
|
port: 4444
|
||||||
|
idp:
|
||||||
|
host: login.cacert.localhost
|
||||||
|
port: 3000
|
||||||
|
demoapp:
|
||||||
|
host: app.cacert.localhost
|
||||||
|
port: 4000
|
||||||
|
register:
|
||||||
|
host: register.cacert.localhost
|
||||||
|
port: 5000
|
||||||
|
|
||||||
|
use_mkcert: true
|
|
@ -6,7 +6,7 @@ Setup a PostgreSQL database for [ORY Hydra](https://ory.sh/hydra/).
|
||||||
Requirements
|
Requirements
|
||||||
------------
|
------------
|
||||||
|
|
||||||
The role expects a Debian system running Debian 10 or later.
|
The role expects a Debian system running Debian 11 or later.
|
||||||
|
|
||||||
Role Variables
|
Role Variables
|
||||||
--------------
|
--------------
|
||||||
|
|
|
@ -1,3 +1,4 @@
|
||||||
|
---
|
||||||
galaxy_info:
|
galaxy_info:
|
||||||
author: Jan Dittberner
|
author: Jan Dittberner
|
||||||
description: ORY Hydra database setup
|
description: ORY Hydra database setup
|
||||||
|
@ -8,7 +9,6 @@ galaxy_info:
|
||||||
platforms:
|
platforms:
|
||||||
- name: Debian
|
- name: Debian
|
||||||
versions:
|
versions:
|
||||||
- buster
|
|
||||||
- bullseye
|
- bullseye
|
||||||
- bookworm
|
- bookworm
|
||||||
|
|
||||||
|
|
|
@ -5,4 +5,7 @@ hydra_os_group: hydra
|
||||||
hydra_os_user: hydra
|
hydra_os_user: hydra
|
||||||
hydra_home: /srv/hydra
|
hydra_home: /srv/hydra
|
||||||
|
|
||||||
|
hydra_version: "1.11.9"
|
||||||
|
hydra_checksum: "0e38096a45ae411f70b95beaad69a5335a16cf34c4963724beef3ebce37c283c"
|
||||||
|
|
||||||
use_mkcert: false
|
use_mkcert: false
|
||||||
|
|
|
@ -62,10 +62,6 @@
|
||||||
- name: Create Hydra key and certificate with mkcert
|
- name: Create Hydra key and certificate with mkcert
|
||||||
block:
|
block:
|
||||||
|
|
||||||
- name: Install mkcert CA
|
|
||||||
ansible.builtin.command:
|
|
||||||
cmd: mkcert -install
|
|
||||||
|
|
||||||
- name: Create temporary directory for Hydra key and certificate
|
- name: Create temporary directory for Hydra key and certificate
|
||||||
ansible.builtin.tempfile:
|
ansible.builtin.tempfile:
|
||||||
prefix: "hydra-cert."
|
prefix: "hydra-cert."
|
||||||
|
@ -74,7 +70,7 @@
|
||||||
|
|
||||||
- name: Create Hydra key and certificate
|
- name: Create Hydra key and certificate
|
||||||
ansible.builtin.command:
|
ansible.builtin.command:
|
||||||
cmd: "mkcert -cert-file {{ hydra_cert_temp_dir.path }}/hydra.pem -key-file {{ hydra_cert_temp_dir.path }}/hydra.key.pem {{ oidc_urls.hydra_admin.host }} {{ oidc_urls.hydra_public.host }}"
|
cmd: "/home/{{ ansible_user | default(ansible_env.USER) }}/.local/bin/mkcert -cert-file {{ hydra_cert_temp_dir.path }}/hydra.pem -key-file {{ hydra_cert_temp_dir.path }}/hydra.key.pem {{ oidc_urls.hydra_admin.host }} {{ oidc_urls.hydra_public.host }}"
|
||||||
|
|
||||||
- name: Move Hydra certificate and key to target
|
- name: Move Hydra certificate and key to target
|
||||||
ansible.builtin.copy:
|
ansible.builtin.copy:
|
||||||
|
|
|
@ -4,7 +4,7 @@ serve:
|
||||||
host: {{ oidc_urls.hydra_admin.address | default("localhost") }}
|
host: {{ oidc_urls.hydra_admin.address | default("localhost") }}
|
||||||
port: {{ oidc_urls.hydra_admin.port | default("4445") }}
|
port: {{ oidc_urls.hydra_admin.port | default("4445") }}
|
||||||
public:
|
public:
|
||||||
host: {{ oidc_urls.hydra_public.address | default("localhost") }}
|
host: {{ oidc_urls.hydra_public.address | default(ansible_default_ipv4.address) }}
|
||||||
port: {{ oidc_urls.hydra_public.port | default("4444") }}
|
port: {{ oidc_urls.hydra_public.port | default("4444") }}
|
||||||
tls:
|
tls:
|
||||||
cert:
|
cert:
|
||||||
|
|
14
deployment/roles/prepare_devtools/README.md
Normal file
14
deployment/roles/prepare_devtools/README.md
Normal file
|
@ -0,0 +1,14 @@
|
||||||
|
Role Name
|
||||||
|
=========
|
||||||
|
|
||||||
|
Prepare development tools for the CAcert OIDC setup.
|
||||||
|
|
||||||
|
License
|
||||||
|
-------
|
||||||
|
|
||||||
|
GPL-2.0-or-later
|
||||||
|
|
||||||
|
Author Information
|
||||||
|
------------------
|
||||||
|
|
||||||
|
Jan Dittberner <jandd@cacert.org>
|
3
deployment/roles/prepare_devtools/defaults/main.yml
Normal file
3
deployment/roles/prepare_devtools/defaults/main.yml
Normal file
|
@ -0,0 +1,3 @@
|
||||||
|
---
|
||||||
|
mkcert_version: v1.4.4
|
||||||
|
mkcert_checksum: 6d31c65b03972c6dc4a14ab429f2928300518b26503f58723e532d1b0a3bbb52
|
19
deployment/roles/prepare_devtools/meta/main.yml
Normal file
19
deployment/roles/prepare_devtools/meta/main.yml
Normal file
|
@ -0,0 +1,19 @@
|
||||||
|
---
|
||||||
|
galaxy_info:
|
||||||
|
author: Jan Dittberner
|
||||||
|
description: Prepare development tools for the CAcert OIDC setup.
|
||||||
|
company: CAcert
|
||||||
|
|
||||||
|
license: GPL-2.0-or-later
|
||||||
|
|
||||||
|
min_ansible_version: 2.1
|
||||||
|
|
||||||
|
platforms:
|
||||||
|
- name: Debian
|
||||||
|
versions:
|
||||||
|
- bullseye
|
||||||
|
- bookworm
|
||||||
|
|
||||||
|
galaxy_tags: []
|
||||||
|
|
||||||
|
dependencies: []
|
28
deployment/roles/prepare_devtools/tasks/main.yml
Normal file
28
deployment/roles/prepare_devtools/tasks/main.yml
Normal file
|
@ -0,0 +1,28 @@
|
||||||
|
---
|
||||||
|
- name: Create .local/bin for ansible user
|
||||||
|
ansible.builtin.file:
|
||||||
|
path: "/home/{{ ansible_user | default(ansible_env.USER) }}/.local/bin"
|
||||||
|
state: directory
|
||||||
|
owner: "{{ ansible_user | default(ansible_env.USER) }}"
|
||||||
|
group: "{{ ansible_user | default(ansible_env.USER) }}"
|
||||||
|
mode: "0750"
|
||||||
|
|
||||||
|
- name: Prepare mkcert
|
||||||
|
block:
|
||||||
|
|
||||||
|
- name: Download mkcert binary
|
||||||
|
ansible.builtin.get_url:
|
||||||
|
url: "https://github.com/FiloSottile/mkcert/releases/download/{{ mkcert_version }}/mkcert-{{ mkcert_version }}-linux-amd64"
|
||||||
|
dest: "/home/{{ ansible_user | default(ansible_env.USER) }}/.local/bin/mkcert"
|
||||||
|
checksum: "sha256:{{ mkcert_checksum }}"
|
||||||
|
owner: "{{ ansible_user | default(ansible_env.USER) }}"
|
||||||
|
group: "{{ ansible_user | default(ansible_env.USER) }}"
|
||||||
|
mode: "0750"
|
||||||
|
|
||||||
|
- name: Install mkcert CA
|
||||||
|
ansible.builtin.command:
|
||||||
|
cmd: "/home/{{ ansible_user | default(ansible_env.USER) }}/.local/bin/mkcert -install"
|
||||||
|
changed_when: false
|
||||||
|
|
||||||
|
when: use_mkcert
|
||||||
|
become: false
|
Loading…
Reference in a new issue