Add local preconditions and Vagrantfile

This commit adds a role to ensure local preconditions (i.e. mkcert) and a Vagrantfile to test the ansible playbook in a local virtual machine.
2022-08-18 11:58:24 +02:00 · 2022-08-18 11:58:24 +02:00 · 5daa87ca90
commit 5daa87ca90
parent bfa60b9288
16 changed files with 180 additions and 13 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1,2 @@
 /.idea/
+/.vagrant/
--- a/README.md
+++ b/README.md
@ -19,3 +19,34 @@ git config submodule.recurse true
 - setup IDP (provides login and consent screens)
 - setup demo application
 - setup setup OpenID Connect client registration application
+
+## Local development setup
+
+Make sure you have the necessary prerequisites installed (tested on Debian 11
+Bullseye) and `~/.local/bin` is in your `$PATH` variable:
+
+```shell
+sudo apt update
+sudo apt install make python3-pip python3-psycopg2 golang-go yarnpkg
+python3 -m pip install --user -U pip
+python3 -m pip install --user ansible
+export PATH=$HOME/.local/bin:$PATH
+```
+
+*Note:* It is a good idea to put the `PATH` export line into your `.bashrc` or
+`.zshenv`.
+
+Use `make` to build the web app resources and applications:
+
+```shell
+make
+```
+
+Use `ansible-playbook` to deploy Hydra, IDP, Client registration and the demo
+application:
+
+```shell
+cd deployment
+ansible-playbook 01_install_cacert_oidc.yml
+```
+
--- a/28
+++ b/28
@ -0,0 +1,28 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+Vagrant.configure("2") do |config|
+  config.vm.box = "generic/debian11"
+
+  config.vm.define "oidcbox"
+
+  config.vm.network "forwarded_port", guest: 4444, host: 4444, host_ip: "127.0.0.1"
+  config.vm.network "forwarded_port", guest: 3000, host: 3000, host_ip: "127.0.0.1"
+  config.vm.network "forwarded_port", guest: 4000, host: 4000, host_ip: "127.0.0.1"
+  config.vm.network "forwarded_port", guest: 5000, host: 5000, host_ip: "127.0.0.1"
+
+  config.vm.provider "libvirt" do |lv|
+    lv.memory = "2048"
+    lv.cpus = 2
+    lv.machine_virtual_size = 10
+  end
+  config.vm.provision "ansible" do |ansible|
+    ansible.playbook = "deployment/01_install_cacert_oidc.yml"
+    ansible.verbose = true
+    ansible.groups = {
+      "pgsqlserver" => ["oidcbox"],
+      "authserver" => ["oidcbox"],
+      "demoserver" => ["oidcbox"]
+    }
+  end
+end
--- a/deployment/playbooks/01_install_cacert_oidc.yml
+++ b/deployment/playbooks/01_install_cacert_oidc.yml
@ -1,15 +1,29 @@
 ---
+- name: Install development tools
+  hosts: all
+  become: false
+
+  roles:
+    - prepare_devtools
+
 - name: Setup database
  hosts: pgsqlserver
  become: true

  pre_tasks:

-    - name: Install python3-psycopg2
+    - name: Install package python3-psycopg2
      ansible.builtin.package:
        name: python3-psycopg2
        state: present

+    # The ACL package is required to run commands as the postgres user
+    # See https://docs.ansible.com/ansible-core/2.12/user_guide/become.html#risks-of-becoming-an-unprivileged-user
+    - name: Install package acl
+      ansible.builtin.package:
+        name: acl
+        state: present
+
  roles:
    - hydra_database

--- a/deployment/inventory/group_vars/all.yml
+++ b/deployment/inventory/group_vars/all.yml
--- a/deployment/inventory/host_vars/localhost.yml
+++ b/deployment/inventory/host_vars/localhost.yml
@ -4,8 +4,6 @@
 hydra_db_password: hydra
 hydra_db_host: localhost
 hydra_db_port: 5432
-hydra_version: "1.11.9"
-hydra_checksum: "0e38096a45ae411f70b95beaad69a5335a16cf34c4963724beef3ebce37c283c"
 hydra_tls:
  cert: "{{ hydra_home }}/etc/hydra.cacert.localhost+1.pem"
  key: "{{ hydra_home }}/etc/hydra.cacert.localhost+1-key.pem"
@ -18,6 +16,7 @@ oidc_urls:
    host: hydra.cacert.localhost
    port: 4445
  hydra_public:
+    address: localhost
    host: auth.cacert.localhost
    port: 4444
  idp:
--- a/deployment/host_vars/oidcbox.yml
+++ b/deployment/host_vars/oidcbox.yml
@ -0,0 +1,31 @@
+---
+# this is for a localhost deployment, database passwords for public servers
+# must be different random values encrypted via ansible-vault
+hydra_db_password: hydra
+hydra_db_host: localhost
+hydra_db_port: 5432
+hydra_tls:
+  cert: "{{ hydra_home }}/etc/hydra.cacert.localhost+1.pem"
+  key: "{{ hydra_home }}/etc/hydra.cacert.localhost+1-key.pem"
+# this is for a localhost deployment, secrets for public servers must be
+# different random values encrypted via ansible-vault
+hydra_system_secret: "AczA+NZ25Ye9eAreglv5bo9XcND6uwBQHVUYCvPfwXo="
+
+oidc_urls:
+  hydra_admin:
+    host: hydra.cacert.localhost
+    port: 4445
+  hydra_public:
+    host: auth.cacert.localhost
+    port: 4444
+  idp:
+    host: login.cacert.localhost
+    port: 3000
+  demoapp:
+    host: app.cacert.localhost
+    port: 4000
+  register:
+    host: register.cacert.localhost
+    port: 5000
+
+use_mkcert: true
--- a/deployment/roles/hydra_database/README.md
+++ b/deployment/roles/hydra_database/README.md
@ -6,7 +6,7 @@ Setup a PostgreSQL database for [ORY Hydra](https://ory.sh/hydra/).
 Requirements
 ------------

-The role expects a Debian system running Debian 10 or later.
+The role expects a Debian system running Debian 11 or later.

 Role Variables
 --------------
--- a/deployment/roles/hydra_database/meta/main.yml
+++ b/deployment/roles/hydra_database/meta/main.yml
@ -1,3 +1,4 @@
+---
 galaxy_info:
  author: Jan Dittberner
  description: ORY Hydra database setup
@ -8,7 +9,6 @@ galaxy_info:
  platforms:
    - name: Debian
      versions:
-        - buster
        - bullseye
        - bookworm

--- a/deployment/roles/hydra_server/defaults/main.yml
+++ b/deployment/roles/hydra_server/defaults/main.yml
@ -5,4 +5,7 @@ hydra_os_group: hydra
 hydra_os_user: hydra
 hydra_home: /srv/hydra

+hydra_version: "1.11.9"
+hydra_checksum: "0e38096a45ae411f70b95beaad69a5335a16cf34c4963724beef3ebce37c283c"
+
 use_mkcert: false
--- a/deployment/roles/hydra_server/tasks/main.yml
+++ b/deployment/roles/hydra_server/tasks/main.yml
@ -62,10 +62,6 @@
 - name: Create Hydra key and certificate with mkcert
  block:

-    - name: Install mkcert CA
-      ansible.builtin.command:
-        cmd: mkcert -install
-
    - name: Create temporary directory for Hydra key and certificate
      ansible.builtin.tempfile:
        prefix: "hydra-cert."
@ -74,7 +70,7 @@

    - name: Create Hydra key and certificate
      ansible.builtin.command:
-        cmd: "mkcert -cert-file {{ hydra_cert_temp_dir.path }}/hydra.pem -key-file {{ hydra_cert_temp_dir.path }}/hydra.key.pem {{ oidc_urls.hydra_admin.host }} {{ oidc_urls.hydra_public.host }}"
+        cmd: "/home/{{ ansible_user | default(ansible_env.USER) }}/.local/bin/mkcert -cert-file {{ hydra_cert_temp_dir.path }}/hydra.pem -key-file {{ hydra_cert_temp_dir.path }}/hydra.key.pem {{ oidc_urls.hydra_admin.host }} {{ oidc_urls.hydra_public.host }}"

    - name: Move Hydra certificate and key to target
      ansible.builtin.copy:
--- a/deployment/roles/hydra_server/templates/hydra.yml.j2
+++ b/deployment/roles/hydra_server/templates/hydra.yml.j2
@ -4,7 +4,7 @@ serve:
    host: {{ oidc_urls.hydra_admin.address | default("localhost") }}
    port: {{ oidc_urls.hydra_admin.port | default("4445") }}
  public:
-    host: {{ oidc_urls.hydra_public.address | default("localhost") }}
+    host: {{ oidc_urls.hydra_public.address | default(ansible_default_ipv4.address) }}
    port: {{ oidc_urls.hydra_public.port | default("4444") }}
  tls:
    cert:
--- a/deployment/roles/prepare_devtools/README.md
+++ b/deployment/roles/prepare_devtools/README.md
@ -0,0 +1,14 @@
+Role Name
+=========
+
+Prepare development tools for the CAcert OIDC setup.
+
+License
+-------
+
+GPL-2.0-or-later
+
+Author Information
+------------------
+
+Jan Dittberner <jandd@cacert.org>
--- a/deployment/roles/prepare_devtools/defaults/main.yml
+++ b/deployment/roles/prepare_devtools/defaults/main.yml
@ -0,0 +1,3 @@
+---
+mkcert_version: v1.4.4
+mkcert_checksum: 6d31c65b03972c6dc4a14ab429f2928300518b26503f58723e532d1b0a3bbb52
--- a/deployment/roles/prepare_devtools/meta/main.yml
+++ b/deployment/roles/prepare_devtools/meta/main.yml
@ -0,0 +1,19 @@
+---
+galaxy_info:
+  author: Jan Dittberner
+  description: Prepare development tools for the CAcert OIDC setup.
+  company: CAcert
+
+  license: GPL-2.0-or-later
+
+  min_ansible_version: 2.1
+
+  platforms:
+    - name: Debian
+      versions:
+        - bullseye
+        - bookworm
+
+  galaxy_tags: []
+
+dependencies: []
--- a/deployment/roles/prepare_devtools/tasks/main.yml
+++ b/deployment/roles/prepare_devtools/tasks/main.yml
@ -0,0 +1,28 @@
+---
+- name: Create .local/bin for ansible user
+  ansible.builtin.file:
+    path: "/home/{{ ansible_user | default(ansible_env.USER) }}/.local/bin"
+    state: directory
+    owner: "{{ ansible_user | default(ansible_env.USER) }}"
+    group: "{{ ansible_user | default(ansible_env.USER) }}"
+    mode: "0750"
+
+- name: Prepare mkcert
+  block:
+
+    - name: Download mkcert binary
+      ansible.builtin.get_url:
+        url: "https://github.com/FiloSottile/mkcert/releases/download/{{ mkcert_version }}/mkcert-{{ mkcert_version }}-linux-amd64"
+        dest: "/home/{{ ansible_user | default(ansible_env.USER) }}/.local/bin/mkcert"
+        checksum: "sha256:{{ mkcert_checksum }}"
+        owner: "{{ ansible_user | default(ansible_env.USER) }}"
+        group: "{{ ansible_user | default(ansible_env.USER) }}"
+        mode: "0750"
+
+    - name: Install mkcert CA
+      ansible.builtin.command:
+        cmd: "/home/{{ ansible_user | default(ansible_env.USER) }}/.local/bin/mkcert -install"
+      changed_when: false
+
+  when: use_mkcert
+  become: false