Add local preconditions and Vagrantfile
This commit adds a role that ensures local preconditions (i.e. mkcert) are met, and a Vagrantfile to test the Ansible playbook in a local virtual machine.
This commit is contained in:
parent
bfa60b9288
commit
5daa87ca90
16 changed files with 180 additions and 13 deletions
1
.gitignore
vendored
1
.gitignore
vendored
|
@ -1 +1,2 @@
|
|||
/.idea/
|
||||
/.vagrant/
|
||||
|
|
31
README.md
31
README.md
|
@ -19,3 +19,34 @@ git config submodule.recurse true
|
|||
- setup IDP (provides login and consent screens)
|
||||
- setup demo application
|
||||
- setup setup OpenID Connect client registration application
|
||||
|
||||
## Local development setup
|
||||
|
||||
Make sure you have the necessary prerequisites installed (tested on Debian 11
|
||||
Bullseye) and `~/.local/bin` is in your `$PATH` variable:
|
||||
|
||||
```shell
|
||||
sudo apt update
|
||||
sudo apt install make python3-pip python3-psycopg2 golang-go yarnpkg
|
||||
python3 -m pip install --user -U pip
|
||||
python3 -m pip install --user ansible
|
||||
export PATH=$HOME/.local/bin:$PATH
|
||||
```
|
||||
|
||||
*Note:* It is a good idea to put the `PATH` export line into your `.bashrc` or
|
||||
`.zshenv`.
|
||||
|
||||
Use `make` to build the web app resources and applications:
|
||||
|
||||
```shell
|
||||
make
|
||||
```
|
||||
|
||||
Use `ansible-playbook` to deploy Hydra, IDP, Client registration and the demo
|
||||
application:
|
||||
|
||||
```shell
|
||||
cd deployment
|
||||
ansible-playbook 01_install_cacert_oidc.yml
|
||||
```
|
||||
|
||||
|
|
28
Vagrantfile
vendored
Normal file
28
Vagrantfile
vendored
Normal file
|
@ -0,0 +1,28 @@
|
|||
# -*- mode: ruby -*-
|
||||
# vi: set ft=ruby :
|
||||
|
||||
Vagrant.configure("2") do |config|
|
||||
config.vm.box = "generic/debian11"
|
||||
|
||||
config.vm.define "oidcbox"
|
||||
|
||||
config.vm.network "forwarded_port", guest: 4444, host: 4444, host_ip: "127.0.0.1"
|
||||
config.vm.network "forwarded_port", guest: 3000, host: 3000, host_ip: "127.0.0.1"
|
||||
config.vm.network "forwarded_port", guest: 4000, host: 4000, host_ip: "127.0.0.1"
|
||||
config.vm.network "forwarded_port", guest: 5000, host: 5000, host_ip: "127.0.0.1"
|
||||
|
||||
config.vm.provider "libvirt" do |lv|
|
||||
lv.memory = "2048"
|
||||
lv.cpus = 2
|
||||
lv.machine_virtual_size = 10
|
||||
end
|
||||
config.vm.provision "ansible" do |ansible|
|
||||
ansible.playbook = "deployment/01_install_cacert_oidc.yml"
|
||||
ansible.verbose = true
|
||||
ansible.groups = {
|
||||
"pgsqlserver" => ["oidcbox"],
|
||||
"authserver" => ["oidcbox"],
|
||||
"demoserver" => ["oidcbox"]
|
||||
}
|
||||
end
|
||||
end
|
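Review bot: The four `forwarded_port` lines give no hint which service sits behind each port, and the fact that Hydra's admin API (port 4445 in the host_vars on this page) is deliberately not forwarded is invisible here. From deployment/host_vars/oidcbox.yml the mapping is 4444 Hydra public, 3000 IDP, 4000 demo app, 5000 client registration, so a comment above the block such as `# host-only (127.0.0.1) forwards: 4444 hydra public, 3000 idp, 4000 demoapp, 5000 register; admin API 4445 stays VM-internal` records both the mapping and the omission. `lv.machine_virtual_size = 10` is also unitless; vagrant-libvirt reads it in GB, so a trailing `# GB` avoids a later "fix" to a byte or MB value.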
|
@ -1,15 +1,29 @@
|
|||
---
|
||||
- name: Install development tools
|
||||
hosts: all
|
||||
become: false
|
||||
|
||||
roles:
|
||||
- prepare_devtools
|
||||
|
||||
- name: Setup database
|
||||
hosts: pgsqlserver
|
||||
become: true
|
||||
|
||||
pre_tasks:
|
||||
|
||||
- name: Install python3-psycopg2
|
||||
- name: Install package python3-psycopg2
|
||||
ansible.builtin.package:
|
||||
name: python3-psycopg2
|
||||
state: present
|
||||
|
||||
# The ACL package is required to run commands as the postgres user
|
||||
# See https://docs.ansible.com/ansible-core/2.12/user_guide/become.html#risks-of-becoming-an-unprivileged-user
|
||||
- name: Install package acl
|
||||
ansible.builtin.package:
|
||||
name: acl
|
||||
state: present
|
||||
|
||||
roles:
|
||||
- hydra_database
|
||||
|
|
@ -4,8 +4,6 @@
|
|||
hydra_db_password: hydra
|
||||
hydra_db_host: localhost
|
||||
hydra_db_port: 5432
|
||||
hydra_version: "1.11.9"
|
||||
hydra_checksum: "0e38096a45ae411f70b95beaad69a5335a16cf34c4963724beef3ebce37c283c"
|
||||
hydra_tls:
|
||||
cert: "{{ hydra_home }}/etc/hydra.cacert.localhost+1.pem"
|
||||
key: "{{ hydra_home }}/etc/hydra.cacert.localhost+1-key.pem"
|
||||
|
@ -18,6 +16,7 @@ oidc_urls:
|
|||
host: hydra.cacert.localhost
|
||||
port: 4445
|
||||
hydra_public:
|
||||
address: localhost
|
||||
host: auth.cacert.localhost
|
||||
port: 4444
|
||||
idp:
|
31
deployment/host_vars/oidcbox.yml
Normal file
31
deployment/host_vars/oidcbox.yml
Normal file
|
@ -0,0 +1,31 @@
|
|||
---
|
||||
# this is for a localhost deployment, database passwords for public servers
|
||||
# must be different random values encrypted via ansible-vault
|
||||
hydra_db_password: hydra
|
||||
hydra_db_host: localhost
|
||||
hydra_db_port: 5432
|
||||
hydra_tls:
|
||||
cert: "{{ hydra_home }}/etc/hydra.cacert.localhost+1.pem"
|
||||
key: "{{ hydra_home }}/etc/hydra.cacert.localhost+1-key.pem"
|
||||
# this is for a localhost deployment, secrets for public servers must be
|
||||
# different random values encrypted via ansible-vault
|
||||
hydra_system_secret: "AczA+NZ25Ye9eAreglv5bo9XcND6uwBQHVUYCvPfwXo="
|
||||
|
||||
oidc_urls:
|
||||
hydra_admin:
|
||||
host: hydra.cacert.localhost
|
||||
port: 4445
|
||||
hydra_public:
|
||||
host: auth.cacert.localhost
|
||||
port: 4444
|
||||
idp:
|
||||
host: login.cacert.localhost
|
||||
port: 3000
|
||||
demoapp:
|
||||
host: app.cacert.localhost
|
||||
port: 4000
|
||||
register:
|
||||
host: register.cacert.localhost
|
||||
port: 5000
|
||||
|
||||
use_mkcert: true
|
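Review bot: `hydra_public` here carries `host` and `port` but no `address`, and that omission is load-bearing: the Hydra config template hunk further down now defaults the public listener to `ansible_default_ipv4.address`, so this box binds it to the VM's primary interface, which is what lets the Vagrantfile's forwarded port 4444 reach it, while the admin listener keeps its localhost default. Nothing in the file says so; a comment under `hydra_public:`, `# no address: bind to the VM's primary interface so the Vagrant forwarded port reaches it`, would stop a later edit from "correcting" it to localhost. Since `hydra_system_secret` and `hydra_db_password` are fixed values committed to git, it is worth adding to the existing comment that the loopback-only `host_ip` in the Vagrantfile is the only thing keeping this instance off the network.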
|
@ -6,7 +6,7 @@ Setup a PostgreSQL database for [ORY Hydra](https://ory.sh/hydra/).
|
|||
Requirements
|
||||
------------
|
||||
|
||||
The role expects a Debian system running Debian 10 or later.
|
||||
The role expects a Debian system running Debian 11 or later.
|
||||
|
||||
Role Variables
|
||||
--------------
|
||||
|
|
|
@ -1,3 +1,4 @@
|
|||
---
|
||||
galaxy_info:
|
||||
author: Jan Dittberner
|
||||
description: ORY Hydra database setup
|
||||
|
@ -8,7 +9,6 @@ galaxy_info:
|
|||
platforms:
|
||||
- name: Debian
|
||||
versions:
|
||||
- buster
|
||||
- bullseye
|
||||
- bookworm
|
||||
|
||||
|
|
|
@ -5,4 +5,7 @@ hydra_os_group: hydra
|
|||
hydra_os_user: hydra
|
||||
hydra_home: /srv/hydra
|
||||
|
||||
hydra_version: "1.11.9"
|
||||
hydra_checksum: "0e38096a45ae411f70b95beaad69a5335a16cf34c4963724beef3ebce37c283c"
|
||||
|
||||
use_mkcert: false
|
||||
|
|
|
@ -62,10 +62,6 @@
|
|||
- name: Create Hydra key and certificate with mkcert
|
||||
block:
|
||||
|
||||
- name: Install mkcert CA
|
||||
ansible.builtin.command:
|
||||
cmd: mkcert -install
|
||||
|
||||
- name: Create temporary directory for Hydra key and certificate
|
||||
ansible.builtin.tempfile:
|
||||
prefix: "hydra-cert."
|
||||
|
@ -74,7 +70,7 @@
|
|||
|
||||
- name: Create Hydra key and certificate
|
||||
ansible.builtin.command:
|
||||
cmd: "mkcert -cert-file {{ hydra_cert_temp_dir.path }}/hydra.pem -key-file {{ hydra_cert_temp_dir.path }}/hydra.key.pem {{ oidc_urls.hydra_admin.host }} {{ oidc_urls.hydra_public.host }}"
|
||||
cmd: "/home/{{ ansible_user | default(ansible_env.USER) }}/.local/bin/mkcert -cert-file {{ hydra_cert_temp_dir.path }}/hydra.pem -key-file {{ hydra_cert_temp_dir.path }}/hydra.key.pem {{ oidc_urls.hydra_admin.host }} {{ oidc_urls.hydra_public.host }}"
|
||||
|
||||
- name: Move Hydra certificate and key to target
|
||||
ansible.builtin.copy:
|
||||
|
|
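Review bot: The new mkcert invocation spells the home directory out as `/home/{{ ansible_user | default(ansible_env.USER) }}`, and the same expression is repeated five more times in the prepare_devtools tasks file later on this page (directory creation, download `dest`, `owner`/`group`, and the `-install` command). Using `ansible_env.HOME` is presumably avoided because facts gathered under `become` report root's home, which is understandable, but the expression should then live once in a role default (e.g. `devtools_home: "/home/{{ ansible_user | default(ansible_env.USER) }}"`) and be referenced as `{{ devtools_home }}/.local/bin/mkcert`, so a change of convention is a one-line edit. The section's file name is not shown on the page; from the task names it is presumably the hydra role's tasks file, and the enclosing block starts and ends outside the hunk.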
|
@ -4,7 +4,7 @@ serve:
|
|||
host: {{ oidc_urls.hydra_admin.address | default("localhost") }}
|
||||
port: {{ oidc_urls.hydra_admin.port | default("4445") }}
|
||||
public:
|
||||
host: {{ oidc_urls.hydra_public.address | default("localhost") }}
|
||||
host: {{ oidc_urls.hydra_public.address | default(ansible_default_ipv4.address) }}
|
||||
port: {{ oidc_urls.hydra_public.port | default("4444") }}
|
||||
tls:
|
||||
cert:
|
||||
|
|
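Review bot: The changed default for the public listener, `default(ansible_default_ipv4.address)`, turns a loopback-only bind into one on the host's primary interface whenever `oidc_urls.hydra_public.address` is unset, while the admin listener two lines above keeps `default("localhost")`, and nothing in the template explains the asymmetry. It appears to exist so the Vagrant forwarded port 4444 can reach the guest, and the earlier defaults hunk on this page compensates by pinning `address: localhost` explicitly for non-Vagrant hosts. A comment above the `public:` block, `# public listener defaults to the primary interface (needed for forwarded ports); set oidc_urls.hydra_public.address to restrict it`, records the reasoning. The section's file name is not visible on the page, so this is presumably the Hydra config template, and the enclosing `serve:` mapping continues outside the hunk.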
14
deployment/roles/prepare_devtools/README.md
Normal file
14
deployment/roles/prepare_devtools/README.md
Normal file
|
@ -0,0 +1,14 @@
|
|||
Role Name
|
||||
=========
|
||||
|
||||
Prepare development tools for the CAcert OIDC setup.
|
||||
|
||||
License
|
||||
-------
|
||||
|
||||
GPL-2.0-or-later
|
||||
|
||||
Author Information
|
||||
------------------
|
||||
|
||||
Jan Dittberner <jandd@cacert.org>
|
3
deployment/roles/prepare_devtools/defaults/main.yml
Normal file
3
deployment/roles/prepare_devtools/defaults/main.yml
Normal file
|
@ -0,0 +1,3 @@
|
|||
---
|
||||
mkcert_version: v1.4.4
|
||||
mkcert_checksum: 6d31c65b03972c6dc4a14ab429f2928300518b26503f58723e532d1b0a3bbb52
|
19
deployment/roles/prepare_devtools/meta/main.yml
Normal file
19
deployment/roles/prepare_devtools/meta/main.yml
Normal file
|
@ -0,0 +1,19 @@
|
|||
---
|
||||
galaxy_info:
|
||||
author: Jan Dittberner
|
||||
description: Prepare development tools for the CAcert OIDC setup.
|
||||
company: CAcert
|
||||
|
||||
license: GPL-2.0-or-later
|
||||
|
||||
min_ansible_version: 2.1
|
||||
|
||||
platforms:
|
||||
- name: Debian
|
||||
versions:
|
||||
- bullseye
|
||||
- bookworm
|
||||
|
||||
galaxy_tags: []
|
||||
|
||||
dependencies: []
|
28
deployment/roles/prepare_devtools/tasks/main.yml
Normal file
28
deployment/roles/prepare_devtools/tasks/main.yml
Normal file
|
@ -0,0 +1,28 @@
|
|||
---
|
||||
- name: Create .local/bin for ansible user
|
||||
ansible.builtin.file:
|
||||
path: "/home/{{ ansible_user | default(ansible_env.USER) }}/.local/bin"
|
||||
state: directory
|
||||
owner: "{{ ansible_user | default(ansible_env.USER) }}"
|
||||
group: "{{ ansible_user | default(ansible_env.USER) }}"
|
||||
mode: "0750"
|
||||
|
||||
- name: Prepare mkcert
|
||||
block:
|
||||
|
||||
- name: Download mkcert binary
|
||||
ansible.builtin.get_url:
|
||||
url: "https://github.com/FiloSottile/mkcert/releases/download/{{ mkcert_version }}/mkcert-{{ mkcert_version }}-linux-amd64"
|
||||
dest: "/home/{{ ansible_user | default(ansible_env.USER) }}/.local/bin/mkcert"
|
||||
checksum: "sha256:{{ mkcert_checksum }}"
|
||||
owner: "{{ ansible_user | default(ansible_env.USER) }}"
|
||||
group: "{{ ansible_user | default(ansible_env.USER) }}"
|
||||
mode: "0750"
|
||||
|
||||
- name: Install mkcert CA
|
||||
ansible.builtin.command:
|
||||
cmd: "/home/{{ ansible_user | default(ansible_env.USER) }}/.local/bin/mkcert -install"
|
||||
changed_when: false
|
||||
|
||||
when: use_mkcert
|
||||
become: false
|
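Review bot: `changed_when: false` on the `mkcert -install` task hides a real system change: the command generates a local CA and adds it to the system (and browser) trust stores, which is exactly the kind of step a play recap should report. Expressing the idempotence condition instead, e.g. `creates: "/home/{{ ansible_user | default(ansible_env.USER) }}/.local/share/mkcert/rootCA.pem"` next to `cmd:` (mkcert's default CAROOT on Linux), would report the first run as changed and skip later ones; the edge case of a CA generated but never installed would then be skipped too, so if that matters keep running the command and derive `changed_when` from its output instead. The download task is in good shape, with the release pinned to `mkcert_version` and verified against `sha256:{{ mkcert_checksum }}`; a comment on `mkcert_checksum` in defaults/main.yml naming which release artifact it was taken from would make future bumps auditable.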