Add local preconditions and Vagrantfile

This commit adds a role to ensure local preconditions (i.e. mkcert) and
a Vagrantfile to test the ansible playbook in a local virtual machine.
Jan Dittberner 2022-08-18 11:58:24 +02:00
parent bfa60b9288
commit 5daa87ca90
16 changed files with 180 additions and 13 deletions

1
.gitignore vendored

@ -1 +1,2 @@
/.idea/
/.vagrant/


@ -19,3 +19,34 @@ git config submodule.recurse true
- setup IDP (provides login and consent screens)
- setup demo application
- setup setup OpenID Connect client registration application
## Local development setup
Make sure you have the necessary prerequisites installed (tested on Debian 11
Bullseye) and `~/.local/bin` is in your `$PATH` variable:
```shell
sudo apt update
sudo apt install make python3-pip python3-psycopg2 golang-go yarnpkg
python3 -m pip install --user -U pip
python3 -m pip install --user ansible
export PATH=$HOME/.local/bin:$PATH
```
*Note:* It is a good idea to put the `PATH` export line into your `.bashrc` or
`.zshenv`.
Use `make` to build the web app resources and applications:
```shell
make
```
Use `ansible-playbook` to deploy Hydra, IDP, Client registration and the demo
application:
```shell
cd deployment
ansible-playbook 01_install_cacert_oidc.yml
```

28
Vagrantfile vendored Normal file

@ -0,0 +1,28 @@
# -*- mode: ruby -*-
# vi: set ft=ruby :
Vagrant.configure("2") do |config|
config.vm.box = "generic/debian11"
config.vm.define "oidcbox"
config.vm.network "forwarded_port", guest: 4444, host: 4444, host_ip: "127.0.0.1"
config.vm.network "forwarded_port", guest: 3000, host: 3000, host_ip: "127.0.0.1"
config.vm.network "forwarded_port", guest: 4000, host: 4000, host_ip: "127.0.0.1"
config.vm.network "forwarded_port", guest: 5000, host: 5000, host_ip: "127.0.0.1"
config.vm.provider "libvirt" do |lv|
lv.memory = "2048"
lv.cpus = 2
lv.machine_virtual_size = 10
end
config.vm.provision "ansible" do |ansible|
ansible.playbook = "deployment/01_install_cacert_oidc.yml"
ansible.verbose = true
ansible.groups = {
"pgsqlserver" => ["oidcbox"],
"authserver" => ["oidcbox"],
"demoserver" => ["oidcbox"]
}
end
end
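Review bot: The base box on L56 is referenced as `generic/debian11` with no version pin, so each `vagrant up` fetches whatever the current upstream box is, while the mkcert and Hydra downloads in this same commit are pinned by version and SHA-256. Adding `config.vm.box_version = "<known-good version>"` next to `config.vm.box` keeps the test VM reproducible and stops a replaced upstream box from silently changing what the playbook is validated against. Separately, `ansible.verbose = true` on L69 makes the provisioner print full task results, which may expose the database password and Hydra system secret from the vars files in the console log; acceptable for a throwaway local VM, but worth a one-line comment such as `# verbose output may echo dev-only secrets; do not reuse for shared/CI hosts` so the block is not copied elsewhere unchanged.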


@ -1,15 +1,29 @@
---
- name: Install development tools
hosts: all
become: false
roles:
- prepare_devtools
- name: Setup database
hosts: pgsqlserver
become: true
pre_tasks:
- name: Install python3-psycopg2
- name: Install package python3-psycopg2
ansible.builtin.package:
name: python3-psycopg2
state: present
# The ACL package is required to run commands as the postgres user
# See https://docs.ansible.com/ansible-core/2.12/user_guide/become.html#risks-of-becoming-an-unprivileged-user
- name: Install package acl
ansible.builtin.package:
name: acl
state: present
roles:
- hydra_database
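Review bot: The new "Install development tools" play on L82-L86 targets `hosts: all` with no play-level guard, so any inventory that runs this playbook, including a non-development one, will execute the prepare_devtools role, which downloads a binary from GitHub and installs a local CA into the trust store. The only gate is the `use_mkcert` condition inside the role, whose `false` default lives in the hydra role's defaults rather than in this play. It would be safer to make the intent explicit here, e.g. `tags: [devtools]` on the play so production runs can use `--skip-tags devtools`, or add a comment like `# development-only: installs mkcert and a local CA on every host; gated by use_mkcert` above the play.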


@ -4,8 +4,6 @@
hydra_db_password: hydra
hydra_db_host: localhost
hydra_db_port: 5432
hydra_version: "1.11.9"
hydra_checksum: "0e38096a45ae411f70b95beaad69a5335a16cf34c4963724beef3ebce37c283c"
hydra_tls:
cert: "{{ hydra_home }}/etc/hydra.cacert.localhost+1.pem"
key: "{{ hydra_home }}/etc/hydra.cacert.localhost+1-key.pem"
@ -18,6 +16,7 @@ oidc_urls:
host: hydra.cacert.localhost
port: 4445
hydra_public:
address: localhost
host: auth.cacert.localhost
port: 4444
idp:


@ -0,0 +1,31 @@
---
# this is for a localhost deployment, database passwords for public servers
# must be different random values encrypted via ansible-vault
hydra_db_password: hydra
hydra_db_host: localhost
hydra_db_port: 5432
hydra_tls:
cert: "{{ hydra_home }}/etc/hydra.cacert.localhost+1.pem"
key: "{{ hydra_home }}/etc/hydra.cacert.localhost+1-key.pem"
# this is for a localhost deployment, secrets for public servers must be
# different random values encrypted via ansible-vault
hydra_system_secret: "AczA+NZ25Ye9eAreglv5bo9XcND6uwBQHVUYCvPfwXo="
oidc_urls:
hydra_admin:
host: hydra.cacert.localhost
port: 4445
hydra_public:
host: auth.cacert.localhost
port: 4444
idp:
host: login.cacert.localhost
port: 3000
demoapp:
host: app.cacert.localhost
port: 4000
register:
host: register.cacert.localhost
port: 5000
use_mkcert: true
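Review bot: `hydra_system_secret` on L139 is a fixed value committed to the repository in cleartext; the comment on L137-L138 says public servers must use a different value, but every developer who provisions this box with the file unchanged will run Hydra with a secret that is public knowledge, and the box's public port is forwarded to the host. Even for the local VM it is cheap to generate the secret at provisioning time instead of hard-coding it, for example `hydra_system_secret: "{{ lookup('password', '.vagrant/hydra_system_secret length=32 chars=ascii_letters,digits') }}"`, which creates a per-checkout random value on the controller and reuses it on later runs. The same applies in a weaker form to `hydra_db_password: hydra` on L131, though that database only listens locally if `hydra_db_host: localhost` reflects the PostgreSQL bind address, which I cannot confirm from this hunk.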


@ -6,7 +6,7 @@ Setup a PostgreSQL database for [ORY Hydra](https://ory.sh/hydra/).
Requirements
------------
The role expects a Debian system running Debian 10 or later.
The role expects a Debian system running Debian 11 or later.
Role Variables
--------------


@ -1,3 +1,4 @@
---
galaxy_info:
author: Jan Dittberner
description: ORY Hydra database setup
@ -8,7 +9,6 @@ galaxy_info:
platforms:
- name: Debian
versions:
- buster
- bullseye
- bookworm


@ -5,4 +5,7 @@ hydra_os_group: hydra
hydra_os_user: hydra
hydra_home: /srv/hydra
hydra_version: "1.11.9"
hydra_checksum: "0e38096a45ae411f70b95beaad69a5335a16cf34c4963724beef3ebce37c283c"
use_mkcert: false


@ -62,10 +62,6 @@
- name: Create Hydra key and certificate with mkcert
block:
- name: Install mkcert CA
ansible.builtin.command:
cmd: mkcert -install
- name: Create temporary directory for Hydra key and certificate
ansible.builtin.tempfile:
prefix: "hydra-cert."
@ -74,7 +70,7 @@
- name: Create Hydra key and certificate
ansible.builtin.command:
cmd: "mkcert -cert-file {{ hydra_cert_temp_dir.path }}/hydra.pem -key-file {{ hydra_cert_temp_dir.path }}/hydra.key.pem {{ oidc_urls.hydra_admin.host }} {{ oidc_urls.hydra_public.host }}"
cmd: "/home/{{ ansible_user | default(ansible_env.USER) }}/.local/bin/mkcert -cert-file {{ hydra_cert_temp_dir.path }}/hydra.pem -key-file {{ hydra_cert_temp_dir.path }}/hydra.key.pem {{ oidc_urls.hydra_admin.host }} {{ oidc_urls.hydra_public.host }}"
- name: Move Hydra certificate and key to target
ansible.builtin.copy:
@ -85,8 +81,8 @@
mode: "{{ item.mode }}"
remote_src: true
loop:
- { src: hydra.pem, dest: "{{ hydra_tls.cert }}", mode: '0644' }
- { src: hydra.key.pem, dest: "{{ hydra_tls.key }}", mode: '0640' }
- {src: hydra.pem, dest: "{{ hydra_tls.cert }}", mode: '0644'}
- {src: hydra.key.pem, dest: "{{ hydra_tls.key }}", mode: '0640'}
become: true
- name: Remove temporary directory
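Review bot: The mkcert invocation on L207 now runs the binary from `/home/{{ ansible_user | default(ansible_env.USER) }}/.local/bin/`, while the `mkcert -install` step was moved into the prepare_devtools role where it runs with `become: false`; if the `become: true` on L218 applies to the whole block rather than only to the copy task (indentation is not recoverable from this rendering), this command runs as root and mkcert will use root's CAROOT, issuing the Hydra certificate from a CA that was never installed into the trust store. Worth confirming on the VM and, if so, adding `become: false` to the "Create Hydra key and certificate" task. The home-directory path is also assembled independently here and in prepare_devtools (L277, L287, L294) and assumes `/home/<user>`; a single shared default such as `mkcert_bin: "/home/{{ ansible_user | default(ansible_env.USER) }}/.local/bin/mkcert"` would keep both roles in step. The task list continues outside this hunk.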


@ -4,7 +4,7 @@ serve:
host: {{ oidc_urls.hydra_admin.address | default("localhost") }}
port: {{ oidc_urls.hydra_admin.port | default("4445") }}
public:
host: {{ oidc_urls.hydra_public.address | default("localhost") }}
host: {{ oidc_urls.hydra_public.address | default(ansible_default_ipv4.address) }}
port: {{ oidc_urls.hydra_public.port | default("4444") }}
tls:
cert:
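Review bot: The default for the public listener on L228 changes from `localhost` to `ansible_default_ipv4.address`, so any inventory that does not set `oidc_urls.hydra_public.address` now binds Hydra's public API to the default-route interface instead of loopback, and the template additionally requires facts to be gathered or rendering fails on the undefined fact. The localhost vars file keeps the old behaviour by setting `address: localhost` (L120), but that dependency is not documented anywhere in the template. A short Jinja comment above the line would make the contract explicit: `{# public listener binds to the default-route interface unless oidc_urls.hydra_public.address overrides it; local deployments set it to localhost #}`.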


@ -0,0 +1,14 @@
Role Name
=========
Prepare development tools for the CAcert OIDC setup.
License
-------
GPL-2.0-or-later
Author Information
------------------
Jan Dittberner <jandd@cacert.org>


@ -0,0 +1,3 @@
---
mkcert_version: v1.4.4
mkcert_checksum: 6d31c65b03972c6dc4a14ab429f2928300518b26503f58723e532d1b0a3bbb52


@ -0,0 +1,19 @@
---
galaxy_info:
author: Jan Dittberner
description: Prepare development tools for the CAcert OIDC setup.
company: CAcert
license: GPL-2.0-or-later
min_ansible_version: 2.1
platforms:
- name: Debian
versions:
- bullseye
- bookworm
galaxy_tags: []
dependencies: []


@ -0,0 +1,28 @@
---
- name: Create .local/bin for ansible user
ansible.builtin.file:
path: "/home/{{ ansible_user | default(ansible_env.USER) }}/.local/bin"
state: directory
owner: "{{ ansible_user | default(ansible_env.USER) }}"
group: "{{ ansible_user | default(ansible_env.USER) }}"
mode: "0750"
- name: Prepare mkcert
block:
- name: Download mkcert binary
ansible.builtin.get_url:
url: "https://github.com/FiloSottile/mkcert/releases/download/{{ mkcert_version }}/mkcert-{{ mkcert_version }}-linux-amd64"
dest: "/home/{{ ansible_user | default(ansible_env.USER) }}/.local/bin/mkcert"
checksum: "sha256:{{ mkcert_checksum }}"
owner: "{{ ansible_user | default(ansible_env.USER) }}"
group: "{{ ansible_user | default(ansible_env.USER) }}"
mode: "0750"
- name: Install mkcert CA
ansible.builtin.command:
cmd: "/home/{{ ansible_user | default(ansible_env.USER) }}/.local/bin/mkcert -install"
changed_when: false
when: use_mkcert
become: false
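Review bot: `when: use_mkcert` on L296 references a variable this role does not define: its defaults (L249-L251) only contain `mkcert_version` and `mkcert_checksum`, and the `use_mkcert: false` default lives in the hydra role, which is not part of the same play (L82-L86). For any inventory that does not set the variable explicitly the block fails with an undefined-variable error instead of being skipped. Either add `use_mkcert: false` to this role's defaults or write the condition as `when: use_mkcert | default(false)`. The `mkcert -install` step on L292-L295 also modifies the system trust store, so `changed_when: false` hides a real change; if it is kept for idempotency a comment such as `# installs the mkcert root CA into the system and browser trust stores` would make the side effect visible to readers.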