Start Hydra server role implementation
- Define localhost variant of Hydra parameters - Download and unpack Hydra - Create configuration file - Create certificates using mkcert
This commit is contained in:
parent
00c0d3de1a
commit
9791658838
5 changed files with 205 additions and 3 deletions
|
@ -1,2 +1,2 @@
|
||||||
---
|
---
|
||||||
hydra_db_password: hydra
|
hydra_home: /srv/hydra
|
||||||
|
|
33
deployment/inventory/host_vars/localhost.yml
Normal file
33
deployment/inventory/host_vars/localhost.yml
Normal file
|
@ -0,0 +1,33 @@
|
||||||
|
---
|
||||||
|
# this is for a localhost deployment, database passwords for public servers
|
||||||
|
# must be different random values encrypted via ansible-vault
|
||||||
|
hydra_db_password: hydra
|
||||||
|
hydra_db_host: localhost
|
||||||
|
hydra_db_port: 5432
|
||||||
|
hydra_version: "1.11.9"
|
||||||
|
hydra_checksum: "0e38096a45ae411f70b95beaad69a5335a16cf34c4963724beef3ebce37c283c"
|
||||||
|
hydra_tls:
|
||||||
|
cert: "{{ hydra_home }}/etc/hydra.cacert.localhost+1.pem"
|
||||||
|
key: "{{ hydra_home }}/etc/hydra.cacert.localhost+1-key.pem"
|
||||||
|
# this is for a localhost deployment, secrets for public servers must be
|
||||||
|
# different random values encrypted via ansible-vault
|
||||||
|
hydra_system_secret: "AczA+NZ25Ye9eAreglv5bo9XcND6uwBQHVUYCvPfwXo="
|
||||||
|
|
||||||
|
oidc_urls:
|
||||||
|
hydra_admin:
|
||||||
|
host: hydra.cacert.localhost
|
||||||
|
port: 4445
|
||||||
|
hydra_public:
|
||||||
|
host: auth.cacert.localhost
|
||||||
|
port: 4444
|
||||||
|
idp:
|
||||||
|
host: login.cacert.localhost
|
||||||
|
port: 3000
|
||||||
|
demoapp:
|
||||||
|
host: app.cacert.localhost
|
||||||
|
port: 4000
|
||||||
|
register:
|
||||||
|
host: register.cacert.localhost
|
||||||
|
port: 5000
|
||||||
|
|
||||||
|
use_mkcert: true
|
|
@ -1,2 +1,8 @@
|
||||||
---
|
---
|
||||||
# defaults file for roles/hydra_server
|
hydra_db_name: hydra
|
||||||
|
hydra_db_user: hydra
|
||||||
|
hydra_os_group: hydra
|
||||||
|
hydra_os_user: hydra
|
||||||
|
hydra_home: /srv/hydra
|
||||||
|
|
||||||
|
use_mkcert: false
|
||||||
|
|
|
@ -1,2 +1,119 @@
|
||||||
---
|
---
|
||||||
# tasks file for roles/hydra_server
|
- name: Create Hydra group
|
||||||
|
ansible.builtin.group:
|
||||||
|
name: "{{ hydra_os_group }}"
|
||||||
|
state: present
|
||||||
|
system: true
|
||||||
|
|
||||||
|
- name: Create Hydra user
|
||||||
|
ansible.builtin.user:
|
||||||
|
name: "{{ hydra_os_user }}"
|
||||||
|
group: "{{ hydra_os_group }}"
|
||||||
|
home: "{{ hydra_home }}"
|
||||||
|
state: present
|
||||||
|
system: true
|
||||||
|
|
||||||
|
|
||||||
|
- name: Create Hydra directories
|
||||||
|
ansible.builtin.file:
|
||||||
|
path: "{{hydra_home }}/{{ item.path }}"
|
||||||
|
owner: "{{ hydra_os_user }}"
|
||||||
|
group: "{{ hydra_os_group }}"
|
||||||
|
mode: "{{ item.mode }}"
|
||||||
|
state: directory
|
||||||
|
loop:
|
||||||
|
- { path: etc, mode: '0750' }
|
||||||
|
- { path: bin, mode: '0750' }
|
||||||
|
- { path: download, mode: '0750' }
|
||||||
|
|
||||||
|
|
||||||
|
- name: Download Hydra binary
|
||||||
|
ansible.builtin.get_url:
|
||||||
|
url: "https://github.com/ory/hydra/releases/download/v{{ hydra_version }}/hydra_{{ hydra_version }}-linux_64bit.tar.gz"
|
||||||
|
dest: "{{ hydra_home }}/download/hydra_{{ hydra_version }}-linux_64bit.tar.gz"
|
||||||
|
checksum: "sha256:{{ hydra_checksum }}"
|
||||||
|
owner: "{{ hydra_os_user }}"
|
||||||
|
group: "{{ hydra_os_group }}"
|
||||||
|
mode: '0640'
|
||||||
|
|
||||||
|
- name: Extract Hydra binary
|
||||||
|
ansible.builtin.unarchive:
|
||||||
|
remote_src: true
|
||||||
|
src: "{{ hydra_home }}/download/hydra_{{ hydra_version }}-linux_64bit.tar.gz"
|
||||||
|
dest: "{{ hydra_home }}/bin"
|
||||||
|
owner: root
|
||||||
|
group: "{{ hydra_os_group }}"
|
||||||
|
include: 'hydra'
|
||||||
|
mode: '0750'
|
||||||
|
|
||||||
|
- name: Create Hydra configuration
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: hydra.yml.j2
|
||||||
|
dest: "{{ hydra_home }}/etc/hydra.yml"
|
||||||
|
owner: root
|
||||||
|
group: "{{ hydra_os_group }}"
|
||||||
|
mode: '0640'
|
||||||
|
|
||||||
|
- name: Check whether certificate exists
|
||||||
|
ansible.builtin.stat:
|
||||||
|
path: "{{ hydra_tls.cert }}"
|
||||||
|
register: hydra_cert_st
|
||||||
|
|
||||||
|
- name: Create Hydra key and certificate with mkcert
|
||||||
|
block:
|
||||||
|
|
||||||
|
- name: Install mkcert CA
|
||||||
|
ansible.builtin.command:
|
||||||
|
cmd: mkcert -install
|
||||||
|
|
||||||
|
- name: Create temporary directory for Hydra key and certificate
|
||||||
|
ansible.builtin.tempfile:
|
||||||
|
prefix: "hydra-cert."
|
||||||
|
state: directory
|
||||||
|
register: hydra_cert_temp_dir
|
||||||
|
|
||||||
|
- name: Create Hydra key and certificate
|
||||||
|
ansible.builtin.command:
|
||||||
|
cmd: "mkcert -cert-file {{ hydra_cert_temp_dir.path }}/hydra.pem -key-file {{ hydra_cert_temp_dir.path }}/hydra.key.pem {{ oidc_urls.hydra_admin.host }} {{ oidc_urls.hydra_public.host }}"
|
||||||
|
|
||||||
|
- name: Move Hydra certificate and key to target
|
||||||
|
ansible.builtin.copy:
|
||||||
|
src: "{{ hydra_cert_temp_dir.path }}/{{ item.src }}"
|
||||||
|
dest: "{{ item.dest }}"
|
||||||
|
owner: root
|
||||||
|
group: "{{ hydra_os_group }}"
|
||||||
|
mode: "{{ item.mode }}"
|
||||||
|
remote_src: true
|
||||||
|
loop:
|
||||||
|
- { src: hydra.pem, dest: "{{ hydra_tls.cert }}", mode: '0644' }
|
||||||
|
- { src: hydra.key.pem, dest: "{{ hydra_tls.key }}", mode: '0640' }
|
||||||
|
become: true
|
||||||
|
|
||||||
|
- name: Remove temporary directory
|
||||||
|
ansible.builtin.file:
|
||||||
|
path: "{{ hydra_cert_temp_dir.path }}"
|
||||||
|
state: absent
|
||||||
|
|
||||||
|
when: use_mkcert and not hydra_cert_st.stat.exists
|
||||||
|
become: false
|
||||||
|
|
||||||
|
- name: Copy Hydra key and certificate from inventory
|
||||||
|
block:
|
||||||
|
|
||||||
|
- name: Copy Hydra certificate
|
||||||
|
ansible.builtin.copy:
|
||||||
|
dest: "{{ hydra_tls.cert }}"
|
||||||
|
owner: root
|
||||||
|
group: "{{ hydra_os_group }}"
|
||||||
|
mode: '0644'
|
||||||
|
content: "{{ hydra_tls.certdata }}"
|
||||||
|
|
||||||
|
- name: Copy Hydra key
|
||||||
|
ansible.builtin.copy:
|
||||||
|
dest: "{{ hydra_tls.key }}"
|
||||||
|
owner: root
|
||||||
|
group: "{{ hydra_os_group }}"
|
||||||
|
mode: '0640'
|
||||||
|
content: "{{ hydra_tls.keydata }}"
|
||||||
|
|
||||||
|
when: not use_mkcert
|
||||||
|
|
46
deployment/roles/hydra_server/templates/hydra.yml.j2
Normal file
46
deployment/roles/hydra_server/templates/hydra.yml.j2
Normal file
|
@ -0,0 +1,46 @@
|
||||||
|
---
|
||||||
|
serve:
|
||||||
|
admin:
|
||||||
|
host: {{ oidc_urls.hydra_admin.host }}
|
||||||
|
public:
|
||||||
|
host: {{ oidc_urls.hydra_public.host }}
|
||||||
|
tls:
|
||||||
|
cert:
|
||||||
|
path: {{ hydra_tls.cert }}
|
||||||
|
key:
|
||||||
|
path: {{ hydra_tls.key }}
|
||||||
|
dsn: 'postgres://{{ hydra_db_user }}:{{ hydra_db_password }}@{{ hydra_db_host }}:{{ hydra_db_port }}/{{ hydra_db_name }}'
|
||||||
|
|
||||||
|
webfinger:
|
||||||
|
oidc_discovery:
|
||||||
|
supported_claims:
|
||||||
|
- email
|
||||||
|
- email_verified
|
||||||
|
- given_name
|
||||||
|
- family_name
|
||||||
|
- middle_name
|
||||||
|
- name
|
||||||
|
- birthdate
|
||||||
|
- zoneinfo
|
||||||
|
- locale
|
||||||
|
- https://auth.cacert.org/groups
|
||||||
|
supported_scope:
|
||||||
|
- profile
|
||||||
|
- email
|
||||||
|
|
||||||
|
oauth2:
|
||||||
|
expose_internal_errors: false
|
||||||
|
|
||||||
|
urls:
|
||||||
|
login: https://{{ oidc_urls.idp.host }}:{{ oidc_urls.idp.port }}/login
|
||||||
|
consent: https://{{ oidc_urls.idp.host }}:{{ oidc_urls.idp.port }}/consent
|
||||||
|
logout: https://{{ oidc_urls.idp.host }}:{{ oidc_urls.idp.port }}/logout
|
||||||
|
error: https://{{ oidc_urls.idp.host }}:{{ oidc_urls.idp.port }}/error
|
||||||
|
post_logout_redirect: https://{{ oidc_urls.idp.host }}:{{ oidc_urls.idp.port }}/logout-successful
|
||||||
|
self:
|
||||||
|
public: https://{{ oidc_urls.hydra_public.host }}:{{ oidc_urls.hydra_public.port }}/
|
||||||
|
issuer: https://{{ oidc_urls.hydra_public.host }}:{{ oidc_urls.hydra_public.port }}/
|
||||||
|
|
||||||
|
secrets:
|
||||||
|
system:
|
||||||
|
- "{{ hydra_system_secret }}"
|
Loading…
Reference in a new issue