Setup Hydra systemd service

- run migrations before start
- register systemd unit
- start service
- define localhost as default listening address

deployment/playbooks/01_install_cacert_oidc.yml

@@ -3,6 +3,13 @@
   hosts: pgsqlserver
   become: true
 
+  pre_tasks:
+
+    - name: Install python3-psycopg2
+      ansible.builtin.package:
+        name: python3-psycopg2
+        state: present
+
   roles:
     - hydra_database
 

deployment/roles/hydra_server/handlers/main.yml

@@ -1,2 +1,7 @@
 ---
-# handlers file for roles/hydra_server
+- name: hydra_systemd_reload
+  ansible.builtin.systemd:
+    state: started
+    name: hydra
+    daemon_reload: true
+    enabled: true

deployment/roles/hydra_server/tasks/main.yml

@@ -117,3 +117,17 @@
         content: "{{ hydra_tls.keydata }}"
 
   when: not use_mkcert
+
+- name: Run Hydra SQL migrations
+  ansible.builtin.command:
+    cmd: "{{ hydra_home }}/bin/hydra migrate sql --yes --read-from-env --config {{ hydra_home }}/etc/hydra.yml"
+  changed_when: false
+
+- name: Create systemd unit file
+  ansible.builtin.template:
+    src: hydra.service.j2
+    dest: /etc/systemd/system/hydra.service
+    owner: root
+    group: root
+    mode: "0640"
+  notify: hydra_systemd_reload

deployment/roles/hydra_server/templates/hydra.service.j2

@@ -0,0 +1,13 @@
+[Unit]
+Description=ORY Hydra OAuth2/OpenID Connect API server
+After=network.target
+Documentation=https://www.ory.sh/docs/hydra/
+
+[Service]
+ExecStart={{ hydra_home }}/bin/hydra serve all --config "{{ hydra_home }}/etc/hydra.yml"
+WorkingDirectory={{ hydra_home }}
+User={{ hydra_os_user }}
+Group={{ hydra_os_group }}
+
+[Install]
+WantedBy=multi-user.target

deployment/roles/hydra_server/templates/hydra.yml.j2

@@ -1,9 +1,11 @@
 ---
 serve:
   admin:
-    host: {{ oidc_urls.hydra_admin.host }}
+    host: {{ oidc_urls.hydra_admin.address | default("localhost") }}
+    port: {{ oidc_urls.hydra_admin.port | default("4445") }}
   public:
-    host: {{ oidc_urls.hydra_public.host }}
+    host: {{ oidc_urls.hydra_public.address | default("localhost") }}
+    port: {{ oidc_urls.hydra_public.port | default("4444") }}
   tls:
     cert:
       path: {{ hydra_tls.cert }}