diff --git a/deployment/group_vars/authserver.yml b/deployment/group_vars/authserver.yml
new file mode 100644
index 0000000..043cada
--- /dev/null
+++ b/deployment/group_vars/authserver.yml
@@ -0,0 +1,40 @@
+---
+# defaults to CAcert class 3 certificate
+idp:
+ client_certificate_data: |
+ -----BEGIN CERTIFICATE-----
+ MIIGPTCCBCWgAwIBAgIDFOIoMA0GCSqGSIb3DQEBDQUAMHkxEDAOBgNVBAoTB1Jv
+ b3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ
+ Q0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9y
+ dEBjYWNlcnQub3JnMB4XDTIxMDQxOTEyMTgzMFoXDTMxMDQxNzEyMTgzMFowVDEU
+ MBIGA1UEChMLQ0FjZXJ0IEluYy4xHjAcBgNVBAsTFWh0dHA6Ly93d3cuQ0FjZXJ0
+ Lm9yZzEcMBoGA1UEAxMTQ0FjZXJ0IENsYXNzIDMgUm9vdDCCAiIwDQYJKoZIhvcN
+ AQEBBQADggIPADCCAgoCggIBAKtJNRFIfNImflOUz0Op3SjXQiqL84d4GVh8D57a
+ iX3h++tykA10oZZkq5+gJJlz2uJVdscXe/UErEa4w75/ZI0QbCTzYZzA8pD6Ueb1
+ aQFjww9W4kpCz+JEjCUoqMV5CX1GuYrz6fM0KQhF5Byfy5QEHIGoFLOYZcRD7E6C
+ jQnRvapbjZLQ7N6QxX8KwuPr5jFaXnQ+lzNZ6MMDPWAzv/fRb0fEze5ig1JuLgia
+ pNkVGJGmhZJHsK5I6223IeyFGmhyNav/8BBdwPSUp2rVO5J+TJAFfpPBLIukjmJ0
+ FXFuC3ED6q8VOJrU0gVyb4z5K+taciX5OUbjchs+BMNkJyIQKopPWKcDrb60LhPt
+ XapI19V91Cp7XPpGBFDkzA5CW4zt2/LP/JaT4NsRNlRiNDiPDGCbO5dWOK3z0luL
+ oFvqTpa4fNfVoIZwQNORKbeiPK31jLvPGpKK5DR7wNhsX+kKwsOnIJpa3yxdUly6
+ R9Wb7yQocDggL9V/KcCyQQNokszgnMyXS0XvOhAKq3A6mJVwrTWx6oUrpByAITGp
+ rmB6gCZIALgBwJNjVSKRPFbnr9s6JfOPMVTqJouBWfmh0VMRxXudA/Z0EeBtsSw/
+ LIaRmXGapneLNGDRFLQsrJ2vjBDTn8Rq+G8T/HNZ92ZCdB6K4/jc0m+YnMtHmJVA
+ BfvpAgMBAAGjgfIwge8wDwYDVR0TAQH/BAUwAwEB/zBhBggrBgEFBQcBAQRVMFMw
+ IwYIKwYBBQUHMAGGF2h0dHA6Ly9vY3NwLkNBY2VydC5vcmcvMCwGCCsGAQUFBzAC
+ hiBodHRwOi8vd3d3LkNBY2VydC5vcmcvY2xhc3MzLmNydDBFBgNVHSAEPjA8MDoG
+ CysGAQQBgZBKAgMBMCswKQYIKwYBBQUHAgEWHWh0dHA6Ly93d3cuQ0FjZXJ0Lm9y
+ Zy9jcHMucGhwMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHBzOi8vd3d3LmNhY2VydC5v
+ cmcvY2xhc3MzLmNybDANBgkqhkiG9w0BAQ0FAAOCAgEAxh6td1y0KJvRyI1EEsC9
+ dnYEgyEH+BGCf2vBlULAOBG1JXCNiwzB1Wz9HBoDfIv4BjGlnd5BKdSLm4TXPcE3
+ hnGjH1thKR5dd3278K25FRkTFOY1gP+mGbQ3hZRB6IjDX+CyBqS7+ECpHTms7eo/
+ mARN+Yz5R3lzUvXs3zSX+z534NzRg4i6iHNHWqakFcQNcA0PnksTB37vGD75pQGq
+ eSmx51L6UzrIpn+274mhsaFNL85jhX+lKuk71MGjzwoThbuZ15xmkITnZtRQs6Hh
+ LSIqJWjDILIrxLqYHehK71xYwrRNhFb3TrsWaEJskrhveM0Os/vvoLNkh/L3iEQ5
+ /LnmLMCYJNRALF7I7gsduAJNJrgKGMYvHkt1bo8uIXO8wgNV7qoU4JoaB1ML30QU
+ qGcFr0TI06FFdgK2fwy5hulPxm6wuxW0v+iAtXYx/mRkwQpYbcVQtrIDvx1CT1k5
+ 0cQxi+jIKjkcFWHw3kBoDnCos0/ukegPT7aQnk2AbL4c7nCkuAcEKw1BAlSETkfq
+ i5btdlhh58MhewZv1LcL5zQyg8w1puclT3wXQvy8VwPGn0J/mGD4gLLZ9rGcHDUE
+ CokxFoWk+u5MCcVqmGbsyG4q5suS3CNslsHURfM8bQK4oLvHR8LCHEBMRcdFBn87
+ cSvOK6eB1kdGKLA8ymXxZp8=
+ -----END CERTIFICATE-----
diff --git a/deployment/host_vars/localhost.yml b/deployment/host_vars/localhost.yml
index 44f326f..52104d1 100644
--- a/deployment/host_vars/localhost.yml
+++ b/deployment/host_vars/localhost.yml
@@ -11,10 +11,6 @@ hydra_tls: # different random values encrypted via ansible-vault hydra_system_secret: "AczA+NZ25Ye9eAreglv5bo9XcND6uwBQHVUYCvPfwXo=" -idp_tls: - cert: "{{ cacert_home }}/etc/login.cacert.localhost.pem" - key: "{{ cacert_home }}/etc/login.cacert.localhost-key.pem" - register_tls: cert: "{{ cacert_home }}/etc/register.cacert.localhost.pem" key: "{{ cacert_home }}/etc/register.cacert.localhost-key.pem"
diff --git a/deployment/host_vars/oidcbox.yml b/deployment/host_vars/oidcbox.yml
index 0c987fd..76330ea 100644
--- a/deployment/host_vars/oidcbox.yml
+++ b/deployment/host_vars/oidcbox.yml
@@ -11,10 +11,6 @@ hydra_tls: # different random values encrypted via ansible-vault hydra_system_secret: "AczA+NZ25Ye9eAreglv5bo9XcND6uwBQHVUYCvPfwXo=" -idp_tls: - cert: "{{ cacert_home }}/etc/login.cacert.localhost.pem" - key: "{{ cacert_home }}/etc/login.cacert.localhost-key.pem" - register_tls: cert: "{{ cacert_home }}/etc/register.cacert.localhost.pem" key: "{{ cacert_home }}/etc/register.cacert.localhost-key.pem"
diff --git a/deployment/roles/oidc_idp/tasks/main.yml b/deployment/roles/oidc_idp/tasks/main.yml
index 6f022ba..32e1070 100644
--- a/deployment/roles/oidc_idp/tasks/main.yml
+++ b/deployment/roles/oidc_idp/tasks/main.yml
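Review bot: The name `client_certificate_data` reads as a client's own certificate, but the value is the CA bundle the IDP trusts for client-certificate authentication (the tasks hunk copies it to `idp_tls.client_cas` and the template references that file as `client.ca-file`), so the header comment should say so, e.g. `# PEM bundle of CA certificates trusted for client certificate authentication; defaults to the CAcert class 3 certificate`. Because this is a trust anchor, every certificate chaining to a CA in this bundle is accepted as a client identity, which is worth stating next to the value rather than leaving to the reader. The tasks hunk also reads `idp.server_certificate_data` and `idp.server_key_data`, which are not defined here; if they are supplied by a host or vault file that likewise starts with `idp:`, Ansible's default `hash_behaviour: replace` would replace this whole mapping and silently drop `client_certificate_data`, so either define the complete `idp` mapping in one place or keep the trust bundle under its own top-level variable.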
@@ -81,7 +81,7 @@ owner: root group: "{{ cacert_os_group }}" mode: '0644' - content: "{{ idp_tls.certdata }}" + content: "{{ idp.server_certificate_data }}" - name: Copy IDP key ansible.builtin.copy:
@@ -89,9 +89,18 @@ owner: root group: "{{ cacert_os_group }}" mode: '0640' - content: "{{ idp_tls.keydata }}" + content: "{{ idp.server_key_data }}" when: not use_mkcert + +- name: Copy client CA certificates + ansible.builtin.copy: + dest: "{{ idp_tls.client_cas }}" + owner: root + group: "{{ cacert_os_group }}" + mode: '0640' + content: "{{ idp.client_certificate_data }}" + - name: Create IDP configuration ansible.builtin.template: src: idp_config.toml.j2
diff --git a/deployment/roles/oidc_idp/templates/idp_config.toml.j2 b/deployment/roles/oidc_idp/templates/idp_config.toml.j2
index ddec0f4..15ecba1 100644
--- a/deployment/roles/oidc_idp/templates/idp_config.toml.j2
+++ b/deployment/roles/oidc_idp/templates/idp_config.toml.j2
@@ -1,2 +1,12 @@ [security] csrf.key = "{{ idp_csrf_key | default(lookup('community.general.random_string', length=32, base64=true)) }}"
+client.ca-file = "{{ idp_tls.client_cas }}"
+
+[server]
+name = "{{ oidc_urls.idp.address | default(ansible_default_ipv4.address) }}"
+port = {{ oidc_urls.idp.address | default("3000") }}
+certificate = "{{ idp_tls.cert }}"
+key = "{{ idp_tls.key }}"
+
+[admin]
+url = "https://{{ oidc_urls.hydra_admin.address | default("localhost") }}:{{ oidc_urls.hydra_admin.port | default("3000") }}"
diff --git a/deployment/roles/oidc_idp/vars/main.yml b/deployment/roles/oidc_idp/vars/main.yml
index 7533e99..0dc4e9f 100644
--- a/deployment/roles/oidc_idp/vars/main.yml
+++ b/deployment/roles/oidc_idp/vars/main.yml
@@ -1,2 +1,5 @@ ---
-# vars file for roles/oidc_idp
+idp_tls:
+ cert: "{{ cacert_home }}/etc/{{ oidc_urls.idp.host }}.pem"
+ key: "{{ cacert_home }}/etc/{{ oidc_urls.idp.host }}-key.pem"
+ client_cas: "{{ cacert_home }}/etc/{{ oidc_urls.idp.host }}-client-cas.pem"
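Review bot: The new `Copy client CA certificates` task in the second hunk has no `when` guard while the adjacent `Copy IDP key` task keeps `when: not use_mkcert`; if that asymmetry is intended (mkcert only stands in for the server material, the client trust bundle is always needed) a comment on the task would stop the next reader from treating it as an omission, e.g. `# trust anchors for client certificate auth; needed even with use_mkcert, which only covers the server certificate`. The bundle contains public CA certificates, so `mode: '0640'` is stricter than the `'0644'` the first hunk uses for the server certificate; either is safe, but the file has to remain readable by the account the IDP runs as, which the hunk does not show. I cannot see whether these copy tasks notify a restart handler; a replaced trust bundle only takes effect once the IDP reloads it, so that is worth confirming. The enclosing task list starts before and continues after both hunks.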
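Review bot: `port = {{ oidc_urls.idp.address | default("3000") }}` reads the address where the port is intended, so once `oidc_urls.idp.address` is set the rendered TOML holds a hostname or IP as an unquoted integer and the IDP will refuse the file; the `[admin]` line below uses `.port` for the same purpose, so this should be `port = {{ oidc_urls.idp.port | default("3000") }}`. `name = "{{ oidc_urls.idp.address | default(ansible_default_ipv4.address) }}"` also reads `.address`, while the new role vars derive the certificate file names from `oidc_urls.idp.host`; presumably the server name should agree with the host the certificate was issued for, which is worth confirming. Both `[server]` and `[admin]` default their port to `"3000"`, which looks like a copy of the IDP default rather than the Hydra admin port; confirm the intended admin default and note it in a comment.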
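Review bot: `idp_tls` now lives in the role's `vars/main.yml`, which takes precedence over inventory host_vars and group_vars, so the per-host paths this commit deletes from `host_vars/localhost.yml` and `host_vars/oidcbox.yml` can no longer be overridden from inventory at all; if operators are expected to point the IDP at different certificate files, `defaults/main.yml` is the place for these values. Deriving all three file names from `oidc_urls.idp.host` also makes the role depend on that variable being set, and a missing value would only surface as an undefined-variable error on the first copy task. A short comment above the mapping such as `# TLS material and client trust bundle for the IDP; file names follow oidc_urls.idp.host, which inventory must define` would document that contract.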