Finish IDP setup
This commit is contained in:
parent
e4b5a99147
commit
f9ad2ba2b5
6 changed files with 65 additions and 11 deletions
40
deployment/group_vars/authserver.yml
@ -0,0 +1,40 @@
---
# defaults to CAcert class 3 certificate
idp:
client_certificate_data: |
-----BEGIN CERTIFICATE-----
MIIGPTCCBCWgAwIBAgIDFOIoMA0GCSqGSIb3DQEBDQUAMHkxEDAOBgNVBAoTB1Jv
b3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ
Q0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9y
dEBjYWNlcnQub3JnMB4XDTIxMDQxOTEyMTgzMFoXDTMxMDQxNzEyMTgzMFowVDEU
MBIGA1UEChMLQ0FjZXJ0IEluYy4xHjAcBgNVBAsTFWh0dHA6Ly93d3cuQ0FjZXJ0
Lm9yZzEcMBoGA1UEAxMTQ0FjZXJ0IENsYXNzIDMgUm9vdDCCAiIwDQYJKoZIhvcN
AQEBBQADggIPADCCAgoCggIBAKtJNRFIfNImflOUz0Op3SjXQiqL84d4GVh8D57a
iX3h++tykA10oZZkq5+gJJlz2uJVdscXe/UErEa4w75/ZI0QbCTzYZzA8pD6Ueb1
aQFjww9W4kpCz+JEjCUoqMV5CX1GuYrz6fM0KQhF5Byfy5QEHIGoFLOYZcRD7E6C
jQnRvapbjZLQ7N6QxX8KwuPr5jFaXnQ+lzNZ6MMDPWAzv/fRb0fEze5ig1JuLgia
pNkVGJGmhZJHsK5I6223IeyFGmhyNav/8BBdwPSUp2rVO5J+TJAFfpPBLIukjmJ0
FXFuC3ED6q8VOJrU0gVyb4z5K+taciX5OUbjchs+BMNkJyIQKopPWKcDrb60LhPt
XapI19V91Cp7XPpGBFDkzA5CW4zt2/LP/JaT4NsRNlRiNDiPDGCbO5dWOK3z0luL
oFvqTpa4fNfVoIZwQNORKbeiPK31jLvPGpKK5DR7wNhsX+kKwsOnIJpa3yxdUly6
R9Wb7yQocDggL9V/KcCyQQNokszgnMyXS0XvOhAKq3A6mJVwrTWx6oUrpByAITGp
rmB6gCZIALgBwJNjVSKRPFbnr9s6JfOPMVTqJouBWfmh0VMRxXudA/Z0EeBtsSw/
LIaRmXGapneLNGDRFLQsrJ2vjBDTn8Rq+G8T/HNZ92ZCdB6K4/jc0m+YnMtHmJVA
BfvpAgMBAAGjgfIwge8wDwYDVR0TAQH/BAUwAwEB/zBhBggrBgEFBQcBAQRVMFMw
IwYIKwYBBQUHMAGGF2h0dHA6Ly9vY3NwLkNBY2VydC5vcmcvMCwGCCsGAQUFBzAC
hiBodHRwOi8vd3d3LkNBY2VydC5vcmcvY2xhc3MzLmNydDBFBgNVHSAEPjA8MDoG
CysGAQQBgZBKAgMBMCswKQYIKwYBBQUHAgEWHWh0dHA6Ly93d3cuQ0FjZXJ0Lm9y
Zy9jcHMucGhwMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHBzOi8vd3d3LmNhY2VydC5v
cmcvY2xhc3MzLmNybDANBgkqhkiG9w0BAQ0FAAOCAgEAxh6td1y0KJvRyI1EEsC9
dnYEgyEH+BGCf2vBlULAOBG1JXCNiwzB1Wz9HBoDfIv4BjGlnd5BKdSLm4TXPcE3
hnGjH1thKR5dd3278K25FRkTFOY1gP+mGbQ3hZRB6IjDX+CyBqS7+ECpHTms7eo/
mARN+Yz5R3lzUvXs3zSX+z534NzRg4i6iHNHWqakFcQNcA0PnksTB37vGD75pQGq
eSmx51L6UzrIpn+274mhsaFNL85jhX+lKuk71MGjzwoThbuZ15xmkITnZtRQs6Hh
LSIqJWjDILIrxLqYHehK71xYwrRNhFb3TrsWaEJskrhveM0Os/vvoLNkh/L3iEQ5
/LnmLMCYJNRALF7I7gsduAJNJrgKGMYvHkt1bo8uIXO8wgNV7qoU4JoaB1ML30QU
qGcFr0TI06FFdgK2fwy5hulPxm6wuxW0v+iAtXYx/mRkwQpYbcVQtrIDvx1CT1k5
0cQxi+jIKjkcFWHw3kBoDnCos0/ukegPT7aQnk2AbL4c7nCkuAcEKw1BAlSETkfq
i5btdlhh58MhewZv1LcL5zQyg8w1puclT3wXQvy8VwPGn0J/mGD4gLLZ9rGcHDUE
CokxFoWk+u5MCcVqmGbsyG4q5suS3CNslsHURfM8bQK4oLvHR8LCHEBMRcdFBn87
cSvOK6eB1kdGKLA8ymXxZp8=
-----END CERTIFICATE-----
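Review bot: `client_certificate_data` is a misleading name for this value: the task that consumes it writes it to the `client_cas` bundle and the IDP template references that file as `client.ca-file`, so it is the set of CAs trusted to issue client certificates, not a client certificate. Renaming it to something like `client_ca_data`, or at least heading the block with `# CA bundle the IDP uses to verify TLS client certificates: every certificate chaining to these CAs passes the TLS layer`, makes the trust decision visible to whoever overrides it. The embedded PEM decodes to the re-issued `CAcert Class 3 Root` (issued by `CA Cert Signing Authority`, valid 2021-04-19 to 2031-04-17) without the root that signed it, which looks intentional so that only Class 3 client certificates verify, but it is worth confirming that the IDP's verifier accepts a non-self-signed certificate as a trust anchor and recording the 2031 expiry in the comment.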
@ -11,10 +11,6 @@ hydra_tls:
# different random values encrypted via ansible-vault
# different random values encrypted via ansible-vault
hydra_system_secret: "AczA+NZ25Ye9eAreglv5bo9XcND6uwBQHVUYCvPfwXo="
hydra_system_secret: "AczA+NZ25Ye9eAreglv5bo9XcND6uwBQHVUYCvPfwXo="
idp_tls:
cert: "{{ cacert_home }}/etc/login.cacert.localhost.pem"
key: "{{ cacert_home }}/etc/login.cacert.localhost-key.pem"
register_tls:
register_tls:
cert: "{{ cacert_home }}/etc/register.cacert.localhost.pem"
cert: "{{ cacert_home }}/etc/register.cacert.localhost.pem"
key: "{{ cacert_home }}/etc/register.cacert.localhost-key.pem"
key: "{{ cacert_home }}/etc/register.cacert.localhost-key.pem"
@ -11,10 +11,6 @@ hydra_tls:
# different random values encrypted via ansible-vault
# different random values encrypted via ansible-vault
hydra_system_secret: "AczA+NZ25Ye9eAreglv5bo9XcND6uwBQHVUYCvPfwXo="
hydra_system_secret: "AczA+NZ25Ye9eAreglv5bo9XcND6uwBQHVUYCvPfwXo="
idp_tls:
cert: "{{ cacert_home }}/etc/login.cacert.localhost.pem"
key: "{{ cacert_home }}/etc/login.cacert.localhost-key.pem"
register_tls:
register_tls:
cert: "{{ cacert_home }}/etc/register.cacert.localhost.pem"
cert: "{{ cacert_home }}/etc/register.cacert.localhost.pem"
key: "{{ cacert_home }}/etc/register.cacert.localhost-key.pem"
key: "{{ cacert_home }}/etc/register.cacert.localhost-key.pem"
@ -81,7 +81,7 @@
owner: root
owner: root
group: "{{ cacert_os_group }}"
group: "{{ cacert_os_group }}"
mode: '0644'
mode: '0644'
content: "{{ idp_tls.certdata }}"
content: "{{ idp.server_certificate_data }}"
- name: Copy IDP key
- name: Copy IDP key
ansible.builtin.copy:
ansible.builtin.copy:
@ -89,9 +89,18 @@
owner: root
owner: root
group: "{{ cacert_os_group }}"
group: "{{ cacert_os_group }}"
mode: '0640'
mode: '0640'
content: "{{ idp_tls.keydata }}"
content: "{{ idp.server_key_data }}"
when: not use_mkcert
when: not use_mkcert
- name: Copy client CA certificates
ansible.builtin.copy:
dest: "{{ idp_tls.client_cas }}"
owner: root
group: "{{ cacert_os_group }}"
mode: '0640'
content: "{{ idp.client_certificate_data }}"
- name: Create IDP configuration
- name: Create IDP configuration
ansible.builtin.template:
ansible.builtin.template:
src: idp_config.toml.j2
src: idp_config.toml.j2
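Review bot: The `Copy IDP key` task now reads `idp.server_key_data` (and the certificate task in the previous hunk `idp.server_certificate_data`), but the `idp` mapping introduced in `group_vars/authserver.yml` defines only `client_certificate_data`, so with `use_mkcert` false these tasks fail on an undefined variable unless the server material is supplied from a vaulted file not shown here. Because Ansible's default `hash_behaviour=replace` substitutes a whole higher-precedence `idp:` mapping instead of merging it, a vaulted `idp:` that adds the server key would also drop `client_certificate_data`, and the new `Copy client CA certificates` task would then fail for the same reason. An `ansible.builtin.assert` ahead of these tasks, `that: [idp.client_certificate_data is defined, use_mkcert or (idp.server_certificate_data is defined and idp.server_key_data is defined)]`, makes both dependencies explicit and fails with a readable message. The task list continues outside the hunk.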
@ -1,2 +1,12 @@
[security]
[security]
csrf.key = "{{ idp_csrf_key | default(lookup('community.general.random_string', length=32, base64=true)) }}"
csrf.key = "{{ idp_csrf_key | default(lookup('community.general.random_string', length=32, base64=true)) }}"
client.ca-file = "{{ idp_tls.client_cas }}"
[server]
name = "{{ oidc_urls.idp.address | default(ansible_default_ipv4.address) }}"
port = {{ oidc_urls.idp.address | default("3000") }}
certificate = "{{ idp_tls.cert }}"
key = "{{ idp_tls.key }}"
[admin]
url = "https://{{ oidc_urls.hydra_admin.address | default("localhost") }}:{{ oidc_urls.hydra_admin.port | default("3000") }}"
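Review bot: `port = {{ oidc_urls.idp.address | default("3000") }}` in the new `[server]` table reads the address key instead of the port, so as soon as `oidc_urls.idp.address` is set the rendered TOML carries a host string as a bare port value and the IDP rejects its config, and with it unset the listener is always 3000 regardless of any configured `oidc_urls.idp.port`; it should be `port = {{ oidc_urls.idp.port | default("3000") }}`. The `[admin]` URL also defaults to port 3000 on localhost, the same default as the IDP's own listener, so with both left unset the IDP would address itself as the Hydra admin API; Hydra's admin API listens on 4445 by default, so that default looks copied from the server one. Since the Hydra admin API carries no authentication of its own, a comment on `url` stating that it must only ever point at a loopback or otherwise access-controlled endpoint would be worth adding.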
@ -1,2 +1,5 @@
---
---
# vars file for roles/oidc_idp
idp_tls:
cert: "{{ cacert_home }}/etc/{{ oidc_urls.idp.host }}.pem"
key: "{{ cacert_home }}/etc/{{ oidc_urls.idp.host }}-key.pem"
client_cas: "{{ cacert_home }}/etc/{{ oidc_urls.idp.host }}-client-cas.pem"
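Review bot: Placing `idp_tls` in the role's `vars/main.yml` gives it role-vars precedence, which beats inventory and `group_vars`, so after this commit the certificate, key and CA-bundle paths can only be overridden with `-e`; if per-environment overrides are wanted (the old `group_vars` placement allowed them) the mapping belongs in `defaults/main.yml` instead. All three paths also depend on `oidc_urls.idp.host` with no fallback, and a missing value only surfaces as a templating error inside the copy tasks rather than a clear message. A header comment such as `# Paths derived from oidc_urls.idp.host (required, no default); file names must match what the mkcert branch produces` would document both, with the mkcert naming being my inference from the `-key.pem` suffix rather than something visible in this hunk.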