Finish IDP setup

Jan Dittberner 2022-08-22 18:52:47 +02:00
parent e4b5a99147
commit f9ad2ba2b5
6 changed files with 65 additions and 11 deletions


@ -0,0 +1,40 @@
---
# defaults to CAcert class 3 certificate
idp:
client_certificate_data: |
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
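Review bot: The comment on the new defaults file says only what the value defaults to, not what it is used for; since the tasks file installs `idp.client_certificate_data` as the IDP's client CA bundle, the comment should say so, e.g. `# CA certificate(s) the IDP trusts for client-certificate authentication; defaults to the CAcert class 3 certificate`. The tasks file also reads `idp.server_certificate_data` and `idp.server_key_data`, which do not appear in the visible part of this 40-line file; if they have no default here either, a run with `use_mkcert: false` fails on an undefined variable, so the file should state where they are expected to be set. Only part of the new file is visible here.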


@ -11,10 +11,6 @@ hydra_tls:
# different random values encrypted via ansible-vault # different random values encrypted via ansible-vault
hydra_system_secret: "AczA+NZ25Ye9eAreglv5bo9XcND6uwBQHVUYCvPfwXo=" hydra_system_secret: "AczA+NZ25Ye9eAreglv5bo9XcND6uwBQHVUYCvPfwXo="
idp_tls:
cert: "{{ cacert_home }}/etc/login.cacert.localhost.pem"
key: "{{ cacert_home }}/etc/login.cacert.localhost-key.pem"
register_tls: register_tls:
cert: "{{ cacert_home }}/etc/register.cacert.localhost.pem" cert: "{{ cacert_home }}/etc/register.cacert.localhost.pem"
key: "{{ cacert_home }}/etc/register.cacert.localhost-key.pem" key: "{{ cacert_home }}/etc/register.cacert.localhost-key.pem"


@ -11,10 +11,6 @@ hydra_tls:
# different random values encrypted via ansible-vault # different random values encrypted via ansible-vault
hydra_system_secret: "AczA+NZ25Ye9eAreglv5bo9XcND6uwBQHVUYCvPfwXo=" hydra_system_secret: "AczA+NZ25Ye9eAreglv5bo9XcND6uwBQHVUYCvPfwXo="
idp_tls:
cert: "{{ cacert_home }}/etc/login.cacert.localhost.pem"
key: "{{ cacert_home }}/etc/login.cacert.localhost-key.pem"
register_tls: register_tls:
cert: "{{ cacert_home }}/etc/register.cacert.localhost.pem" cert: "{{ cacert_home }}/etc/register.cacert.localhost.pem"
key: "{{ cacert_home }}/etc/register.cacert.localhost-key.pem" key: "{{ cacert_home }}/etc/register.cacert.localhost-key.pem"


@ -81,7 +81,7 @@
owner: root owner: root
group: "{{ cacert_os_group }}" group: "{{ cacert_os_group }}"
mode: '0644' mode: '0644'
content: "{{ idp_tls.certdata }}" content: "{{ idp.server_certificate_data }}"
- name: Copy IDP key - name: Copy IDP key
ansible.builtin.copy: ansible.builtin.copy:
@ -89,9 +89,18 @@
owner: root owner: root
group: "{{ cacert_os_group }}" group: "{{ cacert_os_group }}"
mode: '0640' mode: '0640'
content: "{{ idp_tls.keydata }}" content: "{{ idp.server_key_data }}"
when: not use_mkcert when: not use_mkcert
- name: Copy client CA certificates
ansible.builtin.copy:
dest: "{{ idp_tls.client_cas }}"
owner: root
group: "{{ cacert_os_group }}"
mode: '0640'
content: "{{ idp.client_certificate_data }}"
- name: Create IDP configuration - name: Create IDP configuration
ansible.builtin.template: ansible.builtin.template:
src: idp_config.toml.j2 src: idp_config.toml.j2
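Review bot: The new "Copy client CA certificates" task installs a CA bundle with `mode: '0640'`, while the server certificate task above it uses `'0644'`; CA certificates are public, and a group-only mode here reads as if the bundle were secret, so `mode: '0644'` keeps the two certificate files consistent. The task runs unconditionally, unlike the key task's `when: not use_mkcert`, which looks deliberate because mkcert only provides the server pair, but a comment would save the next reader the question: `# client CAs are independent of mkcert; always install the configured bundle`. None of the visible tasks notify a handler, so a rotated CA bundle or certificate is not picked up by a running IDP until something else restarts it; if a restart handler exists elsewhere in the role, add `notify` to these copy tasks. The task list continues outside the hunk.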


@ -1,2 +1,12 @@
[security] [security]
csrf.key = "{{ idp_csrf_key | default(lookup('community.general.random_string', length=32, base64=true)) }}" csrf.key = "{{ idp_csrf_key | default(lookup('community.general.random_string', length=32, base64=true)) }}"
client.ca-file = "{{ idp_tls.client_cas }}"
[server]
name = "{{ oidc_urls.idp.address | default(ansible_default_ipv4.address) }}"
port = {{ oidc_urls.idp.address | default("3000") }}
certificate = "{{ idp_tls.cert }}"
key = "{{ idp_tls.key }}"
[admin]
url = "https://{{ oidc_urls.hydra_admin.address | default("localhost") }}:{{ oidc_urls.hydra_admin.port | default("3000") }}"
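Review bot: The `port` line in the new `[server]` table reads `oidc_urls.idp.address` instead of `oidc_urls.idp.port`, so when an address is configured the rendered TOML becomes `port = <ip-or-hostname>`, an unquoted bare word that is not valid TOML, and when it is not configured the IDP silently gets the default even if a port was set; it should be `port = {{ oidc_urls.idp.port | default(3000) }}`. The `[admin]` url also defaults to port `"3000"`, the same number as the IDP's own default port; if Hydra's admin API listens on a different port in this setup (the Hydra-side configuration is not visible here), the two defaults should differ, or a comment should state that both are expected to be overridden together. A header comment such as `# rendered by Ansible from oidc_urls and idp_tls; do not edit on the host` at the top of the template would help whoever finds the generated file.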


@ -1,2 +1,5 @@
--- ---
# vars file for roles/oidc_idp idp_tls:
cert: "{{ cacert_home }}/etc/{{ oidc_urls.idp.host }}.pem"
key: "{{ cacert_home }}/etc/{{ oidc_urls.idp.host }}-key.pem"
client_cas: "{{ cacert_home }}/etc/{{ oidc_urls.idp.host }}-client-cas.pem"