Finish IDP setup

2022-08-22 18:52:47 +02:00 · 2022-08-22 18:52:47 +02:00 · f9ad2ba2b5
commit f9ad2ba2b5
parent e4b5a99147
6 changed files with 65 additions and 11 deletions
--- a/deployment/group_vars/authserver.yml
+++ b/deployment/group_vars/authserver.yml
@ -0,0 +1,40 @@
+---
+# defaults to CAcert class 3 certificate
+idp:
+  client_certificate_data: |
+    -----BEGIN CERTIFICATE-----
+    MIIGPTCCBCWgAwIBAgIDFOIoMA0GCSqGSIb3DQEBDQUAMHkxEDAOBgNVBAoTB1Jv
+    b3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ
+    Q0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9y
+    dEBjYWNlcnQub3JnMB4XDTIxMDQxOTEyMTgzMFoXDTMxMDQxNzEyMTgzMFowVDEU
+    MBIGA1UEChMLQ0FjZXJ0IEluYy4xHjAcBgNVBAsTFWh0dHA6Ly93d3cuQ0FjZXJ0
+    Lm9yZzEcMBoGA1UEAxMTQ0FjZXJ0IENsYXNzIDMgUm9vdDCCAiIwDQYJKoZIhvcN
+    AQEBBQADggIPADCCAgoCggIBAKtJNRFIfNImflOUz0Op3SjXQiqL84d4GVh8D57a
+    iX3h++tykA10oZZkq5+gJJlz2uJVdscXe/UErEa4w75/ZI0QbCTzYZzA8pD6Ueb1
+    aQFjww9W4kpCz+JEjCUoqMV5CX1GuYrz6fM0KQhF5Byfy5QEHIGoFLOYZcRD7E6C
+    jQnRvapbjZLQ7N6QxX8KwuPr5jFaXnQ+lzNZ6MMDPWAzv/fRb0fEze5ig1JuLgia
+    pNkVGJGmhZJHsK5I6223IeyFGmhyNav/8BBdwPSUp2rVO5J+TJAFfpPBLIukjmJ0
+    FXFuC3ED6q8VOJrU0gVyb4z5K+taciX5OUbjchs+BMNkJyIQKopPWKcDrb60LhPt
+    XapI19V91Cp7XPpGBFDkzA5CW4zt2/LP/JaT4NsRNlRiNDiPDGCbO5dWOK3z0luL
+    oFvqTpa4fNfVoIZwQNORKbeiPK31jLvPGpKK5DR7wNhsX+kKwsOnIJpa3yxdUly6
+    R9Wb7yQocDggL9V/KcCyQQNokszgnMyXS0XvOhAKq3A6mJVwrTWx6oUrpByAITGp
+    rmB6gCZIALgBwJNjVSKRPFbnr9s6JfOPMVTqJouBWfmh0VMRxXudA/Z0EeBtsSw/
+    LIaRmXGapneLNGDRFLQsrJ2vjBDTn8Rq+G8T/HNZ92ZCdB6K4/jc0m+YnMtHmJVA
+    BfvpAgMBAAGjgfIwge8wDwYDVR0TAQH/BAUwAwEB/zBhBggrBgEFBQcBAQRVMFMw
+    IwYIKwYBBQUHMAGGF2h0dHA6Ly9vY3NwLkNBY2VydC5vcmcvMCwGCCsGAQUFBzAC
+    hiBodHRwOi8vd3d3LkNBY2VydC5vcmcvY2xhc3MzLmNydDBFBgNVHSAEPjA8MDoG
+    CysGAQQBgZBKAgMBMCswKQYIKwYBBQUHAgEWHWh0dHA6Ly93d3cuQ0FjZXJ0Lm9y
+    Zy9jcHMucGhwMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHBzOi8vd3d3LmNhY2VydC5v
+    cmcvY2xhc3MzLmNybDANBgkqhkiG9w0BAQ0FAAOCAgEAxh6td1y0KJvRyI1EEsC9
+    dnYEgyEH+BGCf2vBlULAOBG1JXCNiwzB1Wz9HBoDfIv4BjGlnd5BKdSLm4TXPcE3
+    hnGjH1thKR5dd3278K25FRkTFOY1gP+mGbQ3hZRB6IjDX+CyBqS7+ECpHTms7eo/
+    mARN+Yz5R3lzUvXs3zSX+z534NzRg4i6iHNHWqakFcQNcA0PnksTB37vGD75pQGq
+    eSmx51L6UzrIpn+274mhsaFNL85jhX+lKuk71MGjzwoThbuZ15xmkITnZtRQs6Hh
+    LSIqJWjDILIrxLqYHehK71xYwrRNhFb3TrsWaEJskrhveM0Os/vvoLNkh/L3iEQ5
+    /LnmLMCYJNRALF7I7gsduAJNJrgKGMYvHkt1bo8uIXO8wgNV7qoU4JoaB1ML30QU
+    qGcFr0TI06FFdgK2fwy5hulPxm6wuxW0v+iAtXYx/mRkwQpYbcVQtrIDvx1CT1k5
+    0cQxi+jIKjkcFWHw3kBoDnCos0/ukegPT7aQnk2AbL4c7nCkuAcEKw1BAlSETkfq
+    i5btdlhh58MhewZv1LcL5zQyg8w1puclT3wXQvy8VwPGn0J/mGD4gLLZ9rGcHDUE
+    CokxFoWk+u5MCcVqmGbsyG4q5suS3CNslsHURfM8bQK4oLvHR8LCHEBMRcdFBn87
+    cSvOK6eB1kdGKLA8ymXxZp8=
+    -----END CERTIFICATE-----
--- a/deployment/host_vars/localhost.yml
+++ b/deployment/host_vars/localhost.yml
@ -11,10 +11,6 @@ hydra_tls:
 # different random values encrypted via ansible-vault
 hydra_system_secret: "AczA+NZ25Ye9eAreglv5bo9XcND6uwBQHVUYCvPfwXo="

-idp_tls:
-  cert: "{{ cacert_home }}/etc/login.cacert.localhost.pem"
-  key: "{{ cacert_home }}/etc/login.cacert.localhost-key.pem"
-
 register_tls:
  cert: "{{ cacert_home }}/etc/register.cacert.localhost.pem"
  key: "{{ cacert_home }}/etc/register.cacert.localhost-key.pem"
--- a/deployment/host_vars/oidcbox.yml
+++ b/deployment/host_vars/oidcbox.yml
@ -11,10 +11,6 @@ hydra_tls:
 # different random values encrypted via ansible-vault
 hydra_system_secret: "AczA+NZ25Ye9eAreglv5bo9XcND6uwBQHVUYCvPfwXo="

-idp_tls:
-  cert: "{{ cacert_home }}/etc/login.cacert.localhost.pem"
-  key: "{{ cacert_home }}/etc/login.cacert.localhost-key.pem"
-
 register_tls:
  cert: "{{ cacert_home }}/etc/register.cacert.localhost.pem"
  key: "{{ cacert_home }}/etc/register.cacert.localhost-key.pem"
--- a/deployment/roles/oidc_idp/tasks/main.yml
+++ b/deployment/roles/oidc_idp/tasks/main.yml
@ -81,7 +81,7 @@
        owner: root
        group: "{{ cacert_os_group }}"
        mode: '0644'
-        content: "{{ idp_tls.certdata }}"
+        content: "{{ idp.server_certificate_data }}"

    - name: Copy IDP key
      ansible.builtin.copy:
@ -89,9 +89,18 @@
        owner: root
        group: "{{ cacert_os_group }}"
        mode: '0640'
-        content: "{{ idp_tls.keydata }}"
+        content: "{{ idp.server_key_data }}"

  when: not use_mkcert
+
+- name: Copy client CA certificates
+  ansible.builtin.copy:
+    dest: "{{ idp_tls.client_cas }}"
+    owner: root
+    group: "{{ cacert_os_group }}"
+    mode: '0640'
+    content: "{{ idp.client_certificate_data }}"
+
 - name: Create IDP configuration
  ansible.builtin.template:
    src: idp_config.toml.j2
--- a/deployment/roles/oidc_idp/templates/idp_config.toml.j2
+++ b/deployment/roles/oidc_idp/templates/idp_config.toml.j2
@ -1,2 +1,12 @@
 [security]
 csrf.key = "{{ idp_csrf_key | default(lookup('community.general.random_string', length=32, base64=true)) }}"
+client.ca-file = "{{ idp_tls.client_cas }}"
+
+[server]
+name = "{{ oidc_urls.idp.address | default(ansible_default_ipv4.address) }}"
+port = {{ oidc_urls.idp.address | default("3000") }}
+certificate = "{{ idp_tls.cert }}"
+key = "{{ idp_tls.key }}"
+
+[admin]
+url = "https://{{ oidc_urls.hydra_admin.address | default("localhost") }}:{{ oidc_urls.hydra_admin.port | default("3000") }}"
--- a/deployment/roles/oidc_idp/vars/main.yml
+++ b/deployment/roles/oidc_idp/vars/main.yml
@ -1,2 +1,5 @@
 ---
-# vars file for roles/oidc_idp
+idp_tls:
+  cert: "{{ cacert_home }}/etc/{{ oidc_urls.idp.host }}.pem"
+  key: "{{ cacert_home }}/etc/{{ oidc_urls.idp.host }}-key.pem"
+  client_cas: "{{ cacert_home }}/etc/{{ oidc_urls.idp.host }}-client-cas.pem"