oidc-parent/deployment/roles/hydra_server/tasks/main.yml


---
- name: Create Hydra group
  # System group that owns the service's files; the group-readable modes set
  # in later tasks give this group read access to config and binary.
  ansible.builtin.group:
    name: '{{ hydra_os_group }}'
    system: true
    state: present
- name: Create Hydra user
  # Service account; its home is the install root used by the tasks below.
  # NOTE(review): no shell is set, so the distro default applies — a nologin
  # shell is usual for a service account; confirm what the distro assigns.
  ansible.builtin.user:
    name: '{{ hydra_os_user }}'
    system: true
    group: '{{ hydra_os_group }}'
    home: '{{ hydra_home }}'
    state: present
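- name: Create Hydra directories
  # The directories are root-owned on purpose: etc/ and bin/ receive
  # root-owned files below (hydra.yml, the hydra binary), and a directory
  # writable by the service account would let that account rename or
  # replace those files regardless of their own ownership. Group access
  # (0750) is what the service needs to read them.
  ansible.builtin.file:
    path: "{{ hydra_home }}/{{ item.path }}"
    owner: root
    group: "{{ hydra_os_group }}"
    mode: "{{ item.mode }}"
    state: directory
  loop:
    - path: etc
      mode: "0750"
    - path: bin
      mode: "0750"
    - path: download
      mode: "0750"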
- name: Download Hydra binary
  # The release tarball is checked against hydra_checksum (SHA-256) before
  # it is accepted, so a tampered or truncated download fails this task.
  ansible.builtin.get_url:
    url: >-
      https://github.com/ory/hydra/releases/download/v{{ hydra_version }}/hydra_{{ hydra_version }}-linux_64bit.tar.gz
    dest: '{{ hydra_home }}/download/hydra_{{ hydra_version }}-linux_64bit.tar.gz'
    checksum: 'sha256:{{ hydra_checksum }}'
    mode: "0640"
    owner: '{{ hydra_os_user }}'
    group: '{{ hydra_os_group }}'
- name: Extract Hydra binary
  # Only the 'hydra' executable is taken from the archive. It is installed
  # root-owned and group-executable, so the service can run it but not
  # modify it.
  ansible.builtin.unarchive:
    src: '{{ hydra_home }}/download/hydra_{{ hydra_version }}-linux_64bit.tar.gz'
    dest: '{{ hydra_home }}/bin'
    remote_src: true
    include:
      - hydra
    owner: root
    group: '{{ hydra_os_group }}'
    mode: "0750"
- name: Create Hydra configuration
  # Rendered config is root-owned and readable only by the service group;
  # any change is picked up by the reload handler at the end of the play.
  ansible.builtin.template:
    src: hydra.yml.j2
    dest: '{{ hydra_home }}/etc/hydra.yml'
    mode: "0640"
    owner: root
    group: '{{ hydra_os_group }}'
  notify: hydra_systemd_reload
- name: Check whether certificate exists
  # The result gates the mkcert block that follows.
  ansible.builtin.stat:
    path: '{{ hydra_tls.cert }}'
  register: hydra_cert_st
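- name: Create Hydra key and certificate with mkcert
  # Runs only when the certificate is absent (stat task above). Key and
  # certificate are generated in a private temporary directory as the
  # unprivileged connecting user (become: false) and then installed as root.
  # NOTE(review): only the certificate's existence is checked; a missing key
  # next to an existing certificate is not regenerated by this block.
  when: not hydra_cert_st.stat.exists
  become: false
  block:
    - name: Create temporary directory for Hydra key and certificate
      ansible.builtin.tempfile:
        prefix: "hydra-cert."
        state: directory
      register: hydra_cert_temp_dir

    - name: Create Hydra key and certificate
      # argv passes each host name as exactly one argument, so a host value
      # containing whitespace cannot be split into additional mkcert
      # arguments the way a single cmd string would be.
      ansible.builtin.command:
        argv:
          - mkcert
          - "-cert-file"
          - "{{ hydra_cert_temp_dir.path }}/hydra.pem"
          - "-key-file"
          - "{{ hydra_cert_temp_dir.path }}/hydra.key.pem"
          - "{{ oidc_urls.hydra_admin.host }}"
          - "{{ oidc_urls.hydra_public.host }}"
      environment:
        # presumably an empty CAROOT makes mkcert fall back to its default
        # root directory — verify against the mkcert version in use.
        CAROOT: "{{ mkcert_caroot | default('') }}"

    - name: Move Hydra certificate and key to target
      # Installed as root; the private key is readable only by root and the
      # service group, the certificate is world-readable.
      ansible.builtin.copy:
        src: "{{ hydra_cert_temp_dir.path }}/{{ item.src }}"
        dest: "{{ item.dest }}"
        owner: root
        group: "{{ hydra_os_group }}"
        mode: "{{ item.mode }}"
        remote_src: true
      loop:
        - src: hydra.pem
          dest: "{{ hydra_tls.cert }}"
          mode: "0644"
        - src: hydra.key.pem
          dest: "{{ hydra_tls.key }}"
          mode: "0640"
      become: true

    - name: Remove temporary directory
      # Removes the unprivileged copy of the key once it has been installed.
      ansible.builtin.file:
        path: "{{ hydra_cert_temp_dir.path }}"
        state: absent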
- name: Run Hydra SQL migrations
  # Executed on every run and always reported as unchanged, since the
  # command output is not inspected here.
  # NOTE(review): --read-from-env lets hydra take settings from the process
  # environment in addition to the config file — confirm which source the
  # DSN is meant to come from.
  ansible.builtin.command:
    cmd: >-
      {{ hydra_home }}/bin/hydra migrate sql --yes --read-from-env --config {{ hydra_home }}/etc/hydra.yml
  changed_when: false
- name: Create systemd unit file
  # Unit file is root-only readable; a changed unit triggers the reload
  # handler at the end of the play.
  ansible.builtin.template:
    src: hydra.service.j2
    dest: /etc/systemd/system/hydra.service
    mode: '0640'
    owner: root
    group: root
  notify: hydra_systemd_reload
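- name: Ensure service is started
  # daemon_reload makes systemd read the unit file written by the previous
  # task before the first start. The hydra_systemd_reload handler only runs
  # after all tasks, which is too late for a fresh host where the unit is
  # not yet known to systemd when this task runs.
  ansible.builtin.systemd:
    name: hydra
    daemon_reload: true
    enabled: true
    state: started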