You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
174 lines
5.6 KiB
YAML
174 lines
5.6 KiB
YAML
---
|
|
- name: Manage /etc/hosts
|
|
blockinfile:
|
|
path: /etc/hosts
|
|
create: true
|
|
block: |
|
|
127.0.0.1 localhost
|
|
127.0.0.2 bookworm
|
|
::1 localhost ip6-localhost ip6-loopback
|
|
ff02::1 ip6-allnodes
|
|
ff02::2 ip6-allrouters
|
|
|
|
{{ oidc_urls.hydra_public.address | default(ansible_default_ipv4.address) }} {{ oidc_urls.hydra_public.host }}
|
|
127.0.0.1 {{ oidc_urls.demoapp.host }}
|
|
|
|
- name: Create CAcert group
|
|
ansible.builtin.group:
|
|
name: "{{ cacert_os_group }}"
|
|
state: present
|
|
system: true
|
|
|
|
- name: Create CAcert user
|
|
ansible.builtin.user:
|
|
name: "{{ cacert_os_user }}"
|
|
group: "{{ cacert_os_group }}"
|
|
home: "{{ cacert_home }}"
|
|
state: present
|
|
system: true
|
|
|
|
- name: Create CAcert directories
|
|
ansible.builtin.file:
|
|
path: "{{ cacert_home }}/{{ item.path }}"
|
|
owner: "{{ cacert_os_user }}"
|
|
group: "{{ cacert_os_group }}"
|
|
mode: "{{ item.mode }}"
|
|
state: directory
|
|
loop:
|
|
- { path: etc, mode: '0750' }
|
|
- { path: bin, mode: '0750' }
|
|
- { path: download, mode: '0750' }
|
|
|
|
- name: Create session directory
|
|
ansible.builtin.file:
|
|
path: "{{ demoapp_session_path | default('/var/cache/cacert/sessions') }}"
|
|
owner: "{{ cacert_os_user }}"
|
|
group: "{{ cacert_os_group }}"
|
|
mode: "0750"
|
|
state: directory
|
|
|
|
- name: Copy demo application binary
|
|
ansible.builtin.copy:
|
|
src: ../oidc_app/demo-app
|
|
dest: "{{ cacert_home }}/bin/cacert-oidcdemo"
|
|
owner: root
|
|
group: "{{ cacert_os_group }}"
|
|
mode: "0750"
|
|
|
|
- name: Check whether certificate exists
|
|
ansible.builtin.stat:
|
|
path: "{{ demoapp_tls.cert }}"
|
|
register: demoapp_cert_st
|
|
|
|
- name: Create demo application key and certificate with mkcert
|
|
block:
|
|
|
|
- name: Create temporary directory for demo application key and certificate
|
|
ansible.builtin.tempfile:
|
|
prefix: "demoapp-cert."
|
|
state: directory
|
|
register: demoapp_cert_temp_dir
|
|
|
|
- name: Create demo application key and certificate
|
|
ansible.builtin.command:
|
|
cmd: "mkcert -cert-file {{ demoapp_cert_temp_dir.path }}/demoapp.pem -key-file {{ demoapp_cert_temp_dir.path }}/demoapp.key.pem {{ oidc_urls.demoapp.host }}"
|
|
environment:
|
|
CAROOT: "{{ mkcert_caroot | default('') }}"
|
|
|
|
- name: Move demo application certificate and key to target
|
|
ansible.builtin.copy:
|
|
src: "{{ demoapp_cert_temp_dir.path }}/{{ item.src }}"
|
|
dest: "{{ item.dest }}"
|
|
owner: root
|
|
group: "{{ cacert_os_group }}"
|
|
mode: "{{ item.mode }}"
|
|
remote_src: true
|
|
loop:
|
|
- {src: demoapp.pem, dest: "{{ demoapp_tls.cert }}", mode: '0644'}
|
|
- {src: demoapp.key.pem, dest: "{{ demoapp_tls.key }}", mode: '0640'}
|
|
become: true
|
|
|
|
- name: Remove temporary directory
|
|
ansible.builtin.file:
|
|
path: "{{ demoapp_cert_temp_dir.path }}"
|
|
state: absent
|
|
|
|
when: not demoapp_cert_st.stat.exists
|
|
become: false
|
|
|
|
- name: Check whether configuration file exists
|
|
ansible.builtin.stat:
|
|
path: "{{ cacert_home }}/etc/cacert-demoapp.toml"
|
|
register: demoapp_config_st
|
|
|
|
- name: Get credentials from existing file
|
|
block:
|
|
|
|
- name: fetch existing configuration file
|
|
ansible.builtin.fetch:
|
|
src: "{{ demoapp_config_st.stat.path }}"
|
|
dest: demoapp_config-from-vagrant.toml
|
|
flat: true
|
|
|
|
- name: set credential facts
|
|
ansible.builtin.set_fact:
|
|
demoapp_client_id: "{{ lookup('ansible.builtin.ini', 'client-id', section='oidc', file='demoapp_config-from-vagrant.toml') | from_json }}"
|
|
demoapp_client_secret: "{{ lookup('ansible.builtin.ini', 'client-secret', section='oidc', file='demoapp_config-from-vagrant.toml') | from_json }}"
|
|
demoapp_auth_key: "{{ lookup('ansible.builtin.ini', 'auth-key', section='session', file='demoapp_config-from-vagrant.toml') | from_json }}"
|
|
demoapp_enc_key: "{{ lookup('ansible.builtin.ini', 'enc-key', section='session', file='demoapp_config-from-vagrant.toml') | from_json }}"
|
|
ignore_errors: true
|
|
|
|
when: demoapp_config_st.stat.exists
|
|
|
|
- name: Generate new credentials
|
|
block:
|
|
|
|
- name: Create new client via Hydra admin API
|
|
ansible.builtin.uri:
|
|
url: "https://{{ oidc_urls.hydra_admin.host }}:{{ oidc_urls.hydra_admin.port }}/admin/clients"
|
|
method: "POST"
|
|
body:
|
|
client_name: "CAcert OIDC demo application"
|
|
redirect_uris:
|
|
- "https://{{ oidc_urls.demoapp.host }}:{{ oidc_urls.demoapp.port }}/callback"
|
|
post_logout_redirect_uris:
|
|
- "https://{{ oidc_urls.demoapp.host }}:{{ oidc_urls.demoapp.port }}/after-logout"
|
|
scope: "openid email profile groups"
|
|
body_format: "json"
|
|
headers:
|
|
Accept: "application/json"
|
|
Content-Type: "application/json"
|
|
status_code: [201]
|
|
register: hydra_response
|
|
|
|
- name: Set credential facts
|
|
ansible.builtin.set_fact:
|
|
demoapp_client_id: "{{ hydra_response.json.client_id }}"
|
|
demoapp_client_secret: "{{ hydra_response.json.client_secret }}"
|
|
|
|
when: not demoapp_config_st.stat.exists
|
|
|
|
- name: Create demo application configuration
|
|
ansible.builtin.template:
|
|
src: demoapp_config.toml.j2
|
|
dest: "{{ cacert_home }}/etc/cacert-demoapp.toml"
|
|
owner: root
|
|
group: "{{ cacert_os_group }}"
|
|
mode: '0640'
|
|
notify: demoapp_systemd_reload
|
|
|
|
- name: Create demoapp systemd unit file
|
|
ansible.builtin.template:
|
|
src: cacert-demoapp.service.j2
|
|
dest: /etc/systemd/system/cacert-demoapp.service
|
|
owner: root
|
|
group: root
|
|
mode: "0644"
|
|
notify: demoapp_systemd_reload
|
|
|
|
- name: Ensure service is started
|
|
ansible.builtin.systemd:
|
|
state: started
|
|
name: cacert-demoapp
|
|
enabled: true
|