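---
# Ansible tasks: install and configure an Ory Hydra instance.
#
# Order matters: the OS account and directories are created first, the
# release tarball is downloaded against a pinned checksum and unpacked, the
# configuration and TLS material are put in place, the SQL migrations are run
# and finally the systemd unit is registered.  The tasks are written for a
# privileged play (the mkcert block below explicitly drops privileges with
# `become: false`) — TODO confirm the calling play sets `become: true`.
#
# Variables used (defined outside this file): hydra_os_user, hydra_os_group,
# hydra_home, hydra_version, hydra_checksum, hydra_tls (cert, key, certdata,
# keydata), oidc_urls (hydra_admin.host, hydra_public.host) and use_mkcert.

- name: Create Hydra group
  ansible.builtin.group:
    name: "{{ hydra_os_group }}"
    state: present
    system: true

- name: Create Hydra user
  ansible.builtin.user:
    name: "{{ hydra_os_user }}"
    group: "{{ hydra_os_group }}"
    home: "{{ hydra_home }}"
    state: present
    system: true

# etc and bin are owned by root so that the service account cannot replace
# its own configuration or binary: the files placed there are root-owned, but
# that is ineffective if the service account owns the containing directory.
# The group bit keeps them traversable for the service.  download stays owned
# by the service account, matching the ownership get_url sets on the tarball.
- name: Create Hydra directories
  ansible.builtin.file:
    path: "{{ hydra_home }}/{{ item.path }}"
    owner: "{{ item.owner }}"
    group: "{{ hydra_os_group }}"
    mode: "{{ item.mode }}"
    state: directory
  loop:
    - { path: etc, owner: root, mode: '0750' }
    - { path: bin, owner: root, mode: '0750' }
    - { path: download, owner: "{{ hydra_os_user }}", mode: '0750' }

# The sha256 checksum pins the exact release artefact; a mismatch fails the
# task before anything is unpacked.
- name: Download Hydra binary
  ansible.builtin.get_url:
    url: "https://github.com/ory/hydra/releases/download/v{{ hydra_version }}/hydra_{{ hydra_version }}-linux_64bit.tar.gz"
    dest: "{{ hydra_home }}/download/hydra_{{ hydra_version }}-linux_64bit.tar.gz"
    checksum: "sha256:{{ hydra_checksum }}"
    owner: "{{ hydra_os_user }}"
    group: "{{ hydra_os_group }}"
    mode: '0640'

# Only the `hydra` binary is taken out of the tarball.  It is root-owned and
# group-executable so the service can run it but not modify it.
- name: Extract Hydra binary
  ansible.builtin.unarchive:
    remote_src: true
    src: "{{ hydra_home }}/download/hydra_{{ hydra_version }}-linux_64bit.tar.gz"
    dest: "{{ hydra_home }}/bin"
    owner: root
    group: "{{ hydra_os_group }}"
    include: 'hydra'
    mode: '0750'

# The rendered configuration presumably carries the DSN and Hydra's system
# secrets (verify against hydra.yml.j2), hence root:<group> 0640 rather than
# a world-readable file.
- name: Create Hydra configuration
  ansible.builtin.template:
    src: hydra.yml.j2
    dest: "{{ hydra_home }}/etc/hydra.yml"
    owner: root
    group: "{{ hydra_os_group }}"
    mode: '0640'

- name: Check whether certificate exists
  ansible.builtin.stat:
    path: "{{ hydra_tls.cert }}"
  register: hydra_cert_st

# mkcert issues certificates from a locally trusted development CA.  The block
# runs without privilege escalation, so `mkcert -install` acts on the trust
# store of the connecting user — presumably intended for development hosts
# only; confirm use_mkcert is never set on production inventories.
# The `always` section removes the temporary directory even when generation
# or the privileged copy fails, so the freshly generated private key is never
# left behind.
- name: Create Hydra key and certificate with mkcert
  block:
    - name: Install mkcert CA
      ansible.builtin.command:
        cmd: mkcert -install

    - name: Create temporary directory for Hydra key and certificate
      ansible.builtin.tempfile:
        prefix: "hydra-cert."
        state: directory
      register: hydra_cert_temp_dir

    - name: Create Hydra key and certificate
      ansible.builtin.command:
        cmd: "mkcert -cert-file {{ hydra_cert_temp_dir.path }}/hydra.pem -key-file {{ hydra_cert_temp_dir.path }}/hydra.key.pem {{ oidc_urls.hydra_admin.host }} {{ oidc_urls.hydra_public.host }}"

    # Privileged copy into the target location; the certificate is public,
    # the key stays readable by root and the service group only.
    - name: Move Hydra certificate and key to target
      ansible.builtin.copy:
        src: "{{ hydra_cert_temp_dir.path }}/{{ item.src }}"
        dest: "{{ item.dest }}"
        owner: root
        group: "{{ hydra_os_group }}"
        mode: "{{ item.mode }}"
        remote_src: true
      loop:
        - { src: hydra.pem, dest: "{{ hydra_tls.cert }}", mode: '0644' }
        - { src: hydra.key.pem, dest: "{{ hydra_tls.key }}", mode: '0640' }
      become: true
  always:
    - name: Remove temporary directory
      ansible.builtin.file:
        path: "{{ hydra_cert_temp_dir.path }}"
        state: absent
      # Guards the case where the block failed before the tempfile task ran.
      when: hydra_cert_temp_dir.path is defined
  when: use_mkcert and not hydra_cert_st.stat.exists
  become: false

# Inventory-provided key material is written via `content`; the key task is
# marked no_log so the private key does not end up in task output, diff mode
# or callback logs.  The certificate is public and is left loggable.
- name: Copy Hydra key and certificate from inventory
  block:
    - name: Copy Hydra certificate
      ansible.builtin.copy:
        dest: "{{ hydra_tls.cert }}"
        owner: root
        group: "{{ hydra_os_group }}"
        mode: '0644'
        content: "{{ hydra_tls.certdata }}"

    - name: Copy Hydra key
      ansible.builtin.copy:
        dest: "{{ hydra_tls.key }}"
        owner: root
        group: "{{ hydra_os_group }}"
        mode: '0640'
        content: "{{ hydra_tls.keydata }}"
      no_log: true
  when: not use_mkcert

# Re-run on every play before the service starts.  `--yes` skips the
# interactive confirmation; `changed_when: false` means the task is reported
# as unchanged even when migrations were actually applied.
- name: Run Hydra SQL migrations
  ansible.builtin.command:
    cmd: "{{ hydra_home }}/bin/hydra migrate sql --yes --read-from-env --config {{ hydra_home }}/etc/hydra.yml"
  changed_when: false

# The handler named here (defined elsewhere in the role) reloads systemd so
# the new or changed unit is picked up.
- name: Create systemd unit file
  ansible.builtin.template:
    src: hydra.service.j2
    dest: /etc/systemd/system/hydra.service
    owner: root
    group: root
    mode: '0640'
  notify: hydra_systemd_reload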