Start with Debian 12.

When you create your machine, create two additional DNS entries under your base domain name: "authserver" and "idp". Both, and the machine's own name, must resolve publicly before the certbot step below.

Apt-Install git openssl mkcert postgresql nginx vim make python3-pip python3-venv curl sudo
Apt-Install php-bz2 php-curl php-gd php-intl php-mbstring php-mcrypt php-pdo php-pgsql php-xml php-zip php-fpm
Apt-Install certbot python3-certbot-nginx golang-go

If necessary, create a "normal" user and give them "sudo" access in /etc/group. Become that user.

Create a working directory:
cmd: cd
cmd: git clone https://code.cacert.org/cacert/oidc-registration-php.git
cmd: cd oidc-registration-php
cmd: cp cacert.ini.sample cacert.ini

Edit cacert.ini and set the database user and password that you wish to use. Also set the domain and host name in the URL variables. Note that cacert.ini now holds database credentials and is copied into the web root later on, so check that nginx does not serve it.

cmd: cd misc
Edit oidc_db_v2.sql and insert the database user name chosen above in place of "".

As Root:
cmd: cp oidc_db_v2.sql /var/lib/postgresql
cmd: su - postgres
cmd: createuser -s -d -e -r -P ( Pwd: )
cmd: createdb oidc_db -O
cmd: psql oidc_db < oidc_db_v2.sql
Ctrl-D
(-s makes this role a PostgreSQL superuser; if the schema loads without it, a less privileged role is preferable.)

Return to your "normal" user's shell:
cmd: cd ..
cmd: mkdir -p $HOME/.local/share/virtualenvs ~/.local/bin
cmd: python3 -m venv $HOME/.local/share/virtualenvs/ansible
cmd: $HOME/.local/share/virtualenvs/ansible/bin/pip install ansible
cmd: ln -s $HOME/.local/share/virtualenvs/ansible/bin/ansible* $HOME/.local/bin/
cmd: export PATH=$HOME/.local/bin:$HOME/go/bin:$PATH
Edit your ~/.profile to include the preceding PATH change.
cmd: . ~/.profile
cmd: go install github.com/nicksnyder/go-i18n/v2/goi18n@latest
cmd: cd ..
cmd: git clone --recurse-submodules https://code.cacert.org/cacert/oidc-parent.git
cmd: cd oidc-parent
# cause pull, fetch and other git commands to consider submodules
cmd: git config submodule.recurse true
cmd: make
Answer the password question for your "normal" user.

Change into the "deployment" sub-directory:
cmd: cd deployment
Edit two files here: "host_vars/localhost.yml" and "group_vars/all.yml".
In both files, search for "hydra_public" and change "auth.cacert.localhost" to the "authserver" DNS name that you created at the top. Then, in both files, search for "idp" and change "login.cacert.localhost" to the "idp" DNS name that you created at the top.

Continue by:
cmd: ansible-playbook -K 01_install_cacert_oidc.yml
Answer the password question for your "normal" user.
cmd: cd ../..

As Root:
cmd: certbot --nginx -d -d -d
(one -d for each name the machine serves: its own host name, "authserver" and "idp")

Edit misc/reverse-proxy.conf and change "" to the correct value. Also change "" to the correct value for your machine.

From your working directory, do the following as Root:
cmd: cd oidc-registration-php
cmd: cp -r * /var/www/html
cmd: cp ssl-certs/* /usr/local/share/ca-certificates
cmd: update-ca-certificates -f
(This makes every CA certificate in ssl-certs/ trusted machine-wide; look at what is in there before you run it.)
cmd: cp misc/reverse-proxy.conf /etc/nginx/conf.d
cmd: mkdir -p /etc/nginx/certs
cmd: cp misc/cas.pem /etc/nginx/certs
cmd: chmod 751 /srv/hydra/bin
cmd: chmod 751 /srv/hydra/bin/hydra
cmd: cp -i /etc/letsencrypt/live/registercacert.buadh-brath.com/cert.pem idp.buadh-brath.com.pem
cmd: cp -i /etc/letsencrypt/live/registercacert.buadh-brath.com/privkey.pem idp.buadh-brath.com-key.pem
(registercacert.buadh-brath.com and idp.buadh-brath.com are the author's own host names; substitute your certbot directory and your "idp" name. The chown/chmod steps that follow run in /srv/cacert/etc, so the two .pem files must end up in that directory.)
cmd: cd /srv/cacert/etc
cmd: chown root:cacert *
cmd: chmod 640 idp.buadh-brath.com-key.pem
cmd: systemctl restart cacert-idp.service
Exit Root, if necessary.

Once you are finished, you may change the background image, the logo and the favicon as you wish.
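As an added example (not code from the oidc-parent or oidc-registration-php projects), the following POSIX shell helper automates two of the manual steps above: the host-name substitutions in the two Ansible variable files, and a check that the IdP private key ended up with the 640 mode the guide sets. The "register" label for the registration host, the example.org domain and the sample file contents are assumptions.

```shell
#!/bin/sh
# Added example, not part of the oidc-parent or oidc-registration-php projects.
# Automates two of the manual steps in the guide: substituting the sample
# host names in the Ansible variable files, and checking key file permissions.
set -e

# Derive the host names from the base domain. The guide creates "authserver"
# and "idp" under the base domain; "register" for the registration host is an
# assumption, use whatever name your machine has.
hostnames_for() {
  base="$1"
  printf '%s\n' "register.$base" "authserver.$base" "idp.$base"
}

# Rewrite one variables file, replacing the upstream sample names
# (auth.cacert.localhost, login.cacert.localhost) with ours. Works on a copy
# ("<file>.rewritten") so the original can be diffed; prints the copy's path.
rewrite_vars() {
  src="$1"; auth="$2"; idp="$3"
  out="$src.rewritten"
  sed -e "s/auth\.cacert\.localhost/$auth/g" \
      -e "s/login\.cacert\.localhost/$idp/g" "$src" > "$out"
  printf '%s\n' "$out"
}

# Number of lines still carrying a sample host name; 0 means nothing was missed.
leftover_count() {
  grep -c -E 'auth\.cacert\.localhost|login\.cacert\.localhost' "$1" || true
}

# The guide ends with chown root:cacert and chmod 640 on the private key.
# Succeeds only if the mode is exactly rw-r-----, i.e. no world access.
key_perms_ok() {
  mode=$(ls -l "$1" | cut -c1-10)
  [ "$mode" = "-rw-r-----" ]
}

# Usage: sh rewrite-hosts.sh demo <basedomain>   (runs on a constructed sample)
if [ "${1:-}" = "demo" ]; then
  base="${2:-example.org}"
  set -- $(hostnames_for "$base")      # $1=register $2=authserver $3=idp
  tmp=$(mktemp -d)
  # Constructed sample of group_vars/all.yml; the real file has many more keys.
  printf 'hydra_public: https://auth.cacert.localhost\nidp_url: https://login.cacert.localhost/login\n' > "$tmp/all.yml"
  out=$(rewrite_vars "$tmp/all.yml" "$2" "$3")
  echo "rewritten: $out (sample names left: $(leftover_count "$out"))"
  cat "$out"
  rm -rf "$tmp"
fi
```

Run rewrite_vars once for host_vars/localhost.yml and once for group_vars/all.yml, then diff each .rewritten copy against the original before moving it into place; leftover_count on the copy should print 0. After the chmod step at the end of the guide, key_perms_ok on the key file is the quick way to confirm the mode stuck.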