From 0c6a9e4accbd6a92e0c6e37066359f4746a8cda6 Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Thu, 20 Jun 2024 13:56:59 +0200 Subject: [PATCH] Stepupapps: Remove vm based tasks. Everything is docker now --- roles/stepupazuremfa/tasks/docker.yml | 78 ------------- roles/stepupazuremfa/tasks/main.yml | 83 +++++++++++++- roles/stepupazuremfa/tasks/vm.yml | 62 ---------- roles/stepupgateway/tasks/docker.yml | 135 ---------------------- roles/stepupgateway/tasks/main.yml | 140 ++++++++++++++++++++++- roles/stepupgateway/tasks/vm.yml | 125 -------------------- roles/stepupra/tasks/docker.yml | 81 ------------- roles/stepupra/tasks/main.yml | 86 +++++++++++++- roles/stepupra/tasks/vm.yml | 55 --------- roles/stepupselfservice/tasks/docker.yml | 83 -------------- roles/stepupselfservice/tasks/main.yml | 88 +++++++++++++- roles/stepupselfservice/tasks/vm.yml | 55 --------- roles/stepuptiqr/tasks/docker.yml | 87 -------------- roles/stepuptiqr/tasks/main.yml | 92 ++++++++++++++- roles/stepuptiqr/tasks/vm.yml | 85 -------------- roles/stepupwebauthn/tasks/docker.yml | 121 -------------------- roles/stepupwebauthn/tasks/main.yml | 126 +++++++++++++++++++- roles/stepupwebauthn/tasks/vm.yml | 77 ------------- 18 files changed, 579 insertions(+), 1080 deletions(-) delete mode 100644 roles/stepupazuremfa/tasks/docker.yml delete mode 100644 roles/stepupazuremfa/tasks/vm.yml delete mode 100644 roles/stepupgateway/tasks/docker.yml delete mode 100644 roles/stepupgateway/tasks/vm.yml delete mode 100644 roles/stepupra/tasks/docker.yml delete mode 100644 roles/stepupra/tasks/vm.yml delete mode 100644 roles/stepupselfservice/tasks/docker.yml delete mode 100644 roles/stepupselfservice/tasks/vm.yml delete mode 100644 roles/stepuptiqr/tasks/docker.yml delete mode 100644 roles/stepuptiqr/tasks/vm.yml delete mode 100644 roles/stepupwebauthn/tasks/docker.yml delete mode 100644 roles/stepupwebauthn/tasks/vm.yml 
diff --git a/roles/stepupazuremfa/tasks/docker.yml b/roles/stepupazuremfa/tasks/docker.yml
deleted file mode 100644
index a7935e775..000000000
--- a/roles/stepupazuremfa/tasks/docker.yml
+++ /dev/null
@@ -1,78 +0,0 @@ -- name: Include docker vars - ansible.builtin.include_vars: docker.yml - -- name: Add group {{ appname }} - ansible.builtin.group: - name: "{{ appname }}" - state: present - register: azuremfa_guid - -- name: Add user {{ appname }} - ansible.builtin.user: - name: "{{ appname }}" - group: "{{ appname }}" - createhome: no - state: present - register: azuremfa_uid - -- name: Create some dirs - ansible.builtin.file: - state: directory - dest: "{{ item }}" - owner: root - group: root - mode: "0755" - with_items: - - "{{ current_release_config_dir_name }}" - - "{{ current_release_appdir }}/public/images" - -- name: Install images - ansible.builtin.include_role: - name: stepupapp - tasks_from: copyimages - -- name: Install the GSSP certificates - ansible.builtin.include_role: - name: stepupapp - tasks_from: copygsspidpcerts - -- name: Place parameters.yml - ansible.builtin.template: - src: parameters.yaml.j2 - dest: "{{ current_release_config_dir_name }}/parameters.yaml" - mode: "0640" - owner: root - group: "{{ appname }}" - notify: restart azuremfa - -- name: Put institutions.yaml from environment - ansible.builtin.template: - src: "{{ inventory_dir }}/files/stepup-azuremfa/institutions.yaml.j2" - dest: "{{ current_release_config_dir_name }}/institutions.yaml" - mode: "0640" - owner: root - group: "{{ appname }}" - notify: restart azuremfa - -- name: Create the container - community.docker.docker_container: - name: "{{ appname }}" - image: ghcr.io/openconext/stepup-azuremfa/stepup-azuremfa:{{ azuremfa_version }} - pull: true - restart_policy: "always" - networks: - - name: "loadbalancer" - labels: - traefik.http.routers.azuremfa.rule: "Host(`azuremfa.{{ base_domain }}`)" - traefik.http.routers.azuremfa.tls: "true" - traefik.enable: "true" - env: - APACHE_UID: "#{{ azuremfa_uid.uid }}" - APACHE_GUID: "#{{ azuremfa_guid.gid }}" - mounts: - - source: /opt/openconext/azuremfa/public/images/header-logo.png - target: 
/var/www/html/public/build/images/header-logo.png - type: bind - - source: /opt/openconext/azuremfa - target: /var/www/html/config/openconext - type: bind diff --git a/roles/stepupazuremfa/tasks/main.yml b/roles/stepupazuremfa/tasks/main.yml index d55b2e516..a7935e775 100644 --- a/roles/stepupazuremfa/tasks/main.yml +++ b/roles/stepupazuremfa/tasks/main.yml 
@@ -1,7 +1,78 @@ -- name: Include docker tasks when running docker - include_tasks: docker.yml - when: "'docker' in group_names" +- name: Include docker vars + ansible.builtin.include_vars: docker.yml -- name: Include vm tasks when running on a vm - include_tasks: vm.yml - when: "'docker' not in group_names" +- name: Add group {{ appname }} + ansible.builtin.group: + name: "{{ appname }}" + state: present + register: azuremfa_guid + +- name: Add user {{ appname }} + ansible.builtin.user: + name: "{{ appname }}" + group: "{{ appname }}" + createhome: no + state: present + register: azuremfa_uid + +- name: Create some dirs + ansible.builtin.file: + state: directory + dest: "{{ item }}" + owner: root + group: root + mode: "0755" + with_items: + - "{{ current_release_config_dir_name }}" + - "{{ current_release_appdir }}/public/images" + +- name: Install images + ansible.builtin.include_role: + name: stepupapp + tasks_from: copyimages + +- name: Install the GSSP certificates + ansible.builtin.include_role: + name: stepupapp + tasks_from: copygsspidpcerts + +- name: Place parameters.yml + ansible.builtin.template: + src: parameters.yaml.j2 + dest: "{{ current_release_config_dir_name }}/parameters.yaml" + mode: "0640" + owner: root + group: "{{ appname }}" + notify: restart azuremfa + +- name: Put institutions.yaml from environment + ansible.builtin.template: + src: "{{ inventory_dir }}/files/stepup-azuremfa/institutions.yaml.j2" + dest: "{{ current_release_config_dir_name }}/institutions.yaml" + mode: "0640" + owner: root + group: "{{ appname }}" + notify: restart azuremfa + +- name: Create the container + community.docker.docker_container: + name: "{{ appname }}" + image: ghcr.io/openconext/stepup-azuremfa/stepup-azuremfa:{{ azuremfa_version }} + pull: true + restart_policy: "always" + networks: + - name: "loadbalancer" + labels: + traefik.http.routers.azuremfa.rule: "Host(`azuremfa.{{ base_domain }}`)" + traefik.http.routers.azuremfa.tls: "true" + traefik.enable: 
"true" + env: + APACHE_UID: "#{{ azuremfa_uid.uid }}" + APACHE_GUID: "#{{ azuremfa_guid.gid }}" + mounts: + - source: /opt/openconext/azuremfa/public/images/header-logo.png + target: /var/www/html/public/build/images/header-logo.png + type: bind + - source: /opt/openconext/azuremfa + target: /var/www/html/config/openconext + type: bind diff --git a/roles/stepupazuremfa/tasks/vm.yml b/roles/stepupazuremfa/tasks/vm.yml deleted file mode 100644 index d76f1035f..000000000 --- a/roles/stepupazuremfa/tasks/vm.yml +++ /dev/null @@ -1,62 +0,0 @@ -- name: Install Apache and FPM config - include_role: - name: apachefpm - -- name: Install the symfony app - include_role: - name: stepupapp - -- name: Install images - include_role: - name: stepupapp - tasks_from: copyimages - -- name: Install the GSSP certificates - include_role: - name: stepupapp - tasks_from: copygsspidpcerts - -- name: Place parameters.yml - template: - src: parameters.yaml.j2 - dest: "{{ current_release_config_dir_name }}/parameters.yaml" - mode: 0640 - owner: root - group: "{{ appname }}" - notify: - - clear cache {{ appname }} - - reload php72-fpm {{ appname }} - -- name: Put institutions.yaml from environment - template: - src: "{{ inventory_dir }}/files/stepup-azuremfa/institutions.yaml.j2" - dest: "{{ current_release_config_dir_name }}/institutions.yaml" - mode: 0640 - group: "{{ appname }}" - notify: - - clear cache {{ appname }} - - reload php72-fpm {{ appname }} - -- name: Place .env file - template: - src: env.j2 - dest: "{{ current_release_appdir }}/.env.local" - mode: 0640 - owner: root - group: "{{ appname }}" - notify: - - clear cache {{ appname }} - - reload php72-fpm {{ appname }} - -- name: Activate the symlink - file: - src: "{{ current_release_appdir }}/" - dest: "{{ current_release_symlink }}" - state: link - -- meta: flush_handlers - -- name: Include post installation tasks - include_role: - name: stepupapp - tasks_from: postinstall 
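Review bot: The bind mount of `/opt/openconext/azuremfa` onto `/var/www/html/config/openconext` in the `Create the container` task is read-write, although that directory only receives files the playbook itself templates (`parameters.yaml` and `institutions.yaml`, both `0640` root:`{{ appname }}`); unless the image is known to write into it, `read_only: true` on both `mounts` entries keeps the container from altering its own configuration, and the same applies to the container tasks in the gateway, ra and selfservice hunks. Separately, `createhome: no` is a YAML 1.1 truthy spelling that ansible-lint flags — `createhome: false` — and this file, unlike the gateway, ra and selfservice ones, has no `---` document start. The mount sources are hard-coded paths while the directories are created from `current_release_config_dir_name` / `current_release_appdir`; presumably the vars loaded from docker.yml resolve to the same location, which is worth confirming since a bind mount with a missing source fails at container creation.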
diff --git a/roles/stepupgateway/tasks/docker.yml b/roles/stepupgateway/tasks/docker.yml
deleted file mode 100644
index c4d604fec..000000000
--- a/roles/stepupgateway/tasks/docker.yml
+++ /dev/null
@@ -1,135 +0,0 @@ ---- -- name: Include docker vars - ansible.builtin.include_vars: docker.yml - -- name: Add group {{ appname }} - ansible.builtin.group: - name: "{{ appname }}" - state: present - register: gateway_guid - -- name: Add user {{ appname }} - ansible.builtin.user: - name: "{{ appname }}" - group: "{{ appname }}" - createhome: no - state: present - register: gateway_uid - -- name: Create some dirs - ansible.builtin.file: - state: directory - dest: "{{ item }}" - owner: root - group: root - mode: "0755" - with_items: - - "{{ current_release_config_dir_name }}" - - "{{ current_release_appdir }}/public/images" - -- name: Install images - ansible.builtin.include_role: - name: stepupapp - tasks_from: copyimages - -- name: Install second factor images - ansible.builtin.include_role: - name: stepupapp - tasks_from: copysfimages - -- name: Place config parameterfiles - ansible.builtin.template: - src: "{{ item }}.yml.j2" - dest: "{{ current_release_config_dir_name }}/{{ item }}.yaml" - mode: "0640" - owner: root - group: "{{ appname }}" - with_items: - - parameters - - samlstepupproviders - - samlstepupproviders_parameters - - global_view_parameters - notify: - - restart {{ appname }} - - # Writing all the SAML keys and certificates. 
Since the gateway is special no need to include it from other roles -- name: Write GateWay SAML SP private key - ansible.builtin.copy: - content: "{{ gateway_saml_sp_privatekey }}" - dest: "{{ current_release_config_file_dir_name }}/sp.key" - owner: "{{ appname }}" - mode: "0400" - -- name: Write SAML SP certificate - ansible.builtin.copy: - src: "{{ inventory_dir }}/files/certs/stepup/gateway_saml_sp.crt" - dest: "{{ current_release_config_file_dir_name }}/sp.crt" - group: "{{ appname }}" - mode: "0640" - -- name: Write GSSP SP private key - ansible.builtin.copy: - content: "{{ gateway_gssp_sp_privatekey }}" - dest: "{{ current_release_config_file_dir_name }}/sp_gssp.key" - owner: "{{ appname }}" - mode: "0400" - -- name: Write GSSP SP certificate - ansible.builtin.copy: - src: "{{ inventory_dir }}/files/certs/stepup/gateway_gssp_sp.crt" - dest: "{{ current_release_config_file_dir_name }}/sp_gssp.crt" - group: "{{ appname }}" - mode: "0640" - -- name: Write SAML IdP private key - ansible.builtin.copy: - content: "{{ gateway_saml_idp_privatekey }}" - dest: "{{ current_release_config_file_dir_name }}/idp.key" - owner: "{{ appname }}" - mode: "0400" - -- name: Write SAML IdP public key - ansible.builtin.copy: - src: "{{ inventory_dir }}/files/certs/stepup/gateway_saml_idp.crt" - dest: "{{ current_release_config_file_dir_name }}/idp.crt" - group: "{{ appname }}" - mode: "0640" - -- name: Write GSSP IdP cert - ansible.builtin.copy: - src: "{{ inventory_dir }}/files/certs/stepup/gateway_gssp_idp.crt" - dest: "{{ current_release_config_file_dir_name }}/idp_gssp.crt" - owner: "{{ appname }}" - mode: "0600" - -- name: Write GSSP IdP key - ansible.builtin.copy: - content: "{{ gateway_gssp_idp_privatekey }}" - dest: "{{ current_release_config_file_dir_name }}/idp_gssp.key" - owner: "{{ appname }}" - mode: "0600" - -- name: Create the container - community.docker.docker_container: - name: "{{ appname }}" - image: ghcr.io/openconext/stepup-gateway/stepup-gateway:{{ 
gateway_version }} - pull: true - restart_policy: "always" - networks: - - name: "loadbalancer" - labels: - traefik.http.routers.gateway.rule: "Host(`{{ gateway_vhost_name }}`)" - traefik.http.routers.gateway.tls: "true" - traefik.enable: "true" - env: - APACHE_UID: "#{{ gateway_uid.uid }}" - APACHE_GUID: "#{{ gateway_guid.gid }}" - APP_ENV: prod - HTTPD_CSP: "" - mounts: - - source: /opt/openconext/gateway/public/images/header-logo.png - target: /var/www/html/public/images/header-logo.png - type: bind - - source: /opt/openconext/gateway/ - target: /var/www/html/config/openconext - type: bind diff --git a/roles/stepupgateway/tasks/main.yml b/roles/stepupgateway/tasks/main.yml index d55b2e516..c4d604fec 100644 --- a/roles/stepupgateway/tasks/main.yml +++ b/roles/stepupgateway/tasks/main.yml 
@@ -1,7 +1,135 @@ -- name: Include docker tasks when running docker - include_tasks: docker.yml - when: "'docker' in group_names" +--- +- name: Include docker vars + ansible.builtin.include_vars: docker.yml -- name: Include vm tasks when running on a vm - include_tasks: vm.yml - when: "'docker' not in group_names" +- name: Add group {{ appname }} + ansible.builtin.group: + name: "{{ appname }}" + state: present + register: gateway_guid + +- name: Add user {{ appname }} + ansible.builtin.user: + name: "{{ appname }}" + group: "{{ appname }}" + createhome: no + state: present + register: gateway_uid + +- name: Create some dirs + ansible.builtin.file: + state: directory + dest: "{{ item }}" + owner: root + group: root + mode: "0755" + with_items: + - "{{ current_release_config_dir_name }}" + - "{{ current_release_appdir }}/public/images" + +- name: Install images + ansible.builtin.include_role: + name: stepupapp + tasks_from: copyimages + +- name: Install second factor images + ansible.builtin.include_role: + name: stepupapp + tasks_from: copysfimages + +- name: Place config parameterfiles + ansible.builtin.template: + src: "{{ item }}.yml.j2" + dest: "{{ current_release_config_dir_name }}/{{ item }}.yaml" + mode: "0640" + owner: root + group: "{{ appname }}" + with_items: + - parameters + - samlstepupproviders + - samlstepupproviders_parameters + - global_view_parameters + notify: + - restart {{ appname }} + + # Writing all the SAML keys and certificates. 
Since the gateway is special no need to include it from other roles +- name: Write GateWay SAML SP private key + ansible.builtin.copy: + content: "{{ gateway_saml_sp_privatekey }}" + dest: "{{ current_release_config_file_dir_name }}/sp.key" + owner: "{{ appname }}" + mode: "0400" + +- name: Write SAML SP certificate + ansible.builtin.copy: + src: "{{ inventory_dir }}/files/certs/stepup/gateway_saml_sp.crt" + dest: "{{ current_release_config_file_dir_name }}/sp.crt" + group: "{{ appname }}" + mode: "0640" + +- name: Write GSSP SP private key + ansible.builtin.copy: + content: "{{ gateway_gssp_sp_privatekey }}" + dest: "{{ current_release_config_file_dir_name }}/sp_gssp.key" + owner: "{{ appname }}" + mode: "0400" + +- name: Write GSSP SP certificate + ansible.builtin.copy: + src: "{{ inventory_dir }}/files/certs/stepup/gateway_gssp_sp.crt" + dest: "{{ current_release_config_file_dir_name }}/sp_gssp.crt" + group: "{{ appname }}" + mode: "0640" + +- name: Write SAML IdP private key + ansible.builtin.copy: + content: "{{ gateway_saml_idp_privatekey }}" + dest: "{{ current_release_config_file_dir_name }}/idp.key" + owner: "{{ appname }}" + mode: "0400" + +- name: Write SAML IdP public key + ansible.builtin.copy: + src: "{{ inventory_dir }}/files/certs/stepup/gateway_saml_idp.crt" + dest: "{{ current_release_config_file_dir_name }}/idp.crt" + group: "{{ appname }}" + mode: "0640" + +- name: Write GSSP IdP cert + ansible.builtin.copy: + src: "{{ inventory_dir }}/files/certs/stepup/gateway_gssp_idp.crt" + dest: "{{ current_release_config_file_dir_name }}/idp_gssp.crt" + owner: "{{ appname }}" + mode: "0600" + +- name: Write GSSP IdP key + ansible.builtin.copy: + content: "{{ gateway_gssp_idp_privatekey }}" + dest: "{{ current_release_config_file_dir_name }}/idp_gssp.key" + owner: "{{ appname }}" + mode: "0600" + +- name: Create the container + community.docker.docker_container: + name: "{{ appname }}" + image: ghcr.io/openconext/stepup-gateway/stepup-gateway:{{ 
gateway_version }} + pull: true + restart_policy: "always" + networks: + - name: "loadbalancer" + labels: + traefik.http.routers.gateway.rule: "Host(`{{ gateway_vhost_name }}`)" + traefik.http.routers.gateway.tls: "true" + traefik.enable: "true" + env: + APACHE_UID: "#{{ gateway_uid.uid }}" + APACHE_GUID: "#{{ gateway_guid.gid }}" + APP_ENV: prod + HTTPD_CSP: "" + mounts: + - source: /opt/openconext/gateway/public/images/header-logo.png + target: /var/www/html/public/images/header-logo.png + type: bind + - source: /opt/openconext/gateway/ + target: /var/www/html/config/openconext + type: bind diff --git a/roles/stepupgateway/tasks/vm.yml b/roles/stepupgateway/tasks/vm.yml deleted file mode 100644 index 52f24b95a..000000000 --- a/roles/stepupgateway/tasks/vm.yml +++ /dev/null 
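Review bot: The `Write GateWay SAML SP private key`, `Write GSSP SP private key`, `Write SAML IdP private key` and `Write GSSP IdP key` tasks render key material through `content:` without `no_log: true`, so a run with `--diff` or high verbosity may print the private keys into the play log; add `no_log: true` to each of those four tasks. The `Write GSSP IdP cert` task writes a public certificate as `0600` owned by `{{ appname }}`, while the other `.crt` files are `0640` with `group: "{{ appname }}"` and no owner — aligning it with the others is a consistency point unless the difference is intentional. `HTTPD_CSP: ""` in the container env deserves a comment such as `# empty on purpose — TODO(review): document why the image's default CSP is not used here`, because if the image maps this variable to a Content-Security-Policy header, an empty value switches that protection off.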
@@ -1,125 +0,0 @@ -- name: Install Apache and FPM config - include_role: - name: apachefpm - -- name: Install the symfony app - include_role: - name: stepupapp - -- name: Install images - include_role: - name: stepupapp - tasks_from: copyimages - -- name: Install second factor images - include_role: - name: stepupapp - tasks_from: copysfimages - -- name: Place config parameterfiles - template: - src: "{{ item }}.yml.j2" - dest: "{{ current_release_config_dir_name }}/{{ item }}.yaml" - mode: 0640 - owner: root - group: "{{ appname }}" - with_items: - - parameters - - samlstepupproviders - - samlstepupproviders_parameters - - global_view_parameters - notify: - - clear cache {{ appname }} - - reload php72-fpm {{ appname }} - -- name: Place .env file - template: - src: env.j2 - dest: "{{ current_release_appdir }}/.env.local" - mode: 0640 - owner: root - group: "{{ appname }}" - notify: - - clear cache {{ appname }} - - reload php72-fpm {{ appname }} - -# Writing all the SAML keys and certificates. 
Since the gateway is special no need to include it from other roles -- name: Write GateWay SAML SP private key - copy: - content: "{{ gateway_saml_sp_privatekey }}" - dest: "{{ current_release_config_file_dir_name }}/sp.key" - owner: "{{ appname }}" - mode: 0400 - -- name: Write SAML SP certificate - copy: - src: "{{ inventory_dir }}/files/certs/stepup/gateway_saml_sp.crt" - dest: "{{ current_release_config_file_dir_name }}/sp.crt" - group: "{{ appname }}" - mode: 0640 - -- name: Write GSSP SP private key - copy: - content: "{{ gateway_gssp_sp_privatekey }}" - dest: "{{ current_release_config_file_dir_name }}/sp_gssp.key" - owner: "{{ appname }}" - mode: 0400 - -- name: Write GSSP SP certificate - copy: - src: "{{ inventory_dir }}/files/certs/stepup/gateway_gssp_sp.crt" - dest: "{{ current_release_config_file_dir_name }}/sp_gssp.crt" - group: "{{ appname }}" - mode: 0640 - -- name: Write SAML IdP private key - copy: - content: "{{ gateway_saml_idp_privatekey }}" - dest: "{{ current_release_config_file_dir_name }}/idp.key" - owner: "{{ appname }}" - mode: 0400 - -- name: Write SAML IdP public key - copy: - src: "{{ inventory_dir }}/files/certs/stepup/gateway_saml_idp.crt" - dest: "{{ current_release_config_file_dir_name }}/idp.crt" - group: "{{ appname }}" - mode: 0640 - -- name: Write GSSP IdP cert - copy: - src: "{{ inventory_dir }}/files/certs/stepup/gateway_gssp_idp.crt" - dest: "{{ current_release_config_file_dir_name }}/idp_gssp.crt" - owner: "{{ appname }}" - mode: 0600 - -- name: Write GSSP IdP key - copy: - content: "{{ gateway_gssp_idp_privatekey }}" - dest: "{{ current_release_config_file_dir_name }}/idp_gssp.key" - owner: "{{ appname }}" - mode: 0600 - -- name: Activate the symlink - file: - src: "{{ current_release_appdir }}/" - dest: "{{ current_release_symlink }}" - state: link - -- name: Remove gateway database db_migrate script from /root/ - file: - path: "/root/01-gateway-db_migrate.sh" - state: absent - -- name: Put logout.php in public - 
template: - src: "logout.php.j2" - dest: "{{ current_release_appdir }}/public/logout.php" - mode: "444" - -- meta: flush_handlers - -- name: Include post installation tasks - include_role: - name: stepupapp - tasks_from: postinstall diff --git a/roles/stepupra/tasks/docker.yml b/roles/stepupra/tasks/docker.yml deleted file mode 100644 index db580ef93..000000000 --- a/roles/stepupra/tasks/docker.yml +++ /dev/null 
@@ -1,81 +0,0 @@ ---- -- name: Include docker vars - ansible.builtin.include_vars: docker.yml - -- name: Add group {{ appname }} - ansible.builtin.group: - name: "{{ appname }}" - state: present - register: ra_guid - -- name: Add user {{ appname }} - ansible.builtin.user: - name: "{{ appname }}" - group: "{{ appname }}" - createhome: no - state: present - register: ra_uid - -- name: Create some dirs - ansible.builtin.file: - state: directory - dest: "{{ item }}" - owner: root - group: root - mode: "0755" - with_items: - - "{{ current_release_config_dir_name }}" - - "{{ current_release_appdir }}/public/images" - -- name: Install images - ansible.builtin.include_role: - name: stepupapp - tasks_from: copyimages - -- name: Install GSSP SP key and certificates - ansible.builtin.include_role: - name: stepupapp - tasks_from: copygsspspcerts - -- name: Install SAML SP key and certificates - ansible.builtin.include_role: - name: stepupapp - tasks_from: copyspcerts - -- name: Put parameters, samlstepupproviders, samlstepupproviders_parameters and global_view_parameters YAML config - ansible.builtin.template: - src: "{{ item }}.yml.j2" - dest: "{{ current_release_config_dir_name }}/{{ item }}.yaml" - mode: "0640" - group: "{{ appname }}" - with_items: - - parameters - - samlstepupproviders - - samlstepupproviders_parameters - - global_view_parameters - notify: - - restart {{ appname }} - -- name: Create the container - community.docker.docker_container: - name: "{{ appname }}" - image: ghcr.io/openconext/stepup-ra/stepup-ra:{{ ra_version }} - pull: true - restart_policy: "always" - networks: - - name: "loadbalancer" - labels: - traefik.http.routers.ra.rule: "Host(`{{ ra_vhost_name }}`)" - traefik.http.routers.ra.tls: "true" - traefik.enable: "true" - env: - APACHE_UID: "#{{ ra_uid.uid }}" - APACHE_GUID: "#{{ ra_guid.gid }}" - APP_ENV: prod - mounts: - - source: /opt/openconext/ra/public/images/header-logo.png - target: /var/www/html/public/build/images/header-logo.png - type: 
bind - - source: /opt/openconext/ra - target: /var/www/html/config/openconext - type: bind diff --git a/roles/stepupra/tasks/main.yml b/roles/stepupra/tasks/main.yml index d55b2e516..db580ef93 100644 --- a/roles/stepupra/tasks/main.yml +++ b/roles/stepupra/tasks/main.yml 
@@ -1,7 +1,81 @@ -- name: Include docker tasks when running docker - include_tasks: docker.yml - when: "'docker' in group_names" +--- +- name: Include docker vars + ansible.builtin.include_vars: docker.yml -- name: Include vm tasks when running on a vm - include_tasks: vm.yml - when: "'docker' not in group_names" +- name: Add group {{ appname }} + ansible.builtin.group: + name: "{{ appname }}" + state: present + register: ra_guid + +- name: Add user {{ appname }} + ansible.builtin.user: + name: "{{ appname }}" + group: "{{ appname }}" + createhome: no + state: present + register: ra_uid + +- name: Create some dirs + ansible.builtin.file: + state: directory + dest: "{{ item }}" + owner: root + group: root + mode: "0755" + with_items: + - "{{ current_release_config_dir_name }}" + - "{{ current_release_appdir }}/public/images" + +- name: Install images + ansible.builtin.include_role: + name: stepupapp + tasks_from: copyimages + +- name: Install GSSP SP key and certificates + ansible.builtin.include_role: + name: stepupapp + tasks_from: copygsspspcerts + +- name: Install SAML SP key and certificates + ansible.builtin.include_role: + name: stepupapp + tasks_from: copyspcerts + +- name: Put parameters, samlstepupproviders, samlstepupproviders_parameters and global_view_parameters YAML config + ansible.builtin.template: + src: "{{ item }}.yml.j2" + dest: "{{ current_release_config_dir_name }}/{{ item }}.yaml" + mode: "0640" + group: "{{ appname }}" + with_items: + - parameters + - samlstepupproviders + - samlstepupproviders_parameters + - global_view_parameters + notify: + - restart {{ appname }} + +- name: Create the container + community.docker.docker_container: + name: "{{ appname }}" + image: ghcr.io/openconext/stepup-ra/stepup-ra:{{ ra_version }} + pull: true + restart_policy: "always" + networks: + - name: "loadbalancer" + labels: + traefik.http.routers.ra.rule: "Host(`{{ ra_vhost_name }}`)" + traefik.http.routers.ra.tls: "true" + traefik.enable: "true" + env: + 
APACHE_UID: "#{{ ra_uid.uid }}" + APACHE_GUID: "#{{ ra_guid.gid }}" + APP_ENV: prod + mounts: + - source: /opt/openconext/ra/public/images/header-logo.png + target: /var/www/html/public/build/images/header-logo.png + type: bind + - source: /opt/openconext/ra + target: /var/www/html/config/openconext + type: bind diff --git a/roles/stepupra/tasks/vm.yml b/roles/stepupra/tasks/vm.yml deleted file mode 100644 index e3e4e242d..000000000 --- a/roles/stepupra/tasks/vm.yml +++ /dev/null @@ -1,55 +0,0 @@ -- name: Install Apache and FPM config - include_role: - name: apachefpm - -- name: Install the symfony app - include_role: - name: stepupapp - -- name: Install GSSP SP key and certificates - include_role: - name: stepupapp - tasks_from: copygsspspcerts - -- name: Install SAML SP key and certificates - include_role: - name: stepupapp - tasks_from: copyspcerts - -- name: Install images - include_role: - name: stepupapp - tasks_from: copyimages - -- name: Install second factor images - include_role: - name: stepupapp - tasks_from: copysfimages - -- name: Put parameters, samlstepupproviders, samlstepupproviders_parameters and global_view_parameters YAML config - template: - src: "{{ item }}.yml.j2" - dest: "{{ current_release_config_dir_name }}/{{ item }}.yaml" - mode: 0640 - group: "{{ appname }}" - with_items: - - parameters - - samlstepupproviders - - samlstepupproviders_parameters - - global_view_parameters - notify: - - clear cache {{ appname }} - - reload php72-fpm {{ appname }} - -- name: Activate the symlink - file: - src: "{{ current_release_appdir }}/" - dest: "{{ current_release_symlink }}" - state: link - -- meta: flush_handlers - -- name: Include post installation tasks - include_role: - name: stepupapp - tasks_from: postinstall diff --git a/roles/stepupselfservice/tasks/docker.yml b/roles/stepupselfservice/tasks/docker.yml deleted file mode 100644 index 77855882c..000000000 --- a/roles/stepupselfservice/tasks/docker.yml +++ /dev/null 
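Review bot: The new main.yml does not include `stepupapp`'s `copysfimages` task file, which the removed vm.yml ran as `Install second factor images`; if the RA image does not ship those images itself, the docker-only path leaves a functional gap — confirm, and note the selfservice hunk has the same omission. The `Put parameters, samlstepupproviders, ...` template task sets `group: "{{ appname }}"` and `mode: "0640"` but no `owner:`, unlike the equivalent task in the gateway hunk which pins `owner: root`; adding `owner: root` makes the ownership of the rendered config explicit instead of inherited from the account running the play. The selfservice hunk's template task has the same missing `owner:`.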
@@ -1,83 +0,0 @@ ---- -- name: Include docker vars - ansible.builtin.include_vars: docker.yml - -- name: Add group {{ appname }} - ansible.builtin.group: - name: "{{ appname }}" - state: present - register: selfservice_guid - -- name: Add user {{ appname }} - ansible.builtin.user: - name: "{{ appname }}" - group: "{{ appname }}" - createhome: no - state: present - register: selfservice_uid - -- name: Create some dirs - ansible.builtin.file: - state: directory - dest: "{{ item }}" - owner: root - group: root - mode: "0755" - with_items: - - "{{ current_release_config_dir_name }}" - - "{{ current_release_appdir }}/public/images" - -- name: Install images - ansible.builtin.include_role: - name: stepupapp - tasks_from: copyimages - -- name: Install GSSP SP key and certificates - ansible.builtin.include_role: - name: stepupapp - tasks_from: copygsspspcerts - -- name: Install SAML SP key and certificates - ansible.builtin.include_role: - name: stepupapp - tasks_from: copyspcerts - -- name: Put parameters, samlstepupproviders, samlstepupproviders_parameters and global_view_parameters YAML config - ansible.builtin.template: - src: "{{ item }}.yml.j2" - dest: "{{ current_release_config_dir_name }}/{{ item }}.yaml" - mode: "0640" - group: "{{ appname }}" - with_items: - - parameters - - samlstepupproviders - - samlstepupproviders_parameters - - global_view_parameters - notify: - - restart {{ appname }} - -- name: Create the container - community.docker.docker_container: - name: "{{ appname }}" - image: ghcr.io/openconext/stepup-selfservice/stepup-selfservice:{{ selfservice_version }} - etc_hosts: - host.docker.internal: host-gateway - pull: true - restart_policy: "always" - networks: - - name: "loadbalancer" - labels: - traefik.http.routers.selfservice.rule: "Host(`{{ selfservice_vhost_name }}`)" - traefik.http.routers.selfservice.tls: "true" - traefik.enable: "true" - env: - APACHE_UID: "#{{ selfservice_uid.uid }}" - APACHE_GUID: "#{{ selfservice_guid.gid }}" - APP_ENV: 
prod - mounts: - - source: /opt/openconext/selfservice/public/images/header-logo.png - target: /var/www/html/public/build/images/logo/header-logo.png - type: bind - - source: /opt/openconext/selfservice - target: /var/www/html/config/openconext - type: bind diff --git a/roles/stepupselfservice/tasks/main.yml b/roles/stepupselfservice/tasks/main.yml index 99c08d6a4..77855882c 100644 --- a/roles/stepupselfservice/tasks/main.yml +++ b/roles/stepupselfservice/tasks/main.yml 
@@ -1,7 +1,83 @@ -- name: Include docker tasks when running docker - include_tasks: docker.yml - when: "'docker' in group_names" +--- +- name: Include docker vars + ansible.builtin.include_vars: docker.yml -- name: Include docker tasks when running docker - include_tasks: vm.yml - when: "'docker' not in group_names" +- name: Add group {{ appname }} + ansible.builtin.group: + name: "{{ appname }}" + state: present + register: selfservice_guid + +- name: Add user {{ appname }} + ansible.builtin.user: + name: "{{ appname }}" + group: "{{ appname }}" + createhome: no + state: present + register: selfservice_uid + +- name: Create some dirs + ansible.builtin.file: + state: directory + dest: "{{ item }}" + owner: root + group: root + mode: "0755" + with_items: + - "{{ current_release_config_dir_name }}" + - "{{ current_release_appdir }}/public/images" + +- name: Install images + ansible.builtin.include_role: + name: stepupapp + tasks_from: copyimages + +- name: Install GSSP SP key and certificates + ansible.builtin.include_role: + name: stepupapp + tasks_from: copygsspspcerts + +- name: Install SAML SP key and certificates + ansible.builtin.include_role: + name: stepupapp + tasks_from: copyspcerts + +- name: Put parameters, samlstepupproviders, samlstepupproviders_parameters and global_view_parameters YAML config + ansible.builtin.template: + src: "{{ item }}.yml.j2" + dest: "{{ current_release_config_dir_name }}/{{ item }}.yaml" + mode: "0640" + group: "{{ appname }}" + with_items: + - parameters + - samlstepupproviders + - samlstepupproviders_parameters + - global_view_parameters + notify: + - restart {{ appname }} + +- name: Create the container + community.docker.docker_container: + name: "{{ appname }}" + image: ghcr.io/openconext/stepup-selfservice/stepup-selfservice:{{ selfservice_version }} + etc_hosts: + host.docker.internal: host-gateway + pull: true + restart_policy: "always" + networks: + - name: "loadbalancer" + labels: + 
traefik.http.routers.selfservice.rule: "Host(`{{ selfservice_vhost_name }}`)" + traefik.http.routers.selfservice.tls: "true" + traefik.enable: "true" + env: + APACHE_UID: "#{{ selfservice_uid.uid }}" + APACHE_GUID: "#{{ selfservice_guid.gid }}" + APP_ENV: prod + mounts: + - source: /opt/openconext/selfservice/public/images/header-logo.png + target: /var/www/html/public/build/images/logo/header-logo.png + type: bind + - source: /opt/openconext/selfservice + target: /var/www/html/config/openconext + type: bind diff --git a/roles/stepupselfservice/tasks/vm.yml b/roles/stepupselfservice/tasks/vm.yml deleted file mode 100644 index c8f38280f..000000000 --- a/roles/stepupselfservice/tasks/vm.yml +++ /dev/null @@ -1,55 +0,0 @@ -- name: Install Apache and FPM config - include_role: - name: apachefpm - -- name: Install the symfony app - include_role: - name: stepupapp - -- name: Install GSSP SP key and certificates - include_role: - name: stepupapp - tasks_from: copygsspspcerts - -- name: Install SAML SP key and certificates - include_role: - name: stepupapp - tasks_from: copyspcerts - -- name: Install images - include_role: - name: stepupapp - tasks_from: copyimages - -- name: Install images - include_role: - name: stepupapp - tasks_from: copysfimages - -- name: Put parameters, samlstepupproviders, samlstepupproviders_parameters and global_view_parameters YAML config - template: - src: "{{ item }}.yml.j2" - dest: "{{ current_release_config_dir_name }}/{{ item }}.yaml" - mode: 0640 - group: "{{ appname }}" - with_items: - - parameters - - samlstepupproviders - - samlstepupproviders_parameters - - global_view_parameters - notify: - - clear cache {{ appname }} - - reload php72-fpm {{ appname }} - -- name: Activate the symlink - file: - src: "{{ current_release_appdir }}/" - dest: "{{ current_release_symlink }}" - state: link - -- meta: flush_handlers - -- name: Include post installation tasks - include_role: - name: stepupapp - tasks_from: postinstall 
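Review bot: `etc_hosts: host.docker.internal: host-gateway` in the `Create the container` task gives this container a resolvable name for the docker host, which none of the other stepup containers in this commit receive, and nothing in the hunk says which host-side service selfservice reaches through it. A comment on that line, e.g. `# host.docker.internal: needed to reach <service> on the docker host — TODO(review): confirm`, would let a later reader judge whether the host exposure is still required; if the host service is no longer used, the entry should be dropped rather than carried over.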
diff --git a/roles/stepuptiqr/tasks/docker.yml b/roles/stepuptiqr/tasks/docker.yml
deleted file mode 100644
index 7095cffab..000000000
--- a/roles/stepuptiqr/tasks/docker.yml
+++ /dev/null
@@ -1,87 +0,0 @@ -- name: Include docker vars - ansible.builtin.include_vars: docker.yml - -- name: Add group {{ appname }} - ansible.builtin.group: - name: "{{ appname }}" - state: present - register: tiqr_guid - -- name: Add user {{ appname }} - ansible.builtin.user: - name: "{{ appname }}" - group: "{{ appname }}" - createhome: no - state: present - register: tiqr_uid - -- name: Create some dirs - ansible.builtin.file: - state: directory - dest: "{{ item }}" - owner: root - group: root - mode: "0755" - with_items: - - "{{ current_release_config_dir_name }}" - - "{{ current_release_appdir }}/public/images" - -- name: Install images - ansible.builtin.include_role: - name: stepupapp - tasks_from: copyimages - -- name: Install GSSP IdP key and certificates - ansible.builtin.include_role: - name: stepupapp - tasks_from: copygsspidpcerts - -- name: Write tiqr APNS certificate - ansible.builtin.copy: - content: "{{ tiqr_apns_pemfile }}" - dest: "{{ current_release_config_file_dir_name }}/apns.pem" - owner: "{{ appname }}" - mode: "0400" - when: tiqr_apns_pemfile is defined - -- name: Write tiqr Firebase service json - copy: - src: "{{ inventory_dir }}/secrets/stepup/tiqr-demo.json" - dest: "{{ current_release_config_file_dir_name }}/tiqr-demo.json" - owner: "{{ appname }}" - mode: 0400 - when: tiqr_firebase_credentialsfile is defined - -- name: Place parameters.yml - ansible.builtin.template: - src: parameters.yaml.j2 - dest: "{{ current_release_config_dir_name }}/parameters.yaml" - mode: "0640" - owner: root - group: "{{ appname }}" - notify: - - restart tiqr - -- name: Create the container - community.docker.docker_container: - name: "{{ appname }}" - image: ghcr.io/openconext/stepup-tiqr/stepup-tiqr:{{ tiqr_version }} - pull: true - restart_policy: "always" - networks: - - name: "loadbalancer" - labels: - traefik.http.routers.tiqr.rule: "Host(`tiqr.{{ base_domain }}`)" - traefik.http.routers.tiqr.tls: "true" - traefik.enable: "true" - env: - APACHE_UID: "#{{ 
tiqr_uid.uid }}" - APACHE_GUID: "#{{ tiqr_guid.gid }}" - APP_ENV: prod - mounts: - - source: /opt/openconext/tiqr/public/images/header-logo.png - target: /var/www/html/public/build/images/logo/header-logo.png - type: bind - - source: /opt/openconext/tiqr - target: /var/www/html/config/openconext - type: bind diff --git a/roles/stepuptiqr/tasks/main.yml b/roles/stepuptiqr/tasks/main.yml index a91ecdb8c..7095cffab 100644 --- a/roles/stepuptiqr/tasks/main.yml +++ b/roles/stepuptiqr/tasks/main.yml 
@@ -1,7 +1,87 @@
-- name: Include docker tasks when running docker
- ansible.builtin.include_tasks: docker.yml
- when: "'docker' in group_names"
+- name: Include docker vars
+ ansible.builtin.include_vars: docker.yml
-- name: Include vm tasks when running on a vm
- ansible.builtin.include_tasks: vm.yml
- when: "'docker' not in group_names"
+- name: Add group {{ appname }}
+ ansible.builtin.group:
+ name: "{{ appname }}"
+ state: present
+ register: tiqr_guid
+
+- name: Add user {{ appname }}
+ ansible.builtin.user:
+ name: "{{ appname }}"
+ group: "{{ appname }}"
+ createhome: no
+ state: present
+ register: tiqr_uid
+
+- name: Create some dirs
+ ansible.builtin.file:
+ state: directory
+ dest: "{{ item }}"
+ owner: root
+ group: root
+ mode: "0755"
+ with_items:
+ - "{{ current_release_config_dir_name }}"
+ - "{{ current_release_appdir }}/public/images"
+
+- name: Install images
+ ansible.builtin.include_role:
+ name: stepupapp
+ tasks_from: copyimages
+
+- name: Install GSSP IdP key and certificates
+ ansible.builtin.include_role:
+ name: stepupapp
+ tasks_from: copygsspidpcerts
+
+- name: Write tiqr APNS certificate
+ ansible.builtin.copy:
+ content: "{{ tiqr_apns_pemfile }}"
+ dest: "{{ current_release_config_file_dir_name }}/apns.pem"
+ owner: "{{ appname }}"
+ mode: "0400"
+ when: tiqr_apns_pemfile is defined
+
+- name: Write tiqr Firebase service json
+ copy:
+ src: "{{ inventory_dir }}/secrets/stepup/tiqr-demo.json"
+ dest: "{{ current_release_config_file_dir_name }}/tiqr-demo.json"
+ owner: "{{ appname }}"
+ mode: 0400
+ when: tiqr_firebase_credentialsfile is defined
+
+- name: Place parameters.yml
+ ansible.builtin.template:
+ src: parameters.yaml.j2
+ dest: "{{ current_release_config_dir_name }}/parameters.yaml"
+ mode: "0640"
+ owner: root
+ group: "{{ appname }}"
+ notify:
+ - restart tiqr
+
+- name: Create the container
+ community.docker.docker_container:
+ name: "{{ appname }}"
+ image: ghcr.io/openconext/stepup-tiqr/stepup-tiqr:{{ tiqr_version }}
+ pull: true
+ restart_policy: "always"
+ networks:
+ - name: "loadbalancer"
+ labels:
+ traefik.http.routers.tiqr.rule: "Host(`tiqr.{{ base_domain }}`)"
+ traefik.http.routers.tiqr.tls: "true"
+ traefik.enable: "true"
+ env:
+ APACHE_UID: "#{{ tiqr_uid.uid }}"
+ APACHE_GUID: "#{{ tiqr_guid.gid }}"
+ APP_ENV: prod
+ mounts:
+ - source: /opt/openconext/tiqr/public/images/header-logo.png
+ target: /var/www/html/public/build/images/logo/header-logo.png
+ type: bind
+ - source: /opt/openconext/tiqr
+ target: /var/www/html/config/openconext
+ type: bind
diff --git a/roles/stepuptiqr/tasks/vm.yml b/roles/stepuptiqr/tasks/vm.yml
deleted file mode 100644
index 4bbb1dd74..000000000
--- a/roles/stepuptiqr/tasks/vm.yml
+++ /dev/null
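Review bot: The `Write tiqr Firebase service json` task is guarded by `when: tiqr_firebase_credentialsfile is defined` but never uses that variable; it always copies the hard-coded `{{ inventory_dir }}/secrets/stepup/tiqr-demo.json`, so an inventory that points the variable at its own service-account file silently ships the demo credentials into the container's config mount (or the play fails when that demo file is absent). Make the source follow the guard: `src: "{{ tiqr_firebase_credentialsfile }}"`. While there, use `ansible.builtin.copy` and a quoted `mode: "0400"` to match the APNS task directly above it — the bare `0400` is the YAML 1.1 octal-int form that ansible-lint warns about. If the demo path really is intended for every environment, a task comment saying so would stop the guard from reading as if the variable selects the file.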
@@ -1,85 +0,0 @@ -- debug: - msg: "{{ tiqr_statestorage }}" - -- name: Install Apache and FPM config - include_role: - name: apachefpm - -- name: Install the symfony app - include_role: - name: stepupapp - -- name: Install images - include_role: - name: stepupapp - tasks_from: copyimages - -- name: Install the GSSP certificates - include_role: - name: stepupapp - tasks_from: copygsspidpcerts - -- name: Write tiqr APNS certificate - copy: - content: "{{ tiqr_apns_pemfile }}" - dest: "{{ current_release_config_file_dir_name }}/apns.pem" - owner: "{{ appname }}" - mode: 0400 - when: tiqr_apns_pemfile is defined - -- name: Place parameters.yml - template: - src: parameters.yaml.j2 - dest: "{{ current_release_config_dir_name }}/parameters.yaml" - mode: 0640 - owner: root - group: "{{ appname }}" - notify: - - clear cache {{ appname }} - - reload php72-fpm {{ appname }} - -- name: Place .env file - template: - src: env.j2 - dest: "{{ current_release_appdir }}/.env.local" - mode: 0640 - owner: root - group: "{{ appname }}" - notify: clear cache {{ appname }} - -- name: Install assets - command: php72 {{ current_release_appdir }}/bin/console assets:install - -- name: Activate the symlink - file: - src: "{{ current_release_appdir }}" - dest: "{{ current_release_symlink }}" - state: link - -- name: Put tiqr configuration script in /root/ - template: - src: "{{ item }}.j2" - dest: "/root/{{ item }}" - group: root - owner: root - mode: "0500" - with_items: - - "01-tiqr-db_init.sh" - -- name: Put tiqr keyserver migration script in /root/ - template: - src: "{{ item }}.j2" - dest: "/root/{{ item }}" - group: root - owner: root - mode: "500" - with_items: - - "02-tiqr-migrate-to-keyserver.php" - when: keyserver_consumerkey is defined - -- meta: flush_handlers - -- name: Include post installation tasks - include_role: - name: stepupapp - tasks_from: postinstall 
diff --git a/roles/stepupwebauthn/tasks/docker.yml b/roles/stepupwebauthn/tasks/docker.yml deleted file mode 100644 index ec04bc7d6..000000000 --- a/roles/stepupwebauthn/tasks/docker.yml +++ /dev/null 
@@ -1,121 +0,0 @@ -- name: Include docker vars - ansible.builtin.include_vars: docker.yml - -- name: Add group {{ appname }} - ansible.builtin.group: - name: "{{ appname }}" - state: present - register: webauthn_guid - -- name: Add user {{ appname }} - ansible.builtin.user: - name: "{{ appname }}" - group: "{{ appname }}" - createhome: no - state: present - register: webauthn_uid - -- name: Create some dirs - ansible.builtin.file: - state: directory - dest: "{{ item }}" - owner: root - group: root - mode: "0755" - with_items: - - "{{ current_release_config_dir_name }}" - - "{{ current_release_appdir }}/public/images" - -- name: Install images - ansible.builtin.include_role: - name: stepupapp - tasks_from: copyimages - -- name: Install the GSSP certificates - ansible.builtin.include_role: - name: stepupapp - tasks_from: copygsspidpcerts - -- name: Create the metadata service dir - ansible.builtin.file: - state: directory - dest: "{{ item }}" - owner: root - mode: "0755" - with_items: - - "{{ current_release_config_file_dir_name }}/mds" - -- name: Create and empty the metadata service cache dir - ansible.builtin.file: - state: "{{ item }}" - path: "{{ current_release_config_file_dir_name }}/var/mds/" - owner: root - group: "{{ appname }}" - mode: "0774" - with_items: - - absent - - directory - -- name: Download metadata service blob - ansible.builtin.get_url: - url: https://mds3.fidoalliance.org/ - dest: "{{ current_release_config_file_dir_name }}/mds/blob.jwt" - mode: '0744' - force: true - -- name: Download metadata service signing certificate - ansible.builtin.get_url: - url: http://secure.globalsign.com/cacert/root-r3.crt - dest: "{{ current_release_config_file_dir_name }}/mds/fido2-mds.cer" - mode: '0744' - force: true - -- name: Place parameters.yml - ansible.builtin.template: - src: parameters.yml.j2 - dest: "{{ current_release_config_dir_name }}/parameters.yaml" - mode: "0640" - owner: root - group: "{{ appname }}" - notify: restart webauthn - -# - name: Copy 
trusted certificates -# ansible.builtin.copy: -# src: "{{ item }}" -# dest: "{{ current_release_config_file_dir_name }}/trusted_certificates/" -# mode: "444" -# with_fileglob: -# - "{{ inventory_dir }}/files/stepup-webauthn/trusted_certificates/*" - -- name: Put webauthn configuration script in /root/ - ansible.builtin.template: - src: "{{ item }}.j2" - dest: "/root/{{ item }}" - group: root - owner: root - mode: "0500" - with_items: - - "01-webauthn-db_init.sh" - -- name: Create the container - community.docker.docker_container: - name: "{{ appname }}" - image: ghcr.io/openconext/stepup-webauthn/stepup-webauthn:{{ webauthn_version }} - pull: true - restart_policy: "always" - networks: - - name: "loadbalancer" - labels: - traefik.http.routers.webauthn.rule: "Host(`webauthn.{{ base_domain }}`)" - traefik.http.routers.webauthn.tls: "true" - traefik.enable: "true" - env: - APACHE_UID: "#{{ webauthn_uid.uid }}" - APACHE_GUID: "#{{ webauthn_guid.gid }}" - mounts: - - source: /opt/openconext/webauthn/public/images/header-logo.png - target: /var/www/html/public/build/images/logo/header-logo.png - type: bind - - source: /opt/openconext/webauthn - target: /var/www/html/config/openconext - type: bind diff --git a/roles/stepupwebauthn/tasks/main.yml b/roles/stepupwebauthn/tasks/main.yml index 99c08d6a4..ec04bc7d6 100644 --- a/roles/stepupwebauthn/tasks/main.yml +++ b/roles/stepupwebauthn/tasks/main.yml 
@@ -1,7 +1,121 @@
-- name: Include docker tasks when running docker
- include_tasks: docker.yml
- when: "'docker' in group_names"
+- name: Include docker vars
+ ansible.builtin.include_vars: docker.yml
-- name: Include docker tasks when running docker
- include_tasks: vm.yml
- when: "'docker' not in group_names"
+- name: Add group {{ appname }}
+ ansible.builtin.group:
+ name: "{{ appname }}"
+ state: present
+ register: webauthn_guid
+
+- name: Add user {{ appname }}
+ ansible.builtin.user:
+ name: "{{ appname }}"
+ group: "{{ appname }}"
+ createhome: no
+ state: present
+ register: webauthn_uid
+
+- name: Create some dirs
+ ansible.builtin.file:
+ state: directory
+ dest: "{{ item }}"
+ owner: root
+ group: root
+ mode: "0755"
+ with_items:
+ - "{{ current_release_config_dir_name }}"
+ - "{{ current_release_appdir }}/public/images"
+
+- name: Install images
+ ansible.builtin.include_role:
+ name: stepupapp
+ tasks_from: copyimages
+
+- name: Install the GSSP certificates
+ ansible.builtin.include_role:
+ name: stepupapp
+ tasks_from: copygsspidpcerts
+
+- name: Create the metadata service dir
+ ansible.builtin.file:
+ state: directory
+ dest: "{{ item }}"
+ owner: root
+ mode: "0755"
+ with_items:
+ - "{{ current_release_config_file_dir_name }}/mds"
+
+- name: Create and empty the metadata service cache dir
+ ansible.builtin.file:
+ state: "{{ item }}"
+ path: "{{ current_release_config_file_dir_name }}/var/mds/"
+ owner: root
+ group: "{{ appname }}"
+ mode: "0774"
+ with_items:
+ - absent
+ - directory
+
+- name: Download metadata service blob
+ ansible.builtin.get_url:
+ url: https://mds3.fidoalliance.org/
+ dest: "{{ current_release_config_file_dir_name }}/mds/blob.jwt"
+ mode: '0744'
+ force: true
+
+- name: Download metadata service signing certificate
+ ansible.builtin.get_url:
+ url: http://secure.globalsign.com/cacert/root-r3.crt
+ dest: "{{ current_release_config_file_dir_name }}/mds/fido2-mds.cer"
+ mode: '0744'
+ force: true
+
+- name: Place parameters.yml
+ ansible.builtin.template:
+ src: parameters.yml.j2
+ dest: "{{ current_release_config_dir_name }}/parameters.yaml"
+ mode: "0640"
+ owner: root
+ group: "{{ appname }}"
+ notify: restart webauthn
+
+# - name: Copy trusted certificates
+# ansible.builtin.copy:
+# src: "{{ item }}"
+# dest: "{{ current_release_config_file_dir_name }}/trusted_certificates/"
+# mode: "444"
+# with_fileglob:
+# - "{{ inventory_dir }}/files/stepup-webauthn/trusted_certificates/*"
+
+- name: Put webauthn configuration script in /root/
+ ansible.builtin.template:
+ src: "{{ item }}.j2"
+ dest: "/root/{{ item }}"
+ group: root
+ owner: root
+ mode: "0500"
+ with_items:
+ - "01-webauthn-db_init.sh"
+
+- name: Create the container
+ community.docker.docker_container:
+ name: "{{ appname }}"
+ image: ghcr.io/openconext/stepup-webauthn/stepup-webauthn:{{ webauthn_version }}
+ pull: true
+ restart_policy: "always"
+ networks:
+ - name: "loadbalancer"
+ labels:
+ traefik.http.routers.webauthn.rule: "Host(`webauthn.{{ base_domain }}`)"
+ traefik.http.routers.webauthn.tls: "true"
+ traefik.enable: "true"
+ env:
+ APACHE_UID: "#{{ webauthn_uid.uid }}"
+ APACHE_GUID: "#{{ webauthn_guid.gid }}"
+ mounts:
+ - source: /opt/openconext/webauthn/public/images/header-logo.png
+ target: /var/www/html/public/build/images/logo/header-logo.png
+ type: bind
+ - source: /opt/openconext/webauthn
+ target: /var/www/html/config/openconext
+ type: bind
diff --git a/roles/stepupwebauthn/tasks/vm.yml b/roles/stepupwebauthn/tasks/vm.yml
deleted file mode 100644
index cd4e8e993..000000000
--- a/roles/stepupwebauthn/tasks/vm.yml
+++ /dev/null
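Review bot: The `Download metadata service signing certificate` task fetches the FIDO MDS trust root from `http://secure.globalsign.com/cacert/root-r3.crt` over plain HTTP with `force: true`, so every run re-downloads an unauthenticated file that presumably anchors verification of the `blob.jwt` fetched in the task just above; an on-path attacker who swaps that root can then pass a forged metadata blob, and with it forged authenticator trust data, as genuine. Use the HTTPS URL and pin the content, e.g. `url: https://secure.globalsign.com/cacert/root-r3.crt` plus `checksum: "sha256:<digest of the expected root certificate>"`, or better still vendor the root certificate under the role's files/ and install it with `ansible.builtin.copy`, since a root CA changes rarely and should not be fetched at deploy time at all. The `Copy trusted certificates` task is carried over commented out, so whatever the old vm.yml installed from `files/stepup-webauthn/trusted_certificates/` is no longer deployed; either re-enable it or delete the dead block so nobody assumes those certificates are still in place. Also note this container's `env` omits the `APP_ENV: prod` that the sibling tiqr role sets — worth confirming the image defaults to prod rather than a dev/debug profile.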
@@ -1,77 +0,0 @@ -- name: Install Apache and FPM config - include_role: - name: apachefpm - -- name: Install the symfony app - include_role: - name: stepupapp - -- name: Install images - include_role: - name: stepupapp - tasks_from: copyimages - -- name: Install the GSSP certificates - include_role: - name: stepupapp - tasks_from: copygsspidpcerts - -- name: Create the trusted certificate dir - file: - state: directory - dest: "{{ item }}" - with_items: - - "{{ current_release_config_file_dir_name }}/trusted_certificates" - -- name: Place parameters.yml - template: - src: parameters.yml.j2 - dest: "{{ current_release_config_dir_name }}/parameters.yml" - mode: 0640 - owner: root - group: "{{ appname }}" - notify: - - clear cache {{ appname }} - - reload php72-fpm {{ appname }} - -- name: Place .env file - template: - src: env.j2 - dest: "{{ current_release_appdir }}/.env.local" - mode: 0640 - owner: root - group: "{{ appname }}" - notify: - - clear cache {{ appname }} - - reload php72-fpm {{ appname }} - -- name: Copy trusted certificates - copy: - src: "{{ item }}" - dest: "{{ current_release_config_file_dir_name }}/trusted_certificates/" - mode: "444" - with_fileglob: - - "{{ inventory_dir }}/files/stepup-webauthn/trusted_certificates/*" - -- name: Activate the symlink - file: - src: "{{ current_release_appdir }}" - dest: "{{ current_release_symlink }}" - state: link - -- name: Put webauthn configuration script in /root/ - template: - src: "{{ item }}.j2" - dest: "/root/{{ item }}" - group: root - owner: root - mode: "0500" - with_items: - - "01-webauthn-db_init.sh" - -- meta: flush_handlers - -- name: Include post installation tasks - include_role: - name: stepupapp - tasks_from: postinstall