Docker deploy of webauthn and azuremfa

provision.yml

@@ -167,6 +167,7 @@
     - { role: stepupgateway,                             tags: ['stepupgateway' , 'stepup'] }
     - { role: stepupselfservice,                         tags: ['stepupselfservice' , 'stepup'] }
     - { role: stepupra        ,                          tags: ['stepupra' , 'stepup'] }
+    - { role: stepupgateway        ,                     tags: ['stepupgateway' , 'stepup'] }
 
 - hosts: docker
   become: true

roles/rsyslog/templates/sc_ruleset.conf.j2

@@ -50,6 +50,8 @@ if $programname == "gateway" and $msg startswith ' {"message":"Intrinsic Loa Req
 
 {% for stepupapp in stepupapps %}
 :programname, isequal, "stepup-{{ stepupapp }}" { action(type="omfile" DynaFile="stepup-{{ stepupapp }}-{{item.name }}") stop }
+if $programname == "{{ stepupapp }}" and $msg startswith " {{ stepupapp }}" then { action(type="omfile" DynaFile="apache-{{ stepupapp }}-{{item.name }}") stop }
+:programname, isequal, "{{ stepupapp }}" { action(type="omfile" DynaFile="stepup-{{ stepupapp }}-{{item.name }}") stop }
 :programname, isequal, "Apache-{{ stepupapp }}" { action(type="omfile" DynaFile="apache-{{ stepupapp }}-{{item.name }}") stop }
 if $programname == "{{ stepupapp }}" and $msg startswith " {{ stepupapp }}" then { action(type="omfile" DynaFile="apache-{{ stepupapp }}-{{item.name }}") stop }
 :programname, isequal, "{{ stepupapp }}" { action(type="omfile" DynaFile="stepup-{{ stepupapp }}-{{item.name }}") stop }

roles/stepupapp/tasks/copyspcerts.yml

@@ -5,11 +5,11 @@
     dest: "{{ current_release_config_file_dir_name }}/sp.key"
     owner: "{{ appname}}"
     group: "{{ appname }}"
-    mode: 400
+    mode: "0440"
 
 - name: Write SP certificate | {{ appname }}
   copy:
     src: "{{ inventory_dir }}/files/certs/stepup/{{ appname }}_saml_sp.crt"
     dest: "{{ current_release_config_file_dir_name }}/sp.crt"
     group: "{{ appname }}"
-    mode: 400
+    mode: "0440"

roles/stepupazuremfa/handlers/main.yml

@@ -6,3 +6,9 @@
   service:
     name: php72-php-fpm
     state: reloaded
+
+- name: restart azuremfa
+  community.docker.docker_container:
+    name: azuremfa
+    state: started
+    restart: true

roles/stepupazuremfa/tasks/main.yml

@@ -1,62 +1,78 @@
-- name: Install Apache and FPM config
-  include_role:
-    name: apachefpm
+- name: Include docker vars
+  ansible.builtin.include_vars: docker.yml
 
-- name: Install the symfony app
-  include_role:
-    name: stepupapp
+- name: Add group {{ appname }}
+  ansible.builtin.group:
+    name: "{{ appname }}"
+    state: present
+  register: azuremfa_guid
+
+- name: Add user {{ appname }}
+  ansible.builtin.user:
+    name: "{{ appname }}"
+    group: "{{ appname }}"
+    createhome: no
+    state: present
+  register: azuremfa_uid
+
+- name: Create some dirs
+  ansible.builtin.file:
+    state: directory
+    dest: "{{ item }}"
+    owner: root
+    group: root
+    mode: "0755"
+  with_items:
+    - "{{ current_release_config_dir_name }}"
+    - "{{ current_release_appdir }}/public/images"
 
 - name: Install images
-  include_role:
+  ansible.builtin.include_role:
     name: stepupapp
     tasks_from: copyimages
 
 - name: Install the GSSP certificates
-  include_role:
+  ansible.builtin.include_role:
     name: stepupapp
     tasks_from: copygsspidpcerts
 
 - name: Place parameters.yml
-  template:
+  ansible.builtin.template:
     src: parameters.yaml.j2
     dest: "{{ current_release_config_dir_name }}/parameters.yaml"
-    mode: 0640
+    mode: "0640"
     owner: root
     group: "{{ appname }}"
-  notify:
-    - clear cache {{ appname }}
-    - reload php72-fpm {{ appname }}
+  notify: restart azuremfa
 
 - name: Put institutions.yaml from environment
-  template:
+  ansible.builtin.template:
     src: "{{ inventory_dir }}/files/stepup-azuremfa/institutions.yaml.j2"
     dest: "{{ current_release_config_dir_name }}/institutions.yaml"
-    mode: 0640
-    group: "{{ appname }}"
-  notify:
-    - clear cache {{ appname }}
-    - reload php72-fpm {{ appname }}
-
-- name: Place .env file
-  template:
-    src: env.j2
-    dest: "{{ current_release_appdir }}/.env.local"
-    mode: 0640
+    mode: "0640"
     owner: root
     group: "{{ appname }}"
-  notify:
-    - clear cache {{ appname }}
-    - reload php72-fpm {{ appname }}
-
-- name: Activate the symlink
-  file:
-    src: "{{ current_release_appdir }}/"
-    dest: "{{ current_release_symlink }}"
-    state: link
+  notify: restart azuremfa
 
-- meta: flush_handlers
-
-- name: Include post installation tasks
-  include_role:
-    name: stepupapp
-    tasks_from: postinstall
+- name: Create the container
+  community.docker.docker_container:
+    name: "{{ appname }}"
+    image: ghcr.io/openconext/stepup-azuremfa/stepup-azuremfa:{{ azuremfa_version }}
+    pull: true
+    restart_policy: "always"
+    networks:
+      - name: "loadbalancer"
+    labels:
+      traefik.http.routers.azuremfa.rule: "Host(`azuremfa.{{ base_domain }}`)"
+      traefik.http.routers.azuremfa.tls: "true"
+      traefik.enable: "true"
+    env:
+      APACHE_UID: "#{{ azuremfa_uid.uid }}"
+      APACHE_GUID: "#{{ azuremfa_guid.gid }}"
+    mounts:
+      - source: /opt/openconext/azuremfa/public/images/header-logo.png
+        target: /var/www/html/public/build/images/header-logo.png
+        type: bind
+      - source: /opt/openconext/azuremfa
+        target: /var/www/html/config/openconext
+        type: bind

roles/stepupazuremfa/templates/parameters.yaml.j2

@@ -1,16 +1,21 @@
 parameters:
+{% if 'docker' in group_names %}
+    app_env: prod
+    app_debug: false 
+    app_secret: {{ azuremfa_secret }}
+{% endif %}
     # All locales supported by the application
     locales: [{{ enabled_locales | join(",") }}]
 
     # SAML configuration
-    saml_idp_publickey: '{{ current_release_config_file_dir_name }}/cert.pem'
-    saml_idp_privatekey: '{{ current_release_config_file_dir_name }}/key.pem'
+    saml_idp_publickey: '{{ current_release_config_file_dir_name_in_config }}/cert.pem'
+    saml_idp_privatekey: '{{ current_release_config_file_dir_name_in_config }}/key.pem'
     # NOTE: same key used for metadata and response/assertion signing
-    saml_metadata_publickey: '{{ current_release_config_file_dir_name }}/cert.pem'
-    saml_metadata_privatekey: '{{ current_release_config_file_dir_name }}/key.pem'
+    saml_metadata_publickey: '{{ current_release_config_file_dir_name_in_config }}/cert.pem'
+    saml_metadata_privatekey: '{{ current_release_config_file_dir_name_in_config }}/key.pem'
 
     saml_remote_sp_entity_id: 'https://{{ gateway_vhost_name }}/gssp/azuremfa/metadata'
-    saml_remote_sp_certificate: '{{ current_release_config_file_dir_name }}/gateway.crt'
+    saml_remote_sp_certificate: '{{ current_release_config_file_dir_name_in_config }}/gateway.crt'
     saml_remote_sp_acs: 'https://{{ gateway_vhost_name }}/gssp/azuremfa/consume-assertion'
 
     # View parameters

roles/stepupazuremfa/vars/docker.yml

@@ -0,0 +1,4 @@
+current_release_appdir: /opt/openconext/azuremfa
+current_release_config_file_dir_name: /opt/openconext/azuremfa
+current_release_config_file_dir_name_in_config: /var/www/html/config/openconext
+current_release_config_dir_name: /opt/openconext/azuremfa

roles/stepupazuremfa/vars/main.yml

@@ -7,6 +7,7 @@ stepup_gh_appname: "Azure-MFA"
 current_release_symlink: "/opt/openconext/OpenConext-{{ appname }}" 
 current_release_appdir: "{{current_release_symlink }}-{{ appversion }}" 
 current_release_config_file_dir_name: "{{ current_release_appdir }}/app/files"
+#current_release_config_file_dir_name_in_config: "{{ current_release_config_file_dir_name }}"
 current_release_config_dir_name: "{{ current_release_appdir }}/config/packages"
 gssp_idp_private_key: "{{ lookup('file', inventory_dir+'/files/certs/stepup/azuremfa_idp.key') }}"
 fpmmemory: 128M

roles/stepupgateway/handlers/main.yml

@@ -6,3 +6,6 @@
   service:
     name: php72-php-fpm
     state: reloaded
+
+- name: restart gateway
+  command: docker restart gateway