diff --git a/.github/workflows/ci-runner.yml b/.github/workflows/ci-runner.yml
index acc3c400e..b5a7004ef 100644
--- a/.github/workflows/ci-runner.yml
+++ b/.github/workflows/ci-runner.yml
@@ -82,4 +82,3 @@ jobs:
echo ===netstat===; netstat -lnp;
'"
if: failure()
-
diff --git a/environments/ci/group_vars/all.yml b/environments/ci/group_vars/all.yml
index 1ef32cc42..fbc7bafa8 100644
--- a/environments/ci/group_vars/all.yml
+++ b/environments/ci/group_vars/all.yml
@@ -11,6 +11,7 @@ secrets_users_file: "environments/vm/secrets/users.yml"
admin_email: "admin@{{base_domain}}"
is_aws: false
+is_dev: true
experimental_features: true
debian_dist: "bookworm" # CI needs bookworm because of SSP
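Review bot: `is_dev: true` is added here, but unlike the docker and vm group_vars in this same commit, the ci environment does not re-declare `sram_ansible_nolog`, whose only definition was the global group_vars/all.yml that this commit deletes. If any task references `sram_ansible_nolog` unconditionally (the roles that use it are not in this diff), CI plays will stop on an undefined variable, and CI output is the most widely readable log, so it is the environment where an explicit choice matters most. Add `sram_ansible_nolog: true` here, or `false` with a comment stating why CI may print task output that can carry secrets.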
diff --git a/environments/docker/group_vars/all.yml b/environments/docker/group_vars/all.yml
index 0d5dc0f51..aeb6114db 100644
--- a/environments/docker/group_vars/all.yml
+++ b/environments/docker/group_vars/all.yml
@@ -12,6 +12,8 @@ secrets_users_file: "environments/docker/secrets/users.yml"
admin_email: "admin@{{base_domain}}"
is_aws: false
+is_dev: true
+sram_ansible_nolog: false
experimental_features: true
servers:
diff --git a/environments/docker/group_vars/container.yml b/environments/docker/group_vars/container.yml
index 02cabe12b..e2b879676 100644
--- a/environments/docker/group_vars/container.yml
+++ b/environments/docker/group_vars/container.yml
@@ -40,24 +40,25 @@ firewall_v4_incoming:
## Docker
####################################################
containers:
- db: sram-db
- redis: sram-redis
- sbs: sram-sbs
- sbs_server: sram-sbs-server
- ldap: sram-ldap
- metadata: sram-metadata
- pyff: sram-pyff
- plsc: sram-plsc
+ db: "sram-db"
+ redis: "sram-redis"
+ sbs: "sram-sbs"
+ sbs_server: "sram-sbs-server"
+ sbs_migration: "sram-sbs-migration"
+ ldap: "sram-ldap"
+ metadata: "sram-metadata"
+ pyff: "sram-pyff"
+ plsc: "sram-plsc"
images:
- db: mariadb:11
- redis: redis:7
- sbs: ghcr.io/surfscz/sram-sbs-client:main
- sbs_server: ghcr.io/surfscz/sram-sbs-server:main
- ldap: ghcr.io/surfscz/sram-ldap:main
- metadata: ghcr.io/surfscz/sram-metadata:main
- pyff: ghcr.io/surfscz/sram-pyff:main
- plsc: ghcr.io/surfscz/sram-plsc:main
+ db: "docker.io/library/mariadb:11"
+ redis: "docker.io/library/redis:7"
+ sbs: "ghcr.io/surfscz/sram-sbs-client:main"
+ sbs_server: "ghcr.io/surfscz/sram-sbs-server:main"
+ ldap: "ghcr.io/surfscz/sram-ldap:main"
+ metadata: "ghcr.io/openconext/openconext-basecontainers/apache2:latest"
+ pyff: "ghcr.io/surfscz/sram-pyff:main"
+ plsc: "ghcr.io/surfscz/sram-plsc:main"
traefik_network: traefik
internal_network: sram
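Review bot: `sbs_migration: "sram-sbs-migration"` is added to `containers`, but `images` gets no matching `sbs_migration` entry, so a role that looks up `images.sbs_migration` will hit an undefined key — unless the migration container deliberately reuses another image, which a comment next to the entry should say. The new `metadata` image `ghcr.io/openconext/openconext-basecontainers/apache2:latest` is the only `:latest` tag in the list and comes from a different org than the rest; pin it to a version tag or a digest (`@sha256:<digest-of-verified-image>`) so the metadata container does not change underneath a dev host. Note also that `pyff` stays in both maps while provision.yml in this commit drops the `docker_pyff` role from the play.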
diff --git a/environments/vm/group_vars/all.yml b/environments/vm/group_vars/all.yml
index 0e2c3b52b..63d8bde23 100644
--- a/environments/vm/group_vars/all.yml
+++ b/environments/vm/group_vars/all.yml
@@ -11,6 +11,8 @@ secrets_users_file: "environments/vm/secrets/users.yml"
admin_email: "admin@{{base_domain}}"
is_aws: false
+is_dev: true
+sram_ansible_nolog: false
experimental_features: true
servers:
diff --git a/group_vars/all.yml b/group_vars/all.yml
deleted file mode 100644
index 5a5e4c181..000000000
--- a/group_vars/all.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-sram_ansible_nolog: false
-is_docker: "{{environment_name=='vm' or environment_name=='ci'}}"
diff --git a/provision.yml b/provision.yml
index f4f49c8b2..91ccf090a 100644
--- a/provision.yml
+++ b/provision.yml
@@ -63,7 +63,7 @@
- { role: "users", tags: ["common","users"] }
- { role: "logging", tags: ["common","logging"] }
- { role: "firewall", tags: ["common","firewall"],
- when: "not is_docker" }
+ when: "not is_dev" }
- { role: "ntp", tags: ["common","ntp"] }
- { role: "aws-cleanup", tags: ["common","clean"] }
- { role: "mail", tags: ["common","mail"] }
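Review bot: `when: "not is_dev"` relies on `is_dev` being defined on every host, but the old `is_docker` was computed in the global group_vars/all.yml that this commit deletes, while `is_dev` is only set in the ci, docker and vm environments. Any other environment will fail this condition with an undefined variable unless a default exists somewhere not shown here; `when: "not (is_dev | default(false))"` keeps the firewall role applied by default. The same applies to the `zabbix-server` hunk below and to the `not is_dev` conditions in roles/apt and roles/certificates in this commit.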
@@ -82,7 +82,7 @@
- { role: "backup_collector", tags: ["bhr2","backup-collector"] }
- { role: "logging_collector", tags: ["bhr2","logging-collector"] }
- { role: "zabbix-server", tags: ["bhr2","zabbix-server"],
- when: "not is_docker" }
+ when: "not is_dev" }
- name: "bhr11"
hosts: "bhr11"
@@ -108,11 +108,11 @@
tasks:
- { name: "version", import_tasks: "tasks/versions.yml", tags: ["common"] }
roles:
- - { role: "docker_db", tags: ["db", "docker-db"] }
- - { role: "docker_pyff", tags: ["meta", "docker-pyff"] }
- - { role: "docker_metadata", tags: ["meta", "docker-metadata"] }
- - { role: "docker_plsc", tags: ["plsc", "docker-plsc"] }
- - { role: "docker_sbs", tags: ["sbs", "docker-sbs"] }
+ - { role: "docker_db", tags: ["db", "docker-db" ], when: is_dev }
+ - { role: "docker_redis", tags: ["redis", "docker-redis" ] }
+ - { role: "docker_sbs", tags: ["sbs", "docker-sbs" ] }
+ - { role: "docker_metadata", tags: ["meta", "docker-meta" ] }
+ - { role: "docker_plsc", tags: ["plsc", "docker-plsc" ] }
- name: "container_ldap"
hosts: "container_ldap"
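Review bot: The `docker_metadata` entry renames its tag from `docker-metadata` to `docker-meta`, which breaks the `docker-<role>` pattern the other entries follow and silently disables any existing `--tags docker-metadata` invocation; keep `"docker-metadata"` unless the rename is deliberate, in which case say so in the commit message. `when: is_dev` on `docker_db` is bare while every other condition in this commit is quoted (`when: "is_dev"`); both work, but the file should pick one. The `docker_pyff` role is removed from the play even though `containers.pyff` and `images.pyff` remain in environments/docker/group_vars/container.yml.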
@@ -191,17 +191,17 @@
- { role: "sram_monitor", tags: ["bhr13","sram-monitor"] }
- { role: "scim_monitor", tags: ["bhr13","scim-monitor"] }
-- name: "demo clients demo1"
- hosts: "demo1"
- tasks:
- - { name: "version", import_tasks: "tasks/versions.yml", tags: ["common"] }
- roles:
- - { role: "docker", tags: ["demo1","demo-docker"] }
- - { role: "demo-apache", tags: ["demo1","demo-apache"] }
- - { role: "letsencrypt", tags: ["demo1","demo-letsencrypt"] }
- - { role: "demo-etherpad", tags: ["demo1","demo-etherpad"] }
- - { role: "demo-weblogin", tags: ["demo1","demo-weblogin"] }
- - { role: "demo-wordpress", tags: ["demo1","demo-wordpress"] }
+# - name: "demo clients demo1"
+# hosts: "demo1"
+# tasks:
+# - { name: "version", import_tasks: "tasks/versions.yml", tags: ["common"] }
+# roles:
+# - { role: "docker", tags: ["demo1","demo-docker"] }
+# - { role: "demo-apache", tags: ["demo1","demo-apache"] }
+# - { role: "letsencrypt", tags: ["demo1","demo-letsencrypt"] }
+# - { role: "demo-etherpad", tags: ["demo1","demo-etherpad"] }
+# - { role: "demo-weblogin", tags: ["demo1","demo-weblogin"] }
+# - { role: "demo-wordpress", tags: ["demo1","demo-wordpress"] }
- name: "ci-runner"
hosts: "bhr12"
diff --git a/roles/apt/tasks/main.yml b/roles/apt/tasks/main.yml
index 79abcc4d9..aa9e4e384 100644
--- a/roles/apt/tasks/main.yml
+++ b/roles/apt/tasks/main.yml
@@ -1,23 +1,23 @@
---
- name: set up apt repo
template:
- src: sources.list.j2
- dest: /etc/apt/sources.list
- force: yes
- register: apt_sources
+ src: "sources.list.j2"
+ dest: "/etc/apt/sources.list"
+ force: true
+ register: "apt_sources"
# we need to do this manually, because ansible's apt module doesn't handle the default-release
# setting correctly
- name: Update cache
command:
- cmd: apt-get update
- when: apt_sources.changed
+ cmd: "apt-get update"
+ when: "apt_sources.changed"
- name: regularly update package lists
copy:
- src: 00-scz-update
- dest: /etc/apt/apt.conf.d/00-scz-update
- when: "not is_docker"
+ src: "00-scz-update"
+ dest: "/etc/apt/apt.conf.d/00-scz-update"
+ when: "not is_dev"
- name: remove unneccessary packages
apt:
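Review bot: The quoting pass in this hunk turns `force: yes` into `force: true`, but the same file keeps `update_cache: yes` as context in the next two hunks and `autoclean: yes` in the third, so the file now mixes YAML 1.1 truthy words with canonical booleans. Change those to `true` as well so yamllint's truthy rule passes and the file reads consistently. Quoting `register: "apt_sources"` (and `register: "result"` further down) is harmless but unusual, since `register` takes a plain variable name rather than a templated value.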
@@ -34,7 +34,7 @@
- name: Install common tools / clients
apt:
update_cache: yes
- state: present
+ state: "present"
name:
- "acl"
- "apt-transport-https"
@@ -70,7 +70,7 @@
cache_valid_time: 86400
update_cache: yes
autoclean: yes
- when: "not is_docker"
+ when: "not is_dev"
- name: install VMware clients
apt:
@@ -82,7 +82,7 @@
# apt module doesn't support autoremove very well, yet
- name: Remove obsolete packages
command: "/usr/bin/apt --yes --purge autoremove"
- register: result
+ register: "result"
changed_when: "'0 upgraded, 0 newly installed, 0 to remove' not in result.stdout"
- when: "not is_docker"
+ when: "not is_dev"
diff --git a/roles/certificates/tasks/main.yml b/roles/certificates/tasks/main.yml
index 2fa54f27d..f6311f3e3 100644
--- a/roles/certificates/tasks/main.yml
+++ b/roles/certificates/tasks/main.yml
@@ -4,13 +4,13 @@
- name: Create ssl_certs_dir
file:
path: "{{ ssl_certs_dir }}"
- state: directory
+ state: "directory"
mode: '0755'
- name: Ensure group "ssl-cert" exists
group:
- name: ssl-cert
- state: present
+ name: "ssl-cert"
+ state: "present"
system: true
- name: write backend wildcard key
@@ -45,7 +45,7 @@
owner: "root"
group: "root"
mode: "0644"
- when: "is_docker"
+ when: "is_dev"
notify: "update certificates"
- name: remove obsolete files
@@ -56,9 +56,9 @@
- "vm.scz-vm.crt"
- "scz-vm.crt"
- "sram-https.crt"
- when: "not is_docker"
+ when: "not is_dev"
notify: "update certificates"
# make sure all certificates are up to date after this role has run
- name: Flush handlers
- meta: flush_handlers
+ meta: "flush_handlers"
diff --git a/roles/docker/tasks/docker_setup.yml b/roles/docker/tasks/docker_setup.yml
new file mode 100644
index 000000000..28dbb0d81
--- /dev/null
+++ b/roles/docker/tasks/docker_setup.yml
@@ -0,0 +1,59 @@
+---
+# this role is used to install docker on the host
+# only used on dev hosts
+
+- name: Add Docker GPG key.
+ ansible.builtin.apt_key:
+ url: "https://download.docker.com/linux/debian/gpg"
+ state: "present"
+
+- name: Add Docker repository.
+ ansible.builtin.apt_repository:
+ repo: "deb [arch=amd64] https://download.docker.com/linux/debian bullseye stable"
+ state: "present"
+
+- name: Create docker config directory
+ ansible.builtin.file:
+ path: "/etc/docker"
+ state: "directory"
+ owner: "root"
+ group: "root"
+ mode: "0755"
+
+- name: Install docker config
+ ansible.builtin.copy:
+ content: |
+ {
+ "log-driver": "journald",
+ "log-opts": {
+ }
+ }
+ dest: "/etc/docker/daemon.json"
+ owner: "root"
+ group: "root"
+ mode: "0644"
+
+- name: Install docker
+ ansible.builtin.apt:
+ name: "docker-ce"
+ state: "present"
+ notify:
+ - "start docker"
+
+- name: Add ansible user to docker group
+ ansible.builtin.user:
+ name: "ansible"
+ groups: "docker"
+ append: true
+
+# hackish way to allow name resolution from the host
+# it watches the docker daemon and updates /etc/hosts on the host
+- name: Install name resolution container
+ docker_container:
+ name: "name-resolver"
+ image: "dvdarias/docker-hoster"
+ state: "started"
+ restart_policy: "always"
+ volumes:
+ - "/var/run/docker.sock:/tmp/docker.sock"
+ - "/etc/hosts:/tmp/hosts"
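Review bot: `ansible.builtin.apt_key` at the top of this new file adds the Docker key to the global apt keyring, where it is trusted for every repository, and the module wraps `apt-key`, which Debian has deprecated; the repository line also hard-codes `bullseye` although the ci group_vars in this same commit set `debian_dist: "bookworm"`, so a bookworm dev host would pull bullseye packages. Fetch the key into `/etc/apt/keyrings`, bind it to the repository with `signed-by=`, and derive the suite from the `ansible_distribution_release` fact (or `debian_dist`, if it is defined for every dev environment). Neither the old nor the new form checks the key content after download; a `checksum:` on the fetch pins it. Separately, `docker_container:` is the only non-FQCN module in the file — `community.docker.docker_container` matches `community.docker.docker_network` used in roles/docker/tasks/main.yml.
```yaml
- name: Create apt keyring directory
  ansible.builtin.file:
    path: "/etc/apt/keyrings"
    state: "directory"
    owner: "root"
    group: "root"
    mode: "0755"

- name: Add Docker GPG key.
  ansible.builtin.get_url:
    url: "https://download.docker.com/linux/debian/gpg"
    dest: "/etc/apt/keyrings/docker.asc"
    mode: "0644"
    checksum: "sha256:<DIGEST-OF-VERIFIED-KEY>"  # placeholder: record the digest of the key you verified out of band

- name: Add Docker repository.
  ansible.builtin.apt_repository:
    repo: "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable"
    state: "present"

# … unchanged: docker config directory, daemon.json, docker-ce install, docker group, name-resolver container …
```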
diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml
index 16c2cad9f..417177298 100644
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
@@ -1,64 +1,10 @@
---
- name: Install docker
- block:
- - name: Add Docker GPG key.
- ansible.builtin.apt_key:
- url: "https://download.docker.com/linux/debian/gpg"
- state: "present"
-
- - name: Add Docker repository.
- ansible.builtin.apt_repository:
- repo: "deb [arch=amd64] https://download.docker.com/linux/debian bullseye stable"
- state: "present"
-
- - name: Create docker config directory
- ansible.builtin.file:
- path: "/etc/docker"
- state: "directory"
- owner: "root"
- group: "root"
- mode: "0755"
-
- - name: Install docker config
- ansible.builtin.copy:
- content: |
- {
- "log-driver": "journald",
- "log-opts": {
- }
- }
- dest: "/etc/docker/daemon.json"
- owner: "root"
- group: "root"
- mode: "0644"
-
- - name: Install docker
- ansible.builtin.apt:
- name: "docker-ce"
- state: "present"
- notify:
- - "start docker"
-
- - name: Add ansible user to docker group
- ansible.builtin.user:
- name: "ansible"
- groups: "docker"
- append: true
-
- # hackish way to allow name resolution from the host
- # it watches the docker daemon and updates /etc/hosts on the host
- - name: Install name resolution container
- docker_container:
- name: "name-resolver"
- image: "dvdarias/docker-hoster"
- state: "started"
- restart_policy: "always"
- volumes:
- - "/var/run/docker.sock:/tmp/docker.sock"
- - "/etc/hosts:/tmp/hosts"
-
- when: "environment_name=='vm'"
+ include_tasks: "docker_setup.yml"
+ when: "is_dev"
- name: Create the internal network
community.docker.docker_network:
name: "{{internal_network}}"
+ enable_ipv6: false
+ state: "present"
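Review bot: `when: "is_dev"` on the `include_tasks` widens the docker installation from `environment_name=='vm'` to every environment that sets `is_dev: true`, which in this commit is ci, docker and vm; the included file also starts the name-resolver container that mounts the docker socket and `/etc/hosts`, so those hosts now get that too. If that widening is intended, say so where the old condition was, e.g. `# is_dev covers the ci, docker and vm environments (previously vm only)`; if not, the include needs a narrower condition. The added `enable_ipv6: false` and `state: "present"` on the network are fine.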
diff --git a/roles/docker_db/tasks/main.yml b/roles/docker_db/tasks/main.yml
index b3c381349..e8c7b9944 100644
--- a/roles/docker_db/tasks/main.yml
+++ b/roles/docker_db/tasks/main.yml
@@ -1,134 +1,9 @@
---
-# - name: Install mariadb repo key
-# apt_key:
-# data: |
-# -----BEGIN PGP PUBLIC KEY BLOCK-----
-#
-# xsFNBFb8EKsBEADwGmleOSVThrbCyCVUdCreMTKpmD5p5aPz/0jc66050MAb71Hv
-# TVcfuMqHYO8O66qXLpEdqZpuk4D+rw1oKyC+d8uPD2PSHRqBXnR0Qf+LVTZvtO92
-# 3R7pYnC2x6V6iVGpKQYFP8cwh2B1qgIa+9y/N8cQIqfD+0ghyiUjjTYek3YFBnqa
-# L/2h2V0Mt0DkBrDK80LqEY10PAFDfJjINAW9XNHZzi2KqUx5w1z8rItokXV6fYE5
-# ItyGMR6WVajJg5D4VCiZd0ymuQP2bGkrRbl6FH5vofVSkahKMJeHs2lbvMvNyS3c
-# n8vxoBvbbcwSAV1gvB1uzXXxv0kdkFZjhU1Tss4+Dak8qeEmIrC5qYycLxIdVEhT
-# Z8N8+P7Dll+QGOZKu9+OzhQ+byzpLFhUHKys53eXo/HrfWtw3DdP21yyb5P3QcgF
-# scxfZHzZtFNUL6XaVnauZM2lqquUW+lMNdKKGCBJ6co4QxjocsxfISyarcFj6ZR0
-# 5Hf6VU3Y7AyuFZdL0SQWPv9BSu/swBOimrSiiVHbtE49Nx1x/d1wn1peYl07WRUv
-# C10eF36ZoqEuSGmDz59mWlwB3daIYAsAAiBwgcmN7aSB8XD4ZPUVSEZvwSm/IwuS
-# Rkpde+kIhTLjyv5bRGqU2P/Mi56dB4VFmMJaF26CiRXatxhXOAIAF9dXCwARAQAB
-# zS1NYXJpYURCIFNpZ25pbmcgS2V5IDxzaWduaW5nLWtleUBtYXJpYWRiLm9yZz7C
-# wXgEEwEIACIFAlb8EKsCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEPFl
-# byTHTNHYJZ0P/2Z2RURRkSTHLKZ/GqSvPReReeB7AI+ZrDapkpG/26xp1Yw1isCO
-# y99pvQ7hjTFhdZQ7xSRUiT/e27wJxR7s4G/ck5VOVjuJzGnByNLmwMjdN1ONIO9P
-# hQAs2iF3uoIbVTxzXof2F8C0WSbKgEWbtqlCWlaapDpN8jKAWdsQsNMdXcdpJ2os
-# WiacQRxLREBGjVRkAiqdjYkegQ4BZ0GtPULKjZWCUNkaat51b7O7V19nSy/T7MM7
-# n+kqYQLMIHCF8LGd3QQsNppRnolWVRzXMdtR2+9iI21qv6gtHcMiAg6QcKA7halL
-# kCdIS2nWR8g7nZeZjq5XhckeNGrGX/3w/m/lwczYjMUer+qs2ww5expZJ7qhtSta
-# lE3EtL/l7zE4RlknqwDZ0IXtxCNPu2UovCzZmdZm8UWfMSKk/3VgL8HgzYRr8fo0
-# yj0XkckJ7snXvuhoviW2tjm46PyHPWRKgW4iEzUrB+hiXpy3ikt4rLRg/iMqKjyf
-# mvcE/VdmFVtsfbfRVvlaWiIWCndRTVBkAaTu8DwrGyugQsbjEcK+4E25/SaKIJIw
-# qfxpyBVhru21ypgEMAw1Y8KC7KntB7jzpFotE4wpv1jZKUZuy71ofr7g3/2O+7nW
-# LrR1mncbuT6yXo316r56dfKzOxQJBnYFwTjXfa65yBArjQBUCPNYOKr0wkYEEhEI
-# AAYFAlb8JFYACgkQy8sIKhu5Q9snYACgh3id41CYTHELOQ/ymj4tiuFt1lcAn3JU
-# 9wH3pihM9ISvoeuGnwwHhcKnwsFcBBIBCAAGBQJW/CSEAAoJEJFxGJmV5Fqe11cP
-# /A3QhvqleuRaXoS5apIY3lrDL79Wo0bkydM3u2Ft9EqVVG5zZvlmWaXbw5wkPhza
-# 7YUjrD7ylaE754lHI48jJp3KY7RosClY/Kuk56GJI/SoMKx4v518pAboZ4hjY9MY
-# gmiAuZEYx5Ibv1pj0+hkzRI78+f6+d5QTQ6y/35ZjSSJcBgCMAr/JRsmOkHu6cY6
-# qOpq4g8mvRAX5ivRm4UxE2gnxZyd2LjY2/S2kCZvHWVaZuiTD0EU1jYPoOo6fhc8
-# zjs5FWS56C1vp7aFOGBvsH3lwYAYi1K2S+/B4nqpitYJz/T0zFzzyYe7ZG77DXKD
-# /XajD22IzRGKjoeVPFBx+2V0YCCpWZkqkfZ2Dt3QVW//QIpVsOJnmaqolDg1sxoa
-# BEYBtCtovU0wh1pXWwfn7IgjIkPNl0AU8mW8Ll91WF+Lss/oMrUJMKVDenTJ6/ZO
-# 06c+JFlP7dS3YGMsifwgy5abA4Xy4GWpAsyEM68mqsJUc7ZANZcQAKr6+DryzSfI
-# Olsn3kJzOtb/c3JhVmblEO6XzdfZJK/axPOp3mF1oEBoJ56fGwO2usgVwQDyLt3J
-# iluJrCvMSBL9KtBZWrTZH5t3rTMN0NUALy4Etd6Y8V94i8c5NixMDyjRU7aKJAAw
-# tUvxLd12dqtaXsuvGyzLbR4EDT/Q5DfLC1DZWpgtUtCVwsFcBBIBCAAGBQJW/CS2
-# AAoJEEHdwLQNpW8iMUoP/AjFKyZ+inQTI2jJJBBtrLjxaxZSG5ggCovowWn8NWv6
-# bQBm2VurYVKhvY1xUyxoLY8KN+MvoeTdpB3u7z+M6x+CdfoTGqWQ2yapOC0eEJBF
-# O+GFho2WE0msiO0IaVJrzdFTPE0EYR2BHziLu0DDSZADe1WYEqkkrZsCNgi6EMng
-# mX2h+DK2GlC3W2tY9sc63DsgzjcMBO9uYmpHj6nizsIrETqouVNUCLT0t8iETa25
-# Mehq/I92I70Qfebv7R4eMrs+tWXKyPU0OjV+8b8saZsv1xn98UkeXwYx4JI04OTw
-# nBeJG8yPrGDBO5iucmtaCvwGQ3c76qBivrA8eFz3azRxQYWWiFrkElTg+C/E83JQ
-# WgqPvPZkI5UHvBwBqcoIXG15AJoXA/ZWIB8nPKWKaV5KDnY3DBuA4rh5Mhy3xwcC
-# /22E/CmZMXjUUvDnlPgXCYAYU0FBbGk7JpSYawtNfdAN2XBRPq5sDKLLxftx7D8u
-# ESJXXAlPxoRh7x1ArdGM+EowlJJ0xpINBaT0Z/Hk0jxNIFEak796/WeGqewdOIki
-# dAs4tppUfzosla5K+qXfWwmhcKmpwA4oynE8wIaoXptoi8+rxaw4N6wAXlSrVxeC
-# VTnb7+UY/BT2Wx6IQ10C9jrsj6XIffMvngIinCD9Czvadmr7BEIxKt1LP+gGA8Zg
-# wsFcBBIBCgAGBQJYE6oDAAoJEL7YRJ/O6NqIJ24P+QFNa2O+Q1rLKrQiuPw4Q73o
-# 7/blUpFNudZfeCDpDbUgJ01u1RHnWOyLcyknartAosFDJIpgcXY5I8jsBIO5IZPR
-# C/UKxZB3RYOhj49bySD9RNapHyq+Y56j9JUoz6tkKFBd+6g85Ej8d924xM1UnRCS
-# 9cfI9W0fSunbCi2CXLbXFF7V+m3Ou1SVYGIAxpMn4RXyYfuqeB5wROR2GA5Ef6T3
-# S5byh1dRSEgnrBToENtp5n7Jwsc9pDofjtaUkO854l45IqFarGjCHZwtNRKd2lcK
-# FMnd1jS0nfGkUbn3qNJam1qaGWx4gXaT845VsYYVTbxtkKi+qPUIoOyYx4NEm6fC
-# ZywH72oP+fmUT/fbfSHa5j137dRqokkR6RFjnEMBl6WHwgqqUqeIT6t9uV6WWzX9
-# lNroZFAFL/de7H31iIRuZcm38DUZOfjVf9glweu4yFvuJ7cQtyQydFQJV4LGDT/C
-# 8e9TWrV1/gWMyMGQlZsRWa+h+FfFUccQtfSdXpvSxtXfop+fVQmJgUUl92jh4K9j
-# c9a6rIp5v1Q1yEgs2iS50/V/NMSmEcE1XMOxFt9fX9T+XmKAWZ8L25lpILsHT3mB
-# VWrpHdbawUaiBp9elxhn6tFiTFR7qA7dlUyWrI+MMlINwSZ2AAXvmA2IajH/UIlh
-# xotxmSNiZYIQ6UbD3fk4wsFzBBABCgAdFiEEmy/52H2krRdju+d2+GQcuhDvLUgF
-# Ally44wACgkQ+GQcuhDvLUgkjQ//c3mBxfJm6yLAJD4s4OgsPv4pcp/EKmPcdztm
-# W0/glwopUZmq9oNo3VMMCGtusrQgpACzfUlesu9NWlPCB3olZkeGugygo0zuQBKs
-# 55eG7bPzMLyfSqLKyogYocaGc4lpf4lbvlvxy37YGVrGpwT9i8t2REtM6iPKDcMM
-# sgVtNlqFdq3Fs2Haqt0m1EksX6/GSIrjK4LZEcPklrGPvUS3S+qkwuaGE/jXxncE
-# 4jFQR9SYH6AHr6Vkt1CG9Dgpr+Ph0I9n0JRknBYoUZ1q51WdF946NplXkCskdzWG
-# RHgMUCz3ZehF1FzpKgfO9Zd0YZsmivV/g6frUw/TayP9gxKPt7z2Lsxzyh8X7cg6
-# TAvdG9JbG0PyPJT1TZ8qpjP/PtqPclHsHQQIbGSDFWzRM5znhS+5sgyw8FWInjw8
-# JjxoOWMa50464EfGeb2jZfwtRimJAJLWEf/JnvO779nXf5YbvUZgfXaX7k/cvCVk
-# U8M7oC7x8o6F0P2Lh6FgonklKEeIRtZBUNZ0Lk9OShVqlU9/v16MHq/Eyu/Mbs0D
-# en3vYgiYxOBR8czD1Wh4vsKiGfOzQ6oWti/DCURV+iTYhJc7mSWM6STzUFr0nCnF
-# x6W0j/zH6ZgiFAGOyIXW2DwfjFvYRcBL1RWAEKsiFwYrNV+MDonjKXjpVB1Ra90o
-# lLrZXAXCwHMEEgEKAB0WIQRMRw//78TT3Fl3hlXOGj3V48lPSQUCXAAgOgAKCRDO
-# Gj3V48lPSQxAB/43qoWteVZEiN3JW4FnHg+S60TnHSP69FKV+363XYKDa23pNpv4
-# tiJumo9Kvb4UoDft766/URHm5RKyPtrxy+wqotamrkGJUTtP2a68h7C31VX+pf6i
-# iQKmxRQz4zmW0pA5X01+AgpvcDH++Fv5NLBpnjqPdTh5b0gvr89E0zMNldNYOZu1
-# 0H/mukrnGlFDu/osBuy+XJtP2MeasazVMLvjKs+hr//E+iLI9DZOwFBK6AX5gkkI
-# UEHkSeb4//AHwvanUMin9un9+F9iR+qDuDEKxuevYzM0owuoVcK5pAsRnRQJlnHW
-# /0BQ6FtNGpmljhvUk8a/l3xFf3z/uJG5vVKVzsFNBFb8EKsBEADDfCMsu2U1CdJh
-# r4xp6z4J89/tMnpCQASC8DQhtZ6bWG/ksyKt2DnDQ050XBEng+7epzHWA2UgT0li
-# Y05zZmFs1X7QeZr16B7JANq6fnHOdZB0ThS7JEYbProkMxcqAFLAZJCpZT534Gpz
-# W7qHwzjV+d13IziCHdi6+DD5eavYzBqY8QzjlOXbmIlY7dJUCwXTECUfirc6kH86
-# CS8fXZTke4QYZ55VnrOomB4QGqP371kwBETnhlhi74+pvi3jW05Z5x1tVMwuugyz
-# zkseZp1VYmJq5SHNFZ/pnAQLE9gUDTb6UWcPBwQh9Sw+7ahSK74lJKYm3wktyvZh
-# zAxbNyzs1M56yeFP6uFwJTBfNByyMAa6TGUhNkxlLcYjxKbVmoAnKCVM8t41TlLv
-# /a0ki8iQxqvphVLufksR9IpN6d3F15j6GeyVtxBEv04iv4vbuKthWytb+gjX4bI8
-# CAo9jGHevmtdiw/SbeKx2YBM1MF6eua37rFMooOBj4X7VfQCyS+crNsOQn8nJGah
-# YbzUDCCgnX+pqN9iZvXisMS79wVyD5DyISFDvT/5jY7IXxPibxr10P/8lfW1d72u
-# xyI2UiZKZpyHCt4k47yMq4KQGLGuhxJ6q6O3bi2aXRuz8bLqTBLca9dmx9wZFvRh
-# 6jS/SKEg7eFcY0xbb6RVIv1UwGDYfQARAQABwsFfBBgBCAAJBQJW/BCrAhsMAAoJ
-# EPFlbyTHTNHYEBIQAJhFTh1u34Q+5bnfiM2dAdCr6T6w4Y1v9ePiIYdSImeseJS2
-# yRglpLcMjW0uEA9KXiRtC/Nm/ClnqYJzCKeIaweHqH6dIgJKaXZFt1Uaia7X9tDD
-# wqALGu97irUrrV1Kh9IkM0J29Vid5amakrdS4mwt2uEISSnCi7pfVoEro+S7tYQ9
-# iH6APVIwqWvcaty3cANdwKWfUQZ6a9IQ08xqzaMhMp2VzhVrWkq3B0j2aRoZR7BN
-# LH2I7Z0giIM8ARjZs99aTRL+SfMEQ3sUxNLb3KWP/n1lSFbrk4HGzqUBBfczESlN
-# c0970C6znK0H0HD11/3BTkMuPqww+Tzex4dpMQllMEKZ3wEyd9v6ba+nj/P1FHSE
-# y/VN6IXzd82s1lYOonKTdmXAIROcHnb0QUzwsd/mhB3jKhEDOV2ZcBTD3yHv8m7C
-# 9G9y4hV+7yQlnPlSg3DjBp3SS5r+sOObCIy2Ad32upoXkilWa9g7GZSuhY9kyKqe
-# Eba1lgXXaQykEeqx0pexkWavNnb9JaPrAZHDjUGcXrREmjEyXyElRoD4CrWXySe4
-# 6jCuNhVVlkLGo7osefynXa/+PNjQjURtx8en7M9A1FkQuRAxE8KIZgZzYxkGl5o5
-# POSFCA4JUoRPDcrl/sI3fuq2dIOE/BJ2r8dV+LddiR+iukhXRwJXH8RVVEUS
-# =mCOI
-# -----END PGP PUBLIC KEY BLOCK-----
-#
-# - name: Install mariadb repo
-# apt_repository:
-# filename: "mariadb"
-# repo: "deb https://mirror.rackspace.com/mariadb/repo/10.5/debian bullseye main"
-# update_cache: true
-#
-# - name: Create mariadb.service.d directory
-# file:
-# path: /etc/systemd/system/mariadb.service.d
-# state: directory
-# mode: '0755'
-#
-# - name: Set mysql systemd Type=exec
-# copy:
-# src: type.conf
-# dest: /etc/systemd/system/mariadb.service.d/type.conf
-#
- name: Ensure that packages are installed
apt:
name:
- - python3-pymysql
- state: present
+ - "python3-pymysql"
+ state: "present"
- name: Ensure that a number of directories exist
file:
@@ -165,32 +40,23 @@
- name: Install mariadb config
template:
- src: 60-sram.cnf.j2
- # dest: /etc/mysql/mariadb.conf.d/60-scz.cnf
+ src: "60-sram.cnf.j2"
dest: "{{mariadb_conf_dir}}/sram.cnf"
notify: "Restart the database container"
- # notify: restart MariaDB
-
-# - name: add mysql user to ssl-cert group
-# user:
-# name: mysql
-# groups: ssl-cert
-# append: yes
- name: Create the database container
docker_container:
name: "{{ containers.db }}"
image: "{{ images.db }}"
restart_policy: "always"
- state: started
- # pull: true
+ state: "started"
ports:
- - 3306:3306
+ - "3306:3306"
env:
MARIADB_ALLOW_EMPTY_ROOT_PASSWORD: "1"
MARIADB_ROOT_PASSWORD: ""
mounts:
- - type: bind
+ - type: "bind"
source: "{{ mariadb_conf_dir }}/sram.cnf"
target: "/etc/mysql/conf.d/60-sram.cnf"
volumes:
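Review bot: `- "3306:3306"` publishes the database on every host interface, and the context lines just below it set `MARIADB_ALLOW_EMPTY_ROOT_PASSWORD: "1"` with an empty `MARIADB_ROOT_PASSWORD`; since this commit also skips the `firewall` role when `is_dev` (provision.yml) and limits `docker_db` to `is_dev` hosts, nothing on the host stands in front of a password-less root login. Bind the published port to loopback, `- "127.0.0.1:3306:3306"`, unless another host must reach it, in which case give root a real password from the same secrets mechanism that supplies `db_admin_password` in the next hunk. The task's remaining lines are outside this hunk.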
@@ -216,5 +82,5 @@
host: '%'
password: '{{ db_admin_password }}'
priv: '*.*:ALL,GRANT'
- state: present
+ state: "present"
diff --git a/roles/docker_ldap/tasks/main.yml b/roles/docker_ldap/tasks/main.yml
index b64fef5ad..230d6e371 100644
--- a/roles/docker_ldap/tasks/main.yml
+++ b/roles/docker_ldap/tasks/main.yml
@@ -101,7 +101,7 @@
remote_src: true
dest: "{{ldap_certs_dir}}/frontend.crt"
mode: "0644"
- when: "is_docker" # TODO: wrong name; we mean: "is local dev env"
+ when: "is_dev"
notify: Restart the ldap container
- name: Create the ldap container
@@ -229,7 +229,7 @@
bind_dn: "cn=admin,cn=config"
bind_pw: "{{ services_ldap_password }}"
server_uri: "{{ ldap_uri }}"
- when: "is_docker"
+ when: "is_dev" # TODO: check this.
# - name: Ensure the schemas are added to LDAP
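Review bot: `when: "is_dev" # TODO: check this.` on the `cn=admin,cn=config` bind task leaves a TODO that does not say what is to be checked, which is the same ambiguity the earlier hunk in this file removes from the old `is_docker` condition. Either resolve it in this commit or state the open question, e.g. `# TODO: confirm this config bind is needed only on dev hosts (ci/docker/vm) and not elsewhere`. The task begins before the hunk.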
diff --git a/roles/docker_metadata/defaults/main.yml b/roles/docker_metadata/defaults/main.yml
index 3c35a1cda..ae7bbb12d 100644
--- a/roles/docker_metadata/defaults/main.yml
+++ b/roles/docker_metadata/defaults/main.yml
@@ -1,10 +1,75 @@
---
-# meta_port: 80
metadata_basedir: "{{sram_conf_dir}}/metadata"
-metadata_dirs:
- web: "{{metadata_basedir}}/web"
-# metadata_documentroot: "/var/www/metadata"
-# mdparser_repo_url: "https://github.com/SURFscz/mdparser.git"
-# mdparser_version: "master"
-# mdparser_dir: "/opt/mdparser"
-# mdparser_venv_dir: "{{mdparser_dir}}/venv"
+
+metadata_server_name: "sram-metadata"
+
+metadata_user: "sram-metadata"
+metadata_group: "sram-metadata"
+
+# metadata_idps_source: "https://metadata.surfconext.nl/idps-metadata.xml"
+# metadata_idps_cert: |
+# -----BEGIN CERTIFICATE-----
+# MIIEKjCCAhICEG12w6QqayYAWntxDN59dU0wDQYJKoZIhvcNAQELBQAwPDELMAkG
+# A1UEBhMCTkwxEDAOBgNVBAoMB1NVUkZuZXQxGzAZBgNVBAMMElNVUkZjb25leHQg
+# Um9vdCBDQTAeFw0xOTAxMTQxNjM5MDVaFw0yNDAxMTgxNjM5MDVaMGsxCzAJBgNV
+# BAYTAk5MMRAwDgYDVQQIDAdVdHJlY2h0MRAwDgYDVQQKDAdTVVJGbmV0MRMwEQYD
+# VQQLDApTVVJGY29uZXh0MSMwIQYDVQQDDBpTVVJGY29uZXh0IG1ldGFkYXRhIHNp
+# Z25lcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMckFyqXzW7dbMt4
+# wDdSLaAjFAbNziUgQaivu4dl9Uf/cZ4f36a9DfQBUSraNoIR76ruwK3TPfFalemp
+# xmWTsoVSQpb3AOsWbU+i0YKS1cmcqMUC1fef2j1IbuK4B4nEu9S5saGNVGNvUJ+Y
+# jDUpC5vyyp7boW9E1md2jIBI6Mw+ZhlmkPucqaphxurWnm0KbxTZrYLOBZ1IXj6r
+# yrRoFwwtjEH+CW8cRn8OATK0q4yb0BVr2gY2tp/lTpASHZ3WVWBK0prwK0KkusY6
+# ck+/vvlk46IdEr803NB0Dm3ECh3i65mfCaWzVTtd/md874paK+65f1JeVyd5I5al
+# M2KEpvkCAwEAATANBgkqhkiG9w0BAQsFAAOCAgEAjvJXXkxOqh3K0k2NdDG5EOTy
+# bA+koRbAqhdY/qJoSnqTzwBxJc6aPs+L4q2PIoLo0gNJj1Nm1taLusaaK+CBx3ar
+# 1kxEika5FM0dqFjD3i7Y5U0FMeDB5cReo8TNdo31VGoY7CbRjtqHLRTuKzNmIfEm
+# ahLnHIBtarE82b7Mpg0aLxjrRR+t8wSCriy+e9AEPzC5bWxtPJA+OhU8U9hMuOs5
+# SzKmHwYue4WY3q1rRaDpK3fqgXRDRfznNn9/RDDbBos7CRMSAPEmAO28qLKBW/1z
+# a2TKQLddZ3uoCurFNbToSTueKYVEnveQNO2P5X6uy4rcYkjeSiwbmHo7jYuHAxx4
+# uGzHMpoqoGNx+2iYjtUo3dJUXzcZai3X+RuuMKXXvqGzrxJsoKayNVAE1dWoUHJl
+# RouPhDLTdZq/pblORhFS8r10rKhSScgrNuN9LTTV7EPFeVr8trocNwl8IruH+eNL
+# 6/7b5Y7fb7rvpxeHjWrTz8a9BXAIAv+bgyrg4OHGRcNIQb0XF438HD9r8Zb92B6Z
+# VCR3aVS5496+1td+8aN/Blzo59LhKPiHyGZCPHFV/oBqG7nxp603kcWmJOcG+AgB
+# 9bFiAimF5LLk/LnMfplK9w0vvxWVcdQkDgVPYvEGNtttj0QC7/jM4ZeihGb6Oyzy
+# DZA6aeg73/ygOATQ13A=
+# -----END CERTIFICATE-----
+metadata_idps_filters: []
+
+metadata_idps_files:
+ - name: "dummy-idp"
+ metadata: |
+
+
SRAM IdP proxy metadata
(for use by Service Providers)
SRAM SP proxy metadata
(for use by Identity Providers)