diff --git a/.ansible-lint b/.ansible-lint
new file mode 100644
index 00000000..d7b2f251
--- /dev/null
+++ b/.ansible-lint
@@ -0,0 +1,9 @@
+exclude_paths:
+ - .pre-commit-config.yaml
+ - icingaagents.yml
+ - roles/common/handlers/main.yml
+ - authzkeys.yml
+ - inventories
+offline: false
+skip_list:
+ - role-name
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
new file mode 100644
index 00000000..0d53aefa
--- /dev/null
+++ b/.github/workflows/lint.yml
@@ -0,0 +1,13 @@
+# .github/workflows/ansible-lint.yml
+name: ansible-lint
+on:
+ pull_request:
+ branches: ["main"]
+jobs:
+ build:
+ name: Ansible Lint
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - name: Run ansible-lint
+ uses: ansible/ansible-lint@v6.22.2
diff --git a/.gitignore b/.gitignore
index c3cb7c0b..d72fc806 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,7 +5,8 @@
.LSOverride
# Icon must end with two \r
-Icon
+Icon
+
# Thumbnails
._*
@@ -25,3 +26,6 @@ Network Trash Folder
Temporary Items
.apdisk
# END OSX.gitignore
+
+# ignore editor cruft
+.vscode
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 00000000..6bd8c584
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,44 @@
+# See https://pre-commit.com for more information
+# See https://pre-commit.com/hooks.html for more hooks
+repos:
+- repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v4.5.0
+ hooks:
+ - id: trailing-whitespace
+ - id: end-of-file-fixer
+ - id: check-yaml
+ - id: check-added-large-files
+ - id: requirements-txt-fixer
+
+- repo: https://github.com/Yelp/detect-secrets
+ rev: v1.4.0
+ hooks:
+ - id: detect-secrets
+ args:
+ - --baseline
+ - .secrets.baseline
+
+- repo: https://github.com/ansible-community/ansible-lint
+ rev: v24.2.1
+ hooks:
+ - id: ansible-lint
+ always_run: false
+ files: ^.*.yml
+ exclude: .github
+ additional_dependencies:
+ - ansible-core>=2.16.0
+ args:
+ - --exclude
+ - .pre-commit-config.yaml
+ - icingaagents.yml
+ # For some reason noqa is not being picked up on these files
+ - roles/common/handlers/main.yml
+ - authzkeys.yml
+ # ssp-modules is a bad name for a role
+ - roles/ssp-modules
+
+- repo: https://github.com/python-jsonschema/check-jsonschema
+ rev: 0.28.0
+ hooks:
+ - id: check-github-workflows
+ - id: check-dependabot
diff --git a/.secrets.baseline b/.secrets.baseline
new file mode 100644
index 00000000..9e4ba683
--- /dev/null
+++ b/.secrets.baseline
@@ -0,0 +1,479 @@
+{
+ "version": "1.4.0",
+ "plugins_used": [
+ {
+ "name": "ArtifactoryDetector"
+ },
+ {
+ "name": "AWSKeyDetector"
+ },
+ {
+ "name": "AzureStorageKeyDetector"
+ },
+ {
+ "name": "Base64HighEntropyString",
+ "limit": 4.5
+ },
+ {
+ "name": "BasicAuthDetector"
+ },
+ {
+ "name": "CloudantDetector"
+ },
+ {
+ "name": "DiscordBotTokenDetector"
+ },
+ {
+ "name": "GitHubTokenDetector"
+ },
+ {
+ "name": "HexHighEntropyString",
+ "limit": 3.0
+ },
+ {
+ "name": "IbmCloudIamDetector"
+ },
+ {
+ "name": "IbmCosHmacDetector"
+ },
+ {
+ "name": "JwtTokenDetector"
+ },
+ {
+ "name": "KeywordDetector",
+ "keyword_exclude": ""
+ },
+ {
+ "name": "MailchimpDetector"
+ },
+ {
+ "name": "NpmDetector"
+ },
+ {
+ "name": "PrivateKeyDetector"
+ },
+ {
+ "name": "SendGridDetector"
+ },
+ {
+ "name": "SlackDetector"
+ },
+ {
+ "name": "SoftlayerDetector"
+ },
+ {
+ "name": "SquareOAuthDetector"
+ },
+ {
+ "name": "StripeDetector"
+ },
+ {
+ "name": "TwilioKeyDetector"
+ }
+ ],
+ "filters_used": [
+ {
+ "path": "detect_secrets.filters.allowlist.is_line_allowlisted"
+ },
+ {
+ "path": "detect_secrets.filters.common.is_baseline_file",
+ "filename": ".secrets.baseline"
+ },
+ {
+ "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
+ "min_level": 2
+ },
+ {
+ "path": "detect_secrets.filters.heuristic.is_indirect_reference"
+ },
+ {
+ "path": "detect_secrets.filters.heuristic.is_likely_id_string"
+ },
+ {
+ "path": "detect_secrets.filters.heuristic.is_lock_file"
+ },
+ {
+ "path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string"
+ },
+ {
+ "path": "detect_secrets.filters.heuristic.is_potential_uuid"
+ },
+ {
+ "path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign"
+ },
+ {
+ "path": "detect_secrets.filters.heuristic.is_sequential_string"
+ },
+ {
+ "path": "detect_secrets.filters.heuristic.is_swagger_file"
+ },
+ {
+ "path": "detect_secrets.filters.heuristic.is_templated_secret"
+ }
+ ],
+ "results": {
+ "roles/apache/defaults/main.yml": [
+ {
+ "type": "Secret Keyword",
+ "filename": "roles/apache/defaults/main.yml",
+ "hashed_secret": "de8aa86286dbb8eb74d2748c7b6d4486d0458203",
+ "is_verified": false,
+ "line_number": 19,
+ "is_secret": false
+ }
+ ],
+ "roles/comanage-registry/defaults/main.yml": [
+ {
+ "type": "Secret Keyword",
+ "filename": "roles/comanage-registry/defaults/main.yml",
+ "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
+ "is_verified": false,
+ "line_number": 45,
+ "is_secret": true
+ },
+ {
+ "type": "Secret Keyword",
+ "filename": "roles/comanage-registry/defaults/main.yml",
+ "hashed_secret": "e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4",
+ "is_verified": false,
+ "line_number": 75,
+ "is_secret": true
+ }
+ ],
+ "roles/comanage-registry/templates/core.php.j2": [
+ {
+ "type": "Secret Keyword",
+ "filename": "roles/comanage-registry/templates/core.php.j2",
+ "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
+ "is_verified": false,
+ "line_number": 322,
+ "is_secret": true
+ }
+ ],
+ "roles/federation-registry/defaults/main.yml": [
+ {
+ "type": "Secret Keyword",
+ "filename": "roles/federation-registry/defaults/main.yml",
+ "hashed_secret": "011228a1c7888a9c99379c1e6bce9328ca6153ea",
+ "is_verified": false,
+ "line_number": 14,
+ "is_secret": true
+ },
+ {
+ "type": "Secret Keyword",
+ "filename": "roles/federation-registry/defaults/main.yml",
+ "hashed_secret": "fc4ba7249ac2f9430f9f2de2f8bf2c37c5345fa4",
+ "is_verified": false,
+ "line_number": 16,
+ "is_secret": true
+ },
+ {
+ "type": "Secret Keyword",
+ "filename": "roles/federation-registry/defaults/main.yml",
+ "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
+ "is_verified": false,
+ "line_number": 46,
+ "is_secret": false
+ }
+ ],
+ "roles/keycloak/templates/13.0.0/standalone-ha.xml.j2": [
+ {
+ "type": "Secret Keyword",
+ "filename": "roles/keycloak/templates/13.0.0/standalone-ha.xml.j2",
+ "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
+ "is_verified": false,
+ "line_number": 47,
+ "is_secret": true
+ }
+ ],
+ "roles/keycloak/templates/14.0.0/standalone-ha.xml.j2": [
+ {
+ "type": "Secret Keyword",
+ "filename": "roles/keycloak/templates/14.0.0/standalone-ha.xml.j2",
+ "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
+ "is_verified": false,
+ "line_number": 47,
+ "is_secret": true
+ }
+ ],
+ "roles/keycloak/templates/15.0.2/standalone-ha.xml.j2": [
+ {
+ "type": "Secret Keyword",
+ "filename": "roles/keycloak/templates/15.0.2/standalone-ha.xml.j2",
+ "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
+ "is_verified": false,
+ "line_number": 47,
+ "is_secret": true
+ }
+ ],
+ "roles/openldap/defaults/main.yml": [
+ {
+ "type": "Secret Keyword",
+ "filename": "roles/openldap/defaults/main.yml",
+ "hashed_secret": "e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4",
+ "is_verified": false,
+ "line_number": 28,
+ "is_secret": true
+ }
+ ],
+ "roles/rciam-metrics/defaults/main.yml": [
+ {
+ "type": "Secret Keyword",
+ "filename": "roles/rciam-metrics/defaults/main.yml",
+ "hashed_secret": "e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4",
+ "is_verified": false,
+ "line_number": 84,
+ "is_secret": true
+ },
+ {
+ "type": "Secret Keyword",
+ "filename": "roles/rciam-metrics/defaults/main.yml",
+ "hashed_secret": "a0281cd072cea8e80e7866b05dc124815760b6c9",
+ "is_verified": false,
+ "line_number": 87,
+ "is_secret": true
+ }
+ ],
+ "roles/rciam-oidc-client/defaults/main.yml": [
+ {
+ "type": "Secret Keyword",
+ "filename": "roles/rciam-oidc-client/defaults/main.yml",
+ "hashed_secret": "ea06090a0b9590add823ade2334090fa216acb2b",
+ "is_verified": false,
+ "line_number": 21,
+ "is_secret": true
+ },
+ {
+ "type": "Secret Keyword",
+ "filename": "roles/rciam-oidc-client/defaults/main.yml",
+ "hashed_secret": "4843cf9994fed3db0cf15d935bbc743937c1e692",
+ "is_verified": false,
+ "line_number": 32,
+ "is_secret": false
+ },
+ {
+ "type": "Secret Keyword",
+ "filename": "roles/rciam-oidc-client/defaults/main.yml",
+ "hashed_secret": "a09c557bb9fb354eabbac43eb4053d31e10412b2",
+ "is_verified": false,
+ "line_number": 33,
+ "is_secret": false
+ },
+ {
+ "type": "Secret Keyword",
+ "filename": "roles/rciam-oidc-client/defaults/main.yml",
+ "hashed_secret": "eca7926596fd7cefdcd6912449bd7e63172fb87e",
+ "is_verified": false,
+ "line_number": 34,
+ "is_secret": false
+ },
+ {
+ "type": "Secret Keyword",
+ "filename": "roles/rciam-oidc-client/defaults/main.yml",
+ "hashed_secret": "97cdbdc7feff827efb082a6b6dd2727237cd49fd",
+ "is_verified": false,
+ "line_number": 41,
+ "is_secret": true
+ }
+ ],
+ "roles/ssp-module-proxystatistics/defaults/main.yml": [
+ {
+ "type": "Secret Keyword",
+ "filename": "roles/ssp-module-proxystatistics/defaults/main.yml",
+ "hashed_secret": "e350d5ce0153f3e22d5db21cf2a4eff00f3ee877",
+ "is_verified": false,
+ "line_number": 29,
+ "is_secret": true
+ }
+ ],
+ "roles/ssp-modules/defaults/main.yml": [
+ {
+ "type": "Secret Keyword",
+ "filename": "roles/ssp-modules/defaults/main.yml",
+ "hashed_secret": "0936a636d6995e987e4c3fe4afe7af211ff08a70",
+ "is_verified": false,
+ "line_number": 59,
+ "is_secret": true
+ },
+ {
+ "type": "Secret Keyword",
+ "filename": "roles/ssp-modules/defaults/main.yml",
+ "hashed_secret": "0b874f84abac95c4ee5127ce67333745c6c77098",
+ "is_verified": false,
+ "line_number": 71,
+ "is_secret": true
+ },
+ {
+ "type": "Secret Keyword",
+ "filename": "roles/ssp-modules/defaults/main.yml",
+ "hashed_secret": "e350d5ce0153f3e22d5db21cf2a4eff00f3ee877",
+ "is_verified": false,
+ "line_number": 136,
+ "is_secret": true
+ }
+ ],
+ "roles/ssp/defaults/main.yml": [
+ {
+ "type": "Secret Keyword",
+ "filename": "roles/ssp/defaults/main.yml",
+ "hashed_secret": "35552f5865f33c688eff5f7e958b7074a3ddf3dc",
+ "is_verified": false,
+ "line_number": 79,
+ "is_secret": true
+ },
+ {
+ "type": "Secret Keyword",
+ "filename": "roles/ssp/defaults/main.yml",
+ "hashed_secret": "e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4",
+ "is_verified": false,
+ "line_number": 116,
+ "is_secret": true
+ }
+ ],
+ "roles/ssp/templates/config/authsources-1.14.php.j2": [
+ {
+ "type": "Secret Keyword",
+ "filename": "roles/ssp/templates/config/authsources-1.14.php.j2",
+ "hashed_secret": "6a15c37a5492ec167761a981dc1e4f1fa140747b",
+ "is_verified": false,
+ "line_number": 45,
+ "is_secret": true
+ }
+ ],
+ "roles/ssp/templates/config/authsources-1.17.php.j2": [
+ {
+ "type": "Secret Keyword",
+ "filename": "roles/ssp/templates/config/authsources-1.17.php.j2",
+ "hashed_secret": "6a15c37a5492ec167761a981dc1e4f1fa140747b",
+ "is_verified": false,
+ "line_number": 45,
+ "is_secret": false
+ }
+ ],
+ "roles/ssp/templates/config/authsources-1.18.php.j2": [
+ {
+ "type": "Secret Keyword",
+ "filename": "roles/ssp/templates/config/authsources-1.18.php.j2",
+ "hashed_secret": "6a15c37a5492ec167761a981dc1e4f1fa140747b",
+ "is_verified": false,
+ "line_number": 45,
+ "is_secret": false
+ }
+ ],
+ "roles/ssp/templates/config/authsources-2.php.j2": [
+ {
+ "type": "Secret Keyword",
+ "filename": "roles/ssp/templates/config/authsources-2.php.j2",
+ "hashed_secret": "6a15c37a5492ec167761a981dc1e4f1fa140747b",
+ "is_verified": false,
+ "line_number": 45,
+ "is_secret": false
+ }
+ ],
+ "roles/ssp/templates/config/config-2.php.j2": [
+ {
+ "type": "Secret Keyword",
+ "filename": "roles/ssp/templates/config/config-2.php.j2",
+ "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
+ "is_verified": false,
+ "line_number": 148,
+ "is_secret": true
+ }
+ ],
+ "roles/ssp/templates/metadata/saml20-idp-hosted-1.14.php.j2": [
+ {
+ "type": "Secret Keyword",
+ "filename": "roles/ssp/templates/metadata/saml20-idp-hosted-1.14.php.j2",
+ "hashed_secret": "8b12b590286f9def22f853dd5940480bfd3e619f",
+ "is_verified": false,
+ "line_number": 19,
+ "is_secret": false
+ }
+ ],
+ "roles/ssp/templates/metadata/saml20-idp-hosted-1.17.php.j2": [
+ {
+ "type": "Secret Keyword",
+ "filename": "roles/ssp/templates/metadata/saml20-idp-hosted-1.17.php.j2",
+ "hashed_secret": "8b12b590286f9def22f853dd5940480bfd3e619f",
+ "is_verified": false,
+ "line_number": 20,
+ "is_secret": false
+ }
+ ],
+ "roles/ssp/templates/metadata/saml20-idp-hosted-1.18.php.j2": [
+ {
+ "type": "Secret Keyword",
+ "filename": "roles/ssp/templates/metadata/saml20-idp-hosted-1.18.php.j2",
+ "hashed_secret": "8b12b590286f9def22f853dd5940480bfd3e619f",
+ "is_verified": false,
+ "line_number": 21,
+ "is_secret": false
+ }
+ ],
+ "roles/ssp/templates/metadata/shib13-idp-hosted-1.14.php.j2": [
+ {
+ "type": "Secret Keyword",
+ "filename": "roles/ssp/templates/metadata/shib13-idp-hosted-1.14.php.j2",
+ "hashed_secret": "8b12b590286f9def22f853dd5940480bfd3e619f",
+ "is_verified": false,
+ "line_number": 19,
+ "is_secret": false
+ }
+ ],
+ "roles/ssp/templates/metadata/shib13-idp-hosted-1.17.php.j2": [
+ {
+ "type": "Secret Keyword",
+ "filename": "roles/ssp/templates/metadata/shib13-idp-hosted-1.17.php.j2",
+ "hashed_secret": "8b12b590286f9def22f853dd5940480bfd3e619f",
+ "is_verified": false,
+ "line_number": 20,
+ "is_secret": false
+ }
+ ],
+ "roles/ssp/vars/main.yml": [
+ {
+ "type": "Secret Keyword",
+ "filename": "roles/ssp/vars/main.yml",
+ "hashed_secret": "8c07302345e837d007eecc23871809d291b9bac1",
+ "is_verified": false,
+ "line_number": 3,
+ "is_secret": true
+ },
+ {
+ "type": "Secret Keyword",
+ "filename": "roles/ssp/vars/main.yml",
+ "hashed_secret": "8152bc582f58c854f580cb101d3182813dec4afe",
+ "is_verified": false,
+ "line_number": 4,
+ "is_secret": true
+ }
+ ],
+ "secrets.yml": [
+ {
+ "type": "Secret Keyword",
+ "filename": "secrets.yml",
+ "hashed_secret": "8b16dae36b11d73264c343f2a5d84c8b6d87c99b",
+ "is_verified": false,
+ "line_number": 7,
+ "is_secret": false
+ },
+ {
+ "type": "Secret Keyword",
+ "filename": "secrets.yml",
+ "hashed_secret": "99689e42a4cfd02871e085b5af75fdfe3ac04ccf",
+ "is_verified": false,
+ "line_number": 8,
+ "is_secret": false
+ },
+ {
+ "type": "Secret Keyword",
+ "filename": "secrets.yml",
+ "hashed_secret": "54053db99b49b4cc046f7b4854a80de3d6dfae71",
+ "is_verified": false,
+ "line_number": 78,
+ "is_secret": true
+ }
+ ]
+ },
+ "generated_at": "2024-03-28T14:50:35Z"
+}
diff --git a/ansible.cfg b/ansible.cfg
index 4cc0e3e5..42943103 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -6,7 +6,7 @@ remote_user = root
# Alternatively, connect as user with sudo privileges
#remote_user = bob
#[privilege_escalation]
-#become_ask_pass = True
+#become_ask_pass = True
# The comment inserted into files written by Ansible’s config templating system
#ansible_managed = Ansible managed: Modified on %Y-%m-%d %H:%M:%S by {uid} on {host}
@@ -16,13 +16,13 @@ stdout_callback = yaml
[ssh_connection]
# Reduce the number of SSH operations required to execute a module on the remote
-# server to improve performance.
+# server to improve performance.
# Note: When using “sudo:” operations you must first disable ‘requiretty’ in
# /etc/sudoers on all managed hosts.
# See also http://docs.ansible.com/ansible/intro_configuration.html#pipelining
pipelining = True
-# Increase the ControlPersist time to encourage performance. A value of 30
-# minutes should be appropriate.
+# Increase the ControlPersist time to encourage performance. A value of 30
+# minutes should be appropriate.
# See also http://docs.ansible.com/ansible/intro_configuration.html#ssh-args
ssh_args = -o ControlMaster=auto -o ControlPersist=1800s
diff --git a/apiservers.yml b/apiservers.yml
index f90f145f..090374c9 100644
--- a/apiservers.yml
+++ b/apiservers.yml
@@ -1,13 +1,13 @@
# file: apiservers.yml
#
---
-
-- hosts: api
+- name: Deploy API servers
+ hosts: api
roles:
- # ansible-galaxy install geerlingguy.nodejs
- - { role: geerlingguy.nodejs, become: yes }
- # ansible-galaxy install Oefenweb.yarn
- - { role: Oefenweb.yarn, become: yes }
+ - role: geerlingguy.nodejs
+ become: true
+ - role: Oefenweb.yarn
+ become: true
vars:
nodejs_version: "10.x"
nodejs_npm_global_packages:
@@ -25,51 +25,54 @@
gecos: "RCIAM COmanage Registry API Server,,,"
shell: /bin/bash
home: /srv/comanage-registry-simple-membership-api
-
+
tasks:
- name: Ensure RCIAM API dependencies are installed
- apt:
- name:
- - git
+ become: true
+ ansible.builtin.apt:
+ name: git
state: present
- install_recommends: no
- update_cache: yes
+ install_recommends: false
+ update_cache: true
cache_valid_time: 86400
- become: yes
+
- name: Ensure RCIAM COmanage Registry API group exists
- group:
+ become: true
+ ansible.builtin.group:
name: "{{ rciam_api.user.group }}"
- system: yes
- become: yes
+ system: true
- name: Ensure RCIAM COmanage Registry API user exists
- user:
+ become: true
+ ansible.builtin.user:
name: "{{ rciam_api.user.name }}"
groups: "{{ rciam_api.user.group }}"
- comment: "{{ rciam_api.user.gecos }}"
+ comment: "{{ rciam_api.user.gecos }}"
shell: "{{ rciam_api.user.shell }}"
home: "{{ rciam_api.user.home }}"
- system: yes
- create_home: yes
+ system: true
+ create_home: true
skeleton: "/empty"
- become: yes
+
- name: Ensure RCIAM COmanage Registry API code checkout directory exists
- file:
+ become: true
+ ansible.builtin.file:
path: "{{ rciam_api.path }}"
owner: "{{ rciam_api.user.name }}"
group: "{{ rciam_api.user.group }}"
state: directory
- become: yes
+ mode: "0775"
+
- name: Ensure RCIAM COmanage Registry API code checkout is up-to-date
- git:
+ become: true
+ become_user: "{{ rciam_api.user.name }}"
+ ansible.builtin.git:
repo: "{{ rciam_api.repo_url }}"
dest: "{{ rciam_api.path }}"
version: "{{ rciam_api.repo_version }}"
- become: yes
- become_user: "{{ rciam_api.user.name }}"
notify: Restart RCIAM COmanage Registry API processes
# TODO- name: Ensure RCIAM COmanage Registry API current symlink to code checkout directory exists
@@ -82,52 +85,55 @@
# become: yes
- name: Ensure RCIAM COmanage Registry API is configured
- template:
+ become: true
+ ansible.builtin.template:
src: "{{ playbook_dir }}/templates/comanage-registry-simple-membership-api/settings.js.j2"
dest: "{{ rciam_api.path }}/settings.js"
owner: "{{ rciam_api.user.name }}"
group: "{{ rciam_api.user.group }}"
- mode: 0400
- backup: yes
- become: yes
+ mode: "0400"
+ backup: true
notify: Restart RCIAM COmanage Registry API processes
- name: Ensure RCIAM COmanage Registry API packages are installed
- yarn:
- path: "{{ rciam_api.path }}"
- production: yes
- become: yes
+ become: true
become_user: "{{ rciam_api.user.name }}"
+ community.general.yarn:
+ path: "{{ rciam_api.path }}"
+ production: true
handlers:
-
- name: Delete existing RCIAM COmanage Registry API pm2 processes if running
- command:
+ become: true
+ become_user: "{{ rciam_api.user.name }}"
+ ansible.builtin.command: # noqa: no-changed-when
cmd: "/usr/local/lib/npm/bin/pm2 delete {{ rciam_api.name }}"
chdir: "{{ rciam_api.path }}"
- ignore_errors: yes
- become: yes
- become_user: "{{ rciam_api.user.name }}"
+ ignore_errors: true # noqa: ignore-errors
+ # failed_when: # Add acceptable failure conditions
listen: Restart RCIAM COmanage Registry API processes
- name: Ensure RCIAM COmanage Registry API pm2 processes are running
- command:
+ become: true
+ become_user: "{{ rciam_api.user.name }}"
+ ansible.builtin.command: # noqa: no-changed-when
cmd: "/usr/local/lib/npm/bin/pm2 start server.js -i 2 --name {{ rciam_api.name }}"
chdir: "{{ rciam_api.path }}"
- become: yes
- become_user: "{{ rciam_api.user.name }}"
+ # changed_when: # Add acceptable change conditions to ensure idempotency
listen: Restart RCIAM COmanage Registry API processes
- name: Ensure RCIAM COmanage Registry API init script exists
- command:
+ become: true
+ ansible.builtin.command: # noqa: no-changed-when
cmd: "/usr/local/lib/npm/lib/node_modules/pm2/bin/pm2 startup systemd -u {{ rciam_api.user.name }} --hp {{ rciam_api.user.home }}"
- become: yes
+ # changed_when: # Add acceptable change conditions to ensure idempotency
listen: Restart RCIAM COmanage Registry API processes
-
+
- name: Ensure RCIAM COmanage Registry API process list is saved
- command:
+ become: true
+ become_user: "{{ rciam_api.user.name }}"
+ ansible.builtin.command: # noqa: no-changed-when
cmd: "/usr/local/lib/npm/lib/node_modules/pm2/bin/pm2 save"
chdir: "{{ rciam_api.path }}"
- become: yes
- become_user: "{{ rciam_api.user.name }}"
listen: Restart RCIAM COmanage Registry API processes
+ # changed_when: # Add acceptable change conditions to ensure idempotency
diff --git a/attrauthservers.yml b/attrauthservers.yml
index 3915054c..dee34936 100644
--- a/attrauthservers.yml
+++ b/attrauthservers.yml
@@ -1,9 +1,11 @@
+# filename: attrauthservers.yml
+# Deploys attribute authority servers
---
-
-- hosts: attrauth
+- name: Deploy Attribute Authority Servers
+ hosts: attrauth
roles:
- apache
- php
- shibboleth-sp
- comanage-registry
- #- cm-role-ui
+ # - cm-role-ui
diff --git a/authservers.yml b/authservers.yml
index fa83360a..343a2c1f 100644
--- a/authservers.yml
+++ b/authservers.yml
@@ -1,6 +1,8 @@
---
-
-- hosts: authservers
+# File: authservers.yml
+# Deployes authentication servers
+- name: Deploy authentication servers
+ hosts: authservers
roles:
- common
- ssp
diff --git a/authzkeys.yml b/authzkeys.yml
index fd8f8916..68918514 100644
--- a/authzkeys.yml
+++ b/authzkeys.yml
@@ -1,7 +1,7 @@
# file: authzkeys.yml
#
# Playbook for managing SSH authorized keys in ~/.ssh/authorized_keys.
-#
+#
# The `authz_keys_paths` variable needs to be defined to specify the paths
# to files containing the public keys. You can include keys based on matching
# files or specifying individual paths.
@@ -15,26 +15,27 @@
# authz_keys_paths:
# - "{{ inventory_dir }}/files/authorized_keys/devs/alice.pub"
# - "{{ inventory_dir }}/files/authorized_keys/ops/bob.pub"
-#
+#
# N.B. The playbook will *remove* all other non-specified keys from the
# authorized_keys file. Defining authz_keys_paths as an empty list
# will result in an *empty* authorized_keys file
#
---
-
-- hosts: all
-
+- name: Create authorized keys
+ hosts: all
tasks:
-
- - set_fact:
+ - name: Set list fact
+ ansible.builtin.set_fact:
authzkeys_list: "{{ lookup('file', item) }}"
register: authzkeys
with_fileglob: "{{ authz_keys_paths }}"
- - set_fact:
+ - name: Set string fact
+ ansible.builtin.set_fact:
authzkeys_string: "{{ authzkeys.results | map(attribute='ansible_facts.authzkeys_list') | join('\n') }}"
- - ansible.posix.authorized_key:
+ - name: Create key
+ ansible.posix.authorized_key: # noqa syntax-check[unknown-module]
user: "{{ ansible_user }}"
key: "{{ authzkeys_string }}"
exclusive: true
diff --git a/cacheservers.yml b/cacheservers.yml
index cfd9dcf5..5781edc2 100644
--- a/cacheservers.yml
+++ b/cacheservers.yml
@@ -1,5 +1,6 @@
---
-
-- hosts: cache
+# cacheservers.yml
+- name: Provision Cache Servers
+ hosts: cache
roles:
- memcached
diff --git a/cert2samlservers.yml b/cert2samlservers.yml
index 35d12838..6e9b22e5 100644
--- a/cert2samlservers.yml
+++ b/cert2samlservers.yml
@@ -1,8 +1,8 @@
# file: cert2samlservers.yml
-#
+#
---
-
-- hosts: cert2saml
+- name: Deploy Certificate to SML servers
+ hosts: cert2saml
roles:
- { role: apache, tags: apache }
- { role: php, tags: php }
diff --git a/cmrolesuiservers.yml b/cmrolesuiservers.yml
index 182cd548..4cbe790e 100644
--- a/cmrolesuiservers.yml
+++ b/cmrolesuiservers.yml
@@ -1,11 +1,10 @@
# file: cmrolesuiservers.yml
-
---
-
-- hosts: registry
+- name: Deploy Comanage registry UI
+ hosts: registry
roles:
- { role: git, tags: git }
- { role: apache, tags: apache }
- { role: php, tags: php }
- { role: shibboleth-sp, tags: shibboleth-sp }
- - { role: cm-role-ui, tags: cm-role-ui }
\ No newline at end of file
+ - { role: cm-role-ui, tags: cm-role-ui }
diff --git a/config/PLACEHOLDER/secrets_env.yml.PLACEHOLDER b/config/PLACEHOLDER/secrets_env.yml.PLACEHOLDER
index d17addec..d83c816b 100644
--- a/config/PLACEHOLDER/secrets_env.yml.PLACEHOLDER
+++ b/config/PLACEHOLDER/secrets_env.yml.PLACEHOLDER
@@ -43,7 +43,7 @@ ssp_authsources_saml:
ssp_idp_hosts:
# The entity ID should be a URI. It can also be specified as `__DYNAMIC:1__`,
- # `__DYNAMIC:2__`, ... in which case, the entity ID will be generated
+ # `__DYNAMIC:2__`, ... in which case, the entity ID will be generated
# automatically.
- entity_id: "__DYNAMIC:1__"
# The hostname for this IdP. One of the IdPs can also have its `host` set
@@ -92,5 +92,3 @@ vault_ssp_idp_hosts:
- entity_id: "__DYNAMIC:2__"
ssl_certificate_key: |
idp_key_CHANGEME
-
-
diff --git a/d4science2samlservers.yml b/d4science2samlservers.yml
index a28206cd..b567a63d 100644
--- a/d4science2samlservers.yml
+++ b/d4science2samlservers.yml
@@ -1,22 +1,28 @@
# file: d4science2samlservers.yml
-#
+#
---
-
-- hosts: d4science2saml
+- name: Deploy D4Science servers
+ hosts: d4science2saml
roles:
# - { role: apache, tags: apache }
# - { role: php, tags: php }
- { role: ssp, tags: ssp }
- { role: ssp-modules, tags: ssp-modules }
tasks:
- - name: Install Keycloak Provicer library v2.2.2
- shell: php composer.phar require stevenmaguire/oauth2-keycloak:v2.2.2 --ignore-platform-reqs --no-interaction --no-scripts --no-update
+ # Keycloak provider library version should be a variable.
+ - name: Install Keycloak Provider library v2.2.2
+ ansible.builtin.shell: |-
+ php composer.phar require stevenmaguire/oauth2-keycloak:v2.2.2 \
+ --ignore-platform-reqs \
+ --no-interaction \
+ --no-scripts \
+ --no-update
args:
chdir: "{{ ssp_path }}/"
executable: /bin/bash
register: composer_results
changed_when: composer_results is changed and "Nothing to install, update or remove" not in composer_results.stderr
- when: ssp_mods_extra_enabled | selectattr('name','equalto','authoauth2') | list | count > 0
+ when: ssp_mods_extra_enabled | selectattr('name', 'equalto', 'authoauth2') | list | count > 0
become: true
tags:
- install
diff --git a/dbservers.yml b/dbservers.yml
index f28fd914..5f8f1087 100644
--- a/dbservers.yml
+++ b/dbservers.yml
@@ -1,5 +1,6 @@
---
-
-- hosts: db
+# dbservers.yml
+- name: Provision Database servers
+ hosts: db
roles:
- postgresql
diff --git a/deep2samlservers.yml b/deep2samlservers.yml
index f3df69b7..a4c5e657 100644
--- a/deep2samlservers.yml
+++ b/deep2samlservers.yml
@@ -1,8 +1,8 @@
# file: deep2samlservers.yml
-#
+#
---
-
-- hosts: deep2saml
+- name: Provision Deep2saml servers
+ hosts: deep2saml
roles:
# - { role: apache, tags: apache }
# - { role: php, tags: php }
@@ -10,13 +10,19 @@
- { role: ssp-modules, tags: ssp-modules }
tasks:
- name: Install SSP mod authoauth2 v3.1.0
- shell: php composer.phar require cirrusidentity/simplesamlphp-module-authoauth2:v3.1.0 --ignore-platform-reqs --no-interaction --no-scripts
+ ansible.builtin.shell: >
+ set -o pipefail
+ php composer.phar \
+ require cirrusidentity/simplesamlphp-module-authoauth2:v3.1.0 \
+ --ignore-platform-reqs \
+ --no-interaction \
+ --no-scripts
args:
chdir: "{{ ssp_path }}/"
executable: /bin/bash
register: composer_results
changed_when: composer_results is changed and "Nothing to install, update or remove" not in composer_results.stderr
- when: ssp_mods_extra_enabled | selectattr('name','equalto','authoauth2') | list | count > 0
+ when: ssp_mods_extra_enabled | selectattr('name', 'equalto', 'authoauth2') | list | count > 0
become: true
tags:
- install
diff --git a/egi-igtf.yml b/egi-igtf.yml
index 64f582ec..aeebaa33 100644
--- a/egi-igtf.yml
+++ b/egi-igtf.yml
@@ -1,5 +1,6 @@
---
-
-- hosts: all
+# egi-igtf.yml
+- name: Provision EGI-IGTF certs
+ hosts: all
roles:
- - egi-igtf
+ - egi-igtf
diff --git a/federation-registry.yml b/federation-registry.yml
index 25166652..532d3889 100644
--- a/federation-registry.yml
+++ b/federation-registry.yml
@@ -1,8 +1,14 @@
---
-- hosts: federation-registry
- become: yes
+- name: Provision Federation Registry
+ hosts: federation-registry
+ become: true
roles:
- - {role: federation-registry, task: configure-environment}
- - {role: federation-registry, task: postgres,tags: ['never','postgres']}
- - {role: federation-registry, task: configure-ams}
- - {role: federation-registry, task: deploy}
+ - role: federation-registry
+ task: configure-environment
+ - role: federation-registry
+ task: postgres
+ tags: ['never', 'postgres']
+ - role: federation-registry
+ task: configure-ams
+ - role: federation-registry
+ task: deploy
diff --git a/fedregagents.yml b/fedregagents.yml
index 49bdf97f..f588d9dd 100644
--- a/fedregagents.yml
+++ b/fedregagents.yml
@@ -1,16 +1,13 @@
---
-
-# This playbook deploy the RCIAM federation registry agent.
-
-
+# This playbook deploys the RCIAM federation registry agent.
- name: RCIAM federation registry agent demo
hosts: fedreg_agents_demo
roles:
- - { role: fedreg-agent, tags: agent_demo }
-
+ - role: fedreg-agent
+ tags: agent_demo
- name: RCIAM federation registry agent production
hosts: fedreg_agents_prod
roles:
- - { role: fedreg-agent, tags: agent_prod }
-
+ - role: fedreg-agent
+ tags: agent_prod
diff --git a/firewallservers.yml b/firewallservers.yml
index 4f4344a2..2809afb1 100644
--- a/firewallservers.yml
+++ b/firewallservers.yml
@@ -1,7 +1,8 @@
# file: firewallservers.yml
#
---
-
-- hosts: all
+- name: Deploy Firewall
+ hosts: all
roles:
- - { role: ipr-cnrs.nftables, become: yes }
+ - role: ipr-cnrs.nftables
+ become: true
diff --git a/google2samlservers.yml b/google2samlservers.yml
index f823060b..69e2fac1 100644
--- a/google2samlservers.yml
+++ b/google2samlservers.yml
@@ -1,22 +1,30 @@
# file: google2samlservers.yml
-#
+#
---
-
-- hosts: google2saml
+- name: Provision Google2Samle hosts
+ hosts: google2saml
roles:
# - { role: apache, tags: apache }
# - { role: php, tags: php }
- - { role: ssp, tags: ssp }
- - { role: ssp-modules, tags: ssp-modules }
+ - role: ssp
+ tags: ssp
+ - role: ssp-modules
+ tags: ssp-modules
tasks:
- name: Install modules using composer
- shell: php composer.phar require cirrusidentity/simplesamlphp-module-authoauth2:v3.1.0 league/oauth2-google --ignore-platform-reqs --no-interaction --no-scripts
+ ansible.builtin.shell: >
+ php composer.phar
+ require cirrusidentity/simplesamlphp-module-authoauth2:v3.1.0
+ league/oauth2-google
+ --ignore-platform-reqs
+ --no-interaction
+ --no-scripts
args:
chdir: "{{ ssp_path }}/"
executable: /bin/bash
register: composer_results
changed_when: composer_results is changed and "Nothing to install, update or remove" not in composer_results.stderr
- when: ssp_mods_extra_enabled | selectattr('name','equalto','authoauth2') | list | count > 0
+ when: ssp_mods_extra_enabled | selectattr('name', 'equalto', 'authoauth2') | list | count > 0
become: true
tags:
- install
diff --git a/inventories/example/group_vars/authservers.yml b/inventories/example/group_vars/authservers.yml
index 676c7e1d..f4e6632a 100644
--- a/inventories/example/group_vars/authservers.yml
+++ b/inventories/example/group_vars/authservers.yml
@@ -16,7 +16,7 @@ ssp_alias: proxy
# Select where to store session information:
# `phpsession` Uses the built-in session management in PHP (default).
-# `memcache` Uses memcached to cache sessions in memory.
+# `memcache` Uses memcached to cache sessions in memory.
# Sessions can be distributed and replicated among several
# memcached servers, enabling both load-balancing and fail-over.
# `sql` Stores session information in a SQL database (WIP).
@@ -74,7 +74,7 @@ ssp_authsources_saml:
# Whether logout requests and logout responses received received by
# this SP should be validated. Default is false.
redirect_validate: true
- # Whether to sign authentication requests sent from this SP. Default is
+ # Whether to sign authentication requests sent from this SP. Default is
# false.
sign_authnrequest: true
# Whether to sign logout messages sent from this SP. Default is false.
@@ -118,7 +118,7 @@ ssp_authsources_saml:
attribute_values:
- "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"
- "http://refeds.org/category/research-and-scholarship"
- # Optional list of contacts in addition to the technical contact configured
+ # Optional list of contacts in addition to the technical contact configured
# through config/config.php
contacts:
# The type of contact. The possible values are `technical`, `support`,
@@ -136,7 +136,7 @@ ssp_authsources_saml:
#telephone_numbers: "+31(0)12345678"
# List of attributes this SP requests from the IdP. This list will be added
# to the generated metadata.
- # The attributes will be added without a `NameFormat` by default. Use the
+ # The attributes will be added without a `NameFormat` by default. Use the
# name_format option to specify the `NameFormat` for the attributes.
attributes:
name_format: "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
@@ -153,7 +153,7 @@ ssp_authsources_saml:
mail: "urn:oid:0.9.2342.19200300.100.1.3"
#eduPersonEntitlement: "urn:oid:1.3.6.1.4.1.5923.1.1.1.7"
#eduPersonAssurance: "urn:oid:1.3.6.1.4.1.5923.1.1.1.11"
- # The format of the NameID we request from the IdP. Defaults to the
+ # The format of the NameID we request from the IdP. Defaults to the
# transient format if unspecified.
#name_id_policy: "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
@@ -165,7 +165,7 @@ ssp_idp_shib13_enabled: false
# Hosted IdP metadata
ssp_idp_hosts:
# The entity ID should be a URI. It can also be specified as `__DYNAMIC:1__`,
- # `__DYNAMIC:2__`, ... in which case, the entity ID will be generated
+ # `__DYNAMIC:2__`, ... in which case, the entity ID will be generated
# automatically.
- entity_id: "__DYNAMIC:1__"
# The hostname for this IdP. One of the IdPs can also have its `host` set
@@ -189,7 +189,7 @@ ssp_idp_hosts:
redirect_validate: true
# The authentication source to be used to authenticate users on this IdP.
auth: sso
- # Optional list of contacts in addition to the technical contact configured
+ # Optional list of contacts in addition to the technical contact configured
# through config/config.php
contacts:
# The type of contact. The possible values are `technical`, `support`,
@@ -205,20 +205,20 @@ ssp_idp_hosts:
email_address: "bob.builder@aai.example.eu"
# Optional telephone number of the contact person.
#telephone_numbers: "+31(0)12345678"
- # A list with scopes for this IdP. The scopes will be added to the
+ # A list with scopes for this IdP. The scopes will be added to the
# generated XML metadata. A scope can either be a domain name or a regular
# expression matching a number of domains.
scopes:
- example.eu
# Localised names of the organisation responsible for this IdP.
- organization_name:
+ organization_name:
en: Example.eu
# Localised user-friendly names of the organisation responsible for this
# IdP.
- organization_display_name:
+ organization_display_name:
en: Example.eu
# Localised URLs of the organisation responsible for this IdP.
- organization_url:
+ organization_url:
en: "https://www.example.eu/"
# SAML V2.0 Metadata Extensions for Login and Discovery
# UIInfo Items
@@ -255,7 +255,7 @@ ssp_idp_hosts:
privacy_statement_url:
en: "https://aai.example.eu/privacy/en"
# DiscoHints items
- # List of IPv4 and IPv6 addresses in CIDR notation serviced by or
+ # List of IPv4 and IPv6 addresses in CIDR notation serviced by or
# associated with this IdP.
#ip_hints:
# - "83.212.96.0/19"
@@ -286,41 +286,41 @@ ssp_idp_hosts:
# from authentication sources.
authproc:
- "89":
- # Maps attribute OIDs to names.
+ # Maps attribute OIDs to names.
class: "core:AttributeMap"
oid2name:
- "90":
# Requires `consent` in `ssp_mods_enabled`.
class: "consent:Consent"
- # The Consent storage backend. Currently only `consent:Cookie` is
+ # The Consent storage backend. Currently only `consent:Cookie` is
# supported. This option is optional. If omitted, the user is still
# asked to consent, but the decision is not saved.
store: "consent:Cookie"
# Optional flag that indicates whether the values of the attributes
# should be used in calculating the unique hashes that identify the
- # consent. If includeValues is set and the value of an attribute
+ # consent. If includeValues is set and the value of an attribute
# changes, then the consent becomes invalid. Defaults to false.
includeValues: true
- # Optional flag that indicates whether the "Remember" consent
+ # Optional flag that indicates whether the "Remember" consent
# checkbox is checkd by default. Defaults to false.
#checked: false
# Indicates whether the "Yes" or "No" button is in fucus by default.
- # This option is optional and can take the value 'yes' or 'no'.
+ # This option is optional and can take the value 'yes' or 'no'.
# If omitted, neither will recive focus.
focus: "no"
# Optional list of attributes whose values should be hidden.
# Default behaviour is that all attribute values are shown.
#hiddenAttributes:
- "91":
- # Maps attribute names to OIDs.
+ # Maps attribute names to OIDs.
# Usually combined with SAML:2.0:attrname-format:uri
class: "core:AttributeMap"
name2oid:
extra_parameters: |
'attributeencodings' => array(
// eduPersonTargetedID with oid NameFormat.
- 'urn:oid:1.3.6.1.4.1.5923.1.1.1.10' => 'raw',
- ),
+ 'urn:oid:1.3.6.1.4.1.5923.1.1.1.10' => 'raw',
+ ),
# List of SSP modules to enable
ssp_mods_enabled:
@@ -329,11 +329,11 @@ ssp_mods_enabled:
- discopower
- consent
- smartattributes
- - memcacheMonitor
+ - memcacheMonitor
#- authfacebook
# Configuration options for automated SAML metadata management.
-# Requires `metarefresh` and `cron` modules in `ssp_mods_enabled`.
+# Requires `metarefresh` and `cron` modules in `ssp_mods_enabled`.
#
# Global blacklist: Optional list of entityIDs that should be excluded from ALL
# metadata sets.
@@ -349,7 +349,7 @@ ssp_mod_metarefresh_sets:
sources:
# The URL where the metadata will be fetched from.
- url: "https://md.aai.example.eu/aggregates/edugain-metadata.xml"
- # The fingerprint of the certificate used to sign the metadata.
+ # The fingerprint of the certificate used to sign the metadata.
# You can omit this option if you don't want to validate the signature
# on the metadata.
#validate_fingerprint: "59:1D:4B:46:70:46:3E:ED:A9:1F:CC:81:6D:C0:AF:2A:09:2A:A8:01"
@@ -411,4 +411,3 @@ apache_vhosts_ssl:
Require all granted
-
diff --git a/inventories/example/group_vars/cacheservers.yml b/inventories/example/group_vars/cacheservers.yml
index dcff113f..a4426aec 100644
--- a/inventories/example/group_vars/cacheservers.yml
+++ b/inventories/example/group_vars/cacheservers.yml
@@ -3,12 +3,12 @@
#
# See memcached default values in roles/memcached/defaults/main.yml
#
-# Log verbosity levels:
+# Log verbosity levels:
# `""` Don't log anything (Default)
# `-v` Be verbose during the event loop; print out errors and warnings.
# `-vv` Be even more verbose; same as -v but also print client commands and
# responses.
-# `-vvv` Be extremely verbose; same as -vv but also print internal state
+# `-vvv` Be extremely verbose; same as -vv but also print internal state
# transitions.
#memcached_log_verbosity: ""
diff --git a/keycloakservers.yml b/keycloakservers.yml
index 69b820b3..ff15b034 100644
--- a/keycloakservers.yml
+++ b/keycloakservers.yml
@@ -1,7 +1,7 @@
# file: keycloakservers.yml
#
---
-
-- hosts: keycloak
+- name: Provision keycloak
+ hosts: keycloak
roles:
- - keycloak
\ No newline at end of file
+ - keycloak
diff --git a/logrotateservers.yml b/logrotateservers.yml
index bc9e4170..43b7cc88 100644
--- a/logrotateservers.yml
+++ b/logrotateservers.yml
@@ -1,7 +1,7 @@
# file: logrotateservers.yml
#
---
-
-- hosts: all
+- name: Deploy logrotate
+ hosts: all
roles:
- { role: arillso.logrotate, tags: logrotate }
diff --git a/metricsservers.yml b/metricsservers.yml
index 919c3de9..ddcf5530 100644
--- a/metricsservers.yml
+++ b/metricsservers.yml
@@ -2,6 +2,7 @@
#
---
-- hosts: rciam-metrics
+- name: Deploy Metrics Servers
+ hosts: rciam-metrics
roles:
- { role: rciam-metrics, tags: rciam-metrics }
diff --git a/monservers.yml b/monservers.yml
index c7e0c4de..cd4620de 100644
--- a/monservers.yml
+++ b/monservers.yml
@@ -1,14 +1,13 @@
#
---
-- hosts: monservers
-
+- name: Deploy monitoring servers
+ hosts: monservers
vars:
extra_yum_repositories:
- "https://dl.fedoraproject.org/pub/epel/epel-release-latest-{{ ansible_distribution_major_version }}.noarch.rpm"
extra_yum_keys:
- "/etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-{{ ansible_distribution_major_version }}"
-
roles:
- { role: apache, tags: apache }
- { role: php, tags: php }
@@ -16,7 +15,7 @@
tasks:
- name: Ensure Repositories are installed (RedHat)
- yum:
+ ansible.builtin.yum:
name: "{{ item }}"
state: present
loop: "{{ extra_yum_repositories }}"
@@ -27,7 +26,7 @@
- never
- name: Import repositories GPG key (RedHat).
- rpm_key:
+ ansible.builtin.rpm_key:
key: "{{ item }}"
state: present
loop: "{{ extra_yum_keys }}"
@@ -38,9 +37,9 @@
- never
- name: Upgrade all
- yum:
+ ansible.builtin.yum:
name: '*'
- state: latest
+ state: latest # noqa package-latest
update_cache: true
become: true
when: ansible_os_family == 'RedHat'
@@ -49,7 +48,7 @@
- upgrade
- name: Ensure common packages are installed (RedHat)
- yum:
+ ansible.builtin.yum:
name: "{{ item }}"
state: present
update_cache: true
@@ -59,36 +58,38 @@
- ca-certificates
- vim-enhanced
- yum-utils
- become: yes
+ become: true
when: ansible_os_family == 'RedHat'
tags:
- common
- never
- - name: Configure timezone
- timezone:
+ - name: Configure timezone # noqa syntax-check[unknown-module]
+ community.general.timezone:
name: "{{ timezone }}"
- become: yes
+ become: true
notify: restart crond
tags:
- common
- never
- name: Register private connection uuid (RedHat)
- command: "nmcli -g GENERAL.CON-UUID d show {{item}}"
+ ansible.builtin.command: "nmcli -g GENERAL.CON-UUID d show {{ item }}"
loop: "{{ firewall_private_interfaces | default([]) }}"
register: firewall_private_uuids
when: ansible_os_family == 'RedHat'
+ changed_when: false
tags: firewall
- name: Set zone internal to connections on network managed private interfaces (RedHat)
- command: "nmcli connection modify {{ item.stdout }} connection.zone internal"
+ ansible.builtin.command: "nmcli connection modify {{ item.stdout }} connection.zone internal"
loop: "{{ firewall_private_uuids.results }}"
+ changed_when: false
when: ansible_os_family == 'RedHat'
tags: firewall
- name: Clear firewall state (RedHat)
- file:
+ ansible.builtin.file:
path: "{{ item }}"
state: absent
loop:
@@ -103,7 +104,7 @@
notify: restart firewall
- name: Add default services to public zone (RedHat)
- firewalld:
+ ansible.posix.firewalld:
zone: public
service: "{{ item }}"
permanent: true
@@ -115,35 +116,39 @@
when: ansible_os_family == 'RedHat'
notify: restart firewall
- - meta: flush_handlers
+ - name: Flush handlers
+ ansible.builtin.meta: flush_handlers
when: ansible_os_family == 'RedHat'
- name: Create firewall new zones (RedHat)
- command: firewall-cmd --permanent --new-zone="{{ item }}"
+ ansible.builtin.command: firewall-cmd --permanent --new-zone="{{ item }}"
loop: "{{ firewall_zones | default([]) }}"
notify: restart firewall
tags: firewall
when: ansible_os_family == 'RedHat'
- ignore_errors: true
+ ignore_errors: true # noqa ignore-errors
+ changed_when: false
- name: Create firewall new services (RedHat)
- command: firewall-cmd --permanent --new-service="{{item.name}}"
+ ansible.builtin.command: firewall-cmd --permanent --new-service="{{ item.name }}"
loop: "{{ firewall_services | default([]) }}"
notify: restart firewall
tags: firewall
when: ansible_os_family == 'RedHat'
- ignore_errors: true
+ ignore_errors: true # noqa ignore-errors
+ changed_when: false
- name: Add port to services (RedHat)
- command: firewall-cmd --permanent --service="{{ item.name }}" --add-port={{ item.port }}
+ ansible.builtin.command: firewall-cmd --permanent --service="{{ item.name }}" --add-port={{ item.port }}
loop: "{{ firewall_services | default([]) }}"
notify: restart firewall
tags: firewall
when: ansible_os_family == 'RedHat'
- ignore_errors: true
+ ignore_errors: true # noqa ignore-errors
+ changed_when: false
- name: Firewall add services to zones (RedHat)
- firewalld:
+ ansible.posix.firewalld:
zone: "{{ item.zone }}"
service: "{{ item.service }}"
permanent: true
@@ -154,7 +159,7 @@
notify: restart firewall
- name: Add sources to zones (RedHat)
- firewalld:
+ ansible.posix.firewalld:
zone: "{{ item.zone }}"
source: "{{ item.source }}"
permanent: true
@@ -165,7 +170,7 @@
notify: restart firewall
- name: Add interfaces to zones (RedHat)
- firewalld:
+ ansible.posix.firewalld:
zone: "{{ item.zone }}"
interface: "{{ item.interface }}"
permanent: true
@@ -176,16 +181,17 @@
notify: restart firewall
handlers:
- - name: reload firewall
- command: "firewall-cmd --reload"
+ - name: Reload firewall
+ ansible.builtin.command: "firewall-cmd --reload"
+ changed_when: false
- - name: restart firewall
- service:
+ - name: Restart firewall
+ ansible.builtin.service:
name: firewalld
state: restarted
- - name: restart crond
- service:
+ - name: Restart crond
+ ansible.builtin.service:
name: crond
state: restarted
- become: yes
+ become: true
diff --git a/oauth2samlservers.yml b/oauth2samlservers.yml
index ea03cc9e..158b4460 100644
--- a/oauth2samlservers.yml
+++ b/oauth2samlservers.yml
@@ -1,21 +1,29 @@
# file: oauth2samlservers.yml
-#
+#
---
-- hosts: oauth2saml
+- name: Deploy Oauth2Saml
+ hosts: oauth2saml
roles:
- { role: ssp, tags: ssp }
- { role: ssp-modules, tags: ssp-modules }
tasks:
- name: Install modules using composer
# shell: php composer.phar require oakhope/oauth2-wechat --ignore-platform-reqs --no-interaction --no-scripts
- shell: php composer.phar require cirrusidentity/simplesamlphp-module-authoauth2:v3.1.0 league/oauth2-google oakhope/oauth2-wechat --ignore-platform-reqs --no-interaction --no-scripts
+ ansible.builtin.shell: >- # Better to declare dependencies here
+ php composer.phar require \
+ cirrusidentity/simplesamlphp-module-authoauth2:v3.1.0 \
+ league/oauth2-google \
+ oakhope/oauth2-wechat \
+ --ignore-platform-reqs \
+ --no-interaction \
+ --no-scripts
args:
chdir: "{{ ssp_path }}/"
executable: /bin/bash
register: composer_results
changed_when: composer_results is changed and "Nothing to install, update or remove" not in composer_results.stderr
- when: ssp_mods_extra_enabled | selectattr('name','equalto','authoauth2') | list | count > 0
+ when: ssp_mods_extra_enabled | selectattr('name', 'equalto', 'authoauth2') | list | count > 0
become: true
tags:
- install
diff --git a/openldapservers.yml b/openldapservers.yml
index 6b5a75a6..8edcb85d 100644
--- a/openldapservers.yml
+++ b/openldapservers.yml
@@ -1,3 +1,5 @@
-- hosts: openldap
+---
+- name: Deploy openldap
+ hosts: openldap
roles:
- - { role: openldap }
\ No newline at end of file
+ - { role: openldap }
diff --git a/orcid2samlservers.yml b/orcid2samlservers.yml
index d1557d82..e680ff9d 100644
--- a/orcid2samlservers.yml
+++ b/orcid2samlservers.yml
@@ -1,8 +1,9 @@
# file: orcid2samlservers.yml
-#
+#
---
-- hosts: orcid2saml
+- name: Deploy ORCID 2 SAML hosts
+ hosts: orcid2saml
roles:
# - { role: apache, tags: apache }
# - { role: php, tags: php }
diff --git a/rciam-keycloak.yml b/rciam-keycloak.yml
index 6e5ca9f5..b09edc48 100644
--- a/rciam-keycloak.yml
+++ b/rciam-keycloak.yml
@@ -2,10 +2,14 @@
# RCIAM deployment based on Keycloak
---
-- import_playbook: firewallservers.yml
+- name: Run Firewall Servers
+ ansible.builtin.import_playbook: firewallservers.yml
-- import_playbook: dbservers.yml
+- name: Deploy DBN Servers
+ ansible.builtin.import_playbook: dbservers.yml
-- import_playbook: keycloakservers.yml
+- name: Deploy Keycloak servers
+ ansible.builtin.import_playbook: keycloakservers.yml
-- import_playbook: webproxyservers.yml
+- name: Deploy Web Proxy Servers
+ ansible.builtin.import_playbook: webproxyservers.yml
diff --git a/rciam-oidc-client.yml b/rciam-oidc-client.yml
index 5ae5f6f1..e838a3b4 100644
--- a/rciam-oidc-client.yml
+++ b/rciam-oidc-client.yml
@@ -1,6 +1,7 @@
# file: rciam-oidc-client.yml
#
---
-- hosts: web
+- name: Deploy OIDC client
+ hosts: web
roles:
- { role: rciam-oidc-client, tags: rciam-oidc-client }
diff --git a/registryservers-roles-ui.yml b/registryservers-roles-ui.yml
index f0fb4a48..c5d29c2b 100644
--- a/registryservers-roles-ui.yml
+++ b/registryservers-roles-ui.yml
@@ -2,9 +2,18 @@
#
---
-- hosts: registry
+- name: Deploy Regitry Server UI
+ hosts: registry
roles:
- { role: cm-role-ui, tags: cm-role-ui }
# Deploy CM Roles simple UI
-# ansible-playbook -v -u user --ask-become-pass -i inventories/openaire-dev/hosts.ini registryservers-roles-ui.yml --tags "cm-role-ui:configure" --ask-vault-pass --diff --extra-vars "git_user= git_pass="
\ No newline at end of file
+# ansible-playbook \
+# -v -u user \
+# --ask-become-pass \
+# -i inventories/openaire-dev/hosts.ini \
+# registryservers-roles-ui.yml \
+# --tags "cm-role-ui:configure" \
+# --ask-vault-pass \
+# --diff \
+# --extra-vars "git_user= git_pass="
diff --git a/registryservers.yml b/registryservers.yml
index 2f1b57c9..4e52d236 100644
--- a/registryservers.yml
+++ b/registryservers.yml
@@ -2,7 +2,8 @@
#
---
-- hosts: registry
+- name: Deploy Registry Servers
+ hosts: registry
roles:
- { role: git, tags: git }
- { role: apache, tags: apache }
@@ -15,4 +16,6 @@
# Deploy clean COmanage environment
# ansible-playbook -v -i inventories/instances/hosts.ini registryservers.yml --tags "comanage-registry" --ask-vault-pass
# Deploy changes.
-# ansible-playbook -v -i inventories/instances/hosts.ini registryservers.yml --tags [comanage-registry,comanage-registry:install,comanage-registry:config,] --ask-vault-pass
+# ansible-playbook -v -i inventories/instances/hosts.ini registryservers.yml \
+# --tags [comanage-registry,comanage-registry:install,comanage-registry:config,] \
+# --ask-vault-pass
diff --git a/requirements.txt b/requirements.txt
index 6b934edf..31b99066 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,4 +1,39 @@
-ansible==2.10.7
-dnspython==2.1.0
-passlib==1.7.4
+ansible==9.3.0
+ansible-base==2.10.17
+ansible-compat==4.1.11
+ansible-core==2.17.6
+ansible-lint==24.2.1
+attrs==23.2.0
+black==24.3.0
+bracex==2.4
+cffi==1.16.0
+click==8.1.7
+cryptography==43.0.1
+dnspython==2.6.1
+filelock==3.13.1
+Jinja2==3.1.4
jmespath==0.10.0
+jsonschema==4.21.1
+jsonschema-specifications==2023.12.1
+markdown-it-py==3.0.0
+MarkupSafe==2.1.5
+mdurl==0.1.2
+mypy-extensions==1.0.0
+packaging==24.0
+passlib==1.7.4
+pathspec==0.12.1
+platformdirs==4.2.0
+pycparser==2.21
+Pygments==2.17.2
+PyYAML==6.0.1
+referencing==0.34.0
+resolvelib==1.0.1
+rich==13.7.1
+rpds-py==0.18.0
+ruamel.yaml==0.18.6
+ruamel.yaml.clib==0.2.8
+subprocess-tee==0.4.1
+tomli==2.0.1
+typing_extensions==4.10.0
+wcmatch==8.5.1
+yamllint==1.35.1
diff --git a/requirements.yml b/requirements.yml
new file mode 100644
index 00000000..b5f2a282
--- /dev/null
+++ b/requirements.yml
@@ -0,0 +1,10 @@
+- name: ipr-cnrs.nftables
+ version: v2.2.1
+- name: arillso.logrotate
+ version: 1.6.1
+- name: geerlingguy.nodejs
+ version: 7.0.0
+- name: Oefenweb.yarn
+ version: v1.0.52
+- name: infOpen.openjdk-jdk
+ version: 0.4.0
diff --git a/roles/apache/defaults/main.yml b/roles/apache/defaults/main.yml
index f90655fe..c1c4d5b5 100644
--- a/roles/apache/defaults/main.yml
+++ b/roles/apache/defaults/main.yml
@@ -16,15 +16,15 @@ apache_listen_directives: |
# Set to one of: Full | OS | Minimal | Minor | Major | Prod
# where Full conveys the most information, and Prod the least.
-apache_server_tokens: "OS"
-# Set to one of: On | Off | EMail
+apache_server_tokens: OS
+# Set to one of: On | Off | EMail
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
apache_server_signature: "On"
# Set to one of: On | Off | extended
apache_trace_enable: "Off"
apache_create_vhosts: true
-apache_vhosts_filename: "vhosts.conf"
+apache_vhosts_filename: vhosts.conf
# On RedHat/Centos, a default Welcome Screen is included in Apache's configuration.
# Set this to `true` to remove that default; otherwise `false`.
apache_remove_default_page: false
@@ -34,46 +34,45 @@ apache_remove_default_page: false
apache_remove_default_vhost: true
apache_vhosts:
- # Additional properties: `serveradmin`, `serveralias`, `usecanonicalname`,
+ # Additional properties: `serveradmin`, `serveralias`, `usecanonicalname`,
# `extra_parameters`.
- servername: "{{ inventory_hostname }}"
- documentroot: "/var/www/html"
+ documentroot: /var/www/html
apache_vhosts_ssl: []
- # Additional properties: `serveradmin`, `serveralias`, `usecanonicalname`,
- # `extra_parameters`.
- # - servername: "www.example.com"
- # documentroot: "/var/www/html"
- # certificate_file: "/path/to/certificate.crt"
- # certificate_key_file: "/path/to/certificate.key"
- # # Optional.
- # certificate_chain_file: "/path/to/certificate_chain.crt"
+# Additional properties: `serveradmin`, `serveralias`, `usecanonicalname`,
+# `extra_parameters`.
+# - servername: "www.example.com"
+# documentroot: "/var/www/html"
+# certificate_file: "/path/to/certificate.crt"
+# certificate_key_file: "/path/to/certificate.key"
+# # Optional.
+# certificate_chain_file: "/path/to/certificate_chain.crt"
# Name of the user that should own the file containing the SSL certificate
-apache_ssl_certificate_file_owner: "root"
+apache_ssl_certificate_file_owner: root
# Name of the group that should own the file containing the SSL certificate
-apache_ssl_certificate_file_group: "root"
+apache_ssl_certificate_file_group: root
# Permissions of the file containing the SSL certificate
apache_ssl_certificate_file_mode: "0644"
# Name of the user that should own the file containing the SSL certificate key
-apache_ssl_certificate_key_file_owner: "root"
+apache_ssl_certificate_key_file_owner: root
# Name of the group that should own the file containing the SSL certificate key
-apache_ssl_certificate_key_file_group: "root"
+apache_ssl_certificate_key_file_group: root
# Permissions of the file containing the SSL certificate key
apache_ssl_certificate_key_file_mode: "0600"
apache_ignore_missing_ssl_certificate: true
-#apache_ssl_protocol: "All -SSLv2 -SSLv3"
-#apache_ssl_cipher_suite: "AES256+EECDH:AES256+EDH"
+# apache_ssl_protocol: "All -SSLv2 -SSLv3"
+# apache_ssl_cipher_suite: "AES256+EECDH:AES256+EDH"
# Initial apache state, i.e. `started`, `stopped`, `restarted`, or `reloaded`
-apache_state: "started"
+apache_state: started
-#install additional modules
+# install additional modules
apache_mods_installed: []
-
# Only used on Debian/Ubuntu.
apache_mods_enabled:
- ssl
diff --git a/roles/apache/handlers/main.yml b/roles/apache/handlers/main.yml
index fc6b5f67..88812ae5 100644
--- a/roles/apache/handlers/main.yml
+++ b/roles/apache/handlers/main.yml
@@ -1,7 +1,6 @@
---
-
-- name: restart apache
- service:
+- name: Restart apache
+ become: true
+ ansible.builtin.service:
name: "{{ apache_service }}"
state: restarted
- become: yes
diff --git a/roles/apache/tasks/configure-Debian.yml b/roles/apache/tasks/configure-Debian.yml
index f163a61c..5bbdbd7f 100644
--- a/roles/apache/tasks/configure-Debian.yml
+++ b/roles/apache/tasks/configure-Debian.yml
@@ -1,78 +1,77 @@
---
-
- name: Enable required Apache modules (Debian)
- apache2_module:
+ become: true
+ community.general.apache2_module:
state: present
name: "{{ item }}"
with_items: "{{ apache_mods_enabled }}"
- become: yes
notify:
- - restart apache
+ - Restart apache
- name: Disable unnecessary Apache modules (Debian)
- apache2_module:
- state: absent
+ become: true
+ community.general.apache2_module:
+ state: absent
name: "{{ item }}"
with_items: "{{ apache_mods_disabled }}"
- become: yes
notify:
- - restart apache
+ - Restart apache
- name: Remove default vhost from sites-enabled (Debian)
- file:
+ become: true
+ ansible.builtin.file:
path: "{{ apache_conf_path }}/sites-enabled/{{ apache_default_vhost_filename }}"
state: absent
- become: yes
- notify: restart apache
+ notify: Restart apache
when: apache_remove_default_vhost
- name: Configure Apache ports (Debian)
- template:
- src: "ports.conf.j2"
+ become: true
+ ansible.builtin.template:
+ src: ports.conf.j2
dest: "{{ apache_conf_path }}/ports.conf"
owner: root
group: root
- mode: 0644
- backup: yes
- become: yes
- notify: restart apache
+ mode: "0644"
+ backup: true
+ notify: Restart apache
- name: Configure Apache security settings (Debian)
- template:
- src: "security.conf.j2"
+ become: true
+ ansible.builtin.template:
+ src: security.conf.j2
dest: "{{ apache_conf_path }}/conf-available/security.conf"
owner: root
group: root
- mode: 0644
- backup: yes
- become: yes
- notify: restart apache
+ mode: "0644"
+ backup: true
+ notify: Restart apache
- name: Enable Apache security configuration (Debian)
- file:
+ become: true
+ ansible.builtin.file:
src: "{{ apache_conf_path }}/conf-available/security.conf"
dest: "{{ apache_conf_path }}/conf-enabled/security.conf"
state: link
- become: yes
- notify: restart apache
+ notify: Restart apache
- name: Add Apache vhosts configuration (Debian)
- template:
- src: "vhosts.conf.j2"
+ become: true
+ ansible.builtin.template:
+ src: vhosts.conf.j2
dest: "{{ apache_conf_path }}/sites-available/{{ apache_vhosts_filename }}"
owner: root
group: root
- mode: 0644
- backup: yes
- become: yes
- notify: restart apache
+ mode: "0644"
+ backup: true
+ notify: Restart apache
when: apache_create_vhosts
- name: Enable Apache vhosts configuration (Debian)
- file:
+ become: true
+ ansible.builtin.file:
src: "{{ apache_conf_path }}/sites-available/{{ apache_vhosts_filename }}"
dest: "{{ apache_conf_path }}/sites-enabled/{{ apache_vhosts_filename }}"
state: link
- become: yes
- notify: restart apache
+ notify: Restart apache
when: apache_create_vhosts
diff --git a/roles/apache/tasks/configure-RedHat.yml b/roles/apache/tasks/configure-RedHat.yml
index 2635b762..2a9afe83 100644
--- a/roles/apache/tasks/configure-RedHat.yml
+++ b/roles/apache/tasks/configure-RedHat.yml
@@ -1,88 +1,87 @@
---
-
- name: Ensure sites-available and sites-enabled directories exist (RedHat)
- file:
+ become: true
+ ansible.builtin.file:
path: "{{ item }}"
state: directory
owner: root
group: root
+ mode: "0775"
loop:
- "{{ apache_conf_path }}/sites-available"
- - "{{ apache_conf_path }}/sites-enabled/"
- become: yes
+ - "{{ apache_conf_path }}/sites-enabled"
- name: Append extra parameters into Apache httpd.conf (RedHat)
- blockinfile:
+ become: true
+ ansible.builtin.blockinfile:
path: "{{ apache_conf_path }}/conf/httpd.conf"
block: |
IncludeOptional sites-enabled/*.conf
IncludeOptional conf.d/security.conf
owner: root
group: root
- mode: 0644
- backup: yes
- become: yes
- notify: restart apache
+ mode: "0644"
+ backup: true
+ notify: Restart apache
- name: Configure Apache security settings (RedHat)
- template:
- src: "security.conf.j2"
+ become: true
+ ansible.builtin.template:
+ src: security.conf.j2
dest: "{{ apache_conf_path }}/conf.d/security.conf"
owner: root
group: root
- mode: 0644
- backup: yes
- become: yes
- notify: restart apache
+ mode: "0644"
+ backup: true
+ notify: Restart apache
# Configure Virtual Host SSL certificates
- name: Include vhost SSL certificates configuration
- include: configure-ssl-cert.yml
+ become: true
+ ansible.builtin.include_tasks: configure-ssl-cert.yml
when: apache_create_vhosts and apache_vhosts_ssl is defined and apache_vhosts_ssl|length > 0
- name: Add Apache vhosts configuration (RedHat)
- template:
- src: "vhosts.conf.j2"
+ become: true
+ ansible.builtin.template:
+ src: vhosts.conf.j2
dest: "{{ apache_conf_path }}/sites-available/{{ apache_vhosts_filename }}"
owner: root
group: root
- mode: 0644
- backup: yes
- become: yes
- notify: restart apache
+ mode: "0644"
+ backup: true
+ notify: Restart apache
when: apache_create_vhosts
- name: Enable Apache vhosts configuration (RedHat)
- file:
+ become: true
+ ansible.builtin.file:
src: "{{ apache_conf_path }}/sites-available/{{ apache_vhosts_filename }}"
dest: "{{ apache_conf_path }}/sites-enabled/{{ apache_vhosts_filename }}"
state: link
- become: yes
- notify: restart apache
+ notify: Restart apache
when: apache_create_vhosts
- name: Disable default welcome page (RedHat)
- file:
+ become: true
+ ansible.builtin.file:
path: "{{ apache_conf_path }}/conf.d/welcome.conf"
state: absent
- become: yes
when: apache_remove_default_page
- notify: restart apache
+ notify: Restart apache
- name: Enable required Apache modules (RedHat)
- apache2_module:
+ become: true
+ community.general.apache2_module:
state: present
name: "{{ item }}"
with_items: "{{ apache_mods_enabled }}"
- become: yes
- notify:
- - restart apache
+ notify: Restart apache
- name: Disable unnecessary Apache modules (RedHat)
- apache2_module:
+ become: true
+ community.general.apache2_module:
state: absent
name: "{{ item }}"
with_items: "{{ apache_mods_disabled }}"
- become: yes
- notify:
- - restart apache
\ No newline at end of file
+ notify: Restart apache
diff --git a/roles/apache/tasks/configure-ssl-cert.yml b/roles/apache/tasks/configure-ssl-cert.yml
index 1545e29a..04428f0d 100644
--- a/roles/apache/tasks/configure-ssl-cert.yml
+++ b/roles/apache/tasks/configure-ssl-cert.yml
@@ -1,54 +1,53 @@
---
-
- name: Ensure apache SSL certificate directories exist
- file:
+ become: true
+ ansible.builtin.file:
path: "{{ item.certificate_file | dirname }}"
owner: "{{ apache_ssl_certificate_file_owner }}"
group: "{{ apache_ssl_certificate_file_group }}"
state: directory
+ mode: "0775"
with_items:
- "{{ apache_vhosts_ssl }}"
when: item.certificate_file is defined and item.certificate is defined
- become: yes
- name: Ensure apache SSL certificates are copied
- copy:
+ become: true
+ ansible.builtin.copy:
dest: "{{ item.certificate_file }}"
content: "{{ item.certificate }}"
owner: "{{ apache_ssl_certificate_file_owner }}"
group: "{{ apache_ssl_certificate_file_group }}"
mode: "{{ apache_ssl_certificate_file_mode }}"
- backup: yes
+ backup: true
with_items:
- "{{ apache_vhosts_ssl }}"
when: item.certificate_file is defined and item.certificate is defined
- become: yes
- notify:
- - restart apache
+ notify: Restart apache
- name: Ensure apache SSL certificate key directories exist
- file:
+ become: true
+ ansible.builtin.file:
path: "{{ item.certificate_key_file | dirname }}"
owner: "{{ apache_ssl_certificate_key_file_owner }}"
group: "{{ apache_ssl_certificate_key_file_group }}"
state: directory
+ mode: "0775"
with_items:
- "{{ apache_vhosts_ssl }}"
when: item.certificate_key_file is defined and item.certificate_key is defined
- become: yes
- name: Ensure apache SSL certificate keys are copied
- copy:
+ become: true
+ ansible.builtin.copy:
dest: "{{ item.certificate_key_file }}"
- content: '{{ item.certificate_key }}'
+ content: "{{ item.certificate_key }}"
owner: "{{ apache_ssl_certificate_key_file_owner }}"
group: "{{ apache_ssl_certificate_key_file_group }}"
mode: "{{ apache_ssl_certificate_key_file_mode }}"
- backup: yes
+ backup: true
with_items:
- "{{ apache_vhosts_ssl }}"
when: item.certificate_key_file is defined and item.certificate_key is defined
- become: yes
- no_log: yes
- notify:
- - restart apache
+ no_log: true
+ notify: Restart apache
diff --git a/roles/apache/tasks/install-Debian.yml b/roles/apache/tasks/install-Debian.yml
index 6d64e8e8..8b7482b6 100644
--- a/roles/apache/tasks/install-Debian.yml
+++ b/roles/apache/tasks/install-Debian.yml
@@ -1,19 +1,16 @@
---
-
- name: Ensure Apache HTTP server is installed (Debian)
- apt:
+ ansible.builtin.apt:
name: apache2
- state: present
- install_recommends: no
- update_cache: yes
+ state: present
+ install_recommends: false
+ update_cache: true
cache_valid_time: 86400
- become: yes
+ become: true
- name: Install Modules for Apache
- apt:
+ ansible.builtin.apt:
name: "{{ apache_mods_installed }}"
- state: present
- become: yes
- notify:
- - restart apache
-
\ No newline at end of file
+ state: present
+ become: true
+ notify: Restart apache
diff --git a/roles/apache/tasks/install-RedHat.yml b/roles/apache/tasks/install-RedHat.yml
index 92df6373..bf10c648 100644
--- a/roles/apache/tasks/install-RedHat.yml
+++ b/roles/apache/tasks/install-RedHat.yml
@@ -1,20 +1,17 @@
---
-
- name: Ensure Apache HTTP server is installed (Redhat)
- yum:
+ ansible.builtin.yum:
name: httpd
state: present
- update_cache: yes
- become: yes
- notify:
- - restart apache
+ update_cache: true
+ become: true
+ notify: Restart apache
- name: Ensure Apache ssl module is installed (Redhat)
- yum:
+ ansible.builtin.yum:
name: mod_ssl
state: present
- update_cache: yes
- become: yes
+ update_cache: true
+ become: true
when: apache_vhosts_ssl is defined and apache_vhosts_ssl|length > 0
- notify:
- - restart apache
\ No newline at end of file
+ notify: Restart apache
diff --git a/roles/apache/tasks/main.yml b/roles/apache/tasks/main.yml
index 17746231..7e03f929 100644
--- a/roles/apache/tasks/main.yml
+++ b/roles/apache/tasks/main.yml
@@ -1,23 +1,33 @@
---
-
- name: Include OS-specific variables
- include_vars: "{{ ansible_os_family }}.yml"
+ ansible.builtin.include_vars: "{{ ansible_os_family }}.yml"
-# Install OS-specific packages
-- include: install-Debian.yml
+- name: Ensure Debian Installation
+ ansible.builtin.include_tasks: install-Debian.yml
when: ansible_os_family == 'Debian'
-- include: install-RedHat.yml
+
+- name: Ensure RedHat Installation
+ ansible.builtin.include_tasks: install-RedHat.yml
when: ansible_os_family == 'RedHat'
+# Could be refactored as:
+# - name: Include install tasks
+# ansible.builtin.include_tasks: "install-{{ ansible_os_family }}.yml"
+
# Apply OS-specific configuration
-- include: configure-Debian.yml
+- name: Include Debian Configuration Tasks
+ ansible.builtin.include_tasks: configure-Debian.yml
when: ansible_os_family == 'Debian'
-- include: configure-RedHat.yml
+- name: Include RedHat Configuration tasks
+ ansible.builtin.include_tasks: configure-RedHat.yml
when: ansible_os_family == 'RedHat'
+# Could be refactored as:
+# - name: Include Configuration tasks
+# ansible.builtin.include_tasks: "configure-{{ ansible_os_family }}.yml"
- name: Ensure Apache service is at selected state and enabled on boot
- service:
+ become: true
+ ansible.builtin.service:
name: "{{ apache_service }}"
state: "{{ apache_state }}"
- enabled: yes
- become: yes
+ enabled: true
diff --git a/roles/apache/vars/Debian.yml b/roles/apache/vars/Debian.yml
index 1e1a1133..b62452b6 100644
--- a/roles/apache/vars/Debian.yml
+++ b/roles/apache/vars/Debian.yml
@@ -2,7 +2,7 @@
apache_service: apache2
apache_conf_path: /etc/apache2
-apache_user: "www-data"
-apache_group: "www-data"
+apache_user: www-data
+apache_group: www-data
-apache_default_vhost_filename: 000-default.conf
+apache_default_vhost_filename: "000-default.conf"
diff --git a/roles/apache/vars/RedHat.yml b/roles/apache/vars/RedHat.yml
index 2dea2476..caeffec5 100644
--- a/roles/apache/vars/RedHat.yml
+++ b/roles/apache/vars/RedHat.yml
@@ -2,5 +2,5 @@
apache_service: httpd
apache_conf_path: /etc/httpd
-apache_user: "apache"
-apache_group: "apache"
+apache_user: apache
+apache_group: apache
diff --git a/roles/cm-role-ui/defaults/main.yml b/roles/cm-role-ui/defaults/main.yml
index 780b48fd..f8b71dc0 100644
--- a/roles/cm-role-ui/defaults/main.yml
+++ b/roles/cm-role-ui/defaults/main.yml
@@ -6,13 +6,13 @@ roles_repo: "https://github.com/rciam/comanage-registry-roles-portal.git"
roles_root_dir: "/srv"
roles_path: "{{ roles_root_dir }}/{{ roles_src }}"
-#roles_api_base_url: "https://example.org/registry"
-#roles_api_username: "api_user"
-#roles_api_password: "api_pass"
+# roles_api_base_url: "https://example.org/registry"
+# roles_api_username: "api_user"
+# roles_api_password: "api_pass"
roles_db_host: "localhost"
-#roles_db_username: "db_user"
-#roles_db_password: "db_pass"
+# roles_db_username: "db_user"
+# roles_db_password: "db_pass"
roles_db_name: "registry"
roles_uid_key: "eduPersonPrincipalName"
@@ -21,7 +21,7 @@ roles_username_key: "displayName"
roles_email_host: "localhost"
roles_email_port: 25
# leave blank the rest of the email options if not needed
-# "", "ssl" or "tls"
+# "", "ssl" or "tls"
roles_email_security: ""
roles_email_username: ""
roles_email_password: ""
diff --git a/roles/cm-role-ui/tasks/configure-common.yml b/roles/cm-role-ui/tasks/configure-common.yml
index 53d36e2a..4069756c 100644
--- a/roles/cm-role-ui/tasks/configure-common.yml
+++ b/roles/cm-role-ui/tasks/configure-common.yml
@@ -1,14 +1,14 @@
---
-
+# cm-role-ui/tasks/configure-common.yml
- name: Configure cm-role-ui
- template:
+ ansible.builtin.template:
src: configuration.php.j2
dest: "{{ roles_path }}/configuration.php"
owner: root
group: root
- mode: 0644
- backup: yes
- force: yes
- become: yes
+ mode: "0644"
+ backup: true
+ force: true
+ become: true
tags:
- cm-role-ui:configure
diff --git a/roles/cm-role-ui/tasks/install-common.yml b/roles/cm-role-ui/tasks/install-common.yml
index 47f58194..b78d6f16 100644
--- a/roles/cm-role-ui/tasks/install-common.yml
+++ b/roles/cm-role-ui/tasks/install-common.yml
@@ -1,34 +1,36 @@
---
-
+# cm-role-ui
- name: Ensure Roles root directory exists
- file:
+ ansible.builtin.file:
path: "{{ roles_root_dir }}"
state: directory
owner: root
group: root
- become: yes
+ mode: "0644"
+ become: true
tags:
- cm-role-ui:install
- name: Ensure Roles source is cloned under root directory
- git:
+ ansible.builtin.git:
repo: "{{ roles_repo }}"
dest: "{{ roles_root_dir }}/{{ roles_src }}-{{ roles_version }}"
version: "{{ roles_version }}"
- accept_hostkey: yes
- ignore_errors: yes
- become: yes
+ accept_hostkey: true
+ # ignore_errors: true
+ failed_when: false # noqa ignore-errors
+ become: true
tags:
- cm-role-ui:install
- name: Ensure symbolic link to current Roles installation exists
- file:
+ ansible.builtin.file:
src: "{{ roles_root_dir }}/{{ roles_src }}-{{ roles_version }}"
dest: "{{ roles_path }}"
- force: yes
+ force: true
state: link
owner: root
group: root
- become: yes
+ become: true
tags:
- - cm-role-ui:install
\ No newline at end of file
+ - cm-role-ui:install
diff --git a/roles/cm-role-ui/tasks/main.yml b/roles/cm-role-ui/tasks/main.yml
index 830bdf3e..7f58f4fe 100644
--- a/roles/cm-role-ui/tasks/main.yml
+++ b/roles/cm-role-ui/tasks/main.yml
@@ -1,16 +1,17 @@
---
+# cm-role-ui/tasks/main.yml
-#- name: Include OS-specific variables
-# include_vars: "{{ item }}"
-# with_first_found:
-# - "{{ ansible_distribution }}-{{ ansible_distribution_release}}.yml"
-# - "{{ ansible_distribution }}-{{ ansible_distribution_major_version}}.yml"
-# - "{{ ansible_distribution }}.yml"
-# - "{{ ansible_os_family }}.yml"
+# - name: Include OS-specific variables
+# include_vars: "{{ item }}"
+# with_first_found:
+# - "{{ ansible_distribution }}-{{ ansible_distribution_release}}.yml"
+# - "{{ ansible_distribution }}-{{ ansible_distribution_major_version}}.yml"
+# - "{{ ansible_distribution }}.yml"
+# - "{{ ansible_os_family }}.yml"
# Run OS-independent installation tasks
- name: Include Installation tasks
- include_tasks:
+ ansible.builtin.include_tasks:
file: install-common.yml
apply:
tags:
@@ -20,7 +21,7 @@
# Apply OS-independent configuration
- name: Include Configure tasks
- include_tasks:
+ ansible.builtin.include_tasks:
file: configure-common.yml
apply:
tags:
diff --git a/roles/comanage-registry-plugins/defaults/main.yml b/roles/comanage-registry-plugins/defaults/main.yml
index faa96279..c90dec2d 100644
--- a/roles/comanage-registry-plugins/defaults/main.yml
+++ b/roles/comanage-registry-plugins/defaults/main.yml
@@ -1,14 +1,14 @@
---
comanage_registry_plugins: []
-#comanage_registry_plugins:
+# comanage_registry_plugins:
# - name: ExamplePluginFolderName
# version: master
# repository: "https://github.com/project/examplePluginName"
# status: init
-#comanage_plugins_cron_jobs:
+# comanage_plugins_cron_jobs:
# - name: "Action Name"
# minute: "0"
# filename: "PluginName"
@@ -16,9 +16,9 @@ comanage_registry_plugins: []
# job: |
# cd {{ path_to_registry }}/app && Console/cake PluginName.action
-#comanage_symlinks:
+# comanage_symlinks:
# - target: "/path/to/target"
# link: "/path/to/symlink"
# Whether to install COmanage plugins cron jobs; Enabled by default
-comanage_plugins_cron_jobs_enabled: yes
\ No newline at end of file
+comanage_plugins_cron_jobs_enabled: true
diff --git a/roles/comanage-registry-plugins/tasks/configure.yml b/roles/comanage-registry-plugins/tasks/configure.yml
index c4ea5c60..671b0b2f 100644
--- a/roles/comanage-registry-plugins/tasks/configure.yml
+++ b/roles/comanage-registry-plugins/tasks/configure.yml
@@ -1,11 +1,10 @@
---
-
- name: Add ENV vars in cron.d file
- cron:
+ ansible.builtin.cron:
name: "{{ item.name }}"
job: "{{ item.job }}"
user: "{{ item.user }}"
- env: yes
+ env: true
cron_file: "{{ item.filename }}"
state: present
loop: "{{ comanage_plugins_cron_env | default([]) }}"
@@ -13,7 +12,7 @@
when: comanage_plugins_cron_env is defined and comanage_plugins_cron_jobs is defined and comanage_plugins_cron_jobs_enabled
- name: Ensure COmanage Registry Plugins cron jobs are installed
- cron:
+ ansible.builtin.cron:
name: "{{ item.name }}"
minute: "{{ item.minute | default(omit) }}"
hour: "{{ item.hour | default(omit) }}"
@@ -29,13 +28,13 @@
when: comanage_plugins_cron_jobs is defined and comanage_plugins_cron_jobs_enabled
- name: Create Symbolic links
- file:
+ ansible.builtin.file:
src: "{{ item.target }}"
dest: "{{ item.link }}"
- force: yes
+ force: true
state: link
owner: root
group: root
loop: "{{ comanage_plugins_symlinks | default([]) }}"
become: true
- when: comanage_plugins_symlinks is defined
\ No newline at end of file
+ when: comanage_plugins_symlinks is defined
diff --git a/roles/comanage-registry-plugins/tasks/install.yml b/roles/comanage-registry-plugins/tasks/install.yml
index 10a5b507..cb389642 100644
--- a/roles/comanage-registry-plugins/tasks/install.yml
+++ b/roles/comanage-registry-plugins/tasks/install.yml
@@ -1,31 +1,40 @@
---
- name: Clear cache of COmanage
- command: su {{ comanage_registry_plugins_webuser }} -s /bin/sh -c ./Console/clearcache
+ ansible.builtin.command: su {{ comanage_registry_plugins_webuser }} -s /bin/sh -c ./Console/clearcache
args:
chdir: "{{ comanage_path }}/app"
- become: yes
+ changed_when: false
+ become: true
+ become_user: "{{ comanage_registry_plugins_webuser }}"
- name: Ensure COmanage Registry local/Plugins directory exists
- file:
+ ansible.builtin.file:
path: "{{ comanage_path }}/local/Plugin"
state: directory
owner: root
group: root
- become: yes
+ mode: "0644"
+ become: true
-- name: Ensure {{ item.name }} is cloned under local/Plugins directory
- git:
+- name: "Ensure is cloned under local/Plugins directory - {{ item.name }}"
+ ansible.builtin.git:
repo: "{{ item.repository }}"
dest: "{{ comanage_path }}/local/Plugin/{{ item.name }}"
version: "{{ item.version }}"
- accept_hostkey: yes
- become: yes
+ accept_hostkey: true
+ become: true
- name: Create COmanage Registry Plugins schemata
- shell: |
- ./Console/cake schema create --file schema.php --path "{{ comanage_path }}/local/Plugin/{{ item.name }}/Config/Schema" -y
+ ansible.builtin.shell: |
+ set -o pipefail
+ ./Console/cake \
+ schema create \
+ --file schema.php \
+ --path "{{ comanage_path }}/local/Plugin/{{ item.name }}/Config/Schema" \
+ -y
args:
chdir: "{{ comanage_path }}/app"
executable: /bin/sh
when: item.status is defined and item.status == "init"
- become: yes
+ changed_when: false # TODO Define change conditions
+ become: true
diff --git a/roles/comanage-registry-plugins/tasks/main.yml b/roles/comanage-registry-plugins/tasks/main.yml
index 3c5b5b5a..ae3b9727 100644
--- a/roles/comanage-registry-plugins/tasks/main.yml
+++ b/roles/comanage-registry-plugins/tasks/main.yml
@@ -1,36 +1,35 @@
---
-
- name: Include OS-specific variables
- include_vars: "{{ item }}"
+ ansible.builtin.include_vars: "{{ item }}"
with_first_found:
- - "{{ ansible_distribution }}-{{ ansible_distribution_release}}.yml"
- - "{{ ansible_distribution }}-{{ ansible_distribution_major_version}}.yml"
+ - "{{ ansible_distribution }}-{{ ansible_distribution_release }}.yml"
+ - "{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml"
- "{{ ansible_distribution }}.yml"
- "{{ ansible_os_family }}.yml"
tags:
- - always
+ - always
- name: Define COmanage Registry Plugins web user
- set_fact:
- comanage_registry_plugins_webuser: "{{ comanage_registry_plugins_default_webuser }}"
+ ansible.builtin.set_fact:
+ comanage_registry_plugins_webuser: "{{ comanage_registry_plugins_default_webuser }}"
when: comanage_registry_plugins_webserver is not defined
tags:
- - always
+ - always
# Include installation tasks
- name: Include Installation tasks
- include_tasks:
+ ansible.builtin.include_tasks:
file: install.yml
apply:
tags:
- comanage-registry-plugins:install
- loop: "{{ comanage_registry_plugins|flatten(levels=1) }}"
+ loop: "{{ comanage_registry_plugins | flatten(levels=1) }}"
tags:
- - comanage-registry-plugins:install
+ - comanage-registry-plugins:install
# Include configuration tasks
- name: Include Configure tasks
- include_tasks:
+ ansible.builtin.include_tasks:
file: configure.yml
apply:
tags:
diff --git a/roles/comanage-registry/defaults/main.yml b/roles/comanage-registry/defaults/main.yml
index bb9dd172..474aa215 100644
--- a/roles/comanage-registry/defaults/main.yml
+++ b/roles/comanage-registry/defaults/main.yml
@@ -2,150 +2,150 @@
# See https://spaces.internet2.edu/display/COmanage/Organizational+Identity+Pooling
comanage_org_identity_pooling: "No"
-#comanage_admin:
-# given_name: "Pat"
-# family_name: "Jones Smith"
-# username: "pat.jones.smith@university.edu"
+# comanage_admin:
+# given_name: "Pat"
+# family_name: "Jones Smith"
+# username: "pat.jones.smith@university.edu"
# Override comanage_version with a tag name. This will result to a new directory name comanage-registry-
# COmanage will be checked out under {{ comanage_root_dir }}/comanage-registry-{{ comanage_version }}
-comanage_version: "rciam24-3.1.x"
-comanage_repo: "https://github.com/rciam/comanage-registry.git"
-comanage_root_dir: "/srv/comanage"
+comanage_version: rciam24-3.1.x
+comanage_repo: https://github.com/rciam/comanage-registry.git
+comanage_root_dir: /srv/comanage
comanage_path: "{{ comanage_root_dir }}/comanage-registry-current"
-comanage_webroot: "/var/www/html/registry"
-comanage_temp_dir: "/var/cache/registry"
-comanage_app_base: "/registry"
+comanage_webroot: /var/www/html/registry
+comanage_temp_dir: /var/cache/registry
+comanage_app_base: /registry
comanage_log_engine:
error:
# Allowed values for handler: "FileLog" | "SyslogLog"
- handler: "FileLog"
- size: "10MB"
+ handler: FileLog
+ size: 10MB
rotate: 10
# prefix: "comanage"
debug:
- handler: "FileLog"
- size: "10MB"
+ handler: FileLog
+ size: 10MB
rotate: 10
# prefix: "comanage"
info:
- handler: "FileLog"
- size: "10MB"
+ handler: FileLog
+ size: 10MB
rotate: 10
# prefix: "comanage"
comanage_databases:
- - instance: "default"
+ - instance: default
# Either "Database/Postgres" or "Database/Mysql"
- vendor: "Database/Mysql"
- persistent: no
- host: "localhost"
- user: "user"
- password: "password"
- name: "database_name"
- prefix: "cm_"
- #encoding: "utf8"
- - instance: "test"
- vendor: "Database/Mysql"
- persistent: no
- host: "localhost"
- user: "user"
- password: "password"
- name: "test_database_name"
- prefix: "cm_"
- #encoding: "utf8"
+ vendor: Database/Mysql
+ persistent: false
+ host: localhost
+ user: user
+ password: password
+ name: database_name
+ prefix: cm_
+ # encoding: "utf8"
+ - instance: test
+ vendor: Database/Mysql
+ persistent: false
+ host: localhost
+ user: user
+ password: password
+ name: test_database_name
+ prefix: cm_
+ # encoding: "utf8"
comanage_mailers:
- - instance: "default"
+ - instance: default
# Transport configuration name
- transport: "Mail"
+ transport: Mail
# Email or array of sender
- from: "you@localhost"
- #charset: "utf-8"
- #header_charset: "utf-8"
- - instance: "smtp"
- transport: "Smtp"
+ from: you@localhost
+ # charset: "utf-8"
+ # header_charset: "utf-8"
+ - instance: smtp
+ transport: Smtp
from:
- site@localhost: "My Site"
- host: "localhost"
+ site@localhost: My Site
+ host: localhost
port: 25
timeout: 30
- username: "user"
- password: "secret"
- client: null
- log: no
- #charset: "utf-8"
- #header_charset: "utf-8"
- - instance: "fast"
- from: "you@localhost"
- sender: null
- to: null
- cc: null
- bcc: null
- reply_to: null
+ username: user
+ password: secret
+ client:
+ log: false
+ # charset: "utf-8"
+ # header_charset: "utf-8"
+ - instance: fast
+ from: you@localhost
+ sender:
+ to:
+ cc:
+ bcc:
+ reply_to:
# Email address(es) to receive the receipt of read
- read_receipt: null
+ read_receipt:
# Email address(es) to return in case of error
- return_path: null
+ return_path:
messageId: true
- subject: null
- message: null
- headers: null
- view_render: null
- template: no
- layout: no
- view_vars: null
- attachments: null
- email_format: null
- transport: "Smtp"
- host: "localhost"
+ subject:
+ message:
+ headers:
+ view_render:
+ template: false
+ layout: false
+ view_vars:
+ attachments:
+ email_format:
+ transport: Smtp
+ host: localhost
port: 25
timeout: 30
- username: "user"
- password: "secret"
- client: null
- log: yes
- #charset: "utf-8"
- #header_charset: "utf-8"
+ username: user
+ password: secret
+ client:
+ log: true
+ # charset: "utf-8"
+ # header_charset: "utf-8"
# Used in login.php and logout.php
-comanage_session_name: "CAKEPHP"
+comanage_session_name: CAKEPHP
comanage_core_session_conf:
- defaults: "php"
+ defaults: php
# Ldap Provisioner Entitlements Configuration
comanage_ldap_provisioner_entitlements:
enable_vo_whitelist: false
- vo_whitelist: '' # comma seperated list
- vo_roles: '' # comma seperated roles
- urn_namespace: ''
- urn_authority: ''
- vo_group_prefix: ''
+ vo_whitelist: "" # comma seperated list
+ vo_roles: "" # comma seperated roles
+ urn_namespace: ""
+ urn_authority: ""
+ vo_group_prefix: ""
# Dis/Enable COmanage cache
-#comanage_core_cache: true
+# comanage_core_cache: true
# Dis/Enable COmanage debug mode
-#comanage_core_debug: 1
+# comanage_core_debug: 1
-#comanage_logout_location: "/registry.sso/Logout?return=%2Fregistry%2Fpages%2Fpublic%2Floggedout"
+# comanage_logout_location: "/registry.sso/Logout?return=%2Fregistry%2Fpages%2Fpublic%2Floggedout"
# Used in Controller/AppController.php, View/Layout/default.ctp, View/Layout/lightbox.ctp
-#comanage_timezone_cookie_name: "cookie_tz_auto"
+# comanage_timezone_cookie_name: "cookie_tz_auto"
-#comanage_memcache_hosts:
-# - ip: '127.0.0.1'
-# port: 11211
-# - ip: '127.0.0.1'
-# port: 11212
+# comanage_memcache_hosts:
+# - ip: '127.0.0.1'
+# port: 11211
+# - ip: '127.0.0.1'
+# port: 11212
-#comanage_memcache_options:
-# - key: "Memcached::OPT_NO_BLOCK"
-# value: true
-# - key: "Memcached::OPT_DISTRIBUTION"
-# value: true
+# comanage_memcache_options:
+# - key: "Memcached::OPT_NO_BLOCK"
+# value: true
+# - key: "Memcached::OPT_DISTRIBUTION"
+# value: true
# Backup the Comanage directory
-#comanage_backup: yes
+# comanage_backup: yes
# Security.cipherSeed is a random numeric string (digits only) used to encrypt/decrypt strings.
# It is read from the file app/Config/security.seed and should be at least 29
@@ -161,7 +161,7 @@ comanage_ldap_provisioner_entitlements:
# Salt: cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 40 | head -n 1 | xargs echo -n
# comanage_security_salt: "defaultsecretsalt"
-#comanage_cron_jobs:
+# comanage_cron_jobs:
# - name: "Action Name"
# minute: "0"
# filename: "registry"
@@ -170,4 +170,4 @@ comanage_ldap_provisioner_entitlements:
# cd {{ path_to_registry }}/app && Console/cake action
# Whether to install COmanage cron jobs; Enabled by default
-comanage_cron_jobs_enabled: yes
\ No newline at end of file
+comanage_cron_jobs_enabled: true
diff --git a/roles/comanage-registry/tasks/configure.yml b/roles/comanage-registry/tasks/configure.yml
index 5af7a99e..fdcfeaae 100644
--- a/roles/comanage-registry/tasks/configure.yml
+++ b/roles/comanage-registry/tasks/configure.yml
@@ -1,51 +1,51 @@
---
-
- name: Configure COmanage Registry database connections
- template:
- src: "database.php.j2"
+ ansible.builtin.template:
+ src: database.php.j2
dest: "{{ comanage_path }}/local/Config/database.php"
owner: "{{ comanage_webserver_user }}"
group: "{{ comanage_webserver_group }}"
- mode: 0600
- backup: yes
- become: yes
+ mode: "0600"
+ backup: true
+ become: true
tags:
- - comanage-registry:config:db
+ - comanage-registry:config:db
- name: Configure COmanage Registry email settings
- template:
- src: "email.php.j2"
+ ansible.builtin.template:
+ src: email.php.j2
dest: "{{ comanage_path }}/local/Config/email.php"
owner: "{{ comanage_webserver_user }}"
group: "{{ comanage_webserver_group }}"
- mode: 0600
- backup: yes
- become: yes
+ mode: "0600"
+ backup: true
+ become: true
tags:
- - comanage-registry:config:email
+ - comanage-registry:config:email
- name: Configure COmanage Registry ldap entitlement settings
- template:
- src: "ldap.php.j2"
+ ansible.builtin.template:
+ src: ldap.php.j2
dest: "{{ comanage_path }}/local/Config/ldap.php"
owner: "{{ comanage_webserver_user }}"
group: "{{ comanage_webserver_group }}"
- mode: 0600
- backup: yes
- become: yes
+ mode: "0600"
+ backup: true
+ become: true
tags:
- - comanage-registry:config:ldap
+ - comanage-registry:config:ldap
# Seed: cat /dev/urandom | tr -dc '0-9' | fold -w 29 | head -n 1 | xargs echo -n
# Salt: cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 40 | head -n 1 | xargs echo -n
- name: Configure COmanage Registry security.salt and security.seed
- template:
+ ansible.builtin.template:
src: "{{ item }}.j2"
dest: "{{ comanage_path }}/local/Config/{{ item }}"
owner: "{{ comanage_webserver_user }}"
group: "{{ comanage_webserver_group }}"
- backup: yes
- become: yes
+ mode: "0600"
+ backup: true
+ become: true
loop:
- security.salt
- security.seed
@@ -53,82 +53,84 @@
- comanage-registry:config:security
- name: Configure COmanage Registry app/webroot/.htaccess
- blockinfile:
+ ansible.builtin.blockinfile:
dest: "{{ comanage_path }}/app/webroot/.htaccess"
- backup: yes
+ backup: true
marker: "# {mark} ANSIBLE MANAGED BLOCK"
- insertafter: "EOF"
+ insertafter: EOF
block: "{{ comanage_app_webroot_htaccess }}"
when: comanage_app_webroot_htaccess is defined
- become: yes
+ become: true
tags:
- - comanage-registry:config:webroot
+ - comanage-registry:config:webroot
- name: Configure COmanage Registry auth session name
- lineinfile:
+ ansible.builtin.lineinfile:
dest: "{{ item }}"
- regexp: "^session_name"
- line: 'session_name("{{ comanage_session_name }}");'
+ regexp: ^session_name
+ line: session_name("{{ comanage_session_name }}");
with_items:
- - "{{ comanage_path }}/app/webroot/auth/login/index.php"
- - "{{ comanage_path }}/app/webroot/auth/logout/index.php"
- become: yes
+ - "{{ comanage_path }}/app/webroot/auth/login/index.php"
+ - "{{ comanage_path }}/app/webroot/auth/logout/index.php"
+ become: true
tags:
- - comanage-registry:config:webroot
+ - comanage-registry:config:webroot
- name: Configure COmanage Registry logout location
- replace:
+ ansible.builtin.replace:
dest: "{{ comanage_path }}/app/webroot/auth/logout/index.php"
- backup: yes
- regexp: '\/registry\/users\/logout'
+ backup: true
+ regexp: \/registry\/users\/logout
replace: "{{ comanage_logout_location }}"
when: comanage_logout_location is defined
- become: yes
+ become: true
tags:
- - comanage-registry:config:webroot
+ - comanage-registry:config:webroot
- name: Configure COmanage Registry timezone cookie name
- replace:
+ ansible.builtin.replace:
dest: "{{ item }}"
- backup: yes
- regexp: "cm_registry_tz_auto"
+ backup: true
+ regexp: cm_registry_tz_auto
replace: "{{ comanage_timezone_cookie_name }}"
with_items:
- - "{{ comanage_path }}/app/Controller/AppController.php"
- - "{{ comanage_path }}/app/View/Layouts/default.ctp"
- - "{{ comanage_path }}/app/View/Layouts/lightbox.ctp"
+ - "{{ comanage_path }}/app/Controller/AppController.php"
+ - "{{ comanage_path }}/app/View/Layouts/default.ctp"
+ - "{{ comanage_path }}/app/View/Layouts/lightbox.ctp"
when: comanage_timezone_cookie_name is defined
- become: yes
+ become: true
# According to COmanage this is not a mandatory step for the setup
- name: Configure COmanage Registry core.php
- template:
- src: "core.php.j2"
+ ansible.builtin.template:
+ src: core.php.j2
dest: "{{ comanage_path }}/app/Config/core.php"
owner: root
group: root
- backup: yes
- become: yes
+ backup: true
+ mode: "0600"
+ become: true
tags:
- - comanage-registry:config:core
+ - comanage-registry:config:core
- name: Configure COmanage Registry bootstrap.php
- template:
- src: "bootstrap.php.j2"
+ ansible.builtin.template:
+ src: bootstrap.php.j2
dest: "{{ comanage_path }}/app/Config/bootstrap.php"
owner: root
group: root
- backup: yes
- become: yes
+ mode: "0600"
+ backup: true
+ become: true
tags:
- - comanage-registry:config:bootstrap
+ - comanage-registry:config:bootstrap
- name: Add ENV vars in cron.d file
- cron:
+ ansible.builtin.cron:
name: "{{ item.name }}"
job: "{{ item.job }}"
user: "{{ item.user }}"
- env: yes
+ env: true
cron_file: "{{ item.filename }}"
state: present
loop: "{{ comanage_cron_env | default([]) }}"
@@ -136,7 +138,7 @@
when: comanage_cron_env is defined and comanage_cron_jobs is defined and comanage_cron_jobs_enabled
- name: Ensure COmanage Registry cron jobs are installed
- cron:
+ ansible.builtin.cron:
name: "{{ item.name }}"
minute: "{{ item.minute | default(omit) }}"
hour: "{{ item.hour | default(omit) }}"
@@ -153,10 +155,10 @@
# Tasks adding/copying/replacing files
- name: Update/Copy tasks
- include_tasks:
+ ansible.builtin.include_tasks:
file: static_files.yml
apply:
tags:
- - comanage-registry:config:staticfiles
+ - comanage-registry:config:staticfiles
tags:
- - comanage-registry:config:staticfiles
\ No newline at end of file
+ - comanage-registry:config:staticfiles
diff --git a/roles/comanage-registry/tasks/initialize.yml b/roles/comanage-registry/tasks/initialize.yml
index 01728ecf..7e578de6 100644
--- a/roles/comanage-registry/tasks/initialize.yml
+++ b/roles/comanage-registry/tasks/initialize.yml
@@ -1,18 +1,24 @@
---
-
- name: Configure COmanage Registry database schema
- shell: Console/cake database
+ ansible.builtin.command: Console/cake database
args:
chdir: "{{ comanage_path }}/app"
- become: yes
+ become: true
+ changed_when: false
become_user: "{{ comanage_webserver_user }}"
tags:
- comanage-registry:init:db
- name: Configure COmanage Registry platform admin and org identity pooling
- shell: Console/cake setup --admin-given-name "{{ comanage_admin.given_name }}" --admin-family-name "{{ comanage_admin.family_name }}" --admin-username "{{ comanage_admin.username }}" --enable-pooling={{ comanage_org_identity_pooling }}
+ ansible.builtin.command: |-
+ Console/cake setup \
+ --admin-given-name "{{ comanage_admin.given_name }}" \
+ --admin-family-name "{{ comanage_admin.family_name }}" \
+ --admin-username "{{ comanage_admin.username }}" \
+ --enable-pooling={{ comanage_org_identity_pooling }}
+ changed_when: false
args:
chdir: "{{ comanage_path }}/app"
- become: yes
+ become: true
tags:
- - comanage-registry:init:admin
\ No newline at end of file
+ - comanage-registry:init:admin
diff --git a/roles/comanage-registry/tasks/install.yml b/roles/comanage-registry/tasks/install.yml
index 025dc481..9e167296 100644
--- a/roles/comanage-registry/tasks/install.yml
+++ b/roles/comanage-registry/tasks/install.yml
@@ -1,64 +1,64 @@
---
-
- name: Ensure COmanage Registry root directory exists
- file:
+ ansible.builtin.file:
path: "{{ comanage_root_dir }}"
state: directory
owner: root
group: root
- become: yes
+ mode: "0755"
+ become: true
- name: Ensure COmanage Registry source is cloned under root directory
- git:
+ ansible.builtin.git:
repo: "{{ comanage_repo }}"
dest: "{{ comanage_root_dir }}/comanage-registry-{{ comanage_version }}"
version: "{{ comanage_version }}"
- accept_hostkey: yes
- ignore_errors: yes
- become: yes
+ accept_hostkey: true
+ ignore_errors: true # noqa ignore-errors
+ become: true
- name: Ensure symbolic link to current COmanage Registry installation exists
- file:
+ ansible.builtin.file:
src: "{{ comanage_root_dir }}/comanage-registry-{{ comanage_version }}"
dest: "{{ comanage_path }}"
- force: yes
+ force: true
state: link
owner: root
group: root
- become: yes
+ become: true
- name: Ensure COmanage Registry webroot directory exists
- file:
+ ansible.builtin.file:
src: "{{ comanage_path }}/app/webroot"
dest: "{{ comanage_webroot }}"
state: link
- force: yes
+ force: true
owner: root
group: root
- become: yes
+ become: true
- name: Ensure COmanage Registry temp directory tree is initialised
- command: "cp -r {{ comanage_path }}/app/tmp.dist {{ comanage_temp_dir }}"
+ ansible.builtin.command: cp -r {{ comanage_path }}/app/tmp.dist {{ comanage_temp_dir }}
args:
creates: "{{ comanage_temp_dir }}"
- become: yes
+ become: true
- name: Ensure COmanage Registry temp directory exists and is writable by webserver only
- file:
+ ansible.builtin.file:
path: "{{ comanage_temp_dir }}"
state: directory
owner: "{{ comanage_webserver_user }}"
group: "{{ comanage_webserver_group }}"
- mode: 0700
- recurse: yes
- become: yes
+ mode: "0700"
+ recurse: true
+ become: true
- name: Ensure link to COmanage Registry temp directory exists
- file:
+ ansible.builtin.file:
src: "{{ comanage_temp_dir }}"
dest: "{{ comanage_path }}/local/tmp"
state: link
owner: root
group: root
- follow: no
- become: yes
+ follow: false
+ become: true
diff --git a/roles/comanage-registry/tasks/main.yml b/roles/comanage-registry/tasks/main.yml
index e74a8315..28868d2d 100644
--- a/roles/comanage-registry/tasks/main.yml
+++ b/roles/comanage-registry/tasks/main.yml
@@ -1,55 +1,54 @@
---
-
- name: Include OS-specific variables
- include_vars: "{{ item }}"
+ ansible.builtin.include_vars: "{{ item }}"
with_first_found:
- - "{{ ansible_distribution }}-{{ ansible_distribution_release}}.yml"
- - "{{ ansible_distribution }}-{{ ansible_distribution_major_version}}.yml"
+ - "{{ ansible_distribution }}-{{ ansible_distribution_release }}.yml"
+ - "{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml"
- "{{ ansible_distribution }}.yml"
- "{{ ansible_os_family }}.yml"
tags:
- - always
+ - always
# Check if COmanage current is available
- name: Check if COmanage Current directory is present
- stat:
+ ansible.builtin.stat:
path: "{{ comanage_path }}"
register: comanage_current_dir
tags:
- always
- name: COmanage Current directory exists?
- debug:
- msg: "COmanage Current Exists: {{comanage_current_dir.stat.exists}}"
+ ansible.builtin.debug:
+ msg: "COmanage Current Exists: {{ comanage_current_dir.stat.exists }}"
tags:
- always
-#Create a task to take backup of the directory first
+# Create a task to take backup of the directory first
- name: Backup comanage directory
- copy:
+ ansible.builtin.copy:
src: "{{ comanage_current_dir.stat.lnk_target }}"
dest: "{{ comanage_current_dir.stat.lnk_target }}.{{ ansible_date_time.iso8601 }}"
- remote_src: yes
- force: yes
+ remote_src: true
+ force: true
owner: root
mode: preserve
backup: true
- become: yes
+ become: true
when:
- comanage_backup is defined
- comanage_backup|bool
- comanage_current_dir.stat.exists
tags:
- - always
+ - always
-- name: COmanage clear cache
- shell: Console/clearcache
+- name: COmanage clear cache # noqa no-changed-when
+ ansible.builtin.shell: Console/clearcache
args:
executable: /bin/bash
chdir: "{{ comanage_path }}/app"
- become: yes
+ become: true
become_user: "{{ comanage_webserver_user }}"
- ignore_errors: yes
+ ignore_errors: true # noqa ignore-errors
when:
- comanage_current_dir.stat.exists
tags:
@@ -57,17 +56,17 @@
# Tasks deploying COmanage framework. There is none conditional task.
- name: Include OS-independent installation tasks
- include_tasks:
+ ansible.builtin.include_tasks:
file: install.yml
apply:
tags:
- - comanage-registry:install
+ - comanage-registry:install
tags:
- - comanage-registry:install
+ - comanage-registry:install
- # Tasks required for basic Framework functionality
+# Tasks required for basic Framework functionality
- name: Include OS-independent initialize tasks
- include_tasks:
+ ansible.builtin.include_tasks:
file: initialize.yml
apply:
tags:
@@ -77,10 +76,10 @@
# Tasks that are Deployment Specific
- name: Include OS-independent configuration tasks
- include_tasks:
+ ansible.builtin.include_tasks:
file: configure.yml
apply:
tags:
- - comanage-registry:config
+ - comanage-registry:config
tags:
- - comanage-registry:config
+ - comanage-registry:config
diff --git a/roles/comanage-registry/tasks/static_files.yml b/roles/comanage-registry/tasks/static_files.yml
index 5c1f4b41..de658173 100644
--- a/roles/comanage-registry/tasks/static_files.yml
+++ b/roles/comanage-registry/tasks/static_files.yml
@@ -1,36 +1,35 @@
---
-
- name: Register COmanage files to be copied
- find:
+ ansible.builtin.find:
paths: "{{ inventory_dir }}/files/comanage-registry"
file_type: file
- recurse: yes
+ recurse: true
register: comanage_files
- ignore_errors: yes
+ ignore_errors: true
delegate_to: 127.0.0.1
vars:
ansible_connection: local
- name: Display files to be copied
- debug:
+ ansible.builtin.debug:
msg: "{{ comanage_path }}/{{ item.path | regex_replace('(.*)[/]files[/]comanage-registry[/](.*)', '\\2') }}"
verbosity: 1
loop: "{{ comanage_files.files }}"
loop_control:
- label: "Copied file {{ item.path }}"
+ label: Copied file {{ item.path }}
when: comanage_files is defined
- name: Copy COmanage files
- copy:
+ ansible.builtin.copy:
src: "{{ item.path }}"
dest: "{{ comanage_path }}/{{ item.path | regex_replace('(.*)[/]files[/]comanage-registry[/](.*)', '\\2') }}"
- force: yes
+ force: true
owner: root
- mode: 0664
+ mode: "0664"
backup: true
loop: "{{ comanage_files.files }}"
loop_control:
- label: "Added file {{ comanage_path }}/{{ item.path | regex_replace('(.*)[/]files[/]comanage-registry[/](.*)', '\\2') }}"
- become: yes
- ignore_errors: yes
+ label: Added file {{ comanage_path }}/{{ item.path | regex_replace('(.*)[/]files[/]comanage-registry[/](.*)', '\2') }}
+ become: true
+ ignore_errors: true # noqa ignore-errors
when: comanage_files is defined
diff --git a/roles/comanage-registry/templates/bootstrap.php.j2 b/roles/comanage-registry/templates/bootstrap.php.j2
index 90aac8b7..3421b376 100644
--- a/roles/comanage-registry/templates/bootstrap.php.j2
+++ b/roles/comanage-registry/templates/bootstrap.php.j2
@@ -2,7 +2,7 @@
/**
* This file is loaded automatically by the app/webroot/index.php file after core.php
*
- * This file should load/create any application wide configuration settings, such as
+ * This file should load/create any application wide configuration settings, such as
* Caching, Logging, loading additional configuration files.
*
* You should also use this file to include any files that provide global functions/constants
@@ -163,5 +163,3 @@ CakeLog::config('error', array(
'rotate' => {{ comanage_log_engine.error.rotate }},
{% endif %}
));
-
-
diff --git a/roles/comanage-registry/vars/Debian.yml b/roles/comanage-registry/vars/Debian.yml
index 3a7bb5ed..dae8a17e 100644
--- a/roles/comanage-registry/vars/Debian.yml
+++ b/roles/comanage-registry/vars/Debian.yml
@@ -1,4 +1,4 @@
---
-comanage_webserver_user: "www-data"
-comanage_webserver_group: "www-data"
+comanage_webserver_user: www-data
+comanage_webserver_group: www-data
diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml
index 53aa9a00..cf182dd6 100644
--- a/roles/common/defaults/main.yml
+++ b/roles/common/defaults/main.yml
@@ -1,3 +1,2 @@
---
-
-common_tz: "Europe/Amsterdam"
+common_tz: Europe/Amsterdam
diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml
index 66bbab2f..cdc96ea5 100644
--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@@ -1,5 +1,5 @@
---
-
-- name: Update timezone
- command: "{{ common_set_tz_cmd }}"
- become: yes
+- name: Update timezone # noqa syntax-check[unknown-module]
+ community.general.timezone: # noqa syntax-check[unknown-module]
+ name: "{{ common_tz }}"
+ become: true
diff --git a/roles/common/tasks/configure-Debian.yml b/roles/common/tasks/configure-Debian.yml
index e64ecf85..ad1d316d 100644
--- a/roles/common/tasks/configure-Debian.yml
+++ b/roles/common/tasks/configure-Debian.yml
@@ -1,12 +1,11 @@
---
-
- name: Configure timezone
- template:
+ ansible.builtin.template:
src: etc/timezone.j2
dest: /etc/timezone
owner: root
- group: root
- mode: 0644
- become: yes
+ group: root
+ mode: "0644"
+ become: true
notify:
- - Update timezone
+ - Update timezone
diff --git a/roles/common/tasks/configure-common.yml b/roles/common/tasks/configure-common.yml
index b06f073e..08f4eee7 100644
--- a/roles/common/tasks/configure-common.yml
+++ b/roles/common/tasks/configure-common.yml
@@ -1,10 +1,9 @@
---
-
- name: Configure Vim system-wide defaults
- template:
+ ansible.builtin.template:
src: etc/vim/vimrc.j2
dest: /etc/vim/vimrc
owner: root
group: root
- mode: 0644
- become: yes
+ mode: "0644"
+ become: true
diff --git a/roles/common/tasks/install-Debian.yml b/roles/common/tasks/install-Debian.yml
index 6f68fd64..e00aebe6 100644
--- a/roles/common/tasks/install-Debian.yml
+++ b/roles/common/tasks/install-Debian.yml
@@ -1,17 +1,16 @@
---
-
- name: Update package cache (Debian)
- apt:
- update_cache: yes
+ ansible.builtin.apt:
+ update_cache: true
cache_valid_time: 86400
- become: yes
+ become: true
- name: Ensure common packages are installed (Debian)
- apt:
+ ansible.builtin.apt:
pkg:
- aptitude
- ca-certificates
- vim-nox
state: present
- install_recommends: no
+ install_recommends: false
become: true
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index aff77b66..4af47137 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -1,22 +1,21 @@
---
-
- name: Include OS-specific variables
- include_vars: "{{ ansible_os_family }}.yml"
+ ansible.builtin.include_vars: "{{ ansible_os_family }}.yml"
-# Install OS-specific packages
-- include: install-Debian.yml
+- name: Include Debian-specific tasks
+ ansible.builtin.include_tasks: install-Debian.yml
when: ansible_os_family == 'Debian'
-#- include: install-CentOS.yml
+# - include: install-CentOS.yml
# when: ansible_os_family == 'CentOS'
# Run OS-independent installation tasks
-#- include: install-common.yml
+# - include: install-common.yml
-# Apply OS-specific configuration
-- include: configure-Debian.yml
+- name: Apply OS-specific configuration
+ ansible.builtin.include_tasks: configure-Debian.yml
when: ansible_os_family == 'Debian'
-#- include: configure-CentOS.yml
+# - include: configure-CentOS.yml
# when: ansible_os_family == 'CentOS'
-# Apply OS-independent configuration
-- include: configure-common.yml
+- name: Apply OS-independent configuration
+ ansible.builtin.include_tasks: configure-common.yml
diff --git a/roles/common/vars/Debian.yml b/roles/common/vars/Debian.yml
index 7d0c449b..d3c04433 100644
--- a/roles/common/vars/Debian.yml
+++ b/roles/common/vars/Debian.yml
@@ -1,3 +1,2 @@
---
-
-common_set_tz_cmd: "dpkg-reconfigure --frontend noninteractive tzdata"
+common_set_tz_cmd: dpkg-reconfigure --frontend noninteractive tzdata
diff --git a/roles/dirmngr/tasks/install-Debian.yml b/roles/dirmngr/tasks/install-Debian.yml
index 974a99ae..0972c15a 100644
--- a/roles/dirmngr/tasks/install-Debian.yml
+++ b/roles/dirmngr/tasks/install-Debian.yml
@@ -1,11 +1,16 @@
---
- name: Update package cache (Debian)
- apt: update_cache=yes cache_valid_time=86400
- become: yes
+ ansible.builtin.apt:
+ update_cache: true
+ cache_valid_time: 86400
+ become: true
- name: Ensure dirmngr is installed (Debian)
- apt: name={{ item }} state=present install_recommends=no
+ ansible.builtin.apt:
+ name: "{{ item }}"
+ state: present
+ install_recommends: false
with_items:
- dirmngr
- become: yes
+ become: true
diff --git a/roles/dirmngr/tasks/main.yml b/roles/dirmngr/tasks/main.yml
index d4cdedb6..270496d5 100644
--- a/roles/dirmngr/tasks/main.yml
+++ b/roles/dirmngr/tasks/main.yml
@@ -1,7 +1,6 @@
---
-
-# Install OS-specific packages
-- include: install-Debian.yml
+- name: Install OS-specific packages
+ ansible.builtin.include_tasks: install-Debian.yml
when: ansible_os_family == 'Debian'
-#- include: install-RedHat.yml
+# - include: install-RedHat.yml
# when: ansible_os_family == 'RedHat'
diff --git a/roles/egi-igtf/handlers/main.yml b/roles/egi-igtf/handlers/main.yml
new file mode 100644
index 00000000..914b3a32
--- /dev/null
+++ b/roles/egi-igtf/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: Update /etc/ssl/certs and certificates.crt with EGI Trust Anchors (Debian) # noqa no-changed-when
+ ansible.builtin.command: "/usr/sbin/update-ca-certificates -f"
+ become: true
+ listen: Update certs
diff --git a/roles/egi-igtf/tasks/configure-Debian.yml b/roles/egi-igtf/tasks/configure-Debian.yml
index 967000fe..747a6ae6 100644
--- a/roles/egi-igtf/tasks/configure-Debian.yml
+++ b/roles/egi-igtf/tasks/configure-Debian.yml
@@ -1,21 +1,25 @@
---
-
+# egi-igtf/tasks/configure-Debian.yml
- name: Ensure dir for EGI Trust Anchor symlinks exists (Debian)
- file: path="/usr/local/share/ca-certificates/egi-igtf" state=directory
- become: yes
+ ansible.builtin.file:
+ path: /usr/local/share/ca-certificates/egi-igtf
+ state: directory
+ mode: "0755"
+ owner: root
+ group: root
+ become: true
- name: Register EGI Trust Anchors to symlink (Debian)
- shell: "ls /etc/grid-security/certificates/*.0"
+ ansible.builtin.shell: "ls /etc/grid-security/certificates/*.0" # noqa
register: egi_igtf_certs
changed_when: false
- name: Ensure symlinks to EGI Trust Anchors exist (Debian)
- file: path="/usr/local/share/ca-certificates/egi-igtf/{{ item | basename}}.crt" src="{{ item }}" state=link
+ ansible.builtin.file:
+ path: "/usr/local/share/ca-certificates/egi-igtf/{{ item | basename }}.crt"
+ src: "{{ item }}"
+ state: link
with_items: "{{ egi_igtf_certs.stdout_lines }}"
register: egi_igtf_cert_symlinks
- become: yes
-
-- name: Update /etc/ssl/certs and certificates.crt with EGI Trust Anchors (Debian)
- command: "/usr/sbin/update-ca-certificates -f"
- when: egi_igtf_cert_symlinks is changed
- become: yes
+ become: true
+ notify: Update certs
diff --git a/roles/egi-igtf/tasks/install-Debian.yml b/roles/egi-igtf/tasks/install-Debian.yml
index fc7ce639..64db212b 100644
--- a/roles/egi-igtf/tasks/install-Debian.yml
+++ b/roles/egi-igtf/tasks/install-Debian.yml
@@ -1,19 +1,19 @@
---
- name: Ensure EUGridPMA apt key is installed (Debian)
- apt_key:
+ ansible.builtin.apt_key:
url: "{{ egi_igtf_repo_key_url }}"
- state: present
- become: yes
+ state: present
+ become: true
- name: Ensure EGI Trust Anchor repository is included (Debian)
- apt_repository:
- repo: "deb {{ egi_igtf_repo_url }} egi-igtf {{ egi_igtf_components }}"
- state: present
- become: yes
+ ansible.builtin.apt_repository:
+ repo: "deb {{ egi_igtf_repo_url }} egi-igtf {{ egi_igtf_components }}"
+ state: present
+ become: true
- name: Ensure latest versions of EGI Trust Anchors are installed (Debian)
- apt:
- name: ca-policy-egi-core
- state: latest
- update_cache: yes
- become: yes
+ ansible.builtin.apt:
+ name: ca-policy-egi-core # This really needs a version attached to it!
+ state: present
+ update_cache: true
+ become: true
diff --git a/roles/egi-igtf/tasks/main.yml b/roles/egi-igtf/tasks/main.yml
index 817b6083..59b53fdf 100644
--- a/roles/egi-igtf/tasks/main.yml
+++ b/roles/egi-igtf/tasks/main.yml
@@ -1,12 +1,12 @@
---
-
+# egi-igtf/tasks/main.yml
- name: Include OS-specific variables
- include_vars: "{{ ansible_os_family }}.yml"
+ ansible.builtin.include_vars: "{{ ansible_os_family }}.yml"
-# Run OS-specific installation tasks
-- include: install-Debian.yml
+- name: Run OS-specific installation tasks
+ ansible.builtin.include_tasks: install-Debian.yml
when: ansible_os_family == 'Debian'
-# Apply OS-specific configuration
-- include: configure-Debian.yml
+- name: Apply OS-specific configuration
+ ansible.builtin.include_tasks: configure-Debian.yml
when: ansible_os_family == 'Debian'
diff --git a/roles/federation-registry/README.md b/roles/federation-registry/README.md
index 3f185a1a..6af1d7a3 100644
--- a/roles/federation-registry/README.md
+++ b/roles/federation-registry/README.md
@@ -1,35 +1,35 @@
### Description
-This role deploys the [Federation Registry](https://github.com/rciam/rciam-federation-registry) project.
+This role deploys the [Federation Registry](https://github.com/rciam/rciam-federation-registry) project.
### Task Analysis
- **configure-environment** :
+ **configure-environment** :
- Installs necessary packages
- Set's up github ssh key to clone repo (Can do it manually beforehand or Change to Https)
-
-**postgres** : (To run this tast include the postgres tag when running the playbook)
-- Runs initialization script that creates the necessary SQL tables
+
+**postgres** : (To run this tast include the postgres tag when running the playbook)
+- Runs initialization script that creates the necessary SQL tables
- Runs initialization script for tenants
-**configure-ams:**
+**configure-ams:**
- Creates Deployment Result Topic and Push Subscription in the Ams Messaging Service
-
-**deploy**:
-- Clones Repo
-- Runs Express Backend instance with pm2 serving at http://localhost:5000
-- Builds React Frontend
-- Runs Ams Agent node.js agent with pm2
+
+**deploy**:
+- Clones Repo
+- Runs Express Backend instance with pm2 serving at http://localhost:5000
+- Builds React Frontend
+- Runs Ams Agent node.js agent with pm2
- Activates Push Subscription for Deployment Result Topic
### Configuring the Inventory


- **main.yml:**
+ **main.yml:**
- Ams Configuration (federation_registry_ams):
- - Set host of the AMS instance
+ - Set host of the AMS instance
- A preconfigured project and an admin user is needed. Set project name and admin_token accordingly
- agent_key is the Authorisation Key used for the communitation of the Ams Agent and the Federation Registry Backend
- - Folder Paths:
+ - Folder Paths:
- Set deployment Path for each component
- Git (federation_registry_git):
- Set url for ssh or https
@@ -38,6 +38,6 @@ This role deploys the [Federation Registry](https://github.com/rciam/rciam-feder
**config.json:** Configure the file based on the tenant information and instance requirements
- **hosts.ini:**
+ **hosts.ini:**
- federation-registry: Federation Registry Backend and Frontend gets deployed for hosts in this group
- ams-agent: Ams Agent Instance is deployed for hosts in this group (maximun of 1 instance)
diff --git a/roles/federation-registry/defaults/config.json b/roles/federation-registry/defaults/config.json
index ece87fac..2af4e079 100644
--- a/roles/federation-registry/defaults/config.json
+++ b/roles/federation-registry/defaults/config.json
@@ -14,7 +14,7 @@
"service_integration_notification": {
"enabled": false,
"email": "ticketing-system@mail.com",
- "integration_environments": ["devel"],
+ "integration_environments": ["devel"],
"template": ""
},
"restricted_env": ["production"],
@@ -155,7 +155,7 @@
"tag":"coc",
"error": "The service must comply with this policy"
}
-
+
}
}
},
@@ -170,4 +170,3 @@
"deployment_fields":["service_name","service_description","client_id","allow_introspection","code_challenge_method","device_code_validity_seconds","access_token_validity_seconds","refresh_token_validity_seconds","client_secret","reuse_refresh_token","clear_access_tokens_on_refresh","id_token_timeout_seconds","entity_id","metadata_url","grant_types","scope","contacts","redirect_uris","token_endpoint_auth_method","token_endpoint_auth_signing_alg","jwks","jwks_uri","website_url","aup_uri","policy_uri","country","logo_uri","application_type","requested_attributes","post_logout_redirect_uris"],
"multivalue_fields": ["grant_types","scope","contacts","redirect_uris","post_logout_redirect_uris"]
}
-
\ No newline at end of file
diff --git a/roles/federation-registry/defaults/main.yml b/roles/federation-registry/defaults/main.yml
index b70aac49..f044fa1a 100644
--- a/roles/federation-registry/defaults/main.yml
+++ b/roles/federation-registry/defaults/main.yml
@@ -6,12 +6,12 @@ federation_registry_known_hosts_path: "~/.ssh/known_hosts"
# Ams Configuration
federation_registry_ams:
# Consumer/Publisher for deployment tasks and deployment results topics
- authorized_users :
+ authorized_users:
- username: "ams-user"
# Authentication key for the ams agent process
- agent_key : "authentication_key_for_ams_agent"
+ agent_key: "authentication_key_for_ams_agent"
# Admin User token for setting the topics, subscriptions and ACL
- admin_token : "ams-admin-token"
+ admin_token: "ams-admin-token"
# Consumer/Publisher User Token
token: "ams-users-token"
# Base Url of the Ams
@@ -22,16 +22,16 @@ federation_registry_ams:
federation_registry_pm2_conf_path: "/home/debian"
federation_registry_react_folder: "federation-registry-frontend"
federation_registry_project_path: "/var/www/rciam-federation-registry"
-federation_registry_react_path: "{{federation_registry_project_path}}/{{federation_registry_react_folder}}"
+federation_registry_react_path: "{{ federation_registry_project_path }}/{{ federation_registry_react_folder }}"
federation_registry_express_folder: "federation-registry-backend-api"
-federation_registry_express_path: "{{federation_registry_project_path}}/{{federation_registry_express_folder}}"
+federation_registry_express_path: "{{ federation_registry_project_path }}/{{ federation_registry_express_folder }}"
federation_registry_ams_agent_folder: "federation-registry-backend-ams-agent"
-federation_registry_ams_agent_path: "{{federation_registry_project_path}}/{{federation_registry_ams_agent_folder}}"
+federation_registry_ams_agent_path: "{{ federation_registry_project_path }}/{{ federation_registry_ams_agent_folder }}"
federation_registry_git:
git_repo: "https://github.com/rciam/rciam-federation-registry.git"
git_branch: "devel"
clone_dest: "/var/www/rciam-federation-registry"
-federation_registry_deployment_env : "dev/demo/production"
+federation_registry_deployment_env: "dev/demo/production"
federation_registry_key_title: "env-vm"
federation_registry_init_script: "setup_tenant.sql"
federation_registry_admin_key: "authentication_for_admin_endpoints"
@@ -52,5 +52,3 @@ federation_registry_tenant_config:
backend_uri: "https://tenant1/federation-backend/"
- name: "tenant2_name"
backend_uri: "https://tenant2/federation-backend/"
-
-
diff --git a/roles/federation-registry/defaults/setup_tenant.sql b/roles/federation-registry/defaults/setup_tenant.sql
index 506c2833..c59231b3 100644
--- a/roles/federation-registry/defaults/setup_tenant.sql
+++ b/roles/federation-registry/defaults/setup_tenant.sql
@@ -45,7 +45,7 @@ VALUES(1 , 'get_user'),
INSERT INTO tenant_deployer_agents (tenant,integration_environment,type,entity_type,hostname,entity_protocol,deployer_name)
-VALUES
+VALUES
('tenant_name', 'production', 'keycloak', 'service', 'test_deployer','oidc',null ),
('tenant_name', 'demo', 'keycloak', 'service', 'test_deployer','oidc',null ),
('tenant_name', 'development', 'keycloak', 'service', 'test_deployer','oidc',null ),
@@ -54,4 +54,3 @@ VALUES
('tenant_name', 'demo', 'ssp', 'service', 'test_deployer','saml','1' ),
('tenant_name', 'demo', 'ssp', 'service', 'test_deployer','saml','2'),
('tenant_name', 'development', 'ssp', 'service', 'test_deployer','saml',null );
-
diff --git a/roles/federation-registry/tasks/configure-ams.yml b/roles/federation-registry/tasks/configure-ams.yml
index 9f303557..049f7c35 100644
--- a/roles/federation-registry/tasks/configure-ams.yml
+++ b/roles/federation-registry/tasks/configure-ams.yml
@@ -1,87 +1,88 @@
---
- - name: Create deployment_response topic
- uri:
- url: "{{ federation_registry_ams.host }}/projects/{{ federation_registry_ams.project }}/topics/{{ federation_registry_ams.topic }}"
- method: PUT
- return_content: yes
- headers:
- x-api-key: "{{ federation_registry_ams.admin_token }}"
- register: response
- run_once: true
- failed_when: response.status != 409 and response.status != 200
+- name: Create deployment_response topic
+ ansible.builtin.uri:
+ url: "{{ federation_registry_ams.host }}/projects/{{ federation_registry_ams.project }}/topics/{{ federation_registry_ams.topic }}"
+ method: PUT
+ return_content: true
+ headers:
+ x-api-key: "{{ federation_registry_ams.admin_token }}"
+ register: response
+ run_once: true
+ failed_when: response.status != 409 and response.status != 200
- - name: Modify acl for topic
- run_once: true
- uri:
- url: "{{ federation_registry_ams.host }}/projects/{{ federation_registry_ams.project }}/topics/{{ federation_registry_ams.topic }}:modifyAcl"
- body: "{{lookup('template','ams_authorized_users.j2')}}"
- method: POST
- return_content: yes
- headers:
- Content-Type: "application/json"
- x-api-key: "{{ federation_registry_ams.admin_token }}"
- body_format: json
+- name: Modify acl for topic
+ run_once: true
+ ansible.builtin.uri:
+ url: "{{ federation_registry_ams.host }}/projects/{{ federation_registry_ams.project }}/topics/{{ federation_registry_ams.topic }}:modifyAcl"
+ body: "{{ lookup('template', 'ams_authorized_users.j2') }}"
+ method: POST
+ return_content: true
+ headers:
+ Content-Type: "application/json"
+ x-api-key: "{{ federation_registry_ams.admin_token }}"
+ body_format: json
- - name: Delete express push subscription
- uri:
- url: "{{ federation_registry_ams.host }}/projects/{{ federation_registry_ams.project }}/subscriptions/{{ federation_registry_ams.sub }}"
- method: DELETE
- return_content: yes
- headers:
- x-api-key: "{{ federation_registry_ams.admin_token }}"
- register: response
- run_once: true
- failed_when: response.status != 409 and response.status != 200 and response.status != 404
+- name: Delete express push subscription
+ ansible.builtin.uri:
+ url: "{{ federation_registry_ams.host }}/projects/{{ federation_registry_ams.project }}/subscriptions/{{ federation_registry_ams.sub }}"
+ method: DELETE
+ return_content: true
+ headers:
+ x-api-key: "{{ federation_registry_ams.admin_token }}"
+ register: response
+ run_once: true
+ failed_when: response.status != 409 and response.status != 200 and response.status != 404
- - name: Create express push subscription
- uri:
- url: "{{ federation_registry_ams.host }}/projects/{{ federation_registry_ams.project }}/subscriptions/{{ federation_registry_ams.sub }}"
- method: PUT
- body: "{{lookup('template','ams_push_body.j2')}}"
- headers:
- Content-Type: "application/json"
- x-api-key: "{{ federation_registry_ams.admin_token }}"
- body_format: json
- return_content: yes
- run_once: true
- register: post_ams_push_config_response
+- name: Create express push subscription
+ ansible.builtin.uri:
+ url: "{{ federation_registry_ams.host }}/projects/{{ federation_registry_ams.project }}/subscriptions/{{ federation_registry_ams.sub }}"
+ method: PUT
+ body: "{{ lookup('template', 'ams_push_body.j2') }}"
+ headers:
+ Content-Type: "application/json"
+ x-api-key: "{{ federation_registry_ams.admin_token }}"
+ body_format: json
+ return_content: true
+ run_once: true
+ register: post_ams_push_config_response
- - name: Get express push subscription
- uri:
- url: "{{ federation_registry_ams.host }}/projects/{{ federation_registry_ams.project }}/subscriptions/{{ federation_registry_ams.sub }}"
- method: GET
- return_content: yes
- headers:
- x-api-key: "{{ federation_registry_ams.admin_token }}"
- register: get_ams_push_response
- ignore_errors: yes
- run_once: true
- when: "post_ams_push_config_response is defined"
+- name: Get express push subscription
+ ansible.builtin.uri:
+ url: "{{ federation_registry_ams.host }}/projects/{{ federation_registry_ams.project }}/subscriptions/{{ federation_registry_ams.sub }}"
+ method: GET
+ return_content: true
+ headers:
+ x-api-key: "{{ federation_registry_ams.admin_token }}"
+ register: get_ams_push_response
+ ignore_errors: true
+ run_once: true
+ when: "post_ams_push_config_response is defined"
- - name: Modify Acl for Push Subscription
- uri:
- url: "{{ federation_registry_ams.host }}/projects/{{ federation_registry_ams.project }}/subscriptions/{{ federation_registry_ams.sub }}:modifyAcl"
- body: "{{lookup('template','ams_authorized_users.j2')}}"
- method: POST
- headers:
- Content-Type: "application/json"
- x-api-key: "{{ federation_registry_ams.admin_token }}"
- body_format: json
- run_once: true
+- name: Modify Acl for Push Subscription
+ ansible.builtin.uri:
+ url: "{{ federation_registry_ams.host }}/projects/{{ federation_registry_ams.project }}/subscriptions/{{ federation_registry_ams.sub }}:modifyAcl"
+ body: "{{ lookup('template', 'ams_authorized_users.j2') }}"
+ method: POST
+ headers:
+ Content-Type: "application/json"
+ x-api-key: "{{ federation_registry_ams.admin_token }}"
+ body_format: json
+ run_once: true
- - name: Save Ams Facts
- run_once: true
- set_fact:
- ams_auth_key: "{{get_ams_push_response.json.pushConfig.authorizationHeader.value}}"
- ams_verif_hash: "{{get_ams_push_response.json.pushConfig.verificationHash}}"
- when:
- - "get_ams_push_response.json.pushConfig.authorizationHeader.value is defined"
- - "get_ams_push_response.json.pushConfig.verificationHash is defined"
-
- - debug:
- var: ams_verif_hash
- - name: Save Ams verified
- run_once: true
- set_fact:
- ams_is_verif: "{{get_ams_push_response.json.pushConfig.verified}}"
- when: "get_ams_push_response.json.pushConfig.verified is defined"
+- name: Save Ams Facts
+ run_once: true
+ ansible.builtin.set_fact:
+ ams_auth_key: "{{ get_ams_push_response.json.pushConfig.authorizationHeader.value }}"
+ ams_verif_hash: "{{ get_ams_push_response.json.pushConfig.verificationHash }}"
+ when:
+ - "get_ams_push_response.json.pushConfig.authorizationHeader.value is defined"
+ - "get_ams_push_response.json.pushConfig.verificationHash is defined"
+
+- name: Debug
+ ansible.builtin.debug:
+ var: ams_verif_hash
+- name: Save Ams verified
+ run_once: true
+ ansible.builtin.set_fact:
+ ams_is_verif: "{{ get_ams_push_response.json.pushConfig.verified }}"
+ when: "get_ams_push_response.json.pushConfig.verified is defined"
diff --git a/roles/federation-registry/tasks/configure-environment.yml b/roles/federation-registry/tasks/configure-environment.yml
index 1d7dc293..0a4172de 100644
--- a/roles/federation-registry/tasks/configure-environment.yml
+++ b/roles/federation-registry/tasks/configure-environment.yml
@@ -1,27 +1,26 @@
---
+- name: Install dependencies
+ ansible.builtin.apt:
+ pkg:
+ - curl
+ - git
+ - nginx
- - name: Install dependencies
- apt:
- pkg:
- - curl
- - git
- - nginx
-
- - name: Add node repository
- shell: curl -sL https://deb.nodesource.com/setup_14.x | sudo bash -
- args:
- warn: no
-
- - name: Install node and npm
- apt:
- pkg:
- - build-essential
- - nodejs
- - npm
-
- - name: Install pm2
- npm:
- name: pm2
- global: yes
+- name: Add node repository # noqa no-changed-when
+ ansible.builtin.shell: >
+ set -o pipefail
+ curl -sL https://deb.nodesource.com/setup_14.x | sudo bash -
+ args:
+ warn: false
+- name: Install node and npm
+ ansible.builtin.apt:
+ pkg:
+ - build-essential
+ - nodejs
+ - npm
+- name: Install pm2
+ community.general.npm:
+ name: pm2
+ global: true
diff --git a/roles/federation-registry/tasks/deploy.yml b/roles/federation-registry/tasks/deploy.yml
index 126342f3..5d68515b 100644
--- a/roles/federation-registry/tasks/deploy.yml
+++ b/roles/federation-registry/tasks/deploy.yml
@@ -1,169 +1,210 @@
---
- - name: Check if project exists
- stat:
- path: "{{ federation_registry_git.clone_dest }}"
- register: project_stat
-
- - name: Clean clone directory
- file:
- state: absent
- path: "{{ federation_registry_git.clone_dest }}"
- when: project_stat.stat.exists
-
- - name: Clean Frontend Folder
- file:
- state: absent
- path: "{{federation_registry_project_path}}/{{federation_registry_react_folder}}"
- ignore_errors: true
-
- - name: Clean Backend Folder
- file:
- state: absent
- path: "{{federation_registry_project_path}}/{{federation_registry_express_folder}}"
- ignore_errors: true
-
- - name: Clean Ams Agent Folder
- file:
- state: absent
- path: "{{federation_registry_project_path}}/{{federation_registry_ams_agent_folder}}"
- ignore_errors: true
-
- - name: Clone the repository
- git:
- repo: "{{federation_registry_git.git_repo}}"
- version: "{{federation_registry_git.git_branch}}"
- dest: "{{federation_registry_git.clone_dest}}"
- force: yes
-
- - name: Move Federation Backend to /var/www
- shell: mv {{federation_registry_git.clone_dest}}/{{federation_registry_express_folder}} {{federation_registry_project_path}}
-
- - name: Move Ams Agent to /var/www
- shell: mv {{federation_registry_git.clone_dest}}/{{federation_registry_ams_agent_folder}} {{federation_registry_project_path}}
-
- - name: Move Swagger File to /var/www
- shell: mv {{federation_registry_git.clone_dest}}/swagger.json {{federation_registry_project_path}}
-
- - name: Create React Folder
- shell: mkdir {{federation_registry_project_path}}/{{federation_registry_react_folder}}
- ignore_errors: True
-
- - name: Load package.json contents to package variable
- slurp:
- src: "{{federation_registry_git.clone_dest}}/{{federation_registry_react_folder}}/package.json"
- register: imported_var
-
- - name: Append homepage value to package variable
- set_fact:
- imported_var: "{{ imported_var.content|b64decode|from_json | default([]) | combine({ 'homepage': federation_registry_react_base_url}) }}"
-
- - name: Write package variable to package.json
- copy:
- content: "{{ imported_var | to_nice_json }}"
- dest: "{{federation_registry_git.clone_dest}}/{{federation_registry_react_folder}}/package.json"
-
- - name: Install node modules for react
- npm:
- path: "{{federation_registry_git.clone_dest}}/{{federation_registry_react_folder}}"
-
- - name: Install node modules for express
- npm:
- path: "{{federation_registry_express_path}}"
-
- - name: Install node modules for ams-agent
- npm:
- path: "{{federation_registry_ams_agent_path}}"
-
- - name: React config
- template:
- src: react-config.j2
- dest: "{{federation_registry_git.clone_dest}}/{{federation_registry_react_folder}}/src/config.json"
- backup: yes
-
- - name: Configure express db_config
- template:
- src: db_config.j2
- dest: "{{federation_registry_express_path}}/db-config/db-config.json"
- backup: yes
-
- - name: Copy Tenant Configuration
- copy:
- src: "{{ inventory_dir }}/files/config.json"
- dest: "{{federation_registry_express_path}}/JavaScript/config.json"
- force: yes
- owner: root
- mode: 0664
- backup: true
-
- - name: Agent env
- template:
- src: ams-env.j2
- dest: "{{federation_registry_ams_agent_path}}/.env"
- backup: yes
-
- - name: Agent config
- template:
- src: ams_authorized_users.j2
- dest: "{{federation_registry_ams_agent_path}}/config.json"
- backup: yes
-
- - name: delete existing pm2 processes if running
- command: "pm2 delete all"
- ignore_errors: True
-
- - name: Create pm2 ecosystem
- template:
- src: pm2_config.j2
- dest: "{{federation_registry_pm2_conf_path}}/ecosystem.config.js"
- backup: yes
-
- - name: react build
- shell: "npm run build"
- args:
- chdir: "{{federation_registry_git.clone_dest}}/{{federation_registry_react_folder}}"
- executable: /bin/bash
-
- - name: Creates federation directory
- file:
- path: "{{federation_registry_git.clone_dest}}/{{federation_registry_react_folder}}{{federation_registry_react_base_url}}"
- state: directory
- when: federation_registry_react_base_url != "/"
-
- - name: Move files from build folder to base folder
- shell: mv {{federation_registry_git.clone_dest}}/{{federation_registry_react_folder}}/build/* {{federation_registry_git.clone_dest}}/{{federation_registry_react_folder}}{{federation_registry_react_base_url}}
- when: federation_registry_react_base_url != "/"
-
- - name: Move base folder inside build folder
- shell: mv {{federation_registry_git.clone_dest}}/{{federation_registry_react_folder}}{{federation_registry_react_base_url}} {{federation_registry_project_path}}/{{federation_registry_react_folder}}{{federation_registry_react_base_url}}
- when: federation_registry_react_base_url != "/"
-
- - name: Move base folder inside build folder
- shell: mv {{federation_registry_git.clone_dest}}/{{federation_registry_react_folder}}/build/* {{federation_registry_project_path}}/{{federation_registry_react_folder}}
- when: federation_registry_react_base_url == "/"
-
- - name: Express env
- template:
- src: express-env.j2
- dest: "{{federation_registry_express_path}}/JavaScript/.env"
- backup: yes
-
- - name: start Pm2 processes
- command: "pm2 start ecosystem.config.js"
-
- - name: restart Pm2 processes
- command: "pm2 restart all"
-
- - debug:
- msg: ams_is_verif
-
- - name: Verify push endpoint if not verified
- run_once: true
- uri:
- url: "{{ federation_registry_ams.host }}/projects/{{ federation_registry_ams.project }}/subscriptions/{{ federation_registry_ams.sub }}:verifyPushEndpoint?key={{ federation_registry_ams.admin_token }}"
- method: POST
- return_content: yes
- headers:
- Content-Type: "application/json"
- body_format: json
- when:
- - "not ams_is_verif"
+- name: Check if project exists
+ ansible.builtin.stat:
+ path: "{{ federation_registry_git.clone_dest }}"
+ register: project_stat
+
+- name: Clean clone directory
+ ansible.builtin.file:
+ state: absent
+ path: "{{ federation_registry_git.clone_dest }}"
+ when: project_stat.stat.exists
+
+- name: Clean Frontend Folder
+ ansible.builtin.file:
+ state: absent
+ path: "{{ federation_registry_project_path }}/{{ federation_registry_react_folder }}"
+ ignore_errors: false
+
+- name: Clean Backend Folder
+ ansible.builtin.file:
+ state: absent
+ path: "{{ federation_registry_project_path }}/{{ federation_registry_express_folder }}"
+ ignore_errors: false
+
+- name: Clean Ams Agent Folder
+ ansible.builtin.file:
+ state: absent
+ path: "{{ federation_registry_project_path }}/{{ federation_registry_ams_agent_folder }}"
+ ignore_errors: false
+
+- name: Clone the repository
+ ansible.builtin.git:
+ repo: "{{ federation_registry_git.git_repo }}"
+ version: "{{ federation_registry_git.git_branch }}"
+ dest: "{{ federation_registry_git.clone_dest }}"
+ force: true
+
+- name: Move things to /var/www
+ ansible.builtin.shell: |-
+ "mv {{ federation_registry_git.clone_dest }}/{{ item }} \
+ {{ federation_registry_project_path }}"
+ loop:
+ - "{{ federation_registry_express_folder }}"
+ - "{{ federation_registry_ams_agent_folder }}"
+ - swagger.json
+
+# Refactored by task above
+# - name: Move Federation Backend to /var/www # noqa command-instead-of-shell no-changed-when
+# ansible.builtin.shell: "mv {{ federation_registry_git.clone_dest }}/{{ federation_registry_express_folder }} {{ federation_registry_project_path }}"
+# changed_when: false
+
+# - name: Move Ams Agent to /var/www # noqa command-instead-of-shell no-changed-when
+# ansible.builtin.shell: "mv {{ federation_registry_git.clone_dest }}/{{ federation_registry_ams_agent_folder }} {{ federation_registry_project_path }}"
+# changed_when: false
+
+# - name: Move Swagger File to /var/www # noqa command-instead-of-shell no-changed-when
+# ansible.builtin.shell: "mv {{ federation_registry_git.clone_dest }}/swagger.json {{ federation_registry_project_path }}"
+
+- name: Create React Folder
+ ansible.bultin.file:
+ dest: "{{ federation_registry_project_path }}/{{ federation_registry_react_folder }}"
+ state: directory
+ mode: "0755"
+
+- name: Load package.json contents to package variable
+ ansible.builtin.slurp:
+ src: "{{ federation_registry_git.clone_dest }}/{{ federation_registry_react_folder }}/package.json"
+ register: imported_var
+
+- name: Append homepage value to package variable
+ ansible.builtin.set_fact:
+ imported_var: "{{ imported_var.content | b64decode | from_json | default([]) | combine({'homepage': federation_registry_react_base_url}) }}"
+
+- name: Write package variable to package.json
+ ansible.builtin.copy:
+ content: "{{ imported_var | to_nice_json }}"
+ dest: "{{ federation_registry_git.clone_dest }}/{{ federation_registry_react_folder }}/package.json"
+ mode: "0644"
+
+- name: Install node modules for react
+ community.general.npm:
+ path: "{{ federation_registry_git.clone_dest }}/{{ federation_registry_react_folder }}"
+
+- name: Install node modules for express
+ community.general.npm:
+ path: "{{ federation_registry_express_path }}"
+
+- name: Install node modules for ams-agent
+ community.general.npm:
+ path: "{{ federation_registry_ams_agent_path }}"
+
+- name: React config
+ ansible.builtin.template:
+ src: react-config.j2
+ dest: "{{ federation_registry_git.clone_dest }}/{{ federation_registry_react_folder }}/src/config.json"
+ backup: true
+ mode: "0644"
+
+- name: Configure express db_config
+ ansible.builtin.template:
+ src: db_config.j2
+ dest: "{{ federation_registry_express_path }}/db-config/db-config.json"
+ backup: true
+ mode: "0644"
+
+- name: Copy Tenant Configuration
+ ansible.builtin.copy:
+ src: "{{ inventory_dir }}/files/config.json"
+ dest: "{{ federation_registry_express_path }}/JavaScript/config.json"
+ force: true
+ owner: root
+ mode: "0664"
+ backup: true
+
+- name: Agent env
+ ansible.builtin.template:
+ src: ams-env.j2
+ dest: "{{ federation_registry_ams_agent_path }}/.env"
+ backup: true
+ mode: "0600"
+
+- name: Agent config
+ ansible.builtin.template:
+ src: ams_authorized_users.j2
+ dest: "{{ federation_registry_ams_agent_path }}/config.json"
+ backup: true
+ mode: "0644"
+
+- name: Delete existing pm2 processes if running
+ ansible.builtin.command: "pm2 delete all"
+ changed_when: false
+
+- name: Create pm2 ecosystem
+ ansible.builtin.template:
+ src: pm2_config.j2
+ dest: "{{ federation_registry_pm2_conf_path }}/ecosystem.config.js"
+ backup: true
+ mode: "0644"
+
+- name: React build
+ ansible.builtin.shell: "npm run build"
+ args:
+ chdir: "{{ federation_registry_git.clone_dest }}/{{ federation_registry_react_folder }}"
+ executable: /bin/bash
+ changed_when: false
+
+- name: Creates federation directory
+ ansible.builtin.file:
+ path: "{{ federation_registry_git.clone_dest }}/{{ federation_registry_react_folder }}{{ federation_registry_react_base_url }}"
+ state: directory
+ mode: "0644"
+ when: federation_registry_react_base_url != "/"
+
+# this should be a loop
+- name: Move files from build folder to base folder
+ ansible.builtin.shell: >-
+ mv {{ federation_registry_git.clone_dest }}/{{ federation_registry_react_folder }}/build/*
+ {{ federation_registry_git.clone_dest }}/
+ {{ federation_registry_react_folder }}{{ federation_registry_react_base_url }}
+ when: federation_registry_react_base_url != "/"
+ changed_when: false
+
+- name: Move base folder inside build folder # noqa command-instead-of-shell
+ ansible.builtin.shell: >-
+ mv {{ federation_registry_git.clone_dest }}/
+ {{ federation_registry_react_folder }}{{ federation_registry_react_base_url }}
+ {{ federation_registry_project_path }}/\
+ {{ federation_registry_react_folder }}{{ federation_registry_react_base_url }}
+ when: federation_registry_react_base_url != "/"
+ changed_when: false
+
+- name: Move base folder inside build folder
+ ansible.builtin.shell: >-
+ mv {{ federation_registry_git.clone_dest }}/{{ federation_registry_react_folder }}/build/*
+ {{ federation_registry_project_path }}/{{ federation_registry_react_folder }}
+ when: federation_registry_react_base_url == "/"
+ changed_when: false
+
+- name: Template Express env
+ ansible.builtin.template:
+ src: express-env.j2
+ dest: "{{ federation_registry_express_path }}/JavaScript/.env"
+ backup: true
+ mode: "0644"
+
+- name: Start Pm2 processes
+ ansible.builtin.command: "pm2 start ecosystem.config.js"
+ changed_when: false
+
+- name: Restart Pm2 processes
+ ansible.builtin.command: "pm2 restart all"
+ changed_when: false
+
+- name: Debug
+ ansible.builtin.debug:
+ msg: ams_is_verif
+
+- name: Verify push endpoint if not verified
+ run_once: true
+ ansible.builtin.uri:
+ url: >-
+ "{{ federation_registry_ams.host }}/projects/
+ {{ federation_registry_ams.project }}/subscriptions/{{ federation_registry_ams.sub }}:verifyPushEndpoint?key={{ federation_registry_ams.admin_token }}"
+ method: POST
+ return_content: true
+ headers:
+ Content-Type: "application/json"
+ body_format: json
+ when:
+ - "not ams_is_verif"
diff --git a/roles/federation-registry/tasks/main.yml b/roles/federation-registry/tasks/main.yml
index f6ed3892..1d11bffb 100644
--- a/roles/federation-registry/tasks/main.yml
+++ b/roles/federation-registry/tasks/main.yml
@@ -1,3 +1,5 @@
---
- - include: "{{task}}.yml"
- become: yes
+# this has got to be the weirdest way I've seen tasks included.
+- name: "Include {{ task }}"
+ ansible.builtin.include_tasks: "{{ task }}.yml"
+ # become: true
diff --git a/roles/federation-registry/tasks/postgres.yml b/roles/federation-registry/tasks/postgres.yml
index 654efc7f..993204c4 100644
--- a/roles/federation-registry/tasks/postgres.yml
+++ b/roles/federation-registry/tasks/postgres.yml
@@ -1,46 +1,49 @@
---
- name: Make sure psycopg2 is installed
- command: pip install psycopg2==2.7.5 --ignore-installed
+ ansible.builtin.pip:
+ name: psycopg2
+ version: 2.7.5
run_once: true
- name: Send Create Tables SQL File
- copy:
+ ansible.builtin.copy:
src: create_tables.sql
- dest: "{{rciam_dbs.federation.script_path}}"
+ dest: "{{ rciam_dbs.federation.script_path }}"
+ mode: "0644"
run_once: true
- name: Create PostgreSQL tables for Federation Registry via SQL scripts
run_once: true
- postgresql_query:
+ community.postgresql.postgresql_script:
db: "{{ rciam_dbs.federation.name }}"
login_user: "{{ rciam_dbs.federation.owner_username }}"
login_password: "{{ rciam_dbs.federation.owner_password }}"
- path_to_script: "{{ rciam_dbs.federation.script_path }}"
+ path: "{{ rciam_dbs.federation.script_path }}"
login_host: "{{ rciam_dbs.federation.host }}"
register: postgresql_result
failed_when: "postgresql_result is failed and 'already exists' not in postgresql_result.msg"
- name: Send Tenant Initialization Data
run_once: true
- copy:
- src: private_files/{{federation_registry_init_script}}
- dest: "{{rciam_dbs.federation.script_path}}"
+ ansible.builtin.copy:
+ src: private_files/{{ federation_registry_init_script }}
+ dest: "{{ rciam_dbs.federation.script_path }}"
+ mode: "0644"
- name: Initialise Tenant Data via SQL scripts
run_once: true
- postgresql_query:
+ community.postgresql.postgresql_script:
db: "{{ rciam_dbs.federation.name }}"
login_user: "{{ rciam_dbs.federation.owner_username }}"
login_password: "{{ rciam_dbs.federation.owner_password }}"
- path_to_script: "{{ rciam_dbs.federation.script_path }}"
- login_host: "{{ rciam_dbs.federation.host }}"
- path_to_script: "{{rciam_dbs.federation.script_path}}"
login_host: "{{ rciam_dbs.federation.host }}"
+ path: "{{ rciam_dbs.federation.script_path }}"
register: postgresql_result
failed_when: "postgresql_result is failed and 'already exists' not in postgresql_result.msg"
- name: Delete database configuration file
run_once: true
- file:
- path: "{{rciam_dbs.federation.script_path}}"
+ ansible.builtin.file:
+ path: "{{ rciam_dbs.federation.script_path }}"
state: absent
+ mode: "0644"
diff --git a/roles/federation-registry/templates/ams_authorized_users.j2 b/roles/federation-registry/templates/ams_authorized_users.j2
index 0b51eb1a..3e8b5cd4 100644
--- a/roles/federation-registry/templates/ams_authorized_users.j2
+++ b/roles/federation-registry/templates/ams_authorized_users.j2
@@ -1,7 +1,7 @@
{
"authorized_users": [
{% for user in federation_registry_ams.authorized_users %}
- "{{ user.username }}" {% if federation_registry_ams.authorized_users|length != loop.index %} , {% endif %}
+ "{{ user.username }}" {% if federation_registry_ams.authorized_users|length != loop.index %} , {% endif %}
{% endfor %}
]
}
diff --git a/roles/federation-registry/templates/react-config.j2 b/roles/federation-registry/templates/react-config.j2
index d15dd50f..dc4a790b 100644
--- a/roles/federation-registry/templates/react-config.j2
+++ b/roles/federation-registry/templates/react-config.j2
@@ -1,7 +1,7 @@
{
"host": {
{% for tenant in federation_registry_tenant_config %}
- "{{ tenant.name }}":"{{tenant.backend_uri}}" {% if federation_registry_tenant_config|length != loop.index %} , {% endif %}
+ "{{ tenant.name }}":"{{tenant.backend_uri}}" {% if federation_registry_tenant_config|length != loop.index %} , {% endif %}
{% endfor %}
},
"basename": "{{federation_registry_react_base_url}}"
diff --git a/roles/fedreg-agent/defaults/main.yml b/roles/fedreg-agent/defaults/main.yml
index 743735cc..cca18a98 100644
--- a/roles/fedreg-agent/defaults/main.yml
+++ b/roles/fedreg-agent/defaults/main.yml
@@ -17,9 +17,9 @@ fedreg_agent_registry_requirements_url: "https://raw.githubusercontent.com/rciam
# Service
fedreg_agent_services_path: /etc/systemd/system
fedreg_agent_log_conf: "{{ fedreg_agent_conf_dir }}/logger.conf"
-fedreg_agent_enable_ssp: no
-fedreg_agent_enable_mitreid: no
-fedreg_agent_enable_keycloak: no
+fedreg_agent_enable_ssp: false
+fedreg_agent_enable_mitreid: false
+fedreg_agent_enable_keycloak: false
## Federation registry agent parameters
# fedreg_agent_ams:
diff --git a/roles/fedreg-agent/handlers/main.yml b/roles/fedreg-agent/handlers/main.yml
index ae97cc84..f0fcd77b 100644
--- a/roles/fedreg-agent/handlers/main.yml
+++ b/roles/fedreg-agent/handlers/main.yml
@@ -1,2 +1,10 @@
---
# handlers file for fedreg-agent
+- name: Reload systemd
+ ansible.builtin.systemd:
+ daemon_reload: true
+ become: true
+ tags:
+ - agent
+ - service
+ - daemon-reload
diff --git a/roles/fedreg-agent/tasks/configure-common.yml b/roles/fedreg-agent/tasks/configure-common.yml
index 3f21bb87..841dbdd4 100644
--- a/roles/fedreg-agent/tasks/configure-common.yml
+++ b/roles/fedreg-agent/tasks/configure-common.yml
@@ -1,35 +1,34 @@
---
# tasks file for fedreg-agent
-
- name: Install basic common utils
- package:
+ ansible.builtin.package:
name: "{{ item }}"
- state: latest
+ state: preset
loop:
- git
- python3-pip
- become: yes
+ become: true
tags:
- agent
- basic_common_utils
- name: Upgrade pip3
- pip:
+ ansible.builtin.pip:
name: pip
- state: latest
+ state: present
extra_args: --upgrade --user
executable: pip3
- become: yes
+ become: true
tags:
- agent
- python
- name: Install Virtualenv via pip3
- pip:
+ ansible.builtin.pip:
name: virtualenv
- state: latest
+ state: present
executable: pip3
- become: yes
+ become: true
tags:
- agent
- python
diff --git a/roles/fedreg-agent/tasks/deploy.yml b/roles/fedreg-agent/tasks/deploy.yml
index c7469cb7..d2af24f0 100644
--- a/roles/fedreg-agent/tasks/deploy.yml
+++ b/roles/fedreg-agent/tasks/deploy.yml
@@ -1,70 +1,73 @@
---
# tasks file for fedreg-agent
-
- name: Download only the requirements.txt from rciam-federation-registry-agent repository
- get_url:
+ ansible.builtin.get_url:
url: "{{ fedreg_agent_registry_requirements_url }}"
dest: /tmp/requirements_{{ build_branch }}.txt
- become: yes
+ mode: "0644"
+ become: true
tags:
- agent
- python
- requirements
- name: Install python requirements
- pip:
+ ansible.builtin.pip:
requirements: /tmp/requirements_{{ build_branch }}.txt
virtualenv: "{{ fedreg_agent_venv_path }}"
virtualenv_python: "{{ fedreg_agent_venv_python }}"
- become: yes
+ become: true
tags:
- agent
- python
- requirements
+# This should be packaged as a release instead of a branch
- name: Install rciam-federation-registry-agent (test.pypi.org)
when: build_branch == "devel"
- pip:
+ ansible.builtin.pip:
name: rciam-federation-registry-agent
virtualenv: "{{ fedreg_agent_venv_path }}"
virtualenv_python: "{{ fedreg_agent_venv_python }}"
extra_args: -i https://test.pypi.org/simple/
- state: latest
- become: yes
+ state: present
+ become: true
tags:
- agent
- python
- requirements
+# This should be packaged as a release instead of a branch
- name: Install rciam-federation-registry-agent
when: build_branch == "master"
- pip:
+ ansible.builtin.pip:
name: rciam-federation-registry-agent
virtualenv: "{{ fedreg_agent_venv_path }}"
virtualenv_python: "{{ fedreg_agent_venv_python }}"
- state: latest
- become: yes
+ state: present
+ become: true
tags:
- - agent
- - python
- - requirements
-
+ - agent
+ - python
+ - requirements
-- name: "Ensure {{ fedreg_agent_conf_dir }} dir exists"
- file:
+- name: "Ensure dir exists: {{ fedreg_agent_conf_dir }}"
+ ansible.builtin.file:
path: "{{ fedreg_agent_conf_dir }}"
state: directory
- become: yes
+ mode: "0755"
+ become: true
tags:
- agent
- config
- name: Copy logger.conf file
- copy:
+ ansible.builtin.copy:
src: logger.conf
dest: "{{ fedreg_agent_conf_dir }}/logger.conf"
- force: no
- become: yes
+ force: false
+ mode: "0644"
+ become: true
tags:
- agent
- config
diff --git a/roles/fedreg-agent/tasks/main.yml b/roles/fedreg-agent/tasks/main.yml
index 7d351e77..7bd93b88 100644
--- a/roles/fedreg-agent/tasks/main.yml
+++ b/roles/fedreg-agent/tasks/main.yml
@@ -1,12 +1,10 @@
---
# tasks file for fedreg-agent
-
- name: Configuration tasks
- include: "configure-common.yml"
+ ansible.builtin.include_tasks: "configure-common.yml"
- name: Deploy tasks
- include: "deploy.yml"
+ ansible.builtin.include_tasks: "deploy.yml"
- name: Setup services
- include: "services.yml"
-
+ ansible.builtin.include_tasks: "services.yml"
diff --git a/roles/fedreg-agent/tasks/services.yml b/roles/fedreg-agent/tasks/services.yml
index e9cee049..597d9bc2 100644
--- a/roles/fedreg-agent/tasks/services.yml
+++ b/roles/fedreg-agent/tasks/services.yml
@@ -1,91 +1,90 @@
- name: Create deployer configuration file
- template:
+ ansible.builtin.template:
src: deployers.config.json.j2
dest: "{{ fedreg_agent_conf_dir }}/{{ deployers_config_name }}"
- backup: yes
+ backup: true
+ mode: "0644"
when: fedreg_agent_enable_ssp or fedreg_agent_enable_mitreid or fedreg_agent_enable_keycloak
- become: yes
+ become: true
tags:
- agent
- config
+ notify: Reload systemd
- name: Create MITREid deployer service file
- template:
+ ansible.builtin.template:
src: deployer_mitreid.service.j2
dest: "{{ fedreg_agent_services_path }}/{{ deployer_mitreid_name }}.service"
- backup: yes
+ backup: true
+ mode: "0644"
register: mitreid_service
when: fedreg_agent_enable_mitreid
- become: yes
+ become: true
tags:
- agent
- service
+ notify: Reload systemd
- name: Create Keycloak deployer service file
- template:
+ ansible.builtin.template:
src: deployer_keycloak.service.j2
dest: "{{ fedreg_agent_services_path }}/{{ deployer_keycloak_name }}.service"
- backup: yes
+ backup: true
+ mode: "0644"
register: keycloak_service
when: fedreg_agent_enable_keycloak
- become: yes
+ become: true
tags:
- agent
- service
+ notify: Reload systemd
- name: Create SSP deployer service file
- template:
+ ansible.builtin.template:
src: deployer_ssp.service.j2
dest: "{{ fedreg_agent_services_path }}/{{ deployer_ssp_name }}.service"
- backup: yes
+ backup: true
+ mode: "0644"
register: ssp_service
when: fedreg_agent_enable_ssp
- become: yes
+ become: true
tags:
- agent
- service
-
-- name: Reload systemd
- command: systemctl daemon-reload
- when: mitreid_service.changed or ssp_service.changed or keycloak_service.changed
- become: yes
- tags:
- - agent
- - service
- - daemon-reload
+ notify: Reload systemd
- name: MitreId federation registry service enable
- service:
+ ansible.builtin.service:
name: '{{ deployer_mitreid_name }}'
- enabled: yes
+ enabled: true
state: restarted
when: fedreg_agent_enable_mitreid
- become: yes
+ become: true
tags:
- agent
- service
- service_enable
- name: Keycloak deployer service enable
- service:
+ ansible.builtin.service:
name: '{{ deployer_keycloak_name }}'
- enabled: yes
+ enabled: true
state: restarted
when: fedreg_agent_enable_keycloak
- become: yes
+ become: true
tags:
- agent
- service
- service_enable
- name: SSP federation registry service enable
- service:
+ ansible.builtin.service:
name: '{{ deployer_ssp_name }}'
- enabled: yes
+ enabled: true
state: restarted
when: fedreg_agent_enable_ssp
- become: yes
+ become: true
tags:
- agent
- service
diff --git a/roles/git/tasks/install-Debian.yml b/roles/git/tasks/install-Debian.yml
index fed08aa7..442bf7d4 100644
--- a/roles/git/tasks/install-Debian.yml
+++ b/roles/git/tasks/install-Debian.yml
@@ -1,9 +1,14 @@
---
-
+# git/tasks/install-Debian.yml
- name: Update package cache (Debian)
- apt: update_cache=yes cache_valid_time=86400
- become: yes
+ ansible.builtin.apt:
+ update_cache: true
+ cache_valid_time: 86400
+ become: true
- name: Ensure latest Git is installed (Debian)
- apt: name=git state=present install_recommends=no
- become: yes
+ ansible.builtin.apt:
+ name: git
+ state: present
+ install_recommends: false
+ become: true
diff --git a/roles/git/tasks/main.yml b/roles/git/tasks/main.yml
index e6daa2e5..c2640203 100644
--- a/roles/git/tasks/main.yml
+++ b/roles/git/tasks/main.yml
@@ -1,7 +1,7 @@
---
-
-# Install OS-specific packages
-- include: install-Debian.yml
+# git/tasks/main.yml
+- name: Install OS-specific packages
+ ansible.builtin.include_tasks: install-Debian.yml
when: ansible_os_family == 'Debian'
-#- include: install-CentOS.yml
-# when: ansible_os_family == 'CentOS'
+# - include: install-CentOS.yml
+# when: ansible_os_family == 'CentOS'
diff --git a/roles/jq/tasks/install-Debian.yml b/roles/jq/tasks/install-Debian.yml
index a9f22b4a..71887eb2 100644
--- a/roles/jq/tasks/install-Debian.yml
+++ b/roles/jq/tasks/install-Debian.yml
@@ -1,11 +1,15 @@
---
-
- name: Update package cache (Debian)
- apt: update_cache=yes cache_valid_time=86400
- become: yes
+ ansible.builtin.apt:
+ update_cache: true
+ cache_valid_time: 86400
+ become: true
- name: Ensure jq is installed (Debian)
- apt: name={{ item }} state=present install_recommends=no
+ ansible.builtin.apt:
+ name: "{{ item }}"
+ state: present
+ install_recommends: false
with_items:
- - jq
- become: yes
+ - jq # TODO - define in defaults
+ become: true
diff --git a/roles/jq/tasks/main.yml b/roles/jq/tasks/main.yml
index e6daa2e5..0755941b 100644
--- a/roles/jq/tasks/main.yml
+++ b/roles/jq/tasks/main.yml
@@ -1,7 +1,6 @@
---
-
-# Install OS-specific packages
-- include: install-Debian.yml
+- name: Install OS-specific packages
+ ansible.builtin.include_tasks: install-Debian.yml
when: ansible_os_family == 'Debian'
-#- include: install-CentOS.yml
+# - include: install-CentOS.yml
# when: ansible_os_family == 'CentOS'
diff --git a/roles/keycloak/defaults/main.yml b/roles/keycloak/defaults/main.yml
index 8623c77e..044761a8 100644
--- a/roles/keycloak/defaults/main.yml
+++ b/roles/keycloak/defaults/main.yml
@@ -1,5 +1,5 @@
---
-##in format X.Y.Z
+## in format X.Y.Z
## make sure the corresponding templates/X.Y.Z folder and vars/keycloak/X.Y.Z.yml exist
keycloak_version: "18.0.0"
@@ -8,12 +8,13 @@ keycloak_archive_url: "https://github.com/keycloak/keycloak/releases/download/{{
keycloak_service_user: "keycloak"
-# Extra run params used in the keycloak systemd service. Multiple `-D` params can be specified. E.g. uncomment the following to enable technology preview features
-#keycloak_extra_run_params: "-Dkeycloak.profile=preview"
+# Extra run params used in the keycloak systemd service.
+# Multiple `-D` params can be specified.
+# E.g. uncomment the following to enable technology preview features
+# keycloak_extra_run_params: "-Dkeycloak.profile=preview"
keycloak_base_url_path: "auth" # The base URL path for frontend and backend requests. Note that this cannot be empty.
-
keycloak_admin:
user: ""
pass: ""
@@ -38,15 +39,15 @@ keycloak_syslog_identifier: "keycloak"
keycloak_logs_folder: "/var/log/keycloak"
-keycloak_logs_max_days: 548 # that's ~18 months
+keycloak_logs_max_days: 548 # that's ~18 months
keycloak_log_level:
saml: INFO
keycloak_keystores: "/srv/keycloak-keys"
-# If the server should expose health check endpoints. Defaults to false
-keycloak_health_enabled: no
+# If the server should expose health check endpoints. Defaults to false
+keycloak_health_enabled: false
# Themes to apply to all realms defined under 'keycloak_config.realms'.
# You can override theme settings for specific realms by defining
@@ -54,11 +55,10 @@ keycloak_health_enabled: no
keycloak_themes:
login: "rciam"
account: "rciam"
- #email: "keycloak" # Uncomment and customise if necessary
-
+ # email: "keycloak" # Uncomment and customise if necessary
### plugins
### wayf plugin works ONLY with "stage" branch of keycloak (need to have commit fe055820980dbcb79d5aae2b4dce78b840b912b0)
-#keycloak_plugins:
+# keycloak_plugins:
# wayf:
# enabled: true
# name: "keycloak-theme-vanilla" #PLEASE, do not change this
@@ -106,7 +106,7 @@ keycloak_themes:
### Remaining configuration (enc keys, social IdPs, AUP config, SMTP config, etc)
### you can have more than one realms configured here (if it doesn't exist, it will be created). just copy the format of the master and add it in the list.
### also, you can just comment out any of the {key, aup, smtp} sub trees and let the remaining get configured
-#keycloak_config:
+# keycloak_config:
# realms:
# - name: master
# defaultIdPAlias: "" #setting this to an IdP's name, will skip the WAYF and redirect to that IdP
@@ -142,8 +142,11 @@ keycloak_themes:
# eventsExpiration: 47347200 # this is 548 days in seconds
# adminEventsDetailsEnabled: false
# adminEventsEnabled: true
-# eventsListeners: ["jboss-logging"] # optional. if you want you can override with the array with the desired ones. Add "metrics-communication" for metrics plugin
-# enabledEventTypes: ["UPDATE_CONSENT_ERROR", "SEND_RESET_PASSWORD", "GRANT_CONSENT",…] # optional. if you want you can override with the array with the desired ones
+# eventsListeners: ["jboss-logging"]
+# optional. if you want you can override with the array with the desired ones.
+# Add "metrics-communication" for metrics plugin
+# enabledEventTypes: ["UPDATE_CONSENT_ERROR", "SEND_RESET_PASSWORD", "GRANT_CONSENT",…]
+# optional. if you want you can override with the array with the desired ones
# client_registration_policies:
# create_update:
# - name: "Allowed Client Scopes"
@@ -189,11 +192,17 @@ keycloak_themes:
# - "manage-account-2fa"
# remove:
# - "view-profile"
-# # For key rotation: whenever you need to rotate keys, this should normally be done as follows:
-# # Step 1: You need to add new keypairs, so you need to have both the new and the previous keys (4 keypairs) active in the realm. So you rename the placeholders "current" keys (in vault and in this file) as "previous", and you add two new keypairs (sig and enc) which will get the "current" linking in the vault.
-# # Step 2: Transition period is over, so you just mark the "previous" keys as (enabled: false) and (active: false). This means that the keys exist in the realm, but they are never used.
-# # Step 3: Rotation day has come, so you need to add new keys, thus, perform step 1.
-# keys: ### if the (providerId,name) entry already exists in the realm, ansible updates it. If not, it creates the key. So, in any subsequent run, it updates all the config parameters of the key.
+# For key rotation: whenever you need to rotate keys, this should normally be done as follows:
+# Step 1: You need to add new keypairs, so you need to have both the new and the previous keys (4 keypairs) active in the realm.
+# So you rename the placeholders "current" keys (in vault and in this file) as "previous",
+# and you add two new keypairs (sig and enc) which will get the "current" linking in the vault.
+# Step 2: Transition period is over, so you just mark the "previous" keys as (enabled: false) and (active: false).
+# This means that the keys exist in the realm, but they are never used.
+# Step 3: Rotation day has come, so you need to add new keys, thus, perform step 1.
+# keys:
+### if the (providerId,name) entry already exists in the realm, ansible updates it.
+# If not, it creates the key.
+# So, in any subsequent run, it updates all the config parameters of the key.
# - name: "rsa-sig"
# providerId: "rsa" #DO NOT CHANGE THIS
# config:
@@ -722,7 +731,8 @@ keycloak_themes:
# disableUserInfo: "" #boolean
# hideOnLoginPage: "" #boolean
# promotedLoginbutton: "" #boolean
-# #Each entry of idp_mappers list is a IdentityProviderMapperRepresentation, see here: https://www.keycloak.org/docs-api/15.0/rest-api/index.html#_identityprovidermapperrepresentation
+# Each entry of idp_mappers list is a IdentityProviderMapperRepresentation,
+# see here: https://www.keycloak.org/docs-api/15.0/rest-api/index.html#_identityprovidermapperrepresentation
# idp_mappers:
# - name:
# identityProviderAlias:
diff --git a/roles/keycloak/handlers/main.yml b/roles/keycloak/handlers/main.yml
index dd80e343..6fe04eee 100644
--- a/roles/keycloak/handlers/main.yml
+++ b/roles/keycloak/handlers/main.yml
@@ -1,32 +1,31 @@
---
-
- name: Start keycloak
- systemd:
+ ansible.builtin.systemd:
name: keycloak
state: started
- become: yes
+ become: true
- name: Stop keycloak
- systemd:
+ ansible.builtin.systemd:
name: keycloak
state: stopped
- become: yes
+ become: true
- name: Restart keycloak
- systemd:
+ ansible.builtin.systemd:
name: keycloak
state: restarted
- become: yes
+ become: true
- name: Reload keycloak
- systemd:
+ ansible.builtin.systemd:
name: keycloak
state: restarted
- daemon_reload: yes
- become: yes
+ daemon_reload: true
+ become: true
- name: Clear Keycloak cache
ansible.builtin.file:
path: "{{ keycloak_home }}/data/tmp/"
state: absent
- become: yes
\ No newline at end of file
+ become: true
diff --git a/roles/keycloak/tasks/blocks/client_registration_policies/create_update_client_reg_policy.yml b/roles/keycloak/tasks/blocks/client_registration_policies/create_update_client_reg_policy.yml
index 13975e52..aafd4aa7 100644
--- a/roles/keycloak/tasks/blocks/client_registration_policies/create_update_client_reg_policy.yml
+++ b/roles/keycloak/tasks/blocks/client_registration_policies/create_update_client_reg_policy.yml
@@ -4,27 +4,50 @@
# current_cli_reg_pol = the current client registration policy (loop item) of the config
# found_cli_reg_pols = all the found client registration policies found on the server for the current_realm
-- set_fact:
+- name: Set reg pool match fact
+ ansible.builtin.set_fact:
cli_reg_pol_match: "{{ found_cli_reg_pols | json_query(query) | first | default({}) }}"
vars:
- query: '[? (name == `{{ current_cli_reg_pol.name }}` && providerId == `{{ current_cli_reg_pol.providerId }}` && subType == `{{ current_cli_reg_pol.subType }}`) ]'
+ query: >-
+ '[? (name == `{{ current_cli_reg_pol.name }}` &&
+ providerId == `{{ current_cli_reg_pol.providerId }}` &&
+ subType == `{{ current_cli_reg_pol.subType }}`)
+ ]'
-- set_fact:
+- name: Set reg pool found fact
+ ansible.builtin.set_fact:
cli_reg_pol_isfound: "{{ lookup('dict', cli_reg_pol_match) | length > 0 }}"
-- name: "{% if cli_reg_pol_isfound %} Update {% else %} Create {% endif %}client registration policy {{ current_cli_reg_pol.name }} on realm {{ current_realm.name }}"
- uri:
- url: "{{ keycloak_proxy_host }}/admin/realms/{{ current_realm.name }}/components{% if cli_reg_pol_isfound %}/{{ cli_reg_pol_match.id }}{% endif %}"
- method: "{% if cli_reg_pol_isfound %}PUT{% else %}POST{% endif %}"
+# This task is very difficult to understand and maintain.
+# Propose specific tasks based on the cli_reg_pol_isfound variable
+- name: "Update client registration policy {{ current_cli_reg_pol.name }} on realm {{ current_realm.name }}" # noqa name[template]
+ ansible.builtin.uri:
+ url: "{{ keycloak_proxy_host }}/admin/realms/{{ current_realm.name }}/components/{{ cli_reg_pol_match.id }}"
+ method: PUT
body_format: json
headers:
Authorization: "Bearer {{ tokens.json.access_token }}"
- body: # if found a match, fuse the existing with the match and overwrite (care, need to append the provided configuration on the existing/found one... not the opposite)
- "{%if cli_reg_pol_isfound %}{{ cli_reg_pol_match | combine(current_cli_reg_pol , recursive=True ) }}{% else %}{{ current_cli_reg_pol | combine(realm_parentId , recursive=True ) }}{% endif %}"
- status_code: "{% if cli_reg_pol_isfound %}204{% else %}201{% endif %}"
+ # if found a match, fuse the existing with the match and overwrite
+ # (care, need to append the provided configuration on the existing/found one... not the opposite)
+ body: "{{ cli_reg_pol_match | combine(current_cli_reg_pol, recursive=True) }}"
+ status_code: 204
vars:
- realm_parentId:
- parentId: "{{ current_realm.name }}"
-
-
+ realm_parentId: # noqa var-naming[pattern]
+ parentId: "{{ current_realm.name }}" # noqa var-naming[pattern]
+ when: cli_reg_pol_isfound
+- name: "Create client registration policy {{ current_cli_reg_pol.name }} on realm {{ current_realm.name }}" # noqa name[template]
+ ansible.builtin.uri:
+ url: "{{ keycloak_proxy_host }}/admin/realms/{{ current_realm.name }}/components"
+ method: POST
+ body_format: json
+ headers:
+ Authorization: "Bearer {{ tokens.json.access_token }}"
+ # if found a match, fuse the existing with the match and overwrite
+ # (care, need to append the provided configuration on the existing/found one... not the opposite)
+ body: "{{ current_cli_reg_pol | combine(realm_parentId, recursive=True) }}"
+ status_code: 201
+ vars:
+ realm_parentId: # noqa var-naming[pattern]
+ parentId: "{{ current_realm.name }}" # noqa var-naming[pattern]
+ when: not cli_reg_pol_isfound
diff --git a/roles/keycloak/tasks/blocks/client_registration_policies/delete_client_reg_policy.yml b/roles/keycloak/tasks/blocks/client_registration_policies/delete_client_reg_policy.yml
index ab8737a5..db1971df 100644
--- a/roles/keycloak/tasks/blocks/client_registration_policies/delete_client_reg_policy.yml
+++ b/roles/keycloak/tasks/blocks/client_registration_policies/delete_client_reg_policy.yml
@@ -3,23 +3,27 @@
# current_realm = the current realm (loop item) of the config
# del_cli_reg_policy = the current client registration policy (loop item) of the config
# found_cli_reg_pols = all the found client registration policies found on the server for the current_realm
-
-
-- set_fact:
+- name: Set cli_reg_pol_match fact
+ ansible.builtin.set_fact:
cli_reg_pol_match: "{{ found_cli_reg_pols | json_query(query) | first | default({}) }}"
vars:
- query: '[? (name == `{{ del_cli_reg_policy.name }}` && providerId == `{{ del_cli_reg_policy.providerId }}` && subType == `{{ del_cli_reg_policy.subType }}`) ]'
+ query: >-
+ '[?
+ (name == `{{ del_cli_reg_policy.name }}` &&
+ providerId == `{{ del_cli_reg_policy.providerId }}` &&
+ subType == `{{ del_cli_reg_policy.subType }}`) ]'
-- set_fact:
+- name: Set cli_reg_pol_isfound fact
+ ansible.builtin.set_fact:
cli_reg_pol_isfound: "{{ lookup('dict', cli_reg_pol_match) | length > 0 }}"
-- name: "Delete client registration policy {{ del_cli_reg_policy.name }} with type {{ del_cli_reg_policy.subtype }} of realm {{ current_realm.name }}"
- uri:
+- name: Delete client registration policy
+ # {{ del_cli_reg_policy.name }} with type {{ del_cli_reg_policy.subtype }} of realm {{ current_realm.name }}"
+ ansible.builtin.uri:
url: "{{ keycloak_proxy_host }}/admin/realms/{{ current_realm.name }}/components/{{ cli_reg_pol_match.id }}"
- method: "DELETE"
+ method: DELETE
body_format: json
headers:
Authorization: "Bearer {{ tokens.json.access_token }}"
- status_code: "204"
+ status_code: 204
when: cli_reg_pol_isfound
-
diff --git a/roles/keycloak/tasks/blocks/configure_basic_realm.yml b/roles/keycloak/tasks/blocks/configure_basic_realm.yml
index dcfda8e5..b7dd7898 100644
--- a/roles/keycloak/tasks/blocks/configure_basic_realm.yml
+++ b/roles/keycloak/tasks/blocks/configure_basic_realm.yml
@@ -1,10 +1,9 @@
---
-
- name: Acquire tokens
- include_tasks: blocks/helpers/get_tokens.yml
+ ansible.builtin.include_tasks: blocks/helpers/get_tokens.yml
-- name: "Check if realm {{ current_realm_item.name }} already exists"
- uri:
+- name: "Check if realm already exists: {{ current_realm_item.name }}"
+ ansible.builtin.uri:
url: "{{ keycloak_proxy_host }}/admin/realms/{{ current_realm_item.name }}"
method: GET
headers:
@@ -12,11 +11,12 @@
status_code: [200, 404]
register: "current_realm_search_result"
-- set_fact:
+- name: Set current_realm_exists fact
+ ansible.builtin.set_fact:
current_realm_exists: "{% if current_realm_search_result.status == 200 %}true{% else %}false{% endif %}"
- name: "Initialize realm '{{ current_realm_item.name }}'"
- uri:
+ ansible.builtin.uri:
url: "{{ keycloak_proxy_host }}/admin/realms"
method: POST
body_format: json
@@ -27,11 +27,10 @@
id: "{{ current_realm_item.name }}"
realm: "{{ current_realm_item.name }}"
status_code: 201
- when: current_realm_exists == false
-
+ when: not current_realm_exists
-- name: "Get realm {{ current_realm_item.name }} config"
- uri:
+- name: "Get realm config: {{ current_realm_item.name }}"
+ ansible.builtin.uri:
url: "{{ keycloak_proxy_host }}/admin/realms/{{ current_realm_item.name }}"
method: GET
headers:
@@ -40,15 +39,14 @@
register: "current_realm_search_result"
-#at this point, we have a realm, either a created or an existing, loaded into the current_realm_search_result variable
-
-- name: "Fuse realm '{{ current_realm_item.name }}' configurations (existing and ansible's)"
- set_fact:
- realm_config_to_set: "{{ current_realm_search_result.json | combine(current_realm_item.config | default({}) , recursive=True ) }}"
+# at this point, we have a realm, either a created or an existing, loaded into the current_realm_search_result variable
+- name: "Fuse realm configurations (existing and ansible's): '{{ current_realm_item.name }}'"
+ ansible.builtin.set_fact:
+ realm_config_to_set: "{{ current_realm_search_result.json | combine(current_realm_item.config | default({}), recursive=True) }}"
-#now HTTP PUT the information (either the fused or the ansible's original config) to the realm's REST API
+# now HTTP PUT the information (either the fused or the ansible's original config) to the realm's REST API
- name: "Update realm {{ current_realm_item.name }}"
- uri:
+ ansible.builtin.uri:
url: "{{ keycloak_proxy_host }}/admin/realms/{{ current_realm_item.name }}"
method: "PUT"
body_format: json
@@ -57,6 +55,3 @@
body:
"{{ realm_config_to_set }}"
status_code: "204"
-
-
-
diff --git a/roles/keycloak/tasks/blocks/configure_client_reg_policies.yml b/roles/keycloak/tasks/blocks/configure_client_reg_policies.yml
index 65e10da8..a0752629 100644
--- a/roles/keycloak/tasks/blocks/configure_client_reg_policies.yml
+++ b/roles/keycloak/tasks/blocks/configure_client_reg_policies.yml
@@ -3,30 +3,31 @@
# current_realm = the current realm (loop item) of the config
- name: Acquire tokens
- include_tasks: blocks/helpers/get_tokens.yml
+ ansible.builtin.include_tasks: blocks/helpers/get_tokens.yml
- name: "Get all existing client registration policies of realm {{ current_realm.name }}"
- uri:
- url: "{{ keycloak_proxy_host }}/admin/realms/{{ current_realm.name }}/components?type=org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy"
+ ansible.builtin.uri:
+ url: "{{ keycloak_proxy_host }}/admin/realms/{{ current_realm.name }}/components?type=org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy" # noqa yaml[line-length]
method: GET
headers:
Authorization: "Bearer {{ tokens.json.access_token }}"
status_code: [200]
register: "found_cli_reg_pols"
-- set_fact:
+- name: Set found_cli_reg_pols fact
+ ansible.builtin.set_fact:
found_cli_reg_pols: "{{ found_cli_reg_pols.json | default([]) }}"
-- include_tasks: blocks/client_registration_policies/create_update_client_reg_policy.yml
+- name: Include create update client tasks
+ ansible.builtin.include_tasks: blocks/client_registration_policies/create_update_client_reg_policy.yml
with_items: "{{ current_realm.client_registration_policies.create_update | default([]) }}"
loop_control:
loop_var: current_cli_reg_pol
run_once: true
-- include_tasks: blocks/client_registration_policies/delete_client_reg_policy.yml
+- name: Include client registration tasks
+ ansible.builtin.include_tasks: blocks/client_registration_policies/delete_client_reg_policy.yml
with_items: "{{ current_realm.client_registration_policies.delete | default([]) }}"
loop_control:
loop_var: del_cli_reg_policy
run_once: true
-
-
diff --git a/roles/keycloak/tasks/blocks/configure_client_scope_mappers.yml b/roles/keycloak/tasks/blocks/configure_client_scope_mappers.yml
index 5ebfcf65..a70e6210 100644
--- a/roles/keycloak/tasks/blocks/configure_client_scope_mappers.yml
+++ b/roles/keycloak/tasks/blocks/configure_client_scope_mappers.yml
@@ -2,31 +2,52 @@
# item[0] -> whole realm config (ansible variable)
# item[1] -> current client_scope config (loop's item of ansible realm's client_scopes[] config)
# mapper -> the current mapper config (loop item of item[1].mappers[] above)
-# client_scope_matches -> if the current client_scope of the configuration is found in keycloak, it return a single-element array with a trimmed object client_scope.{id,name, protocolMappers} instance)
+# client_scope_matches -> if the current client_scope of the configuration is found in keycloak,
+# it return a single-element array with a trimmed object client_scope.{id,name, protocolMappers} instance)
-- set_fact:
+- name: Set mapper matches
+ ansible.builtin.set_fact:
mapper_matches: "{{ client_scope_matches[0].protocolMappers | json_query(query) | default([]) }}"
vars:
query: '[?name == `{{ mapper.name }}` ].{id: id, name: name }'
-- set_fact:
- mapper_exists: "{{mapper_matches | length > 0 }}"
+- name: Set existgs fact
+ ansible.builtin.set_fact:
+ mapper_exists: "{{ mapper_matches | length > 0 }}"
-- set_fact:
+- name: Set additional info fact
+ ansible.builtin.set_fact:
additional_info:
- id: "{{mapper_matches[0].id}}"
+ id: "{{ mapper_matches[0].id }}"
when: mapper_exists
-- set_fact:
- body: "{% if mapper_exists %}{{ mapper | combine(additional_info , recursive=True ) }}{% else %}{{ mapper }}{% endif %}"
+- name: Set body fact
+ ansible.builtin.set_fact:
+ body: |-
+ "{% if mapper_exists %}
+ {{ mapper | combine(additional_info, recursive=True) }}
+ {% else %}
+ {{ mapper }}
+ {% endif %}"
+ # body: "mapper_exists | ternary(mapper | combine(additional_info , recursive=True), mapper)"
+- name: "Update client scope mapper {{ mapper.name }}"
+ ansible.builtin.uri:
+ url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/client-scopes/{{ client_scope_matches[0].id }}/protocol-mappers/models/{{ body.id }}" # noqa yaml[line-length]
+ method: PUT
+ body_format: json
+ headers:
+ Authorization: "Bearer {{ tokens.json.access_token }}"
+ body: "{{ body }}"
+ status_code: 204
+ when: mapper_exists | bool
-- name: "{% if mapper_exists %} Update {% else %} Create {% endif %} client scope mapper {{ mapper.name }}"
- uri:
- url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/client-scopes/{{ client_scope_matches[0].id }}/protocol-mappers/models{% if mapper_exists %}/{{body.id}}{% endif %}"
- method: "{% if mapper_exists %}PUT{% else %}POST{% endif %}"
+- name: "Create client scope mapper {{ mapper.name }}"
+ ansible.builtin.uri:
+ url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/client-scopes/{{ client_scope_matches[0].id }}/protocol-mappers/models" # noqa yaml[line-length]
+ method: POST
body_format: json
headers:
Authorization: "Bearer {{ tokens.json.access_token }}"
- body:
- "{{ body }}"
- status_code: "{% if mapper_exists %}204{% else %}201{% endif %}"
+ body: "{{ body }}"
+ status_code: 201
+ when: (not mapper_exists) | bool
diff --git a/roles/keycloak/tasks/blocks/configure_client_scopes.yml b/roles/keycloak/tasks/blocks/configure_client_scopes.yml
index 2aebd65a..bca6ca0a 100644
--- a/roles/keycloak/tasks/blocks/configure_client_scopes.yml
+++ b/roles/keycloak/tasks/blocks/configure_client_scopes.yml
@@ -1,82 +1,100 @@
---
- name: Acquire tokens
- include_tasks: blocks/helpers/get_tokens.yml
+ ansible.builtin.include_tasks: blocks/helpers/get_tokens.yml
-- name: "Get current client scopes of realm: {{item[0].name}}"
- include_tasks: blocks/helpers/get_client_scopes_list.yml
+- name: "Get current client scopes of realm: {{ item[0].name }}"
+ ansible.builtin.include_tasks: blocks/helpers/get_client_scopes_list.yml
-- set_fact:
- client_scope_exists: "{{client_scope_matches | length > 0 }}"
+- name: Set fact
+ ansible.builtin.set_fact:
+ client_scope_exists: "{{ client_scope_matches | length > 0 }}"
-- set_fact:
+- name: Set fact
+ ansible.builtin.set_fact:
additional_info:
- id: "{{client_scope_matches[0].id}}"
+ id: "{{ client_scope_matches[0].id }}"
when: client_scope_exists
-- set_fact:
- body: "{{ item[1] | combine(additional_info , recursive=True ) }}"
+- name: Set fact
+ ansible.builtin.set_fact:
+ body: "{{ item[1] | combine(additional_info, recursive=True) }}"
when: client_scope_exists
-- set_fact:
+- name: Set fact
+ ansible.builtin.set_fact:
body: "{{ item[1] }}"
when: not client_scope_exists
-- set_fact: # remove the 'mappers' field from the body (if it exists)
- body: '{{ body | dict2items | rejectattr("key", "equalto", "mappers") | list | items2dict }}'
+- name: Remove the 'mappers' field from the body (if it exists)
+ ansible.builtin.set_fact:
+ body: '{{ body | dict2items | rejectattr("key", "equalto", "mappers") | list | items2dict }}'
-- set_fact: # remove the 'set_as' field from the body (if it exists)
- body: '{{ body | dict2items | rejectattr("key", "equalto", "set_as") | list | items2dict }}'
+- name: Remove the 'set_as' field from the body (if it exists)
+ ansible.builtin.set_fact:
+ body: '{{ body | dict2items | rejectattr("key", "equalto", "set_as") | list | items2dict }}'
-- name: "{% if client_scope_exists %}Update{% else %}Add{% endif %} client scope: {{ item[1].name }} in realm: {{item[0].name}}"
- uri:
- url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/client-scopes{% if client_scope_exists %}/{{body.id}}{% endif %}"
- method: "{% if client_scope_exists %}PUT{% else %}POST{% endif %}"
+- name: "Update client scope: {{ item[1].name }} in realm: {{ item[0].name }}" # noqa name[template]
+ ansible.builtin.uri:
+ url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/client-scopes/{{ body.id }}"
+ method: "PUT"
body_format: json
headers:
Authorization: "Bearer {{ tokens.json.access_token }}"
- body:
- "{{ body }}"
- status_code: "{% if client_scope_exists %}204{% else %}201{% endif %}"
+ body: "{{ body }}"
+ status_code: 204
+ when: client_scope_exists | bool
-- name: "Get again the client_scopes if there was a newly created just before of realm: {{item[0].name}}"
- include_tasks: blocks/helpers/get_client_scopes_list.yml
+- name: "Add client scope: {{ item[1].name }} in realm: {{ item[0].name }}" # noqa name[template]
+ ansible.builtin.uri:
+ url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/client-scopes"
+ method: POST
+ body_format: json
+ headers:
+ Authorization: "Bearer {{ tokens.json.access_token }}"
+ body: "{{ body }}"
+ status_code: 201
+ when: (not client_scope_exists) | bool
+
+- name: "Get again the client_scopes if there was a newly created just before of realm: {{ item[0].name }}"
+ ansible.builtin.include_tasks: blocks/helpers/get_client_scopes_list.yml
when: not client_scope_exists
- name: "Clear from all the default client scopes list (if applicable)"
- uri:
+ ansible.builtin.uri:
url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/default-{{ client_scope_mode }}-client-scopes/{{ client_scope_matches[0].id }}"
method: "DELETE"
headers:
Authorization: "Bearer {{ tokens.json.access_token }}"
- status_code: "204"
+ status_code: 204
with_items:
- optional
- default
loop_control:
loop_var: client_scope_mode
- ignore_errors: yes
+ ignore_errors: true # noqa ignore-errors
# set default or optional (if defined)
- name: "Configuring default/optional client-scope as '{{ item[1].set_as }}'"
- uri:
+ ansible.builtin.uri:
url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/default-{{ item[1].set_as }}-client-scopes/{{ client_scope_matches[0].id }}"
- method: "PUT"
+ method: PUT
body_format: json
headers:
Authorization: "Bearer {{ tokens.json.access_token }}"
body:
- { realm: "{{ item[0].name }}", clientScopeId: "{{ client_scope_matches[0].id }}" }
- status_code: "204"
+ realm: "{{ item[0].name }}"
+ clientScopeId: "{{ client_scope_matches[0].id }}"
+ status_code: 204
when: not item[1].set_as is undefined
# now update its mappers
-- name: "Setup mappers of the client scope {{ item[1].name }} of the realm: {{item[0].name}}"
- include_tasks: blocks/configure_client_scope_mappers.yml
+- name: "Setup mappers of the client scope {{ item[1].name }} of the realm: {{ item[0].name }}" # noqa name[template]
+ ansible.builtin.include_tasks: blocks/configure_client_scope_mappers.yml
with_items: "{{ item[1].mappers | default([]) }}"
loop_control:
loop_var: mapper
run_once: true
- when: "item[1].mappers | default([]) | length > 0"
+ when: item[1].mappers | default([]) | length > 0
diff --git a/roles/keycloak/tasks/blocks/configure_default_idp.yml b/roles/keycloak/tasks/blocks/configure_default_idp.yml
index 350214f2..fade4fb7 100644
--- a/roles/keycloak/tasks/blocks/configure_default_idp.yml
+++ b/roles/keycloak/tasks/blocks/configure_default_idp.yml
@@ -1,36 +1,37 @@
---
-
-- block:
-
+- name: Tasks
+ when: (current_realm.defaultIdPAlias is defined) and (current_realm.defaultIdPAlias | length > 0)
+ block:
- name: Acquire tokens
- include_tasks: blocks/helpers/get_tokens.yml
-
- - name: "Get all executions of the 'browser' authentication flow of the realm {{ current_realm.name }}"
+ ansible.builtin.include_tasks: blocks/helpers/get_tokens.yml
+ - ansible.builtin.name: "Get all executions of the 'browser' authentication flow of the realm {{ current_realm.name }}"
uri:
url: "{{ keycloak_proxy_host }}/admin/realms/{{ current_realm.name }}/authentication/flows/browser/executions"
method: GET
headers:
Authorization: "Bearer {{ tokens.json.access_token }}"
status_code: 200
- register: "current_realm_browser_executions"
+ register: current_realm_browser_executions
- - set_fact:
+ - name: Set Fact
+ ansible.builtin.set_fact:
idp_redirector_matches: "{{ current_realm_browser_executions.json | json_query(query) | default([]) }}"
vars:
query: '[?providerId == `identity-provider-redirector` ]'
- - set_fact:
+ - name: Set fact
+ ansible.builtin.set_fact:
idp_redirector_id: "{{ idp_redirector_matches[0].id }}"
when: idp_redirector_matches | length > 0
- - set_fact:
+ - name: Set Fact
+ ansible.builtin.set_fact:
idp_redirector_config_id: "{{ idp_redirector_matches[0].authenticationConfig }}"
when: idp_redirector_id is defined and idp_redirector_matches[0].authenticationConfig is defined
-
# if idp_redirector_config_id is defined, it's an update, else it is a new one
- - name: "Updating default IdP redirector for the realm {{ current_realm.name }} to the IdP {{ current_realm.defaultIdPAlias }}"
- uri:
+ - name: "Updating default IdP redirector for the realm {{ current_realm.name }} to the IdP {{ current_realm.defaultIdPAlias }}" # noqa name[template]
+ ansible.builtin.uri:
url: "{{ keycloak_proxy_host }}/admin/realms/{{ current_realm.name }}/authentication/config/{{ idp_redirector_config_id }}"
method: PUT
body_format: json
@@ -38,24 +39,22 @@
Authorization: "Bearer {{ tokens.json.access_token }}"
body:
id: "{{ idp_redirector_config_id }}"
- alias: "idp-redirector"
+ alias: idp-redirector
config:
defaultProvider: "{{ current_realm.defaultIdPAlias }}"
status_code: 204
when: idp_redirector_id is defined and idp_redirector_config_id is defined
- - name: "Setting the IdP {{ current_realm.defaultIdPAlias }} as default IdP redirector for the realm {{ current_realm.name }}"
- uri:
+ - name: "Setting the IdP {{ current_realm.defaultIdPAlias }} as default IdP redirector for the realm {{ current_realm.name }}" # noqa name[template]
+ ansible.builtin.uri:
url: "{{ keycloak_proxy_host }}/admin/realms/{{ current_realm.name }}/authentication/executions/{{ idp_redirector_id }}/config"
method: POST
body_format: json
headers:
Authorization: "Bearer {{ tokens.json.access_token }}"
body:
- alias: "idp-redirector"
+ alias: idp-redirector
config:
defaultProvider: "{{ current_realm.defaultIdPAlias }}"
status_code: 201
when: idp_redirector_id is defined and idp_redirector_config_id is undefined
-
- when: (current_realm.defaultIdPAlias is defined) and (current_realm.defaultIdPAlias | length > 0)
diff --git a/roles/keycloak/tasks/blocks/configure_event_logging.yml b/roles/keycloak/tasks/blocks/configure_event_logging.yml
index c521ab24..7484c81c 100644
--- a/roles/keycloak/tasks/blocks/configure_event_logging.yml
+++ b/roles/keycloak/tasks/blocks/configure_event_logging.yml
@@ -1,32 +1,32 @@
---
# current_realm_item: is the current realm of the looping of the realms in the configuration
-- block:
-
- - name: Acquire tokens
- include_tasks: blocks/helpers/get_tokens.yml
-
- - name: "Get current event logging configuration of realm: {{ current_realm_item.name }}"
- uri:
- url: "{{ keycloak_proxy_host }}/admin/realms/{{ current_realm_item.name }}/events/config"
- method: "GET"
- headers:
- Authorization: "Bearer {{ tokens.json.access_token }}"
- status_code: "200"
- register: current_events_logging
-
- - set_fact:
- new_events_logging: "{{ current_events_logging.json | combine(current_realm_item.events_logging , recursive=True ) }}"
+# Unnecessary block - use then when in the include_tasks task.``
+- name: Tasks
+ when: current_realm_item.events_logging is defined
+ block:
+ - name: Acquire tokens
+ ansible.builtin.include_tasks: blocks/helpers/get_tokens.yml
- - name: "Update event logging configuration of realm: {{ current_realm_item.name }}"
- uri:
- url: "{{ keycloak_proxy_host }}/admin/realms/{{ current_realm_item.name }}/events/config"
- method: "PUT"
- body_format: json
- body:
- "{{ new_events_logging }}"
- headers:
- Authorization: "Bearer {{ tokens.json.access_token }}"
- status_code: "204"
+ - name: "Get current event logging configuration of realm: {{ current_realm_item.name }}"
+ ansible.builtin.uri:
+ url: "{{ keycloak_proxy_host }}/admin/realms/{{ current_realm_item.name }}/events/config"
+ method: GET
+ headers:
+ Authorization: "Bearer {{ tokens.json.access_token }}"
+ status_code: 200
+ register: current_events_logging
- when: current_realm_item.events_logging is defined
+ - name: Set Fact
+ ansible.builtin.set_fact:
+ new_events_logging: "{{ current_events_logging.json | combine(current_realm_item.events_logging, recursive=True) }}"
+ - name: "Update event logging configuration of realm: {{ current_realm_item.name }}"
+ ansible.builtin.uri:
+ url: "{{ keycloak_proxy_host }}/admin/realms/{{ current_realm_item.name }}/events/config"
+ method: PUT
+ body_format: json
+ body:
+ "{{ new_events_logging }}"
+ headers:
+ Authorization: "Bearer {{ tokens.json.access_token }}"
+ status_code: 204
diff --git a/roles/keycloak/tasks/blocks/configure_federation_mapper.yml b/roles/keycloak/tasks/blocks/configure_federation_mapper.yml
index 8c2249f3..8fa69765 100644
--- a/roles/keycloak/tasks/blocks/configure_federation_mapper.yml
+++ b/roles/keycloak/tasks/blocks/configure_federation_mapper.yml
@@ -2,45 +2,61 @@
# item[0] -> whole realm config (ansible variable)
# item[1] -> current federation config (loop's item of ansible realm's federation config)
# federation_exists -> boolean flag (it's always true in this file)
-# realm_federation_matches -> it's always a single element array (since federation_exists==true) with: [{"alias": "federation_alias", "internalId": "federation_internalId" }]
+# realm_federation_matches -> it's always a single element array
+# (since federation_exists==true) with: [{"alias": "federation_alias", "internalId": "federation_internalId" }]
# existing_mappers_name_id -> contains the current federation mappers id,name pairs i.e. [{id:"mapper_id", name:"mapper_name"}, ...]
-# mapper -> contains the new mapper json (from ansible config vars) i.e. {"config":{},"identityProviderMapper":"hardcoded-attribute-idp-mapper","name":"test_mapper2"}
+# mapper -> contains the new mapper json (from ansible config vars)
+# i.e. {"config":{},"identityProviderMapper":"hardcoded-attribute-idp-mapper","name":"test_mapper2"}
-- set_fact:
+- name: Set mapper matches fact
+ ansible.builtin.set_fact:
mapper_matches: "{{ existing_mappers_name_id | json_query(query) | default([]) }}"
vars:
- query: '[?name == `{{ mapper.name }}` ].{id: id, name: name }'
+ query: '[?name == `{{ mapper.name }}`].{id: id, name: name}'
+- name: Set mapper exists fact
+ ansible.builtin.set_fact:
+ mapper_exists: "{{ mapper_matches | length > 0 | bool }}"
-- set_fact:
- mapper_exists: "{{ mapper_matches | length > 0 }}"
-
-- set_fact:
+- name: Set additional info fact
+ ansible.builtin.set_fact:
additional_info:
id: "{{ mapper_matches[0].id }}"
when: mapper_exists
-- set_fact:
- body: "{% if mapper_exists %}{{ mapper | combine(additional_info , recursive=True ) }}{% else %}{{ mapper }}{% endif %}"
+# Merge this set fact with the previous one.
+- name: Set body fact
+ ansible.builtin.set_fact:
+ body: "{% if mapper_exists %}{{ mapper | combine(additional_info, recursive=True) }}{% else %}{{ mapper }}{% endif %}"
+- name: "Updatefederation mapper {{ mapper.name }}"
+ ansible.builtin.uri:
+ url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/{{ keycloak_federation.saml.api_path }}/instances/{{ realm_federation_matches[0].internalId }}/mappers/{{ body.id }}" # noqa yaml[line-length]
+ method: PUT
+ body_format: json
+ headers:
+ Authorization: "Bearer {{ tokens.json.access_token }}"
+ body: "{{ body }}"
+ status_code: 204
+ when: mapper_exists | bool
-- name: "{% if mapper_exists %} Update {% else %} Create {% endif %} federation mapper {{ mapper.name }}"
- uri:
- url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/{{ keycloak_federation.saml.api_path }}/instances/{{ realm_federation_matches[0].internalId }}/mappers{% if mapper_exists %}/{{ body.id }}{% endif %}"
- method: "{% if mapper_exists %}PUT{% else %}POST{% endif %}"
+- name: "Create federation mapper {{ mapper.name }}"
+ ansible.builtin.uri:
+ url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/{{ keycloak_federation.saml.api_path }}/instances/{{ realm_federation_matches[0].internalId }}/mappers" # noqa yaml[line-length]
+ method: POST
body_format: json
headers:
Authorization: "Bearer {{ tokens.json.access_token }}"
- body:
- "{{ body }}"
- status_code: "{% if mapper_exists %}204{% else %}201{% endif %}"
+ body: "{{ body }}"
+ status_code: 201
+ when: not (mapper_exists | bool)
# this is meant to run after a successful first deployment of the federations and the mappers (that's why the "when: mapper_exists")
# You should execute it only when you are sure that the federation(s) are fully populated
- name: Apply mappers (propagate) to federation IdP(s)
- uri:
- url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/{{ keycloak_federation.saml.api_path }}/instances/{{ realm_federation_matches[0].internalId }}/mappers/{{ body.id }}/idp/add"
+ ansible.builtin.uri:
+ url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/{{ keycloak_federation.saml.api_path }}/instances/{{ realm_federation_matches[0].internalId }}/mappers/{{ body.id }}/idp/add" # noqa yaml[line-length]
method: POST
headers:
Authorization: "Bearer {{ tokens.json.access_token }}"
diff --git a/roles/keycloak/tasks/blocks/configure_federations.yml b/roles/keycloak/tasks/blocks/configure_federations.yml
index edf0948b..20f1baf2 100644
--- a/roles/keycloak/tasks/blocks/configure_federations.yml
+++ b/roles/keycloak/tasks/blocks/configure_federations.yml
@@ -1,63 +1,64 @@
---
- name: Acquire tokens
- include_tasks: blocks/helpers/get_tokens.yml
+ ansible.builtin.include_tasks: blocks/helpers/get_tokens.yml
-- name: "Initiating federation search in keycloak"
- include_tasks: blocks/helpers/search_realm_federations.yml
+- name: Initiating federation search in keycloak
+ ansible.builtin.include_tasks: blocks/helpers/search_realm_federations.yml
-- set_fact:
+- name: Check if federation exists
+ ansible.builtin.set_fact:
federation_exists: "{{ realm_federation_matches | length > 0 }}"
-- set_fact:
+- name: Set additional info
+ ansible.builtin.set_fact:
additional_info:
internalId: "{{ realm_federation_matches[0].internalId }}"
when: federation_exists
-- set_fact:
- body: "{% if federation_exists %}{{ item[1] | combine(additional_info , recursive=True ) }}{% else %}{{ item[1] }}{% endif %}"
-
-- set_fact: # remove the 'mappers' field from the body (if it exists)
+- name: Set body fact
+ ansible.builtin.set_fact:
+ # body: "{% if federation_exists %}{{ item[1] | combine(additional_info, recursive=True) }}{% else %}{{ item[1] }}{% endif %}"
+ body: "{{ federation_exists | ternary((item[1] | combine(additional_info, recursive=True)), item[1]) }}"
+- name: Remove the 'mappers' field from the body (if it exists)
+ ansible.builtin.set_fact:
body: '{{ body | dict2items | rejectattr("key", "equalto", "mappers") | list | items2dict }}'
- name: "Configuring federation {{ item[1].alias }}"
- uri:
+ ansible.builtin.uri:
url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/{{ keycloak_federation.saml.api_path }}/instances"
method: POST
body_format: json
headers:
Authorization: "Bearer {{ tokens.json.access_token }}"
- body:
- "{{ body }}"
+ body: "{{ body }}"
status_code: 201
- #get once more the federation_matches. now federation_matches should contain exactly one object in the list with the internalId and alias of the current federation
-- name: "Initiating federation search in keycloak"
- include_tasks: blocks/helpers/search_realm_federations.yml
+# get once more the federation_matches.
+# now federation_matches should contain exactly one object in the list with the internalId and alias of the current federation
+- name: Initiating federation search in keycloak
+ ansible.builtin.include_tasks: blocks/helpers/search_realm_federations.yml
-- name: "Configuring mappers of the federation {{ item[1].alias }} of the realm: {{ item[0].name }}"
+- name: "Configuring mappers of the federation {{ item[1].alias }} of the realm: {{ item[0].name }}" # noqa name[template]
+ when: (realm_federation_matches | length) > 0
block:
-
- - name: "Get list of federation {{ item[1].alias }} mappers"
- uri:
- url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/{{ keycloak_federation.saml.api_path }}/instances/{{ realm_federation_matches[0].internalId }}/mappers"
+ - name: "Get list of federation {{ item[1].alias }} mappers" # noqa name[template]
+ ansible.builtin.uri:
+ url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/{{ keycloak_federation.saml.api_path }}/instances/{{ realm_federation_matches[0].internalId }}/mappers" # noqa yaml[line-length]
method: GET
headers:
Authorization: "Bearer {{ tokens.json.access_token }}"
status_code: 200
register: existing_mappers
- - set_fact:
+ - name: Set fact
+ ansible.builtin.set_fact:
existing_mappers_name_id: "{{ existing_mappers.json | json_query(query) | default([]) }}"
vars:
query: '[].{name: name, id: id }'
-
- name: Setup federation mapper
- include_tasks: blocks/configure_federation_mapper.yml
+ ansible.builtin.include_tasks: blocks/configure_federation_mapper.yml
with_items: "{{ item[1].mappers | default([]) }}"
loop_control:
loop_var: mapper
run_once: true
-
- when: "realm_federation_matches | length > 0"
-
diff --git a/roles/keycloak/tasks/blocks/configure_idp_mappers.yml b/roles/keycloak/tasks/blocks/configure_idp_mappers.yml
index 67425cc2..3577eea0 100644
--- a/roles/keycloak/tasks/blocks/configure_idp_mappers.yml
+++ b/roles/keycloak/tasks/blocks/configure_idp_mappers.yml
@@ -1,44 +1,49 @@
---
- name: Acquire tokens
- include_tasks: blocks/helpers/get_tokens.yml
+ ansible.builtin.include_tasks: blocks/helpers/get_tokens.yml
- name: "Get current mappers of idp: {{ item[0].name }}"
- include_tasks: blocks/helpers/get_idp_mappers_list.yml
+ ansible.builtin.include_tasks: blocks/helpers/get_idp_mappers_list.yml
-- set_fact:
+- name: Set Fact
+ ansible.builtin.set_fact:
mapper_exists: "{{ idp_mapper_match | length > 0 }}"
-- set_fact:
+- name: Set Fact
+ ansible.builtin.set_fact:
additional_info:
id: "{{ idp_mapper_match[0].id }}"
- when: mapper_exists
+ when: mapper_exists | bool
-- set_fact:
- body: "{{ item[1] | combine(additional_info , recursive=True ) }}"
- when: mapper_exists
+- name: Set Fact
+ ansible.builtin.set_fact:
+ body: "{{ item[1] | combine(additional_info, recursive=True) }}"
+ when: mapper_exists | bool
-- set_fact:
+- name: Set Fact
+ ansible.builtin.set_fact:
body: "{{ item[1] }}"
- when: not mapper_exists
+ when: not (mapper_exists | bool)
-- name: "{% if mapper_exists %}Update{% else %}Add{% endif %} idp mapper: {{ item[1].name }} for idp: {{ item[1].identityProviderAlias }}"
- uri:
- url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/identity-provider/instances/{{ body.identityProviderAlias }}/mappers{% if mapper_exists %}/{{ body.id }}{% endif %}"
- method: "{% if mapper_exists %}PUT{% else %}POST{% endif %}"
+- name: "Update idp mapper: {{ item[1].name }} for idp: {{ item[1].identityProviderAlias }}" # noqa name[template]
+ ansible.builtin.uri:
+ url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/identity-provider/instances/{{ body.identityProviderAlias }}/mappers/{{ body.id }}"
+ method: PUT
body_format: json
headers:
Authorization: "Bearer {{ tokens.json.access_token }}"
- body:
- "{{ body }}"
- status_code: "{% if mapper_exists %}204{% else %}201{% endif %}"
-
-
-
-
-
-
-
-
-
-
+ body: "{{ body }}"
+ status_code: 204
+ when: mapper_exists | bool
+
+- name: "Add idp mapper: {{ item[1].name }} for idp: {{ item[1].identityProviderAlias }}" # noqa name[template]
+ ansible.builtin.uri:
+ url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/identity-provider/instances/{{ body.identityProviderAlias }}/mappers"
+ method: POST
+ body_format: json
+ headers:
+ Authorization: "Bearer {{ tokens.json.access_token }}"
+ body: "{{ body }}"
+ status_code: 201
+ when: not (mapper_exists | bool)
diff --git a/roles/keycloak/tasks/blocks/configure_saml_idps.yml b/roles/keycloak/tasks/blocks/configure_saml_idps.yml
index 355ff84b..3b1efb12 100644
--- a/roles/keycloak/tasks/blocks/configure_saml_idps.yml
+++ b/roles/keycloak/tasks/blocks/configure_saml_idps.yml
@@ -1,18 +1,19 @@
---
- name: Acquire tokens
- include_tasks: blocks/helpers/get_tokens.yml
+ ansible.builtin.include_tasks: blocks/helpers/get_tokens.yml
- name: "Get current IdPs list of realm: {{ item[0].name }}"
- include_tasks: blocks/helpers/get_realm_idps_list.yml
+ ansible.builtin.include_tasks: blocks/helpers/get_realm_idps_list.yml
-- set_fact:
- new_idp: "{% if item[1].data.alias not in idps_list %}true{% else %}false{% endif %}"
+- name: Set fact
+ ansible.builtin.set_fact:
+ new_idp: "({% if item[1].data.alias not in idps_list %}true{% else %}false{% endif %}) | bool"
- name: "{% if new_idp %}Installing{% else %}Updating{% endif %} saml IdP: {{ item[1].data.alias }}"
block:
- name: "Get config from url: {{ item[1].metadataUrl }}"
- uri:
+ ansible.builtin.uri:
url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/identity-provider/import-config"
method: POST
body_format: json
@@ -24,13 +25,24 @@
status_code: 200
register: saml_idp_result
- - name: "Setup saml IdP {{ item[1].data.alias }}"
- uri:
- url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/identity-provider/instances{% if new_idp %}{% else %}/{{ item[1].data.alias }}{% endif %}"
- method: "{% if new_idp %}POST{% else %}PUT{% endif %}"
+ - name: "Create saml IdP {{ item[1].data.alias }}"
+ ansible.builtin.uri:
+ url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/identity-provider/instances"
+ method: POST
body_format: json
headers:
Authorization: "Bearer {{ tokens.json.access_token }}"
- body:
- "{{ { 'config': saml_idp_result.json } | combine( item[1].data, recursive=True ) }}"
- status_code: "{% if new_idp %}201{% else %}204{% endif %}"
+ body: "{{ {'config': saml_idp_result.json} | combine(item[1].data, recursive=True) }}"
+ status_code: 201
+ when: new_idp
+
+ - name: "Update saml IdP {{ item[1].data.alias }}"
+ ansible.builtin.uri:
+ url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/identity-provider/instances/{{ item[1].data.alias }}"
+ method: PUT
+ body_format: json
+ headers:
+ Authorization: "Bearer {{ tokens.json.access_token }}"
+ body: "{{ {'config': saml_idp_result.json} | combine(item[1].data, recursive=True) }}"
+ status_code: 204
+ when: not new_idp
diff --git a/roles/keycloak/tasks/blocks/configure_social_idps.yml b/roles/keycloak/tasks/blocks/configure_social_idps.yml
index db6c24f6..9fea8001 100644
--- a/roles/keycloak/tasks/blocks/configure_social_idps.yml
+++ b/roles/keycloak/tasks/blocks/configure_social_idps.yml
@@ -1,21 +1,33 @@
---
- name: Acquire tokens
- include_tasks: blocks/helpers/get_tokens.yml
+ ansible.builtin.include_tasks: blocks/helpers/get_tokens.yml
-- name: "Configuring IdP: {{ item[1].alias }} Get current IdPs list for realm: {{ item[0].name }}"
- include_tasks: blocks/helpers/get_realm_idps_list.yml
+- name: "Configuring IdP: {{ item[1].alias }} Get current IdPs list for realm: {{ item[0].name }}" # noqa name[template]
+ ansible.builtin.include_tasks: blocks/helpers/get_realm_idps_list.yml
-- set_fact:
+- name: Set new idp fact
+ ansible.builtin.set_fact:
new_idp: "{% if item[1].alias not in idps_list %}true{% else %}false{% endif %}"
-- name: "{% if new_idp %}Add{% else %}Update{% endif %} idp: {{ item[1].alias }}"
- uri:
+- name: "Add idp: {{ item[1].alias }}"
+ ansible.builtin.uri:
url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/identity-provider/instances{% if new_idp %}{% else %}/{{ item[1].alias }}{% endif %}"
- method: "{% if new_idp %}POST{% else %}PUT{% endif %}"
+ method: POST
body_format: json
headers:
Authorization: "Bearer {{ tokens.json.access_token }}"
- body:
- "{{ item[1] }}"
- status_code: "{% if new_idp %}201{% else %}204{% endif %}"
+ body: "{{ item[1] }}"
+ status_code: 201
+ when: new_idp
+
+- name: "Update idp: {{ item[1].alias }}"
+ ansible.builtin.uri:
+ url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/identity-provider/instances{% if new_idp %}{% else %}/{{ item[1].alias }}{% endif %}"
+ method: PUT
+ body_format: json
+ headers:
+ Authorization: "Bearer {{ tokens.json.access_token }}"
+ body: "{{ item[1] }}"
+ status_code: 204
+ when: not new_idp
diff --git a/roles/keycloak/tasks/blocks/configure_theme.yml b/roles/keycloak/tasks/blocks/configure_theme.yml
index 48c50ad6..9212b2b1 100644
--- a/roles/keycloak/tasks/blocks/configure_theme.yml
+++ b/roles/keycloak/tasks/blocks/configure_theme.yml
@@ -1,15 +1,16 @@
---
- name: Acquire tokens
- include_tasks: blocks/helpers/get_tokens.yml
+ ansible.builtin.include_tasks: blocks/helpers/get_tokens.yml
## we should issue the configuration calls from all host machines locally (and not through the proxy),
## because we want to be absolutely sure that all calls have been executed on all keycloak nodes at least once.
-- ansible.builtin.set_fact:
+- name: Ensure local host fact
+ ansible.builtin.set_fact:
keycloak_local_host: "http://{{ keycloak_local_address }}:{{ keycloak_bind_port }}/{{ keycloak_base_url_path }}"
-- name: "Add {{keycloak_plugins.wayf.theme.name}} theme's terms of use for the realm {{ item.name }}"
- uri:
+- name: "Add {{ keycloak_plugins.wayf.theme.name }} theme's terms of use for the realm {{ item.name }}" # noqa name[template]
+ ansible.builtin.uri:
url: "{{ keycloak_local_host }}/realms/{{ item.name }}/theme-info/terms-of-use"
method: POST
body_format: raw
@@ -20,8 +21,8 @@
status_code: 201
when: not item.terms is undefined
-- name: "Add {{keycloak_plugins.wayf.theme.name}} theme's configuration for the realm {{ item.name }}"
- uri:
+- name: "Add {{ keycloak_plugins.wayf.theme.name }} theme's configuration for the realm {{ item.name }}" # noqa name[template]
+ ansible.builtin.uri:
url: "{{ keycloak_local_host }}/realms/{{ item.name }}/theme-info/theme-config"
method: POST
body_format: json
@@ -32,7 +33,7 @@
when: not item.config is undefined
- name: "Add resource files"
- uri:
+ ansible.builtin.uri:
url: "{{ keycloak_local_host }}/realms/{{ item.name }}/theme-info/resource/{{ theme_realm_resource.filename }}"
method: POST
headers:
@@ -46,5 +47,3 @@
loop_control:
loop_var: theme_realm_resource
with_items: "{{ item.resources | default([]) }}"
-
-
diff --git a/roles/keycloak/tasks/blocks/helpers/get_client_scopes_list.yml b/roles/keycloak/tasks/blocks/helpers/get_client_scopes_list.yml
index fd54d353..614eafcc 100644
--- a/roles/keycloak/tasks/blocks/helpers/get_client_scopes_list.yml
+++ b/roles/keycloak/tasks/blocks/helpers/get_client_scopes_list.yml
@@ -1,6 +1,6 @@
---
- name: "Get list of client scopes"
- uri:
+ ansible.builtin.uri:
url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/client-scopes"
method: GET
headers:
@@ -8,7 +8,8 @@
status_code: 200
register: "client_scopes_list"
-- set_fact:
+- name: Set Fact
+ ansible.builtin.set_fact:
client_scope_matches: "{{ client_scopes_list.json | json_query(query) | default([]) }}"
vars:
query: '[?name == `{{ item[1].name }}` ]'
diff --git a/roles/keycloak/tasks/blocks/helpers/get_idp_mappers_list.yml b/roles/keycloak/tasks/blocks/helpers/get_idp_mappers_list.yml
index aca59cba..69e5f5b4 100644
--- a/roles/keycloak/tasks/blocks/helpers/get_idp_mappers_list.yml
+++ b/roles/keycloak/tasks/blocks/helpers/get_idp_mappers_list.yml
@@ -1,7 +1,6 @@
---
-
-- name: "Get list of idp's mappers"
- uri:
+- name: Get list of idp's mappers
+ ansible.builtin.uri:
url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/identity-provider/instances/{{ item[1].identityProviderAlias }}/mappers"
method: GET
headers:
@@ -9,7 +8,8 @@
status_code: 200
register: "idp_mappers_result"
-- set_fact:
+- name: Set Fact
+ ansible.builtin.set_fact:
idp_mapper_match: "{{ idp_mappers_result.json | json_query(query) | default([]) }}"
vars:
query: '[?name == `{{ item[1].name }}` ].{name: name, id: id }'
diff --git a/roles/keycloak/tasks/blocks/helpers/get_realm_idps_list.yml b/roles/keycloak/tasks/blocks/helpers/get_realm_idps_list.yml
index a712cb74..ba12e58f 100644
--- a/roles/keycloak/tasks/blocks/helpers/get_realm_idps_list.yml
+++ b/roles/keycloak/tasks/blocks/helpers/get_realm_idps_list.yml
@@ -1,7 +1,7 @@
---
- name: "Get list of idps"
- uri:
+ ansible.builtin.uri:
url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/identity-provider/instances"
method: GET
headers:
@@ -9,5 +9,6 @@
status_code: 200
register: "idps_result"
-- set_fact:
- idps_list: "{{ idps_result.json | json_query('[].alias') }}"
\ No newline at end of file
+- name: Set fact
+ ansible.builtin.set_fact:
+ idps_list: "{{ idps_result.json | json_query('[].alias') }}"
diff --git a/roles/keycloak/tasks/blocks/helpers/get_realm_keys.yml b/roles/keycloak/tasks/blocks/helpers/get_realm_keys.yml
index bdbfcee1..808e6a6d 100644
--- a/roles/keycloak/tasks/blocks/helpers/get_realm_keys.yml
+++ b/roles/keycloak/tasks/blocks/helpers/get_realm_keys.yml
@@ -1,6 +1,6 @@
---
- name: "Get list of keys of realm: {{ item[0].name }}"
- uri:
+ ansible.builtin.uri:
url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/components?parent={{ item[0].name }}&type=org.keycloak.keys.KeyProvider"
method: GET
headers:
@@ -8,8 +8,9 @@
status_code: 200
register: "keys_result"
-- set_fact:
- keys_provideridName2id: "{{ keys_provideridName2id | default({}) | combine( { current_key.providerId + ':' + current_key.name : current_key.id } ) }}"
+- name: Set Fact
+ ansible.builtin.set_fact:
+ keys_providerid_name_2_id: "{{ keys_providerid_name_2_id | default({}) | combine({current_key.providerId + ':' + current_key.name: current_key.id}) }}"
loop_control:
loop_var: current_key
with_items:
diff --git a/roles/keycloak/tasks/blocks/helpers/get_tokens.yml b/roles/keycloak/tasks/blocks/helpers/get_tokens.yml
index 6e2d025f..deba711a 100644
--- a/roles/keycloak/tasks/blocks/helpers/get_tokens.yml
+++ b/roles/keycloak/tasks/blocks/helpers/get_tokens.yml
@@ -1,13 +1,12 @@
---
-
- name: Acquire tokens
- uri:
+ ansible.builtin.uri:
url: "{{ keycloak_proxy_host }}/realms/master/protocol/openid-connect/token"
method: POST
body_format: form-urlencoded
body:
- client_id: "admin-cli"
- username: "{{keycloak_admin.user}}"
- password: "{{keycloak_admin.pass}}"
- grant_type: "password"
- register: "tokens" # token is in "tokens.json.access_token"
+ client_id: admin-cli
+ username: "{{ keycloak_admin.user }}"
+ password: "{{ keycloak_admin.pass }}"
+ grant_type: password
+ register: tokens # token is in "tokens.json.access_token"
diff --git a/roles/keycloak/tasks/blocks/helpers/search_realm_federations.yml b/roles/keycloak/tasks/blocks/helpers/search_realm_federations.yml
index c545bf87..2a22090a 100644
--- a/roles/keycloak/tasks/blocks/helpers/search_realm_federations.yml
+++ b/roles/keycloak/tasks/blocks/helpers/search_realm_federations.yml
@@ -1,16 +1,16 @@
---
-- name: "Search federation {{ item[1].alias }} in keycloak"
- uri:
+- name: "Search federation in keycloak - {{ item[1].alias }}"
+ ansible.builtin.uri:
url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}"
method: GET
headers:
Authorization: "Bearer {{ tokens.json.access_token }}"
status_code: 200
- register: "realm_result"
+ register: realm_result
-- set_fact:
+- name: Set real federation matches
+ ansible.builtin.set_fact:
realm_federation_matches: "{{ realm_result.json[keycloak_federation.saml.representation_entity] | json_query(query) | default([]) }}"
vars:
query: '[?alias == `{{ item[1].alias }}` ].{alias: alias, internalId: internalId }'
-
diff --git a/roles/keycloak/tasks/blocks/helpers/setup_logs_folder.yml b/roles/keycloak/tasks/blocks/helpers/setup_logs_folder.yml
index 450d4e7b..b41ec150 100644
--- a/roles/keycloak/tasks/blocks/helpers/setup_logs_folder.yml
+++ b/roles/keycloak/tasks/blocks/helpers/setup_logs_folder.yml
@@ -1,34 +1,30 @@
---
-- block:
- ##### Setup logs directory
- - name: "Create {{ keycloak_logs_folder }} (if it doesn't exist)"
- file:
- path: "{{ keycloak_logs_folder }}"
- owner: "{{ keycloak_service_user }}"
- group: "{{ keycloak_service_user }}"
- mode: 0750
- recurse: yes
- state: directory
- become: yes
-
- - name: "Move existing logs in default location to new location, if needed (that's for backwards compatibility)"
- block:
-
- - stat:
- path: "{{ keycloak_home }}/standalone/log"
- register: keycloak_old_logs_folder
-
- - name: "Copy everything from {{ keycloak_home }}/standalone/log to {{ keycloak_logs_folder }}"
- copy:
- src: "{{ keycloak_home }}/standalone/log/"
- dest: "{{ keycloak_logs_folder }}"
+- name: Setup logs directory
+ ansible.builtin.block:
+ - name: "Create {{ keycloak_logs_folder }} (if it doesn't exist)"
+ ansible.builtin.file:
+ path: "{{ keycloak_logs_folder }}"
owner: "{{ keycloak_service_user }}"
group: "{{ keycloak_service_user }}"
- remote_src: true
- mode: 0640
- become: yes
- when: keycloak_old_logs_folder.stat.exists
-
- tags: "keycloak:setup_logs_folder"
+ mode: "0750"
+ recurse: true
+ state: directory
+ become: true
+ - name: Move existing logs in default location to new location, if needed (that's for backwards compatibility)
+ ansible.builtin.block:
+ - ansible.builtin.stat:
+ path: "{{ keycloak_home }}/standalone/log"
+ register: keycloak_old_logs_folder
+ - name: "Copy everything from {{ keycloak_home }}/standalone/log to {{ keycloak_logs_folder }}"
+ ansible.builtin.copy:
+ src: "{{ keycloak_home }}/standalone/log/"
+ dest: "{{ keycloak_logs_folder }}"
+ owner: "{{ keycloak_service_user }}"
+ group: "{{ keycloak_service_user }}"
+ remote_src: true
+ mode: "0640"
+ become: true
+ when: keycloak_old_logs_folder.stat.exists
+ tags: keycloak:setup_logs_folder
diff --git a/roles/keycloak/tasks/blocks/helpers/unassign_default_client_scopes.yml b/roles/keycloak/tasks/blocks/helpers/unassign_default_client_scopes.yml
index 4d36b127..c5a8a2ef 100644
--- a/roles/keycloak/tasks/blocks/helpers/unassign_default_client_scopes.yml
+++ b/roles/keycloak/tasks/blocks/helpers/unassign_default_client_scopes.yml
@@ -1,9 +1,10 @@
---
-
-- include_tasks: blocks/helpers/get_tokens.yml
+# this is included below - not idempotent should be a handler with flush
+- name: Include get tokens tasks
+ ansible.builtin.include_tasks: blocks/helpers/get_tokens.yml
- name: "Get all default optional client-scopes list"
- uri:
+ ansible.builtin.uri:
url: "{{ keycloak_proxy_host }}/admin/realms/{{ current_realm.name }}/default-optional-client-scopes"
method: "GET"
headers:
@@ -12,26 +13,25 @@
register: "default_optional_list"
- name: "Clear all from the default optional client scopes list"
- include_tasks: blocks/helpers/unassign_default_optional_client_scope.yml
+ ansible.builtin.include_tasks: blocks/helpers/unassign_default_optional_client_scope.yml
with_items: "{{ default_optional_list.json | default([]) }}"
loop_control:
loop_var: current_default_optional
+- name: Include get_tokens
+ ansible.builtin.include_tasks: blocks/helpers/get_tokens.yml
-- include_tasks: blocks/helpers/get_tokens.yml
-
-- name: "Get all default default client-scopes list"
- uri:
+- name: Get all default default client-scopes list
+ ansible.builtin.uri:
url: "{{ keycloak_proxy_host }}/admin/realms/{{ current_realm.name }}/default-default-client-scopes"
method: "GET"
headers:
Authorization: "Bearer {{ tokens.json.access_token }}"
- status_code: "200"
+ status_code: 200
register: "default_default_list"
-
-- name: "Clear all from the default default client scopes list"
- include_tasks: blocks/helpers/unassign_default_default_client_scope.yml
+- name: Clear all from the default default client scopes list
+ ansible.builtin.include_tasks: blocks/helpers/unassign_default_default_client_scope.yml
with_items: "{{ default_default_list.json | default([]) }}"
loop_control:
loop_var: current_default_default
diff --git a/roles/keycloak/tasks/blocks/helpers/unassign_default_default_client_scope.yml b/roles/keycloak/tasks/blocks/helpers/unassign_default_default_client_scope.yml
index 5414b2b8..10fab4cd 100644
--- a/roles/keycloak/tasks/blocks/helpers/unassign_default_default_client_scope.yml
+++ b/roles/keycloak/tasks/blocks/helpers/unassign_default_default_client_scope.yml
@@ -1,11 +1,12 @@
---
+# tasks/blocks/helpers/unassign_default_default_client_scope.yml
+- name: Include tokens tasks
+ ansible.builtin.include_tasks: blocks/helpers/get_tokens.yml
-- include_tasks: blocks/helpers/get_tokens.yml
-
-- name: "Clear {{ current_default_default.name }} from the default default client scopes list"
- uri:
+- name: "Clear from the default client scopes list: {{ current_default_default.name }}"
+ ansible.builtin.uri:
url: "{{ keycloak_proxy_host }}/admin/realms/{{ current_realm.name }}/default-default-client-scopes/{{ current_default_default.id }}"
- method: "DELETE"
+ method: DELETE
headers:
Authorization: "Bearer {{ tokens.json.access_token }}"
- status_code: "204"
\ No newline at end of file
+ status_code: 204
diff --git a/roles/keycloak/tasks/blocks/helpers/unassign_default_optional_client_scope.yml b/roles/keycloak/tasks/blocks/helpers/unassign_default_optional_client_scope.yml
index b0acdd83..550e4210 100644
--- a/roles/keycloak/tasks/blocks/helpers/unassign_default_optional_client_scope.yml
+++ b/roles/keycloak/tasks/blocks/helpers/unassign_default_optional_client_scope.yml
@@ -1,11 +1,12 @@
---
-- include_tasks: blocks/helpers/get_tokens.yml
+- name: Keycloak | helpers | unassign default | include get tokens
+ ansible.builtin.include_tasks: blocks/helpers/get_tokens.yml
-- name: "Clear {{ current_default_optional.name }} from the default optional client scopes list"
- uri:
+- name: "Clear {{ current_default_optional.name }} from the default optional client scopes list" # noqa name[template]
+ ansible.builtin.uri:
url: "{{ keycloak_proxy_host }}/admin/realms/{{ current_realm.name }}/default-optional-client-scopes/{{ current_default_optional.id }}"
- method: "DELETE"
+ method: DELETE
headers:
Authorization: "Bearer {{ tokens.json.access_token }}"
- status_code: "204"
\ No newline at end of file
+ status_code: 204
diff --git a/roles/keycloak/tasks/blocks/keys/configure_keys.yml b/roles/keycloak/tasks/blocks/keys/configure_keys.yml
index 226da57c..02e3f08d 100644
--- a/roles/keycloak/tasks/blocks/keys/configure_keys.yml
+++ b/roles/keycloak/tasks/blocks/keys/configure_keys.yml
@@ -1,20 +1,22 @@
---
- name: Acquire tokens
- include_tasks: blocks/helpers/get_tokens.yml
+ ansible.builtin.include_tasks: blocks/helpers/get_tokens.yml
-- name: "Get current keys list of realm: {{item[0].name}}"
- include_tasks: blocks/helpers/get_realm_keys.yml
+- name: "Get current keys list of realm: {{ item[0].name }}"
+ ansible.builtin.include_tasks: blocks/helpers/get_realm_keys.yml
-- set_fact:
+- name: Keycloak | keys | configure | set fact
+ ansible.builtin.set_fact:
item0: "{{ item[0] }}"
item1: "{{ item[1] }}"
-- include_tasks: blocks/keys/create_javakeystores.yml
+- name: Keycloak | keys | configure | set fact
+ ansible.builtin.include_tasks: blocks/keys/create_javakeystores.yml
when: item1.keystore_config is defined
-- name: "Install {{ item1.providerId }} key with name '{{ item1.name }}'"
- uri:
+- name: "Install {{ item1.providerId }} key with name '{{ item1.name }}'" # noqa name[template]
+ ansible.builtin.uri:
url: "{{ keycloak_proxy_host }}/admin/realms/{{ item0.name }}/components"
method: POST
body_format: json
@@ -23,28 +25,27 @@
body:
name: "{{ item1.name }}"
providerId: "{{ item1.providerId }}"
- providerType: org.keycloak.keys.KeyProvider #never change this
+ providerType: org.keycloak.keys.KeyProvider # never change this
parentId: "{{ item0.name }}"
config: "{{ item1.config }}"
status_code: 201
run_once: true
- when: keys_provideridName2id[item1.providerId + ':' + item1.name] is not defined
+ when: keys_providerid_name_2_id[item1.providerId + ':' + item1.name] is not defined
-
-- name: "Update {{ item1.providerId }} key with name '{{ item1.name }}'"
- uri:
- url: "{{ keycloak_proxy_host }}/admin/realms/{{ item0.name }}/components/{{ keys_provideridName2id[item1.providerId + ':' + item1.name] }}"
+- name: "Update {{ item1.providerId }} key with name '{{ item1.name }}'" # noqa name[template]
+ ansible.builtin.uri:
+ url: "{{ keycloak_proxy_host }}/admin/realms/{{ item0.name }}/components/{{ keys_providerid_name_2_id[item1.providerId + ':' + item1.name] }}"
method: PUT
body_format: json
headers:
Authorization: "Bearer {{ tokens.json.access_token }}"
body:
- id: "{{ keys_provideridName2id[item1.providerId + ':' + item1.name] }}"
+ id: "{{ keys_providerid_name_2_id[item1.providerId + ':' + item1.name] }}"
name: "{{ item1.name }}"
providerId: "{{ item1.providerId }}"
- providerType: org.keycloak.keys.KeyProvider #never change this
+ providerType: org.keycloak.keys.KeyProvider # never change this
parentId: "{{ item0.name }}"
config: "{{ item1.config }}"
status_code: 204
run_once: true
- when: keys_provideridName2id[item1.providerId + ':' + item1.name] is defined
+ when: keys_providerid_name_2_id[item1.providerId + ':' + item1.name] is defined
diff --git a/roles/keycloak/tasks/blocks/keys/create_javakeystores.yml b/roles/keycloak/tasks/blocks/keys/create_javakeystores.yml
index 7a499f56..a31523f6 100644
--- a/roles/keycloak/tasks/blocks/keys/create_javakeystores.yml
+++ b/roles/keycloak/tasks/blocks/keys/create_javakeystores.yml
@@ -1,17 +1,17 @@
---
-
+# tasks/blocks/keys/create_javakeystores.yml
- name: Acquire tokens
- include_tasks: blocks/helpers/get_tokens.yml
+ ansible.builtin.include_tasks: blocks/helpers/get_tokens.yml
- name: Create the java keystores folder (if it doesn't exist)
ansible.builtin.file:
path: "{{ keycloak_keystores }}/{{ item[0].name }}"
- recurse: yes
+ recurse: true
state: directory
- mode: 0500
+ mode: "0500"
owner: "{{ keycloak_service_user }}"
group: "{{ keycloak_service_user }}"
- become: yes
+ become: true
run_once: false
- name: Create a keystore for the given certificate/private key pair (inline)
@@ -22,17 +22,18 @@
private_key_passphrase: "{{ item[1].keystore_config.key_passphrase }}"
password: "{{ item[1].keystore_config.keystore_password }}"
dest: "{{ keycloak_keystores }}/{{ item[0].name }}/{{ item[1].keystore_config.key_alias }}.jks"
- mode: 0400
+ mode: "0400"
owner: "{{ keycloak_service_user }}"
group: "{{ keycloak_service_user }}"
- become: yes
+ become: true
run_once: false
# Now modify the item[1] to match the expected one
# 1) assemble the correct item[1].config (fuse with keystore_config)
# 2) remove the item[1].keystore_config
-- set_fact:
+- name: Keycloak | keys | modify to match the expected
+ ansible.builtin.set_fact:
additional_config:
config:
keystore:
@@ -44,19 +45,23 @@
keyPassword:
- "{{ item[1].keystore_config.key_passphrase }}"
-- set_fact: # add the correct
- item1_fused: "{{ item[1] | combine(additional_config, recursive=True ) }}"
+- name: Keycloak | keys | add the correct
+ ansible.builtin.set_fact:
+ item1_fused: "{{ item[1] | combine(additional_config, recursive=True) }}"
-- set_fact:
+- name: Keycloak | keys |
+ ansible.builtin.set_fact:
item1_fused_cleaned: {}
-- set_fact:
+- name: Keycloak | keys |
+ ansible.builtin.set_fact:
item1_fused_cleaned: "{{ item1_fused_cleaned | combine({keypair.key: keypair.value}) }}"
when: keypair.key != "keystore_config"
loop_control:
loop_var: keypair
with_dict: "{{ item1_fused }}"
-- set_fact:
+- name: Keycloak | keys |
+ ansible.builtin.set_fact:
item0: "{{ item[0] }}"
item1: "{{ item1_fused_cleaned }}"
diff --git a/roles/keycloak/tasks/blocks/roles_configuration/clients/add_remove_client_default_roles.yml b/roles/keycloak/tasks/blocks/roles_configuration/clients/add_remove_client_default_roles.yml
index 9d1a7243..19926217 100644
--- a/roles/keycloak/tasks/blocks/roles_configuration/clients/add_remove_client_default_roles.yml
+++ b/roles/keycloak/tasks/blocks/roles_configuration/clients/add_remove_client_default_roles.yml
@@ -8,20 +8,21 @@
- name: Acquire tokens
- include_tasks: blocks/helpers/get_tokens.yml
+ ansible.builtin.include_tasks: blocks/helpers/get_tokens.yml
-- set_fact:
+- name: Keycloak | roles | clients | set fact
+ ansible.builtin.set_fact:
body: "{{ client_roles | json_query(query) | default([]) }}"
vars:
- query: "{% if client_default_role_mode=='add' %}[?contains(`{{ realm_and_client_roles[1].add | to_json }}`, name)]{% elif client_default_role_mode=='remove' %}[?contains(`{{ realm_and_client_roles[1].remove | to_json }}`, name)]{% endif %}"
+ query: "{% if client_default_role_mode == 'add' %}[?contains(`{{ realm_and_client_roles[1].add | to_json }}`, name )]{% elif client_default_role_mode == 'remove' %}[?contains(`{{ realm_and_client_roles[1].remove | to_json }}`, name )]{% endif %}" # noqa yaml[line-length]
-- name: "{{ client_default_role_mode }} default-roles in realm {{ realm_and_client_roles[0].name }}"
- uri:
- url: "{{ keycloak_proxy_host }}/admin/realms/{{ realm_and_client_roles[0].name }}/roles/default-roles-{{ realm_and_client_roles[0].name | lower }}/composites"
- method: "{% if client_default_role_mode=='add' %}POST{% elif client_default_role_mode=='remove' %}DELETE{% endif %}"
+- name: "{{ client_default_role_mode }} default-roles in realm {{ realm_and_client_roles[0].name }}" # noqa name[template]
+ ansible.builtin.uri:
+ url: "{{ keycloak_proxy_host }}/admin/realms/{{ realm_and_client_roles[0].name }}/roles/default-roles-{{ realm_and_client_roles[0].name | lower }}/composites" # noqa yaml[line-length]
+ method: "{% if client_default_role_mode == 'add' %}POST{% elif client_default_role_mode == 'remove' %}DELETE{% endif %}"
body_format: json
headers:
Authorization: "Bearer {{ tokens.json.access_token }}"
body:
"{{ body }}"
- status_code: 204
\ No newline at end of file
+ status_code: 204
diff --git a/roles/keycloak/tasks/blocks/roles_configuration/clients/configure_client_default_roles.yml b/roles/keycloak/tasks/blocks/roles_configuration/clients/configure_client_default_roles.yml
index 3ccf499e..b9f65b2e 100644
--- a/roles/keycloak/tasks/blocks/roles_configuration/clients/configure_client_default_roles.yml
+++ b/roles/keycloak/tasks/blocks/roles_configuration/clients/configure_client_default_roles.yml
@@ -4,38 +4,40 @@
# realm_and_client_roles[1] : the current element of the client_default_roles list
- name: Acquire tokens
- include_tasks: blocks/helpers/get_tokens.yml
+ ansible.builtin.include_tasks: blocks/helpers/get_tokens.yml
- name: "Find client {{ realm_and_client_roles[1].name }}"
- uri:
+ ansible.builtin.uri:
url: "{{ keycloak_proxy_host }}/admin/realms/{{ realm_and_client_roles[0].name }}/clients?clientId={{ realm_and_client_roles[1].name }}&max=20&search=true"
- method: "GET"
+ method: GET
headers:
Authorization: "Bearer {{ tokens.json.access_token }}"
status_code: 200
register: found_clients
-- set_fact:
+- name: Keycloak | roles | clients | set found_client fact
+ ansible.builtin.set_fact:
found_client: "{{ found_clients.json[0] | default() }}"
- name: "Find roles of client {{ found_client.clientId }}"
- uri:
+ ansible.builtin.uri:
url: "{{ keycloak_proxy_host }}/admin/realms/{{ realm_and_client_roles[0].name }}/clients/{{ found_client.id }}/roles"
- method: "GET"
+ method: GET
headers:
Authorization: "Bearer {{ tokens.json.access_token }}"
status_code: 200
register: client_roles
-- set_fact:
- client_roles: "{{ client_roles.json| default([]) }}"
+- name: Keycloak | roles | clients | set client_roles fact
+ ansible.builtin.set_fact:
+ client_roles: "{{ client_roles.json | default([]) }}"
-- name: "Call default client roles updater (mode 'add')"
- include_tasks: blocks/roles_configuration/clients/add_remove_client_default_roles.yml
+- name: Call default client roles updater (mode 'add')
+ ansible.builtin.include_tasks: blocks/roles_configuration/clients/add_remove_client_default_roles.yml
vars:
client_default_role_mode: add
-- name: "Call default client roles updater (mode 'remove')"
- include_tasks: blocks/roles_configuration/clients/add_remove_client_default_roles.yml
+- name: Call default client roles updater (mode 'remove')
+ ansible.builtin.include_tasks: blocks/roles_configuration/clients/add_remove_client_default_roles.yml
vars:
client_default_role_mode: remove
diff --git a/roles/keycloak/tasks/blocks/roles_configuration/configure.yml b/roles/keycloak/tasks/blocks/roles_configuration/configure.yml
index 1ef08d0c..13199d28 100644
--- a/roles/keycloak/tasks/blocks/roles_configuration/configure.yml
+++ b/roles/keycloak/tasks/blocks/roles_configuration/configure.yml
@@ -1,7 +1,7 @@
---
- name: Setup roles
- include_tasks: configure_roles.yml
+ ansible.builtin.include_tasks: configure_roles.yml
with_subelements:
- "{{ keycloak_config.realms | default([]) }} "
- "role_management.roles"
@@ -9,7 +9,7 @@
run_once: true
- name: Setup default roles (add)
- include_tasks: configure_default_roles.yml
+ ansible.builtin.include_tasks: configure_default_roles.yml
with_subelements:
- "{{ keycloak_config.realms | default([]) }} "
- "role_management.default_roles.add"
@@ -19,7 +19,7 @@
run_once: true
- name: Setup default roles (remove)
- include_tasks: configure_default_roles.yml
+ ansible.builtin.include_tasks: configure_default_roles.yml
with_subelements:
- "{{ keycloak_config.realms | default([]) }} "
- "role_management.default_roles.remove"
@@ -29,7 +29,7 @@
run_once: true
- name: Setup composite roles
- include_tasks: configure_role_composites.yml
+ ansible.builtin.include_tasks: configure_role_composites.yml
with_subelements:
- "{{ keycloak_config.realms | default([]) }} "
- "role_management.composite_roles"
@@ -37,7 +37,7 @@
run_once: true
- name: Setup client default roles
- include_tasks: blocks/roles_configuration/clients/configure_client_default_roles.yml
+ ansible.builtin.include_tasks: blocks/roles_configuration/clients/configure_client_default_roles.yml
with_subelements:
- "{{ keycloak_config.realms | default([]) }} "
- "role_management.client_default_roles"
diff --git a/roles/keycloak/tasks/blocks/roles_configuration/configure_default_roles.yml b/roles/keycloak/tasks/blocks/roles_configuration/configure_default_roles.yml
index f7a4b823..d438054c 100644
--- a/roles/keycloak/tasks/blocks/roles_configuration/configure_default_roles.yml
+++ b/roles/keycloak/tasks/blocks/roles_configuration/configure_default_roles.yml
@@ -1,10 +1,10 @@
---
- name: Acquire tokens
- include_tasks: blocks/helpers/get_tokens.yml
+ ansible.builtin.include_tasks: blocks/helpers/get_tokens.yml
-- name: "Find full payload of all roles in the '{{ default_role_mode }}' list"
- uri:
+- name: "Find full payload of all roles in the list '{{ default_role_mode }}'"
+ ansible.builtin.uri:
url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/roles/{{ default_role_name }}"
method: "GET"
headers:
@@ -15,20 +15,20 @@
with_items: "{{ item[1] }}"
register: search_results
-- set_fact:
+- name: Keycloak | roles | set default_roles_list fact
+ ansible.builtin.set_fact:
default_roles_list_complete: "{{ search_results | json_query(query) | default([]) }}"
vars:
query: 'results[].json'
+
+# Better to have two separate tasks here.
- name: "Edit default-roles in realm {{ item[0].name }}"
- uri:
+ ansible.builtin.uri:
url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/roles/default-roles-{{ item[0].name | lower }}/composites"
- method: "{% if default_role_mode=='add' %}POST{% elif default_role_mode=='remove' %}DELETE{% endif %}"
+ method: "{% if default_role_mode == 'add' %}POST{% elif default_role_mode == 'remove' %}DELETE{% endif %}"
body_format: json
headers:
Authorization: "Bearer {{ tokens.json.access_token }}"
- body:
- "{{ default_roles_list_complete }}"
+ body: "{{ default_roles_list_complete }}"
status_code: 204
-
-
diff --git a/roles/keycloak/tasks/blocks/roles_configuration/configure_role_composites.yml b/roles/keycloak/tasks/blocks/roles_configuration/configure_role_composites.yml
index bcedad79..a0cf2aa6 100644
--- a/roles/keycloak/tasks/blocks/roles_configuration/configure_role_composites.yml
+++ b/roles/keycloak/tasks/blocks/roles_configuration/configure_role_composites.yml
@@ -1,12 +1,11 @@
---
-
- name: Acquire tokens
- include_tasks: blocks/helpers/get_tokens.yml
+ ansible.builtin.include_tasks: blocks/helpers/get_tokens.yml
-- name: "Find full payload of all roles in the composite list"
- uri:
+- name: Find full payload of all roles in the composite list
+ ansible.builtin.uri:
url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/roles/{{ composite_name }}"
- method: "GET"
+ method: GET
headers:
Authorization: "Bearer {{ tokens.json.access_token }}"
status_code: 200
@@ -15,14 +14,15 @@
with_items: "{{ item[1].composites }}"
register: search_results
-- set_fact:
+- name: Keycloak | roles | Set composite_list_complete fact
+ ansible.builtin.set_fact:
composite_list_complete: "{{ search_results | json_query(query) | default([]) }}"
vars:
query: 'results[].json'
-- name: "Add composites of role {{ item[1].name }} in realm {{ item[0].name }}"
- uri:
+- name: "Add composites of role {{ item[1].name }} in realm {{ item[0].name }}" # noqa name[template]
+ ansible.builtin.uri:
url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/roles/{{ item[1].name }}/composites"
method: "POST"
body_format: json
diff --git a/roles/keycloak/tasks/blocks/roles_configuration/configure_roles.yml b/roles/keycloak/tasks/blocks/roles_configuration/configure_roles.yml
index 7eaf6f87..e7263bf0 100644
--- a/roles/keycloak/tasks/blocks/roles_configuration/configure_roles.yml
+++ b/roles/keycloak/tasks/blocks/roles_configuration/configure_roles.yml
@@ -1,10 +1,9 @@
---
-
- name: Acquire tokens
- include_tasks: blocks/helpers/get_tokens.yml
+ ansible.builtin.include_tasks: blocks/helpers/get_tokens.yml
-- name: "Get the role {{ item[1].name }} from realm {{ item[0].name }}"
- uri:
+- name: "Get the role {{ item[1].name }} from realm {{ item[0].name }}" # noqa name[template]
+ ansible.builtin.uri:
url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/roles/{{ item[1].name }}"
method: "GET"
headers:
@@ -12,16 +11,29 @@
status_code: [200, 404]
register: realm_role_inquiry
-- set_fact:
+- name: Keycloak | Roles configuration | set role exists
+ ansible.builtin.set_fact:
current_role_exists: "{% if realm_role_inquiry.status == 200 %}true{% else %}false{% endif %}"
-- name: "{% if current_role_exists %}Update{% else %}Update{% endif %} the role {{ item[1].name }} in realm {{ item[0].name }}"
- uri:
- url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/roles{% if current_role_exists %}/{{ item[1].name }}{% endif %}"
- method: "{% if current_role_exists %}PUT{% else %}POST{% endif %}"
+# Probably better to define separate tasks and skip based on the fact
+- name: Update the role in realm
+ ansible.builtin.uri:
+ url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/roles"
+ method: PUT
+ body_format: json
+ headers:
+ Authorization: "Bearer {{ tokens.json.access_token }}"
+ body: "{{ item[1] }}"
+ status_code: 204
+ when: (current_role_exists | bool)
+
+- name: Create role in realm
+ ansible.builtin.uri:
+ url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/roles/{{ item[1].name }}"
+ method: POST
body_format: json
headers:
Authorization: "Bearer {{ tokens.json.access_token }}"
- body:
- "{{ item[1] }}"
- status_code: "{% if current_role_exists %}204{% else %}201{% endif %}"
+ body: "{{ item[1] }}"
+ status_code: 201
+ when: not (current_role_exists | bool)
diff --git a/roles/keycloak/tasks/configure.yml b/roles/keycloak/tasks/configure.yml
index 771b86fd..d63139dd 100644
--- a/roles/keycloak/tasks/configure.yml
+++ b/roles/keycloak/tasks/configure.yml
@@ -1,55 +1,52 @@
---
-
# this is an important block! Do not remove
- name: Wait for keycloak to initialize
block:
- - name: Ensure Keycloak service is running
- systemd:
- name: "keycloak"
- state: "started"
- become: yes
- #wait for port to open
- - name: Waiting for service port to be opened...
- wait_for:
- host: "{{ keycloak_local_address }}"
- port: 8080
- delay: 10
- timeout: 180
- #wait for service to respond
- - name: Waiting for service to be up and running...
- uri:
- url: "http://{{ keycloak_local_address }}:8080/{{ keycloak_base_url_path }}"
- status_code: "200"
- timeout: 600
-
+ - name: Ensure Keycloak service is running
+ ansible.builtin.systemd:
+ name: keycloak
+ state: started
+ become: true
+ - name: Waiting for service port to be opened...
+ ansible.builtin.wait_for:
+ host: "{{ keycloak_local_address }}"
+ port: 8080
+ delay: 10
+ timeout: 180
+ - name: Waiting for service to be up and running...
+ ansible.builtin.uri:
+ url: "http://{{ keycloak_local_address }}:8080/{{ keycloak_base_url_path }}"
+ status_code: 200
+ timeout: 600
# configure AUP, realm keys, etc
- name: Configure the keycloak (AUP, realm keys, etc)
+ tags:
+ - keycloak:config:realm
block:
-
- name: Apply realm.config parameters
- include_tasks: blocks/configure_basic_realm.yml
+ ansible.builtin.include_tasks: blocks/configure_basic_realm.yml
with_items: "{{ keycloak_config.realms | default([]) }}"
loop_control:
loop_var: current_realm_item
run_once: true
- name: Configure keys
- include_tasks: blocks/keys/configure_keys.yml
+ ansible.builtin.include_tasks: blocks/keys/configure_keys.yml
with_subelements:
- "{{ keycloak_config.realms | default([]) }} "
- - "keys"
- - skip_missing: True
+ - keys
+ - skip_missing: true
- name: Configure events logging
- include_tasks: blocks/configure_event_logging.yml
+ ansible.builtin.include_tasks: blocks/configure_event_logging.yml
with_items: "{{ keycloak_config.realms | default([]) }}"
loop_control:
loop_var: current_realm_item
run_once: true
- name: Configure AUP (Terms and Conditions)
- uri:
+ ansible.builtin.uri:
url: "{{ keycloak_proxy_host }}/admin/realms/{{ item.name }}/authentication/required-actions/{{ keycloak_api.terms_and_conditions.endpoint }}"
method: PUT
body_format: json
@@ -71,66 +68,66 @@
run_once: true
- name: Setup roles
- include_tasks: blocks/roles_configuration/configure.yml
+ ansible.builtin.include_tasks: blocks/roles_configuration/configure.yml
- name: Setup federations
- include_tasks: blocks/configure_federations.yml
+ ansible.builtin.include_tasks: blocks/configure_federations.yml
with_subelements:
- "{{ keycloak_config.realms | default([]) }} "
- "federations"
- - skip_missing: True
+ - skip_missing: true
run_once: true
- name: Setup social IdPs
- include_tasks: blocks/configure_social_idps.yml
+ ansible.builtin.include_tasks: blocks/configure_social_idps.yml
with_subelements:
- "{{ keycloak_config.realms | default([]) }} "
- "social_idps"
- - skip_missing: True
+ - skip_missing: true
run_once: true
- name: Setup saml IdPs
- include_tasks: blocks/configure_saml_idps.yml
+ ansible.builtin.include_tasks: blocks/configure_saml_idps.yml
with_subelements:
- "{{ keycloak_config.realms | default([]) }} "
- - "saml_idps"
- - skip_missing: True
+ - saml_idps
+ - skip_missing: true
run_once: true
- name: Setup IdP mappers
- include_tasks: blocks/configure_idp_mappers.yml
+ ansible.builtin.include_tasks: blocks/configure_idp_mappers.yml
with_subelements:
- "{{ keycloak_config.realms | default([]) }} "
- - "idp_mappers"
- - skip_missing: True
+ - idp_mappers
+ - skip_missing: true
run_once: true
- name: "Check if there is any default IdP (will skip the WAYF and redirect to that one) defined"
- include_tasks: blocks/configure_default_idp.yml
+ ansible.builtin.include_tasks: blocks/configure_default_idp.yml
with_items: "{{ keycloak_config.realms | default([]) }}"
loop_control:
loop_var: current_realm
- name: "Configure client scopes (block)"
+ tags:
+ - "keycloak:config:realm:client_scopes"
block:
- name: "Clear all assigned default and optional client scopes"
- include_tasks: blocks/helpers/unassign_default_client_scopes.yml
+ ansible.builtin.include_tasks: blocks/helpers/unassign_default_client_scopes.yml
with_items: "{{ keycloak_config.realms | default([]) }}"
loop_control:
loop_var: current_realm
run_once: true
- name: "Add new / update existing client scopes"
- include_tasks: blocks/configure_client_scopes.yml
+ ansible.builtin.include_tasks: blocks/configure_client_scopes.yml
with_subelements:
- - "{{keycloak_config.realms | default([])}} "
+ - "{{ keycloak_config.realms | default([]) }} "
- "client_scopes"
- - skip_missing: True
+ - skip_missing: true
run_once: true
- tags:
- - "keycloak:config:realm:client_scopes"
- name: "Configure client registration policies"
- include_tasks: blocks/configure_client_reg_policies.yml
+ ansible.builtin.include_tasks: blocks/configure_client_reg_policies.yml
with_items: "{{ keycloak_config.realms | default([]) }}"
loop_control:
loop_var: current_realm
@@ -138,33 +135,36 @@
tags:
- "keycloak:config:realm:client_reg_policies"
- tags: "keycloak:config:realm"
-
### wayf plugin configuration
- name: Configure wayf plugin
- block:
- - name: Acquire tokens
- include_tasks: blocks/helpers/get_tokens.yml
- - name: "Configure wayf plugin"
- include_tasks: blocks/configure_theme.yml
- with_items: "{{ keycloak_plugins.wayf.theme.add_to_realms }}"
-
- when: wayf_enabled == true
+ when: wayf_enabled | bool
vars:
wayf_enabled: "{{ keycloak_plugins.wayf.enabled | default(false) }}"
tags:
- "keycloak:config:plugin"
- "keycloak:config:plugin:wayf"
+ block:
+ - name: Acquire tokens
+ ansible.builtin.include_tasks: blocks/helpers/get_tokens.yml
+ - name: "Configure wayf plugin"
+ ansible.builtin.include_tasks: blocks/configure_theme.yml
+ with_items: "{{ keycloak_plugins.wayf.theme.add_to_realms }}"
### advanced group management plugin
- name: Configure advanced group management plugin
+ when: group_enabled | bool
+ vars:
+ group_enabled: "{{ keycloak_plugins.group.enabled | default(false) }}"
+ tags:
+ - keycloak:config:plugin
+ - keycloak:config:plugin:group
block:
- name: Acquire tokens
- include_tasks: blocks/helpers/get_tokens.yml
+ ansible.builtin.include_tasks: blocks/helpers/get_tokens.yml
- name: Configure user attribute configuration for advanced group management plugin
- uri:
+ ansible.builtin.uri:
url: "{{ keycloak_proxy_host }}/realms/{{ item.name }}/agm/admin/member-user-attribute/configuration"
- method: "POST"
+ method: POST
body_format: json
headers:
Authorization: "Bearer {{ tokens.json.access_token }}"
@@ -174,26 +174,22 @@
with_items: "{{ keycloak_plugins.group.add_to_realms }}"
run_once: true
vars:
- - body_payload:
- userAttribute: "{{ item.member_user_attribute_configuration.userAttribute }}"
- urnNamespace: "{{ item.member_user_attribute_configuration.urnNamespace }}"
- authority: "{{ item.member_user_attribute_configuration.authority }}"
-
- when: group_enabled == true
- vars:
- group_enabled: "{{ keycloak_plugins.group.enabled | default(false) }}"
- tags:
- - "keycloak:config:plugin"
- - "keycloak:config:plugin:group"
+ body_payload:
+ userAttribute: "{{ item.member_user_attribute_configuration.userAttribute }}"
+ urnNamespace: "{{ item.member_user_attribute_configuration.urnNamespace }}"
+ authority: "{{ item.member_user_attribute_configuration.authority }}"
- name: Configure Keycloak themes
+ tags:
+ - keycloak:config:realm
+ - keycloak:config:realm:themes
block:
- name: Acquire tokens
- include_tasks: blocks/helpers/get_tokens.yml
+ ansible.builtin.include_tasks: blocks/helpers/get_tokens.yml
- name: Configure Keycloak themes
- uri:
+ ansible.builtin.uri:
url: "{{ keycloak_proxy_host }}/admin/realms/{{ item.name }}"
- method: "PUT"
+ method: PUT
body_format: json
headers:
Authorization: "Bearer {{ tokens.json.access_token }}"
@@ -203,10 +199,7 @@
with_items: "{{ keycloak_config.realms | default([]) }}"
run_once: true
vars:
- - body_payload:
- loginTheme: "{{ item.themes.login | default(keycloak_themes.login) | default(omit) }}"
- accountTheme: "{{ item.themes.account | default(keycloak_themes.account) | default(omit) }}"
- emailTheme: "{{ item.themes.email | default(keycloak_themes.email) | default(omit) }}"
- tags:
- - "keycloak:config:realm"
- - "keycloak:config:realm:themes"
+ body_payload:
+ loginTheme: "{{ item.themes.login | default(keycloak_themes.login) | default(omit) }}"
+ accountTheme: "{{ item.themes.account | default(keycloak_themes.account) | default(omit) }}"
+ emailTheme: "{{ item.themes.email | default(keycloak_themes.email) | default(omit) }}"
diff --git a/roles/keycloak/tasks/java/Debian-bookworm.yml b/roles/keycloak/tasks/java/Debian-bookworm.yml
index c221e002..4a273c80 100644
--- a/roles/keycloak/tasks/java/Debian-bookworm.yml
+++ b/roles/keycloak/tasks/java/Debian-bookworm.yml
@@ -1,8 +1,7 @@
---
-
- name: Ensure Java 17 is installed
- apt:
+ ansible.builtin.apt:
name: openjdk-17-jdk
state: present
- update_cache: yes
- become: yes
\ No newline at end of file
+ update_cache: true
+ become: true
diff --git a/roles/keycloak/tasks/java/Debian-bullseye.yml b/roles/keycloak/tasks/java/Debian-bullseye.yml
index 9a2d0c23..cf51bfc5 100644
--- a/roles/keycloak/tasks/java/Debian-bullseye.yml
+++ b/roles/keycloak/tasks/java/Debian-bullseye.yml
@@ -1,8 +1,7 @@
---
-
- name: Ensure Java 11 is installed
- apt:
+ ansible.builtin.apt:
name: openjdk-11-jdk
state: present
- update_cache: yes
- become: yes
+ update_cache: true
+ become: true
diff --git a/roles/keycloak/tasks/java/Debian-buster.yml b/roles/keycloak/tasks/java/Debian-buster.yml
index eecb7f68..042c3d06 100644
--- a/roles/keycloak/tasks/java/Debian-buster.yml
+++ b/roles/keycloak/tasks/java/Debian-buster.yml
@@ -1,9 +1,8 @@
---
-
- name: Ensure that the vm has java 11
- apt:
+ ansible.builtin.apt:
name: openjdk-11-jdk
state: present
- update_cache: yes
+ update_cache: true
cache_valid_time: 86400
- become: yes
+ become: true
diff --git a/roles/keycloak/tasks/java/Ubuntu-focal.yml b/roles/keycloak/tasks/java/Ubuntu-focal.yml
index eecb7f68..042c3d06 100644
--- a/roles/keycloak/tasks/java/Ubuntu-focal.yml
+++ b/roles/keycloak/tasks/java/Ubuntu-focal.yml
@@ -1,9 +1,8 @@
---
-
- name: Ensure that the vm has java 11
- apt:
+ ansible.builtin.apt:
name: openjdk-11-jdk
state: present
- update_cache: yes
+ update_cache: true
cache_valid_time: 86400
- become: yes
+ become: true
diff --git a/roles/keycloak/tasks/main.yml b/roles/keycloak/tasks/main.yml
index 40faa2a8..681cb095 100644
--- a/roles/keycloak/tasks/main.yml
+++ b/roles/keycloak/tasks/main.yml
@@ -1,162 +1,172 @@
---
-
## start the installation of keycloak
- name: Include OS-specific variables
- include_vars: "{{ item }}"
+ ansible.builtin.include_vars: "{{ item }}"
with_first_found:
- "os/{{ ansible_distribution }}-{{ ansible_distribution_release }}.yml"
- "os/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml"
- "os/{{ ansible_distribution }}.yml"
- "os/{{ ansible_os_family }}.yml"
- ignore_errors: yes
+ ignore_errors: true # noqa ignore-errors
tags:
- always
-- block:
+- name: Keycloak | Set vars
+ tags:
+ - always
+ block:
- name: Split Keycloak version string into parts
- set_fact:
+ ansible.builtin.set_fact:
keycloak_version_parts: "{{ keycloak_version.split('.') }}"
- name: Define Keycloak major version number
- set_fact:
+ ansible.builtin.set_fact:
keycloak_major_version: "{{ keycloak_version_parts[0] }}"
tags:
- always
- name: Define Keycloak minor version number
- set_fact:
+ ansible.builtin.set_fact:
keycloak_minor_version: "{{ keycloak_version_parts[1] }}"
tags:
- always
- name: Define Keycloak patch version number only when specified in version string
- set_fact:
+ ansible.builtin.set_fact:
keycloak_patch_version: "{{ keycloak_version_parts[2] | default(omit) }}"
- tags:
- - always
- name: Include keycloak-specific variables
- include_vars: "{{ item }}"
+ ansible.builtin.include_vars: "{{ item }}"
with_first_found:
- "keycloak-{{ keycloak_major_version }}.{{ keycloak_minor_version }}.yml"
- "keycloak-{{ keycloak_major_version }}.yml"
- ignore_errors: yes
+ ignore_errors: true # noqa ignore-errors
tags:
- always
-### Install Java with OS-specific packages
-- include: "java/{{ ansible_distribution }}-{{ ansible_distribution_release }}.yml"
+- name: Install Java with OS-specific packages
+ ansible.builtin.include_tasks: "java/{{ ansible_distribution }}-{{ ansible_distribution_release }}.yml"
tags:
- always
- name: Find local keycloak address
- set_fact:
- keycloak_local_address: "{% if ansible_facts.default_ipv4.address is defined %}{{ ansible_facts.default_ipv4.address }}{% elif ansible_facts.default_ipv6.address is defined %}{{ ansible_facts.default_ipv6.address }}{% else %}localhost{% endif %}"
+ ansible.builtin.set_fact:
+ keycloak_local_address: >-
+ {% if ansible_facts.default_ipv4.address is defined %}
+ {{ ansible_facts.default_ipv4.address }}
+ {% elif ansible_facts.default_ipv6.address is defined %}
+ {{ ansible_facts.default_ipv6.address }}
+ {% else %}
+ localhost
+ {% endif %}
tags:
- always
### create keycloak_service_user
- name: Create Keycloak service user/group
- user:
+ ansible.builtin.user:
name: "{{ keycloak_service_user }}"
home: /nonexistent
shell: /usr/sbin/nologin
- system: yes
- create_home: no
- become: yes
+ system: true
+ create_home: false
+ become: true
tags:
- always
### setup the logs folder (also do some actions to preserve backwards compatibility)
-- name: "Setup logs folder"
- include_tasks: "blocks/helpers/setup_logs_folder.yml"
+- name: Setup logs folder
+ ansible.builtin.include_tasks: "blocks/helpers/setup_logs_folder.yml"
tags: "keycloak:install:setup_logs_folder"
-#### Extract keycloak from archive
-- block:
+- name: Extract keycloak from archive
+ block:
- name: "Task block: Download keycloak"
+ become: true
block:
- name: Create keycloak temp directory
- file:
+ ansible.builtin.file:
path: "/tmp/keycloak-tmp"
state: directory
+ mode: "0755"
- name: Download keycloak archive file
- get_url:
+ ansible.builtin.get_url:
url: "{{ keycloak_archive_url }}"
- dest: "/tmp/keycloak_archive"
+ dest: /tmp/keycloak_archive
timeout: 30
+ mode: "0644"
- name: Compute sha1 hash of archive
- stat:
+ ansible.builtin.stat:
path: "/tmp/keycloak_archive"
checksum_algorithm: sha1
register: keycloak_sha1
- name: Create keycloak_home if not exists
- file:
+ ansible.builtin.file:
path: "{{ keycloak_home }}"
state: directory
- - name: create empty file if not exists
+ mode: "0755"
+ - name: Create empty file if not exists
ansible.builtin.copy:
dest: "{{ keycloak_home }}/sha1"
content: ""
- force: no
- - name: Previous sha1
- shell: "cat {{ keycloak_home }}/sha1"
+ force: false
+ mode: "0644"
+ - name: Previous sha1 # noqa command-instead-of-shell
+ ansible.builtin.shell: "cat {{ keycloak_home }}/sha1"
+ changed_when: false
register: previous_sha1
- - name: "Compare sha1"
- set_fact:
+ - name: Compare sha1
+ ansible.builtin.set_fact:
is_same_archive: "{{ true if keycloak_sha1.stat.checksum == previous_sha1.stdout else false }}"
- become: yes
- name: "Task block: Extract keycloak"
+ become: true
+ when: not is_same_archive
block:
- - name: unpack keycloak
- unarchive:
- src: "/tmp/keycloak_archive"
- dest: "/tmp/keycloak-tmp"
+ - name: Unpack keycloak
+ ansible.builtin.unarchive:
+ src: /tmp/keycloak_archive
+ dest: /tmp/keycloak-tmp
owner: "{{ keycloak_service_user }}"
group: "{{ keycloak_service_user }}"
- remote_src: yes
- extra_opts: "--no-same-owner" #since it's run with elevated priviledges, to avoid preserving ownership from the archive
+ remote_src: true
+ extra_opts: "--no-same-owner" # since it's run with elevated priviledges, to avoid preserving ownership from the archive
- name: Find keycloak extracted folder name
- find:
+ ansible.builtin.find:
paths: /tmp/keycloak-tmp
- patterns: 'keycloak*'
+ patterns: "keycloak*"
file_type: directory
- recurse: no
+ recurse: false
register: find_result
- name: Remove any previous installation
ansible.builtin.file:
path: "{{ keycloak_home }}"
state: absent
- name: Move extracted keycloak to final keycloak folder
- command: "mv {{ find_result.files[0].path }} {{ keycloak_home }}"
+ ansible.builtin.command: "mv {{ find_result.files[0].path }} {{ keycloak_home }}"
args:
removes: "{{ find_result.files[0].path }}"
creates: "{{ keycloak_home }}"
- name: Store previous sha1
- copy:
+ ansible.builtin.copy:
dest: "{{ keycloak_home }}/sha1"
content: "{{ keycloak_sha1.stat.checksum }}"
- become: yes
- when: not is_same_archive
-
+ mode: "0644"
always:
- name: Delete downloaded archive
ansible.builtin.file:
- path: "/tmp/keycloak_archive"
+ path: /tmp/keycloak_archive
state: absent
- become: yes
- tags: "keycloak:install:download_extract"
-
-- import_tasks: "quarkus/install.yml"
+- name: Keycloak | import quarkus install tasks
+ ansible.builtin.import_tasks: "quarkus/install.yml"
when: keycloak_version.split('.')[0] | int >= 18
-- import_tasks: "wildfly/install.yml"
+- name: Keycloak | import wildfly install
+ ansible.builtin.import_tasks: wildfly/install.yml
when: keycloak_version.split('.')[0] | int < 18
-
##### configure keycloak
- name: Configure various keycloak aspects
- import_tasks: "configure.yml"
+ ansible.builtin.import_tasks: "configure.yml"
tags: "keycloak:config"
diff --git a/roles/keycloak/tasks/quarkus/install.yml b/roles/keycloak/tasks/quarkus/install.yml
index 76c7c3d2..72b5c250 100644
--- a/roles/keycloak/tasks/quarkus/install.yml
+++ b/roles/keycloak/tasks/quarkus/install.yml
@@ -1,92 +1,89 @@
---
-
-##### Set service user as owner of keycloak base dir
-- block:
+- name: Set service user as owner of keycloak base dir
+ become: true
+ tags: "keycloak:install:setup_file_permissions"
+ block:
- name: "Setting everything under keycloak_home dir to belong to user: {{ keycloak_service_user }}"
- file:
+ ansible.builtin.file:
dest: "{{ keycloak_home }}"
owner: "{{ keycloak_service_user }}"
group: "{{ keycloak_service_user }}"
- recurse: yes
- become: yes
- tags: "keycloak:install:setup_file_permissions"
+ recurse: true
######### Install configuration templates
-- block:
-
+- name: Install configuration templates
+ tags: "keycloak:install:config"
+ block:
- name: Set the appropriate permissions for the keycloak's config folder
- file:
+ ansible.builtin.file:
path: "{{ keycloak_home }}/conf"
state: directory
- mode: 0700
- become: yes
+ mode: "0700"
+ become: true
- name: Installing keycloak main configuration (keycloak.conf)
- template:
- mode: 0600
+ ansible.builtin.template:
+ mode: "0600"
owner: "{{ keycloak_service_user }}"
group: "{{ keycloak_service_user }}"
src: "templates/{{ keycloak_version }}/keycloak.conf.j2"
dest: "{{ keycloak_home }}/conf/keycloak.conf"
- become: yes
+ become: true
- name: Installing keycloak cache configuration (cache-ispn-jdbc-ping.xml)
- template:
- mode: 0600
+ ansible.builtin.template:
+ mode: "0600"
owner: "{{ keycloak_service_user }}"
group: "{{ keycloak_service_user }}"
src: "templates/{{ keycloak_version }}/cache-ispn-jdbc-ping.xml.j2"
dest: "{{ keycloak_home }}/conf/cache-ispn-jdbc-ping.xml"
- become: yes
+ become: true
- name: Installing keycloak quarkus configuration (quarkus.properties)
- template:
- mode: 0600
+ ansible.builtin.template:
+ mode: "0600"
owner: "{{ keycloak_service_user }}"
group: "{{ keycloak_service_user }}"
src: "templates/{{ keycloak_version }}/quarkus.properties.j2"
dest: "{{ keycloak_home }}/conf/quarkus.properties"
- become: yes
-
- tags: "keycloak:install:config"
-
+ become: true
#### Setup logcleaner script
- name: "Task block: Setup logcleaner script"
+ become: true
+ tags: "keycloak:install:setup_logcleaner"
block:
- name: "Ensure the logs folder exists"
- file:
+ ansible.builtin.file:
path: "{{ keycloak_logs_folder }}"
state: directory
mode: '0755'
owner: "{{ keycloak_service_user }}"
group: "{{ keycloak_service_user }}"
- recurse: yes
+ recurse: true
- name: "Install the logcleaner script template"
- template:
+ ansible.builtin.template:
owner: "{{ keycloak_service_user }}"
group: "{{ keycloak_service_user }}"
- mode: 0644
+ mode: "0644"
src: templates/logcleaner.sh.j2
dest: "{{ keycloak_home }}/logcleaner.sh"
- name: "Create the cronjob"
- cron:
+ ansible.builtin.cron:
name: keycloak logcleaner
day: "*"
hour: "0"
minute: "0"
user: "{{ keycloak_service_user }}"
job: "sh {{ keycloak_home }}/logcleaner.sh {{ keycloak_logs_folder }} {{ keycloak_logs_max_days }}"
- become: yes
- tags: "keycloak:install:setup_logcleaner"
### install other plugins
# would loop over block of tasks within install_plugin.yml, but looping on blocks is not allowed in ansible
- name: Install other plugins
- include_tasks: "quarkus/install_plugin.yml"
+ ansible.builtin.include_tasks: quarkus/install_plugin.yml
when: keycloak_plugins is defined
loop: "{{ lookup('dict', keycloak_plugins, wantlist=True) }}"
tags: "keycloak:install:plugins"
@@ -94,37 +91,33 @@
#### setup admin user (it's just adding a file with env variables which are picked up by keycloak upon startup)
- name: "Set env variables for admin user configuration"
- template:
+ ansible.builtin.template:
owner: "{{ keycloak_service_user }}"
group: "{{ keycloak_service_user }}"
- mode: 0600
+ mode: "0600"
src: "templates/{{ keycloak_version }}/env.conf.j2"
dest: "{{ keycloak_home }}/conf/env.conf"
- become: yes
+ become: true
tags: "keycloak:config:setup_admin_user"
############### Setup keycloak as a service
- name: "Setup keycloak as a service"
- template:
+ ansible.builtin.template:
owner: root
group: root
- mode: 0644
+ mode: "0644"
src: templates/keycloak.service.quarkus.j2
dest: /etc/systemd/system/keycloak.service
- become: yes
+ become: true
tags: "keycloak:install:systemd_service"
- name: "Restart keycloak"
- systemd:
+ ansible.builtin.systemd:
name: keycloak
state: restarted
- daemon_reload: yes
- enabled: yes
- become: yes
+ daemon_reload: true
+ enabled: true
+ become: true
tags: "keycloak:install:restart_sys_service"
-
-
-
-
diff --git a/roles/keycloak/tasks/quarkus/install_plugin.yml b/roles/keycloak/tasks/quarkus/install_plugin.yml
index 247941e3..3587c837 100644
--- a/roles/keycloak/tasks/quarkus/install_plugin.yml
+++ b/roles/keycloak/tasks/quarkus/install_plugin.yml
@@ -1,20 +1,21 @@
---
-
-- block:
-
- - name: "Installing plugin {{ item.value.name }} with hot deploy"
+# keycloak/tasks/quarkus/install_plugin.yml
+- name: Why do we have this block?
+ become: true
+ when: not item is undefined
+ tags: "keycloak:install:plugins"
+ block:
+ - name: "Installing plugin with hot deploy: {{ item.value.name }}"
+ when: item.value.hotdeploy is defined
block:
- name: "Download plugin jar into folder /tmp (for plugin: {{ item.value.name }})"
- get_url:
+ ansible.builtin.get_url:
url: "{{ item.value.hotdeploy.jar_url }}"
dest: "/tmp/"
+ mode: "0644"
register: download_result
- #do not download directly to deployment folder (if it's downloaded slowly or the file is large, the deployment might be broken)
+ # do not download directly to deployment folder (if it's downloaded slowly or the file is large, the deployment might be broken)
- name: "Move into deployment folder (for plugin: {{ item.value.name }})"
- command: "mv {{download_result.dest}} {{keycloak_home}}/providers/"
- notify: Clear Keycloak cache
- when: item.value.hotdeploy is defined
-
- when: not item is undefined
- become: yes
- tags: "keycloak:install:plugins"
\ No newline at end of file
+ ansible.builtin.command: "mv {{ download_result.dest }} {{ keycloak_home }}/providers/"
+ notify: Clear Keycloak cache # This is a really bad idea
+ changed_when: true # Gonna have to trigger this always
diff --git a/roles/keycloak/tasks/wildfly/install.yml b/roles/keycloak/tasks/wildfly/install.yml
index 2eafb6a9..5a6098ec 100644
--- a/roles/keycloak/tasks/wildfly/install.yml
+++ b/roles/keycloak/tasks/wildfly/install.yml
@@ -1,84 +1,90 @@
---
######## Create postgresql plugin
-- name: "Task block: Create postgresql plugin"
- block:
- - name: create postresql plugin dir with parent directories
- file:
- path: "{{ keycloak_home }}/modules/system/layers/keycloak/org/postgresql/main"
- state: directory
- - name: Download postgresql JDBC driver
- get_url:
- url: "https://jdbc.postgresql.org/download/{{ keycloak_postgresql_jar_name }}"
- dest: "{{ keycloak_home }}/modules/system/layers/keycloak/org/postgresql/main"
- - name: Installing postgresql plugin
- template:
- src: templates/module.xml.j2
- dest: "{{ keycloak_home }}/modules/system/layers/keycloak/org/postgresql/main/module.xml"
- become: yes
+- name: Task block | Create postgresql plugin
+ become: true
tags: "keycloak:install:postgresql_plugin"
+ block:
+ - name: Ceate postresql plugin dir with parent directories
+ ansible.builtin.file:
+ path: "{{ keycloak_home }}/modules/system/layers/keycloak/org/postgresql/main"
+ state: directory
+ mode: "0755"
+ - name: Download postgresql JDBC driver
+ ansible.builtin.get_url:
+ url: "https://jdbc.postgresql.org/download/{{ keycloak_postgresql_jar_name }}"
+ dest: "{{ keycloak_home }}/modules/system/layers/keycloak/org/postgresql/main"
+ mode: "0644"
+ - name: Installing postgresql plugin
+ ansible.builtin.template:
+ src: templates/module.xml.j2
+ dest: "{{ keycloak_home }}/modules/system/layers/keycloak/org/postgresql/main/module.xml"
+ mode: "0600"
-######## Install template standalone-ha.xml
+######## Install template standalone-ha.xml
- name: Installing keycloak configuration (standalone-ha.xml)
- template:
- mode: 0600
+ ansible.builtin.template:
+ mode: "0600"
src: "templates/{{ keycloak_version }}/standalone-ha.xml.j2"
dest: "{{ keycloak_home }}/standalone/configuration/standalone-ha.xml"
- become: yes
+ become: true
tags: "keycloak:install:standaloneha"
##### Set keycloak working dir and logs writable for service user
-- name: "Setting standalone folder writable for user: {{ keycloak_service_user }} - where it's internal temporary files are created"
- file:
+- name: "Setting standalone folder writable for user: where it's internal temporary files are created: {{ keycloak_service_user }}"
+ ansible.builtin.file:
dest: "{{ keycloak_home }}/standalone"
owner: "{{ keycloak_service_user }}"
group: "{{ keycloak_service_user }}"
- recurse: yes
- become: yes
+ recurse: true
+ become: true
tags: "keycloak:install:setup_file_permissions"
############### Setup admin user
-- name: "Task block: Setup admin user"
- block:
- - name: Remove file (delete file if exists)
- file:
- path: "{{ keycloak_home }}/standalone/configuration/keycloak-add-user.json"
- state: absent
- - name: Create admin user
- shell: "{{ keycloak_home }}/bin/add-user-keycloak.sh -u {{ keycloak_admin.user }} -p {{ keycloak_admin.pass }}"
- args:
- executable: /bin/bash
- become: yes
+- name: Task block | Setup admin user"
+ become: true
tags: "keycloak:install:setup_admin"
+ block:
+ - name: Remove file (delete file if exists)
+ ansible.builtin.file:
+ path: "{{ keycloak_home }}/standalone/configuration/keycloak-add-user.json"
+ state: absent
+ - name: Create admin user
+ ansible.builtin.shell: >-
+ "{{ keycloak_home }}/bin/add-user-keycloak.sh \
+ -u {{ keycloak_admin.user }} \
+ -p {{ keycloak_admin.pass }}"
+ args:
+ executable: /bin/bash
+ changed_when: false
#### Setup logcleaner script
- name: "Task block: Setup logcleaner script"
+ become: true
+ tags: "keycloak:install:setup_logcleaner"
block:
- name: "Install the logcleaner script template"
- template:
+ ansible.builtin.template:
owner: "{{ keycloak_service_user }}"
group: "{{ keycloak_service_user }}"
- mode: 0640
+ mode: "0640"
src: templates/logcleaner.sh.j2
dest: "{{ keycloak_home }}/logcleaner.sh"
- name: "Create the cronjob"
- cron:
+ ansible.builtin.cron:
name: keycloak logcleaner
day: "*"
hour: "0"
minute: "0"
user: "{{ keycloak_service_user }}"
job: "sh {{ keycloak_home }}/logcleaner.sh {{ keycloak_logs_folder }} {{ keycloak_logs_max_days }}"
- become: yes
- tags: "keycloak:install:setup_logcleaner"
-
### install other plugins
# would loop over block of tasks within install_plugin.yml, but looping on blocks is not allowed in ansible
- name: Install other plugins
- include_tasks: "wildfly/install_plugin.yml"
+ ansible.builtin.include_tasks: "wildfly/install_plugin.yml"
when: not keycloak_plugins is undefined
loop: "{{ lookup('dict', keycloak_plugins, wantlist=True) }}"
tags: "keycloak:install:plugins"
@@ -87,24 +93,20 @@
############### Setup keycloak as a service
- name: "Setup keycloak as a service"
- template:
+ ansible.builtin.template:
owner: root
group: root
- mode: 0644
+ mode: "0644"
src: templates/keycloak.service.wildfly.j2
dest: /etc/systemd/system/keycloak.service
- become: yes
+ become: true
tags: "keycloak:install:setup_sys_service"
- name: "Restart keycloak"
- systemd:
+ ansible.builtin.systemd:
name: keycloak
state: restarted
- daemon_reload: yes
- enabled: yes
- become: yes
+ daemon_reload: true
+ enabled: true
+ become: true
tags: "keycloak:install:restart_sys_service"
-
-
-
-
diff --git a/roles/keycloak/tasks/wildfly/install_plugin.yml b/roles/keycloak/tasks/wildfly/install_plugin.yml
index 1f315cfd..e7923c33 100644
--- a/roles/keycloak/tasks/wildfly/install_plugin.yml
+++ b/roles/keycloak/tasks/wildfly/install_plugin.yml
@@ -1,26 +1,32 @@
---
-
-- block:
- - name: "Installing plugin {{ item.value.name }} as a module"
- block:
-
+# keycloak/tasks/widlfly/install-plugin.yml
+- name: Install widlfly plugin
+ when: not item is undefined
+ become: true
+ tags: "keycloak:install:plugins"
+ ansible.builtin.block:
+ - name: "Installing plugin as a module: {{ item.value.name }}"
+ ansible.builtin.block:
- name: "Create plugin dir with parent directories (for plugin: {{ item.value.name }})"
- file:
+ ansible.builtin.file:
path: "{{ keycloak_home }}/modules/system/layers/keycloak/org/keycloak/{{ item.value.name }}/main"
state: directory
+ mode: "0755"
- name: "Download plugin jar (of plugin: {{ item.value.name }})"
- get_url:
+ ansible.builtin.get_url:
url: "{{ item.value.module.jar_url }}"
dest: "{{ keycloak_home }}/modules/system/layers/keycloak/org/keycloak/{{ item.value.name }}/main/"
+ mode: "0644"
- name: "Install module.xml (for plugin: {{ item.value.name }})"
- get_url:
+ ansible.builtin.get_url:
url: "{{ item.value.module.modulexml_url }}"
dest: "{{ keycloak_home }}/modules/system/layers/keycloak/org/keycloak/{{ item.value.name }}/main/"
+ mode: "0644"
- name: "Setup keycloak xml providers (for plugin: {{ item.value.name }})"
- xml:
+ community.general.xml:
path: "{{ keycloak_home }}/standalone/configuration/standalone-ha.xml"
xpath: /srv:server/srv:profile/sub:subsystem/sub:providers
input_type: xml
@@ -31,7 +37,7 @@
sub: "{{ namespaces.domain_server }}"
- name: "Setup keycloak xml theme modules (for plugin: {{ item.value.name }})"
- xml:
+ community.general.xml:
path: "{{ keycloak_home }}/standalone/configuration/standalone-ha.xml"
xpath: /srv:server/srv:profile/sub:subsystem/sub:theme
input_type: xml
@@ -41,22 +47,17 @@
srv: "{{ namespaces.domain }}"
sub: "{{ namespaces.domain_server }}"
when: item.value.theme is defined
-
when: item.value.module is defined
- - name: "Installing plugin {{ item.value.name }} with hot deploy"
+ - name: "Installing plugin with hot deploy: {{ item.value.name }}"
block:
- name: "Download plugin jar into folder /tmp (for plugin: {{ item.value.name }})"
- get_url:
+ ansible.builtin.get_url:
url: "{{ item.value.hotdeploy.jar_url }}"
dest: "/tmp/"
register: download_result
- #do not download directly to deployment folder (if it's downloaded slowly or the file is large, the deployment might be broken)
+ # do not download directly to deployment folder (if it's downloaded slowly or the file is large, the deployment might be broken)
- name: "Move into deployment folder (for plugin: {{ item.value.name }})"
- command: "mv {{download_result.dest}} {{keycloak_home}}/standalone/deployments/"
+ ansible.builtin.command: "mv {{ download_result.dest }} {{ keycloak_home }}/standalone/deployments/"
when: item.value.hotdeploy is defined
-
- when: not item is undefined
- become: yes
- tags: "keycloak:install:plugins"
\ No newline at end of file
diff --git a/roles/keycloak/vars/keycloak-13.yml b/roles/keycloak/vars/keycloak-13.yml
index a158abb1..659bff0d 100644
--- a/roles/keycloak/vars/keycloak-13.yml
+++ b/roles/keycloak/vars/keycloak-13.yml
@@ -1,7 +1,6 @@
# file: keycloak/vars/13.yml
#
---
-
-namespaces:
+namespaces: # noqa var-naming[no-role-prefix]
domain: "urn:jboss:domain:16.0"
domain_server: "urn:jboss:domain:keycloak-server:1.1"
diff --git a/roles/keycloak/vars/keycloak-14.yml b/roles/keycloak/vars/keycloak-14.yml
index 91898e4d..6deb2d6f 100644
--- a/roles/keycloak/vars/keycloak-14.yml
+++ b/roles/keycloak/vars/keycloak-14.yml
@@ -2,6 +2,6 @@
#
---
-namespaces:
+namespaces: # noqa var-naming[no-role-prefix]
domain: "urn:jboss:domain:16.0"
domain_server: "urn:jboss:domain:keycloak-server:1.1"
diff --git a/roles/keycloak/vars/keycloak-15.yml b/roles/keycloak/vars/keycloak-15.yml
index 17b6b981..f451a32c 100644
--- a/roles/keycloak/vars/keycloak-15.yml
+++ b/roles/keycloak/vars/keycloak-15.yml
@@ -1,8 +1,7 @@
# file: keycloak/vars/15.yml
#
---
-
-namespaces:
+namespaces: # noqa var-naming[no-role-prefix]
domain: "urn:jboss:domain:16.0"
domain_server: "urn:jboss:domain:keycloak-server:1.1"
diff --git a/roles/keycloak/vars/keycloak-16.yml b/roles/keycloak/vars/keycloak-16.yml
index 0bdab65f..40a1c2b4 100644
--- a/roles/keycloak/vars/keycloak-16.yml
+++ b/roles/keycloak/vars/keycloak-16.yml
@@ -1,8 +1,7 @@
# file: keycloak/vars/16.yml
#
---
-
-namespaces:
+namespaces: # noqa var-naming[no-role-prefix]
domain: "urn:jboss:domain:19.0"
domain_server: "urn:jboss:domain:keycloak-server:1.1"
diff --git a/roles/keycloak/vars/os/Debian-buster.yml b/roles/keycloak/vars/os/Debian-buster.yml
index 16e57ba5..f67f5985 100644
--- a/roles/keycloak/vars/os/Debian-buster.yml
+++ b/roles/keycloak/vars/os/Debian-buster.yml
@@ -1,4 +1,4 @@
---
-
-#this jar should match with the default version of postgresql of the target machine. i.e. for debian 10, it's the postgresql-42.2.22.jar
+# this jar should match with the default version of postgresql of the target machine.
+# i.e. for debian 10, it's the postgresql-42.2.22.jar
keycloak_postgresql_jar_name: "postgresql-42.2.22.jar"
diff --git a/roles/letsencrypt/defaults/main.yml b/roles/letsencrypt/defaults/main.yml
index 399fd148..4ccda14c 100644
--- a/roles/letsencrypt/defaults/main.yml
+++ b/roles/letsencrypt/defaults/main.yml
@@ -1,7 +1,9 @@
---
# this should have value either "snap" or "os_repo"
-install_from: "snap"
+letsencrypt_install_from: "snap"
-# Email address for important account notifications. For example, Let’s Encrypt will automatically send expiry notices to this email address when your certificate is coming up for renewal
-#letsencrypt_email: "bob.builder@example.org"
+# Email address for important account notifications.
+# For example, Let’s Encrypt will automatically send expiry notices
+# to this email address when your certificate is coming up for renewal
+# letsencrypt_email: "bob.builder@example.org"
diff --git a/roles/letsencrypt/tasks/install-Debian.yml b/roles/letsencrypt/tasks/install-Debian.yml
index fea74409..5f55ae77 100644
--- a/roles/letsencrypt/tasks/install-Debian.yml
+++ b/roles/letsencrypt/tasks/install-Debian.yml
@@ -1,43 +1,56 @@
---
-
- name: Install certbot from snap
+ become: true
+ when: letsencrypt_install_from == "snap"
block:
- - name: "Required packages"
- apt:
+ - name: Required packages
+ ansible.builtin.apt:
name:
- snapd
- python-simplejson
state: present
- name: Ensure versions of certbot from apt are not present
- apt:
+ ansible.builtin.apt:
name:
- certbot
state: absent
- - name: snap install core
- snap:
+ - name: Snap install core
+ community.general.snapsnap:
name: core
- - name: snap install certbot
- snap:
+ - name: Snap install certbot
+ community.general.snap:
name: certbot
- classic: yes
+ classic: true
- name: Prepare certbot folders
- shell: "ln -sf /snap/bin/certbot /usr/bin/certbot"
- when: {{ install_from }} == "snap"
+ ansible.builtin.file:
+ src: /snap/bin/certbot
+ dest: /usr/bin/certbot
+ owner: root
+ group: root
+ state: link
- name: Install certbot from debian repo
+ become: true
+ when: letsencrypt_install_from == "os_repo"
block:
- - name: "Installing certbot from apt"
- apt:
- name:
- - certbot
- state: present
- when: {{ install_from }} == "os_repo"
-
-
+ - name: "Installing certbot from apt"
+ ansible.builtin.apt:
+ name:
+ - certbot
+ state: present
-- name: Run certbot script and create certificates
- shell: "certbot certonly --standalone --email {{ letsencrypt_email }} --agree-tos -d {{ inventory_hostname }} --non-interactive"
+- name: Run certbot script and create certificates # noqa command-instead-of-shell
+ become: true
+ ansible.builtin.shell: >-
+ certbot
+ certonly
+ --standalone
+ --email "{{ letsencrypt_email }}"
+ --agree-tos
+ -d "{{ inventory_hostname }}"
+ --non-interactive
+ changed_when: false
diff --git a/roles/letsencrypt/tasks/main.yml b/roles/letsencrypt/tasks/main.yml
index abf9a163..f5375282 100644
--- a/roles/letsencrypt/tasks/main.yml
+++ b/roles/letsencrypt/tasks/main.yml
@@ -1,7 +1,5 @@
---
-- name: "Detected Debian - Running debian installation file"
- include: install-Debian.yml
+- name: Detected Debian - Running debian installation file
+ ansible.builtin.include_tasks: install-Debian.yml
when: ansible_os_family == 'Debian'
- become: yes
-
diff --git a/roles/memcached/defaults/main.yml b/roles/memcached/defaults/main.yml
index 0f4b3478..cd67383d 100644
--- a/roles/memcached/defaults/main.yml
+++ b/roles/memcached/defaults/main.yml
@@ -1,12 +1,11 @@
---
-
memcached_log_file: "/var/log/memcached.log"
-# Log verbosity levels:
+# Log verbosity levels:
# `""` Don't log anything (Default)
# `-v` Be verbose during the event loop; print out errors and warnings.
# `-vv` Be even more verbose; same as -v but also print client commands and
# responses.
-# `-vvv` Be extremely verbose; same as -vv but also print internal state
+# `-vvv` Be extremely verbose; same as -vv but also print internal state
# transitions.
memcached_log_verbosity: ""
@@ -20,7 +19,7 @@ memcached_listen_port_udp: 11211
# IP address to listen on; the default is to listen on all IP addresses.
# Binding to an internal or firewalled network interface is suggested.
-#memcached_listen_address: 127.0.0.1
+# memcached_listen_address: 127.0.0.1
# Max number of simultaneous connections.
memcached_connections_max: 1024
diff --git a/roles/memcached/handlers/main.yml b/roles/memcached/handlers/main.yml
index 48d36004..663bb3bb 100644
--- a/roles/memcached/handlers/main.yml
+++ b/roles/memcached/handlers/main.yml
@@ -1,7 +1,6 @@
---
-
- name: Restart memcached
- service:
- name: memcached
+ ansible.builtin.service:
+ name: memcached
state: restarted
- become: yes
+ become: true
diff --git a/roles/memcached/tasks/configure-common.yml b/roles/memcached/tasks/configure-common.yml
index ce376ab3..f13436c9 100644
--- a/roles/memcached/tasks/configure-common.yml
+++ b/roles/memcached/tasks/configure-common.yml
@@ -1,11 +1,10 @@
---
-
- name: Ensure memcached service is configured
- template:
+ ansible.builtin.template:
src: memcached-{{ ansible_os_family }}.conf.j2
dest: "{{ memcached_config_file }}"
owner: root
group: root
- mode: 0644
- become: yes
+ mode: "0644"
+ become: true
notify: Restart memcached
diff --git a/roles/memcached/tasks/install-Debian.yml b/roles/memcached/tasks/install-Debian.yml
index 3ca5825b..04531ed0 100644
--- a/roles/memcached/tasks/install-Debian.yml
+++ b/roles/memcached/tasks/install-Debian.yml
@@ -1,7 +1,6 @@
---
-
- name: Update package cache (Debian)
- apt:
- update_cache: yes
+ ansible.builtin.apt:
+ update_cache: true
cache_valid_time: 86400
- become: yes
+ become: true
diff --git a/roles/memcached/tasks/install-common.yml b/roles/memcached/tasks/install-common.yml
index 0dcbec29..2a5250cd 100644
--- a/roles/memcached/tasks/install-common.yml
+++ b/roles/memcached/tasks/install-common.yml
@@ -1,7 +1,6 @@
---
-
- name: Ensure memcached server is installed
- package:
- name: memcached
+ ansible.builtin.package:
+ name: memcached
state: present
- become: yes
+ become: true
diff --git a/roles/memcached/tasks/main.yml b/roles/memcached/tasks/main.yml
index ba2ee25a..bd560e59 100644
--- a/roles/memcached/tasks/main.yml
+++ b/roles/memcached/tasks/main.yml
@@ -1,21 +1,21 @@
---
- name: Include OS-specific variables
- include_vars: "{{ ansible_os_family }}.yml"
+ ansible.builtin.include_vars: "{{ ansible_os_family }}.yml"
-# Run OS-specific installation tasks
-- include: install-Debian.yml
+- name: OS-specific installation tasks
+ ansible.builtin.include_tasks: install-Debian.yml
when: ansible_os_family == 'Debian'
-# Run OS-independent installation tasks
-- include: install-common.yml
+- name: OS-independent installation tasks
+ ansible.builtin.include_tasks: install-common.yml
-# Apply OS-independent configuration
-- include: configure-common.yml
+- name: Apply OS-independent configuration
+ ansible.builtin.include_tasks: configure-common.yml
- name: Ensure memcached service is at selected state and enabled on boot
- service:
+ ansible.builtin.service:
name: memcached
state: started
- enabled: yes
- become: yes
+ enabled: true
+ become: true
diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml
index 92a02a28..1b6e0709 100644
--- a/roles/nginx/defaults/main.yml
+++ b/roles/nginx/defaults/main.yml
@@ -12,7 +12,7 @@ nginx_remove_default_vhost: false
# SSL protocols that should be enabled
nginx_ssl_protocols: "TLSv1.3 TLSv1.2"
# SSL ciphers that should be enabled
-nginx_ssl_ciphers: "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA512:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDH+AESGCM:ECDH+AES256:DH+AESGCM:DH+AES256:RSA+AESGCM:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS"
+nginx_ssl_ciphers: "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA512:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDH+AESGCM:ECDH+AES256:DH+AESGCM:DH+AES256:RSA+AESGCM:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS" # noqa yaml[line-length]
# Name servers used to resolve names of upstream servers into addresses
nginx_resolver: "8.8.8.8 8.8.4.4 [2001:4860:4860::8888] [2001:4860:4860::8844]"
@@ -32,21 +32,21 @@ nginx_ssl_certificate_key_file_group: "root"
nginx_ssl_certificate_key_file_mode: "0600"
# Uncomment to generate file with custom DH parameters for DHE ciphers
-#nginx_dhparam_file: "dhparam.pem"
+# nginx_dhparam_file: "dhparam.pem"
# Number of bits used for generating DH parameter set
nginx_dhparam_size: 2048
nginx_enable_rsyslog_pgsql_logs: false
-#nginx_upstream_groups:
+# nginx_upstream_groups:
# - name: "web_backend"
# servers:
-# - address: "192.168.0.1"
+# - address: "192.168.0.1"
# weight: 1
-# - address: "192.168.0.2"
+# - address: "192.168.0.2"
# weight: 1
-#nginx_vhosts:
+# nginx_vhosts:
# - server_name: "www.example.org"
# listen:
# - "443 ssl default_server"
diff --git a/roles/nginx/handlers/main.yml b/roles/nginx/handlers/main.yml
index 7c2fa2bd..391e14b3 100644
--- a/roles/nginx/handlers/main.yml
+++ b/roles/nginx/handlers/main.yml
@@ -1,7 +1,7 @@
---
- name: Restart nginx
- service:
- name: nginx
+ ansible.builtin.service:
+ name: nginx
state: restarted
- become: yes
+ become: true
diff --git a/roles/nginx/tasks/configure-common.yml b/roles/nginx/tasks/configure-common.yml
index c5b37225..9c60f675 100644
--- a/roles/nginx/tasks/configure-common.yml
+++ b/roles/nginx/tasks/configure-common.yml
@@ -1,58 +1,57 @@
# file: nginx/tasks/configure-common.yml
#
---
-
-- name: Ensure file with custom DH parameters for DHE ciphers exists
- shell: openssl dhparam -dsaparam -out {{ nginx_dhparam_file }} {{ nginx_dhparam_size }}
+- name: Ensure file with custom DH parameters for DHE ciphers exists # noqa command-instead-of-shell
+ ansible.builtin.shell: openssl dhparam -dsaparam -out {{ nginx_dhparam_file }} {{ nginx_dhparam_size }}
args:
chdir: "{{ nginx_conf_path }}"
creates: "{{ nginx_conf_path }}/{{ nginx_dhparam_file }}"
- become: yes
+ become: true
notify: Restart nginx
when: nginx_dhparam_file is defined
- name: Ensure nginx service is configured
- template:
+ ansible.builtin.template:
src: nginx-{{ ansible_os_family }}.conf.j2
dest: "{{ nginx_conf_path }}/nginx.conf"
owner: root
group: root
- mode: 0644
- backup: yes
- become: yes
+ mode: "0644"
+ backup: true
+ become: true
notify: Restart nginx
- name: Disable default nginx Virtual Host configuration
- file:
+ ansible.builtin.file:
path: "{{ nginx_conf_path }}/sites-enabled/{{ nginx_default_vhost_filename }}"
state: absent
- become: yes
+ become: true
notify: Restart nginx
when: nginx_remove_default_vhost
-# Configure nginx Virtual Host SSL certificates
-- include: configure-ssl-cert.yml
+- name: Configure nginx Virtual Host SSL certificates
+ ansible.builtin.include_tasks: configure-ssl-cert.yml
when: nginx_vhosts is defined
tags:
- nginx:config:cert
- name: Add nginx Virtual Host configuration
- template:
+ ansible.builtin.template:
src: "vhosts.conf.j2"
dest: "{{ nginx_conf_path }}/sites-available/{{ nginx_vhosts_filename }}"
owner: root
group: root
- mode: 0644
- backup: yes
- become: yes
+ mode: "0644"
+ backup: true
+ become: true
notify: Restart nginx
when: nginx_create_vhosts
- name: Enable nginx Virtual Host configuration
- file:
+ ansible.builtin.file:
src: "{{ nginx_conf_path }}/sites-available/{{ nginx_vhosts_filename }}"
dest: "{{ nginx_conf_path }}/sites-enabled/{{ nginx_vhosts_filename }}"
state: link
- become: yes
+ become: true
notify: Restart nginx
when: nginx_create_vhosts
diff --git a/roles/nginx/tasks/configure-ssl-cert.yml b/roles/nginx/tasks/configure-ssl-cert.yml
index 2b03b756..63614738 100644
--- a/roles/nginx/tasks/configure-ssl-cert.yml
+++ b/roles/nginx/tasks/configure-ssl-cert.yml
@@ -3,54 +3,56 @@
---
- name: Ensure nginx SSL certificate directories exist
- file:
+ ansible.builtin.file:
path: "{{ item.certificate_file | dirname }}"
owner: "{{ nginx_ssl_certificate_file_owner }}"
group: "{{ nginx_ssl_certificate_file_group }}"
state: directory
+ mode: "0755"
with_items:
- "{{ nginx_vhosts }}"
when: item.certificate_file is defined and item.certificate is defined
- become: yes
+ become: true
- name: Ensure nginx SSL certificates are copied
- copy:
+ ansible.builtin.copy:
dest: "{{ item.certificate_file }}"
content: "{{ item.certificate }}"
owner: "{{ nginx_ssl_certificate_file_owner }}"
group: "{{ nginx_ssl_certificate_file_group }}"
mode: "{{ nginx_ssl_certificate_file_mode }}"
- backup: yes
+ backup: true
with_items:
- "{{ nginx_vhosts }}"
when: item.certificate_file is defined and item.certificate is defined
- become: yes
+ become: true
notify:
- Restart nginx
- name: Ensure nginx SSL certificate key directories exist
- file:
+ ansible.builtin.file:
path: "{{ item.certificate_key_file | dirname }}"
owner: "{{ nginx_ssl_certificate_key_file_owner }}"
group: "{{ nginx_ssl_certificate_key_file_group }}"
state: directory
+ mode: "0755"
with_items:
- "{{ nginx_vhosts }}"
when: item.certificate_key_file is defined and item.certificate_key is defined
- become: yes
+ become: true
- name: Ensure nginx SSL certificate keys are copied
- copy:
+ ansible.builtin.copy:
dest: "{{ item.certificate_key_file }}"
content: '{{ item.certificate_key }}'
owner: "{{ nginx_ssl_certificate_key_file_owner }}"
group: "{{ nginx_ssl_certificate_key_file_group }}"
mode: "{{ nginx_ssl_certificate_key_file_mode }}"
- backup: yes
+ backup: true
with_items:
- "{{ nginx_vhosts }}"
when: item.certificate_key_file is defined and item.certificate_key is defined
- become: yes
- no_log: yes
+ become: true
+ no_log: true
notify:
- Restart nginx
diff --git a/roles/nginx/tasks/install-Debian.yml b/roles/nginx/tasks/install-Debian.yml
index 0c1e4347..7ae0adb7 100644
--- a/roles/nginx/tasks/install-Debian.yml
+++ b/roles/nginx/tasks/install-Debian.yml
@@ -1,11 +1,11 @@
---
- name: Ensure nginx server is installed (Debian)
- apt:
+ ansible.builtin.apt:
name:
- nginx
state: present
- install_recommends: no
- update_cache: yes
+ install_recommends: false
+ update_cache: true
cache_valid_time: 86400
- become: yes
+ become: true
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
index 0f52adf2..ce3f091d 100644
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -1,20 +1,21 @@
---
- name: Include OS-specific variables
- include_vars: "{{ ansible_os_family }}.yml"
+ ansible.builtin.include_vars: "{{ ansible_os_family }}.yml"
-# Install OS-specific packages
-- include: install-Debian.yml
+- name: Install OS-specific packages
+ ansible.builtin.include_tasks: install-Debian.yml
when: ansible_os_family == 'Debian'
-#- include: install-CentOS.yml
-# when: ansible_os_family == 'CentOS'
-# Apply OS-independent configuration
-- include: configure-common.yml
+# - include: install-CentOS.yml
+# when: ansible_os_family == 'CentOS'
+
+- name: Apply OS-independent configuration
+ ansible.builtin.include_tasks: configure-common.yml
- name: Ensure nginx service is started and enabled on boot
- service:
+ ansible.builtin.service:
name: "{{ nginx_service }}"
state: started
- enabled: yes
- become: yes
+ enabled: true
+ become: true
diff --git a/roles/nginx/templates/vhosts.conf.j2 b/roles/nginx/templates/vhosts.conf.j2
index d185cb65..f98b8a5c 100644
--- a/roles/nginx/templates/vhosts.conf.j2
+++ b/roles/nginx/templates/vhosts.conf.j2
@@ -8,7 +8,7 @@ upstream {{ upstream_group.name }} {
{{ upstream_group.load_balancing_method }};
{% endif %}
{% for upstream_server in upstream_group.servers %}
- server {{ upstream_server.address }}
+ server {{ upstream_server.address }}
weight={{ upstream_server.weight | default(1) }}
{% if upstream_server.backup is defined and upstream_server.backup %}
backup
diff --git a/roles/openldap/defaults/main.yml b/roles/openldap/defaults/main.yml
index 31d65b39..b4fb752b 100644
--- a/roles/openldap/defaults/main.yml
+++ b/roles/openldap/defaults/main.yml
@@ -1,26 +1,26 @@
---
# defaults file for ansible-openldap
-openldap_init: false #when enabled it will initialise the LDAP directory. If already installed, the LDAP directory contents will be backed up
-#openldap_admin_password: 'secret'
-#openldap_admin_password_salt: 'defaultsecretsalt'
+openldap_init: false # when enabled it will initialise the LDAP directory. If already installed, the LDAP directory contents will be backed up
+# openldap_admin_password: 'secret'
+# openldap_admin_password_salt: 'defaultsecretsalt'
openldap_admin_user: 'admin'
openldap_org: 'example.test'
openldap_tld: 'org'
openldap_base: 'dc=example,dc=test,dc={{ openldap_tld }}'
openldap_uri: 'ldap://example.test.org'
openldap_bind_id: 'cn={{ openldap_admin_user }},{{ openldap_base }}'
-openldap_organizationalunits: #defines OU's to populate
+openldap_organizationalunits: # defines OU's to populate
- people
- groups
-openldap_populate: false #defines if openldap DB should be populated with openldap_organizationalunits, openldap_posixgroups
-openldap_schema: false #defines if additional schemas should be added
+openldap_populate: false # defines if openldap DB should be populated with openldap_organizationalunits, openldap_posixgroups
+openldap_schema: false # defines if additional schemas should be added
openldap_acl: false
-openldap_posixgroups: #defines groups to create within OU's
+openldap_posixgroups: # defines groups to create within OU's
- name: admin-CO:COU:example.org:members
ou: roles
- gidNum: 500 #start group numbers at 500 and up
+ gidNum: 500 # start group numbers at 500 and up
-openldap_adminusers: #defines admin users
+openldap_adminusers: # defines admin users
- cn: client-example
sn: Example
displayName: 'Client Example'
@@ -37,4 +37,4 @@ openldap_certificate: []
openldap_certificate_key_file: 'cert_key.key'
openldap_certificate_key: []
openldap_slapd_services: "ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
-pri_domain_name: '{{ openldap_org }}.{{ openldap_tld }}'
+openldap_pri_domain_name: '{{ openldap_org }}.{{ openldap_tld }}'
diff --git a/roles/openldap/handlers/main.yml b/roles/openldap/handlers/main.yml
index 92294dbe..b1708a9f 100644
--- a/roles/openldap/handlers/main.yml
+++ b/roles/openldap/handlers/main.yml
@@ -1,8 +1,19 @@
---
# handlers file for ansible-openldap
- name: Restart slapd
- service:
+ ansible.builtin.service:
name: slapd
state: restarted
- become: yes
+ become: true
+- name: Enable Attribute Options to openLDAP # noqa command-instead-of-shell
+ ansible.builtin.shell: >-
+ ldapmodify \
+ -Y EXTERNAL \
+ -H ldapi:/// \
+ -f /etc/ldap/slapd.d/olc_attribute_options.ldif
+ ignore_errors: true # noqa ignore-errors
+ changed_when: false
+ when: olc_attribute_options_file is changed # noqa no-handler
+ become: true
+ run_once: true
diff --git a/roles/openldap/tasks/configure.yml b/roles/openldap/tasks/configure.yml
index 3eeeb035..aa977a46 100644
--- a/roles/openldap/tasks/configure.yml
+++ b/roles/openldap/tasks/configure.yml
@@ -1,277 +1,328 @@
---
- name: Configure openLDAP file
- template:
- src: "etc/ldap/ldap.conf.j2"
- dest: "/etc/ldap/ldap.conf"
+ ansible.builtin.template:
+ src: etc/ldap/ldap.conf.j2
+ dest: /etc/ldap/ldap.conf
owner: root
group: root
- mode: 0644
- backup: yes
- become: yes
+ mode: "0644"
+ backup: true
+ become: true
- name: Enable SSL port for openLDAP
- template:
- src: 'etc/default/slapd/slapd.j2'
- dest: '/etc/default/slapd'
+ ansible.builtin.template:
+ src: etc/default/slapd/slapd.j2
+ dest: /etc/default/slapd
owner: root
group: root
- backup: yes
- become: yes
+ mode: "0644"
+ backup: true
+ become: true
- name: Ensure /etc/ldap/certs dir exists
- file:
+ ansible.builtin.file:
path: /etc/ldap/certs
state: directory
owner: openldap
group: openldap
- become: yes
+ mode: "0755"
+ become: true
when: openldap_ca_certificate is defined and openldap_ca_certificate|length > 0
- name: Copy certificates config file
- template:
+ ansible.builtin.template:
src: "etc/ldap/certs/certs.ldif.j2"
dest: "/etc/ldap/slapd.d/certs.ldif"
owner: root
group: root
- mode: 0640
- become: yes
+ mode: "0640"
+ become: true
when: openldap_ca_certificate is defined and openldap_ca_certificate|length > 0
- name: Ensure /etc/ldap/cacerts dir exists
- file:
+ ansible.builtin.file:
path: /etc/ldap/cacerts
state: directory
owner: openldap
group: openldap
- become: yes
+ mode: "0755"
+ become: true
when: openldap_ca_certificate is defined and openldap_ca_certificate|length > 0
- name: Ensure CA certificate is copied
- copy:
+ ansible.builtin.copy:
dest: "/etc/ldap/cacerts/{{ openldap_ca_certificate_file }}"
content: "{{ openldap_ca_certificate }}"
owner: openldap
group: openldap
mode: '0600'
- backup: yes
+ backup: true
when: openldap_ca_certificate_file is defined and openldap_ca_certificate is defined
and openldap_ca_certificate|length > 0
- become: yes
+ become: true
- name: Ensure certificate is copied
- copy:
+ ansible.builtin.copy:
dest: "/etc/ldap/certs/{{ openldap_certificate_file }}"
content: "{{ openldap_certificate }}"
owner: openldap
group: openldap
mode: '0600'
- backup: yes
+ backup: true
when: openldap_certificate_file is defined and openldap_certificate is defined
and openldap_certificate|length > 0
- become: yes
+ become: true
- name: Ensure certificate key is copied
- copy:
+ ansible.builtin.copy:
dest: "/etc/ldap/certs/{{ openldap_certificate_key_file }}"
content: "{{ openldap_certificate_key }}"
owner: openldap
group: openldap
- mode: '0600'
- backup: yes
- when: openldap_certificate_key_file is defined and openldap_certificate_key is defined
- and openldap_certificate_key|length > 0
- become: yes
- no_log: yes
+ mode: "0600"
+ backup: true
+ when: openldap_certificate_key_file is defined and openldap_certificate_key is defined and openldap_certificate_key|length > 0
+ become: true
+ no_log: true
-- name: Add certificate config file to OpenLDAP
- shell: 'ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/slapd.d/certs.ldif'
- ignore_errors: yes #set to get around erroring out that items already exist
+- name: Add certificate config file to OpenLDAP # noqa command-instead-of-shell
+ ansible.builtin.shell: >-
+ ldapmodify \
+ -Y EXTERNAL \
+ -H ldapi:/// \
+ -f /etc/ldap/slapd.d/certs.ldif
+ ignore_errors: true # noqa ignore-errors
when: openldap_ca_certificate is defined
and openldap_ca_certificate|length > 0
and openldap_certificate is defined
and openldap_certificate|length > 0
and openldap_certificate_key is defined
and openldap_certificate_key|length > 0
- become: yes
+ become: true
+ changed_when: false # TODO define change conditions
notify: Restart slapd
- name: Copy admin_password to /etc/ldap/slapd.d/.slapdadmin
- copy:
- content: "{{ openldap_admin_password | password_hash('ldap_salted_sha1', openldap_admin_password_salt) }}"
+ ansible.builtin.copy:
+ content: "{{ openldap_admin_password | password_hash('ldap_salted_sha1', openldap_admin_password_salt) }}"
dest: "/etc/ldap/slapd.d/.slapdadmin"
owner: root
group: root
- mode: 400
- become: yes
+ mode: "0400"
+ become: true
register: admin_pass_file
- name: Copy the ldif template to set the admin password
- template:
- src: "etc/ldap/slapd.d/modify_password.ldif.j2"
- dest: "/etc/ldap/slapd.d/adminpwd_ldif.tmpl"
- become: yes
+ ansible.builtin.template:
+ src: etc/ldap/slapd.d/modify_password.ldif.j2
+ dest: /etc/ldap/slapd.d/adminpwd_ldif.tmpl
+ mode: "0644"
+ become: true
when: openldap_admin_password is defined and admin_pass_file is changed
-- name: Create the ldif file to set the admin password
- shell: export ADMIN_PASS=$( cat /etc/ldap/slapd.d/.slapdadmin ); sed -e "s|@ADMINPWD@|$ADMIN_PASS|" /etc/ldap/slapd.d/adminpwd_ldif.tmpl > /etc/ldap/slapd.d/adminpwd.ldif ; chmod 400 /etc/ldap/slapd.d/adminpwd.ldif
+- name: Create the ldif file to set the admin password # noqa command-instead-of-shell
+ ansible.builtin.shell: >-
+ set -o pipefail ; \
+ export ADMIN_PASS=$( cat /etc/ldap/slapd.d/.slapdadmin ); \
+ sed -e "s|@ADMINPWD@|$ADMIN_PASS|" /etc/ldap/slapd.d/adminpwd_ldif.tmpl \
+ > /etc/ldap/slapd.d/adminpwd.ldif ; \
+ chmod 400 /etc/ldap/slapd.d/adminpwd.ldif
when: openldap_admin_password is defined and admin_pass_file is changed
- become: yes
+ changed_when: false # TODO define changed conditions
+ become: true
-- name: Finally set the admin password
- shell: ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/slapd.d/adminpwd.ldif
+- name: Finally set the admin password # noqa command-instead-of-shell
+ ansible.builtin.shell: >-
+ ldapmodify \
+ -Q \
+ -Y EXTERNAL \
+ -H ldapi:/// \
+ -f /etc/ldap/slapd.d/adminpwd.ldif
when: openldap_admin_password is defined and admin_pass_file is changed
- become: yes
+ become: true
+ changed_when: false # TODO define change conditions
- name: Run replicate tasks
- when: "groups['openldap'] | length > 1"
+ when: (groups['openldap'] | length) > 1
block:
- name: Copy config_olc_server_id file
- template:
- src: "etc/ldap/slapd.d/config_olc_server_id.ldif.j2"
- dest: "/etc/ldap/slapd.d/config_olc_server_id.ldif"
+ ansible.builtin.template:
+ src: etc/ldap/slapd.d/config_olc_server_id.ldif.j2
+ dest: /etc/ldap/slapd.d/config_olc_server_id.ldif
owner: root
group: root
- mode: 0640
- become: yes
+ mode: "0640"
+ become: true
register: config_olc_server_id_file
- name: Copy mod_syncprov file
- template:
+ ansible.builtin.template:
src: "etc/ldap/slapd.d/mod_syncprov.ldif.j2"
dest: "/etc/ldap/slapd.d/mod_syncprov.ldif"
owner: root
group: root
- mode: 0640
- become: yes
+ mode: "0640"
+ become: true
register: mod_syncprov_file
- name: Copy replicate_configuration file
- template:
+ ansible.builtin.template:
src: "etc/ldap/slapd.d/replicate_configuration.ldif.j2"
dest: "/etc/ldap/slapd.d/replicate_configuration.ldif"
owner: root
group: root
- mode: 0640
- become: yes
+ mode: "0640"
+ become: true
register: replicate_configuration_file
- name: Copy replicate_database file
- template:
+ ansible.builtin.template:
src: "etc/ldap/slapd.d/replicate_database.ldif.j2"
dest: "/etc/ldap/slapd.d/replicate_database.ldif"
owner: root
group: root
- mode: 0640
- become: yes
+ mode: "0640"
+ become: true
register: replicate_database_file
run_once: true
- name: Copy trigger_replicate file
- template:
- src: "etc/ldap/slapd.d/trigger_replicate.ldif.j2"
- dest: "/etc/ldap/slapd.d/trigger_replicate.ldif"
+ ansible.builtin.template:
+ src: etc/ldap/slapd.d/trigger_replicate.ldif.j2
+ dest: /etc/ldap/slapd.d/trigger_replicate.ldif
owner: root
group: root
- mode: 0640
- become: yes
+ mode: "0640"
+ become: true
run_once: true
- - name: Add olcServerId to openLDAP
- shell: 'ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/slapd.d/config_olc_server_id.ldif'
- ignore_errors: yes #set to get around erroring out that items already exist
- become: yes
- when: config_olc_server_id_file is changed
+ - name: Add olcServerId to openLDAP # noqa command-instead-of-shell
+ ansible.builtin.shell: >-
+ ldapadd -Y EXTERNAL \
+ -H ldapi:/// \
+ -f /etc/ldap/slapd.d/config_olc_server_id.ldif
+ ignore_errors: true # noqa ignore-errors
+ changed_when: false
+ become: true
+ when: config_olc_server_id_file is changed # noqa no-handler
- - name: Add syncprov module to openLDAP
- shell: 'ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/slapd.d/mod_syncprov.ldif'
- ignore_errors: yes #set to get around erroring out that items already exist
- become: yes
- when: mod_syncprov_file is changed
+ - name: Add syncprov module to openLDAP # noqa command-instead-of-shell
+ ansible.builtin.shell: >-
+ ldapadd -Y EXTERNAL \
+ -H ldapi:/// \
+ -f /etc/ldap/slapd.d/mod_syncprov.ldif
+ ignore_errors: true # noqa ignore-errors
+ become: true
+ changed_when: false
+ when: mod_syncprov_file is changed # noqa no-handler
- - name: Add replicate configuration to openLDAP
- shell: 'ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/slapd.d/replicate_configuration.ldif'
- ignore_errors: yes #set to get around erroring out that items already exist
- become: yes
- when: replicate_configuration_file is changed
+ - name: Add replicate configuration to openLDAP # noqa command-instead-of-shell
+ ansible.builtin.shell: >-
+ ldapadd -Y EXTERNAL \
+ -H ldapi:/// \
+ -f /etc/ldap/slapd.d/replicate_configuration.ldif
+ ignore_errors: true # noqa ignore-errors
+ become: true
+ changed_when: false
+ when: replicate_configuration_file is changed # noqa no-handler
- - name: Add replicate database to openLDAP
- shell: 'ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/slapd.d/replicate_database.ldif'
- ignore_errors: yes #set to get around erroring out that items already exist
- become: yes
- when: replicate_database_file is changed
+ - name: Add replicate database to openLDAP # noqa command-instead-of-shell
+ ansible.builtin.shell: >-
+ ldapadd -Y EXTERNAL \
+ -H ldapi:/// \
+ -f /etc/ldap/slapd.d/replicate_database.ldif
+ ignore_errors: true # noqa ignore-errors set to get around erroring out that items already exist
+ become: true
+ changed_when: false # TODO - define change criteria
+ when: replicate_database_file is changed # noqa no-handler
run_once: true
-
+
- name: Restart slapd
- systemd:
+ ansible.builtin.systemd:
name: slapd
- enabled: yes
- daemon_reload: yes
+ enabled: true
+ daemon_reload: true
state: restarted
- become: yes
+ become: true
- name: Trigger replicate to openLDAP
- shell: 'ldapadd -c -x -H ldapi:/// -D {{ openldap_bind_id }} -w "{{ openldap_admin_password }}" -f /etc/ldap/slapd.d/trigger_replicate.ldif'
- become: yes
+ ansible.builtin.shell: >- # noqa command-isntead-of-shell
+ ldapadd -c -x \
+ -H ldapi:/// \
+ -D {{ openldap_bind_id }} \
+ -w "{{ openldap_admin_password }}" \
+ -f /etc/ldap/slapd.d/trigger_replicate.ldif'
+ become: true
run_once: true
- name: Copy additional schemas file
- template:
+ ansible.builtin.template:
src: "etc/ldap/slapd.d/modify_schemas.ldif.j2"
dest: "/etc/ldap/slapd.d/modify_schemas.ldif"
owner: root
group: root
- mode: 0640
- become: yes
+ mode: "0640"
+ become: true
register: additional_schemas_file
run_once: true
- name: Copy ACL config file
- template:
+ ansible.builtin.template:
src: "etc/ldap/slapd.d/access_control_list.ldif.j2"
dest: "/etc/ldap/slapd.d/access_control_list.ldif"
owner: root
group: root
- mode: 0640
- become: yes
+ mode: "0640"
+ become: true
register: acl_file
run_once: true
- name: Copy Attribute Options config file
- template:
+ ansible.builtin.template:
src: "etc/ldap/slapd.d/olc_attribute_options.ldif.j2"
dest: "/etc/ldap/slapd.d/olc_attribute_options.ldif"
owner: root
group: root
- mode: 0640
- become: yes
+ mode: "0640"
+ become: true
register: olc_attribute_options_file
run_once: true
+ notify: Enable Attribute Options to openLDAP
-- name: Add schemas to openLDAP
- shell: 'ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/slapd.d/modify_schemas.ldif'
- ignore_errors: yes #set to get around erroring out that items already exist
- when: >
- openldap_schema is defined and
- openldap_schema and
- additional_schemas_file is changed
- become: yes
+- name: Add schemas to openLDAP # noqa command-instead-of-shell
+ ansible.builtin.shell: >-
+ ldapadd -Y EXTERNAL \
+ -H ldapi:/// \
+ -f /etc/ldap/slapd.d/modify_schemas.ldif
+ ignore_errors: true # noqa ignore-errors
+ changed_when: false
+ when:
+ - openldap_schema is defined
+ - openldap_schema and
+ - additional_schemas_file is changed
+ become: true
run_once: true
-- name: Add ACL to openLDAP
- shell: 'ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/slapd.d/access_control_list.ldif'
- ignore_errors: yes #set to get around erroring out that items already exist
+- name: Add ACL to openLDAP # noqa command-instead-of-shell
+ ansible.builtin.shell: >-
+ ldapmodify -Y EXTERNAL \
+ -H ldapi:/// \
+ -f /etc/ldap/slapd.d/access_control_list.ldif
+ ignore_errors: true # noqa ignore-errors set to get around erroring out that items already exist
when: >
openldap_acl is defined and
openldap_acl and
acl_file is changed
- become: yes
+ become: true
run_once: true
+ changed_when: false
-- name: Enable Attribute Options to openLDAP
- shell: 'ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/slapd.d/olc_attribute_options.ldif'
- ignore_errors: yes #set to get around erroring out that items already exist
- when: olc_attribute_options_file is changed
- become: yes
- run_once: true
-
-
+# TODO Should do a stat - set to get around erroring out that items already exist
+# Moved to handler
+# - name: Enable Attribute Options to openLDAP
+# ansible.builtin.shell: 'ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/slapd.d/olc_attribute_options.ldif'
+# ignore_errors: true # noqa ignore-errors
+# changed_when: false
+# when: olc_attribute_options_file is changed
+# become: true
+# run_once: true
diff --git a/roles/openldap/tasks/install-Debian.yml b/roles/openldap/tasks/install-Debian.yml
index 42826b2c..0a65445f 100644
--- a/roles/openldap/tasks/install-Debian.yml
+++ b/roles/openldap/tasks/install-Debian.yml
@@ -1,14 +1,14 @@
---
- name: "Gather the package facts"
- package_facts:
+ ansible.builtin.package_facts:
manager: "auto"
- name: "Run Initialise tasks"
- when: ('slapd' not in ansible_facts.packages or 'ldap-utils' not in ansible_facts.packages) or openldap_init == true
+ when: ('slapd' not in ansible_facts.packages or 'ldap-utils' not in ansible_facts.packages) or openldap_init
block:
# run these tasks only when initialise variable is true or slapd/ldap-utils are not installed
- name: Define slapd installation settings
- debconf:
+ ansible.builtin.debconf:
name: "slapd"
question: "{{ item.question }}"
value: "{{ item.value }}"
@@ -27,52 +27,57 @@
value: 'true'
vtype: 'boolean'
- question: "slapd/domain"
- value: "{{ pri_domain_name }}"
+ value: "{{ openbldap_pri_domain_name }}"
vtype: 'string'
- question: "shared/organization"
value: "{{ openldap_org }}"
vtype: 'string'
- become: yes
+ become: true
- name: Install required packages
- apt:
+ ansible.builtin.apt:
name: "{{ openldap_debian_packages }}"
state: present
- install_recommends: no
- update_cache: yes
+ install_recommends: false
+ update_cache: true
cache_valid_time: 86400
- become: yes
+ become: true
- name: Find /var/backups ending with .ldapdb or matching with slapd-*+*
- find:
+ ansible.builtin.find:
paths: /var/backups
patterns: "*.ldapdb,slapd-*+*"
file_type: directory
- become: yes
+ become: true
register: backup_files
- name: Ensure /var/backups/openldap dir exists
- file:
+ ansible.builtin.file:
path: /var/backups/openldap
state: directory
owner: openldap
group: openldap
- become: yes
+ mode: "0755"
+ become: true
- name: Move Backup Files to another folder
- command: mv {{ item.path }} /var/backups/openldap/{{ item.path | replace("/var/backups/","") }}.{{ ansible_date_time.epoch }}
+ ansible.builtin.command: >-
+ mv {{ item.path }} \
+ /var/backups/openldap/{{ item.path | replace("/var/backups/", "") }}.{{ ansible_date_time.epoch }}
with_items: "{{ backup_files.files }}"
- ignore_errors: true
- become: yes
+ ignore_errors: true # noqa ignore-errors
+ changed_when: false
+ become: true
- - name: Reconfigure slapd
- command: dpkg-reconfigure -f noninteractive slapd
- become: yes
+ - name: Reconfigure slapd # TODO - should be a handler
+ ansible.builtin.command: dpkg-reconfigure -f noninteractive slapd
+ changed_when: false
+ become: true
- - name: Restart slapd
- systemd:
+ - name: Restart slapd # TODO - should be a handler
+ ansible.builtin.systemd:
name: slapd
- enabled: yes
- daemon_reload: yes
+ enabled: true
+ daemon_reload: true
state: restarted
- become: yes
+ become: true
diff --git a/roles/openldap/tasks/main.yml b/roles/openldap/tasks/main.yml
index 2a6b776f..681b653d 100644
--- a/roles/openldap/tasks/main.yml
+++ b/roles/openldap/tasks/main.yml
@@ -1,24 +1,27 @@
---
# tasks file for ansible-openldap
- name: Include OS-specific variables
- include_vars: "{{ item }}"
+ ansible.builtin.include_vars: "{{ item }}"
with_first_found:
- - "{{ ansible_distribution }}-{{ ansible_distribution_release}}.yml"
- - "{{ ansible_distribution }}-{{ ansible_distribution_major_version}}.yml"
+ - "{{ ansible_distribution }}-{{ ansible_distribution_release }}.yml"
+ - "{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml"
- "{{ ansible_distribution }}.yml"
- "{{ ansible_os_family }}.yml"
-- include: install-Debian.yml
- when: ansible_os_family == "Debian"
+- name: Install Debian
+ ansible.builtin.include_tasks: install-Debian.yml
+ when: ansible_os_family == 'Debian'
tags:
- install
- openldap:install
-- include: configure.yml
+- name: Configure
+ ansible.builtin.include_tasks: configure.yml
tags:
- config
- openldap:config
-- include: populate.yml
+- name: Populate
+ ansible.builtin.include_tasks: populate.yml
tags:
- openldap:populate
diff --git a/roles/openldap/tasks/populate.yml b/roles/openldap/tasks/populate.yml
index dc045db5..0bbd2013 100644
--- a/roles/openldap/tasks/populate.yml
+++ b/roles/openldap/tasks/populate.yml
@@ -1,21 +1,28 @@
- name: Copy database population config file
- template:
+ ansible.builtin.template:
src: "etc/ldap/slapd.d/populate_content.ldif.j2"
dest: "/etc/ldap/slapd.d/populate_content.ldif"
owner: root
group: root
- mode: 0640
- become: yes
+ mode: "0640"
+ become: true
register: populate_content_file
run_once: true
# This operation may return "FAILED" if an entry already exists but it will continue to add non existing entries
-- name: Populate openLDAP with groups and users
- shell: "ldapadd -c -x -H ldapi:/// -D {{ openldap_bind_id }} -w '{{ openldap_admin_password }}' -f /etc/ldap/slapd.d/populate_content.ldif"
- ignore_errors: yes #set to get around erroring out that items already exist
+- name: Populate openLDAP with groups and users # noqa ignore-errors
+ # Use a different module
+ ansible.builtin.shell: >- # noqa command-instead-of-shell
+ ldapadd -c -x \
+ -H ldapi:/// \
+ -D {{ openldap_bind_id }} \
+ -w '{{ openldap_admin_password }}' \
+ -f /etc/ldap/slapd.d/populate_content.ldif"
+ ignore_errors: true # set to get around erroring out that items already exist <- this should be tested
+ changed_when: false
when: >
openldap_populate is defined and
openldap_populate and
populate_content_file is changed
- become: yes
- run_once: true
\ No newline at end of file
+ become: true
+ run_once: true
diff --git a/roles/openldap/vars/Debian.yml b/roles/openldap/vars/Debian.yml
index ab92fb14..a23246c9 100644
--- a/roles/openldap/vars/Debian.yml
+++ b/roles/openldap/vars/Debian.yml
@@ -1,3 +1,3 @@
openldap_debian_packages:
- slapd
- - ldap-utils
\ No newline at end of file
+ - ldap-utils
diff --git a/roles/php/defaults/main.yml b/roles/php/defaults/main.yml
index 6aad55ad..adccc432 100644
--- a/roles/php/defaults/main.yml
+++ b/roles/php/defaults/main.yml
@@ -1,18 +1,17 @@
---
# Whether to install PHP packages from alternative repository
-php_alt_repo: no
+php_alt_repo: false
# Override default list of PHP packages to install.
# See php_default_packages in php/vars/
-#php_packages:
+# php_packages:
# List of PHP extensions to install
php_extensions: []
-
# Override default PHP configuration scan directory.
# See php_default_conf_scan_dir in php/vars/
-#php_conf_scan_dir:
+# php_conf_scan_dir:
# List of PHP configuration files to load
php_conf_files: []
diff --git a/roles/php/handlers/main.yml b/roles/php/handlers/main.yml
index 8578faad..fda70f62 100644
--- a/roles/php/handlers/main.yml
+++ b/roles/php/handlers/main.yml
@@ -1,7 +1,6 @@
---
-
-- name: restart webserver
- service:
+- name: Restart webserver
+ ansible.builtin.service:
name: "{{ php_webserver }}"
state: restarted
- become: yes
+ become: true
diff --git a/roles/php/tasks/configure.yml b/roles/php/tasks/configure.yml
index 064a723c..f28fd4ae 100644
--- a/roles/php/tasks/configure.yml
+++ b/roles/php/tasks/configure.yml
@@ -1,13 +1,12 @@
---
-
- name: Ensure PHP configuration files exist
- copy:
+ ansible.builtin.copy:
src: "{{ item }}"
dest: "{{ php_conf_scan_dir }}/"
- owner: "root"
- group: "root"
- mode: 0644
- with_items: "{{ php_conf_files }}"
- become: yes
+ owner: root
+ group: root
+ mode: "0644"
+ with_items: "{{ php_conf_files }}"
+ become: true
notify:
- restart webserver
diff --git a/roles/php/tasks/install-Debian.yml b/roles/php/tasks/install-Debian.yml
index 48571947..bd7875b6 100644
--- a/roles/php/tasks/install-Debian.yml
+++ b/roles/php/tasks/install-Debian.yml
@@ -1,46 +1,45 @@
---
-
- name: Install apt packages required for alternative PHP repo (Debian)
- apt:
+ ansible.builtin.apt:
name: "{{ php_apt_packages }}"
state: present
- update_cache: yes
+ update_cache: true
when: php_alt_repo and php_apt_packages is defined and php_apt_packages|length
- become: yes
+ become: true
- name: Install apt key for PHP repo (Debian)
- apt_key:
- url: '{{ php_apt_key }}'
+ ansible.builtin.apt_key:
+ url: "{{ php_apt_key }}"
state: present
when: php_alt_repo and php_apt_key is defined
- become: yes
+ become: true
- name: Add alternative PHP repo (Debian)
- apt_repository:
+ ansible.builtin.apt_repository:
repo: "{{ item }}"
state: present
- update_cache: yes
- filename: "php"
+ update_cache: true
+ filename: php
loop: "{{ php_apt_repositories }}"
when: php_alt_repo and php_apt_repositories is defined and php_apt_repositories|length
- become: yes
+ become: true
- name: Ensure PHP packages are installed (Debian)
- apt:
+ ansible.builtin.apt:
name: "{{ php_packages }}"
state: present
- update_cache: yes
- install_recommends: no
- become: yes
+ update_cache: true
+ install_recommends: false
+ become: true
notify:
- restart webserver
- name: Ensure PHP extensions are installed (Debian)
- apt:
+ ansible.builtin.apt:
pkg: "{{ php_extensions }}"
state: present
- update_cache: yes
- install_recommends: no
- become: yes
+ update_cache: true
+ install_recommends: false
+ become: true
notify:
- restart webserver
diff --git a/roles/php/tasks/install-RedHat.yml b/roles/php/tasks/install-RedHat.yml
index 8cad451b..222e0817 100644
--- a/roles/php/tasks/install-RedHat.yml
+++ b/roles/php/tasks/install-RedHat.yml
@@ -1,7 +1,6 @@
---
-
- name: Ensure Repositories are installed (RedHat)
- yum:
+ ansible.builtin.yum:
name: "{{ item }}"
state: present
loop: "{{ php_yum_repositories }}"
@@ -9,7 +8,7 @@
become: true
- name: Import remi GPG key.
- rpm_key:
+ ansible.builtin.rpm_key:
key: "{{ item }}"
state: present
loop: "{{ php_yum_keys }}"
@@ -17,11 +16,11 @@
become: true
- name: Ensure PHP packages are installed (RedHat)
- yum:
- enablerepo: "remi,remi-safe,remi-php{{ php_version }}"
+ ansible.builtin.yum:
+ enablerepo: remi,remi-safe,remi-php{{ php_version }}
name: "{{ item }}"
state: present
- update_cache: yes
+ update_cache: true
become: true
loop: "{{ php_packages }}"
when: php_alt_repo and php_yum_repositories is defined and php_yum_repositories|length
@@ -29,10 +28,10 @@
- restart webserver
- name: Ensure PHP packages are installed (default repo) (RedHat)
- yum:
+ ansible.builtin.yum:
name: "{{ item }}"
state: present
- update_cache: yes
+ update_cache: true
become: true
loop: "{{ php_packages }}"
when: not php_alt_repo and php_yum_repositories is not defined
@@ -40,11 +39,11 @@
- restart webserver
- name: Ensure PHP extensions are installed (RedHat)
- yum:
- enablerepo: "remi,remi-safe,remi-php{{ php_version }}"
+ ansible.builtin.yum:
+ enablerepo: remi,remi-safe,remi-php{{ php_version }}
name: "{{ php_extensions }}"
state: present
- update_cache: yes
+ update_cache: true
become: true
loop: "{{ php_extensions | default([]) }}"
when: php_alt_repo and php_yum_repositories is defined and php_yum_repositories|length
@@ -52,10 +51,10 @@
- restart webserver
- name: Ensure PHP extensions are installed (default repo) (RedHat)
- yum:
+ ansible.builtin.yum:
name: "{{ php_extensions }}"
state: present
- update_cache: yes
+ update_cache: true
become: true
loop: "{{ php_extensions | default([]) }}"
when: not php_alt_repo and php_yum_repositories is not defined
diff --git a/roles/php/tasks/main.yml b/roles/php/tasks/main.yml
index 13b2337f..7ece0459 100644
--- a/roles/php/tasks/main.yml
+++ b/roles/php/tasks/main.yml
@@ -1,28 +1,32 @@
---
-
- name: Include OS-specific variables
- include_vars: "{{ item }}"
+ ansible.builtin.include_vars: "{{ item }}"
with_first_found:
- - "{{ ansible_distribution }}-{{ ansible_distribution_release}}.yml"
- - "{{ ansible_distribution }}-{{ ansible_distribution_major_version}}.yml"
+ - "{{ ansible_distribution }}-{{ ansible_distribution_release }}.yml"
+ - "{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml"
- "{{ ansible_distribution }}.yml"
- "{{ ansible_os_family }}.yml"
- name: Define PHP packages
- set_fact:
+ ansible.builtin.set_fact:
php_packages: "{{ php_default_packages | list }}"
when: php_packages is not defined
- name: Define PHP configuration scan dir
- set_fact:
+ ansible.builtin.set_fact:
php_conf_scan_dir: "{{ php_default_conf_scan_dir }}"
when: php_conf_scan_dir is not defined
# Include OS-specific installation tasks
-- include: install-Debian.yml
+- name: Include Debian Install Tasks
+ ansible.builtin.include_tasks: install-Debian.yml
when: ansible_os_family == 'Debian'
-- include: install-RedHat.yml
+- name: Include RedHat Install Tasks
+ ansible.builtin.include_tasks: install-RedHat.yml
when: ansible_os_family == 'RedHat'
+# Could be refactored
+
# Include OS-independent configuration tasks
-- include: configure.yml
+- name: Include Configure Tasks
+ ansible.builtin.include_tasks: configure.yml
diff --git a/roles/php/vars/Debian-bookworm.yml b/roles/php/vars/Debian-bookworm.yml
index 0d0a2e19..84971add 100644
--- a/roles/php/vars/Debian-bookworm.yml
+++ b/roles/php/vars/Debian-bookworm.yml
@@ -1,17 +1,17 @@
---
-php_webserver: "apache2"
+php_webserver: apache2
php_default_packages:
- - "libapache2-mod-php8.2"
+ - libapache2-mod-php8.2
-php_default_conf_scan_dir: "/etc/php/8.2/apache2/conf.d"
+php_default_conf_scan_dir: /etc/php/8.2/apache2/conf.d
# Only when php_alt_repo is set to true
php_apt_repositories:
- - "deb https://packages.sury.org/php/ bookworm main"
+ - deb https://packages.sury.org/php/ bookworm main
-php_apt_key: "https://packages.sury.org/php/apt.gpg"
+php_apt_key: https://packages.sury.org/php/apt.gpg
php_apt_packages:
- apt-transport-https
diff --git a/roles/php/vars/Debian-bullseye.yml b/roles/php/vars/Debian-bullseye.yml
index 886dc438..28206672 100644
--- a/roles/php/vars/Debian-bullseye.yml
+++ b/roles/php/vars/Debian-bullseye.yml
@@ -1,17 +1,17 @@
---
-php_webserver: "apache2"
+php_webserver: apache2
php_default_packages:
- - "libapache2-mod-php7.4"
+ - libapache2-mod-php7.4
-php_default_conf_scan_dir: "/etc/php/7.4/apache2/conf.d"
+php_default_conf_scan_dir: /etc/php/7.4/apache2/conf.d
# Only when php_alt_repo is set to true
php_apt_repositories:
- - "deb https://packages.sury.org/php/ bullseye main"
+ - deb https://packages.sury.org/php/ bullseye main
-php_apt_key: "https://packages.sury.org/php/apt.gpg"
+php_apt_key: https://packages.sury.org/php/apt.gpg
php_apt_packages:
- apt-transport-https
diff --git a/roles/php/vars/Debian-buster.yml b/roles/php/vars/Debian-buster.yml
index f6596041..b1cdeb9f 100644
--- a/roles/php/vars/Debian-buster.yml
+++ b/roles/php/vars/Debian-buster.yml
@@ -1,17 +1,17 @@
---
-php_webserver: "apache2"
+php_webserver: apache2
php_default_packages:
- - "libapache2-mod-php7.3"
+ - libapache2-mod-php7.3
-php_default_conf_scan_dir: "/etc/php/7.3/apache2/conf.d"
+php_default_conf_scan_dir: /etc/php/7.3/apache2/conf.d
# Only when php_alt_repo is set to true
php_apt_repositories:
- - "deb https://packages.sury.org/php/ buster main"
+ - deb https://packages.sury.org/php/ buster main
-php_apt_key: "https://packages.sury.org/php/apt.gpg"
+php_apt_key: https://packages.sury.org/php/apt.gpg
php_apt_packages:
- apt-transport-https
diff --git a/roles/php/vars/Debian-jessie.yml b/roles/php/vars/Debian-jessie.yml
index b0d0c287..bc23037e 100644
--- a/roles/php/vars/Debian-jessie.yml
+++ b/roles/php/vars/Debian-jessie.yml
@@ -1,8 +1,8 @@
---
-php_webserver: "apache2"
+php_webserver: apache2
php_default_packages:
- - "libapache2-mod-php5"
+ - libapache2-mod-php5
-php_default_conf_scan_dir: "/etc/php5/apache2/conf.d"
+php_default_conf_scan_dir: /etc/php5/apache2/conf.d
diff --git a/roles/php/vars/Debian-stretch.yml b/roles/php/vars/Debian-stretch.yml
index 4bc9ea7f..0c8b6b0e 100644
--- a/roles/php/vars/Debian-stretch.yml
+++ b/roles/php/vars/Debian-stretch.yml
@@ -1,17 +1,17 @@
---
-php_webserver: "apache2"
+php_webserver: apache2
php_default_packages:
- - "libapache2-mod-php7.0"
+ - libapache2-mod-php7.0
-php_default_conf_scan_dir: "/etc/php/7.0/apache2/conf.d"
+php_default_conf_scan_dir: /etc/php/7.0/apache2/conf.d
# Only when php_alt_repo is set to true
php_apt_repositories:
- - "deb https://packages.sury.org/php/ stretch main"
+ - deb https://packages.sury.org/php/ stretch main
-php_apt_key: "https://packages.sury.org/php/apt.gpg"
+php_apt_key: https://packages.sury.org/php/apt.gpg
php_apt_packages:
- apt-transport-https
diff --git a/roles/php/vars/RedHat.yml b/roles/php/vars/RedHat.yml
index e31ecad1..5b6e0714 100644
--- a/roles/php/vars/RedHat.yml
+++ b/roles/php/vars/RedHat.yml
@@ -1,8 +1,8 @@
---
-php_webserver: "httpd"
+php_webserver: httpd
php_default_packages:
- - "php"
+ - php
-php_default_conf_scan_dir: "/etc/php.d"
+php_default_conf_scan_dir: /etc/php.d
diff --git a/roles/php/vars/Ubuntu-focal.yml b/roles/php/vars/Ubuntu-focal.yml
index d2c0b69b..f6a22829 100644
--- a/roles/php/vars/Ubuntu-focal.yml
+++ b/roles/php/vars/Ubuntu-focal.yml
@@ -1,15 +1,15 @@
---
-php_webserver: "apache2"
+php_webserver: apache2
php_default_packages:
- - "libapache2-mod-php7.4"
+ - libapache2-mod-php7.4
-php_default_conf_scan_dir: "/etc/php/7.4/apache2/conf.d"
+php_default_conf_scan_dir: /etc/php/7.4/apache2/conf.d
# Only when php_alt_repo is set to true
php_apt_repositories:
- - "ppa:ondrej/php"
+ - ppa:ondrej/php
php_apt_packages:
- - "software-properties-common"
+ - software-properties-common
diff --git a/roles/postgresql/defaults/main.yml b/roles/postgresql/defaults/main.yml
index c94b71bc..126eaf98 100644
--- a/roles/postgresql/defaults/main.yml
+++ b/roles/postgresql/defaults/main.yml
@@ -4,47 +4,47 @@
# Override default PostgreSQL version
# See postgresql_default_version defined in postgresql/vars/
-#postgresql_version: "11"
+# postgresql_version: "11"
# Override default PostgreSQL configuration path
# See postgresql_default_conf_path in postgresql/vars/
-#postgresql_conf_path: "/etc/postgresql/{{ postgresql_version }}"
+# postgresql_conf_path: "/etc/postgresql/{{ postgresql_version }}"
# Override default PostgreSQL data path
# See postgresql_default_data_path in postgresql/vars/
-#postgresql_data_path: "/var/lib/postgresql/{{ postgresql_version }}"
+# postgresql_data_path: "/var/lib/postgresql/{{ postgresql_version }}"
# Override default PostgreSQL service name
# See postgresql_default_service in postgresql/vars/
-#postgresql_service: "postgresql"
+# postgresql_service: "postgresql"
# Override default PostgreSQL user
# See postgresql_default_user in postgresql/vars/
-#postgresql_user: "postgresql"
+# postgresql_user: "postgresql"
# Override default PostgreSQL group
# See postgresql_default_group in postgresql/vars/
-#postgresql_group: "postgresql"
+# postgresql_group: "postgresql"
postgresql_clients:
# Connection type:
# - "local": Unix-domain socket
# - "host": plain or SSL-encrypted TCP/IP socket
- # - "hostssl": SSL-encrypted TCP/IP socket
- # - "hostnossl": plain TCP/IP socket
+ # - "hostssl": SSL-encrypted TCP/IP socket
+ # - "hostnossl": plain TCP/IP socket
- connection_type: "local"
# Database: "all", "sameuser", "samerole", "replication", a database name,
- # or a comma-separated list thereof. The "all" keyword does not match
+ # or a comma-separated list thereof. The "all" keyword does not match
# "replication". Access to replication must be enabled in a separate record
database: "all"
# User: "all", a user name, a group name prefixed with "+", or a
# comma-separated list thereof. In both the database and user fields you
- # can also write a file name prefixed with "@" to include names from a
+ # can also write a file name prefixed with "@" to include names from a
# separate file.
user: "postgres"
# Address (for non-"local" connection_type only): the set of hosts the
# client matches. It can be a host name, or it is made up of an IP address
- # and a CIDR mask that is an integer (between 0 and 32 (IPv4) or 128
+ # and a CIDR mask that is an integer (between 0 and 32 (IPv4) or 128
# (IPv6) inclusive) that specifies the number of significant bits in the
# mask. A host name that starts with a dot (.) matches a suffix of the
# actual host name. Alternatively, you can write an IP address and netmask
@@ -52,10 +52,10 @@ postgresql_clients:
# CIDR-address, you can write "samehost" to match any of the server's own
# IP addresses, or "samenet" to match any address in any subnet that the
# server is directly connected to.
- #address:
- # Method: "trust", "reject", "md5", "password", "gss", "sspi", "ident",
+ # address:
+ # Method: "trust", "reject", "md5", "password", "gss", "sspi", "ident",
# "peer", "pam", "ldap", "radius" or "cert". Note that # "password" sends
- # passwords in clear text; "md5" is preferred since it sends encrypted
+ # passwords in clear text; "md5" is preferred since it sends encrypted
# passwords.
method: "peer"
- connection_type: "local"
@@ -73,22 +73,22 @@ postgresql_clients:
address: "::1/128"
method: "md5"
-#postgresql_replication_user: "repuser"
-#postgresql_replication_password: "repuser"
+# postgresql_replication_user: "repuser"
+# postgresql_replication_password: "repuser"
postgresql_users: []
# Username
- #- name: "theuser"
+ # - name: "theuser"
# (Optional) Whether the password is stored hashed in the database
- #encrypted: yes
+ # encrypted: yes
# (Optional) User password
- #password: "thepassword"
+ # password: "thepassword"
# (Optional) Name of database where permissions will be granted
- #db: "thedatabase"
- # (Optional) Privileges string in the format:
+ # db: "thedatabase"
+ # (Optional) Privileges string in the format:
# "table:priv1,priv2"
- #priv:
- # (Optional) Role attributes string in the format:
+ # priv:
+ # (Optional) Role attributes string in the format:
# "CREATEDB,CREATEROLE,SUPERUSER"
# Available options:
# - [NO]SUPERUSER
@@ -98,40 +98,40 @@ postgresql_users: []
# - [NO]INHERIT
# - [NO]LOGIN
# - [NO]REPLICATION
- #role_attr_flags:
+ # role_attr_flags:
postgresql_databases: []
# Name of the database
- #- name: "thedatabase"
+ # - name: "thedatabase"
# (Optional) Name of the role to set as owner of the database
- #owner: "theuser"
+ # owner: "theuser"
# (Optional) Encoding of the database
- #encoding: "UTF8"
+ # encoding: "UTF8"
# (Optional) Collation order (LC_COLLATE) to use in the database. Must
# match collation order of template database unless template0 is used as
# template.
- #lc_collate: "en_US.UTF-8"
+ # lc_collate: "en_US.UTF-8"
# (Optional) Character classification (LC_CTYPE) to use in the database.
# Must match LC_CTYPE of template database unless template0 is used as
# template.
- #lc_ctype: "en_US.UTF-8"
+ # lc_ctype: "en_US.UTF-8"
# (Optional) Template used to create the database
- #template: "thetemplate"
+ # template: "thetemplate"
postgresql_privs: []
- # Name of database to connect to
- #- database: "thedatabase"
+ # Name of database to connect to
+ # - database: "thedatabase"
# Comma separated list of role (user/group) names to set permissions for.
# The special value PUBLIC can be provided instead to set permissions for
# the implicitly defined PUBLIC group.
- #roles: "theuser"
+ # roles: "theuser"
# (Optional) Whether role may grant/revoke the specified privileges/group
# memberships to others. Set to no to revoke GRANT OPTION, leave
# unspecified to make no changes. grant_option only has an effect if state
# is present.
- #grant_option: yes
+ # grant_option: yes
# (Optional) Comma separated list of privileges to grant/revoke.
- #privs:
+ # privs:
# Type of database object to set privileges on:
# - table
# - sequence
@@ -141,20 +141,20 @@ postgresql_privs: []
# - language
# - tablespace
# - group
- #type: "table"
+ # type: "table"
# (Optional) Comma separated list of database objects to set privileges on.
# If type is table or sequence, the special value ALL_IN_SCHEMA can be
# provided instead to specify all database objects of type type in the
- # schema specified via schema.
+ # schema specified via schema.
# If type is database, this parameter can be omitted, in which case
# privileges are set for the database specified via database.
# If type is function, colons (":") in object names will be replaced with
# commas
- #objs:
+ # objs:
# (Optional) Schema that contains the database objects specified via objs.
# May only be provided if type is table, sequence or function. Defaults to
- # public in these cases.
- #schema: public
+ # public in these cases.
+ # schema: public
# What IP address(es) to listen on
postgresql_listen_addresses: "localhost"
@@ -166,9 +166,9 @@ postgresql_max_connections: 100
# Min 128kB
postgresql_shared_buffers: "128MB"
-# Enables/disables the use of huge memory pages for PostgreSQL.
-# Valid values are:
-# - try (default)
+# Enables/disables the use of huge memory pages for PostgreSQL.
+# Valid values are:
+# - try (default)
# - on
# - off
# The use of huge pages results in smaller page tables and less CPU time spent
@@ -176,7 +176,7 @@ postgresql_shared_buffers: "128MB"
postgresql_huge_pages_mode: "try"
# Number of huge memory pages to be allocated
-#postgresql_huge_pages_number: 0
+# postgresql_huge_pages_number: 0
# Min 64kB
postgresql_work_mem: "4MB"
@@ -204,23 +204,27 @@ postgresql_wal_keep_segments: 0
# Standby server settings (ignored on a master server)
-# Master/primary server host
+# Master/primary server host
postgresql_master_host: "{{ groups['dbmaster'][0] }}"
-# Master/primary server port
+# Master/primary server port
postgresql_master_port: "{{ hostvars[groups['dbmaster'][0]]['postgresql_port'] | default(postgresql_port) }}"
-
+
# "on" allows queries during recovery
postgresql_hot_standby_mode: "off"
# If set, the PostgreSQL server will try to connect to the master using this
# connection string and receive XLOG records continuously.
# e.g. 'host={{ postgresql_master_host }} port={{ postgresql_master_port }}'
-#postgresql_master_conninfo: "host={{ postgresql_master_host }} port={{ postgresql_master_port }} user={{ postgresql_replication_user }} password={{ postgresql_replication_password }}"
+# postgresql_master_conninfo: # This should be done with a join
+ # "host={{ postgresql_master_host }}
+ # port={{ postgresql_master_port }}
+ # user={{ postgresql_replication_user }}
+ # password={{ postgresql_replication_password }}"
# By default, a standby server keeps restoring XLOG records from the primary
# indefinitely. If you want to stop the standby mode, finish recovery and open
# the system in read/write mode, specify a path to a trigger file. The server
# will poll the trigger file path periodically and start as a primary server
# when it's found.
-#postgresql_trigger_file: "/tmp/postgresql.trigger.5432"
+# postgresql_trigger_file: "/tmp/postgresql.trigger.5432"
diff --git a/roles/postgresql/handlers/main.yml b/roles/postgresql/handlers/main.yml
index 3686ebd8..e30379ad 100644
--- a/roles/postgresql/handlers/main.yml
+++ b/roles/postgresql/handlers/main.yml
@@ -1,13 +1,13 @@
---
-
+# postgresql
- name: Reload PostgreSQL
- service:
+ ansible.builtin.service:
name: "{{ postgresql_service }}"
state: "reloaded"
- become: yes
+ become: true
- name: Restart PostgreSQL
- service:
+ ansible.builtin.service:
name: "{{ postgresql_service }}"
- state: "restarted"
- become: yes
+ state: restarted
+ become: true
diff --git a/roles/postgresql/tasks/configure-common.yml b/roles/postgresql/tasks/configure-common.yml
index 79a1ed36..4a261c7a 100644
--- a/roles/postgresql/tasks/configure-common.yml
+++ b/roles/postgresql/tasks/configure-common.yml
@@ -1,25 +1,24 @@
# file: postgresql/tasks/configure-common.yml
#
---
-
- name: Configure PostgreSQL client authentication
- template:
+ ansible.builtin.template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: "{{ postgresql_user }}"
group: "{{ postgresql_group }}"
- mode: 0640
- backup: yes
+ mode: "0640"
+ backup: true
with_items:
- { src: "pg_hba.conf.j2", dest: "{{ postgresql_conf_path }}/main/pg_hba.conf" }
- become: yes
+ become: true
notify:
- Reload PostgreSQL
tags:
- - postgresql:pg_hba
+ - postgresql:pg_hba
- name: Create PostgreSQL databases
- postgresql_db:
+ community.postgresql.postgresql_db:
state: present
name: "{{ item.name }}"
encoding: "{{ item.encoding | default(omit) }}"
@@ -27,31 +26,33 @@
lc_ctype: "{{ item.lc_ctype | default(omit) }}"
template: "{{ item.template | default(omit) }}"
with_items: "{{ postgresql_databases }}"
- become: yes
+ become: true
become_user: "{{ postgresql_user }}"
- name: Configure PostgreSQL users
- postgresql_user:
+ community.postgresql.postgresql_user:
state: present
name: "{{ item.name }}"
- encrypted: "{{ item.encrypted | default(omit) }}"
+ encrypted: "{{ item.encrypted | default(omit) }}"
password: "{{ item.password | default(omit) }}"
- db: "{{ item.db | default(omit) }}"
+ db: "{{ item.db | default(omit) }}"
priv: "{{ item.priv | default(omit) }}"
role_attr_flags: "{{ item.role_attr_flags | default(omit) }}"
+ conn_limit: "{{ item.connection_limit }}" # Should force a default here
with_items: "{{ postgresql_users }}"
- become: yes
+ become: true
become_user: "{{ postgresql_user }}"
-- name: Configure connection limit of PostgreSQL users
- command: psql -U {{ postgresql_user }} -c 'ALTER ROLE {{ item.name }} WITH CONNECTION LIMIT {{ item.connection_limit }}'
- with_items: "{{ postgresql_users }}"
- when: "item.connection_limit is defined"
- become: yes
- become_user: "{{ postgresql_user }}"
+# This task deprecated by conn_limit arg in previous task.
+# - name: Configure connection limit of PostgreSQL users
+# ansible.builtin.command: psql -U {{ postgresql_user }} -c 'ALTER ROLE {{ item.name }} WITH CONNECTION LIMIT {{ item.connection_limit }}'
+# with_items: "{{ postgresql_users }}"
+# when: "item.connection_limit is defined"
+# become: true
+# become_user: "{{ postgresql_user }}"
- name: Configure privileges of PostgreSQL users
- postgresql_privs:
+ community.postgresql.postgresql_privs:
state: present
database: "{{ item.database }}"
roles: "{{ item.roles }}"
@@ -61,20 +62,27 @@
privs: "{{ item.privs | default(omit) }}"
schema: "{{ item.schema | default(omit) }}"
with_items: "{{ postgresql_privs }}"
- when: item.target is not defined
- become: yes
+ when: item.target is not defined
+ become: true
become_user: "{{ postgresql_user }}"
# See https://github.com/ansible/ansible-modules-core/issues/4493
-- name: Configure default privileges of PostgreSQL users
- command: psql -U {{ postgresql_user }} -c 'ALTER DEFAULT PRIVILEGES FOR USER {{ item.target }} IN SCHEMA {{ item.schema | default("public") }} GRANT {{ item.privs }} ON {{ item.type }} TO {{ item.roles }};'
- with_items: "{{ postgresql_privs }}"
- when: item.target is defined
- become: yes
- become_user: "{{ postgresql_user }}"
+# The above repo is deprecated, this task is probably obsolete
+# - name: Configure default privileges of PostgreSQL users
+# ansible.builtin.command: |-
+ # psql -U {{ postgresql_user }} \
+ # -c 'ALTER DEFAULT PRIVILEGES FOR USER {{ item.target }} \
+ # IN SCHEMA {{ item.schema | default("public") }} \
+ # GRANT {{ item.privs }} \
+ # ON {{ item.type }} \
+ # TO {{ item.roles }};'
+# with_items: "{{ postgresql_privs }}"
+# when: item.target is defined
+# become: true
+# become_user: "{{ postgresql_user }}"
- name: Configure PostgreSQL databases
- postgresql_db:
+ community.postgresql.postgresql_db:
state: present
name: "{{ item.name }}"
owner: "{{ item.owner | default(omit) }}"
@@ -83,44 +91,48 @@
lc_ctype: "{{ item.lc_ctype | default(omit) }}"
template: "{{ item.template | default(omit) }}"
with_items: "{{ postgresql_databases }}"
- become: yes
+ become: true
become_user: "{{ postgresql_user }}"
- name: Configure number of huge memory pages to be allocated
- sysctl:
+ ansible.posix.sysctl:
name: vm.nr_hugepages
value: "{{ postgresql_huge_pages_number }}"
state: present
when: postgresql_huge_pages_number is defined
- become: yes
+ become: true
- name: Configure PostgreSQL
- template:
- src: "{{ item.src }}"
- dest: "{{ item.dest }}"
- owner: "{{ postgresql_user }}"
+ ansible.builtin.template:
+ src: "postgresql-{{ postgresql_version }}.conf.j2"
+ dest: "{{ postgresql_conf_path }}/main/postgresql.conf"
+ owner: "{{ postgresql_user }}"
group: "{{ postgresql_group }}"
- mode: 0644
- backup: yes
- with_items:
- - { src: "postgresql-{{ postgresql_version }}.conf.j2", dest: "{{ postgresql_conf_path }}/main/postgresql.conf" }
- become: yes
+ mode: "0644"
+ backup: true
+ # unnecessary loop - disabled
+ # with_items:
+ # - src: "postgresql-{{ postgresql_version }}.conf.j2"
+ # dest: "{{ postgresql_conf_path }}/main/postgresql.conf"
+ become: true
notify:
- Restart PostgreSQL
-- name: Check if PostreSQL standby server is in recovery
- command: psql -U {{ postgresql_user }} -c 'SELECT pg_is_in_recovery();'
+# This should be done with an assertion on an output
+- name: Check if PostreSQL standby server is in recovery
+ ansible.builtin.command: psql -U {{ postgresql_user }} -c 'SELECT pg_is_in_recovery();'
when: "'dbstandby' in group_names"
register: postgresql_is_in_recovery_status
- ignore_errors: yes
- changed_when: no
- become: yes
+ ignore_errors: true
+ changed_when: false
+ become: true
become_user: "{{ postgresql_user }}"
- name: Register PostgreSQL standby server recovery status
- set_fact:
+ ansible.builtin.set_fact:
postgresql_is_in_recovery: "{{ postgresql_is_in_recovery_status is success and postgresql_is_in_recovery_status.stdout_lines[2].find('t') == 1 }}"
when: "'dbstandby' in group_names"
-- include: init-standby-common.yml
+- name: Init Standby
+ ansible.builtin.include_tasks: init-standby-common.yml
when: "'dbstandby' in group_names and not postgresql_is_in_recovery"
diff --git a/roles/postgresql/tasks/init-standby-common.yml b/roles/postgresql/tasks/init-standby-common.yml
index e0177571..2d7bb318 100644
--- a/roles/postgresql/tasks/init-standby-common.yml
+++ b/roles/postgresql/tasks/init-standby-common.yml
@@ -1,32 +1,42 @@
---
- name: Stop PostgreSQL
- service:
+ ansible.builtin.service:
name: "{{ postgresql_service }}"
state: "stopped"
- become: yes
+ become: true
- name: Remove PostgreSQL data dir
- file:
+ ansible.builtin.file:
path: "{{ postgresql_data_path }}/main"
state: absent
- become: yes
+ become: true
- name: Take base backup of PostgreSQL database
- shell: "{{ item }}"
+ ansible.builtin.shell: "{{ item }}" # noqa command-instead-of-shell
environment:
PGPASSWORD: "{{ postgresql_replication_password }}"
- become: yes
+ become: true
become_user: "{{ postgresql_user }}"
+ changed_when: false
with_items:
- - pg_basebackup -h {{ postgresql_master_host }} -p {{ postgresql_master_port }} -D {{ postgresql_data_path }}/main -U {{ postgresql_replication_user }} -X stream -R
+ - |-
+ pg_basebackup \
+ -h {{ postgresql_master_host }} \
+ -p {{ postgresql_master_port }} \
+ -D {{ postgresql_data_path }}/main \
+ -U {{ postgresql_replication_user }} \
+ -X stream \
+ -R
- sleep 15
+# sleep should be a wait_for task after this one
+
- name: Configure PostgreSQL replication
- template:
- src: recovery.conf.j2
+ ansible.builtin.template:
+ src: recovery.conf.j2
dest: "{{ postgresql_data_path }}/main/recovery.conf"
owner: "{{ postgresql_user }}"
group: "{{ postgresql_group }}"
- mode: 0640
- become: yes
+ mode: "0640"
+ become: true
when: postgresql_version is version('12', '<')
diff --git a/roles/postgresql/tasks/install-Debian.yml b/roles/postgresql/tasks/install-Debian.yml
index 30dd2dc7..44c3363b 100644
--- a/roles/postgresql/tasks/install-Debian.yml
+++ b/roles/postgresql/tasks/install-Debian.yml
@@ -1,25 +1,24 @@
# file: postgresql/tasks/install-Debian.yml
#
---
-
- name: Ensure PostgreSQL is installed (Debian)
- apt:
+ ansible.builtin.apt:
name: "postgresql-{{ postgresql_version }}"
state: present
- install_recommends: no
- update_cache: yes
+ install_recommends: false
+ update_cache: true
cache_valid_time: 86400
- become: yes
+ become: true
-# The postgresql_user module requires psycopg2, a Python PostgreSQL database
+# The postgresql_user module requires psycopg2, a Python PostgreSQL database
# adapter. We must ensure that psycopg2 is installed on the remote host before
# using this module.
- name: Ensure PostgreSQL python module is installed (Debian)
- apt:
+ ansible.builtin.apt:
name: "{{ postgresql_psycopg2_package }}"
state: present
- install_recommends: no
- update_cache: yes
+ install_recommends: false
+ update_cache: true
cache_valid_time: 86400
when: postgresql_users | length > 0
- become: yes
+ become: true
diff --git a/roles/postgresql/tasks/main.yml b/roles/postgresql/tasks/main.yml
index 493c1281..03d0673c 100644
--- a/roles/postgresql/tasks/main.yml
+++ b/roles/postgresql/tasks/main.yml
@@ -1,9 +1,8 @@
# file: postgresql/tasks/main.yml
#
---
-
- name: Include OS-specific variables
- include_vars: "{{ item }}"
+ ansible.builtin.include_vars: "{{ item }}"
with_first_found:
- "{{ ansible_distribution }}-{{ ansible_distribution_release }}.yml"
- "{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml"
@@ -13,66 +12,67 @@
- always
- name: Define PostgreSQL version
- set_fact:
+ ansible.builtin.set_fact:
postgresql_version: "{{ postgresql_default_version }}"
when: postgresql_version is not defined
tags:
- always
- name: Define PostgreSQL configuration path
- set_fact:
+ ansible.builtin.set_fact:
postgresql_conf_path: "{{ postgresql_default_conf_path }}"
when: postgresql_conf_path is not defined
tags:
- always
- name: Define PostgreSQL data path
- set_fact:
+ ansible.builtin.set_fact:
postgresql_data_path: "{{ postgresql_default_data_path }}"
when: postgresql_data_path is not defined
tags:
- always
- name: Define PostgreSQL service name
- set_fact:
+ ansible.builtin.set_fact:
postgresql_service: "{{ postgresql_default_service }}"
when: postgresql_service is not defined
tags:
- always
- name: Define PostgreSQL user
- set_fact:
+ ansible.builtin.set_fact:
postgresql_user: "{{ postgresql_default_user }}"
when: postgresql_user is not defined
tags:
- always
- name: Define PostgreSQL group
- set_fact:
+ ansible.builtin.set_fact:
postgresql_group: "{{ postgresql_default_group }}"
when: postgresql_group is not defined
tags:
- always
- name: Define PostgreSQL python module version
- set_fact:
+ ansible.builtin.set_fact:
postgresql_psycopg2_package: "{{ postgresql_default_psycopg2_package }}"
when: postgresql_psycopg2_package is not defined
tags:
- always
-# Install OS-specific packages
-- include: install-Debian.yml
+- name: Install OS-specific packages
+ ansible.builtin.include_tasks: install-Debian.yml
when: ansible_os_family == 'Debian'
-#- include: install-CentOS.yml
+# - include: install-CentOS.yml
# when: ansible_os_family == 'CentOS
-# Apply OS-independent configuration
-- include: configure-common.yml
+#
+- name: Apply OS-independent configuration
+ ansible.builtin.include_tasks: configure-common.yml
- name: Ensure PostgreSQL service is started and enabled on boot
- service:
+ ansible.builtin.service:
name: "{{ postgresql_service }}"
state: "started"
- enabled: yes
- become: yes
+ enabled: true
+ become: true
diff --git a/roles/postgresql/templates/postgresql-11.conf.j2 b/roles/postgresql/templates/postgresql-11.conf.j2
index 1764fde0..c0f16512 100644
--- a/roles/postgresql/templates/postgresql-11.conf.j2
+++ b/roles/postgresql/templates/postgresql-11.conf.j2
@@ -122,7 +122,7 @@ huge_pages = {{ postgresql_huge_pages_mode }} # on, off, or try
#temp_buffers = 8MB # min 800kB
#max_prepared_transactions = 0 # zero disables the feature
# (change requires restart)
-# Caution: it is not advisable to set max_prepared_transactions nonzero unless|
+# Caution: it is not advisable to set max_prepared_transactions nonzero unless|
# you actively intend to use prepared transactions.
work_mem = {{ postgresql_work_mem }} # min 64kB
#maintenance_work_mem = 64MB # min 1MB
diff --git a/roles/postgresql/templates/postgresql-12.conf.j2 b/roles/postgresql/templates/postgresql-12.conf.j2
index 7ba45837..54a219f7 100644
--- a/roles/postgresql/templates/postgresql-12.conf.j2
+++ b/roles/postgresql/templates/postgresql-12.conf.j2
@@ -127,7 +127,7 @@ huge_pages = {{ postgresql_huge_pages_mode }} # on, off, or try
#temp_buffers = 8MB # min 800kB
#max_prepared_transactions = 0 # zero disables the feature
# (change requires restart)
-# Caution: it is not advisable to set max_prepared_transactions nonzero unless
+# Caution: it is not advisable to set max_prepared_transactions nonzero unless
# you actively intend to use prepared transactions.
work_mem = {{ postgresql_work_mem }} # min 64kB
#maintenance_work_mem = 64MB # min 1MB
diff --git a/roles/rciam-metrics/defaults/main.yml b/roles/rciam-metrics/defaults/main.yml
index 0d4112ae..01a33fa9 100644
--- a/roles/rciam-metrics/defaults/main.yml
+++ b/roles/rciam-metrics/defaults/main.yml
@@ -1,7 +1,5 @@
# file: group_vars/metrics/main.yml
-
---
-
metrics_path: /srv/rciam-metrics-client/rciam-metrics
metrics_repo: https://github.com/rciam/rciam-metrics-dev
metrics_release: 1.0.0
@@ -9,7 +7,7 @@ metrics_fast_api_folder_name: app
metrics_ip2country_dir: ip2country_directory
# Whether to install RCIAM metrics cron job; Enabled by default
-metrics_cron_enabled: yes
+metrics_cron_enabled: true
metrics_api:
address: "localhost"
@@ -30,7 +28,7 @@ metrics_config:
admin: metrics_dev_admin
password: "{{ vault_metrics_db_password }}"
host: db.rciam.noc.grnet.gr
- pool_size : 15
+ pool_size: 15
max_overflow: 5
log:
level: DEBUG
@@ -129,6 +127,6 @@ metrics_user:
month: "*"
weekday: "*"
-#metrics_symlinks:
+# metrics_symlinks:
# - target: "/path/to/target"
# link: "/path/to/symlink"
diff --git a/roles/rciam-metrics/handlers/main.yml b/roles/rciam-metrics/handlers/main.yml
index 09ca680d..aeb99312 100644
--- a/roles/rciam-metrics/handlers/main.yml
+++ b/roles/rciam-metrics/handlers/main.yml
@@ -1,10 +1,10 @@
---
# handlers file for rciam-metrics
-- name: fastapi.service restart
- systemd:
+- name: Fastapi.service restart
+ ansible.builtin.systemd:
name: fastapi
state: restarted
- enabled: yes
- daemon_reload: yes
- become: yes
+ enabled: true
+ daemon_reload: true
+ become: true
diff --git a/roles/rciam-metrics/tasks/bootstrap.yml b/roles/rciam-metrics/tasks/bootstrap.yml
index 7a44ab67..58ded1ac 100644
--- a/roles/rciam-metrics/tasks/bootstrap.yml
+++ b/roles/rciam-metrics/tasks/bootstrap.yml
@@ -1,40 +1,39 @@
# file: tasks/bootstrap.yml
---
-
- name: Ensure util groups exist
- group:
+ ansible.builtin.group:
name: "{{ metrics_user.group }}"
- system: yes
- become: yes
+ system: true
+ become: true
- name: Ensure metrics user exists
- user:
+ ansible.builtin.user:
name: "{{ metrics_user.name }}"
groups: "{{ metrics_user.group }}"
- comment: "{{ metrics_user.gecos }}"
+ comment: "{{ metrics_user.gecos }}"
shell: "{{ metrics_user.shell }}"
home: "{{ metrics_user.path }}"
- system: yes
- create_home: yes
+ system: true
+ create_home: true
skeleton: "/empty"
- become: yes
+ become: true
- name: Upgrade pip3
- pip:
+ ansible.builtin.pip:
name: pip
- state: latest
+ state: present
virtualenv: "{{ metrics_path }}/.venv"
extra_args: --upgrade
- become: yes
+ become: true
-- name: fastapi systemd setup
- template:
- owner: "www-data"
- group: "www-data"
- mode: 0644
- src: templates/fastapi/fastapi.service.j2
- dest: /etc/systemd/system/fastapi.service
+- name: Fastapi systemd setup
+ ansible.builtin.template:
+ owner: "www-data"
+ group: "www-data"
+ mode: "0644"
+ src: templates/fastapi/fastapi.service.j2
+ dest: /etc/systemd/system/fastapi.service
notify: fastapi.service restart
- become: yes
+ become: true
tags:
- fastapi_service
diff --git a/roles/rciam-metrics/tasks/configure-local.yml b/roles/rciam-metrics/tasks/configure-local.yml
index 098d0654..70e30e2d 100644
--- a/roles/rciam-metrics/tasks/configure-local.yml
+++ b/roles/rciam-metrics/tasks/configure-local.yml
@@ -3,12 +3,12 @@
# After creating react configuration, github action will move the file to the react application
# before building
- name: Create react configuration file locally
- template:
- src: "react/config.json.j2"
+ ansible.builtin.template:
+ src: react/config.json.j2
dest: "{{ inventory_dir }}/files/config.{{ item.tenant }}.json"
- mode: 0400
- backup: yes
+ mode: "0400"
+ backup: true
loop: "{{ metrics_config | default([]) }}"
when: item.frontend is defined
- no_log: yes
- delegate_to: localhost
\ No newline at end of file
+ no_log: true
+ delegate_to: localhost
diff --git a/roles/rciam-metrics/tasks/deploy-backend.yml b/roles/rciam-metrics/tasks/deploy-backend.yml
index 8465f385..999cb97f 100644
--- a/roles/rciam-metrics/tasks/deploy-backend.yml
+++ b/roles/rciam-metrics/tasks/deploy-backend.yml
@@ -2,104 +2,106 @@
---
# This needs the metrics_release, only github actions can know or if you set it manually
- name: Download and unarchive latest release zip file
- unarchive:
+ ansible.builtin.unarchive:
src: "{{ metrics_repo }}/releases/download/{{ metrics_release }}/backend-release-build.tar.gz"
dest: "{{ metrics_path }}"
remote_src: true
owner: "{{ metrics_user.name }}"
group: "{{ metrics_user.name }}"
- become: yes
+ become: true
notify:
- fastapi.service restart
tags:
- rciam-metrics:deploy-backend:unarchive
- name: Ensure metrics python requirements are installed in virtualenv
- pip:
+ ansible.builtin.pip:
requirements: "{{ metrics_path }}/requirements.txt"
virtualenv: "{{ metrics_path }}/.venv"
virtualenv_command: python3 -m venv
state: present
- become: yes
+ become: true
notify:
- fastapi.service restart
tags:
- rciam-metrics:deploy-backend:requirements
- name: Ensure configurations (fastapi) are configured
- template:
+ ansible.builtin.template:
src: "fastapi/config.py.j2"
dest: "{{ metrics_path }}/config.{{ item.tenant }}.py"
owner: "{{ metrics_user.name }}"
group: "{{ metrics_user.group }}"
- mode: 0400
- backup: yes
+ mode: "0400"
+ backup: true
loop: "{{ metrics_config | default([]) }}"
- no_log: yes
- become: yes
+ no_log: true
+ become: true
notify:
- fastapi.service restart
tags:
- rciam-metrics:deploy-backend:config
- name: Ensure authorizations are configured
- template:
+ ansible.builtin.template:
src: "fastapi/authorize.py.j2"
dest: "{{ metrics_path }}/authorize.{{ item.tenant }}.py"
owner: "{{ metrics_user.name }}"
group: "{{ metrics_user.group }}"
- mode: 0400
- backup: yes
+ mode: "0400"
+ backup: true
loop: "{{ metrics_config | default([]) }}"
- become: yes
+ become: true
notify:
- fastapi.service restart
tags:
- rciam-metrics:deploy-backend:authorize
- name: Ensure ip to country database file(s) are copied
- copy:
+ become: true
+ ansible.builtin.copy:
src: "{{ metrics_ip2country_dir }}/"
dest: "{{ metrics_path }}/{{ metrics_fast_api_folder_name }}/ip_databases/"
owner: "{{ metrics_user.name }}"
group: "{{ metrics_user.group }}"
- mode: 0400
- backup: yes
- become: yes
+ mode: "0400"
+ backup: true
notify:
- fastapi.service restart
tags:
- rciam-metrics:deploy-backend:iptocountry
- name: Ensure log path exists
- file:
- path: "{{ metrics_path }}/{{metrics_fast_api_folder_name}}/logs"
+ ansible.builtin.file:
+ path: "{{ metrics_path }}/{{ metrics_fast_api_folder_name }}/logs"
state: directory
owner: "{{ metrics_user.name }}"
group: "{{ metrics_user.group }}"
- become: yes
+ mode: "0755"
+ become: true
notify:
- fastapi.service restart
tags:
- rciam-metrics:deploy-backend:logging
- name: Ensure log file exists
- file:
- path: "{{ metrics_path }}/{{metrics_fast_api_folder_name}}/logs/metrics.log"
+ ansible.builtin.file:
+ path: "{{ metrics_path }}/{{ metrics_fast_api_folder_name }}/logs/metrics.log"
state: touch
owner: "{{ metrics_user.name }}"
group: "{{ metrics_user.group }}"
- become: yes
+ mode: "0644"
+ become: true
notify:
- fastapi.service restart
tags:
- rciam-metrics:deploy-backend:logging
- name: Create Symbolic links
- file:
+ ansible.builtin.file:
src: "{{ item.symlink.target }}"
dest: "{{ item.symlink.link }}"
- force: yes
+ force: true
state: link
owner: root
group: root
@@ -110,11 +112,11 @@
- rciam-metrics:deploy-backend:symlink
- name: Add ENV vars in cron.d file
- cron:
+ ansible.builtin.cron:
name: "{{ item.name }}"
job: "{{ item.job }}"
user: "{{ item.user }}"
- env: yes
+ env: true
cron_file: "{{ item.filename }}"
state: present
loop: "{{ metrics_user.cron_env | default([]) }}"
@@ -124,10 +126,10 @@
- rciam-metrics:deploy-backend:cron
- name: Ensure util cron jobs are installed
- cron:
+ ansible.builtin.cron:
name: "{{ metrics_user.name }}"
user: "{{ metrics_user.name }}"
- cron_file: "{{ metrics_user.name}}"
+ cron_file: "{{ metrics_user.name }}"
job: "{{ metrics_user.cron.job }}"
minute: "{{ metrics_user.cron.minute | default(omit) }}"
hour: "{{ metrics_user.cron.hour | default(omit) }}"
@@ -135,8 +137,6 @@
month: "{{ metrics_user.cron.month | default(omit) }}"
backup: true
when: metrics_user.cron is defined and metrics_cron_enabled
- become: yes
+ become: true
tags:
- rciam-metrics:deploy-backend:cron
-
-
diff --git a/roles/rciam-metrics/tasks/deploy-frontend.yml b/roles/rciam-metrics/tasks/deploy-frontend.yml
index a318c42a..894a7b6f 100644
--- a/roles/rciam-metrics/tasks/deploy-frontend.yml
+++ b/roles/rciam-metrics/tasks/deploy-frontend.yml
@@ -1,27 +1,28 @@
---
- name: Ensure release directory exists
- file:
- path: "{{ metrics_path }}/{{ metrics_react_folder_name }}/{{tenant_environment | replace('.','_')}}/metrics-{{metrics_release}}"
+ ansible.builtin.file:
+ path: "{{ metrics_path }}/{{ metrics_react_folder_name }}/{{ tenant_environment | replace('.', '_') }}/metrics-{{ metrics_release }}"
state: directory
- become: yes
+ mode: "0755"
+ become: true
# This needs the metrics_release, only github actions can know or if you set it manually
# This needs the tenant_environment, only github actions can know or if you set it manually
- name: Download and unarchive latest release zip file
- unarchive:
- src: "{{ metrics_repo }}/releases/download/{{ metrics_release }}/frontend-{{tenant_environment}}-release-build.tar.gz"
- dest: "{{ metrics_path }}/{{ metrics_react_folder_name }}/{{tenant_environment | replace('.','_')}}/metrics-{{metrics_release}}"
+ ansible.builtin.unarchive:
+ src: "{{ metrics_repo }}/releases/download/{{ metrics_release }}/frontend-{{ tenant_environment }}-release-build.tar.gz"
+ dest: "{{ metrics_path }}/{{ metrics_react_folder_name }}/{{ tenant_environment | replace('.', '_') }}/metrics-{{ metrics_release }}"
remote_src: true
owner: "{{ metrics_user.name }}"
group: "{{ metrics_user.name }}"
- become: yes
+ become: true
- name: Ensure symbolic link to latest metrics package exists
- file:
- src: "{{ metrics_path }}/{{ metrics_react_folder_name }}/{{tenant_environment | replace('.','_')}}/metrics-{{metrics_release}}"
- dest: "{{ metrics_path }}/{{ metrics_react_folder_name }}/{{tenant_environment | replace('.','_')}}/metrics"
- force: yes
+ ansible.builtin.file:
+ src: "{{ metrics_path }}/{{ metrics_react_folder_name }}/{{ tenant_environment | replace('.', '_') }}/metrics-{{ metrics_release }}"
+ dest: "{{ metrics_path }}/{{ metrics_react_folder_name }}/{{ tenant_environment | replace('.', '_') }}/metrics"
+ force: true
state: link
owner: "{{ metrics_user.name }}"
group: "{{ metrics_user.name }}"
- become: yes
+ become: true
diff --git a/roles/rciam-metrics/tasks/install-Debian.yml b/roles/rciam-metrics/tasks/install-Debian.yml
index 45d12421..47d04a91 100644
--- a/roles/rciam-metrics/tasks/install-Debian.yml
+++ b/roles/rciam-metrics/tasks/install-Debian.yml
@@ -1,10 +1,9 @@
# file: metrics/tasks/install-Debian.yml
#
---
-
- name: Ensure metrics dependencies are installed
- apt:
- name:
+ ansible.builtin.apt:
+ name: # Should be declared in defaults
- git
- python3-venv
- build-essential
@@ -14,7 +13,7 @@
- python3-virtualenv
- libpq-dev
state: present
- install_recommends: no
- update_cache: yes
+ install_recommends: false
+ update_cache: true
cache_valid_time: 86400
- become: yes
+ become: true
diff --git a/roles/rciam-metrics/tasks/main.yml b/roles/rciam-metrics/tasks/main.yml
index 3995d27c..259f01b0 100644
--- a/roles/rciam-metrics/tasks/main.yml
+++ b/roles/rciam-metrics/tasks/main.yml
@@ -1,17 +1,15 @@
---
-
-# Include OS-specific installation tasks
-- include_tasks: install-Debian.yml
+- name: Include OS-specific installation tasks
+ ansible.builtin.include_tasks: install-Debian.yml
when: ansible_os_family == 'Debian'
tags:
- rciam-metrics:install
-# Include OS-independent installation tasks
-- import_tasks: bootstrap.yml
+- name: Include OS-independent installation tasks
+ ansible.builtin.import_tasks: bootstrap.yml
tags:
- rciam-metrics:bootstrap
-# Include OS-independent configuration tasks
# NOTE: The first time this task has to run manually using the --extra-var parameter
# of ansible cmd command
# e.g. ansible-playbook -u debian
@@ -22,18 +20,19 @@
# --extra-vars metrics_release="metrics-api-deploy_changes-rc-deploy_changes-6335295151"
# --diff
# --check
-- import_tasks: deploy-backend.yml
+- name: Include OS-independent configuration tasks
+ ansible.builtin.import_tasks: deploy-backend.yml
tags:
- rciam-metrics:deploy-backend
- # Include OS-independent configuration tasks
# NOTE: Runs through github actions ONLY
-- import_tasks: configure-local.yml
+- name: Include OS-independent configuration tasks
+ ansible.builtin.import_tasks: configure-local.yml
tags:
- rciam-metrics:config-local
- # Include OS-independent configuration tasks
# NOTE: Runs through github actions ONLY
-- import_tasks: deploy-frontend.yml
+- name: Include OS-independent configuration tasks
+ ansible.builtin.import_tasks: deploy-frontend.yml
tags:
- rciam-metrics:deploy-frontend
diff --git a/roles/rciam-oidc-client/tasks/configure-common.yml b/roles/rciam-oidc-client/tasks/configure-common.yml
index 837a2d40..a8d7942d 100644
--- a/roles/rciam-oidc-client/tasks/configure-common.yml
+++ b/roles/rciam-oidc-client/tasks/configure-common.yml
@@ -1,9 +1,10 @@
# file: tasks/configure.yml
---
- name: Configure webapp
- template:
+ ansible.builtin.template:
src: "{{ item.src_config_path }}"
dest: "{{ item.dest_config_path }}"
- backup: yes
+ backup: true
+ mode: "0644"
loop: "{{ rciam_oidc_clients }}"
- become: yes
+ become: true
diff --git a/roles/rciam-oidc-client/tasks/install-common-client.yml b/roles/rciam-oidc-client/tasks/install-common-client.yml
index 5c340d03..c5d85272 100644
--- a/roles/rciam-oidc-client/tasks/install-common-client.yml
+++ b/roles/rciam-oidc-client/tasks/install-common-client.yml
@@ -3,46 +3,48 @@
---
- name: Create RCIAM OIDC Client temp directory
- file:
+ ansible.builtin.file:
path: "/tmp/{{ item.item.name }}"
state: directory
- become: yes
+ mode: "0755"
+ become: true
- name: Download & unarchive RCIAM OIDC Client to temp directory
- unarchive:
+ ansible.builtin.unarchive:
src: "{{ item.item.release }}"
dest: "/tmp/{{ item.item.name }}"
- remote_src: yes
- list_files: yes
+ remote_src: true
+ list_files: true
register: rciam_oidc_client_unarchive
- become: yes
+ become: true
- name: Setting RCIAM OIDC Client temp directory
- set_fact:
+ ansible.builtin.set_fact:
rciam_oidc_client_tmp_dir: "/tmp/{{ item.item.name }}/{{ rciam_oidc_client_unarchive.files[0].split('/')[0] }}"
- name: Backup old version of RCIAM OIDC Client
- command:
+ ansible.builtin.command:
cmd: "mv {{ item.item.path }} {{ item.item.path }}.{{ ansible_date_time.iso8601 }}"
removes: "{{ item.item.path }}"
- become: yes
+ become: true
- name: Move RCIAM OIDC Client from temp directory to target path
- command: "mv {{ rciam_oidc_client_tmp_dir }} {{ item.item.path }}"
- become: yes
+ ansible.builtin.command: "mv {{ rciam_oidc_client_tmp_dir }} {{ item.item.path }}"
+ changed_when: false
+ become: true
- name: Create a file with the version of the RCIAM OIDC Client
- copy:
+ ansible.builtin.copy:
content: ""
dest: "{{ item.item.path }}/{{ item.item.version }}"
- force: no
- owner: "root"
- group: "root"
+ force: false
+ owner: root
+ group: root
mode: "0644"
- become: yes
+ become: true
- name: Ensure RCIAM OIDC Client temp directory is absent
- file:
+ ansible.builtin.file:
path: "/tmp/{{ item.item.name }}"
state: absent
- become: yes
+ become: true
diff --git a/roles/rciam-oidc-client/tasks/install-common.yml b/roles/rciam-oidc-client/tasks/install-common.yml
index cce56a17..dff42eb7 100644
--- a/roles/rciam-oidc-client/tasks/install-common.yml
+++ b/roles/rciam-oidc-client/tasks/install-common.yml
@@ -3,18 +3,18 @@
---
- name: Ensure unzip is installed
- package:
+ ansible.builtin.package:
name: unzip
state: present
become: true
-- name: Check which RCIAM OIDC Clients need to be installed
- stat:
- path: "{{ item.path }}/{{ item.version }}"
+- name: Check which RCIAM OIDC Clients need to be installed
+ ansible.builtin.stat:
+ path: "{{ item.path }}/{{ item.version }}"
loop: "{{ rciam_oidc_clients }}"
register: rciam_oidc_client_stats
- name: Ensure RCIAM OIDC Client is installed
- include_tasks: install-common-client.yml
+ ansible.builtin.include_tasks: install-common-client.yml
loop: "{{ rciam_oidc_client_stats.results }}"
when: not item.stat.exists
diff --git a/roles/rciam-oidc-client/tasks/main.yml b/roles/rciam-oidc-client/tasks/main.yml
index ae049d80..6e186782 100644
--- a/roles/rciam-oidc-client/tasks/main.yml
+++ b/roles/rciam-oidc-client/tasks/main.yml
@@ -1,12 +1,12 @@
# file: rciam-oidc-client/tasks/main.yml
#
---
-# Include OS-specific installation tasks
-- include: install-common.yml
+- name: Include OS-specific installation tasks
+ ansible.builtin.include_tasks: install-common.yml
tags:
- install
-# Include OS-independent configuration tasks
-- include: configure-common.yml
+- name: Include OS-independent configuration tasks
+ ansible.builtin.include_tasks: configure-common.yml
tags:
- config
diff --git a/roles/rciam-probes/defaults/main.yml b/roles/rciam-probes/defaults/main.yml
index b2b78493..5dfb3272 100644
--- a/roles/rciam-probes/defaults/main.yml
+++ b/roles/rciam-probes/defaults/main.yml
@@ -4,7 +4,7 @@ timezone: "UTC"
nagios_home: "/home/nagios"
rciam_probes_log_dir: "/var/log/rciam_probes"
-#argo_environment: "devel"
+# argo_environment: "devel"
repos:
- name: "argo-{{ argo_environment }}"
@@ -12,4 +12,4 @@ repos:
file: "argo"
baseurl: "http://rpm-repo.argo.grnet.gr/ARGO/{{ argo_environment }}/centos{{ ansible_distribution_major_version }}/"
gpgcheck: 0
- enabled: 1
\ No newline at end of file
+ enabled: 1
diff --git a/roles/rciam-probes/handlers/main.yml b/roles/rciam-probes/handlers/main.yml
index 849169c7..ed97d539 100644
--- a/roles/rciam-probes/handlers/main.yml
+++ b/roles/rciam-probes/handlers/main.yml
@@ -1,3 +1 @@
---
-
-
diff --git a/roles/rciam-probes/tasks/configure-RedHat.yml b/roles/rciam-probes/tasks/configure-RedHat.yml
index 3f4feb39..9ca4d658 100644
--- a/roles/rciam-probes/tasks/configure-RedHat.yml
+++ b/roles/rciam-probes/tasks/configure-RedHat.yml
@@ -1,11 +1,11 @@
---
- name: Add ENV vars in cron.d file (REDHAD)
- cron:
+ ansible.builtin.cron:
name: "{{ item.name }}"
job: "{{ item.job }}"
user: "{{ item.user }}"
- env: yes
+ env: true
cron_file: "{{ item.filename }}"
state: present
loop: "{{ cron_env | default([]) }}"
@@ -13,7 +13,7 @@
when: cron_env is defined
- name: Add cron jobs (RedHat)
- cron:
+ ansible.builtin.cron:
name: "{{ item.name }}"
minute: "{{ item.minute }}"
job: "{{ item.job }}"
@@ -25,19 +25,19 @@
when: cron_jobs is defined
- name: Set a universal Apache policy (RedHat)
- command: "setsebool -P httpd_unified 1"
+ ansible.builtin.command: "setsebool -P httpd_unified 1"
become: true
changed_when: false
- name: Ensure nagios home directory has search permissions on (RedHat)
- file:
+ ansible.builtin.file:
path: "{{ nagios_registered.home }}"
state: directory
mode: "0701"
become: true
- name: Ensure html directory exists under nagios home directory (RedHat)
- file:
+ ansible.builtin.file:
path: "{{ nagios_registered.home }}/{{ item }}"
state: directory
owner: nagios
@@ -48,7 +48,7 @@
become: true
- name: Install policycoreutils-python (RedHat)
- yum:
+ ansible.builtin.yum:
name: "{{ item }}"
state: present
update_cache: true
@@ -58,17 +58,18 @@
# semanage fcontext -a -t httpd_sys_content_t "/var/spool/nagios/html(/.*)?"
# /etc/selinux/targeted/contexts/files/file_contexts.local
- name: Set selinux policy for directories (RedHat)
- sefcontext:
- target: "{{ item.target }}(/.*)?"
- setype: "{{ item.setype }}"
- reload: True
- state: present
+ community.general.sefcontext:
+ target: "{{ item.target }}(/.*)?"
+ setype: "{{ item.setype }}"
+ reload: true
+ state: present
become: true
with_items:
- - { target: "{{ nagios_registered.home }}/html", setype: "httpd_sys_content_t" }
+ - { target: "{{ nagios_registered.home }}/html", setype: "httpd_sys_content_t" }
- name: Apply new SELinux file context to filesystem (RedHat)
- command: "restorecon -irv {{ item }}"
+ ansible.builtin.command: "restorecon -irv {{ item }}"
+ changed_when: false
loop:
- "{{ nagios_registered.home }}/html"
- become: true
\ No newline at end of file
+ become: true
diff --git a/roles/rciam-probes/tasks/install-RedHat.yml b/roles/rciam-probes/tasks/install-RedHat.yml
index 5736f6da..17074f8c 100644
--- a/roles/rciam-probes/tasks/install-RedHat.yml
+++ b/roles/rciam-probes/tasks/install-RedHat.yml
@@ -1,34 +1,34 @@
---
- name: Ensure Repos are installed (RedHat)
- yum_repository:
+ ansible.builtin.yum_repository:
name: "{{ item.name }}"
description: "{{ item.description }}"
file: "{{ item.file }}"
baseurl: "{{ item.baseurl }}"
- gpgcheck: "{{ item.gpgcheck}}"
+ gpgcheck: "{{ item.gpgcheck }}"
enabled: "{{ item.enabled }}"
- loop: "{{ repos | default([])}}"
- become: yes
+ loop: "{{ repos | default([]) }}"
+ become: true
- name: Install dependencies (RedHat)
- yum:
+ ansible.builtin.yum:
name: "{{ item }}"
state: present
- validate_certs: no
+ validate_certs: false
update_cache: true
loop: "{{ dependencies | default([]) }}"
when: dependencies is defined
- name: Ensure nagios group is present (RedHat)
- group:
+ ansible.builtin.group:
name: nagios
state: present
become: true
- name: Ensure nagios user is present and member of nagios and apache groups (RedHat)
- user:
+ ansible.builtin.user:
name: nagios
state: present
home: "{{ nagios_home }}"
@@ -38,19 +38,19 @@
become: true
- name: Echo nagios home directory (RedHat)
- debug:
+ ansible.builtin.debug:
var: nagios_registered
verbosity: 1
- name: Install rciam_probes (RedHat)
- yum:
+ ansible.builtin.yum:
name: rciam_probes
- state: latest
+ state: present
update_cache: true
become: true
- name: Ensure log file owned by nagios user (RedHat)
- file:
+ ansible.builtin.file:
dest: "{{ rciam_probes_log_dir }}"
state: directory
mode: "0744"
@@ -59,14 +59,14 @@
become: true
- name: Upgrade pip3 (RedHat)
- pip:
+ ansible.builtin.pip:
name: pip
executable: pip3
extra_args: --upgrade
# Ensuring the umask is 0022 (to ensure other users can use it)
- name: Install python3 packages (RedHat)
- pip:
+ ansible.builtin.pip:
name: "{{ item.name }}"
version: "{{ item.version }}"
umask: "0022"
@@ -74,4 +74,3 @@
loop: "{{ pip_dependencies | default([]) }}"
become: true
when: pip_dependencies is defined
-
diff --git a/roles/rciam-probes/tasks/main.yml b/roles/rciam-probes/tasks/main.yml
index a0077fd5..0dc49523 100644
--- a/roles/rciam-probes/tasks/main.yml
+++ b/roles/rciam-probes/tasks/main.yml
@@ -3,34 +3,34 @@
---
- name: Include OS-specific variables
- include_vars: "{{ item }}"
+ ansible.builtin.include_vars: "{{ item }}"
with_first_found:
- - "{{ ansible_distribution }}-{{ ansible_distribution_release}}.yml"
- - "{{ ansible_distribution }}-{{ ansible_distribution_major_version}}.yml"
- - "{{ ansible_os_family }}-{{ ansible_distribution_major_version}}.yml"
+ - "{{ ansible_distribution }}-{{ ansible_distribution_release }}.yml"
+ - "{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml"
+ - "{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml"
- "{{ ansible_distribution }}.yml"
- "{{ ansible_os_family }}.yml"
tags:
- always
-# Install OS-specific packages
-- include: install-RedHat.yml
+- name: Install OS-specific packages
+ ansible.builtin.include_tasks: install-RedHat.yml
when: ansible_os_family == 'RedHat'
-#- include: install-Debian.yml
+# - include: install-Debian.yml
# when: ansible_os_family == 'Debian'
-# Configure OS-specific packages
-- include: configure-RedHat.yml
+- name: Configure RedHat
+ ansible.builtin.include_tasks: configure-RedHat.yml
when: ansible_os_family == 'RedHat'
-#- include: configure-Debian.yml
+# - include: configure-Debian.yml
# when: ansible_os_family == 'Debian'
# Tasks adding/copying/replacing files
- name: Include OS-independent Update/Copy tasks
- include_tasks:
+ ansible.builtin.include_tasks:
file: update-static.yml
apply:
tags:
- - update
+ - update
tags:
- - update
\ No newline at end of file
+ - update
diff --git a/roles/rciam-probes/tasks/update-static.yml b/roles/rciam-probes/tasks/update-static.yml
index 7ef51d5b..1a4bc045 100644
--- a/roles/rciam-probes/tasks/update-static.yml
+++ b/roles/rciam-probes/tasks/update-static.yml
@@ -1,16 +1,16 @@
---
- name: Register static files to be copied
- find:
+ ansible.builtin.find:
paths: "{{ inventory_dir }}/files/monservers"
file_type: file
- recurse: yes
+ recurse: true
register: static_files
- ignore_errors: yes
+ ignore_errors: true
delegate_to: 127.0.0.1
- name: Display files to be copied
- debug:
+ ansible.builtin.debug:
msg: "/{{ item.path | regex_replace('(.*)[/]files[/]monservers[/](.*)', '\\2') }}"
verbosity: 1
loop: "{{ static_files.files }}"
@@ -19,16 +19,16 @@
when: static_files is defined
- name: Copy static files
- copy:
+ ansible.builtin.copy:
src: "{{ item.path }}"
dest: "/{{ item.path | regex_replace('(.*)[/]files[/]monservers[/](.*)', '\\2') }}"
- force: yes
+ force: true
owner: root
- mode: 0664
+ mode: "0664"
backup: true
loop: "{{ static_files.files }}"
loop_control:
label: "Added file /{{ item.path | regex_replace('(.*)[/]files[/]monservers[/](.*)', '\\2') }}"
- become: yes
- ignore_errors: yes
+ become: true
+ ignore_errors: true # noqa ignore-errors
when: static_files is defined
diff --git a/roles/rciam-probes/vars/RedHat-7.yml b/roles/rciam-probes/vars/RedHat-7.yml
index b7d11469..7d5ef101 100644
--- a/roles/rciam-probes/vars/RedHat-7.yml
+++ b/roles/rciam-probes/vars/RedHat-7.yml
@@ -5,4 +5,4 @@ apache_user: "apache"
apache_group: "apache"
core_utils:
- - policycoreutils-python
\ No newline at end of file
+ - policycoreutils-python
diff --git a/roles/rciam-probes/vars/RedHat-8.yml b/roles/rciam-probes/vars/RedHat-8.yml
index cfdf94bb..a2d79c0f 100644
--- a/roles/rciam-probes/vars/RedHat-8.yml
+++ b/roles/rciam-probes/vars/RedHat-8.yml
@@ -1,9 +1,9 @@
---
-clean_cache_cmd: "yum clean all"
-apache_user: "apache"
-apache_group: "apache"
+clean_cache_cmd: yum clean all
+apache_user: apache
+apache_group: apache
# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/considerations_in_adopting_rhel_8/index
core_utils:
- - policycoreutils-python-utils
\ No newline at end of file
+ - policycoreutils-python-utils
diff --git a/roles/rciam-probes/vars/RedHat.yml b/roles/rciam-probes/vars/RedHat.yml
index 89d1fbb9..1999494e 100644
--- a/roles/rciam-probes/vars/RedHat.yml
+++ b/roles/rciam-probes/vars/RedHat.yml
@@ -1,6 +1,5 @@
---
-clean_cache_cmd: "yum clean all"
-apache_user: "apache"
-apache_group: "apache"
-
+clean_cache_cmd: yum clean all
+apache_user: apache
+apache_group: apache
diff --git a/roles/rciam-utils/defaults/main.yml b/roles/rciam-utils/defaults/main.yml
index 6fec3de7..121b6a0a 100644
--- a/roles/rciam-utils/defaults/main.yml
+++ b/roles/rciam-utils/defaults/main.yml
@@ -22,7 +22,7 @@ rciam_utils: []
# #month:
# Configuration for https://github.com/rciam/rciam-sync-voms.git
-#rciam_utils_sync_voms:
+# rciam_utils_sync_voms:
# vomses_file:
# url: "https://{{ rciam_hostname }}/static/diracVOs.json"
# # Uncomment the following line to use the specified CA_BUNDLE file or
@@ -49,7 +49,7 @@ rciam_utils: []
# level: "DEBUG"
# Whether to install RCIAM util cron jobs; Enabled by default
-rciam_utils_cron_enabled: yes
+rciam_utils_cron_enabled: true
rciam_utils_sync_client_names:
# Type of OP: "mitreid" or "keycloak". Defaults to "mitreid".
diff --git a/roles/rciam-utils/tasks/configure.yml b/roles/rciam-utils/tasks/configure.yml
index 63d81b76..6a6d0824 100644
--- a/roles/rciam-utils/tasks/configure.yml
+++ b/roles/rciam-utils/tasks/configure.yml
@@ -2,86 +2,89 @@
---
- name: Ensure utils are configured
- template:
+ ansible.builtin.template:
src: "{{ item.name }}/config.py.j2"
dest: "{{ item.path }}/config.py"
owner: "{{ item.user.name }}"
group: "{{ item.user.group }}"
- mode: 0400
- backup: yes
+ mode: "0400"
+ backup: true
loop: "{{ rciam_utils }}"
- become: yes
+ become: true
- name: Ensure util SSL certificate directories exist
- file:
+ ansible.builtin.file:
path: "{{ item.ssl.cert.path | dirname }}"
owner: "{{ item.ssl.cert.owner }}"
group: "{{ item.ssl.cert.group }}"
state: directory
+ mode: "0750"
loop: "{{ rciam_utils }}"
when: item.ssl is defined
- become: yes
+ become: true
- name: Ensure util SSL certificates are copied
- copy:
+ ansible.builtin.copy:
dest: "{{ item.ssl.cert.path }}"
content: "{{ item.ssl.cert.content }}"
owner: "{{ item.ssl.cert.owner }}"
group: "{{ item.ssl.cert.group }}"
mode: "{{ item.ssl.cert.mode }}"
- backup: yes
+ backup: true
loop: "{{ rciam_utils }}"
when: item.ssl is defined
- become: yes
+ become: true
- name: Ensure util SSL certificate key directories exist
- file:
+ ansible.builtin.file:
path: "{{ item.ssl.cert_key.path | dirname }}"
owner: "{{ item.ssl.cert_key.owner }}"
group: "{{ item.ssl.cert_key.group }}"
state: directory
+ mode: "0750"
loop: "{{ rciam_utils }}"
when: item.ssl is defined
- become: yes
+ become: true
- name: Ensure util SSL certificate keys are copied
- copy:
+ ansible.builtin.copy:
dest: "{{ item.ssl.cert_key.path }}"
content: "{{ item.ssl.cert_key.content }}"
owner: "{{ item.ssl.cert_key.owner }}"
group: "{{ item.ssl.cert_key.group }}"
mode: "{{ item.ssl.cert_key.mode }}"
- backup: yes
+ backup: true
loop: "{{ rciam_utils }}"
when: item.ssl is defined
- become: yes
- no_log: yes
+ become: true
+ no_log: true
-- name: Ensure tables have been created for rciam-ip2country
- shell: "{{ (rciam_utils | selectattr(\"name\", \"equalto\", \"rciam-ip2country\") | map(attribute='path') | list)[0] }}/.venv/bin/python -m Utils.install"
+- name: Ensure tables have been created for rciam-ip2country # noqa command-instead-of-shell
+ ansible.builtin.shell: "{{ (rciam_utils | selectattr(\"name\", \"equalto\", \"rciam-ip2country\") | map(attribute='path') | list)[0] }}/.venv/bin/python -m Utils.install" # noqa yaml[line-length]
args:
chdir: "{{ (rciam_utils | selectattr(\"name\", \"equalto\", \"rciam-ip2country\") | map(attribute='path') | list)[0] }}"
when: rciam_utils | selectattr("name", "equalto", "rciam-ip2country") | list | length == 1
- become: yes
+ become: true
become_user: "{{ (rciam_utils | selectattr(\"name\", \"equalto\", \"rciam-ip2country\") | map(attribute='user.name') | list)[0] }}"
+ changed_when: false
tags:
- rciam_utils:config:ip2country:db
- name: Ensure database files are copied for rciam-ip2country
- copy:
+ ansible.builtin.copy:
src: "{{ rciam_utils_ip2country.database_files_dir }}/{{ rciam_utils_ip2country.db_file_extension }}/"
dest: "{{ (rciam_utils | selectattr(\"name\", \"equalto\", \"rciam-ip2country\") | map(attribute='path') | list)[0] }}/databases/"
owner: "{{ (rciam_utils | selectattr(\"name\", \"equalto\", \"rciam-ip2country\") | map(attribute='user.name') | list)[0] }}"
group: "{{ (rciam_utils | selectattr(\"name\", \"equalto\", \"rciam-ip2country\") | map(attribute='user.group') | list)[0] }}"
- mode: 0400
- backup: yes
+ mode: "0400"
+ backup: true
when: '(rciam_utils_ip2country.database_files_dir is defined) and (rciam_utils | selectattr("name", "equalto", "rciam-ip2country") | list | length == 1)'
- become: yes
+ become: true
tags:
- rciam_utils:config:ip2country:files
- name: Ensure util cron jobs are installed
- cron:
+ ansible.builtin.cron:
name: "{{ item.name }}"
user: "{{ item.user.name | default('root') }}"
cron_file: "{{ item.name }}"
@@ -92,4 +95,4 @@
month: "{{ item.cron.month | default(omit) }}"
loop: "{{ rciam_utils }}"
when: item.cron is defined and rciam_utils_cron_enabled
- become: yes
+ become: true
diff --git a/roles/rciam-utils/tasks/install-Debian.yml b/roles/rciam-utils/tasks/install-Debian.yml
index 3405de1d..657d3bcb 100644
--- a/roles/rciam-utils/tasks/install-Debian.yml
+++ b/roles/rciam-utils/tasks/install-Debian.yml
@@ -3,51 +3,51 @@
---
- name: Ensure util dependencies are installed
- apt:
+ ansible.builtin.apt:
name:
- git
- python3-venv
state: present
- install_recommends: no
- update_cache: yes
+ install_recommends: false
+ update_cache: true
cache_valid_time: 86400
- become: yes
+ become: true
- name: Ensure PPA is installed for MaxMind (required for rciam-ip2country)
- apt_repository:
+ ansible.builtin.apt_repository:
repo: 'ppa:maxmind/ppa'
state: present
- update_cache: yes
+ update_cache: true
codename: trusty
- when:
+ when:
- rciam_utils | selectattr("name", "equalto", "rciam-ip2country") | list | length == 1
- rciam_utils_ip2country.db_file_extension is defined and rciam_utils_ip2country.db_file_extension == "dat"
- become: yes
+ become: true
- name: Ensure dependencies for rciam-ip2country are installed
- apt:
+ ansible.builtin.apt:
name:
- build-essential
- python3-dev
state: present
- install_recommends: no
- update_cache: yes
+ install_recommends: false
+ update_cache: true
cache_valid_time: 86400
- when:
+ when:
- rciam_utils | selectattr("name", "equalto", "rciam-ip2country") | list | length == 1
- become: yes
+ become: true
- name: Ensure additional dependencies for rciam-ip2country (legacy version only) are installed
- apt:
+ ansible.builtin.apt:
name:
- libgeoip1
- libgeoip-dev
- geoip-bin
state: present
- install_recommends: no
- update_cache: yes
+ install_recommends: false
+ update_cache: true
cache_valid_time: 86400
- when:
+ when:
- rciam_utils | selectattr("name", "equalto", "rciam-ip2country") | list | length == 1
- rciam_utils_ip2country.db_file_extension is defined and rciam_utils_ip2country.db_file_extension == "dat"
- become: yes
+ become: true
diff --git a/roles/rciam-utils/tasks/install-common.yml b/roles/rciam-utils/tasks/install-common.yml
index dd92c2ff..45c5b70e 100644
--- a/roles/rciam-utils/tasks/install-common.yml
+++ b/roles/rciam-utils/tasks/install-common.yml
@@ -2,40 +2,40 @@
---
- name: Ensure util groups exist
- group:
+ ansible.builtin.group:
name: "{{ item.user.group }}"
- system: yes
+ system: true
loop: "{{ rciam_utils }}"
- become: yes
+ become: true
- name: Ensure util users exist
- user:
+ ansible.builtin.user:
name: "{{ item.user.name }}"
groups: "{{ item.user.group }}"
- comment: "{{ item.user.gecos }}"
+ comment: "{{ item.user.gecos }}"
shell: "{{ item.user.shell }}"
home: "{{ item.user.path }}"
- system: yes
- create_home: yes
+ system: true
+ create_home: true
skeleton: "/empty"
loop: "{{ rciam_utils }}"
- become: yes
+ become: true
- name: Ensure util code checkouts are up-to-date
- git:
+ ansible.builtin.git:
repo: "{{ item.repo }}"
dest: "{{ item.path }}"
version: "{{ item.version }}"
loop: "{{ rciam_utils }}"
- become: yes
+ become: true
become_user: "{{ item.user.name }}"
- name: Ensure util python requirements are installed in virtualenvs
- pip:
+ ansible.builtin.pip:
requirements: "{{ item.path }}/requirements.txt"
virtualenv: "{{ item.path }}/.venv"
virtualenv_command: python3 -m venv
- state: latest
+ state: present
loop: "{{ rciam_utils }}"
- become: yes
+ become: true
become_user: "{{ item.user.name }}"
diff --git a/roles/rciam-utils/tasks/main.yml b/roles/rciam-utils/tasks/main.yml
index 9f377d85..c94d26da 100644
--- a/roles/rciam-utils/tasks/main.yml
+++ b/roles/rciam-utils/tasks/main.yml
@@ -1,24 +1,23 @@
# file: tasks/main.yml
#
---
-
-# Include OS-specific installation tasks
-- include: install-Debian.yml
+- name: Include OS-specific installation tasks
+ ansible.builtin.include_tasks: install-Debian.yml
when: ansible_os_family == 'Debian'
-#- include: install-RedHat.yml
+# - include: install-RedHat.yml
# when: ansible_os_family == 'RedHat'
tags:
- install
- rciam_utils:install
-# Include OS-independent installation tasks
-- include: install-common.yml
+- name: Include OS-independent installation tasks
+ ansible.builtin.include_tasks: install-common.yml
tags:
- install
- rciam_utils:install
-# Include OS-independent configuration tasks
-- include: configure.yml
+- name: Include OS-independent configuration tasks
+ ansible.builtin.include_tasks: configure.yml
tags:
- config
- rciam_utils:config
diff --git a/roles/rciam-utils/templates/rciam-sync-client-names/config.py.j2 b/roles/rciam-utils/templates/rciam-sync-client-names/config.py.j2
index e3e5fda7..098d5930 100644
--- a/roles/rciam-utils/templates/rciam-sync-client-names/config.py.j2
+++ b/roles/rciam-utils/templates/rciam-sync-client-names/config.py.j2
@@ -1,6 +1,6 @@
# {{ ansible_managed }}
-mitreid_config = {
+mitreid_config = {
{% if rciam_utils_sync_client_names.op == "mitreid" %}
"dbname": "{{ rciam_dbs.oidc.name }}",
"user": "{{ rciam_dbs.oidc.owner_username }}",
@@ -9,7 +9,7 @@ mitreid_config = {
{% endif %}
}
-keycloak_config = {
+keycloak_config = {
{% if rciam_utils_sync_client_names.op == "keycloak" %}
"dbname": "{{ rciam_dbs.keycloak.name }}",
"user": "{{ rciam_dbs.keycloak.owner_username }}",
@@ -19,7 +19,7 @@ keycloak_config = {
{% endif %}
}
-proxystats_config = {
+proxystats_config = {
"dbname": "{{ rciam_dbs.proxy.name }}",
"user": "{{ rciam_dbs.proxy.owner_username }}",
"host": "{{ rciam_dbs.proxy.host }}",
diff --git a/roles/rsyslog-pgsql/handlers/main.yml b/roles/rsyslog-pgsql/handlers/main.yml
index e17f0c55..753f9f9c 100644
--- a/roles/rsyslog-pgsql/handlers/main.yml
+++ b/roles/rsyslog-pgsql/handlers/main.yml
@@ -1,6 +1,6 @@
---
- name: Restart rsyslog
- service:
+ ansible.builtin.service:
name: rsyslog
state: restarted
- become: yes
+ become: true
diff --git a/roles/rsyslog-pgsql/tasks/configure-common.yml b/roles/rsyslog-pgsql/tasks/configure-common.yml
index e4e1caae..a87c6216 100644
--- a/roles/rsyslog-pgsql/tasks/configure-common.yml
+++ b/roles/rsyslog-pgsql/tasks/configure-common.yml
@@ -1,10 +1,10 @@
---
- name: Remove pgsql.conf file if exists
- file:
+ ansible.builtin.file:
path: "{{ rsyslogd_path }}/pgsql.conf"
state: absent
- become: yes
- when: rsyslog_pgsql_enable_logs == true
+ become: true
+ when: rsyslog_pgsql_enable_logs
- name: Ensure /dev/xconsole exists
ansible.builtin.file:
@@ -13,17 +13,17 @@
owner: syslog
group: adm
mode: u=rw,g=rw,o=r
- when: rsyslog_pgsql_enable_logs == true
- become: yes
+ when: rsyslog_pgsql_enable_logs
+ become: true
- name: Ensure rsyslog for nginx logs is configured
- template:
+ ansible.builtin.template:
src: rsyslogd-nginx-{{ ansible_os_family }}.conf.j2
dest: "{{ rsyslogd_path }}/51-nginx.conf"
owner: root
group: root
- mode: 0644
- backup: yes
- become: yes
+ mode: "0644"
+ backup: true
+ become: true
notify: Restart rsyslog
- when: rsyslog_pgsql_enable_logs == true
+ when: rsyslog_pgsql_enable_logs
diff --git a/roles/rsyslog-pgsql/tasks/install-Debian.yml b/roles/rsyslog-pgsql/tasks/install-Debian.yml
index 9eff3c04..d061a11c 100644
--- a/roles/rsyslog-pgsql/tasks/install-Debian.yml
+++ b/roles/rsyslog-pgsql/tasks/install-Debian.yml
@@ -1,8 +1,11 @@
---
- name: Ensure rsyslog & rsyslog-pgsql is installed (Debian)
- apt: name={{item}} state=present install_recommends=no
- loop:
+ ansible.builtin.apt:
+ name: "{{ item }}"
+ state: present
+ install_recommends: false
+ loop: # TODO - define in defaults
- rsyslog
- rsyslog-pgsql
- become: yes
- when: rsyslog_pgsql_enable_logs == true
+ become: true
+ when: rsyslog_pgsql_enable_logs
diff --git a/roles/rsyslog-pgsql/tasks/main.yml b/roles/rsyslog-pgsql/tasks/main.yml
index 5b3a3726..40d6c944 100644
--- a/roles/rsyslog-pgsql/tasks/main.yml
+++ b/roles/rsyslog-pgsql/tasks/main.yml
@@ -1,19 +1,19 @@
---
- name: Include OS-specific variables
- include_vars: "{{ ansible_os_family }}.yml"
+ ansible.builtin.include_vars: "{{ ansible_os_family }}.yml"
-# Install OS-specific packages
-- include: install-Debian.yml
+- name: Install OS-specific packages
+ ansible.builtin.include_tasks: install-Debian.yml
when: ansible_os_family == 'Debian'
-#- include: install-CentOS.yml
-# when: ansible_os_family == 'CentOS'
+# - include: install-CentOS.yml
+# when: ansible_os_family == 'CentOS'
-# Apply OS-independent configuration
-- include: configure-common.yml
+- name: Apply OS-independent configuration
+ ansible.builtin.include_tasks: configure-common.yml
- name: Ensure rsyslog service is started and enabled on boot
- service:
+ ansible.builtin.service:
name: "{{ rsyslog_service }}"
state: started
- enabled: yes
- become: yes
+ enabled: true
+ become: true
diff --git a/roles/shibboleth-sp/defaults/main.yml b/roles/shibboleth-sp/defaults/main.yml
index 46a34777..9173a863 100644
--- a/roles/shibboleth-sp/defaults/main.yml
+++ b/roles/shibboleth-sp/defaults/main.yml
@@ -2,42 +2,42 @@
# Set to yes/true to generate self-signed SSL certificate for signing requests/
# response received from/sent to the IdP, as well as for receiving encrypted
# responses.
-shibboleth_sp_ssl_cert_generate: no
+shibboleth_sp_ssl_cert_generate: false
# SSL certificate subject (ignored when shibboleth_sp_ssl_cert_generate is set
# to no)
-#shibboleth_sp_ssl_cert_subj: "/C=/ST=/L=/O=/CN=sp.example.org"
+# shibboleth_sp_ssl_cert_subj: "/C=/ST=/L=/O=/CN=sp.example.org"
# SSL certificate (ignored when shibboleth_sp_ssl_cert_generate is set to yes)
-#shibboleth_sp_ssl_cert: |
-# -----BEGIN CERTIFICATE-----
-# ...
-# -----END CERTIFICATE-----
+# shibboleth_sp_ssl_cert: |
+# -----BEGIN CERTIFICATE-----
+# ...
+# -----END CERTIFICATE-----
# SSL certificate key (ignored when shibboleth_sp_ssl_cert_generate is set to
# yes)
-#shibboleth_sp_ssl_cert_key: |
-# -----BEGIN PRIVATE KEY-----
-# ...
-# -----END PRIVATE KEY-----
+# shibboleth_sp_ssl_cert_key: |
+# -----BEGIN PRIVATE KEY-----
+# ...
+# -----END PRIVATE KEY-----
# ApplicationDefaults
# The SAML entityID of this SP
-shibboleth_sp_entity_id: "https://sp.example.org/shibboleth"
+shibboleth_sp_entity_id: https://sp.example.org/shibboleth
# One or more attributes used for the primary identifier of the browser user
# passed through the REMOTE_USER server variable.
-# Set to null to disable setting the variable.
-shibboleth_sp_remote_user: "eppn persistent-id targeted-id"
+# Set to null to disable setting the variable.
+shibboleth_sp_remote_user: eppn persistent-id targeted-id
# Where the SP redirects the client to when there is nothing else that can be
# done with a request and can be set to a standard home page or index page.
-#shibboleth_sp_home_url: "/"
+# shibboleth_sp_home_url: "/"
shibboleth_sp_session:
# The base location on the server that dispatches requests to the handlers
# configured inside the element. The location is specified as a
# relative or absolute URL. The default is "/Shibboleth.sso" on v2.4+,
# required otherwise.
-# handler_url: "/Shibboleth.sso"
+ # handler_url: "/Shibboleth.sso"
# When handlerSSL is set to true, only web requests over SSL/TLS will be
# processed by handlers. Other requests may be blocked, or possibly ignored
# (and usually result in a 404 error) depending on the web server, but will
@@ -62,7 +62,7 @@ shibboleth_sp_session:
# this limits the amount of time between the act of authentication and the
# attempt to access the SP. This can be useful to ensure that the SAML 2.0
# ForceAuthn flag was honored.
-# max_time_since_authn:
+ # max_time_since_authn:
# The IdP will place the IP address of the user agent it authenticated into
# the assertions it issues. When true, the SP will check this address
# against the address of the client presenting an assertion before creating
@@ -75,21 +75,21 @@ shibboleth_sp_session:
# associated with this session come from the same address. This can help
# protect against cookie theft and is less likely than the checkAddress
# setting to block legitimate access. Default is true.
-# consistent_address: "true"
+ # consistent_address: "true"
# Meta-properties like path or the secure and HttpOnly flags to attach to
# the cookies. Defautls to "; path=/; HttpOnly". If set to a custom string,
# the string is appended to the cookie values maintained by the SP. A common
# value for SSL-only use is "; path=/; secure; HttpOnly". As of v2.5, this
# property can be set to a pair of built-in values, "http" and "https",
# which expand to the default and SSL-only properties respectively.
- cookie_props: "http"
+ cookie_props: http
# Cookie lifetime in seconds. If set, cookies used for session management
# will be created with the designated lifetime. When omitted, which is the
# default, such cookies are in-memory only and do not persist across browser
# restarts (assuming various session restore features aren't in use). Note
# that this will not affect "transitory" cookies used for maintaining state
# across redirects.
-# cookie_lifetime:
+ # cookie_lifetime:
# Controls how information associated with requests for authentication,
# primarily the original resource accessed, is preserved for the completion
# of the authentication process. If not specified, the resource URL is
@@ -100,41 +100,41 @@ shibboleth_sp_session:
# element, typically "ss:mem". As of v2.5, the "cookie"
# option can include a ":n" suffix, where n specifies the number of cookies
# to permit before purging old ones, defaulting to 25.
- relay_state: "ss:mem"
+ relay_state: ss:mem
# V3.2+: One of "none", "exact", "host", "allow", "exact+allow", "host+allow"
# Earlier: One of "none", "exact", "host", "whitelist", "exact+whitelist",
# "host+whitelist".
# "none" is the default and does no limiting
# N.B. Consider carefully before using this option as it can allow malicious
# use of your SP as an open redirect
- #redirect_limit: "none"
+ # redirect_limit: "none"
# SSO settings. To allow for >1 IdP, remove entity_id property and adjust
# discovery_url to point to discovery service.
shibboleth_sp_sso:
- protocols: "SAML2 SAML1"
- entity_id: "https://idp.example.org/idp/shibboleth"
- discovery_protocol: "SAMLDS"
- discovery_url: "https://ds.example.org/DS/WAYF"
+ protocols: SAML2 SAML1
+ entity_id: https://idp.example.org/idp/shibboleth
+ discovery_protocol: SAMLDS
+ discovery_url: https://ds.example.org/DS/WAYF
shibboleth_sp_logout:
- protocols: "SAML2 Local"
+ protocols: SAML2 Local
# See https://wiki.shibboleth.net/confluence/display/SP3/Handler
shibboleth_sp_handlers:
- - type: "MetadataGenerator"
- location: "/Metadata"
+ - type: MetadataGenerator
+ location: /Metadata
signing: "false"
- - type: "Status"
- location: "/Status"
- acl: "127.0.0.1 ::1"
- - type: "Session"
- location: "/Session"
+ - type: Status
+ location: /Status
+ acl: 127.0.0.1 ::1
+ - type: Session
+ location: /Session
show_attributes: "false"
- - type: "DiscoveryFeed"
- location: "/DiscoFeed"
+ - type: DiscoveryFeed
+ location: /DiscoFeed
-shibboleth_sp_supportcontact_email: "root@localhost"
+shibboleth_sp_supportcontact_email: root@localhost
# TODO Add support for metadata filters
shibboleth_sp_metadata_providers: []
@@ -142,18 +142,18 @@ shibboleth_sp_metadata_providers: []
# uri: "http://federation.org/federation-metadata.xml"
# backing_file_path: "federation-metadata.xml"
# reload_interval: 7200
-# - type: "XML"
+# - type: "XML"
# file: "partner-metadata.xml"
shibboleth_sp_attribute_extractors:
- - type: "XML"
+ - type: XML
params:
validate: "true"
reloadChanges: "false"
- path: "attribute-map.xml"
+ path: attribute-map.xml
shibboleth_sp_attribute_resolvers:
- - type: "Query"
+ - type: Query
subject_match: "true"
# The default settings can be overridden by creating ApplicationOverride
@@ -188,14 +188,14 @@ shibboleth_sp_overrides: []
# name: "Local"
# handlers:
# - handler:
-# type: "MetadataGenerator"
+# type: "MetadataGenerator"
# location: "/Metadata"
# signing: "false"
# - handler:
# type: "Status"
# location: "/Status"
# acl: "127.0.0.1 ::1"
-# - handler:
+# - handler:
# type: "Session"
# location: "/Session"
# show_attributes: "true"
@@ -211,7 +211,7 @@ shibboleth_sp_ext_libraries: []
# fatal: "false"
# Path to file containing attribute mappings
-shibboleth_sp_attribute_map_file: "attribute-map.xml"
+shibboleth_sp_attribute_map_file: attribute-map.xml
# Path to file containing attribute policies
-shibboleth_sp_attribute_policy_file: "attribute-policy.xml"
+shibboleth_sp_attribute_policy_file: attribute-policy.xml
diff --git a/roles/shibboleth-sp/files/attribute-map.xml b/roles/shibboleth-sp/files/attribute-map.xml
index ccb3b375..5d15065a 100644
--- a/roles/shibboleth-sp/files/attribute-map.xml
+++ b/roles/shibboleth-sp/files/attribute-map.xml
@@ -8,13 +8,13 @@ th a
few exceptions for newer attributes where the name is the same for both versions. You will
usually want to uncomment or map the names for both SAML versions as a unit.
-->
-
+
-
+
@@ -37,12 +37,12 @@ th a
-
+
-
+
@@ -52,7 +52,7 @@ th a
-
+
-
+
-
+
-
+
diff --git a/roles/shibboleth-sp/files/attribute-policy.xml b/roles/shibboleth-sp/files/attribute-policy.xml
index a2d1742e..7e855b83 100644
--- a/roles/shibboleth-sp/files/attribute-policy.xml
+++ b/roles/shibboleth-sp/files/attribute-policy.xml
@@ -16,7 +16,7 @@
-
+
@@ -106,10 +106,10 @@
Note that while we default checkAddress to "false", this has a negative impact on the
security of your site. Stealing sessions via cookie theft is much easier with this disabled.
-->
-
-
{{ shibboleth_sp_logout.protocols }}
-
+
{% for handler in shibboleth_sp_handlers | default([]) %}
-
+
{% for metadata in shibboleth_sp_metadata_providers %}
- =') %}
url="{{ metadata.uri }}"
@@ -187,7 +187,7 @@
{% endif %}
{% endif %}
{% if metadata.backing_file_path is defined %}
- backingFilePath="{{ metadata.backing_file_path }}"
+ backingFilePath="{{ metadata.backing_file_path }}"
{% endif %}
{% if metadata.reload_interval is defined %}
reloadInterval="{{ metadata.reload_interval }}"
@@ -208,7 +208,7 @@
{% endfor %}
{% for resolver in shibboleth_sp_attribute_resolvers %}
-
-
+
diff --git a/roles/shibboleth-sp/vars/Debian-buster.yml b/roles/shibboleth-sp/vars/Debian-buster.yml
index 2bf78f4a..080b33eb 100644
--- a/roles/shibboleth-sp/vars/Debian-buster.yml
+++ b/roles/shibboleth-sp/vars/Debian-buster.yml
@@ -3,7 +3,7 @@
---
shibboleth_sp_default_version: "3.0"
-shibboleth_sp_default_service: "shibd"
-shibboleth_sp_default_conf_path: "/etc/shibboleth"
-shibboleth_sp_default_user: "_shibd"
-shibboleth_sp_default_group: "_shibd"
+shibboleth_sp_default_service: shibd
+shibboleth_sp_default_conf_path: /etc/shibboleth
+shibboleth_sp_default_user: _shibd
+shibboleth_sp_default_group: _shibd
diff --git a/roles/shibboleth-sp/vars/Debian-jessie.yml b/roles/shibboleth-sp/vars/Debian-jessie.yml
index 98c38454..3ef4e035 100644
--- a/roles/shibboleth-sp/vars/Debian-jessie.yml
+++ b/roles/shibboleth-sp/vars/Debian-jessie.yml
@@ -3,7 +3,7 @@
---
shibboleth_sp_default_version: "2.5"
-shibboleth_sp_default_service: "shibd"
-shibboleth_sp_default_conf_path: "/etc/shibboleth"
-shibboleth_sp_default_user: "_shibd"
-shibboleth_sp_default_group: "_shibd"
+shibboleth_sp_default_service: shibd
+shibboleth_sp_default_conf_path: /etc/shibboleth
+shibboleth_sp_default_user: _shibd
+shibboleth_sp_default_group: _shibd
diff --git a/roles/shibboleth-sp/vars/Debian-stretch.yml b/roles/shibboleth-sp/vars/Debian-stretch.yml
index deafcfd5..69a26d78 100644
--- a/roles/shibboleth-sp/vars/Debian-stretch.yml
+++ b/roles/shibboleth-sp/vars/Debian-stretch.yml
@@ -3,7 +3,7 @@
---
shibboleth_sp_default_version: "2.6"
-shibboleth_sp_default_service: "shibd"
-shibboleth_sp_default_conf_path: "/etc/shibboleth"
-shibboleth_sp_default_user: "_shibd"
-shibboleth_sp_default_group: "_shibd"
+shibboleth_sp_default_service: shibd
+shibboleth_sp_default_conf_path: /etc/shibboleth
+shibboleth_sp_default_user: _shibd
+shibboleth_sp_default_group: _shibd
diff --git a/roles/ssp-module-proxystatistics/defaults/main.yml b/roles/ssp-module-proxystatistics/defaults/main.yml
index 5a170668..11640db5 100644
--- a/roles/ssp-module-proxystatistics/defaults/main.yml
+++ b/roles/ssp-module-proxystatistics/defaults/main.yml
@@ -12,15 +12,15 @@ ssp_module_proxystatistics_mode: "PROXY"
# REQUIRED FOR "IDP" MODE
# EntityId of IdP
-#ssp_module_proxystatistics_idp_entity_id: "https://idp.example.org"
+# ssp_module_proxystatistics_idp_entity_id: "https://idp.example.org"
# Name of IdP
-#ssp_module_proxystatistics_idp_entity_name: "IDP NAME"
+# ssp_module_proxystatistics_idp_entity_name: "IDP NAME"
# REQUIRED FOR "SP" MODE
# EntityId of SP
-#ssp_module_proxystatistics_sp_entity_id: "https://sp.example.org"
+# ssp_module_proxystatistics_sp_entity_id: "https://sp.example.org"
# Name of SP
-#ssp_module_proxystatistics_sp_entity_name: "SP NAME"
+# ssp_module_proxystatistics_sp_entity_name: "SP NAME"
ssp_module_proxystatistics_db:
name: "STATS"
@@ -28,9 +28,9 @@ ssp_module_proxystatistics_db:
username: "stats"
password: "stats"
prefix: ""
- persistent: no
- #slaves:
- # - dsn: "mysql:host=slavedbhost;port=3306;dbname=STATS;charset=utf8"
+ persistent: false
+ # slaves:
+ # - dsn: "mysql:host=slavedbhost;port=3306;dbname=STATS;charset=utf8"
# username: "stats"
# password: "stats"
# persistent: no
@@ -48,5 +48,5 @@ ssp_module_proxystatistics_table_name:
ssp_module_proxystatistics_oidc_issuer: "http://example.org/openidconnect/sp"
# Ignore from statistics calculations the list of identifiers below.
-#ssp_module_proxystatistics_user_id_blacklist:
+# ssp_module_proxystatistics_user_id_blacklist:
# - xxxxxx@example.org
diff --git a/roles/ssp-module-proxystatistics/tasks/configure-common.yml b/roles/ssp-module-proxystatistics/tasks/configure-common.yml
index 9108edab..4de00688 100644
--- a/roles/ssp-module-proxystatistics/tasks/configure-common.yml
+++ b/roles/ssp-module-proxystatistics/tasks/configure-common.yml
@@ -1,19 +1,20 @@
---
- name: Configure SSP proxystatistics module
- template:
+ ansible.builtin.template:
src: "config/module_statisticsproxy-{{ ssp_module_proxystatistics_version }}.php.j2"
dest: "{{ ssp_path }}/config/module_statisticsproxy.php"
- backup: yes
- force: yes
- become: yes
+ backup: true
+ force: true
+ mode: "0644"
+ become: true
-- name: Enable SSP proxystatistics module
- copy:
+- name: Enable SSP proxystatistics module
+ ansible.builtin.copy:
content: ""
dest: "{{ ssp_module_proxystatistics_path }}/enable"
- force: no
- owner: "root"
- group: "root"
+ force: false
+ owner: root
+ group: root
mode: "0644"
- become: yes
+ become: true
diff --git a/roles/ssp-module-proxystatistics/tasks/install-common.yml b/roles/ssp-module-proxystatistics/tasks/install-common.yml
index d2cb3105..c75aeea2 100644
--- a/roles/ssp-module-proxystatistics/tasks/install-common.yml
+++ b/roles/ssp-module-proxystatistics/tasks/install-common.yml
@@ -1,16 +1,16 @@
---
- name: Checkout SSP proxystatistics module source
- git:
+ ansible.builtin.git:
repo: "{{ ssp_module_proxystatistics_repo_url }}"
dest: "{{ ssp_module_proxystatistics_path }}"
version: "{{ ssp_module_proxystatistics_repo_version }}"
- accept_hostkey: yes
- force: no
- update: yes
- become: yes
+ accept_hostkey: true
+ force: false
+ update: true
+ become: true
-#- name: Create SSP proxystatistics statistics table
+# - name: Create SSP proxystatistics statistics table
# postgresql_table:
# db: "ssp_module_proxystatistics_db.name"
# name: "{{ ssp_module_proxystatistics_table_name.statistics }}"
diff --git a/roles/ssp-module-proxystatistics/tasks/main.yml b/roles/ssp-module-proxystatistics/tasks/main.yml
index 7a606c93..45821db2 100644
--- a/roles/ssp-module-proxystatistics/tasks/main.yml
+++ b/roles/ssp-module-proxystatistics/tasks/main.yml
@@ -1,6 +1,5 @@
---
-# Run OS-independent installation tasks
-- include: install-common.yml
-
-# Apply OS-independent configuration
-- include: configure-common.yml
+- name: Run OS-independent installation tasks
+ ansible.builtin.include_tasks: install-common.yml
+- name: Apply OS-independent configuration
+ ansible.builtin.include_tasks: configure-common.yml
diff --git a/roles/ssp-modules/defaults/main.yml b/roles/ssp-modules/defaults/main.yml
index fe289c1e..d17de6d3 100644
--- a/roles/ssp-modules/defaults/main.yml
+++ b/roles/ssp-modules/defaults/main.yml
@@ -1,14 +1,13 @@
---
-
+# ssp-modules/defaults/main.yml
ssp_mods_extra_enabled: []
ssp_modules_db: []
-
# Examples of use cases:
## Modules
-#ssp_mods_extra_enabled:
+# ssp_mods_extra_enabled:
# - name: "module1"
# path: "{{ ssp_path }}/modules/module1_directory"
# repo_url: "https://github.com/example/module1.git"
@@ -53,7 +52,7 @@ ssp_mods_extra_files: []
# dest_path: "{{ ssp_path }}/modules/theme/dictionaries/default.definition.json"
## Database
-#ssp_modules_db:
+# ssp_modules_db:
# - db_host: "127.0.0.1" or "{{ lookup('dig', groups['dbmaster'][0]) }}"
# db_name: database_name or "{{ rciam_dbs.proxy.name }}"
# db_username: database_username or "{{ rciam_dbs.proxy.owner_username }}"
@@ -138,7 +137,7 @@ ssp_mods_extra_files: []
# prefix: ""
# persistent: no
# #slaves:
-# # - dsn: "mysql:host=slavedbhost;port=3306;dbname=STATS;charset=utf8"
+# # - dsn: "mysql:host=slavedbhost;port=3306;dbname=STATS;charset=utf8"
# # username: "stats"
# # password: "stats"
# # persistent: no
@@ -202,4 +201,4 @@ ssp_mods_extra_files: []
# Required
# ssp_module_rciammetrics_ams_base_url: 'https://example.com/'
# Optional
-# ssp_module_rciammetrics_ams_datatype: 'login|registration|membership'
\ No newline at end of file
+# ssp_module_rciammetrics_ams_datatype: 'login|registration|membership'
diff --git a/roles/ssp-modules/handlers/main.yml b/roles/ssp-modules/handlers/main.yml
index c11453f3..edc894c3 100644
--- a/roles/ssp-modules/handlers/main.yml
+++ b/roles/ssp-modules/handlers/main.yml
@@ -1,10 +1,7 @@
---
-
-
-- name: restart webserver
- service:
+# ssp-modules/handlers/main.yml
+- name: Restart webserver
+ ansible.builtin.service:
name: "{{ ssp_webserver }}"
state: restarted
- become: yes
-
-
+ become: true
diff --git a/roles/ssp-modules/tasks/configure-common.yml b/roles/ssp-modules/tasks/configure-common.yml
index daac1778..e8e4387a 100644
--- a/roles/ssp-modules/tasks/configure-common.yml
+++ b/roles/ssp-modules/tasks/configure-common.yml
@@ -1,47 +1,47 @@
# file: ssp-modules/tasks/configure-common.php
#
---
-
-
- name: Configure SSP modules
- template:
+ ansible.builtin.template:
src: "{{ item.src_config_path }}"
dest: "{{ item.dest_config_path }}"
- backup: yes
- force: yes
- become: yes
+ backup: true
+ force: true
+ mode: "0644"
+ become: true
with_items: "{{ ssp_mods_extra_enabled }}"
when: item.src_config_path is defined and item.dest_config_path is defined
- name: Enable SSP modules
- copy:
+ ansible.builtin.copy:
content: ""
dest: "{{ item.path }}/enable"
- force: no
+ force: false
owner: "root"
group: "root"
mode: "0644"
- become: yes
+ become: true
with_items: "{{ ssp_mods_extra_enabled }}"
- when: "{{ ssp_major_version|float < 2}}"
+ when: ssp_major_version | float < 2
tags:
- ssp-modules:config:enable
- name: Ensure SSP module extra files are copied
- copy:
+ ansible.builtin.copy:
src: "{{ item.src_path }}"
dest: "{{ item.dest_path }}"
- backup: yes
+ backup: true
+ mode: "0644"
with_items: "{{ ssp_mods_extra_files }}"
when: item.src_path is defined and item.dest_path is defined
- become: yes
+ become: true
tags:
- ssp-modules:config:files
- name: About Themes
- debug:
+ ansible.builtin.debug:
msg:
- The role also installs Themes, but doesn't produce the CSS files.
- To produce them, you must install `sass` and follow the installation instructions for each theme.
diff --git a/roles/ssp-modules/tasks/install-common-Ubuntu.yml b/roles/ssp-modules/tasks/install-common-Ubuntu.yml
index a176c9b8..1d87f488 100644
--- a/roles/ssp-modules/tasks/install-common-Ubuntu.yml
+++ b/roles/ssp-modules/tasks/install-common-Ubuntu.yml
@@ -1,17 +1,16 @@
---
-
- name: Define PostgreSQL python module version (Ubuntu)
- set_fact:
+ ansible.builtin.set_fact:
postgresql_psycopg2_package: "{{ postgresql_default_psycopg2_package }}"
when: postgresql_psycopg2_package is not defined
tags:
- always
- name: Ensure PostgreSQL python module is installed (Ubuntu)
- apt:
+ ansible.builtin.apt:
name: "{{ postgresql_psycopg2_package }}"
state: present
- install_recommends: no
- update_cache: yes
+ install_recommends: false
+ update_cache: true
cache_valid_time: 86400
- become: yes
\ No newline at end of file
+ become: true
diff --git a/roles/ssp-modules/tasks/install-common.yml b/roles/ssp-modules/tasks/install-common.yml
index c6aa7e23..5c9bfbf1 100644
--- a/roles/ssp-modules/tasks/install-common.yml
+++ b/roles/ssp-modules/tasks/install-common.yml
@@ -1,22 +1,21 @@
---
-
-
+# ssp-modules/tasks/install-common.yml
- name: Install unzip
- package:
+ ansible.builtin.package:
name: unzip
- state: latest
- become: yes
+ state: present
+ become: true
- name: Checkout SSP modules source
- git:
+ ansible.builtin.git:
repo: "{{ item.repo_url }}"
dest: "{{ item.path }}"
version: "{{ item.version }}"
- accept_hostkey: yes
- force: no
- update: yes
- become: yes
+ accept_hostkey: true
+ force: false
+ update: true
+ become: true
with_items: "{{ ssp_mods_extra_enabled }}"
when: item.repo_url is defined
tags:
@@ -24,43 +23,45 @@
- name: Download & unarchive to /tmp/ ( zip only )
- unarchive:
+ ansible.builtin.unarchive:
src: "{{ item.zip_url }}"
dest: "/tmp/"
creates: "{{ item.path }}/{{ item.version }}"
- remote_src: yes
- become: yes
+ remote_src: true
+ become: true
with_items: "{{ ssp_mods_extra_enabled }}"
when: item.zip_url is defined
register: zip_downloaded
tags:
- ssp-modules:install:zip
+# This is a series of very sus actions.
# We need to create the directory if it does not exists
- name: Ensure Theme Directory exists ( zip only ) [1/5]
- file:
+ ansible.builtin.file:
path: "{{ item.path }}"
state: directory
owner: root
group: root
- become: yes
+ mode: "0750"
+ become: true
with_items: "{{ ssp_mods_extra_enabled }}"
when: item.zip_url is defined
register: directory_created
tags:
- ssp-modules:install:zip
-- name: Backup old version (zip only) [2/5]
- command: "mv {{ item.path }} {{ item.path }}.{{ ansible_date_time.iso8601 }}"
- become: yes
+- name: Backup old version (zip only) [2/5] # noqa no-changed-when
+ ansible.builtin.command: "mv {{ item.path }} {{ item.path }}.{{ ansible_date_time.iso8601 }}"
+ become: true
with_items: "{{ ssp_mods_extra_enabled }}"
when: zip_downloaded.changed and item.zip_url is defined and item.fullname is defined
tags:
- ssp-modules:install:zip
-- name: Move unarchived module files from /tmp/ to module directory (zip only) [3/5]
- command: "mv /tmp/{{ item.fullname }} {{ item.path }}"
- become: yes
+- name: Move unarchived module files from /tmp/ to module directory (zip only) [3/5] # noqa no-changed-when
+ ansible.builtin.command: "mv /tmp/{{ item.fullname }} {{ item.path }}"
+ become: true
with_items: "{{ ssp_mods_extra_enabled }}"
when:
- zip_downloaded.changed or directory_created.changed
@@ -70,14 +71,14 @@
- ssp-modules:install:zip
- name: Set a version file in module directory (zip only) [4/5]
- copy:
+ ansible.builtin.copy:
content: ""
dest: "{{ item.path }}/{{ item.version }}"
- force: no
+ force: false
owner: "root"
group: "root"
mode: "0644"
- become: yes
+ become: true
with_items: "{{ ssp_mods_extra_enabled }}"
when:
- zip_downloaded.changed or directory_created.changed
@@ -87,10 +88,11 @@
- ssp-modules:install:zip
- name: Remove unused directories from /tmp/ (zip only) [5/5]
- file:
+ ansible.builtin.file:
path: "/tmp/{{ item.fullname }}"
state: absent
- become: yes
+ mode: "0644"
+ become: true
with_items: "{{ ssp_mods_extra_enabled }}"
when:
- zip_downloaded.changed or directory_created.changed
diff --git a/roles/ssp-modules/tasks/install-db.yml b/roles/ssp-modules/tasks/install-db.yml
index 1630f8d3..2970a601 100644
--- a/roles/ssp-modules/tasks/install-db.yml
+++ b/roles/ssp-modules/tasks/install-db.yml
@@ -1,15 +1,14 @@
---
-
-
+# ssp-modules/tasks/install-db.yml
- name: Create PostgreSQL tables for SSP modules via SQL scripts
- postgresql_query:
+ community.postgresql.postgresql_script:
db: "{{ item.db_name }}"
login_user: "{{ item.db_username }}"
login_password: "{{ item.db_password }}"
- path_to_script: "{{ item.db_script_path }}"
+ path: "{{ item.db_script_path }}"
login_host: "{{ item.db_host }}"
- #positional_args:
- #- 1
+ # positional_args:
+ # - 1
register: postgresql_result
failed_when: "postgresql_result is failed and 'already exists' not in postgresql_result.msg"
with_items: "{{ ssp_modules_db }}"
diff --git a/roles/ssp-modules/tasks/main.yml b/roles/ssp-modules/tasks/main.yml
index 50f1f83f..1f3b4547 100644
--- a/roles/ssp-modules/tasks/main.yml
+++ b/roles/ssp-modules/tasks/main.yml
@@ -1,18 +1,17 @@
---
-
-
+# ssp-modules/tasks/main.yml
- name: Include OS-specific variables
- include_vars: "{{ item }}"
+ ansible.builtin.include_vars: "{{ item }}"
with_first_found:
- - "{{ ansible_distribution }}-{{ ansible_distribution_release}}.yml"
- - "{{ ansible_distribution }}-{{ ansible_distribution_major_version}}.yml"
+ - "{{ ansible_distribution }}-{{ ansible_distribution_release }}.yml"
+ - "{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml"
- "{{ ansible_distribution }}.yml"
- "{{ ansible_os_family }}.yml"
tags:
- always
-# Install OS-specific packages
-- include: install-common-Ubuntu.yml
+- name: Install OS-specific packages
+ ansible.builtin.include_tasks: install-common-Ubuntu.yml
when: ansible_os_family == 'Debian' and ansible_distribution == 'Ubuntu' and ansible_distribution_release == 'focal'
tags:
- install
@@ -20,22 +19,22 @@
- ssp:install:mods
- ssp-modules:install
-# Run OS-independent installation tasks
-- include: install-common.yml
+- name: Run OS-independent installation tasks
+ ansible.builtin.include_tasks: install-common.yml
tags:
- install
- ssp:install
- ssp:install:mods
- ssp-modules:install
-# Run OS-independent installation tasks
-- include: install-db.yml
+- name: Run OS-independent installation tasks
+ ansible.builtin.include_tasks: install-db.yml
tags:
- never
- ssp-modules:install:db
-# Apply OS-independent configuration
-- include: configure-common.yml
+- name: Apply OS-independent configuration
+ ansible.builtin.include_tasks: configure-common.yml
tags:
- config
- ssp:config
diff --git a/roles/ssp-modules/vars/Debian.yml b/roles/ssp-modules/vars/Debian.yml
index 61844771..4e10d47e 100644
--- a/roles/ssp-modules/vars/Debian.yml
+++ b/roles/ssp-modules/vars/Debian.yml
@@ -1,6 +1,5 @@
---
-
+# ssp-modules/vars/Debian.yml
ssp_default_webserver: "apache2"
ssp_default_webuser: "www-data"
ssp_default_webgroup: "www-data"
-
diff --git a/roles/ssp-modules/vars/RedHat.yml b/roles/ssp-modules/vars/RedHat.yml
index 005c5582..14609c5d 100644
--- a/roles/ssp-modules/vars/RedHat.yml
+++ b/roles/ssp-modules/vars/RedHat.yml
@@ -1,6 +1,4 @@
---
-
ssp_default_webserver: "httpd"
ssp_default_webuser: "apache"
ssp_default_webgroup: "apache"
-
diff --git a/roles/ssp-modules/vars/Ubuntu-focal.yml b/roles/ssp-modules/vars/Ubuntu-focal.yml
index 377b555b..84bab750 100644
--- a/roles/ssp-modules/vars/Ubuntu-focal.yml
+++ b/roles/ssp-modules/vars/Ubuntu-focal.yml
@@ -1,3 +1,2 @@
---
-
-postgresql_default_psycopg2_package: "python3-psycopg2"
\ No newline at end of file
+postgresql_default_psycopg2_package: "python3-psycopg2"
diff --git a/roles/ssp-modules/vars/main.yml b/roles/ssp-modules/vars/main.yml
index 849169c7..ed97d539 100644
--- a/roles/ssp-modules/vars/main.yml
+++ b/roles/ssp-modules/vars/main.yml
@@ -1,3 +1 @@
---
-
-
diff --git a/roles/ssp/defaults/main.yml b/roles/ssp/defaults/main.yml
index 45278d19..cf5b40ae 100644
--- a/roles/ssp/defaults/main.yml
+++ b/roles/ssp/defaults/main.yml
@@ -2,18 +2,18 @@
#
---
-ssp_version: "2.1.1"
+ssp_version: 2.1.1
-ssp_repo_url: "https://github.com/simplesamlphp/simplesamlphp.git"
-ssp_repo_version: "simplesamlphp-{{ ssp_version }}"
+ssp_repo_url: https://github.com/simplesamlphp/simplesamlphp.git
+ssp_repo_version: simplesamlphp-{{ ssp_version }}
# Uncomment in order to install using the release
# ssp_release_url: "https://github.com/simplesamlphp/simplesamlphp/releases/download/v{{ ssp_version }}/{{ ssp_repo_version }}-full.tar.gz"
-ssp_path: "/var/simplesamlphp"
+ssp_path: /var/simplesamlphp
# The base path of the URLs to the content of the SimpleSAMPphp www folder.
-ssp_baseurlpath: "simplesaml"
-# Specify base URL path with the external scheme (protocol) and FQDN if your
+ssp_baseurlpath: simplesaml
+# Specify base URL path with the external scheme (protocol) and FQDN if your
# SimpleSAMLphp installation is hosted behind a reverse proxy.
-#ssp_external_baseurlpath: "https://example.com/simplesaml"
+# ssp_external_baseurlpath: "https://example.com/simplesaml"
ssp_configdir: "{{ ssp_path }}/config/"
ssp_certdir: "{{ ssp_path }}/cert/"
@@ -26,13 +26,13 @@ ssp_metadatadir: "{{ ssp_path }}/metadata/"
ssp_www_path: "{{ ssp_path }}/../simplesaml-current"
# Enable the installation of the composer
-#ssp_composer_install: True
+# ssp_composer_install: True
-ssp_composer_executable: "/usr/local/bin/composer"
-ssp_composer_install_directory: "/tmp/composer"
+ssp_composer_executable: /usr/local/bin/composer
+ssp_composer_install_directory: /tmp/composer
# Enable the installation of nodejs and twig
-#ssp_twig_install: True
+# ssp_twig_install: True
# Security configuration options
@@ -41,12 +41,12 @@ ssp_composer_install_directory: "/tmp/composer"
# The value can be any valid string of any length.
# A possible way to generate a random salt is by running the following command:
# LC_CTYPE=C tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz' /dev/null;echo
-#ssp_secretsalt: "defaultsecretsalt"
+# ssp_secretsalt: "defaultsecretsalt"
# Password giving access to the installation page of SimpleSAMLphp with
# metadata listing and diagnostics pages.
# This password must be kept secret, and modified from the default value 123.
-#ssp_adminpassword: "123"
+# ssp_adminpassword: "123"
# Secret salt used to generate a secure hash of the ssp_adminpassword.
# A possible way to generate a random salt is by running the following command:
@@ -55,13 +55,12 @@ ssp_composer_install_directory: "/tmp/composer"
# ssp_adminpassword_salt: "defaultsecretsalt"
# Whether to require administrator password to access the web interface
-ssp_admin_protectindexpage: no
+ssp_admin_protectindexpage: false
# Whether to require administrator password to access the metadata pages
-ssp_admin_protectmetadata: no
+ssp_admin_protectmetadata: false
-
-ssp_theme: "default"
+ssp_theme: default
# Set this option to true to activate the new UI based on Twig templates.
# When this option is activated the index file redirects to the login page
# where the a list of authentication sources (excluded admin) is displayed.
@@ -71,58 +70,57 @@ ssp_twig_template: false
# Set this option if a custom theme controller is required by the Theme
# ssp_theme_controller_class: ""
-ssp_session_cookie_name: "SimpleSAMLSessionID"
+ssp_session_cookie_name: SimpleSAMLSessionID
ssp_session_cookie_secure: false
# Set the SameSite attribute in the cookie to support RFC6265bis.
# You can set this to 'None', 'Lax', or 'Strict'.
# If set to null, no SameSite attribute will be sent.
-ssp_session_cookie_samesite: null
-ssp_authtoken_cookiename: "SimpleSAMLAuthToken"
+ssp_session_cookie_samesite:
+ssp_authtoken_cookiename: SimpleSAMLAuthToken
-ssp_tempdir: "/tmp/simplesaml"
+ssp_tempdir: /tmp/simplesaml
# Select where to store session information:
# `phpsession` Uses the built-in session management in PHP (default).
-# `memcache` Uses memcached to cache sessions in memory.
+# `memcache` Uses memcached to cache sessions in memory.
# Sessions can be distributed and replicated among several
# memcached servers, enabling both load-balancing and fail-over.
# `sql` Stores session information in a SQL database (WIP).
-#ssp_store_type: "phpsession"
+# ssp_store_type: "phpsession"
# One or more memcached server groups for storing session information when
# ssp_store_type is set to `memcache`. Every session data item will be mirrored
# in every server group. Each server group is a list of servers. The data items
# will be load-balanced between all servers in each server group.
-#ssp_memcache_store_servers:
-# - # Group A
-# - "memcached1.acme.com"
-# - "memcached2.acme.com"
-# - # Group B
-# - "memcached3.acme.com"
-# - "memcached4.acme.com"
+# ssp_memcache_store_servers:
+# - # Group A
+# - "memcached1.acme.com"
+# - "memcached2.acme.com"
+# - # Group B
+# - "memcached3.acme.com"
+# - "memcached4.acme.com"
ssp_memcache_store_servers:
- -
- - "localhost"
+ - - localhost
# Alternatively, define ssp_memcache_store_servers_group to dynamically build
# the memcache server group configuration from the host group
# See templates/config/config-x.y.php.j2
-#ssp_memcache_store_servers_group: "cache"
+# ssp_memcache_store_servers_group: "cache"
ssp_memcache_store_prefix: ""
# Database configuration is optional. If you are not using core functionality
# or modules that require a database, you can skip this configuration
ssp_database:
- dsn: "mysql:host=localhost;dbname=saml"
- username: "simplesamlphp"
- password: "secret"
+ dsn: mysql:host=localhost;dbname=saml
+ username: simplesamlphp
+ password: secret
prefix: ""
- persistent: no
+ persistent: false
ssp_database_slaves: []
# - dsn: "mysql:host=myslave;dbname=saml"
# username: "simplesamlphp"
-# password: "secret"
+# password: "secret"
# persistent: no
ssp_debug_saml: false
@@ -137,14 +135,14 @@ ssp_showerrors: false
ssp_errorreporting: true
# Let SSP figure out timezone based on the host machine
-ssp_timezone: 'null'
+ssp_timezone: "null"
# otherwise set it explicitly, e.g.:
-#ssp_timezone: "'Europe/Athens'"
+# ssp_timezone: "'Europe/Athens'"
# The process name that should be used when logging to syslog
-ssp_logging_processname: "simplesamlphp"
+ssp_logging_processname: simplesamlphp
# The name of the logfile when using the file handler for logging
-ssp_logging_logfile: "simplesamlphp.log"
+ssp_logging_logfile: simplesamlphp.log
# Available log levels are:
# ERR No statistics, only errors
# WARNING No statistics, only warnings/errors
@@ -156,53 +154,53 @@ ssp_logging_level: NOTICE
ssp_logging_handler: syslog
ssp_language_available:
- - "en"
+ - en
- "no"
- - "nn"
- - "se"
- - "da"
- - "de"
- - "sv"
- - "fi"
- - "es"
- - "ca"
- - "fr"
- - "it"
- - "nl"
- - "lb"
- - "cs"
- - "sl"
- - "lt"
- - "hr"
- - "hu"
- - "pl"
- - "pt"
- - "pt-br"
- - "tr"
- - "ja"
- - "zh"
- - "zh-tw"
- - "ru"
- - "et"
- - "he"
- - "id"
- - "sr"
- - "lv"
- - "ro"
- - "eu"
- - "el"
- - "af"
- - "zu"
- - "xh"
+ - nn
+ - se
+ - da
+ - de
+ - sv
+ - fi
+ - es
+ - ca
+ - fr
+ - it
+ - nl
+ - lb
+ - cs
+ - sl
+ - lt
+ - hr
+ - hu
+ - pl
+ - pt
+ - pt-br
+ - tr
+ - ja
+ - zh
+ - zh-tw
+ - ru
+ - et
+ - he
+ - id
+ - sr
+ - lv
+ - ro
+ - eu
+ - el
+ - af
+ - zu
+ - xh
ssp_language_rtl:
- - "ar"
- - "dv"
- - "fa"
- - "ur"
- - "he"
+ - ar
+ - dv
+ - fa
+ - ur
+ - he
-ssp_language_default: "en"
+ssp_language_default: en
# Array of domains that are allowed when generating links or redirects
# to URLs. SimpleSAMLphp will use this option to determine whether to
@@ -218,7 +216,6 @@ ssp_language_default: "en"
# Set to NULL to disable checking of URLs.
# ssp_trusted_url_domains: null
ssp_trusted_url_domains: []
-
# Enable regular expression matching of ssp_trusted_url_domains.
# Set to true to treat the values in ssp_trusted_url_domains as regular
# expressions. Set to false to do exact string matching.
@@ -233,31 +230,31 @@ ssp_trusted_url_domains: []
ssp_authproc_idp:
- "30":
# Adopts language from attribute to use in UI
- class: "core:LanguageAdaptor"
+ class: core:LanguageAdaptor
- "45":
# Add a realm attribute from edupersonprincipalname
- class: "core:StatisticsWithAttribute"
- attributename: "realm"
- type: "saml20-idp-SSO"
+ class: core:StatisticsWithAttribute
+ attributename: realm
+ type: saml20-idp-SSO
- "50":
- # Filter attributes by checking the 'attributes' parameter in metadata
- # on IdP hosted and SP remote.
- class: "core:AttributeLimit"
+ # Filter attributes by checking the 'attributes' parameter in metadata
+ # on IdP hosted and SP remote.
+ class: core:AttributeLimit
- "99":
- # If language is set in Consent module it will be added as an attribute.
- class: "core:LanguageAdaptor"
+ # If language is set in Consent module it will be added as an attribute.
+ class: core:LanguageAdaptor
# Authentication processing filters that will be executed for all SPs.
# See https://simplesamlphp.org/docs/stable/simplesamlphp-authproc
# The filters can be specified with PHP syntax using `ssp_authproc_sp_raw` or
# alternatively, with YAML syntax using `ssp_authproc_sp`.
-ssp_authproc_sp:
+ssp_authproc_sp:
- "90":
# Adopts language from attribute to use in UI
- class: "core:LanguageAdaptor"
+ class: core:LanguageAdaptor
# This will be added before the config[] in SimpleSAMLphp authentication sources
-#ssp_authsources_preamble: |
+# ssp_authsources_preamble: |
# function foo() {
# // Do something
# }
@@ -273,341 +270,339 @@ ssp_authsources_saml:
# this SP should contact. When NULL the user will be shown a list of
# available IdPs.
# idp_function: "findIdP()"
- #disco_url: "/{{ ssp_alias }}/module.php/discopower/disco.php"
+ # disco_url: "/{{ ssp_alias }}/module.php/discopower/disco.php"
# Set to true to generate self-signed SSL certificate for signing requests/
# response received from/sent to the IdP, as well as for receiving encrypted
# responses.
- ssl_certificate_generate: yes
+ ssl_certificate_generate: true
# SSL certificate options (ignored when `ssl_certificate_generate` is set
# to false):
# SSL certificate Common Name (CN)
- #ssl_certificate_cn: sp.example.com
+ # ssl_certificate_cn: sp.example.com
# Alternatively, you can generate the certificate as follows:
# openssl req -newkey rsa:2048 -new -x509 -days 3652 -subj "/CN=sp.example.com" -nodes -out sp-default-sp.crt -keyout sp-default-sp.key
# SSL certificate
- #ssl_certificate: |
- # -----BEGIN CERTIFICATE-----
- # ...
- # -----END CERTIFICATE-----
+ # ssl_certificate: |
+ # -----BEGIN CERTIFICATE-----
+ # ...
+ # -----END CERTIFICATE-----
# SSL certificate private key
- #ssl_certificate_key: |
- # -----BEGIN PRIVATE KEY-----
- # ...
- # -----END PRIVATE KEY-----
+ # ssl_certificate_key: |
+ # -----BEGIN PRIVATE KEY-----
+ # ...
+ # -----END PRIVATE KEY-----
# Algorithm to use when signing any message generated by this SP:
# - http://www.w3.org/2000/09/xmldsig#rsa-sha1 (default)
# - http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
# - http://www.w3.org/2001/04/xmldsig-more#rsa-sha384
# - http://www.w3.org/2001/04/xmldsig-more#rsa-sha512
# Note: the use of SHA1 is deprecated and will be disallowed in the future.
- #sign_algorithm: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
+ # sign_algorithm: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
# Whether authentication requests, logout requests and logout responses
# sent from this SP should be signed. Default is false.
- #redirect_sign: true
+ # redirect_sign: true
# Whether logout requests and logout responses received received by
# this SP should be validated. Default is false.
- #redirect_validate: true
- # Whether to sign authentication requests sent from this SP. Default is
+ # redirect_validate: true
+ # Whether to sign authentication requests sent from this SP. Default is
# false.
- #sign_authnrequest: true
+ # sign_authnrequest: true
# Whether to sign logout messages sent from this SP. Default is false.
- #sign_logout: true
+ # sign_logout: true
# SAML V2.0 Metadata Extensions for Login and Discovery
# UIInfo Items
# Localised list of names for this entity
- #display_name:
- # en: Example SP
+ # display_name:
+ # en: Example SP
# Localised list of descriptions for this entity
- #description:
- # en: This is an SP used as an example
+ # description:
+ # en: This is an SP used as an example
# Optional list of logos for this SP
# - use a transparent background where appropriate
# - use PNG or GIF (less preferred) images
# - use HTTPS URLs in order to avoid mixed-content warnings within browsersk
- #logos:
- #- url: "https://example.com/logo-80x60.png"
- # The rendered height of the logo measured in pixels.
- #height: 60
- # The rendered width of the logo measured in pixels.
- #width: 80
- # Optional language code for localised logos.
- #lang: en
- #- url: "https://example.com/logo-50x50.png"
- # The rendered height of the logo measured in pixels.
- #height: 50
- # The rendered width of the logo measured in pixels.
- #width: 50
- # Optional language code for localised logos.
- #lang: en
+ # logos:
+ # - url: "https://example.com/logo-80x60.png"
+ # The rendered height of the logo measured in pixels.
+ # height: 60
+ # The rendered width of the logo measured in pixels.
+ # width: 80
+ # Optional language code for localised logos.
+ # lang: en
+ # - url: "https://example.com/logo-50x50.png"
+ # height: 50
+ # width: 50
+ # lang: en
# Localised list of URLs where more information about the entity is located
- #information_url:
+ # information_url:
# en: "http://sp.example.com/info/en"
# Localised list of URLs where the entity's privacy statement is located
- #privacy_statement_url:
+ # privacy_statement_url:
# en: "http://sp.example.com/privacy/en"
- #entity_attributes:
- #- attribute_name: "http://macedir.org/entity-category"
- # attribute_values:
- # - "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"
- # Optional list of contacts in addition to the technical contact configured
+ # entity_attributes:
+ # - attribute_name: "http://macedir.org/entity-category"
+ # attribute_values:
+ # - "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"
+ # Optional list of contacts in addition to the technical contact configured
# through config/config.php
- #contacts:
- # The type of contact. The possible values are `technical`, `support`,
- # `administrative`, `billing`, and `other`.
- #- contact_type: "technical"
- # Optional name of the company for the contact person.
- #company: "ACME"
- # Optional given (first) name of the contact person.
- #given_name: "Jane"
- # Optional surname of the contact person.
- #sur_name: "Doe"
- # Optional `mailto:` URI representing e-mail address of contact person.
- #email_address: "mailto:jane.doe@acme.example.com"
- # Optional telephone number of the contact person.
- #telephone_numbers: "+31(0)12345678"
- # To support a trust framework that requires extra attributes on the
- # contact person element in your metadata (e.g. SIRTFI), you can specify
- # an array of attributes on a contact
- #- contact_type: "other"
- # Optional given (first) name of the contact person.
- #given_name: "Security Response Team"
- # Optional `mailto:` URI representing e-mail address of contact person.
- #email_address: "mailto:security@example.com"
- #attributes:
- # "xmlns:remd": "http://refeds.org/metadata"
- # "remd:contactType": "http://refeds.org/metadata/contactType/security"
+ # contacts:
+ # The type of contact. The possible values are `technical`, `support`,
+ # `administrative`, `billing`, and `other`.
+ # - contact_type: "technical"
+ # Optional name of the company for the contact person.
+ # company: "ACME"
+ # Optional given (first) name of the contact person.
+ # given_name: "Jane"
+ # Optional surname of the contact person.
+ # sur_name: "Doe"
+ # Optional `mailto:` URI representing e-mail address of contact person.
+ # email_address: "mailto:jane.doe@acme.example.com"
+ # Optional telephone number of the contact person.
+ # telephone_numbers: "+31(0)12345678"
+ # To support a trust framework that requires extra attributes on the
+ # contact person element in your metadata (e.g. SIRTFI), you can specify
+ # an array of attributes on a contact
+ # - contact_type: "other"
+ # Optional given (first) name of the contact person.
+ # given_name: "Security Response Team"
+ # Optional `mailto:` URI representing e-mail address of contact person.
+ # email_address: "mailto:security@example.com"
+ # attributes:
+ # "xmlns:remd": "http://refeds.org/metadata"
+ # "remd:contactType": "http://refeds.org/metadata/contactType/security"
# Localised names of the organisation responsible for this SP.
- #organization_name:
- # en: ACME
+ # organization_name:
+ # en: ACME
# Localised user-friendly names of the organisation responsible for this
# SP.
- #organization_display_name:
+ # organization_display_name:
# en: ACME
# Localised URLs of the organisation responsible for this SP.
- #organization_url:
- # en: "https://www.acme.example.com/en"
+ # organization_url:
+ # en: "https://www.acme.example.com/en"
# List of attributes this SP requests from the IdP. This list will be added
# to the generated metadata.
- # The attributes will be added without a `NameFormat` by default. Use the
+ # The attributes will be added without a `NameFormat` by default. Use the
# name_format option to specify the `NameFormat` for the attributes.
- #attributes:
- #name_format: "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
- #required:
- # uid: "urn:oid:0.9.2342.19200300.100.1.1"
- #optional:
- # eduPersonPrincipalName: "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
- # eduPersonTargetedID: "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
- # commonName: "urn:oid:2.5.4.3"
- # givenName: "urn:oid:2.5.4.42"
- # sn: "urn:oid:2.5.4.4"
- # displayName: "urn:oid:2.16.840.1.113730.3.1.241"
- # mail: "urn:oid:0.9.2342.19200300.100.1.3"
- # The format of the NameID we request from the IdP. Defaults to the
+ # attributes:
+ # name_format: "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+ # required:
+ # uid: "urn:oid:0.9.2342.19200300.100.1.1"
+ # optional:
+ # eduPersonPrincipalName: "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
+ # eduPersonTargetedID: "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
+ # commonName: "urn:oid:2.5.4.3"
+ # givenName: "urn:oid:2.5.4.42"
+ # sn: "urn:oid:2.5.4.4"
+ # displayName: "urn:oid:2.16.840.1.113730.3.1.241"
+ # mail: "urn:oid:0.9.2342.19200300.100.1.3"
+ # The format of the NameID we request from the IdP. Defaults to the
# transient format if unspecified.
- #name_id_policy: "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
+ # name_id_policy: "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
# List of supported ACS bindings. If unspecified, all will be added.
# Possible values:
# - urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
# - urn:oasis:names:tc:SAML:1.0:profiles:browser-post
# - urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact
# - urn:oasis:names:tc:SAML:1.0:profiles:artifact-01
- # - urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser
- #acs_bindings:
+ # - urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser
+ # acs_bindings:
# Optional list of processing filters to run after SP authentication. See
# https://simplesamlphp.org/docs/stable/simplesamlphp-authproc
# The filters can be specified with PHP syntax using `authproc_raw` or
# alternatively, with YAML syntax using `authproc`. See examples below:
- #authproc_raw: |-
+ # authproc_raw: |-
# // Add the persistent NameID to the eduPersonTargetedID attribute
# 60 => [
# 'class' => 'saml:PersistentNameID2TargetedID',
# 'attribute' => 'eduPersonTargetedID', // The default
# 'nameId' => true, // The default
# ],
- #authproc:
- # - "60":
- # class: "saml:PersistentNameID2TargetedID"
- # attribute: "eduPersonTargetedID"
- # nameId: no
-
-# Requires `authfacebook` module in `ssp_mods_enabled`.
-#ssp_authsources_facebook:
-# - name: facebook
- # Register your Facebook application at http://www.facebook.com/developers
- # App ID or API key (requests with App ID should be faster; https://github.com/facebook/php-sdk/issues/214)
- #api_key: "123456789012345"
- #secret: "1ab23456cdef78g90123h4ij56k789l0"
- # Optional list of additional permissions to request from user.
- # See https://developers.facebook.com/docs/facebook-login/permissions
- #req_perms: "email"
- # Optional list of user profile fields to request.
- # When empty, only the app-specific user id and name will be returned
- # See https://developers.facebook.com/docs/graph-api/reference/v2.6/user for the full list
- #user_fields: "email,birthday,third_party_id,name,first_name,last_name"
-
-# Requires `authlinkedin` and `oauth` modules in `ssp_mods_enabled`.
-#ssp_authsources_linkedin:
-# - name: "linkedin"
- #key: "xxxxxxxxxxxxxx"
- #secret: "xxxxxxxxxxxxxxxx"
- # See https://developer.linkedin.com/docs/fields/basic-profile for the full list
- #user_fields: "id,formatted-name,first-name,last-name,email-address"
-
-# Requires `authlinkedin` and `oauth` module in `ssp_mods_enabled`.
-#ssp_authsources_facebook:
-# - name: facebook
- # Register your Facebook application at http://www.facebook.com/developers
- # App ID or API key (requests with App ID should be faster; https://github.com/facebook/php-sdk/issues/214)
- #api_key: "123456789012345"
- #secret: "1ab23456cdef78g90123h4ij56k789l0"
- # Optional list of additional permissions to request from user.
- # See https://developers.facebook.com/docs/facebook-login/permissions
- #req_perms: "email"
- # Optional list of user profile fields to request.
- # When empty, only the app-specific user id and name will be returned
- # See https://developers.facebook.com/docs/graph-api/reference/v2.6/user for the full list
- #user_fields: "email,birthday,third_party_id,name,first_name,last_name"
-
-# IdP configuration
-# Enable SAML 2.0 IdP functionality
-ssp_idp_saml20_enabled: false
-# Enable Shibboleth 1.3 IdP (SAML 1.1) functionality
-ssp_idp_shib13_enabled: false
-# Hosted IdP metadata
-ssp_idp_hosts: []
- # The entity ID should be a URI. It can also be specified as `__DYNAMIC:1__`,
- # `__DYNAMIC:2__`, ... in which case, the entity ID will be generated
- # automatically.
- # As of SimplesamlPHP version 2.x __DYNAMIC:.. is not supported. Thus we need to provide
- # the entity ID ourselves, e.g. "https://rciam.example.org/saml-idp"
- # or "urn:x-rciam:example-idp" (see https://simplesamlphp.org/docs/stable/simplesamlphp-reference-idp-hosted)
- #- entity_id: "__DYNAMIC:1__"
+ # authproc:
+ # - "60":
+ # class: "saml:PersistentNameID2TargetedID"
+ # attribute: "eduPersonTargetedID"
+ # nameId: no
+
+ # Requires `authfacebook` module in `ssp_mods_enabled`.
+ # ssp_authsources_facebook:
+ # - name: facebook
+ # Register your Facebook application at http://www.facebook.com/developers
+ # App ID or API key (requests with App ID should be faster; https://github.com/facebook/php-sdk/issues/214)
+ # api_key: "123456789012345"
+ # secret: "1ab23456cdef78g90123h4ij56k789l0"
+ # Optional list of additional permissions to request from user.
+ # See https://developers.facebook.com/docs/facebook-login/permissions
+ # req_perms: "email"
+ # Optional list of user profile fields to request.
+ # When empty, only the app-specific user id and name will be returned
+ # See https://developers.facebook.com/docs/graph-api/reference/v2.6/user
+ # for the full list
+ # user_fields: "email,birthday,third_party_id,name,first_name,last_name"
+
+ # Requires `authlinkedin` and `oauth` modules in `ssp_mods_enabled`.
+ # ssp_authsources_linkedin:
+ # - name: "linkedin"
+ # key: "xxxxxxxxxxxxxx"
+ # secret: "xxxxxxxxxxxxxxxx"
+ # See https://developer.linkedin.com/docs/fields/basic-profile for the full list
+ # user_fields: "id,formatted-name,first-name,last-name,email-address"
+
+ # Requires `authlinkedin` and `oauth` module in `ssp_mods_enabled`.
+ # ssp_authsources_facebook:
+ # - name: facebook
+ # Register your Facebook application at http://www.facebook.com/developers
+ # App ID or API key (requests with App ID should be faster; https://github.com/facebook/php-sdk/issues/214)
+ # api_key: "123456789012345"
+ # secret: "1ab23456cdef78g90123h4ij56k789l0"
+ # Optional list of additional permissions to request from user.
+ # See https://developers.facebook.com/docs/facebook-login/permissions
+ # req_perms: "email"
+ # Optional list of user profile fields to request.
+ # When empty, only the app-specific user id and name will be returned
+ # See https://developers.facebook.com/docs/graph-api/reference/v2.6/user for the full list
+ # user_fields: "email,birthday,third_party_id,name,first_name,last_name"
+
+ # IdP configuration
+ # Enable SAML 2.0 IdP functionality
+ ssp_idp_saml20_enabled: false
+ # Enable Shibboleth 1.3 IdP (SAML 1.1) functionality
+ ssp_idp_shib13_enabled: false
+ # Hosted IdP metadata
+ ssp_idp_hosts: []
+ # The entity ID should be a URI. It can also be specified as `__DYNAMIC:1__`,
+ # `__DYNAMIC:2__`, ... in which case, the entity ID will be generated
+ # automatically.
+ # As of SimplesamlPHP version 2.x __DYNAMIC:.. is not supported. Thus we need to provide
+ # the entity ID ourselves, e.g. "https://rciam.example.org/saml-idp"
+ # or "urn:x-rciam:example-idp" (see https://simplesamlphp.org/docs/stable/simplesamlphp-reference-idp-hosted)
+ # - entity_id: "__DYNAMIC:1__"
# The hostname for this IdP. One of the IdPs can also have its `host` set
# to `__DEFAULT__`, and that IdP will be used when no other entries in the
# metadata matches.
- #host: "__DEFAULT__"
+ # host: "__DEFAULT__"
# Set to true to generate self-signed SSL certificate which should be
# used by this IdP, in PEM format
- #ssl_certificate_generate: yes
+ # ssl_certificate_generate: yes
# SSL certificate options (ignored when `ssl_certificate_generate` is set
# to false):
# SSL certificate Common Name (CN)
- #ssl_certificate_cn: idp.example.com
+ # ssl_certificate_cn: idp.example.com
# Alternatively, you can generate the certificate as follows:
# openssl req -newkey rsa:2048 -new -x509 -days 3652 -subj "/CN=idp.example.com" -nodes -out idp-__DYNAMIC:1__.crt -keyout idp-__DYNAMIC:1__.key
# SSL certificate
- #ssl_certificate: |
- # -----BEGIN CERTIFICATE-----
- # ...
- # -----END CERTIFICATE-----
+ # ssl_certificate: |
+ # -----BEGIN CERTIFICATE-----
+ # ...
+ # -----END CERTIFICATE-----
# SSL certificate private key
- #ssl_certificate_key: |
- # -----BEGIN PRIVATE KEY-----
- # ...
- # -----END PRIVATE KEY-----
+ # ssl_certificate_key: |
+ # -----BEGIN PRIVATE KEY-----
+ # ...
+ # -----END PRIVATE KEY-----
# Algorithm to use when signing any message generated by this IdP:
# - http://www.w3.org/2000/09/xmldsig#rsa-sha1 (default)
# - http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
# - http://www.w3.org/2001/04/xmldsig-more#rsa-sha384
# - http://www.w3.org/2001/04/xmldsig-more#rsa-sha512
# Note: the use of SHA1 is deprecated and will be disallowed in the future.
- #sign_algorithm: "http://www.w3.org/2000/09/xmldsig#rsa-sha256"
+ # sign_algorithm: "http://www.w3.org/2000/09/xmldsig#rsa-sha256"
# Whether logout requests and logout responses sent from this IdP should be
# signed. Default is false.
- #redirect_sign: true
+ # redirect_sign: true
# Whether authentication requests, logout requests and logout responses
# received/sent from this IdP should be validated. Default is false.
- #redirect_validate: true
+ # redirect_validate: true
# The authentication source to be used to authenticate users on this IdP.
- #auth: default-sp
- #contacts:
- # The type of contact. The possible values are `technical`, `support`,
- # `administrative`, `billing`, and `other`.
- #- contact_type: "technical"
- # Optional name of the company for the contact person.
- #company: "ACME"
- # Optional given (first) name of the contact person.
- #given_name: "Jane"
- # Optional surname of the contact person.
- #sur_name: "Doe"
- # Optional `mailto:` URI representing e-mail address of contact person.
- #email_address: "mailto:jane.doe@acme.example.com"
- # Optional telephone number of the contact person.
- #telephone_numbers: "+31(0)12345678"
- # A list with scopes for this IdP. The scopes will be added to the
+ # auth: default-sp
+ # contacts:
+ # The type of contact. The possible values are `technical`, `support`,
+ # `administrative`, `billing`, and `other`.
+ # - contact_type: "technical"
+ # Optional name of the company for the contact person.
+ # company: "ACME"
+ # Optional given (first) name of the contact person.
+ # given_name: "Jane"
+ # Optional surname of the contact person.
+ # sur_name: "Doe"
+ # Optional `mailto:` URI representing e-mail address of contact person.
+ # email_address: "mailto:jane.doe@acme.example.com"
+ # Optional telephone number of the contact person.
+ # telephone_numbers: "+31(0)12345678"
+ # A list with scopes for this IdP. The scopes will be added to the
# generated XML metadata. A scope can either be a domain name or a regular
# expression matching a number of domains.
- #scopes:
- # - domain1.example.com
- # - domain2.example.com
+ # scopes:
+ # - domain1.example.com
+ # - domain2.example.com
# Localised names of the organisation responsible for this IdP.
- #organization_name:
- # en: ACME
+ # organization_name:
+ # en: ACME
# Localised user-friendly names of the organisation responsible for this
# IdP.
- #organization_display_name:
- # en: ACME
+ # organization_display_name:
+ # en: ACME
# Localised URLs of the organisation responsible for this IdP.
- #organization_url:
- # en: "https://www.acme.example.com/en"
+ # organization_url:
+ # en: "https://www.acme.example.com/en"
# SAML V2.0 Metadata Extensions for Login and Discovery
# UIInfo Items
# Localised list of names for this entity
- #display_name:
- # en: Example IdP
+ # display_name:
+ # en: Example IdP
# Localised list of descriptions for this entity
- #description:
- # en: This is an IdP used as an example
+ # description:
+ # en: This is an IdP used as an example
# Localised list of URLs where more information about the entity is located
# Optional list of logos for this IdP
# - use a transparent background where appropriate
# - use PNG or GIF (less preferred) images
# - use HTTPS URLs in order to avoid mixed-content warnings within browsers
- #logos:
- #- url: "https://example.com/logo-80x60.png"
- # The rendered height of the logo measured in pixels.
- #height: 60
- # The rendered width of the logo measured in pixels.
- #width: 80
- # Optional language code for localised logos.
- #lang: en
- #- url: "https://example.com/logo-50x50.png"
- # The rendered height of the logo measured in pixels.
- #height: 50
- # The rendered width of the logo measured in pixels.
- #width: 50
- # Optional language code for localised logos.
- #lang: en
- #information_url:
- # en: "https://idp1.example.com/info/en"
+ # logos:
+ # - url: "https://example.com/logo-80x60.png"
+ # The rendered height of the logo measured in pixels.
+ # height: 60
+ # The rendered width of the logo measured in pixels.
+ # width: 80
+ # Optional language code for localised logos.
+ # lang: en
+ # - url: "https://example.com/logo-50x50.png"
+ # The rendered height of the logo measured in pixels.
+ # height: 50
+ # The rendered width of the logo measured in pixels.
+ # width: 50
+ # Optional language code for localised logos.
+ # lang: en
+ # information_url:
+ # en: "https://idp1.example.com/info/en"
# Localised list of URLs where the entity's privacy statement is located
- #privacy_statement_url:
- # en: "https://idp1.example.com/privacy/en"
+ # privacy_statement_url:
+ # en: "https://idp1.example.com/privacy/en"
# DiscoHints items
- # List of IPv4 and IPv6 addresses in CIDR notation serviced by or
+ # List of IPv4 and IPv6 addresses in CIDR notation serviced by or
# associated with this IdP.
- #ip_hints:
- # - "130.59.0.0/16"
- # - "2001:620::0/96"
+ # ip_hints:
+ # - "130.59.0.0/16"
+ # - "2001:620::0/96"
# List of domain names serviced by or associated with this IdP.
- #domain_hints:
- # - "example.com"
- # - "www.example.com"
+ # domain_hints:
+ # - "example.com"
+ # - "www.example.com"
# List of geographic coordinates serviced by or associated with this IdP.
# Coordinates are given in the geo URI scheme (RFC5870).
- #geolocation_hints:
- # - "geo:47.37328,8.531126"
- # - "geo:19.34343,12.342514"
- #entity_attributes:
- #- attribute_name: "http://macedir.org/entity-category"
- # attribute_values:
- # - "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"
+ # geolocation_hints:
+ # - "geo:47.37328,8.531126"
+ # - "geo:19.34343,12.342514"
+ # entity_attributes:
+ # - attribute_name: "http://macedir.org/entity-category"
+ # attribute_values:
+ # - "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"
# SAML2-specific options
# The value to set in the Format field of attribute statements.
- #attributes_name_format: "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+ # attributes_name_format: "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
# The format of the NameID supported by this IdP. Defaults to the transient
# format if unspecified.
- #name_id_format: "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
+ # name_id_format: "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
# Override the default URL for the SingleSignOnService for this IdP.
# This is an absolute URL. The default value is:
# /module.php/saml/idp/singleSignOnService
@@ -615,7 +610,7 @@ ssp_idp_hosts: []
# in the messages sent to others. You must also configure your webserver
# to deliver this URL to the correct PHP page.
# Uncomment the following for backwards compatibility with SSP v1.x
- #sso_service: "https://{{ rciam_hostname }}/{{ ssp_baseurlpath }}/saml2/idp/SSOService.php"
+ # sso_service: "https://{{ rciam_hostname }}/{{ ssp_baseurlpath }}/saml2/idp/SSOService.php"
# Override the default URL for the SingleLogoutService for this IdP.
# This is an absolute URL. The default value is:
# /module.php/saml/idp/singleLogout
@@ -623,12 +618,12 @@ ssp_idp_hosts: []
# in the messages sent to others. You must also configure your webserver
# to deliver this URL to the correct PHP page.
# Uncomment the following for backwards compatibility with SSP v1.x
- #slo_service: "https://{{ rciam_hostname }}/{{ ssp_baseurlpath }}/saml2/idp/SingleLogoutService.php"
+ # slo_service: "https://{{ rciam_hostname }}/{{ ssp_baseurlpath }}/saml2/idp/SingleLogoutService.php"
# Optional list of processing filters to run for this IdP. See
# https://simplesamlphp.org/docs/stable/simplesamlphp-authproc
# The filters can be specified with PHP syntax using `authproc_raw` or
# alternatively, with YAML syntax using `authproc`. See examples below:
- #authproc_raw: |-
+ # authproc_raw: |-
# 80 => array(
# // Maps attribute OIDs to names.
# // Usually combined with SAML:2.0:attrname-format:uri
@@ -645,36 +640,36 @@ ssp_idp_hosts: []
# 'hiddenAttributes' => array(
# ),
# ),
- #authproc:
- # - "80":
- # Maps attribute OIDs to names.
- # Usually combined with SAML:2.0:attrname-format:uri
- #class: "core:AttributeMap"
- #oid2name:
- # - "90":
- # Requires `consent` in `ssp_mods_enabled`.
- #class: "consent:Consent"
- # The Consent storage backend. Currently only `consent:Cookie` is
- # supported. This option is optional. If omitted, the user is still
- # asked to consent, but the decision is not saved.
- #store: "consent:Cookie"
- # Optional flag that indicates whether the values of the attributes
- # should be used in calculating the unique hashes that identify the
- # consent. If includeValues is set and the value of an attribute
- # changes, then the consent becomes invalid. Defaults to false.
- #includeValues: false
- # Optional flag that indicates whether the "Remember" consent
- # checkbox is checkd by default. Defaults to false.
- #checked: false
- # Indicates whether the "Yes" or "No" button is in fucus by default.
- # This option is optional and can take the value 'yes' or 'no'.
- # If omitted, neither will recive focus.
- #focus: "yes" | "no"
- # Optional list of attributes whose values should be hidden.
- # Default behaviour is that all attribute values are shown.
- #hiddenAttributes:
- #- entity_id: "__DYNAMIC:2__"
- # host: "idp2.example.com"
+ # authproc:
+ # - "80":
+ # Maps attribute OIDs to names.
+ # Usually combined with SAML:2.0:attrname-format:uri
+ # class: "core:AttributeMap"
+ # oid2name:
+ # - "90":
+ # Requires `consent` in `ssp_mods_enabled`.
+ # class: "consent:Consent"
+ # The Consent storage backend. Currently only `consent:Cookie` is
+ # supported. This option is optional. If omitted, the user is still
+ # asked to consent, but the decision is not saved.
+ # store: "consent:Cookie"
+ # Optional flag that indicates whether the values of the attributes
+ # should be used in calculating the unique hashes that identify the
+ # consent. If includeValues is set and the value of an attribute
+ # changes, then the consent becomes invalid. Defaults to false.
+ # includeValues: false
+ # Optional flag that indicates whether the "Remember" consent
+ # checkbox is checkd by default. Defaults to false.
+ # checked: false
+ # Indicates whether the "Yes" or "No" button is in fucus by default.
+ # This option is optional and can take the value 'yes' or 'no'.
+ # If omitted, neither will recive focus.
+ # focus: "yes" | "no"
+ # Optional list of attributes whose values should be hidden.
+ # Default behaviour is that all attribute values are shown.
+ # hiddenAttributes:
+ # - entity_id: "__DYNAMIC:2__"
+ # host: "idp2.example.com"
## Extra SSP files to copy, e.g. dictionaries, attribute maps, certificates, etc
ssp_extra_files: []
@@ -717,30 +712,28 @@ ssp_mods_enabled:
# List of SSP modules to disable
# Deprecated for SSP v2.0
ssp_mods_disabled: []
- # - admin
- # - authorize
- # - consent
- # - core
- # - discopower
- # - exampleattributeserver
- # - expirycheck
- # - ldap
- # - memcookie
- # - multiauth
- # - portal
- # - saml
- # - sanitycheck
-
-
+# - admin
+# - authorize
+# - consent
+# - core
+# - discopower
+# - exampleattributeserver
+# - expirycheck
+# - ldap
+# - memcookie
+# - multiauth
+# - portal
+# - saml
+# - sanitycheck
# Configuration options for automated SAML metadata management.
-# Requires `metarefresh` and `cron` modules in `ssp_mods_enabled`.
+# Requires `metarefresh` and `cron` modules in `ssp_mods_enabled`.
#
# Options applicable to SSP version < 2
#
# Cron module URL
-ssp_mod_cron_url: "https://localhost/{{ ssp_baseurlpath }}/module.php/cron/cron.php"
+ssp_mod_cron_url: https://localhost/{{ ssp_baseurlpath }}/module.php/cron/cron.php
#
# Options applicable to SSP version >= 2
@@ -748,7 +741,7 @@ ssp_mod_cron_url: "https://localhost/{{ ssp_baseurlpath }}/module.php/cron/cron.
# Maximum amount of memory each metarefresh cron tag may consume
# (see http://php.net/memory-limit)
-ssp_mod_cron_job_memory_limit: "768M"
+ssp_mod_cron_job_memory_limit: 768M
#
# Common options for all SSP versions
@@ -759,91 +752,89 @@ ssp_mod_cron_job_memory_limit: "768M"
ssp_mod_cron_job_max_execution_time: 90
# Secret key used to restrict access to your cron.
-#ssp_mod_cron_secret: "secret"
+# ssp_mod_cron_secret: "secret"
ssp_mod_cron_entries:
- - name: "SSP metarefresh [daily]"
- tag: "daily"
- file: "simplesamlphp"
+ - name: SSP metarefresh [daily]
+ tag: daily
+ file: simplesamlphp
user: "{{ ssp_webuser }}"
minute: "30"
hour: "3"
- - name: "SSP metarefresh [hourly]"
- tag: "hourly"
- file: "simplesamlphp"
+ - name: SSP metarefresh [hourly]
+ tag: hourly
+ file: simplesamlphp
user: "{{ ssp_webuser }}"
minute: "15"
# Cron job variables
ssp_mod_cron_vars:
- - name: "MAILTO"
- value: "na@example.org"
- file: "simplesamlphp"
-
+ - name: MAILTO
+ value: na@example.org
+ file: simplesamlphp
# Global blacklist: Optional list of entityIDs that should be excluded from ALL
# metadata sets.
-#ssp_mod_metarefresh_blacklist:
-# - "https://my.own.domain.com/ssp/saml2/idp/metadata.php"
+# ssp_mod_metarefresh_blacklist:
+# - "https://my.own.domain.com/ssp/saml2/idp/metadata.php"
#
-#ssp_mod_metarefresh_sets:
- #- name: reep
+# ssp_mod_metarefresh_sets:
+# - name: reep
# Can be `hourly` or `daily`
- #cron: hourly
+ # cron: hourly
# A list of one or more sources that will be included in this metadata set.
# The filters can be specified with PHP syntax using `sources_raw` or
# alternatively, with YAML syntax using `sources`. See examples below:
- #sources_raw: include 'path-to-file.php'
- #sources:
- # The source URL where the metadata will be fetched from.
- #- url: "https://reep.refeds.org/entity/69/latest_metadata/"
- # The fingerprint of the certificate used to sign the metadata.
+ # sources_raw: include 'path-to-file.php'
+ # sources:
+ # The source URL where the metadata will be fetched from.
+ # - url: "https://reep.refeds.org/entity/69/latest_metadata/"
+ # The fingerprint of the certificate used to sign the metadata.
# You can omit this option if you don't want to validate the signature
# on the metadata.
- #validate_fingerprint: "59:1D:4B:46:70:46:3E:ED:A9:1F:CC:81:6D:C0:AF:2A:09:2A:A8:01"
+ # validate_fingerprint: "59:1D:4B:46:70:46:3E:ED:A9:1F:CC:81:6D:C0:AF:2A:09:2A:A8:01"
# Optional list of tags/labels for the entities in the metadata.
- #tags:
+ # tags:
# - tag1
# - tag2
# Optional list of processing filters to run for this entity. See
# https://simplesamlphp.org/docs/stable/simplesamlphp-authproc
# The filters can be specified with PHP syntax using `authproc_raw` or
# alternatively, with YAML syntax using `authproc`. See examples below:
- #authproc_raw: |-
+ # authproc_raw: |-
# 50 => [
# 'class' => 'core:ExampleFilter',
# ],
- #authproc:
+ # authproc:
# - "50":
# class: "core:ExampleFilter"
- #extra_parameters: |-
+ # extra_parameters: |-
# 'foo' => 'bar',
# Optional list of entityIDs that should be excluded from this src.
- #blacklist:
+ # blacklist:
# - "https://black.example.com/idp"
# - "https://black.example.com/sp"
# Optional list of entityIDs that should be included from this src.
- #whitelist:
+ # whitelist:
# - "https://white.example.com/idp"
# - "https://white.example.com/sp"
# Maximum cache time in days
- #expire_after: 7
+ # expire_after: 7
# Output directory is relative to {{ ssp_path }}/metadata/
- #output_dir: metarefresh-aarc
+ # output_dir: metarefresh-aarc
# Can be `flatfile` or `serialize`
- #output_format: serialize
-
+ # output_format: serialize
# Configuration options for the discopower module that provides a more
# user-friendly IdP discovery service compared to the default.
# Requires `discopower` module in `ssp_mods_enabled`.
#
# List of tags (mapped to tabs) that should be listed in a specific order.
-#ssp_mod_discopower_taborder:
+# ssp_mod_discopower_taborder:
# - tag1
# - tag2
# Filter list of IdPs by matching the beginning of search keywords
-#ssp_mod_discopower_suggest: false
+# ssp_mod_discopower_suggest: false
# List of tab/tag translations to add
-#ssp_mod_discopower_dictionaries:
+# ssp_mod_discopower_dictionaries:
# - tag1:
# en: "Tab One"
# - tag2:
diff --git a/roles/ssp/handlers/main.yml b/roles/ssp/handlers/main.yml
index c46a3249..a2babca4 100644
--- a/roles/ssp/handlers/main.yml
+++ b/roles/ssp/handlers/main.yml
@@ -1,10 +1,6 @@
---
-
-- name: restart webserver
- service:
+- name: Restart webserver
+ ansible.builtin.service:
name: "{{ ssp_webserver }}"
state: restarted
- become: yes
-
-
-
+ become: true
diff --git a/roles/ssp/tasks/composer.yml b/roles/ssp/tasks/composer.yml
index c1921e87..106bf41a 100644
--- a/roles/ssp/tasks/composer.yml
+++ b/roles/ssp/tasks/composer.yml
@@ -1,77 +1,91 @@
---
-
- name: Create installation directory for composer
- file:
+ ansible.builtin.file:
state: directory
- path: '{{ ssp_composer_install_directory }}'
- become: yes
+ path: "{{ ssp_composer_install_directory }}"
+ mode: "0644"
+ become: true
tags:
- ssp:install
- ssp:install:composer
-- name: check if exist composer executable exists
- stat:
+- name: Check if exist composer executable exists
+ ansible.builtin.stat:
path: "{{ ssp_composer_executable }}"
register: composer_exists
- become: yes
+ become: true
tags:
- ssp:install
- ssp:install:composer
-- name: Download composer
+# Use uri here
+- name: Download composer # noqa command-instead-of-module no-changed-when
ansible.builtin.command: curl -sS https://getcomposer.org/installer -o composer-setup.php
args:
- chdir: '{{ ssp_composer_install_directory }}'
- when: composer_exists.stat.exists == False
- become: yes
+ chdir: "{{ ssp_composer_install_directory }}"
+ when: not composer_exists.stat.exists
+ become: true
tags:
- ssp:install
- ssp:install:composer
+ creates: "{{ ssp_composer_install_directory }}/composer-setup.php"
-- name: Generate composer hash
+# Use uri here
+- name: Generate composer hash # noqa command-instead-of-module
ansible.builtin.command: curl -sS https://composer.github.io/installer.sig
register: composerhash
- when: composer_exists.stat.exists == False
- become: yes
+ when: not composer_exists.stat.exists
+ become: true
tags:
- ssp:install
- ssp:install:composer
+ changed_when: false # noqa no-changed-when
- name: Print composer hash
ansible.builtin.debug:
msg: "Composer hash is: {{ composerhash.stdout }}"
when: composerhash.stdout is defined
- become: yes
+ become: true
tags:
- ssp:install
- ssp:install:composer
-- name: Verify composer
- command: php -r "if (hash_file('SHA384', 'composer-setup.php') === '{{ composerhash.stdout }}') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;"
+- name: Verify composer # noqa command-instead-of-module
+ ansible.builtin.command: |-
+ php -r \
+ "if (hash_file('SHA384', 'composer-setup.php') === '{{ composerhash.stdout }}') \
+ { echo 'Installer verified'; } \
+ else \
+ { echo 'Installer corrupt'; unlink('composer-setup.php'); } \
+ echo PHP_EOL;"
args:
- chdir: '{{ ssp_composer_install_directory }}'
- when: composer_exists.stat.exists == False
- become: yes
+ chdir: "{{ ssp_composer_install_directory }}"
+ when: not composer_exists.stat.exists
+ become: true
tags:
- ssp:install
- ssp:install:composer
+ changed_when: false
+ failed_when: false1
-- name: Composer setup
+# Use community.general.composer here
+- name: Composer setup # noqa no-changed-when
ansible.builtin.command: php composer-setup.php
args:
- chdir: '{{ ssp_composer_install_directory }}'
- when: composer_exists.stat.exists == False
- become: yes
+ chdir: "{{ ssp_composer_install_directory }}"
+ when: not composer_exists.stat.exists
+ become: true
tags:
- ssp:install
- ssp:install:composer
+ changed_when: false
-- name: Move Composer globally
- ansible.builtin.command: "mv composer.phar {{ ssp_composer_executable }}"
+- name: Move Composer globally # noqa no-changed-when
+ ansible.builtin.command: mv composer.phar {{ ssp_composer_executable }}
args:
- chdir: '{{ ssp_composer_install_directory }}'
- become: yes
- when: composer_exists.stat.exists == False
+ chdir: "{{ ssp_composer_install_directory }}"
+ become: true
+ when: not composer_exists.stat.exists
tags:
- ssp:install
- ssp:install:composer
@@ -79,8 +93,8 @@
- name: Set permissions on Composer
ansible.builtin.file:
path: "{{ ssp_composer_executable }}"
- mode: "a+x"
- become: yes
+ mode: a+x
+ become: true
tags:
- ssp:install
- ssp:install:composer
diff --git a/roles/ssp/tasks/configure-common.yml b/roles/ssp/tasks/configure-common.yml
index 008cce99..a324bda9 100644
--- a/roles/ssp/tasks/configure-common.yml
+++ b/roles/ssp/tasks/configure-common.yml
@@ -1,258 +1,279 @@
# file: ssp/tasks/configure-common.php
#
---
-
-
- name: Configure SSP
- template:
+ ansible.builtin.template:
src: "{{ item }}"
dest: "{{ ssp_configdir }}/config.php"
- backup: yes
- force: yes
+ backup: true
+ force: true
+ mode: "0644"
with_first_found:
- - "config/config-{{ ssp_major_version }}.{{ ssp_minor_version }}.php.j2"
- - "config/config-{{ ssp_major_version }}.php.j2"
- - "config/config.php.j2"
- become: yes
+ - config/config-{{ ssp_major_version }}.{{ ssp_minor_version }}.php.j2
+ - config/config-{{ ssp_major_version }}.php.j2
+ - config/config.php.j2
+ become: true
tags:
- ssp:config:config
- name: Generate self-signed SP certificates
- command: openssl req -newkey rsa:2048 -new -x509 -days 3652 -subj "/CN={{ item.ssl_certificate_cn }}" -nodes -out sp-{{ item.name }}.crt -keyout sp-{{ item.name }}.key
+ ansible.builtin.command: |-
+ openssl req -newkey rsa:2048 \
+ -new -x509 \
+ -days 3652 \
+ -subj "/CN={{ item.ssl_certificate_cn }}" \
+ -nodes -out sp-{{ item.name }}.crt \
+ -keyout sp-{{ item.name }}.key
args:
chdir: "{{ ssp_certdir }}"
creates: "{{ ssp_certdir }}/sp-{{ item.name }}.key"
with_items: "{{ ssp_authsources_saml }}"
- when: item.ssl_certificate_generate | default(True) | bool == True
- become: yes
+ when: item.ssl_certificate_generate | default(True) | bool
+ become: true
tags:
- ssp:config:authsources
- name: Copy SP SSL certificate (.crt)
- copy:
- content: '{{ item.ssl_certificate }}'
+ ansible.builtin.copy:
+ content: "{{ item.ssl_certificate }}"
dest: "{{ ssp_certdir }}/sp-{{ item.name }}.crt"
owner: "{{ ssp_webuser }}"
group: "{{ ssp_webgroup }}"
mode: "0644"
with_items: "{{ ssp_authsources_saml }}"
- when: item.ssl_certificate_generate | default(True) | bool == False
- become: yes
+ when: not (item.ssl_certificate_generate | default(True) | bool)
+ become: true
tags:
- ssp:config:authsources
- name: Copy SP SSL certificate (.key)
- copy:
- content: '{{ item.ssl_certificate_key }}'
+ ansible.builtin.copy:
+ content: "{{ item.ssl_certificate_key }}"
dest: "{{ ssp_certdir }}/sp-{{ item.name }}.key"
owner: "{{ ssp_webuser }}"
group: "{{ ssp_webgroup }}"
mode: "0600"
with_items: "{{ ssp_authsources_saml }}"
- when: item.ssl_certificate_generate | default(True) | bool == False
- become: yes
- no_log: yes
+ when: not (item.ssl_certificate_generate | default(True) | bool)
+ become: true
+ no_log: true
tags:
- ssp:config:authsources
- name: Ensure SP certificate keys are installed
- file:
+ ansible.builtin.file:
state: file
path: "{{ ssp_certdir }}/sp-{{ item.name }}.key"
owner: "{{ ssp_webuser }}"
group: "{{ ssp_webgroup }}"
mode: "0600"
with_items: "{{ ssp_authsources_saml }}"
- when: item.ssl_certificate_generate | default(True) | bool == False or item.ssl_certificate_key is defined
- become: yes
+ when: not (item.ssl_certificate_generate | default(True) | bool) or item.ssl_certificate_key is defined
+ become: true
tags:
- ssp:config:authsources
- name: Ensure SP certificates are installed
- file:
+ ansible.builtin.file:
state: file
path: "{{ ssp_certdir }}/sp-{{ item.name }}.crt"
owner: "{{ ssp_webuser }}"
group: "{{ ssp_webgroup }}"
mode: "0644"
with_items: "{{ ssp_authsources_saml }}"
- when: item.ssl_certificate_generate | default(True) | bool == False or item.ssl_certificate is defined
- become: yes
+ when: not (item.ssl_certificate_generate | default(True) | bool) or item.ssl_certificate is defined
+ become: true
tags:
- ssp:config:authsources
- name: Configure SSP authN sources
- template:
+ ansible.builtin.template:
src: "{{ item }}"
dest: "{{ ssp_configdir }}/authsources.php"
- backup: yes
- force: yes
+ backup: true
+ force: true
+ mode: "0600"
with_first_found:
- - "config/authsources-{{ ssp_major_version }}.{{ ssp_minor_version }}.php.j2"
- - "config/authsources-{{ ssp_major_version }}.php.j2"
- - "config/authsources.php.j2"
- become: yes
+ - config/authsources-{{ ssp_major_version }}.{{ ssp_minor_version }}.php.j2
+ - config/authsources-{{ ssp_major_version }}.php.j2
+ - config/authsources.php.j2
+ become: true
tags:
- ssp:config:authsources
+# Use community.crypto modules here
- name: Generate self-signed IdP certificates
- command: openssl req -newkey rsa:2048 -new -x509 -days 3652 -subj "/CN={{ item.ssl_certificate_cn }}" -nodes -out idp-{{ item.entity_id }}.crt -keyout idp-{{ item.entity_id }}.key
+ ansible.builtin.command: |-
+ openssl req -newkey rsa:2048 \
+ -new -x509 -days 3652 \
+ -subj "/CN={{ item.ssl_certificate_cn }}" \
+ -nodes -out idp-{{ item.entity_id }}.crt \
+ -keyout idp-{{ item.entity_id }}.key
args:
chdir: "{{ ssp_certdir }}"
creates: "{{ ssp_certdir }}/idp-{{ item.entity_id }}.key"
with_items: "{{ ssp_idp_hosts }}"
when: (ssp_idp_saml20_enabled or ssp_idp_shib13_enabled) and item.ssl_certificate_generate | default(True)
- become: yes
+ become: true
tags:
- ssp:config:saml20-idp-hosted
- ssp:config:shib13-idp-hosted
- name: Copy IdP certificate (.crt)
- copy:
- content: '{{ item.ssl_certificate }}'
- dest: "{{ ssp_certdir }}idp-{{ item.entity_id | replace('https://','') | replace('/','_') | replace('.','_')}}.crt"
+ ansible.builtin.copy:
+ content: "{{ item.ssl_certificate }}"
+ dest: "{{ ssp_certdir }}idp-{{ item.entity_id | replace('https://', '') | replace('/', '_') | replace('.', '_') }}.crt"
owner: "{{ ssp_webuser }}"
group: "{{ ssp_webgroup }}"
mode: "0644"
with_items: "{{ ssp_idp_hosts }}"
- when: item.ssl_certificate_generate | default(True) | bool == False and item.ssl_certificate is defined
- become: yes
- no_log: yes
+ when: not (item.ssl_certificate_generate | default(True) | bool) and item.ssl_certificate is defined
+ become: true
+ no_log: true
tags:
- ssp:config:saml20-idp-hosted
- ssp:config:shib13-idp-hosted
- name: Copy IdP certificate (.key)
- copy:
- content: '{{ item.ssl_certificate_key }}'
- dest: "{{ ssp_certdir }}/idp-{{ item.entity_id | replace('https://','') | replace('/','_') | replace('.','_')}}.key"
+ ansible.builtin.copy:
+ content: "{{ item.ssl_certificate_key }}"
+ dest: "{{ ssp_certdir }}/idp-{{ item.entity_id | replace('https://', '') | replace('/', '_') | replace('.', '_') }}.key"
owner: "{{ ssp_webuser }}"
group: "{{ ssp_webgroup }}"
mode: "0600"
with_items: "{{ ssp_idp_hosts }}"
- when: item.ssl_certificate_generate | default(True) | bool == False and item.ssl_certificate_key is defined
- become: yes
- no_log: yes
+ when: not (item.ssl_certificate_generate | default(True) | bool) and item.ssl_certificate_key is defined
+ become: true
+ no_log: true
tags:
- ssp:config:saml20-idp-hosted
- ssp:config:shib13-idp-hosted
- name: Ensure IdP certificate keys are installed
- file:
+ ansible.builtin.file:
state: file
- path: "{{ ssp_certdir }}/idp-{{ item.entity_id | replace('https://','') | replace('/','_') | replace('.','_')}}.key"
+ path: "{{ ssp_certdir }}/idp-{{ item.entity_id | replace('https://', '') | replace('/', '_') | replace('.', '_') }}.key"
owner: "{{ ssp_webuser }}"
group: "{{ ssp_webgroup }}"
mode: "0600"
with_items: "{{ ssp_idp_hosts }}"
when: ssp_idp_saml20_enabled or ssp_idp_shib13_enabled
- become: yes
+ become: true
tags:
- ssp:config:saml20-idp-hosted
- ssp:config:shib13-idp-hosted
- name: Ensure IdP certificates are installed
- file:
+ ansible.builtin.file:
state: file
- path: "{{ ssp_certdir }}/idp-{{ item.entity_id | replace('https://','') | replace('/','_') | replace('.','_')}}.crt"
+ path: "{{ ssp_certdir }}/idp-{{ item.entity_id | replace('https://', '') | replace('/', '_') | replace('.', '_') }}.crt"
owner: "{{ ssp_webuser }}"
group: "{{ ssp_webgroup }}"
mode: "0644"
with_items: "{{ ssp_idp_hosts }}"
when: ssp_idp_saml20_enabled or ssp_idp_shib13_enabled
- become: yes
+ become: true
tags:
- ssp:config:saml20-idp-hosted
- ssp:config:shib13-idp-hosted
- name: Configure SSP hosted SAML 2.0 IdP metadata
- include_tasks: configure-saml20-idp-hosted.yml
+ ansible.builtin.include_tasks: configure-saml20-idp-hosted.yml
when: ssp_idp_saml20_enabled
tags:
- ssp:config:saml20-idp-hosted
- name: Configure SSP hosted SAML 1.1 IdP metadata
- include_tasks: configure-shib13-idp-hosted.yml
+ ansible.builtin.include_tasks: configure-shib13-idp-hosted.yml
when: ssp_idp_shib13_enabled
tags:
- ssp:config:shib13-idp-hosted
- name: Ensure SSP extra files are copied
- copy:
+ ansible.builtin.copy:
src: "{{ item.src_path }}"
dest: "{{ item.dest_path }}"
- backup: yes
+ backup: true
+ mode: "0600"
with_items: "{{ ssp_extra_files }}"
when: item.src_path is defined and item.dest_path is defined
- become: yes
+ become: true
tags:
- ssp:config:files
+# No command - should be empty file with file module
- name: Enable required SSP modules
- command: touch "{{ ssp_path }}/modules/{{ item }}/enable"
+ ansible.builtin.command: touch "{{ ssp_path }}/modules/{{ item }}/enable"
args:
creates: "{{ ssp_path }}/modules/{{ item }}/enable"
with_items: "{{ ssp_mods_enabled }}"
- when: "{{ ssp_major_version|float < 2}}"
- become: yes
+ when: ssp_major_version | float < 2
+ become: true
tags:
- ssp:config:mods
- name: Disable unnecessary SSP modules
- command: touch "{{ ssp_path }}/modules/{{ item }}/disable"
+ ansible.builtin.command: touch "{{ ssp_path }}/modules/{{ item }}/disable"
args:
creates: "{{ ssp_path }}/modules/{{ item }}/disable"
with_items: "{{ ssp_mods_disabled }}"
- when: "{{ ssp_major_version|float < 2}}"
- become: yes
+ when: ssp_major_version | float < 2
+ become: true
tags:
- ssp:config:mods
- name: Ensure required SSP metarefresh module dirs exist
- file: path={{ ssp_metadatadir }}/{{ item.output_dir }} state=directory owner={{ssp_webuser }} group={{ ssp_webgroup }}
+ ansible.builtin.file:
+ path: "{{ ssp_metadatadir }}"
+ state: directory
+ owner: "{{ ssp_webuser }}"
+ group: "{{ ssp_webgroup }}"
+ mode: "0755"
with_items: "{{ ssp_mod_metarefresh_sets }}"
when: "'metarefresh' in ssp_mods_enabled"
- become: yes
+ become: true
tags:
- ssp:config:mods
- ssp:config:mods:metarefresh
- name: Configure SSP metarefresh module
- template:
+ ansible.builtin.template:
src: "{{ item }}"
dest: "{{ ssp_configdir }}/{{ ssp_mod_metarefresh.template.dest }}"
- backup: yes
- force: yes
+ backup: true
+ force: true
+ mode: "0644"
with_first_found:
- "{{ ssp_mod_metarefresh.template.src }}-{{ ssp_major_version }}.{{ ssp_minor_version }}.php.j2"
- "{{ ssp_mod_metarefresh.template.src }}-{{ ssp_major_version }}.php.j2"
- "{{ ssp_mod_metarefresh.template.src }}.php.j2"
when: "'metarefresh' in ssp_mods_enabled"
register: ssp_mod_metarefresh_config
- become: yes
+ become: true
tags:
- ssp:config:mods
- ssp:config:mods:metarefresh
- name: Configure SSP cron module
- template:
+ ansible.builtin.template:
src: "{{ item }}"
dest: "{{ ssp_configdir }}/module_cron.php"
- backup: yes
- force: yes
+ backup: true
+ force: true
+ mode: "0644"
with_first_found:
- - "config/module_cron-{{ ssp_major_version }}.{{ ssp_minor_version }}.php.j2"
- - "config/module_cron-{{ ssp_major_version }}.php.j2"
- - "config/module_cron.php.j2"
+ - config/module_cron-{{ ssp_major_version }}.{{ ssp_minor_version }}.php.j2
+ - config/module_cron-{{ ssp_major_version }}.php.j2
+ - config/module_cron.php.j2
when: "'cron' in ssp_mods_enabled"
- become: yes
+ become: true
tags:
- ssp:config:mods
- ssp:config:mods:cron
- ssp:config:mods:metarefresh
- name: Configure SSP cron jobs
- cron:
+ ansible.builtin.cron:
name: "{{ item.name }}"
user: "{{ item.user | default('root') }}"
cron_file: "{{ item.file }}"
@@ -260,9 +281,14 @@
job: >
{% if ssp_major_version | int < 2 %}
# Set maximum time for preventing curl job from hanging
- curl -k --silent -m {{ ssp_mod_cron_job_max_execution_time }} {{ ssp_mod_cron_url }}?key={{ ssp_mod_cron_secret }}&tag={{ item.tag }}
+ curl -k --silent -m {{ ssp_mod_cron_job_max_execution_time }} \
+ {{ ssp_mod_cron_url }}?key={{ ssp_mod_cron_secret }}&\
+ tag={{ item.tag }}
{% else %}
- php -d max_execution_time={{ ssp_mod_cron_job_max_execution_time }} -d memory_limit={{ ssp_mod_cron_job_memory_limit }} {{ ssp_path }}/modules/cron/bin/cron.php -t {{ item.tag }}
+ php -d max_execution_time={{ ssp_mod_cron_job_max_execution_time }} \
+ -d memory_limit={{ ssp_mod_cron_job_memory_limit }} \
+ {{ ssp_path }}/modules/cron/bin/cron.php \
+ -t {{ item.tag }}
{% endif %}
minute: "{{ item.minute | default(omit) }}"
hour: "{{ item.hour | default(omit) }}"
@@ -270,55 +296,55 @@
month: "{{ item.month | default(omit) }}"
with_items: "{{ ssp_mod_cron_entries }}"
when: "'cron' in ssp_mods_enabled"
- become: yes
+ become: true
tags:
- ssp:config:mods
- ssp:config:mods:cron
- ssp:config:mods:metarefresh
- name: Configure SSP cron job variables
- cronvar:
+ community.general.cronvar:
name: "{{ item.name }}"
value: "{{ item.value }}"
cron_file: "{{ item.file }}"
with_items: "{{ ssp_mod_cron_vars }}"
when: "'cron' in ssp_mods_enabled"
- become: yes
+ become: true
tags:
- ssp:config:mods
- ssp:config:mods:cron
- ssp:config:mods:metarefresh
- name: Configure SSP discopower module
- template:
+ ansible.builtin.template:
src: "{{ item }}"
dest: "{{ ssp_configdir }}/module_discopower.php"
- backup: yes
- force: yes
+ backup: true
+ force: true
+ mode: "0644"
with_first_found:
- - "config/module_discopower-{{ ssp_major_version }}.{{ ssp_minor_version }}.php.j2"
- - "config/module_discopower-{{ ssp_major_version }}.php.j2"
- - "config/module_discopower.php.j2"
+ - config/module_discopower-{{ ssp_major_version }}.{{ ssp_minor_version }}.php.j2
+ - config/module_discopower-{{ ssp_major_version }}.php.j2
+ - config/module_discopower.php.j2
when: "'discopower' in ssp_mods_enabled"
- become: yes
+ become: true
tags:
- ssp:config:mods
- ssp:config:mods:discopower
- name: Update SSP discopower module dictionary definitions
- template:
+ ansible.builtin.template:
src: "{{ item }}"
dest: "{{ ssp_path }}/modules/discopower/dictionaries/tabs.definition.json"
- backup: yes
- force: yes
+ backup: true
+ force: true
+ mode: "0644"
with_first_found:
- - "modules/discopower/dictionaries/tabs.definition-{{ ssp_major_version }}.{{ ssp_minor_version }}.json.j2"
- - "modules/discopower/dictionaries/tabs.definition-{{ ssp_major_version }}.json.j2"
- - "modules/discopower/dictionaries/tabs.definition.json.j2"
+ - modules/discopower/dictionaries/tabs.definition-{{ ssp_major_version }}.{{ ssp_minor_version }}.json.j2
+ - modules/discopower/dictionaries/tabs.definition-{{ ssp_major_version }}.json.j2
+ - modules/discopower/dictionaries/tabs.definition.json.j2
when: "'discopower' in ssp_mods_enabled and ssp_mod_discopower_dictionaries is defined"
- become: yes
+ become: true
tags:
- ssp:config:mods
- ssp:config:mods:discopower
-
-
diff --git a/roles/ssp/tasks/configure-saml20-idp-hosted.yml b/roles/ssp/tasks/configure-saml20-idp-hosted.yml
index 351df897..0504579f 100644
--- a/roles/ssp/tasks/configure-saml20-idp-hosted.yml
+++ b/roles/ssp/tasks/configure-saml20-idp-hosted.yml
@@ -1,15 +1,15 @@
---
-
- name: Configure SSP hosted SAML 2.0 IdP metadata
- template:
+ ansible.builtin.template:
src: "{{ item }}"
dest: "{{ ssp_metadatadir }}/saml20-idp-hosted.php"
- backup: yes
- force: yes
+ backup: true
+ force: true
+ mode: "0600"
with_first_found:
- - "metadata/saml20-idp-hosted-{{ ssp_major_version }}.{{ ssp_minor_version }}.php.j2"
- - "metadata/saml20-idp-hosted-{{ ssp_major_version }}.php.j2"
- - "metadata/saml20-idp-hosted.php.j2"
- become: yes
+ - metadata/saml20-idp-hosted-{{ ssp_major_version }}.{{ ssp_minor_version }}.php.j2
+ - metadata/saml20-idp-hosted-{{ ssp_major_version }}.php.j2
+ - metadata/saml20-idp-hosted.php.j2
+ become: true
tags:
- ssp:config:saml20-idp-hosted
diff --git a/roles/ssp/tasks/configure-shib13-idp-hosted.yml b/roles/ssp/tasks/configure-shib13-idp-hosted.yml
index 65d8de14..305cdcf7 100644
--- a/roles/ssp/tasks/configure-shib13-idp-hosted.yml
+++ b/roles/ssp/tasks/configure-shib13-idp-hosted.yml
@@ -1,15 +1,15 @@
---
-
- name: Configure SSP hosted SAML 1.1 IdP metadata
- template:
+ ansible.builtin.template:
src: "{{ item }}"
dest: "{{ ssp_metadatadir }}/shib13-idp-hosted.php"
- backup: yes
- force: yes
+ backup: true
+ force: true
+ mode: "0600"
with_first_found:
- - "metadata/shib13-idp-hosted-{{ ssp_major_version }}.{{ ssp_minor_version }}.php.j2"
- - "metadata/shib13-idp-hosted-{{ ssp_major_version }}.php.j2"
- - "metadata/shib13-idp-hosted.php.j2"
- become: yes
+ - metadata/shib13-idp-hosted-{{ ssp_major_version }}.{{ ssp_minor_version }}.php.j2
+ - metadata/shib13-idp-hosted-{{ ssp_major_version }}.php.j2
+ - metadata/shib13-idp-hosted.php.j2
+ become: true
tags:
- ssp:config:shib13-idp-hosted
diff --git a/roles/ssp/tasks/install-Debian.yml b/roles/ssp/tasks/install-Debian.yml
index 9c06cb38..e0eaa5d4 100644
--- a/roles/ssp/tasks/install-Debian.yml
+++ b/roles/ssp/tasks/install-Debian.yml
@@ -1,25 +1,29 @@
---
-
- name: Update package cache (Debian)
- apt: update_cache=yes cache_valid_time=86400
- become: yes
+ ansible.builtin.apt:
+ update_cache: "yes"
+ cache_valid_time: "86400"
+ become: true
- name: Ensure latest CA certificates are installed (Debian)
- apt: pkg=ca-certificates state=latest install_recommends=no
+ ansible.builtin.apt:
+ pkg: ca-certificates
+ state: present
+ install_recommends: "no"
become: true
- name: Ensure SSP cron module dependencies are installed (Debian)
- apt:
+ ansible.builtin.apt:
pkg: "{{ ssp_mod_cron_deps }}"
state: present
- install_recommends: no
+ install_recommends: false
when: "'cron' in ssp_mods_enabled"
become: true
-#- name: Ensure memcached dependencies are installed (Debian)
-# apt: pkg={{ item }} state=present install_recommends=no
-# with_items: "{{ ssp_memcache_deps }}"
-# when: "ssp_store_type is defined and ssp_store_type == 'memcache'"
-# become: true
-# notify:
-# - restart webserver
+# - name: Ensure memcached dependencies are installed (Debian)
+# apt: pkg={{ item }} state=present install_recommends=no
+# with_items: "{{ ssp_memcache_deps }}"
+# when: "ssp_store_type is defined and ssp_store_type == 'memcache'"
+# become: true
+# notify:
+# - restart webserver
diff --git a/roles/ssp/tasks/install-RedHat.yml b/roles/ssp/tasks/install-RedHat.yml
index 4cd74b65..d0650879 100644
--- a/roles/ssp/tasks/install-RedHat.yml
+++ b/roles/ssp/tasks/install-RedHat.yml
@@ -1,24 +1,23 @@
---
-
- name: Ensure latest CA certificates are installed (RedHat)
- yum:
+ ansible.builtin.yum:
name: ca-certificates
- state: latest
+ state: present
become: true
- name: Ensure SSP cron module dependencies are installed (RedHat)
- yum:
+ ansible.builtin.yum:
name: "{{ ssp_mod_cron_deps }}"
state: present
when: "'cron' in ssp_mods_enabled"
become: true
-#- name: Ensure memcached dependencies are installed (RedHat)
-# yum:
-# name: "{{ item }}"
-# state: present
-# with_items: "{{ ssp_memcache_deps }}"
-# when: "ssp_store_type is defined and ssp_store_type == 'memcache'"
-# become: true
-# notify:
-# - restart webserver
+# - name: Ensure memcached dependencies are installed (RedHat)
+# yum:
+# name: "{{ item }}"
+# state: present
+# with_items: "{{ ssp_memcache_deps }}"
+# when: "ssp_store_type is defined and ssp_store_type == 'memcache'"
+# become: true
+# notify:
+# - restart webserver
diff --git a/roles/ssp/tasks/install-common.yml b/roles/ssp/tasks/install-common.yml
index f17dc7ed..78f30cfd 100644
--- a/roles/ssp/tasks/install-common.yml
+++ b/roles/ssp/tasks/install-common.yml
@@ -1,59 +1,72 @@
---
-
-- include_tasks: install-release.yml
+- name: Include Release Tasks
+ ansible.builtin.include_tasks: install-release.yml
when: ssp_release_url is defined
tags:
- ssp:install
-- include_tasks: install-source.yml
+- name: Include source install tasks
+ ansible.builtin.include_tasks: install-source.yml
when: ssp_release_url is not defined
tags:
- ssp:install
- name: Update symbolic link to SSP
- file:
+ ansible.builtin.file:
src: "{{ ssp_path }}/{{ 'public' if ssp_major_version == '2' else 'www' }}/"
dest: "{{ ssp_www_path }}"
state: link
- become: yes
+ become: true
tags:
- ssp:install
-- include_tasks: twig.yml
- when: (ssp_twig_install is defined) and (ssp_twig_install|bool == True)
+- name: Include Twig tasks
+ ansible.builtin.include_tasks: twig.yml
+ when: (ssp_twig_install is defined) and (ssp_twig_install | bool)
- name: Ensure SSP config dir exists
- file: path={{ ssp_configdir }} state=directory
- become: yes
+ ansible.builtin.file:
+ path: "{{ ssp_configdir }}"
+ state: directory
+ mode: "0750"
+ become: true
tags:
- ssp:install
- name: Ensure SSP logging dir exists
- file:
+ ansible.builtin.file:
state: directory
path: "{{ ssp_loggingdir }}"
owner: "{{ ssp_webuser }}"
group: "{{ ssp_webgroup }}"
mode: "0750"
- become: yes
+ become: true
tags:
- ssp:install
- name: Ensure SSP data dir exists
- file: path={{ ssp_datadir }} state=directory
- become: yes
+ ansible.builtin.file:
+ path: "{{ ssp_datadir }}"
+ state: directory
+ mode: "0750"
+ become: true
tags:
- ssp:install
- name: Ensure SSP metadata dir exists
- file: path={{ ssp_metadatadir }} state=directory
- become: yes
+ ansible.builtin.file:
+ path: "{{ ssp_metadatadir }}"
+ state: directory
+ mode: "0750"
+ become: true
tags:
- ssp:install
- name: Ensure SSP cert dir exists
- file: path={{ ssp_certdir }} state=directory
- become: yes
+ ansible.builtin.file:
+ path: "{{ ssp_certdir }}"
+ state: directory
+ mode: "0750"
+ become: true
tags:
- ssp:install
-
diff --git a/roles/ssp/tasks/install-release.yml b/roles/ssp/tasks/install-release.yml
index 26b21eac..a8e092bd 100644
--- a/roles/ssp/tasks/install-release.yml
+++ b/roles/ssp/tasks/install-release.yml
@@ -1,47 +1,47 @@
---
-
- name: Check if SSP path exists
- stat:
+ ansible.builtin.stat:
path: "{{ ssp_path }}"
register: release_downloaded
tags:
- ssp:install:release
-- block:
-
+- name: SSP Install
+ when: not release_downloaded.stat.exists
+ become: true
+ tags:
+ - ssp:install:release
+ block:
- name: Create temp SSP installation directory
- tempfile:
+ ansible.builtin.tempfile:
state: directory
register: ssp_basepath
- name: Download and unarchive SSP release into temp installation directory
- unarchive:
+ ansible.builtin.unarchive:
src: "{{ ssp_release_url }}"
dest: "{{ ssp_basepath.path }}/"
- owner: "root"
- group: "root"
+ owner: root
+ group: root
list_files: true
remote_src: true
- name: Ensure SSP path exists
- file:
+ ansible.builtin.file:
path: "{{ ssp_path }}"
state: directory
- owner: "root"
- group: "root"
+ owner: root
+ group: root
+ mode: "0750"
- name: Copy release to SSP path
- copy:
+ ansible.builtin.copy:
src: "{{ ssp_basepath.path }}/{{ ssp_repo_version }}/"
dest: "{{ ssp_path }}"
remote_src: true
+ mode: "0600"
- name: Remove temp SSP installation directory
- file:
+ ansible.builtin.file:
path: "{{ ssp_basepath.path }}"
state: absent
-
- when: release_downloaded.stat.exists == False
- become: yes
- tags:
- - ssp:install:release
\ No newline at end of file
diff --git a/roles/ssp/tasks/install-source.yml b/roles/ssp/tasks/install-source.yml
index 69eec8d1..5ffb59cf 100644
--- a/roles/ssp/tasks/install-source.yml
+++ b/roles/ssp/tasks/install-source.yml
@@ -1,23 +1,23 @@
---
-
- name: Checkout SSP source
- git:
+ ansible.builtin.git:
repo: "{{ ssp_repo_url }}"
dest: "{{ ssp_path }}"
version: "{{ ssp_repo_version }}"
- accept_hostkey: yes
- force: no
- update: no
- become: yes
+ accept_hostkey: true
+ force: false
+ update: false
+ become: true
when: ssp_release_file is not defined
tags:
- ssp:install:source
-- include_tasks: composer.yml
- when: (ssp_composer_install is defined) and (ssp_composer_install|bool == True)
+- name: Include composer tasks
+ ansible.builtin.include_tasks: composer.yml
+ when: (ssp_composer_install is defined) and (ssp_composer_install | bool)
- name: Install/Update SimplesamlPHP
- composer:
+ community.general.composer:
command: update
working_dir: "{{ ssp_path }}"
composer_executable: "{{ ssp_composer_executable }}"
@@ -25,4 +25,4 @@
no_scripts: true
become: true
tags:
- - ssp:install:source
\ No newline at end of file
+ - ssp:install:source
diff --git a/roles/ssp/tasks/main.yml b/roles/ssp/tasks/main.yml
index ae60ccc2..727711aa 100644
--- a/roles/ssp/tasks/main.yml
+++ b/roles/ssp/tasks/main.yml
@@ -1,94 +1,96 @@
---
- name: Include OS-specific variables
- include_vars: "{{ item }}"
+ ansible.builtin.include_vars: "{{ item }}"
with_first_found:
- - "{{ ansible_distribution }}-{{ ansible_distribution_release}}.yml"
- - "{{ ansible_distribution }}-{{ ansible_distribution_major_version}}.yml"
+ - "{{ ansible_distribution }}-{{ ansible_distribution_release }}.yml"
+ - "{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml"
- "{{ ansible_distribution }}.yml"
- "{{ ansible_os_family }}.yml"
tags:
- always
-- block:
+- name: Set SSP facts
+ tags:
+ - always
+ block:
- name: Split SSP version string into parts
- set_fact:
+ ansible.builtin.set_fact:
ssp_version_parts: "{{ ssp_version.split('.') }}"
- name: Define SSP major version number
- set_fact:
+ ansible.builtin.set_fact:
ssp_major_version: "{{ ssp_version_parts[0] }}"
tags:
- always
- name: Define SSP minor version number
- set_fact:
+ ansible.builtin.set_fact:
ssp_minor_version: "{{ ssp_version_parts[1] }}"
tags:
- always
- name: Define SSP patch version number only when specified in version string
- set_fact:
+ ansible.builtin.set_fact:
ssp_patch_version: "{{ ssp_version_parts[2] | default(omit) }}"
- tags:
- - always
- name: Include SSP-specific variables
- include_vars: "{{ item }}"
+ ansible.builtin.include_vars: "{{ item }}"
with_first_found:
- - "ssp-{{ ssp_major_version }}.{{ ssp_minor_version }}.yml"
- - "ssp-{{ ssp_major_version }}.yml"
- ignore_errors: yes
+ - ssp-{{ ssp_major_version }}.{{ ssp_minor_version }}.yml
+ - ssp-{{ ssp_major_version }}.yml
+ failed_when: false # noqa ignore-errors
tags:
- always
- name: Define SSP web server
- set_fact:
+ ansible.builtin.set_fact:
ssp_webserver: "{{ ssp_default_webserver }}"
when: ssp_webserver is not defined
tags:
- always
- name: Define SSP web user
- set_fact:
+ ansible.builtin.set_fact:
ssp_webuser: "{{ ssp_default_webuser }}"
when: ssp_webuser is not defined
tags:
- always
- name: Define SSP web group
- set_fact:
+ ansible.builtin.set_fact:
ssp_webgroup: "{{ ssp_default_webgroup }}"
when: ssp_webgroup is not defined
tags:
- always
- name: Define SSP cron module dependencies
- set_fact:
+ ansible.builtin.set_fact:
ssp_mod_cron_deps: "{{ ssp_default_mod_cron_deps | list }}"
when: ssp_mod_cron_deps is not defined
tags:
- always
-
- name: Define SSP path
- set_fact:
+ ansible.builtin.set_fact:
ssp_path: "{{ ssp_path }}-{{ ssp_version_suffix }}"
when: ssp_version_suffix is defined and ssp_version_suffix != ""
tags:
- always
-# Install OS-specific packages
-- include: install-Debian.yml
+- name: Install Debian packages
+ ansible.builtin.include_tasks: install-Debian.yml
when: ansible_os_family == 'Debian'
-- include: install-RedHat.yml
+
+- name: Install Redhat packages
+ ansible.builtin.include_tasks: install-RedHat.yml
when: ansible_os_family == 'RedHat'
-# Run OS-independent installation tasks
-- include: install-common.yml
+- name: Run OS-independent installation tasks
+ ansible.builtin.include_tasks: install-common.yml
tags:
- install
- ssp:install
-# Apply OS-independent configuration
-- include: configure-common.yml
+- name: Apply OS-independent configuration
+ ansible.builtin.include_tasks: configure-common.yml
tags:
- config
- ssp:config
diff --git a/roles/ssp/tasks/twig.yml b/roles/ssp/tasks/twig.yml
index 4fa11d9a..4ce481cc 100644
--- a/roles/ssp/tasks/twig.yml
+++ b/roles/ssp/tasks/twig.yml
@@ -1,85 +1,92 @@
---
-
## Node Version Manager (nvm) | Installing and Updating
### http://nvm.sh
### https://github.com/nvm-sh/nvm#installing-and-updating
### https://github.com/nvm-sh/nvm#ansible
-- name: Install Node Version Manager (nvm)
- shell: "curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.37.2/install.sh | bash"
+- name: Install Node Version Manager (nvm) # noqa command-instead-of-module
+ ansible.builtin.shell:
+ executable: /bin/bash
+ cmd: |
+ set -o pipefaile
+ curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.37.2/install.sh | bash
args:
creates: "{{ ansible_env.HOME }}/.nvm/nvm.sh"
- when: ssp_twig_template | default(False) | bool == True
+ when: ssp_twig_template | default(False) | bool
tags:
- ssp:install
- ssp:install:install_nvm
- ssp:install:ssp_twig_template
- name: Install Node.js v14.15.1
- shell: "source {{ ansible_env.HOME }}/.nvm/nvm.sh && nvm install v14.15.1"
+ ansible.builtin.shell: source {{ ansible_env.HOME }}/.nvm/nvm.sh && nvm install v14.15.1
args:
executable: /bin/bash
register: v14
changed_when: v14 is changed and "is already installed" not in v14.stderr
- when: ssp_twig_template | default(False) | bool == True
+ when: ssp_twig_template | default(False) | bool
tags:
- ssp:install
- ssp:install:install_nvm
- install_node_14
- ssp:install:ssp_twig_template
-- name: npm install
- shell: "source {{ ansible_env.HOME }}/.nvm/nvm.sh && nvm use v14.15.1 && npm install --unsafe-perm=true --allow-root"
+- name: Npm install
+ ansible.builtin.shell: source {{ ansible_env.HOME }}/.nvm/nvm.sh && nvm use v14.15.1 && npm install --unsafe-perm=true --allow-root
args:
chdir: "{{ ssp_path }}/"
executable: /bin/bash
register: npm_install_results
changed_when: npm_install_results is changed and "added" in npm_install_results.stdout
- when: ssp_twig_template | default(False) | bool == True
+ when: ssp_twig_template | default(False) | bool
become: true
tags:
- ssp:install
- ssp:install:ssp_twig_template
-- name: npm audit fix
- shell: "source {{ ansible_env.HOME }}/.nvm/nvm.sh && nvm use v14.15.1 && npm audit fix"
+- name: Npm audit fix
+ ansible.builtin.shell: source {{ ansible_env.HOME }}/.nvm/nvm.sh && nvm use v14.15.1 && npm audit fix
args:
chdir: "{{ ssp_path }}/"
executable: /bin/bash
- when: ssp_twig_template | default(False) | bool == True
+ when: ssp_twig_template | default(False) | bool
become: true
tags:
- ssp:install
- ssp:install:ssp_twig_template
+ changed_when: false
-- name: npm run build (1/3)
- shell: "source {{ ansible_env.HOME }}/.nvm/nvm.sh && nvm use v14.15.1 && node scripts/install.js"
+- name: Npm run build (1/3)
+ ansible.builtin.shell: source {{ ansible_env.HOME }}/.nvm/nvm.sh && nvm use v14.15.1 && node scripts/install.js
args:
chdir: "{{ ssp_path }}/node_modules/node-sass/"
executable: /bin/bash
- when: ssp_twig_template | default(False) | bool == True
+ when: ssp_twig_template | default(False) | bool
become: true
tags:
- ssp:install
- ssp:install:ssp_twig_template
+ changed_when: false
-- name: npm run build (2/3)
- shell: "source {{ ansible_env.HOME }}/.nvm/nvm.sh && nvm use v14.15.1 && node scripts/build.js"
+- name: Npm run build (2/3)
+ ansible.builtin.shell: source {{ ansible_env.HOME }}/.nvm/nvm.sh && nvm use v14.15.1 && node scripts/build.js
args:
chdir: "{{ ssp_path }}/node_modules/node-sass/"
executable: /bin/bash
- when: ssp_twig_template | default(False) | bool == True
+ when: ssp_twig_template | default(False) | bool
become: true
tags:
- ssp:install
- ssp:install:ssp_twig_template
+ changed_when: false
-- name: npm run build (3/3)
- shell: "source {{ ansible_env.HOME }}/.nvm/nvm.sh && nvm use v14.15.1 && npm run build"
+- name: Npm run build (3/3)
+ ansible.builtin.shell: source {{ ansible_env.HOME }}/.nvm/nvm.sh && nvm use v14.15.1 && npm run build
args:
chdir: "{{ ssp_path }}/"
executable: /bin/bash
- when: ssp_twig_template | default(False) | bool == True
+ when: ssp_twig_template | default(False) | bool
become: true
tags:
- ssp:install
- - ssp:install:ssp_twig_template
\ No newline at end of file
+ - ssp:install:ssp_twig_template
+ changed_when: false
diff --git a/roles/ssp/templates/config/module_discopower-1.14.php.j2 b/roles/ssp/templates/config/module_discopower-1.14.php.j2
index 6e91dba2..6581e1af 100644
--- a/roles/ssp/templates/config/module_discopower-1.14.php.j2
+++ b/roles/ssp/templates/config/module_discopower-1.14.php.j2
@@ -1,5 +1,5 @@
'suggest',
+ 'score' => 'suggest',
{% endif %}
/*
* The domain to use for common domain cookie support.
@@ -49,4 +49,4 @@ $config = array (
);
-?>
\ No newline at end of file
+?>
diff --git a/roles/ssp/templates/config/module_discopower-1.17.php.j2 b/roles/ssp/templates/config/module_discopower-1.17.php.j2
index 5d583c49..f26281da 100644
--- a/roles/ssp/templates/config/module_discopower-1.17.php.j2
+++ b/roles/ssp/templates/config/module_discopower-1.17.php.j2
@@ -1,6 +1,6 @@
-
+ "{{ inventory_dir }}/files/get_gh_asset_id.sh \
+ {{ webapp_github_repo }} \
+ {{ webapp_github_repo_token }} \
+ {{ webapp_github_release_version }} \
+ {{ webapp_github_release_file }}"
register: github_asset_id
-- name: Ensure WAR file is downloaded
- command: wget -q --auth-no-challenge --header="Accept:application/octet-stream" "https://{{ webapp_github_repo_token }}:@api.github.com/repos/{{ webapp_github_repo }}/releases/assets/{{ github_asset_id.stdout }}" -O "{{ webapp_file }}_{{ webapp_github_release_version }}"
- args:
- chdir: "{{ webapp_download_path }}/"
- creates: "{{ webapp_file }}_{{ webapp_github_release_version }}"
+# Replaced by get_url below
+# - name: Ensure WAR file is downloaded
+# ansible.builtin.command: wget \
+ # -q --auth-no-challenge \
+ # --header="Accept:application/octet-stream" \
+ # "https://{{ webapp_github_repo_token }}:@api.github.com/repos/{{ webapp_github_repo }}/releases/assets/{{ github_asset_id.stdout }}" \
+ # -O "{{ webapp_file }}_{{ webapp_github_release_version }}"
+# args:
+# chdir: "{{ webapp_download_path }}/"
+# creates: "{{ webapp_file }}_{{ webapp_github_release_version }}"
+# become: true
+
+- name: Ensure WAR file
+ ansible.builtin.get_url:
+ url: "https://api.github.com/repos/{{ webapp_github_repo }}/releases/assets/{{ github_asset_id.stdout }}"
+ dest: "{{ webapp_download_path }}/{{ webapp_file }}_{{ webapp_github_release_version }}"
+ headers:
+ Accept: application/octet-stream
+ Authorization: "Bearer {{ webapp_github_repo_token }}"
+ mode: "0644"
become: true
- name: Check that WAR file has been deployed
- stat:
+ ansible.builtin.stat:
path: "{{ webapp_path }}/{{ webapp_file }}"
register: webapp_file_status
become: true
- name: Deploy WAR file when WAR file has not been deployed
- copy:
+ ansible.builtin.copy:
src: "{{ webapp_download_path }}/{{ webapp_file }}_{{ webapp_github_release_version }}"
dest: "{{ webapp_path }}/{{ webapp_file }}"
remote_src: true
- when: webapp_file_status.stat.exists == False
+ mode: "0644"
+ when: not webapp_file_status.stat.exists
become: true
- name: Calculate checksum of deployed WAR file
- stat:
+ ansible.builtin.stat:
path: "{{ webapp_path }}/{{ webapp_file }}"
checksum_algorithm: sha256
get_checksum: true
register: webapp_file_checksum_old
- when: webapp_file_status.stat.exists == True
+ when: webapp_file_status.stat.exists
become: true
- name: Calculate checksum of downloaded WAR file
- stat:
+ ansible.builtin.stat:
path: "{{ webapp_download_path }}/{{ webapp_file }}_{{ webapp_github_release_version }}"
checksum_algorithm: sha256
get_checksum: true
register: webapp_file_checksum_new
- when: webapp_file_status.stat.exists == True
+ when: webapp_file_status.stat.exists
become: true
- name: Ensure Tomcat is stopped
- service:
+ ansible.builtin.service:
name: "{{ tomcat_service }}"
- state: "stopped"
- when: webapp_file_status.stat.exists == True and webapp_file_checksum_old.stat.checksum != webapp_file_checksum_new.stat.checksum
+ state: stopped
+ when: webapp_file_status.stat.exists and webapp_file_checksum_old.stat.checksum != webapp_file_checksum_new.stat.checksum
become: true
- name: Ensure previous WAR file is deleted
- file:
+ ansible.builtin.file:
path: "{{ webapp_path }}/{{ webapp_file }}"
state: absent
- when: webapp_file_status.stat.exists == True and webapp_file_checksum_old.stat.checksum != webapp_file_checksum_new.stat.checksum
+ when: webapp_file_status.stat.exists and webapp_file_checksum_old.stat.checksum != webapp_file_checksum_new.stat.checksum
become: true
- name: Ensure previous WAR directory is deleted
- file:
+ ansible.builtin.file:
path: "{{ webapp_path }}/{{ webapp_context_path }}"
state: absent
- when: webapp_file_status.stat.exists == True and webapp_file_checksum_old.stat.checksum != webapp_file_checksum_new.stat.checksum
+ when: webapp_file_status.stat.exists and webapp_file_checksum_old.stat.checksum != webapp_file_checksum_new.stat.checksum
become: true
- name: Deploy new version of WAR file
- copy:
+ ansible.builtin.copy:
src: "{{ webapp_download_path }}/{{ webapp_file }}_{{ webapp_github_release_version }}"
dest: "{{ webapp_path }}/{{ webapp_file }}"
+ mode: "0644"
remote_src: true
- when: webapp_file_status.stat.exists == True and webapp_file_checksum_old.stat.checksum != webapp_file_checksum_new.stat.checksum
+ when: webapp_file_status.stat.exists and webapp_file_checksum_old.stat.checksum != webapp_file_checksum_new.stat.checksum
become: true
- name: Ensure Tomcat is started
- service:
+ ansible.builtin.service:
name: "{{ tomcat_service }}"
state: "started"
- when: webapp_file_status.stat.exists == True and webapp_file_checksum_old.stat.checksum != webapp_file_checksum_new.stat.checksum
+ when: webapp_file_status.stat.exists and webapp_file_checksum_old.stat.checksum != webapp_file_checksum_new.stat.checksum
become: true
diff --git a/roles/tomcat/tasks/install-Debian.yml b/roles/tomcat/tasks/install-Debian.yml
index a3c460fb..0a8b97f5 100644
--- a/roles/tomcat/tasks/install-Debian.yml
+++ b/roles/tomcat/tasks/install-Debian.yml
@@ -1,12 +1,11 @@
# file: tomcat/tasks/install-Debian.yml
#
---
-
- name: Ensure Tomcat is installed (Debian)
- apt:
+ ansible.builtin.apt:
name: "{{ tomcat_package }}"
state: present
- update_cache: yes
+ update_cache: true
cache_valid_time: 86400
- install_recommends: no
- become: yes
+ install_recommends: false
+ become: true
diff --git a/roles/tomcat/tasks/main.yml b/roles/tomcat/tasks/main.yml
index b0899cdd..ef8ab3ac 100644
--- a/roles/tomcat/tasks/main.yml
+++ b/roles/tomcat/tasks/main.yml
@@ -1,70 +1,70 @@
# file: tomcat/tasks/main.yml
#
---
-
- name: Include OS-specific variables
- include_vars: "{{ item }}"
+ ansible.builtin.include_vars: "{{ item }}"
with_first_found:
- - "{{ ansible_distribution }}-{{ ansible_distribution_release}}.yml"
- - "{{ ansible_distribution }}-{{ ansible_distribution_major_version}}.yml"
+ - "{{ ansible_distribution }}-{{ ansible_distribution_release }}.yml"
+ - "{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml"
- "{{ ansible_distribution }}.yml"
- "{{ ansible_os_family }}.yml"
tags:
- always
- name: Define tomcat version
- set_fact:
+ ansible.builtin.set_fact:
tomcat_version: "{{ tomcat_default_version }}"
when: tomcat_version is not defined
tags:
- always
- name: Define tomcat package name
- set_fact:
+ ansible.builtin.set_fact:
tomcat_package: "{{ tomcat_default_package }}"
when: tomcat_package is not defined
tags:
- always
- name: Define tomcat service name
- set_fact:
+ ansible.builtin.set_fact:
tomcat_service: "{{ tomcat_default_service }}"
when: tomcat_service is not defined
tags:
- always
- name: Define tomcat configuration path
- set_fact:
+ ansible.builtin.set_fact:
tomcat_conf_path: "{{ tomcat_default_conf_path }}"
when: tomcat_conf_path is not defined
tags:
- always
- name: Define tomcat JAVA_HOME
- set_fact:
+ ansible.builtin.set_fact:
tomcat_java_home: "{{ tomcat_default_java_home }}"
when: tomcat_java_home is not defined
tags:
- always
-# Install OS-specific packages
-- include: install-Debian.yml
+- name: Install OS-specific packages
+ ansible.builtin.include_tasks: install-Debian.yml
when: ansible_os_family == 'Debian'
-#- include: install-CentOS.yml
-# when: ansible_os_family == 'CentOS'
-# Apply OS-independent configuration
-- include: configure-common.yml
+# - include: install-CentOS.yml
+# when: ansible_os_family == 'CentOS'
+
+- name: Apply OS-independent configuration
+ ansible.builtin.include_tasks: configure-common.yml
-# Deploy .war file
-- include: deploy-webapp.yml
+- name: Deploy .war file
+ ansible.builtin.include_tasks: deploy-webapp.yml
tags:
- never
- tomcat:deploy
- name: Ensure Tomcat service is started and enabled on boot
- service:
+ ansible.builtin.service:
name: "{{ tomcat_service }}"
- state: "started"
- enabled: yes
- become: yes
+ state: started
+ enabled: true
+ become: true
diff --git a/roles/tomcat/templates/server-8.5.xml.j2 b/roles/tomcat/templates/server-8.5.xml.j2
index 0a753779..9399d055 100644
--- a/roles/tomcat/templates/server-8.5.xml.j2
+++ b/roles/tomcat/templates/server-8.5.xml.j2
@@ -72,7 +72,7 @@
Define a non-SSL HTTP/1.1 Connector on port 8080
-->
{% for connector in tomcat_connectors %}
-
{% for connector in tomcat_connectors %}
-
{% for connector in tomcat_connectors %}
- -
+ cp -p config/PLACEHOLDER/secrets_env.yml.PLACEHOLDER
+ "{{ path_of_secrets_generator_file }}/{{ secrets_generator_file }}"
+ when: not secrets_file.stat.exists
+ changed_when: false # TODO determine change conditions
+
+ - name: "Set permissions of {{ path_of_secrets_generator_file }}/{{ secrets_generator_file }}" # noqa name[template]
+ ansible.builtin.file:
path: "{{ path_of_secrets_generator_file }}/{{ secrets_generator_file }}"
state: file
- mode: 0600
- when: secrets_file.stat.exists == False
-
+ mode: "0600"
+ when: not secrets_file.stat.exists
- name: Generate self-signed SP certificates
- command : "openssl req -newkey rsa:2048 -new -x509 -days 3652 -subj \"/CN={{ rciam_hostname }}\" -nodes -out sp-{{ item.name }}.crt -keyout sp-{{ item.name }}.key"
+ ansible.builtin.command: >-
+ openssl req \
+ -newkey rsa:2048 \
+ -new -x509 \
+ -days 3652 \
+ -subj "/CN={{ rciam_hostname }}" \
+ -nodes \
+ -out "sp-{{ item.name }}.crt" \
+ -keyout "sp-{{ item.name }}.key"
args:
chdir: config/PLACEHOLDER/
no_log: true
register: new_sp_certificate
with_items: "{{ ssp_authsources_saml }}"
- when: secrets_file.stat.exists == False
+ when: not secrets_file.stat.exists
+ changed_when: false
+ # TODO - use community.pki
- name: Generate self-signed IdP certificates
- command : "openssl req -newkey rsa:2048 -new -x509 -days 3652 -subj \"/CN={{ rciam_hostname }}\" -nodes -out idp-{{ item.entity_id }}.crt -keyout idp-{{ item.entity_id }}.key"
+ ansible.builtin.command: >-
+ openssl req \
+ -newkey rsa:2048 \
+ -new -x509 \
+ -days 3652 \
+ -subj \"/CN={{ rciam_hostname }}\" \
+ -nodes \
+ -out "idp-{{ item.entity_id }}.crt" \
+ -keyout "idp-{{ item.entity_id }}.key"
args:
chdir: config/PLACEHOLDER/
no_log: true
register: new_sp_certificate
with_items: "{{ ssp_idp_hosts }}"
- when: secrets_file.stat.exists == False
-
-
+ when: not secrets_file.stat.exists
+ changed_when: false
- name: Fill in random genarated passwords & salts
- lineinfile:
+ ansible.builtin.lineinfile:
dest: "{{ path_of_secrets_generator_file }}/{{ secrets_generator_file }}"
regexp: "{{ item.regex }}"
line: "{{ item.replace_with }}"
state: present
no_log: true
loop:
- - { regex: '^ssp_secretsalt: CHANGEME', replace_with: "ssp_secretsalt: \"{{ lookup('password', '/dev/null length=33 chars=ascii_lowercase,digits') }}\"" }
- - { regex: '^ssp_adminpassword: CHANGEME', replace_with: "ssp_adminpassword: \"{{ lookup('password', '/dev/null length=15 chars=ascii_lowercase,digits') }}\"" }
- - { regex: '^ssp_adminpassword_salt: CHANGEME', replace_with: "ssp_adminpassword_salt: \"{{ lookup('password', '/dev/null length=15 chars=ascii_lowercase,digits') }}\"" }
- - { regex: '^ssp_mod_cron_secret: CHANGEME', replace_with: "ssp_mod_cron_secret: \"{{ lookup('password', '/dev/null length=33 chars=ascii_lowercase,digits') }}\"" }
- when: secrets_file.stat.exists == False
-
+ - regex: "^ssp_secretsalt: CHANGEME"
+ replace_with: 'ssp_secretsalt: "{{ lookup(''password'', ''/dev/null length=33 chars=ascii_lowercase,digits'') }}"'
+ - regex: "^ssp_adminpassword: CHANGEME"
+ replace_with: 'ssp_adminpassword: "{{ lookup(''password'', ''/dev/null length=15 chars=ascii_lowercase,digits'') }}"'
+ - regex: "^ssp_adminpassword_salt: CHANGEME"
+ replace_with: 'ssp_adminpassword_salt: "{{ lookup(''password'', ''/dev/null length=15 chars=ascii_lowercase,digits'') }}"'
+ - regex: "^ssp_mod_cron_secret: CHANGEME"
+ replace_with: 'ssp_mod_cron_secret: "{{ lookup(''password'', ''/dev/null length=33 chars=ascii_lowercase,digits'') }}"'
+ when: not secrets_file.stat.exists
- name: Fill in certificate cn
- replace:
+ ansible.builtin.replace:
path: "{{ path_of_secrets_generator_file }}/{{ secrets_generator_file }}"
regexp: "ssl_certificate_cn: CHANGEME"
replace: "ssl_certificate_cn: {{ rciam_hostname }}"
- when: secrets_file.stat.exists == False
-
+ when: not secrets_file.stat.exists
- name: Fill in SP self-signed certificates
- lineinfile:
+ ansible.builtin.lineinfile:
dest: "{{ path_of_secrets_generator_file }}/{{ secrets_generator_file }}"
regexp: "{{ item.ssl_certificate }}"
line: " {{ lookup('file', 'config/PLACEHOLDER/sp-{{ item.name }}.crt') | indent(width=6) }}"
state: present
with_items: "{{ ssp_authsources_saml }}"
- when: secrets_file.stat.exists == False
+ when: not secrets_file.stat.exists
- name: Fill in IdP self-signed certificates
- lineinfile:
+ ansible.builtin.lineinfile:
dest: "{{ path_of_secrets_generator_file }}/{{ secrets_generator_file }}"
regexp: "{{ item.ssl_certificate }}"
line: " {{ lookup('file', 'config/PLACEHOLDER/idp-{{ item.entity_id }}.crt') | indent(width=6) }}"
state: present
with_items: "{{ ssp_idp_hosts }}"
- when: secrets_file.stat.exists == False
-
+ when: not secrets_file.stat.exists
- name: Fill in SP self-signed certificate keys
- lineinfile:
+ ansible.builtin.lineinfile:
dest: "{{ path_of_secrets_generator_file }}/{{ secrets_generator_file }}"
regexp: "{{ item.ssl_certificate_key }}"
line: " {{ lookup('file', 'config/PLACEHOLDER/sp-{{ item.name }}.key') | indent(width=6) }}"
state: present
no_log: true
with_items: "{{ vault_ssp_authsources_saml }}"
- when: secrets_file.stat.exists == False
+ when: not secrets_file.stat.exists
- name: Fill in IdP self-signed certificate keys
- lineinfile:
+ ansible.builtin.lineinfile:
dest: "{{ path_of_secrets_generator_file }}/{{ secrets_generator_file }}"
regexp: "{{ item.ssl_certificate_key }}"
line: " {{ lookup('file', 'config/PLACEHOLDER/idp-{{ item.entity_id }}.key') | indent(width=6) }}"
state: present
no_log: true
with_items: "{{ vault_ssp_idp_hosts }}"
- when: secrets_file.stat.exists == False
-
+ when: not secrets_file.stat.exists
- name: Delete SP certificates
- file:
+ ansible.builtin.file:
path: "config/PLACEHOLDER/sp-{{ item.name }}.crt"
state: absent
with_items: "{{ ssp_authsources_saml }}"
- when: secrets_file.stat.exists == False
+ when: not secrets_file.stat.exists
- name: Delete SP certificate keys
- file:
+ ansible.builtin.file:
path: "config/PLACEHOLDER/sp-{{ item.name }}.key"
state: absent
with_items: "{{ ssp_authsources_saml }}"
- when: secrets_file.stat.exists == False
+ when: not secrets_file.stat.exists
- name: Delete IdP certificates
- file:
+ ansible.builtin.file:
path: "config/PLACEHOLDER/idp-{{ item.entity_id }}.crt"
state: absent
with_items: "{{ ssp_idp_hosts }}"
- when: secrets_file.stat.exists == False
+ when: not secrets_file.stat.exists
- name: Delete IdP certificate keys
- file:
+ ansible.builtin.file:
path: "config/PLACEHOLDER/idp-{{ item.entity_id }}.key"
state: absent
with_items: "{{ ssp_idp_hosts }}"
- when: secrets_file.stat.exists == False
-
+ when: not secrets_file.stat.exists
diff --git a/site.yml b/site.yml
index a4df2eee..79b78fa9 100644
--- a/site.yml
+++ b/site.yml
@@ -1,7 +1,9 @@
---
+- name: Deploy Cache Servers
+ ansible.builtin.import_playbook: cacheservers.yml
-- import_playbook: cacheservers.yml
+- name: Deploy Auth Servers
+ ansible.builtin.import_playbook: authservers.yml
-- import_playbook: authservers.yml
-
-- import_playbook: webproxyservers.yml
+- name: Deploy Web Proxy servers
+ ansible.builtin.import_playbook: webproxyservers.yml
diff --git a/sspservers.yml b/sspservers.yml
index 1f7d67e0..03634ac8 100644
--- a/sspservers.yml
+++ b/sspservers.yml
@@ -2,7 +2,8 @@
#
---
-- hosts: ssp
+- name: Deploy SSP
+ hosts: ssp
roles:
- { role: apache, tags: apache }
- { role: php, tags: php }
diff --git a/templates/rciam-sync-client-names/config.py.j2 b/templates/rciam-sync-client-names/config.py.j2
index 6d325ee7..e336d3fc 100644
--- a/templates/rciam-sync-client-names/config.py.j2
+++ b/templates/rciam-sync-client-names/config.py.j2
@@ -1,13 +1,13 @@
# {{ ansible_managed }}
-mitreid_config = {
+mitreid_config = {
"dbname": "{{ rciam_dbs.oidc.name }}",
"user": "{{ rciam_dbs.oidc.owner_username }}",
"host": "{{ lookup('dig', groups['dbmaster'][0]) }}",
"password": "{{ rciam_dbs.oidc.owner_password }}"
}
-proxystats_config = {
+proxystats_config = {
"dbname": "{{ rciam_dbs.proxy.name }}",
"user": "{{ rciam_dbs.proxy.owner_username }}",
"host": "{{ rciam_dbs.proxy.host | default(lookup('dig', groups['dbmaster'][0])) }}",
diff --git a/utilservers.yml b/utilservers.yml
index 3655b626..a7ab64ec 100644
--- a/utilservers.yml
+++ b/utilservers.yml
@@ -2,6 +2,7 @@
#
---
-- hosts: util
+- name: Configure Util machines
+ hosts: util
roles:
- { role: rciam-utils }
diff --git a/webproxyservers.yml b/webproxyservers.yml
index 7bfa1786..784c66cb 100644
--- a/webproxyservers.yml
+++ b/webproxyservers.yml
@@ -2,42 +2,43 @@
#
---
-- hosts: webproxy
+- name: Deploy Web Proxy
+ hosts: webproxy
roles:
- { role: rsyslog-pgsql, tags: [rsyslog-pgsql, nginx] }
- { role: nginx, tags: nginx }
tasks:
- name: Set Maintenance Locations
- set_fact:
+ ansible.builtin.set_fact:
maintenance_locations: "['roles','registry','oidc','proxy']"
tags:
- nginx:maintenance_on
- nginx:maintenance_off
- never
- name: Enter Maintenance Mode
- copy:
+ ansible.builtin.copy:
content: ""
dest: "/var/www/html/{{ item }}.maintenance.enable"
- force: no
+ force: false
owner: root
- mode: 0644
+ mode: "0644"
loop: "{{ maintenance | default(maintenance_locations) | default([]) }}"
loop_control:
label: "Add control file for Maintenance Mode {{ item }}"
- become: yes
- ignore_errors: yes
+ become: true
+ ignore_errors: true # noqa ignore-errors
tags:
- nginx:maintenance_on
- never
- name: Exit Maintenance Mode
- file:
+ ansible.builtin.file:
path: "/var/www/html/{{ item }}.maintenance.enable"
state: absent
loop: "{{ maintenance_locations | default([]) }}"
loop_control:
label: "Removing control file for Maintenance Mode {{ item }}"
- become: yes
- ignore_errors: yes
+ become: true
+ ignore_errors: true # noqa ignore-errors
tags:
- nginx:maintenance_off
- - never
\ No newline at end of file
+ - never
diff --git a/webservers.yml b/webservers.yml
index 710ab479..c3936773 100644
--- a/webservers.yml
+++ b/webservers.yml
@@ -2,21 +2,22 @@
#
---
-- hosts: web
+- name: Deploy Web Servers
+ hosts: web
roles:
- { role: apache, tags: apache }
- { role: php, tags: php }
tasks:
- name: Ensure static files for each Virtual Host are copied
- copy:
+ ansible.builtin.copy:
src: "{{ inventory_dir }}/files/web/vhosts/{{ item.servername | urlsplit('hostname') }}/"
dest: "{{ item.documentroot }}/"
owner: root
group: root
- mode: 0644
+ mode: "0644"
loop: "{{ apache_vhosts | default([]) }}"
loop_control:
label: "Copying static files for Virtual Host {{ item.servername | urlsplit('hostname') }}"
- ignore_errors: yes
- become: yes
+ ignore_errors: true # noqa ignore-errors
+ become: true
tags: web:static