diff --git a/.ansible-lint b/.ansible-lint
new file mode 100644
index 00000000..d7b2f251
--- /dev/null
+++ b/.ansible-lint
@@ -0,0 +1,9 @@
+exclude_paths:
+ - .pre-commit-config.yaml
+ - icingaagents.yml
+ - roles/common/handlers/main.yml
+ - authzkeys.yml
+ - inventories
+offline: false
+skip_list:
+ - role-name
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
new file mode 100644
index 00000000..0d53aefa
--- /dev/null
+++ b/.github/workflows/lint.yml
@@ -0,0 +1,13 @@
+# .github/workflows/ansible-lint.yml
+name: ansible-lint
+on:
+ pull_request:
+ branches: ["main"]
+jobs:
+ build:
+ name: Ansible Lint
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - name: Run ansible-lint
+ uses: ansible/ansible-lint@v6.22.2
diff --git a/.gitignore b/.gitignore
index c3cb7c0b..d72fc806 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,7 +5,8 @@ .LSOverride # Icon must end with two \r -Icon +Icon + # Thumbnails ._*
@@ -25,3 +26,6 @@ Network Trash Folder
 Temporary Items
 .apdisk
 # END OSX.gitignore
+
+# ignore editor cruft
+.vscode
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 00000000..6bd8c584
--- /dev/null
+++ b/.pre-commit-config.yaml
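Review bot: `exclude_paths` here duplicates the `--exclude` arguments given to the ansible-lint hook in `.pre-commit-config.yaml`, and the two lists already disagree: this file excludes `inventories` and silences `role-name` via `skip_list`, while the hook excludes `roles/ssp-modules` instead, so the pre-commit run and the CI run lint different files under different rules. Keep the single list in `.ansible-lint` and drop the `--exclude` arguments from the hook so both runners read the same configuration. `offline: false` also allows the linter to install missing collections on every run; if CI is not meant to reach the network, set `offline: true` and declare the collections in a requirements file.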
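Review bot: The workflow in `.github/workflows/lint.yml` inherits the repository's default token permissions although it only needs to read the checkout; add a top-level `permissions:` block with `contents: read` so a compromised step cannot write to the repository. `uses: ansible/ansible-lint@v6.22.2` is pinned to a mutable tag rather than a commit SHA, and it is a different major version from the `v24.2.1` hook in `.pre-commit-config.yaml`, so CI and pre-commit will apply different rule sets; align the versions and pin the action by SHA. The header comment `# .github/workflows/ansible-lint.yml` also names a file that does not match this one, `lint.yml`.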
@@ -0,0 +1,44 @@
+# See https://pre-commit.com for more information
+# See https://pre-commit.com/hooks.html for more hooks
+repos:
+- repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v4.5.0
+ hooks:
+ - id: trailing-whitespace
+ - id: end-of-file-fixer
+ - id: check-yaml
+ - id: check-added-large-files
+ - id: requirements-txt-fixer
+
+- repo: https://github.com/Yelp/detect-secrets
+ rev: v1.4.0
+ hooks:
+ - id: detect-secrets
+ args:
+ - --baseline
+ - .secrets.baseline
+
+- repo: https://github.com/ansible-community/ansible-lint
+ rev: v24.2.1
+ hooks:
+ - id: ansible-lint
+ always_run: false
+ files: ^.*.yml
+ exclude: .github
+ additional_dependencies:
+ - ansible-core>=2.16.0
+ args:
+ - --exclude
+ - .pre-commit-config.yaml
+ - icingaagents.yml
+ # For some reason noqa is not being picked up on these files
+ - roles/common/handlers/main.yml
+ - authzkeys.yml
+ # ssp-modules is a bad name for a role
+ - roles/ssp-modules
+
+- repo: https://github.com/python-jsonschema/check-jsonschema
+ rev: 0.28.0
+ hooks:
+ - id: check-github-workflows
+ - id: check-dependabot
diff --git a/.secrets.baseline b/.secrets.baseline
new file mode 100644
index 00000000..9e4ba683
--- /dev/null
+++ b/.secrets.baseline
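Review bot: `files: ^.*.yml` on the ansible-lint hook has an unescaped dot and no end anchor, so it matches any path in which some character is followed by `yml` and never selects `.yaml` files; `files: \.ya?ml$` expresses the intent. The hook's `--exclude` list repeats `.ansible-lint`'s `exclude_paths` but diverges from it (it adds `roles/ssp-modules`, which `.ansible-lint` instead covers with `skip_list: role-name`, and omits `inventories`), so pre-commit and CI lint different sets of files; keep the list in `.ansible-lint` only. `additional_dependencies: ansible-core>=2.16.0` is an open floor that will drift from whatever the CI action installs; pin it to the version the playbooks are tested against.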
@@ -0,0 +1,479 @@
+{
+ "version": "1.4.0",
+ "plugins_used": [
+ {
+ "name": "ArtifactoryDetector"
+ },
+ {
+ "name": "AWSKeyDetector"
+ },
+ {
+ "name": "AzureStorageKeyDetector"
+ },
+ {
+ "name": "Base64HighEntropyString",
+ "limit": 4.5
+ },
+ {
+ "name": "BasicAuthDetector"
+ },
+ {
+ "name": "CloudantDetector"
+ },
+ {
+ "name": "DiscordBotTokenDetector"
+ },
+ {
+ "name": "GitHubTokenDetector"
+ },
+ {
+ "name": "HexHighEntropyString",
+ "limit": 3.0
+ },
+ {
+ "name": "IbmCloudIamDetector"
+ },
+ {
+ "name": "IbmCosHmacDetector"
+ },
+ {
+ "name": "JwtTokenDetector"
+ },
+ {
+ "name": "KeywordDetector",
+ "keyword_exclude": ""
+ },
+ {
+ "name": "MailchimpDetector"
+ },
+ {
+ "name": "NpmDetector"
+ },
+ {
+ "name": "PrivateKeyDetector"
+ },
+ {
+ "name": "SendGridDetector"
+ },
+ {
+ "name": "SlackDetector"
+ },
+ {
+ "name": "SoftlayerDetector"
+ },
+ {
+ "name": "SquareOAuthDetector"
+ },
+ {
+ "name": "StripeDetector"
+ },
+ {
+ "name": "TwilioKeyDetector"
+ }
+ ],
+ "filters_used": [
+ {
+ "path": "detect_secrets.filters.allowlist.is_line_allowlisted"
+ },
+ {
+ "path": "detect_secrets.filters.common.is_baseline_file",
+ "filename": ".secrets.baseline"
+ },
+ {
+ "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
+ "min_level": 2
+ },
+ {
+ "path": "detect_secrets.filters.heuristic.is_indirect_reference"
+ },
+ {
+ "path": "detect_secrets.filters.heuristic.is_likely_id_string"
+ },
+ {
+ "path": "detect_secrets.filters.heuristic.is_lock_file"
+ },
+ {
+ "path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string"
+ },
+ {
+ "path": "detect_secrets.filters.heuristic.is_potential_uuid"
+ },
+ {
+ "path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign"
+ },
+ {
+ "path": "detect_secrets.filters.heuristic.is_sequential_string"
+ },
+ {
+ "path": "detect_secrets.filters.heuristic.is_swagger_file"
+ },
+ {
+ "path": "detect_secrets.filters.heuristic.is_templated_secret"
+ }
+ ],
+ "results": {
+ "roles/apache/defaults/main.yml": [
+ {
+ "type": "Secret Keyword",
+ "filename": "roles/apache/defaults/main.yml",
+ "hashed_secret": "de8aa86286dbb8eb74d2748c7b6d4486d0458203",
+ "is_verified": false,
+ "line_number": 19,
+ "is_secret": false
+ }
+ ],
+ "roles/comanage-registry/defaults/main.yml": [
+ {
+ "type": "Secret Keyword",
+ "filename": "roles/comanage-registry/defaults/main.yml",
+ "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
+ "is_verified": false,
+ "line_number": 45,
+ "is_secret": true
+ },
+ {
+ "type": "Secret Keyword",
+ "filename": "roles/comanage-registry/defaults/main.yml",
+ "hashed_secret": "e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4",
+ "is_verified": false,
+ "line_number": 75,
+ "is_secret": true
+ }
+ ],
+ "roles/comanage-registry/templates/core.php.j2": [
+ {
+ "type": "Secret Keyword",
+ "filename": "roles/comanage-registry/templates/core.php.j2",
+ "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
+ "is_verified": false,
+ "line_number": 322,
+ "is_secret": true
+ }
+ ],
+ "roles/federation-registry/defaults/main.yml": [
+ {
+ "type": "Secret Keyword",
+ "filename": "roles/federation-registry/defaults/main.yml",
+ "hashed_secret": "011228a1c7888a9c99379c1e6bce9328ca6153ea",
+ "is_verified": false,
+ "line_number": 14,
+ "is_secret": true
+ },
+ {
+ "type": "Secret Keyword",
+ "filename": "roles/federation-registry/defaults/main.yml",
+ "hashed_secret": "fc4ba7249ac2f9430f9f2de2f8bf2c37c5345fa4",
+ "is_verified": false,
+ "line_number": 16,
+ "is_secret": true
+ },
+ {
+ "type": "Secret Keyword",
+ "filename": "roles/federation-registry/defaults/main.yml",
+ "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
+ "is_verified": false,
+ "line_number": 46,
+ "is_secret": false
+ }
+ ],
+ "roles/keycloak/templates/13.0.0/standalone-ha.xml.j2": [
+ {
+ "type": "Secret Keyword",
+ "filename": "roles/keycloak/templates/13.0.0/standalone-ha.xml.j2",
+ "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
+ "is_verified": false,
+ "line_number": 47,
+ "is_secret": true
+ }
+ ],
+ "roles/keycloak/templates/14.0.0/standalone-ha.xml.j2": [
+ {
+ "type": "Secret Keyword",
+ "filename": "roles/keycloak/templates/14.0.0/standalone-ha.xml.j2",
+ "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
+ "is_verified": false,
+ "line_number": 47,
+ "is_secret": true
+ }
+ ],
+ "roles/keycloak/templates/15.0.2/standalone-ha.xml.j2": [
+ {
+ "type": "Secret Keyword",
+ "filename": "roles/keycloak/templates/15.0.2/standalone-ha.xml.j2",
+ "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
+ "is_verified": false,
+ "line_number": 47,
+ "is_secret": true
+ }
+ ],
+ "roles/openldap/defaults/main.yml": [
+ {
+ "type": "Secret Keyword",
+ "filename": "roles/openldap/defaults/main.yml",
+ "hashed_secret": "e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4",
+ "is_verified": false,
+ "line_number": 28,
+ "is_secret": true
+ }
+ ],
+ "roles/rciam-metrics/defaults/main.yml": [
+ {
+ "type": "Secret Keyword",
+ "filename": "roles/rciam-metrics/defaults/main.yml",
+ "hashed_secret": "e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4",
+ "is_verified": false,
+ "line_number": 84,
+ "is_secret": true
+ },
+ {
+ "type": "Secret Keyword",
+ "filename": "roles/rciam-metrics/defaults/main.yml",
+ "hashed_secret": "a0281cd072cea8e80e7866b05dc124815760b6c9",
+ "is_verified": false,
+ "line_number": 87,
+ "is_secret": true
+ }
+ ],
+ "roles/rciam-oidc-client/defaults/main.yml": [
+ {
+ "type": "Secret Keyword",
+ "filename": "roles/rciam-oidc-client/defaults/main.yml",
+ "hashed_secret": "ea06090a0b9590add823ade2334090fa216acb2b",
+ "is_verified": false,
+ "line_number": 21,
+ "is_secret": true
+ },
+ {
+ "type": "Secret Keyword",
+ "filename": "roles/rciam-oidc-client/defaults/main.yml",
+ "hashed_secret": "4843cf9994fed3db0cf15d935bbc743937c1e692",
+ "is_verified": false,
+ "line_number": 32,
+ "is_secret": false
+ },
+ {
+ "type": "Secret Keyword",
+ "filename": "roles/rciam-oidc-client/defaults/main.yml",
+ "hashed_secret": "a09c557bb9fb354eabbac43eb4053d31e10412b2",
+ "is_verified": false,
+ "line_number": 33,
+ "is_secret": false
+ },
+ {
+ "type": "Secret Keyword",
+ "filename": "roles/rciam-oidc-client/defaults/main.yml",
+ "hashed_secret": "eca7926596fd7cefdcd6912449bd7e63172fb87e",
+ "is_verified": false,
+ "line_number": 34,
+ "is_secret": false
+ },
+ {
+ "type": "Secret Keyword",
+ "filename": "roles/rciam-oidc-client/defaults/main.yml",
+ "hashed_secret": "97cdbdc7feff827efb082a6b6dd2727237cd49fd",
+ "is_verified": false,
+ "line_number": 41,
+ "is_secret": true
+ }
+ ],
+ "roles/ssp-module-proxystatistics/defaults/main.yml": [
+ {
+ "type": "Secret Keyword",
+ "filename": "roles/ssp-module-proxystatistics/defaults/main.yml",
+ "hashed_secret": "e350d5ce0153f3e22d5db21cf2a4eff00f3ee877",
+ "is_verified": false,
+ "line_number": 29,
+ "is_secret": true
+ }
+ ],
+ "roles/ssp-modules/defaults/main.yml": [
+ {
+ "type": "Secret Keyword",
+ "filename": "roles/ssp-modules/defaults/main.yml",
+ "hashed_secret": "0936a636d6995e987e4c3fe4afe7af211ff08a70",
+ "is_verified": false,
+ "line_number": 59,
+ "is_secret": true
+ },
+ {
+ "type": "Secret Keyword",
+ "filename": "roles/ssp-modules/defaults/main.yml",
+ "hashed_secret": "0b874f84abac95c4ee5127ce67333745c6c77098",
+ "is_verified": false,
+ "line_number": 71,
+ "is_secret": true
+ },
+ {
+ "type": "Secret Keyword",
+ "filename": "roles/ssp-modules/defaults/main.yml",
+ "hashed_secret": "e350d5ce0153f3e22d5db21cf2a4eff00f3ee877",
+ "is_verified": false,
+ "line_number": 136,
+ "is_secret": true
+ }
+ ],
+ "roles/ssp/defaults/main.yml": [
+ {
+ "type": "Secret Keyword",
+ "filename": "roles/ssp/defaults/main.yml",
+ "hashed_secret": "35552f5865f33c688eff5f7e958b7074a3ddf3dc",
+ "is_verified": false,
+ "line_number": 79,
+ "is_secret": true
+ },
+ {
+ "type": "Secret Keyword",
+ "filename": "roles/ssp/defaults/main.yml",
+ "hashed_secret": "e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4",
+ "is_verified": false,
+ "line_number": 116,
+ "is_secret": true
+ }
+ ],
+ "roles/ssp/templates/config/authsources-1.14.php.j2": [
+ {
+ "type": "Secret Keyword",
+ "filename": "roles/ssp/templates/config/authsources-1.14.php.j2",
+ "hashed_secret": "6a15c37a5492ec167761a981dc1e4f1fa140747b",
+ "is_verified": false,
+ "line_number": 45,
+ "is_secret": true
+ }
+ ],
+ "roles/ssp/templates/config/authsources-1.17.php.j2": [
+ {
+ "type": "Secret Keyword",
+ "filename": "roles/ssp/templates/config/authsources-1.17.php.j2",
+ "hashed_secret": "6a15c37a5492ec167761a981dc1e4f1fa140747b",
+ "is_verified": false,
+ "line_number": 45,
+ "is_secret": false
+ }
+ ],
+ "roles/ssp/templates/config/authsources-1.18.php.j2": [
+ {
+ "type": "Secret Keyword",
+ "filename": "roles/ssp/templates/config/authsources-1.18.php.j2",
+ "hashed_secret": "6a15c37a5492ec167761a981dc1e4f1fa140747b",
+ "is_verified": false,
+ "line_number": 45,
+ "is_secret": false
+ }
+ ],
+ "roles/ssp/templates/config/authsources-2.php.j2": [
+ {
+ "type": "Secret Keyword",
+ "filename": "roles/ssp/templates/config/authsources-2.php.j2",
+ "hashed_secret": "6a15c37a5492ec167761a981dc1e4f1fa140747b",
+ "is_verified": false,
+ "line_number": 45,
+ "is_secret": false
+ }
+ ],
+ "roles/ssp/templates/config/config-2.php.j2": [
+ {
+ "type": "Secret Keyword",
+ "filename": "roles/ssp/templates/config/config-2.php.j2",
+ "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
+ "is_verified": false,
+ "line_number": 148,
+ "is_secret": true
+ }
+ ],
+ "roles/ssp/templates/metadata/saml20-idp-hosted-1.14.php.j2": [
+ {
+ "type": "Secret Keyword",
+ "filename": "roles/ssp/templates/metadata/saml20-idp-hosted-1.14.php.j2",
+ "hashed_secret": "8b12b590286f9def22f853dd5940480bfd3e619f",
+ "is_verified": false,
+ "line_number": 19,
+ "is_secret": false
+ }
+ ],
+ "roles/ssp/templates/metadata/saml20-idp-hosted-1.17.php.j2": [
+ {
+ "type": "Secret Keyword",
+ "filename": "roles/ssp/templates/metadata/saml20-idp-hosted-1.17.php.j2",
+ "hashed_secret": "8b12b590286f9def22f853dd5940480bfd3e619f",
+ "is_verified": false,
+ "line_number": 20,
+ "is_secret": false
+ }
+ ],
+ "roles/ssp/templates/metadata/saml20-idp-hosted-1.18.php.j2": [
+ {
+ "type": "Secret Keyword",
+ "filename": "roles/ssp/templates/metadata/saml20-idp-hosted-1.18.php.j2",
+ "hashed_secret": "8b12b590286f9def22f853dd5940480bfd3e619f",
+ "is_verified": false,
+ "line_number": 21,
+ "is_secret": false
+ }
+ ],
+ "roles/ssp/templates/metadata/shib13-idp-hosted-1.14.php.j2": [
+ {
+ "type": "Secret Keyword",
+ "filename": "roles/ssp/templates/metadata/shib13-idp-hosted-1.14.php.j2",
+ "hashed_secret": "8b12b590286f9def22f853dd5940480bfd3e619f",
+ "is_verified": false,
+ "line_number": 19,
+ "is_secret": false
+ }
+ ],
+ "roles/ssp/templates/metadata/shib13-idp-hosted-1.17.php.j2": [
+ {
+ "type": "Secret Keyword",
+ "filename": "roles/ssp/templates/metadata/shib13-idp-hosted-1.17.php.j2",
+ "hashed_secret": "8b12b590286f9def22f853dd5940480bfd3e619f",
+ "is_verified": false,
+ "line_number": 20,
+ "is_secret": false
+ }
+ ],
+ "roles/ssp/vars/main.yml": [
+ {
+ "type": "Secret Keyword",
+ "filename": "roles/ssp/vars/main.yml",
+ "hashed_secret": "8c07302345e837d007eecc23871809d291b9bac1",
+ "is_verified": false,
+ "line_number": 3,
+ "is_secret": true
+ },
+ {
+ "type": "Secret Keyword",
+ "filename": "roles/ssp/vars/main.yml",
+ "hashed_secret": "8152bc582f58c854f580cb101d3182813dec4afe",
+ "is_verified": false,
+ "line_number": 4,
+ "is_secret": true
+ }
+ ],
+ "secrets.yml": [
+ {
+ "type": "Secret Keyword",
+ "filename": "secrets.yml",
+ "hashed_secret": "8b16dae36b11d73264c343f2a5d84c8b6d87c99b",
+ "is_verified": false,
+ "line_number": 7,
+ "is_secret": false
+ },
+ {
+ "type": "Secret Keyword",
+ "filename": "secrets.yml",
+ "hashed_secret": "99689e42a4cfd02871e085b5af75fdfe3ac04ccf",
+ "is_verified": false,
+ "line_number": 8,
+ "is_secret": false
+ },
+ {
+ "type": "Secret Keyword",
+ "filename": "secrets.yml",
+ "hashed_secret": "54053db99b49b4cc046f7b4854a80de3d6dfae71",
+ "is_verified": false,
+ "line_number": 78,
+ "is_secret": true
+ }
+ ]
+ },
+ "generated_at": "2024-03-28T14:50:35Z"
+}
diff --git a/ansible.cfg b/ansible.cfg
index 4cc0e3e5..42943103 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -6,7 +6,7 @@ remote_user = root # Alternatively, connect as user with sudo privileges #remote_user = bob #[privilege_escalation] -#become_ask_pass = True +#become_ask_pass = True # The comment inserted into files written by Ansible’s config templating system #ansible_managed = Ansible managed: Modified on %Y-%m-%d %H:%M:%S by {uid} on {host}
@@ -16,13 +16,13 @@ stdout_callback = yaml [ssh_connection] # Reduce the number of SSH operations required to execute a module on the remote -# server to improve performance. +# server to improve performance. # Note: When using “sudo:” operations you must first disable ‘requiretty’ in # /etc/sudoers on all managed hosts. # See also http://docs.ansible.com/ansible/intro_configuration.html#pipelining pipelining = True -# Increase the ControlPersist time to encourage performance. A value of 30 -# minutes should be appropriate. +# Increase the ControlPersist time to encourage performance. A value of 30 +# minutes should be appropriate. # See also http://docs.ansible.com/ansible/intro_configuration.html#ssh-args ssh_args = -o ControlMaster=auto -o ControlPersist=1800s
diff --git a/apiservers.yml b/apiservers.yml
index f90f145f..090374c9 100644
--- a/apiservers.yml
+++ b/apiservers.yml
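Review bot: Most entries under `results` carry `"is_secret": true`, which in a detect-secrets audit records that the hit was confirmed to be a real credential, yet committing them in the baseline means the pre-commit hook will never flag them again — e.g. `secrets.yml` line 78, `roles/ssp/vars/main.yml` lines 3 and 4, and the various `roles/*/defaults/main.yml` entries. If these values are placeholders the audit should mark them `"is_secret": false`; if any of them is a live credential it has to be rotated and removed from the repository history rather than baselined. The labelling is also inconsistent: the same `hashed_secret` `5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8` is `true` in `roles/comanage-registry/defaults/main.yml` line 45 but `false` in `roles/federation-registry/defaults/main.yml` line 46, and `6a15c37a5492ec167761a981dc1e4f1fa140747b` is `true` in `authsources-1.14.php.j2` but `false` in the 1.17, 1.18 and 2 templates, which suggests the audit answers were not reviewed together. Every entry is also `"is_verified": false`, so none of the decisions has been checked against the actual file contents.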
@@ -1,13 +1,13 @@ # file: apiservers.yml # --- - -- hosts: api +- name: Deploy API servers + hosts: api roles: - # ansible-galaxy install geerlingguy.nodejs - - { role: geerlingguy.nodejs, become: yes } - # ansible-galaxy install Oefenweb.yarn - - { role: Oefenweb.yarn, become: yes } + - role: geerlingguy.nodejs + become: true + - role: Oefenweb.yarn + become: true vars: nodejs_version: "10.x" nodejs_npm_global_packages: 
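Review bot: The rewrite of the `roles:` list drops the `# ansible-galaxy install geerlingguy.nodejs` and `# ansible-galaxy install Oefenweb.yarn` comments, which were the only record of where these external roles come from. Either keep those comments on the new `- role:` entries or add both roles to a `requirements.yml` so `ansible-galaxy install -r` reproduces the dependency set on a fresh checkout. The play's `vars` block continues past the end of the hunk.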
@@ -25,51 +25,54 @@ gecos: "RCIAM COmanage Registry API Server,,," shell: /bin/bash home: /srv/comanage-registry-simple-membership-api - + tasks: - name: Ensure RCIAM API dependencies are installed - apt: - name: - - git + become: true + ansible.builtin.apt: + name: git state: present - install_recommends: no - update_cache: yes + install_recommends: false + update_cache: true cache_valid_time: 86400 - become: yes + - name: Ensure RCIAM COmanage Registry API group exists - group: + become: true + ansible.builtin.group: name: "{{ rciam_api.user.group }}" - system: yes - become: yes + system: true - name: Ensure RCIAM COmanage Registry API user exists - user: + become: true + ansible.builtin.user: name: "{{ rciam_api.user.name }}" groups: "{{ rciam_api.user.group }}" - comment: "{{ rciam_api.user.gecos }}" + comment: "{{ rciam_api.user.gecos }}" shell: "{{ rciam_api.user.shell }}" home: "{{ rciam_api.user.home }}" - system: yes - create_home: yes + system: true + create_home: true skeleton: "/empty" - become: yes + - name: Ensure RCIAM COmanage Registry API code checkout directory exists - file: + become: true + ansible.builtin.file: path: "{{ rciam_api.path }}" owner: "{{ rciam_api.user.name }}" group: "{{ rciam_api.user.group }}" state: directory - become: yes + mode: "0775" + - name: Ensure RCIAM COmanage Registry API code checkout is up-to-date - git: + become: true + become_user: "{{ rciam_api.user.name }}" + ansible.builtin.git: repo: "{{ rciam_api.repo_url }}" dest: "{{ rciam_api.path }}" version: "{{ rciam_api.repo_version }}" - become: yes - become_user: "{{ rciam_api.user.name }}" notify: Restart RCIAM COmanage Registry API processes # TODO- name: Ensure RCIAM COmanage Registry API current symlink to code checkout directory exists 
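Review bot: The new `mode: "0775"` on the code checkout directory makes it group-writable for `rciam_api.user.group`, so any member of that group can alter the code that the git task checks out and that pm2 later runs; unless group write is actually needed, use `mode: "0755"` (the settings template further down already uses the tighter `"0400"`). The git task now runs as `become_user: "{{ rciam_api.user.name }}"` instead of root, which is the right direction, but it can only write into `rciam_api.path` if the directory task above created it with matching ownership — that is the case here, so the order of the two tasks must be kept.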
@@ -82,52 +85,55 @@ # become: yes - name: Ensure RCIAM COmanage Registry API is configured - template: + become: true + ansible.builtin.template: src: "{{ playbook_dir }}/templates/comanage-registry-simple-membership-api/settings.js.j2" dest: "{{ rciam_api.path }}/settings.js" owner: "{{ rciam_api.user.name }}" group: "{{ rciam_api.user.group }}" - mode: 0400 - backup: yes - become: yes + mode: "0400" + backup: true notify: Restart RCIAM COmanage Registry API processes - name: Ensure RCIAM COmanage Registry API packages are installed - yarn: - path: "{{ rciam_api.path }}" - production: yes - become: yes + become: true become_user: "{{ rciam_api.user.name }}" + community.general.yarn: + path: "{{ rciam_api.path }}" + production: true handlers: - - name: Delete existing RCIAM COmanage Registry API pm2 processes if running - command: + become: true + become_user: "{{ rciam_api.user.name }}" + ansible.builtin.command: # noqa: no-changed-when cmd: "/usr/local/lib/npm/bin/pm2 delete {{ rciam_api.name }}" chdir: "{{ rciam_api.path }}" - ignore_errors: yes - become: yes - become_user: "{{ rciam_api.user.name }}" + ignore_errors: true # noqa: ignore-errors + # failed_when: # Add acceptable failure conditions listen: Restart RCIAM COmanage Registry API processes - name: Ensure RCIAM COmanage Registry API pm2 processes are running - command: + become: true + become_user: "{{ rciam_api.user.name }}" + ansible.builtin.command: # noqa: no-changed-when cmd: "/usr/local/lib/npm/bin/pm2 start server.js -i 2 --name {{ rciam_api.name }}" chdir: "{{ rciam_api.path }}" - become: yes - become_user: "{{ rciam_api.user.name }}" + # changed_when: # Add acceptable change conditions to ensure idempotency listen: Restart RCIAM COmanage Registry API processes - name: Ensure RCIAM COmanage Registry API init script exists - command: + become: true + ansible.builtin.command: # noqa: no-changed-when cmd: "/usr/local/lib/npm/lib/node_modules/pm2/bin/pm2 startup systemd -u {{ rciam_api.user.name }} 
--hp {{ rciam_api.user.home }}" - become: yes + # changed_when: # Add acceptable change conditions to ensure idempotency listen: Restart RCIAM COmanage Registry API processes - + - name: Ensure RCIAM COmanage Registry API process list is saved - command: + become: true + become_user: "{{ rciam_api.user.name }}" + ansible.builtin.command: # noqa: no-changed-when cmd: "/usr/local/lib/npm/lib/node_modules/pm2/bin/pm2 save" chdir: "{{ rciam_api.path }}" - become: yes - become_user: "{{ rciam_api.user.name }}" listen: Restart RCIAM COmanage Registry API processes + # changed_when: # Add acceptable change conditions to ensure idempotency diff --git a/attrauthservers.yml b/attrauthservers.yml index 3915054c..dee34936 100644 --- a/attrauthservers.yml +++ b/attrauthservers.yml @@ -1,9 +1,11 @@ +# filename: attrauthservers.yml +# Deploys attribute authority servers --- - -- hosts: attrauth +- name: Deploy Attribute Authority Servers + hosts: attrauth roles: - apache - php - shibboleth-sp - comanage-registry - #- cm-role-ui + # - cm-role-ui diff --git a/authservers.yml b/authservers.yml index fa83360a..343a2c1f 100644 --- a/authservers.yml +++ b/authservers.yml @@ -1,6 +1,8 @@ --- - -- hosts: authservers +# File: authservers.yml +# Deployes authentication servers +- name: Deploy authentication servers + hosts: authservers roles: - common - ssp diff --git a/authzkeys.yml b/authzkeys.yml index fd8f8916..68918514 100644 --- a/authzkeys.yml +++ b/authzkeys.yml @@ -1,7 +1,7 @@ # file: authzkeys.yml # # Playbook for managing SSH authorized keys in ~/.ssh/authorized_keys. -# +# # The `authz_keys_paths` variable needs to be defined to specify the paths # to files containing the public keys. You can include keys based on matching # files or specifying individual paths. 
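Review bot: The handlers silence the linter instead of addressing its findings: `ignore_errors: true # noqa: ignore-errors` on the pm2 delete step hides every failure, including a wrong `become_user` or a missing pm2 binary, and the `# noqa: no-changed-when` on the start, startup and save commands leaves them reporting changed on every run. Register the result of `pm2 delete` and add a `failed_when` that tolerates only the process-not-found case (match the exact text pm2 prints), and give the other commands a `changed_when` derived from their output, as the commented-out `# changed_when:` lines already suggest. The `settings.js` template now gets `mode: "0400"` and `backup: true`, which is the right tightening for a file that holds configuration.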
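Review bot: The new header comment in `authservers.yml` reads `# Deployes authentication servers`; it should be `# Deploys authentication servers`. The first header line also uses `# File:` while the other playbooks touched in this commit use `# file:` (`cert2samlservers.yml`, `firewallservers.yml`) or a bare filename (`cacheservers.yml`), so one form should be chosen for all of them.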
@@ -15,26 +15,27 @@ # authz_keys_paths: # - "{{ inventory_dir }}/files/authorized_keys/devs/alice.pub" # - "{{ inventory_dir }}/files/authorized_keys/ops/bob.pub" -# +# # N.B. The playbook will *remove* all other non-specified keys from the # authorized_keys file. Defining authz_keys_paths as an empty list # will result in an *empty* authorized_keys file # --- - -- hosts: all - +- name: Create authorized keys + hosts: all tasks: - - - set_fact: + - name: Set list fact + ansible.builtin.set_fact: authzkeys_list: "{{ lookup('file', item) }}" register: authzkeys with_fileglob: "{{ authz_keys_paths }}" - - set_fact: + - name: Set string fact + ansible.builtin.set_fact: authzkeys_string: "{{ authzkeys.results | map(attribute='ansible_facts.authzkeys_list') | join('\n') }}" - - ansible.posix.authorized_key: + - name: Create key + ansible.posix.authorized_key: # noqa syntax-check[unknown-module] user: "{{ ansible_user }}" key: "{{ authzkeys_string }}" exclusive: true diff --git a/cacheservers.yml b/cacheservers.yml index cfd9dcf5..5781edc2 100644 --- a/cacheservers.yml +++ b/cacheservers.yml @@ -1,5 +1,6 @@ --- - -- hosts: cache +# cacheservers.yml +- name: Provision Cache Servers + hosts: cache roles: - memcached diff --git a/cert2samlservers.yml b/cert2samlservers.yml index 35d12838..6e9b22e5 100644 --- a/cert2samlservers.yml +++ b/cert2samlservers.yml @@ -1,8 +1,8 @@ # file: cert2samlservers.yml -# +# --- - -- hosts: cert2saml +- name: Deploy Certificate to SML servers + hosts: cert2saml roles: - { role: apache, tags: apache } - { role: php, tags: php } diff --git a/cmrolesuiservers.yml b/cmrolesuiservers.yml index 182cd548..4cbe790e 100644 --- a/cmrolesuiservers.yml +++ b/cmrolesuiservers.yml 
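Review bot: `# noqa syntax-check[unknown-module]` on `ansible.posix.authorized_key` covers up the actual gap, which is that the `ansible.posix` collection is not declared anywhere the linter or a fresh checkout can install it from; add it to a `requirements.yml` and drop the noqa. The suppression is moot in any case, because `authzkeys.yml` is excluded in both `.ansible-lint` and the pre-commit `--exclude` list, so this file is never linted by either runner. The `exclusive: true` behaviour that empties the file when `authz_keys_paths` is empty is documented in the header, which is good; it would be worth a `ansible.builtin.assert` that `authz_keys_paths is defined` before the first `set_fact`, since an undefined variable currently fails inside `with_fileglob` with a less obvious error.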
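Review bot: The new play name in `cert2samlservers.yml`, `Deploy Certificate to SML servers`, misspells SAML; `- name: Deploy Certificate to SAML servers`. The roles list below it keeps the flow `- { role: apache, tags: apache }` style that `apiservers.yml` and `federation-registry.yml` convert to block entries in this same commit, so it would be consistent to convert it too.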
@@ -1,11 +1,10 @@ # file: cmrolesuiservers.yml - --- - -- hosts: registry +- name: Deploy Comanage registry UI + hosts: registry roles: - { role: git, tags: git } - { role: apache, tags: apache } - { role: php, tags: php } - { role: shibboleth-sp, tags: shibboleth-sp } - - { role: cm-role-ui, tags: cm-role-ui } \ No newline at end of file + - { role: cm-role-ui, tags: cm-role-ui } diff --git a/config/PLACEHOLDER/secrets_env.yml.PLACEHOLDER b/config/PLACEHOLDER/secrets_env.yml.PLACEHOLDER index d17addec..d83c816b 100644 --- a/config/PLACEHOLDER/secrets_env.yml.PLACEHOLDER +++ b/config/PLACEHOLDER/secrets_env.yml.PLACEHOLDER @@ -43,7 +43,7 @@ ssp_authsources_saml: ssp_idp_hosts: # The entity ID should be a URI. It can also be specified as `__DYNAMIC:1__`, - # `__DYNAMIC:2__`, ... in which case, the entity ID will be generated + # `__DYNAMIC:2__`, ... in which case, the entity ID will be generated # automatically. - entity_id: "__DYNAMIC:1__" # The hostname for this IdP. One of the IdPs can also have its `host` set @@ -92,5 +92,3 @@ vault_ssp_idp_hosts: - entity_id: "__DYNAMIC:2__" ssl_certificate_key: | idp_key_CHANGEME - - diff --git a/d4science2samlservers.yml b/d4science2samlservers.yml index a28206cd..b567a63d 100644 --- a/d4science2samlservers.yml +++ b/d4science2samlservers.yml 
@@ -1,22 +1,28 @@ # file: d4science2samlservers.yml -# +# --- - -- hosts: d4science2saml +- name: Deploy D4Science servers + hosts: d4science2saml roles: # - { role: apache, tags: apache } # - { role: php, tags: php } - { role: ssp, tags: ssp } - { role: ssp-modules, tags: ssp-modules } tasks: - - name: Install Keycloak Provicer library v2.2.2 - shell: php composer.phar require stevenmaguire/oauth2-keycloak:v2.2.2 --ignore-platform-reqs --no-interaction --no-scripts --no-update + # Keycloak provider library version should be a variable. + - name: Install Keycloak Provider library v2.2.2 + ansible.builtin.shell: |- + php composer.phar require stevenmaguire/oauth2-keycloak:v2.2.2 \ + --ignore-platform-reqs \ + --no-interaction \ + --no-scripts \ + --no-update args: chdir: "{{ ssp_path }}/" executable: /bin/bash register: composer_results changed_when: composer_results is changed and "Nothing to install, update or remove" not in composer_results.stderr - when: ssp_mods_extra_enabled | selectattr('name','equalto','authoauth2') | list | count > 0 + when: ssp_mods_extra_enabled | selectattr('name', 'equalto', 'authoauth2') | list | count > 0 become: true tags: - install diff --git a/dbservers.yml b/dbservers.yml index f28fd914..5f8f1087 100644 --- a/dbservers.yml +++ b/dbservers.yml @@ -1,5 +1,6 @@ --- - -- hosts: db +# dbservers.yml +- name: Provision Database servers + hosts: db roles: - postgresql diff --git a/deep2samlservers.yml b/deep2samlservers.yml index f3df69b7..a4c5e657 100644 --- a/deep2samlservers.yml +++ b/deep2samlservers.yml @@ -1,8 +1,8 @@ # file: deep2samlservers.yml -# +# --- - -- hosts: deep2saml +- name: Provision Deep2saml servers + hosts: deep2saml roles: # - { role: apache, tags: apache } # - { role: php, tags: php } 
@@ -10,13 +10,19 @@ - { role: ssp-modules, tags: ssp-modules } tasks: - name: Install SSP mod authoauth2 v3.1.0 - shell: php composer.phar require cirrusidentity/simplesamlphp-module-authoauth2:v3.1.0 --ignore-platform-reqs --no-interaction --no-scripts + ansible.builtin.shell: > + set -o pipefail + php composer.phar \ + require cirrusidentity/simplesamlphp-module-authoauth2:v3.1.0 \ + --ignore-platform-reqs \ + --no-interaction \ + --no-scripts args: chdir: "{{ ssp_path }}/" executable: /bin/bash register: composer_results changed_when: composer_results is changed and "Nothing to install, update or remove" not in composer_results.stderr - when: ssp_mods_extra_enabled | selectattr('name','equalto','authoauth2') | list | count > 0 + when: ssp_mods_extra_enabled | selectattr('name', 'equalto', 'authoauth2') | list | count > 0 become: true tags: - install diff --git a/egi-igtf.yml b/egi-igtf.yml index 64f582ec..aeebaa33 100644 --- a/egi-igtf.yml +++ b/egi-igtf.yml @@ -1,5 +1,6 @@ --- - -- hosts: all +# egi-igtf.yml +- name: Provision EGI-IGTF certs + hosts: all roles: - - egi-igtf + - egi-igtf diff --git a/federation-registry.yml b/federation-registry.yml index 25166652..532d3889 100644 --- a/federation-registry.yml +++ b/federation-registry.yml @@ -1,8 +1,14 @@ --- -- hosts: federation-registry - become: yes +- name: Provision Federation Registry + hosts: federation-registry + become: true roles: - - {role: federation-registry, task: configure-environment} - - {role: federation-registry, task: postgres,tags: ['never','postgres']} - - {role: federation-registry, task: configure-ams} - - {role: federation-registry, task: deploy} + - role: federation-registry + task: configure-environment + - role: federation-registry + task: postgres + tags: ['never', 'postgres'] + - role: federation-registry + task: configure-ams + - role: federation-registry + task: deploy diff --git a/fedregagents.yml b/fedregagents.yml index 49bdf97f..f588d9dd 100644 --- a/fedregagents.yml 
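Review bot: The `ansible.builtin.shell: >` folded scalar joins its lines with single spaces, so unless the continuation lines are indented deeper than `set -o pipefail` (indentation is not visible in this view) bash receives the single line `set -o pipefail php composer.phar \ require ... --no-scripts`: `set -o pipefail` takes the rest as positional parameters, composer is never executed, the task still exits 0 and the `changed_when` expression then reports a change. A literal block scalar with the continuation backslashes, as `d4science2samlservers.yml` uses in this same commit, avoids the ambiguity; `set -o pipefail` is not needed here because nothing is piped. The rest of the task (`args`, `register`, `changed_when`, `when`, `become`, `tags`) is unchanged.
```yaml
      ansible.builtin.shell: |-
        php composer.phar \
          require cirrusidentity/simplesamlphp-module-authoauth2:v3.1.0 \
          --ignore-platform-reqs \
          --no-interaction \
          --no-scripts
      # … unchanged: args, register, changed_when, when, become, tags …
```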
+++ b/fedregagents.yml @@ -1,16 +1,13 @@ --- - -# This playbook deploy the RCIAM federation registry agent. - - +# This playbook deploys the RCIAM federation registry agent. - name: RCIAM federation registry agent demo hosts: fedreg_agents_demo roles: - - { role: fedreg-agent, tags: agent_demo } - + - role: fedreg-agent + tags: agent_demo - name: RCIAM federation registry agent production hosts: fedreg_agents_prod roles: - - { role: fedreg-agent, tags: agent_prod } - + - role: fedreg-agent + tags: agent_prod diff --git a/firewallservers.yml b/firewallservers.yml index 4f4344a2..2809afb1 100644 --- a/firewallservers.yml +++ b/firewallservers.yml @@ -1,7 +1,8 @@ # file: firewallservers.yml # --- - -- hosts: all +- name: Deploy Firewall + hosts: all roles: - - { role: ipr-cnrs.nftables, become: yes } + - role: ipr-cnrs.nftables + become: true diff --git a/google2samlservers.yml b/google2samlservers.yml index f823060b..69e2fac1 100644 --- a/google2samlservers.yml +++ b/google2samlservers.yml 
@@ -1,22 +1,30 @@ # file: google2samlservers.yml -# +# --- - -- hosts: google2saml +- name: Provision Google2Samle hosts + hosts: google2saml roles: # - { role: apache, tags: apache } # - { role: php, tags: php } - - { role: ssp, tags: ssp } - - { role: ssp-modules, tags: ssp-modules } + - role: ssp + tags: ssp + - role: ssp-modules + tags: ssp-modules tasks: - name: Install modules using composer - shell: php composer.phar require cirrusidentity/simplesamlphp-module-authoauth2:v3.1.0 league/oauth2-google --ignore-platform-reqs --no-interaction --no-scripts + ansible.builtin.shell: > + php composer.phar + require cirrusidentity/simplesamlphp-module-authoauth2:v3.1.0 + league/oauth2-google + --ignore-platform-reqs + --no-interaction + --no-scripts args: chdir: "{{ ssp_path }}/" executable: /bin/bash register: composer_results changed_when: composer_results is changed and "Nothing to install, update or remove" not in composer_results.stderr - when: ssp_mods_extra_enabled | selectattr('name','equalto','authoauth2') | list | count > 0 + when: ssp_mods_extra_enabled | selectattr('name', 'equalto', 'authoauth2') | list | count > 0 become: true tags: - install diff --git a/inventories/example/group_vars/authservers.yml b/inventories/example/group_vars/authservers.yml index 676c7e1d..f4e6632a 100644 --- a/inventories/example/group_vars/authservers.yml +++ b/inventories/example/group_vars/authservers.yml @@ -16,7 +16,7 @@ ssp_alias: proxy # Select where to store session information: # `phpsession` Uses the built-in session management in PHP (default). -# `memcache` Uses memcached to cache sessions in memory. +# `memcache` Uses memcached to cache sessions in memory. # Sessions can be distributed and replicated among several # memcached servers, enabling both load-balancing and fail-over. # `sql` Stores session information in a SQL database (WIP). 
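Review bot: The new play name `Provision Google2Samle hosts` has a typo; `- name: Provision Google2SAML hosts`. The folded `>` scalar works here because the command has no backslash continuations, so folding produces one valid `php composer.phar require ... --no-scripts` line; if the command is later split with backslashes, switch to a literal `|-` block as `d4science2samlservers.yml` does, since `>` and `\` together break the command as in the `deep2samlservers.yml` hunk of this commit.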
@@ -74,7 +74,7 @@ ssp_authsources_saml: # Whether logout requests and logout responses received received by # this SP should be validated. Default is false. redirect_validate: true - # Whether to sign authentication requests sent from this SP. Default is + # Whether to sign authentication requests sent from this SP. Default is # false. sign_authnrequest: true # Whether to sign logout messages sent from this SP. Default is false. @@ -118,7 +118,7 @@ ssp_authsources_saml: attribute_values: - "http://www.geant.net/uri/dataprotection-code-of-conduct/v1" - "http://refeds.org/category/research-and-scholarship" - # Optional list of contacts in addition to the technical contact configured + # Optional list of contacts in addition to the technical contact configured # through config/config.php contacts: # The type of contact. The possible values are `technical`, `support`, @@ -136,7 +136,7 @@ ssp_authsources_saml: #telephone_numbers: "+31(0)12345678" # List of attributes this SP requests from the IdP. This list will be added # to the generated metadata. - # The attributes will be added without a `NameFormat` by default. Use the + # The attributes will be added without a `NameFormat` by default. Use the # name_format option to specify the `NameFormat` for the attributes. attributes: name_format: "urn:oasis:names:tc:SAML:2.0:attrname-format:uri" @@ -153,7 +153,7 @@ ssp_authsources_saml: mail: "urn:oid:0.9.2342.19200300.100.1.3" #eduPersonEntitlement: "urn:oid:1.3.6.1.4.1.5923.1.1.1.7" #eduPersonAssurance: "urn:oid:1.3.6.1.4.1.5923.1.1.1.11" - # The format of the NameID we request from the IdP. Defaults to the + # The format of the NameID we request from the IdP. Defaults to the # transient format if unspecified. #name_id_policy: "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" 
@@ -165,7 +165,7 @@ ssp_idp_shib13_enabled: false # Hosted IdP metadata ssp_idp_hosts: # The entity ID should be a URI. It can also be specified as `__DYNAMIC:1__`, - # `__DYNAMIC:2__`, ... in which case, the entity ID will be generated + # `__DYNAMIC:2__`, ... in which case, the entity ID will be generated # automatically. - entity_id: "__DYNAMIC:1__" # The hostname for this IdP. One of the IdPs can also have its `host` set @@ -189,7 +189,7 @@ ssp_idp_hosts: redirect_validate: true # The authentication source to be used to authenticate users on this IdP. auth: sso - # Optional list of contacts in addition to the technical contact configured + # Optional list of contacts in addition to the technical contact configured # through config/config.php contacts: # The type of contact. The possible values are `technical`, `support`, @@ -205,20 +205,20 @@ ssp_idp_hosts: email_address: "bob.builder@aai.example.eu" # Optional telephone number of the contact person. #telephone_numbers: "+31(0)12345678" - # A list with scopes for this IdP. The scopes will be added to the + # A list with scopes for this IdP. The scopes will be added to the # generated XML metadata. A scope can either be a domain name or a regular # expression matching a number of domains. scopes: - example.eu # Localised names of the organisation responsible for this IdP. - organization_name: + organization_name: en: Example.eu # Localised user-friendly names of the organisation responsible for this # IdP. - organization_display_name: + organization_display_name: en: Example.eu # Localised URLs of the organisation responsible for this IdP. - organization_url: + organization_url: en: "https://www.example.eu/" # SAML V2.0 Metadata Extensions for Login and Discovery # UIInfo Items 
@@ -255,7 +255,7 @@ ssp_idp_hosts: privacy_statement_url: en: "https://aai.example.eu/privacy/en" # DiscoHints items - # List of IPv4 and IPv6 addresses in CIDR notation serviced by or + # List of IPv4 and IPv6 addresses in CIDR notation serviced by or # associated with this IdP. #ip_hints: # - "83.212.96.0/19" 
@@ -286,41 +286,41 @@ ssp_idp_hosts: # from authentication sources. authproc: - "89": - # Maps attribute OIDs to names. + # Maps attribute OIDs to names. class: "core:AttributeMap" oid2name: - "90": # Requires `consent` in `ssp_mods_enabled`. class: "consent:Consent" - # The Consent storage backend. Currently only `consent:Cookie` is + # The Consent storage backend. Currently only `consent:Cookie` is # supported. This option is optional. If omitted, the user is still # asked to consent, but the decision is not saved. store: "consent:Cookie" # Optional flag that indicates whether the values of the attributes # should be used in calculating the unique hashes that identify the - # consent. If includeValues is set and the value of an attribute + # consent. If includeValues is set and the value of an attribute # changes, then the consent becomes invalid. Defaults to false. includeValues: true - # Optional flag that indicates whether the "Remember" consent + # Optional flag that indicates whether the "Remember" consent # checkbox is checkd by default. Defaults to false. #checked: false # Indicates whether the "Yes" or "No" button is in fucus by default. - # This option is optional and can take the value 'yes' or 'no'. + # This option is optional and can take the value 'yes' or 'no'. # If omitted, neither will recive focus. focus: "no" # Optional list of attributes whose values should be hidden. # Default behaviour is that all attribute values are shown. #hiddenAttributes: - "91": - # Maps attribute names to OIDs. + # Maps attribute names to OIDs. # Usually combined with SAML:2.0:attrname-format:uri class: "core:AttributeMap" name2oid: extra_parameters: | 'attributeencodings' => array( // eduPersonTargetedID with oid NameFormat. - 'urn:oid:1.3.6.1.4.1.5923.1.1.1.10' => 'raw', - ), + 'urn:oid:1.3.6.1.4.1.5923.1.1.1.10' => 'raw', + ), # List of SSP modules to enable ssp_mods_enabled: 
@@ -329,11 +329,11 @@ ssp_mods_enabled: - discopower - consent - smartattributes - - memcacheMonitor + - memcacheMonitor #- authfacebook # Configuration options for automated SAML metadata management. -# Requires `metarefresh` and `cron` modules in `ssp_mods_enabled`. +# Requires `metarefresh` and `cron` modules in `ssp_mods_enabled`. # # Global blacklist: Optional list of entityIDs that should be excluded from ALL # metadata sets. @@ -349,7 +349,7 @@ ssp_mod_metarefresh_sets: sources: # The URL where the metadata will be fetched from. - url: "https://md.aai.example.eu/aggregates/edugain-metadata.xml" - # The fingerprint of the certificate used to sign the metadata. + # The fingerprint of the certificate used to sign the metadata. # You can omit this option if you don't want to validate the signature # on the metadata. #validate_fingerprint: "59:1D:4B:46:70:46:3E:ED:A9:1F:CC:81:6D:C0:AF:2A:09:2A:A8:01" @@ -411,4 +411,3 @@ apache_vhosts_ssl: Require all granted - diff --git a/inventories/example/group_vars/cacheservers.yml b/inventories/example/group_vars/cacheservers.yml index dcff113f..a4426aec 100644 --- a/inventories/example/group_vars/cacheservers.yml +++ b/inventories/example/group_vars/cacheservers.yml @@ -3,12 +3,12 @@ # # See memcached default values in roles/memcached/defaults/main.yml # -# Log verbosity levels: +# Log verbosity levels: # `""` Don't log anything (Default) # `-v` Be verbose during the event loop; print out errors and warnings. # `-vv` Be even more verbose; same as -v but also print client commands and # responses. -# `-vvv` Be extremely verbose; same as -vv but also print internal state +# `-vvv` Be extremely verbose; same as -vv but also print internal state # transitions. #memcached_log_verbosity: "" diff --git a/keycloakservers.yml b/keycloakservers.yml index 69b820b3..ff15b034 100644 --- a/keycloakservers.yml +++ b/keycloakservers.yml 
@@ -1,7 +1,7 @@ # file: keycloakservers.yml # --- - -- hosts: keycloak +- name: Provision keycloak + hosts: keycloak roles: - - keycloak \ No newline at end of file + - keycloak diff --git a/logrotateservers.yml b/logrotateservers.yml index bc9e4170..43b7cc88 100644 --- a/logrotateservers.yml +++ b/logrotateservers.yml @@ -1,7 +1,7 @@ # file: logrotateservers.yml # --- - -- hosts: all +- name: Deploy logrotate + hosts: all roles: - { role: arillso.logrotate, tags: logrotate } diff --git a/metricsservers.yml b/metricsservers.yml index 919c3de9..ddcf5530 100644 --- a/metricsservers.yml +++ b/metricsservers.yml @@ -2,6 +2,7 @@ # --- -- hosts: rciam-metrics +- name: Deploy Metrics Servers + hosts: rciam-metrics roles: - { role: rciam-metrics, tags: rciam-metrics } diff --git a/monservers.yml b/monservers.yml index c7e0c4de..cd4620de 100644 --- a/monservers.yml +++ b/monservers.yml @@ -1,14 +1,13 @@ # --- -- hosts: monservers - +- name: Deploy monitoring servers + hosts: monservers vars: extra_yum_repositories: - "https://dl.fedoraproject.org/pub/epel/epel-release-latest-{{ ansible_distribution_major_version }}.noarch.rpm" extra_yum_keys: - "/etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-{{ ansible_distribution_major_version }}" - roles: - { role: apache, tags: apache } - { role: php, tags: php } @@ -16,7 +15,7 @@ tasks: - name: Ensure Repositories are installed (RedHat) - yum: + ansible.builtin.yum: name: "{{ item }}" state: present loop: "{{ extra_yum_repositories }}" @@ -27,7 +26,7 @@ - never - name: Import repositories GPG key (RedHat). - rpm_key: + ansible.builtin.rpm_key: key: "{{ item }}" state: present loop: "{{ extra_yum_keys }}" @@ -38,9 +37,9 @@ - never - name: Upgrade all - yum: + ansible.builtin.yum: name: '*' - state: latest + state: latest # noqa package-latest update_cache: true become: true when: ansible_os_family == 'RedHat' 
@@ -49,7 +48,7 @@ - upgrade - name: Ensure common packages are installed (RedHat) - yum: + ansible.builtin.yum: name: "{{ item }}" state: present update_cache: true @@ -59,36 +58,38 @@ - ca-certificates - vim-enhanced - yum-utils - become: yes + become: true when: ansible_os_family == 'RedHat' tags: - common - never - - name: Configure timezone - timezone: + - name: Configure timezone # noqa syntax-check[unknown-module] + community.general.timezone: name: "{{ timezone }}" - become: yes + become: true notify: restart crond tags: - common - never - name: Register private connection uuid (RedHat) - command: "nmcli -g GENERAL.CON-UUID d show {{item}}" + ansible.builtin.command: "nmcli -g GENERAL.CON-UUID d show {{ item }}" loop: "{{ firewall_private_interfaces | default([]) }}" register: firewall_private_uuids when: ansible_os_family == 'RedHat' + changed_when: false tags: firewall - name: Set zone internal to connections on network managed private interfaces (RedHat) - command: "nmcli connection modify {{ item.stdout }} connection.zone internal" + ansible.builtin.command: "nmcli connection modify {{ item.stdout }} connection.zone internal" loop: "{{ firewall_private_uuids.results }}" + changed_when: false when: ansible_os_family == 'RedHat' tags: firewall - name: Clear firewall state (RedHat) - file: + ansible.builtin.file: path: "{{ item }}" state: absent loop: @@ -103,7 +104,7 @@ notify: restart firewall - name: Add default services to public zone (RedHat) - firewalld: + ansible.posix.firewalld: zone: public service: "{{ item }}" permanent: true 
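Review bot: The `changed_when: false` added to `Set zone internal to connections on network managed private interfaces (RedHat)` hides a real state change: `nmcli connection modify ... connection.zone internal` rewrites the connection profile on every run, so the task now always reports ok whether or not the zone actually changed, and it could never drive a handler. A quieter and honest version queries first, e.g. register `nmcli -g connection.zone connection show {{ item.stdout }}` and guard the modify with `when: zone_result.stdout != 'internal'` (with the corresponding `changed_when` derived from that), or at minimum compute `changed_when` from a before/after comparison rather than hard-coding `false`. The `changed_when: false` on the preceding `Register private connection uuid (RedHat)` task is correct, since `nmcli ... show` is read-only.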
@@ -115,35 +116,39 @@ when: ansible_os_family == 'RedHat' notify: restart firewall - - meta: flush_handlers + - name: Flush handlers + ansible.builtin.meta: flush_handlers when: ansible_os_family == 'RedHat' - name: Create firewall new zones (RedHat) - command: firewall-cmd --permanent --new-zone="{{ item }}" + ansible.builtin.command: firewall-cmd --permanent --new-zone="{{ item }}" loop: "{{ firewall_zones | default([]) }}" notify: restart firewall tags: firewall when: ansible_os_family == 'RedHat' - ignore_errors: true + ignore_errors: true # noqa ignore-errors + changed_when: false - name: Create firewall new services (RedHat) - command: firewall-cmd --permanent --new-service="{{item.name}}" + ansible.builtin.command: firewall-cmd --permanent --new-service="{{ item.name }}" loop: "{{ firewall_services | default([]) }}" notify: restart firewall tags: firewall when: ansible_os_family == 'RedHat' - ignore_errors: true + ignore_errors: true # noqa ignore-errors + changed_when: false - name: Add port to services (RedHat) - command: firewall-cmd --permanent --service="{{ item.name }}" --add-port={{ item.port }} + ansible.builtin.command: firewall-cmd --permanent --service="{{ item.name }}" --add-port={{ item.port }} loop: "{{ firewall_services | default([]) }}" notify: restart firewall tags: firewall when: ansible_os_family == 'RedHat' - ignore_errors: true + ignore_errors: true # noqa ignore-errors + changed_when: false - name: Firewall add services to zones (RedHat) - firewalld: + ansible.posix.firewalld: zone: "{{ item.zone }}" service: "{{ item.service }}" permanent: true @@ -154,7 +159,7 @@ notify: restart firewall - name: Add sources to zones (RedHat) - firewalld: + ansible.posix.firewalld: zone: "{{ item.zone }}" source: "{{ item.source }}" permanent: true @@ -165,7 +170,7 @@ notify: restart firewall - name: Add interfaces to zones (RedHat) - firewalld: + ansible.posix.firewalld: zone: "{{ item.zone }}" interface: "{{ item.interface }}" permanent: true 
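Review bot: The `changed_when: false` added to `Create firewall new zones (RedHat)`, `Create firewall new services (RedHat)` and `Add port to services (RedHat)` turns their `notify: restart firewall` into dead code — a task that never reports changed never triggers its handler — so a newly created zone, service or port is not loaded until something else happens to restart firewalld. Combined with the retained `ignore_errors: true` (which also swallows unrelated failures such as firewalld not running or a malformed `item.port`), these three tasks now neither report nor fail on anything. Register the result instead and derive both states from it, e.g. `register: fw_zone` / `changed_when: fw_zone.rc == 0` / `failed_when: fw_zone.rc != 0 and 'NAME_CONFLICT' not in fw_zone.stderr` (NAME_CONFLICT being, as far as I recall, what `firewall-cmd` prints for an already-existing zone or service — verify on the target release), after which `ignore_errors` can be dropped. The `name:` added to the `meta: flush_handlers` task is fine.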
@@ -176,16 +181,17 @@ notify: restart firewall handlers: - - name: reload firewall - command: "firewall-cmd --reload" + - name: Reload firewall + ansible.builtin.command: "firewall-cmd --reload" + changed_when: false - - name: restart firewall - service: + - name: Restart firewall + ansible.builtin.service: name: firewalld state: restarted - - name: restart crond - service: + - name: Restart crond + ansible.builtin.service: name: crond state: restarted - become: yes + become: true diff --git a/oauth2samlservers.yml b/oauth2samlservers.yml index ea03cc9e..158b4460 100644 --- a/oauth2samlservers.yml +++ b/oauth2samlservers.yml @@ -1,21 +1,29 @@ # file: oauth2samlservers.yml -# +# --- -- hosts: oauth2saml +- name: Deploy Oauth2Saml + hosts: oauth2saml roles: - { role: ssp, tags: ssp } - { role: ssp-modules, tags: ssp-modules } tasks: - name: Install modules using composer # shell: php composer.phar require oakhope/oauth2-wechat --ignore-platform-reqs --no-interaction --no-scripts - shell: php composer.phar require cirrusidentity/simplesamlphp-module-authoauth2:v3.1.0 league/oauth2-google oakhope/oauth2-wechat --ignore-platform-reqs --no-interaction --no-scripts + ansible.builtin.shell: >- # Better to declare dependencies here + php composer.phar require \ + cirrusidentity/simplesamlphp-module-authoauth2:v3.1.0 \ + league/oauth2-google \ + oakhope/oauth2-wechat \ + --ignore-platform-reqs \ + --no-interaction \ + --no-scripts args: chdir: "{{ ssp_path }}/" executable: /bin/bash register: composer_results changed_when: composer_results is changed and "Nothing to install, update or remove" not in composer_results.stderr - when: ssp_mods_extra_enabled | selectattr('name','equalto','authoauth2') | list | count > 0 + when: ssp_mods_extra_enabled | selectattr('name', 'equalto', 'authoauth2') | list | count > 0 become: true tags: - install diff --git a/openldapservers.yml b/openldapservers.yml index 6b5a75a6..8edcb85d 100644 --- a/openldapservers.yml +++ b/openldapservers.yml 
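Review bot: The rewritten `Install modules using composer` task in oauth2samlservers.yml is broken: `>-` is a folded block scalar, so the line breaks become spaces but the trailing `\` characters are kept in the string, and bash then sees `require \ cirrusidentity/...` where the backslash-escaped space is glued onto the next word — composer is handed a package argument that begins with a space. Drop the backslashes; folding already joins the lines, exactly as the google2samlservers.yml task in this same commit does. While here, `league/oauth2-google` and `oakhope/oauth2-wechat` remain unpinned while the authoauth2 module is pinned to `v3.1.0`, which leaves the deploy pulling floating versions as root — pin them too. The `# Better to declare dependencies here` comment on the scalar header is legal YAML but would read more naturally as a comment line above the task.

```yaml
    - name: Install modules using composer
      ansible.builtin.shell: >-
        php composer.phar require
        cirrusidentity/simplesamlphp-module-authoauth2:v3.1.0
        league/oauth2-google
        oakhope/oauth2-wechat
        --ignore-platform-reqs
        --no-interaction
        --no-scripts
      # … unchanged: args, register, changed_when, when, become, tags …
```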
@@ -1,3 +1,5 @@ -- hosts: openldap +--- +- name: Deploy openldap + hosts: openldap roles: - - { role: openldap } \ No newline at end of file + - { role: openldap } diff --git a/orcid2samlservers.yml b/orcid2samlservers.yml index d1557d82..e680ff9d 100644 --- a/orcid2samlservers.yml +++ b/orcid2samlservers.yml @@ -1,8 +1,9 @@ # file: orcid2samlservers.yml -# +# --- -- hosts: orcid2saml +- name: Deploy ORCID 2 SAML hosts + hosts: orcid2saml roles: # - { role: apache, tags: apache } # - { role: php, tags: php } diff --git a/rciam-keycloak.yml b/rciam-keycloak.yml index 6e5ca9f5..b09edc48 100644 --- a/rciam-keycloak.yml +++ b/rciam-keycloak.yml @@ -2,10 +2,14 @@ # RCIAM deployment based on Keycloak --- -- import_playbook: firewallservers.yml +- name: Run Firewall Servers + ansible.builtin.import_playbook: firewallservers.yml -- import_playbook: dbservers.yml +- name: Deploy DBN Servers + ansible.builtin.import_playbook: dbservers.yml -- import_playbook: keycloakservers.yml +- name: Deploy Keycloak servers + ansible.builtin.import_playbook: keycloakservers.yml -- import_playbook: webproxyservers.yml +- name: Deploy Web Proxy Servers + ansible.builtin.import_playbook: webproxyservers.yml diff --git a/rciam-oidc-client.yml b/rciam-oidc-client.yml index 5ae5f6f1..e838a3b4 100644 --- a/rciam-oidc-client.yml +++ b/rciam-oidc-client.yml @@ -1,6 +1,7 @@ # file: rciam-oidc-client.yml # --- -- hosts: web +- name: Deploy OIDC client + hosts: web roles: - { role: rciam-oidc-client, tags: rciam-oidc-client } diff --git a/registryservers-roles-ui.yml b/registryservers-roles-ui.yml index f0fb4a48..c5d29c2b 100644 --- a/registryservers-roles-ui.yml +++ b/registryservers-roles-ui.yml 
@@ -2,9 +2,18 @@ # --- -- hosts: registry +- name: Deploy Regitry Server UI + hosts: registry roles: - { role: cm-role-ui, tags: cm-role-ui } # Deploy CM Roles simple UI -# ansible-playbook -v -u user --ask-become-pass -i inventories/openaire-dev/hosts.ini registryservers-roles-ui.yml --tags "cm-role-ui:configure" --ask-vault-pass --diff --extra-vars "git_user= git_pass=" \ No newline at end of file +# ansible-playbook \ +# -v -u user \ +# --ask-become-pass \ +# -i inventories/openaire-dev/hosts.ini \ +# registryservers-roles-ui.yml \ +# --tags "cm-role-ui:configure" \ +# --ask-vault-pass \ +# --diff \ +# --extra-vars "git_user= git_pass=" diff --git a/registryservers.yml b/registryservers.yml index 2f1b57c9..4e52d236 100644 --- a/registryservers.yml +++ b/registryservers.yml @@ -2,7 +2,8 @@ # --- -- hosts: registry +- name: Deploy Registry Servers + hosts: registry roles: - { role: git, tags: git } - { role: apache, tags: apache } @@ -15,4 +16,6 @@ # Deploy clean COmanage environment # ansible-playbook -v -i inventories/instances/hosts.ini registryservers.yml --tags "comanage-registry" --ask-vault-pass # Deploy changes. -# ansible-playbook -v -i inventories/instances/hosts.ini registryservers.yml --tags [comanage-registry,comanage-registry:install,comanage-registry:config,] --ask-vault-pass +# ansible-playbook -v -i inventories/instances/hosts.ini registryservers.yml \ +# --tags [comanage-registry,comanage-registry:install,comanage-registry:config,] \ +# --ask-vault-pass diff --git a/requirements.txt b/requirements.txt index 6b934edf..31b99066 100644 --- a/requirements.txt +++ b/requirements.txt 
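Review bot: The reflowed usage comment in registryservers-roles-ui.yml still recommends `--extra-vars "git_user= git_pass="`, which puts repository credentials on the command line where they land in shell history and are visible to every local user in the process list for as long as the play runs. Since the same invocation already uses `--ask-vault-pass`, point readers at a vault-encrypted vars file instead, e.g. replace that last line with `#   --extra-vars @<vault-encrypted-vars-file.yml>   # never pass credentials inline`. This is documentation only; no task change is needed for it.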
@@ -1,4 +1,39 @@
-ansible==2.10.7
-dnspython==2.1.0
-passlib==1.7.4
+ansible==9.3.0
+ansible-base==2.10.17
+ansible-compat==4.1.11
+ansible-core==2.17.6
+ansible-lint==24.2.1
+attrs==23.2.0
+black==24.3.0
+bracex==2.4
+cffi==1.16.0
+click==8.1.7
+cryptography==43.0.1
+dnspython==2.6.1
+filelock==3.13.1
+Jinja2==3.1.4
 jmespath==0.10.0
+jsonschema==4.21.1
+jsonschema-specifications==2023.12.1
+markdown-it-py==3.0.0
+MarkupSafe==2.1.5
+mdurl==0.1.2
+mypy-extensions==1.0.0
+packaging==24.0
+passlib==1.7.4
+pathspec==0.12.1
+platformdirs==4.2.0
+pycparser==2.21
+Pygments==2.17.2
+PyYAML==6.0.1
+referencing==0.34.0
+resolvelib==1.0.1
+rich==13.7.1
+rpds-py==0.18.0
+ruamel.yaml==0.18.6
+ruamel.yaml.clib==0.2.8
+subprocess-tee==0.4.1
+tomli==2.0.1
+typing_extensions==4.10.0
+wcmatch==8.5.1
+yamllint==1.35.1
diff --git a/requirements.yml b/requirements.yml
new file mode 100644
index 00000000..b5f2a282
--- /dev/null
+++ b/requirements.yml
@@ -0,0 +1,10 @@
+- name: ipr-cnrs.nftables
+  version: v2.2.1
+- name: arillso.logrotate
+  version: 1.6.1
+- name: geerlingguy.nodejs
+  version: 7.0.0
+- name: Oefenweb.yarn
+  version: v1.0.52
+- name: infOpen.openjdk-jdk
+  version: 0.4.0
diff --git a/roles/apache/defaults/main.yml b/roles/apache/defaults/main.yml
index f90655fe..c1c4d5b5 100644
--- a/roles/apache/defaults/main.yml
+++ b/roles/apache/defaults/main.yml
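Review bot: The new requirements.txt pin set looks unresolvable as written: `ansible==9.3.0` is the community package, which as far as I recall depends on an `ansible-core` 2.16.x release, so the `ansible-core==2.17.6` pin a few lines below should make `pip install -r requirements.txt` fail with a dependency conflict; and `ansible-base==2.10.17` is the pre-2.11 name of the very same package, which must never be installed alongside `ansible-core` (both unpack into the `ansible` module tree). Either drop `ansible` and `ansible-base` and keep a bare `ansible-core` pin matching what the playbooks are tested against, or keep `ansible==9.3.0` and remove the explicit core pins so it selects its own — verify against the exact `ansible` 9.3.0 metadata before merging. Pinning everything exactly is good for reproducibility, but a `# generated with pip freeze on <date>` comment at the top would tell the next maintainer how to refresh it.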
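Review bot: requirements.yml declares only roles, yet the FQCN migration in this commit makes the playbooks depend on `community.general` (`community.general.apache2_module`, `community.general.timezone`) and `ansible.posix` (`ansible.posix.firewalld`), and the `# noqa syntax-check[unknown-module]` left on the timezone task suggests at least one of them is already unresolved in the lint environment. Add a `collections:` section next to the roles, pinned the same way the roles are, so `ansible-galaxy install -r requirements.yml` yields identical content on every control host; the file also lacks the `---` document start the rest of the commit adds everywhere else, and moving the current list under a top-level `roles:` key is the form that accepts both sections.

```yaml
---
roles:
  - name: ipr-cnrs.nftables
    version: v2.2.1
  # … unchanged: remaining role entries …
collections:
  - name: community.general
    version: "<pinned version>"
  - name: ansible.posix
    version: "<pinned version>"
```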
@@ -16,15 +16,15 @@ apache_listen_directives: | # Set to one of: Full | OS | Minimal | Minor | Major | Prod # where Full conveys the most information, and Prod the least. -apache_server_tokens: "OS" -# Set to one of: On | Off | EMail +apache_server_tokens: OS +# Set to one of: On | Off | EMail # Set to "EMail" to also include a mailto: link to the ServerAdmin. apache_server_signature: "On" # Set to one of: On | Off | extended apache_trace_enable: "Off" apache_create_vhosts: true -apache_vhosts_filename: "vhosts.conf" +apache_vhosts_filename: vhosts.conf # On RedHat/Centos, a default Welcome Screen is included in Apache's configuration. # Set this to `true` to remove that default; otherwise `false`. apache_remove_default_page: false 
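Review bot: The hunk reformats `apache_server_tokens: OS` and `apache_server_signature: "On"` but keeps those values, which advertise the httpd version and operating system in the `Server` header and on generated error pages; the comment two lines above even documents `Prod` as the option that "conveys the least". Unless a deployment actually relies on the banner, the role default should be the hardened one — `apache_server_tokens: Prod` and `apache_server_signature: "Off"` — with inventories overriding if they really want more. `apache_trace_enable: "Off"` is already the safe choice. Keep the `"On"`/`"Off"` values quoted as the hunk does: unquoted they become YAML booleans and would render as `True`/`False` in the template.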
@@ -34,46 +34,45 @@ apache_remove_default_page: false apache_remove_default_vhost: true apache_vhosts: - # Additional properties: `serveradmin`, `serveralias`, `usecanonicalname`, + # Additional properties: `serveradmin`, `serveralias`, `usecanonicalname`, # `extra_parameters`. - servername: "{{ inventory_hostname }}" - documentroot: "/var/www/html" + documentroot: /var/www/html apache_vhosts_ssl: [] - # Additional properties: `serveradmin`, `serveralias`, `usecanonicalname`, - # `extra_parameters`. - # - servername: "www.example.com" - # documentroot: "/var/www/html" - # certificate_file: "/path/to/certificate.crt" - # certificate_key_file: "/path/to/certificate.key" - # # Optional. - # certificate_chain_file: "/path/to/certificate_chain.crt" +# Additional properties: `serveradmin`, `serveralias`, `usecanonicalname`, +# `extra_parameters`. +# - servername: "www.example.com" +# documentroot: "/var/www/html" +# certificate_file: "/path/to/certificate.crt" +# certificate_key_file: "/path/to/certificate.key" +# # Optional. 
+# certificate_chain_file: "/path/to/certificate_chain.crt" # Name of the user that should own the file containing the SSL certificate -apache_ssl_certificate_file_owner: "root" +apache_ssl_certificate_file_owner: root # Name of the group that should own the file containing the SSL certificate -apache_ssl_certificate_file_group: "root" +apache_ssl_certificate_file_group: root # Permissions of the file containing the SSL certificate apache_ssl_certificate_file_mode: "0644" # Name of the user that should own the file containing the SSL certificate key -apache_ssl_certificate_key_file_owner: "root" +apache_ssl_certificate_key_file_owner: root # Name of the group that should own the file containing the SSL certificate key -apache_ssl_certificate_key_file_group: "root" +apache_ssl_certificate_key_file_group: root # Permissions of the file containing the SSL certificate key apache_ssl_certificate_key_file_mode: "0600" apache_ignore_missing_ssl_certificate: true -#apache_ssl_protocol: "All -SSLv2 -SSLv3" -#apache_ssl_cipher_suite: "AES256+EECDH:AES256+EDH" +# apache_ssl_protocol: "All -SSLv2 -SSLv3" +# apache_ssl_cipher_suite: "AES256+EECDH:AES256+EDH" # Initial apache state, i.e. `started`, `stopped`, `restarted`, or `reloaded` -apache_state: "started" +apache_state: started -#install additional modules +# install additional modules apache_mods_installed: [] - # Only used on Debian/Ubuntu. apache_mods_enabled: - ssl diff --git a/roles/apache/handlers/main.yml b/roles/apache/handlers/main.yml index fc6b5f67..88812ae5 100644 --- a/roles/apache/handlers/main.yml +++ b/roles/apache/handlers/main.yml @@ -1,7 +1,6 @@ --- - -- name: restart apache - service: +- name: Restart apache + become: true + ansible.builtin.service: name: "{{ apache_service }}" state: restarted - become: yes diff --git a/roles/apache/tasks/configure-Debian.yml b/roles/apache/tasks/configure-Debian.yml index f163a61c..5bbdbd7f 100644 --- a/roles/apache/tasks/configure-Debian.yml 
+++ b/roles/apache/tasks/configure-Debian.yml 
@@ -1,78 +1,77 @@ --- - - name: Enable required Apache modules (Debian) - apache2_module: + become: true + community.general.apache2_module: state: present name: "{{ item }}" with_items: "{{ apache_mods_enabled }}" - become: yes notify: - - restart apache + - Restart apache - name: Disable unnecessary Apache modules (Debian) - apache2_module: - state: absent + become: true + community.general.apache2_module: + state: absent name: "{{ item }}" with_items: "{{ apache_mods_disabled }}" - become: yes notify: - - restart apache + - Restart apache - name: Remove default vhost from sites-enabled (Debian) - file: + become: true + ansible.builtin.file: path: "{{ apache_conf_path }}/sites-enabled/{{ apache_default_vhost_filename }}" state: absent - become: yes - notify: restart apache + notify: Restart apache when: apache_remove_default_vhost - name: Configure Apache ports (Debian) - template: - src: "ports.conf.j2" + become: true + ansible.builtin.template: + src: ports.conf.j2 dest: "{{ apache_conf_path }}/ports.conf" owner: root group: root - mode: 0644 - backup: yes - become: yes - notify: restart apache + mode: "0644" + backup: true + notify: Restart apache - name: Configure Apache security settings (Debian) - template: - src: "security.conf.j2" + become: true + ansible.builtin.template: + src: security.conf.j2 dest: "{{ apache_conf_path }}/conf-available/security.conf" owner: root group: root - mode: 0644 - backup: yes - become: yes - notify: restart apache + mode: "0644" + backup: true + notify: Restart apache - name: Enable Apache security configuration (Debian) - file: + become: true + ansible.builtin.file: src: "{{ apache_conf_path }}/conf-available/security.conf" dest: "{{ apache_conf_path }}/conf-enabled/security.conf" state: link - become: yes - notify: restart apache + notify: Restart apache - name: Add Apache vhosts configuration (Debian) - template: - src: "vhosts.conf.j2" + become: true + ansible.builtin.template: + src: vhosts.conf.j2 dest: "{{ 
apache_conf_path }}/sites-available/{{ apache_vhosts_filename }}" owner: root group: root - mode: 0644 - backup: yes - become: yes - notify: restart apache + mode: "0644" + backup: true + notify: Restart apache when: apache_create_vhosts - name: Enable Apache vhosts configuration (Debian) - file: + become: true + ansible.builtin.file: src: "{{ apache_conf_path }}/sites-available/{{ apache_vhosts_filename }}" dest: "{{ apache_conf_path }}/sites-enabled/{{ apache_vhosts_filename }}" state: link - become: yes - notify: restart apache + notify: Restart apache when: apache_create_vhosts diff --git a/roles/apache/tasks/configure-RedHat.yml b/roles/apache/tasks/configure-RedHat.yml index 2635b762..2a9afe83 100644 --- a/roles/apache/tasks/configure-RedHat.yml +++ b/roles/apache/tasks/configure-RedHat.yml 
@@ -1,88 +1,87 @@ --- - - name: Ensure sites-available and sites-enabled directories exist (RedHat) - file: + become: true + ansible.builtin.file: path: "{{ item }}" state: directory owner: root group: root + mode: "0775" loop: - "{{ apache_conf_path }}/sites-available" - - "{{ apache_conf_path }}/sites-enabled/" - become: yes + - "{{ apache_conf_path }}/sites-enabled" - name: Append extra parameters into Apache httpd.conf (RedHat) - blockinfile: + become: true + ansible.builtin.blockinfile: path: "{{ apache_conf_path }}/conf/httpd.conf" block: | IncludeOptional sites-enabled/*.conf IncludeOptional conf.d/security.conf owner: root group: root - mode: 0644 - backup: yes - become: yes - notify: restart apache + mode: "0644" + backup: true + notify: Restart apache - name: Configure Apache security settings (RedHat) - template: - src: "security.conf.j2" + become: true + ansible.builtin.template: + src: security.conf.j2 dest: "{{ apache_conf_path }}/conf.d/security.conf" owner: root group: root - mode: 0644 - backup: yes - become: yes - notify: restart apache + mode: "0644" + backup: true + notify: Restart apache # Configure Virtual Host SSL certificates - name: Include vhost SSL certificates configuration - include: configure-ssl-cert.yml + become: true + ansible.builtin.include_tasks: configure-ssl-cert.yml when: apache_create_vhosts and apache_vhosts_ssl is defined and apache_vhosts_ssl|length > 0 - name: Add Apache vhosts configuration (RedHat) - template: - src: "vhosts.conf.j2" + become: true + ansible.builtin.template: + src: vhosts.conf.j2 dest: "{{ apache_conf_path }}/sites-available/{{ apache_vhosts_filename }}" owner: root group: root - mode: 0644 - backup: yes - become: yes - notify: restart apache + mode: "0644" + backup: true + notify: Restart apache when: apache_create_vhosts - name: Enable Apache vhosts configuration (RedHat) - file: + become: true + ansible.builtin.file: src: "{{ apache_conf_path }}/sites-available/{{ apache_vhosts_filename }}" dest: 
"{{ apache_conf_path }}/sites-enabled/{{ apache_vhosts_filename }}" state: link - become: yes - notify: restart apache + notify: Restart apache when: apache_create_vhosts - name: Disable default welcome page (RedHat) - file: + become: true + ansible.builtin.file: path: "{{ apache_conf_path }}/conf.d/welcome.conf" state: absent - become: yes when: apache_remove_default_page - notify: restart apache + notify: Restart apache - name: Enable required Apache modules (RedHat) - apache2_module: + become: true + community.general.apache2_module: state: present name: "{{ item }}" with_items: "{{ apache_mods_enabled }}" - become: yes - notify: - - restart apache + notify: Restart apache - name: Disable unnecessary Apache modules (RedHat) - apache2_module: + become: true + community.general.apache2_module: state: absent name: "{{ item }}" with_items: "{{ apache_mods_disabled }}" - become: yes - notify: - - restart apache \ No newline at end of file + notify: Restart apache diff --git a/roles/apache/tasks/configure-ssl-cert.yml b/roles/apache/tasks/configure-ssl-cert.yml index 1545e29a..04428f0d 100644 --- a/roles/apache/tasks/configure-ssl-cert.yml +++ b/roles/apache/tasks/configure-ssl-cert.yml 
@@ -1,54 +1,53 @@ --- - - name: Ensure apache SSL certificate directories exist - file: + become: true + ansible.builtin.file: path: "{{ item.certificate_file | dirname }}" owner: "{{ apache_ssl_certificate_file_owner }}" group: "{{ apache_ssl_certificate_file_group }}" state: directory + mode: "0775" with_items: - "{{ apache_vhosts_ssl }}" when: item.certificate_file is defined and item.certificate is defined - become: yes - name: Ensure apache SSL certificates are copied - copy: + become: true + ansible.builtin.copy: dest: "{{ item.certificate_file }}" content: "{{ item.certificate }}" owner: "{{ apache_ssl_certificate_file_owner }}" group: "{{ apache_ssl_certificate_file_group }}" mode: "{{ apache_ssl_certificate_file_mode }}" - backup: yes + backup: true with_items: - "{{ apache_vhosts_ssl }}" when: item.certificate_file is defined and item.certificate is defined - become: yes - notify: - - restart apache + notify: Restart apache - name: Ensure apache SSL certificate key directories exist - file: + become: true + ansible.builtin.file: path: "{{ item.certificate_key_file | dirname }}" owner: "{{ apache_ssl_certificate_key_file_owner }}" group: "{{ apache_ssl_certificate_key_file_group }}" state: directory + mode: "0775" with_items: - "{{ apache_vhosts_ssl }}" when: item.certificate_key_file is defined and item.certificate_key is defined - become: yes - name: Ensure apache SSL certificate keys are copied - copy: + become: true + ansible.builtin.copy: dest: "{{ item.certificate_key_file }}" - content: '{{ item.certificate_key }}' + content: "{{ item.certificate_key }}" owner: "{{ apache_ssl_certificate_key_file_owner }}" group: "{{ apache_ssl_certificate_key_file_group }}" mode: "{{ apache_ssl_certificate_key_file_mode }}" - backup: yes + backup: true with_items: - "{{ apache_vhosts_ssl }}" when: item.certificate_key_file is defined and item.certificate_key is defined - become: yes - no_log: yes - notify: - - restart apache + no_log: true + notify: Restart apache 
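Review bot: The `mode: "0775"` added to `Ensure apache SSL certificate key directories exist` undercuts the `0600` the next task applies to the key file itself: any member of `{{ apache_ssl_certificate_key_file_group }}` can delete or rename a file in a group-writable directory and drop a key of their own in its place, regardless of the file's own permissions. Use `mode: "0755"` for both added directory tasks (or `"0700"` for the key directory if its owner is the only account that needs to traverse it), which also matches how system certificate and key directories are normally shipped. Keeping `no_log: true` on the key copy is right; the new `become: true` placement is a pure reorder.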
diff --git a/roles/apache/tasks/install-Debian.yml b/roles/apache/tasks/install-Debian.yml index 6d64e8e8..8b7482b6 100644 --- a/roles/apache/tasks/install-Debian.yml +++ b/roles/apache/tasks/install-Debian.yml @@ -1,19 +1,16 @@ --- - - name: Ensure Apache HTTP server is installed (Debian) - apt: + ansible.builtin.apt: name: apache2 - state: present - install_recommends: no - update_cache: yes + state: present + install_recommends: false + update_cache: true cache_valid_time: 86400 - become: yes + become: true - name: Install Modules for Apache - apt: + ansible.builtin.apt: name: "{{ apache_mods_installed }}" - state: present - become: yes - notify: - - restart apache - \ No newline at end of file + state: present + become: true + notify: Restart apache diff --git a/roles/apache/tasks/install-RedHat.yml b/roles/apache/tasks/install-RedHat.yml index 92df6373..bf10c648 100644 --- a/roles/apache/tasks/install-RedHat.yml +++ b/roles/apache/tasks/install-RedHat.yml @@ -1,20 +1,17 @@ --- - - name: Ensure Apache HTTP server is installed (Redhat) - yum: + ansible.builtin.yum: name: httpd state: present - update_cache: yes - become: yes - notify: - - restart apache + update_cache: true + become: true + notify: Restart apache - name: Ensure Apache ssl module is installed (Redhat) - yum: + ansible.builtin.yum: name: mod_ssl state: present - update_cache: yes - become: yes + update_cache: true + become: true when: apache_vhosts_ssl is defined and apache_vhosts_ssl|length > 0 - notify: - - restart apache \ No newline at end of file + notify: Restart apache diff --git a/roles/apache/tasks/main.yml b/roles/apache/tasks/main.yml index 17746231..7e03f929 100644 --- a/roles/apache/tasks/main.yml +++ b/roles/apache/tasks/main.yml 
@@ -1,23 +1,33 @@ --- - - name: Include OS-specific variables - include_vars: "{{ ansible_os_family }}.yml" + ansible.builtin.include_vars: "{{ ansible_os_family }}.yml" -# Install OS-specific packages -- include: install-Debian.yml +- name: Ensure Debian Installation + ansible.builtin.include_tasks: install-Debian.yml when: ansible_os_family == 'Debian' -- include: install-RedHat.yml + +- name: Ensure RedHat Installation + ansible.builtin.include_tasks: install-RedHat.yml when: ansible_os_family == 'RedHat' +# Could be refactored as: +# - name: Include install tasks +# ansible.builtin.include_tasks: "install-{{ ansible_os_family }}.yml" + # Apply OS-specific configuration -- include: configure-Debian.yml +- name: Include Debian Configuration Tasks + ansible.builtin.include_tasks: configure-Debian.yml when: ansible_os_family == 'Debian' -- include: configure-RedHat.yml +- name: Include RedHat Configuration tasks + ansible.builtin.include_tasks: configure-RedHat.yml when: ansible_os_family == 'RedHat' +# Could be refactored as: +# - name: Include Configuration tasks +# ansible.builtin.include_tasks: "configure-{{ ansible_os_family }}.yml" - name: Ensure Apache service is at selected state and enabled on boot - service: + become: true + ansible.builtin.service: name: "{{ apache_service }}" state: "{{ apache_state }}" - enabled: yes - become: yes + enabled: true diff --git a/roles/apache/vars/Debian.yml b/roles/apache/vars/Debian.yml index 1e1a1133..b62452b6 100644 --- a/roles/apache/vars/Debian.yml +++ b/roles/apache/vars/Debian.yml @@ -2,7 +2,7 @@ apache_service: apache2 apache_conf_path: /etc/apache2 -apache_user: "www-data" -apache_group: "www-data" +apache_user: www-data +apache_group: www-data -apache_default_vhost_filename: 000-default.conf +apache_default_vhost_filename: "000-default.conf" diff --git a/roles/apache/vars/RedHat.yml b/roles/apache/vars/RedHat.yml index 2dea2476..caeffec5 100644 --- a/roles/apache/vars/RedHat.yml 
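Review bot: `ansible.builtin.include_vars: "{{ ansible_os_family }}.yml"` runs unguarded, so on a family other than Debian or RedHat the role fails inside include_vars with a file-not-found error while the four `when:`-guarded includes below would have skipped silently; the failure mode is accidental rather than explicit. A one-task guard at the top makes the support boundary clear: `- name: Ensure supported OS family` / `ansible.builtin.assert:` / `that: ansible_os_family in ['Debian', 'RedHat']`. The two "Could be refactored as" comment blocks describe the same change twice; if the refactor is not being done in this commit, one comment at the top of the file (or a tracking issue) is less noise than commented-out tasks next to the live ones.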
+++ b/roles/apache/vars/RedHat.yml @@ -2,5 +2,5 @@ apache_service: httpd apache_conf_path: /etc/httpd -apache_user: "apache" -apache_group: "apache" +apache_user: apache +apache_group: apache diff --git a/roles/cm-role-ui/defaults/main.yml b/roles/cm-role-ui/defaults/main.yml index 780b48fd..f8b71dc0 100644 --- a/roles/cm-role-ui/defaults/main.yml +++ b/roles/cm-role-ui/defaults/main.yml @@ -6,13 +6,13 @@ roles_repo: "https://github.com/rciam/comanage-registry-roles-portal.git" roles_root_dir: "/srv" roles_path: "{{ roles_root_dir }}/{{ roles_src }}" -#roles_api_base_url: "https://example.org/registry" -#roles_api_username: "api_user" -#roles_api_password: "api_pass" +# roles_api_base_url: "https://example.org/registry" +# roles_api_username: "api_user" +# roles_api_password: "api_pass" roles_db_host: "localhost" -#roles_db_username: "db_user" -#roles_db_password: "db_pass" +# roles_db_username: "db_user" +# roles_db_password: "db_pass" roles_db_name: "registry" roles_uid_key: "eduPersonPrincipalName" @@ -21,7 +21,7 @@ roles_username_key: "displayName" roles_email_host: "localhost" roles_email_port: 25 # leave blank the rest of the email options if not needed -# "", "ssl" or "tls" +# "", "ssl" or "tls" roles_email_security: "" roles_email_username: "" roles_email_password: "" diff --git a/roles/cm-role-ui/tasks/configure-common.yml b/roles/cm-role-ui/tasks/configure-common.yml index 53d36e2a..4069756c 100644 --- a/roles/cm-role-ui/tasks/configure-common.yml +++ b/roles/cm-role-ui/tasks/configure-common.yml @@ -1,14 +1,14 @@ --- - +# cm-role-ui/tasks/configure-common.yml - name: Configure cm-role-ui - template: + ansible.builtin.template: src: configuration.php.j2 dest: "{{ roles_path }}/configuration.php" owner: root group: root - mode: 0644 - backup: yes - force: yes - become: yes + mode: "0644" + backup: true + force: true + become: true tags: - cm-role-ui:configure 
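Review bot: `configuration.php` is rendered `owner: root`, `group: root`, `mode: "0644"`, i.e. readable by every local user; the role's defaults in this same diff expose `roles_db_password` and `roles_api_password`, so the rendered file presumably carries those credentials (confirm against `configuration.php.j2`). The comanage-registry role changed in the same commit writes its `database.php` with `mode: "0600"`; matching that intent here, e.g. `group:` set to the web server's group with `mode: "0640"`, keeps the file readable by PHP but not by other accounts on the host. `backup: true` also leaves a copy of the previous credentials next to the live file on every change, which is worth either disabling for this file or cleaning up.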
diff --git a/roles/cm-role-ui/tasks/install-common.yml b/roles/cm-role-ui/tasks/install-common.yml index 47f58194..b78d6f16 100644 --- a/roles/cm-role-ui/tasks/install-common.yml +++ b/roles/cm-role-ui/tasks/install-common.yml @@ -1,34 +1,36 @@ --- - +# cm-role-ui - name: Ensure Roles root directory exists - file: + ansible.builtin.file: path: "{{ roles_root_dir }}" state: directory owner: root group: root - become: yes + mode: "0644" + become: true tags: - cm-role-ui:install - name: Ensure Roles source is cloned under root directory - git: + ansible.builtin.git: repo: "{{ roles_repo }}" dest: "{{ roles_root_dir }}/{{ roles_src }}-{{ roles_version }}" version: "{{ roles_version }}" - accept_hostkey: yes - ignore_errors: yes - become: yes + accept_hostkey: true + # ignore_errors: true + failed_when: false # noqa ignore-errors + become: true tags: - cm-role-ui:install - name: Ensure symbolic link to current Roles installation exists - file: + ansible.builtin.file: src: "{{ roles_root_dir }}/{{ roles_src }}-{{ roles_version }}" dest: "{{ roles_path }}" - force: yes + force: true state: link owner: root group: root - become: yes + become: true tags: - - cm-role-ui:install \ No newline at end of file + - cm-role-ui:install diff --git a/roles/cm-role-ui/tasks/main.yml b/roles/cm-role-ui/tasks/main.yml index 830bdf3e..7f58f4fe 100644 --- a/roles/cm-role-ui/tasks/main.yml +++ b/roles/cm-role-ui/tasks/main.yml 
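Review bot: The new `mode: "0644"` on the `roles_root_dir` directory task strips the execute bit, so no non-root process can traverse the directory at all, including the web server that has to serve the tree cloned beneath it; a directory needs `mode: "0755"` here. The clone task's `failed_when: false` then guarantees the run continues even when the repository could not be cloned, and the next task creates `roles_path` with `force: true` as a symlink to a directory that may not exist. If the suppression is there to tolerate a locally modified checkout on re-runs, register the result and fail only when the destination is missing rather than never.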
@@ -1,16 +1,17 @@ --- +# cm-role-ui/tasks/main.yml -#- name: Include OS-specific variables -# include_vars: "{{ item }}" -# with_first_found: -# - "{{ ansible_distribution }}-{{ ansible_distribution_release}}.yml" -# - "{{ ansible_distribution }}-{{ ansible_distribution_major_version}}.yml" -# - "{{ ansible_distribution }}.yml" -# - "{{ ansible_os_family }}.yml" +# - name: Include OS-specific variables +# include_vars: "{{ item }}" +# with_first_found: +# - "{{ ansible_distribution }}-{{ ansible_distribution_release}}.yml" +# - "{{ ansible_distribution }}-{{ ansible_distribution_major_version}}.yml" +# - "{{ ansible_distribution }}.yml" +# - "{{ ansible_os_family }}.yml" # Run OS-independent installation tasks - name: Include Installation tasks - include_tasks: + ansible.builtin.include_tasks: file: install-common.yml apply: tags: @@ -20,7 +21,7 @@ # Apply OS-independent configuration - name: Include Configure tasks - include_tasks: + ansible.builtin.include_tasks: file: configure-common.yml apply: tags: diff --git a/roles/comanage-registry-plugins/defaults/main.yml b/roles/comanage-registry-plugins/defaults/main.yml index faa96279..c90dec2d 100644 --- a/roles/comanage-registry-plugins/defaults/main.yml +++ b/roles/comanage-registry-plugins/defaults/main.yml @@ -1,14 +1,14 @@ --- comanage_registry_plugins: [] -#comanage_registry_plugins: +# comanage_registry_plugins: # - name: ExamplePluginFolderName # version: master # repository: "https://github.com/project/examplePluginName" # status: init -#comanage_plugins_cron_jobs: +# comanage_plugins_cron_jobs: # - name: "Action Name" # minute: "0" # filename: "PluginName" 
@@ -16,9 +16,9 @@ comanage_registry_plugins: [] # job: | # cd {{ path_to_registry }}/app && Console/cake PluginName.action -#comanage_symlinks: +# comanage_symlinks: # - target: "/path/to/target" # link: "/path/to/symlink" # Whether to install COmanage plugins cron jobs; Enabled by default -comanage_plugins_cron_jobs_enabled: yes \ No newline at end of file +comanage_plugins_cron_jobs_enabled: true diff --git a/roles/comanage-registry-plugins/tasks/configure.yml b/roles/comanage-registry-plugins/tasks/configure.yml index c4ea5c60..671b0b2f 100644 --- a/roles/comanage-registry-plugins/tasks/configure.yml +++ b/roles/comanage-registry-plugins/tasks/configure.yml @@ -1,11 +1,10 @@ --- - - name: Add ENV vars in cron.d file - cron: + ansible.builtin.cron: name: "{{ item.name }}" job: "{{ item.job }}" user: "{{ item.user }}" - env: yes + env: true cron_file: "{{ item.filename }}" state: present loop: "{{ comanage_plugins_cron_env | default([]) }}" @@ -13,7 +12,7 @@ when: comanage_plugins_cron_env is defined and comanage_plugins_cron_jobs is defined and comanage_plugins_cron_jobs_enabled - name: Ensure COmanage Registry Plugins cron jobs are installed - cron: + ansible.builtin.cron: name: "{{ item.name }}" minute: "{{ item.minute | default(omit) }}" hour: "{{ item.hour | default(omit) }}" @@ -29,13 +28,13 @@ when: comanage_plugins_cron_jobs is defined and comanage_plugins_cron_jobs_enabled - name: Create Symbolic links - file: + ansible.builtin.file: src: "{{ item.target }}" dest: "{{ item.link }}" - force: yes + force: true state: link owner: root group: root loop: "{{ comanage_plugins_symlinks | default([]) }}" become: true - when: comanage_plugins_symlinks is defined \ No newline at end of file + when: comanage_plugins_symlinks is defined diff --git a/roles/comanage-registry-plugins/tasks/install.yml b/roles/comanage-registry-plugins/tasks/install.yml index 10a5b507..cb389642 100644 --- a/roles/comanage-registry-plugins/tasks/install.yml 
+++ b/roles/comanage-registry-plugins/tasks/install.yml @@ -1,31 +1,40 @@ --- - name: Clear cache of COmanage - command: su {{ comanage_registry_plugins_webuser }} -s /bin/sh -c ./Console/clearcache + ansible.builtin.command: su {{ comanage_registry_plugins_webuser }} -s /bin/sh -c ./Console/clearcache args: chdir: "{{ comanage_path }}/app" - become: yes + changed_when: false + become: true + become_user: "{{ comanage_registry_plugins_webuser }}" - name: Ensure COmanage Registry local/Plugins directory exists - file: + ansible.builtin.file: path: "{{ comanage_path }}/local/Plugin" state: directory owner: root group: root - become: yes + mode: "0644" + become: true -- name: Ensure {{ item.name }} is cloned under local/Plugins directory - git: +- name: "Ensure is cloned under local/Plugins directory - {{ item.name }}" + ansible.builtin.git: repo: "{{ item.repository }}" dest: "{{ comanage_path }}/local/Plugin/{{ item.name }}" version: "{{ item.version }}" - accept_hostkey: yes - become: yes + accept_hostkey: true + become: true - name: Create COmanage Registry Plugins schemata - shell: | - ./Console/cake schema create --file schema.php --path "{{ comanage_path }}/local/Plugin/{{ item.name }}/Config/Schema" -y + ansible.builtin.shell: | + set -o pipefail + ./Console/cake \ + schema create \ + --file schema.php \ + --path "{{ comanage_path }}/local/Plugin/{{ item.name }}/Config/Schema" \ + -y args: chdir: "{{ comanage_path }}/app" executable: /bin/sh when: item.status is defined and item.status == "init" - become: yes + changed_when: false # TODO Define change conditions + become: true diff --git a/roles/comanage-registry-plugins/tasks/main.yml b/roles/comanage-registry-plugins/tasks/main.yml index 3c5b5b5a..ae3b9727 100644 --- a/roles/comanage-registry-plugins/tasks/main.yml +++ b/roles/comanage-registry-plugins/tasks/main.yml 
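Review bot: "Clear cache of COmanage" now runs with `become_user: "{{ comanage_registry_plugins_webuser }}"` but still wraps the command in `su {{ comanage_registry_plugins_webuser }} -s /bin/sh -c`; once already running as that user, `su` is a non-root `su` and will typically prompt for a password, so the task hangs or fails instead of clearing the cache. Drop the wrapper and run `./Console/clearcache` directly, as the comanage-registry role's own clear-cache task in this diff does. The `local/Plugin` directory also receives `mode: "0644"`, which on a directory removes the execute bit and leaves it untraversable by the web server; use `"0755"`. `set -o pipefail` in the schema task is a bash feature that `/bin/sh` is not guaranteed to accept and there is no pipeline in that command, so either remove it or set `executable: /bin/bash`.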
@@ -1,36 +1,35 @@ --- - - name: Include OS-specific variables - include_vars: "{{ item }}" + ansible.builtin.include_vars: "{{ item }}" with_first_found: - - "{{ ansible_distribution }}-{{ ansible_distribution_release}}.yml" - - "{{ ansible_distribution }}-{{ ansible_distribution_major_version}}.yml" + - "{{ ansible_distribution }}-{{ ansible_distribution_release }}.yml" + - "{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml" - "{{ ansible_distribution }}.yml" - "{{ ansible_os_family }}.yml" tags: - - always + - always - name: Define COmanage Registry Plugins web user - set_fact: - comanage_registry_plugins_webuser: "{{ comanage_registry_plugins_default_webuser }}" + ansible.builtin.set_fact: + comanage_registry_plugins_webuser: "{{ comanage_registry_plugins_default_webuser }}" when: comanage_registry_plugins_webserver is not defined tags: - - always + - always # Include installation tasks - name: Include Installation tasks - include_tasks: + ansible.builtin.include_tasks: file: install.yml apply: tags: - comanage-registry-plugins:install - loop: "{{ comanage_registry_plugins|flatten(levels=1) }}" + loop: "{{ comanage_registry_plugins | flatten(levels=1) }}" tags: - - comanage-registry-plugins:install + - comanage-registry-plugins:install # Include configuration tasks - name: Include Configure tasks - include_tasks: + ansible.builtin.include_tasks: file: configure.yml apply: tags: diff --git a/roles/comanage-registry/defaults/main.yml b/roles/comanage-registry/defaults/main.yml index bb9dd172..474aa215 100644 --- a/roles/comanage-registry/defaults/main.yml +++ b/roles/comanage-registry/defaults/main.yml 
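Review bot: The set_fact for `comanage_registry_plugins_webuser` is guarded by `when: comanage_registry_plugins_webserver is not defined`, which looks like a variable-name mismatch: an inventory that overrides `comanage_registry_plugins_webuser` still has it replaced by the default, while defining the unrelated `_webserver` name skips the default and leaves `_webuser` unset for the `become_user` in install.yml. If `_webuser` is the intended override point, the condition should be `when: comanage_registry_plugins_webuser is not defined`, or the task can be dropped in favour of a plain default in `defaults/main.yml`. Please confirm which name callers actually set before changing it.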
@@ -2,150 +2,150 @@ # See https://spaces.internet2.edu/display/COmanage/Organizational+Identity+Pooling comanage_org_identity_pooling: "No" -#comanage_admin: -# given_name: "Pat" -# family_name: "Jones Smith" -# username: "pat.jones.smith@university.edu" +# comanage_admin: +# given_name: "Pat" +# family_name: "Jones Smith" +# username: "pat.jones.smith@university.edu" # Override comanage_version with a tag name. This will result to a new directory name comanage-registry- # COmanage will be checked out under {{ comanage_root_dir }}/comanage-registry-{{ comanage_version }} -comanage_version: "rciam24-3.1.x" -comanage_repo: "https://github.com/rciam/comanage-registry.git" -comanage_root_dir: "/srv/comanage" +comanage_version: rciam24-3.1.x +comanage_repo: https://github.com/rciam/comanage-registry.git +comanage_root_dir: /srv/comanage comanage_path: "{{ comanage_root_dir }}/comanage-registry-current" -comanage_webroot: "/var/www/html/registry" -comanage_temp_dir: "/var/cache/registry" -comanage_app_base: "/registry" +comanage_webroot: /var/www/html/registry +comanage_temp_dir: /var/cache/registry +comanage_app_base: /registry comanage_log_engine: error: # Allowed values for handler: "FileLog" | "SyslogLog" - handler: "FileLog" - size: "10MB" + handler: FileLog + size: 10MB rotate: 10 # prefix: "comanage" debug: - handler: "FileLog" - size: "10MB" + handler: FileLog + size: 10MB rotate: 10 # prefix: "comanage" info: - handler: "FileLog" - size: "10MB" + handler: FileLog + size: 10MB rotate: 10 # prefix: "comanage" comanage_databases: - - instance: "default" + - instance: default # Either "Database/Postgres" or "Database/Mysql" - vendor: "Database/Mysql" - persistent: no - host: "localhost" - user: "user" - password: "password" - name: "database_name" - prefix: "cm_" - #encoding: "utf8" - - instance: "test" - vendor: "Database/Mysql" - persistent: no - host: "localhost" - user: "user" - password: "password" - name: "test_database_name" - prefix: "cm_" - #encoding: 
"utf8" + vendor: Database/Mysql + persistent: false + host: localhost + user: user + password: password + name: database_name + prefix: cm_ + # encoding: "utf8" + - instance: test + vendor: Database/Mysql + persistent: false + host: localhost + user: user + password: password + name: test_database_name + prefix: cm_ + # encoding: "utf8" comanage_mailers: - - instance: "default" + - instance: default # Transport configuration name - transport: "Mail" + transport: Mail # Email or array of sender - from: "you@localhost" - #charset: "utf-8" - #header_charset: "utf-8" - - instance: "smtp" - transport: "Smtp" + from: you@localhost + # charset: "utf-8" + # header_charset: "utf-8" + - instance: smtp + transport: Smtp from: - site@localhost: "My Site" - host: "localhost" + site@localhost: My Site + host: localhost port: 25 timeout: 30 - username: "user" - password: "secret" - client: null - log: no - #charset: "utf-8" - #header_charset: "utf-8" - - instance: "fast" - from: "you@localhost" - sender: null - to: null - cc: null - bcc: null - reply_to: null + username: user + password: secret + client: + log: false + # charset: "utf-8" + # header_charset: "utf-8" + - instance: fast + from: you@localhost + sender: + to: + cc: + bcc: + reply_to: # Email address(es) to receive the receipt of read - read_receipt: null + read_receipt: # Email address(es) to return in case of error - return_path: null + return_path: messageId: true - subject: null - message: null - headers: null - view_render: null - template: no - layout: no - view_vars: null - attachments: null - email_format: null - transport: "Smtp" - host: "localhost" + subject: + message: + headers: + view_render: + template: false + layout: false + view_vars: + attachments: + email_format: + transport: Smtp + host: localhost port: 25 timeout: 30 - username: "user" - password: "secret" - client: null - log: yes - #charset: "utf-8" - #header_charset: "utf-8" + username: user + password: secret + client: + log: true + # charset: 
"utf-8" + # header_charset: "utf-8" # Used in login.php and logout.php -comanage_session_name: "CAKEPHP" +comanage_session_name: CAKEPHP comanage_core_session_conf: - defaults: "php" + defaults: php # Ldap Provisioner Entitlements Configuration comanage_ldap_provisioner_entitlements: enable_vo_whitelist: false - vo_whitelist: '' # comma seperated list - vo_roles: '' # comma seperated roles - urn_namespace: '' - urn_authority: '' - vo_group_prefix: '' + vo_whitelist: "" # comma seperated list + vo_roles: "" # comma seperated roles + urn_namespace: "" + urn_authority: "" + vo_group_prefix: "" # Dis/Enable COmanage cache -#comanage_core_cache: true +# comanage_core_cache: true # Dis/Enable COmanage debug mode -#comanage_core_debug: 1 +# comanage_core_debug: 1 -#comanage_logout_location: "/registry.sso/Logout?return=%2Fregistry%2Fpages%2Fpublic%2Floggedout" +# comanage_logout_location: "/registry.sso/Logout?return=%2Fregistry%2Fpages%2Fpublic%2Floggedout" # Used in Controller/AppController.php, View/Layout/default.ctp, View/Layout/lightbox.ctp -#comanage_timezone_cookie_name: "cookie_tz_auto" +# comanage_timezone_cookie_name: "cookie_tz_auto" -#comanage_memcache_hosts: -# - ip: '127.0.0.1' -# port: 11211 -# - ip: '127.0.0.1' -# port: 11212 +# comanage_memcache_hosts: +# - ip: '127.0.0.1' +# port: 11211 +# - ip: '127.0.0.1' +# port: 11212 -#comanage_memcache_options: -# - key: "Memcached::OPT_NO_BLOCK" -# value: true -# - key: "Memcached::OPT_DISTRIBUTION" -# value: true +# comanage_memcache_options: +# - key: "Memcached::OPT_NO_BLOCK" +# value: true +# - key: "Memcached::OPT_DISTRIBUTION" +# value: true # Backup the Comanage directory -#comanage_backup: yes +# comanage_backup: yes # Security.cipherSeed is a random numeric string (digits only) used to encrypt/decrypt strings. # It is read from the file app/Config/security.seed and should be at least 29 
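Review bot: The database and mailer entries still ship credential-shaped defaults (`user: user`, `password: password`, `password: secret`), and a default in `defaults/main.yml` is used silently whenever an inventory forgets to override it, so a deployment can come up pointed at `localhost` with a guessable password. Leaving `password` unset (or `null`) so the template fails at deploy time is the safer default; where a placeholder must remain, a comment saying it must be overridden helps. The bare `client:`, `sender:`, `to:` and similar keys that replaced `null` parse to null as well, but an explicit `null` reads as intentional rather than as an accidentally blank value.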
@@ -161,7 +161,7 @@ comanage_ldap_provisioner_entitlements: # Salt: cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 40 | head -n 1 | xargs echo -n # comanage_security_salt: "defaultsecretsalt" -#comanage_cron_jobs: +# comanage_cron_jobs: # - name: "Action Name" # minute: "0" # filename: "registry" @@ -170,4 +170,4 @@ comanage_ldap_provisioner_entitlements: # cd {{ path_to_registry }}/app && Console/cake action # Whether to install COmanage cron jobs; Enabled by default -comanage_cron_jobs_enabled: yes \ No newline at end of file +comanage_cron_jobs_enabled: true diff --git a/roles/comanage-registry/tasks/configure.yml b/roles/comanage-registry/tasks/configure.yml index 5af7a99e..fdcfeaae 100644 --- a/roles/comanage-registry/tasks/configure.yml +++ b/roles/comanage-registry/tasks/configure.yml 
@@ -1,51 +1,51 @@ --- - - name: Configure COmanage Registry database connections - template: - src: "database.php.j2" + ansible.builtin.template: + src: database.php.j2 dest: "{{ comanage_path }}/local/Config/database.php" owner: "{{ comanage_webserver_user }}" group: "{{ comanage_webserver_group }}" - mode: 0600 - backup: yes - become: yes + mode: "0600" + backup: true + become: true tags: - - comanage-registry:config:db + - comanage-registry:config:db - name: Configure COmanage Registry email settings - template: - src: "email.php.j2" + ansible.builtin.template: + src: email.php.j2 dest: "{{ comanage_path }}/local/Config/email.php" owner: "{{ comanage_webserver_user }}" group: "{{ comanage_webserver_group }}" - mode: 0600 - backup: yes - become: yes + mode: "0600" + backup: true + become: true tags: - - comanage-registry:config:email + - comanage-registry:config:email - name: Configure COmanage Registry ldap entitlement settings - template: - src: "ldap.php.j2" + ansible.builtin.template: + src: ldap.php.j2 dest: "{{ comanage_path }}/local/Config/ldap.php" owner: "{{ comanage_webserver_user }}" group: "{{ comanage_webserver_group }}" - mode: 0600 - backup: yes - become: yes + mode: "0600" + backup: true + become: true tags: - - comanage-registry:config:ldap + - comanage-registry:config:ldap # Seed: cat /dev/urandom | tr -dc '0-9' | fold -w 29 | head -n 1 | xargs echo -n # Salt: cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 40 | head -n 1 | xargs echo -n - name: Configure COmanage Registry security.salt and security.seed - template: + ansible.builtin.template: src: "{{ item }}.j2" dest: "{{ comanage_path }}/local/Config/{{ item }}" owner: "{{ comanage_webserver_user }}" group: "{{ comanage_webserver_group }}" - backup: yes - become: yes + mode: "0600" + backup: true + become: true loop: - security.salt - security.seed 
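Review bot: `database.php`, `email.php`, `ldap.php` and the salt/seed files are written with `owner: "{{ comanage_webserver_user }}"` and `mode: "0600"`, so the PHP process that serves requests owns, and can rewrite, its own DB credentials and signing salt; `owner: root`, `group: "{{ comanage_webserver_group }}"`, `mode: "0640"` gives the web server read access without write. `backup: true` on each of these tasks also leaves timestamped copies of previous credentials and salts beside the live file on every change, which is worth disabling for the secret-bearing files or cleaning up afterwards. The `mode: "0600"` added to the salt/seed task is a good catch and should stay.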
@@ -53,82 +53,84 @@ - comanage-registry:config:security - name: Configure COmanage Registry app/webroot/.htaccess - blockinfile: + ansible.builtin.blockinfile: dest: "{{ comanage_path }}/app/webroot/.htaccess" - backup: yes + backup: true marker: "# {mark} ANSIBLE MANAGED BLOCK" - insertafter: "EOF" + insertafter: EOF block: "{{ comanage_app_webroot_htaccess }}" when: comanage_app_webroot_htaccess is defined - become: yes + become: true tags: - - comanage-registry:config:webroot + - comanage-registry:config:webroot - name: Configure COmanage Registry auth session name - lineinfile: + ansible.builtin.lineinfile: dest: "{{ item }}" - regexp: "^session_name" - line: 'session_name("{{ comanage_session_name }}");' + regexp: ^session_name + line: session_name("{{ comanage_session_name }}"); with_items: - - "{{ comanage_path }}/app/webroot/auth/login/index.php" - - "{{ comanage_path }}/app/webroot/auth/logout/index.php" - become: yes + - "{{ comanage_path }}/app/webroot/auth/login/index.php" + - "{{ comanage_path }}/app/webroot/auth/logout/index.php" + become: true tags: - - comanage-registry:config:webroot + - comanage-registry:config:webroot - name: Configure COmanage Registry logout location - replace: + ansible.builtin.replace: dest: "{{ comanage_path }}/app/webroot/auth/logout/index.php" - backup: yes - regexp: '\/registry\/users\/logout' + backup: true + regexp: \/registry\/users\/logout replace: "{{ comanage_logout_location }}" when: comanage_logout_location is defined - become: yes + become: true tags: - - comanage-registry:config:webroot + - comanage-registry:config:webroot - name: Configure COmanage Registry timezone cookie name - replace: + ansible.builtin.replace: dest: "{{ item }}" - backup: yes - regexp: "cm_registry_tz_auto" + backup: true + regexp: cm_registry_tz_auto replace: "{{ comanage_timezone_cookie_name }}" with_items: - - "{{ comanage_path }}/app/Controller/AppController.php" - - "{{ comanage_path }}/app/View/Layouts/default.ctp" - - "{{ 
comanage_path }}/app/View/Layouts/lightbox.ctp" + - "{{ comanage_path }}/app/Controller/AppController.php" + - "{{ comanage_path }}/app/View/Layouts/default.ctp" + - "{{ comanage_path }}/app/View/Layouts/lightbox.ctp" when: comanage_timezone_cookie_name is defined - become: yes + become: true # According to COmanage this is not a mandatory step for the setup - name: Configure COmanage Registry core.php - template: - src: "core.php.j2" + ansible.builtin.template: + src: core.php.j2 dest: "{{ comanage_path }}/app/Config/core.php" owner: root group: root - backup: yes - become: yes + backup: true + mode: "0600" + become: true tags: - - comanage-registry:config:core + - comanage-registry:config:core - name: Configure COmanage Registry bootstrap.php - template: - src: "bootstrap.php.j2" + ansible.builtin.template: + src: bootstrap.php.j2 dest: "{{ comanage_path }}/app/Config/bootstrap.php" owner: root group: root - backup: yes - become: yes + mode: "0600" + backup: true + become: true tags: - - comanage-registry:config:bootstrap + - comanage-registry:config:bootstrap - name: Add ENV vars in cron.d file - cron: + ansible.builtin.cron: name: "{{ item.name }}" job: "{{ item.job }}" user: "{{ item.user }}" - env: yes + env: true cron_file: "{{ item.filename }}" state: present loop: "{{ comanage_cron_env | default([]) }}" @@ -136,7 +138,7 @@ when: comanage_cron_env is defined and comanage_cron_jobs is defined and comanage_cron_jobs_enabled - name: Ensure COmanage Registry cron jobs are installed - cron: + ansible.builtin.cron: name: "{{ item.name }}" minute: "{{ item.minute | default(omit) }}" hour: "{{ item.hour | default(omit) }}" 
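Review bot: The new `mode: "0600"` combined with the existing `owner: root` / `group: root` on `app/Config/core.php` and `app/Config/bootstrap.php` locks the web server out of two files the application loads at request time (the bootstrap.php.j2 header in this diff says it is loaded by `app/webroot/index.php` after core.php); before this change the files kept whatever mode the checkout gave them, so this is a regression that will surface on the next deploy unless PHP runs as root. If these files are considered sensitive, `group: "{{ comanage_webserver_group }}"` with `mode: "0640"` keeps them readable by PHP only; otherwise `mode: "0644"`. The same ownership pattern is used in the previous hunk for `database.php`, so whichever choice is made should be applied consistently.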
@@ -153,10 +155,10 @@ # Tasks adding/copying/replacing files - name: Update/Copy tasks - include_tasks: + ansible.builtin.include_tasks: file: static_files.yml apply: tags: - - comanage-registry:config:staticfiles + - comanage-registry:config:staticfiles tags: - - comanage-registry:config:staticfiles \ No newline at end of file + - comanage-registry:config:staticfiles diff --git a/roles/comanage-registry/tasks/initialize.yml b/roles/comanage-registry/tasks/initialize.yml index 01728ecf..7e578de6 100644 --- a/roles/comanage-registry/tasks/initialize.yml +++ b/roles/comanage-registry/tasks/initialize.yml @@ -1,18 +1,24 @@ --- - - name: Configure COmanage Registry database schema - shell: Console/cake database + ansible.builtin.command: Console/cake database args: chdir: "{{ comanage_path }}/app" - become: yes + become: true + changed_when: false become_user: "{{ comanage_webserver_user }}" tags: - comanage-registry:init:db - name: Configure COmanage Registry platform admin and org identity pooling - shell: Console/cake setup --admin-given-name "{{ comanage_admin.given_name }}" --admin-family-name "{{ comanage_admin.family_name }}" --admin-username "{{ comanage_admin.username }}" --enable-pooling={{ comanage_org_identity_pooling }} + ansible.builtin.command: |- + Console/cake setup \ + --admin-given-name "{{ comanage_admin.given_name }}" \ + --admin-family-name "{{ comanage_admin.family_name }}" \ + --admin-username "{{ comanage_admin.username }}" \ + --enable-pooling={{ comanage_org_identity_pooling }} + changed_when: false args: chdir: "{{ comanage_path }}/app" - become: yes + become: true tags: - - comanage-registry:init:admin \ No newline at end of file + - comanage-registry:init:admin diff --git a/roles/comanage-registry/tasks/install.yml b/roles/comanage-registry/tasks/install.yml index 025dc481..9e167296 100644 --- a/roles/comanage-registry/tasks/install.yml +++ b/roles/comanage-registry/tasks/install.yml 
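Review bot: The `setup` task in initialize.yml now passes a `|-` block with backslash line continuations to `ansible.builtin.command`; that module does not go through a shell and splits its argument string shlex-style, where a backslash-newline pair is not a continuation but produces a stray argument containing a newline, so `Console/cake setup` should receive unexpected tokens (check with `-vvv`). A folded scalar with no backslashes avoids this: `ansible.builtin.command: >-` followed by the options on indented continuation lines folds to one line. `changed_when: false` on both `cake database` and `cake setup` also hides that these tasks mutate the database and create the platform admin; registering the output and deriving `changed_when` from it, or a `creates:` guard, would report more honestly.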
@@ -1,64 +1,64 @@ --- - - name: Ensure COmanage Registry root directory exists - file: + ansible.builtin.file: path: "{{ comanage_root_dir }}" state: directory owner: root group: root - become: yes + mode: "0755" + become: true - name: Ensure COmanage Registry source is cloned under root directory - git: + ansible.builtin.git: repo: "{{ comanage_repo }}" dest: "{{ comanage_root_dir }}/comanage-registry-{{ comanage_version }}" version: "{{ comanage_version }}" - accept_hostkey: yes - ignore_errors: yes - become: yes + accept_hostkey: true + ignore_errors: true # noqa ignore-errors + become: true - name: Ensure symbolic link to current COmanage Registry installation exists - file: + ansible.builtin.file: src: "{{ comanage_root_dir }}/comanage-registry-{{ comanage_version }}" dest: "{{ comanage_path }}" - force: yes + force: true state: link owner: root group: root - become: yes + become: true - name: Ensure COmanage Registry webroot directory exists - file: + ansible.builtin.file: src: "{{ comanage_path }}/app/webroot" dest: "{{ comanage_webroot }}" state: link - force: yes + force: true owner: root group: root - become: yes + become: true - name: Ensure COmanage Registry temp directory tree is initialised - command: "cp -r {{ comanage_path }}/app/tmp.dist {{ comanage_temp_dir }}" + ansible.builtin.command: cp -r {{ comanage_path }}/app/tmp.dist {{ comanage_temp_dir }} args: creates: "{{ comanage_temp_dir }}" - become: yes + become: true - name: Ensure COmanage Registry temp directory exists and is writable by webserver only - file: + ansible.builtin.file: path: "{{ comanage_temp_dir }}" state: directory owner: "{{ comanage_webserver_user }}" group: "{{ comanage_webserver_group }}" - mode: 0700 - recurse: yes - become: yes + mode: "0700" + recurse: true + become: true - name: Ensure link to COmanage Registry temp directory exists - file: + ansible.builtin.file: src: "{{ comanage_temp_dir }}" dest: "{{ comanage_path }}/local/tmp" state: link owner: root group: root - 
follow: no - become: yes + follow: false + become: true diff --git a/roles/comanage-registry/tasks/main.yml b/roles/comanage-registry/tasks/main.yml index e74a8315..28868d2d 100644 --- a/roles/comanage-registry/tasks/main.yml +++ b/roles/comanage-registry/tasks/main.yml 
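Review bot: The clone task keeps `ignore_errors: true` (now with a noqa), so a failed clone or checkout is only a warning and the next task still repoints the `comanage_path` symlink with `force: true`, possibly at a directory that was never created. If the suppression exists because later tasks modify the checkout (static_files.yml copies files into it) and make `git checkout` fail on re-runs, registering the result and failing only when the destination directory is absent expresses that intent without hiding first-time failures. The temp-directory task applies `mode: "0700"` with `recurse: true`, which also sets the execute bit on every file under `comanage_temp_dir`; that is harmless but not what "writable by webserver only" implies.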
@@ -1,55 +1,54 @@ --- - - name: Include OS-specific variables - include_vars: "{{ item }}" + ansible.builtin.include_vars: "{{ item }}" with_first_found: - - "{{ ansible_distribution }}-{{ ansible_distribution_release}}.yml" - - "{{ ansible_distribution }}-{{ ansible_distribution_major_version}}.yml" + - "{{ ansible_distribution }}-{{ ansible_distribution_release }}.yml" + - "{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml" - "{{ ansible_distribution }}.yml" - "{{ ansible_os_family }}.yml" tags: - - always + - always # Check if COmanage current is available - name: Check if COmanage Current directory is present - stat: + ansible.builtin.stat: path: "{{ comanage_path }}" register: comanage_current_dir tags: - always - name: COmanage Current directory exists? - debug: - msg: "COmanage Current Exists: {{comanage_current_dir.stat.exists}}" + ansible.builtin.debug: + msg: "COmanage Current Exists: {{ comanage_current_dir.stat.exists }}" tags: - always -#Create a task to take backup of the directory first +# Create a task to take backup of the directory first - name: Backup comanage directory - copy: + ansible.builtin.copy: src: "{{ comanage_current_dir.stat.lnk_target }}" dest: "{{ comanage_current_dir.stat.lnk_target }}.{{ ansible_date_time.iso8601 }}" - remote_src: yes - force: yes + remote_src: true + force: true owner: root mode: preserve backup: true - become: yes + become: true when: - comanage_backup is defined - comanage_backup|bool - comanage_current_dir.stat.exists tags: - - always + - always -- name: COmanage clear cache - shell: Console/clearcache +- name: COmanage clear cache # noqa no-changed-when + ansible.builtin.shell: Console/clearcache args: executable: /bin/bash chdir: "{{ comanage_path }}/app" - become: yes + become: true become_user: "{{ comanage_webserver_user }}" - ignore_errors: yes + ignore_errors: true # noqa ignore-errors when: - comanage_current_dir.stat.exists tags: 
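Review bot: The backup task reads `comanage_current_dir.stat.lnk_target`, which stat only returns when the path is a symlink, but the `when` list checks only `comanage_current_dir.stat.exists`; if `comanage_path` ever exists as a real directory the task fails on an undefined attribute instead of skipping. Adding `- comanage_current_dir.stat.islnk` to the `when` list makes the assumption explicit. Because the destination carries `ansible_date_time.iso8601`, every run with `comanage_backup` true also produces a new full copy of the tree, including `local/Config` with its credentials and salt, so some retention or cleanup is needed to keep old secrets from accumulating on disk.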
@@ -57,17 +56,17 @@ # Tasks deploying COmanage framework. There is none conditional task. - name: Include OS-independent installation tasks - include_tasks: + ansible.builtin.include_tasks: file: install.yml apply: tags: - - comanage-registry:install + - comanage-registry:install tags: - - comanage-registry:install + - comanage-registry:install - # Tasks required for basic Framework functionality +# Tasks required for basic Framework functionality - name: Include OS-independent initialize tasks - include_tasks: + ansible.builtin.include_tasks: file: initialize.yml apply: tags: @@ -77,10 +76,10 @@ # Tasks that are Deployment Specific - name: Include OS-independent configuration tasks - include_tasks: + ansible.builtin.include_tasks: file: configure.yml apply: tags: - - comanage-registry:config + - comanage-registry:config tags: - - comanage-registry:config + - comanage-registry:config diff --git a/roles/comanage-registry/tasks/static_files.yml b/roles/comanage-registry/tasks/static_files.yml index 5c1f4b41..de658173 100644 --- a/roles/comanage-registry/tasks/static_files.yml +++ b/roles/comanage-registry/tasks/static_files.yml 
@@ -1,36 +1,35 @@ --- - - name: Register COmanage files to be copied - find: + ansible.builtin.find: paths: "{{ inventory_dir }}/files/comanage-registry" file_type: file - recurse: yes + recurse: true register: comanage_files - ignore_errors: yes + ignore_errors: true delegate_to: 127.0.0.1 vars: ansible_connection: local - name: Display files to be copied - debug: + ansible.builtin.debug: msg: "{{ comanage_path }}/{{ item.path | regex_replace('(.*)[/]files[/]comanage-registry[/](.*)', '\\2') }}" verbosity: 1 loop: "{{ comanage_files.files }}" loop_control: - label: "Copied file {{ item.path }}" + label: Copied file {{ item.path }} when: comanage_files is defined - name: Copy COmanage files - copy: + ansible.builtin.copy: src: "{{ item.path }}" dest: "{{ comanage_path }}/{{ item.path | regex_replace('(.*)[/]files[/]comanage-registry[/](.*)', '\\2') }}" - force: yes + force: true owner: root - mode: 0664 + mode: "0664" backup: true loop: "{{ comanage_files.files }}" loop_control: - label: "Added file {{ comanage_path }}/{{ item.path | regex_replace('(.*)[/]files[/]comanage-registry[/](.*)', '\\2') }}" - become: yes - ignore_errors: yes + label: Added file {{ comanage_path }}/{{ item.path | regex_replace('(.*)[/]files[/]comanage-registry[/](.*)', '\2') }} + become: true + ignore_errors: true # noqa ignore-errors when: comanage_files is defined diff --git a/roles/comanage-registry/templates/bootstrap.php.j2 b/roles/comanage-registry/templates/bootstrap.php.j2 index 90aac8b7..3421b376 100644 --- a/roles/comanage-registry/templates/bootstrap.php.j2 +++ b/roles/comanage-registry/templates/bootstrap.php.j2 
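Review bot: Files copied into the application tree get `mode: "0664"` with `owner: root` and no `group:`, so they are group-writable by whatever group the destination inherits; since these files overwrite application code under `comanage_path`, any member of that group can alter what the web server serves. `mode: "0644"` with an explicit `group: root` is the safer default. `ignore_errors: true` on the copy also turns a failed override deployment into a warning; if the only case to tolerate is a missing source directory, the `find` task appears to return an empty list for that already, so the suppression on the copy can go.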
@@ -2,7 +2,7 @@ /** * This file is loaded automatically by the app/webroot/index.php file after core.php * - * This file should load/create any application wide configuration settings, such as + * This file should load/create any application wide configuration settings, such as * Caching, Logging, loading additional configuration files. * * You should also use this file to include any files that provide global functions/constants @@ -163,5 +163,3 @@ CakeLog::config('error', array( 'rotate' => {{ comanage_log_engine.error.rotate }}, {% endif %} )); - - diff --git a/roles/comanage-registry/vars/Debian.yml b/roles/comanage-registry/vars/Debian.yml index 3a7bb5ed..dae8a17e 100644 --- a/roles/comanage-registry/vars/Debian.yml +++ b/roles/comanage-registry/vars/Debian.yml @@ -1,4 +1,4 @@ --- -comanage_webserver_user: "www-data" -comanage_webserver_group: "www-data" +comanage_webserver_user: www-data +comanage_webserver_group: www-data diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml index 53aa9a00..cf182dd6 100644 --- a/roles/common/defaults/main.yml +++ b/roles/common/defaults/main.yml @@ -1,3 +1,2 @@ --- - -common_tz: "Europe/Amsterdam" +common_tz: Europe/Amsterdam diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml index 66bbab2f..cdc96ea5 100644 --- a/roles/common/handlers/main.yml +++ b/roles/common/handlers/main.yml @@ -1,5 +1,5 @@ --- - -- name: Update timezone - command: "{{ common_set_tz_cmd }}" - become: yes +- name: Update timezone # noqa syntax-check[unknown-module] + community.general.timezone: # noqa syntax-check[unknown-module] + name: "{{ common_tz }}" + become: true diff --git a/roles/common/tasks/configure-Debian.yml b/roles/common/tasks/configure-Debian.yml index e64ecf85..ad1d316d 100644 --- a/roles/common/tasks/configure-Debian.yml +++ b/roles/common/tasks/configure-Debian.yml 
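Review bot: In `roles/common/handlers/main.yml` the `# noqa syntax-check[unknown-module]` placed on both the task name and the `community.general.timezone:` line suppresses the lint error that reports the collection as unresolvable, instead of declaring the dependency; add a pinned `community.general` entry to a collections `requirements.yml` and install it in the lint workflow so the new dependency is tracked rather than silenced. The same collection is relied on by `community.general.npm` in `roles/federation-registry/tasks/configure-environment.yml` and `deploy.yml` in this commit. With the handler no longer shelling out, `roles/common/tasks/configure-Debian.yml` still templates `/etc/timezone` and then notifies this handler, so two mechanisms now write timezone state — confirm the template and `common_tz` agree, or let the module own the file.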
@@ -1,12 +1,11 @@ --- - - name: Configure timezone - template: + ansible.builtin.template: src: etc/timezone.j2 dest: /etc/timezone owner: root - group: root - mode: 0644 - become: yes + group: root + mode: "0644" + become: true notify: - - Update timezone + - Update timezone diff --git a/roles/common/tasks/configure-common.yml b/roles/common/tasks/configure-common.yml index b06f073e..08f4eee7 100644 --- a/roles/common/tasks/configure-common.yml +++ b/roles/common/tasks/configure-common.yml @@ -1,10 +1,9 @@ --- - - name: Configure Vim system-wide defaults - template: + ansible.builtin.template: src: etc/vim/vimrc.j2 dest: /etc/vim/vimrc owner: root group: root - mode: 0644 - become: yes + mode: "0644" + become: true diff --git a/roles/common/tasks/install-Debian.yml b/roles/common/tasks/install-Debian.yml index 6f68fd64..e00aebe6 100644 --- a/roles/common/tasks/install-Debian.yml +++ b/roles/common/tasks/install-Debian.yml @@ -1,17 +1,16 @@ --- - - name: Update package cache (Debian) - apt: - update_cache: yes + ansible.builtin.apt: + update_cache: true cache_valid_time: 86400 - become: yes + become: true - name: Ensure common packages are installed (Debian) - apt: + ansible.builtin.apt: pkg: - aptitude - ca-certificates - vim-nox state: present - install_recommends: no + install_recommends: false become: true diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index aff77b66..4af47137 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml 
@@ -1,22 +1,21 @@ --- - - name: Include OS-specific variables - include_vars: "{{ ansible_os_family }}.yml" + ansible.builtin.include_vars: "{{ ansible_os_family }}.yml" -# Install OS-specific packages -- include: install-Debian.yml +- name: Include Debian-specific tasks + ansible.builtin.include_tasks: install-Debian.yml when: ansible_os_family == 'Debian' -#- include: install-CentOS.yml +# - include: install-CentOS.yml # when: ansible_os_family == 'CentOS' # Run OS-independent installation tasks -#- include: install-common.yml +# - include: install-common.yml -# Apply OS-specific configuration -- include: configure-Debian.yml +- name: Apply OS-specific configuration + ansible.builtin.include_tasks: configure-Debian.yml when: ansible_os_family == 'Debian' -#- include: configure-CentOS.yml +# - include: configure-CentOS.yml # when: ansible_os_family == 'CentOS' -# Apply OS-independent configuration -- include: configure-common.yml +- name: Apply OS-independent configuration + ansible.builtin.include_tasks: configure-common.yml diff --git a/roles/common/vars/Debian.yml b/roles/common/vars/Debian.yml index 7d0c449b..d3c04433 100644 --- a/roles/common/vars/Debian.yml +++ b/roles/common/vars/Debian.yml @@ -1,3 +1,2 @@ --- - -common_set_tz_cmd: "dpkg-reconfigure --frontend noninteractive tzdata" +common_set_tz_cmd: dpkg-reconfigure --frontend noninteractive tzdata diff --git a/roles/dirmngr/tasks/install-Debian.yml b/roles/dirmngr/tasks/install-Debian.yml index 974a99ae..0972c15a 100644 --- a/roles/dirmngr/tasks/install-Debian.yml +++ b/roles/dirmngr/tasks/install-Debian.yml 
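Review bot: `roles/common/vars/Debian.yml` still defines `common_set_tz_cmd`, but its only consumer was the `command:` in `roles/common/handlers/main.yml` that this commit replaces with `community.general.timezone`; the variable is now dead and should be deleted rather than re-quoted. In `roles/common/tasks/main.yml` the move from `include` to `ansible.builtin.include_tasks` makes the includes dynamic, so tags placed on the include are not inherited by the included tasks unless passed through `apply:` — the `roles/comanage-registry/tasks/main.yml` hunk in this commit uses `apply: tags:` for exactly that; if this role is ever run with tags, the same pattern is needed here.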
@@ -1,11 +1,16 @@ --- - name: Update package cache (Debian) - apt: update_cache=yes cache_valid_time=86400 - become: yes + ansible.builtin.apt: + update_cache: true + cache_valid_time: 86400 + become: true - name: Ensure dirmngr is installed (Debian) - apt: name={{ item }} state=present install_recommends=no + ansible.builtin.apt: + name: "{{ item }}" + state: present + install_recommends: false with_items: - dirmngr - become: yes + become: true diff --git a/roles/dirmngr/tasks/main.yml b/roles/dirmngr/tasks/main.yml index d4cdedb6..270496d5 100644 --- a/roles/dirmngr/tasks/main.yml +++ b/roles/dirmngr/tasks/main.yml @@ -1,7 +1,6 @@ --- - -# Install OS-specific packages -- include: install-Debian.yml +- name: Install OS-specific packages + ansible.builtin.include_tasks: install-Debian.yml when: ansible_os_family == 'Debian' -#- include: install-RedHat.yml +# - include: install-RedHat.yml # when: ansible_os_family == 'RedHat' diff --git a/roles/egi-igtf/handlers/main.yml b/roles/egi-igtf/handlers/main.yml new file mode 100644 index 00000000..914b3a32 --- /dev/null +++ b/roles/egi-igtf/handlers/main.yml @@ -0,0 +1,4 @@ +- name: Update /etc/ssl/certs and certificates.crt with EGI Trust Anchors (Debian) # noqa no-changed-when + ansible.builtin.command: "/usr/sbin/update-ca-certificates -f" + become: true + listen: Update certs diff --git a/roles/egi-igtf/tasks/configure-Debian.yml b/roles/egi-igtf/tasks/configure-Debian.yml index 967000fe..747a6ae6 100644 --- a/roles/egi-igtf/tasks/configure-Debian.yml +++ b/roles/egi-igtf/tasks/configure-Debian.yml 
@@ -1,21 +1,25 @@ --- - +# egi-igtf/tasks/configure-Debian.yml - name: Ensure dir for EGI Trust Anchor symlinks exists (Debian) - file: path="/usr/local/share/ca-certificates/egi-igtf" state=directory - become: yes + ansible.builtin.file: + path: /usr/local/share/ca-certificates/egi-igtf + state: directory + mode: "0755" + owner: root + group: root + become: true - name: Register EGI Trust Anchors to symlink (Debian) - shell: "ls /etc/grid-security/certificates/*.0" + ansible.builtin.shell: "ls /etc/grid-security/certificates/*.0" # noqa register: egi_igtf_certs changed_when: false - name: Ensure symlinks to EGI Trust Anchors exist (Debian) - file: path="/usr/local/share/ca-certificates/egi-igtf/{{ item | basename}}.crt" src="{{ item }}" state=link + ansible.builtin.file: + path: "/usr/local/share/ca-certificates/egi-igtf/{{ item | basename }}.crt" + src: "{{ item }}" + state: link with_items: "{{ egi_igtf_certs.stdout_lines }}" register: egi_igtf_cert_symlinks - become: yes - -- name: Update /etc/ssl/certs and certificates.crt with EGI Trust Anchors (Debian) - command: "/usr/sbin/update-ca-certificates -f" - when: egi_igtf_cert_symlinks is changed - become: yes + become: true + notify: Update certs diff --git a/roles/egi-igtf/tasks/install-Debian.yml b/roles/egi-igtf/tasks/install-Debian.yml index fc7ce639..64db212b 100644 --- a/roles/egi-igtf/tasks/install-Debian.yml +++ b/roles/egi-igtf/tasks/install-Debian.yml 
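Review bot: `register: egi_igtf_cert_symlinks` on the symlink task is now unused — its only reader was the `when: egi_igtf_cert_symlinks is changed` on the `update-ca-certificates` task that this hunk moves into the `Update certs` handler — so the register should go. The bare `# noqa` on `ansible.builtin.shell: "ls /etc/grid-security/certificates/*.0"` silences every rule on that line; the shell glob is also what makes the task fragile on unexpected filenames, and `ansible.builtin.find` gives a structured file list without any suppression, as below. The `mode: "0755"` / `owner: root` / `group: root` added to the drop-in directory are the right values for a CA directory and worth keeping.
```yaml
- name: Register EGI Trust Anchors to symlink (Debian)
  ansible.builtin.find:
    paths: /etc/grid-security/certificates
    patterns: "*.0"
    file_type: file
  register: egi_igtf_certs

- name: Ensure symlinks to EGI Trust Anchors exist (Debian)
  ansible.builtin.file:
    path: "/usr/local/share/ca-certificates/egi-igtf/{{ item | basename }}.crt"
    src: "{{ item }}"
    state: link
  loop: "{{ egi_igtf_certs.files | map(attribute='path') | list }}"
  become: true
  notify: Update certs
```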
@@ -1,19 +1,19 @@ --- - name: Ensure EUGridPMA apt key is installed (Debian) - apt_key: + ansible.builtin.apt_key: url: "{{ egi_igtf_repo_key_url }}" - state: present - become: yes + state: present + become: true - name: Ensure EGI Trust Anchor repository is included (Debian) - apt_repository: - repo: "deb {{ egi_igtf_repo_url }} egi-igtf {{ egi_igtf_components }}" - state: present - become: yes + ansible.builtin.apt_repository: + repo: "deb {{ egi_igtf_repo_url }} egi-igtf {{ egi_igtf_components }}" + state: present + become: true - name: Ensure latest versions of EGI Trust Anchors are installed (Debian) - apt: - name: ca-policy-egi-core - state: latest - update_cache: yes - become: yes + ansible.builtin.apt: + name: ca-policy-egi-core # This really needs a version attached to it! + state: present + update_cache: true + become: true diff --git a/roles/egi-igtf/tasks/main.yml b/roles/egi-igtf/tasks/main.yml index 817b6083..59b53fdf 100644 --- a/roles/egi-igtf/tasks/main.yml +++ b/roles/egi-igtf/tasks/main.yml @@ -1,12 +1,12 @@ --- - +# egi-igtf/tasks/main.yml - name: Include OS-specific variables - include_vars: "{{ ansible_os_family }}.yml" + ansible.builtin.include_vars: "{{ ansible_os_family }}.yml" -# Run OS-specific installation tasks -- include: install-Debian.yml +- name: Run OS-specific installation tasks + ansible.builtin.include_tasks: install-Debian.yml when: ansible_os_family == 'Debian' -# Apply OS-specific configuration -- include: configure-Debian.yml +- name: Apply OS-specific configuration + ansible.builtin.include_tasks: configure-Debian.yml when: ansible_os_family == 'Debian' diff --git a/roles/federation-registry/README.md b/roles/federation-registry/README.md index 3f185a1a..6af1d7a3 100644 --- a/roles/federation-registry/README.md +++ b/roles/federation-registry/README.md 
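Review bot: Changing `ca-policy-egi-core` from `state: latest` to `state: present` means a host that already has the package never receives updated trust anchors from this role, so a withdrawn or rotated IGTF CA stays trusted until someone upgrades by hand; the inline `# This really needs a version attached to it!` names the gap but leaves it open. Either keep `state: latest  # noqa package-latest` (the rule being avoided) or add an explicit `version: "{{ egi_igtf_policy_version }}"` variable (name constructed) so the pin is visible and reviewable. Separately, `ansible.builtin.apt_key` places the EUGridPMA key in the global apt keyring where it can sign any repository, and `apt-key` is deprecated on current Debian; fetching the key into `/etc/apt/keyrings/` and confining it with `signed-by=` on the repo line, as sketched below, limits what that key can vouch for.
```yaml
- name: Ensure EUGridPMA signing key is installed (Debian)
  ansible.builtin.get_url:
    url: "{{ egi_igtf_repo_key_url }}"
    dest: /etc/apt/keyrings/egi-igtf.asc  # constructed path; use .gpg if the URL serves a binary keyring
    mode: "0644"
  become: true

- name: Ensure EGI Trust Anchor repository is included (Debian)
  ansible.builtin.apt_repository:
    repo: "deb [signed-by=/etc/apt/keyrings/egi-igtf.asc] {{ egi_igtf_repo_url }} egi-igtf {{ egi_igtf_components }}"
    state: present
  become: true

# … unchanged: apt task for ca-policy-egi-core (with state: latest or an explicit version) …
```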
@@ -1,35 +1,35 @@ ### Description -This role deploys the [Federation Registry](https://github.com/rciam/rciam-federation-registry) project. +This role deploys the [Federation Registry](https://github.com/rciam/rciam-federation-registry) project. ### Task Analysis - **configure-environment** : + **configure-environment** : - Installs necessary packages - Set's up github ssh key to clone repo (Can do it manually beforehand or Change to Https) - -**postgres** : (To run this tast include the postgres tag when running the playbook) -- Runs initialization script that creates the necessary SQL tables + +**postgres** : (To run this tast include the postgres tag when running the playbook) +- Runs initialization script that creates the necessary SQL tables - Runs initialization script for tenants -**configure-ams:** +**configure-ams:** - Creates Deployment Result Topic and Push Subscription in the Ams Messaging Service - -**deploy**: -- Clones Repo -- Runs Express Backend instance with pm2 serving at http://localhost:5000 -- Builds React Frontend -- Runs Ams Agent node.js agent with pm2 + +**deploy**: +- Clones Repo +- Runs Express Backend instance with pm2 serving at http://localhost:5000 +- Builds React Frontend +- Runs Ams Agent node.js agent with pm2 - Activates Push Subscription for Deployment Result Topic ### Configuring the Inventory - **main.yml:** + **main.yml:** - Ams Configuration (federation_registry_ams): - - Set host of the AMS instance + - Set host of the AMS instance - A preconfigured project and an admin user is needed. Set project name and admin_token accordingly - agent_key is the Authorisation Key used for the communitation of the Ams Agent and the Federation Registry Backend - - Folder Paths: + - Folder Paths: - Set deployment Path for each component - Git (federation_registry_git): - Set url for ssh or https 
@@ -38,6 +38,6 @@ This role deploys the [Federation Registry](https://github.com/rciam/rciam-feder **config.json:** Configure the file based on the tenant information and instance requirements - **hosts.ini:** + **hosts.ini:** - federation-registry: Federation Registry Backend and Frontend gets deployed for hosts in this group - ams-agent: Ams Agent Instance is deployed for hosts in this group (maximun of 1 instance) diff --git a/roles/federation-registry/defaults/config.json b/roles/federation-registry/defaults/config.json index ece87fac..2af4e079 100644 --- a/roles/federation-registry/defaults/config.json +++ b/roles/federation-registry/defaults/config.json @@ -14,7 +14,7 @@ "service_integration_notification": { "enabled": false, "email": "ticketing-system@mail.com", - "integration_environments": ["devel"], + "integration_environments": ["devel"], "template": "" }, "restricted_env": ["production"], @@ -155,7 +155,7 @@ "tag":"coc", "error": "The service must comply with this policy" } - + } } }, @@ -170,4 +170,3 @@ "deployment_fields":["service_name","service_description","client_id","allow_introspection","code_challenge_method","device_code_validity_seconds","access_token_validity_seconds","refresh_token_validity_seconds","client_secret","reuse_refresh_token","clear_access_tokens_on_refresh","id_token_timeout_seconds","entity_id","metadata_url","grant_types","scope","contacts","redirect_uris","token_endpoint_auth_method","token_endpoint_auth_signing_alg","jwks","jwks_uri","website_url","aup_uri","policy_uri","country","logo_uri","application_type","requested_attributes","post_logout_redirect_uris"], "multivalue_fields": ["grant_types","scope","contacts","redirect_uris","post_logout_redirect_uris"] } - \ No newline at end of file diff --git a/roles/federation-registry/defaults/main.yml b/roles/federation-registry/defaults/main.yml index b70aac49..f044fa1a 100644 --- a/roles/federation-registry/defaults/main.yml +++ b/roles/federation-registry/defaults/main.yml 
@@ -6,12 +6,12 @@ federation_registry_known_hosts_path: "~/.ssh/known_hosts" # Ams Configuration federation_registry_ams: # Consumer/Publisher for deployment tasks and deployment results topics - authorized_users : + authorized_users: - username: "ams-user" # Authentication key for the ams agent process - agent_key : "authentication_key_for_ams_agent" + agent_key: "authentication_key_for_ams_agent" # Admin User token for setting the topics, subscriptions and ACL - admin_token : "ams-admin-token" + admin_token: "ams-admin-token" # Consumer/Publisher User Token token: "ams-users-token" # Base Url of the Ams 
@@ -22,16 +22,16 @@ federation_registry_ams: federation_registry_pm2_conf_path: "/home/debian" federation_registry_react_folder: "federation-registry-frontend" federation_registry_project_path: "/var/www/rciam-federation-registry" -federation_registry_react_path: "{{federation_registry_project_path}}/{{federation_registry_react_folder}}" +federation_registry_react_path: "{{ federation_registry_project_path }}/{{ federation_registry_react_folder }}" federation_registry_express_folder: "federation-registry-backend-api" -federation_registry_express_path: "{{federation_registry_project_path}}/{{federation_registry_express_folder}}" +federation_registry_express_path: "{{ federation_registry_project_path }}/{{ federation_registry_express_folder }}" federation_registry_ams_agent_folder: "federation-registry-backend-ams-agent" -federation_registry_ams_agent_path: "{{federation_registry_project_path}}/{{federation_registry_ams_agent_folder}}" +federation_registry_ams_agent_path: "{{ federation_registry_project_path }}/{{ federation_registry_ams_agent_folder }}" federation_registry_git: git_repo: "https://github.com/rciam/rciam-federation-registry.git" git_branch: "devel" clone_dest: "/var/www/rciam-federation-registry" -federation_registry_deployment_env : "dev/demo/production" +federation_registry_deployment_env: "dev/demo/production" federation_registry_key_title: "env-vm" federation_registry_init_script: "setup_tenant.sql" federation_registry_admin_key: "authentication_for_admin_endpoints" @@ -52,5 +52,3 @@ federation_registry_tenant_config: backend_uri: "https://tenant1/federation-backend/" - name: "tenant2_name" backend_uri: "https://tenant2/federation-backend/" - - diff --git a/roles/federation-registry/defaults/setup_tenant.sql b/roles/federation-registry/defaults/setup_tenant.sql index 506c2833..c59231b3 100644 --- a/roles/federation-registry/defaults/setup_tenant.sql +++ b/roles/federation-registry/defaults/setup_tenant.sql 
@@ -45,7 +45,7 @@ VALUES(1 , 'get_user'), INSERT INTO tenant_deployer_agents (tenant,integration_environment,type,entity_type,hostname,entity_protocol,deployer_name) -VALUES +VALUES ('tenant_name', 'production', 'keycloak', 'service', 'test_deployer','oidc',null ), ('tenant_name', 'demo', 'keycloak', 'service', 'test_deployer','oidc',null ), ('tenant_name', 'development', 'keycloak', 'service', 'test_deployer','oidc',null ), @@ -54,4 +54,3 @@ VALUES ('tenant_name', 'demo', 'ssp', 'service', 'test_deployer','saml','1' ), ('tenant_name', 'demo', 'ssp', 'service', 'test_deployer','saml','2'), ('tenant_name', 'development', 'ssp', 'service', 'test_deployer','saml',null ); - diff --git a/roles/federation-registry/tasks/configure-ams.yml b/roles/federation-registry/tasks/configure-ams.yml index 9f303557..049f7c35 100644 --- a/roles/federation-registry/tasks/configure-ams.yml +++ b/roles/federation-registry/tasks/configure-ams.yml 
@@ -1,87 +1,88 @@ --- - - name: Create deployment_response topic - uri: - url: "{{ federation_registry_ams.host }}/projects/{{ federation_registry_ams.project }}/topics/{{ federation_registry_ams.topic }}" - method: PUT - return_content: yes - headers: - x-api-key: "{{ federation_registry_ams.admin_token }}" - register: response - run_once: true - failed_when: response.status != 409 and response.status != 200 +- name: Create deployment_response topic + ansible.builtin.uri: + url: "{{ federation_registry_ams.host }}/projects/{{ federation_registry_ams.project }}/topics/{{ federation_registry_ams.topic }}" + method: PUT + return_content: true + headers: + x-api-key: "{{ federation_registry_ams.admin_token }}" + register: response + run_once: true + failed_when: response.status != 409 and response.status != 200 - - name: Modify acl for topic - run_once: true - uri: - url: "{{ federation_registry_ams.host }}/projects/{{ federation_registry_ams.project }}/topics/{{ federation_registry_ams.topic }}:modifyAcl" - body: "{{lookup('template','ams_authorized_users.j2')}}" - method: POST - return_content: yes - headers: - Content-Type: "application/json" - x-api-key: "{{ federation_registry_ams.admin_token }}" - body_format: json +- name: Modify acl for topic + run_once: true + ansible.builtin.uri: + url: "{{ federation_registry_ams.host }}/projects/{{ federation_registry_ams.project }}/topics/{{ federation_registry_ams.topic }}:modifyAcl" + body: "{{ lookup('template', 'ams_authorized_users.j2') }}" + method: POST + return_content: true + headers: + Content-Type: "application/json" + x-api-key: "{{ federation_registry_ams.admin_token }}" + body_format: json - - name: Delete express push subscription - uri: - url: "{{ federation_registry_ams.host }}/projects/{{ federation_registry_ams.project }}/subscriptions/{{ federation_registry_ams.sub }}" - method: DELETE - return_content: yes - headers: - x-api-key: "{{ federation_registry_ams.admin_token }}" - register: response - 
run_once: true - failed_when: response.status != 409 and response.status != 200 and response.status != 404 +- name: Delete express push subscription + ansible.builtin.uri: + url: "{{ federation_registry_ams.host }}/projects/{{ federation_registry_ams.project }}/subscriptions/{{ federation_registry_ams.sub }}" + method: DELETE + return_content: true + headers: + x-api-key: "{{ federation_registry_ams.admin_token }}" + register: response + run_once: true + failed_when: response.status != 409 and response.status != 200 and response.status != 404 - - name: Create express push subscription - uri: - url: "{{ federation_registry_ams.host }}/projects/{{ federation_registry_ams.project }}/subscriptions/{{ federation_registry_ams.sub }}" - method: PUT - body: "{{lookup('template','ams_push_body.j2')}}" - headers: - Content-Type: "application/json" - x-api-key: "{{ federation_registry_ams.admin_token }}" - body_format: json - return_content: yes - run_once: true - register: post_ams_push_config_response +- name: Create express push subscription + ansible.builtin.uri: + url: "{{ federation_registry_ams.host }}/projects/{{ federation_registry_ams.project }}/subscriptions/{{ federation_registry_ams.sub }}" + method: PUT + body: "{{ lookup('template', 'ams_push_body.j2') }}" + headers: + Content-Type: "application/json" + x-api-key: "{{ federation_registry_ams.admin_token }}" + body_format: json + return_content: true + run_once: true + register: post_ams_push_config_response - - name: Get express push subscription - uri: - url: "{{ federation_registry_ams.host }}/projects/{{ federation_registry_ams.project }}/subscriptions/{{ federation_registry_ams.sub }}" - method: GET - return_content: yes - headers: - x-api-key: "{{ federation_registry_ams.admin_token }}" - register: get_ams_push_response - ignore_errors: yes - run_once: true - when: "post_ams_push_config_response is defined" +- name: Get express push subscription + ansible.builtin.uri: + url: "{{ 
federation_registry_ams.host }}/projects/{{ federation_registry_ams.project }}/subscriptions/{{ federation_registry_ams.sub }}" + method: GET + return_content: true + headers: + x-api-key: "{{ federation_registry_ams.admin_token }}" + register: get_ams_push_response + ignore_errors: true + run_once: true + when: "post_ams_push_config_response is defined" - - name: Modify Acl for Push Subscription - uri: - url: "{{ federation_registry_ams.host }}/projects/{{ federation_registry_ams.project }}/subscriptions/{{ federation_registry_ams.sub }}:modifyAcl" - body: "{{lookup('template','ams_authorized_users.j2')}}" - method: POST - headers: - Content-Type: "application/json" - x-api-key: "{{ federation_registry_ams.admin_token }}" - body_format: json - run_once: true +- name: Modify Acl for Push Subscription + ansible.builtin.uri: + url: "{{ federation_registry_ams.host }}/projects/{{ federation_registry_ams.project }}/subscriptions/{{ federation_registry_ams.sub }}:modifyAcl" + body: "{{ lookup('template', 'ams_authorized_users.j2') }}" + method: POST + headers: + Content-Type: "application/json" + x-api-key: "{{ federation_registry_ams.admin_token }}" + body_format: json + run_once: true - - name: Save Ams Facts - run_once: true - set_fact: - ams_auth_key: "{{get_ams_push_response.json.pushConfig.authorizationHeader.value}}" - ams_verif_hash: "{{get_ams_push_response.json.pushConfig.verificationHash}}" - when: - - "get_ams_push_response.json.pushConfig.authorizationHeader.value is defined" - - "get_ams_push_response.json.pushConfig.verificationHash is defined" - - - debug: - var: ams_verif_hash - - name: Save Ams verified - run_once: true - set_fact: - ams_is_verif: "{{get_ams_push_response.json.pushConfig.verified}}" - when: "get_ams_push_response.json.pushConfig.verified is defined" +- name: Save Ams Facts + run_once: true + ansible.builtin.set_fact: + ams_auth_key: "{{ get_ams_push_response.json.pushConfig.authorizationHeader.value }}" + ams_verif_hash: "{{ 
get_ams_push_response.json.pushConfig.verificationHash }}" + when: + - "get_ams_push_response.json.pushConfig.authorizationHeader.value is defined" + - "get_ams_push_response.json.pushConfig.verificationHash is defined" + +- name: Debug + ansible.builtin.debug: + var: ams_verif_hash +- name: Save Ams verified + run_once: true + ansible.builtin.set_fact: + ams_is_verif: "{{ get_ams_push_response.json.pushConfig.verified }}" + when: "get_ams_push_response.json.pushConfig.verified is defined" diff --git a/roles/federation-registry/tasks/configure-environment.yml b/roles/federation-registry/tasks/configure-environment.yml index 1d7dc293..0a4172de 100644 --- a/roles/federation-registry/tasks/configure-environment.yml +++ b/roles/federation-registry/tasks/configure-environment.yml @@ -1,27 +1,26 @@ --- +- name: Install dependencies + ansible.builtin.apt: + pkg: + - curl + - git + - nginx - - name: Install dependencies - apt: - pkg: - - curl - - git - - nginx - - - name: Add node repository - shell: curl -sL https://deb.nodesource.com/setup_14.x | sudo bash - - args: - warn: no - - - name: Install node and npm - apt: - pkg: - - build-essential - - nodejs - - npm - - - name: Install pm2 - npm: - name: pm2 - global: yes +- name: Add node repository # noqa no-changed-when + ansible.builtin.shell: > + set -o pipefail + curl -sL https://deb.nodesource.com/setup_14.x | sudo bash - + args: + warn: false +- name: Install node and npm + ansible.builtin.apt: + pkg: + - build-essential + - nodejs + - npm +- name: Install pm2 + community.general.npm: + name: pm2 + global: true diff --git a/roles/federation-registry/tasks/deploy.yml b/roles/federation-registry/tasks/deploy.yml index 126342f3..5d68515b 100644 --- a/roles/federation-registry/tasks/deploy.yml +++ b/roles/federation-registry/tasks/deploy.yml 
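Review bot: `Get express push subscription` registers a response that, as the following `Save Ams Facts` task shows, carries `pushConfig.authorizationHeader.value` — the push credential later stored as `ams_auth_key`; with `return_content: true` and no `no_log: true`, a failed run or a `-v` run prints that secret to the controller log, and `ignore_errors: true` makes such a failure easy to miss. Add `no_log: true` to that task and to `Save Ams Facts`, and consider it on every `uri` task here: on failure Ansible prints the module invocation, which includes the `x-api-key: "{{ federation_registry_ams.admin_token }}"` header. The new `- name: Debug` task prints `ams_verif_hash` unconditionally; gate it with `verbosity: 1` as the debug in `static_files.yml` does. The repeated `failed_when: response.status != 409 and response.status != 200 …` reads better as `failed_when: response.status not in [200, 409]` (and `[200, 404, 409]` for the delete).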
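Review bot: In `configure-environment.yml`, `ansible.builtin.shell: >` folds the two body lines into one, so the remote shell receives `set -o pipefail curl -sL https://deb.nodesource.com/setup_14.x | sudo bash -`: `set` takes `curl -sL …` as its positional parameters (or rejects `-o pipefail` outright under `/bin/sh`/dash, the shell module's default), nothing is piped into `bash`, and the nodesource script never runs while the task still reports success — the block needs `|` so the newline survives, plus `args: executable: /bin/bash` for `pipefail`. The `args: warn: false` parameter was removed in ansible-core 2.14, so the `ansible-core>=2.16.0` pinned in `.pre-commit-config.yaml` will fail this task on an unsupported parameter. `sudo bash -` inside the task also bypasses Ansible's `become` handling; and executing a remote script as root is a supply-chain exposure that a pinned apt source with its signing key (`ansible.builtin.apt_repository` with `signed-by=`, or `ansible.builtin.deb822_repository`) avoids — worth doing now given Node 14 is end-of-life and the script will not be maintained.
```yaml
- name: Add node repository
  ansible.builtin.shell: |
    set -o pipefail
    curl -sL https://deb.nodesource.com/setup_14.x | bash -
  args:
    executable: /bin/bash
    creates: /etc/apt/sources.list.d/nodesource.list  # confirm: the file the setup script writes
  become: true
# … unchanged: Install node and npm, Install pm2 …
```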
@@ -1,169 +1,210 @@ --- - - name: Check if project exists - stat: - path: "{{ federation_registry_git.clone_dest }}" - register: project_stat - - - name: Clean clone directory - file: - state: absent - path: "{{ federation_registry_git.clone_dest }}" - when: project_stat.stat.exists - - - name: Clean Frontend Folder - file: - state: absent - path: "{{federation_registry_project_path}}/{{federation_registry_react_folder}}" - ignore_errors: true - - - name: Clean Backend Folder - file: - state: absent - path: "{{federation_registry_project_path}}/{{federation_registry_express_folder}}" - ignore_errors: true - - - name: Clean Ams Agent Folder - file: - state: absent - path: "{{federation_registry_project_path}}/{{federation_registry_ams_agent_folder}}" - ignore_errors: true - - - name: Clone the repository - git: - repo: "{{federation_registry_git.git_repo}}" - version: "{{federation_registry_git.git_branch}}" - dest: "{{federation_registry_git.clone_dest}}" - force: yes - - - name: Move Federation Backend to /var/www - shell: mv {{federation_registry_git.clone_dest}}/{{federation_registry_express_folder}} {{federation_registry_project_path}} - - - name: Move Ams Agent to /var/www - shell: mv {{federation_registry_git.clone_dest}}/{{federation_registry_ams_agent_folder}} {{federation_registry_project_path}} - - - name: Move Swagger File to /var/www - shell: mv {{federation_registry_git.clone_dest}}/swagger.json {{federation_registry_project_path}} - - - name: Create React Folder - shell: mkdir {{federation_registry_project_path}}/{{federation_registry_react_folder}} - ignore_errors: True - - - name: Load package.json contents to package variable - slurp: - src: "{{federation_registry_git.clone_dest}}/{{federation_registry_react_folder}}/package.json" - register: imported_var - - - name: Append homepage value to package variable - set_fact: - imported_var: "{{ imported_var.content|b64decode|from_json | default([]) | combine({ 'homepage': 
federation_registry_react_base_url}) }}" - - - name: Write package variable to package.json - copy: - content: "{{ imported_var | to_nice_json }}" - dest: "{{federation_registry_git.clone_dest}}/{{federation_registry_react_folder}}/package.json" - - - name: Install node modules for react - npm: - path: "{{federation_registry_git.clone_dest}}/{{federation_registry_react_folder}}" - - - name: Install node modules for express - npm: - path: "{{federation_registry_express_path}}" - - - name: Install node modules for ams-agent - npm: - path: "{{federation_registry_ams_agent_path}}" - - - name: React config - template: - src: react-config.j2 - dest: "{{federation_registry_git.clone_dest}}/{{federation_registry_react_folder}}/src/config.json" - backup: yes - - - name: Configure express db_config - template: - src: db_config.j2 - dest: "{{federation_registry_express_path}}/db-config/db-config.json" - backup: yes - - - name: Copy Tenant Configuration - copy: - src: "{{ inventory_dir }}/files/config.json" - dest: "{{federation_registry_express_path}}/JavaScript/config.json" - force: yes - owner: root - mode: 0664 - backup: true - - - name: Agent env - template: - src: ams-env.j2 - dest: "{{federation_registry_ams_agent_path}}/.env" - backup: yes - - - name: Agent config - template: - src: ams_authorized_users.j2 - dest: "{{federation_registry_ams_agent_path}}/config.json" - backup: yes - - - name: delete existing pm2 processes if running - command: "pm2 delete all" - ignore_errors: True - - - name: Create pm2 ecosystem - template: - src: pm2_config.j2 - dest: "{{federation_registry_pm2_conf_path}}/ecosystem.config.js" - backup: yes - - - name: react build - shell: "npm run build" - args: - chdir: "{{federation_registry_git.clone_dest}}/{{federation_registry_react_folder}}" - executable: /bin/bash - - - name: Creates federation directory - file: - path: "{{federation_registry_git.clone_dest}}/{{federation_registry_react_folder}}{{federation_registry_react_base_url}}" - state: 
directory - when: federation_registry_react_base_url != "/" - - - name: Move files from build folder to base folder - shell: mv {{federation_registry_git.clone_dest}}/{{federation_registry_react_folder}}/build/* {{federation_registry_git.clone_dest}}/{{federation_registry_react_folder}}{{federation_registry_react_base_url}} - when: federation_registry_react_base_url != "/" - - - name: Move base folder inside build folder - shell: mv {{federation_registry_git.clone_dest}}/{{federation_registry_react_folder}}{{federation_registry_react_base_url}} {{federation_registry_project_path}}/{{federation_registry_react_folder}}{{federation_registry_react_base_url}} - when: federation_registry_react_base_url != "/" - - - name: Move base folder inside build folder - shell: mv {{federation_registry_git.clone_dest}}/{{federation_registry_react_folder}}/build/* {{federation_registry_project_path}}/{{federation_registry_react_folder}} - when: federation_registry_react_base_url == "/" - - - name: Express env - template: - src: express-env.j2 - dest: "{{federation_registry_express_path}}/JavaScript/.env" - backup: yes - - - name: start Pm2 processes - command: "pm2 start ecosystem.config.js" - - - name: restart Pm2 processes - command: "pm2 restart all" - - - debug: - msg: ams_is_verif - - - name: Verify push endpoint if not verified - run_once: true - uri: - url: "{{ federation_registry_ams.host }}/projects/{{ federation_registry_ams.project }}/subscriptions/{{ federation_registry_ams.sub }}:verifyPushEndpoint?key={{ federation_registry_ams.admin_token }}" - method: POST - return_content: yes - headers: - Content-Type: "application/json" - body_format: json - when: - - "not ams_is_verif" +- name: Check if project exists + ansible.builtin.stat: + path: "{{ federation_registry_git.clone_dest }}" + register: project_stat + +- name: Clean clone directory + ansible.builtin.file: + state: absent + path: "{{ federation_registry_git.clone_dest }}" + when: project_stat.stat.exists + +- name: 
Clean Frontend Folder + ansible.builtin.file: + state: absent + path: "{{ federation_registry_project_path }}/{{ federation_registry_react_folder }}" + ignore_errors: false + +- name: Clean Backend Folder + ansible.builtin.file: + state: absent + path: "{{ federation_registry_project_path }}/{{ federation_registry_express_folder }}" + ignore_errors: false + +- name: Clean Ams Agent Folder + ansible.builtin.file: + state: absent + path: "{{ federation_registry_project_path }}/{{ federation_registry_ams_agent_folder }}" + ignore_errors: false + +- name: Clone the repository + ansible.builtin.git: + repo: "{{ federation_registry_git.git_repo }}" + version: "{{ federation_registry_git.git_branch }}" + dest: "{{ federation_registry_git.clone_dest }}" + force: true + +- name: Move things to /var/www + ansible.builtin.shell: |- + "mv {{ federation_registry_git.clone_dest }}/{{ item }} \ + {{ federation_registry_project_path }}" + loop: + - "{{ federation_registry_express_folder }}" + - "{{ federation_registry_ams_agent_folder }}" + - swagger.json + +# Refactored by task above +# - name: Move Federation Backend to /var/www # noqa command-instead-of-shell no-changed-when +# ansible.builtin.shell: "mv {{ federation_registry_git.clone_dest }}/{{ federation_registry_express_folder }} {{ federation_registry_project_path }}" +# changed_when: false + +# - name: Move Ams Agent to /var/www # noqa command-instead-of-shell no-changed-when +# ansible.builtin.shell: "mv {{ federation_registry_git.clone_dest }}/{{ federation_registry_ams_agent_folder }} {{ federation_registry_project_path }}" +# changed_when: false + +# - name: Move Swagger File to /var/www # noqa command-instead-of-shell no-changed-when +# ansible.builtin.shell: "mv {{ federation_registry_git.clone_dest }}/swagger.json {{ federation_registry_project_path }}" + +- name: Create React Folder + ansible.bultin.file: + dest: "{{ federation_registry_project_path }}/{{ federation_registry_react_folder }}" + state: directory + 
mode: "0755" + +- name: Load package.json contents to package variable + ansible.builtin.slurp: + src: "{{ federation_registry_git.clone_dest }}/{{ federation_registry_react_folder }}/package.json" + register: imported_var + +- name: Append homepage value to package variable + ansible.builtin.set_fact: + imported_var: "{{ imported_var.content | b64decode | from_json | default([]) | combine({'homepage': federation_registry_react_base_url}) }}" + +- name: Write package variable to package.json + ansible.builtin.copy: + content: "{{ imported_var | to_nice_json }}" + dest: "{{ federation_registry_git.clone_dest }}/{{ federation_registry_react_folder }}/package.json" + mode: "0644" + +- name: Install node modules for react + community.general.npm: + path: "{{ federation_registry_git.clone_dest }}/{{ federation_registry_react_folder }}" + +- name: Install node modules for express + community.general.npm: + path: "{{ federation_registry_express_path }}" + +- name: Install node modules for ams-agent + community.general.npm: + path: "{{ federation_registry_ams_agent_path }}" + +- name: React config + ansible.builtin.template: + src: react-config.j2 + dest: "{{ federation_registry_git.clone_dest }}/{{ federation_registry_react_folder }}/src/config.json" + backup: true + mode: "0644" + +- name: Configure express db_config + ansible.builtin.template: + src: db_config.j2 + dest: "{{ federation_registry_express_path }}/db-config/db-config.json" + backup: true + mode: "0644" + +- name: Copy Tenant Configuration + ansible.builtin.copy: + src: "{{ inventory_dir }}/files/config.json" + dest: "{{ federation_registry_express_path }}/JavaScript/config.json" + force: true + owner: root + mode: "0664" + backup: true + +- name: Agent env + ansible.builtin.template: + src: ams-env.j2 + dest: "{{ federation_registry_ams_agent_path }}/.env" + backup: true + mode: "0600" + +- name: Agent config + ansible.builtin.template: + src: ams_authorized_users.j2 + dest: "{{ 
federation_registry_ams_agent_path }}/config.json" + backup: true + mode: "0644" + +- name: Delete existing pm2 processes if running + ansible.builtin.command: "pm2 delete all" + changed_when: false + +- name: Create pm2 ecosystem + ansible.builtin.template: + src: pm2_config.j2 + dest: "{{ federation_registry_pm2_conf_path }}/ecosystem.config.js" + backup: true + mode: "0644" + +- name: React build + ansible.builtin.shell: "npm run build" + args: + chdir: "{{ federation_registry_git.clone_dest }}/{{ federation_registry_react_folder }}" + executable: /bin/bash + changed_when: false + +- name: Creates federation directory + ansible.builtin.file: + path: "{{ federation_registry_git.clone_dest }}/{{ federation_registry_react_folder }}{{ federation_registry_react_base_url }}" + state: directory + mode: "0644" + when: federation_registry_react_base_url != "/" + +# this should be a loop +- name: Move files from build folder to base folder + ansible.builtin.shell: >- + mv {{ federation_registry_git.clone_dest }}/{{ federation_registry_react_folder }}/build/* + {{ federation_registry_git.clone_dest }}/ + {{ federation_registry_react_folder }}{{ federation_registry_react_base_url }} + when: federation_registry_react_base_url != "/" + changed_when: false + +- name: Move base folder inside build folder # noqa command-instead-of-shell + ansible.builtin.shell: >- + mv {{ federation_registry_git.clone_dest }}/ + {{ federation_registry_react_folder }}{{ federation_registry_react_base_url }} + {{ federation_registry_project_path }}/\ + {{ federation_registry_react_folder }}{{ federation_registry_react_base_url }} + when: federation_registry_react_base_url != "/" + changed_when: false + +- name: Move base folder inside build folder + ansible.builtin.shell: >- + mv {{ federation_registry_git.clone_dest }}/{{ federation_registry_react_folder }}/build/* + {{ federation_registry_project_path }}/{{ federation_registry_react_folder }} + when: federation_registry_react_base_url == "/" + 
changed_when: false + +- name: Template Express env + ansible.builtin.template: + src: express-env.j2 + dest: "{{ federation_registry_express_path }}/JavaScript/.env" + backup: true + mode: "0644" + +- name: Start Pm2 processes + ansible.builtin.command: "pm2 start ecosystem.config.js" + changed_when: false + +- name: Restart Pm2 processes + ansible.builtin.command: "pm2 restart all" + changed_when: false + +- name: Debug + ansible.builtin.debug: + msg: ams_is_verif + +- name: Verify push endpoint if not verified + run_once: true + ansible.builtin.uri: + url: >- + "{{ federation_registry_ams.host }}/projects/ + {{ federation_registry_ams.project }}/subscriptions/{{ federation_registry_ams.sub }}:verifyPushEndpoint?key={{ federation_registry_ams.admin_token }}" + method: POST + return_content: true + headers: + Content-Type: "application/json" + body_format: json + when: + - "not ams_is_verif" diff --git a/roles/federation-registry/tasks/main.yml b/roles/federation-registry/tasks/main.yml index f6ed3892..1d11bffb 100644 --- a/roles/federation-registry/tasks/main.yml +++ b/roles/federation-registry/tasks/main.yml @@ -1,3 +1,5 @@ --- - - include: "{{task}}.yml" - become: yes +# this has got to be the weirdest way I've seen tasks included. +- name: "Include {{ task }}" + ansible.builtin.include_tasks: "{{ task }}.yml" + # become: true diff --git a/roles/federation-registry/tasks/postgres.yml b/roles/federation-registry/tasks/postgres.yml index 654efc7f..993204c4 100644 --- a/roles/federation-registry/tasks/postgres.yml +++ b/roles/federation-registry/tasks/postgres.yml 
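Review bot: Dropping `become: yes` in favour of a commented-out `# become: true` changes the privilege level of every task pulled in through `{{ task }}.yml`, and nothing in the hunk says why; the deploy tasks earlier in this diff write under `{{ federation_registry_project_path }}` (described in task names as /var/www) and drive pm2, which presumably ran as root before. If the drop is deliberate, replace the dead comment with one stating the reason, e.g. `# become intentionally removed: privilege is set at play level`; otherwise restore `become: true` on the include. Since the include resolves whatever name the caller puts in `task` straight into a file path, consider also asserting `task` against the fixed set of task files this role ships before the include.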
@@ -1,46 +1,49 @@ --- - name: Make sure psycopg2 is installed - command: pip install psycopg2==2.7.5 --ignore-installed + ansible.builtin.pip: + name: psycopg2 + version: 2.7.5 run_once: true - name: Send Create Tables SQL File - copy: + ansible.builtin.copy: src: create_tables.sql - dest: "{{rciam_dbs.federation.script_path}}" + dest: "{{ rciam_dbs.federation.script_path }}" + mode: "0644" run_once: true - name: Create PostgreSQL tables for Federation Registry via SQL scripts run_once: true - postgresql_query: + community.postgresql.postgresql_script: db: "{{ rciam_dbs.federation.name }}" login_user: "{{ rciam_dbs.federation.owner_username }}" login_password: "{{ rciam_dbs.federation.owner_password }}" - path_to_script: "{{ rciam_dbs.federation.script_path }}" + path: "{{ rciam_dbs.federation.script_path }}" login_host: "{{ rciam_dbs.federation.host }}" register: postgresql_result failed_when: "postgresql_result is failed and 'already exists' not in postgresql_result.msg" - name: Send Tenant Initialization Data run_once: true - copy: - src: private_files/{{federation_registry_init_script}} - dest: "{{rciam_dbs.federation.script_path}}" + ansible.builtin.copy: + src: private_files/{{ federation_registry_init_script }} + dest: "{{ rciam_dbs.federation.script_path }}" + mode: "0644" - name: Initialise Tenant Data via SQL scripts run_once: true - postgresql_query: + community.postgresql.postgresql_script: db: "{{ rciam_dbs.federation.name }}" login_user: "{{ rciam_dbs.federation.owner_username }}" login_password: "{{ rciam_dbs.federation.owner_password }}" - path_to_script: "{{ rciam_dbs.federation.script_path }}" - login_host: "{{ rciam_dbs.federation.host }}" - path_to_script: "{{rciam_dbs.federation.script_path}}" login_host: "{{ rciam_dbs.federation.host }}" + path: "{{ rciam_dbs.federation.script_path }}" register: postgresql_result failed_when: "postgresql_result is failed and 'already exists' not in postgresql_result.msg" - name: Delete database configuration 
file run_once: true - file: - path: "{{rciam_dbs.federation.script_path}}" + ansible.builtin.file: + path: "{{ rciam_dbs.federation.script_path }}" state: absent + mode: "0644" diff --git a/roles/federation-registry/templates/ams_authorized_users.j2 b/roles/federation-registry/templates/ams_authorized_users.j2 index 0b51eb1a..3e8b5cd4 100644 --- a/roles/federation-registry/templates/ams_authorized_users.j2 +++ b/roles/federation-registry/templates/ams_authorized_users.j2 @@ -1,7 +1,7 @@ { "authorized_users": [ {% for user in federation_registry_ams.authorized_users %} - "{{ user.username }}" {% if federation_registry_ams.authorized_users|length != loop.index %} , {% endif %} + "{{ user.username }}" {% if federation_registry_ams.authorized_users|length != loop.index %} , {% endif %} {% endfor %} ] } diff --git a/roles/federation-registry/templates/react-config.j2 b/roles/federation-registry/templates/react-config.j2 index d15dd50f..dc4a790b 100644 --- a/roles/federation-registry/templates/react-config.j2 +++ b/roles/federation-registry/templates/react-config.j2 @@ -1,7 +1,7 @@ { "host": { {% for tenant in federation_registry_tenant_config %} - "{{ tenant.name }}":"{{tenant.backend_uri}}" {% if federation_registry_tenant_config|length != loop.index %} , {% endif %} + "{{ tenant.name }}":"{{tenant.backend_uri}}" {% if federation_registry_tenant_config|length != loop.index %} , {% endif %} {% endfor %} }, "basename": "{{federation_registry_react_base_url}}" diff --git a/roles/fedreg-agent/defaults/main.yml b/roles/fedreg-agent/defaults/main.yml index 743735cc..cca18a98 100644 --- a/roles/fedreg-agent/defaults/main.yml +++ b/roles/fedreg-agent/defaults/main.yml 
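Review bot: The tenant initialisation script copied from `private_files/{{ federation_registry_init_script }}` is now written with `mode: "0644"`, so the seed data sits world-readable on the host until the final delete task runs; the `private_files` location suggests it may contain sensitive tenant data, and the script tasks already authenticate as the owning user, so `mode: "0600"` on both SQL copies loses nothing. The `mode: "0644"` added to the `Delete database configuration file` task is ignored with `state: absent` and only exists to silence the linter; drop it rather than leave a misleading attribute. The retained `failed_when` still masks any failure whose message contains 'already exists', which is broader than the CREATE TABLE idempotency it is meant to cover, so a comment stating that intent would help the next reader.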
@@ -17,9 +17,9 @@ fedreg_agent_registry_requirements_url: "https://raw.githubusercontent.com/rciam # Service fedreg_agent_services_path: /etc/systemd/system fedreg_agent_log_conf: "{{ fedreg_agent_conf_dir }}/logger.conf" -fedreg_agent_enable_ssp: no -fedreg_agent_enable_mitreid: no -fedreg_agent_enable_keycloak: no +fedreg_agent_enable_ssp: false +fedreg_agent_enable_mitreid: false +fedreg_agent_enable_keycloak: false ## Federation registry agent parameters # fedreg_agent_ams: diff --git a/roles/fedreg-agent/handlers/main.yml b/roles/fedreg-agent/handlers/main.yml index ae97cc84..f0fcd77b 100644 --- a/roles/fedreg-agent/handlers/main.yml +++ b/roles/fedreg-agent/handlers/main.yml @@ -1,2 +1,10 @@ --- # handlers file for fedreg-agent +- name: Reload systemd + ansible.builtin.systemd: + daemon_reload: true + become: true + tags: + - agent + - service + - daemon-reload diff --git a/roles/fedreg-agent/tasks/configure-common.yml b/roles/fedreg-agent/tasks/configure-common.yml index 3f21bb87..841dbdd4 100644 --- a/roles/fedreg-agent/tasks/configure-common.yml +++ b/roles/fedreg-agent/tasks/configure-common.yml @@ -1,35 +1,34 @@ --- # tasks file for fedreg-agent - - name: Install basic common utils - package: + ansible.builtin.package: name: "{{ item }}" - state: latest + state: preset loop: - git - python3-pip - become: yes + become: true tags: - agent - basic_common_utils - name: Upgrade pip3 - pip: + ansible.builtin.pip: name: pip - state: latest + state: present extra_args: --upgrade --user executable: pip3 - become: yes + become: true tags: - agent - python - name: Install Virtualenv via pip3 - pip: + ansible.builtin.pip: name: virtualenv - state: latest + state: present executable: pip3 - become: yes + become: true tags: - agent - python diff --git a/roles/fedreg-agent/tasks/deploy.yml b/roles/fedreg-agent/tasks/deploy.yml index c7469cb7..d2af24f0 100644 --- a/roles/fedreg-agent/tasks/deploy.yml +++ b/roles/fedreg-agent/tasks/deploy.yml 
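Review bot: `state: preset` in the `Install basic common utils` task is a typo: `ansible.builtin.package` forwards the value to the underlying apt module, whose accepted states do not include `preset`, so git and python3-pip installation now fails on every run; the intended replacement for `latest` is `state: present`. In the `Upgrade pip3` task, keeping `extra_args: --upgrade --user` under `become: true` installs pip into root's `~/.local` rather than system-wide and re-introduces the non-idempotent upgrade that the move to `state: present` was meant to remove; either drop `--upgrade --user` or keep `state: latest` deliberately with a comment saying so.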
@@ -1,70 +1,73 @@ --- # tasks file for fedreg-agent - - name: Download only the requirements.txt from rciam-federation-registry-agent repository - get_url: + ansible.builtin.get_url: url: "{{ fedreg_agent_registry_requirements_url }}" dest: /tmp/requirements_{{ build_branch }}.txt - become: yes + mode: "0644" + become: true tags: - agent - python - requirements - name: Install python requirements - pip: + ansible.builtin.pip: requirements: /tmp/requirements_{{ build_branch }}.txt virtualenv: "{{ fedreg_agent_venv_path }}" virtualenv_python: "{{ fedreg_agent_venv_python }}" - become: yes + become: true tags: - agent - python - requirements +# This should be packaged as a release instead of a branch - name: Install rciam-federation-registry-agent (test.pypi.org) when: build_branch == "devel" - pip: + ansible.builtin.pip: name: rciam-federation-registry-agent virtualenv: "{{ fedreg_agent_venv_path }}" virtualenv_python: "{{ fedreg_agent_venv_python }}" extra_args: -i https://test.pypi.org/simple/ - state: latest - become: yes + state: present + become: true tags: - agent - python - requirements +# This should be packaged as a release instead of a branch - name: Install rciam-federation-registry-agent when: build_branch == "master" - pip: + ansible.builtin.pip: name: rciam-federation-registry-agent virtualenv: "{{ fedreg_agent_venv_path }}" virtualenv_python: "{{ fedreg_agent_venv_python }}" - state: latest - become: yes + state: present + become: true tags: - - agent - - python - - requirements - + - agent + - python + - requirements -- name: "Ensure {{ fedreg_agent_conf_dir }} dir exists" - file: +- name: "Ensure dir exists: {{ fedreg_agent_conf_dir }}" + ansible.builtin.file: path: "{{ fedreg_agent_conf_dir }}" state: directory - become: yes + mode: "0755" + become: true tags: - agent - config - name: Copy logger.conf file - copy: + ansible.builtin.copy: src: logger.conf dest: "{{ fedreg_agent_conf_dir }}/logger.conf" - force: no - become: yes + force: false + mode: 
"0644" + become: true tags: - agent - config diff --git a/roles/fedreg-agent/tasks/main.yml b/roles/fedreg-agent/tasks/main.yml index 7d351e77..7bd93b88 100644 --- a/roles/fedreg-agent/tasks/main.yml +++ b/roles/fedreg-agent/tasks/main.yml @@ -1,12 +1,10 @@ --- # tasks file for fedreg-agent - - name: Configuration tasks - include: "configure-common.yml" + ansible.builtin.include_tasks: "configure-common.yml" - name: Deploy tasks - include: "deploy.yml" + ansible.builtin.include_tasks: "deploy.yml" - name: Setup services - include: "services.yml" - + ansible.builtin.include_tasks: "services.yml" diff --git a/roles/fedreg-agent/tasks/services.yml b/roles/fedreg-agent/tasks/services.yml index e9cee049..597d9bc2 100644 --- a/roles/fedreg-agent/tasks/services.yml +++ b/roles/fedreg-agent/tasks/services.yml 
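Review bot: The devel install uses `extra_args: -i https://test.pypi.org/simple/`, which replaces the default index entirely, so every transitive dependency of `rciam-federation-registry-agent` is resolved from test.pypi.org, where anyone can register a name and packages are purged periodically — a dependency-confusion exposure for the agent host. Pin the package to an explicit version via a role default (e.g. `version: "{{ fedreg_agent_version }}"`) and prefer a hash-checked requirements file; if test.pypi must stay, at least comment that this path is staging-only. The `requirements_{{ build_branch }}.txt` fetched from raw.githubusercontent.com has no `checksum:` and mirrors whatever the branch holds at run time, so venv contents are not reproducible between runs. The change from `state: latest` to `state: present` also means existing installs are no longer upgraded on re-run, which the `# This should be packaged as a release` comments hint at but do not state.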
@@ -1,91 +1,90 @@ - name: Create deployer configuration file - template: + ansible.builtin.template: src: deployers.config.json.j2 dest: "{{ fedreg_agent_conf_dir }}/{{ deployers_config_name }}" - backup: yes + backup: true + mode: "0644" when: fedreg_agent_enable_ssp or fedreg_agent_enable_mitreid or fedreg_agent_enable_keycloak - become: yes + become: true tags: - agent - config + notify: Reload systemd - name: Create MITREid deployer service file - template: + ansible.builtin.template: src: deployer_mitreid.service.j2 dest: "{{ fedreg_agent_services_path }}/{{ deployer_mitreid_name }}.service" - backup: yes + backup: true + mode: "0644" register: mitreid_service when: fedreg_agent_enable_mitreid - become: yes + become: true tags: - agent - service + notify: Reload systemd - name: Create Keycloak deployer service file - template: + ansible.builtin.template: src: deployer_keycloak.service.j2 dest: "{{ fedreg_agent_services_path }}/{{ deployer_keycloak_name }}.service" - backup: yes + backup: true + mode: "0644" register: keycloak_service when: fedreg_agent_enable_keycloak - become: yes + become: true tags: - agent - service + notify: Reload systemd - name: Create SSP deployer service file - template: + ansible.builtin.template: src: deployer_ssp.service.j2 dest: "{{ fedreg_agent_services_path }}/{{ deployer_ssp_name }}.service" - backup: yes + backup: true + mode: "0644" register: ssp_service when: fedreg_agent_enable_ssp - become: yes + become: true tags: - agent - service - -- name: Reload systemd - command: systemctl daemon-reload - when: mitreid_service.changed or ssp_service.changed or keycloak_service.changed - become: yes - tags: - - agent - - service - - daemon-reload + notify: Reload systemd - name: MitreId federation registry service enable - service: + ansible.builtin.service: name: '{{ deployer_mitreid_name }}' - enabled: yes + enabled: true state: restarted when: fedreg_agent_enable_mitreid - become: yes + become: true tags: - agent - service - 
service_enable - name: Keycloak deployer service enable - service: + ansible.builtin.service: name: '{{ deployer_keycloak_name }}' - enabled: yes + enabled: true state: restarted when: fedreg_agent_enable_keycloak - become: yes + become: true tags: - agent - service - service_enable - name: SSP federation registry service enable - service: + ansible.builtin.service: name: '{{ deployer_ssp_name }}' - enabled: yes + enabled: true state: restarted when: fedreg_agent_enable_ssp - become: yes + become: true tags: - agent - service diff --git a/roles/git/tasks/install-Debian.yml b/roles/git/tasks/install-Debian.yml index fed08aa7..442bf7d4 100644 --- a/roles/git/tasks/install-Debian.yml +++ b/roles/git/tasks/install-Debian.yml @@ -1,9 +1,14 @@ --- - +# git/tasks/install-Debian.yml - name: Update package cache (Debian) - apt: update_cache=yes cache_valid_time=86400 - become: yes + ansible.builtin.apt: + update_cache: true + cache_valid_time: 86400 + become: true - name: Ensure latest Git is installed (Debian) - apt: name=git state=present install_recommends=no - become: yes + ansible.builtin.apt: + name: git + state: present + install_recommends: false + become: true diff --git a/roles/git/tasks/main.yml b/roles/git/tasks/main.yml index e6daa2e5..c2640203 100644 --- a/roles/git/tasks/main.yml +++ b/roles/git/tasks/main.yml @@ -1,7 +1,7 @@ --- - -# Install OS-specific packages -- include: install-Debian.yml +# git/tasks/main.yml +- name: Install OS-specific packages + ansible.builtin.include_tasks: install-Debian.yml when: ansible_os_family == 'Debian' -#- include: install-CentOS.yml -# when: ansible_os_family == 'CentOS' +# - include: install-CentOS.yml +# when: ansible_os_family == 'CentOS' diff --git a/roles/jq/tasks/install-Debian.yml b/roles/jq/tasks/install-Debian.yml index a9f22b4a..71887eb2 100644 --- a/roles/jq/tasks/install-Debian.yml +++ b/roles/jq/tasks/install-Debian.yml 
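Review bot: Replacing the inline `systemctl daemon-reload` with `notify: Reload systemd` defers the reload to the end of the play, but the `… service enable` tasks that follow in this same file call `state: restarted` immediately, so on a first deploy or after a unit-file change systemd restarts the stale (or missing) unit before the handler fires. Insert `- name: Flush handlers` / `ansible.builtin.meta: flush_handlers` before the first service task, or switch the three service tasks to `ansible.builtin.systemd` with `daemon_reload: true`. The `notify: Reload systemd` on the deployers config template is unnecessary — a JSON config change needs a service restart, not a daemon-reload — and that file is written `mode: "0644"`; if it carries AMS or IdP credentials (not visible here), it should be `0640` and owned by the service account.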
@@ -1,11 +1,15 @@ --- - - name: Update package cache (Debian) - apt: update_cache=yes cache_valid_time=86400 - become: yes + ansible.builtin.apt: + update_cache: true + cache_valid_time: 86400 + become: true - name: Ensure jq is installed (Debian) - apt: name={{ item }} state=present install_recommends=no + ansible.builtin.apt: + name: "{{ item }}" + state: present + install_recommends: false with_items: - - jq - become: yes + - jq # TODO - define in defaults + become: true diff --git a/roles/jq/tasks/main.yml b/roles/jq/tasks/main.yml index e6daa2e5..0755941b 100644 --- a/roles/jq/tasks/main.yml +++ b/roles/jq/tasks/main.yml @@ -1,7 +1,6 @@ --- - -# Install OS-specific packages -- include: install-Debian.yml +- name: Install OS-specific packages + ansible.builtin.include_tasks: install-Debian.yml when: ansible_os_family == 'Debian' -#- include: install-CentOS.yml +# - include: install-CentOS.yml # when: ansible_os_family == 'CentOS' diff --git a/roles/keycloak/defaults/main.yml b/roles/keycloak/defaults/main.yml index 8623c77e..044761a8 100644 --- a/roles/keycloak/defaults/main.yml +++ b/roles/keycloak/defaults/main.yml @@ -1,5 +1,5 @@ --- -##in format X.Y.Z +## in format X.Y.Z ## make sure the corresponding templates/X.Y.Z folder and vars/keycloak/X.Y.Z.yml exist keycloak_version: "18.0.0" 
@@ -8,12 +8,13 @@ keycloak_archive_url: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_service_user: "keycloak" -# Extra run params used in the keycloak systemd service. Multiple `-D` params can be specified. E.g. uncomment the following to enable technology preview features -#keycloak_extra_run_params: "-Dkeycloak.profile=preview" +# Extra run params used in the keycloak systemd service. +# Multiple `-D` params can be specified. +# E.g. uncomment the following to enable technology preview features +# keycloak_extra_run_params: "-Dkeycloak.profile=preview" keycloak_base_url_path: "auth" # The base URL path for frontend and backend requests. Note that this cannot be empty. - keycloak_admin: user: "" pass: "" @@ -38,15 +39,15 @@ keycloak_syslog_identifier: "keycloak" keycloak_logs_folder: "/var/log/keycloak" -keycloak_logs_max_days: 548 # that's ~18 months +keycloak_logs_max_days: 548 # that's ~18 months keycloak_log_level: saml: INFO keycloak_keystores: "/srv/keycloak-keys" -# If the server should expose health check endpoints. Defaults to false -keycloak_health_enabled: no +# If the server should expose health check endpoints. Defaults to false +keycloak_health_enabled: false # Themes to apply to all realms defined under 'keycloak_config.realms'. # You can override theme settings for specific realms by defining @@ -54,11 +55,10 @@ keycloak_health_enabled: no keycloak_themes: login: "rciam" account: "rciam" - #email: "keycloak" # Uncomment and customise if necessary - + # email: "keycloak" # Uncomment and customise if necessary ### plugins ### wayf plugin works ONLY with "stage" branch of keycloak (need to have commit fe055820980dbcb79d5aae2b4dce78b840b912b0) -#keycloak_plugins: +# keycloak_plugins: # wayf: # enabled: true # name: "keycloak-theme-vanilla" #PLEASE, do not change this 
@@ -106,7 +106,7 @@ keycloak_themes: ### Remaining configuration (enc keys, social IdPs, AUP config, SMTP config, etc) ### you can have more than one realms configured here (if it doesn't exist, it will be created). just copy the format of the master and add it in the list. ### also, you can just comment out any of the {key, aup, smtp} sub trees and let the remaining get configured -#keycloak_config: +# keycloak_config: # realms: # - name: master # defaultIdPAlias: "" #setting this to an IdP's name, will skip the WAYF and redirect to that IdP @@ -142,8 +142,11 @@ keycloak_themes: # eventsExpiration: 47347200 # this is 548 days in seconds # adminEventsDetailsEnabled: false # adminEventsEnabled: true -# eventsListeners: ["jboss-logging"] # optional. if you want you can override with the array with the desired ones. Add "metrics-communication" for metrics plugin -# enabledEventTypes: ["UPDATE_CONSENT_ERROR", "SEND_RESET_PASSWORD", "GRANT_CONSENT",…] # optional. if you want you can override with the array with the desired ones +# eventsListeners: ["jboss-logging"] +# optional. if you want you can override with the array with the desired ones. +# Add "metrics-communication" for metrics plugin +# enabledEventTypes: ["UPDATE_CONSENT_ERROR", "SEND_RESET_PASSWORD", "GRANT_CONSENT",…] +# optional. if you want you can override with the array with the desired ones # client_registration_policies: # create_update: # - name: "Allowed Client Scopes" 
@@ -189,11 +192,17 @@ keycloak_themes: # - "manage-account-2fa" # remove: # - "view-profile" -# # For key rotation: whenever you need to rotate keys, this should normally be done as follows: -# # Step 1: You need to add new keypairs, so you need to have both the new and the previous keys (4 keypairs) active in the realm. So you rename the placeholders "current" keys (in vault and in this file) as "previous", and you add two new keypairs (sig and enc) which will get the "current" linking in the vault. -# # Step 2: Transition period is over, so you just mark the "previous" keys as (enabled: false) and (active: false). This means that the keys exist in the realm, but they are never used. -# # Step 3: Rotation day has come, so you need to add new keys, thus, perform step 1. -# keys: ### if the (providerId,name) entry already exists in the realm, ansible updates it. If not, it creates the key. So, in any subsequent run, it updates all the config parameters of the key. +# For key rotation: whenever you need to rotate keys, this should normally be done as follows: +# Step 1: You need to add new keypairs, so you need to have both the new and the previous keys (4 keypairs) active in the realm. +# So you rename the placeholders "current" keys (in vault and in this file) as "previous", +# and you add two new keypairs (sig and enc) which will get the "current" linking in the vault. +# Step 2: Transition period is over, so you just mark the "previous" keys as (enabled: false) and (active: false). +# This means that the keys exist in the realm, but they are never used. +# Step 3: Rotation day has come, so you need to add new keys, thus, perform step 1. +# keys: +### if the (providerId,name) entry already exists in the realm, ansible updates it. +# If not, it creates the key. +# So, in any subsequent run, it updates all the config parameters of the key. # - name: "rsa-sig" # providerId: "rsa" #DO NOT CHANGE THIS # config: 
@@ -722,7 +731,8 @@ keycloak_themes: # disableUserInfo: "" #boolean # hideOnLoginPage: "" #boolean # promotedLoginbutton: "" #boolean -# #Each entry of idp_mappers list is a IdentityProviderMapperRepresentation, see here: https://www.keycloak.org/docs-api/15.0/rest-api/index.html#_identityprovidermapperrepresentation +# Each entry of idp_mappers list is a IdentityProviderMapperRepresentation, +# see here: https://www.keycloak.org/docs-api/15.0/rest-api/index.html#_identityprovidermapperrepresentation # idp_mappers: # - name: # identityProviderAlias: diff --git a/roles/keycloak/handlers/main.yml b/roles/keycloak/handlers/main.yml index dd80e343..6fe04eee 100644 --- a/roles/keycloak/handlers/main.yml +++ b/roles/keycloak/handlers/main.yml @@ -1,32 +1,31 @@ --- - - name: Start keycloak - systemd: + ansible.builtin.systemd: name: keycloak state: started - become: yes + become: true - name: Stop keycloak - systemd: + ansible.builtin.systemd: name: keycloak state: stopped - become: yes + become: true - name: Restart keycloak - systemd: + ansible.builtin.systemd: name: keycloak state: restarted - become: yes + become: true - name: Reload keycloak - systemd: + ansible.builtin.systemd: name: keycloak state: restarted - daemon_reload: yes - become: yes + daemon_reload: true + become: true - name: Clear Keycloak cache ansible.builtin.file: path: "{{ keycloak_home }}/data/tmp/" state: absent - become: yes \ No newline at end of file + become: true diff --git a/roles/keycloak/tasks/blocks/client_registration_policies/create_update_client_reg_policy.yml b/roles/keycloak/tasks/blocks/client_registration_policies/create_update_client_reg_policy.yml index 13975e52..aafd4aa7 100644 --- a/roles/keycloak/tasks/blocks/client_registration_policies/create_update_client_reg_policy.yml +++ b/roles/keycloak/tasks/blocks/client_registration_policies/create_update_client_reg_policy.yml 
@@ -4,27 +4,50 @@ # current_cli_reg_pol = the current client registration policy (loop item) of the config # found_cli_reg_pols = all the found client registration policies found on the server for the current_realm -- set_fact: +- name: Set reg pool match fact + ansible.builtin.set_fact: cli_reg_pol_match: "{{ found_cli_reg_pols | json_query(query) | first | default({}) }}" vars: - query: '[? (name == `{{ current_cli_reg_pol.name }}` && providerId == `{{ current_cli_reg_pol.providerId }}` && subType == `{{ current_cli_reg_pol.subType }}`) ]' + query: >- + '[? (name == `{{ current_cli_reg_pol.name }}` && + providerId == `{{ current_cli_reg_pol.providerId }}` && + subType == `{{ current_cli_reg_pol.subType }}`) + ]' -- set_fact: +- name: Set reg pool found fact + ansible.builtin.set_fact: cli_reg_pol_isfound: "{{ lookup('dict', cli_reg_pol_match) | length > 0 }}" -- name: "{% if cli_reg_pol_isfound %} Update {% else %} Create {% endif %}client registration policy {{ current_cli_reg_pol.name }} on realm {{ current_realm.name }}" - uri: - url: "{{ keycloak_proxy_host }}/admin/realms/{{ current_realm.name }}/components{% if cli_reg_pol_isfound %}/{{ cli_reg_pol_match.id }}{% endif %}" - method: "{% if cli_reg_pol_isfound %}PUT{% else %}POST{% endif %}" +# This task is very difficult to understand and maintain. +# Propose specific tasks based on the cli_reg_pol_isfound variable +- name: "Update client registration policy {{ current_cli_reg_pol.name }} on realm {{ current_realm.name }}" # noqa name[template] + ansible.builtin.uri: + url: "{{ keycloak_proxy_host }}/admin/realms/{{ current_realm.name }}/components/{{ cli_reg_pol_match.id }}" + method: PUT body_format: json headers: Authorization: "Bearer {{ tokens.json.access_token }}" - body: # if found a match, fuse the existing with the match and overwrite (care, need to append the provided configuration on the existing/found one... 
not the opposite) - "{%if cli_reg_pol_isfound %}{{ cli_reg_pol_match | combine(current_cli_reg_pol , recursive=True ) }}{% else %}{{ current_cli_reg_pol | combine(realm_parentId , recursive=True ) }}{% endif %}" - status_code: "{% if cli_reg_pol_isfound %}204{% else %}201{% endif %}" + # if found a match, fuse the existing with the match and overwrite + # (care, need to append the provided configuration on the existing/found one... not the opposite) + body: "{{ cli_reg_pol_match | combine(current_cli_reg_pol, recursive=True) }}" + status_code: 204 vars: - realm_parentId: - parentId: "{{ current_realm.name }}" - - + realm_parentId: # noqa var-naming[pattern] + parentId: "{{ current_realm.name }}" # noqa var-naming[pattern] + when: cli_reg_pol_isfound +- name: "Create client registration policy {{ current_cli_reg_pol.name }} on realm {{ current_realm.name }}" # noqa name[template] + ansible.builtin.uri: + url: "{{ keycloak_proxy_host }}/admin/realms/{{ current_realm.name }}/components" + method: POST + body_format: json + headers: + Authorization: "Bearer {{ tokens.json.access_token }}" + # if found a match, fuse the existing with the match and overwrite + # (care, need to append the provided configuration on the existing/found one... not the opposite) + body: "{{ current_cli_reg_pol | combine(realm_parentId, recursive=True) }}" + status_code: 201 + vars: + realm_parentId: # noqa var-naming[pattern] + parentId: "{{ current_realm.name }}" # noqa var-naming[pattern] + when: not cli_reg_pol_isfound diff --git a/roles/keycloak/tasks/blocks/client_registration_policies/delete_client_reg_policy.yml b/roles/keycloak/tasks/blocks/client_registration_policies/delete_client_reg_policy.yml index ab8737a5..db1971df 100644 --- a/roles/keycloak/tasks/blocks/client_registration_policies/delete_client_reg_policy.yml +++ b/roles/keycloak/tasks/blocks/client_registration_policies/delete_client_reg_policy.yml 
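Review bot: Converting `query` to a folded block scalar kept the surrounding single quotes, so the value now literally begins with `'`; in the original they were YAML string delimiters, not part of the JMESPath expression. A single-quoted JMESPath expression is a raw-string literal, so `json_query` returns the expression text instead of filtering `found_cli_reg_pols`, `| first` yields a one-character string, and the update/create split either errors in the `dict` lookup or misfires; drop the quotes so the scalar body starts with `[? (name == …`. Both `ansible.builtin.uri` tasks send `Authorization: Bearer {{ tokens.json.access_token }}`, which Ansible prints with `-v` or on failure, so they should carry `no_log: true`. The `realm_parentId` vars on the Update task are unused there and can be removed.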
@@ -3,23 +3,27 @@ # current_realm = the current realm (loop item) of the config # del_cli_reg_policy = the current client registration policy (loop item) of the config # found_cli_reg_pols = all the found client registration policies found on the server for the current_realm - - -- set_fact: +- name: Set cli_reg_pol_match fact + ansible.builtin.set_fact: cli_reg_pol_match: "{{ found_cli_reg_pols | json_query(query) | first | default({}) }}" vars: - query: '[? (name == `{{ del_cli_reg_policy.name }}` && providerId == `{{ del_cli_reg_policy.providerId }}` && subType == `{{ del_cli_reg_policy.subType }}`) ]' + query: >- + '[? + (name == `{{ del_cli_reg_policy.name }}` && + providerId == `{{ del_cli_reg_policy.providerId }}` && + subType == `{{ del_cli_reg_policy.subType }}`) ]' -- set_fact: +- name: Set cli_reg_pol_isfound fact + ansible.builtin.set_fact: cli_reg_pol_isfound: "{{ lookup('dict', cli_reg_pol_match) | length > 0 }}" -- name: "Delete client registration policy {{ del_cli_reg_policy.name }} with type {{ del_cli_reg_policy.subtype }} of realm {{ current_realm.name }}" - uri: +- name: Delete client registration policy + # {{ del_cli_reg_policy.name }} with type {{ del_cli_reg_policy.subtype }} of realm {{ current_realm.name }}" + ansible.builtin.uri: url: "{{ keycloak_proxy_host }}/admin/realms/{{ current_realm.name }}/components/{{ cli_reg_pol_match.id }}" - method: "DELETE" + method: DELETE body_format: json headers: Authorization: "Bearer {{ tokens.json.access_token }}" - status_code: "204" + status_code: 204 when: cli_reg_pol_isfound - diff --git a/roles/keycloak/tasks/blocks/configure_basic_realm.yml b/roles/keycloak/tasks/blocks/configure_basic_realm.yml index dcfda8e5..b7dd7898 100644 --- a/roles/keycloak/tasks/blocks/configure_basic_realm.yml +++ b/roles/keycloak/tasks/blocks/configure_basic_realm.yml 
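Review bot: The folded `query` scalar now includes the single quotes as part of its value, so `json_query` receives a JMESPath raw-string literal rather than the `[? … ]` filter and `cli_reg_pol_match` is no longer a policy object; remove the quotes so the scalar starts with `[?`. With the match broken, either the `dict` lookup errors or `cli_reg_pol_isfound` stays false and the DELETE is silently skipped, leaving removed policies active on the realm. The commented-out task name still reads `del_cli_reg_policy.subtype` (lower-case t), which does not match the `subType` key used in the query. Like the other uri tasks in this role, this one sends the admin bearer token in `headers:` and should have `no_log: true`.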
@@ -1,10 +1,9 @@ --- - - name: Acquire tokens - include_tasks: blocks/helpers/get_tokens.yml + ansible.builtin.include_tasks: blocks/helpers/get_tokens.yml -- name: "Check if realm {{ current_realm_item.name }} already exists" - uri: +- name: "Check if realm already exists: {{ current_realm_item.name }}" + ansible.builtin.uri: url: "{{ keycloak_proxy_host }}/admin/realms/{{ current_realm_item.name }}" method: GET headers: @@ -12,11 +11,12 @@ status_code: [200, 404] register: "current_realm_search_result" -- set_fact: +- name: Set current_realm_exists fact + ansible.builtin.set_fact: current_realm_exists: "{% if current_realm_search_result.status == 200 %}true{% else %}false{% endif %}" - name: "Initialize realm '{{ current_realm_item.name }}'" - uri: + ansible.builtin.uri: url: "{{ keycloak_proxy_host }}/admin/realms" method: POST body_format: json @@ -27,11 +27,10 @@ id: "{{ current_realm_item.name }}" realm: "{{ current_realm_item.name }}" status_code: 201 - when: current_realm_exists == false - + when: not current_realm_exists -- name: "Get realm {{ current_realm_item.name }} config" - uri: +- name: "Get realm config: {{ current_realm_item.name }}" + ansible.builtin.uri: url: "{{ keycloak_proxy_host }}/admin/realms/{{ current_realm_item.name }}" method: GET headers: 
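Review bot: `current_realm_exists` is still built with a Jinja if/else that renders the literal strings true/false and, as far as I can tell, relies on set_fact coercing those literals into a boolean before `when: not current_realm_exists` in the third hunk sees it. The comparison already yields a boolean, so `current_realm_exists: "{{ current_realm_search_result.status == 200 }}"` says the same thing directly and keeps working if that coercion is ever disabled (for example under jinja2_native). The `not current_realm_exists` form replacing `== false` is the right follow-up once the fact is a real boolean.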
@@ -40,15 +39,14 @@ register: "current_realm_search_result" -#at this point, we have a realm, either a created or an existing, loaded into the current_realm_search_result variable - -- name: "Fuse realm '{{ current_realm_item.name }}' configurations (existing and ansible's)" - set_fact: - realm_config_to_set: "{{ current_realm_search_result.json | combine(current_realm_item.config | default({}) , recursive=True ) }}" +# at this point, we have a realm, either a created or an existing, loaded into the current_realm_search_result variable +- name: "Fuse realm configurations (existing and ansible's): '{{ current_realm_item.name }}'" + ansible.builtin.set_fact: + realm_config_to_set: "{{ current_realm_search_result.json | combine(current_realm_item.config | default({}), recursive=True) }}" -#now HTTP PUT the information (either the fused or the ansible's original config) to the realm's REST API +# now HTTP PUT the information (either the fused or the ansible's original config) to the realm's REST API - name: "Update realm {{ current_realm_item.name }}" - uri: + ansible.builtin.uri: url: "{{ keycloak_proxy_host }}/admin/realms/{{ current_realm_item.name }}" method: "PUT" body_format: json @@ -57,6 +55,3 @@ body: "{{ realm_config_to_set }}" status_code: "204" - - - diff --git a/roles/keycloak/tasks/blocks/configure_client_reg_policies.yml b/roles/keycloak/tasks/blocks/configure_client_reg_policies.yml index 65e10da8..a0752629 100644 --- a/roles/keycloak/tasks/blocks/configure_client_reg_policies.yml +++ b/roles/keycloak/tasks/blocks/configure_client_reg_policies.yml 
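Review bot: The `Update realm` task still sends `method: "PUT"` and `status_code: "204"` as quoted strings while every sibling uri task in this commit was normalised to `method: PUT` / `status_code: 204`; this is the one task that PUTs the whole merged realm representation, so leaving it out of the sweep makes the file inconsistent with the rest. Both lines are context in these two hunks, so nothing here breaks; it is a follow-up for the same clean-up. The task body continues past the end of the second hunk.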
@@ -3,30 +3,31 @@ # current_realm = the current realm (loop item) of the config - name: Acquire tokens - include_tasks: blocks/helpers/get_tokens.yml + ansible.builtin.include_tasks: blocks/helpers/get_tokens.yml - name: "Get all existing client registration policies of realm {{ current_realm.name }}" - uri: - url: "{{ keycloak_proxy_host }}/admin/realms/{{ current_realm.name }}/components?type=org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy" + ansible.builtin.uri: + url: "{{ keycloak_proxy_host }}/admin/realms/{{ current_realm.name }}/components?type=org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy" # noqa yaml[line-length] method: GET headers: Authorization: "Bearer {{ tokens.json.access_token }}" status_code: [200] register: "found_cli_reg_pols" -- set_fact: +- name: Set found_cli_reg_pols fact + ansible.builtin.set_fact: found_cli_reg_pols: "{{ found_cli_reg_pols.json | default([]) }}" -- include_tasks: blocks/client_registration_policies/create_update_client_reg_policy.yml +- name: Include create update client tasks + ansible.builtin.include_tasks: blocks/client_registration_policies/create_update_client_reg_policy.yml with_items: "{{ current_realm.client_registration_policies.create_update | default([]) }}" loop_control: loop_var: current_cli_reg_pol run_once: true -- include_tasks: blocks/client_registration_policies/delete_client_reg_policy.yml +- name: Include client registration tasks + ansible.builtin.include_tasks: blocks/client_registration_policies/delete_client_reg_policy.yml with_items: "{{ current_realm.client_registration_policies.delete | default([]) }}" loop_control: loop_var: del_cli_reg_policy run_once: true - - diff --git a/roles/keycloak/tasks/blocks/configure_client_scope_mappers.yml b/roles/keycloak/tasks/blocks/configure_client_scope_mappers.yml index 5ebfcf65..a70e6210 100644 --- a/roles/keycloak/tasks/blocks/configure_client_scope_mappers.yml 
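Review bot: The second include is named `Include client registration tasks` but it pulls in `delete_client_reg_policy.yml`, so the task name no longer says what the step does and is hard to tell apart from the create/update include above it in play output. Name it for the action, e.g. `- name: Include delete client registration policy tasks`, and for symmetry `- name: Include create/update client registration policy tasks` on the first one. `found_cli_reg_pols` is first a `register` result and then overwritten by set_fact with its `.json` member; a one-line comment above that set_fact, `# replace the raw uri result with just its JSON body`, would make the rebinding obvious to the next reader.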
+++ b/roles/keycloak/tasks/blocks/configure_client_scope_mappers.yml 
@@ -2,31 +2,52 @@ # item[0] -> whole realm config (ansible variable) # item[1] -> current client_scope config (loop's item of ansible realm's client_scopes[] config) # mapper -> the current mapper config (loop item of item[1].mappers[] above) -# client_scope_matches -> if the current client_scope of the configuration is found in keycloak, it return a single-element array with a trimmed object client_scope.{id,name, protocolMappers} instance) +# client_scope_matches -> if the current client_scope of the configuration is found in keycloak, +# it return a single-element array with a trimmed object client_scope.{id,name, protocolMappers} instance) -- set_fact: +- name: Set mapper matches + ansible.builtin.set_fact: mapper_matches: "{{ client_scope_matches[0].protocolMappers | json_query(query) | default([]) }}" vars: query: '[?name == `{{ mapper.name }}` ].{id: id, name: name }' -- set_fact: - mapper_exists: "{{mapper_matches | length > 0 }}" +- name: Set existgs fact + ansible.builtin.set_fact: + mapper_exists: "{{ mapper_matches | length > 0 }}" -- set_fact: +- name: Set additional info fact + ansible.builtin.set_fact: additional_info: - id: "{{mapper_matches[0].id}}" + id: "{{ mapper_matches[0].id }}" when: mapper_exists -- set_fact: - body: "{% if mapper_exists %}{{ mapper | combine(additional_info , recursive=True ) }}{% else %}{{ mapper }}{% endif %}" +- name: Set body fact + ansible.builtin.set_fact: + body: |- + "{% if mapper_exists %} + {{ mapper | combine(additional_info, recursive=True) }} + {% else %} + {{ mapper }} + {% endif %}" + # body: "mapper_exists | ternary(mapper | combine(additional_info , recursive=True), mapper)" +- name: "Update client scope mapper {{ mapper.name }}" + ansible.builtin.uri: + url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/client-scopes/{{ client_scope_matches[0].id }}/protocol-mappers/models/{{ body.id }}" # noqa yaml[line-length] + method: PUT + body_format: json + headers: + Authorization: "Bearer {{ 
tokens.json.access_token }}" + body: "{{ body }}" + status_code: 204 + when: mapper_exists | bool -- name: "{% if mapper_exists %} Update {% else %} Create {% endif %} client scope mapper {{ mapper.name }}" - uri: - url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/client-scopes/{{ client_scope_matches[0].id }}/protocol-mappers/models{% if mapper_exists %}/{{body.id}}{% endif %}" - method: "{% if mapper_exists %}PUT{% else %}POST{% endif %}" +- name: "Create client scope mapper {{ mapper.name }}" + ansible.builtin.uri: + url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/client-scopes/{{ client_scope_matches[0].id }}/protocol-mappers/models" # noqa yaml[line-length] + method: POST body_format: json headers: Authorization: "Bearer {{ tokens.json.access_token }}" - body: - "{{ body }}" - status_code: "{% if mapper_exists %}204{% else %}201{% endif %}" + body: "{{ body }}" + status_code: 201 + when: (not mapper_exists) | bool diff --git a/roles/keycloak/tasks/blocks/configure_client_scopes.yml b/roles/keycloak/tasks/blocks/configure_client_scopes.yml index 2aebd65a..bca6ca0a 100644 --- a/roles/keycloak/tasks/blocks/configure_client_scopes.yml +++ b/roles/keycloak/tasks/blocks/configure_client_scopes.yml 
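Review bot: The block-scalar form of `body` in `Set body fact` changes the value's type: under `|-` the surrounding double quotes and the line breaks are part of the rendered string, so the result starts with `"` and a newline and, as far as I can tell, is no longer turned back into a mapping the way the old single-line `{% if %}…{% endif %}` result was; `body.id` in the Update URL and `body: "{{ body }}"` would then operate on a string. Keep it on one line, `body: "{% if mapper_exists %}{{ mapper | combine(additional_info, recursive=True) }}{% else %}{{ mapper }}{% endif %}"`, as configure_federation_mapper.yml does in this same commit, or split it into two set_fact tasks guarded by `when: mapper_exists` / `when: not mapper_exists` as configure_client_scopes.yml does. The commented-out ternary alternative is not a drop-in replacement either, since it would evaluate `combine(additional_info)` even when `additional_info` is undefined. The task name `Set existgs fact` also has a typo (`Set mapper exists fact`).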
@@ -1,82 +1,100 @@ --- - name: Acquire tokens - include_tasks: blocks/helpers/get_tokens.yml + ansible.builtin.include_tasks: blocks/helpers/get_tokens.yml -- name: "Get current client scopes of realm: {{item[0].name}}" - include_tasks: blocks/helpers/get_client_scopes_list.yml +- name: "Get current client scopes of realm: {{ item[0].name }}" + ansible.builtin.include_tasks: blocks/helpers/get_client_scopes_list.yml -- set_fact: - client_scope_exists: "{{client_scope_matches | length > 0 }}" +- name: Set fact + ansible.builtin.set_fact: + client_scope_exists: "{{ client_scope_matches | length > 0 }}" -- set_fact: +- name: Set fact + ansible.builtin.set_fact: additional_info: - id: "{{client_scope_matches[0].id}}" + id: "{{ client_scope_matches[0].id }}" when: client_scope_exists -- set_fact: - body: "{{ item[1] | combine(additional_info , recursive=True ) }}" +- name: Set fact + ansible.builtin.set_fact: + body: "{{ item[1] | combine(additional_info, recursive=True) }}" when: client_scope_exists -- set_fact: +- name: Set fact + ansible.builtin.set_fact: body: "{{ item[1] }}" when: not client_scope_exists -- set_fact: # remove the 'mappers' field from the body (if it exists) - body: '{{ body | dict2items | rejectattr("key", "equalto", "mappers") | list | items2dict }}' +- name: Remove the 'mappers' field from the body (if it exists) + ansible.builtin.set_fact: + body: '{{ body | dict2items | rejectattr("key", "equalto", "mappers") | list | items2dict }}' -- set_fact: # remove the 'set_as' field from the body (if it exists) - body: '{{ body | dict2items | rejectattr("key", "equalto", "set_as") | list | items2dict }}' +- name: Remove the 'set_as' field from the body (if it exists) + ansible.builtin.set_fact: + body: '{{ body | dict2items | rejectattr("key", "equalto", "set_as") | list | items2dict }}' -- name: "{% if client_scope_exists %}Update{% else %}Add{% endif %} client scope: {{ item[1].name }} in realm: {{item[0].name}}" - uri: - url: "{{ keycloak_proxy_host 
}}/admin/realms/{{ item[0].name }}/client-scopes{% if client_scope_exists %}/{{body.id}}{% endif %}" - method: "{% if client_scope_exists %}PUT{% else %}POST{% endif %}" +- name: "Update client scope: {{ item[1].name }} in realm: {{ item[0].name }}" # noqa name[template] + ansible.builtin.uri: + url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/client-scopes/{{ body.id }}" + method: "PUT" body_format: json headers: Authorization: "Bearer {{ tokens.json.access_token }}" - body: - "{{ body }}" - status_code: "{% if client_scope_exists %}204{% else %}201{% endif %}" + body: "{{ body }}" + status_code: 204 + when: client_scope_exists | bool -- name: "Get again the client_scopes if there was a newly created just before of realm: {{item[0].name}}" - include_tasks: blocks/helpers/get_client_scopes_list.yml +- name: "Add client scope: {{ item[1].name }} in realm: {{ item[0].name }}" # noqa name[template] + ansible.builtin.uri: + url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/client-scopes" + method: POST + body_format: json + headers: + Authorization: "Bearer {{ tokens.json.access_token }}" + body: "{{ body }}" + status_code: 201 + when: (not client_scope_exists) | bool + +- name: "Get again the client_scopes if there was a newly created just before of realm: {{ item[0].name }}" + ansible.builtin.include_tasks: blocks/helpers/get_client_scopes_list.yml when: not client_scope_exists - name: "Clear from all the default client scopes list (if applicable)" - uri: + ansible.builtin.uri: url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/default-{{ client_scope_mode }}-client-scopes/{{ client_scope_matches[0].id }}" method: "DELETE" headers: Authorization: "Bearer {{ tokens.json.access_token }}" - status_code: "204" + status_code: 204 with_items: - optional - default loop_control: loop_var: client_scope_mode - ignore_errors: yes + ignore_errors: true # noqa ignore-errors # set default or optional (if defined) - name: "Configuring 
default/optional client-scope as '{{ item[1].set_as }}'" - uri: + ansible.builtin.uri: url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/default-{{ item[1].set_as }}-client-scopes/{{ client_scope_matches[0].id }}" - method: "PUT" + method: PUT body_format: json headers: Authorization: "Bearer {{ tokens.json.access_token }}" body: - { realm: "{{ item[0].name }}", clientScopeId: "{{ client_scope_matches[0].id }}" } - status_code: "204" + realm: "{{ item[0].name }}" + clientScopeId: "{{ client_scope_matches[0].id }}" + status_code: 204 when: not item[1].set_as is undefined # now update its mappers -- name: "Setup mappers of the client scope {{ item[1].name }} of the realm: {{item[0].name}}" - include_tasks: blocks/configure_client_scope_mappers.yml +- name: "Setup mappers of the client scope {{ item[1].name }} of the realm: {{ item[0].name }}" # noqa name[template] + ansible.builtin.include_tasks: blocks/configure_client_scope_mappers.yml with_items: "{{ item[1].mappers | default([]) }}" loop_control: loop_var: mapper run_once: true - when: "item[1].mappers | default([]) | length > 0" + when: item[1].mappers | default([]) | length > 0 diff --git a/roles/keycloak/tasks/blocks/configure_default_idp.yml b/roles/keycloak/tasks/blocks/configure_default_idp.yml index 350214f2..fade4fb7 100644 --- a/roles/keycloak/tasks/blocks/configure_default_idp.yml +++ b/roles/keycloak/tasks/blocks/configure_default_idp.yml 
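Review bot: `ignore_errors: true` on the `Clear from all the default client scopes list` DELETE suppresses every failure of that call, including an expired token (401), a missing permission (403) or a 5xx from the proxy, not just the expected "scope is not in that list" case; the noqa only silences the linter, not the masking. If Keycloak answers 404 when the scope is absent from the list, which is worth confirming against the API, then `status_code: [204, 404]` without `ignore_errors` expresses the tolerated case and lets real failures stop the play. Separately, four consecutive tasks are all named `Set fact`, so play output cannot tell them apart; naming them after the fact they set (`Set client_scope_exists fact`, `Set additional_info fact`, …) as other files in this commit do would help, and the same applies to the `Set Fact` tasks in configure_default_idp.yml, configure_event_logging.yml, configure_federations.yml and configure_idp_mappers.yml.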
@@ -1,36 +1,37 @@ --- - -- block: - +- name: Tasks + when: (current_realm.defaultIdPAlias is defined) and (current_realm.defaultIdPAlias | length > 0) + block: - name: Acquire tokens - include_tasks: blocks/helpers/get_tokens.yml - - - name: "Get all executions of the 'browser' authentication flow of the realm {{ current_realm.name }}" + ansible.builtin.include_tasks: blocks/helpers/get_tokens.yml + - ansible.builtin.name: "Get all executions of the 'browser' authentication flow of the realm {{ current_realm.name }}" uri: url: "{{ keycloak_proxy_host }}/admin/realms/{{ current_realm.name }}/authentication/flows/browser/executions" method: GET headers: Authorization: "Bearer {{ tokens.json.access_token }}" status_code: 200 - register: "current_realm_browser_executions" + register: current_realm_browser_executions - - set_fact: + - name: Set Fact + ansible.builtin.set_fact: idp_redirector_matches: "{{ current_realm_browser_executions.json | json_query(query) | default([]) }}" vars: query: '[?providerId == `identity-provider-redirector` ]' - - set_fact: + - name: Set fact + ansible.builtin.set_fact: idp_redirector_id: "{{ idp_redirector_matches[0].id }}" when: idp_redirector_matches | length > 0 - - set_fact: + - name: Set Fact + ansible.builtin.set_fact: idp_redirector_config_id: "{{ idp_redirector_matches[0].authenticationConfig }}" when: idp_redirector_id is defined and idp_redirector_matches[0].authenticationConfig is defined - # if idp_redirector_config_id is defined, it's an update, else it is a new one - - name: "Updating default IdP redirector for the realm {{ current_realm.name }} to the IdP {{ current_realm.defaultIdPAlias }}" - uri: + - name: "Updating default IdP redirector for the realm {{ current_realm.name }} to the IdP {{ current_realm.defaultIdPAlias }}" # noqa name[template] + ansible.builtin.uri: url: "{{ keycloak_proxy_host }}/admin/realms/{{ current_realm.name }}/authentication/config/{{ idp_redirector_config_id }}" method: PUT body_format: json 
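Review bot: The task that fetches the browser-flow executions has the FQCN applied to the wrong key: `- ansible.builtin.name: "Get all executions …"` followed by a bare `uri:`. `ansible.builtin.name` is not a valid task attribute, so the task fails to parse and the name it was meant to carry is lost. It should read `- name: "Get all executions of the 'browser' authentication flow of the realm {{ current_realm.name }}"` over `ansible.builtin.uri:`, matching the other uri tasks in this block. The enclosing block continues into the next hunk.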
@@ -38,24 +39,22 @@ Authorization: "Bearer {{ tokens.json.access_token }}" body: id: "{{ idp_redirector_config_id }}" - alias: "idp-redirector" + alias: idp-redirector config: defaultProvider: "{{ current_realm.defaultIdPAlias }}" status_code: 204 when: idp_redirector_id is defined and idp_redirector_config_id is defined - - name: "Setting the IdP {{ current_realm.defaultIdPAlias }} as default IdP redirector for the realm {{ current_realm.name }}" - uri: + - name: "Setting the IdP {{ current_realm.defaultIdPAlias }} as default IdP redirector for the realm {{ current_realm.name }}" # noqa name[template] + ansible.builtin.uri: url: "{{ keycloak_proxy_host }}/admin/realms/{{ current_realm.name }}/authentication/executions/{{ idp_redirector_id }}/config" method: POST body_format: json headers: Authorization: "Bearer {{ tokens.json.access_token }}" body: - alias: "idp-redirector" + alias: idp-redirector config: defaultProvider: "{{ current_realm.defaultIdPAlias }}" status_code: 201 when: idp_redirector_id is defined and idp_redirector_config_id is undefined - - when: (current_realm.defaultIdPAlias is defined) and (current_realm.defaultIdPAlias | length > 0) diff --git a/roles/keycloak/tasks/blocks/configure_event_logging.yml b/roles/keycloak/tasks/blocks/configure_event_logging.yml index c521ab24..7484c81c 100644 --- a/roles/keycloak/tasks/blocks/configure_event_logging.yml +++ b/roles/keycloak/tasks/blocks/configure_event_logging.yml 
@@ -1,32 +1,32 @@ --- # current_realm_item: is the current realm of the looping of the realms in the configuration -- block: - - - name: Acquire tokens - include_tasks: blocks/helpers/get_tokens.yml - - - name: "Get current event logging configuration of realm: {{ current_realm_item.name }}" - uri: - url: "{{ keycloak_proxy_host }}/admin/realms/{{ current_realm_item.name }}/events/config" - method: "GET" - headers: - Authorization: "Bearer {{ tokens.json.access_token }}" - status_code: "200" - register: current_events_logging - - - set_fact: - new_events_logging: "{{ current_events_logging.json | combine(current_realm_item.events_logging , recursive=True ) }}" +# Unnecessary block - use then when in the include_tasks task.`` +- name: Tasks + when: current_realm_item.events_logging is defined + block: + - name: Acquire tokens + ansible.builtin.include_tasks: blocks/helpers/get_tokens.yml - - name: "Update event logging configuration of realm: {{ current_realm_item.name }}" - uri: - url: "{{ keycloak_proxy_host }}/admin/realms/{{ current_realm_item.name }}/events/config" - method: "PUT" - body_format: json - body: - "{{ new_events_logging }}" - headers: - Authorization: "Bearer {{ tokens.json.access_token }}" - status_code: "204" + - name: "Get current event logging configuration of realm: {{ current_realm_item.name }}" + ansible.builtin.uri: + url: "{{ keycloak_proxy_host }}/admin/realms/{{ current_realm_item.name }}/events/config" + method: GET + headers: + Authorization: "Bearer {{ tokens.json.access_token }}" + status_code: 200 + register: current_events_logging - when: current_realm_item.events_logging is defined + - name: Set Fact + ansible.builtin.set_fact: + new_events_logging: "{{ current_events_logging.json | combine(current_realm_item.events_logging, recursive=True) }}" + - name: "Update event logging configuration of realm: {{ current_realm_item.name }}" + ansible.builtin.uri: + url: "{{ keycloak_proxy_host }}/admin/realms/{{ current_realm_item.name 
}}/events/config" + method: PUT + body_format: json + body: + "{{ new_events_logging }}" + headers: + Authorization: "Bearer {{ tokens.json.access_token }}" + status_code: 204 diff --git a/roles/keycloak/tasks/blocks/configure_federation_mapper.yml b/roles/keycloak/tasks/blocks/configure_federation_mapper.yml index 8c2249f3..8fa69765 100644 --- a/roles/keycloak/tasks/blocks/configure_federation_mapper.yml +++ b/roles/keycloak/tasks/blocks/configure_federation_mapper.yml 
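Review bot: The header comment `# Unnecessary block - use then when in the include_tasks task.``` reads as a note-to-self with a typo and stray backticks; if the block is intentionally kept for now, say so explicitly, e.g. `# TODO: this block only exists to carry a single when; move that condition onto the include_tasks call in the caller and flatten it.` The `body:` of the Update task still has its value on a separate line (`body:` then `"{{ new_events_logging }}"`) while the rest of the commit collapsed that form to `body: "{{ new_events_logging }}"`.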
@@ -2,45 +2,61 @@ # item[0] -> whole realm config (ansible variable) # item[1] -> current federation config (loop's item of ansible realm's federation config) # federation_exists -> boolean flag (it's always true in this file) -# realm_federation_matches -> it's always a single element array (since federation_exists==true) with: [{"alias": "federation_alias", "internalId": "federation_internalId" }] +# realm_federation_matches -> it's always a single element array +# (since federation_exists==true) with: [{"alias": "federation_alias", "internalId": "federation_internalId" }] # existing_mappers_name_id -> contains the current federation mappers id,name pairs i.e. [{id:"mapper_id", name:"mapper_name"}, ...] -# mapper -> contains the new mapper json (from ansible config vars) i.e. {"config":{},"identityProviderMapper":"hardcoded-attribute-idp-mapper","name":"test_mapper2"} +# mapper -> contains the new mapper json (from ansible config vars) +# i.e. {"config":{},"identityProviderMapper":"hardcoded-attribute-idp-mapper","name":"test_mapper2"} -- set_fact: +- name: Set mapper matches fact + ansible.builtin.set_fact: mapper_matches: "{{ existing_mappers_name_id | json_query(query) | default([]) }}" vars: - query: '[?name == `{{ mapper.name }}` ].{id: id, name: name }' + query: '[?name == `{{ mapper.name }}`].{id: id, name: name}' +- name: Set mapper exists fact + ansible.builtin.set_fact: + mapper_exists: "{{ mapper_matches | length > 0 | bool }}" -- set_fact: - mapper_exists: "{{ mapper_matches | length > 0 }}" - -- set_fact: +- name: Set additional info fact + ansible.builtin.set_fact: additional_info: id: "{{ mapper_matches[0].id }}" when: mapper_exists -- set_fact: - body: "{% if mapper_exists %}{{ mapper | combine(additional_info , recursive=True ) }}{% else %}{{ mapper }}{% endif %}" +# Merge this set fact with the previous one. 
+- name: Set body fact + ansible.builtin.set_fact: + body: "{% if mapper_exists %}{{ mapper | combine(additional_info, recursive=True) }}{% else %}{{ mapper }}{% endif %}" +- name: "Updatefederation mapper {{ mapper.name }}" + ansible.builtin.uri: + url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/{{ keycloak_federation.saml.api_path }}/instances/{{ realm_federation_matches[0].internalId }}/mappers/{{ body.id }}" # noqa yaml[line-length] + method: PUT + body_format: json + headers: + Authorization: "Bearer {{ tokens.json.access_token }}" + body: "{{ body }}" + status_code: 204 + when: mapper_exists | bool -- name: "{% if mapper_exists %} Update {% else %} Create {% endif %} federation mapper {{ mapper.name }}" - uri: - url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/{{ keycloak_federation.saml.api_path }}/instances/{{ realm_federation_matches[0].internalId }}/mappers{% if mapper_exists %}/{{ body.id }}{% endif %}" - method: "{% if mapper_exists %}PUT{% else %}POST{% endif %}" +- name: "Create federation mapper {{ mapper.name }}" + ansible.builtin.uri: + url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/{{ keycloak_federation.saml.api_path }}/instances/{{ realm_federation_matches[0].internalId }}/mappers" # noqa yaml[line-length] + method: POST body_format: json headers: Authorization: "Bearer {{ tokens.json.access_token }}" - body: - "{{ body }}" - status_code: "{% if mapper_exists %}204{% else %}201{% endif %}" + body: "{{ body }}" + status_code: 201 + when: not (mapper_exists | bool) # this is meant to run after a successful first deployment of the federations and the mappers (that's why the "when: mapper_exists") # You should execute it only when you are sure that the federation(s) are fully populated - name: Apply mappers (propagate) to federation IdP(s) - uri: - url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/{{ keycloak_federation.saml.api_path }}/instances/{{ realm_federation_matches[0].internalId 
}}/mappers/{{ body.id }}/idp/add" + ansible.builtin.uri: + url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/{{ keycloak_federation.saml.api_path }}/instances/{{ realm_federation_matches[0].internalId }}/mappers/{{ body.id }}/idp/add" # noqa yaml[line-length] method: POST headers: Authorization: "Bearer {{ tokens.json.access_token }}" diff --git a/roles/keycloak/tasks/blocks/configure_federations.yml b/roles/keycloak/tasks/blocks/configure_federations.yml index edf0948b..20f1baf2 100644 --- a/roles/keycloak/tasks/blocks/configure_federations.yml +++ b/roles/keycloak/tasks/blocks/configure_federations.yml 
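Review bot: `mapper_exists: "{{ mapper_matches | length > 0 | bool }}"` does not apply `bool` to the comparison: Jinja filters bind tighter than `>`, so this is `length > (0 | bool)`, i.e. `length > False`, which only works because Python treats False as 0. Write `"{{ mapper_matches | length > 0 }}"` (the comparison is already a boolean, as the other `mapper_exists` facts in this commit do) or `"{{ (mapper_matches | length > 0) | bool }}"`. The task name `Updatefederation mapper` is missing a space, and `# Merge this set fact with the previous one.` states an intention without saying why or when; if it is pending work, mark it `# TODO:` so it is not mistaken for a description. The last task's body continues past the end of the hunk.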
@@ -1,63 +1,64 @@ --- - name: Acquire tokens - include_tasks: blocks/helpers/get_tokens.yml + ansible.builtin.include_tasks: blocks/helpers/get_tokens.yml -- name: "Initiating federation search in keycloak" - include_tasks: blocks/helpers/search_realm_federations.yml +- name: Initiating federation search in keycloak + ansible.builtin.include_tasks: blocks/helpers/search_realm_federations.yml -- set_fact: +- name: Check if federation exists + ansible.builtin.set_fact: federation_exists: "{{ realm_federation_matches | length > 0 }}" -- set_fact: +- name: Set additional info + ansible.builtin.set_fact: additional_info: internalId: "{{ realm_federation_matches[0].internalId }}" when: federation_exists -- set_fact: - body: "{% if federation_exists %}{{ item[1] | combine(additional_info , recursive=True ) }}{% else %}{{ item[1] }}{% endif %}" - -- set_fact: # remove the 'mappers' field from the body (if it exists) +- name: Set body fact + ansible.builtin.set_fact: + # body: "{% if federation_exists %}{{ item[1] | combine(additional_info, recursive=True) }}{% else %}{{ item[1] }}{% endif %}" + body: "{{ federation_exists | ternary((item[1] | combine(additional_info, recursive=True)), item[1]) }}" +- name: Remove the 'mappers' field from the body (if it exists) + ansible.builtin.set_fact: body: '{{ body | dict2items | rejectattr("key", "equalto", "mappers") | list | items2dict }}' - name: "Configuring federation {{ item[1].alias }}" - uri: + ansible.builtin.uri: url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/{{ keycloak_federation.saml.api_path }}/instances" method: POST body_format: json headers: Authorization: "Bearer {{ tokens.json.access_token }}" - body: - "{{ body }}" + body: "{{ body }}" status_code: 201 - #get once more the federation_matches. 
now federation_matches should contain exactly one object in the list with the internalId and alias of the current federation -- name: "Initiating federation search in keycloak" - include_tasks: blocks/helpers/search_realm_federations.yml +# get once more the federation_matches. +# now federation_matches should contain exactly one object in the list with the internalId and alias of the current federation +- name: Initiating federation search in keycloak + ansible.builtin.include_tasks: blocks/helpers/search_realm_federations.yml -- name: "Configuring mappers of the federation {{ item[1].alias }} of the realm: {{ item[0].name }}" +- name: "Configuring mappers of the federation {{ item[1].alias }} of the realm: {{ item[0].name }}" # noqa name[template] + when: (realm_federation_matches | length) > 0 block: - - - name: "Get list of federation {{ item[1].alias }} mappers" - uri: - url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/{{ keycloak_federation.saml.api_path }}/instances/{{ realm_federation_matches[0].internalId }}/mappers" + - name: "Get list of federation {{ item[1].alias }} mappers" # noqa name[template] + ansible.builtin.uri: + url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/{{ keycloak_federation.saml.api_path }}/instances/{{ realm_federation_matches[0].internalId }}/mappers" # noqa yaml[line-length] method: GET headers: Authorization: "Bearer {{ tokens.json.access_token }}" status_code: 200 register: existing_mappers - - set_fact: + - name: Set fact + ansible.builtin.set_fact: existing_mappers_name_id: "{{ existing_mappers.json | json_query(query) | default([]) }}" vars: query: '[].{name: name, id: id }' - - name: Setup federation mapper - include_tasks: blocks/configure_federation_mapper.yml + ansible.builtin.include_tasks: blocks/configure_federation_mapper.yml with_items: "{{ item[1].mappers | default([]) }}" loop_control: loop_var: mapper run_once: true - - when: "realm_federation_matches | length > 0" - 
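Review bot: The ternary form of `body` evaluates both branches before choosing: `item[1] | combine(additional_info, recursive=True)` runs even when `federation_exists` is false, and in that case `additional_info` is either undefined (first federation in the loop, where combine is unlikely to accept a non-dict) or a stale value left over from a previous loop iteration, since facts persist across `include_tasks` iterations. The old `{% if %}…{% endif %}` form only evaluated the taken branch; restoring it, or splitting into two `set_fact` tasks guarded by `when: federation_exists` / `when: not federation_exists`, avoids running the combine when there is nothing to combine. If the ternary is kept deliberately, the commented-out line above it should be deleted rather than left as a second copy. Hoisting the mappers block's `when:` to the top reads better than the trailing `when:` it replaces.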
diff --git a/roles/keycloak/tasks/blocks/configure_idp_mappers.yml b/roles/keycloak/tasks/blocks/configure_idp_mappers.yml index 67425cc2..3577eea0 100644 --- a/roles/keycloak/tasks/blocks/configure_idp_mappers.yml +++ b/roles/keycloak/tasks/blocks/configure_idp_mappers.yml 
@@ -1,44 +1,49 @@ --- - name: Acquire tokens - include_tasks: blocks/helpers/get_tokens.yml + ansible.builtin.include_tasks: blocks/helpers/get_tokens.yml - name: "Get current mappers of idp: {{ item[0].name }}" - include_tasks: blocks/helpers/get_idp_mappers_list.yml + ansible.builtin.include_tasks: blocks/helpers/get_idp_mappers_list.yml -- set_fact: +- name: Set Fact + ansible.builtin.set_fact: mapper_exists: "{{ idp_mapper_match | length > 0 }}" -- set_fact: +- name: Set Fact + ansible.builtin.set_fact: additional_info: id: "{{ idp_mapper_match[0].id }}" - when: mapper_exists + when: mapper_exists | bool -- set_fact: - body: "{{ item[1] | combine(additional_info , recursive=True ) }}" - when: mapper_exists +- name: Set Fact + ansible.builtin.set_fact: + body: "{{ item[1] | combine(additional_info, recursive=True) }}" + when: mapper_exists | bool -- set_fact: +- name: Set Fact + ansible.builtin.set_fact: body: "{{ item[1] }}" - when: not mapper_exists + when: not (mapper_exists | bool) -- name: "{% if mapper_exists %}Update{% else %}Add{% endif %} idp mapper: {{ item[1].name }} for idp: {{ item[1].identityProviderAlias }}" - uri: - url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/identity-provider/instances/{{ body.identityProviderAlias }}/mappers{% if mapper_exists %}/{{ body.id }}{% endif %}" - method: "{% if mapper_exists %}PUT{% else %}POST{% endif %}" +- name: "Update idp mapper: {{ item[1].name }} for idp: {{ item[1].identityProviderAlias }}" # noqa name[template] + ansible.builtin.uri: + url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/identity-provider/instances/{{ body.identityProviderAlias }}/mappers/{{ body.id }}" + method: PUT body_format: json headers: Authorization: "Bearer {{ tokens.json.access_token }}" - body: - "{{ body }}" - status_code: "{% if mapper_exists %}204{% else %}201{% endif %}" - - - - - - - - - - + body: "{{ body }}" + status_code: 204 + when: mapper_exists | bool + +- name: "Add idp mapper: {{ 
item[1].name }} for idp: {{ item[1].identityProviderAlias }}" # noqa name[template] + ansible.builtin.uri: + url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/identity-provider/instances/{{ body.identityProviderAlias }}/mappers" + method: POST + body_format: json + headers: + Authorization: "Bearer {{ tokens.json.access_token }}" + body: "{{ body }}" + status_code: 201 + when: not (mapper_exists | bool) diff --git a/roles/keycloak/tasks/blocks/configure_saml_idps.yml b/roles/keycloak/tasks/blocks/configure_saml_idps.yml index 355ff84b..3b1efb12 100644 --- a/roles/keycloak/tasks/blocks/configure_saml_idps.yml +++ b/roles/keycloak/tasks/blocks/configure_saml_idps.yml @@ -1,18 +1,19 @@ --- - name: Acquire tokens - include_tasks: blocks/helpers/get_tokens.yml + ansible.builtin.include_tasks: blocks/helpers/get_tokens.yml - name: "Get current IdPs list of realm: {{ item[0].name }}" - include_tasks: blocks/helpers/get_realm_idps_list.yml + ansible.builtin.include_tasks: blocks/helpers/get_realm_idps_list.yml -- set_fact: - new_idp: "{% if item[1].data.alias not in idps_list %}true{% else %}false{% endif %}" +- name: Set fact + ansible.builtin.set_fact: + new_idp: "({% if item[1].data.alias not in idps_list %}true{% else %}false{% endif %}) | bool" - name: "{% if new_idp %}Installing{% else %}Updating{% endif %} saml IdP: {{ item[1].data.alias }}" block: - name: "Get config from url: {{ item[1].metadataUrl }}" - uri: + ansible.builtin.uri: url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/identity-provider/import-config" method: POST body_format: json 
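Review bot: `new_idp: "({% if … %}true{% else %}false{% endif %}) | bool"` puts the `| bool` outside any `{{ }}`, so the fact is the literal string `(true) | bool` or `(false) | bool`, a non-empty string that is truthy in both `when: new_idp` and the task name; `when: not new_idp` on the Update task in the next hunk can then never fire, and an alias that already exists would be POSTed again. Use `new_idp: "{{ item[1].data.alias not in idps_list }}"`, which renders a real boolean, and the Create/Update split in the following hunk works as intended. The split itself is correct; only the fact that drives it is broken. The enclosing block continues into the next hunk.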
@@ -24,13 +25,24 @@ status_code: 200 register: saml_idp_result - - name: "Setup saml IdP {{ item[1].data.alias }}" - uri: - url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/identity-provider/instances{% if new_idp %}{% else %}/{{ item[1].data.alias }}{% endif %}" - method: "{% if new_idp %}POST{% else %}PUT{% endif %}" + - name: "Create saml IdP {{ item[1].data.alias }}" + ansible.builtin.uri: + url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/identity-provider/instances" + method: POST body_format: json headers: Authorization: "Bearer {{ tokens.json.access_token }}" - body: - "{{ { 'config': saml_idp_result.json } | combine( item[1].data, recursive=True ) }}" - status_code: "{% if new_idp %}201{% else %}204{% endif %}" + body: "{{ {'config': saml_idp_result.json} | combine(item[1].data, recursive=True) }}" + status_code: 201 + when: new_idp + + - name: "Update saml IdP {{ item[1].data.alias }}" + ansible.builtin.uri: + url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/identity-provider/instances/{{ item[1].data.alias }}" + method: PUT + body_format: json + headers: + Authorization: "Bearer {{ tokens.json.access_token }}" + body: "{{ {'config': saml_idp_result.json} | combine(item[1].data, recursive=True) }}" + status_code: 204 + when: not new_idp diff --git a/roles/keycloak/tasks/blocks/configure_social_idps.yml b/roles/keycloak/tasks/blocks/configure_social_idps.yml index db6c24f6..9fea8001 100644 --- a/roles/keycloak/tasks/blocks/configure_social_idps.yml +++ b/roles/keycloak/tasks/blocks/configure_social_idps.yml 
@@ -1,21 +1,33 @@ --- - name: Acquire tokens - include_tasks: blocks/helpers/get_tokens.yml + ansible.builtin.include_tasks: blocks/helpers/get_tokens.yml -- name: "Configuring IdP: {{ item[1].alias }} Get current IdPs list for realm: {{ item[0].name }}" - include_tasks: blocks/helpers/get_realm_idps_list.yml +- name: "Configuring IdP: {{ item[1].alias }} Get current IdPs list for realm: {{ item[0].name }}" # noqa name[template] + ansible.builtin.include_tasks: blocks/helpers/get_realm_idps_list.yml -- set_fact: +- name: Set new idp fact + ansible.builtin.set_fact: new_idp: "{% if item[1].alias not in idps_list %}true{% else %}false{% endif %}" -- name: "{% if new_idp %}Add{% else %}Update{% endif %} idp: {{ item[1].alias }}" - uri: +- name: "Add idp: {{ item[1].alias }}" + ansible.builtin.uri: url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/identity-provider/instances{% if new_idp %}{% else %}/{{ item[1].alias }}{% endif %}" - method: "{% if new_idp %}POST{% else %}PUT{% endif %}" + method: POST body_format: json headers: Authorization: "Bearer {{ tokens.json.access_token }}" - body: - "{{ item[1] }}" - status_code: "{% if new_idp %}201{% else %}204{% endif %}" + body: "{{ item[1] }}" + status_code: 201 + when: new_idp + +- name: "Update idp: {{ item[1].alias }}" + ansible.builtin.uri: + url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/identity-provider/instances{% if new_idp %}{% else %}/{{ item[1].alias }}{% endif %}" + method: PUT + body_format: json + headers: + Authorization: "Bearer {{ tokens.json.access_token }}" + body: "{{ item[1] }}" + status_code: 204 + when: not new_idp diff --git a/roles/keycloak/tasks/blocks/configure_theme.yml b/roles/keycloak/tasks/blocks/configure_theme.yml index 48c50ad6..9212b2b1 100644 --- a/roles/keycloak/tasks/blocks/configure_theme.yml +++ b/roles/keycloak/tasks/blocks/configure_theme.yml 
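Review bot: Both the `Add idp` and `Update idp` tasks keep the `{% if new_idp %}{% else %}/{{ item[1].alias }}{% endif %}` switch inside `url:` even though each task now runs on only one side of `new_idp`, so the URL is derived from the same variable twice; if `new_idp` ever evaluates differently in the template than in `when:` (for example as a non-empty string), the update would PUT to the collection path. Mirror what configure_saml_idps.yml does in this commit: `url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/identity-provider/instances"` on the POST task and `url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/identity-provider/instances/{{ item[1].alias }}"` on the PUT task.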
@@ -1,15 +1,16 @@ --- - name: Acquire tokens - include_tasks: blocks/helpers/get_tokens.yml + ansible.builtin.include_tasks: blocks/helpers/get_tokens.yml ## we should issue the configuration calls from all host machines locally (and not through the proxy), ## because we want to be absolutely sure that all calls have been executed on all keycloak nodes at least once. -- ansible.builtin.set_fact: +- name: Ensure local host fact + ansible.builtin.set_fact: keycloak_local_host: "http://{{ keycloak_local_address }}:{{ keycloak_bind_port }}/{{ keycloak_base_url_path }}" -- name: "Add {{keycloak_plugins.wayf.theme.name}} theme's terms of use for the realm {{ item.name }}" - uri: +- name: "Add {{ keycloak_plugins.wayf.theme.name }} theme's terms of use for the realm {{ item.name }}" # noqa name[template] + ansible.builtin.uri: url: "{{ keycloak_local_host }}/realms/{{ item.name }}/theme-info/terms-of-use" method: POST body_format: raw @@ -20,8 +21,8 @@ status_code: 201 when: not item.terms is undefined -- name: "Add {{keycloak_plugins.wayf.theme.name}} theme's configuration for the realm {{ item.name }}" - uri: +- name: "Add {{ keycloak_plugins.wayf.theme.name }} theme's configuration for the realm {{ item.name }}" # noqa name[template] + ansible.builtin.uri: url: "{{ keycloak_local_host }}/realms/{{ item.name }}/theme-info/theme-config" method: POST body_format: json @@ -32,7 +33,7 @@ when: not item.config is undefined - name: "Add resource files" - uri: + ansible.builtin.uri: url: "{{ keycloak_local_host }}/realms/{{ item.name }}/theme-info/resource/{{ theme_realm_resource.filename }}" method: POST headers: @@ -46,5 +47,3 @@ loop_control: loop_var: theme_realm_resource with_items: "{{ item.resources | default([]) }}" - - diff --git a/roles/keycloak/tasks/blocks/helpers/get_client_scopes_list.yml b/roles/keycloak/tasks/blocks/helpers/get_client_scopes_list.yml index fd54d353..614eafcc 100644 --- a/roles/keycloak/tasks/blocks/helpers/get_client_scopes_list.yml 
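Review bot: The new task name `Ensure local host fact` says nothing about the value being set, while the comment above it explains the intent well; `Set keycloak_local_host to the node-local Keycloak URL` would carry that into the play output. The context lines `when: not item.terms is undefined` and `when: not item.config is undefined` in the first two hunks double-negate a test; `when: item.terms is defined` / `when: item.config is defined` read as intended.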
+++ b/roles/keycloak/tasks/blocks/helpers/get_client_scopes_list.yml @@ -1,6 +1,6 @@ --- - name: "Get list of client scopes" - uri: + ansible.builtin.uri: url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/client-scopes" method: GET headers: @@ -8,7 +8,8 @@ status_code: 200 register: "client_scopes_list" -- set_fact: +- name: Set Fact + ansible.builtin.set_fact: client_scope_matches: "{{ client_scopes_list.json | json_query(query) | default([]) }}" vars: query: '[?name == `{{ item[1].name }}` ]' diff --git a/roles/keycloak/tasks/blocks/helpers/get_idp_mappers_list.yml b/roles/keycloak/tasks/blocks/helpers/get_idp_mappers_list.yml index aca59cba..69e5f5b4 100644 --- a/roles/keycloak/tasks/blocks/helpers/get_idp_mappers_list.yml +++ b/roles/keycloak/tasks/blocks/helpers/get_idp_mappers_list.yml @@ -1,7 +1,6 @@ --- - -- name: "Get list of idp's mappers" - uri: +- name: Get list of idp's mappers + ansible.builtin.uri: url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/identity-provider/instances/{{ item[1].identityProviderAlias }}/mappers" method: GET headers: @@ -9,7 +8,8 @@ status_code: 200 register: "idp_mappers_result" -- set_fact: +- name: Set Fact + ansible.builtin.set_fact: idp_mapper_match: "{{ idp_mappers_result.json | json_query(query) | default([]) }}" vars: query: '[?name == `{{ item[1].name }}` ].{name: name, id: id }' diff --git a/roles/keycloak/tasks/blocks/helpers/get_realm_idps_list.yml b/roles/keycloak/tasks/blocks/helpers/get_realm_idps_list.yml index a712cb74..ba12e58f 100644 --- a/roles/keycloak/tasks/blocks/helpers/get_realm_idps_list.yml +++ b/roles/keycloak/tasks/blocks/helpers/get_realm_idps_list.yml @@ -1,7 +1,7 @@ --- - name: "Get list of idps" - uri: + ansible.builtin.uri: url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/identity-provider/instances" method: GET headers: 
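Review bot: The `query` strings in the set_fact tasks of get_client_scopes_list.yml and get_idp_mappers_list.yml (and search_realm_federations.yml later in this diff) build a JMESPath literal by interpolating `item[1].name` between backticks, so a name containing a backtick or quote breaks or alters the query, and `json_query` needs the jmespath library on the controller. For the plain name match a Jinja filter avoids the string-built query: `client_scope_matches: "{{ client_scopes_list.json | selectattr('name', 'equalto', item[1].name) | list }}"`. The mapper helper additionally projects `{name, id}`, so it needs an extra `map` step if converted; the scopes and federation helpers convert directly.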
@@ -9,5 +9,6 @@ status_code: 200 register: "idps_result" -- set_fact: - idps_list: "{{ idps_result.json | json_query('[].alias') }}" \ No newline at end of file +- name: Set fact + ansible.builtin.set_fact: + idps_list: "{{ idps_result.json | json_query('[].alias') }}" diff --git a/roles/keycloak/tasks/blocks/helpers/get_realm_keys.yml b/roles/keycloak/tasks/blocks/helpers/get_realm_keys.yml index bdbfcee1..808e6a6d 100644 --- a/roles/keycloak/tasks/blocks/helpers/get_realm_keys.yml +++ b/roles/keycloak/tasks/blocks/helpers/get_realm_keys.yml @@ -1,6 +1,6 @@ --- - name: "Get list of keys of realm: {{ item[0].name }}" - uri: + ansible.builtin.uri: url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/components?parent={{ item[0].name }}&type=org.keycloak.keys.KeyProvider" method: GET headers: @@ -8,8 +8,9 @@ status_code: 200 register: "keys_result" -- set_fact: - keys_provideridName2id: "{{ keys_provideridName2id | default({}) | combine( { current_key.providerId + ':' + current_key.name : current_key.id } ) }}" +- name: Set Fact + ansible.builtin.set_fact: + keys_providerid_name_2_id: "{{ keys_providerid_name_2_id | default({}) | combine({current_key.providerId + ':' + current_key.name: current_key.id}) }}" loop_control: loop_var: current_key with_items: diff --git a/roles/keycloak/tasks/blocks/helpers/get_tokens.yml b/roles/keycloak/tasks/blocks/helpers/get_tokens.yml index 6e2d025f..deba711a 100644 --- a/roles/keycloak/tasks/blocks/helpers/get_tokens.yml +++ b/roles/keycloak/tasks/blocks/helpers/get_tokens.yml 
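Review bot: `keys_providerid_name_2_id` is only ever extended (`| default({}) | combine(...)`) and its key is `providerId:name` with no realm component, so if this helper is included once per (realm, key) pair and the fact persists between includes, entries from an earlier realm survive into the next one and configure_keys.yml's `is defined` check could take the PUT path with another realm's component id. Resetting the map before the loop guards this: a preceding task `- name: Reset realm key map` with `ansible.builtin.set_fact:` and `keys_providerid_name_2_id: {}`. The renamed fact is updated in configure_keys.yml within this diff; any consumer outside the diff would need the same rename.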
@@ -1,13 +1,12 @@ --- - - name: Acquire tokens - uri: + ansible.builtin.uri: url: "{{ keycloak_proxy_host }}/realms/master/protocol/openid-connect/token" method: POST body_format: form-urlencoded body: - client_id: "admin-cli" - username: "{{keycloak_admin.user}}" - password: "{{keycloak_admin.pass}}" - grant_type: "password" - register: "tokens" # token is in "tokens.json.access_token" + client_id: admin-cli + username: "{{ keycloak_admin.user }}" + password: "{{ keycloak_admin.pass }}" + grant_type: password + register: tokens # token is in "tokens.json.access_token" diff --git a/roles/keycloak/tasks/blocks/helpers/search_realm_federations.yml b/roles/keycloak/tasks/blocks/helpers/search_realm_federations.yml index c545bf87..2a22090a 100644 --- a/roles/keycloak/tasks/blocks/helpers/search_realm_federations.yml +++ b/roles/keycloak/tasks/blocks/helpers/search_realm_federations.yml @@ -1,16 +1,16 @@ --- -- name: "Search federation {{ item[1].alias }} in keycloak" - uri: +- name: "Search federation in keycloak - {{ item[1].alias }}" + ansible.builtin.uri: url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}" method: GET headers: Authorization: "Bearer {{ tokens.json.access_token }}" status_code: 200 - register: "realm_result" + register: realm_result -- set_fact: +- name: Set real federation matches + ansible.builtin.set_fact: realm_federation_matches: "{{ realm_result.json[keycloak_federation.saml.representation_entity] | json_query(query) | default([]) }}" vars: query: '[?alias == `{{ item[1].alias }}` ].{alias: alias, internalId: internalId }' - diff --git a/roles/keycloak/tasks/blocks/helpers/setup_logs_folder.yml b/roles/keycloak/tasks/blocks/helpers/setup_logs_folder.yml index 450d4e7b..b41ec150 100644 --- a/roles/keycloak/tasks/blocks/helpers/setup_logs_folder.yml +++ b/roles/keycloak/tasks/blocks/helpers/setup_logs_folder.yml 
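Review bot: The `Acquire tokens` uri task submits `keycloak_admin.pass` and registers a response whose `json.access_token` is a bearer token for the admin API, yet carries no `no_log: true`, so a verbose run or a failed request prints both the password and the token to the controller output and anything collecting it. Add `no_log: true` to the task; `tokens.json.access_token` remains usable by the callers. Each include of this file also performs a fresh password grant, and this diff includes it before nearly every API call, so reusing the token within its lifetime is worth a follow-up.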
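Review bot: The new task name `Set real federation matches` has a typo (`real` for `realm`); `Set realm federation matches` names the fact it sets. The `register: realm_result` unquoting is consistent with the rest of the diff, but the sibling helpers in this diff still use `register: "client_scopes_list"` style, so the quoting is now mixed across the helpers directory.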
@@ -1,34 +1,30 @@ --- -- block: - ##### Setup logs directory - - name: "Create {{ keycloak_logs_folder }} (if it doesn't exist)" - file: - path: "{{ keycloak_logs_folder }}" - owner: "{{ keycloak_service_user }}" - group: "{{ keycloak_service_user }}" - mode: 0750 - recurse: yes - state: directory - become: yes - - - name: "Move existing logs in default location to new location, if needed (that's for backwards compatibility)" - block: - - - stat: - path: "{{ keycloak_home }}/standalone/log" - register: keycloak_old_logs_folder - - - name: "Copy everything from {{ keycloak_home }}/standalone/log to {{ keycloak_logs_folder }}" - copy: - src: "{{ keycloak_home }}/standalone/log/" - dest: "{{ keycloak_logs_folder }}" +- name: Setup logs directory + ansible.builtin.block: + - name: "Create {{ keycloak_logs_folder }} (if it doesn't exist)" + ansible.builtin.file: + path: "{{ keycloak_logs_folder }}" owner: "{{ keycloak_service_user }}" group: "{{ keycloak_service_user }}" - remote_src: true - mode: 0640 - become: yes - when: keycloak_old_logs_folder.stat.exists - - tags: "keycloak:setup_logs_folder" + mode: "0750" + recurse: true + state: directory + become: true + - name: Move existing logs in default location to new location, if needed (that's for backwards compatibility) + ansible.builtin.block: + - ansible.builtin.stat: + path: "{{ keycloak_home }}/standalone/log" + register: keycloak_old_logs_folder + - name: "Copy everything from {{ keycloak_home }}/standalone/log to {{ keycloak_logs_folder }}" + ansible.builtin.copy: + src: "{{ keycloak_home }}/standalone/log/" + dest: "{{ keycloak_logs_folder }}" + owner: "{{ keycloak_service_user }}" + group: "{{ keycloak_service_user }}" + remote_src: true + mode: "0640" + become: true + when: keycloak_old_logs_folder.stat.exists + tags: keycloak:setup_logs_folder 
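Review bot: The inner `- ansible.builtin.stat:` task is the only task in the rewritten block without a `name:`, which leaves an anonymous line in the play output and trips ansible-lint's name[missing]; `- name: Check for legacy logs folder under keycloak_home` fixes it. Separately, `recurse: true` together with `mode: "0750"` on the `file` task applies that mode to the directory's existing contents as well, which gives log files an execute bit; if only the directory should be 0750, drop `recurse` and let the copy task's `mode: "0640"` govern the files.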
diff --git a/roles/keycloak/tasks/blocks/helpers/unassign_default_client_scopes.yml b/roles/keycloak/tasks/blocks/helpers/unassign_default_client_scopes.yml index 4d36b127..c5a8a2ef 100644 --- a/roles/keycloak/tasks/blocks/helpers/unassign_default_client_scopes.yml +++ b/roles/keycloak/tasks/blocks/helpers/unassign_default_client_scopes.yml @@ -1,9 +1,10 @@ --- - -- include_tasks: blocks/helpers/get_tokens.yml +# this is included below - not idempotent should be a handler with flush +- name: Include get tokens tasks + ansible.builtin.include_tasks: blocks/helpers/get_tokens.yml - name: "Get all default optional client-scopes list" - uri: + ansible.builtin.uri: url: "{{ keycloak_proxy_host }}/admin/realms/{{ current_realm.name }}/default-optional-client-scopes" method: "GET" headers: 
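Review bot: The new comment `# this is included below - not idempotent should be a handler with flush` is hard to parse: it does not say what "this" refers to or which step is not idempotent. Something like `# get_tokens.yml is included again further down; each include performs a fresh password grant (TODO: reuse the token while it is valid)` states the observation and the intended follow-up. If a handler with `ansible.builtin.meta: flush_handlers` is really the plan, say that explicitly so the next reader does not have to guess.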
@@ -12,26 +13,25 @@ register: "default_optional_list" - name: "Clear all from the default optional client scopes list" - include_tasks: blocks/helpers/unassign_default_optional_client_scope.yml + ansible.builtin.include_tasks: blocks/helpers/unassign_default_optional_client_scope.yml with_items: "{{ default_optional_list.json | default([]) }}" loop_control: loop_var: current_default_optional +- name: Include get_tokens + ansible.builtin.include_tasks: blocks/helpers/get_tokens.yml -- include_tasks: blocks/helpers/get_tokens.yml - -- name: "Get all default default client-scopes list" - uri: +- name: Get all default default client-scopes list + ansible.builtin.uri: url: "{{ keycloak_proxy_host }}/admin/realms/{{ current_realm.name }}/default-default-client-scopes" method: "GET" headers: Authorization: "Bearer {{ tokens.json.access_token }}" - status_code: "200" + status_code: 200 register: "default_default_list" - -- name: "Clear all from the default default client scopes list" - include_tasks: blocks/helpers/unassign_default_default_client_scope.yml +- name: Clear all from the default default client scopes list + ansible.builtin.include_tasks: blocks/helpers/unassign_default_default_client_scope.yml with_items: "{{ default_default_list.json | default([]) }}" loop_control: loop_var: current_default_default diff --git a/roles/keycloak/tasks/blocks/helpers/unassign_default_default_client_scope.yml b/roles/keycloak/tasks/blocks/helpers/unassign_default_default_client_scope.yml index 5414b2b8..10fab4cd 100644 --- a/roles/keycloak/tasks/blocks/helpers/unassign_default_default_client_scope.yml +++ b/roles/keycloak/tasks/blocks/helpers/unassign_default_default_client_scope.yml 
@@ -1,11 +1,12 @@ --- +# tasks/blocks/helpers/unassign_default_default_client_scope.yml +- name: Include tokens tasks + ansible.builtin.include_tasks: blocks/helpers/get_tokens.yml -- include_tasks: blocks/helpers/get_tokens.yml - -- name: "Clear {{ current_default_default.name }} from the default default client scopes list" - uri: +- name: "Clear from the default client scopes list: {{ current_default_default.name }}" + ansible.builtin.uri: url: "{{ keycloak_proxy_host }}/admin/realms/{{ current_realm.name }}/default-default-client-scopes/{{ current_default_default.id }}" - method: "DELETE" + method: DELETE headers: Authorization: "Bearer {{ tokens.json.access_token }}" - status_code: "204" \ No newline at end of file + status_code: 204 diff --git a/roles/keycloak/tasks/blocks/helpers/unassign_default_optional_client_scope.yml b/roles/keycloak/tasks/blocks/helpers/unassign_default_optional_client_scope.yml index b0acdd83..550e4210 100644 --- a/roles/keycloak/tasks/blocks/helpers/unassign_default_optional_client_scope.yml +++ b/roles/keycloak/tasks/blocks/helpers/unassign_default_optional_client_scope.yml @@ -1,11 +1,12 @@ --- -- include_tasks: blocks/helpers/get_tokens.yml +- name: Keycloak | helpers | unassign default | include get tokens + ansible.builtin.include_tasks: blocks/helpers/get_tokens.yml -- name: "Clear {{ current_default_optional.name }} from the default optional client scopes list" - uri: +- name: "Clear {{ current_default_optional.name }} from the default optional client scopes list" # noqa name[template] + ansible.builtin.uri: url: "{{ keycloak_proxy_host }}/admin/realms/{{ current_realm.name }}/default-optional-client-scopes/{{ current_default_optional.id }}" - method: "DELETE" + method: DELETE headers: Authorization: "Bearer {{ tokens.json.access_token }}" - status_code: "204" \ No newline at end of file + status_code: 204 
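Review bot: The renamed task `Clear from the default client scopes list: {{ current_default_default.name }}` drops the "default default" qualifier, so its output is now indistinguishable from the optional-scope variant in the sibling file; `Clear from the default default client scopes list: {{ current_default_default.name }}` keeps the distinction. The two files also name the same include differently (`Include tokens tasks` versus `Keycloak | helpers | unassign default | include get tokens`); one convention across the helpers would make the play output easier to scan.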
diff --git a/roles/keycloak/tasks/blocks/keys/configure_keys.yml b/roles/keycloak/tasks/blocks/keys/configure_keys.yml index 226da57c..02e3f08d 100644 --- a/roles/keycloak/tasks/blocks/keys/configure_keys.yml +++ b/roles/keycloak/tasks/blocks/keys/configure_keys.yml @@ -1,20 +1,22 @@ --- - name: Acquire tokens - include_tasks: blocks/helpers/get_tokens.yml + ansible.builtin.include_tasks: blocks/helpers/get_tokens.yml -- name: "Get current keys list of realm: {{item[0].name}}" - include_tasks: blocks/helpers/get_realm_keys.yml +- name: "Get current keys list of realm: {{ item[0].name }}" + ansible.builtin.include_tasks: blocks/helpers/get_realm_keys.yml -- set_fact: +- name: Keycloak | keys | configure | set fact + ansible.builtin.set_fact: item0: "{{ item[0] }}" item1: "{{ item[1] }}" -- include_tasks: blocks/keys/create_javakeystores.yml +- name: Keycloak | keys | configure | set fact + ansible.builtin.include_tasks: blocks/keys/create_javakeystores.yml when: item1.keystore_config is defined -- name: "Install {{ item1.providerId }} key with name '{{ item1.name }}'" - uri: +- name: "Install {{ item1.providerId }} key with name '{{ item1.name }}'" # noqa name[template] + ansible.builtin.uri: url: "{{ keycloak_proxy_host }}/admin/realms/{{ item0.name }}/components" method: POST body_format: json 
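Review bot: The include of `blocks/keys/create_javakeystores.yml` reuses the name `Keycloak | keys | configure | set fact` from the set_fact task directly above it, so two different tasks print the same name and the include's purpose is hidden; `- name: Keycloak | keys | configure | create java keystores` describes it. That include also overwrites the `item1` the preceding set_fact just defined (create_javakeystores.yml ends by setting `item1: "{{ item1_fused_cleaned }}"`), which is worth a one-line comment above the include such as `# create_javakeystores.yml redefines item1 with the fused keystore config`.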
@@ -23,28 +25,27 @@ body: name: "{{ item1.name }}" providerId: "{{ item1.providerId }}" - providerType: org.keycloak.keys.KeyProvider #never change this + providerType: org.keycloak.keys.KeyProvider # never change this parentId: "{{ item0.name }}" config: "{{ item1.config }}" status_code: 201 run_once: true - when: keys_provideridName2id[item1.providerId + ':' + item1.name] is not defined + when: keys_providerid_name_2_id[item1.providerId + ':' + item1.name] is not defined - -- name: "Update {{ item1.providerId }} key with name '{{ item1.name }}'" - uri: - url: "{{ keycloak_proxy_host }}/admin/realms/{{ item0.name }}/components/{{ keys_provideridName2id[item1.providerId + ':' + item1.name] }}" +- name: "Update {{ item1.providerId }} key with name '{{ item1.name }}'" # noqa name[template] + ansible.builtin.uri: + url: "{{ keycloak_proxy_host }}/admin/realms/{{ item0.name }}/components/{{ keys_providerid_name_2_id[item1.providerId + ':' + item1.name] }}" method: PUT body_format: json headers: Authorization: "Bearer {{ tokens.json.access_token }}" body: - id: "{{ keys_provideridName2id[item1.providerId + ':' + item1.name] }}" + id: "{{ keys_providerid_name_2_id[item1.providerId + ':' + item1.name] }}" name: "{{ item1.name }}" providerId: "{{ item1.providerId }}" - providerType: org.keycloak.keys.KeyProvider #never change this + providerType: org.keycloak.keys.KeyProvider # never change this parentId: "{{ item0.name }}" config: "{{ item1.config }}" status_code: 204 run_once: true - when: keys_provideridName2id[item1.providerId + ':' + item1.name] is defined + when: keys_providerid_name_2_id[item1.providerId + ':' + item1.name] is defined diff --git a/roles/keycloak/tasks/blocks/keys/create_javakeystores.yml b/roles/keycloak/tasks/blocks/keys/create_javakeystores.yml index 7a499f56..a31523f6 100644 --- a/roles/keycloak/tasks/blocks/keys/create_javakeystores.yml +++ b/roles/keycloak/tasks/blocks/keys/create_javakeystores.yml 
@@ -1,17 +1,17 @@ --- - +# tasks/blocks/keys/create_javakeystores.yml - name: Acquire tokens - include_tasks: blocks/helpers/get_tokens.yml + ansible.builtin.include_tasks: blocks/helpers/get_tokens.yml - name: Create the java keystores folder (if it doesn't exist) ansible.builtin.file: path: "{{ keycloak_keystores }}/{{ item[0].name }}" - recurse: yes + recurse: true state: directory - mode: 0500 + mode: "0500" owner: "{{ keycloak_service_user }}" group: "{{ keycloak_service_user }}" - become: yes + become: true run_once: false - name: Create a keystore for the given certificate/private key pair (inline) @@ -22,17 +22,18 @@ private_key_passphrase: "{{ item[1].keystore_config.key_passphrase }}" password: "{{ item[1].keystore_config.keystore_password }}" dest: "{{ keycloak_keystores }}/{{ item[0].name }}/{{ item[1].keystore_config.key_alias }}.jks" - mode: 0400 + mode: "0400" owner: "{{ keycloak_service_user }}" group: "{{ keycloak_service_user }}" - become: yes + become: true run_once: false # Now modify the item[1] to match the expected one # 1) assemble the correct item[1].config (fuse with keystore_config) # 2) remove the item[1].keystore_config -- set_fact: +- name: Keycloak | keys | modify to match the expected + ansible.builtin.set_fact: additional_config: config: keystore: 
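Review bot: The `Create a keystore for the given certificate/private key pair (inline)` task (its header closes the first hunk, its arguments sit in the second) passes `keystore_config.key_passphrase` and `keystore_config.keystore_password` as module arguments but has no `no_log: true`, so a failed run or `-v` prints both secrets in the task invocation. Add `no_log: true` next to `become: true`. The same applies to the set_fact tasks in the next hunk that fold `keystore_config` into `additional_config`/`item1_fused`, since set_fact results (including the passphrase) are shown in verbose output.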
@@ -44,19 +45,23 @@ keyPassword: - "{{ item[1].keystore_config.key_passphrase }}" -- set_fact: # add the correct - item1_fused: "{{ item[1] | combine(additional_config, recursive=True ) }}" +- name: Keycloak | keys | add the correct + ansible.builtin.set_fact: + item1_fused: "{{ item[1] | combine(additional_config, recursive=True) }}" -- set_fact: +- name: Keycloak | keys | + ansible.builtin.set_fact: item1_fused_cleaned: {} -- set_fact: +- name: Keycloak | keys | + ansible.builtin.set_fact: item1_fused_cleaned: "{{ item1_fused_cleaned | combine({keypair.key: keypair.value}) }}" when: keypair.key != "keystore_config" loop_control: loop_var: keypair with_dict: "{{ item1_fused }}" -- set_fact: +- name: Keycloak | keys | + ansible.builtin.set_fact: item0: "{{ item[0] }}" item1: "{{ item1_fused_cleaned }}" diff --git a/roles/keycloak/tasks/blocks/roles_configuration/clients/add_remove_client_default_roles.yml b/roles/keycloak/tasks/blocks/roles_configuration/clients/add_remove_client_default_roles.yml index 9d1a7243..19926217 100644 --- a/roles/keycloak/tasks/blocks/roles_configuration/clients/add_remove_client_default_roles.yml +++ b/roles/keycloak/tasks/blocks/roles_configuration/clients/add_remove_client_default_roles.yml 
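Review bot: Three of the new task names end in a bare `Keycloak | keys |` with nothing after the separator, so the play output shows three tasks with an identical, contentless name. Name them for what they do: `Keycloak | keys | init cleaned item1`, `Keycloak | keys | drop keystore_config from fused item1`, and `Keycloak | keys | publish item0/item1 for configure_keys`. `Keycloak | keys | add the correct` is likewise an unfinished phrase carried over from the old inline comment; `Keycloak | keys | fuse keystore config into item1` says the same thing completely.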
@@ -8,20 +8,21 @@ - name: Acquire tokens - include_tasks: blocks/helpers/get_tokens.yml + ansible.builtin.include_tasks: blocks/helpers/get_tokens.yml -- set_fact: +- name: Keycloak | roles | clients | set fact + ansible.builtin.set_fact: body: "{{ client_roles | json_query(query) | default([]) }}" vars: - query: "{% if client_default_role_mode=='add' %}[?contains(`{{ realm_and_client_roles[1].add | to_json }}`, name)]{% elif client_default_role_mode=='remove' %}[?contains(`{{ realm_and_client_roles[1].remove | to_json }}`, name)]{% endif %}" + query: "{% if client_default_role_mode == 'add' %}[?contains(`{{ realm_and_client_roles[1].add | to_json }}`, name )]{% elif client_default_role_mode == 'remove' %}[?contains(`{{ realm_and_client_roles[1].remove | to_json }}`, name )]{% endif %}" # noqa yaml[line-length] -- name: "{{ client_default_role_mode }} default-roles in realm {{ realm_and_client_roles[0].name }}" - uri: - url: "{{ keycloak_proxy_host }}/admin/realms/{{ realm_and_client_roles[0].name }}/roles/default-roles-{{ realm_and_client_roles[0].name | lower }}/composites" - method: "{% if client_default_role_mode=='add' %}POST{% elif client_default_role_mode=='remove' %}DELETE{% endif %}" +- name: "{{ client_default_role_mode }} default-roles in realm {{ realm_and_client_roles[0].name }}" # noqa name[template] + ansible.builtin.uri: + url: "{{ keycloak_proxy_host }}/admin/realms/{{ realm_and_client_roles[0].name }}/roles/default-roles-{{ realm_and_client_roles[0].name | lower }}/composites" # noqa yaml[line-length] + method: "{% if client_default_role_mode == 'add' %}POST{% elif client_default_role_mode == 'remove' %}DELETE{% endif %}" body_format: json headers: Authorization: "Bearer {{ tokens.json.access_token }}" body: "{{ body }}" - status_code: 204 \ No newline at end of file + status_code: 204 
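Review bot: `method:` is still built from an `{% if %}…{% elif %}…{% endif %}` with no `else`, so a `client_default_role_mode` other than `add`/`remove` yields an empty method string and an obscure uri failure; the same pattern remains in configure_default_roles.yml with `default_role_mode`. A lookup keeps it a plain value and fails loudly on an unexpected mode: `method: "{{ {'add': 'POST', 'remove': 'DELETE'}[client_default_role_mode] }}"`. Alternatively, an `ansible.builtin.assert` on the mode at the top of the file gives a readable message before any request is made.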
diff --git a/roles/keycloak/tasks/blocks/roles_configuration/clients/configure_client_default_roles.yml b/roles/keycloak/tasks/blocks/roles_configuration/clients/configure_client_default_roles.yml index 3ccf499e..b9f65b2e 100644 --- a/roles/keycloak/tasks/blocks/roles_configuration/clients/configure_client_default_roles.yml +++ b/roles/keycloak/tasks/blocks/roles_configuration/clients/configure_client_default_roles.yml 
@@ -4,38 +4,40 @@ # realm_and_client_roles[1] : the current element of the client_default_roles list - name: Acquire tokens - include_tasks: blocks/helpers/get_tokens.yml + ansible.builtin.include_tasks: blocks/helpers/get_tokens.yml - name: "Find client {{ realm_and_client_roles[1].name }}" - uri: + ansible.builtin.uri: url: "{{ keycloak_proxy_host }}/admin/realms/{{ realm_and_client_roles[0].name }}/clients?clientId={{ realm_and_client_roles[1].name }}&max=20&search=true" - method: "GET" + method: GET headers: Authorization: "Bearer {{ tokens.json.access_token }}" status_code: 200 register: found_clients -- set_fact: +- name: Keycloak | roles | clients | set found_client fact + ansible.builtin.set_fact: found_client: "{{ found_clients.json[0] | default() }}" - name: "Find roles of client {{ found_client.clientId }}" - uri: + ansible.builtin.uri: url: "{{ keycloak_proxy_host }}/admin/realms/{{ realm_and_client_roles[0].name }}/clients/{{ found_client.id }}/roles" - method: "GET" + method: GET headers: Authorization: "Bearer {{ tokens.json.access_token }}" status_code: 200 register: client_roles -- set_fact: - client_roles: "{{ client_roles.json| default([]) }}" +- name: Keycloak | roles | clients | set client_roles fact + ansible.builtin.set_fact: + client_roles: "{{ client_roles.json | default([]) }}" -- name: "Call default client roles updater (mode 'add')" - include_tasks: blocks/roles_configuration/clients/add_remove_client_default_roles.yml +- name: Call default client roles updater (mode 'add') + ansible.builtin.include_tasks: blocks/roles_configuration/clients/add_remove_client_default_roles.yml vars: client_default_role_mode: add -- name: "Call default client roles updater (mode 'remove')" - include_tasks: blocks/roles_configuration/clients/add_remove_client_default_roles.yml +- name: Call default client roles updater (mode 'remove') + ansible.builtin.include_tasks: blocks/roles_configuration/clients/add_remove_client_default_roles.yml vars: 
client_default_role_mode: remove diff --git a/roles/keycloak/tasks/blocks/roles_configuration/configure.yml b/roles/keycloak/tasks/blocks/roles_configuration/configure.yml index 1ef08d0c..13199d28 100644 --- a/roles/keycloak/tasks/blocks/roles_configuration/configure.yml +++ b/roles/keycloak/tasks/blocks/roles_configuration/configure.yml @@ -1,7 +1,7 @@ --- - name: Setup roles - include_tasks: configure_roles.yml + ansible.builtin.include_tasks: configure_roles.yml with_subelements: - "{{ keycloak_config.realms | default([]) }} " - "role_management.roles" @@ -9,7 +9,7 @@ run_once: true - name: Setup default roles (add) - include_tasks: configure_default_roles.yml + ansible.builtin.include_tasks: configure_default_roles.yml with_subelements: - "{{ keycloak_config.realms | default([]) }} " - "role_management.default_roles.add" @@ -19,7 +19,7 @@ run_once: true - name: Setup default roles (remove) - include_tasks: configure_default_roles.yml + ansible.builtin.include_tasks: configure_default_roles.yml with_subelements: - "{{ keycloak_config.realms | default([]) }} " - "role_management.default_roles.remove" @@ -29,7 +29,7 @@ run_once: true - name: Setup composite roles - include_tasks: configure_role_composites.yml + ansible.builtin.include_tasks: configure_role_composites.yml with_subelements: - "{{ keycloak_config.realms | default([]) }} " - "role_management.composite_roles" @@ -37,7 +37,7 @@ run_once: true - name: Setup client default roles - include_tasks: blocks/roles_configuration/clients/configure_client_default_roles.yml + ansible.builtin.include_tasks: blocks/roles_configuration/clients/configure_client_default_roles.yml with_subelements: - "{{ keycloak_config.realms | default([]) }} " - "role_management.client_default_roles" diff --git a/roles/keycloak/tasks/blocks/roles_configuration/configure_default_roles.yml b/roles/keycloak/tasks/blocks/roles_configuration/configure_default_roles.yml index f7a4b823..d438054c 100644 
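Review bot: `found_client: "{{ found_clients.json[0] | default() }}"` takes the first search hit, but the request uses `search=true` and `max=20`, which Keycloak treats as a substring match on clientId as far as I know, so a realm holding both `app` and `app-admin` can bind the roles to the wrong client. Selecting the exact match is safer: `found_client: "{{ found_clients.json | selectattr('clientId', 'equalto', realm_and_client_roles[1].name) | first | default({}) }}"`. When nothing matches, the following task's `found_client.id` fails with an unrelated-looking templating error; an `ansible.builtin.assert` that `found_client.id is defined` would name the missing client. The enclosing file starts before this hunk.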
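Review bot: Every `with_subelements` in this file keeps a trailing space inside the quotes, `"{{ keycloak_config.realms | default([]) }} "`, which renders to a string with a trailing blank rather than the list itself and relies on Ansible turning that string back into a list; the same pattern appears in roles/keycloak/tasks/configure.yml later in the diff. Dropping the space, `- "{{ keycloak_config.realms | default([]) }}"`, makes the loop source an actual list. These are context lines, so it is outside the commit's intent, but it is a one-character fix in each of the five loops.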
--- a/roles/keycloak/tasks/blocks/roles_configuration/configure_default_roles.yml +++ b/roles/keycloak/tasks/blocks/roles_configuration/configure_default_roles.yml @@ -1,10 +1,10 @@ --- - name: Acquire tokens - include_tasks: blocks/helpers/get_tokens.yml + ansible.builtin.include_tasks: blocks/helpers/get_tokens.yml -- name: "Find full payload of all roles in the '{{ default_role_mode }}' list" - uri: +- name: "Find full payload of all roles in the list '{{ default_role_mode }}'" + ansible.builtin.uri: url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/roles/{{ default_role_name }}" method: "GET" headers: @@ -15,20 +15,20 @@ with_items: "{{ item[1] }}" register: search_results -- set_fact: +- name: Keycloak | roles | set default_roles_list fact + ansible.builtin.set_fact: default_roles_list_complete: "{{ search_results | json_query(query) | default([]) }}" vars: query: 'results[].json' + +# Better to have two separate tasks here. - name: "Edit default-roles in realm {{ item[0].name }}" - uri: + ansible.builtin.uri: url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/roles/default-roles-{{ item[0].name | lower }}/composites" - method: "{% if default_role_mode=='add' %}POST{% elif default_role_mode=='remove' %}DELETE{% endif %}" + method: "{% if default_role_mode == 'add' %}POST{% elif default_role_mode == 'remove' %}DELETE{% endif %}" body_format: json headers: Authorization: "Bearer {{ tokens.json.access_token }}" - body: - "{{ default_roles_list_complete }}" + body: "{{ default_roles_list_complete }}" status_code: 204 - - diff --git a/roles/keycloak/tasks/blocks/roles_configuration/configure_role_composites.yml b/roles/keycloak/tasks/blocks/roles_configuration/configure_role_composites.yml index bcedad79..a0cf2aa6 100644 --- a/roles/keycloak/tasks/blocks/roles_configuration/configure_role_composites.yml +++ b/roles/keycloak/tasks/blocks/roles_configuration/configure_role_composites.yml 
@@ -1,12 +1,11 @@ --- - - name: Acquire tokens - include_tasks: blocks/helpers/get_tokens.yml + ansible.builtin.include_tasks: blocks/helpers/get_tokens.yml -- name: "Find full payload of all roles in the composite list" - uri: +- name: Find full payload of all roles in the composite list + ansible.builtin.uri: url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/roles/{{ composite_name }}" - method: "GET" + method: GET headers: Authorization: "Bearer {{ tokens.json.access_token }}" status_code: 200 @@ -15,14 +14,15 @@ with_items: "{{ item[1].composites }}" register: search_results -- set_fact: +- name: Keycloak | roles | Set composite_list_complete fact + ansible.builtin.set_fact: composite_list_complete: "{{ search_results | json_query(query) | default([]) }}" vars: query: 'results[].json' -- name: "Add composites of role {{ item[1].name }} in realm {{ item[0].name }}" - uri: +- name: "Add composites of role {{ item[1].name }} in realm {{ item[0].name }}" # noqa name[template] + ansible.builtin.uri: url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/roles/{{ item[1].name }}/composites" method: "POST" body_format: json diff --git a/roles/keycloak/tasks/blocks/roles_configuration/configure_roles.yml b/roles/keycloak/tasks/blocks/roles_configuration/configure_roles.yml index 7eaf6f87..e7263bf0 100644 --- a/roles/keycloak/tasks/blocks/roles_configuration/configure_roles.yml +++ b/roles/keycloak/tasks/blocks/roles_configuration/configure_roles.yml @@ -1,10 +1,9 @@ --- - - name: Acquire tokens - include_tasks: blocks/helpers/get_tokens.yml + ansible.builtin.include_tasks: blocks/helpers/get_tokens.yml -- name: "Get the role {{ item[1].name }} from realm {{ item[0].name }}" - uri: +- name: "Get the role {{ item[1].name }} from realm {{ item[0].name }}" # noqa name[template] + ansible.builtin.uri: url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/roles/{{ item[1].name }}" method: "GET" headers: 
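Review bot: The composites hunk unquotes `method: GET` but leaves `method: "POST"` quoted two tasks later, and configure_roles.yml's `Get the role` task on the same line keeps `method: "GET"`, while the rest of this diff unquotes plain HTTP verbs. Pick one form for the role (`method: POST`, `method: GET`) so the files stop drifting on a purely cosmetic point.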
@@ -12,16 +11,29 @@ status_code: [200, 404] register: realm_role_inquiry -- set_fact: +- name: Keycloak | Roles configuration | set role exists + ansible.builtin.set_fact: current_role_exists: "{% if realm_role_inquiry.status == 200 %}true{% else %}false{% endif %}" -- name: "{% if current_role_exists %}Update{% else %}Update{% endif %} the role {{ item[1].name }} in realm {{ item[0].name }}" - uri: - url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/roles{% if current_role_exists %}/{{ item[1].name }}{% endif %}" - method: "{% if current_role_exists %}PUT{% else %}POST{% endif %}" +# Probably better to define separate tasks and skip based on the fact +- name: Update the role in realm + ansible.builtin.uri: + url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/roles" + method: PUT + body_format: json + headers: + Authorization: "Bearer {{ tokens.json.access_token }}" + body: "{{ item[1] }}" + status_code: 204 + when: (current_role_exists | bool) + +- name: Create role in realm + ansible.builtin.uri: + url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/roles/{{ item[1].name }}" + method: POST body_format: json headers: Authorization: "Bearer {{ tokens.json.access_token }}" - body: - "{{ item[1] }}" - status_code: "{% if current_role_exists %}204{% else %}201{% endif %}" + body: "{{ item[1] }}" + status_code: 201 + when: not (current_role_exists | bool) diff --git a/roles/keycloak/tasks/configure.yml b/roles/keycloak/tasks/configure.yml index 771b86fd..d63139dd 100644 --- a/roles/keycloak/tasks/configure.yml +++ b/roles/keycloak/tasks/configure.yml 
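Review bot: The split Update/Create tasks have their URLs crossed: `Update the role in realm` sends `PUT` to `…/roles` (the collection) while `Create role in realm` sends `POST` to `…/roles/{{ item[1].name }}` (a single role), whereas the removed line sent PUT to `/roles/<name>` and POST to `/roles`. Swap them: `url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/roles/{{ item[1].name }}"` on the PUT task and `url: "{{ keycloak_proxy_host }}/admin/realms/{{ item[0].name }}/roles"` on the POST task. The added comment `# Probably better to define separate tasks and skip based on the fact` now describes what the code already does and can go, and `current_role_exists: "{{ realm_role_inquiry.status == 200 }}"` would make the fact a boolean without the `| bool` casts in both `when:` lines.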
@@ -1,55 +1,52 @@ --- - # this is an important block! Do not remove - name: Wait for keycloak to initialize block: - - name: Ensure Keycloak service is running - systemd: - name: "keycloak" - state: "started" - become: yes - #wait for port to open - - name: Waiting for service port to be opened... - wait_for: - host: "{{ keycloak_local_address }}" - port: 8080 - delay: 10 - timeout: 180 - #wait for service to respond - - name: Waiting for service to be up and running... - uri: - url: "http://{{ keycloak_local_address }}:8080/{{ keycloak_base_url_path }}" - status_code: "200" - timeout: 600 - + - name: Ensure Keycloak service is running + ansible.builtin.systemd: + name: keycloak + state: started + become: true + - name: Waiting for service port to be opened... + ansible.builtin.wait_for: + host: "{{ keycloak_local_address }}" + port: 8080 + delay: 10 + timeout: 180 + - name: Waiting for service to be up and running... + ansible.builtin.uri: + url: "http://{{ keycloak_local_address }}:8080/{{ keycloak_base_url_path }}" + status_code: 200 + timeout: 600 # configure AUP, realm keys, etc - name: Configure the keycloak (AUP, realm keys, etc) + tags: + - keycloak:config:realm block: - - name: Apply realm.config parameters - include_tasks: blocks/configure_basic_realm.yml + ansible.builtin.include_tasks: blocks/configure_basic_realm.yml with_items: "{{ keycloak_config.realms | default([]) }}" loop_control: loop_var: current_realm_item run_once: true - name: Configure keys - include_tasks: blocks/keys/configure_keys.yml + ansible.builtin.include_tasks: blocks/keys/configure_keys.yml with_subelements: - "{{ keycloak_config.realms | default([]) }} " - - "keys" - - skip_missing: True + - keys + - skip_missing: true - name: Configure events logging - include_tasks: blocks/configure_event_logging.yml + ansible.builtin.include_tasks: blocks/configure_event_logging.yml with_items: "{{ keycloak_config.realms | default([]) }}" loop_control: loop_var: current_realm_item run_once: 
true - name: Configure AUP (Terms and Conditions) - uri: + ansible.builtin.uri: url: "{{ keycloak_proxy_host }}/admin/realms/{{ item.name }}/authentication/required-actions/{{ keycloak_api.terms_and_conditions.endpoint }}" method: PUT body_format: json 
@@ -71,66 +68,66 @@ run_once: true - name: Setup roles - include_tasks: blocks/roles_configuration/configure.yml + ansible.builtin.include_tasks: blocks/roles_configuration/configure.yml - name: Setup federations - include_tasks: blocks/configure_federations.yml + ansible.builtin.include_tasks: blocks/configure_federations.yml with_subelements: - "{{ keycloak_config.realms | default([]) }} " - "federations" - - skip_missing: True + - skip_missing: true run_once: true - name: Setup social IdPs - include_tasks: blocks/configure_social_idps.yml + ansible.builtin.include_tasks: blocks/configure_social_idps.yml with_subelements: - "{{ keycloak_config.realms | default([]) }} " - "social_idps" - - skip_missing: True + - skip_missing: true run_once: true - name: Setup saml IdPs - include_tasks: blocks/configure_saml_idps.yml + ansible.builtin.include_tasks: blocks/configure_saml_idps.yml with_subelements: - "{{ keycloak_config.realms | default([]) }} " - - "saml_idps" - - skip_missing: True + - saml_idps + - skip_missing: true run_once: true - name: Setup IdP mappers - include_tasks: blocks/configure_idp_mappers.yml + ansible.builtin.include_tasks: blocks/configure_idp_mappers.yml with_subelements: - "{{ keycloak_config.realms | default([]) }} " - - "idp_mappers" - - skip_missing: True + - idp_mappers + - skip_missing: true run_once: true - name: "Check if there is any default IdP (will skip the WAYF and redirect to that one) defined" - include_tasks: blocks/configure_default_idp.yml + ansible.builtin.include_tasks: blocks/configure_default_idp.yml with_items: "{{ keycloak_config.realms | default([]) }}" loop_control: loop_var: current_realm - name: "Configure client scopes (block)" + tags: + - "keycloak:config:realm:client_scopes" block: - name: "Clear all assigned default and optional client scopes" - include_tasks: blocks/helpers/unassign_default_client_scopes.yml + ansible.builtin.include_tasks: blocks/helpers/unassign_default_client_scopes.yml with_items: "{{ 
keycloak_config.realms | default([]) }}" loop_control: loop_var: current_realm run_once: true - name: "Add new / update existing client scopes" - include_tasks: blocks/configure_client_scopes.yml + ansible.builtin.include_tasks: blocks/configure_client_scopes.yml with_subelements: - - "{{keycloak_config.realms | default([])}} " + - "{{ keycloak_config.realms | default([]) }} " - "client_scopes" - - skip_missing: True + - skip_missing: true run_once: true - tags: - - "keycloak:config:realm:client_scopes" - name: "Configure client registration policies" - include_tasks: blocks/configure_client_reg_policies.yml + ansible.builtin.include_tasks: blocks/configure_client_reg_policies.yml with_items: "{{ keycloak_config.realms | default([]) }}" loop_control: loop_var: current_realm 
@@ -138,33 +135,36 @@ tags: - "keycloak:config:realm:client_reg_policies" - tags: "keycloak:config:realm" - ### wayf plugin configuration - name: Configure wayf plugin - block: - - name: Acquire tokens - include_tasks: blocks/helpers/get_tokens.yml - - name: "Configure wayf plugin" - include_tasks: blocks/configure_theme.yml - with_items: "{{ keycloak_plugins.wayf.theme.add_to_realms }}" - - when: wayf_enabled == true + when: wayf_enabled | bool vars: wayf_enabled: "{{ keycloak_plugins.wayf.enabled | default(false) }}" tags: - "keycloak:config:plugin" - "keycloak:config:plugin:wayf" + block: + - name: Acquire tokens + ansible.builtin.include_tasks: blocks/helpers/get_tokens.yml + - name: "Configure wayf plugin" + ansible.builtin.include_tasks: blocks/configure_theme.yml + with_items: "{{ keycloak_plugins.wayf.theme.add_to_realms }}" ### advanced group management plugin - name: Configure advanced group management plugin + when: group_enabled | bool + vars: + group_enabled: "{{ keycloak_plugins.group.enabled | default(false) }}" + tags: + - keycloak:config:plugin + - keycloak:config:plugin:group block: - name: Acquire tokens - include_tasks: blocks/helpers/get_tokens.yml + ansible.builtin.include_tasks: blocks/helpers/get_tokens.yml - name: Configure user attribute configuration for advanced group management plugin - uri: + ansible.builtin.uri: url: "{{ keycloak_proxy_host }}/realms/{{ item.name }}/agm/admin/member-user-attribute/configuration" - method: "POST" + method: POST body_format: json headers: Authorization: "Bearer {{ tokens.json.access_token }}" 
@@ -174,26 +174,22 @@ with_items: "{{ keycloak_plugins.group.add_to_realms }}" run_once: true vars: - - body_payload: - userAttribute: "{{ item.member_user_attribute_configuration.userAttribute }}" - urnNamespace: "{{ item.member_user_attribute_configuration.urnNamespace }}" - authority: "{{ item.member_user_attribute_configuration.authority }}" - - when: group_enabled == true - vars: - group_enabled: "{{ keycloak_plugins.group.enabled | default(false) }}" - tags: - - "keycloak:config:plugin" - - "keycloak:config:plugin:group" + body_payload: + userAttribute: "{{ item.member_user_attribute_configuration.userAttribute }}" + urnNamespace: "{{ item.member_user_attribute_configuration.urnNamespace }}" + authority: "{{ item.member_user_attribute_configuration.authority }}" - name: Configure Keycloak themes + tags: + - keycloak:config:realm + - keycloak:config:realm:themes block: - name: Acquire tokens - include_tasks: blocks/helpers/get_tokens.yml + ansible.builtin.include_tasks: blocks/helpers/get_tokens.yml - name: Configure Keycloak themes - uri: + ansible.builtin.uri: url: "{{ keycloak_proxy_host }}/admin/realms/{{ item.name }}" - method: "PUT" + method: PUT body_format: json headers: Authorization: "Bearer {{ tokens.json.access_token }}" 
@@ -203,10 +199,7 @@ with_items: "{{ keycloak_config.realms | default([]) }}" run_once: true vars: - - body_payload: - loginTheme: "{{ item.themes.login | default(keycloak_themes.login) | default(omit) }}" - accountTheme: "{{ item.themes.account | default(keycloak_themes.account) | default(omit) }}" - emailTheme: "{{ item.themes.email | default(keycloak_themes.email) | default(omit) }}" - tags: - - "keycloak:config:realm" - - "keycloak:config:realm:themes" + body_payload: + loginTheme: "{{ item.themes.login | default(keycloak_themes.login) | default(omit) }}" + accountTheme: "{{ item.themes.account | default(keycloak_themes.account) | default(omit) }}" + emailTheme: "{{ item.themes.email | default(keycloak_themes.email) | default(omit) }}" diff --git a/roles/keycloak/tasks/java/Debian-bookworm.yml b/roles/keycloak/tasks/java/Debian-bookworm.yml index c221e002..4a273c80 100644 --- a/roles/keycloak/tasks/java/Debian-bookworm.yml +++ b/roles/keycloak/tasks/java/Debian-bookworm.yml @@ -1,8 +1,7 @@ --- - - name: Ensure Java 17 is installed - apt: + ansible.builtin.apt: name: openjdk-17-jdk state: present - update_cache: yes - become: yes \ No newline at end of file + update_cache: true + become: true diff --git a/roles/keycloak/tasks/java/Debian-bullseye.yml b/roles/keycloak/tasks/java/Debian-bullseye.yml index 9a2d0c23..cf51bfc5 100644 --- a/roles/keycloak/tasks/java/Debian-bullseye.yml +++ b/roles/keycloak/tasks/java/Debian-bullseye.yml @@ -1,8 +1,7 @@ --- - - name: Ensure Java 11 is installed - apt: + ansible.builtin.apt: name: openjdk-11-jdk state: present - update_cache: yes - become: yes + update_cache: true + become: true diff --git a/roles/keycloak/tasks/java/Debian-buster.yml b/roles/keycloak/tasks/java/Debian-buster.yml index eecb7f68..042c3d06 100644 --- a/roles/keycloak/tasks/java/Debian-buster.yml +++ b/roles/keycloak/tasks/java/Debian-buster.yml 
@@ -1,9 +1,8 @@ --- - - name: Ensure that the vm has java 11 - apt: + ansible.builtin.apt: name: openjdk-11-jdk state: present - update_cache: yes + update_cache: true cache_valid_time: 86400 - become: yes + become: true diff --git a/roles/keycloak/tasks/java/Ubuntu-focal.yml b/roles/keycloak/tasks/java/Ubuntu-focal.yml index eecb7f68..042c3d06 100644 --- a/roles/keycloak/tasks/java/Ubuntu-focal.yml +++ b/roles/keycloak/tasks/java/Ubuntu-focal.yml @@ -1,9 +1,8 @@ --- - - name: Ensure that the vm has java 11 - apt: + ansible.builtin.apt: name: openjdk-11-jdk state: present - update_cache: yes + update_cache: true cache_valid_time: 86400 - become: yes + become: true diff --git a/roles/keycloak/tasks/main.yml b/roles/keycloak/tasks/main.yml index 40faa2a8..681cb095 100644 --- a/roles/keycloak/tasks/main.yml +++ b/roles/keycloak/tasks/main.yml 
@@ -1,162 +1,172 @@ --- - ## start the installation of keycloak - name: Include OS-specific variables - include_vars: "{{ item }}" + ansible.builtin.include_vars: "{{ item }}" with_first_found: - "os/{{ ansible_distribution }}-{{ ansible_distribution_release }}.yml" - "os/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml" - "os/{{ ansible_distribution }}.yml" - "os/{{ ansible_os_family }}.yml" - ignore_errors: yes + ignore_errors: true # noqa ignore-errors tags: - always -- block: +- name: Keycloak | Set vars + tags: + - always + block: - name: Split Keycloak version string into parts - set_fact: + ansible.builtin.set_fact: keycloak_version_parts: "{{ keycloak_version.split('.') }}" - name: Define Keycloak major version number - set_fact: + ansible.builtin.set_fact: keycloak_major_version: "{{ keycloak_version_parts[0] }}" tags: - always - name: Define Keycloak minor version number - set_fact: + ansible.builtin.set_fact: keycloak_minor_version: "{{ keycloak_version_parts[1] }}" tags: - always - name: Define Keycloak patch version number only when specified in version string - set_fact: + ansible.builtin.set_fact: keycloak_patch_version: "{{ keycloak_version_parts[2] | default(omit) }}" - tags: - - always - name: Include keycloak-specific variables - include_vars: "{{ item }}" + ansible.builtin.include_vars: "{{ item }}" with_first_found: - "keycloak-{{ keycloak_major_version }}.{{ keycloak_minor_version }}.yml" - "keycloak-{{ keycloak_major_version }}.yml" - ignore_errors: yes + ignore_errors: true # noqa ignore-errors tags: - always -### Install Java with OS-specific packages -- include: "java/{{ ansible_distribution }}-{{ ansible_distribution_release }}.yml" +- name: Install Java with OS-specific packages + ansible.builtin.include_tasks: "java/{{ ansible_distribution }}-{{ ansible_distribution_release }}.yml" tags: - always - name: Find local keycloak address - set_fact: - keycloak_local_address: "{% if ansible_facts.default_ipv4.address is 
defined %}{{ ansible_facts.default_ipv4.address }}{% elif ansible_facts.default_ipv6.address is defined %}{{ ansible_facts.default_ipv6.address }}{% else %}localhost{% endif %}" + ansible.builtin.set_fact: + keycloak_local_address: >- + {% if ansible_facts.default_ipv4.address is defined %} + {{ ansible_facts.default_ipv4.address }} + {% elif ansible_facts.default_ipv6.address is defined %} + {{ ansible_facts.default_ipv6.address }} + {% else %} + localhost + {% endif %} tags: - always ### create keycloak_service_user - name: Create Keycloak service user/group - user: + ansible.builtin.user: name: "{{ keycloak_service_user }}" home: /nonexistent shell: /usr/sbin/nologin - system: yes - create_home: no - become: yes + system: true + create_home: false + become: true tags: - always ### setup the logs folder (also do some actions to preserve backwards compatibility) -- name: "Setup logs folder" - include_tasks: "blocks/helpers/setup_logs_folder.yml" +- name: Setup logs folder + ansible.builtin.include_tasks: "blocks/helpers/setup_logs_folder.yml" tags: "keycloak:install:setup_logs_folder" -#### Extract keycloak from archive -- block: +- name: Extract keycloak from archive + block: - name: "Task block: Download keycloak" + become: true block: - name: Create keycloak temp directory - file: + ansible.builtin.file: path: "/tmp/keycloak-tmp" state: directory + mode: "0755" - name: Download keycloak archive file - get_url: + ansible.builtin.get_url: url: "{{ keycloak_archive_url }}" - dest: "/tmp/keycloak_archive" + dest: /tmp/keycloak_archive timeout: 30 + mode: "0644" - name: Compute sha1 hash of archive - stat: + ansible.builtin.stat: path: "/tmp/keycloak_archive" checksum_algorithm: sha1 register: keycloak_sha1 - name: Create keycloak_home if not exists - file: + ansible.builtin.file: path: "{{ keycloak_home }}" state: directory - - name: create empty file if not exists + mode: "0755" + - name: Create empty file if not exists ansible.builtin.copy: dest: "{{ 
keycloak_home }}/sha1" content: "" - force: no - - name: Previous sha1 - shell: "cat {{ keycloak_home }}/sha1" + force: false + mode: "0644" + - name: Previous sha1 # noqa command-instead-of-shell + ansible.builtin.shell: "cat {{ keycloak_home }}/sha1" + changed_when: false register: previous_sha1 - - name: "Compare sha1" - set_fact: + - name: Compare sha1 + ansible.builtin.set_fact: is_same_archive: "{{ true if keycloak_sha1.stat.checksum == previous_sha1.stdout else false }}" - become: yes - name: "Task block: Extract keycloak" + become: true + when: not is_same_archive block: - - name: unpack keycloak - unarchive: - src: "/tmp/keycloak_archive" - dest: "/tmp/keycloak-tmp" + - name: Unpack keycloak + ansible.builtin.unarchive: + src: /tmp/keycloak_archive + dest: /tmp/keycloak-tmp owner: "{{ keycloak_service_user }}" group: "{{ keycloak_service_user }}" - remote_src: yes - extra_opts: "--no-same-owner" #since it's run with elevated priviledges, to avoid preserving ownership from the archive + remote_src: true + extra_opts: "--no-same-owner" # since it's run with elevated priviledges, to avoid preserving ownership from the archive - name: Find keycloak extracted folder name - find: + ansible.builtin.find: paths: /tmp/keycloak-tmp - patterns: 'keycloak*' + patterns: "keycloak*" file_type: directory - recurse: no + recurse: false register: find_result - name: Remove any previous installation ansible.builtin.file: path: "{{ keycloak_home }}" state: absent - name: Move extracted keycloak to final keycloak folder - command: "mv {{ find_result.files[0].path }} {{ keycloak_home }}" + ansible.builtin.command: "mv {{ find_result.files[0].path }} {{ keycloak_home }}" args: removes: "{{ find_result.files[0].path }}" creates: "{{ keycloak_home }}" - name: Store previous sha1 - copy: + ansible.builtin.copy: dest: "{{ keycloak_home }}/sha1" content: "{{ keycloak_sha1.stat.checksum }}" - become: yes - when: not is_same_archive - + mode: "0644" always: - name: Delete downloaded 
archive ansible.builtin.file: - path: "/tmp/keycloak_archive" + path: /tmp/keycloak_archive state: absent - become: yes - tags: "keycloak:install:download_extract" - -- import_tasks: "quarkus/install.yml" +- name: Keycloak | import quarkus install tasks + ansible.builtin.import_tasks: "quarkus/install.yml" when: keycloak_version.split('.')[0] | int >= 18 -- import_tasks: "wildfly/install.yml" +- name: Keycloak | import wildfly install + ansible.builtin.import_tasks: wildfly/install.yml when: keycloak_version.split('.')[0] | int < 18 - ##### configure keycloak - name: Configure various keycloak aspects - import_tasks: "configure.yml" + ansible.builtin.import_tasks: "configure.yml" tags: "keycloak:config" diff --git a/roles/keycloak/tasks/quarkus/install.yml b/roles/keycloak/tasks/quarkus/install.yml index 76c7c3d2..72b5c250 100644 --- a/roles/keycloak/tasks/quarkus/install.yml +++ b/roles/keycloak/tasks/quarkus/install.yml 
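Review bot: The new folded (`>-`) `keycloak_local_address` scalar joins its lines with spaces before Jinja runs, so the rendered fact most likely carries a leading and trailing space (e.g. ` 10.0.0.1 ` — constructed), which then breaks the `http://{{ keycloak_local_address }}:8080/...` URL and the `wait_for` host in configure.yml; the removed single-line template had no such padding. Add Jinja whitespace control to each tag as below, or keep the expression on one line. Separately, `Download keycloak archive file` fetches `{{ keycloak_archive_url }}` with no `checksum:`, and the sha1 computed afterwards serves only change detection; if a known digest is available, `checksum: "sha1:<EXPECTED_DIGEST>"` (placeholder) would make the download tamper-evident. The fixed `/tmp/keycloak-tmp` and `/tmp/keycloak_archive` paths are created with `become: true` inside a world-writable directory; `ansible.builtin.tempfile` would give a private, unpredictable path.
```yaml
- name: Find local keycloak address
  ansible.builtin.set_fact:
    keycloak_local_address: >-
      {%- if ansible_facts.default_ipv4.address is defined -%}
      {{ ansible_facts.default_ipv4.address }}
      {%- elif ansible_facts.default_ipv6.address is defined -%}
      {{ ansible_facts.default_ipv6.address }}
      {%- else -%}
      localhost
      {%- endif -%}
  tags:
    - always
# … unchanged: remaining tasks of main.yml …
```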
@@ -1,92 +1,89 @@ --- - -##### Set service user as owner of keycloak base dir -- block: +- name: Set service user as owner of keycloak base dir + become: true + tags: "keycloak:install:setup_file_permissions" + block: - name: "Setting everything under keycloak_home dir to belong to user: {{ keycloak_service_user }}" - file: + ansible.builtin.file: dest: "{{ keycloak_home }}" owner: "{{ keycloak_service_user }}" group: "{{ keycloak_service_user }}" - recurse: yes - become: yes - tags: "keycloak:install:setup_file_permissions" + recurse: true ######### Install configuration templates -- block: - +- name: Install configuration templates + tags: "keycloak:install:config" + block: - name: Set the appropriate permissions for the keycloak's config folder - file: + ansible.builtin.file: path: "{{ keycloak_home }}/conf" state: directory - mode: 0700 - become: yes + mode: "0700" + become: true - name: Installing keycloak main configuration (keycloak.conf) - template: - mode: 0600 + ansible.builtin.template: + mode: "0600" owner: "{{ keycloak_service_user }}" group: "{{ keycloak_service_user }}" src: "templates/{{ keycloak_version }}/keycloak.conf.j2" dest: "{{ keycloak_home }}/conf/keycloak.conf" - become: yes + become: true - name: Installing keycloak cache configuration (cache-ispn-jdbc-ping.xml) - template: - mode: 0600 + ansible.builtin.template: + mode: "0600" owner: "{{ keycloak_service_user }}" group: "{{ keycloak_service_user }}" src: "templates/{{ keycloak_version }}/cache-ispn-jdbc-ping.xml.j2" dest: "{{ keycloak_home }}/conf/cache-ispn-jdbc-ping.xml" - become: yes + become: true - name: Installing keycloak quarkus configuration (quarkus.properties) - template: - mode: 0600 + ansible.builtin.template: + mode: "0600" owner: "{{ keycloak_service_user }}" group: "{{ keycloak_service_user }}" src: "templates/{{ keycloak_version }}/quarkus.properties.j2" dest: "{{ keycloak_home }}/conf/quarkus.properties" - become: yes - - tags: "keycloak:install:config" - + become: 
true #### Setup logcleaner script - name: "Task block: Setup logcleaner script" + become: true + tags: "keycloak:install:setup_logcleaner" block: - name: "Ensure the logs folder exists" - file: + ansible.builtin.file: path: "{{ keycloak_logs_folder }}" state: directory mode: '0755' owner: "{{ keycloak_service_user }}" group: "{{ keycloak_service_user }}" - recurse: yes + recurse: true - name: "Install the logcleaner script template" - template: + ansible.builtin.template: owner: "{{ keycloak_service_user }}" group: "{{ keycloak_service_user }}" - mode: 0644 + mode: "0644" src: templates/logcleaner.sh.j2 dest: "{{ keycloak_home }}/logcleaner.sh" - name: "Create the cronjob" - cron: + ansible.builtin.cron: name: keycloak logcleaner day: "*" hour: "0" minute: "0" user: "{{ keycloak_service_user }}" job: "sh {{ keycloak_home }}/logcleaner.sh {{ keycloak_logs_folder }} {{ keycloak_logs_max_days }}" - become: yes - tags: "keycloak:install:setup_logcleaner" ### install other plugins # would loop over block of tasks within install_plugin.yml, but looping on blocks is not allowed in ansible - name: Install other plugins - include_tasks: "quarkus/install_plugin.yml" + ansible.builtin.include_tasks: quarkus/install_plugin.yml when: keycloak_plugins is defined loop: "{{ lookup('dict', keycloak_plugins, wantlist=True) }}" tags: "keycloak:install:plugins" 
@@ -94,37 +91,33 @@ #### setup admin user (it's just adding a file with env variables which are picked up by keycloak upon startup) - name: "Set env variables for admin user configuration" - template: + ansible.builtin.template: owner: "{{ keycloak_service_user }}" group: "{{ keycloak_service_user }}" - mode: 0600 + mode: "0600" src: "templates/{{ keycloak_version }}/env.conf.j2" dest: "{{ keycloak_home }}/conf/env.conf" - become: yes + become: true tags: "keycloak:config:setup_admin_user" ############### Setup keycloak as a service - name: "Setup keycloak as a service" - template: + ansible.builtin.template: owner: root group: root - mode: 0644 + mode: "0644" src: templates/keycloak.service.quarkus.j2 dest: /etc/systemd/system/keycloak.service - become: yes + become: true tags: "keycloak:install:systemd_service" - name: "Restart keycloak" - systemd: + ansible.builtin.systemd: name: keycloak state: restarted - daemon_reload: yes - enabled: yes - become: yes + daemon_reload: true + enabled: true + become: true tags: "keycloak:install:restart_sys_service" - - - - diff --git a/roles/keycloak/tasks/quarkus/install_plugin.yml b/roles/keycloak/tasks/quarkus/install_plugin.yml index 247941e3..3587c837 100644 --- a/roles/keycloak/tasks/quarkus/install_plugin.yml +++ b/roles/keycloak/tasks/quarkus/install_plugin.yml 
@@ -1,20 +1,21 @@ --- - -- block: - - - name: "Installing plugin {{ item.value.name }} with hot deploy" +# keycloak/tasks/quarkus/install_plugin.yml +- name: Why do we have this block? + become: true + when: not item is undefined + tags: "keycloak:install:plugins" + block: + - name: "Installing plugin with hot deploy: {{ item.value.name }}" + when: item.value.hotdeploy is defined block: - name: "Download plugin jar into folder /tmp (for plugin: {{ item.value.name }})" - get_url: + ansible.builtin.get_url: url: "{{ item.value.hotdeploy.jar_url }}" dest: "/tmp/" + mode: "0644" register: download_result - #do not download directly to deployment folder (if it's downloaded slowly or the file is large, the deployment might be broken) + # do not download directly to deployment folder (if it's downloaded slowly or the file is large, the deployment might be broken) - name: "Move into deployment folder (for plugin: {{ item.value.name }})" - command: "mv {{download_result.dest}} {{keycloak_home}}/providers/" - notify: Clear Keycloak cache - when: item.value.hotdeploy is defined - - when: not item is undefined - become: yes - tags: "keycloak:install:plugins" \ No newline at end of file + ansible.builtin.command: "mv {{ download_result.dest }} {{ keycloak_home }}/providers/" + notify: Clear Keycloak cache # This is a really bad idea + changed_when: true # Gonna have to trigger this always diff --git a/roles/keycloak/tasks/wildfly/install.yml b/roles/keycloak/tasks/wildfly/install.yml index 2eafb6a9..5a6098ec 100644 --- a/roles/keycloak/tasks/wildfly/install.yml +++ b/roles/keycloak/tasks/wildfly/install.yml 
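Review bot: `changed_when: true` on `Move into deployment folder` makes every run report a change and fire the `Clear Keycloak cache` handler, which the inline comments themselves call a bad idea; the root cause is that `mv` cannot tell whether the jar already in `providers/` changed. Replacing the `mv` with `ansible.builtin.copy` (`remote_src: true`) and then removing the temporary file, as below, yields an accurate changed status so the handler only fires when a new jar actually lands. The `get_url` into `/tmp/` also has no `checksum:`, so a jar that will be loaded into the Keycloak process is installed with no integrity verification; if the plugin definition can carry an expected digest, pass it through here. The block name `Why do we have this block?` should become a descriptive name such as `Install Quarkus plugin`.
```yaml
        # … unchanged: get_url download task …
        - name: "Install into providers folder (for plugin: {{ item.value.name }})"
          ansible.builtin.copy:
            src: "{{ download_result.dest }}"
            dest: "{{ keycloak_home }}/providers/"
            remote_src: true
            mode: "0644"
          notify: Clear Keycloak cache
        - name: "Remove temporary jar (for plugin: {{ item.value.name }})"
          ansible.builtin.file:
            path: "{{ download_result.dest }}"
            state: absent
```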
@@ -1,84 +1,90 @@ --- ######## Create postgresql plugin -- name: "Task block: Create postgresql plugin" - block: - - name: create postresql plugin dir with parent directories - file: - path: "{{ keycloak_home }}/modules/system/layers/keycloak/org/postgresql/main" - state: directory - - name: Download postgresql JDBC driver - get_url: - url: "https://jdbc.postgresql.org/download/{{ keycloak_postgresql_jar_name }}" - dest: "{{ keycloak_home }}/modules/system/layers/keycloak/org/postgresql/main" - - name: Installing postgresql plugin - template: - src: templates/module.xml.j2 - dest: "{{ keycloak_home }}/modules/system/layers/keycloak/org/postgresql/main/module.xml" - become: yes +- name: Task block | Create postgresql plugin + become: true tags: "keycloak:install:postgresql_plugin" + block: + - name: Ceate postresql plugin dir with parent directories + ansible.builtin.file: + path: "{{ keycloak_home }}/modules/system/layers/keycloak/org/postgresql/main" + state: directory + mode: "0755" + - name: Download postgresql JDBC driver + ansible.builtin.get_url: + url: "https://jdbc.postgresql.org/download/{{ keycloak_postgresql_jar_name }}" + dest: "{{ keycloak_home }}/modules/system/layers/keycloak/org/postgresql/main" + mode: "0644" + - name: Installing postgresql plugin + ansible.builtin.template: + src: templates/module.xml.j2 + dest: "{{ keycloak_home }}/modules/system/layers/keycloak/org/postgresql/main/module.xml" + mode: "0600" -######## Install template standalone-ha.xml +######## Install template standalone-ha.xml - name: Installing keycloak configuration (standalone-ha.xml) - template: - mode: 0600 + ansible.builtin.template: + mode: "0600" src: "templates/{{ keycloak_version }}/standalone-ha.xml.j2" dest: "{{ keycloak_home }}/standalone/configuration/standalone-ha.xml" - become: yes + become: true tags: "keycloak:install:standaloneha" ##### Set keycloak working dir and logs writable for service user -- name: "Setting standalone folder writable for user: {{ 
keycloak_service_user }} - where it's internal temporary files are created" - file: +- name: "Setting standalone folder writable for user: where it's internal temporary files are created: {{ keycloak_service_user }}" + ansible.builtin.file: dest: "{{ keycloak_home }}/standalone" owner: "{{ keycloak_service_user }}" group: "{{ keycloak_service_user }}" - recurse: yes - become: yes + recurse: true + become: true tags: "keycloak:install:setup_file_permissions" ############### Setup admin user -- name: "Task block: Setup admin user" - block: - - name: Remove file (delete file if exists) - file: - path: "{{ keycloak_home }}/standalone/configuration/keycloak-add-user.json" - state: absent - - name: Create admin user - shell: "{{ keycloak_home }}/bin/add-user-keycloak.sh -u {{ keycloak_admin.user }} -p {{ keycloak_admin.pass }}" - args: - executable: /bin/bash - become: yes +- name: Task block | Setup admin user" + become: true tags: "keycloak:install:setup_admin" + block: + - name: Remove file (delete file if exists) + ansible.builtin.file: + path: "{{ keycloak_home }}/standalone/configuration/keycloak-add-user.json" + state: absent + - name: Create admin user + ansible.builtin.shell: >- + "{{ keycloak_home }}/bin/add-user-keycloak.sh \ + -u {{ keycloak_admin.user }} \ + -p {{ keycloak_admin.pass }}" + args: + executable: /bin/bash + changed_when: false #### Setup logcleaner script - name: "Task block: Setup logcleaner script" + become: true + tags: "keycloak:install:setup_logcleaner" block: - name: "Install the logcleaner script template" - template: + ansible.builtin.template: owner: "{{ keycloak_service_user }}" group: "{{ keycloak_service_user }}" - mode: 0640 + mode: "0640" src: templates/logcleaner.sh.j2 dest: "{{ keycloak_home }}/logcleaner.sh" - name: "Create the cronjob" - cron: + ansible.builtin.cron: name: keycloak logcleaner day: "*" hour: "0" minute: "0" user: "{{ keycloak_service_user }}" job: "sh {{ keycloak_home }}/logcleaner.sh {{ keycloak_logs_folder }} 
{{ keycloak_logs_max_days }}" - become: yes - tags: "keycloak:install:setup_logcleaner" - ### install other plugins # would loop over block of tasks within install_plugin.yml, but looping on blocks is not allowed in ansible - name: Install other plugins - include_tasks: "wildfly/install_plugin.yml" + ansible.builtin.include_tasks: "wildfly/install_plugin.yml" when: not keycloak_plugins is undefined loop: "{{ lookup('dict', keycloak_plugins, wantlist=True) }}" tags: "keycloak:install:plugins" @@ -87,24 +93,20 @@ ############### Setup keycloak as a service - name: "Setup keycloak as a service" - template: + ansible.builtin.template: owner: root group: root - mode: 0644 + mode: "0644" src: templates/keycloak.service.wildfly.j2 dest: /etc/systemd/system/keycloak.service - become: yes + become: true tags: "keycloak:install:setup_sys_service" - name: "Restart keycloak" - systemd: + ansible.builtin.systemd: name: keycloak state: restarted - daemon_reload: yes - enabled: yes - become: yes + daemon_reload: true + enabled: true + become: true tags: "keycloak:install:restart_sys_service" - - - - diff --git a/roles/keycloak/tasks/wildfly/install_plugin.yml b/roles/keycloak/tasks/wildfly/install_plugin.yml index 1f315cfd..e7923c33 100644 --- a/roles/keycloak/tasks/wildfly/install_plugin.yml +++ b/roles/keycloak/tasks/wildfly/install_plugin.yml 
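Review bot: `Create admin user` is broken by the new folded scalar: the surrounding double quotes and the `\` continuations are now literal characters of the command (the `>-` fold already joins the lines with spaces), so bash receives a single quoted word `"<keycloak_home>/bin/add-user-keycloak.sh \ -u … \ -p …"` and fails with command not found; drop the quotes and backslashes as below. The same task passes `keycloak_admin.pass` on the command line, so the password appears in Ansible's task output on failure or with `-v`; `no_log: true` keeps it out of logs (it is still visible in the process list for the script's lifetime). The task name `Task block | Setup admin user"` has a stray trailing quote, and `Installing postgresql plugin` now writes `module.xml` as root with `mode: "0600"` and no `owner:`, which — unless something later in the wildfly path chowns `modules/` — leaves it unreadable by `{{ keycloak_service_user }}`; `0644` or an explicit `owner:` looks necessary. `Ceate postresql` is a typo for `Create postgresql`.
```yaml
    - name: Create admin user
      ansible.builtin.shell: >-
        {{ keycloak_home }}/bin/add-user-keycloak.sh
        -u {{ keycloak_admin.user }}
        -p {{ keycloak_admin.pass }}
      args:
        executable: /bin/bash
      changed_when: false
      no_log: true
```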
@@ -1,26 +1,32 @@ --- - -- block: - - name: "Installing plugin {{ item.value.name }} as a module" - block: - +# keycloak/tasks/widlfly/install-plugin.yml +- name: Install widlfly plugin + when: not item is undefined + become: true + tags: "keycloak:install:plugins" + ansible.builtin.block: + - name: "Installing plugin as a module: {{ item.value.name }}" + ansible.builtin.block: - name: "Create plugin dir with parent directories (for plugin: {{ item.value.name }})" - file: + ansible.builtin.file: path: "{{ keycloak_home }}/modules/system/layers/keycloak/org/keycloak/{{ item.value.name }}/main" state: directory + mode: "0755" - name: "Download plugin jar (of plugin: {{ item.value.name }})" - get_url: + ansible.builtin.get_url: url: "{{ item.value.module.jar_url }}" dest: "{{ keycloak_home }}/modules/system/layers/keycloak/org/keycloak/{{ item.value.name }}/main/" + mode: "0644" - name: "Install module.xml (for plugin: {{ item.value.name }})" - get_url: + ansible.builtin.get_url: url: "{{ item.value.module.modulexml_url }}" dest: "{{ keycloak_home }}/modules/system/layers/keycloak/org/keycloak/{{ item.value.name }}/main/" + mode: "0644" - name: "Setup keycloak xml providers (for plugin: {{ item.value.name }})" - xml: + community.general.xml: path: "{{ keycloak_home }}/standalone/configuration/standalone-ha.xml" xpath: /srv:server/srv:profile/sub:subsystem/sub:providers input_type: xml @@ -31,7 +37,7 @@ sub: "{{ namespaces.domain_server }}" - name: "Setup keycloak xml theme modules (for plugin: {{ item.value.name }})" - xml: + community.general.xml: path: "{{ keycloak_home }}/standalone/configuration/standalone-ha.xml" xpath: /srv:server/srv:profile/sub:subsystem/sub:theme input_type: xml 
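Review bot: `ansible.builtin.block:` (used for the outer task and again for `Installing plugin as a module`) is not a valid keyword — `block` is a task keyword, not a module, so Ansible will try to resolve a module named `ansible.builtin.block` and fail to load the file; both should read `block:`. The module block also lost its guard: the third hunk of this file removes `when: item.value.module is defined` without re-adding it on the new block header, so a plugin with only a `hotdeploy` entry will now hit an undefined `item.value.module.jar_url`; add `when: item.value.module is defined` next to the inner `block:`. `widlfly` in the comment and task name is a typo for `wildfly`, and the `/tmp/` download in the hot-deploy branch (third hunk) still has no `mode:`, unlike its quarkus counterpart, and no `checksum:`.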
@@ -41,22 +47,17 @@ srv: "{{ namespaces.domain }}" sub: "{{ namespaces.domain_server }}" when: item.value.theme is defined - when: item.value.module is defined - - name: "Installing plugin {{ item.value.name }} with hot deploy" + - name: "Installing plugin with hot deploy: {{ item.value.name }}" block: - name: "Download plugin jar into folder /tmp (for plugin: {{ item.value.name }})" - get_url: + ansible.builtin.get_url: url: "{{ item.value.hotdeploy.jar_url }}" dest: "/tmp/" register: download_result - #do not download directly to deployment folder (if it's downloaded slowly or the file is large, the deployment might be broken) + # do not download directly to deployment folder (if it's downloaded slowly or the file is large, the deployment might be broken) - name: "Move into deployment folder (for plugin: {{ item.value.name }})" - command: "mv {{download_result.dest}} {{keycloak_home}}/standalone/deployments/" + ansible.builtin.command: "mv {{ download_result.dest }} {{ keycloak_home }}/standalone/deployments/" when: item.value.hotdeploy is defined - - when: not item is undefined - become: yes - tags: "keycloak:install:plugins" \ No newline at end of file diff --git a/roles/keycloak/vars/keycloak-13.yml b/roles/keycloak/vars/keycloak-13.yml index a158abb1..659bff0d 100644 --- a/roles/keycloak/vars/keycloak-13.yml +++ b/roles/keycloak/vars/keycloak-13.yml @@ -1,7 +1,6 @@ # file: keycloak/vars/13.yml # --- - -namespaces: +namespaces: # noqa var-naming[no-role-prefix] domain: "urn:jboss:domain:16.0" domain_server: "urn:jboss:domain:keycloak-server:1.1" diff --git a/roles/keycloak/vars/keycloak-14.yml b/roles/keycloak/vars/keycloak-14.yml index 91898e4d..6deb2d6f 100644 --- a/roles/keycloak/vars/keycloak-14.yml +++ b/roles/keycloak/vars/keycloak-14.yml @@ -2,6 +2,6 @@ # --- -namespaces: +namespaces: # noqa var-naming[no-role-prefix] domain: "urn:jboss:domain:16.0" domain_server: "urn:jboss:domain:keycloak-server:1.1" 
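Review bot: The removed `when: item.value.module is defined` is not re-established on the new `Installing plugin as a module` block, whose header in the first hunk of this file carries only `name` and `ansible.builtin.block`, so every plugin now runs the module-install tasks and a hot-deploy-only entry fails on the undefined `item.value.module.jar_url`; the hot-deploy block keeps its `when: item.value.hotdeploy is defined`, so the asymmetry looks unintentional. Restore it beside the block's name: `when: item.value.module is defined`. Separately, the hot-deploy path still downloads the jar into the world-writable `/tmp/` and then moves it as root with `ansible.builtin.command: mv`, which reports changed on every run; a `dest` under `{{ keycloak_home }}` with a `checksum:` on the `get_url`, plus `changed_when` on the move, would be safer. The outer block begins in the first hunk of this file.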
diff --git a/roles/keycloak/vars/keycloak-15.yml b/roles/keycloak/vars/keycloak-15.yml index 17b6b981..f451a32c 100644 --- a/roles/keycloak/vars/keycloak-15.yml +++ b/roles/keycloak/vars/keycloak-15.yml @@ -1,8 +1,7 @@ # file: keycloak/vars/15.yml # --- - -namespaces: +namespaces: # noqa var-naming[no-role-prefix] domain: "urn:jboss:domain:16.0" domain_server: "urn:jboss:domain:keycloak-server:1.1" diff --git a/roles/keycloak/vars/keycloak-16.yml b/roles/keycloak/vars/keycloak-16.yml index 0bdab65f..40a1c2b4 100644 --- a/roles/keycloak/vars/keycloak-16.yml +++ b/roles/keycloak/vars/keycloak-16.yml @@ -1,8 +1,7 @@ # file: keycloak/vars/16.yml # --- - -namespaces: +namespaces: # noqa var-naming[no-role-prefix] domain: "urn:jboss:domain:19.0" domain_server: "urn:jboss:domain:keycloak-server:1.1" diff --git a/roles/keycloak/vars/os/Debian-buster.yml b/roles/keycloak/vars/os/Debian-buster.yml index 16e57ba5..f67f5985 100644 --- a/roles/keycloak/vars/os/Debian-buster.yml +++ b/roles/keycloak/vars/os/Debian-buster.yml @@ -1,4 +1,4 @@ --- - -#this jar should match with the default version of postgresql of the target machine. i.e. for debian 10, it's the postgresql-42.2.22.jar +# this jar should match with the default version of postgresql of the target machine. +# i.e. for debian 10, it's the postgresql-42.2.22.jar keycloak_postgresql_jar_name: "postgresql-42.2.22.jar" diff --git a/roles/letsencrypt/defaults/main.yml b/roles/letsencrypt/defaults/main.yml index 399fd148..4ccda14c 100644 --- a/roles/letsencrypt/defaults/main.yml +++ b/roles/letsencrypt/defaults/main.yml 
@@ -1,7 +1,9 @@ --- # this should have value either "snap" or "os_repo" -install_from: "snap" +letsencrypt_install_from: "snap" -# Email address for important account notifications. For example, Let’s Encrypt will automatically send expiry notices to this email address when your certificate is coming up for renewal -#letsencrypt_email: "bob.builder@example.org" +# Email address for important account notifications. +# For example, Let’s Encrypt will automatically send expiry notices +# to this email address when your certificate is coming up for renewal +# letsencrypt_email: "bob.builder@example.org" diff --git a/roles/letsencrypt/tasks/install-Debian.yml b/roles/letsencrypt/tasks/install-Debian.yml index fea74409..5f55ae77 100644 --- a/roles/letsencrypt/tasks/install-Debian.yml +++ b/roles/letsencrypt/tasks/install-Debian.yml 
@@ -1,43 +1,56 @@ --- - - name: Install certbot from snap + become: true + when: letsencrypt_install_from == "snap" block: - - name: "Required packages" - apt: + - name: Required packages + ansible.builtin.apt: name: - snapd - python-simplejson state: present - name: Ensure versions of certbot from apt are not present - apt: + ansible.builtin.apt: name: - certbot state: absent - - name: snap install core - snap: + - name: Snap install core + community.general.snapsnap: name: core - - name: snap install certbot - snap: + - name: Snap install certbot + community.general.snap: name: certbot - classic: yes + classic: true - name: Prepare certbot folders - shell: "ln -sf /snap/bin/certbot /usr/bin/certbot" - when: {{ install_from }} == "snap" + ansible.builtin.file: + src: /snap/bin/certbot + dest: /usr/bin/certbot + owner: root + group: root + state: link - name: Install certbot from debian repo + become: true + when: letsencrypt_install_from == "os_repo" block: - - name: "Installing certbot from apt" - apt: - name: - - certbot - state: present - when: {{ install_from }} == "os_repo" - - + - name: "Installing certbot from apt" + ansible.builtin.apt: + name: + - certbot + state: present -- name: Run certbot script and create certificates - shell: "certbot certonly --standalone --email {{ letsencrypt_email }} --agree-tos -d {{ inventory_hostname }} --non-interactive" +- name: Run certbot script and create certificates # noqa command-instead-of-shell + become: true + ansible.builtin.shell: >- + certbot + certonly + --standalone + --email "{{ letsencrypt_email }}" + --agree-tos + -d "{{ inventory_hostname }}" + --non-interactive + changed_when: false diff --git a/roles/letsencrypt/tasks/main.yml b/roles/letsencrypt/tasks/main.yml index abf9a163..f5375282 100644 --- a/roles/letsencrypt/tasks/main.yml +++ b/roles/letsencrypt/tasks/main.yml 
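Review bot: `community.general.snapsnap` in the `Snap install core` task is not a module (the following task correctly uses `community.general.snap`), so the snap install path fails before any task runs; change it to `community.general.snap:`. The `Run certbot script and create certificates` task then executes `certbot certonly --standalone` on every play with `changed_when: false`, which contacts the CA each run and hides whether a certificate was actually issued; gate it with `args: { creates: "/etc/letsencrypt/live/{{ inventory_hostname }}/fullchain.pem" }` and drop `changed_when: false` so a real issuance is reported. With `creates` in place the task also stops needing the `command-instead-of-shell` suppression, since nothing in the command requires a shell.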
@@ -1,7 +1,5 @@ --- -- name: "Detected Debian - Running debian installation file" - include: install-Debian.yml +- name: Detected Debian - Running debian installation file + ansible.builtin.include_tasks: install-Debian.yml when: ansible_os_family == 'Debian' - become: yes - diff --git a/roles/memcached/defaults/main.yml b/roles/memcached/defaults/main.yml index 0f4b3478..cd67383d 100644 --- a/roles/memcached/defaults/main.yml +++ b/roles/memcached/defaults/main.yml @@ -1,12 +1,11 @@ --- - memcached_log_file: "/var/log/memcached.log" -# Log verbosity levels: +# Log verbosity levels: # `""` Don't log anything (Default) # `-v` Be verbose during the event loop; print out errors and warnings. # `-vv` Be even more verbose; same as -v but also print client commands and # responses. -# `-vvv` Be extremely verbose; same as -vv but also print internal state +# `-vvv` Be extremely verbose; same as -vv but also print internal state # transitions. memcached_log_verbosity: "" @@ -20,7 +19,7 @@ memcached_listen_port_udp: 11211 # IP address to listen on; the default is to listen on all IP addresses. # Binding to an internal or firewalled network interface is suggested. -#memcached_listen_address: 127.0.0.1 +# memcached_listen_address: 127.0.0.1 # Max number of simultaneous connections. memcached_connections_max: 1024 diff --git a/roles/memcached/handlers/main.yml b/roles/memcached/handlers/main.yml index 48d36004..663bb3bb 100644 --- a/roles/memcached/handlers/main.yml +++ b/roles/memcached/handlers/main.yml @@ -1,7 +1,6 @@ --- - - name: Restart memcached - service: - name: memcached + ansible.builtin.service: + name: memcached state: restarted - become: yes + become: true diff --git a/roles/memcached/tasks/configure-common.yml b/roles/memcached/tasks/configure-common.yml index ce376ab3..f13436c9 100644 --- a/roles/memcached/tasks/configure-common.yml +++ b/roles/memcached/tasks/configure-common.yml 
@@ -1,11 +1,10 @@ --- - - name: Ensure memcached service is configured - template: + ansible.builtin.template: src: memcached-{{ ansible_os_family }}.conf.j2 dest: "{{ memcached_config_file }}" owner: root group: root - mode: 0644 - become: yes + mode: "0644" + become: true notify: Restart memcached diff --git a/roles/memcached/tasks/install-Debian.yml b/roles/memcached/tasks/install-Debian.yml index 3ca5825b..04531ed0 100644 --- a/roles/memcached/tasks/install-Debian.yml +++ b/roles/memcached/tasks/install-Debian.yml @@ -1,7 +1,6 @@ --- - - name: Update package cache (Debian) - apt: - update_cache: yes + ansible.builtin.apt: + update_cache: true cache_valid_time: 86400 - become: yes + become: true diff --git a/roles/memcached/tasks/install-common.yml b/roles/memcached/tasks/install-common.yml index 0dcbec29..2a5250cd 100644 --- a/roles/memcached/tasks/install-common.yml +++ b/roles/memcached/tasks/install-common.yml @@ -1,7 +1,6 @@ --- - - name: Ensure memcached server is installed - package: - name: memcached + ansible.builtin.package: + name: memcached state: present - become: yes + become: true diff --git a/roles/memcached/tasks/main.yml b/roles/memcached/tasks/main.yml index ba2ee25a..bd560e59 100644 --- a/roles/memcached/tasks/main.yml +++ b/roles/memcached/tasks/main.yml 
@@ -1,21 +1,21 @@ --- - name: Include OS-specific variables - include_vars: "{{ ansible_os_family }}.yml" + ansible.builtin.include_vars: "{{ ansible_os_family }}.yml" -# Run OS-specific installation tasks -- include: install-Debian.yml +- name: OS-specific installation tasks + ansible.builtin.include_tasks: install-Debian.yml when: ansible_os_family == 'Debian' -# Run OS-independent installation tasks -- include: install-common.yml +- name: OS-independent installation tasks + ansible.builtin.include_tasks: install-common.yml -# Apply OS-independent configuration -- include: configure-common.yml +- name: Apply OS-independent configuration + ansible.builtin.include_tasks: configure-common.yml - name: Ensure memcached service is at selected state and enabled on boot - service: + ansible.builtin.service: name: memcached state: started - enabled: yes - become: yes + enabled: true + become: true diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml index 92a02a28..1b6e0709 100644 --- a/roles/nginx/defaults/main.yml +++ b/roles/nginx/defaults/main.yml @@ -12,7 +12,7 @@ nginx_remove_default_vhost: false # SSL protocols that should be enabled nginx_ssl_protocols: "TLSv1.3 TLSv1.2" # SSL ciphers that should be enabled -nginx_ssl_ciphers: "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA512:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDH+AESGCM:ECDH+AES256:DH+AESGCM:DH+AES256:RSA+AESGCM:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS" +nginx_ssl_ciphers: "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA512:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDH+AESGCM:ECDH+AES256:DH+AESGCM:DH+AES256:RSA+AESGCM:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS" # noqa yaml[line-length] # Name servers used to resolve names of upstream servers into addresses nginx_resolver: "8.8.8.8 8.8.4.4 [2001:4860:4860::8888] [2001:4860:4860::8844]" 
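Review bot: The `nginx_ssl_ciphers` line only gains a `# noqa yaml[line-length]`, but the list it suppresses still admits `RSA+AESGCM`, a static-RSA key exchange with no forward secrecy, next to the `EECDH`/`DH` suites and the CBC groups `ECDH+AES256`/`DH+AES256`. Since the line is being touched anyway, dropping `RSA+AESGCM` (and the CBC groups if nothing on the fleet needs them) would bring the default in line with the `TLSv1.3 TLSv1.2` protocol setting above it. Which clients still depend on those suites is not visible from this diff, so confirm before tightening.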
@@ -32,21 +32,21 @@ nginx_ssl_certificate_key_file_group: "root" nginx_ssl_certificate_key_file_mode: "0600" # Uncomment to generate file with custom DH parameters for DHE ciphers -#nginx_dhparam_file: "dhparam.pem" +# nginx_dhparam_file: "dhparam.pem" # Number of bits used for generating DH parameter set nginx_dhparam_size: 2048 nginx_enable_rsyslog_pgsql_logs: false -#nginx_upstream_groups: +# nginx_upstream_groups: # - name: "web_backend" # servers: -# - address: "192.168.0.1" +# - address: "192.168.0.1" # weight: 1 -# - address: "192.168.0.2" +# - address: "192.168.0.2" # weight: 1 -#nginx_vhosts: +# nginx_vhosts: # - server_name: "www.example.org" # listen: # - "443 ssl default_server" diff --git a/roles/nginx/handlers/main.yml b/roles/nginx/handlers/main.yml index 7c2fa2bd..391e14b3 100644 --- a/roles/nginx/handlers/main.yml +++ b/roles/nginx/handlers/main.yml @@ -1,7 +1,7 @@ --- - name: Restart nginx - service: - name: nginx + ansible.builtin.service: + name: nginx state: restarted - become: yes + become: true diff --git a/roles/nginx/tasks/configure-common.yml b/roles/nginx/tasks/configure-common.yml index c5b37225..9c60f675 100644 --- a/roles/nginx/tasks/configure-common.yml +++ b/roles/nginx/tasks/configure-common.yml 
@@ -1,58 +1,57 @@ # file: nginx/tasks/configure-common.yml # --- - -- name: Ensure file with custom DH parameters for DHE ciphers exists - shell: openssl dhparam -dsaparam -out {{ nginx_dhparam_file }} {{ nginx_dhparam_size }} +- name: Ensure file with custom DH parameters for DHE ciphers exists # noqa command-instead-of-shell + ansible.builtin.shell: openssl dhparam -dsaparam -out {{ nginx_dhparam_file }} {{ nginx_dhparam_size }} args: chdir: "{{ nginx_conf_path }}" creates: "{{ nginx_conf_path }}/{{ nginx_dhparam_file }}" - become: yes + become: true notify: Restart nginx when: nginx_dhparam_file is defined - name: Ensure nginx service is configured - template: + ansible.builtin.template: src: nginx-{{ ansible_os_family }}.conf.j2 dest: "{{ nginx_conf_path }}/nginx.conf" owner: root group: root - mode: 0644 - backup: yes - become: yes + mode: "0644" + backup: true + become: true notify: Restart nginx - name: Disable default nginx Virtual Host configuration - file: + ansible.builtin.file: path: "{{ nginx_conf_path }}/sites-enabled/{{ nginx_default_vhost_filename }}" state: absent - become: yes + become: true notify: Restart nginx when: nginx_remove_default_vhost -# Configure nginx Virtual Host SSL certificates -- include: configure-ssl-cert.yml +- name: Configure nginx Virtual Host SSL certificates + ansible.builtin.include_tasks: configure-ssl-cert.yml when: nginx_vhosts is defined tags: - nginx:config:cert - name: Add nginx Virtual Host configuration - template: + ansible.builtin.template: src: "vhosts.conf.j2" dest: "{{ nginx_conf_path }}/sites-available/{{ nginx_vhosts_filename }}" owner: root group: root - mode: 0644 - backup: yes - become: yes + mode: "0644" + backup: true + become: true notify: Restart nginx when: nginx_create_vhosts - name: Enable nginx Virtual Host configuration - file: + ansible.builtin.file: src: "{{ nginx_conf_path }}/sites-available/{{ nginx_vhosts_filename }}" dest: "{{ nginx_conf_path }}/sites-enabled/{{ nginx_vhosts_filename }}" 
state: link - become: yes + become: true notify: Restart nginx when: nginx_create_vhosts diff --git a/roles/nginx/tasks/configure-ssl-cert.yml b/roles/nginx/tasks/configure-ssl-cert.yml index 2b03b756..63614738 100644 --- a/roles/nginx/tasks/configure-ssl-cert.yml +++ b/roles/nginx/tasks/configure-ssl-cert.yml 
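Review bot: Converting `include: configure-ssl-cert.yml` to `ansible.builtin.include_tasks` changes how the attached `tags: [nginx:config:cert]` behave: on a dynamic include the tag applies to the include task only, not to the tasks inside the file, so `--tags nginx:config:cert` no longer runs the certificate tasks the way the static include did. Either keep it static with `ansible.builtin.import_tasks: configure-ssl-cert.yml`, or keep `include_tasks` and add `apply: { tags: [nginx:config:cert] }` next to the existing `tags`. The same conversion was applied to other includes in this commit without tags, where it is harmless.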
@@ -3,54 +3,56 @@ --- - name: Ensure nginx SSL certificate directories exist - file: + ansible.builtin.file: path: "{{ item.certificate_file | dirname }}" owner: "{{ nginx_ssl_certificate_file_owner }}" group: "{{ nginx_ssl_certificate_file_group }}" state: directory + mode: "0755" with_items: - "{{ nginx_vhosts }}" when: item.certificate_file is defined and item.certificate is defined - become: yes + become: true - name: Ensure nginx SSL certificates are copied - copy: + ansible.builtin.copy: dest: "{{ item.certificate_file }}" content: "{{ item.certificate }}" owner: "{{ nginx_ssl_certificate_file_owner }}" group: "{{ nginx_ssl_certificate_file_group }}" mode: "{{ nginx_ssl_certificate_file_mode }}" - backup: yes + backup: true with_items: - "{{ nginx_vhosts }}" when: item.certificate_file is defined and item.certificate is defined - become: yes + become: true notify: - Restart nginx - name: Ensure nginx SSL certificate key directories exist - file: + ansible.builtin.file: path: "{{ item.certificate_key_file | dirname }}" owner: "{{ nginx_ssl_certificate_key_file_owner }}" group: "{{ nginx_ssl_certificate_key_file_group }}" state: directory + mode: "0755" with_items: - "{{ nginx_vhosts }}" when: item.certificate_key_file is defined and item.certificate_key is defined - become: yes + become: true - name: Ensure nginx SSL certificate keys are copied - copy: + ansible.builtin.copy: dest: "{{ item.certificate_key_file }}" content: '{{ item.certificate_key }}' owner: "{{ nginx_ssl_certificate_key_file_owner }}" group: "{{ nginx_ssl_certificate_key_file_group }}" mode: "{{ nginx_ssl_certificate_key_file_mode }}" - backup: yes + backup: true with_items: - "{{ nginx_vhosts }}" when: item.certificate_key_file is defined and item.certificate_key is defined - become: yes - no_log: yes + become: true + no_log: true notify: - Restart nginx diff --git a/roles/nginx/tasks/install-Debian.yml b/roles/nginx/tasks/install-Debian.yml index 0c1e4347..7ae0adb7 100644 
--- a/roles/nginx/tasks/install-Debian.yml +++ b/roles/nginx/tasks/install-Debian.yml @@ -1,11 +1,11 @@ --- - name: Ensure nginx server is installed (Debian) - apt: + ansible.builtin.apt: name: - nginx state: present - install_recommends: no - update_cache: yes + install_recommends: false + update_cache: true cache_valid_time: 86400 - become: yes + become: true diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml index 0f52adf2..ce3f091d 100644 --- a/roles/nginx/tasks/main.yml +++ b/roles/nginx/tasks/main.yml @@ -1,20 +1,21 @@ --- - name: Include OS-specific variables - include_vars: "{{ ansible_os_family }}.yml" + ansible.builtin.include_vars: "{{ ansible_os_family }}.yml" -# Install OS-specific packages -- include: install-Debian.yml +- name: Install OS-specific packages + ansible.builtin.include_tasks: install-Debian.yml when: ansible_os_family == 'Debian' -#- include: install-CentOS.yml -# when: ansible_os_family == 'CentOS' -# Apply OS-independent configuration -- include: configure-common.yml +# - include: install-CentOS.yml +# when: ansible_os_family == 'CentOS' + +- name: Apply OS-independent configuration + ansible.builtin.include_tasks: configure-common.yml - name: Ensure nginx service is started and enabled on boot - service: + ansible.builtin.service: name: "{{ nginx_service }}" state: started - enabled: yes - become: yes + enabled: true + become: true diff --git a/roles/nginx/templates/vhosts.conf.j2 b/roles/nginx/templates/vhosts.conf.j2 index d185cb65..f98b8a5c 100644 --- a/roles/nginx/templates/vhosts.conf.j2 +++ b/roles/nginx/templates/vhosts.conf.j2 @@ -8,7 +8,7 @@ upstream {{ upstream_group.name }} { {{ upstream_group.load_balancing_method }}; {% endif %} {% for upstream_server in upstream_group.servers %} - server {{ upstream_server.address }} + server {{ upstream_server.address }} weight={{ upstream_server.weight | default(1) }} {% if upstream_server.backup is defined and upstream_server.backup %} backup 
diff --git a/roles/openldap/defaults/main.yml b/roles/openldap/defaults/main.yml index 31d65b39..b4fb752b 100644 --- a/roles/openldap/defaults/main.yml +++ b/roles/openldap/defaults/main.yml @@ -1,26 +1,26 @@ --- # defaults file for ansible-openldap -openldap_init: false #when enabled it will initialise the LDAP directory. If already installed, the LDAP directory contents will be backed up -#openldap_admin_password: 'secret' -#openldap_admin_password_salt: 'defaultsecretsalt' +openldap_init: false # when enabled it will initialise the LDAP directory. If already installed, the LDAP directory contents will be backed up +# openldap_admin_password: 'secret' +# openldap_admin_password_salt: 'defaultsecretsalt' openldap_admin_user: 'admin' openldap_org: 'example.test' openldap_tld: 'org' openldap_base: 'dc=example,dc=test,dc={{ openldap_tld }}' openldap_uri: 'ldap://example.test.org' openldap_bind_id: 'cn={{ openldap_admin_user }},{{ openldap_base }}' -openldap_organizationalunits: #defines OU's to populate +openldap_organizationalunits: # defines OU's to populate - people - groups -openldap_populate: false #defines if openldap DB should be populated with openldap_organizationalunits, openldap_posixgroups -openldap_schema: false #defines if additional schemas should be added +openldap_populate: false # defines if openldap DB should be populated with openldap_organizationalunits, openldap_posixgroups +openldap_schema: false # defines if additional schemas should be added openldap_acl: false -openldap_posixgroups: #defines groups to create within OU's +openldap_posixgroups: # defines groups to create within OU's - name: admin-CO:COU:example.org:members ou: roles - gidNum: 500 #start group numbers at 500 and up + gidNum: 500 # start group numbers at 500 and up -openldap_adminusers: #defines admin users +openldap_adminusers: # defines admin users - cn: client-example sn: Example displayName: 'Client Example' 
@@ -37,4 +37,4 @@ openldap_certificate: [] openldap_certificate_key_file: 'cert_key.key' openldap_certificate_key: [] openldap_slapd_services: "ldap://127.0.0.1:389/ ldaps:/// ldapi:///" -pri_domain_name: '{{ openldap_org }}.{{ openldap_tld }}' +openldap_pri_domain_name: '{{ openldap_org }}.{{ openldap_tld }}' diff --git a/roles/openldap/handlers/main.yml b/roles/openldap/handlers/main.yml index 92294dbe..b1708a9f 100644 --- a/roles/openldap/handlers/main.yml +++ b/roles/openldap/handlers/main.yml @@ -1,8 +1,19 @@ --- # handlers file for ansible-openldap - name: Restart slapd - service: + ansible.builtin.service: name: slapd state: restarted - become: yes + become: true +- name: Enable Attribute Options to openLDAP # noqa command-instead-of-shell + ansible.builtin.shell: >- + ldapmodify \ + -Y EXTERNAL \ + -H ldapi:/// \ + -f /etc/ldap/slapd.d/olc_attribute_options.ldif + ignore_errors: true # noqa ignore-errors + changed_when: false + when: olc_attribute_options_file is changed # noqa no-handler + become: true + run_once: true diff --git a/roles/openldap/tasks/configure.yml b/roles/openldap/tasks/configure.yml index 3eeeb035..aa977a46 100644 --- a/roles/openldap/tasks/configure.yml +++ b/roles/openldap/tasks/configure.yml 
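Review bot: The new `Enable Attribute Options to openLDAP` handler writes its `ldapmodify` command as a `>-` folded scalar but keeps the trailing backslashes; folding already joins the lines with spaces, so the shell receives `ldapmodify \ -Y EXTERNAL \ -H …` where each `\ ` is an escaped space delivered as a stray single-space argument, the tool most likely rejects the invocation, and `ignore_errors: true` with `changed_when: false` then hides the failure. Remove the backslashes so the folded lines read `ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/slapd.d/olc_attribute_options.ldif`, and prefer a `register` plus `failed_when` that tolerates only the already-exists result codes over a blanket `ignore_errors`. The `when: olc_attribute_options_file is changed` is redundant on a handler that is only notified when that template changed, though harmless.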
@@ -1,277 +1,328 @@ --- - name: Configure openLDAP file - template: - src: "etc/ldap/ldap.conf.j2" - dest: "/etc/ldap/ldap.conf" + ansible.builtin.template: + src: etc/ldap/ldap.conf.j2 + dest: /etc/ldap/ldap.conf owner: root group: root - mode: 0644 - backup: yes - become: yes + mode: "0644" + backup: true + become: true - name: Enable SSL port for openLDAP - template: - src: 'etc/default/slapd/slapd.j2' - dest: '/etc/default/slapd' + ansible.builtin.template: + src: etc/default/slapd/slapd.j2 + dest: /etc/default/slapd owner: root group: root - backup: yes - become: yes + mode: "0644" + backup: true + become: true - name: Ensure /etc/ldap/certs dir exists - file: + ansible.builtin.file: path: /etc/ldap/certs state: directory owner: openldap group: openldap - become: yes + mode: "0755" + become: true when: openldap_ca_certificate is defined and openldap_ca_certificate|length > 0 - name: Copy certificates config file - template: + ansible.builtin.template: src: "etc/ldap/certs/certs.ldif.j2" dest: "/etc/ldap/slapd.d/certs.ldif" owner: root group: root - mode: 0640 - become: yes + mode: "0640" + become: true when: openldap_ca_certificate is defined and openldap_ca_certificate|length > 0 - name: Ensure /etc/ldap/cacerts dir exists - file: + ansible.builtin.file: path: /etc/ldap/cacerts state: directory owner: openldap group: openldap - become: yes + mode: "0755" + become: true when: openldap_ca_certificate is defined and openldap_ca_certificate|length > 0 - name: Ensure CA certificate is copied - copy: + ansible.builtin.copy: dest: "/etc/ldap/cacerts/{{ openldap_ca_certificate_file }}" content: "{{ openldap_ca_certificate }}" owner: openldap group: openldap mode: '0600' - backup: yes + backup: true when: openldap_ca_certificate_file is defined and openldap_ca_certificate is defined and openldap_ca_certificate|length > 0 - become: yes + become: true - name: Ensure certificate is copied - copy: + ansible.builtin.copy: dest: "/etc/ldap/certs/{{ openldap_certificate_file 
}}" content: "{{ openldap_certificate }}" owner: openldap group: openldap mode: '0600' - backup: yes + backup: true when: openldap_certificate_file is defined and openldap_certificate is defined and openldap_certificate|length > 0 - become: yes + become: true - name: Ensure certificate key is copied - copy: + ansible.builtin.copy: dest: "/etc/ldap/certs/{{ openldap_certificate_key_file }}" content: "{{ openldap_certificate_key }}" owner: openldap group: openldap - mode: '0600' - backup: yes - when: openldap_certificate_key_file is defined and openldap_certificate_key is defined - and openldap_certificate_key|length > 0 - become: yes - no_log: yes + mode: "0600" + backup: true + when: openldap_certificate_key_file is defined and openldap_certificate_key is defined and openldap_certificate_key|length > 0 + become: true + no_log: true -- name: Add certificate config file to OpenLDAP - shell: 'ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/slapd.d/certs.ldif' - ignore_errors: yes #set to get around erroring out that items already exist +- name: Add certificate config file to OpenLDAP # noqa command-instead-of-shell + ansible.builtin.shell: >- + ldapmodify \ + -Y EXTERNAL \ + -H ldapi:/// \ + -f /etc/ldap/slapd.d/certs.ldif + ignore_errors: true # noqa ignore-errors when: openldap_ca_certificate is defined and openldap_ca_certificate|length > 0 and openldap_certificate is defined and openldap_certificate|length > 0 and openldap_certificate_key is defined and openldap_certificate_key|length > 0 - become: yes + become: true + changed_when: false # TODO define change conditions notify: Restart slapd - name: Copy admin_password to /etc/ldap/slapd.d/.slapdadmin - copy: - content: "{{ openldap_admin_password | password_hash('ldap_salted_sha1', openldap_admin_password_salt) }}" + ansible.builtin.copy: + content: "{{ openldap_admin_password | password_hash('ldap_salted_sha1', openldap_admin_password_salt) }}" dest: "/etc/ldap/slapd.d/.slapdadmin" owner: root group: root - 
mode: 400 - become: yes + mode: "0400" + become: true register: admin_pass_file - name: Copy the ldif template to set the admin password - template: - src: "etc/ldap/slapd.d/modify_password.ldif.j2" - dest: "/etc/ldap/slapd.d/adminpwd_ldif.tmpl" - become: yes + ansible.builtin.template: + src: etc/ldap/slapd.d/modify_password.ldif.j2 + dest: /etc/ldap/slapd.d/adminpwd_ldif.tmpl + mode: "0644" + become: true when: openldap_admin_password is defined and admin_pass_file is changed -- name: Create the ldif file to set the admin password - shell: export ADMIN_PASS=$( cat /etc/ldap/slapd.d/.slapdadmin ); sed -e "s|@ADMINPWD@|$ADMIN_PASS|" /etc/ldap/slapd.d/adminpwd_ldif.tmpl > /etc/ldap/slapd.d/adminpwd.ldif ; chmod 400 /etc/ldap/slapd.d/adminpwd.ldif +- name: Create the ldif file to set the admin password # noqa command-instead-of-shell + ansible.builtin.shell: >- + set -o pipefail ; \ + export ADMIN_PASS=$( cat /etc/ldap/slapd.d/.slapdadmin ); \ + sed -e "s|@ADMINPWD@|$ADMIN_PASS|" /etc/ldap/slapd.d/adminpwd_ldif.tmpl \ + > /etc/ldap/slapd.d/adminpwd.ldif ; \ + chmod 400 /etc/ldap/slapd.d/adminpwd.ldif when: openldap_admin_password is defined and admin_pass_file is changed - become: yes + changed_when: false # TODO define changed conditions + become: true -- name: Finally set the admin password - shell: ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/slapd.d/adminpwd.ldif +- name: Finally set the admin password # noqa command-instead-of-shell + ansible.builtin.shell: >- + ldapmodify \ + -Q \ + -Y EXTERNAL \ + -H ldapi:/// \ + -f /etc/ldap/slapd.d/adminpwd.ldif when: openldap_admin_password is defined and admin_pass_file is changed - become: yes + become: true + changed_when: false # TODO define change conditions - name: Run replicate tasks - when: "groups['openldap'] | length > 1" + when: (groups['openldap'] | length) > 1 block: - name: Copy config_olc_server_id file - template: - src: "etc/ldap/slapd.d/config_olc_server_id.ldif.j2" - dest: 
"/etc/ldap/slapd.d/config_olc_server_id.ldif" + ansible.builtin.template: + src: etc/ldap/slapd.d/config_olc_server_id.ldif.j2 + dest: /etc/ldap/slapd.d/config_olc_server_id.ldif owner: root group: root - mode: 0640 - become: yes + mode: "0640" + become: true register: config_olc_server_id_file - name: Copy mod_syncprov file - template: + ansible.builtin.template: src: "etc/ldap/slapd.d/mod_syncprov.ldif.j2" dest: "/etc/ldap/slapd.d/mod_syncprov.ldif" owner: root group: root - mode: 0640 - become: yes + mode: "0640" + become: true register: mod_syncprov_file - name: Copy replicate_configuration file - template: + ansible.builtin.template: src: "etc/ldap/slapd.d/replicate_configuration.ldif.j2" dest: "/etc/ldap/slapd.d/replicate_configuration.ldif" owner: root group: root - mode: 0640 - become: yes + mode: "0640" + become: true register: replicate_configuration_file - name: Copy replicate_database file - template: + ansible.builtin.template: src: "etc/ldap/slapd.d/replicate_database.ldif.j2" dest: "/etc/ldap/slapd.d/replicate_database.ldif" owner: root group: root - mode: 0640 - become: yes + mode: "0640" + become: true register: replicate_database_file run_once: true - name: Copy trigger_replicate file - template: - src: "etc/ldap/slapd.d/trigger_replicate.ldif.j2" - dest: "/etc/ldap/slapd.d/trigger_replicate.ldif" + ansible.builtin.template: + src: etc/ldap/slapd.d/trigger_replicate.ldif.j2 + dest: /etc/ldap/slapd.d/trigger_replicate.ldif owner: root group: root - mode: 0640 - become: yes + mode: "0640" + become: true run_once: true - - name: Add olcServerId to openLDAP - shell: 'ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/slapd.d/config_olc_server_id.ldif' - ignore_errors: yes #set to get around erroring out that items already exist - become: yes - when: config_olc_server_id_file is changed + - name: Add olcServerId to openLDAP # noqa command-instead-of-shell + ansible.builtin.shell: >- + ldapadd -Y EXTERNAL \ + -H ldapi:/// \ + -f 
/etc/ldap/slapd.d/config_olc_server_id.ldif + ignore_errors: true # noqa ignore-errors + changed_when: false + become: true + when: config_olc_server_id_file is changed # noqa no-handler - - name: Add syncprov module to openLDAP - shell: 'ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/slapd.d/mod_syncprov.ldif' - ignore_errors: yes #set to get around erroring out that items already exist - become: yes - when: mod_syncprov_file is changed + - name: Add syncprov module to openLDAP # noqa command-instead-of-shell + ansible.builtin.shell: >- + ldapadd -Y EXTERNAL \ + -H ldapi:/// \ + -f /etc/ldap/slapd.d/mod_syncprov.ldif + ignore_errors: true # noqa ignore-errors + become: true + changed_when: false + when: mod_syncprov_file is changed # noqa no-handler - - name: Add replicate configuration to openLDAP - shell: 'ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/slapd.d/replicate_configuration.ldif' - ignore_errors: yes #set to get around erroring out that items already exist - become: yes - when: replicate_configuration_file is changed + - name: Add replicate configuration to openLDAP # noqa command-instead-of-shell + ansible.builtin.shell: >- + ldapadd -Y EXTERNAL \ + -H ldapi:/// \ + -f /etc/ldap/slapd.d/replicate_configuration.ldif + ignore_errors: true # noqa ignore-errors + become: true + changed_when: false + when: replicate_configuration_file is changed # noqa no-handler - - name: Add replicate database to openLDAP - shell: 'ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/slapd.d/replicate_database.ldif' - ignore_errors: yes #set to get around erroring out that items already exist - become: yes - when: replicate_database_file is changed + - name: Add replicate database to openLDAP # noqa command-instead-of-shell + ansible.builtin.shell: >- + ldapadd -Y EXTERNAL \ + -H ldapi:/// \ + -f /etc/ldap/slapd.d/replicate_database.ldif + ignore_errors: true # noqa ignore-errors set to get around erroring out that items already exist + become: true + changed_when: false # TODO - 
define change criteria + when: replicate_database_file is changed # noqa no-handler run_once: true - + - name: Restart slapd - systemd: + ansible.builtin.systemd: name: slapd - enabled: yes - daemon_reload: yes + enabled: true + daemon_reload: true state: restarted - become: yes + become: true - name: Trigger replicate to openLDAP - shell: 'ldapadd -c -x -H ldapi:/// -D {{ openldap_bind_id }} -w "{{ openldap_admin_password }}" -f /etc/ldap/slapd.d/trigger_replicate.ldif' - become: yes + ansible.builtin.shell: >- # noqa command-isntead-of-shell + ldapadd -c -x \ + -H ldapi:/// \ + -D {{ openldap_bind_id }} \ + -w "{{ openldap_admin_password }}" \ + -f /etc/ldap/slapd.d/trigger_replicate.ldif' + become: true run_once: true - name: Copy additional schemas file - template: + ansible.builtin.template: src: "etc/ldap/slapd.d/modify_schemas.ldif.j2" dest: "/etc/ldap/slapd.d/modify_schemas.ldif" owner: root group: root - mode: 0640 - become: yes + mode: "0640" + become: true register: additional_schemas_file run_once: true - name: Copy ACL config file - template: + ansible.builtin.template: src: "etc/ldap/slapd.d/access_control_list.ldif.j2" dest: "/etc/ldap/slapd.d/access_control_list.ldif" owner: root group: root - mode: 0640 - become: yes + mode: "0640" + become: true register: acl_file run_once: true - name: Copy Attribute Options config file - template: + ansible.builtin.template: src: "etc/ldap/slapd.d/olc_attribute_options.ldif.j2" dest: "/etc/ldap/slapd.d/olc_attribute_options.ldif" owner: root group: root - mode: 0640 - become: yes + mode: "0640" + become: true register: olc_attribute_options_file run_once: true + notify: Enable Attribute Options to openLDAP -- name: Add schemas to openLDAP - shell: 'ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/slapd.d/modify_schemas.ldif' - ignore_errors: yes #set to get around erroring out that items already exist - when: > - openldap_schema is defined and - openldap_schema and - additional_schemas_file is changed - become: yes 
+- name: Add schemas to openLDAP # noqa command-instead-of-shell + ansible.builtin.shell: >- + ldapadd -Y EXTERNAL \ + -H ldapi:/// \ + -f /etc/ldap/slapd.d/modify_schemas.ldif + ignore_errors: true # noqa ignore-errors + changed_when: false + when: + - openldap_schema is defined + - openldap_schema and + - additional_schemas_file is changed + become: true run_once: true -- name: Add ACL to openLDAP - shell: 'ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/slapd.d/access_control_list.ldif' - ignore_errors: yes #set to get around erroring out that items already exist +- name: Add ACL to openLDAP # noqa command-instead-of-shell + ansible.builtin.shell: >- + ldapmodify -Y EXTERNAL \ + -H ldapi:/// \ + -f /etc/ldap/slapd.d/access_control_list.ldif + ignore_errors: true # noqa ignore-errors set to get around erroring out that items already exist when: > openldap_acl is defined and openldap_acl and acl_file is changed - become: yes + become: true run_once: true + changed_when: false -- name: Enable Attribute Options to openLDAP - shell: 'ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/slapd.d/olc_attribute_options.ldif' - ignore_errors: yes #set to get around erroring out that items already exist - when: olc_attribute_options_file is changed - become: yes - run_once: true - - +# TODO Should do a stat - set to get around erroring out that items already exist +# Moved to handler +# - name: Enable Attribute Options to openLDAP +# ansible.builtin.shell: 'ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/slapd.d/olc_attribute_options.ldif' +# ignore_errors: true # noqa ignore-errors +# changed_when: false +# when: olc_attribute_options_file is changed +# become: true +# run_once: true diff --git a/roles/openldap/tasks/install-Debian.yml b/roles/openldap/tasks/install-Debian.yml index 42826b2c..0a65445f 100644 --- a/roles/openldap/tasks/install-Debian.yml +++ b/roles/openldap/tasks/install-Debian.yml 
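Review bot: Every `ldapadd`/`ldapmodify` rewritten here as a `>-` folded scalar keeps its trailing backslashes, but folding already joins the lines with spaces, so the shell sees `ldapadd -Y EXTERNAL \ -H ldapi:/// \ -f …` in which each `\ ` is an escaped space delivered as a stray single-space argument; the tools most likely reject that, and because these tasks carry `ignore_errors: true` and `changed_when: false`, the certificate, replication and ACL changes would report success while never being applied. The same applies to `Create the ldif file to set the admin password`, where `; \ export …` and `\ sed …` become commands named " " and the redirection most likely leaves an empty `adminpwd.ldif` without any failed task. Two smaller breakages in the same hunk: the `when:` list on `Add schemas to openLDAP` contains the item `openldap_schema and`, which is not a valid expression, and `Trigger replicate to openLDAP` ends with a stray `'` after `trigger_replicate.ldif` while passing `-w "{{ openldap_admin_password }}"` on the command line with no `no_log: true`. Drop the backslashes everywhere, replace `ignore_errors` with a `failed_when` on the result code, and fix the `when` list as shown below.
```yaml
- name: Add schemas to openLDAP
  ansible.builtin.command: >-
    ldapadd -Y EXTERNAL -H ldapi:///
    -f /etc/ldap/slapd.d/modify_schemas.ldif
  register: schema_result
  # exit status is the LDAP result code; 20/68 mean "already present" — confirm on the target
  failed_when: schema_result.rc not in [0, 20, 68]
  changed_when: schema_result.rc == 0
  when:
    - openldap_schema is defined
    - openldap_schema
    - additional_schemas_file is changed
  become: true
  run_once: true
# … unchanged: the other ldapadd/ldapmodify tasks take the same shape, without trailing backslashes …
```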
@@ -1,14 +1,14 @@ --- - name: "Gather the package facts" - package_facts: + ansible.builtin.package_facts: manager: "auto" - name: "Run Initialise tasks" - when: ('slapd' not in ansible_facts.packages or 'ldap-utils' not in ansible_facts.packages) or openldap_init == true + when: ('slapd' not in ansible_facts.packages or 'ldap-utils' not in ansible_facts.packages) or openldap_init block: # run these tasks only when initialise variable is true or slapd/ldap-utils are not installed - name: Define slapd installation settings - debconf: + ansible.builtin.debconf: name: "slapd" question: "{{ item.question }}" value: "{{ item.value }}" 
@@ -27,52 +27,57 @@ value: 'true' vtype: 'boolean' - question: "slapd/domain" - value: "{{ pri_domain_name }}" + value: "{{ openbldap_pri_domain_name }}" vtype: 'string' - question: "shared/organization" value: "{{ openldap_org }}" vtype: 'string' - become: yes + become: true - name: Install required packages - apt: + ansible.builtin.apt: name: "{{ openldap_debian_packages }}" state: present - install_recommends: no - update_cache: yes + install_recommends: false + update_cache: true cache_valid_time: 86400 - become: yes + become: true - name: Find /var/backups ending with .ldapdb or matching with slapd-*+* - find: + ansible.builtin.find: paths: /var/backups patterns: "*.ldapdb,slapd-*+*" file_type: directory - become: yes + become: true register: backup_files - name: Ensure /var/backups/openldap dir exists - file: + ansible.builtin.file: path: /var/backups/openldap state: directory owner: openldap group: openldap - become: yes + mode: "0755" + become: true - name: Move Backup Files to another folder - command: mv {{ item.path }} /var/backups/openldap/{{ item.path | replace("/var/backups/","") }}.{{ ansible_date_time.epoch }} + ansible.builtin.command: >- + mv {{ item.path }} \ + /var/backups/openldap/{{ item.path | replace("/var/backups/", "") }}.{{ ansible_date_time.epoch }} with_items: "{{ backup_files.files }}" - ignore_errors: true - become: yes + ignore_errors: true # noqa ignore-errors + changed_when: false + become: true - - name: Reconfigure slapd - command: dpkg-reconfigure -f noninteractive slapd - become: yes + - name: Reconfigure slapd # TODO - should be a handler + ansible.builtin.command: dpkg-reconfigure -f noninteractive slapd + changed_when: false + become: true - - name: Restart slapd - systemd: + - name: Restart slapd # TODO - should be a handler + ansible.builtin.systemd: name: slapd - enabled: yes - daemon_reload: yes + enabled: true + daemon_reload: true state: restarted - become: yes + become: true 
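Review bot: The debconf value `{{ openbldap_pri_domain_name }}` looks like a typo of `openldap_pri_domain_name` (every other variable in this role is prefixed `openldap_`); if no such variable exists, the `slapd/domain` answer is seeded from an undefined value and the initialise block either fails or produces a bogus base DN, so please confirm the intended name. Further down, `changed_when: false` on `dpkg-reconfigure -f noninteractive slapd` and on the `mv` of old `.ldapdb`/`slapd-*` backup directories hides state changes that really happen, and the `ignore_errors: true` on the move means a failed relocation of a previous LDAP database backup is silently dropped. I would write `value: "{{ openldap_pri_domain_name }}"`, remove `changed_when: false` from the reconfigure task (it always reconfigures when this block runs), and replace `ignore_errors: true` with a `register` plus `failed_when` that tolerates only the expected condition. The enclosing block starts outside the hunk.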
diff --git a/roles/openldap/tasks/main.yml b/roles/openldap/tasks/main.yml index 2a6b776f..681b653d 100644 --- a/roles/openldap/tasks/main.yml +++ b/roles/openldap/tasks/main.yml @@ -1,24 +1,27 @@ --- # tasks file for ansible-openldap - name: Include OS-specific variables - include_vars: "{{ item }}" + ansible.builtin.include_vars: "{{ item }}" with_first_found: - - "{{ ansible_distribution }}-{{ ansible_distribution_release}}.yml" - - "{{ ansible_distribution }}-{{ ansible_distribution_major_version}}.yml" + - "{{ ansible_distribution }}-{{ ansible_distribution_release }}.yml" + - "{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml" - "{{ ansible_distribution }}.yml" - "{{ ansible_os_family }}.yml" -- include: install-Debian.yml - when: ansible_os_family == "Debian" +- name: Install Debian + ansible.builtin.include_tasks: install-Debian.yml + when: ansible_os_family == 'Debian' tags: - install - openldap:install -- include: configure.yml +- name: Configure + ansible.builtin.include_tasks: configure.yml tags: - config - openldap:config -- include: populate.yml +- name: Populate + ansible.builtin.include_tasks: populate.yml tags: - openldap:populate diff --git a/roles/openldap/tasks/populate.yml b/roles/openldap/tasks/populate.yml index dc045db5..0bbd2013 100644 --- a/roles/openldap/tasks/populate.yml +++ b/roles/openldap/tasks/populate.yml 
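Review bot: Replacing `include` with `ansible.builtin.include_tasks` changes what the `tags` on these entries do: tags on a dynamic include apply only to the include statement itself, not to the tasks inside the included file, so `--tags install` or `--tags openldap:config` will no longer run the tasks in install-Debian.yml or configure.yml. The static `ansible.builtin.import_tasks` propagates tags to the imported tasks the way the old `include` did, and applies the `when: ansible_os_family == 'Debian'` to each imported task. If dynamic inclusion is wanted, keep `include_tasks` and add `apply:` / `  tags: [install, openldap:install]` to the first entry (and likewise for the config and populate entries).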
@@ -1,21 +1,28 @@ - name: Copy database population config file - template: + ansible.builtin.template: src: "etc/ldap/slapd.d/populate_content.ldif.j2" dest: "/etc/ldap/slapd.d/populate_content.ldif" owner: root group: root - mode: 0640 - become: yes + mode: "0640" + become: true register: populate_content_file run_once: true # This operation may return "FAILED" if an entry already exists but it will continue to add non existing entries -- name: Populate openLDAP with groups and users - shell: "ldapadd -c -x -H ldapi:/// -D {{ openldap_bind_id }} -w '{{ openldap_admin_password }}' -f /etc/ldap/slapd.d/populate_content.ldif" - ignore_errors: yes #set to get around erroring out that items already exist +- name: Populate openLDAP with groups and users # noqa ignore-errors + # Use a different module + ansible.builtin.shell: >- # noqa command-instead-of-shell + ldapadd -c -x \ + -H ldapi:/// \ + -D {{ openldap_bind_id }} \ + -w '{{ openldap_admin_password }}' \ + -f /etc/ldap/slapd.d/populate_content.ldif" + ignore_errors: true # set to get around erroring out that items already exist <- this should be tested + changed_when: false when: > openldap_populate is defined and openldap_populate and populate_content_file is changed - become: yes - run_once: true \ No newline at end of file + become: true + run_once: true diff --git a/roles/openldap/vars/Debian.yml b/roles/openldap/vars/Debian.yml index ab92fb14..a23246c9 100644 --- a/roles/openldap/vars/Debian.yml +++ b/roles/openldap/vars/Debian.yml @@ -1,3 +1,3 @@ openldap_debian_packages: - slapd - - ldap-utils \ No newline at end of file + - ldap-utils diff --git a/roles/php/defaults/main.yml b/roles/php/defaults/main.yml index 6aad55ad..adccc432 100644 --- a/roles/php/defaults/main.yml +++ b/roles/php/defaults/main.yml 
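Review bot: The folded `ldapadd` command in `Populate openLDAP with groups and users` ends with a stray `"` after `populate_content.ldif` (the closing quote of the old single-line string was carried over), so the shell either sees an unterminated quote or a file name that does not exist; because the task also has `ignore_errors: true` and `changed_when: false`, the population would then fail silently on every run. Drop the trailing quote: `-f /etc/ldap/slapd.d/populate_content.ldif`. Separately, `-w '{{ openldap_admin_password }}'` puts the directory admin password on the command line, where it is visible in the process list and in Ansible's task output; add `no_log: true` and consider passing the password with `-y` from a root-only file, or binding over `ldapi:///` with `-Y EXTERNAL` as the schema/ACL tasks already do. The `# noqa ignore-errors` on the task name line is also not where that rule fires (it belongs on the `ignore_errors:` line), which is one more reason to replace the blanket ignore with a `failed_when` that tolerates only an "Already exists" result.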
@@ -1,18 +1,17 @@ --- # Whether to install PHP packages from alternative repository -php_alt_repo: no +php_alt_repo: false # Override default list of PHP packages to install. # See php_default_packages in php/vars/ -#php_packages: +# php_packages: # List of PHP extensions to install php_extensions: [] - # Override default PHP configuration scan directory. # See php_default_conf_scan_dir in php/vars/ -#php_conf_scan_dir: +# php_conf_scan_dir: # List of PHP configuration files to load php_conf_files: [] diff --git a/roles/php/handlers/main.yml b/roles/php/handlers/main.yml index 8578faad..fda70f62 100644 --- a/roles/php/handlers/main.yml +++ b/roles/php/handlers/main.yml @@ -1,7 +1,6 @@ --- - -- name: restart webserver - service: +- name: Restart webserver + ansible.builtin.service: name: "{{ php_webserver }}" state: restarted - become: yes + become: true diff --git a/roles/php/tasks/configure.yml b/roles/php/tasks/configure.yml index 064a723c..f28fd4ae 100644 --- a/roles/php/tasks/configure.yml +++ b/roles/php/tasks/configure.yml @@ -1,13 +1,12 @@ --- - - name: Ensure PHP configuration files exist - copy: + ansible.builtin.copy: src: "{{ item }}" dest: "{{ php_conf_scan_dir }}/" - owner: "root" - group: "root" - mode: 0644 - with_items: "{{ php_conf_files }}" - become: yes + owner: root + group: root + mode: "0644" + with_items: "{{ php_conf_files }}" + become: true notify: - restart webserver diff --git a/roles/php/tasks/install-Debian.yml b/roles/php/tasks/install-Debian.yml index 48571947..bd7875b6 100644 --- a/roles/php/tasks/install-Debian.yml +++ b/roles/php/tasks/install-Debian.yml 
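Review bot: The handler in roles/php/handlers/main.yml is renamed to `Restart webserver` in this commit, but `Ensure PHP configuration files exist` still notifies `restart webserver`; handler names are matched as exact strings, so a changed PHP config file will no longer restart the web server (the install tasks in this role carry the same stale `notify`). Either update every caller to `notify:` / `  - Restart webserver`, or add `listen: restart webserver` to the renamed handler so both spellings resolve.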
@@ -1,46 +1,45 @@ --- - - name: Install apt packages required for alternative PHP repo (Debian) - apt: + ansible.builtin.apt: name: "{{ php_apt_packages }}" state: present - update_cache: yes + update_cache: true when: php_alt_repo and php_apt_packages is defined and php_apt_packages|length - become: yes + become: true - name: Install apt key for PHP repo (Debian) - apt_key: - url: '{{ php_apt_key }}' + ansible.builtin.apt_key: + url: "{{ php_apt_key }}" state: present when: php_alt_repo and php_apt_key is defined - become: yes + become: true - name: Add alternative PHP repo (Debian) - apt_repository: + ansible.builtin.apt_repository: repo: "{{ item }}" state: present - update_cache: yes - filename: "php" + update_cache: true + filename: php loop: "{{ php_apt_repositories }}" when: php_alt_repo and php_apt_repositories is defined and php_apt_repositories|length - become: yes + become: true - name: Ensure PHP packages are installed (Debian) - apt: + ansible.builtin.apt: name: "{{ php_packages }}" state: present - update_cache: yes - install_recommends: no - become: yes + update_cache: true + install_recommends: false + become: true notify: - restart webserver - name: Ensure PHP extensions are installed (Debian) - apt: + ansible.builtin.apt: pkg: "{{ php_extensions }}" state: present - update_cache: yes - install_recommends: no - become: yes + update_cache: true + install_recommends: false + become: true notify: - restart webserver diff --git a/roles/php/tasks/install-RedHat.yml b/roles/php/tasks/install-RedHat.yml index 8cad451b..222e0817 100644 --- a/roles/php/tasks/install-RedHat.yml +++ b/roles/php/tasks/install-RedHat.yml @@ -1,7 +1,6 @@ --- - - name: Ensure Repositories are installed (RedHat) - yum: + ansible.builtin.yum: name: "{{ item }}" state: present loop: "{{ php_yum_repositories }}" @@ -9,7 +8,7 @@ become: true - name: Import remi GPG key. - rpm_key: + ansible.builtin.rpm_key: key: "{{ item }}" state: present loop: "{{ php_yum_keys }}" 
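Review bot: `ansible.builtin.apt_key` with `url:` still adds the Sury signing key to the legacy global apt keyring, where it is trusted for every configured repository rather than only packages.sury.org; the underlying `apt-key` has been deprecated since Debian 11 / Ubuntu 22.04 and is slated for removal, so this task is also on borrowed time. Prefer fetching the key with `ansible.builtin.get_url` to `/etc/apt/keyrings/sury-php.gpg` (mode 0644, directory 0755) and scoping it with `signed-by=` in the repository line, e.g. `deb [signed-by=/etc/apt/keyrings/sury-php.gpg] https://packages.sury.org/php/ bookworm main` in the per-release vars. That keeps the trust boundary explicit and drops the dependency on a deprecated module.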
@@ -17,11 +16,11 @@ become: true - name: Ensure PHP packages are installed (RedHat) - yum: - enablerepo: "remi,remi-safe,remi-php{{ php_version }}" + ansible.builtin.yum: + enablerepo: remi,remi-safe,remi-php{{ php_version }} name: "{{ item }}" state: present - update_cache: yes + update_cache: true become: true loop: "{{ php_packages }}" when: php_alt_repo and php_yum_repositories is defined and php_yum_repositories|length @@ -29,10 +28,10 @@ - restart webserver - name: Ensure PHP packages are installed (default repo) (RedHat) - yum: + ansible.builtin.yum: name: "{{ item }}" state: present - update_cache: yes + update_cache: true become: true loop: "{{ php_packages }}" when: not php_alt_repo and php_yum_repositories is not defined @@ -40,11 +39,11 @@ - restart webserver - name: Ensure PHP extensions are installed (RedHat) - yum: - enablerepo: "remi,remi-safe,remi-php{{ php_version }}" + ansible.builtin.yum: + enablerepo: remi,remi-safe,remi-php{{ php_version }} name: "{{ php_extensions }}" state: present - update_cache: yes + update_cache: true become: true loop: "{{ php_extensions | default([]) }}" when: php_alt_repo and php_yum_repositories is defined and php_yum_repositories|length @@ -52,10 +51,10 @@ - restart webserver - name: Ensure PHP extensions are installed (default repo) (RedHat) - yum: + ansible.builtin.yum: name: "{{ php_extensions }}" state: present - update_cache: yes + update_cache: true become: true loop: "{{ php_extensions | default([]) }}" when: not php_alt_repo and php_yum_repositories is not defined diff --git a/roles/php/tasks/main.yml b/roles/php/tasks/main.yml index 13b2337f..7ece0459 100644 --- a/roles/php/tasks/main.yml +++ b/roles/php/tasks/main.yml 
@@ -1,28 +1,32 @@ --- - - name: Include OS-specific variables - include_vars: "{{ item }}" + ansible.builtin.include_vars: "{{ item }}" with_first_found: - - "{{ ansible_distribution }}-{{ ansible_distribution_release}}.yml" - - "{{ ansible_distribution }}-{{ ansible_distribution_major_version}}.yml" + - "{{ ansible_distribution }}-{{ ansible_distribution_release }}.yml" + - "{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml" - "{{ ansible_distribution }}.yml" - "{{ ansible_os_family }}.yml" - name: Define PHP packages - set_fact: + ansible.builtin.set_fact: php_packages: "{{ php_default_packages | list }}" when: php_packages is not defined - name: Define PHP configuration scan dir - set_fact: + ansible.builtin.set_fact: php_conf_scan_dir: "{{ php_default_conf_scan_dir }}" when: php_conf_scan_dir is not defined # Include OS-specific installation tasks -- include: install-Debian.yml +- name: Include Debian Install Tasks + ansible.builtin.include_tasks: install-Debian.yml when: ansible_os_family == 'Debian' -- include: install-RedHat.yml +- name: Include RedHat Install Tasks + ansible.builtin.include_tasks: install-RedHat.yml when: ansible_os_family == 'RedHat' +# Could be refactored + # Include OS-independent configuration tasks -- include: configure.yml +- name: Include Configure Tasks + ansible.builtin.include_tasks: configure.yml diff --git a/roles/php/vars/Debian-bookworm.yml b/roles/php/vars/Debian-bookworm.yml index 0d0a2e19..84971add 100644 --- a/roles/php/vars/Debian-bookworm.yml +++ b/roles/php/vars/Debian-bookworm.yml 
@@ -1,17 +1,17 @@ --- -php_webserver: "apache2" +php_webserver: apache2 php_default_packages: - - "libapache2-mod-php8.2" + - libapache2-mod-php8.2 -php_default_conf_scan_dir: "/etc/php/8.2/apache2/conf.d" +php_default_conf_scan_dir: /etc/php/8.2/apache2/conf.d # Only when php_alt_repo is set to true php_apt_repositories: - - "deb https://packages.sury.org/php/ bookworm main" + - deb https://packages.sury.org/php/ bookworm main -php_apt_key: "https://packages.sury.org/php/apt.gpg" +php_apt_key: https://packages.sury.org/php/apt.gpg php_apt_packages: - apt-transport-https diff --git a/roles/php/vars/Debian-bullseye.yml b/roles/php/vars/Debian-bullseye.yml index 886dc438..28206672 100644 --- a/roles/php/vars/Debian-bullseye.yml +++ b/roles/php/vars/Debian-bullseye.yml @@ -1,17 +1,17 @@ --- -php_webserver: "apache2" +php_webserver: apache2 php_default_packages: - - "libapache2-mod-php7.4" + - libapache2-mod-php7.4 -php_default_conf_scan_dir: "/etc/php/7.4/apache2/conf.d" +php_default_conf_scan_dir: /etc/php/7.4/apache2/conf.d # Only when php_alt_repo is set to true php_apt_repositories: - - "deb https://packages.sury.org/php/ bullseye main" + - deb https://packages.sury.org/php/ bullseye main -php_apt_key: "https://packages.sury.org/php/apt.gpg" +php_apt_key: https://packages.sury.org/php/apt.gpg php_apt_packages: - apt-transport-https diff --git a/roles/php/vars/Debian-buster.yml b/roles/php/vars/Debian-buster.yml index f6596041..b1cdeb9f 100644 --- a/roles/php/vars/Debian-buster.yml +++ b/roles/php/vars/Debian-buster.yml 
@@ -1,17 +1,17 @@ --- -php_webserver: "apache2" +php_webserver: apache2 php_default_packages: - - "libapache2-mod-php7.3" + - libapache2-mod-php7.3 -php_default_conf_scan_dir: "/etc/php/7.3/apache2/conf.d" +php_default_conf_scan_dir: /etc/php/7.3/apache2/conf.d # Only when php_alt_repo is set to true php_apt_repositories: - - "deb https://packages.sury.org/php/ buster main" + - deb https://packages.sury.org/php/ buster main -php_apt_key: "https://packages.sury.org/php/apt.gpg" +php_apt_key: https://packages.sury.org/php/apt.gpg php_apt_packages: - apt-transport-https diff --git a/roles/php/vars/Debian-jessie.yml b/roles/php/vars/Debian-jessie.yml index b0d0c287..bc23037e 100644 --- a/roles/php/vars/Debian-jessie.yml +++ b/roles/php/vars/Debian-jessie.yml @@ -1,8 +1,8 @@ --- -php_webserver: "apache2" +php_webserver: apache2 php_default_packages: - - "libapache2-mod-php5" + - libapache2-mod-php5 -php_default_conf_scan_dir: "/etc/php5/apache2/conf.d" +php_default_conf_scan_dir: /etc/php5/apache2/conf.d diff --git a/roles/php/vars/Debian-stretch.yml b/roles/php/vars/Debian-stretch.yml index 4bc9ea7f..0c8b6b0e 100644 --- a/roles/php/vars/Debian-stretch.yml +++ b/roles/php/vars/Debian-stretch.yml @@ -1,17 +1,17 @@ --- -php_webserver: "apache2" +php_webserver: apache2 php_default_packages: - - "libapache2-mod-php7.0" + - libapache2-mod-php7.0 -php_default_conf_scan_dir: "/etc/php/7.0/apache2/conf.d" +php_default_conf_scan_dir: /etc/php/7.0/apache2/conf.d # Only when php_alt_repo is set to true php_apt_repositories: - - "deb https://packages.sury.org/php/ stretch main" + - deb https://packages.sury.org/php/ stretch main -php_apt_key: "https://packages.sury.org/php/apt.gpg" +php_apt_key: https://packages.sury.org/php/apt.gpg php_apt_packages: - apt-transport-https diff --git a/roles/php/vars/RedHat.yml b/roles/php/vars/RedHat.yml index e31ecad1..5b6e0714 100644 --- a/roles/php/vars/RedHat.yml +++ b/roles/php/vars/RedHat.yml 
@@ -1,8 +1,8 @@ --- -php_webserver: "httpd" +php_webserver: httpd php_default_packages: - - "php" + - php -php_default_conf_scan_dir: "/etc/php.d" +php_default_conf_scan_dir: /etc/php.d diff --git a/roles/php/vars/Ubuntu-focal.yml b/roles/php/vars/Ubuntu-focal.yml index d2c0b69b..f6a22829 100644 --- a/roles/php/vars/Ubuntu-focal.yml +++ b/roles/php/vars/Ubuntu-focal.yml @@ -1,15 +1,15 @@ --- -php_webserver: "apache2" +php_webserver: apache2 php_default_packages: - - "libapache2-mod-php7.4" + - libapache2-mod-php7.4 -php_default_conf_scan_dir: "/etc/php/7.4/apache2/conf.d" +php_default_conf_scan_dir: /etc/php/7.4/apache2/conf.d # Only when php_alt_repo is set to true php_apt_repositories: - - "ppa:ondrej/php" + - ppa:ondrej/php php_apt_packages: - - "software-properties-common" + - software-properties-common diff --git a/roles/postgresql/defaults/main.yml b/roles/postgresql/defaults/main.yml index c94b71bc..126eaf98 100644 --- a/roles/postgresql/defaults/main.yml +++ b/roles/postgresql/defaults/main.yml 
@@ -4,47 +4,47 @@ # Override default PostgreSQL version # See postgresql_default_version defined in postgresql/vars/ -#postgresql_version: "11" +# postgresql_version: "11" # Override default PostgreSQL configuration path # See postgresql_default_conf_path in postgresql/vars/ -#postgresql_conf_path: "/etc/postgresql/{{ postgresql_version }}" +# postgresql_conf_path: "/etc/postgresql/{{ postgresql_version }}" # Override default PostgreSQL data path # See postgresql_default_data_path in postgresql/vars/ -#postgresql_data_path: "/var/lib/postgresql/{{ postgresql_version }}" +# postgresql_data_path: "/var/lib/postgresql/{{ postgresql_version }}" # Override default PostgreSQL service name # See postgresql_default_service in postgresql/vars/ -#postgresql_service: "postgresql" +# postgresql_service: "postgresql" # Override default PostgreSQL user # See postgresql_default_user in postgresql/vars/ -#postgresql_user: "postgresql" +# postgresql_user: "postgresql" # Override default PostgreSQL group # See postgresql_default_group in postgresql/vars/ -#postgresql_group: "postgresql" +# postgresql_group: "postgresql" postgresql_clients: # Connection type: # - "local": Unix-domain socket # - "host": plain or SSL-encrypted TCP/IP socket - # - "hostssl": SSL-encrypted TCP/IP socket - # - "hostnossl": plain TCP/IP socket + # - "hostssl": SSL-encrypted TCP/IP socket + # - "hostnossl": plain TCP/IP socket - connection_type: "local" # Database: "all", "sameuser", "samerole", "replication", a database name, - # or a comma-separated list thereof. The "all" keyword does not match + # or a comma-separated list thereof. The "all" keyword does not match # "replication". Access to replication must be enabled in a separate record database: "all" # User: "all", a user name, a group name prefixed with "+", or a # comma-separated list thereof. 
In both the database and user fields you - # can also write a file name prefixed with "@" to include names from a + # can also write a file name prefixed with "@" to include names from a # separate file. user: "postgres" # Address (for non-"local" connection_type only): the set of hosts the # client matches. It can be a host name, or it is made up of an IP address - # and a CIDR mask that is an integer (between 0 and 32 (IPv4) or 128 + # and a CIDR mask that is an integer (between 0 and 32 (IPv4) or 128 # (IPv6) inclusive) that specifies the number of significant bits in the # mask. A host name that starts with a dot (.) matches a suffix of the # actual host name. Alternatively, you can write an IP address and netmask @@ -52,10 +52,10 @@ postgresql_clients: # CIDR-address, you can write "samehost" to match any of the server's own # IP addresses, or "samenet" to match any address in any subnet that the # server is directly connected to. - #address: - # Method: "trust", "reject", "md5", "password", "gss", "sspi", "ident", + # address: + # Method: "trust", "reject", "md5", "password", "gss", "sspi", "ident", # "peer", "pam", "ldap", "radius" or "cert". Note that # "password" sends - # passwords in clear text; "md5" is preferred since it sends encrypted + # passwords in clear text; "md5" is preferred since it sends encrypted # passwords. method: "peer" - connection_type: "local" 
@@ -73,22 +73,22 @@ postgresql_clients: address: "::1/128" method: "md5" -#postgresql_replication_user: "repuser" -#postgresql_replication_password: "repuser" +# postgresql_replication_user: "repuser" +# postgresql_replication_password: "repuser" postgresql_users: [] # Username - #- name: "theuser" + # - name: "theuser" # (Optional) Whether the password is stored hashed in the database - #encrypted: yes + # encrypted: yes # (Optional) User password - #password: "thepassword" + # password: "thepassword" # (Optional) Name of database where permissions will be granted - #db: "thedatabase" - # (Optional) Privileges string in the format: + # db: "thedatabase" + # (Optional) Privileges string in the format: # "table:priv1,priv2" - #priv: - # (Optional) Role attributes string in the format: + # priv: + # (Optional) Role attributes string in the format: # "CREATEDB,CREATEROLE,SUPERUSER" # Available options: # - [NO]SUPERUSER 
@@ -98,40 +98,40 @@ postgresql_users: [] # - [NO]INHERIT # - [NO]LOGIN # - [NO]REPLICATION - #role_attr_flags: + # role_attr_flags: postgresql_databases: [] # Name of the database - #- name: "thedatabase" + # - name: "thedatabase" # (Optional) Name of the role to set as owner of the database - #owner: "theuser" + # owner: "theuser" # (Optional) Encoding of the database - #encoding: "UTF8" + # encoding: "UTF8" # (Optional) Collation order (LC_COLLATE) to use in the database. Must # match collation order of template database unless template0 is used as # template. - #lc_collate: "en_US.UTF-8" + # lc_collate: "en_US.UTF-8" # (Optional) Character classification (LC_CTYPE) to use in the database. # Must match LC_CTYPE of template database unless template0 is used as # template. - #lc_ctype: "en_US.UTF-8" + # lc_ctype: "en_US.UTF-8" # (Optional) Template used to create the database - #template: "thetemplate" + # template: "thetemplate" postgresql_privs: [] - # Name of database to connect to - #- database: "thedatabase" + # Name of database to connect to + # - database: "thedatabase" # Comma separated list of role (user/group) names to set permissions for. # The special value PUBLIC can be provided instead to set permissions for # the implicitly defined PUBLIC group. - #roles: "theuser" + # roles: "theuser" # (Optional) Whether role may grant/revoke the specified privileges/group # memberships to others. Set to no to revoke GRANT OPTION, leave # unspecified to make no changes. grant_option only has an effect if state # is present. - #grant_option: yes + # grant_option: yes # (Optional) Comma separated list of privileges to grant/revoke. - #privs: + # privs: # Type of database object to set privileges on: # - table # - sequence 
@@ -141,20 +141,20 @@ postgresql_privs: [] # - language # - tablespace # - group - #type: "table" + # type: "table" # (Optional) Comma separated list of database objects to set privileges on. # If type is table or sequence, the special value ALL_IN_SCHEMA can be # provided instead to specify all database objects of type type in the - # schema specified via schema. + # schema specified via schema. # If type is database, this parameter can be omitted, in which case # privileges are set for the database specified via database. # If type is function, colons (":") in object names will be replaced with # commas - #objs: + # objs: # (Optional) Schema that contains the database objects specified via objs. # May only be provided if type is table, sequence or function. Defaults to - # public in these cases. - #schema: public + # public in these cases. + # schema: public # What IP address(es) to listen on postgresql_listen_addresses: "localhost" @@ -166,9 +166,9 @@ postgresql_max_connections: 100 # Min 128kB postgresql_shared_buffers: "128MB" -# Enables/disables the use of huge memory pages for PostgreSQL. -# Valid values are: -# - try (default) +# Enables/disables the use of huge memory pages for PostgreSQL. +# Valid values are: +# - try (default) # - on # - off # The use of huge pages results in smaller page tables and less CPU time spent @@ -176,7 +176,7 @@ postgresql_shared_buffers: "128MB" postgresql_huge_pages_mode: "try" # Number of huge memory pages to be allocated -#postgresql_huge_pages_number: 0 +# postgresql_huge_pages_number: 0 # Min 64kB postgresql_work_mem: "4MB" 
@@ -204,23 +204,27 @@ postgresql_wal_keep_segments: 0 # Standby server settings (ignored on a master server) -# Master/primary server host +# Master/primary server host postgresql_master_host: "{{ groups['dbmaster'][0] }}" -# Master/primary server port +# Master/primary server port postgresql_master_port: "{{ hostvars[groups['dbmaster'][0]]['postgresql_port'] | default(postgresql_port) }}" - + # "on" allows queries during recovery postgresql_hot_standby_mode: "off" # If set, the PostgreSQL server will try to connect to the master using this # connection string and receive XLOG records continuously. # e.g. 'host={{ postgresql_master_host }} port={{ postgresql_master_port }}' -#postgresql_master_conninfo: "host={{ postgresql_master_host }} port={{ postgresql_master_port }} user={{ postgresql_replication_user }} password={{ postgresql_replication_password }}" +# postgresql_master_conninfo: # This should be done with a join + # "host={{ postgresql_master_host }} + # port={{ postgresql_master_port }} + # user={{ postgresql_replication_user }} + # password={{ postgresql_replication_password }}" # By default, a standby server keeps restoring XLOG records from the primary # indefinitely. If you want to stop the standby mode, finish recovery and open # the system in read/write mode, specify a path to a trigger file. The server # will poll the trigger file path periodically and start as a primary server # when it's found. -#postgresql_trigger_file: "/tmp/postgresql.trigger.5432" +# postgresql_trigger_file: "/tmp/postgresql.trigger.5432" diff --git a/roles/postgresql/handlers/main.yml b/roles/postgresql/handlers/main.yml index 3686ebd8..e30379ad 100644 --- a/roles/postgresql/handlers/main.yml +++ b/roles/postgresql/handlers/main.yml 
@@ -1,13 +1,13 @@ --- - +# postgresql - name: Reload PostgreSQL - service: + ansible.builtin.service: name: "{{ postgresql_service }}" state: "reloaded" - become: yes + become: true - name: Restart PostgreSQL - service: + ansible.builtin.service: name: "{{ postgresql_service }}" - state: "restarted" - become: yes + state: restarted + become: true diff --git a/roles/postgresql/tasks/configure-common.yml b/roles/postgresql/tasks/configure-common.yml index 79a1ed36..4a261c7a 100644 --- a/roles/postgresql/tasks/configure-common.yml +++ b/roles/postgresql/tasks/configure-common.yml @@ -1,25 +1,24 @@ # file: postgresql/tasks/configure-common.yml # --- - - name: Configure PostgreSQL client authentication - template: + ansible.builtin.template: src: "{{ item.src }}" dest: "{{ item.dest }}" owner: "{{ postgresql_user }}" group: "{{ postgresql_group }}" - mode: 0640 - backup: yes + mode: "0640" + backup: true with_items: - { src: "pg_hba.conf.j2", dest: "{{ postgresql_conf_path }}/main/pg_hba.conf" } - become: yes + become: true notify: - Reload PostgreSQL tags: - - postgresql:pg_hba + - postgresql:pg_hba - name: Create PostgreSQL databases - postgresql_db: + community.postgresql.postgresql_db: state: present name: "{{ item.name }}" encoding: "{{ item.encoding | default(omit) }}" 
@@ -27,31 +26,33 @@ lc_ctype: "{{ item.lc_ctype | default(omit) }}" template: "{{ item.template | default(omit) }}" with_items: "{{ postgresql_databases }}" - become: yes + become: true become_user: "{{ postgresql_user }}" - name: Configure PostgreSQL users - postgresql_user: + community.postgresql.postgresql_user: state: present name: "{{ item.name }}" - encrypted: "{{ item.encrypted | default(omit) }}" + encrypted: "{{ item.encrypted | default(omit) }}" password: "{{ item.password | default(omit) }}" - db: "{{ item.db | default(omit) }}" + db: "{{ item.db | default(omit) }}" priv: "{{ item.priv | default(omit) }}" role_attr_flags: "{{ item.role_attr_flags | default(omit) }}" + conn_limit: "{{ item.connection_limit }}" # Should force a default here with_items: "{{ postgresql_users }}" - become: yes + become: true become_user: "{{ postgresql_user }}" -- name: Configure connection limit of PostgreSQL users - command: psql -U {{ postgresql_user }} -c 'ALTER ROLE {{ item.name }} WITH CONNECTION LIMIT {{ item.connection_limit }}' - with_items: "{{ postgresql_users }}" - when: "item.connection_limit is defined" - become: yes - become_user: "{{ postgresql_user }}" +# This task deprecated by conn_limit arg in previous task. +# - name: Configure connection limit of PostgreSQL users +# ansible.builtin.command: psql -U {{ postgresql_user }} -c 'ALTER ROLE {{ item.name }} WITH CONNECTION LIMIT {{ item.connection_limit }}' +# with_items: "{{ postgresql_users }}" +# when: "item.connection_limit is defined" +# become: true +# become_user: "{{ postgresql_user }}" - name: Configure privileges of PostgreSQL users - postgresql_privs: + community.postgresql.postgresql_privs: state: present database: "{{ item.database }}" roles: "{{ item.roles }}" 
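Review bot: `conn_limit: "{{ item.connection_limit }}"` is now passed unconditionally, whereas the psql task it replaces was guarded by `when: item.connection_limit is defined`; any `postgresql_users` entry without a `connection_limit` key will fail the loop under the default undefined-variable handling. Use `conn_limit: "{{ item.connection_limit | default(omit) }}"` like the neighbouring optional parameters. The same task hands `password: "{{ item.password | default(omit) }}"` to the module inside a `with_items` loop without `no_log: true`, so each user's password is printed in the item label of the task output and in any logging callback; add `no_log: true` to the task, since the module's own argument masking does not cover the loop item.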
@@ -61,20 +62,27 @@ privs: "{{ item.privs | default(omit) }}" schema: "{{ item.schema | default(omit) }}" with_items: "{{ postgresql_privs }}" - when: item.target is not defined - become: yes + when: item.target is not defined + become: true become_user: "{{ postgresql_user }}" # See https://github.com/ansible/ansible-modules-core/issues/4493 -- name: Configure default privileges of PostgreSQL users - command: psql -U {{ postgresql_user }} -c 'ALTER DEFAULT PRIVILEGES FOR USER {{ item.target }} IN SCHEMA {{ item.schema | default("public") }} GRANT {{ item.privs }} ON {{ item.type }} TO {{ item.roles }};' - with_items: "{{ postgresql_privs }}" - when: item.target is defined - become: yes - become_user: "{{ postgresql_user }}" +# The above repo is deprecated, this task is probably obsolete +# - name: Configure default privileges of PostgreSQL users +# ansible.builtin.command: |- + # psql -U {{ postgresql_user }} \ + # -c 'ALTER DEFAULT PRIVILEGES FOR USER {{ item.target }} \ + # IN SCHEMA {{ item.schema | default("public") }} \ + # GRANT {{ item.privs }} \ + # ON {{ item.type }} \ + # TO {{ item.roles }};' +# with_items: "{{ postgresql_privs }}" +# when: item.target is defined +# become: true +# become_user: "{{ postgresql_user }}" - name: Configure PostgreSQL databases - postgresql_db: + community.postgresql.postgresql_db: state: present name: "{{ item.name }}" owner: "{{ item.owner | default(omit) }}" 
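Review bot: Commenting out `Configure default privileges of PostgreSQL users` leaves every `postgresql_privs` entry that carries a `target` unapplied: the remaining task is still guarded by `when: item.target is not defined`, so those entries are now silently skipped rather than granted, and nothing warns the operator. As far as I can tell from the module docs, `community.postgresql.postgresql_privs` covers this case natively with `type: default_privs` and `target_roles: "{{ item.target }}"` (with `objs`, `schema`, `privs` and `roles` as before), which also avoids the old string-built psql command. Either add such a task for the `item.target is defined` entries, or remove the `when` guard and document in defaults/main.yml that `target` is no longer supported.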
@@ -83,44 +91,48 @@ lc_ctype: "{{ item.lc_ctype | default(omit) }}" template: "{{ item.template | default(omit) }}" with_items: "{{ postgresql_databases }}" - become: yes + become: true become_user: "{{ postgresql_user }}" - name: Configure number of huge memory pages to be allocated - sysctl: + ansible.posix.sysctl: name: vm.nr_hugepages value: "{{ postgresql_huge_pages_number }}" state: present when: postgresql_huge_pages_number is defined - become: yes + become: true - name: Configure PostgreSQL - template: - src: "{{ item.src }}" - dest: "{{ item.dest }}" - owner: "{{ postgresql_user }}" + ansible.builtin.template: + src: "postgresql-{{ postgresql_version }}.conf.j2" + dest: "{{ postgresql_conf_path }}/main/postgresql.conf" + owner: "{{ postgresql_user }}" group: "{{ postgresql_group }}" - mode: 0644 - backup: yes - with_items: - - { src: "postgresql-{{ postgresql_version }}.conf.j2", dest: "{{ postgresql_conf_path }}/main/postgresql.conf" } - become: yes + mode: "0644" + backup: true + # unnecessary loop - disabled + # with_items: + # - src: "postgresql-{{ postgresql_version }}.conf.j2" + # dest: "{{ postgresql_conf_path }}/main/postgresql.conf" + become: true notify: - Restart PostgreSQL -- name: Check if PostreSQL standby server is in recovery - command: psql -U {{ postgresql_user }} -c 'SELECT pg_is_in_recovery();' +# This should be done with an assertion on an output +- name: Check if PostreSQL standby server is in recovery + ansible.builtin.command: psql -U {{ postgresql_user }} -c 'SELECT pg_is_in_recovery();' when: "'dbstandby' in group_names" register: postgresql_is_in_recovery_status - ignore_errors: yes - changed_when: no - become: yes + ignore_errors: true + changed_when: false + become: true become_user: "{{ postgresql_user }}" - name: Register PostgreSQL standby server recovery status - set_fact: + ansible.builtin.set_fact: postgresql_is_in_recovery: "{{ postgresql_is_in_recovery_status is success and 
postgresql_is_in_recovery_status.stdout_lines[2].find('t') == 1 }}" when: "'dbstandby' in group_names" -- include: init-standby-common.yml +- name: Init Standby + ansible.builtin.include_tasks: init-standby-common.yml when: "'dbstandby' in group_names and not postgresql_is_in_recovery" diff --git a/roles/postgresql/tasks/init-standby-common.yml b/roles/postgresql/tasks/init-standby-common.yml index e0177571..2d7bb318 100644 --- a/roles/postgresql/tasks/init-standby-common.yml +++ b/roles/postgresql/tasks/init-standby-common.yml @@ -1,32 +1,42 @@ --- - name: Stop PostgreSQL - service: + ansible.builtin.service: name: "{{ postgresql_service }}" state: "stopped" - become: yes + become: true - name: Remove PostgreSQL data dir - file: + ansible.builtin.file: path: "{{ postgresql_data_path }}/main" state: absent - become: yes + become: true - name: Take base backup of PostgreSQL database - shell: "{{ item }}" + ansible.builtin.shell: "{{ item }}" # noqa command-instead-of-shell environment: PGPASSWORD: "{{ postgresql_replication_password }}" - become: yes + become: true become_user: "{{ postgresql_user }}" + changed_when: false with_items: - - pg_basebackup -h {{ postgresql_master_host }} -p {{ postgresql_master_port }} -D {{ postgresql_data_path }}/main -U {{ postgresql_replication_user }} -X stream -R + - |- + pg_basebackup \ + -h {{ postgresql_master_host }} \ + -p {{ postgresql_master_port }} \ + -D {{ postgresql_data_path }}/main \ + -U {{ postgresql_replication_user }} \ + -X stream \ + -R - sleep 15 +# sleep should be a wait_for task after this one + - name: Configure PostgreSQL replication - template: - src: recovery.conf.j2 + ansible.builtin.template: + src: recovery.conf.j2 dest: "{{ postgresql_data_path }}/main/recovery.conf" owner: "{{ postgresql_user }}" group: "{{ postgresql_group }}" - mode: 0640 - become: yes + mode: "0640" + become: true when: postgresql_version is version('12', '<') 
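Review bot: "Check if PostreSQL standby server is in recovery" keeps `ignore_errors: true`, and the set_fact that follows turns a failed command into `postgresql_is_in_recovery: false`, which satisfies the `when:` on the new "Init Standby" include — and init-standby-common.yml stops PostgreSQL and removes `{{ postgresql_data_path }}/main`. A transient psql failure on a dbstandby host therefore ends in the data directory being deleted and re-seeded from the primary. Drop `ignore_errors` so a failed check halts the play, and make the include depend on the check having succeeded, e.g. `when: "'dbstandby' in group_names and postgresql_is_in_recovery_status is success and not postgresql_is_in_recovery"`. Running the query as `psql -tAc 'SELECT pg_is_in_recovery();'` returns a bare `t`/`f`, which is more robust than `stdout_lines[2].find('t') == 1` and answers the `# This should be done with an assertion on an output` comment. The task name still reads "PostreSQL".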
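Review bot: `changed_when: false` added to "Take base backup of PostgreSQL database" is not true: pg_basebackup rebuilds the data directory that the previous task just removed, so every run now reports no change and diff/summary output hides a destructive step. The honest value is `changed_when: true`, or a `creates: "{{ postgresql_data_path }}/main/PG_VERSION"` guard under `args:` if the aim is to make the task idempotent. The `sleep 15` loop item should become an `ansible.builtin.wait_for` task with `path:` on the new data directory, as the `# sleep should be a wait_for task` comment already says, instead of sharing the loop with the backup command.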
diff --git a/roles/postgresql/tasks/install-Debian.yml b/roles/postgresql/tasks/install-Debian.yml index 30dd2dc7..44c3363b 100644 --- a/roles/postgresql/tasks/install-Debian.yml +++ b/roles/postgresql/tasks/install-Debian.yml @@ -1,25 +1,24 @@ # file: postgresql/tasks/install-Debian.yml # --- - - name: Ensure PostgreSQL is installed (Debian) - apt: + ansible.builtin.apt: name: "postgresql-{{ postgresql_version }}" state: present - install_recommends: no - update_cache: yes + install_recommends: false + update_cache: true cache_valid_time: 86400 - become: yes + become: true -# The postgresql_user module requires psycopg2, a Python PostgreSQL database +# The postgresql_user module requires psycopg2, a Python PostgreSQL database # adapter. We must ensure that psycopg2 is installed on the remote host before # using this module. - name: Ensure PostgreSQL python module is installed (Debian) - apt: + ansible.builtin.apt: name: "{{ postgresql_psycopg2_package }}" state: present - install_recommends: no - update_cache: yes + install_recommends: false + update_cache: true cache_valid_time: 86400 when: postgresql_users | length > 0 - become: yes + become: true diff --git a/roles/postgresql/tasks/main.yml b/roles/postgresql/tasks/main.yml index 493c1281..03d0673c 100644 --- a/roles/postgresql/tasks/main.yml +++ b/roles/postgresql/tasks/main.yml @@ -1,9 +1,8 @@ # file: postgresql/tasks/main.yml # --- - - name: Include OS-specific variables - include_vars: "{{ item }}" + ansible.builtin.include_vars: "{{ item }}" with_first_found: - "{{ ansible_distribution }}-{{ ansible_distribution_release }}.yml" - "{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml" 
@@ -13,66 +12,67 @@ - always - name: Define PostgreSQL version - set_fact: + ansible.builtin.set_fact: postgresql_version: "{{ postgresql_default_version }}" when: postgresql_version is not defined tags: - always - name: Define PostgreSQL configuration path - set_fact: + ansible.builtin.set_fact: postgresql_conf_path: "{{ postgresql_default_conf_path }}" when: postgresql_conf_path is not defined tags: - always - name: Define PostgreSQL data path - set_fact: + ansible.builtin.set_fact: postgresql_data_path: "{{ postgresql_default_data_path }}" when: postgresql_data_path is not defined tags: - always - name: Define PostgreSQL service name - set_fact: + ansible.builtin.set_fact: postgresql_service: "{{ postgresql_default_service }}" when: postgresql_service is not defined tags: - always - name: Define PostgreSQL user - set_fact: + ansible.builtin.set_fact: postgresql_user: "{{ postgresql_default_user }}" when: postgresql_user is not defined tags: - always - name: Define PostgreSQL group - set_fact: + ansible.builtin.set_fact: postgresql_group: "{{ postgresql_default_group }}" when: postgresql_group is not defined tags: - always - name: Define PostgreSQL python module version - set_fact: + ansible.builtin.set_fact: postgresql_psycopg2_package: "{{ postgresql_default_psycopg2_package }}" when: postgresql_psycopg2_package is not defined tags: - always -# Install OS-specific packages -- include: install-Debian.yml +- name: Install OS-specific packages + ansible.builtin.include_tasks: install-Debian.yml when: ansible_os_family == 'Debian' -#- include: install-CentOS.yml +# - include: install-CentOS.yml # when: ansible_os_family == 'CentOS -# Apply OS-independent configuration -- include: configure-common.yml +# +- name: Apply OS-independent configuration + ansible.builtin.include_tasks: configure-common.yml - name: Ensure PostgreSQL service is started and enabled on boot - service: + ansible.builtin.service: name: "{{ postgresql_service }}" state: "started" - enabled: yes 
- become: yes + enabled: true + become: true diff --git a/roles/postgresql/templates/postgresql-11.conf.j2 b/roles/postgresql/templates/postgresql-11.conf.j2 index 1764fde0..c0f16512 100644 --- a/roles/postgresql/templates/postgresql-11.conf.j2 +++ b/roles/postgresql/templates/postgresql-11.conf.j2 @@ -122,7 +122,7 @@ huge_pages = {{ postgresql_huge_pages_mode }} # on, off, or try #temp_buffers = 8MB # min 800kB #max_prepared_transactions = 0 # zero disables the feature # (change requires restart) -# Caution: it is not advisable to set max_prepared_transactions nonzero unless| +# Caution: it is not advisable to set max_prepared_transactions nonzero unless| # you actively intend to use prepared transactions. work_mem = {{ postgresql_work_mem }} # min 64kB #maintenance_work_mem = 64MB # min 1MB diff --git a/roles/postgresql/templates/postgresql-12.conf.j2 b/roles/postgresql/templates/postgresql-12.conf.j2 index 7ba45837..54a219f7 100644 --- a/roles/postgresql/templates/postgresql-12.conf.j2 +++ b/roles/postgresql/templates/postgresql-12.conf.j2 @@ -127,7 +127,7 @@ huge_pages = {{ postgresql_huge_pages_mode }} # on, off, or try #temp_buffers = 8MB # min 800kB #max_prepared_transactions = 0 # zero disables the feature # (change requires restart) -# Caution: it is not advisable to set max_prepared_transactions nonzero unless +# Caution: it is not advisable to set max_prepared_transactions nonzero unless # you actively intend to use prepared transactions. work_mem = {{ postgresql_work_mem }} # min 64kB #maintenance_work_mem = 64MB # min 1MB diff --git a/roles/rciam-metrics/defaults/main.yml b/roles/rciam-metrics/defaults/main.yml index 0d4112ae..01a33fa9 100644 --- a/roles/rciam-metrics/defaults/main.yml +++ b/roles/rciam-metrics/defaults/main.yml @@ -1,7 +1,5 @@ # file: group_vars/metrics/main.yml - --- - metrics_path: /srv/rciam-metrics-client/rciam-metrics metrics_repo: https://github.com/rciam/rciam-metrics-dev metrics_release: 1.0.0 
@@ -9,7 +7,7 @@ metrics_fast_api_folder_name: app metrics_ip2country_dir: ip2country_directory # Whether to install RCIAM metrics cron job; Enabled by default -metrics_cron_enabled: yes +metrics_cron_enabled: true metrics_api: address: "localhost" @@ -30,7 +28,7 @@ metrics_config: admin: metrics_dev_admin password: "{{ vault_metrics_db_password }}" host: db.rciam.noc.grnet.gr - pool_size : 15 + pool_size: 15 max_overflow: 5 log: level: DEBUG @@ -129,6 +127,6 @@ metrics_user: month: "*" weekday: "*" -#metrics_symlinks: +# metrics_symlinks: # - target: "/path/to/target" # link: "/path/to/symlink" diff --git a/roles/rciam-metrics/handlers/main.yml b/roles/rciam-metrics/handlers/main.yml index 09ca680d..aeb99312 100644 --- a/roles/rciam-metrics/handlers/main.yml +++ b/roles/rciam-metrics/handlers/main.yml @@ -1,10 +1,10 @@ --- # handlers file for rciam-metrics -- name: fastapi.service restart - systemd: +- name: Fastapi.service restart + ansible.builtin.systemd: name: fastapi state: restarted - enabled: yes - daemon_reload: yes - become: yes + enabled: true + daemon_reload: true + become: true diff --git a/roles/rciam-metrics/tasks/bootstrap.yml b/roles/rciam-metrics/tasks/bootstrap.yml index 7a44ab67..58ded1ac 100644 --- a/roles/rciam-metrics/tasks/bootstrap.yml +++ b/roles/rciam-metrics/tasks/bootstrap.yml 
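Review bot: The handler is renamed to `Fastapi.service restart` while every `notify:` in this role (roles/rciam-metrics/tasks/bootstrap.yml and deploy-backend.yml, in this same commit) still says `fastapi.service restart`; handler names are matched literally, so those notifications no longer reach the handler and the service is not restarted after a deploy. Keep the capitalised name for the linter and add `listen: fastapi.service restart` under the handler, or update the notify entries in both task files.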
@@ -1,40 +1,39 @@ # file: tasks/bootstrap.yml --- - - name: Ensure util groups exist - group: + ansible.builtin.group: name: "{{ metrics_user.group }}" - system: yes - become: yes + system: true + become: true - name: Ensure metrics user exists - user: + ansible.builtin.user: name: "{{ metrics_user.name }}" groups: "{{ metrics_user.group }}" - comment: "{{ metrics_user.gecos }}" + comment: "{{ metrics_user.gecos }}" shell: "{{ metrics_user.shell }}" home: "{{ metrics_user.path }}" - system: yes - create_home: yes + system: true + create_home: true skeleton: "/empty" - become: yes + become: true - name: Upgrade pip3 - pip: + ansible.builtin.pip: name: pip - state: latest + state: present virtualenv: "{{ metrics_path }}/.venv" extra_args: --upgrade - become: yes + become: true -- name: fastapi systemd setup - template: - owner: "www-data" - group: "www-data" - mode: 0644 - src: templates/fastapi/fastapi.service.j2 - dest: /etc/systemd/system/fastapi.service +- name: Fastapi systemd setup + ansible.builtin.template: + owner: "www-data" + group: "www-data" + mode: "0644" + src: templates/fastapi/fastapi.service.j2 + dest: /etc/systemd/system/fastapi.service notify: fastapi.service restart - become: yes + become: true tags: - fastapi_service diff --git a/roles/rciam-metrics/tasks/configure-local.yml b/roles/rciam-metrics/tasks/configure-local.yml index 098d0654..70e30e2d 100644 --- a/roles/rciam-metrics/tasks/configure-local.yml +++ b/roles/rciam-metrics/tasks/configure-local.yml 
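Review bot: "Fastapi systemd setup" writes `/etc/systemd/system/fastapi.service` with `owner: "www-data"` and `group: "www-data"`; a unit file that the service account can edit lets that account change `ExecStart` and have systemd run arbitrary commands as root at the next restart, so the unit should be root-owned regardless of which user the service runs as: `owner: root`, `group: root`, `mode: "0644"`. The `notify: fastapi.service restart` on the same task no longer matches the handler, which this commit renames to `Fastapi.service restart`. "Upgrade pip3" now says `state: present` but still passes `extra_args: --upgrade`, so it does upgrade; a one-line comment saying that the upgrade comes from extra_args would stop the next reader from "fixing" it.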
@@ -3,12 +3,12 @@ # After creating react configuration, github action will move the file to the react application # before building - name: Create react configuration file locally - template: - src: "react/config.json.j2" + ansible.builtin.template: + src: react/config.json.j2 dest: "{{ inventory_dir }}/files/config.{{ item.tenant }}.json" - mode: 0400 - backup: yes + mode: "0400" + backup: true loop: "{{ metrics_config | default([]) }}" when: item.frontend is defined - no_log: yes - delegate_to: localhost \ No newline at end of file + no_log: true + delegate_to: localhost diff --git a/roles/rciam-metrics/tasks/deploy-backend.yml b/roles/rciam-metrics/tasks/deploy-backend.yml index 8465f385..999cb97f 100644 --- a/roles/rciam-metrics/tasks/deploy-backend.yml +++ b/roles/rciam-metrics/tasks/deploy-backend.yml 
@@ -2,104 +2,106 @@ --- # This needs the metrics_release, only github actions can know or if you set it manually - name: Download and unarchive latest release zip file - unarchive: + ansible.builtin.unarchive: src: "{{ metrics_repo }}/releases/download/{{ metrics_release }}/backend-release-build.tar.gz" dest: "{{ metrics_path }}" remote_src: true owner: "{{ metrics_user.name }}" group: "{{ metrics_user.name }}" - become: yes + become: true notify: - fastapi.service restart tags: - rciam-metrics:deploy-backend:unarchive - name: Ensure metrics python requirements are installed in virtualenv - pip: + ansible.builtin.pip: requirements: "{{ metrics_path }}/requirements.txt" virtualenv: "{{ metrics_path }}/.venv" virtualenv_command: python3 -m venv state: present - become: yes + become: true notify: - fastapi.service restart tags: - rciam-metrics:deploy-backend:requirements - name: Ensure configurations (fastapi) are configured - template: + ansible.builtin.template: src: "fastapi/config.py.j2" dest: "{{ metrics_path }}/config.{{ item.tenant }}.py" owner: "{{ metrics_user.name }}" group: "{{ metrics_user.group }}" - mode: 0400 - backup: yes + mode: "0400" + backup: true loop: "{{ metrics_config | default([]) }}" - no_log: yes - become: yes + no_log: true + become: true notify: - fastapi.service restart tags: - rciam-metrics:deploy-backend:config - name: Ensure authorizations are configured - template: + ansible.builtin.template: src: "fastapi/authorize.py.j2" dest: "{{ metrics_path }}/authorize.{{ item.tenant }}.py" owner: "{{ metrics_user.name }}" group: "{{ metrics_user.group }}" - mode: 0400 - backup: yes + mode: "0400" + backup: true loop: "{{ metrics_config | default([]) }}" - become: yes + become: true notify: - fastapi.service restart tags: - rciam-metrics:deploy-backend:authorize - name: Ensure ip to country database file(s) are copied - copy: + become: true + ansible.builtin.copy: src: "{{ metrics_ip2country_dir }}/" dest: "{{ metrics_path }}/{{ 
metrics_fast_api_folder_name }}/ip_databases/" owner: "{{ metrics_user.name }}" group: "{{ metrics_user.group }}" - mode: 0400 - backup: yes - become: yes + mode: "0400" + backup: true notify: - fastapi.service restart tags: - rciam-metrics:deploy-backend:iptocountry - name: Ensure log path exists - file: - path: "{{ metrics_path }}/{{metrics_fast_api_folder_name}}/logs" + ansible.builtin.file: + path: "{{ metrics_path }}/{{ metrics_fast_api_folder_name }}/logs" state: directory owner: "{{ metrics_user.name }}" group: "{{ metrics_user.group }}" - become: yes + mode: "0755" + become: true notify: - fastapi.service restart tags: - rciam-metrics:deploy-backend:logging - name: Ensure log file exists - file: - path: "{{ metrics_path }}/{{metrics_fast_api_folder_name}}/logs/metrics.log" + ansible.builtin.file: + path: "{{ metrics_path }}/{{ metrics_fast_api_folder_name }}/logs/metrics.log" state: touch owner: "{{ metrics_user.name }}" group: "{{ metrics_user.group }}" - become: yes + mode: "0644" + become: true notify: - fastapi.service restart tags: - rciam-metrics:deploy-backend:logging - name: Create Symbolic links - file: + ansible.builtin.file: src: "{{ item.symlink.target }}" dest: "{{ item.symlink.link }}" - force: yes + force: true state: link owner: root group: root @@ -110,11 +112,11 @@ - rciam-metrics:deploy-backend:symlink - name: Add ENV vars in cron.d file - cron: + ansible.builtin.cron: name: "{{ item.name }}" job: "{{ item.job }}" user: "{{ item.user }}" - env: yes + env: true cron_file: "{{ item.filename }}" state: present loop: "{{ metrics_user.cron_env | default([]) }}" 
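Review bot: "Download and unarchive latest release zip file" pulls `{{ metrics_repo }}/releases/download/{{ metrics_release }}/backend-release-build.tar.gz` with `remote_src: true` and extracts it as root with no integrity check, so the deploy trusts whatever the release URL serves; the same pattern is in roles/rciam-metrics/tasks/deploy-frontend.yml. Fetching with `ansible.builtin.get_url` and a `checksum:` published alongside the release, then unarchiving the local copy, pins what gets installed. Separately, `become: true` sits above the module in the ip-to-country copy task while every other task in the file places it after the module arguments; keep the ordering uniform. The "Create Symbolic links" task at the end runs past the hunk.

```yaml
- name: Download latest backend release archive
  ansible.builtin.get_url:
    url: "{{ metrics_repo }}/releases/download/{{ metrics_release }}/backend-release-build.tar.gz"
    dest: "{{ metrics_path }}/backend-release-build-{{ metrics_release }}.tar.gz"
    # metrics_release_sha256 is a new variable (constructed name): define it in defaults
    # and publish the digest with each release
    checksum: "sha256:{{ metrics_release_sha256 }}"
    owner: "{{ metrics_user.name }}"
    group: "{{ metrics_user.name }}"
    mode: "0644"
  become: true

- name: Download and unarchive latest release zip file
  ansible.builtin.unarchive:
    src: "{{ metrics_path }}/backend-release-build-{{ metrics_release }}.tar.gz"
    dest: "{{ metrics_path }}"
    remote_src: true
    owner: "{{ metrics_user.name }}"
    group: "{{ metrics_user.name }}"
  become: true
  # … unchanged: notify and tags …
```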
@@ -124,10 +126,10 @@ - rciam-metrics:deploy-backend:cron - name: Ensure util cron jobs are installed - cron: + ansible.builtin.cron: name: "{{ metrics_user.name }}" user: "{{ metrics_user.name }}" - cron_file: "{{ metrics_user.name}}" + cron_file: "{{ metrics_user.name }}" job: "{{ metrics_user.cron.job }}" minute: "{{ metrics_user.cron.minute | default(omit) }}" hour: "{{ metrics_user.cron.hour | default(omit) }}" @@ -135,8 +137,6 @@ month: "{{ metrics_user.cron.month | default(omit) }}" backup: true when: metrics_user.cron is defined and metrics_cron_enabled - become: yes + become: true tags: - rciam-metrics:deploy-backend:cron - - diff --git a/roles/rciam-metrics/tasks/deploy-frontend.yml b/roles/rciam-metrics/tasks/deploy-frontend.yml index a318c42a..894a7b6f 100644 --- a/roles/rciam-metrics/tasks/deploy-frontend.yml +++ b/roles/rciam-metrics/tasks/deploy-frontend.yml 
@@ -1,27 +1,28 @@ --- - name: Ensure release directory exists - file: - path: "{{ metrics_path }}/{{ metrics_react_folder_name }}/{{tenant_environment | replace('.','_')}}/metrics-{{metrics_release}}" + ansible.builtin.file: + path: "{{ metrics_path }}/{{ metrics_react_folder_name }}/{{ tenant_environment | replace('.', '_') }}/metrics-{{ metrics_release }}" state: directory - become: yes + mode: "0755" + become: true # This needs the metrics_release, only github actions can know or if you set it manually # This needs the tenant_environment, only github actions can know or if you set it manually - name: Download and unarchive latest release zip file - unarchive: - src: "{{ metrics_repo }}/releases/download/{{ metrics_release }}/frontend-{{tenant_environment}}-release-build.tar.gz" - dest: "{{ metrics_path }}/{{ metrics_react_folder_name }}/{{tenant_environment | replace('.','_')}}/metrics-{{metrics_release}}" + ansible.builtin.unarchive: + src: "{{ metrics_repo }}/releases/download/{{ metrics_release }}/frontend-{{ tenant_environment }}-release-build.tar.gz" + dest: "{{ metrics_path }}/{{ metrics_react_folder_name }}/{{ tenant_environment | replace('.', '_') }}/metrics-{{ metrics_release }}" remote_src: true owner: "{{ metrics_user.name }}" group: "{{ metrics_user.name }}" - become: yes + become: true - name: Ensure symbolic link to latest metrics package exists - file: - src: "{{ metrics_path }}/{{ metrics_react_folder_name }}/{{tenant_environment | replace('.','_')}}/metrics-{{metrics_release}}" - dest: "{{ metrics_path }}/{{ metrics_react_folder_name }}/{{tenant_environment | replace('.','_')}}/metrics" - force: yes + ansible.builtin.file: + src: "{{ metrics_path }}/{{ metrics_react_folder_name }}/{{ tenant_environment | replace('.', '_') }}/metrics-{{ metrics_release }}" + dest: "{{ metrics_path }}/{{ metrics_react_folder_name }}/{{ tenant_environment | replace('.', '_') }}/metrics" + force: true state: link owner: "{{ metrics_user.name }}" group: "{{ 
metrics_user.name }}" - become: yes + become: true diff --git a/roles/rciam-metrics/tasks/install-Debian.yml b/roles/rciam-metrics/tasks/install-Debian.yml index 45d12421..47d04a91 100644 --- a/roles/rciam-metrics/tasks/install-Debian.yml +++ b/roles/rciam-metrics/tasks/install-Debian.yml @@ -1,10 +1,9 @@ # file: metrics/tasks/install-Debian.yml # --- - - name: Ensure metrics dependencies are installed - apt: - name: + ansible.builtin.apt: + name: # Should be declared in defaults - git - python3-venv - build-essential @@ -14,7 +13,7 @@ - python3-virtualenv - libpq-dev state: present - install_recommends: no - update_cache: yes + install_recommends: false + update_cache: true cache_valid_time: 86400 - become: yes + become: true diff --git a/roles/rciam-metrics/tasks/main.yml b/roles/rciam-metrics/tasks/main.yml index 3995d27c..259f01b0 100644 --- a/roles/rciam-metrics/tasks/main.yml +++ b/roles/rciam-metrics/tasks/main.yml @@ -1,17 +1,15 @@ --- - -# Include OS-specific installation tasks -- include_tasks: install-Debian.yml +- name: Include OS-specific installation tasks + ansible.builtin.include_tasks: install-Debian.yml when: ansible_os_family == 'Debian' tags: - rciam-metrics:install -# Include OS-independent installation tasks -- import_tasks: bootstrap.yml +- name: Include OS-independent installation tasks + ansible.builtin.import_tasks: bootstrap.yml tags: - rciam-metrics:bootstrap -# Include OS-independent configuration tasks # NOTE: The first time this task has to run manually using the --extra-var parameter # of ansible cmd command # e.g. ansible-playbook -u debian 
@@ -22,18 +20,19 @@ # --extra-vars metrics_release="metrics-api-deploy_changes-rc-deploy_changes-6335295151" # --diff # --check -- import_tasks: deploy-backend.yml +- name: Include OS-independent configuration tasks + ansible.builtin.import_tasks: deploy-backend.yml tags: - rciam-metrics:deploy-backend - # Include OS-independent configuration tasks # NOTE: Runs through github actions ONLY -- import_tasks: configure-local.yml +- name: Include OS-independent configuration tasks + ansible.builtin.import_tasks: configure-local.yml tags: - rciam-metrics:config-local - # Include OS-independent configuration tasks # NOTE: Runs through github actions ONLY -- import_tasks: deploy-frontend.yml +- name: Include OS-independent configuration tasks + ansible.builtin.import_tasks: deploy-frontend.yml tags: - rciam-metrics:deploy-frontend diff --git a/roles/rciam-oidc-client/tasks/configure-common.yml b/roles/rciam-oidc-client/tasks/configure-common.yml index 837a2d40..a8d7942d 100644 --- a/roles/rciam-oidc-client/tasks/configure-common.yml +++ b/roles/rciam-oidc-client/tasks/configure-common.yml @@ -1,9 +1,10 @@ # file: tasks/configure.yml --- - name: Configure webapp - template: + ansible.builtin.template: src: "{{ item.src_config_path }}" dest: "{{ item.dest_config_path }}" - backup: yes + backup: true + mode: "0644" loop: "{{ rciam_oidc_clients }}" - become: yes + become: true diff --git a/roles/rciam-oidc-client/tasks/install-common-client.yml b/roles/rciam-oidc-client/tasks/install-common-client.yml index 5c340d03..c5d85272 100644 --- a/roles/rciam-oidc-client/tasks/install-common-client.yml +++ b/roles/rciam-oidc-client/tasks/install-common-client.yml 
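Review bot: Three consecutive tasks now carry the identical name `Include OS-independent configuration tasks`, which discards the distinction the removed comments made and makes play output and `--start-at-task` ambiguous. Name each after what it imports: `- name: Deploy metrics backend` for deploy-backend.yml, `- name: Create react configuration locally` for configure-local.yml, and `- name: Deploy metrics frontend` for deploy-frontend.yml. The "Runs through github actions ONLY" comments are worth keeping next to the renamed tasks.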
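Review bot: `mode: "0644"` added to "Configure webapp" makes every rendered `{{ item.dest_config_path }}` world-readable; OIDC client configuration typically holds the client secret, so the safer default is `mode: "0640"` with `group:` set to the web server's group, and `no_log: true` on the loop so rendered values stay out of the play log. If a given webapp genuinely needs 0644, put the mode in the rciam_oidc_clients entry (`mode: "{{ item.mode | default('0640') }}"`) rather than hard-coding the open value for all of them.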
@@ -3,46 +3,48 @@ --- - name: Create RCIAM OIDC Client temp directory - file: + ansible.builtin.file: path: "/tmp/{{ item.item.name }}" state: directory - become: yes + mode: "0755" + become: true - name: Download & unarchive RCIAM OIDC Client to temp directory - unarchive: + ansible.builtin.unarchive: src: "{{ item.item.release }}" dest: "/tmp/{{ item.item.name }}" - remote_src: yes - list_files: yes + remote_src: true + list_files: true register: rciam_oidc_client_unarchive - become: yes + become: true - name: Setting RCIAM OIDC Client temp directory - set_fact: + ansible.builtin.set_fact: rciam_oidc_client_tmp_dir: "/tmp/{{ item.item.name }}/{{ rciam_oidc_client_unarchive.files[0].split('/')[0] }}" - name: Backup old version of RCIAM OIDC Client - command: + ansible.builtin.command: cmd: "mv {{ item.item.path }} {{ item.item.path }}.{{ ansible_date_time.iso8601 }}" removes: "{{ item.item.path }}" - become: yes + become: true - name: Move RCIAM OIDC Client from temp directory to target path - command: "mv {{ rciam_oidc_client_tmp_dir }} {{ item.item.path }}" - become: yes + ansible.builtin.command: "mv {{ rciam_oidc_client_tmp_dir }} {{ item.item.path }}" + changed_when: false + become: true - name: Create a file with the version of the RCIAM OIDC Client - copy: + ansible.builtin.copy: content: "" dest: "{{ item.item.path }}/{{ item.item.version }}" - force: no - owner: "root" - group: "root" + force: false + owner: root + group: root mode: "0644" - become: yes + become: true - name: Ensure RCIAM OIDC Client temp directory is absent - file: + ansible.builtin.file: path: "/tmp/{{ item.item.name }}" state: absent - become: yes + become: true diff --git a/roles/rciam-oidc-client/tasks/install-common.yml b/roles/rciam-oidc-client/tasks/install-common.yml index cce56a17..dff42eb7 100644 --- a/roles/rciam-oidc-client/tasks/install-common.yml +++ b/roles/rciam-oidc-client/tasks/install-common.yml 
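Review bot: The work directory is the predictable `/tmp/{{ item.item.name }}`, created with `mode: "0755"` and populated by unarchive and mv as root; on a shared host anything another local user pre-places at that path is followed by these tasks, so a private directory from `ansible.builtin.tempfile` with `state: directory` (registered and used as the base path, then removed by the final task) is the safer shape. `changed_when: false` on "Move RCIAM OIDC Client from temp directory to target path" is also incorrect — the mv replaces the installed client — and should be `changed_when: true`; the preceding backup task already does this properly with `removes:`.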
@@ -3,18 +3,18 @@ --- - name: Ensure unzip is installed - package: + ansible.builtin.package: name: unzip state: present become: true -- name: Check which RCIAM OIDC Clients need to be installed - stat: - path: "{{ item.path }}/{{ item.version }}" +- name: Check which RCIAM OIDC Clients need to be installed + ansible.builtin.stat: + path: "{{ item.path }}/{{ item.version }}" loop: "{{ rciam_oidc_clients }}" register: rciam_oidc_client_stats - name: Ensure RCIAM OIDC Client is installed - include_tasks: install-common-client.yml + ansible.builtin.include_tasks: install-common-client.yml loop: "{{ rciam_oidc_client_stats.results }}" when: not item.stat.exists diff --git a/roles/rciam-oidc-client/tasks/main.yml b/roles/rciam-oidc-client/tasks/main.yml index ae049d80..6e186782 100644 --- a/roles/rciam-oidc-client/tasks/main.yml +++ b/roles/rciam-oidc-client/tasks/main.yml @@ -1,12 +1,12 @@ # file: rciam-oidc-client/tasks/main.yml # --- -# Include OS-specific installation tasks -- include: install-common.yml +- name: Include OS-specific installation tasks + ansible.builtin.include_tasks: install-common.yml tags: - install -# Include OS-independent configuration tasks -- include: configure-common.yml +- name: Include OS-independent configuration tasks + ansible.builtin.include_tasks: configure-common.yml tags: - config diff --git a/roles/rciam-probes/defaults/main.yml b/roles/rciam-probes/defaults/main.yml index b2b78493..5dfb3272 100644 --- a/roles/rciam-probes/defaults/main.yml +++ b/roles/rciam-probes/defaults/main.yml @@ -4,7 +4,7 @@ timezone: "UTC" nagios_home: "/home/nagios" rciam_probes_log_dir: "/var/log/rciam_probes" -#argo_environment: "devel" +# argo_environment: "devel" repos: - name: "argo-{{ argo_environment }}" @@ -12,4 +12,4 @@ repos: file: "argo" baseurl: "http://rpm-repo.argo.grnet.gr/ARGO/{{ argo_environment }}/centos{{ ansible_distribution_major_version }}/" gpgcheck: 0 - enabled: 1 \ No newline at end of file + enabled: 1 
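Review bot: Replacing `include:` with `ansible.builtin.include_tasks:` changes how the `install`/`config` tags behave: on a dynamic include the tag applies to the include task only, so `ansible-playbook --tags install` runs the include but the untagged tasks inside install-common.yml are filtered out, whereas the old static include propagated the tag. Use `ansible.builtin.import_tasks: install-common.yml` (static, tags inherited) or keep include_tasks with `apply: tags: [install]`, as roles/rciam-probes/tasks/main.yml already does for update-static.yml. The same include→include_tasks conversion appears untagged in roles/postgresql/tasks/main.yml and roles/rciam-probes/tasks/main.yml in this commit; those are probably only affected if the included files carry their own tags, which is worth checking.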
diff --git a/roles/rciam-probes/handlers/main.yml b/roles/rciam-probes/handlers/main.yml index 849169c7..ed97d539 100644 --- a/roles/rciam-probes/handlers/main.yml +++ b/roles/rciam-probes/handlers/main.yml @@ -1,3 +1 @@ --- - - diff --git a/roles/rciam-probes/tasks/configure-RedHat.yml b/roles/rciam-probes/tasks/configure-RedHat.yml index 3f4feb39..9ca4d658 100644 --- a/roles/rciam-probes/tasks/configure-RedHat.yml +++ b/roles/rciam-probes/tasks/configure-RedHat.yml @@ -1,11 +1,11 @@ --- - name: Add ENV vars in cron.d file (REDHAD) - cron: + ansible.builtin.cron: name: "{{ item.name }}" job: "{{ item.job }}" user: "{{ item.user }}" - env: yes + env: true cron_file: "{{ item.filename }}" state: present loop: "{{ cron_env | default([]) }}" @@ -13,7 +13,7 @@ when: cron_env is defined - name: Add cron jobs (RedHat) - cron: + ansible.builtin.cron: name: "{{ item.name }}" minute: "{{ item.minute }}" job: "{{ item.job }}" @@ -25,19 +25,19 @@ when: cron_jobs is defined - name: Set a universal Apache policy (RedHat) - command: "setsebool -P httpd_unified 1" + ansible.builtin.command: "setsebool -P httpd_unified 1" become: true changed_when: false - name: Ensure nagios home directory has search permissions on (RedHat) - file: + ansible.builtin.file: path: "{{ nagios_registered.home }}" state: directory mode: "0701" become: true - name: Ensure html directory exists under nagios home directory (RedHat) - file: + ansible.builtin.file: path: "{{ nagios_registered.home }}/{{ item }}" state: directory owner: nagios @@ -48,7 +48,7 @@ become: true - name: Install policycoreutils-python (RedHat) - yum: + ansible.builtin.yum: name: "{{ item }}" state: present update_cache: true 
@@ -58,17 +58,18 @@ # semanage fcontext -a -t httpd_sys_content_t "/var/spool/nagios/html(/.*)?" # /etc/selinux/targeted/contexts/files/file_contexts.local - name: Set selinux policy for directories (RedHat) - sefcontext: - target: "{{ item.target }}(/.*)?" - setype: "{{ item.setype }}" - reload: True - state: present + community.general.sefcontext: + target: "{{ item.target }}(/.*)?" + setype: "{{ item.setype }}" + reload: true + state: present become: true with_items: - - { target: "{{ nagios_registered.home }}/html", setype: "httpd_sys_content_t" } + - { target: "{{ nagios_registered.home }}/html", setype: "httpd_sys_content_t" } - name: Apply new SELinux file context to filesystem (RedHat) - command: "restorecon -irv {{ item }}" + ansible.builtin.command: "restorecon -irv {{ item }}" + changed_when: false loop: - "{{ nagios_registered.home }}/html" - become: true \ No newline at end of file + become: true diff --git a/roles/rciam-probes/tasks/install-RedHat.yml b/roles/rciam-probes/tasks/install-RedHat.yml index 5736f6da..17074f8c 100644 --- a/roles/rciam-probes/tasks/install-RedHat.yml +++ b/roles/rciam-probes/tasks/install-RedHat.yml 
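Review bot: `changed_when: false` on "Apply new SELinux file context to filesystem (RedHat)" makes the task report no change even when `restorecon -irv` relabels files, so a context repair is invisible in the play summary. Register the result and derive the state from the verbose output instead: `register: restorecon_result` and `changed_when: "'Relabeled' in restorecon_result.stdout"` (restorecon -v prints one line per file it relabels, to be confirmed on the target release). The `with_items:` flow mapping in the sefcontext task above would read better as a block-style item, consistent with the rest of the role.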
@@ -1,34 +1,34 @@ --- - name: Ensure Repos are installed (RedHat) - yum_repository: + ansible.builtin.yum_repository: name: "{{ item.name }}" description: "{{ item.description }}" file: "{{ item.file }}" baseurl: "{{ item.baseurl }}" - gpgcheck: "{{ item.gpgcheck}}" + gpgcheck: "{{ item.gpgcheck }}" enabled: "{{ item.enabled }}" - loop: "{{ repos | default([])}}" - become: yes + loop: "{{ repos | default([]) }}" + become: true - name: Install dependencies (RedHat) - yum: + ansible.builtin.yum: name: "{{ item }}" state: present - validate_certs: no + validate_certs: false update_cache: true loop: "{{ dependencies | default([]) }}" when: dependencies is defined - name: Ensure nagios group is present (RedHat) - group: + ansible.builtin.group: name: nagios state: present become: true - name: Ensure nagios user is present and member of nagios and apache groups (RedHat) - user: + ansible.builtin.user: name: nagios state: present home: "{{ nagios_home }}" @@ -38,19 +38,19 @@ become: true - name: Echo nagios home directory (RedHat) - debug: + ansible.builtin.debug: var: nagios_registered verbosity: 1 - name: Install rciam_probes (RedHat) - yum: + ansible.builtin.yum: name: rciam_probes - state: latest + state: present update_cache: true become: true - name: Ensure log file owned by nagios user (RedHat) - file: + ansible.builtin.file: dest: "{{ rciam_probes_log_dir }}" state: directory mode: "0744" @@ -59,14 +59,14 @@ become: true - name: Upgrade pip3 (RedHat) - pip: + ansible.builtin.pip: name: pip executable: pip3 extra_args: --upgrade # Ensuring the umask is 0022 (to ensure other users can use it) - name: Install python3 packages (RedHat) - pip: + ansible.builtin.pip: name: "{{ item.name }}" version: "{{ item.version }}" umask: "0022" @@ -74,4 +74,3 @@ loop: "{{ pip_dependencies | default([]) }}" become: true when: pip_dependencies is defined - diff --git a/roles/rciam-probes/tasks/main.yml b/roles/rciam-probes/tasks/main.yml index a0077fd5..0dc49523 100644 
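Review bot: `validate_certs: false` on "Install dependencies (RedHat)" turns off TLS verification for what the yum module fetches, and the ARGO repository in roles/rciam-probes/defaults/main.yml is declared with `gpgcheck: 0` over a plain http baseurl, so nothing on the path verifies the packages that end up installed. Remove `validate_certs: false` (or leave a comment stating which repository needs it and why), and enable gpgcheck with the repository's signing key. This task and the two pip tasks further down also run without `become: true` while their neighbours have it; if the play relies on running as root that is worth stating once at the top of the file.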
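Review bot: `state: present` replacing `state: latest` for "Install rciam_probes (RedHat)" is a behaviour change, not just a lint fix: reruns no longer pick up new probe releases. If keeping the probes current was the point of the task, either pin the version explicitly (`name: "rciam_probes-{{ rciam_probes_version }}"`, with the variable defined in defaults) or keep `state: latest` with `# noqa package-latest` and a comment saying the upgrade is intentional.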
--- a/roles/rciam-probes/tasks/main.yml +++ b/roles/rciam-probes/tasks/main.yml @@ -3,34 +3,34 @@ --- - name: Include OS-specific variables - include_vars: "{{ item }}" + ansible.builtin.include_vars: "{{ item }}" with_first_found: - - "{{ ansible_distribution }}-{{ ansible_distribution_release}}.yml" - - "{{ ansible_distribution }}-{{ ansible_distribution_major_version}}.yml" - - "{{ ansible_os_family }}-{{ ansible_distribution_major_version}}.yml" + - "{{ ansible_distribution }}-{{ ansible_distribution_release }}.yml" + - "{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml" + - "{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml" - "{{ ansible_distribution }}.yml" - "{{ ansible_os_family }}.yml" tags: - always -# Install OS-specific packages -- include: install-RedHat.yml +- name: Install OS-specific packages + ansible.builtin.include_tasks: install-RedHat.yml when: ansible_os_family == 'RedHat' -#- include: install-Debian.yml +# - include: install-Debian.yml # when: ansible_os_family == 'Debian' -# Configure OS-specific packages -- include: configure-RedHat.yml +- name: Configure RedHat + ansible.builtin.include_tasks: configure-RedHat.yml when: ansible_os_family == 'RedHat' -#- include: configure-Debian.yml +# - include: configure-Debian.yml # when: ansible_os_family == 'Debian' # Tasks adding/copying/replacing files - name: Include OS-independent Update/Copy tasks - include_tasks: + ansible.builtin.include_tasks: file: update-static.yml apply: tags: - - update + - update tags: - - update \ No newline at end of file + - update diff --git a/roles/rciam-probes/tasks/update-static.yml b/roles/rciam-probes/tasks/update-static.yml index 7ef51d5b..1a4bc045 100644 --- a/roles/rciam-probes/tasks/update-static.yml +++ b/roles/rciam-probes/tasks/update-static.yml 
@@ -1,16 +1,16 @@ --- - name: Register static files to be copied - find: + ansible.builtin.find: paths: "{{ inventory_dir }}/files/monservers" file_type: file - recurse: yes + recurse: true register: static_files - ignore_errors: yes + ignore_errors: true delegate_to: 127.0.0.1 - name: Display files to be copied - debug: + ansible.builtin.debug: msg: "/{{ item.path | regex_replace('(.*)[/]files[/]monservers[/](.*)', '\\2') }}" verbosity: 1 loop: "{{ static_files.files }}" @@ -19,16 +19,16 @@ when: static_files is defined - name: Copy static files - copy: + ansible.builtin.copy: src: "{{ item.path }}" dest: "/{{ item.path | regex_replace('(.*)[/]files[/]monservers[/](.*)', '\\2') }}" - force: yes + force: true owner: root - mode: 0664 + mode: "0664" backup: true loop: "{{ static_files.files }}" loop_control: label: "Added file /{{ item.path | regex_replace('(.*)[/]files[/]monservers[/](.*)', '\\2') }}" - become: yes - ignore_errors: yes + become: true + ignore_errors: true # noqa ignore-errors when: static_files is defined diff --git a/roles/rciam-probes/vars/RedHat-7.yml b/roles/rciam-probes/vars/RedHat-7.yml index b7d11469..7d5ef101 100644 --- a/roles/rciam-probes/vars/RedHat-7.yml +++ b/roles/rciam-probes/vars/RedHat-7.yml @@ -5,4 +5,4 @@ apache_user: "apache" apache_group: "apache" core_utils: - - policycoreutils-python \ No newline at end of file + - policycoreutils-python diff --git a/roles/rciam-probes/vars/RedHat-8.yml b/roles/rciam-probes/vars/RedHat-8.yml index cfdf94bb..a2d79c0f 100644 --- a/roles/rciam-probes/vars/RedHat-8.yml +++ b/roles/rciam-probes/vars/RedHat-8.yml 
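Review bot: `when: static_files is defined` on the debug and copy tasks does not guard what it appears to: `register: static_files` sets the variable even when the find task fails, and `ignore_errors: true` lets the play continue, so `loop: "{{ static_files.files }}"` can then error on a missing `files` key. Use `loop: "{{ static_files.files | default([]) }}"` on both tasks and drop the `is defined` check. The new `# noqa ignore-errors` on the copy task only silences the lint; since `dest` is an absolute path under `/` derived from the source path and the file is written as root, a failed copy of one of these files is exactly the kind of error that should not be masked — prefer a narrow `failed_when` or no `ignore_errors` at all.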
@@ -1,9 +1,9 @@ --- -clean_cache_cmd: "yum clean all" -apache_user: "apache" -apache_group: "apache" +clean_cache_cmd: yum clean all +apache_user: apache +apache_group: apache # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/considerations_in_adopting_rhel_8/index core_utils: - - policycoreutils-python-utils \ No newline at end of file + - policycoreutils-python-utils diff --git a/roles/rciam-probes/vars/RedHat.yml b/roles/rciam-probes/vars/RedHat.yml index 89d1fbb9..1999494e 100644 --- a/roles/rciam-probes/vars/RedHat.yml +++ b/roles/rciam-probes/vars/RedHat.yml @@ -1,6 +1,5 @@ --- -clean_cache_cmd: "yum clean all" -apache_user: "apache" -apache_group: "apache" - +clean_cache_cmd: yum clean all +apache_user: apache +apache_group: apache diff --git a/roles/rciam-utils/defaults/main.yml b/roles/rciam-utils/defaults/main.yml index 6fec3de7..121b6a0a 100644 --- a/roles/rciam-utils/defaults/main.yml +++ b/roles/rciam-utils/defaults/main.yml @@ -22,7 +22,7 @@ rciam_utils: [] # #month: # Configuration for https://github.com/rciam/rciam-sync-voms.git -#rciam_utils_sync_voms: +# rciam_utils_sync_voms: # vomses_file: # url: "https://{{ rciam_hostname }}/static/diracVOs.json" # # Uncomment the following line to use the specified CA_BUNDLE file or @@ -49,7 +49,7 @@ rciam_utils: [] # level: "DEBUG" # Whether to install RCIAM util cron jobs; Enabled by default -rciam_utils_cron_enabled: yes +rciam_utils_cron_enabled: true rciam_utils_sync_client_names: # Type of OP: "mitreid" or "keycloak". Defaults to "mitreid". diff --git a/roles/rciam-utils/tasks/configure.yml b/roles/rciam-utils/tasks/configure.yml index 63d81b76..6a6d0824 100644 --- a/roles/rciam-utils/tasks/configure.yml +++ b/roles/rciam-utils/tasks/configure.yml 
@@ -2,86 +2,89 @@ --- - name: Ensure utils are configured - template: + ansible.builtin.template: src: "{{ item.name }}/config.py.j2" dest: "{{ item.path }}/config.py" owner: "{{ item.user.name }}" group: "{{ item.user.group }}" - mode: 0400 - backup: yes + mode: "0400" + backup: true loop: "{{ rciam_utils }}" - become: yes + become: true - name: Ensure util SSL certificate directories exist - file: + ansible.builtin.file: path: "{{ item.ssl.cert.path | dirname }}" owner: "{{ item.ssl.cert.owner }}" group: "{{ item.ssl.cert.group }}" state: directory + mode: "0750" loop: "{{ rciam_utils }}" when: item.ssl is defined - become: yes + become: true - name: Ensure util SSL certificates are copied - copy: + ansible.builtin.copy: dest: "{{ item.ssl.cert.path }}" content: "{{ item.ssl.cert.content }}" owner: "{{ item.ssl.cert.owner }}" group: "{{ item.ssl.cert.group }}" mode: "{{ item.ssl.cert.mode }}" - backup: yes + backup: true loop: "{{ rciam_utils }}" when: item.ssl is defined - become: yes + become: true - name: Ensure util SSL certificate key directories exist - file: + ansible.builtin.file: path: "{{ item.ssl.cert_key.path | dirname }}" owner: "{{ item.ssl.cert_key.owner }}" group: "{{ item.ssl.cert_key.group }}" state: directory + mode: "0750" loop: "{{ rciam_utils }}" when: item.ssl is defined - become: yes + become: true - name: Ensure util SSL certificate keys are copied - copy: + ansible.builtin.copy: dest: "{{ item.ssl.cert_key.path }}" content: "{{ item.ssl.cert_key.content }}" owner: "{{ item.ssl.cert_key.owner }}" group: "{{ item.ssl.cert_key.group }}" mode: "{{ item.ssl.cert_key.mode }}" - backup: yes + backup: true loop: "{{ rciam_utils }}" when: item.ssl is defined - become: yes - no_log: yes + become: true + no_log: true -- name: Ensure tables have been created for rciam-ip2country - shell: "{{ (rciam_utils | selectattr(\"name\", \"equalto\", \"rciam-ip2country\") | map(attribute='path') | list)[0] }}/.venv/bin/python -m Utils.install" +- name: Ensure 
tables have been created for rciam-ip2country # noqa command-instead-of-shell + ansible.builtin.shell: "{{ (rciam_utils | selectattr(\"name\", \"equalto\", \"rciam-ip2country\") | map(attribute='path') | list)[0] }}/.venv/bin/python -m Utils.install" # noqa yaml[line-length] args: chdir: "{{ (rciam_utils | selectattr(\"name\", \"equalto\", \"rciam-ip2country\") | map(attribute='path') | list)[0] }}" when: rciam_utils | selectattr("name", "equalto", "rciam-ip2country") | list | length == 1 - become: yes + become: true become_user: "{{ (rciam_utils | selectattr(\"name\", \"equalto\", \"rciam-ip2country\") | map(attribute='user.name') | list)[0] }}" + changed_when: false tags: - rciam_utils:config:ip2country:db - name: Ensure database files are copied for rciam-ip2country - copy: + ansible.builtin.copy: src: "{{ rciam_utils_ip2country.database_files_dir }}/{{ rciam_utils_ip2country.db_file_extension }}/" dest: "{{ (rciam_utils | selectattr(\"name\", \"equalto\", \"rciam-ip2country\") | map(attribute='path') | list)[0] }}/databases/" owner: "{{ (rciam_utils | selectattr(\"name\", \"equalto\", \"rciam-ip2country\") | map(attribute='user.name') | list)[0] }}" group: "{{ (rciam_utils | selectattr(\"name\", \"equalto\", \"rciam-ip2country\") | map(attribute='user.group') | list)[0] }}" - mode: 0400 - backup: yes + mode: "0400" + backup: true when: '(rciam_utils_ip2country.database_files_dir is defined) and (rciam_utils | selectattr("name", "equalto", "rciam-ip2country") | list | length == 1)' - become: yes + become: true tags: - rciam_utils:config:ip2country:files - name: Ensure util cron jobs are installed - cron: + ansible.builtin.cron: name: "{{ item.name }}" user: "{{ item.user.name | default('root') }}" cron_file: "{{ item.name }}" @@ -92,4 +95,4 @@ month: "{{ item.cron.month | default(omit) }}" loop: "{{ rciam_utils }}" when: item.cron is defined and rciam_utils_cron_enabled - become: yes + become: true 
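Review bot: The `# noqa command-instead-of-shell` on "Ensure tables have been created for rciam-ip2country" silences the lint instead of fixing it: the command line has no shell features (a templated interpreter path plus `-m Utils.install`), so `ansible.builtin.command:` with the same string and the existing `args: chdir:` works and avoids shell interpretation of the templated path. The newly added `changed_when: false` also sits oddly on a task whose name says it creates tables; if `Utils.install` reports whether it created anything, register its output and derive `changed_when` from it, otherwise keep `changed_when: false` with a one-line comment saying the script is idempotent. Separately, the SSL key copy combines `no_log: true` with `backup: true`, which presumably leaves timestamped copies of superseded private keys beside the live one — confirm that is intended.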
diff --git a/roles/rciam-utils/tasks/install-Debian.yml b/roles/rciam-utils/tasks/install-Debian.yml index 3405de1d..657d3bcb 100644 --- a/roles/rciam-utils/tasks/install-Debian.yml +++ b/roles/rciam-utils/tasks/install-Debian.yml @@ -3,51 +3,51 @@ --- - name: Ensure util dependencies are installed - apt: + ansible.builtin.apt: name: - git - python3-venv state: present - install_recommends: no - update_cache: yes + install_recommends: false + update_cache: true cache_valid_time: 86400 - become: yes + become: true - name: Ensure PPA is installed for MaxMind (required for rciam-ip2country) - apt_repository: + ansible.builtin.apt_repository: repo: 'ppa:maxmind/ppa' state: present - update_cache: yes + update_cache: true codename: trusty - when: + when: - rciam_utils | selectattr("name", "equalto", "rciam-ip2country") | list | length == 1 - rciam_utils_ip2country.db_file_extension is defined and rciam_utils_ip2country.db_file_extension == "dat" - become: yes + become: true - name: Ensure dependencies for rciam-ip2country are installed - apt: + ansible.builtin.apt: name: - build-essential - python3-dev state: present - install_recommends: no - update_cache: yes + install_recommends: false + update_cache: true cache_valid_time: 86400 - when: + when: - rciam_utils | selectattr("name", "equalto", "rciam-ip2country") | list | length == 1 - become: yes + become: true - name: Ensure additional dependencies for rciam-ip2country (legacy version only) are installed - apt: + ansible.builtin.apt: name: - libgeoip1 - libgeoip-dev - geoip-bin state: present - install_recommends: no - update_cache: yes + install_recommends: false + update_cache: true cache_valid_time: 86400 - when: + when: - rciam_utils | selectattr("name", "equalto", "rciam-ip2country") | list | length == 1 - rciam_utils_ip2country.db_file_extension is defined and rciam_utils_ip2country.db_file_extension == "dat" - become: yes + become: true 
diff --git a/roles/rciam-utils/tasks/install-common.yml b/roles/rciam-utils/tasks/install-common.yml index dd92c2ff..45c5b70e 100644 --- a/roles/rciam-utils/tasks/install-common.yml +++ b/roles/rciam-utils/tasks/install-common.yml @@ -2,40 +2,40 @@ --- - name: Ensure util groups exist - group: + ansible.builtin.group: name: "{{ item.user.group }}" - system: yes + system: true loop: "{{ rciam_utils }}" - become: yes + become: true - name: Ensure util users exist - user: + ansible.builtin.user: name: "{{ item.user.name }}" groups: "{{ item.user.group }}" - comment: "{{ item.user.gecos }}" + comment: "{{ item.user.gecos }}" shell: "{{ item.user.shell }}" home: "{{ item.user.path }}" - system: yes - create_home: yes + system: true + create_home: true skeleton: "/empty" loop: "{{ rciam_utils }}" - become: yes + become: true - name: Ensure util code checkouts are up-to-date - git: + ansible.builtin.git: repo: "{{ item.repo }}" dest: "{{ item.path }}" version: "{{ item.version }}" loop: "{{ rciam_utils }}" - become: yes + become: true become_user: "{{ item.user.name }}" - name: Ensure util python requirements are installed in virtualenvs - pip: + ansible.builtin.pip: requirements: "{{ item.path }}/requirements.txt" virtualenv: "{{ item.path }}/.venv" virtualenv_command: python3 -m venv - state: latest + state: present loop: "{{ rciam_utils }}" - become: yes + become: true become_user: "{{ item.user.name }}" diff --git a/roles/rciam-utils/tasks/main.yml b/roles/rciam-utils/tasks/main.yml index 9f377d85..c94d26da 100644 --- a/roles/rciam-utils/tasks/main.yml +++ b/roles/rciam-utils/tasks/main.yml 
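Review bot: Switching the pip task from `state: latest` to `state: present` changes behaviour, not just lint status: entries in each util's requirements.txt that are not pinned with `==` will no longer be upgraded on later runs, so a comment on the task is warranted, e.g. `# present, not latest: upgrades must come from pins in the checkout's requirements.txt`. That makes `version: "{{ item.version }}"` on the git task the only thing fixing which code runs as `item.user.name`; document (in the role defaults, outside this hunk) that it should be a tag or commit SHA rather than a branch so runs are reproducible. The `become_user` on both tasks is a good sign that the checkout is not root-owned.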
@@ -1,24 +1,23 @@ # file: tasks/main.yml # --- - -# Include OS-specific installation tasks -- include: install-Debian.yml +- name: Include OS-specific installation tasks + ansible.builtin.include_tasks: install-Debian.yml when: ansible_os_family == 'Debian' -#- include: install-RedHat.yml +# - include: install-RedHat.yml # when: ansible_os_family == 'RedHat' tags: - install - rciam_utils:install -# Include OS-independent installation tasks -- include: install-common.yml +- name: Include OS-independent installation tasks + ansible.builtin.include_tasks: install-common.yml tags: - install - rciam_utils:install -# Include OS-independent configuration tasks -- include: configure.yml +- name: Include OS-independent configuration tasks + ansible.builtin.include_tasks: configure.yml tags: - config - rciam_utils:config diff --git a/roles/rciam-utils/templates/rciam-sync-client-names/config.py.j2 b/roles/rciam-utils/templates/rciam-sync-client-names/config.py.j2 index e3e5fda7..098d5930 100644 --- a/roles/rciam-utils/templates/rciam-sync-client-names/config.py.j2 +++ b/roles/rciam-utils/templates/rciam-sync-client-names/config.py.j2 @@ -1,6 +1,6 @@ # {{ ansible_managed }} -mitreid_config = { +mitreid_config = { {% if rciam_utils_sync_client_names.op == "mitreid" %} "dbname": "{{ rciam_dbs.oidc.name }}", "user": "{{ rciam_dbs.oidc.owner_username }}", @@ -9,7 +9,7 @@ mitreid_config = { {% endif %} } -keycloak_config = { +keycloak_config = { {% if rciam_utils_sync_client_names.op == "keycloak" %} "dbname": "{{ rciam_dbs.keycloak.name }}", "user": "{{ rciam_dbs.keycloak.owner_username }}", @@ -19,7 +19,7 @@ keycloak_config = { {% endif %} } -proxystats_config = { +proxystats_config = { "dbname": "{{ rciam_dbs.proxy.name }}", "user": "{{ rciam_dbs.proxy.owner_username }}", "host": "{{ rciam_dbs.proxy.host }}", diff --git a/roles/rsyslog-pgsql/handlers/main.yml b/roles/rsyslog-pgsql/handlers/main.yml index e17f0c55..753f9f9c 100644 --- a/roles/rsyslog-pgsql/handlers/main.yml 
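Review bot: Replacing `include` with `ansible.builtin.include_tasks` changes what the `tags:` blocks on these three includes do: on a dynamic include the tags apply to the include task itself, not to the tasks inside install-Debian.yml, install-common.yml and configure.yml, so `--tags install` or `--tags rciam_utils:config` would now run the include and then skip every untagged task in the included file. Either use `ansible.builtin.import_tasks` (static, tags inherited) or add an `apply: tags:` block mirroring the outer tags, as roles/rciam-probes/tasks/main.yml already does for update-static.yml in this same commit. The fence shows the pattern for one include; the other two need the same treatment.

```yaml
- name: Include OS-independent installation tasks
  ansible.builtin.include_tasks:
    file: install-common.yml
    apply:
      tags:
        - install
        - rciam_utils:install
  tags:
    - install
    - rciam_utils:install
# … same apply: block on the install-Debian.yml and configure.yml includes …
```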
+++ b/roles/rsyslog-pgsql/handlers/main.yml @@ -1,6 +1,6 @@ --- - name: Restart rsyslog - service: + ansible.builtin.service: name: rsyslog state: restarted - become: yes + become: true diff --git a/roles/rsyslog-pgsql/tasks/configure-common.yml b/roles/rsyslog-pgsql/tasks/configure-common.yml index e4e1caae..a87c6216 100644 --- a/roles/rsyslog-pgsql/tasks/configure-common.yml +++ b/roles/rsyslog-pgsql/tasks/configure-common.yml @@ -1,10 +1,10 @@ --- - name: Remove pgsql.conf file if exists - file: + ansible.builtin.file: path: "{{ rsyslogd_path }}/pgsql.conf" state: absent - become: yes - when: rsyslog_pgsql_enable_logs == true + become: true + when: rsyslog_pgsql_enable_logs - name: Ensure /dev/xconsole exists ansible.builtin.file: @@ -13,17 +13,17 @@ owner: syslog group: adm mode: u=rw,g=rw,o=r - when: rsyslog_pgsql_enable_logs == true - become: yes + when: rsyslog_pgsql_enable_logs + become: true - name: Ensure rsyslog for nginx logs is configured - template: + ansible.builtin.template: src: rsyslogd-nginx-{{ ansible_os_family }}.conf.j2 dest: "{{ rsyslogd_path }}/51-nginx.conf" owner: root group: root - mode: 0644 - backup: yes - become: yes + mode: "0644" + backup: true + become: true notify: Restart rsyslog - when: rsyslog_pgsql_enable_logs == true + when: rsyslog_pgsql_enable_logs diff --git a/roles/rsyslog-pgsql/tasks/install-Debian.yml b/roles/rsyslog-pgsql/tasks/install-Debian.yml index 9eff3c04..d061a11c 100644 --- a/roles/rsyslog-pgsql/tasks/install-Debian.yml +++ b/roles/rsyslog-pgsql/tasks/install-Debian.yml @@ -1,8 +1,11 @@ --- - name: Ensure rsyslog & rsyslog-pgsql is installed (Debian) - apt: name={{item}} state=present install_recommends=no - loop: + ansible.builtin.apt: + name: "{{ item }}" + state: present + install_recommends: false + loop: # TODO - define in defaults - rsyslog - rsyslog-pgsql - become: yes - when: rsyslog_pgsql_enable_logs == true + become: true + when: rsyslog_pgsql_enable_logs 
diff --git a/roles/rsyslog-pgsql/tasks/main.yml b/roles/rsyslog-pgsql/tasks/main.yml index 5b3a3726..40d6c944 100644 --- a/roles/rsyslog-pgsql/tasks/main.yml +++ b/roles/rsyslog-pgsql/tasks/main.yml @@ -1,19 +1,19 @@ --- - name: Include OS-specific variables - include_vars: "{{ ansible_os_family }}.yml" + ansible.builtin.include_vars: "{{ ansible_os_family }}.yml" -# Install OS-specific packages -- include: install-Debian.yml +- name: Install OS-specific packages + ansible.builtin.include_tasks: install-Debian.yml when: ansible_os_family == 'Debian' -#- include: install-CentOS.yml -# when: ansible_os_family == 'CentOS' +# - include: install-CentOS.yml +# when: ansible_os_family == 'CentOS' -# Apply OS-independent configuration -- include: configure-common.yml +- name: Apply OS-independent configuration + ansible.builtin.include_tasks: configure-common.yml - name: Ensure rsyslog service is started and enabled on boot - service: + ansible.builtin.service: name: "{{ rsyslog_service }}" state: started - enabled: yes - become: yes + enabled: true + become: true diff --git a/roles/shibboleth-sp/defaults/main.yml b/roles/shibboleth-sp/defaults/main.yml index 46a34777..9173a863 100644 --- a/roles/shibboleth-sp/defaults/main.yml +++ b/roles/shibboleth-sp/defaults/main.yml 
@@ -2,42 +2,42 @@ # Set to yes/true to generate self-signed SSL certificate for signing requests/ # response received from/sent to the IdP, as well as for receiving encrypted # responses. -shibboleth_sp_ssl_cert_generate: no +shibboleth_sp_ssl_cert_generate: false # SSL certificate subject (ignored when shibboleth_sp_ssl_cert_generate is set # to no) -#shibboleth_sp_ssl_cert_subj: "/C=/ST=/L=/O=/CN=sp.example.org" +# shibboleth_sp_ssl_cert_subj: "/C=/ST=/L=/O=/CN=sp.example.org" # SSL certificate (ignored when shibboleth_sp_ssl_cert_generate is set to yes) -#shibboleth_sp_ssl_cert: | -# -----BEGIN CERTIFICATE----- -# ... -# -----END CERTIFICATE----- +# shibboleth_sp_ssl_cert: | +# -----BEGIN CERTIFICATE----- +# ... +# -----END CERTIFICATE----- # SSL certificate key (ignored when shibboleth_sp_ssl_cert_generate is set to # yes) -#shibboleth_sp_ssl_cert_key: | -# -----BEGIN PRIVATE KEY----- -# ... -# -----END PRIVATE KEY----- +# shibboleth_sp_ssl_cert_key: | +# -----BEGIN PRIVATE KEY----- +# ... +# -----END PRIVATE KEY----- # ApplicationDefaults # The SAML entityID of this SP -shibboleth_sp_entity_id: "https://sp.example.org/shibboleth" +shibboleth_sp_entity_id: https://sp.example.org/shibboleth # One or more attributes used for the primary identifier of the browser user # passed through the REMOTE_USER server variable. -# Set to null to disable setting the variable. -shibboleth_sp_remote_user: "eppn persistent-id targeted-id" +# Set to null to disable setting the variable. +shibboleth_sp_remote_user: eppn persistent-id targeted-id # Where the SP redirects the client to when there is nothing else that can be # done with a request and can be set to a standard home page or index page. -#shibboleth_sp_home_url: "/" +# shibboleth_sp_home_url: "/" shibboleth_sp_session: # The base location on the server that dispatches requests to the handlers # configured inside the element. The location is specified as a # relative or absolute URL. 
The default is "/Shibboleth.sso" on v2.4+, # required otherwise. -# handler_url: "/Shibboleth.sso" + # handler_url: "/Shibboleth.sso" # When handlerSSL is set to true, only web requests over SSL/TLS will be # processed by handlers. Other requests may be blocked, or possibly ignored # (and usually result in a 404 error) depending on the web server, but will @@ -62,7 +62,7 @@ shibboleth_sp_session: # this limits the amount of time between the act of authentication and the # attempt to access the SP. This can be useful to ensure that the SAML 2.0 # ForceAuthn flag was honored. -# max_time_since_authn: + # max_time_since_authn: # The IdP will place the IP address of the user agent it authenticated into # the assertions it issues. When true, the SP will check this address # against the address of the client presenting an assertion before creating 
@@ -75,21 +75,21 @@ shibboleth_sp_session: # associated with this session come from the same address. This can help # protect against cookie theft and is less likely than the checkAddress # setting to block legitimate access. Default is true. -# consistent_address: "true" + # consistent_address: "true" # Meta-properties like path or the secure and HttpOnly flags to attach to # the cookies. Defautls to "; path=/; HttpOnly". If set to a custom string, # the string is appended to the cookie values maintained by the SP. A common # value for SSL-only use is "; path=/; secure; HttpOnly". As of v2.5, this # property can be set to a pair of built-in values, "http" and "https", # which expand to the default and SSL-only properties respectively. - cookie_props: "http" + cookie_props: http # Cookie lifetime in seconds. If set, cookies used for session management # will be created with the designated lifetime. When omitted, which is the # default, such cookies are in-memory only and do not persist across browser # restarts (assuming various session restore features aren't in use). Note # that this will not affect "transitory" cookies used for maintaining state # across redirects. -# cookie_lifetime: + # cookie_lifetime: # Controls how information associated with requests for authentication, # primarily the original resource accessed, is preserved for the completion # of the authentication process. If not specified, the resource URL is 
@@ -100,41 +100,41 @@ shibboleth_sp_session: # element, typically "ss:mem". As of v2.5, the "cookie" # option can include a ":n" suffix, where n specifies the number of cookies # to permit before purging old ones, defaulting to 25. - relay_state: "ss:mem" + relay_state: ss:mem # V3.2+: One of "none", "exact", "host", "allow", "exact+allow", "host+allow" # Earlier: One of "none", "exact", "host", "whitelist", "exact+whitelist", # "host+whitelist". # "none" is the default and does no limiting # N.B. Consider carefully before using this option as it can allow malicious # use of your SP as an open redirect - #redirect_limit: "none" + # redirect_limit: "none" # SSO settings. To allow for >1 IdP, remove entity_id property and adjust # discovery_url to point to discovery service. shibboleth_sp_sso: - protocols: "SAML2 SAML1" - entity_id: "https://idp.example.org/idp/shibboleth" - discovery_protocol: "SAMLDS" - discovery_url: "https://ds.example.org/DS/WAYF" + protocols: SAML2 SAML1 + entity_id: https://idp.example.org/idp/shibboleth + discovery_protocol: SAMLDS + discovery_url: https://ds.example.org/DS/WAYF shibboleth_sp_logout: - protocols: "SAML2 Local" + protocols: SAML2 Local # See https://wiki.shibboleth.net/confluence/display/SP3/Handler shibboleth_sp_handlers: - - type: "MetadataGenerator" - location: "/Metadata" + - type: MetadataGenerator + location: /Metadata signing: "false" - - type: "Status" - location: "/Status" - acl: "127.0.0.1 ::1" - - type: "Session" - location: "/Session" + - type: Status + location: /Status + acl: 127.0.0.1 ::1 + - type: Session + location: /Session show_attributes: "false" - - type: "DiscoveryFeed" - location: "/DiscoFeed" + - type: DiscoveryFeed + location: /DiscoFeed -shibboleth_sp_supportcontact_email: "root@localhost" +shibboleth_sp_supportcontact_email: root@localhost # TODO Add support for metadata filters shibboleth_sp_metadata_providers: [] 
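Review bot: The hunk unquotes most scalars but deliberately keeps `signing: "false"`, `show_attributes: "false"`, `validate: "true"` and similar values quoted, and that asymmetry is load-bearing: these are rendered verbatim into the SP's XML configuration, and an unquoted `false` would become a YAML boolean and render as `False`, which is not the lowercase literal the XML attributes expect. Nothing in the file says so, so the next lint or formatter pass may "fix" them; add a comment above `shibboleth_sp_handlers:` such as `# Boolean-looking values are quoted on purpose: they are rendered as XML attribute strings, not YAML booleans`. The newly plain `entity_id`, `discovery_url` and `acl: 127.0.0.1 ::1` are safe as written, but any future value starting with `*`/`&` or containing `: ` would need quoting again.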
@@ -142,18 +142,18 @@ shibboleth_sp_metadata_providers: [] # uri: "http://federation.org/federation-metadata.xml" # backing_file_path: "federation-metadata.xml" # reload_interval: 7200 -# - type: "XML" +# - type: "XML" # file: "partner-metadata.xml" shibboleth_sp_attribute_extractors: - - type: "XML" + - type: XML params: validate: "true" reloadChanges: "false" - path: "attribute-map.xml" + path: attribute-map.xml shibboleth_sp_attribute_resolvers: - - type: "Query" + - type: Query subject_match: "true" # The default settings can be overridden by creating ApplicationOverride @@ -188,14 +188,14 @@ shibboleth_sp_overrides: [] # name: "Local" # handlers: # - handler: -# type: "MetadataGenerator" +# type: "MetadataGenerator" # location: "/Metadata" # signing: "false" # - handler: # type: "Status" # location: "/Status" # acl: "127.0.0.1 ::1" -# - handler: +# - handler: # type: "Session" # location: "/Session" # show_attributes: "true" @@ -211,7 +211,7 @@ shibboleth_sp_ext_libraries: [] # fatal: "false" # Path to file containing attribute mappings -shibboleth_sp_attribute_map_file: "attribute-map.xml" +shibboleth_sp_attribute_map_file: attribute-map.xml # Path to file containing attribute policies -shibboleth_sp_attribute_policy_file: "attribute-policy.xml" +shibboleth_sp_attribute_policy_file: attribute-policy.xml diff --git a/roles/shibboleth-sp/files/attribute-map.xml b/roles/shibboleth-sp/files/attribute-map.xml index ccb3b375..5d15065a 100644 --- a/roles/shibboleth-sp/files/attribute-map.xml +++ b/roles/shibboleth-sp/files/attribute-map.xml @@ -8,13 +8,13 @@ th a few exceptions for newer attributes where the name is the same for both versions. You will usually want to uncomment or map the names for both SAML versions as a unit. --> - + - + @@ -37,12 +37,12 @@ th a - + - + @@ -52,7 +52,7 @@ th a - + - + - + - + diff --git a/roles/shibboleth-sp/files/attribute-policy.xml b/roles/shibboleth-sp/files/attribute-policy.xml index a2d1742e..7e855b83 100644 
--- a/roles/shibboleth-sp/files/attribute-policy.xml +++ b/roles/shibboleth-sp/files/attribute-policy.xml @@ -16,7 +16,7 @@ - + @@ -106,10 +106,10 @@ Note that while we default checkAddress to "false", this has a negative impact on the security of your site. Stealing sessions via cookie theft is much easier with this disabled. --> - - {{ shibboleth_sp_logout.protocols }} - + {% for handler in shibboleth_sp_handlers | default([]) %} - + {% for metadata in shibboleth_sp_metadata_providers %} - =') %} url="{{ metadata.uri }}" @@ -187,7 +187,7 @@ {% endif %} {% endif %} {% if metadata.backing_file_path is defined %} - backingFilePath="{{ metadata.backing_file_path }}" + backingFilePath="{{ metadata.backing_file_path }}" {% endif %} {% if metadata.reload_interval is defined %} reloadInterval="{{ metadata.reload_interval }}" @@ -208,7 +208,7 @@ {% endfor %} {% for resolver in shibboleth_sp_attribute_resolvers %} - - + diff --git a/roles/shibboleth-sp/vars/Debian-buster.yml b/roles/shibboleth-sp/vars/Debian-buster.yml index 2bf78f4a..080b33eb 100644 --- a/roles/shibboleth-sp/vars/Debian-buster.yml +++ b/roles/shibboleth-sp/vars/Debian-buster.yml @@ -3,7 +3,7 @@ --- shibboleth_sp_default_version: "3.0" -shibboleth_sp_default_service: "shibd" -shibboleth_sp_default_conf_path: "/etc/shibboleth" -shibboleth_sp_default_user: "_shibd" -shibboleth_sp_default_group: "_shibd" +shibboleth_sp_default_service: shibd +shibboleth_sp_default_conf_path: /etc/shibboleth +shibboleth_sp_default_user: _shibd +shibboleth_sp_default_group: _shibd diff --git a/roles/shibboleth-sp/vars/Debian-jessie.yml b/roles/shibboleth-sp/vars/Debian-jessie.yml index 98c38454..3ef4e035 100644 --- a/roles/shibboleth-sp/vars/Debian-jessie.yml +++ b/roles/shibboleth-sp/vars/Debian-jessie.yml 
@@ -3,7 +3,7 @@ --- shibboleth_sp_default_version: "2.5" -shibboleth_sp_default_service: "shibd" -shibboleth_sp_default_conf_path: "/etc/shibboleth" -shibboleth_sp_default_user: "_shibd" -shibboleth_sp_default_group: "_shibd" +shibboleth_sp_default_service: shibd +shibboleth_sp_default_conf_path: /etc/shibboleth +shibboleth_sp_default_user: _shibd +shibboleth_sp_default_group: _shibd diff --git a/roles/shibboleth-sp/vars/Debian-stretch.yml b/roles/shibboleth-sp/vars/Debian-stretch.yml index deafcfd5..69a26d78 100644 --- a/roles/shibboleth-sp/vars/Debian-stretch.yml +++ b/roles/shibboleth-sp/vars/Debian-stretch.yml @@ -3,7 +3,7 @@ --- shibboleth_sp_default_version: "2.6" -shibboleth_sp_default_service: "shibd" -shibboleth_sp_default_conf_path: "/etc/shibboleth" -shibboleth_sp_default_user: "_shibd" -shibboleth_sp_default_group: "_shibd" +shibboleth_sp_default_service: shibd +shibboleth_sp_default_conf_path: /etc/shibboleth +shibboleth_sp_default_user: _shibd +shibboleth_sp_default_group: _shibd diff --git a/roles/ssp-module-proxystatistics/defaults/main.yml b/roles/ssp-module-proxystatistics/defaults/main.yml index 5a170668..11640db5 100644 --- a/roles/ssp-module-proxystatistics/defaults/main.yml +++ b/roles/ssp-module-proxystatistics/defaults/main.yml @@ -12,15 +12,15 @@ ssp_module_proxystatistics_mode: "PROXY" # REQUIRED FOR "IDP" MODE # EntityId of IdP -#ssp_module_proxystatistics_idp_entity_id: "https://idp.example.org" +# ssp_module_proxystatistics_idp_entity_id: "https://idp.example.org" # Name of IdP -#ssp_module_proxystatistics_idp_entity_name: "IDP NAME" +# ssp_module_proxystatistics_idp_entity_name: "IDP NAME" # REQUIRED FOR "SP" MODE # EntityId of SP -#ssp_module_proxystatistics_sp_entity_id: "https://sp.example.org" +# ssp_module_proxystatistics_sp_entity_id: "https://sp.example.org" # Name of SP -#ssp_module_proxystatistics_sp_entity_name: "SP NAME" +# ssp_module_proxystatistics_sp_entity_name: "SP NAME" ssp_module_proxystatistics_db: name: "STATS" 
@@ -28,9 +28,9 @@ ssp_module_proxystatistics_db: username: "stats" password: "stats" prefix: "" - persistent: no - #slaves: - # - dsn: "mysql:host=slavedbhost;port=3306;dbname=STATS;charset=utf8" + persistent: false + # slaves: + # - dsn: "mysql:host=slavedbhost;port=3306;dbname=STATS;charset=utf8" # username: "stats" # password: "stats" # persistent: no @@ -48,5 +48,5 @@ ssp_module_proxystatistics_table_name: ssp_module_proxystatistics_oidc_issuer: "http://example.org/openidconnect/sp" # Ignore from statistics calculations the list of identifiers below. -#ssp_module_proxystatistics_user_id_blacklist: +# ssp_module_proxystatistics_user_id_blacklist: # - xxxxxx@example.org diff --git a/roles/ssp-module-proxystatistics/tasks/configure-common.yml b/roles/ssp-module-proxystatistics/tasks/configure-common.yml index 9108edab..4de00688 100644 --- a/roles/ssp-module-proxystatistics/tasks/configure-common.yml +++ b/roles/ssp-module-proxystatistics/tasks/configure-common.yml @@ -1,19 +1,20 @@ --- - name: Configure SSP proxystatistics module - template: + ansible.builtin.template: src: "config/module_statisticsproxy-{{ ssp_module_proxystatistics_version }}.php.j2" dest: "{{ ssp_path }}/config/module_statisticsproxy.php" - backup: yes - force: yes - become: yes + backup: true + force: true + mode: "0644" + become: true -- name: Enable SSP proxystatistics module - copy: +- name: Enable SSP proxystatistics module + ansible.builtin.copy: content: "" dest: "{{ ssp_module_proxystatistics_path }}/enable" - force: no - owner: "root" - group: "root" + force: false + owner: root + group: root mode: "0644" - become: yes + become: true diff --git a/roles/ssp-module-proxystatistics/tasks/install-common.yml b/roles/ssp-module-proxystatistics/tasks/install-common.yml index d2cb3105..c75aeea2 100644 --- a/roles/ssp-module-proxystatistics/tasks/install-common.yml +++ b/roles/ssp-module-proxystatistics/tasks/install-common.yml 
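Review bot: The newly added `mode: "0644"` on "Configure SSP proxystatistics module" makes `module_statisticsproxy.php` world-readable, and per roles/ssp-module-proxystatistics/defaults/main.yml that file is rendered from `ssp_module_proxystatistics_db`, which carries `username:` and `password:`. Prefer `mode: "0640"` with `owner: root` and `group:` set to the web server's group (`<webserver-group placeholder>`, not visible in this chunk) so only the web server can read it; roles/rciam-utils/tasks/configure.yml in this same commit uses `"0400"` for its credential-bearing config.py. The same `mode: "0644"` was added to both the template and the extra-files copy task in roles/ssp-modules/tasks/configure-common.yml, whose `ssp_modules_db` examples appear to carry credentials as well, so the same choice applies there.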
@@ -1,16 +1,16 @@ --- - name: Checkout SSP proxystatistics module source - git: + ansible.builtin.git: repo: "{{ ssp_module_proxystatistics_repo_url }}" dest: "{{ ssp_module_proxystatistics_path }}" version: "{{ ssp_module_proxystatistics_repo_version }}" - accept_hostkey: yes - force: no - update: yes - become: yes + accept_hostkey: true + force: false + update: true + become: true -#- name: Create SSP proxystatistics statistics table +# - name: Create SSP proxystatistics statistics table # postgresql_table: # db: "ssp_module_proxystatistics_db.name" # name: "{{ ssp_module_proxystatistics_table_name.statistics }}" diff --git a/roles/ssp-module-proxystatistics/tasks/main.yml b/roles/ssp-module-proxystatistics/tasks/main.yml index 7a606c93..45821db2 100644 --- a/roles/ssp-module-proxystatistics/tasks/main.yml +++ b/roles/ssp-module-proxystatistics/tasks/main.yml @@ -1,6 +1,5 @@ --- -# Run OS-independent installation tasks -- include: install-common.yml - -# Apply OS-independent configuration -- include: configure-common.yml +- name: Run OS-independent installation tasks + ansible.builtin.include_tasks: install-common.yml +- name: Apply OS-independent configuration + ansible.builtin.include_tasks: configure-common.yml diff --git a/roles/ssp-modules/defaults/main.yml b/roles/ssp-modules/defaults/main.yml index fe289c1e..d17de6d3 100644 --- a/roles/ssp-modules/defaults/main.yml +++ b/roles/ssp-modules/defaults/main.yml @@ -1,14 +1,13 @@ --- - +# ssp-modules/defaults/main.yml ssp_mods_extra_enabled: [] ssp_modules_db: [] - # Examples of use cases: ## Modules -#ssp_mods_extra_enabled: +# ssp_mods_extra_enabled: # - name: "module1" # path: "{{ ssp_path }}/modules/module1_directory" # repo_url: "https://github.com/example/module1.git" 
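Review bot: `accept_hostkey: true` on "Checkout SSP proxystatistics module source" accepts whatever SSH host key `ssp_module_proxystatistics_repo_url` presents on first contact, so the pinned `version` is the only integrity guarantee on the module code; that is fine for an https URL but weak for an ssh one. Either pre-seed the host key with `ansible.builtin.known_hosts` and drop the flag, or make the assumption explicit with `# accept_hostkey: trust-on-first-use; repo_version must be a tag or commit SHA`. The same pattern appears in roles/ssp-modules/tasks/install-common.yml.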
@@ -53,7 +52,7 @@ ssp_mods_extra_files: [] # dest_path: "{{ ssp_path }}/modules/theme/dictionaries/default.definition.json" ## Database -#ssp_modules_db: +# ssp_modules_db: # - db_host: "127.0.0.1" or "{{ lookup('dig', groups['dbmaster'][0]) }}" # db_name: database_name or "{{ rciam_dbs.proxy.name }}" # db_username: database_username or "{{ rciam_dbs.proxy.owner_username }}" @@ -138,7 +137,7 @@ ssp_mods_extra_files: [] # prefix: "" # persistent: no # #slaves: -# # - dsn: "mysql:host=slavedbhost;port=3306;dbname=STATS;charset=utf8" +# # - dsn: "mysql:host=slavedbhost;port=3306;dbname=STATS;charset=utf8" # # username: "stats" # # password: "stats" # # persistent: no @@ -202,4 +201,4 @@ ssp_mods_extra_files: [] # Required # ssp_module_rciammetrics_ams_base_url: 'https://example.com/' # Optional -# ssp_module_rciammetrics_ams_datatype: 'login|registration|membership' \ No newline at end of file +# ssp_module_rciammetrics_ams_datatype: 'login|registration|membership' diff --git a/roles/ssp-modules/handlers/main.yml b/roles/ssp-modules/handlers/main.yml index c11453f3..edc894c3 100644 --- a/roles/ssp-modules/handlers/main.yml +++ b/roles/ssp-modules/handlers/main.yml @@ -1,10 +1,7 @@ --- - - -- name: restart webserver - service: +# ssp-modules/handlers/main.yml +- name: Restart webserver + ansible.builtin.service: name: "{{ ssp_webserver }}" state: restarted - become: yes - - + become: true diff --git a/roles/ssp-modules/tasks/configure-common.yml b/roles/ssp-modules/tasks/configure-common.yml index daac1778..e8e4387a 100644 --- a/roles/ssp-modules/tasks/configure-common.yml +++ b/roles/ssp-modules/tasks/configure-common.yml 
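Review bot: Renaming the handler from `restart webserver` to `Restart webserver` changes the string that `notify:` must match; handler lookup is by exact name, so any task still carrying `notify: restart webserver` will fail when it is notified. No `notify:` for this handler is visible in this chunk, so either confirm every caller was updated in the same commit or keep the old name reachable by adding `listen: restart webserver` to the handler.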
@@ -1,47 +1,47 @@ # file: ssp-modules/tasks/configure-common.php # --- - - - name: Configure SSP modules - template: + ansible.builtin.template: src: "{{ item.src_config_path }}" dest: "{{ item.dest_config_path }}" - backup: yes - force: yes - become: yes + backup: true + force: true + mode: "0644" + become: true with_items: "{{ ssp_mods_extra_enabled }}" when: item.src_config_path is defined and item.dest_config_path is defined - name: Enable SSP modules - copy: + ansible.builtin.copy: content: "" dest: "{{ item.path }}/enable" - force: no + force: false owner: "root" group: "root" mode: "0644" - become: yes + become: true with_items: "{{ ssp_mods_extra_enabled }}" - when: "{{ ssp_major_version|float < 2}}" + when: ssp_major_version | float < 2 tags: - ssp-modules:config:enable - name: Ensure SSP module extra files are copied - copy: + ansible.builtin.copy: src: "{{ item.src_path }}" dest: "{{ item.dest_path }}" - backup: yes + backup: true + mode: "0644" with_items: "{{ ssp_mods_extra_files }}" when: item.src_path is defined and item.dest_path is defined - become: yes + become: true tags: - ssp-modules:config:files - name: About Themes - debug: + ansible.builtin.debug: msg: - The role also installs Themes, but doesn't produce the CSS files. - To produce them, you must install `sass` and follow the installation instructions for each theme. diff --git a/roles/ssp-modules/tasks/install-common-Ubuntu.yml b/roles/ssp-modules/tasks/install-common-Ubuntu.yml index a176c9b8..1d87f488 100644 --- a/roles/ssp-modules/tasks/install-common-Ubuntu.yml +++ b/roles/ssp-modules/tasks/install-common-Ubuntu.yml 
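Review bot: The new `mode: "0644"` on the `Configure SSP modules` template task makes every rendered module config world-readable, and these are the files templated from `src_config_path` that typically carry database credentials (compare the `db_password` entries in the `ssp_modules_db` defaults elsewhere in this diff). If any of the templates embed secrets, a tighter default such as `mode: "0640"` with `owner`/`group` set to the web server account (the role defines `ssp_default_webuser`/`ssp_default_webgroup`) keeps the lint rule satisfied without exposing credentials to every local user. Separately, the unchanged header comment `# file: ssp-modules/tasks/configure-common.php` names a `.php` file while this is `configure-common.yml`; worth fixing while the file is being touched.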
@@ -1,17 +1,16 @@ --- - - name: Define PostgreSQL python module version (Ubuntu) - set_fact: + ansible.builtin.set_fact: postgresql_psycopg2_package: "{{ postgresql_default_psycopg2_package }}" when: postgresql_psycopg2_package is not defined tags: - always - name: Ensure PostgreSQL python module is installed (Ubuntu) - apt: + ansible.builtin.apt: name: "{{ postgresql_psycopg2_package }}" state: present - install_recommends: no - update_cache: yes + install_recommends: false + update_cache: true cache_valid_time: 86400 - become: yes \ No newline at end of file + become: true diff --git a/roles/ssp-modules/tasks/install-common.yml b/roles/ssp-modules/tasks/install-common.yml index c6aa7e23..5c9bfbf1 100644 --- a/roles/ssp-modules/tasks/install-common.yml +++ b/roles/ssp-modules/tasks/install-common.yml @@ -1,22 +1,21 @@ --- - - +# ssp-modules/tasks/install-common.yml - name: Install unzip - package: + ansible.builtin.package: name: unzip - state: latest - become: yes + state: present + become: true - name: Checkout SSP modules source - git: + ansible.builtin.git: repo: "{{ item.repo_url }}" dest: "{{ item.path }}" version: "{{ item.version }}" - accept_hostkey: yes - force: no - update: yes - become: yes + accept_hostkey: true + force: false + update: true + become: true with_items: "{{ ssp_mods_extra_enabled }}" when: item.repo_url is defined tags: 
@@ -24,43 +23,45 @@ - name: Download & unarchive to /tmp/ ( zip only ) - unarchive: + ansible.builtin.unarchive: src: "{{ item.zip_url }}" dest: "/tmp/" creates: "{{ item.path }}/{{ item.version }}" - remote_src: yes - become: yes + remote_src: true + become: true with_items: "{{ ssp_mods_extra_enabled }}" when: item.zip_url is defined register: zip_downloaded tags: - ssp-modules:install:zip +# This is a series of very sus actions. # We need to create the directory if it does not exists - name: Ensure Theme Directory exists ( zip only ) [1/5] - file: + ansible.builtin.file: path: "{{ item.path }}" state: directory owner: root group: root - become: yes + mode: "0750" + become: true with_items: "{{ ssp_mods_extra_enabled }}" when: item.zip_url is defined register: directory_created tags: - ssp-modules:install:zip -- name: Backup old version (zip only) [2/5] - command: "mv {{ item.path }} {{ item.path }}.{{ ansible_date_time.iso8601 }}" - become: yes +- name: Backup old version (zip only) [2/5] # noqa no-changed-when + ansible.builtin.command: "mv {{ item.path }} {{ item.path }}.{{ ansible_date_time.iso8601 }}" + become: true with_items: "{{ ssp_mods_extra_enabled }}" when: zip_downloaded.changed and item.zip_url is defined and item.fullname is defined tags: - ssp-modules:install:zip -- name: Move unarchived module files from /tmp/ to module directory (zip only) [3/5] - command: "mv /tmp/{{ item.fullname }} {{ item.path }}" - become: yes +- name: Move unarchived module files from /tmp/ to module directory (zip only) [3/5] # noqa no-changed-when + ansible.builtin.command: "mv /tmp/{{ item.fullname }} {{ item.path }}" + become: true with_items: "{{ ssp_mods_extra_enabled }}" when: - zip_downloaded.changed or directory_created.changed 
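Review bot: The new `mode: "0750"` on `Ensure Theme Directory exists ( zip only ) [1/5]`, combined with the unchanged `owner: root` / `group: root`, leaves the module directory neither readable nor traversable by the web server account, so modules unpacked via the zip path would not be served; before this change the directory kept the filesystem default. Either use `mode: "0755"` for a directory that must be world-traversable, or keep `0750` and set `group` to the web server group. The added comment `# This is a series of very sus actions.` records unease without saying what is wrong; a comment naming the concern (e.g. that `[2/5]` renames `item.path` unconditionally and nothing prunes the timestamped backups) would help the next maintainer more. The tail of this hunk (the rest of the `[3/5]` task's `when` list) appears truncated in this view and was not checked.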
@@ -70,14 +71,14 @@ - ssp-modules:install:zip - name: Set a version file in module directory (zip only) [4/5] - copy: + ansible.builtin.copy: content: "" dest: "{{ item.path }}/{{ item.version }}" - force: no + force: false owner: "root" group: "root" mode: "0644" - become: yes + become: true with_items: "{{ ssp_mods_extra_enabled }}" when: - zip_downloaded.changed or directory_created.changed @@ -87,10 +88,11 @@ - ssp-modules:install:zip - name: Remove unused directories from /tmp/ (zip only) [5/5] - file: + ansible.builtin.file: path: "/tmp/{{ item.fullname }}" state: absent - become: yes + mode: "0644" + become: true with_items: "{{ ssp_mods_extra_enabled }}" when: - zip_downloaded.changed or directory_created.changed diff --git a/roles/ssp-modules/tasks/install-db.yml b/roles/ssp-modules/tasks/install-db.yml index 1630f8d3..2970a601 100644 --- a/roles/ssp-modules/tasks/install-db.yml +++ b/roles/ssp-modules/tasks/install-db.yml @@ -1,15 +1,14 @@ --- - - +# ssp-modules/tasks/install-db.yml - name: Create PostgreSQL tables for SSP modules via SQL scripts - postgresql_query: + community.postgresql.postgresql_script: db: "{{ item.db_name }}" login_user: "{{ item.db_username }}" login_password: "{{ item.db_password }}" - path_to_script: "{{ item.db_script_path }}" + path: "{{ item.db_script_path }}" login_host: "{{ item.db_host }}" - #positional_args: - #- 1 + # positional_args: + # - 1 register: postgresql_result failed_when: "postgresql_result is failed and 'already exists' not in postgresql_result.msg" with_items: "{{ ssp_modules_db }}" diff --git a/roles/ssp-modules/tasks/main.yml b/roles/ssp-modules/tasks/main.yml index 50f1f83f..1f3b4547 100644 --- a/roles/ssp-modules/tasks/main.yml +++ b/roles/ssp-modules/tasks/main.yml 
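Review bot: The `mode: "0644"` added to `Remove unused directories from /tmp/ (zip only) [5/5]` has no effect, because the task sets `state: absent`; it reads as an attempt to silence the risky-file-permissions lint check, which only concerns files being created, so the line should be dropped rather than left as a misleading attribute. While here, the task name says "directories" but `/tmp/{{ item.fullname }}` is whatever the archive unpacked and `state: absent` removes it recursively; `Remove unpacked module files from /tmp/ (zip only) [5/5]` would describe it more precisely.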
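Review bot: The `community.postgresql.postgresql_script` task in roles/ssp-modules/tasks/install-db.yml passes `login_password` from each `ssp_modules_db` item and loops over that same list with `with_items`, so the per-item result printed for each iteration (and the registered `postgresql_result`) includes the item dict with `db_password` in playbook output and logs; add `no_log: true` to the task — the registered result itself is unchanged, so the `failed_when` check on `postgresql_result.msg` keeps working, only the console rendering is redacted. The move from `postgresql_query` to `postgresql_script` also introduces a dependency on the `community.postgresql` collection; make sure it is declared in the project's collection requirements file, which is not visible in this diff.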
@@ -1,18 +1,17 @@ --- - - +# ssp-modules/tasks/main.yml - name: Include OS-specific variables - include_vars: "{{ item }}" + ansible.builtin.include_vars: "{{ item }}" with_first_found: - - "{{ ansible_distribution }}-{{ ansible_distribution_release}}.yml" - - "{{ ansible_distribution }}-{{ ansible_distribution_major_version}}.yml" + - "{{ ansible_distribution }}-{{ ansible_distribution_release }}.yml" + - "{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml" - "{{ ansible_distribution }}.yml" - "{{ ansible_os_family }}.yml" tags: - always -# Install OS-specific packages -- include: install-common-Ubuntu.yml +- name: Install OS-specific packages + ansible.builtin.include_tasks: install-common-Ubuntu.yml when: ansible_os_family == 'Debian' and ansible_distribution == 'Ubuntu' and ansible_distribution_release == 'focal' tags: - install @@ -20,22 +19,22 @@ - ssp:install:mods - ssp-modules:install -# Run OS-independent installation tasks -- include: install-common.yml +- name: Run OS-independent installation tasks + ansible.builtin.include_tasks: install-common.yml tags: - install - ssp:install - ssp:install:mods - ssp-modules:install -# Run OS-independent installation tasks -- include: install-db.yml +- name: Run OS-independent installation tasks + ansible.builtin.include_tasks: install-db.yml tags: - never - ssp-modules:install:db -# Apply OS-independent configuration -- include: configure-common.yml +- name: Apply OS-independent configuration + ansible.builtin.include_tasks: configure-common.yml tags: - config - ssp:config diff --git a/roles/ssp-modules/vars/Debian.yml b/roles/ssp-modules/vars/Debian.yml index 61844771..4e10d47e 100644 --- a/roles/ssp-modules/vars/Debian.yml +++ b/roles/ssp-modules/vars/Debian.yml @@ -1,6 +1,5 @@ --- - +# ssp-modules/vars/Debian.yml ssp_default_webserver: "apache2" ssp_default_webuser: "www-data" ssp_default_webgroup: "www-data" - 
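Review bot: Replacing `include` with `ansible.builtin.include_tasks` while keeping `tags:` on the include changes what runs under `--tags`: as far as I can tell the old `include` of a plain file was resolved statically and its tags were inherited by every task in the included file, whereas tags on a dynamic `include_tasks` apply only to the include task itself, so `--tags install` would now run the include and then skip the tasks in install-common-Ubuntu.yml and install-common.yml that carry no matching tag of their own. The same applies to the `install-db.yml` (`never`) and `configure-common.yml` includes in the second hunk. Use `ansible.builtin.import_tasks` to keep the previous static behaviour (the `when:` on the Ubuntu include is then applied to each imported task, which matches the old semantics), or keep `include_tasks` and add an `apply:` block with the same `tags:` list. Also, the `install-db.yml` include reuses the name `Run OS-independent installation tasks`; a name such as `Create SSP module database tables` would distinguish it in output.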
diff --git a/roles/ssp-modules/vars/RedHat.yml b/roles/ssp-modules/vars/RedHat.yml index 005c5582..14609c5d 100644 --- a/roles/ssp-modules/vars/RedHat.yml +++ b/roles/ssp-modules/vars/RedHat.yml @@ -1,6 +1,4 @@ --- - ssp_default_webserver: "httpd" ssp_default_webuser: "apache" ssp_default_webgroup: "apache" - diff --git a/roles/ssp-modules/vars/Ubuntu-focal.yml b/roles/ssp-modules/vars/Ubuntu-focal.yml index 377b555b..84bab750 100644 --- a/roles/ssp-modules/vars/Ubuntu-focal.yml +++ b/roles/ssp-modules/vars/Ubuntu-focal.yml @@ -1,3 +1,2 @@ --- - -postgresql_default_psycopg2_package: "python3-psycopg2" \ No newline at end of file +postgresql_default_psycopg2_package: "python3-psycopg2" diff --git a/roles/ssp-modules/vars/main.yml b/roles/ssp-modules/vars/main.yml index 849169c7..ed97d539 100644 --- a/roles/ssp-modules/vars/main.yml +++ b/roles/ssp-modules/vars/main.yml @@ -1,3 +1 @@ --- - - diff --git a/roles/ssp/defaults/main.yml b/roles/ssp/defaults/main.yml index 45278d19..cf5b40ae 100644 --- a/roles/ssp/defaults/main.yml +++ b/roles/ssp/defaults/main.yml 
@@ -2,18 +2,18 @@ # --- -ssp_version: "2.1.1" +ssp_version: 2.1.1 -ssp_repo_url: "https://github.com/simplesamlphp/simplesamlphp.git" -ssp_repo_version: "simplesamlphp-{{ ssp_version }}" +ssp_repo_url: https://github.com/simplesamlphp/simplesamlphp.git +ssp_repo_version: simplesamlphp-{{ ssp_version }} # Uncomment in order to install using the release # ssp_release_url: "https://github.com/simplesamlphp/simplesamlphp/releases/download/v{{ ssp_version }}/{{ ssp_repo_version }}-full.tar.gz" -ssp_path: "/var/simplesamlphp" +ssp_path: /var/simplesamlphp # The base path of the URLs to the content of the SimpleSAMPphp www folder. -ssp_baseurlpath: "simplesaml" -# Specify base URL path with the external scheme (protocol) and FQDN if your +ssp_baseurlpath: simplesaml +# Specify base URL path with the external scheme (protocol) and FQDN if your # SimpleSAMLphp installation is hosted behind a reverse proxy. -#ssp_external_baseurlpath: "https://example.com/simplesaml" +# ssp_external_baseurlpath: "https://example.com/simplesaml" ssp_configdir: "{{ ssp_path }}/config/" ssp_certdir: "{{ ssp_path }}/cert/" @@ -26,13 +26,13 @@ ssp_metadatadir: "{{ ssp_path }}/metadata/" ssp_www_path: "{{ ssp_path }}/../simplesaml-current" # Enable the installation of the composer -#ssp_composer_install: True +# ssp_composer_install: True -ssp_composer_executable: "/usr/local/bin/composer" -ssp_composer_install_directory: "/tmp/composer" +ssp_composer_executable: /usr/local/bin/composer +ssp_composer_install_directory: /tmp/composer # Enable the installation of nodejs and twig -#ssp_twig_install: True +# ssp_twig_install: True # Security configuration options 
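Review bot: Dropping the quotes on `ssp_version: 2.1.1` only works because the value happens to contain two dots; the moment someone overrides it with a value like `2.1` or `1.10`, YAML reads a float and `ssp_repo_version` renders `simplesamlphp-2.1` / `simplesamlphp-1.1`. Version-like scalars are the textbook case for keeping quotes, so `ssp_version: "2.1.1"` should stay quoted even though the rest of the file moves to plain scalars. The unquoted `ssp_repo_version: simplesamlphp-{{ ssp_version }}` is fine because the value does not begin with `{{`.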
@@ -41,12 +41,12 @@ ssp_composer_install_directory: "/tmp/composer" # The value can be any valid string of any length. # A possible way to generate a random salt is by running the following command: # LC_CTYPE=C tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz' /dev/null;echo -#ssp_secretsalt: "defaultsecretsalt" +# ssp_secretsalt: "defaultsecretsalt" # Password giving access to the installation page of SimpleSAMLphp with # metadata listing and diagnostics pages. # This password must be kept secret, and modified from the default value 123. -#ssp_adminpassword: "123" +# ssp_adminpassword: "123" # Secret salt used to generate a secure hash of the ssp_adminpassword. # A possible way to generate a random salt is by running the following command: @@ -55,13 +55,12 @@ ssp_composer_install_directory: "/tmp/composer" # ssp_adminpassword_salt: "defaultsecretsalt" # Whether to require administrator password to access the web interface -ssp_admin_protectindexpage: no +ssp_admin_protectindexpage: false # Whether to require administrator password to access the metadata pages -ssp_admin_protectmetadata: no +ssp_admin_protectmetadata: false - -ssp_theme: "default" +ssp_theme: default # Set this option to true to activate the new UI based on Twig templates. # When this option is activated the index file redirects to the login page # where the a list of authentication sources (excluded admin) is displayed. 
@@ -71,58 +70,57 @@ ssp_twig_template: false # Set this option if a custom theme controller is required by the Theme # ssp_theme_controller_class: "" -ssp_session_cookie_name: "SimpleSAMLSessionID" +ssp_session_cookie_name: SimpleSAMLSessionID ssp_session_cookie_secure: false # Set the SameSite attribute in the cookie to support RFC6265bis. # You can set this to 'None', 'Lax', or 'Strict'. # If set to null, no SameSite attribute will be sent. -ssp_session_cookie_samesite: null -ssp_authtoken_cookiename: "SimpleSAMLAuthToken" +ssp_session_cookie_samesite: +ssp_authtoken_cookiename: SimpleSAMLAuthToken -ssp_tempdir: "/tmp/simplesaml" +ssp_tempdir: /tmp/simplesaml # Select where to store session information: # `phpsession` Uses the built-in session management in PHP (default). -# `memcache` Uses memcached to cache sessions in memory. +# `memcache` Uses memcached to cache sessions in memory. # Sessions can be distributed and replicated among several # memcached servers, enabling both load-balancing and fail-over. # `sql` Stores session information in a SQL database (WIP). -#ssp_store_type: "phpsession" +# ssp_store_type: "phpsession" # One or more memcached server groups for storing session information when # ssp_store_type is set to `memcache`. Every session data item will be mirrored # in every server group. Each server group is a list of servers. The data items # will be load-balanced between all servers in each server group. 
-#ssp_memcache_store_servers: -# - # Group A -# - "memcached1.acme.com" -# - "memcached2.acme.com" -# - # Group B -# - "memcached3.acme.com" -# - "memcached4.acme.com" +# ssp_memcache_store_servers: +# - # Group A +# - "memcached1.acme.com" +# - "memcached2.acme.com" +# - # Group B +# - "memcached3.acme.com" +# - "memcached4.acme.com" ssp_memcache_store_servers: - - - - "localhost" + - - localhost # Alternatively, define ssp_memcache_store_servers_group to dynamically build # the memcache server group configuration from the host group # See templates/config/config-x.y.php.j2 -#ssp_memcache_store_servers_group: "cache" +# ssp_memcache_store_servers_group: "cache" ssp_memcache_store_prefix: "" # Database configuration is optional. If you are not using core functionality # or modules that require a database, you can skip this configuration ssp_database: - dsn: "mysql:host=localhost;dbname=saml" - username: "simplesamlphp" - password: "secret" + dsn: mysql:host=localhost;dbname=saml + username: simplesamlphp + password: secret prefix: "" - persistent: no + persistent: false ssp_database_slaves: [] # - dsn: "mysql:host=myslave;dbname=saml" # username: "simplesamlphp" -# password: "secret" +# password: "secret" # persistent: no ssp_debug_saml: false @@ -137,14 +135,14 @@ ssp_showerrors: false ssp_errorreporting: true # Let SSP figure out timezone based on the host machine -ssp_timezone: 'null' +ssp_timezone: "null" # otherwise set it explicitly, e.g.: -#ssp_timezone: "'Europe/Athens'" +# ssp_timezone: "'Europe/Athens'" # The process name that should be used when logging to syslog -ssp_logging_processname: "simplesamlphp" +ssp_logging_processname: simplesamlphp # The name of the logfile when using the file handler for logging -ssp_logging_logfile: "simplesamlphp.log" +ssp_logging_logfile: simplesamlphp.log # Available log levels are: # ERR No statistics, only errors # WARNING No statistics, only warnings/errors 
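Review bot: `ssp_session_cookie_samesite:` was changed from an explicit `null` to an empty value; YAML still reads it as null, but the comment directly above says "If set to null, no SameSite attribute will be sent", a bare key is flagged by yamllint's `empty-values` rule, and it is easily mistaken for an unfinished line, so `ssp_session_cookie_samesite: null` should be restored. The now-unquoted `dsn: mysql:host=localhost;dbname=saml` parses as a string today only because it contains no `: ` or ` #` sequence; DSNs routinely pick up such characters when edited, so keeping the `dsn` and `password` values of `ssp_database` quoted is the safer convention.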
@@ -156,53 +154,53 @@ ssp_logging_level: NOTICE ssp_logging_handler: syslog ssp_language_available: - - "en" + - en - "no" - - "nn" - - "se" - - "da" - - "de" - - "sv" - - "fi" - - "es" - - "ca" - - "fr" - - "it" - - "nl" - - "lb" - - "cs" - - "sl" - - "lt" - - "hr" - - "hu" - - "pl" - - "pt" - - "pt-br" - - "tr" - - "ja" - - "zh" - - "zh-tw" - - "ru" - - "et" - - "he" - - "id" - - "sr" - - "lv" - - "ro" - - "eu" - - "el" - - "af" - - "zu" - - "xh" + - nn + - se + - da + - de + - sv + - fi + - es + - ca + - fr + - it + - nl + - lb + - cs + - sl + - lt + - hr + - hu + - pl + - pt + - pt-br + - tr + - ja + - zh + - zh-tw + - ru + - et + - he + - id + - sr + - lv + - ro + - eu + - el + - af + - zu + - xh ssp_language_rtl: - - "ar" - - "dv" - - "fa" - - "ur" - - "he" + - ar + - dv + - fa + - ur + - he -ssp_language_default: "en" +ssp_language_default: en # Array of domains that are allowed when generating links or redirects # to URLs. SimpleSAMLphp will use this option to determine whether to @@ -218,7 +216,6 @@ ssp_language_default: "en" # Set to NULL to disable checking of URLs. # ssp_trusted_url_domains: null ssp_trusted_url_domains: [] - # Enable regular expression matching of ssp_trusted_url_domains. # Set to true to treat the values in ssp_trusted_url_domains as regular # expressions. Set to false to do exact string matching. 
@@ -233,31 +230,31 @@ ssp_trusted_url_domains: [] ssp_authproc_idp: - "30": # Adopts language from attribute to use in UI - class: "core:LanguageAdaptor" + class: core:LanguageAdaptor - "45": # Add a realm attribute from edupersonprincipalname - class: "core:StatisticsWithAttribute" - attributename: "realm" - type: "saml20-idp-SSO" + class: core:StatisticsWithAttribute + attributename: realm + type: saml20-idp-SSO - "50": - # Filter attributes by checking the 'attributes' parameter in metadata - # on IdP hosted and SP remote. - class: "core:AttributeLimit" + # Filter attributes by checking the 'attributes' parameter in metadata + # on IdP hosted and SP remote. + class: core:AttributeLimit - "99": - # If language is set in Consent module it will be added as an attribute. - class: "core:LanguageAdaptor" + # If language is set in Consent module it will be added as an attribute. + class: core:LanguageAdaptor # Authentication processing filters that will be executed for all SPs. # See https://simplesamlphp.org/docs/stable/simplesamlphp-authproc # The filters can be specified with PHP syntax using `ssp_authproc_sp_raw` or # alternatively, with YAML syntax using `ssp_authproc_sp`. -ssp_authproc_sp: +ssp_authproc_sp: - "90": # Adopts language from attribute to use in UI - class: "core:LanguageAdaptor" + class: core:LanguageAdaptor # This will be added before the config[] in SimpleSAMLphp authentication sources -#ssp_authsources_preamble: | +# ssp_authsources_preamble: | # function foo() { # // Do something # } 
@@ -273,341 +270,339 @@ ssp_authsources_saml: # this SP should contact. When NULL the user will be shown a list of # available IdPs. # idp_function: "findIdP()" - #disco_url: "/{{ ssp_alias }}/module.php/discopower/disco.php" + # disco_url: "/{{ ssp_alias }}/module.php/discopower/disco.php" # Set to true to generate self-signed SSL certificate for signing requests/ # response received from/sent to the IdP, as well as for receiving encrypted # responses. - ssl_certificate_generate: yes + ssl_certificate_generate: true # SSL certificate options (ignored when `ssl_certificate_generate` is set # to false): # SSL certificate Common Name (CN) - #ssl_certificate_cn: sp.example.com + # ssl_certificate_cn: sp.example.com # Alternatively, you can generate the certificate as follows: # openssl req -newkey rsa:2048 -new -x509 -days 3652 -subj "/CN=sp.example.com" -nodes -out sp-default-sp.crt -keyout sp-default-sp.key # SSL certificate - #ssl_certificate: | - # -----BEGIN CERTIFICATE----- - # ... - # -----END CERTIFICATE----- + # ssl_certificate: | + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- # SSL certificate private key - #ssl_certificate_key: | - # -----BEGIN PRIVATE KEY----- - # ... - # -----END PRIVATE KEY----- + # ssl_certificate_key: | + # -----BEGIN PRIVATE KEY----- + # ... + # -----END PRIVATE KEY----- # Algorithm to use when signing any message generated by this SP: # - http://www.w3.org/2000/09/xmldsig#rsa-sha1 (default) # - http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 # - http://www.w3.org/2001/04/xmldsig-more#rsa-sha384 # - http://www.w3.org/2001/04/xmldsig-more#rsa-sha512 # Note: the use of SHA1 is deprecated and will be disallowed in the future. - #sign_algorithm: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" + # sign_algorithm: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" # Whether authentication requests, logout requests and logout responses # sent from this SP should be signed. Default is false. 
- #redirect_sign: true + # redirect_sign: true # Whether logout requests and logout responses received received by # this SP should be validated. Default is false. - #redirect_validate: true - # Whether to sign authentication requests sent from this SP. Default is + # redirect_validate: true + # Whether to sign authentication requests sent from this SP. Default is # false. - #sign_authnrequest: true + # sign_authnrequest: true # Whether to sign logout messages sent from this SP. Default is false. - #sign_logout: true + # sign_logout: true # SAML V2.0 Metadata Extensions for Login and Discovery # UIInfo Items # Localised list of names for this entity - #display_name: - # en: Example SP + # display_name: + # en: Example SP # Localised list of descriptions for this entity - #description: - # en: This is an SP used as an example + # description: + # en: This is an SP used as an example # Optional list of logos for this SP # - use a transparent background where appropriate # - use PNG or GIF (less preferred) images # - use HTTPS URLs in order to avoid mixed-content warnings within browsersk - #logos: - #- url: "https://example.com/logo-80x60.png" - # The rendered height of the logo measured in pixels. - #height: 60 - # The rendered width of the logo measured in pixels. - #width: 80 - # Optional language code for localised logos. - #lang: en - #- url: "https://example.com/logo-50x50.png" - # The rendered height of the logo measured in pixels. - #height: 50 - # The rendered width of the logo measured in pixels. - #width: 50 - # Optional language code for localised logos. - #lang: en + # logos: + # - url: "https://example.com/logo-80x60.png" + # The rendered height of the logo measured in pixels. + # height: 60 + # The rendered width of the logo measured in pixels. + # width: 80 + # Optional language code for localised logos. 
+ # lang: en + # - url: "https://example.com/logo-50x50.png" + # height: 50 + # width: 50 + # lang: en # Localised list of URLs where more information about the entity is located - #information_url: + # information_url: # en: "http://sp.example.com/info/en" # Localised list of URLs where the entity's privacy statement is located - #privacy_statement_url: + # privacy_statement_url: # en: "http://sp.example.com/privacy/en" - #entity_attributes: - #- attribute_name: "http://macedir.org/entity-category" - # attribute_values: - # - "http://www.geant.net/uri/dataprotection-code-of-conduct/v1" - # Optional list of contacts in addition to the technical contact configured + # entity_attributes: + # - attribute_name: "http://macedir.org/entity-category" + # attribute_values: + # - "http://www.geant.net/uri/dataprotection-code-of-conduct/v1" + # Optional list of contacts in addition to the technical contact configured # through config/config.php - #contacts: - # The type of contact. The possible values are `technical`, `support`, - # `administrative`, `billing`, and `other`. - #- contact_type: "technical" - # Optional name of the company for the contact person. - #company: "ACME" - # Optional given (first) name of the contact person. - #given_name: "Jane" - # Optional surname of the contact person. - #sur_name: "Doe" - # Optional `mailto:` URI representing e-mail address of contact person. - #email_address: "mailto:jane.doe@acme.example.com" - # Optional telephone number of the contact person. - #telephone_numbers: "+31(0)12345678" - # To support a trust framework that requires extra attributes on the - # contact person element in your metadata (e.g. SIRTFI), you can specify - # an array of attributes on a contact - #- contact_type: "other" - # Optional given (first) name of the contact person. - #given_name: "Security Response Team" - # Optional `mailto:` URI representing e-mail address of contact person. 
- #email_address: "mailto:security@example.com" - #attributes: - # "xmlns:remd": "http://refeds.org/metadata" - # "remd:contactType": "http://refeds.org/metadata/contactType/security" + # contacts: + # The type of contact. The possible values are `technical`, `support`, + # `administrative`, `billing`, and `other`. + # - contact_type: "technical" + # Optional name of the company for the contact person. + # company: "ACME" + # Optional given (first) name of the contact person. + # given_name: "Jane" + # Optional surname of the contact person. + # sur_name: "Doe" + # Optional `mailto:` URI representing e-mail address of contact person. + # email_address: "mailto:jane.doe@acme.example.com" + # Optional telephone number of the contact person. + # telephone_numbers: "+31(0)12345678" + # To support a trust framework that requires extra attributes on the + # contact person element in your metadata (e.g. SIRTFI), you can specify + # an array of attributes on a contact + # - contact_type: "other" + # Optional given (first) name of the contact person. + # given_name: "Security Response Team" + # Optional `mailto:` URI representing e-mail address of contact person. + # email_address: "mailto:security@example.com" + # attributes: + # "xmlns:remd": "http://refeds.org/metadata" + # "remd:contactType": "http://refeds.org/metadata/contactType/security" # Localised names of the organisation responsible for this SP. - #organization_name: - # en: ACME + # organization_name: + # en: ACME # Localised user-friendly names of the organisation responsible for this # SP. - #organization_display_name: + # organization_display_name: # en: ACME # Localised URLs of the organisation responsible for this SP. - #organization_url: - # en: "https://www.acme.example.com/en" + # organization_url: + # en: "https://www.acme.example.com/en" # List of attributes this SP requests from the IdP. This list will be added # to the generated metadata. 
- # The attributes will be added without a `NameFormat` by default. Use the + # The attributes will be added without a `NameFormat` by default. Use the # name_format option to specify the `NameFormat` for the attributes. - #attributes: - #name_format: "urn:oasis:names:tc:SAML:2.0:attrname-format:uri" - #required: - # uid: "urn:oid:0.9.2342.19200300.100.1.1" - #optional: - # eduPersonPrincipalName: "urn:oid:1.3.6.1.4.1.5923.1.1.1.6" - # eduPersonTargetedID: "urn:oid:1.3.6.1.4.1.5923.1.1.1.10" - # commonName: "urn:oid:2.5.4.3" - # givenName: "urn:oid:2.5.4.42" - # sn: "urn:oid:2.5.4.4" - # displayName: "urn:oid:2.16.840.1.113730.3.1.241" - # mail: "urn:oid:0.9.2342.19200300.100.1.3" - # The format of the NameID we request from the IdP. Defaults to the + # attributes: + # name_format: "urn:oasis:names:tc:SAML:2.0:attrname-format:uri" + # required: + # uid: "urn:oid:0.9.2342.19200300.100.1.1" + # optional: + # eduPersonPrincipalName: "urn:oid:1.3.6.1.4.1.5923.1.1.1.6" + # eduPersonTargetedID: "urn:oid:1.3.6.1.4.1.5923.1.1.1.10" + # commonName: "urn:oid:2.5.4.3" + # givenName: "urn:oid:2.5.4.42" + # sn: "urn:oid:2.5.4.4" + # displayName: "urn:oid:2.16.840.1.113730.3.1.241" + # mail: "urn:oid:0.9.2342.19200300.100.1.3" + # The format of the NameID we request from the IdP. Defaults to the # transient format if unspecified. - #name_id_policy: "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" + # name_id_policy: "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" # List of supported ACS bindings. If unspecified, all will be added. 
# Possible values: # - urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST # - urn:oasis:names:tc:SAML:1.0:profiles:browser-post # - urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact # - urn:oasis:names:tc:SAML:1.0:profiles:artifact-01 - # - urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser - #acs_bindings: + # - urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser + # acs_bindings: # Optional list of processing filters to run after SP authentication. See # https://simplesamlphp.org/docs/stable/simplesamlphp-authproc # The filters can be specified with PHP syntax using `authproc_raw` or # alternatively, with YAML syntax using `authproc`. See examples below: - #authproc_raw: |- + # authproc_raw: |- # // Add the persistent NameID to the eduPersonTargetedID attribute # 60 => [ # 'class' => 'saml:PersistentNameID2TargetedID', # 'attribute' => 'eduPersonTargetedID', // The default # 'nameId' => true, // The default # ], - #authproc: - # - "60": - # class: "saml:PersistentNameID2TargetedID" - # attribute: "eduPersonTargetedID" - # nameId: no - -# Requires `authfacebook` module in `ssp_mods_enabled`. -#ssp_authsources_facebook: -# - name: facebook - # Register your Facebook application at http://www.facebook.com/developers - # App ID or API key (requests with App ID should be faster; https://github.com/facebook/php-sdk/issues/214) - #api_key: "123456789012345" - #secret: "1ab23456cdef78g90123h4ij56k789l0" - # Optional list of additional permissions to request from user. - # See https://developers.facebook.com/docs/facebook-login/permissions - #req_perms: "email" - # Optional list of user profile fields to request. - # When empty, only the app-specific user id and name will be returned - # See https://developers.facebook.com/docs/graph-api/reference/v2.6/user for the full list - #user_fields: "email,birthday,third_party_id,name,first_name,last_name" - -# Requires `authlinkedin` and `oauth` modules in `ssp_mods_enabled`. 
-#ssp_authsources_linkedin: -# - name: "linkedin" - #key: "xxxxxxxxxxxxxx" - #secret: "xxxxxxxxxxxxxxxx" - # See https://developer.linkedin.com/docs/fields/basic-profile for the full list - #user_fields: "id,formatted-name,first-name,last-name,email-address" - -# Requires `authlinkedin` and `oauth` module in `ssp_mods_enabled`. -#ssp_authsources_facebook: -# - name: facebook - # Register your Facebook application at http://www.facebook.com/developers - # App ID or API key (requests with App ID should be faster; https://github.com/facebook/php-sdk/issues/214) - #api_key: "123456789012345" - #secret: "1ab23456cdef78g90123h4ij56k789l0" - # Optional list of additional permissions to request from user. - # See https://developers.facebook.com/docs/facebook-login/permissions - #req_perms: "email" - # Optional list of user profile fields to request. - # When empty, only the app-specific user id and name will be returned - # See https://developers.facebook.com/docs/graph-api/reference/v2.6/user for the full list - #user_fields: "email,birthday,third_party_id,name,first_name,last_name" - -# IdP configuration -# Enable SAML 2.0 IdP functionality -ssp_idp_saml20_enabled: false -# Enable Shibboleth 1.3 IdP (SAML 1.1) functionality -ssp_idp_shib13_enabled: false -# Hosted IdP metadata -ssp_idp_hosts: [] - # The entity ID should be a URI. It can also be specified as `__DYNAMIC:1__`, - # `__DYNAMIC:2__`, ... in which case, the entity ID will be generated - # automatically. - # As of SimplesamlPHP version 2.x __DYNAMIC:.. is not supported. Thus we need to provide - # the entity ID ourselves, e.g. "https://rciam.example.org/saml-idp" - # or "urn:x-rciam:example-idp" (see https://simplesamlphp.org/docs/stable/simplesamlphp-reference-idp-hosted) - #- entity_id: "__DYNAMIC:1__" + # authproc: + # - "60": + # class: "saml:PersistentNameID2TargetedID" + # attribute: "eduPersonTargetedID" + # nameId: no + + # Requires `authfacebook` module in `ssp_mods_enabled`. 
+ # ssp_authsources_facebook: + # - name: facebook + # Register your Facebook application at http://www.facebook.com/developers + # App ID or API key (requests with App ID should be faster; https://github.com/facebook/php-sdk/issues/214) + # api_key: "123456789012345" + # secret: "1ab23456cdef78g90123h4ij56k789l0" + # Optional list of additional permissions to request from user. + # See https://developers.facebook.com/docs/facebook-login/permissions + # req_perms: "email" + # Optional list of user profile fields to request. + # When empty, only the app-specific user id and name will be returned + # See https://developers.facebook.com/docs/graph-api/reference/v2.6/user + # for the full list + # user_fields: "email,birthday,third_party_id,name,first_name,last_name" + + # Requires `authlinkedin` and `oauth` modules in `ssp_mods_enabled`. + # ssp_authsources_linkedin: + # - name: "linkedin" + # key: "xxxxxxxxxxxxxx" + # secret: "xxxxxxxxxxxxxxxx" + # See https://developer.linkedin.com/docs/fields/basic-profile for the full list + # user_fields: "id,formatted-name,first-name,last-name,email-address" + + # Requires `authlinkedin` and `oauth` module in `ssp_mods_enabled`. + # ssp_authsources_facebook: + # - name: facebook + # Register your Facebook application at http://www.facebook.com/developers + # App ID or API key (requests with App ID should be faster; https://github.com/facebook/php-sdk/issues/214) + # api_key: "123456789012345" + # secret: "1ab23456cdef78g90123h4ij56k789l0" + # Optional list of additional permissions to request from user. + # See https://developers.facebook.com/docs/facebook-login/permissions + # req_perms: "email" + # Optional list of user profile fields to request. 
+ # When empty, only the app-specific user id and name will be returned + # See https://developers.facebook.com/docs/graph-api/reference/v2.6/user for the full list + # user_fields: "email,birthday,third_party_id,name,first_name,last_name" + + # IdP configuration + # Enable SAML 2.0 IdP functionality + ssp_idp_saml20_enabled: false + # Enable Shibboleth 1.3 IdP (SAML 1.1) functionality + ssp_idp_shib13_enabled: false + # Hosted IdP metadata + ssp_idp_hosts: [] + # The entity ID should be a URI. It can also be specified as `__DYNAMIC:1__`, + # `__DYNAMIC:2__`, ... in which case, the entity ID will be generated + # automatically. + # As of SimplesamlPHP version 2.x __DYNAMIC:.. is not supported. Thus we need to provide + # the entity ID ourselves, e.g. "https://rciam.example.org/saml-idp" + # or "urn:x-rciam:example-idp" (see https://simplesamlphp.org/docs/stable/simplesamlphp-reference-idp-hosted) + # - entity_id: "__DYNAMIC:1__" # The hostname for this IdP. One of the IdPs can also have its `host` set # to `__DEFAULT__`, and that IdP will be used when no other entries in the # metadata matches. - #host: "__DEFAULT__" + # host: "__DEFAULT__" # Set to true to generate self-signed SSL certificate which should be # used by this IdP, in PEM format - #ssl_certificate_generate: yes + # ssl_certificate_generate: yes # SSL certificate options (ignored when `ssl_certificate_generate` is set # to false): # SSL certificate Common Name (CN) - #ssl_certificate_cn: idp.example.com + # ssl_certificate_cn: idp.example.com # Alternatively, you can generate the certificate as follows: # openssl req -newkey rsa:2048 -new -x509 -days 3652 -subj "/CN=idp.example.com" -nodes -out idp-__DYNAMIC:1__.crt -keyout idp-__DYNAMIC:1__.key # SSL certificate - #ssl_certificate: | - # -----BEGIN CERTIFICATE----- - # ... - # -----END CERTIFICATE----- + # ssl_certificate: | + # -----BEGIN CERTIFICATE----- + # ... 
+ # -----END CERTIFICATE----- # SSL certificate private key - #ssl_certificate_key: | - # -----BEGIN PRIVATE KEY----- - # ... - # -----END PRIVATE KEY----- + # ssl_certificate_key: | + # -----BEGIN PRIVATE KEY----- + # ... + # -----END PRIVATE KEY----- # Algorithm to use when signing any message generated by this IdP: # - http://www.w3.org/2000/09/xmldsig#rsa-sha1 (default) # - http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 # - http://www.w3.org/2001/04/xmldsig-more#rsa-sha384 # - http://www.w3.org/2001/04/xmldsig-more#rsa-sha512 # Note: the use of SHA1 is deprecated and will be disallowed in the future. - #sign_algorithm: "http://www.w3.org/2000/09/xmldsig#rsa-sha256" + # sign_algorithm: "http://www.w3.org/2000/09/xmldsig#rsa-sha256" # Whether logout requests and logout responses sent from this IdP should be # signed. Default is false. - #redirect_sign: true + # redirect_sign: true # Whether authentication requests, logout requests and logout responses # received/sent from this IdP should be validated. Default is false. - #redirect_validate: true + # redirect_validate: true # The authentication source to be used to authenticate users on this IdP. - #auth: default-sp - #contacts: - # The type of contact. The possible values are `technical`, `support`, - # `administrative`, `billing`, and `other`. - #- contact_type: "technical" - # Optional name of the company for the contact person. - #company: "ACME" - # Optional given (first) name of the contact person. - #given_name: "Jane" - # Optional surname of the contact person. - #sur_name: "Doe" - # Optional `mailto:` URI representing e-mail address of contact person. - #email_address: "mailto:jane.doe@acme.example.com" - # Optional telephone number of the contact person. - #telephone_numbers: "+31(0)12345678" - # A list with scopes for this IdP. The scopes will be added to the + # auth: default-sp + # contacts: + # The type of contact. 
The possible values are `technical`, `support`, + # `administrative`, `billing`, and `other`. + # - contact_type: "technical" + # Optional name of the company for the contact person. + # company: "ACME" + # Optional given (first) name of the contact person. + # given_name: "Jane" + # Optional surname of the contact person. + # sur_name: "Doe" + # Optional `mailto:` URI representing e-mail address of contact person. + # email_address: "mailto:jane.doe@acme.example.com" + # Optional telephone number of the contact person. + # telephone_numbers: "+31(0)12345678" + # A list with scopes for this IdP. The scopes will be added to the # generated XML metadata. A scope can either be a domain name or a regular # expression matching a number of domains. - #scopes: - # - domain1.example.com - # - domain2.example.com + # scopes: + # - domain1.example.com + # - domain2.example.com # Localised names of the organisation responsible for this IdP. - #organization_name: - # en: ACME + # organization_name: + # en: ACME # Localised user-friendly names of the organisation responsible for this # IdP. - #organization_display_name: - # en: ACME + # organization_display_name: + # en: ACME # Localised URLs of the organisation responsible for this IdP. 
- #organization_url: - # en: "https://www.acme.example.com/en" + # organization_url: + # en: "https://www.acme.example.com/en" # SAML V2.0 Metadata Extensions for Login and Discovery # UIInfo Items # Localised list of names for this entity - #display_name: - # en: Example IdP + # display_name: + # en: Example IdP # Localised list of descriptions for this entity - #description: - # en: This is an IdP used as an example + # description: + # en: This is an IdP used as an example # Localised list of URLs where more information about the entity is located # Optional list of logos for this IdP # - use a transparent background where appropriate # - use PNG or GIF (less preferred) images # - use HTTPS URLs in order to avoid mixed-content warnings within browsers - #logos: - #- url: "https://example.com/logo-80x60.png" - # The rendered height of the logo measured in pixels. - #height: 60 - # The rendered width of the logo measured in pixels. - #width: 80 - # Optional language code for localised logos. - #lang: en - #- url: "https://example.com/logo-50x50.png" - # The rendered height of the logo measured in pixels. - #height: 50 - # The rendered width of the logo measured in pixels. - #width: 50 - # Optional language code for localised logos. - #lang: en - #information_url: - # en: "https://idp1.example.com/info/en" + # logos: + # - url: "https://example.com/logo-80x60.png" + # The rendered height of the logo measured in pixels. + # height: 60 + # The rendered width of the logo measured in pixels. + # width: 80 + # Optional language code for localised logos. + # lang: en + # - url: "https://example.com/logo-50x50.png" + # The rendered height of the logo measured in pixels. + # height: 50 + # The rendered width of the logo measured in pixels. + # width: 50 + # Optional language code for localised logos. 
+ # lang: en + # information_url: + # en: "https://idp1.example.com/info/en" # Localised list of URLs where the entity's privacy statement is located - #privacy_statement_url: - # en: "https://idp1.example.com/privacy/en" + # privacy_statement_url: + # en: "https://idp1.example.com/privacy/en" # DiscoHints items - # List of IPv4 and IPv6 addresses in CIDR notation serviced by or + # List of IPv4 and IPv6 addresses in CIDR notation serviced by or # associated with this IdP. - #ip_hints: - # - "130.59.0.0/16" - # - "2001:620::0/96" + # ip_hints: + # - "130.59.0.0/16" + # - "2001:620::0/96" # List of domain names serviced by or associated with this IdP. - #domain_hints: - # - "example.com" - # - "www.example.com" + # domain_hints: + # - "example.com" + # - "www.example.com" # List of geographic coordinates serviced by or associated with this IdP. # Coordinates are given in the geo URI scheme (RFC5870). - #geolocation_hints: - # - "geo:47.37328,8.531126" - # - "geo:19.34343,12.342514" - #entity_attributes: - #- attribute_name: "http://macedir.org/entity-category" - # attribute_values: - # - "http://www.geant.net/uri/dataprotection-code-of-conduct/v1" + # geolocation_hints: + # - "geo:47.37328,8.531126" + # - "geo:19.34343,12.342514" + # entity_attributes: + # - attribute_name: "http://macedir.org/entity-category" + # attribute_values: + # - "http://www.geant.net/uri/dataprotection-code-of-conduct/v1" # SAML2-specific options # The value to set in the Format field of attribute statements. - #attributes_name_format: "urn:oasis:names:tc:SAML:2.0:attrname-format:uri" + # attributes_name_format: "urn:oasis:names:tc:SAML:2.0:attrname-format:uri" # The format of the NameID supported by this IdP. Defaults to the transient # format if unspecified. - #name_id_format: "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" + # name_id_format: "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" # Override the default URL for the SingleSignOnService for this IdP. 
# This is an absolute URL. The default value is: # /module.php/saml/idp/singleSignOnService @@ -615,7 +610,7 @@ ssp_idp_hosts: [] # in the messages sent to others. You must also configure your webserver # to deliver this URL to the correct PHP page. # Uncomment the following for backwards compatibility with SSP v1.x - #sso_service: "https://{{ rciam_hostname }}/{{ ssp_baseurlpath }}/saml2/idp/SSOService.php" + # sso_service: "https://{{ rciam_hostname }}/{{ ssp_baseurlpath }}/saml2/idp/SSOService.php" # Override the default URL for the SingleLogoutService for this IdP. # This is an absolute URL. The default value is: # /module.php/saml/idp/singleLogout @@ -623,12 +618,12 @@ ssp_idp_hosts: [] # in the messages sent to others. You must also configure your webserver # to deliver this URL to the correct PHP page. # Uncomment the following for backwards compatibility with SSP v1.x - #slo_service: "https://{{ rciam_hostname }}/{{ ssp_baseurlpath }}/saml2/idp/SingleLogoutService.php" + # slo_service: "https://{{ rciam_hostname }}/{{ ssp_baseurlpath }}/saml2/idp/SingleLogoutService.php" # Optional list of processing filters to run for this IdP. See # https://simplesamlphp.org/docs/stable/simplesamlphp-authproc # The filters can be specified with PHP syntax using `authproc_raw` or # alternatively, with YAML syntax using `authproc`. See examples below: - #authproc_raw: |- + # authproc_raw: |- # 80 => array( # // Maps attribute OIDs to names. # // Usually combined with SAML:2.0:attrname-format:uri 
@@ -645,36 +640,36 @@ ssp_idp_hosts: [] # 'hiddenAttributes' => array( # ), # ), - #authproc: - # - "80": - # Maps attribute OIDs to names. - # Usually combined with SAML:2.0:attrname-format:uri - #class: "core:AttributeMap" - #oid2name: - # - "90": - # Requires `consent` in `ssp_mods_enabled`. - #class: "consent:Consent" - # The Consent storage backend. Currently only `consent:Cookie` is - # supported. This option is optional. If omitted, the user is still - # asked to consent, but the decision is not saved. - #store: "consent:Cookie" - # Optional flag that indicates whether the values of the attributes - # should be used in calculating the unique hashes that identify the - # consent. If includeValues is set and the value of an attribute - # changes, then the consent becomes invalid. Defaults to false. - #includeValues: false - # Optional flag that indicates whether the "Remember" consent - # checkbox is checkd by default. Defaults to false. - #checked: false - # Indicates whether the "Yes" or "No" button is in fucus by default. - # This option is optional and can take the value 'yes' or 'no'. - # If omitted, neither will recive focus. - #focus: "yes" | "no" - # Optional list of attributes whose values should be hidden. - # Default behaviour is that all attribute values are shown. - #hiddenAttributes: - #- entity_id: "__DYNAMIC:2__" - # host: "idp2.example.com" + # authproc: + # - "80": + # Maps attribute OIDs to names. + # Usually combined with SAML:2.0:attrname-format:uri + # class: "core:AttributeMap" + # oid2name: + # - "90": + # Requires `consent` in `ssp_mods_enabled`. + # class: "consent:Consent" + # The Consent storage backend. Currently only `consent:Cookie` is + # supported. This option is optional. If omitted, the user is still + # asked to consent, but the decision is not saved. 
+ # store: "consent:Cookie" + # Optional flag that indicates whether the values of the attributes + # should be used in calculating the unique hashes that identify the + # consent. If includeValues is set and the value of an attribute + # changes, then the consent becomes invalid. Defaults to false. + # includeValues: false + # Optional flag that indicates whether the "Remember" consent + # checkbox is checkd by default. Defaults to false. + # checked: false + # Indicates whether the "Yes" or "No" button is in fucus by default. + # This option is optional and can take the value 'yes' or 'no'. + # If omitted, neither will recive focus. + # focus: "yes" | "no" + # Optional list of attributes whose values should be hidden. + # Default behaviour is that all attribute values are shown. + # hiddenAttributes: + # - entity_id: "__DYNAMIC:2__" + # host: "idp2.example.com" ## Extra SSP files to copy, e.g. dictionaries, attribute maps, certificates, etc ssp_extra_files: [] @@ -717,30 +712,28 @@ ssp_mods_enabled: # List of SSP modules to disable # Deprecated for SSP v2.0 ssp_mods_disabled: [] - # - admin - # - authorize - # - consent - # - core - # - discopower - # - exampleattributeserver - # - expirycheck - # - ldap - # - memcookie - # - multiauth - # - portal - # - saml - # - sanitycheck - - +# - admin +# - authorize +# - consent +# - core +# - discopower +# - exampleattributeserver +# - expirycheck +# - ldap +# - memcookie +# - multiauth +# - portal +# - saml +# - sanitycheck # Configuration options for automated SAML metadata management. -# Requires `metarefresh` and `cron` modules in `ssp_mods_enabled`. +# Requires `metarefresh` and `cron` modules in `ssp_mods_enabled`. # # Options applicable to SSP version < 2 # # Cron module URL -ssp_mod_cron_url: "https://localhost/{{ ssp_baseurlpath }}/module.php/cron/cron.php" +ssp_mod_cron_url: https://localhost/{{ ssp_baseurlpath }}/module.php/cron/cron.php # # Options applicable to SSP version >= 2 
@@ -748,7 +741,7 @@ ssp_mod_cron_url: "https://localhost/{{ ssp_baseurlpath }}/module.php/cron/cron. # Maximum amount of memory each metarefresh cron tag may consume # (see http://php.net/memory-limit) -ssp_mod_cron_job_memory_limit: "768M" +ssp_mod_cron_job_memory_limit: 768M # # Common options for all SSP versions 
@@ -759,91 +752,89 @@ ssp_mod_cron_job_memory_limit: "768M" ssp_mod_cron_job_max_execution_time: 90 # Secret key used to restrict access to your cron. -#ssp_mod_cron_secret: "secret" +# ssp_mod_cron_secret: "secret" ssp_mod_cron_entries: - - name: "SSP metarefresh [daily]" - tag: "daily" - file: "simplesamlphp" + - name: SSP metarefresh [daily] + tag: daily + file: simplesamlphp user: "{{ ssp_webuser }}" minute: "30" hour: "3" - - name: "SSP metarefresh [hourly]" - tag: "hourly" - file: "simplesamlphp" + - name: SSP metarefresh [hourly] + tag: hourly + file: simplesamlphp user: "{{ ssp_webuser }}" minute: "15" # Cron job variables ssp_mod_cron_vars: - - name: "MAILTO" - value: "na@example.org" - file: "simplesamlphp" - + - name: MAILTO + value: na@example.org + file: simplesamlphp # Global blacklist: Optional list of entityIDs that should be excluded from ALL # metadata sets. -#ssp_mod_metarefresh_blacklist: -# - "https://my.own.domain.com/ssp/saml2/idp/metadata.php" +# ssp_mod_metarefresh_blacklist: +# - "https://my.own.domain.com/ssp/saml2/idp/metadata.php" # -#ssp_mod_metarefresh_sets: - #- name: reep +# ssp_mod_metarefresh_sets: +# - name: reep # Can be `hourly` or `daily` - #cron: hourly + # cron: hourly # A list of one or more sources that will be included in this metadata set. # The filters can be specified with PHP syntax using `sources_raw` or # alternatively, with YAML syntax using `sources`. See examples below: - #sources_raw: include 'path-to-file.php' - #sources: - # The source URL where the metadata will be fetched from. - #- url: "https://reep.refeds.org/entity/69/latest_metadata/" - # The fingerprint of the certificate used to sign the metadata. + # sources_raw: include 'path-to-file.php' + # sources: + # The source URL where the metadata will be fetched from. + # - url: "https://reep.refeds.org/entity/69/latest_metadata/" + # The fingerprint of the certificate used to sign the metadata. 
# You can omit this option if you don't want to validate the signature # on the metadata. - #validate_fingerprint: "59:1D:4B:46:70:46:3E:ED:A9:1F:CC:81:6D:C0:AF:2A:09:2A:A8:01" + # validate_fingerprint: "59:1D:4B:46:70:46:3E:ED:A9:1F:CC:81:6D:C0:AF:2A:09:2A:A8:01" # Optional list of tags/labels for the entities in the metadata. - #tags: + # tags: # - tag1 # - tag2 # Optional list of processing filters to run for this entity. See # https://simplesamlphp.org/docs/stable/simplesamlphp-authproc # The filters can be specified with PHP syntax using `authproc_raw` or # alternatively, with YAML syntax using `authproc`. See examples below: - #authproc_raw: |- + # authproc_raw: |- # 50 => [ # 'class' => 'core:ExampleFilter', # ], - #authproc: + # authproc: # - "50": # class: "core:ExampleFilter" - #extra_parameters: |- + # extra_parameters: |- # 'foo' => 'bar', # Optional list of entityIDs that should be excluded from this src. - #blacklist: + # blacklist: # - "https://black.example.com/idp" # - "https://black.example.com/sp" # Optional list of entityIDs that should be included from this src. - #whitelist: + # whitelist: # - "https://white.example.com/idp" # - "https://white.example.com/sp" # Maximum cache time in days - #expire_after: 7 + # expire_after: 7 # Output directory is relative to {{ ssp_path }}/metadata/ - #output_dir: metarefresh-aarc + # output_dir: metarefresh-aarc # Can be `flatfile` or `serialize` - #output_format: serialize - + # output_format: serialize # Configuration options for the discopower module that provides a more # user-friendly IdP discovery service compared to the default. # Requires `discopower` module in `ssp_mods_enabled`. # # List of tags (mapped to tabs) that should be listed in a specific order. 
-#ssp_mod_discopower_taborder: +# ssp_mod_discopower_taborder: # - tag1 # - tag2 # Filter list of IdPs by matching the beginning of search keywords -#ssp_mod_discopower_suggest: false +# ssp_mod_discopower_suggest: false # List of tab/tag translations to add -#ssp_mod_discopower_dictionaries: +# ssp_mod_discopower_dictionaries: # - tag1: # en: "Tab One" # - tag2: diff --git a/roles/ssp/handlers/main.yml b/roles/ssp/handlers/main.yml index c46a3249..a2babca4 100644 --- a/roles/ssp/handlers/main.yml +++ b/roles/ssp/handlers/main.yml @@ -1,10 +1,6 @@ --- - -- name: restart webserver - service: +- name: Restart webserver + ansible.builtin.service: name: "{{ ssp_webserver }}" state: restarted - become: yes - - - + become: true diff --git a/roles/ssp/tasks/composer.yml b/roles/ssp/tasks/composer.yml index c1921e87..106bf41a 100644 --- a/roles/ssp/tasks/composer.yml +++ b/roles/ssp/tasks/composer.yml 
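Review bot: Renaming the handler from `restart webserver` to `Restart webserver` changes the string that `notify:` must match exactly, so any task in this role that still notifies the old lowercase name will no longer trigger the restart (current Ansible reports a notify of an unknown handler as an error); the notifying tasks are not in this diff, so I cannot tell whether they were all updated. Keeping the old name reachable costs one line under the handler, `listen: restart webserver`, which lets both spellings notify it while callers are migrated. A one-line comment such as `# listen keeps the pre-rename notify name working` would explain why it is there.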
@@ -1,77 +1,91 @@ --- - - name: Create installation directory for composer - file: + ansible.builtin.file: state: directory - path: '{{ ssp_composer_install_directory }}' - become: yes + path: "{{ ssp_composer_install_directory }}" + mode: "0644" + become: true tags: - ssp:install - ssp:install:composer -- name: check if exist composer executable exists - stat: +- name: Check if exist composer executable exists + ansible.builtin.stat: path: "{{ ssp_composer_executable }}" register: composer_exists - become: yes + become: true tags: - ssp:install - ssp:install:composer -- name: Download composer +# Use uri here +- name: Download composer # noqa command-instead-of-module no-changed-when ansible.builtin.command: curl -sS https://getcomposer.org/installer -o composer-setup.php args: - chdir: '{{ ssp_composer_install_directory }}' - when: composer_exists.stat.exists == False - become: yes + chdir: "{{ ssp_composer_install_directory }}" + when: not composer_exists.stat.exists + become: true tags: - ssp:install - ssp:install:composer + creates: "{{ ssp_composer_install_directory }}/composer-setup.php" -- name: Generate composer hash +# Use uri here +- name: Generate composer hash # noqa command-instead-of-module ansible.builtin.command: curl -sS https://composer.github.io/installer.sig register: composerhash - when: composer_exists.stat.exists == False - become: yes + when: not composer_exists.stat.exists + become: true tags: - ssp:install - ssp:install:composer + changed_when: false # noqa no-changed-when - name: Print composer hash ansible.builtin.debug: msg: "Composer hash is: {{ composerhash.stdout }}" when: composerhash.stdout is defined - become: yes + become: true tags: - ssp:install - ssp:install:composer -- name: Verify composer - command: php -r "if (hash_file('SHA384', 'composer-setup.php') === '{{ composerhash.stdout }}') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;" +- name: Verify composer # 
noqa command-instead-of-module + ansible.builtin.command: |- + php -r \ + "if (hash_file('SHA384', 'composer-setup.php') === '{{ composerhash.stdout }}') \ + { echo 'Installer verified'; } \ + else \ + { echo 'Installer corrupt'; unlink('composer-setup.php'); } \ + echo PHP_EOL;" args: - chdir: '{{ ssp_composer_install_directory }}' - when: composer_exists.stat.exists == False - become: yes + chdir: "{{ ssp_composer_install_directory }}" + when: not composer_exists.stat.exists + become: true tags: - ssp:install - ssp:install:composer + changed_when: false + failed_when: false1 -- name: Composer setup +# Use community.general.composer here +- name: Composer setup # noqa no-changed-when ansible.builtin.command: php composer-setup.php args: - chdir: '{{ ssp_composer_install_directory }}' - when: composer_exists.stat.exists == False - become: yes + chdir: "{{ ssp_composer_install_directory }}" + when: not composer_exists.stat.exists + become: true tags: - ssp:install - ssp:install:composer + changed_when: false -- name: Move Composer globally - ansible.builtin.command: "mv composer.phar {{ ssp_composer_executable }}" +- name: Move Composer globally # noqa no-changed-when + ansible.builtin.command: mv composer.phar {{ ssp_composer_executable }} args: - chdir: '{{ ssp_composer_install_directory }}' - become: yes - when: composer_exists.stat.exists == False + chdir: "{{ ssp_composer_install_directory }}" + become: true + when: not composer_exists.stat.exists tags: - ssp:install - ssp:install:composer @@ -79,8 +93,8 @@ - name: Set permissions on Composer ansible.builtin.file: path: "{{ ssp_composer_executable }}" - mode: "a+x" - become: yes + mode: a+x + become: true tags: - ssp:install - ssp:install:composer diff --git a/roles/ssp/tasks/configure-common.yml b/roles/ssp/tasks/configure-common.yml index 008cce99..a324bda9 100644 --- a/roles/ssp/tasks/configure-common.yml +++ b/roles/ssp/tasks/configure-common.yml 
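Review bot: `failed_when: false1` on the Verify composer task is not a boolean but an undefined Jinja name, so the conditional itself errors and the task fails on every run; and even the intended `failed_when: false` would defeat the check, because a SHA-384 mismatch only echoes `Installer corrupt` while the play carries on to `php composer-setup.php`. Register the output and fail on anything other than a positive match, as below; the new `|-` form with trailing backslashes is also risky, since `ansible.builtin.command` shlex-splits the string and a backslash-newline inside the double-quoted PHP is kept rather than folded, so a single folded `>-` scalar is safer. Two smaller issues in the same hunk: `creates:` for the Download task is placed after `tags:` at what appears to be task level (indentation was lost here), but it is a module argument and must sit under `args:` next to `chdir`, otherwise Ansible rejects the task; and `mode: "0644"` on the `state: directory` task drops the execute bit a directory needs, so use `"0755"`.
```yaml
- name: Verify composer # noqa command-instead-of-module
  ansible.builtin.command: >-
    php -r "if (hash_file('SHA384', 'composer-setup.php') === '{{ composerhash.stdout }}')
    { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); }
    echo PHP_EOL;"
  args:
    chdir: "{{ ssp_composer_install_directory }}"
  when: not composer_exists.stat.exists
  become: true
  register: composer_verify
  changed_when: false
  # Enforce the hash check instead of just printing its result
  failed_when: "'Installer verified' not in composer_verify.stdout"
  # … unchanged: tags …
```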
@@ -1,258 +1,279 @@ # file: ssp/tasks/configure-common.php # --- - - - name: Configure SSP - template: + ansible.builtin.template: src: "{{ item }}" dest: "{{ ssp_configdir }}/config.php" - backup: yes - force: yes + backup: true + force: true + mode: "0644" with_first_found: - - "config/config-{{ ssp_major_version }}.{{ ssp_minor_version }}.php.j2" - - "config/config-{{ ssp_major_version }}.php.j2" - - "config/config.php.j2" - become: yes + - config/config-{{ ssp_major_version }}.{{ ssp_minor_version }}.php.j2 + - config/config-{{ ssp_major_version }}.php.j2 + - config/config.php.j2 + become: true tags: - ssp:config:config - name: Generate self-signed SP certificates - command: openssl req -newkey rsa:2048 -new -x509 -days 3652 -subj "/CN={{ item.ssl_certificate_cn }}" -nodes -out sp-{{ item.name }}.crt -keyout sp-{{ item.name }}.key + ansible.builtin.command: |- + openssl req -newkey rsa:2048 \ + -new -x509 \ + -days 3652 \ + -subj "/CN={{ item.ssl_certificate_cn }}" \ + -nodes -out sp-{{ item.name }}.crt \ + -keyout sp-{{ item.name }}.key args: chdir: "{{ ssp_certdir }}" creates: "{{ ssp_certdir }}/sp-{{ item.name }}.key" with_items: "{{ ssp_authsources_saml }}" - when: item.ssl_certificate_generate | default(True) | bool == True - become: yes + when: item.ssl_certificate_generate | default(True) | bool + become: true tags: - ssp:config:authsources - name: Copy SP SSL certificate (.crt) - copy: - content: '{{ item.ssl_certificate }}' + ansible.builtin.copy: + content: "{{ item.ssl_certificate }}" dest: "{{ ssp_certdir }}/sp-{{ item.name }}.crt" owner: "{{ ssp_webuser }}" group: "{{ ssp_webgroup }}" mode: "0644" with_items: "{{ ssp_authsources_saml }}" - when: item.ssl_certificate_generate | default(True) | bool == False - become: yes + when: not (item.ssl_certificate_generate | default(True) | bool) + become: true tags: - ssp:config:authsources - name: Copy SP SSL certificate (.key) - copy: - content: '{{ item.ssl_certificate_key }}' + ansible.builtin.copy: + 
content: "{{ item.ssl_certificate_key }}" dest: "{{ ssp_certdir }}/sp-{{ item.name }}.key" owner: "{{ ssp_webuser }}" group: "{{ ssp_webgroup }}" mode: "0600" with_items: "{{ ssp_authsources_saml }}" - when: item.ssl_certificate_generate | default(True) | bool == False - become: yes - no_log: yes + when: not (item.ssl_certificate_generate | default(True) | bool) + become: true + no_log: true tags: - ssp:config:authsources - name: Ensure SP certificate keys are installed - file: + ansible.builtin.file: state: file path: "{{ ssp_certdir }}/sp-{{ item.name }}.key" owner: "{{ ssp_webuser }}" group: "{{ ssp_webgroup }}" mode: "0600" with_items: "{{ ssp_authsources_saml }}" - when: item.ssl_certificate_generate | default(True) | bool == False or item.ssl_certificate_key is defined - become: yes + when: not (item.ssl_certificate_generate | default(True) | bool) or item.ssl_certificate_key is defined + become: true tags: - ssp:config:authsources - name: Ensure SP certificates are installed - file: + ansible.builtin.file: state: file path: "{{ ssp_certdir }}/sp-{{ item.name }}.crt" owner: "{{ ssp_webuser }}" group: "{{ ssp_webgroup }}" mode: "0644" with_items: "{{ ssp_authsources_saml }}" - when: item.ssl_certificate_generate | default(True) | bool == False or item.ssl_certificate is defined - become: yes + when: not (item.ssl_certificate_generate | default(True) | bool) or item.ssl_certificate is defined + become: true tags: - ssp:config:authsources - name: Configure SSP authN sources - template: + ansible.builtin.template: src: "{{ item }}" dest: "{{ ssp_configdir }}/authsources.php" - backup: yes - force: yes + backup: true + force: true + mode: "0600" with_first_found: - - "config/authsources-{{ ssp_major_version }}.{{ ssp_minor_version }}.php.j2" - - "config/authsources-{{ ssp_major_version }}.php.j2" - - "config/authsources.php.j2" - become: yes + - config/authsources-{{ ssp_major_version }}.{{ ssp_minor_version }}.php.j2 + - config/authsources-{{ ssp_major_version 
}}.php.j2 + - config/authsources.php.j2 + become: true tags: - ssp:config:authsources +# Use community.crypto modules here - name: Generate self-signed IdP certificates - command: openssl req -newkey rsa:2048 -new -x509 -days 3652 -subj "/CN={{ item.ssl_certificate_cn }}" -nodes -out idp-{{ item.entity_id }}.crt -keyout idp-{{ item.entity_id }}.key + ansible.builtin.command: |- + openssl req -newkey rsa:2048 \ + -new -x509 -days 3652 \ + -subj "/CN={{ item.ssl_certificate_cn }}" \ + -nodes -out idp-{{ item.entity_id }}.crt \ + -keyout idp-{{ item.entity_id }}.key args: chdir: "{{ ssp_certdir }}" creates: "{{ ssp_certdir }}/idp-{{ item.entity_id }}.key" with_items: "{{ ssp_idp_hosts }}" when: (ssp_idp_saml20_enabled or ssp_idp_shib13_enabled) and item.ssl_certificate_generate | default(True) - become: yes + become: true tags: - ssp:config:saml20-idp-hosted - ssp:config:shib13-idp-hosted - name: Copy IdP certificate (.crt) - copy: - content: '{{ item.ssl_certificate }}' - dest: "{{ ssp_certdir }}idp-{{ item.entity_id | replace('https://','') | replace('/','_') | replace('.','_')}}.crt" + ansible.builtin.copy: + content: "{{ item.ssl_certificate }}" + dest: "{{ ssp_certdir }}idp-{{ item.entity_id | replace('https://', '') | replace('/', '_') | replace('.', '_') }}.crt" owner: "{{ ssp_webuser }}" group: "{{ ssp_webgroup }}" mode: "0644" with_items: "{{ ssp_idp_hosts }}" - when: item.ssl_certificate_generate | default(True) | bool == False and item.ssl_certificate is defined - become: yes - no_log: yes + when: not (item.ssl_certificate_generate | default(True) | bool) and item.ssl_certificate is defined + become: true + no_log: true tags: - ssp:config:saml20-idp-hosted - ssp:config:shib13-idp-hosted - name: Copy IdP certificate (.key) - copy: - content: '{{ item.ssl_certificate_key }}' - dest: "{{ ssp_certdir }}/idp-{{ item.entity_id | replace('https://','') | replace('/','_') | replace('.','_')}}.key" + ansible.builtin.copy: + content: "{{ item.ssl_certificate_key }}" 
+ dest: "{{ ssp_certdir }}/idp-{{ item.entity_id | replace('https://', '') | replace('/', '_') | replace('.', '_') }}.key" owner: "{{ ssp_webuser }}" group: "{{ ssp_webgroup }}" mode: "0600" with_items: "{{ ssp_idp_hosts }}" - when: item.ssl_certificate_generate | default(True) | bool == False and item.ssl_certificate_key is defined - become: yes - no_log: yes + when: not (item.ssl_certificate_generate | default(True) | bool) and item.ssl_certificate_key is defined + become: true + no_log: true tags: - ssp:config:saml20-idp-hosted - ssp:config:shib13-idp-hosted - name: Ensure IdP certificate keys are installed - file: + ansible.builtin.file: state: file - path: "{{ ssp_certdir }}/idp-{{ item.entity_id | replace('https://','') | replace('/','_') | replace('.','_')}}.key" + path: "{{ ssp_certdir }}/idp-{{ item.entity_id | replace('https://', '') | replace('/', '_') | replace('.', '_') }}.key" owner: "{{ ssp_webuser }}" group: "{{ ssp_webgroup }}" mode: "0600" with_items: "{{ ssp_idp_hosts }}" when: ssp_idp_saml20_enabled or ssp_idp_shib13_enabled - become: yes + become: true tags: - ssp:config:saml20-idp-hosted - ssp:config:shib13-idp-hosted - name: Ensure IdP certificates are installed - file: + ansible.builtin.file: state: file - path: "{{ ssp_certdir }}/idp-{{ item.entity_id | replace('https://','') | replace('/','_') | replace('.','_')}}.crt" + path: "{{ ssp_certdir }}/idp-{{ item.entity_id | replace('https://', '') | replace('/', '_') | replace('.', '_') }}.crt" owner: "{{ ssp_webuser }}" group: "{{ ssp_webgroup }}" mode: "0644" with_items: "{{ ssp_idp_hosts }}" when: ssp_idp_saml20_enabled or ssp_idp_shib13_enabled - become: yes + become: true tags: - ssp:config:saml20-idp-hosted - ssp:config:shib13-idp-hosted - name: Configure SSP hosted SAML 2.0 IdP metadata - include_tasks: configure-saml20-idp-hosted.yml + ansible.builtin.include_tasks: configure-saml20-idp-hosted.yml when: ssp_idp_saml20_enabled tags: - ssp:config:saml20-idp-hosted - name: Configure SSP 
hosted SAML 1.1 IdP metadata - include_tasks: configure-shib13-idp-hosted.yml + ansible.builtin.include_tasks: configure-shib13-idp-hosted.yml when: ssp_idp_shib13_enabled tags: - ssp:config:shib13-idp-hosted - name: Ensure SSP extra files are copied - copy: + ansible.builtin.copy: src: "{{ item.src_path }}" dest: "{{ item.dest_path }}" - backup: yes + backup: true + mode: "0600" with_items: "{{ ssp_extra_files }}" when: item.src_path is defined and item.dest_path is defined - become: yes + become: true tags: - ssp:config:files +# No command - should be empty file with file module - name: Enable required SSP modules - command: touch "{{ ssp_path }}/modules/{{ item }}/enable" + ansible.builtin.command: touch "{{ ssp_path }}/modules/{{ item }}/enable" args: creates: "{{ ssp_path }}/modules/{{ item }}/enable" with_items: "{{ ssp_mods_enabled }}" - when: "{{ ssp_major_version|float < 2}}" - become: yes + when: ssp_major_version | float < 2 + become: true tags: - ssp:config:mods - name: Disable unnecessary SSP modules - command: touch "{{ ssp_path }}/modules/{{ item }}/disable" + ansible.builtin.command: touch "{{ ssp_path }}/modules/{{ item }}/disable" args: creates: "{{ ssp_path }}/modules/{{ item }}/disable" with_items: "{{ ssp_mods_disabled }}" - when: "{{ ssp_major_version|float < 2}}" - become: yes + when: ssp_major_version | float < 2 + become: true tags: - ssp:config:mods - name: Ensure required SSP metarefresh module dirs exist - file: path={{ ssp_metadatadir }}/{{ item.output_dir }} state=directory owner={{ssp_webuser }} group={{ ssp_webgroup }} + ansible.builtin.file: + path: "{{ ssp_metadatadir }}" + state: directory + owner: "{{ ssp_webuser }}" + group: "{{ ssp_webgroup }}" + mode: "0755" with_items: "{{ ssp_mod_metarefresh_sets }}" when: "'metarefresh' in ssp_mods_enabled" - become: yes + become: true tags: - ssp:config:mods - ssp:config:mods:metarefresh - name: Configure SSP metarefresh module - template: + ansible.builtin.template: src: "{{ item }}" 
dest: "{{ ssp_configdir }}/{{ ssp_mod_metarefresh.template.dest }}" - backup: yes - force: yes + backup: true + force: true + mode: "0644" with_first_found: - "{{ ssp_mod_metarefresh.template.src }}-{{ ssp_major_version }}.{{ ssp_minor_version }}.php.j2" - "{{ ssp_mod_metarefresh.template.src }}-{{ ssp_major_version }}.php.j2" - "{{ ssp_mod_metarefresh.template.src }}.php.j2" when: "'metarefresh' in ssp_mods_enabled" register: ssp_mod_metarefresh_config - become: yes + become: true tags: - ssp:config:mods - ssp:config:mods:metarefresh - name: Configure SSP cron module - template: + ansible.builtin.template: src: "{{ item }}" dest: "{{ ssp_configdir }}/module_cron.php" - backup: yes - force: yes + backup: true + force: true + mode: "0644" with_first_found: - - "config/module_cron-{{ ssp_major_version }}.{{ ssp_minor_version }}.php.j2" - - "config/module_cron-{{ ssp_major_version }}.php.j2" - - "config/module_cron.php.j2" + - config/module_cron-{{ ssp_major_version }}.{{ ssp_minor_version }}.php.j2 + - config/module_cron-{{ ssp_major_version }}.php.j2 + - config/module_cron.php.j2 when: "'cron' in ssp_mods_enabled" - become: yes + become: true tags: - ssp:config:mods - ssp:config:mods:cron - ssp:config:mods:metarefresh - name: Configure SSP cron jobs - cron: + ansible.builtin.cron: name: "{{ item.name }}" user: "{{ item.user | default('root') }}" cron_file: "{{ item.file }}" 
@@ -260,9 +281,14 @@ job: > {% if ssp_major_version | int < 2 %} # Set maximum time for preventing curl job from hanging - curl -k --silent -m {{ ssp_mod_cron_job_max_execution_time }} {{ ssp_mod_cron_url }}?key={{ ssp_mod_cron_secret }}&tag={{ item.tag }} + curl -k --silent -m {{ ssp_mod_cron_job_max_execution_time }} \ + {{ ssp_mod_cron_url }}?key={{ ssp_mod_cron_secret }}&\ + tag={{ item.tag }} {% else %} - php -d max_execution_time={{ ssp_mod_cron_job_max_execution_time }} -d memory_limit={{ ssp_mod_cron_job_memory_limit }} {{ ssp_path }}/modules/cron/bin/cron.php -t {{ item.tag }} + php -d max_execution_time={{ ssp_mod_cron_job_max_execution_time }} \ + -d memory_limit={{ ssp_mod_cron_job_memory_limit }} \ + {{ ssp_path }}/modules/cron/bin/cron.php \ + -t {{ item.tag }} {% endif %} minute: "{{ item.minute | default(omit) }}" hour: "{{ item.hour | default(omit) }}" 
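Review bot: The backslash continuations added to the `curl` and `php` lines inside the `job: >` folded scalar do not act as shell continuations: lines at the scalar's base indent are folded to single spaces, so each `\` survives as `\ ` and the following word (the URL, `tag=`, `-d`) reaches cron behind an escaped space, while more-indented lines would keep their newlines and produce a multi-line crontab entry that cron cannot parse. Either way the command cron executes differs from what the hunk reads as; the task's keyword list starts and ends outside this hunk. Drop the backslashes and quote the URL so the unquoted `&` is not taken by `/bin/sh` as a background operator (unless `ssp_mod_cron_url` already carries its own quoting): `curl -k --silent -m {{ ssp_mod_cron_job_max_execution_time }} "{{ ssp_mod_cron_url }}?key={{ ssp_mod_cron_secret }}&tag={{ item.tag }}"`, and put the `php` invocation back on one line likewise. Since `ssp_mod_cron_secret` is part of the job string, `no_log: true` on this task keeps it out of the play output.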
@@ -270,55 +296,55 @@ month: "{{ item.month | default(omit) }}" with_items: "{{ ssp_mod_cron_entries }}" when: "'cron' in ssp_mods_enabled" - become: yes + become: true tags: - ssp:config:mods - ssp:config:mods:cron - ssp:config:mods:metarefresh - name: Configure SSP cron job variables - cronvar: + community.general.cronvar: name: "{{ item.name }}" value: "{{ item.value }}" cron_file: "{{ item.file }}" with_items: "{{ ssp_mod_cron_vars }}" when: "'cron' in ssp_mods_enabled" - become: yes + become: true tags: - ssp:config:mods - ssp:config:mods:cron - ssp:config:mods:metarefresh - name: Configure SSP discopower module - template: + ansible.builtin.template: src: "{{ item }}" dest: "{{ ssp_configdir }}/module_discopower.php" - backup: yes - force: yes + backup: true + force: true + mode: "0644" with_first_found: - - "config/module_discopower-{{ ssp_major_version }}.{{ ssp_minor_version }}.php.j2" - - "config/module_discopower-{{ ssp_major_version }}.php.j2" - - "config/module_discopower.php.j2" + - config/module_discopower-{{ ssp_major_version }}.{{ ssp_minor_version }}.php.j2 + - config/module_discopower-{{ ssp_major_version }}.php.j2 + - config/module_discopower.php.j2 when: "'discopower' in ssp_mods_enabled" - become: yes + become: true tags: - ssp:config:mods - ssp:config:mods:discopower - name: Update SSP discopower module dictionary definitions - template: + ansible.builtin.template: src: "{{ item }}" dest: "{{ ssp_path }}/modules/discopower/dictionaries/tabs.definition.json" - backup: yes - force: yes + backup: true + force: true + mode: "0644" with_first_found: - - "modules/discopower/dictionaries/tabs.definition-{{ ssp_major_version }}.{{ ssp_minor_version }}.json.j2" - - "modules/discopower/dictionaries/tabs.definition-{{ ssp_major_version }}.json.j2" - - "modules/discopower/dictionaries/tabs.definition.json.j2" + - modules/discopower/dictionaries/tabs.definition-{{ ssp_major_version }}.{{ ssp_minor_version }}.json.j2 + - 
modules/discopower/dictionaries/tabs.definition-{{ ssp_major_version }}.json.j2 + - modules/discopower/dictionaries/tabs.definition.json.j2 when: "'discopower' in ssp_mods_enabled and ssp_mod_discopower_dictionaries is defined" - become: yes + become: true tags: - ssp:config:mods - ssp:config:mods:discopower - - diff --git a/roles/ssp/tasks/configure-saml20-idp-hosted.yml b/roles/ssp/tasks/configure-saml20-idp-hosted.yml index 351df897..0504579f 100644 --- a/roles/ssp/tasks/configure-saml20-idp-hosted.yml +++ b/roles/ssp/tasks/configure-saml20-idp-hosted.yml @@ -1,15 +1,15 @@ --- - - name: Configure SSP hosted SAML 2.0 IdP metadata - template: + ansible.builtin.template: src: "{{ item }}" dest: "{{ ssp_metadatadir }}/saml20-idp-hosted.php" - backup: yes - force: yes + backup: true + force: true + mode: "0600" with_first_found: - - "metadata/saml20-idp-hosted-{{ ssp_major_version }}.{{ ssp_minor_version }}.php.j2" - - "metadata/saml20-idp-hosted-{{ ssp_major_version }}.php.j2" - - "metadata/saml20-idp-hosted.php.j2" - become: yes + - metadata/saml20-idp-hosted-{{ ssp_major_version }}.{{ ssp_minor_version }}.php.j2 + - metadata/saml20-idp-hosted-{{ ssp_major_version }}.php.j2 + - metadata/saml20-idp-hosted.php.j2 + become: true tags: - ssp:config:saml20-idp-hosted diff --git a/roles/ssp/tasks/configure-shib13-idp-hosted.yml b/roles/ssp/tasks/configure-shib13-idp-hosted.yml index 65d8de14..305cdcf7 100644 --- a/roles/ssp/tasks/configure-shib13-idp-hosted.yml +++ b/roles/ssp/tasks/configure-shib13-idp-hosted.yml 
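Review bot: `mode: "0600"` on the saml20-idp-hosted.php template is applied under `become: true` with no `owner`/`group`, so on a clean install the rendered file is root-owned and unreadable by `{{ ssp_webuser }}`; as far as I recall the template module keeps an existing file's owner, which would hide the problem until a fresh host is built. The shib13-idp-hosted.yml hunk below has the same issue. The certificate tasks in configure-common.yml already set `owner: "{{ ssp_webuser }}"` and `group: "{{ ssp_webgroup }}"`, so add the same two keys next to `mode` in both tasks, or use `mode: "0640"` with `group: "{{ ssp_webgroup }}"` if root should keep ownership.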
@@ -1,15 +1,15 @@ --- - - name: Configure SSP hosted SAML 1.1 IdP metadata - template: + ansible.builtin.template: src: "{{ item }}" dest: "{{ ssp_metadatadir }}/shib13-idp-hosted.php" - backup: yes - force: yes + backup: true + force: true + mode: "0600" with_first_found: - - "metadata/shib13-idp-hosted-{{ ssp_major_version }}.{{ ssp_minor_version }}.php.j2" - - "metadata/shib13-idp-hosted-{{ ssp_major_version }}.php.j2" - - "metadata/shib13-idp-hosted.php.j2" - become: yes + - metadata/shib13-idp-hosted-{{ ssp_major_version }}.{{ ssp_minor_version }}.php.j2 + - metadata/shib13-idp-hosted-{{ ssp_major_version }}.php.j2 + - metadata/shib13-idp-hosted.php.j2 + become: true tags: - ssp:config:shib13-idp-hosted diff --git a/roles/ssp/tasks/install-Debian.yml b/roles/ssp/tasks/install-Debian.yml index 9c06cb38..e0eaa5d4 100644 --- a/roles/ssp/tasks/install-Debian.yml +++ b/roles/ssp/tasks/install-Debian.yml 
@@ -1,25 +1,29 @@ --- - - name: Update package cache (Debian) - apt: update_cache=yes cache_valid_time=86400 - become: yes + ansible.builtin.apt: + update_cache: "yes" + cache_valid_time: "86400" + become: true - name: Ensure latest CA certificates are installed (Debian) - apt: pkg=ca-certificates state=latest install_recommends=no + ansible.builtin.apt: + pkg: ca-certificates + state: present + install_recommends: "no" become: true - name: Ensure SSP cron module dependencies are installed (Debian) - apt: + ansible.builtin.apt: pkg: "{{ ssp_mod_cron_deps }}" state: present - install_recommends: no + install_recommends: false when: "'cron' in ssp_mods_enabled" become: true -#- name: Ensure memcached dependencies are installed (Debian) -# apt: pkg={{ item }} state=present install_recommends=no -# with_items: "{{ ssp_memcache_deps }}" -# when: "ssp_store_type is defined and ssp_store_type == 'memcache'" -# become: true -# notify: -# - restart webserver +# - name: Ensure memcached dependencies are installed (Debian) +# apt: pkg={{ item }} state=present install_recommends=no +# with_items: "{{ ssp_memcache_deps }}" +# when: "ssp_store_type is defined and ssp_store_type == 'memcache'" +# become: true +# notify: +# - restart webserver diff --git a/roles/ssp/tasks/install-RedHat.yml b/roles/ssp/tasks/install-RedHat.yml index 4cd74b65..d0650879 100644 --- a/roles/ssp/tasks/install-RedHat.yml +++ b/roles/ssp/tasks/install-RedHat.yml 
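Review bot: The task name `Ensure latest CA certificates are installed (Debian)` no longer matches its body now that `state: latest` became `state: present`, and the same mismatch appears in the install-RedHat.yml hunk below; either rename it to `Ensure CA certificates are installed (Debian)` or keep `latest` if refreshing the trust store on every run is the intent, which for a CA bundle is a defensible choice. In the same file `update_cache: "yes"`, `cache_valid_time: "86400"` and `install_recommends: "no"` are quoted strings while the cron-deps task a few lines down uses `install_recommends: false`; the apt module coerces them, but `update_cache: true`, `cache_valid_time: 86400`, `install_recommends: false` keeps the file consistent and the booleans readable as booleans.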
@@ -1,24 +1,23 @@ --- - - name: Ensure latest CA certificates are installed (RedHat) - yum: + ansible.builtin.yum: name: ca-certificates - state: latest + state: present become: true - name: Ensure SSP cron module dependencies are installed (RedHat) - yum: + ansible.builtin.yum: name: "{{ ssp_mod_cron_deps }}" state: present when: "'cron' in ssp_mods_enabled" become: true -#- name: Ensure memcached dependencies are installed (RedHat) -# yum: -# name: "{{ item }}" -# state: present -# with_items: "{{ ssp_memcache_deps }}" -# when: "ssp_store_type is defined and ssp_store_type == 'memcache'" -# become: true -# notify: -# - restart webserver +# - name: Ensure memcached dependencies are installed (RedHat) +# yum: +# name: "{{ item }}" +# state: present +# with_items: "{{ ssp_memcache_deps }}" +# when: "ssp_store_type is defined and ssp_store_type == 'memcache'" +# become: true +# notify: +# - restart webserver diff --git a/roles/ssp/tasks/install-common.yml b/roles/ssp/tasks/install-common.yml index f17dc7ed..78f30cfd 100644 --- a/roles/ssp/tasks/install-common.yml +++ b/roles/ssp/tasks/install-common.yml 
@@ -1,59 +1,72 @@ --- - -- include_tasks: install-release.yml +- name: Include Release Tasks + ansible.builtin.include_tasks: install-release.yml when: ssp_release_url is defined tags: - ssp:install -- include_tasks: install-source.yml +- name: Include source install tasks + ansible.builtin.include_tasks: install-source.yml when: ssp_release_url is not defined tags: - ssp:install - name: Update symbolic link to SSP - file: + ansible.builtin.file: src: "{{ ssp_path }}/{{ 'public' if ssp_major_version == '2' else 'www' }}/" dest: "{{ ssp_www_path }}" state: link - become: yes + become: true tags: - ssp:install -- include_tasks: twig.yml - when: (ssp_twig_install is defined) and (ssp_twig_install|bool == True) +- name: Include Twig tasks + ansible.builtin.include_tasks: twig.yml + when: (ssp_twig_install is defined) and (ssp_twig_install | bool) - name: Ensure SSP config dir exists - file: path={{ ssp_configdir }} state=directory - become: yes + ansible.builtin.file: + path: "{{ ssp_configdir }}" + state: directory + mode: "0750" + become: true tags: - ssp:install - name: Ensure SSP logging dir exists - file: + ansible.builtin.file: state: directory path: "{{ ssp_loggingdir }}" owner: "{{ ssp_webuser }}" group: "{{ ssp_webgroup }}" mode: "0750" - become: yes + become: true tags: - ssp:install - name: Ensure SSP data dir exists - file: path={{ ssp_datadir }} state=directory - become: yes + ansible.builtin.file: + path: "{{ ssp_datadir }}" + state: directory + mode: "0750" + become: true tags: - ssp:install - name: Ensure SSP metadata dir exists - file: path={{ ssp_metadatadir }} state=directory - become: yes + ansible.builtin.file: + path: "{{ ssp_metadatadir }}" + state: directory + mode: "0750" + become: true tags: - ssp:install - name: Ensure SSP cert dir exists - file: path={{ ssp_certdir }} state=directory - become: yes + ansible.builtin.file: + path: "{{ ssp_certdir }}" + state: directory + mode: "0750" + become: true tags: - ssp:install - 
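Review bot: The new `mode: "0750"` on the config, data, metadata and cert directory tasks is applied under `become: true` without `owner`/`group`, so on a fresh host these directories are created root-owned with no traverse permission for `{{ ssp_webuser }}`, whereas the previous `state=directory` form left them at the umask default; only the logging-dir task sets owner and group. Unless the web server runs as root or the directories are re-owned elsewhere in the role, add `owner: "{{ ssp_webuser }}"` and `group: "{{ ssp_webgroup }}"` to each of the four tasks, or at least `group: "{{ ssp_webgroup }}"` so that 0750 grants the web group access while root keeps ownership.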
diff --git a/roles/ssp/tasks/install-release.yml b/roles/ssp/tasks/install-release.yml index 26b21eac..a8e092bd 100644 --- a/roles/ssp/tasks/install-release.yml +++ b/roles/ssp/tasks/install-release.yml @@ -1,47 +1,47 @@ --- - - name: Check if SSP path exists - stat: + ansible.builtin.stat: path: "{{ ssp_path }}" register: release_downloaded tags: - ssp:install:release -- block: - +- name: SSP Install + when: not release_downloaded.stat.exists + become: true + tags: + - ssp:install:release + block: - name: Create temp SSP installation directory - tempfile: + ansible.builtin.tempfile: state: directory register: ssp_basepath - name: Download and unarchive SSP release into temp installation directory - unarchive: + ansible.builtin.unarchive: src: "{{ ssp_release_url }}" dest: "{{ ssp_basepath.path }}/" - owner: "root" - group: "root" + owner: root + group: root list_files: true remote_src: true - name: Ensure SSP path exists - file: + ansible.builtin.file: path: "{{ ssp_path }}" state: directory - owner: "root" - group: "root" + owner: root + group: root + mode: "0750" - name: Copy release to SSP path - copy: + ansible.builtin.copy: src: "{{ ssp_basepath.path }}/{{ ssp_repo_version }}/" dest: "{{ ssp_path }}" remote_src: true + mode: "0600" - name: Remove temp SSP installation directory - file: + ansible.builtin.file: path: "{{ ssp_basepath.path }}" state: absent - - when: release_downloaded.stat.exists == False - become: yes - tags: - - ssp:install:release \ No newline at end of file diff --git a/roles/ssp/tasks/install-source.yml b/roles/ssp/tasks/install-source.yml index 69eec8d1..5ffb59cf 100644 --- a/roles/ssp/tasks/install-source.yml +++ b/roles/ssp/tasks/install-source.yml 
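Review bot: `mode: "0600"` on the `Copy release to SSP path` task applies to every file copied from the release tree, under `become: true` with `owner: root`, so the PHP sources (and, depending on how the copy module treats directories for a `remote_src` tree, the subdirectories) end up root-only and the web server cannot serve them; `ssp_path` itself also gets `0750` root:root in the task above. Unless a later task re-owns the tree, use a readable mode here, e.g. `mode: "0644"` on the copy and `group: "{{ ssp_webgroup }}"` on both tasks, keeping 0600 for the key material handled in configure-common.yml. Separately, the directory from `tempfile` is only removed if `unarchive` and `copy` succeed; an `always:` section on the block would stop failed runs from leaving release copies under /tmp.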
@@ -1,23 +1,23 @@ --- - - name: Checkout SSP source - git: + ansible.builtin.git: repo: "{{ ssp_repo_url }}" dest: "{{ ssp_path }}" version: "{{ ssp_repo_version }}" - accept_hostkey: yes - force: no - update: no - become: yes + accept_hostkey: true + force: false + update: false + become: true when: ssp_release_file is not defined tags: - ssp:install:source -- include_tasks: composer.yml - when: (ssp_composer_install is defined) and (ssp_composer_install|bool == True) +- name: Include composer tasks + ansible.builtin.include_tasks: composer.yml + when: (ssp_composer_install is defined) and (ssp_composer_install | bool) - name: Install/Update SimplesamlPHP - composer: + community.general.composer: command: update working_dir: "{{ ssp_path }}" composer_executable: "{{ ssp_composer_executable }}" @@ -25,4 +25,4 @@ no_scripts: true become: true tags: - - ssp:install:source \ No newline at end of file + - ssp:install:source diff --git a/roles/ssp/tasks/main.yml b/roles/ssp/tasks/main.yml index ae60ccc2..727711aa 100644 --- a/roles/ssp/tasks/main.yml +++ b/roles/ssp/tasks/main.yml 
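Review bot: `accept_hostkey: true` on the `Checkout SSP source` git task is carried over from the old code and still makes the first clone trust whatever host key `ssp_repo_url` presents, so an SSH repo URL is unauthenticated on the first run. Seed the key beforehand with `ansible.builtin.known_hosts` from an out-of-band source and set `accept_hostkey: false`, or use an HTTPS `ssp_repo_url` where TLS provides the authentication. The `Install/Update SimplesamlPHP` task, which is cut by the hunk boundary, runs `command: update`; if the checked-out tree ships a `composer.lock`, `command: install` gives a reproducible dependency set instead of re-resolving on every run.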
@@ -1,94 +1,96 @@ --- - name: Include OS-specific variables - include_vars: "{{ item }}" + ansible.builtin.include_vars: "{{ item }}" with_first_found: - - "{{ ansible_distribution }}-{{ ansible_distribution_release}}.yml" - - "{{ ansible_distribution }}-{{ ansible_distribution_major_version}}.yml" + - "{{ ansible_distribution }}-{{ ansible_distribution_release }}.yml" + - "{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml" - "{{ ansible_distribution }}.yml" - "{{ ansible_os_family }}.yml" tags: - always -- block: +- name: Set SSP facts + tags: + - always + block: - name: Split SSP version string into parts - set_fact: + ansible.builtin.set_fact: ssp_version_parts: "{{ ssp_version.split('.') }}" - name: Define SSP major version number - set_fact: + ansible.builtin.set_fact: ssp_major_version: "{{ ssp_version_parts[0] }}" tags: - always - name: Define SSP minor version number - set_fact: + ansible.builtin.set_fact: ssp_minor_version: "{{ ssp_version_parts[1] }}" tags: - always - name: Define SSP patch version number only when specified in version string - set_fact: + ansible.builtin.set_fact: ssp_patch_version: "{{ ssp_version_parts[2] | default(omit) }}" - tags: - - always - name: Include SSP-specific variables - include_vars: "{{ item }}" + ansible.builtin.include_vars: "{{ item }}" with_first_found: - - "ssp-{{ ssp_major_version }}.{{ ssp_minor_version }}.yml" - - "ssp-{{ ssp_major_version }}.yml" - ignore_errors: yes + - ssp-{{ ssp_major_version }}.{{ ssp_minor_version }}.yml + - ssp-{{ ssp_major_version }}.yml + failed_when: false # noqa ignore-errors tags: - always - name: Define SSP web server - set_fact: + ansible.builtin.set_fact: ssp_webserver: "{{ ssp_default_webserver }}" when: ssp_webserver is not defined tags: - always - name: Define SSP web user - set_fact: + ansible.builtin.set_fact: ssp_webuser: "{{ ssp_default_webuser }}" when: ssp_webuser is not defined tags: - always - name: Define SSP web group - set_fact: + 
ansible.builtin.set_fact: ssp_webgroup: "{{ ssp_default_webgroup }}" when: ssp_webgroup is not defined tags: - always - name: Define SSP cron module dependencies - set_fact: + ansible.builtin.set_fact: ssp_mod_cron_deps: "{{ ssp_default_mod_cron_deps | list }}" when: ssp_mod_cron_deps is not defined tags: - always - - name: Define SSP path - set_fact: + ansible.builtin.set_fact: ssp_path: "{{ ssp_path }}-{{ ssp_version_suffix }}" when: ssp_version_suffix is defined and ssp_version_suffix != "" tags: - always -# Install OS-specific packages -- include: install-Debian.yml +- name: Install Debian packages + ansible.builtin.include_tasks: install-Debian.yml when: ansible_os_family == 'Debian' -- include: install-RedHat.yml + +- name: Install Redhat packages + ansible.builtin.include_tasks: install-RedHat.yml when: ansible_os_family == 'RedHat' -# Run OS-independent installation tasks -- include: install-common.yml +- name: Run OS-independent installation tasks + ansible.builtin.include_tasks: install-common.yml tags: - install - ssp:install -# Apply OS-independent configuration -- include: configure-common.yml +- name: Apply OS-independent configuration + ansible.builtin.include_tasks: configure-common.yml tags: - config - ssp:config diff --git a/roles/ssp/tasks/twig.yml b/roles/ssp/tasks/twig.yml index 4fa11d9a..4ce481cc 100644 --- a/roles/ssp/tasks/twig.yml +++ b/roles/ssp/tasks/twig.yml 
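Review bot: Replacing the legacy `include` with `ansible.builtin.include_tasks` for install-common.yml and configure-common.yml changes how `tags` behave: on a dynamic include the tags gate only the include statement and, if I read the Ansible semantics right, are not inherited by the tasks in the file, so `--tags config` (or `install`) now runs the include and then skips every contained task that does not itself carry that tag — the configure tasks only carry `ssp:config:*` sub-tags. The Debian/RedHat includes likewise lose tag coverage, and the tomcat main.yml hunk further down has the same pattern, where the `never`/`tomcat:deploy` include would no longer reach the untagged deploy-webapp tasks. Use `ansible.builtin.import_tasks: configure-common.yml` (a static import keeps tag inheritance and still honours `when`), or add an `apply:` block with the same tags to each `include_tasks`.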
@@ -1,85 +1,92 @@ --- - ## Node Version Manager (nvm) | Installing and Updating ### http://nvm.sh ### https://github.com/nvm-sh/nvm#installing-and-updating ### https://github.com/nvm-sh/nvm#ansible -- name: Install Node Version Manager (nvm) - shell: "curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.37.2/install.sh | bash" +- name: Install Node Version Manager (nvm) # noqa command-instead-of-module + ansible.builtin.shell: + executable: /bin/bash + cmd: | + set -o pipefaile + curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.37.2/install.sh | bash args: creates: "{{ ansible_env.HOME }}/.nvm/nvm.sh" - when: ssp_twig_template | default(False) | bool == True + when: ssp_twig_template | default(False) | bool tags: - ssp:install - ssp:install:install_nvm - ssp:install:ssp_twig_template - name: Install Node.js v14.15.1 - shell: "source {{ ansible_env.HOME }}/.nvm/nvm.sh && nvm install v14.15.1" + ansible.builtin.shell: source {{ ansible_env.HOME }}/.nvm/nvm.sh && nvm install v14.15.1 args: executable: /bin/bash register: v14 changed_when: v14 is changed and "is already installed" not in v14.stderr - when: ssp_twig_template | default(False) | bool == True + when: ssp_twig_template | default(False) | bool tags: - ssp:install - ssp:install:install_nvm - install_node_14 - ssp:install:ssp_twig_template -- name: npm install - shell: "source {{ ansible_env.HOME }}/.nvm/nvm.sh && nvm use v14.15.1 && npm install --unsafe-perm=true --allow-root" +- name: Npm install + ansible.builtin.shell: source {{ ansible_env.HOME }}/.nvm/nvm.sh && nvm use v14.15.1 && npm install --unsafe-perm=true --allow-root args: chdir: "{{ ssp_path }}/" executable: /bin/bash register: npm_install_results changed_when: npm_install_results is changed and "added" in npm_install_results.stdout - when: ssp_twig_template | default(False) | bool == True + when: ssp_twig_template | default(False) | bool become: true tags: - ssp:install - ssp:install:ssp_twig_template -- name: npm audit fix - shell: 
"source {{ ansible_env.HOME }}/.nvm/nvm.sh && nvm use v14.15.1 && npm audit fix" +- name: Npm audit fix + ansible.builtin.shell: source {{ ansible_env.HOME }}/.nvm/nvm.sh && nvm use v14.15.1 && npm audit fix args: chdir: "{{ ssp_path }}/" executable: /bin/bash - when: ssp_twig_template | default(False) | bool == True + when: ssp_twig_template | default(False) | bool become: true tags: - ssp:install - ssp:install:ssp_twig_template + changed_when: false -- name: npm run build (1/3) - shell: "source {{ ansible_env.HOME }}/.nvm/nvm.sh && nvm use v14.15.1 && node scripts/install.js" +- name: Npm run build (1/3) + ansible.builtin.shell: source {{ ansible_env.HOME }}/.nvm/nvm.sh && nvm use v14.15.1 && node scripts/install.js args: chdir: "{{ ssp_path }}/node_modules/node-sass/" executable: /bin/bash - when: ssp_twig_template | default(False) | bool == True + when: ssp_twig_template | default(False) | bool become: true tags: - ssp:install - ssp:install:ssp_twig_template + changed_when: false -- name: npm run build (2/3) - shell: "source {{ ansible_env.HOME }}/.nvm/nvm.sh && nvm use v14.15.1 && node scripts/build.js" +- name: Npm run build (2/3) + ansible.builtin.shell: source {{ ansible_env.HOME }}/.nvm/nvm.sh && nvm use v14.15.1 && node scripts/build.js args: chdir: "{{ ssp_path }}/node_modules/node-sass/" executable: /bin/bash - when: ssp_twig_template | default(False) | bool == True + when: ssp_twig_template | default(False) | bool become: true tags: - ssp:install - ssp:install:ssp_twig_template + changed_when: false -- name: npm run build (3/3) - shell: "source {{ ansible_env.HOME }}/.nvm/nvm.sh && nvm use v14.15.1 && npm run build" +- name: Npm run build (3/3) + ansible.builtin.shell: source {{ ansible_env.HOME }}/.nvm/nvm.sh && nvm use v14.15.1 && npm run build args: chdir: "{{ ssp_path }}/" executable: /bin/bash - when: ssp_twig_template | default(False) | bool == True + when: ssp_twig_template | default(False) | bool become: true tags: - ssp:install - - 
ssp:install:ssp_twig_template \ No newline at end of file + - ssp:install:ssp_twig_template + changed_when: false diff --git a/roles/ssp/templates/config/module_discopower-1.14.php.j2 b/roles/ssp/templates/config/module_discopower-1.14.php.j2 index 6e91dba2..6581e1af 100644 --- a/roles/ssp/templates/config/module_discopower-1.14.php.j2 +++ b/roles/ssp/templates/config/module_discopower-1.14.php.j2 @@ -1,5 +1,5 @@ 'suggest', + 'score' => 'suggest', {% endif %} /* * The domain to use for common domain cookie support. @@ -49,4 +49,4 @@ $config = array ( ); -?> \ No newline at end of file +?> diff --git a/roles/ssp/templates/config/module_discopower-1.17.php.j2 b/roles/ssp/templates/config/module_discopower-1.17.php.j2 index 5d583c49..f26281da 100644 --- a/roles/ssp/templates/config/module_discopower-1.17.php.j2 +++ b/roles/ssp/templates/config/module_discopower-1.17.php.j2 
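Review bot: `set -o pipefaile` in the nvm install step is a typo: bash rejects the unknown option name with a non-zero status but, in its default non-POSIX mode and without `-e`, carries on to the `curl … | bash` pipe, so the intended pipefail protection is never active and a failed download still reports success. Change it to `set -o pipefail`, and consider `set -eo pipefail` so an option error would itself abort the step. The install script is fetched and executed in one pipe with no integrity check; downloading it with `ansible.builtin.get_url` using `checksum: sha256:<expected-digest-placeholder>` and running the local copy would make the pinned v0.37.2 script verifiable rather than trusted on arrival. `npm audit fix` also rewrites package files yet is marked `changed_when: false`, which hides a real change from the play summary.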
@@ -1,6 +1,6 @@ - + "{{ inventory_dir }}/files/get_gh_asset_id.sh \ + {{ webapp_github_repo }} \ + {{ webapp_github_repo_token }} \ + {{ webapp_github_release_version }} \ + {{ webapp_github_release_file }}" register: github_asset_id -- name: Ensure WAR file is downloaded - command: wget -q --auth-no-challenge --header="Accept:application/octet-stream" "https://{{ webapp_github_repo_token }}:@api.github.com/repos/{{ webapp_github_repo }}/releases/assets/{{ github_asset_id.stdout }}" -O "{{ webapp_file }}_{{ webapp_github_release_version }}" - args: - chdir: "{{ webapp_download_path }}/" - creates: "{{ webapp_file }}_{{ webapp_github_release_version }}" +# Replaced by get_url below +# - name: Ensure WAR file is downloaded +# ansible.builtin.command: wget \ + # -q --auth-no-challenge \ + # --header="Accept:application/octet-stream" \ + # "https://{{ webapp_github_repo_token }}:@api.github.com/repos/{{ webapp_github_repo }}/releases/assets/{{ github_asset_id.stdout }}" \ + # -O "{{ webapp_file }}_{{ webapp_github_release_version }}" +# args: +# chdir: "{{ webapp_download_path }}/" +# creates: "{{ webapp_file }}_{{ webapp_github_release_version }}" +# become: true + +- name: Ensure WAR file + ansible.builtin.get_url: + url: "https://api.github.com/repos/{{ webapp_github_repo }}/releases/assets/{{ github_asset_id.stdout }}" + dest: "{{ webapp_download_path }}/{{ webapp_file }}_{{ webapp_github_release_version }}" + headers: + Accept: application/octet-stream + Authorization: "Bearer {{ webapp_github_repo_token }}" + mode: "0644" become: true - name: Check that WAR file has been deployed - stat: + ansible.builtin.stat: path: "{{ webapp_path }}/{{ webapp_file }}" register: webapp_file_status become: true - name: Deploy WAR file when WAR file has not been deployed - copy: + ansible.builtin.copy: src: "{{ webapp_download_path }}/{{ webapp_file }}_{{ webapp_github_release_version }}" dest: "{{ webapp_path }}/{{ webapp_file }}" remote_src: true - when: 
webapp_file_status.stat.exists == False + mode: "0644" + when: not webapp_file_status.stat.exists become: true - name: Calculate checksum of deployed WAR file - stat: + ansible.builtin.stat: path: "{{ webapp_path }}/{{ webapp_file }}" checksum_algorithm: sha256 get_checksum: true register: webapp_file_checksum_old - when: webapp_file_status.stat.exists == True + when: webapp_file_status.stat.exists become: true - name: Calculate checksum of downloaded WAR file - stat: + ansible.builtin.stat: path: "{{ webapp_download_path }}/{{ webapp_file }}_{{ webapp_github_release_version }}" checksum_algorithm: sha256 get_checksum: true register: webapp_file_checksum_new - when: webapp_file_status.stat.exists == True + when: webapp_file_status.stat.exists become: true - name: Ensure Tomcat is stopped - service: + ansible.builtin.service: name: "{{ tomcat_service }}" - state: "stopped" - when: webapp_file_status.stat.exists == True and webapp_file_checksum_old.stat.checksum != webapp_file_checksum_new.stat.checksum + state: stopped + when: webapp_file_status.stat.exists and webapp_file_checksum_old.stat.checksum != webapp_file_checksum_new.stat.checksum become: true - name: Ensure previous WAR file is deleted - file: + ansible.builtin.file: path: "{{ webapp_path }}/{{ webapp_file }}" state: absent - when: webapp_file_status.stat.exists == True and webapp_file_checksum_old.stat.checksum != webapp_file_checksum_new.stat.checksum + when: webapp_file_status.stat.exists and webapp_file_checksum_old.stat.checksum != webapp_file_checksum_new.stat.checksum become: true - name: Ensure previous WAR directory is deleted - file: + ansible.builtin.file: path: "{{ webapp_path }}/{{ webapp_context_path }}" state: absent - when: webapp_file_status.stat.exists == True and webapp_file_checksum_old.stat.checksum != webapp_file_checksum_new.stat.checksum + when: webapp_file_status.stat.exists and webapp_file_checksum_old.stat.checksum != webapp_file_checksum_new.stat.checksum become: true - name: 
Deploy new version of WAR file - copy: + ansible.builtin.copy: src: "{{ webapp_download_path }}/{{ webapp_file }}_{{ webapp_github_release_version }}" dest: "{{ webapp_path }}/{{ webapp_file }}" + mode: "0644" remote_src: true - when: webapp_file_status.stat.exists == True and webapp_file_checksum_old.stat.checksum != webapp_file_checksum_new.stat.checksum + when: webapp_file_status.stat.exists and webapp_file_checksum_old.stat.checksum != webapp_file_checksum_new.stat.checksum become: true - name: Ensure Tomcat is started - service: + ansible.builtin.service: name: "{{ tomcat_service }}" state: "started" - when: webapp_file_status.stat.exists == True and webapp_file_checksum_old.stat.checksum != webapp_file_checksum_new.stat.checksum + when: webapp_file_status.stat.exists and webapp_file_checksum_old.stat.checksum != webapp_file_checksum_new.stat.checksum become: true diff --git a/roles/tomcat/tasks/install-Debian.yml b/roles/tomcat/tasks/install-Debian.yml index a3c460fb..0a8b97f5 100644 --- a/roles/tomcat/tasks/install-Debian.yml +++ b/roles/tomcat/tasks/install-Debian.yml @@ -1,12 +1,11 @@ # file: tomcat/tasks/install-Debian.yml # --- - - name: Ensure Tomcat is installed (Debian) - apt: + ansible.builtin.apt: name: "{{ tomcat_package }}" state: present - update_cache: yes + update_cache: true cache_valid_time: 86400 - install_recommends: no - become: yes + install_recommends: false + become: true diff --git a/roles/tomcat/tasks/main.yml b/roles/tomcat/tasks/main.yml index b0899cdd..ef8ab3ac 100644 --- a/roles/tomcat/tasks/main.yml +++ b/roles/tomcat/tasks/main.yml 
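Review bot: The asset-id lookup passes `{{ webapp_github_repo_token }}` as a command-line argument to get_gh_asset_id.sh, and neither that task nor the following `get_url` task (which sends the token in an `Authorization: Bearer` header) sets `no_log: true`, so the token is visible in the host's process list while the script runs and in any verbose or logged Ansible output. Add `no_log: true` to both tasks and hand the token to the script through `environment:` rather than argv; the hunk header is garbled in this rendering and the command task begins above what is shown. The commented-out wget block still embeds the token in the URL; since it has been replaced, delete it rather than keep a template of the insecure form.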
@@ -1,70 +1,70 @@ # file: tomcat/tasks/main.yml # --- - - name: Include OS-specific variables - include_vars: "{{ item }}" + ansible.builtin.include_vars: "{{ item }}" with_first_found: - - "{{ ansible_distribution }}-{{ ansible_distribution_release}}.yml" - - "{{ ansible_distribution }}-{{ ansible_distribution_major_version}}.yml" + - "{{ ansible_distribution }}-{{ ansible_distribution_release }}.yml" + - "{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml" - "{{ ansible_distribution }}.yml" - "{{ ansible_os_family }}.yml" tags: - always - name: Define tomcat version - set_fact: + ansible.builtin.set_fact: tomcat_version: "{{ tomcat_default_version }}" when: tomcat_version is not defined tags: - always - name: Define tomcat package name - set_fact: + ansible.builtin.set_fact: tomcat_package: "{{ tomcat_default_package }}" when: tomcat_package is not defined tags: - always - name: Define tomcat service name - set_fact: + ansible.builtin.set_fact: tomcat_service: "{{ tomcat_default_service }}" when: tomcat_service is not defined tags: - always - name: Define tomcat configuration path - set_fact: + ansible.builtin.set_fact: tomcat_conf_path: "{{ tomcat_default_conf_path }}" when: tomcat_conf_path is not defined tags: - always - name: Define tomcat JAVA_HOME - set_fact: + ansible.builtin.set_fact: tomcat_java_home: "{{ tomcat_default_java_home }}" when: tomcat_java_home is not defined tags: - always -# Install OS-specific packages -- include: install-Debian.yml +- name: Install OS-specific packages + ansible.builtin.include_tasks: install-Debian.yml when: ansible_os_family == 'Debian' -#- include: install-CentOS.yml -# when: ansible_os_family == 'CentOS' -# Apply OS-independent configuration -- include: configure-common.yml +# - include: install-CentOS.yml +# when: ansible_os_family == 'CentOS' + +- name: Apply OS-independent configuration + ansible.builtin.include_tasks: configure-common.yml -# Deploy .war file -- include: deploy-webapp.yml +- 
name: Deploy .war file + ansible.builtin.include_tasks: deploy-webapp.yml tags: - never - tomcat:deploy - name: Ensure Tomcat service is started and enabled on boot - service: + ansible.builtin.service: name: "{{ tomcat_service }}" - state: "started" - enabled: yes - become: yes + state: started + enabled: true + become: true diff --git a/roles/tomcat/templates/server-8.5.xml.j2 b/roles/tomcat/templates/server-8.5.xml.j2 index 0a753779..9399d055 100644 --- a/roles/tomcat/templates/server-8.5.xml.j2 +++ b/roles/tomcat/templates/server-8.5.xml.j2 
@@ -72,7 +72,7 @@ Define a non-SSL HTTP/1.1 Connector on port 8080 --> {% for connector in tomcat_connectors %} - {% for connector in tomcat_connectors %} - {% for connector in tomcat_connectors %} - - + cp -p config/PLACEHOLDER/secrets_env.yml.PLACEHOLDER + "{{ path_of_secrets_generator_file }}/{{ secrets_generator_file }}" + when: not secrets_file.stat.exists + changed_when: false # TODO determine change conditions + + - name: "Set permissions of {{ path_of_secrets_generator_file }}/{{ secrets_generator_file }}" # noqa name[template] + ansible.builtin.file: path: "{{ path_of_secrets_generator_file }}/{{ secrets_generator_file }}" state: file - mode: 0600 - when: secrets_file.stat.exists == False - + mode: "0600" + when: not secrets_file.stat.exists - name: Generate self-signed SP certificates - command : "openssl req -newkey rsa:2048 -new -x509 -days 3652 -subj \"/CN={{ rciam_hostname }}\" -nodes -out sp-{{ item.name }}.crt -keyout sp-{{ item.name }}.key" + ansible.builtin.command: >- + openssl req \ + -newkey rsa:2048 \ + -new -x509 \ + -days 3652 \ + -subj "/CN={{ rciam_hostname }}" \ + -nodes \ + -out "sp-{{ item.name }}.crt" \ + -keyout "sp-{{ item.name }}.key" args: chdir: config/PLACEHOLDER/ no_log: true register: new_sp_certificate with_items: "{{ ssp_authsources_saml }}" - when: secrets_file.stat.exists == False + when: not secrets_file.stat.exists + changed_when: false + # TODO - use community.pki - name: Generate self-signed IdP certificates - command : "openssl req -newkey rsa:2048 -new -x509 -days 3652 -subj \"/CN={{ rciam_hostname }}\" -nodes -out idp-{{ item.entity_id }}.crt -keyout idp-{{ item.entity_id }}.key" + ansible.builtin.command: >- + openssl req \ + -newkey rsa:2048 \ + -new -x509 \ + -days 3652 \ + -subj \"/CN={{ rciam_hostname }}\" \ + -nodes \ + -out "idp-{{ item.entity_id }}.crt" \ + -keyout "idp-{{ item.entity_id }}.key" args: chdir: config/PLACEHOLDER/ no_log: true register: new_sp_certificate with_items: "{{ ssp_idp_hosts }}" - 
when: secrets_file.stat.exists == False - - + when: not secrets_file.stat.exists + changed_when: false - name: Fill in random genarated passwords & salts - lineinfile: + ansible.builtin.lineinfile: dest: "{{ path_of_secrets_generator_file }}/{{ secrets_generator_file }}" regexp: "{{ item.regex }}" line: "{{ item.replace_with }}" state: present no_log: true loop: - - { regex: '^ssp_secretsalt: CHANGEME', replace_with: "ssp_secretsalt: \"{{ lookup('password', '/dev/null length=33 chars=ascii_lowercase,digits') }}\"" } - - { regex: '^ssp_adminpassword: CHANGEME', replace_with: "ssp_adminpassword: \"{{ lookup('password', '/dev/null length=15 chars=ascii_lowercase,digits') }}\"" } - - { regex: '^ssp_adminpassword_salt: CHANGEME', replace_with: "ssp_adminpassword_salt: \"{{ lookup('password', '/dev/null length=15 chars=ascii_lowercase,digits') }}\"" } - - { regex: '^ssp_mod_cron_secret: CHANGEME', replace_with: "ssp_mod_cron_secret: \"{{ lookup('password', '/dev/null length=33 chars=ascii_lowercase,digits') }}\"" } - when: secrets_file.stat.exists == False - + - regex: "^ssp_secretsalt: CHANGEME" + replace_with: 'ssp_secretsalt: "{{ lookup(''password'', ''/dev/null length=33 chars=ascii_lowercase,digits'') }}"' + - regex: "^ssp_adminpassword: CHANGEME" + replace_with: 'ssp_adminpassword: "{{ lookup(''password'', ''/dev/null length=15 chars=ascii_lowercase,digits'') }}"' + - regex: "^ssp_adminpassword_salt: CHANGEME" + replace_with: 'ssp_adminpassword_salt: "{{ lookup(''password'', ''/dev/null length=15 chars=ascii_lowercase,digits'') }}"' + - regex: "^ssp_mod_cron_secret: CHANGEME" + replace_with: 'ssp_mod_cron_secret: "{{ lookup(''password'', ''/dev/null length=33 chars=ascii_lowercase,digits'') }}"' + when: not secrets_file.stat.exists - name: Fill in certificate cn - replace: + ansible.builtin.replace: path: "{{ path_of_secrets_generator_file }}/{{ secrets_generator_file }}" regexp: "ssl_certificate_cn: CHANGEME" replace: "ssl_certificate_cn: {{ rciam_hostname }}" - 
when: secrets_file.stat.exists == False - + when: not secrets_file.stat.exists - name: Fill in SP self-signed certificates - lineinfile: + ansible.builtin.lineinfile: dest: "{{ path_of_secrets_generator_file }}/{{ secrets_generator_file }}" regexp: "{{ item.ssl_certificate }}" line: " {{ lookup('file', 'config/PLACEHOLDER/sp-{{ item.name }}.crt') | indent(width=6) }}" state: present with_items: "{{ ssp_authsources_saml }}" - when: secrets_file.stat.exists == False + when: not secrets_file.stat.exists - name: Fill in IdP self-signed certificates - lineinfile: + ansible.builtin.lineinfile: dest: "{{ path_of_secrets_generator_file }}/{{ secrets_generator_file }}" regexp: "{{ item.ssl_certificate }}" line: " {{ lookup('file', 'config/PLACEHOLDER/idp-{{ item.entity_id }}.crt') | indent(width=6) }}" state: present with_items: "{{ ssp_idp_hosts }}" - when: secrets_file.stat.exists == False - + when: not secrets_file.stat.exists - name: Fill in SP self-signed certificate keys - lineinfile: + ansible.builtin.lineinfile: dest: "{{ path_of_secrets_generator_file }}/{{ secrets_generator_file }}" regexp: "{{ item.ssl_certificate_key }}" line: " {{ lookup('file', 'config/PLACEHOLDER/sp-{{ item.name }}.key') | indent(width=6) }}" state: present no_log: true with_items: "{{ vault_ssp_authsources_saml }}" - when: secrets_file.stat.exists == False + when: not secrets_file.stat.exists - name: Fill in IdP self-signed certificate keys - lineinfile: + ansible.builtin.lineinfile: dest: "{{ path_of_secrets_generator_file }}/{{ secrets_generator_file }}" regexp: "{{ item.ssl_certificate_key }}" line: " {{ lookup('file', 'config/PLACEHOLDER/idp-{{ item.entity_id }}.key') | indent(width=6) }}" state: present no_log: true with_items: "{{ vault_ssp_idp_hosts }}" - when: secrets_file.stat.exists == False - + when: not secrets_file.stat.exists - name: Delete SP certificates - file: + ansible.builtin.file: path: "config/PLACEHOLDER/sp-{{ item.name }}.crt" state: absent with_items: "{{ 
ssp_authsources_saml }}" - when: secrets_file.stat.exists == False + when: not secrets_file.stat.exists - name: Delete SP certificate keys - file: + ansible.builtin.file: path: "config/PLACEHOLDER/sp-{{ item.name }}.key" state: absent with_items: "{{ ssp_authsources_saml }}" - when: secrets_file.stat.exists == False + when: not secrets_file.stat.exists - name: Delete IdP certificates - file: + ansible.builtin.file: path: "config/PLACEHOLDER/idp-{{ item.entity_id }}.crt" state: absent with_items: "{{ ssp_idp_hosts }}" - when: secrets_file.stat.exists == False + when: not secrets_file.stat.exists - name: Delete IdP certificate keys - file: + ansible.builtin.file: path: "config/PLACEHOLDER/idp-{{ item.entity_id }}.key" state: absent with_items: "{{ ssp_idp_hosts }}" - when: secrets_file.stat.exists == False - + when: not secrets_file.stat.exists diff --git a/site.yml b/site.yml index a4df2eee..79b78fa9 100644 --- a/site.yml +++ b/site.yml @@ -1,7 +1,9 @@ --- +- name: Deploy Cache Servers + ansible.builtin.import_playbook: cacheservers.yml -- import_playbook: cacheservers.yml +- name: Deploy Auth Servers + ansible.builtin.import_playbook: authservers.yml -- import_playbook: authservers.yml - -- import_playbook: webproxyservers.yml +- name: Deploy Web Proxy servers + ansible.builtin.import_playbook: webproxyservers.yml diff --git a/sspservers.yml b/sspservers.yml index 1f7d67e0..03634ac8 100644 --- a/sspservers.yml +++ b/sspservers.yml @@ -2,7 +2,8 @@ # --- -- hosts: ssp +- name: Deploy SSP + hosts: ssp roles: - { role: apache, tags: apache } - { role: php, tags: php } diff --git a/templates/rciam-sync-client-names/config.py.j2 b/templates/rciam-sync-client-names/config.py.j2 index 6d325ee7..e336d3fc 100644 --- a/templates/rciam-sync-client-names/config.py.j2 +++ b/templates/rciam-sync-client-names/config.py.j2 
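Review bot: The two rewritten `openssl req` commands keep shell-style `\` line continuations inside a `>-` folded scalar, and the IdP variant additionally writes `-subj \"/CN={{ rciam_hostname }}\"`; neither is shell syntax here, because `ansible.builtin.command` does not run through a shell and splits the free-form string with shlex, so each `\` before a folded space should yield a literal leading-space argument (` -newkey`) and the `\"` become literal quote characters in the subject, which openssl should reject. With `no_log: true` on both tasks the error output is hidden, so a broken certificate generation is hard to diagnose. The SP task's `-subj "/CN=…"` form is the right one; drop the backslashes in both commands (folding already joins the lines with spaces) and align the IdP `-subj` with the SP one. The IdP task also reuses `register: new_sp_certificate`, overwriting the SP result; note that this hunk as rendered starts under the server-8.5.xml.j2 header and the file header for these secrets tasks is not visible, so the surrounding block may be cut.
```yaml
- name: Generate self-signed IdP certificates
  ansible.builtin.command: >-
    openssl req
    -newkey rsa:2048
    -new -x509
    -days 3652
    -subj "/CN={{ rciam_hostname }}"
    -nodes
    -out "idp-{{ item.entity_id }}.crt"
    -keyout "idp-{{ item.entity_id }}.key"
  # … unchanged: args/chdir, no_log, register, with_items, when, changed_when …
```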
@@ -1,13 +1,13 @@ # {{ ansible_managed }} -mitreid_config = { +mitreid_config = { "dbname": "{{ rciam_dbs.oidc.name }}", "user": "{{ rciam_dbs.oidc.owner_username }}", "host": "{{ lookup('dig', groups['dbmaster'][0]) }}", "password": "{{ rciam_dbs.oidc.owner_password }}" } -proxystats_config = { +proxystats_config = { "dbname": "{{ rciam_dbs.proxy.name }}", "user": "{{ rciam_dbs.proxy.owner_username }}", "host": "{{ rciam_dbs.proxy.host | default(lookup('dig', groups['dbmaster'][0])) }}", diff --git a/utilservers.yml b/utilservers.yml index 3655b626..a7ab64ec 100644 --- a/utilservers.yml +++ b/utilservers.yml @@ -2,6 +2,7 @@ # --- -- hosts: util +- name: Configure Util machines + hosts: util roles: - { role: rciam-utils } diff --git a/webproxyservers.yml b/webproxyservers.yml index 7bfa1786..784c66cb 100644 --- a/webproxyservers.yml +++ b/webproxyservers.yml 
@@ -2,42 +2,43 @@ # --- -- hosts: webproxy +- name: Deploy Web Proxy + hosts: webproxy roles: - { role: rsyslog-pgsql, tags: [rsyslog-pgsql, nginx] } - { role: nginx, tags: nginx } tasks: - name: Set Maintenance Locations - set_fact: + ansible.builtin.set_fact: maintenance_locations: "['roles','registry','oidc','proxy']" tags: - nginx:maintenance_on - nginx:maintenance_off - never - name: Enter Maintenance Mode - copy: + ansible.builtin.copy: content: "" dest: "/var/www/html/{{ item }}.maintenance.enable" - force: no + force: false owner: root - mode: 0644 + mode: "0644" loop: "{{ maintenance | default(maintenance_locations) | default([]) }}" loop_control: label: "Add control file for Maintenance Mode {{ item }}" - become: yes - ignore_errors: yes + become: true + ignore_errors: true # noqa ignore-errors tags: - nginx:maintenance_on - never - name: Exit Maintenance Mode - file: + ansible.builtin.file: path: "/var/www/html/{{ item }}.maintenance.enable" state: absent loop: "{{ maintenance_locations | default([]) }}" loop_control: label: "Removing control file for Maintenance Mode {{ item }}" - become: yes - ignore_errors: yes + become: true + ignore_errors: true # noqa ignore-errors tags: - nginx:maintenance_off - - never \ No newline at end of file + - never diff --git a/webservers.yml b/webservers.yml index 710ab479..c3936773 100644 --- a/webservers.yml +++ b/webservers.yml 
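Review bot: `ignore_errors: true  # noqa ignore-errors` on both maintenance-mode tasks suppresses the lint finding rather than addressing it, and the same pattern is added to the static-files copy in webservers.yml. These tasks run as root via `become: true` against `/var/www/html`, so a failure there (missing directory, permission problem) is swallowed and the play reports success while maintenance mode was never actually entered or left. If any failure is genuinely acceptable, `failed_when: false` states that intent explicitly and is what the ignore-errors rule asks for; better still, register the result and scope the accepted failure, or drop the suppression and let the play fail. The unchanged `maintenance_locations: "['roles','registry','oidc','proxy']"` is a string rather than a list and appears to work only because Ansible evaluates list-looking template results, so a plain YAML list, `maintenance_locations: [roles, registry, oidc, proxy]`, would be more robust.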
@@ -2,21 +2,22 @@ # --- -- hosts: web +- name: Deploy Web Servers + hosts: web roles: - { role: apache, tags: apache } - { role: php, tags: php } tasks: - name: Ensure static files for each Virtual Host are copied - copy: + ansible.builtin.copy: src: "{{ inventory_dir }}/files/web/vhosts/{{ item.servername | urlsplit('hostname') }}/" dest: "{{ item.documentroot }}/" owner: root group: root - mode: 0644 + mode: "0644" loop: "{{ apache_vhosts | default([]) }}" loop_control: label: "Copying static files for Virtual Host {{ item.servername | urlsplit('hostname') }}" - ignore_errors: yes - become: yes + ignore_errors: true # noqa ignore-errors + become: true tags: web:static