From 55bef0450c17cf2b14da99e10bf4491d5af10735 Mon Sep 17 00:00:00 2001 
From: Martin van Es Date: Tue, 31 Oct 2023 09:54:54 +0100 Subject: [PATCH] WIP --- docker/Dockerfile | 5 + docker/docker-compose.yml.py | 7 +- docker/hosts | 1 + environments/vm/inventory | 6 + provision.yml | 16 +- roles/docker/files/traefik.yml | 28 ++++ roles/docker/handlers/main.yml | 6 + roles/docker/tasks/main.yml | 76 +++++++++ roles/docker_metadata/defaults/main.yml | 10 ++ roles/docker_metadata/files/idps.xsl | 24 +++ roles/docker_metadata/files/nohide.xsl | 19 +++ roles/docker_metadata/files/nologo.xsl | 23 +++ roles/docker_metadata/files/nosc.xsl | 19 +++ roles/docker_metadata/files/rs_coco_nosc.xsl | 22 +++ roles/docker_metadata/files/sps.xsl | 17 ++ roles/docker_metadata/files/surf.png | Bin 0 -> 16016 bytes roles/docker_metadata/files/surf.svg | 2 + roles/docker_metadata/files/surf_bimi.svg | 15 ++ roles/docker_metadata/handlers/main.yml | 14 ++ roles/docker_metadata/tasks/main.yml | 153 ++++++++++++++++++ roles/docker_metadata/templates/index.html.j2 | 11 ++ .../templates/metadata.nginx.j2 | 13 ++ .../templates/sram-mdparser.conf.j2 | 1 + roles/docker_metadata/vars/main.yml | 7 + roles/docker_pyff/defaults/main.yml | 85 ++++++++++ roles/docker_pyff/files/01_idps.fd | 22 +++ roles/docker_pyff/files/02_backend.fd | 14 ++ roles/docker_pyff/files/03_frontend.fd | 14 ++ roles/docker_pyff/files/04_edugain.fd | 14 ++ roles/docker_pyff/files/edugain.crt | 3 + roles/docker_pyff/files/surfconext.crt | 3 + roles/docker_pyff/files/transform.xslt | 47 ++++++ .../docker_pyff/files/transform_edugain.xslt | 34 ++++ roles/docker_pyff/files/transform_proxy.xslt | 51 ++++++ roles/docker_pyff/handlers/main.yml | 13 ++ roles/docker_pyff/tasks/main.yml | 152 +++++++++++++++++ .../templates/pyff-metadata.service.j2 | 12 ++ .../templates/pyff-metadata.timer.j2 | 8 + start-vm | 2 +- 39 files changed, 962 insertions(+), 7 deletions(-) create mode 100644 roles/docker/files/traefik.yml create mode 100644 roles/docker/handlers/main.yml create mode 100644 
roles/docker/tasks/main.yml create mode 100644 roles/docker_metadata/defaults/main.yml create mode 100644 roles/docker_metadata/files/idps.xsl create mode 100644 roles/docker_metadata/files/nohide.xsl create mode 100644 roles/docker_metadata/files/nologo.xsl create mode 100644 roles/docker_metadata/files/nosc.xsl create mode 100644 roles/docker_metadata/files/rs_coco_nosc.xsl create mode 100644 roles/docker_metadata/files/sps.xsl create mode 100644 roles/docker_metadata/files/surf.png create mode 100644 roles/docker_metadata/files/surf.svg create mode 100644 roles/docker_metadata/files/surf_bimi.svg create mode 100644 roles/docker_metadata/handlers/main.yml create mode 100644 roles/docker_metadata/tasks/main.yml create mode 100644 roles/docker_metadata/templates/index.html.j2 create mode 100644 roles/docker_metadata/templates/metadata.nginx.j2 create mode 100644 roles/docker_metadata/templates/sram-mdparser.conf.j2 create mode 100644 roles/docker_metadata/vars/main.yml create mode 100644 roles/docker_pyff/defaults/main.yml create mode 100644 roles/docker_pyff/files/01_idps.fd create mode 100644 roles/docker_pyff/files/02_backend.fd create mode 100644 roles/docker_pyff/files/03_frontend.fd create mode 100644 roles/docker_pyff/files/04_edugain.fd create mode 100644 roles/docker_pyff/files/edugain.crt create mode 100644 roles/docker_pyff/files/surfconext.crt create mode 100644 roles/docker_pyff/files/transform.xslt create mode 100644 roles/docker_pyff/files/transform_edugain.xslt create mode 100644 roles/docker_pyff/files/transform_proxy.xslt create mode 100644 roles/docker_pyff/handlers/main.yml create mode 100644 roles/docker_pyff/tasks/main.yml create mode 100644 roles/docker_pyff/templates/pyff-metadata.service.j2 create mode 100644 roles/docker_pyff/templates/pyff-metadata.timer.j2 diff --git a/docker/Dockerfile b/docker/Dockerfile index d9a7cd040..aaae236d1 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile 
@@ -51,6 +51,11 @@ RUN systemctl enable ssh.service && \ systemctl disable systemd-timesyncd.service && \ echo "exit 0" > /usr/sbin/policy-rc.d +RUN systemctl disable getty@ && \ + systemctl disable getty.target && \ + rm /lib/systemd/system/multi-user.target.wants/getty.target && \ + rm /lib/systemd/system/getty.target.wants/getty-static.service + RUN useradd --create-home --shell /bin/bash --groups adm ansible && \ install -d -o ansible -m 0700 /home/ansible/.ssh && \ echo -n 'ansible:ansible' | chpasswd diff --git a/docker/docker-compose.yml.py b/docker/docker-compose.yml.py index 36c83584b..71fcc86dd 100755 --- a/docker/docker-compose.yml.py +++ b/docker/docker-compose.yml.py @@ -15,6 +15,7 @@ hosts = { 'sbs': 27, 'db': 28, + 'docker': 31, } if ci_enabled: hosts.update({ @@ -36,7 +37,7 @@ 'mdq', 'cm', 'comanage', 'ldap', 'meta', 'oidc-test', 'sp-test', 'idp-test', 'google-test', 'sbs', 'sandbox1', 'pam', - 'oidc-op', + 'oidc-op', 'docker' ] extra_options = {} @@ -57,9 +58,9 @@ def host_config(num: int, name: str) -> Dict[str, Any]: data: Dict[str, Any] = dict() data['image' ] = 'scz-base' data['hostname' ] = name - data['volumes' ] = [ './ansible_key.pub:/tmp/authorized_keys', '/sys/fs/cgroup:/sys/fs/cgroup:ro' ] + data['volumes' ] = [ './ansible_key.pub:/tmp/authorized_keys' ] data['tmpfs' ] = [ '/run', '/run/lock', '/tmp' ] - data['privileged' ] = False + data['privileged' ] = True data['security_opt'] = [ 'seccomp:unconfined', 'apparmor:unconfined' ] data['cap_add' ] = [ 'SYS_ADMIN', 'SYS_PTRACE' ] data['networks' ] = { diff --git a/docker/hosts b/docker/hosts index 0e823d142..be7145743 100644 --- a/docker/hosts +++ b/docker/hosts @@ -11,5 +11,6 @@ 172.20.1.28 db.vm.scz-vm.net 172.20.1.29 bhr.vm.scz-vm.net 172.20.1.30 test.vm.scz-vm.net +172.20.1.31 docker.vm.scz-vm.net 172.20.1.40 websso.scz-vm.net 172.20.1.41 webssod.scz-vm.net diff --git a/environments/vm/inventory b/environments/vm/inventory index ac2c11ea1..bacc7c33c 100644 
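Review bot: `data['privileged' ] = True` in host_config() grants full privileges to every VM container generated by this script, not only the new `docker` host that apparently needs nested Docker; the `cap_add`/`security_opt` lines on the following lines become moot once privileged is set. Since the function already receives the host name, scoping it is a one-line change: `data['privileged' ] = (name == 'docker')`. The dropped `/sys/fs/cgroup:/sys/fs/cgroup:ro` mount presumably goes together with the privileged switch (systemd inside the container then sees the host cgroup tree directly) — worth a comment on that line saying so, since the pairing is not obvious from the diff.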
--- a/environments/vm/inventory +++ b/environments/vm/inventory @@ -35,6 +35,9 @@ db.vm.scz-vm.net ansible_host=172.20.1.28 [vm_bhr] bhr.vm.scz-vm.net ansible_host=172.20.1.29 +[vm_docker] +docker.vm.scz-vm.net ansible_host=172.20.1.31 + [vm:children] vm_lb vm_ldap @@ -44,6 +47,7 @@ vm_sandbox1 vm_sbs vm_db vm_bhr +vm_docker ########################################## # role-based groups @@ -86,6 +90,8 @@ vm_bhr [bhr2:children] vm_bhr +[docker:children] +vm_docker ########################################## # all [all:children] diff --git a/provision.yml b/provision.yml index 27689e6b4..ecf699d69 100644 --- a/provision.yml +++ b/provision.yml @@ -87,6 +87,15 @@ - { role: 'http_apache', tags: ['bhr12','ci-runner']} - { role: 'ci-runner', tags: ['bhr12','ci-runner']} +- name: "docker" + hosts: docker + tasks: + - { import_tasks: "tasks/versions.yml", tags: ['common'] } + roles: + - { role: docker, tags: ['docker'] } + - { role: docker_pyff, tags: ['meta', 'docker_pyff'] } + - { role: docker_metadata, tags: ['meta', 'docker_metadata'] } + - name: "lb" hosts: lb tasks: @@ -129,9 +138,9 @@ hosts: meta tasks: - { import_tasks: "tasks/versions.yml", tags: ['common'] } - roles: - - { role: pyff-metadata, tags: ['meta','pyff-metadata']} - - { role: metadata, tags: ['meta','metadata'] } + # roles: + # - { role: pyff-metadata, tags: ['meta','pyff-metadata']} + # - { role: metadata, tags: ['meta','metadata'] } - name: "client" hosts: client @@ -165,3 +174,4 @@ - { import_tasks: "tasks/versions.yml", tags: ['common'] } roles: - { role: ci-test, tags: ['ci-test'] } + diff --git a/roles/docker/files/traefik.yml b/roles/docker/files/traefik.yml new file mode 100644 index 000000000..6cad3fb69 --- /dev/null +++ b/roles/docker/files/traefik.yml 
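Review bot: The `meta` play in provision.yml keeps its `roles:` block as commented-out lines, leaving a play on `hosts: meta` that only imports tasks/versions.yml. If pyff-metadata and metadata are superseded by the new docker_pyff/docker_metadata roles, delete the three lines (history stays in git) or drop the play; if they are only temporarily disabled, a one-line comment stating that, e.g. `# disabled while the metadata stack is moved to the docker host`, tells the next reader which it is. The third provision.yml hunk only adds a trailing blank line.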
@@ -0,0 +1,28 @@
+---
+log:
+ level: INFO
+entryPoints:
+ websecure:
+ address: ":443"
+providers:
+ file:
+ filename: "/config/config/traefik.yml"
+ watch: true
+ docker:
+ endpoint: "unix:///var/run/docker.sock"
+ network: "traefik"
+ exposedByDefault: false
+ping:
+ manualRouting: true
+http:
+ routers:
+ ping:
+ rule: "PathPrefix(`/health`)"
+ service: "ping@internal"
+ tls: true
+tls:
+ stores:
+ default:
+ defaultCertificate:
+ certFile: "/config/certs/backend.crt"
+ keyFile: "/config/certs/backend.key"
diff --git a/roles/docker/handlers/main.yml b/roles/docker/handlers/main.yml
new file mode 100644
index 000000000..da43277ed
--- /dev/null
+++ b/roles/docker/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: "restart docker"
+ ansible.builtin.systemd:
+ name: docker
+ state: restarted
+ enabled: true
diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml
new file mode 100644
index 000000000..ad48f8ab1
--- /dev/null
+++ b/roles/docker/tasks/main.yml
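Review bot: The `file` provider is pointed at the static configuration itself (`filename: "/config/config/traefik.yml"` is the same file the tasks pass via `--configFile`), so the dynamic loader will also parse static-only keys such as `entryPoints` and `providers`; I expect Traefik to reject or at least log those as unknown fields. The conventional split is to move the `http:` and `tls:` sections into a separate dynamic file (e.g. /config/config/dynamic.yml) and point the provider there. With a default certificate set but no `tls.options`, older TLS versions stay negotiable on `websecure`; adding `options: default: minVersion: VersionTLS12` under `tls:` in the dynamic file is the usual hardening. `exposedByDefault: false` combined with explicit `traefik.enable` labels is the right choice.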
@@ -0,0 +1,76 @@
+---
+- name: Add Docker GPG key.
+ ansible.builtin.apt_key:
+ url: "https://download.docker.com/linux/debian/gpg"
+ state: present
+
+- name: Add Docker repository.
+ ansible.builtin.apt_repository:
+ repo: deb [arch=amd64] https://download.docker.com/linux/debian bullseye stable
+ state: present
+
+- name: Install docker
+ ansible.builtin.apt:
+ name: docker-ce
+ state: present
+ notify:
+ - "restart docker"
+
+- name: Create the traefik configuration file directory
+ ansible.builtin.file:
+ state: directory
+ path: "/opt/openconext/traefik/{{ item }}"
+ owner: root
+ mode: "0755"
+ with_items:
+ - config
+ - certs
+
+- name: Copy the (dynamic) configuration
+ ansible.builtin.copy:
+ src: "{{ item }}"
+ dest: "/opt/openconext/traefik/config/{{ item }}"
+ owner: root
+ mode: "0640"
+ with_items:
+ - traefik.yml
+
+- name: Create Traefik backend key
+ copy:
+ content: "{{wildcard_backend_cert.priv}}"
+ dest: "/opt/openconext/traefik/certs/backend.key"
+ owner: "root"
+ group: "ssl-cert"
+ mode: "0640"
+ no_log: "{{sram_ansible_nolog}}"
+
+- name: Create Traefik backend cert
+ copy:
+ content: "{{wildcard_backend_cert.pub}}"
+ dest: "/opt/openconext/traefik/certs/backend.crt"
+ owner: "root"
+ group: "root"
+ mode: 0644
+
+- name: Create the Traefik gateway network
+ community.docker.docker_network:
+ name: traefik
+
+- name: Create the Traefik gateway
+ community.docker.docker_container:
+ name: traefik
+ image: traefik:latest
+ published_ports:
+ - "0.0.0.0:443:443"
+ pull: true
+ restart_policy: "always"
+ networks:
+ - name: "traefik"
+ command: "--configFile=/config/config/traefik.yml"
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock
+ - /opt/openconext/traefik/:/config/
+ comparisons:
+ published_ports: strict
+ networks: strict
+
diff --git a/roles/docker_metadata/defaults/main.yml b/roles/docker_metadata/defaults/main.yml
new file mode 100644
index 000000000..f4db900ab
--- /dev/null
+++ b/roles/docker_metadata/defaults/main.yml
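Review bot: Traefik runs from `image: traefik:latest` with `pull: true`, so every run of the role may deploy a different, unreviewed Traefik release into the one container that holds the Docker socket (full control of the daemon and therefore of the host); pin a tag or digest, e.g. `image: "traefik:<pinned version>"`, and bump it deliberately. The socket mount itself could be narrowed by putting a socket proxy in front that exposes only the read-only endpoints the docker provider needs. The repository key is added with `ansible.builtin.apt_key` without an `id` fingerprint and the repo line hardcodes `bullseye` and `arch=amd64`; using `{{ ansible_distribution_release }}` plus a `signed-by=` keyring makes the task both portable and verifiable. `group: "ssl-cert"` on backend.key assumes that group exists on the docker host, which nothing in this role ensures — a comment or a `group:` task would make that explicit.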
@@ -0,0 +1,10 @@ +--- +# meta_port: 80 +metadata_basedir: "/opt/metadata" +metadata_dirs: + web: "{{metadata_basedir}}/web" +# metadata_documentroot: "/var/www/metadata" +# mdparser_repo_url: "https://github.com/SURFscz/mdparser.git" +# mdparser_version: "master" +# mdparser_dir: "/opt/mdparser" +# mdparser_venv_dir: "{{mdparser_dir}}/venv" diff --git a/roles/docker_metadata/files/idps.xsl b/roles/docker_metadata/files/idps.xsl new file mode 100644 index 000000000..735ee6104 --- /dev/null +++ b/roles/docker_metadata/files/idps.xsl @@ -0,0 +1,24 @@ + + + + + + + + + + + + + + + + + + diff --git a/roles/docker_metadata/files/nohide.xsl b/roles/docker_metadata/files/nohide.xsl new file mode 100644 index 000000000..9ee60c1c0 --- /dev/null +++ b/roles/docker_metadata/files/nohide.xsl @@ -0,0 +1,19 @@ + + + + + + + + + + + diff --git a/roles/docker_metadata/files/nologo.xsl b/roles/docker_metadata/files/nologo.xsl new file mode 100644 index 000000000..9b9a8ac60 --- /dev/null +++ b/roles/docker_metadata/files/nologo.xsl @@ -0,0 +1,23 @@ + + + + + + + + + + + + + + + + + + + + + diff --git a/roles/docker_metadata/files/nosc.xsl b/roles/docker_metadata/files/nosc.xsl new file mode 100644 index 000000000..0187d5c0b --- /dev/null +++ b/roles/docker_metadata/files/nosc.xsl @@ -0,0 +1,19 @@ + + + + + + + + + + + diff --git a/roles/docker_metadata/files/rs_coco_nosc.xsl b/roles/docker_metadata/files/rs_coco_nosc.xsl new file mode 100644 index 000000000..277eb2345 --- /dev/null +++ b/roles/docker_metadata/files/rs_coco_nosc.xsl @@ -0,0 +1,22 @@ + + + + + + + + + + + + diff --git a/roles/docker_metadata/files/sps.xsl b/roles/docker_metadata/files/sps.xsl new file mode 100644 index 000000000..e114bd711 --- /dev/null +++ b/roles/docker_metadata/files/sps.xsl @@ -0,0 +1,17 @@ + + + + + + + + + + + + 
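Review bot: This defaults file defines `metadata_basedir` and `metadata_dirs` (with only `web`) while roles/docker_pyff/defaults/main.yml in the same commit defines the same two variables with more keys (`feeds`, `src`, `certs`, `xslt`), and provision.yml runs both roles in the same play on the docker host. Ansible does not merge dict defaults, so unless private role vars are enabled the defaults loaded last win for the whole play, and a docker_pyff task that references `metadata_dirs.feeds` could then fail with an undefined attribute — I cannot see docker_pyff's tasks here, so treat this as something to verify. Defining the shared directory layout once (for example in group_vars for the docker group) and letting both roles consume it removes the ambiguity. The commented-out `mdparser_*` and `metadata_documentroot` lines should go once they are confirmed obsolete.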
diff --git a/roles/docker_metadata/files/surf.png b/roles/docker_metadata/files/surf.png new file mode 100644 index 0000000000000000000000000000000000000000..e2bc4a3c2b61cabcd3babac9f9b67ef8c860dfbc GIT binary patch literal 16016 zcmeHu2UJs8*XX4Ps5CzdA_6Lih%^Cd0fM41i~>3c7!j}}0VFhogiah$9BB#yhHga! zMT2w#2+~PFkP?!BfHZ*wX_5ZUW!}vH&3p5|nQ#67dh4yXzU5+h?>>9)b9OoV?7R2L zFQ+ZdL^kc(1VNC9`47i`f}jmd_)mx*Kw=HTIN(3t%O}l_Lu=tN%@yEnqt_28JOmX* z!hbx?^QCG4DClEuaYC?vvw*1FmeeWVb_m)7nIAuT)~{!RHF;giF6niDc-|uN@D_2E z4aPqFVRGWTdHRL;PwY|THQBQBZsloy0Xg-Z#7`Ib`Amrmd+7;i^I@~?ZwMXNUmY1w z(acQdbqZnSzjfu@Lv%h1XW2xP#6MC$K-*ae$ih6;%o>adI|mt5F$X( z?*JGT2K=9Ce`ofe(ynv=ZQkFR!PERXExfYd=KXWp-e(_&0?3X9fJOO;}fdPW#tF{DJnbt@yh}{&^w)6)XM? zA^zaTe`<+;QHcK^T~Q8%vEOv_*GBqtZ~23w|JlHQ!$|-3wEu>9@$aDb+d24Obwx!+ zMPx>H!IFEdgSPBipOhSrU&hDuwUIpy>eX8{c|$Z&Bcp&$GbBp4Pb>(0%_O?U2rl%|!RoXV--tD>m+S|xC7wQHcW;|A@g zCPD#Lp$gY6djd+GQXV|@iUM!~wU=xXijN2pMfIp!*7nX&f3I}YN?YenB2B;LQx9Sf z)2%R&>^IW9lgLIiX<0Az^7K1qPKLPRg^gpnb@_z2nh2p>g>eu80$n0HJy=ABKIX3iu%cL8zs5Q-yFtRVmy;qUvK4oHi$ zpLH9e$^zYmp`dt%4VdLlM+nvq0rhz&_$zd>ZnP}NY}wt(Ztz))!wG&a^_aGPzQo!Z z2d!SNS;@%B=kp?DqRtTnSJ5>q7k#a;ojp87;f&=6r0aywa);Q0WV)5~vQQ;o3T7-t za*r)j3|+o#b4JY|nZbN}8yX5(Cx zw`a#SW(9nESUmlz3?AbWzAA@b-)MF?FoW4iu4~G;XjLkL zZb)kMg`$TQ;s|ZhVF*IKZ;Uw>O?u%%)p0Q=h;<)I`LeMtsfXfe~%7@ru z+P#RA0>tSHXbe?azv1o@9~Ce-QF1L#$>+g#t{`eMRD&P7J9kpSmUXl!4#&M>_2Y(& zipH_=bTeKVSyZ#dAr+?asO-b)N_5G$X6QNFB87d)&5h2 z(H)1_TrEvrXqn0z7C5$>ccZc4Yxl$(mTzr_Wl|LQj2$fVXsy1Iqe1}hvz8?E^_p9$ zun^biyuO71@#_W55cRq^dxacGR_BM5v|8A|93*;i?$?w`nLruGbWnafxBC2?Y|TNJ zuEp$yP9H3MaZKl&cST(B7U=XVMmKw-!^N5v(at4V5gy{pm87>v2rp8$a}jSWd59Gl zqL*54&*6K}S&ovMC;6rqN8fE5^gU2Oh&zDt6wHvyDF!gz@vYGJn$i(fyfe6`;wl%7 z4o5)J*OOk!?R|92mRZpll?C~9x!ZP58W$02dH^ax6l_9=af zvJYWgl;}}fahM+p_^e=`i~-@Hd65rV9R?V@zRNtV683UXzbca_BghRrII1C-JfmWz zU^+XTJ3lmghf4yFZf^YGbHKQ0X@dZ?%H|QnU&b>sSG#nf(fBpQVZIl)wsWm;Xar<9 zIDb~0eSLLWgBJ>@#Y&2^L;Qh>f{9+-rp-{&n?1vrJRpBmd|-_+>OUn3E!Gul zoQ?>Ud@t*3)tq5IBDp*nT1bt04{hUeJ*RrN85h}MW@y4PTgL|F;dnhIyEenX&Ge`J 
z?4V5_DzR?YUBdA?EKRI>^~Vb9&vHF+ROzrlhXPYCj*k@P-kDnNs%OZZrEd}kD;iXj zao6mJv@A7gii45miIqv3sda7z$0%{w1HRQhcbjQgo6IG!JBgcon za}K|>$0TMy5e-r;jX5dA3QC*^Omp_Akq#^M;v_jsI#0(_#@(|niEyqk$N(n^bQ1EaQ6P7)Z5~rQ+X)XbazXDrn?^2wXpKTtS7ULnhy!N1PH( zns5?W*3aH&JyL#j>D#`;*B#`IT9$dnH1!%cG&=OHDDD+0MA?)U1m1Uz;FQE)Bjwj8 zr!C*EXg*eS(@TQw;FaL2AaCr+91#oYfEqG zQq9hpDInW9^rgs_yQojrI7msLHWI|yRg_g1HP5+gaW;FiIU^|KKn0~fTSmU;JMmB> zm-SA*PgZ}#=0IUxP~iKEJvR+GRlqpcO#=mcf>$HTz7$p^qNM!=zq)qD1j$}LfAoa| zdaiztv^0(~UHBD$Eg6$=E0<%mx>R1<^zzJz9jhg82iO+l1I1aPdQD|N=QmxqHDlgb zoO#k0p@Tb`nlH;nyhlEw)Vd-C=w{@C~8RXSxY>C~e9LwR>e! z!hkQKJ6E=Q*66ASK!B zh_zXGIkcx~S=lwB%)piVE-}I~{hCJO%X`R`8P~~X9q@oV2CRiPr@(lTA^WoOGCSnLn zT@Nw!J~KEqPZC57dWdnHoZ*>xBd4_8Ra$tbqhM_nDcAKGap;hz@#dm#%xa%CdZM&( zQM+s=%6HYh?~=1@lS!XB0U*XS2Y##NevsHTCQ9_m#3ma0`*Gjc9f)o%^a=G4f~rzq zBam%W_qvPJRCZFSy5XCsEdXd@KRbF_^T4H6%t@V#vY%)|P(SUGA;+d!H2D44ESK9R zE?R#V;DC^EksR|DLTjqsol0Th3VT7CCpt<_9BB|DEMB@urJQIg)8;oW!v8QR6GCG! zzgM+y?PM~@^_xwgyWiC0M#CG9uH|3%r7O^}OEu4`_f+3>Fx4%OTHT3Gu&Zr-<1p-h zMHo!`MihU6sW6VqTdmdSjszaJ(ri?`8L4@7a!xt8f2^aX*vqp`J6rjhn>avjt$lT1 zNhv$f{Zuj4=5=h@kJs*>sg0_rjgQipZB%cW?%cWS4NXBRk3S6IAk4)i6o-5=D{8cH zJWyP(8z(H~Z-b~S{8ou}t5s|mttr(7oDh!1o`UjE|kgP<@{z6QlqCr z_`986i*CDF#Q{+i$EaG;`5zbwA4R8QihP1Z1S*`Y=hdQqA+o z3nSN8{AkD-!N~U?H!bAw_v3p7I2dF z&HaJIRPJoG4C?Cn^m;8s_7<`+g;V?n+jVQkYLX8+a*xmAWv@q*?lOU=90j29o1J42#P zZ*K-eVvL&;9u*PxAESNNs=8fx^qXb4G=!%C^M*oOFuk#kqJAED|0@Ag=tNTCwW{Xs zi#%b7B5|Su3(G#R4GaY`mjx{R+pFYAw`<|K#1c&*5mfOz0pp^XaEn1%Z`_O1xFUuU z9}voRrbRdP3+e4K6J$CyvlNd3UcT&l-`a#|niB=85j5GPK4r~%C1-)nA}%2{!7eX= zQqSjm+s-PE*UC=v2Y*_|YWKtH>3kj^qhGJD=1#g{W-kTufmAWySHWLUouc7kmqU;7 zh_laP+Xw1ou=o3F5C&D9LZC7i%ma0fK#;+u{)_g-N&`($ZuwvjMLA zF{xjFSYxZ_DbMsRU*;l$s=MJimofgILWA%9!s1NXP}h#V=7L~jH`(=GA)^v~n2+AV;w8Yn&0{MdPxh5=BEXST?IFG){+d+F!tYHfjKACW$ z{H6I0`jW6}kcsxYKI@r?D@%B#Y`fFSDwy_~5>6HfMnsuwn%RcRTtq5G|ie+7@b7z&AgOswd zGs>GoI#JtUa4|U6d;)<&-__?KQQn1P$d<`e#m@hU95w7|sqcDfAwV%qP zDm5{`Pk)rmBo$uUNSVRMq90ybE&4`?e-jHgYzC8+G?S+FZW9G_z-_`3>$z-?McI=d29 
z<88Y@zjXiXmwia*_G!7+&e~-MO-?6ImGoH1?snXCvqbDb>JTQxbJF*d6KpGp=b2|kj%Cj#%=z|% z@EtIyjl?85424ENLj+?eD@GLum(zfgcYuH~6uSBhv4WO6RmmTY#VJt;d*WamT9_HQ#3rF+=ly(PY+MgD@Fv`O~1BT0E+Md%UrX;&~4qx4%VXQ;t zkvA3~DpdC|zs%JIIoWMZQwyfweS73*TXOK_y}~O>smaS{E9Xh({ryJD zQ*K=oZs(USxhU$TGI~F313NUR9js%AS&xyXssZy=(M*dkY3LR%^xZ9jGN{z9P3Y$u z83oR@E*QB6<(m|5vU~fIdzIT~-PGKJ zOUK$dgz|5)my%sW$eq3Q@&|4MAM$f4m%YjfY`?_xxf8v4X;Et>Ag2h))EF!~a$6ur z({};XHvIg`D;h&J3@fRZEy4ra_nz<3zu2BzcXz2;qy{V3cOzoiB^F3l7mzF=nZKL! zQ-E~QiMofY%Zh+GJqzV$(JS^bNSy2p`Ht9}lSc+bUr zT<}d~W3!OV&WUVgjfRSu#`B0)$u$k$AAjMdlN%pDbM}qi)q9}K)o+RVE@S)qHqW8S zWN+1L9dBE*CX?F>Wyt(O1Q!M)C-3S|Wc+hALG7rD@}^_aOM#u=O(pwR&*jl>Ej`Dl zZ>hZ0tz>e>L(_HtY*O^c>w~#(9#A!?6`}xTz8Hj-u`?w)(rg`--5XKIQd0B9*`2ns zEk*>O&s)!z-hKD-yh5df>Dr%F&om+r!%5(29TomBuGO-hjQ6^wF8yatYd89gkVS#1 zoIVB>=>#{8m)vbx{O+yDEWL&jto){Db9*04JLL1__MYxy!{#PAnavAjx8~-13L0~y zid%QSdqdBTaBcz}wXr*G)rP2iFS!xrY&k>c*_>x{^Nhyw@uXs}U4>qDCnQ?%f}cZh z@sCcI4mkCf#K#2WOlnLTEMDzs=k)rP-v#mr5ft0re7Ebid=Nc7v&ASe-JY({-sctC zUPWzM7x&<&qVINojGq!LXO=6|8!(3g$#E7jvIZ5np(p3@g5vDcDKoa(9$N0Kwz|}j zX<~X!UT48bPQbEs84i<|cmyQHqBSJjZ%T~K?KSV)R>;rt`^&?ZUV(uyM6g%qv7$on zwD0b7VYLzR#hLy?E>vkE7KG7EqrSU8^*jo8|A0oM_m|v~+q;%j^=8PLc6gj}ANOj|A?5q6QkAQl&zF4B zr9Q5Sh(>pfM`?s!2*}^U2E^iQpI%oiDP$y}*s8XzZscA_3~W0VP2gx zebQ2D`Hu6#{_M_{2B*bGZj+_ez)kus!zn?P_`_x-=hVI#182d2_{@c8`NF*g^DjNc z?!Ab^O_T5YA*oHa+@ZDjNu7|1Smrw)^ou+=36h>0ms@QX(`-?w7{ZKab6Uu*hZPG| z%BO31%5UFnCO0&hIUG+N8cOXW_$x0l7%S{IaF#gsG*N{4Rj*Nbd^s&qWvJ>z2$kHC zfx}x(S-6Q^UOZp67TXk z$h7D0+nrVI4HJiM7IcM5sHEJSQHeW6{{H>Q_e=vLs_v6W(eGbZ9}2pM5_IiB6mLJA zsUrVrPu!_kK&w42n9dWLWNu2@jTZ51pRTKD{0c4AB3lZ)vE~KzkmZTa^yRhvH-$Cz zTNf7-a|%NjSa02j+CI@WK>lOtig)|4C+*;KlaF<4U;5oey{Z~4cKAvk zFi+TEP?fFaZuq<@2?2JiW}5W=IDBjVY^iSZ#sd)?qu!TlzMYJUZ?HCqb@-R3!lNQT z6Z=EP6Po=TzZO;q5?%#e;7o%^sec*AulMB%(XlXOD{id7e@Kcgm3X}=A*42S1hxXv z`Vd>Tdc|w8d^Pr`g|iSOvmL$*;JU(P>;N7GGS3K{RoiF(8G<)!T)KDj(yNN`Mi6N|&1Mfz z=foV!n7PT~y^vSXyGGin0^mKGW4ebI<}-9YBwUQwDQB^L&UDc}K5b8tRE0lRqZJH# 
z)5awzNvpN0;|RC$SP$Ggp!t&O{JvAw*ycHO-8L3COkKXgbi3_VKoG1RB|KQ8^LU-D9rx=~D%oRgr#l?aH zup`r^Z@xIOz<w$}shb-;HO4-?sv3`$h5TQnKN#*}GD3zJw~?V>fA*=5eSaA! zqUWD1n_V$@@xE-t$=6ufch`$lESesVw6f6!@K-^qOVG#ut=NPO!(X~6jYT~!bZo5M ziE^?+SCSaFjFoKKPFdMJqmcdq_XPepmMv>|dNWj=KpH-ABA2T_sFdzf+W4J#CJ;H! zi)?dH-nFv$Nz1w4@e8Nz02WAE_4r$OGa{c|-uR*<9AXV;HkNNHZJx1y&vC^a5@}4X zy%rdJFXH9!aGB^3y-br2uKrv%m8Nsbo8FD4EU(&Kxl>iA7hffA1|@oJ*8 zabE4Mx2Q^x!Ka2^VWY*qw5S14)XWYV%5IK`X($ayLkR$>9d_KxeHXe&VSd=(IxCd; zvoi`gJzhbJ5e&?i5IN3Ol?y+*W2`IE>J(3-a}A}?V|w2cWhKNAI@LVn>#2fJFuS5h z-I8iVgj?NB=c z$qj=k*aY+2C(07s6SmiOxY|k@e*Fm(^sec>lZL-nftBcTygqgK3`ZO{eG_@)Rse~# z9n>L@kS1~img(u(*l#!a9=n%b$y{{8*$uY<_lOLMBLpWtH`}hiJ zVTr2ozSrjTYM=Ta^uTsuBIwE=<^q> zS@{LMmgzJkzOIa~Ut>m)>TmacCJIhsvkx;W4u>I4E~lKSH7j=q1yS2nC+D?NlZvIc zjW54$4OqRFFhuEkT}aw-FOF+}9XUTq=T@}p))vUH1CJJnvq7s*qpw0cESG;-{fXJ6 zOnHSvCw*3fE|$v4&dK|F)-n~FFlMN#8*zNq1Nr_5WW z^*{bv)oplm##9pf&^vpLrazuTNnNc;Z$DGb2?;7v|H@9W(xlGH+JzBN*fZTHnoeN* z7B(K5w2Ucrkay1;?XJ0Gm+GtnIsjd0%GyV9_GjhlNR4_$SNXw0deE}$`_&a>_MkA5 zwt5NQi%quZH1t0(s0_;K(;gocl5v~Mae6KCPg+9A1@vt}kLE7fv!=4~>=uH(&T_h! 
zAZRr#i9fg*Bbkm|^9x0ccFC^22o-AhAo5kTX6B zmtx&9Tm0{%tvk-o`3rPVu&dL3nK!v`=VjlT+fHaU);aT-h=JaAD8SR1A5@30T>_1Z zwpvgm>%zFekDcp}7k}+xBzociESAq7^fj=vpM;^&%&52yfQz15{Ui>JIu}Xt2ysgy zBO#(=&n_Mz0=Q%`1Zos8EDFG`1u6+~d#YG`={%!Z`3!5Iry-`$f6%Styavs$#v;S* z#E=pV(DS%187QPMSuCHz7ht@7>?C6e0(i&lJMJ21$vU026N6}d4{GfZ|fCDJlY3SfUBDS#cils`Ai1e$v^ z-b}F&TOX&Z@)_(}|zTupE1KccHa3pZ-gM=&Gvxo=7JnRDKuVf58?NhMGyeE7}0 zfmI>Aa|vJTNjsWPxZIn8RmJ2L`NCST_LY<@8=%cLX{d3;`;^zYf<}Y3Q8cJ*&$ekv zjfaBpw3t5>BnbtKX>T2AB6{UEO?-hpz`3L%4!BV^`5v%fTfPt2psZip+a-L&|LrZ> zM-Unlt#Vi&lllBXuI2nM+!gTAnh{PTH;;bU4Vrc6;?PTA+E&*D$&+wgrcWFwJ|X}G zjEDNK@`rF-+M=l+kZ8*!m6ZRt3h& zKF>%VqD)D>@)ZDZDB}ayFF@Hv5Q2wWzLk?lq=}BTOY-1y20-^Xw;>~!rqT4_%zY5L z$jsc7nRQWPT}?ZC;TT-%RNI4qf_>7m@_{<@QIlQs6yO0Z8VMXg(8RUr-Ngq{@JZ&i zG9CO?l=7fHbiC9}D1)G?LF?`%gdwie*>-fa`;sugO7J$7bXNSlh5ZSg*N2YF-|hzm zjA#u;YBbi1`TY6AqiJoq=%V+@VnkC1;N-=J&$!JsO2 z@p7*)By%;6mA+Oe-^+UXk4#y$OSdKE!O8O$!3XY>&8iM_OLO9I& z%z~Rfqv>LVU9a4&o|5mZc^!)(O0c2UrZ6YxxG28BEY;5kqPsz1v$cy@$ZO?5)1ZA? zgoC3|k0FX;Kl1A6X`6B@jr>K>v^Fj`5us^PKb%PdW!J?d&LK1NpW>TN?cRG3G_=zT zmM{q(4$t;UkbZ%~V{ksxKG3X84h(G?Uui2Ryu8abe?9<*RiryNqU^B1OYekR@i6Lu z^wlY4eE5k?1W257y1f0AW+EG&L5hP9?9Hn6AJ(SAQsmBsq`6(m_(vis@OT_p;p%zz z2+cq9ADJlhW!4H2zV(~2yFHEyT+evB$BgxGCs7Rai=b`Jl=Pw6oiD2V6KEto@k4Cr zbjr7e;SVK<>qRu(Lxm^nZ0PebgRhH}6vADJFFw8YB#FdoS*Juuv= z3e&xt3;CKN`SN06AOlAESbHEjQ=-;*!)r}iZIV|64BIfg)OFiS3bNl=#tyw`j%SXlCWjj!;5*T0kRu@rHdUD ze_NnHrHHshz%!>rrv=D!)*0UO+gdhiTI3CgLLH>EWt`A94u~`*I*stSYhJqFW2G7d zwWs~8)D@VWmOe_4o(dL_#M+8?xxJkLy-2VjT=lvie}roaFW@TbdZvIK$^M{67(AE+ z2B+L=ZCSEZn4!Cmh7SK-=gh#Zusm}qz+Er+q2bLe^QF{Q!cW}N`UB^dP;)A3I6>J)ZcXWi4f#lM8egRmaZ4=t~!WTw& zz`93M=2p#2GF&WuLc!G-s8!Fm#Jc3x76T$YhArddirn}ag|9%uW9CgMyLdO`4FkU> z$~R1*uL4F&Zc<2ggRLYqs?5MB(ofiGH!&k%TIJ*|igX)o+k3YV&^>v%%%;=to^4@9 zywZSLFO?n`B0#Ew6tBkApI}}FQMdN%i`C0`2>6TzS%K!f9laOMp++HB_ z6zN+7Y47Q$`CGt7{A_J4m+^yd@n-Ni;}v>U;DO7p_zz6>9&C?VN5NkKC~k$BU`v0t zj*GK4$uLI9fqS!+5@R0x+v+E?VE$FzLW-@OLLhQY75~!CJb3Sw1`G}?k>aT-*5Cz^ 
zA;=ZSzs+U*f+YOBg>9Me=!2IIJg}_7idw%&1F|tVRRiS#z@}BKIu36FK+pqEH2*fN z8!U!6`$3D`LwJ(yS3v#*kBusW*bW(sfNT&TDE762jFk@>k^*Tb0m=w6Sw{m`Ydowr z0Q^stC~#);tml1D#zs*8hnWC>hmm=0LFZQq&taGjV}G>jh%pRH7dr&zy{pL7vi zL;0USLV)Kn?3Z7ke#3;fAV38rlYhDi4dQWt z1z;CY$WD3C&s_HmLt8!Xjo^SGDxDj9dgtU1>kPQ4v8Vhdzdar=0TsLEK_WjHdDK(n+B2HJs12 zt3pLS;4~z9{mgOH-?h$ctLkpB1@@$T{x|`y@IaNRQSj$NVie4#?}LzTY!>YDpw3g0 z7m0hY1z@lMh6qn$B+UQx)Di3Tg&OjG&64zT8L?bP2^Q%^YVwN)7rVedT2%3Ni`T`i zoEat^6bT?AQiNN0yYl@7?4>8osVHwj$msA9UeS7yk1$8}HqO2) zH06pU0)dKJaNM=S{Gy-t9U7nHUIrWeJ4ozBuUzHlqT!dHj}UqY2~l(NfpGK;dY^=t z%&S;g1tAFvy+Td(MR~4=&B{Jut29Yol_aV6d?0>7<(Erk>om{0hR>j7hSwOSPX<4{ zQWvgHZzGOEwMx+Si~8zWl|B~>c;hzNjuBt&dHVBdUVEZs+l@lrp?x}Zk{`~PSGdKx zDs=8^b7*u5tmrFeyN^CsTMrc(h?&bcq1n#|Vw5!GNMN1&Fj!41l7j3C+i}AqliyGX=h*VTjf)W^6 z)#_*!AFaHCC9f#@f_Fj=!%5_ZTvXo63nvYuw*udgjvHtY*Zq-H>jnp&(Z0t;I{eY< zR_+$VF18qmC^n@oA3h_5)`8b7tKJRb^iARR?{+W2OqR|+1s&m^x5c`a!r>?L2;MxN zk{68m^{r4*M&yQ}78xFL-gJ1379LDJTR^DK)_^M06ebBKpZVx)t1Q+vV224;n<$YR z1cOGkCcA{{@DHfLv9-vrX+C0ay)V5N0nd3KTO)fgs{c95*}4Iq=0chI+bo&L zeykzJMz~yf&=oUht}bNh7PGmlkw^AOQt#$w8X8tz;(inpI!|<1)D( zu&;=IBgWOunt8iHQb}aY1ay@tJDl4-33JpuS1`WpDlC!RtZZFj_Ya^n^XY)XAe8^u z%76hnDGLqj5y{AJ%9$=adV%PTC6$B$AAx!cT)RNF&RtQyO?pl{P6mMl;t3_aH!@E( zH{Eds_+aHD9&nSfbYh~CkaH^aj6jz4W>|x*&m2md^c#lzo)UIdBwjK#kJWz?`ICJ( zSSDm#5ptOKpJF;d|2?Mvd0hT2$ipYgder~z>{tf?0oOz7@3g-G{%}D2f%dNth(FN& zjl<=yh4{n41iS@As{iGOcJMU+f)MMdzs>tQGgw!Ds(`;C#6Q#iz7SYfe@^??Li~aD zudVpkLi~$X{2M~Ry83 +image/svg+xml diff --git a/roles/docker_metadata/files/surf_bimi.svg b/roles/docker_metadata/files/surf_bimi.svg new file mode 100644 index 000000000..f49b7a035 --- /dev/null +++ b/roles/docker_metadata/files/surf_bimi.svg @@ -0,0 +1,15 @@ + + + surf + + + + + + + + + + + + diff --git a/roles/docker_metadata/handlers/main.yml b/roles/docker_metadata/handlers/main.yml new file mode 100644 index 000000000..5996d698d --- /dev/null +++ b/roles/docker_metadata/handlers/main.yml 
@@ -0,0 +1,14 @@
+---
+- name: restart nginx
+ service:
+ name: nginx
+ state: restarted
+
+- name: "systemd daemon-reload"
+ systemd:
+ daemon_reload: true
+
+- name: "restart zabbix-agent"
+ systemd:
+ name: "zabbix-agent2.service"
+ state: "restarted"
diff --git a/roles/docker_metadata/tasks/main.yml b/roles/docker_metadata/tasks/main.yml
new file mode 100644
index 000000000..812537c6c
--- /dev/null
+++ b/roles/docker_metadata/tasks/main.yml
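Review bot: All three handlers are dead in this role: every task in roles/docker_metadata/tasks/main.yml that would notify `restart nginx`, `systemd daemon-reload` or `restart zabbix-agent` is commented out, and the role no longer installs nginx or the zabbix key. If `restart nginx` were ever triggered on the docker host it would fail for lack of an nginx unit. Drop the handlers, or keep only what the container-based tasks actually notify.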
@@ -0,0 +1,153 @@ +--- +# - include_role: +# name: "nginx" +# +# - name: Ensure that packages are installed +# apt: +# name: +# - xalan +# - wget +# - xmlsec1 +# state: present + +# - name: Create directories + # file: + # path: "{{item.path}}" + # state: "directory" + # mode: "{{item.mode}}" + # owner: "root" + # group: "{{item.group}}" + # with_items: + # - { path: "{{metadata_documentroot}}", group: "root", mode: "0755" } + # - { path: "{{metadata_documentroot}}/metadata", group: "{{metadata_group}}", mode: "0775" } + +- name: Create metadata directories + file: + path: "{{ item.value }}" + state: "directory" + mode: "0755" + owner: "root" + loop: "{{ lookup('ansible.builtin.dict', metadata_dirs, wantlist=True) }}" + +# - name: Check if obsolete job exists +# command: +# cmd: "systemctl list-timers --all --output=json" +# register: "systemd_timers" +# changed_when: false + +# - name: Disable obsolete systemd job +# systemd: +# name: "metadata.timer" +# state: "stopped" +# enabled: false +# when: '"\"metadata.timer\"" in systemd_timers.stdout' + +# - name: Remove obsolete files +# file: +# path: "{{item}}" +# state: "absent" +# with_items: +# - "/opt/metadata/create_metadata" +# - "/opt/metadata/edugain.crt" +# - "/opt/metadata/idps.xsl" +# - "/opt/metadata/nohide.xsl" +# - "/opt/metadata/nologo.xsl" +# - "/opt/metadata/nosc.xsl" +# - "/etc/systemd/system/metadata.service" +# - "/etc/systemd/system/metadata.timer" +# notify: "systemd daemon-reload" + +# - name: Copy metadata nginx configuration +# template: +# src: metadata.nginx.j2 +# dest: "/etc/nginx/sites-available/metadata" +# mode: 0644 +# notify: restart nginx +# +# - name: Create symlink to metadata in /etc/nginx/sites-enabled +# file: +# src: "/etc/nginx/sites-available/metadata" +# dest: "/etc/nginx/sites-enabled/00-metadata" +# state: link +# notify: restart nginx + +- name: Install index page + template: + src: "index.html.j2" + # dest: "{{metadata_documentroot}}/index.html" + dest: 
"{{metadata_dirs.web}}/index.html" + mode: 0644 + +- name: Install logo + copy: + src: "{{item}}" + # dest: "{{metadata_documentroot}}/" + dest: "{{metadata_dirs.web}}/" + mode: "0644" + with_items: + - "surf.svg" + - "surf.png" + - "surf_bimi.svg" + +# - name: Install symlinks +# file: +# path: "{{metadata_documentroot}}/{{item}}" +# src: "metadata/{{item}}" +# state: "link" +# force: true +# with_items: +# - "idps.xml" +# - "proxy_idp.xml" +# - "proxy_sp.xml" + +# - name: Remove obsolete files +# file: +# path: "{{metadata_documentroot}}/{{item}}" +# state: "absent" +# with_items: +# - "Light-Bulb_icon_by_Till_Teenck.svg" +# - "Light-Bulb_icon_by_Till_Teenck_1000px.png" +# - "Light-Bulb_icon_by_Till_Teenck_200px.png" +# - "sc_edugain.xml" +# - "sc_edugain_idps.xml" +# - "sc_edugain_idps_nologo.xml" +# - "sc_edugain_idps_nologo_nohide.xml" +# - "sc_edugain_idps_nologo_nohide_nosc.xml" + +# - name: Fetch mdparser from {{ mdparser_repo_url }}, version {{ mdparser_version }} +# git: +# repo: "{{ mdparser_repo_url }}" +# dest: "{{ mdparser_dir }}" +# version: "{{ mdparser_version }}" +# accept_hostkey: "yes" +# force: "yes" + +# - name: Create python3 virtualenv +# import_role: +# name: "python-venv" +# vars: +# python_venv_dir: "{{ mdparser_venv_dir }}" +# python_venv_requirements: "{{ mdparser_dir }}/requirements.txt" + +# - name: Copy zabbix agent mdparser key +# template: +# src: sram-mdparser.conf.j2 +# dest: "/etc/zabbix/zabbix_agent2.d/sram-mdparser.conf" +# notify: "restart zabbix-agent" + +- name: Create the metadata-server container + docker_container: + name: metadataserver + image: sram-metadataserver + # restart_policy: "always" + # restart: true + state: started + # pull: true + volumes: + - "{{ metadata_dirs.web }}:/opt/web" + networks: + - name: "traefik" + labels: + traefik.http.routers.metadataserver.rule: "Host(`{{ hostnames.meta }}`)" + traefik.http.routers.metadataserver.tls: "true" + traefik.enable: "true" 
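Review bot: The metadata-server container is created with the short `docker_container` name while roles/docker/tasks/main.yml uses `community.docker.docker_container`; the image is `sram-metadataserver` with no tag and `pull` commented out, and `restart_policy` is commented out too, so whatever local build exists is used and the container does not come back after a daemon or host restart. `{{ metadata_dirs.web }}:/opt/web` is mounted read-write; if this container only serves the directory, `- "{{ metadata_dirs.web }}:/opt/web:ro"` limits what a compromised web container can change on the host. The large commented-out blocks (nginx, symlinks, obsolete-file cleanup, mdparser, zabbix) should be deleted once the docker path is settled rather than shipped as comments.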
diff --git a/roles/docker_metadata/templates/index.html.j2 b/roles/docker_metadata/templates/index.html.j2 new file mode 100644 index 000000000..5aad8ec86 --- /dev/null +++ b/roles/docker_metadata/templates/index.html.j2 @@ -0,0 +1,11 @@ + +SRAM + + +

SRAM metadata

+

SRAM IdP proxy metadata
+(for use by Service Providers)

+

SRAM SP proxy metadata
+(for use by Identity Providers)

+ + diff --git a/roles/docker_metadata/templates/metadata.nginx.j2 b/roles/docker_metadata/templates/metadata.nginx.j2 new file mode 100644 index 000000000..6627cc763 --- /dev/null +++ b/roles/docker_metadata/templates/metadata.nginx.j2 @@ -0,0 +1,13 @@ +server { + listen {{ meta_port }} default_server ssl; + listen [::]:{{ meta_port }} default_server ssl; + + ssl_certificate {{ ssl_certs_dir }}/{{ internal_base_domain }}.crt; + ssl_certificate_key {{ ssl_certs_dir }}/{{ internal_base_domain }}.key; + + root {{ metadata_documentroot }}; + + location / { + autoindex off; + } +} diff --git a/roles/docker_metadata/templates/sram-mdparser.conf.j2 b/roles/docker_metadata/templates/sram-mdparser.conf.j2 new file mode 100644 index 000000000..d7681f43f --- /dev/null +++ b/roles/docker_metadata/templates/sram-mdparser.conf.j2 @@ -0,0 +1 @@ +UserParameter=sram.mdparser[*],{{mdparser_venv_dir}}/bin/python {{mdparser_dir}}/mdparser.py {{metadata_documentroot}}/$1 diff --git a/roles/docker_metadata/vars/main.yml b/roles/docker_metadata/vars/main.yml new file mode 100644 index 000000000..a779eea8d --- /dev/null +++ b/roles/docker_metadata/vars/main.yml @@ -0,0 +1,7 @@ +--- +# list of xsl files to copy +xsl_files: + - "idps.xsl" + - "nologo.xsl" + - "nohide.xsl" + - "nosc.xsl" diff --git a/roles/docker_pyff/defaults/main.yml b/roles/docker_pyff/defaults/main.yml new file mode 100644 index 000000000..93f6b2167 --- /dev/null +++ b/roles/docker_pyff/defaults/main.yml 
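Review bot: metadata.nginx.j2 references `meta_port` and `metadata_documentroot`, both of which are commented out in this role's defaults, and the task that would install the template is itself commented out in roles/docker_metadata/tasks/main.yml; the same holds for sram-mdparser.conf.j2 (`mdparser_venv_dir`, `mdparser_dir`, `metadata_documentroot`) and for `xsl_files` in vars/main.yml, which no visible task reads. Either drop these files from the new role or keep the variables defined, so that un-commenting a task later does not fail at template time with an undefined variable.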
@@ -0,0 +1,85 @@ +--- +metadata_basedir: "/opt/metadata" +# metadata_target_dir: "{{metadata_basedir}}/metadata" +metadata_dirs: + web: "{{metadata_basedir}}/web" + feeds: "{{metadata_basedir}}/feeds" + src: "{{metadata_basedir}}/src" + certs: "{{metadata_basedir}}/certs" + xslt: "{{metadata_basedir}}/xslt" + +metadata_group: metadata + +# metadata_idps_source: "https://metadata.surfconext.nl/idps-metadata.xml" +# metadata_idps_cert: | +# -----BEGIN CERTIFICATE----- +# MIIEKjCCAhICEG12w6QqayYAWntxDN59dU0wDQYJKoZIhvcNAQELBQAwPDELMAkG +# A1UEBhMCTkwxEDAOBgNVBAoMB1NVUkZuZXQxGzAZBgNVBAMMElNVUkZjb25leHQg +# Um9vdCBDQTAeFw0xOTAxMTQxNjM5MDVaFw0yNDAxMTgxNjM5MDVaMGsxCzAJBgNV +# BAYTAk5MMRAwDgYDVQQIDAdVdHJlY2h0MRAwDgYDVQQKDAdTVVJGbmV0MRMwEQYD +# VQQLDApTVVJGY29uZXh0MSMwIQYDVQQDDBpTVVJGY29uZXh0IG1ldGFkYXRhIHNp +# Z25lcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMckFyqXzW7dbMt4 +# wDdSLaAjFAbNziUgQaivu4dl9Uf/cZ4f36a9DfQBUSraNoIR76ruwK3TPfFalemp +# xmWTsoVSQpb3AOsWbU+i0YKS1cmcqMUC1fef2j1IbuK4B4nEu9S5saGNVGNvUJ+Y +# jDUpC5vyyp7boW9E1md2jIBI6Mw+ZhlmkPucqaphxurWnm0KbxTZrYLOBZ1IXj6r +# yrRoFwwtjEH+CW8cRn8OATK0q4yb0BVr2gY2tp/lTpASHZ3WVWBK0prwK0KkusY6 +# ck+/vvlk46IdEr803NB0Dm3ECh3i65mfCaWzVTtd/md874paK+65f1JeVyd5I5al +# M2KEpvkCAwEAATANBgkqhkiG9w0BAQsFAAOCAgEAjvJXXkxOqh3K0k2NdDG5EOTy +# bA+koRbAqhdY/qJoSnqTzwBxJc6aPs+L4q2PIoLo0gNJj1Nm1taLusaaK+CBx3ar +# 1kxEika5FM0dqFjD3i7Y5U0FMeDB5cReo8TNdo31VGoY7CbRjtqHLRTuKzNmIfEm +# ahLnHIBtarE82b7Mpg0aLxjrRR+t8wSCriy+e9AEPzC5bWxtPJA+OhU8U9hMuOs5 +# SzKmHwYue4WY3q1rRaDpK3fqgXRDRfznNn9/RDDbBos7CRMSAPEmAO28qLKBW/1z +# a2TKQLddZ3uoCurFNbToSTueKYVEnveQNO2P5X6uy4rcYkjeSiwbmHo7jYuHAxx4 +# uGzHMpoqoGNx+2iYjtUo3dJUXzcZai3X+RuuMKXXvqGzrxJsoKayNVAE1dWoUHJl +# RouPhDLTdZq/pblORhFS8r10rKhSScgrNuN9LTTV7EPFeVr8trocNwl8IruH+eNL +# 6/7b5Y7fb7rvpxeHjWrTz8a9BXAIAv+bgyrg4OHGRcNIQb0XF438HD9r8Zb92B6Z +# VCR3aVS5496+1td+8aN/Blzo59LhKPiHyGZCPHFV/oBqG7nxp603kcWmJOcG+AgB +# 9bFiAimF5LLk/LnMfplK9w0vvxWVcdQkDgVPYvEGNtttj0QC7/jM4ZeihGb6Oyzy +# DZA6aeg73/ygOATQ13A= +# 
-----END CERTIFICATE----- +metadata_idps_filters: [] + +metadata_idps_files: + - name: "dummy-idp" + metadata: | + + + + + + + SRAM VM Dummy IdP + SRAM VM Dummy IdP + https://test-idp.sram.example.org/ + + + Administrator + mailto:sinterklaas@example.nl + + + +# metadata_idps_xrd: "{{metadata_basedir}}/certs/surfconext.xrd" +# metadata_idps_source_dir: "/opt/metadata-src" +# metadata_idps_feed: "{{ metadata_basedir }}/idps_feed.fd" +# metadata_idps_file: "idps.xml" +# +# metadata_edugain_source: "https://metadata.surfconext.nl/edugain-downstream-idp.xml" +# metadata_edugain_cert: "{{metadata_idps_cert}}" +# metadata_edugain_xrd: "{{metadata_basedir}}/certs/edugain.xrd" +# metadata_edugain_feed: "{{ metadata_basedir }}/edugain_feed.fd" +# metadata_edugain_file: "edugain.xml" +# +# metadata_proxy_frontend_source: "https://satosa.local/frontend.xml" +# metadata_proxy_frontend_feed: "{{ metadata_basedir }}/frontend_feed.fd" +# metadata_proxy_frontend_file: "proxy_idp.xml" +# +# metadata_proxy_backend_source: "https://satosa.local/metadata/backend.xml" +# metadata_proxy_backend_feed: "{{ metadata_basedir }}/backend_feed.fd" +# metadata_proxy_backend_file: "proxy_sp.xml" diff --git a/roles/docker_pyff/files/01_idps.fd b/roles/docker_pyff/files/01_idps.fd new file mode 100644 index 000000000..89e30045e --- /dev/null +++ b/roles/docker_pyff/files/01_idps.fd 
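Review bot: The commented-out `metadata_idps_cert` block duplicates what this commit now ships as roles/docker_pyff/files/surfconext.crt; keeping one copy avoids the two drifting apart. Decoding the validity field of the commented certificate gives notBefore 2019-01-14 and notAfter 2024-01-18; if files/surfconext.crt (whose body is not visible here) is the same certificate, the `verify certs/surfconext.crt` clause in 01_idps.fd will start rejecting the feed about three months after this commit's date, so the rollover needs an owner. The `metadata_idps_files` entry embeds a dummy IdP with a dummy entityID and contact; a comment marking it as VM/test-only, e.g. `# test-environment placeholder IdP, never deploy to production`, would prevent it from being copied into a real inventory.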
@@ -0,0 +1,22 @@
+- load fail_on_error True:
+ - "https://metadata.test.surfconext.nl/idps-metadata.xml verify certs/surfconext.crt"
+ - "src/"
+- select:
+ - "https://idp.diy.surfconext.nl/saml2/idp/metadata.php"
+ - "http://mock-idp"
+ - "https://login.test.eduid.nl"
+ - "https://idp-acc.surfnet.nl"
+ - "https://login.uaccess-a.leidenuniv.nl/nidp/saml2/metadata"
+ - "test-idp.lab.surf.nl"
+ - "https://test-idp.sram.surf.nl/saml/saml2/idp/metadata.php"
+ - "https://idp.ci-runner.sram.surf.nl/saml/saml2/idp/metadata.php"
+- xslt:
+ stylesheet: "xslt/transform.xslt"
+- finalize:
+ cacheDuration: P7D
+ validUntil: P14D
+- sign:
+ key: "certs/signing.key"
+ cert: "certs/signing.crt"
+- publish: "out/idps.xml.new"
+- stats
diff --git a/roles/docker_pyff/files/02_backend.fd b/roles/docker_pyff/files/02_backend.fd
new file mode 100644
index 000000000..698d615a4
--- /dev/null
+++ b/roles/docker_pyff/files/02_backend.fd
@@ -0,0 +1,14 @@
+- load fail_on_error True:
+ - "https://proxy.acc.sram.eduteams.org/metadata/backend.xml"
+- select
+- xslt:
+ stylesheet: "xslt/transform_proxy.xslt"
+- finalize:
+ cacheDuration: P7D
+ validUntil: P14D
+ name: "SURF Research Access Management"
+- sign:
+ key: "certs/signing.key"
+ cert: "certs/signing.crt"
+- publish: "out/proxy_sp.xml.new"
+- stats
diff --git a/roles/docker_pyff/files/03_frontend.fd b/roles/docker_pyff/files/03_frontend.fd
new file mode 100644
index 000000000..252206d42
--- /dev/null
+++ b/roles/docker_pyff/files/03_frontend.fd
@@ -0,0 +1,14 @@
+- load fail_on_error True:
+ - "https://proxy.acc.sram.eduteams.org/metadata/frontend.xml"
+- select
+- xslt:
+ stylesheet: "xslt/transform_proxy.xslt"
+- finalize:
+ cacheDuration: P7D
+ validUntil: P14D
+ name: "SURF Research Access Management"
+- sign:
+ key: "certs/signing.key"
+ cert: "certs/signing.crt"
+- publish: "out/proxy_idp.xml.new"
+- stats
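Review bot: The `select` list is hard-coded in this feed while `defaults/main.yml` introduces `metadata_idps_filters: []` for what looks like the same purpose, so there are now two places that claim to define which IdPs are published and only this one is effective; either template the feed from that variable or drop the default. The list also mixes non-HTTPS and bare-host entries (`http://mock-idp`, `test-idp.lab.surf.nl`) with acceptance IdPs, which is fine for a test feed but deserves a comment such as `# test/acceptance IdPs only; production entity list is maintained elsewhere` so the file is not copied into a production role as-is. Note that `src/` is loaded without `verify`, which is acceptable only because that directory is written solely by the "install IdP metadata" task as root.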
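Review bot: The backend metadata is loaded from `https://proxy.acc.sram.eduteams.org/metadata/backend.xml` without a `verify` clause, unlike `01_idps.fd` and `04_edugain.fd`, and the result is then re-signed with `certs/signing.key`; whatever that URL serves (or whatever a TLS interception or DNS issue substitutes) becomes metadata signed by this deployment's key. The same applies to `03_frontend.fd`. If the proxy signs its metadata, add `verify certs/<proxy-signing-cert-placeholder>.crt` on the load line and ship that certificate alongside `edugain.crt`/`surfconext.crt`; if it does not, a comment such as `# upstream metadata is unsigned; TLS is the only trust anchor here` records the accepted risk.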
diff --git a/roles/docker_pyff/files/04_edugain.fd b/roles/docker_pyff/files/04_edugain.fd new file mode 100644 index 000000000..e704adcaf --- /dev/null +++ b/roles/docker_pyff/files/04_edugain.fd @@ -0,0 +1,14 @@ +- load fail_on_error True: + - "https://metadata.surfconext.nl/edugain-downstream-idp.xml verify certs/edugain.crt" + - "out/idps.xml.new" +- select +- xslt: + stylesheet: "xslt/transform_edugain.xslt" +- finalize: + cacheDuration: "P7D" + validUntil: "P14D" +- sign: + key: "certs/signing.key" + cert: "certs/signing.crt" +- publish: "out/edugain.xml.new" +- stats diff --git a/roles/docker_pyff/files/edugain.crt b/roles/docker_pyff/files/edugain.crt new file mode 100644 index 000000000..5362d3abd --- /dev/null +++ b/roles/docker_pyff/files/edugain.crt @@ -0,0 +1,3 @@ +-----BEGIN CERTIFICATE----- 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 +-----END CERTIFICATE----- diff --git a/roles/docker_pyff/files/surfconext.crt b/roles/docker_pyff/files/surfconext.crt new file mode 100644 index 000000000..0e8f074e8 --- /dev/null +++ b/roles/docker_pyff/files/surfconext.crt @@ -0,0 +1,3 @@ +-----BEGIN CERTIFICATE----- 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 +-----END CERTIFICATE----- diff --git a/roles/docker_pyff/files/transform.xslt b/roles/docker_pyff/files/transform.xslt new file mode 100644 index 000000000..80673b688 --- /dev/null +++ b/roles/docker_pyff/files/transform.xslt @@ -0,0 +1,47 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/roles/docker_pyff/files/transform_edugain.xslt b/roles/docker_pyff/files/transform_edugain.xslt new file mode 100644 index 000000000..96b6c6786 --- /dev/null +++ b/roles/docker_pyff/files/transform_edugain.xslt @@ -0,0 +1,34 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/roles/docker_pyff/files/transform_proxy.xslt b/roles/docker_pyff/files/transform_proxy.xslt new file mode 100644 index 000000000..97bc6c945 --- /dev/null 
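Review bot: `cacheDuration: "P7D"` and `validUntil: "P14D"` are quoted here but bare in the other three feeds; pick one form so the files read consistently. This feed also loads `out/idps.xml.new`, the publish target of `01_idps.fd`, so with `fail_on_error True` it aborts whenever the pipeline order or working directory differs; a comment on that load line, e.g. `# depends on 01_idps.fd having published out/idps.xml.new first`, would make the ordering requirement explicit rather than implied by the file name prefix.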
+++ b/roles/docker_pyff/files/transform_proxy.xslt @@ -0,0 +1,51 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + Security Response Team + mailto:securityincident@surf.nl + + + + + + + + + + + https://refeds.org/sirtfi2 + https://refeds.org/sirtfi + + + + + + diff --git a/roles/docker_pyff/handlers/main.yml b/roles/docker_pyff/handlers/main.yml new file mode 100644 index 000000000..2c58770cb --- /dev/null +++ b/roles/docker_pyff/handlers/main.yml @@ -0,0 +1,13 @@ +--- +- name: "enable pyff-metadata job" + systemd: + name: "pyff-metadata.timer" + enabled: true + state: "started" + daemon_reload: true + +- name: "run pyff-metadata job" + systemd: + name: "pyff-metadata.service" + state: "started" + daemon_reload: true diff --git a/roles/docker_pyff/tasks/main.yml b/roles/docker_pyff/tasks/main.yml new file mode 100644 index 000000000..4b4ee152e --- /dev/null +++ b/roles/docker_pyff/tasks/main.yml 
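Review bot: The stylesheet carries the contact `Security Response Team` / `mailto:securityincident@surf.nl` and the assurance values `https://refeds.org/sirtfi2` and `https://refeds.org/sirtfi` as literal text; the surrounding markup is not visible in this rendering, but these appear to be stamped onto the proxy entities processed by `02_backend.fd` and `03_frontend.fd` regardless of what the upstream metadata declares. Self-asserting SIRTFI (and SIRTFI v2) in published metadata is a compliance statement that relying parties act on, so the file should say who owns that assertion, e.g. a top-level `<!-- Asserts SIRTFI/SIRTFI2 and the security contact for the SRAM proxy entities; keep in step with the organisation's assurance statement -->`.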
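Review bot: Neither handler here is reachable in this commit: in tasks/main.yml every `notify: "run pyff-metadata job"` is commented out, and the task that templates `pyff-metadata.service`/`.timer` into `/etc/systemd/system` is commented out as well, so `systemd: name: "pyff-metadata.timer"` would fail on a host where the unit was never installed. Presumably this is the intended WIP state; a `# TODO: re-enable once the systemd unit templates are installed by tasks/main.yml` above the first handler would make that explicit to the next reader.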
@@ -0,0 +1,152 @@
+---
+- name: Create metadata directories
+ file:
+ path: "{{ item.value }}"
+ state: "directory"
+ mode: "0755"
+ owner: "root"
+ loop: "{{ lookup('ansible.builtin.dict', metadata_dirs) }}"
+
+- name: Copy source certificates
+ copy:
+ src: "{{ item }}"
+ dest: "{{ metadata_dirs.certs }}"
+ with_items:
+ - edugain.crt
+ - surfconext.crt
+
+- name: create self-signed Metadata Signing SSL certs
+ shell:
+ cmd: >
+ openssl genrsa -out "{{ metadata_dirs.certs }}/signing.key" 2048;
+ openssl req -new -nodes -x509 -subj "/C=NL/CN=signing"
+ -days 3650 -key "{{ metadata_dirs.certs }}/signing.key"
+ -out "{{ metadata_dirs.certs }}/signing.crt" -extensions v3_ca
+ creates: "{{ metadata_dirs.certs }}/signing.crt"
+ when: "metadata_signing_cert is not defined"
+
+- name: write fixed Metadata signing certificates
+ copy:
+ dest: "{{ metadata_dirs.certs }}/{{ item.file }}"
+ content: "{{item.contents}}"
+ mode: "{{item.mode}}"
+ with_items:
+ - { file: "signing.key", mode: "0640", contents: "{{metadata_signing_cert.priv}}" }
+ - { file: "signing.crt", mode: "0644", contents: "{{metadata_signing_cert.pub}}" }
+ when: "metadata_signing_cert is defined"
+
+# - name: Write source metadata certificates
+# template:
+# src: "feed.xrd.j2"
+# dest: "{{item.filename}}"
+# loop:
+# - filename: "{{metadata_idps_xrd}}"
+# source: "{{metadata_idps_source}}"
+# cert: "{{metadata_idps_cert}}"
+# - filename: "{{metadata_edugain_xrd}}"
+# source: "{{metadata_edugain_source}}"
+# cert: "{{metadata_edugain_cert}}"
+# notify: "run pyff-metadata job"
+#
+# - name: Create metadata source directory
+# file:
+# path: "{{ metadata_idps_source_dir }}"
+# state: "directory"
+# mode: "0755"
+# owner: "root"
+# group: "{{metadata_group}}"
+
+- name: install IdP metadata
+ copy:
+ content: "{{item.metadata}}"
+ dest: "{{ metadata_dirs.src }}/{{item.name}}.xml"
+ mode: "0644"
+ owner: "root"
+ with_items: "{{ metadata_idps_files }}"
+ # notify:
+ # - "run pyff-metadata job"
+
+# - name: Remove old files
+# file:
+# path: "{{item}}"
+# state: "absent"
+# with_items:
+# - "{{ pyff_env_dir }}/idp_feed.fd"
+
+- name: Copy pyFF feeds
+ copy:
+ src: "{{item}}"
+ dest: "{{metadata_dirs.feeds}}"
+ with_items:
+ - 01_idps.fd
+ - 02_backend.fd
+ - 03_frontend.fd
+ - 04_edugain.fd
+
+- name: Copy pyFF xslt transformations
+ copy:
+ src: "{{item}}"
+ dest: "{{metadata_dirs.xslt}}"
+ with_items:
+ - transform_edugain.xslt
+ - transform_proxy.xslt
+ - transform.xslt
+
+# - name: Create pyFF mdq configuration
+# template:
+# src: "{{item.path}}.j2"
+# dest: "{{metadata_basedir}}/{{item.path}}"
+# owner: "root"
+# group: "root"
+# mode: "{{item.mode}}"
+# with_items:
+# - { path: "idps_feed.fd", mode: "0644" }
+# - { path: "frontend_feed.fd", mode: "0644" }
+# - { path: "backend_feed.fd", mode: "0644" }
+# - { path: "edugain_feed.fd", mode: "0644" }
+# - { path: "feeds.sh", mode: "0755" }
+# - { path: "transform.xslt", mode: "0644" }
+# - { path: "transform_proxy.xslt", mode: "0644" }
+# - { path: "transform_edugain.xslt", mode: "0644" }
+# notify: "run pyff-metadata job"
+
+# - name: Create pyFF systemd job timer
+# template:
+# src: "{{item}}.j2"
+# dest: "/etc/systemd/system/{{item}}"
+# with_items:
+# - "pyff-metadata.service"
+# - "pyff-metadata.timer"
+# notify:
+# - "enable pyff-metadata job"
+# - "run pyff-metadata job"
+
+# - name: check if an obsolete directory is present
+# stat:
+# path: "/opt/pyff/pyff-env/idps_feed.fd"
+# register: "old_dir"
+# changed_when: false
+#
+# - name: remove old directory
+# file:
+# path: "/opt/pyff"
+# state: "absent"
+# when: "old_dir.stat.exists"
+
+- name: Create the pyFF container
+ docker_container:
+ name: metadata
+ image: sram-metadata
+ # restart_policy: "always"
+ # restart: true
+ state: started
+ # pull: true
+ volumes:
+ - "{{ metadata_dirs.feeds }}:/opt/pyff/feeds"
+ - "{{ metadata_dirs.src }}:/opt/pyff/src"
+ - "{{ metadata_dirs.certs }}:/opt/pyff/certs"
+ - "{{ metadata_dirs.xslt }}:/opt/pyff/xslt"
+ - "{{ metadata_dirs.web }}:/opt/pyff/web"
+ networks:
+ - name: "bridge"
+
diff --git a/roles/docker_pyff/templates/pyff-metadata.service.j2 b/roles/docker_pyff/templates/pyff-metadata.service.j2
new file mode 100644
index 000000000..945cfe992
--- /dev/null
+++ b/roles/docker_pyff/templates/pyff-metadata.service.j2
@@ -0,0 +1,12 @@
+[Unit]
+Description=pyFF Metadata processing
+After=syslog.target network.target
+
+[Service]
+Type=oneshot
+WorkingDirectory={{metadata_basedir}}
+ExecStart=echo "pyff-metadata"
+SyslogIdentifier=pyff-metadata
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/docker_pyff/templates/pyff-metadata.timer.j2 b/roles/docker_pyff/templates/pyff-metadata.timer.j2
new file mode 100644
index 000000000..b1231af1f
--- /dev/null
+++ b/roles/docker_pyff/templates/pyff-metadata.timer.j2
@@ -0,0 +1,8 @@
+[Unit]
+Description=Create Metadata timer
+
+[Timer]
+OnCalendar=*:00
+
+[Install]
+WantedBy=multi-user.target
diff --git a/start-vm b/start-vm
index 30225e9cd..a62c712ee 100755
--- a/start-vm
+++ b/start-vm
@@ -68,7 +68,7 @@ else
 # Bring up the VMs if they're not running
 echo "Bringing docker containers up"
 ./docker/docker-compose.yml.py $CI > ./docker/docker-compose.yml
-time docker-compose -f docker/docker-compose.yml up --no-recreate -d --remove-orphans
+time docker compose -f docker/docker-compose.yml up --no-recreate -d --remove-orphans
 echo "Waiting until containers have booted"
 TIMEOUT=120
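Review bot: In "create self-signed Metadata Signing SSL certs" the `openssl genrsa -out .../signing.key` writes the private key with the shell's default umask, so it is normally world-readable, while the fixed-key branch below deliberately sets `mode: "0640"` for `signing.key`; prefix the command with `umask 077;` (or add a `file:` task setting `mode: "0640"` on `signing.key`) so both branches leave the key with the same permissions. "write fixed Metadata signing certificates" loops over items that embed `metadata_signing_cert.priv`, which Ansible echoes per loop item in its output unless the task sets `no_log: true`. `metadata_group` is declared in defaults but "Create metadata directories" sets only `owner: "root"`; if the group was meant to scope access to the certs directory, add `group: "{{ metadata_group }}"`. The container mounts `feeds`, `src`, `certs` and `xslt` read-write; if pyFF only reads them, appending `:ro` to those four volume entries limits what a compromised container can alter, leaving `web` as the only writable mount.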
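Review bot: `ExecStart=echo "pyff-metadata"` only prints a string, so the oneshot unit the timer triggers never runs pyFF against `{{metadata_basedir}}`; presumably this is a WIP stub, but nothing in the template says so, so add `# TODO: replace the echo with the real pyFF run` above `ExecStart`. `After=syslog.target` names a target that current systemd no longer provides; `After=network.target` alone is sufficient.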
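Review bot: A timer unit is conventionally installed with `WantedBy=timers.target` rather than the `WantedBy=multi-user.target` written here; it still activates under multi-user.target, but tooling and documentation assume timers.target. Consider also `Persistent=true` in `[Timer]` so an hourly run missed while the VM is down is executed at boot; the feeds set `validUntil: P14D`, so a missed hour is not critical, but a short comment recording that choice would help.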