From a5f0f7914d8b74b9f8e545ab853a38565c70a302 Mon Sep 17 00:00:00 2001
From: Bart Geesink
Date: Fri, 9 Feb 2024 16:11:00 +0100
Subject: [PATCH] Stepup tiqr: Add docker deployment option
---
 roles/stepuptiqr/handlers/main.yml | 7 ++
 roles/stepuptiqr/tasks/docker.yml | 79 ++++++++++++++++
 roles/stepuptiqr/tasks/main.yml | 90 ++----------------
 roles/stepuptiqr/tasks/vm.yml | 85 ++++++++++++++++++
 roles/stepuptiqr/templates/parameters.yaml.j2 | 18 ++--
 roles/stepuptiqr/vars/docker.yml | 5 ++
 roles/stepuptiqr/vars/main.yml | 1 +
 7 files changed, 195 insertions(+), 90 deletions(-)
 create mode 100644 roles/stepuptiqr/tasks/docker.yml
 create mode 100644 roles/stepuptiqr/tasks/vm.yml
 create mode 100644 roles/stepuptiqr/vars/docker.yml
diff --git a/roles/stepuptiqr/handlers/main.yml b/roles/stepuptiqr/handlers/main.yml
index 40eef830c..ab79436f4 100644
--- a/roles/stepuptiqr/handlers/main.yml
+++ b/roles/stepuptiqr/handlers/main.yml
@@ -6,3 +6,10 @@
 service:
 name: php72-php-fpm
 state: reloaded
+
+- name: restart tiqr
+ community.docker.docker_container:
+ name: tiqr
+ state: started
+ restart: true
+
diff --git a/roles/stepuptiqr/tasks/docker.yml b/roles/stepuptiqr/tasks/docker.yml
new file mode 100644
index 000000000..9b2175275
--- /dev/null
+++ b/roles/stepuptiqr/tasks/docker.yml
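Review bot: The new `restart tiqr` handler restarts a container hard-coded as `name: tiqr`, while the container is created in tasks/docker.yml as `name: "{{ appname }}"`; if `appname` is ever set to anything but `tiqr`, the handler addresses a container that does not exist and a changed parameters.yaml is never picked up by the running service. Use `name: "{{ appname }}"` here as well so both sides name the same container. The trailing blank `+` line added at the end of the file can be dropped.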
@@ -0,0 +1,79 @@
+- name: Include docker vars
+ ansible.builtin.include_vars: docker.yml
+
+- name: Add group {{ appname }}
+ ansible.builtin.group:
+ name: "{{ appname }}"
+ state: present
+ register: tiqr_guid
+
+- name: Add user {{ appname }}
+ ansible.builtin.user:
+ name: "{{ appname }}"
+ group: "{{ appname }}"
+ createhome: no
+ state: present
+ register: tiqr_uid
+
+- name: Create some dirs
+ ansible.builtin.file:
+ state: directory
+ dest: "{{ item }}"
+ owner: root
+ group: root
+ mode: "0755"
+ with_items:
+ - "{{ current_release_config_dir_name }}"
+ - "{{ current_release_appdir }}/public/images"
+
+- name: Install images
+ ansible.builtin.include_role:
+ name: stepupapp
+ tasks_from: copyimages
+
+- name: Install GSSP IdP key and certificates
+ ansible.builtin.include_role:
+ name: stepupapp
+ tasks_from: copygsspidpcerts
+
+- name: Write tiqr APNS certificate
+ ansible.builtin.copy:
+ content: "{{ tiqr_apns_pemfile }}"
+ dest: "{{ current_release_config_file_dir_name }}/apns.pem"
+ owner: "{{ appname }}"
+ mode: "0400"
+ when: tiqr_apns_pemfile is defined
+
+- name: Place parameters.yml
+ ansible.builtin.template:
+ src: parameters.yaml.j2
+ dest: "{{ current_release_config_dir_name }}/parameters.yaml"
+ mode: "0640"
+ owner: root
+ group: "{{ appname }}"
+ notify:
+ - restart tiqr
+
+- name: Create the container
+ community.docker.docker_container:
+ name: "{{ appname }}"
+ image: ghcr.io/openconext/stepup-tiqr/stepup-tiqr:{{ tiqr_version }}
+ pull: true
+ restart_policy: "always"
+ networks:
+ - name: "loadbalancer"
+ labels:
+ traefik.http.routers.tiqr.rule: "Host(`tiqr.{{ base_domain }}`)"
+ traefik.http.routers.tiqr.tls: "true"
+ traefik.enable: "true"
+ env:
+ APACHE_UID: "#{{ tiqr_uid.uid }}"
+ APACHE_GUID: "#{{ tiqr_guid.gid }}"
+ APP_ENV: prod
+ mounts:
+ - source: /opt/openconext/tiqr/public/images/header-logo.png
+ target: /var/www/html/public/images/header-logo.png
+ type: bind
+ - source: /opt/openconext/tiqr
+ target: 
/var/www/html/config/openconext
+ type: bind
diff --git a/roles/stepuptiqr/tasks/main.yml b/roles/stepuptiqr/tasks/main.yml
index 4bbb1dd74..0d2d99c20 100644
--- a/roles/stepuptiqr/tasks/main.yml
+++ b/roles/stepuptiqr/tasks/main.yml
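Review bot: The `Write tiqr APNS certificate` task has no `notify`, whereas `Place parameters.yml` notifies `restart tiqr`; a rotated APNS key written into the bind-mounted `/opt/openconext/tiqr` lands on the container's filesystem, but the running process keeps the old key loaded until something else restarts it. Add `notify: restart tiqr` to the copy task so key rotation takes effect on the same play. In `Create the container`, `pull: true` combined with the mutable tag `:{{ tiqr_version }}` means the image actually running can change between runs with no change to the playbook; pinning by digest (`image: ghcr.io/openconext/stepup-tiqr/stepup-tiqr@sha256:<DIGEST>`, placeholder, with the digest kept next to `tiqr_version`) makes the deployment reproducible and lets the pulled image be checked against a known value. Minor: `createhome: no` relies on YAML 1.1 truthy parsing while the rest of this file writes booleans explicitly (`pull: true`); `createhome: false` keeps one style.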
@@ -1,85 +1,7 @@
-- debug:
- msg: "{{ tiqr_statestorage }}"
+- name: Include docker tasks when running docker
+ ansible.builtin.include_tasks: docker.yml
+ when: "'docker' in group_names"
 
-- name: Install Apache and FPM config
- include_role:
- name: apachefpm
-
-- name: Install the symfony app
- include_role:
- name: stepupapp
-
-- name: Install images
- include_role:
- name: stepupapp
- tasks_from: copyimages
-
-- name: Install the GSSP certificates
- include_role:
- name: stepupapp
- tasks_from: copygsspidpcerts
-
-- name: Write tiqr APNS certificate
- copy:
- content: "{{ tiqr_apns_pemfile }}"
- dest: "{{ current_release_config_file_dir_name }}/apns.pem"
- owner: "{{ appname }}"
- mode: 0400
- when: tiqr_apns_pemfile is defined
-
-- name: Place parameters.yml
- template:
- src: parameters.yaml.j2
- dest: "{{ current_release_config_dir_name }}/parameters.yaml"
- mode: 0640
- owner: root
- group: "{{ appname }}"
- notify:
- - clear cache {{ appname }}
- - reload php72-fpm {{ appname }}
-
-- name: Place .env file
- template:
- src: env.j2
- dest: "{{ current_release_appdir }}/.env.local"
- mode: 0640
- owner: root
- group: "{{ appname }}"
- notify: clear cache {{ appname }}
-
-- name: Install assets
- command: php72 {{ current_release_appdir }}/bin/console assets:install
-
-- name: Activate the symlink
- file:
- src: "{{ current_release_appdir }}"
- dest: "{{ current_release_symlink }}"
- state: link
-
-- name: Put tiqr configuration script in /root/
- template:
- src: "{{ item }}.j2"
- dest: "/root/{{ item }}"
- group: root
- owner: root
- mode: "0500"
- with_items:
- - "01-tiqr-db_init.sh"
-
-- name: Put tiqr keyserver migration script in /root/
- template:
- src: "{{ item }}.j2"
- dest: "/root/{{ item }}"
- group: root
- owner: root
- mode: "500"
- with_items:
- - "02-tiqr-migrate-to-keyserver.php"
- when: keyserver_consumerkey is defined
-
-- meta: flush_handlers
-
-- name: Include post installation tasks
- include_role:
- name: stepupapp
- tasks_from: 
postinstall
+- name: Include docker tasks when running docker
+ ansible.builtin.include_tasks: vm.yml
+ when: "'docker' not in group_names"
diff --git a/roles/stepuptiqr/tasks/vm.yml b/roles/stepuptiqr/tasks/vm.yml
new file mode 100644
index 000000000..4bbb1dd74
--- /dev/null
+++ b/roles/stepuptiqr/tasks/vm.yml
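Review bot: The second task is named `Include docker tasks when running docker` but includes `vm.yml` under `'docker' not in group_names`, so play output labels the VM path as the docker path; rename it to `- name: Include VM tasks when not running docker`. Both includes key off the literal inventory group `docker`, which nothing in the role documents; a one-line comment above the first task, such as `# Hosts in the 'docker' inventory group get the container deployment, all other hosts the classic VM deployment`, tells the next reader where the switch lives without a trip to the inventory.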
@@ -0,0 +1,85 @@
+- debug:
+ msg: "{{ tiqr_statestorage }}"
+
+- name: Install Apache and FPM config
+ include_role:
+ name: apachefpm
+
+- name: Install the symfony app
+ include_role:
+ name: stepupapp
+
+- name: Install images
+ include_role:
+ name: stepupapp
+ tasks_from: copyimages
+
+- name: Install the GSSP certificates
+ include_role:
+ name: stepupapp
+ tasks_from: copygsspidpcerts
+
+- name: Write tiqr APNS certificate
+ copy:
+ content: "{{ tiqr_apns_pemfile }}"
+ dest: "{{ current_release_config_file_dir_name }}/apns.pem"
+ owner: "{{ appname }}"
+ mode: 0400
+ when: tiqr_apns_pemfile is defined
+
+- name: Place parameters.yml
+ template:
+ src: parameters.yaml.j2
+ dest: "{{ current_release_config_dir_name }}/parameters.yaml"
+ mode: 0640
+ owner: root
+ group: "{{ appname }}"
+ notify:
+ - clear cache {{ appname }}
+ - reload php72-fpm {{ appname }}
+
+- name: Place .env file
+ template:
+ src: env.j2
+ dest: "{{ current_release_appdir }}/.env.local"
+ mode: 0640
+ owner: root
+ group: "{{ appname }}"
+ notify: clear cache {{ appname }}
+
+- name: Install assets
+ command: php72 {{ current_release_appdir }}/bin/console assets:install
+
+- name: Activate the symlink
+ file:
+ src: "{{ current_release_appdir }}"
+ dest: "{{ current_release_symlink }}"
+ state: link
+
+- name: Put tiqr configuration script in /root/
+ template:
+ src: "{{ item }}.j2"
+ dest: "/root/{{ item }}"
+ group: root
+ owner: root
+ mode: "0500"
+ with_items:
+ - "01-tiqr-db_init.sh"
+
+- name: Put tiqr keyserver migration script in /root/
+ template:
+ src: "{{ item }}.j2"
+ dest: "/root/{{ item }}"
+ group: root
+ owner: root
+ mode: "500"
+ with_items:
+ - "02-tiqr-migrate-to-keyserver.php"
+ when: keyserver_consumerkey is defined
+
+- meta: flush_handlers
+
+- name: Include post installation tasks
+ include_role:
+ name: stepupapp
+ tasks_from: postinstall
diff --git a/roles/stepuptiqr/templates/parameters.yaml.j2 b/roles/stepuptiqr/templates/parameters.yaml.j2 index 9dd296728..8c372c20b 100644 --- a/roles/stepuptiqr/templates/parameters.yaml.j2 +++ b/roles/stepuptiqr/templates/parameters.yaml.j2 @@ -1,16 +1,22 @@ parameters: +{% if 'docker' in group_names %} + app_env: prod + app_debug: false + app_secret: {{ tiqr_secret }} +{% endif %} + # All locales supported by the application locales: [{{ enabled_locales | join(",") }}] # SAML configuration - saml_idp_publickey: '{{ current_release_config_file_dir_name }}/cert.pem' - saml_idp_privatekey: '{{ current_release_config_file_dir_name }}/key.pem' + saml_idp_publickey: '{{ current_release_config_file_dir_name_in_config }}/cert.pem' + saml_idp_privatekey: '{{ current_release_config_file_dir_name_in_config }}/key.pem' # NOTE: same key used for metadata and response/assertion signing - saml_metadata_publickey: '{{ current_release_config_file_dir_name }}/cert.pem' - saml_metadata_privatekey: '{{ current_release_config_file_dir_name }}/key.pem' + saml_metadata_publickey: '{{ current_release_config_file_dir_name_in_config }}/cert.pem' + saml_metadata_privatekey: '{{ current_release_config_file_dir_name_in_config }}/key.pem' saml_remote_sp_entity_id: 'https://{{ gateway_vhost_name }}/gssp/tiqr/metadata' - saml_remote_sp_certificate: '{{ current_release_config_file_dir_name }}/gateway.crt' + saml_remote_sp_certificate: '{{ current_release_config_file_dir_name_in_config }}/gateway.crt' saml_remote_sp_acs: 'https://{{ gateway_vhost_name }}/gssp/tiqr/consume-assertion' base_url: 'https://{{ vhost_name }}' @@ -50,7 +56,7 @@ parameters: apikey: '{{ tiqr_firebase_apikey }}' {% endif %} apns: - certificate: '{{ current_release_config_file_dir_name }}/apns.pem' + certificate: '{{ current_release_config_file_dir_name_in_config }}/apns.pem' environment: production accountblocking: maxAttempts: 5 
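Review bot: `app_secret: {{ tiqr_secret }}` in the first hunk is rendered unquoted, unlike every other templated value in this file, which is single-quoted; a secret that starts with a YAML indicator (`*`, `&`, `#`, `{`, `[`) or contains `: ` or ` #` will break the parse of the rendered parameters.yaml or be silently truncated, and an all-digit secret becomes an integer. Write it as `app_secret: '{{ tiqr_secret }}'` to match the surrounding keys. `app_env: prod` is also hard-coded here while tasks/docker.yml sets `APP_ENV: prod` in the container environment; a comment stating which of the two the application reads, or dropping one of them, keeps them from drifting apart.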
diff --git a/roles/stepuptiqr/vars/docker.yml b/roles/stepuptiqr/vars/docker.yml
new file mode 100644
index 000000000..f42194f3d
--- /dev/null
+++ b/roles/stepuptiqr/vars/docker.yml
@@ -0,0 +1,5 @@
+
+current_release_appdir: /opt/openconext/tiqr
+current_release_config_file_dir_name: /opt/openconext/tiqr
+current_release_config_file_dir_name_in_config: /var/www/html/config/openconext
+current_release_config_dir_name: /opt/openconext/tiqr
diff --git a/roles/stepuptiqr/vars/main.yml b/roles/stepuptiqr/vars/main.yml
index 23f1e5917..18fed7cfb 100644
--- a/roles/stepuptiqr/vars/main.yml
+++ b/roles/stepuptiqr/vars/main.yml
@@ -9,6 +9,7 @@ current_release_symlink: "/opt/openconext/OpenConext-{{ appname }}"
 current_release_appdir: "{{ current_release_symlink }}-{{ appversion }}"
 current_release_config_file_dir_name: "{{ current_release_appdir }}/app/files"
 current_release_config_dir_name: "{{ current_release_appdir }}/config/legacy"
+current_release_config_file_dir_name_in_config: "{{ current_release_config_file_dir_name }}"
 gssp_idp_private_key: "{{ lookup('file', inventory_dir+'/files/certs/stepup/tiqr_idp.key') }}"
 database_tiqr_user: tiqrrw
 database_tiqr_deploy_user: tiqrdeploy
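Review bot: vars/docker.yml sets `current_release_appdir`, `current_release_config_file_dir_name` and `current_release_config_dir_name` all to `/opt/openconext/tiqr` without saying why three names alias one host path, and the fact that `current_release_config_file_dir_name_in_config` is the same directory as seen from inside the container is only discoverable by reading the bind mount in tasks/docker.yml. A short header comment, e.g. `# Host-side release directory; bind-mounted into the container at the *_in_config path, which is what the rendered parameters.yaml must use`, plus `---` as the first line instead of the leading blank line, would make the file self-explanatory. The alias added to vars/main.yml in the second hunk deserves the matching note, `# On a VM the config files are read from the host path itself; only the docker deployment overrides this`.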