Merge branch 'master' into feature/haproxy28_debian
quartje authored Jul 19, 2024
2 parents 19dd3c2 + 3b19f33 commit e085c07
Showing 166 changed files with 2,682 additions and 3,737 deletions.
30 changes: 22 additions & 8 deletions environments/template/group_vars/template.yml
@@ -1,5 +1,8 @@
---
env: "%env%"
mariadb_host: localhost
rsyslog_host: localhost
database_clients: [ "{{ mariadb_host }}" ]
use_selfsigned_certs: true
update_hosts_file: true
use_welcome_role: true
Expand Down Expand Up @@ -207,7 +210,7 @@ springboot_server_services:
guest_qualifier: "urn:collab:org:{{ base_domain }}"

engine_database_name: eb
engine_database_host: "{{ mysql_host }}"
engine_database_host: "{{ mariadb_host }}"
engine_database_port: 3306
engine_database_user: ebrw
engine_database_password: "{{ mysql_passwords.eb }}"
Expand Down Expand Up @@ -254,20 +257,21 @@ shibboleth_apps:
baseurl: ""

shib:
db_host: "{{ mysql_host }}"
db_host: "{{ mariadb_host }}"
shibboleth_database_backend: false

teams:
db_name: "teams"
db_user: "teamsrw"
db_password: "{{ mysql_passwords.teams }}"
db_host: "{{ mysql_host }}"
db_host: "{{ mariadb_host }}"
group_name_context: "urn:collab:group:{{ base_domain }}:"
voot_api_user: "voot"
spdashboard_api_user: "spdashboard"
spdashboard_person_urn: "urn:collab:person:surfnet.nl:sp-dashboard-C133A36F-CFCA-4F3D-87CE-7ECE29773FE0"
product_name: "OpenConext Teams"
default_stem_name: "demo:openconext:org"
feature_invite_migration_on: False
super_admins_team_urns:
- "nl:surfnet:diensten:teams_super_users"
- "nl:surfnet:diensten:teams_super_admin_users"
Expand Down Expand Up @@ -329,7 +333,7 @@ pdp:
password: "{{ pdp_password }}"
db_user: pdp-serverrw
db_password: "{{ mysql_passwords.pdp_server }}"
db_host: "{{ mysql_host }}"
db_host: "{{ mariadb_host }}"
db_name: pdp-server
spring_profiles_active: test
cache_policies: false
Expand All @@ -344,7 +348,7 @@ aa:
eb_password: "{{ aa_eb_password }}"
db_user: aa-serverrw
db_password: "{{ mysql_passwords.aa_server }}"
db_host: "{{ mysql_host }}"
db_host: "{{ mariadb_host }}"
db_name: aaserver
authz_client_id: "aa.{{base_domain}}"
authz_resource_server_id: aa
Expand All @@ -359,6 +363,9 @@ aa:
sab_username: coin-test
sab_password: "{{ aa_sab_password }}"
sab_endpoint: https://sab-ng.surfnet.nl/simplesaml/module.php/attributes/server.php
sab_rest_username: surfconexttest
sab_rest_password: "{{ aa_sab_rest_password }}"
sab_rest_endpoint: https://sab-ng.surfnet.nl
surfmarket_url: https://example.org
surfmarket_username: [email protected]
surfmarket_password: "{{ aa_surfmarket_password }}"
Expand Down Expand Up @@ -386,6 +393,7 @@ oidcng:
key_rollover_cron_expression: "0 0 0 * * *"
acr_values_supported:
- https://eduid.nl/trust/validate-names
- https://eduid.nl/trust/validate-names-external
- https://eduid.nl/trust/linked-institution
- https://eduid.nl/trust/affiliation-student
- https://refeds.org/profile/mfa
Expand All @@ -405,11 +413,12 @@ myconext:
mongo_password: "{{ mongo_passwords.myconext }}"
rp_client_id: myconext.ala.eduid
rs_client_id: myconext.rs
idp_external_validation_entity_id: http://mock-idp
verify_base_uri: "https://validate.test.eduid.nl"
feature_webauthn: false
feature_warning_educational_email_domain: false
feature_show_connections: false
feature_use_external_validation: false
feature_id_verify: true
feature_remote_creation_api: true
feature_deny_disposable_email_providers: true
feature_create_eduid_institution_enabled: true
feature_create_eduid_institution_landing: true
Expand Down Expand Up @@ -441,7 +450,7 @@ manage:
eb_db_user: "{{ engine_database_user }}"
eb_db_password: "{{ mysql_passwords.eb }}"
eb_db_name: "{{ engine_database_name }}"
eb_db_host: "{{ mysql_host }}"
eb_db_host: "{{ mariadb_host }}"
mongo_port: "{{ mongo_port }}"
mongo_user: managerw
mongo_password: "{{ mongo_passwords.manage }}"
Expand Down Expand Up @@ -481,6 +490,11 @@ manage:
password: "{{ manage_invite_secret }}",
scopes: ["READ"]
}
- {
name: "sram",
password: "{{ manage_sram_secret }}",
scopes: ["READ", "WRITE_SP", "DELETE_SP"]
}
- {
name: "attribute-aggregation",
password: "{{ aa_manage_password }}",
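Review bot: The new `sram` API client in the last hunk of this file is granted `WRITE_SP` and `DELETE_SP` alongside `READ`, so a single credential can alter and remove SP metadata in every environment generated from this template, and nothing in the hunk records why both write and delete are needed. A comment above the entry, for example `# sram: presumably needs WRITE_SP/DELETE_SP for the SP entries it manages — confirm this is the minimal scope`, would make the grant reviewable later; if one of the two scopes is not used, drop it. The same entry is added to environments/vm/group_vars/vm.yml, and `manage_sram_secret` is wired into both secrets files, so the credential itself is in place. The list this entry belongs to starts above the hunk, so its key is not visible here.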
25 changes: 12 additions & 13 deletions environments/template/secrets/skeleton.yml
@@ -1,10 +1,3 @@
env: "%env%"

mysql_host: localhost
rsyslog_host: localhost

database_clients: [ "{{ mysql_host }}" ]

mysql_root_password: secret

mysql_passwords:
Expand All @@ -27,12 +20,15 @@ engine_api_metadata_push_password: secret
oidcng_api_metadata_push_password: secret
oidcng_api_tokens_profile_password: secret
oidcng_api_tokens_eduid_password: secret
myconext_api_attribute_manipulation_password: secret
myconext_api_attribute_manipulation_password: "{noop}secret"
myconext_oidcng_rs_client_secret: secret
myconext_api_attribute_aggregation_password: secret
myconext_api_attribute_aggregation_password: "{noop}secret"
myconext_api_studielink_password: "{noop}secret"
myconext_client_secret: secret
myconext_rs_client_secret: secret
myconext_geo2lite_license_key: secret
myconext_verify_client_id: secret
myconext_verify_secret: secret
engine_api_profile_password: secret
engine_api_deprovision_password: secret
engine_parameters_secret: secret
Expand Down Expand Up @@ -63,6 +59,7 @@ pdp_sab_password: secret
aa_eb_password: secret
aa_authz_client_secret: secret
aa_sab_password: secret
aa_sab_rest_password: secret
aa_idin_client_secret: secret
aa_orcid_password: secret
aa_surfmarket_password: secret
Expand Down Expand Up @@ -99,6 +96,7 @@ pdp_push_endpoint_secret: secret
manage_sp_dashboard_secret: secret
manage_sysadmin_secret: secret
manage_invite_secret: secret
manage_sram_secret: secret

lifecycle_symfony_secret: secret
lifecycle_api_password: secret
Expand Down Expand Up @@ -138,11 +136,12 @@ myconext_private_key: |
invite_oidc_secret: secretsecret
invite_rs_secret: secretsecret
invite_voot_secret: secret
invite_teams_secret: secret
invite_attribute_aggregation_secret: secret
invite_voot_secret: "{noop}secret"
invite_teams_secret: "{noop}secret"
invite_attribute_aggregation_secret: "{noop}secret"
invite_manage_secret: secret
invite_lifecycle_secret: secret
invite_lifecycle_secret: "{noop}secret"
invite_profile_secret: "{noop}secret"
invite_private_key_pkcs8: |
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCfpYYMgKYDICkp
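Review bot: In the last hunk `invite_manage_secret: secret` is now the only `invite_*_secret` without the `{noop}` prefix, while `invite_voot_secret`, `invite_teams_secret`, `invite_attribute_aggregation_secret`, `invite_lifecycle_secret` and the new `invite_profile_secret` all receive it. If the distinction is that the `{noop}` values are passwords Invite verifies itself (the Spring Security encoded-password form, which stores the value in clear) while `invite_manage_secret` is a credential it presents to Manage, the split is presumably deliberate but invisible here; a comment above the block such as `# {noop}-prefixed values are checked by Invite itself; plain values are sent to other services` would stop the next editor from "fixing" it. The same hunk appears in environments/vm/secrets/vm.yml. Separately, `myconext_verify_client_id` is added to the secrets skeleton although a client id is normally not a secret; if it lives here only for convenience, group_vars may be the better home.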
32 changes: 25 additions & 7 deletions environments/vm/group_vars/vm.yml
@@ -1,5 +1,11 @@
---
env: vm

base_domain: "{{ env }}.openconext.org"

rsyslog_host: localhost
mariadb_host: localhost
database_clients: [ "{{ mariadb_host }}" ]
use_selfsigned_certs: true
update_hosts_file: true
use_welcome_role: true
Expand Down Expand Up @@ -150,13 +156,14 @@ teams:
db_name: "teams"
db_user: "teamsrw"
db_password: "{{ mysql_passwords.teams }}"
db_host: "{{ mysql_host }}"
db_host: "{{ mariadb_host }}"
group_name_context: "urn:collab:group:{{ base_domain }}:"
voot_api_user: "voot"
spdashboard_api_user: "spdashboard"
spdashboard_person_urn: "urn:collab:person:surfnet.nl:sp-dashboard-C133A36F-CFCA-4F3D-87CE-7ECE29773FE0"
product_name: "OpenConext Teams"
default_stem_name: "demo:openconext:org"
feature_invite_migration_on: False
super_admins_team_urns:
- "nl:surfnet:diensten:teams_super_users"
- "nl:surfnet:diensten:teams_super_admin_users"
Expand Down Expand Up @@ -220,7 +227,7 @@ pdp:
password: "{{ pdp_password }}"
db_user: pdp-serverrw
db_password: "{{ mysql_passwords.pdp_server }}"
db_host: "{{ mysql_host }}"
db_host: "{{ mariadb_host }}"
db_name: pdp-server
spring_profiles_active: test
cache_policies: false
Expand All @@ -234,7 +241,7 @@ aa:
eb_password: "{{ aa_eb_password }}"
db_user: aa-serverrw
db_password: "{{ mysql_passwords.aa_server }}"
db_host: "{{ mysql_host }}"
db_host: "{{ mariadb_host }}"
db_name: aaserver
authz_client_id: "aa.{{ base_domain }}"
authz_resource_server_id: aa
Expand All @@ -249,6 +256,9 @@ aa:
sab_username: coin-test
sab_password: "{{ aa_sab_password }}"
sab_endpoint: https://sab-ng.surfnet.nl/simplesaml/module.php/attributes/server.php
sab_rest_username: surfconexttest
sab_rest_password: "{{ aa_sab_rest_password }}"
sab_rest_endpoint: https://sab-ng.surfnet.nl
surfmarket_url: https://example.org
surfmarket_username: [email protected]
surfmarket_password: "{{ aa_surfmarket_password }}"
Expand Down Expand Up @@ -276,6 +286,7 @@ oidcng:
key_rollover_cron_expression: "0 0 0 * * *"
acr_values_supported:
- https://eduid.nl/trust/validate-names
- https://eduid.nl/trust/validate-names-external
- https://eduid.nl/trust/linked-institution
- https://eduid.nl/trust/affiliation-student
- https://refeds.org/profile/mfa
Expand All @@ -294,10 +305,11 @@ myconext:
mongo_password: "{{ mongo_passwords.myconext }}"
rp_client_id: myconext.ala.eduid
rs_client_id: myconext.rs
idp_external_validation_entity_id: http://mock-idp
verify_base_uri: "https://validate.test.eduid.nl"
feature_webauthn: false
feature_warning_educational_email_domain: false
feature_use_external_validation: false
feature_id_verify: true
feature_remote_creation_api: true
feature_deny_disposable_email_providers: true
feature_create_eduid_institution_enabled: true
feature_create_eduid_institution_landing: true
Expand Down Expand Up @@ -328,7 +340,7 @@ manage:
eb_db_user: "{{ engine_database_user }}"
eb_db_password: "{{ mysql_passwords.eb }}"
eb_db_name: "{{ engine_database_name }}"
eb_db_host: "{{ mysql_host }}"
eb_db_host: "{{ mariadb_host }}"
mongo_port: "{{ mongo_port }}"
mongo_user: "{{ manage_mongo_user }}"
mongo_password: "{{ mongo_passwords.manage }}"
Expand Down Expand Up @@ -359,13 +371,18 @@ manage:
- {
name: "sp-dashboard",
password: "{{ manage_sp_dashboard_secret }}",
scopes: [ "READ", "WRITE_SP", "CHANGE_REQUEST_SP", "PUSH"]
scopes: [ "READ", "WRITE_SP", "DELETE_SP", "CHANGE_REQUEST_SP", "PUSH"]
}
- {
name: "invite",
password: "{{ manage_invite_secret }}",
scopes: ["READ"]
}
- {
name: "sram",
password: "{{ manage_sram_secret }}",
scopes: ["READ", "WRITE_SP", "DELETE_SP"]
}
- {
name: "sysadmin",
password: "{{ manage_sysadmin_secret }}",
Expand All @@ -385,6 +402,7 @@ manage:

manage_show_oidc_rp_tab: true
manage_exclude_oidc_rp_imports_in_push: false
manage_exclude_sram_imports_in_push: false
manage_mongo_db: metadata
manage_mongo_user: managerw

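Review bot: `feature_invite_migration_on: False` in the teams hunk, which appears to be the line this hunk adds, uses a capitalised boolean while every other flag in this file is lowercase (`feature_webauthn: false`, `feature_id_verify: true` in the myconext hunk); PyYAML accepts both, but yamllint's `truthy` rule rejects `False`, and lowercase keeps the file consistent: `feature_invite_migration_on: false`. The same line is added to environments/template/group_vars/template.yml. The new `manage_exclude_sram_imports_in_push: false` follows the existing `manage_exclude_oidc_rp_imports_in_push` naming, which is good, but a one-line comment on what an "sram import" is would help readers unfamiliar with the consuming role.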
26 changes: 12 additions & 14 deletions environments/vm/secrets/vm.yml
@@ -1,11 +1,3 @@
env: vm
base_domain: "{{ env }}.openconext.org"

mysql_host: localhost
rsyslog_host: localhost

database_clients: [ "{{ mysql_host }}" ]

mysql_root_password: secret
galera_clustercheck_password: secret

Expand Down Expand Up @@ -37,12 +29,15 @@ engine_api_metadata_push_password: secret
oidcng_api_metadata_push_password: secret
oidcng_api_tokens_profile_password: secret
oidcng_api_tokens_eduid_password: secret
myconext_api_attribute_manipulation_password: secret
myconext_api_attribute_manipulation_password: "{noop}secret"
myconext_oidcng_rs_client_secret: secret
myconext_api_attribute_aggregation_password: secret
myconext_api_attribute_aggregation_password: "{noop}secret"
myconext_api_studielink_password: "{noop}secret"
myconext_client_secret: secret
myconext_rs_client_secret: secret
myconext_geo2lite_license_key: secret
myconext_verify_client_id: secret
myconext_verify_secret: secret
engine_api_profile_password: secret
engine_api_deprovision_password: secret

Expand All @@ -66,6 +61,7 @@ pdp_sab_password: secret
aa_eb_password: secret
aa_authz_client_secret: secretsecret
aa_sab_password: secret
aa_sab_rest_password: secret
aa_idin_client_secret: secret
aa_orcid_password: secret
aa_surfmarket_password: secret
Expand All @@ -91,6 +87,7 @@ manage_sp_dashboard_secret: secret
manage_sysadmin_secret: secret
manage_stats_api_password: secret
manage_invite_secret: secret
manage_sram_secret: secret

manage_prod_sp_dashboard_secret: secret
spdashboard_symfony_secret: secret
Expand Down Expand Up @@ -285,11 +282,12 @@ myconext_private_key: |
invite_oidc_secret: secretsecret
invite_rs_secret: secretsecret
invite_voot_secret: secret
invite_teams_secret: secret
invite_attribute_aggregation_secret: secret
invite_voot_secret: "{noop}secret"
invite_teams_secret: "{noop}secret"
invite_attribute_aggregation_secret: "{noop}secret"
invite_manage_secret: secret
invite_lifecycle_secret: secret
invite_lifecycle_secret: "{noop}secret"
invite_profile_secret: "{noop}secret"
invite_private_key_pkcs8: |
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCfpYYMgKYDICkp
8 changes: 4 additions & 4 deletions group_vars/all.yml
Expand Up @@ -32,11 +32,11 @@ environment_ribbon_colour: ""

httpd_csp:
lenient: "default-src 'self'; object-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; form-action 'self'; frame-ancestors 'none'; base-uri 'none'"
lenient_with_static_img: "default-src 'self'; object-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' https://{{ static_vhost }} data:; form-action 'self'; frame-ancestors 'none'; base-uri 'none'"
lenient_with_static_img_with_oidcng: "default-src 'self'; object-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; connect-src 'self' https://{{ oidcng_vhost }}; img-src 'self' https://{{ static_vhost }} data:; form-action 'self'; frame-ancestors 'none'; base-uri 'none'"
lenient_with_static_img: "default-src 'self'; object-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' https://{{ static_vhost }} http://localhost:* data:; form-action 'self'; frame-ancestors 'none'; base-uri 'none'"
lenient_with_static_img_with_oidcng: "default-src 'self'; object-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; connect-src 'self' https://{{ oidcng_vhost }}; img-src 'self' https://{{ static_vhost }} http://localhost:* data:; form-action 'self'; frame-ancestors 'none'; base-uri 'none'"
strict: "default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; connect-src 'self'; img-src 'self' data:; form-action 'self'; frame-ancestors 'none'; base-uri 'none'"
strict_with_static_img: "default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; connect-src 'self'; img-src 'self' https://{{ static_vhost }} data:; form-action 'self'; frame-ancestors 'none'; base-uri 'none'"
lenient_with_static_img_for_idp: "default-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; font-src 'self'; connect-src 'self' https://{{ oidcng_vhost }}; img-src 'self' https://{{ static_vhost }} data:; form-action 'self' https://*.{{ base_domain }}; frame-ancestors 'none'; base-uri 'none'"
strict_with_static_img: "default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; connect-src 'self'; img-src 'self' https://{{ static_vhost }} http://localhost:* data:; form-action 'self'; frame-ancestors 'none'; base-uri 'none'"
lenient_with_static_img_for_idp: "default-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; font-src 'self'; connect-src 'self' https://{{ oidcng_vhost }}; img-src 'self' https://{{ static_vhost }} http://localhost:* data:; form-action 'self' https://*.{{ base_domain }}; frame-ancestors 'none'; base-uri 'none'"
nothing: "default-src 'none'; frame-ancestors 'none'; form-action 'none'; base-uri 'none'"

error_subject_prefix: "[{{ ansible_hostname }}] "
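Review bot: `http://localhost:*` is added to the `img-src` directive of `lenient_with_static_img`, `lenient_with_static_img_with_oidcng`, `strict_with_static_img` and `lenient_with_static_img_for_idp` in group_vars/all.yml, which is the default for every environment rather than only the vm one, so a policy named `strict_*` now admits a cleartext localhost source in production unless an environment overrides the whole string. The exposure is limited to image loads, but it lets any page served under these policies attempt image loads against arbitrary ports on the visitor's own machine, and it sits oddly next to the `https://`-only sources around it. If the localhost source is only needed for local development, gate it on a per-environment variable (for example an empty-by-default value, name constructed, such as `httpd_csp_extra_img_src`, appended to `img-src`) or override `httpd_csp` in the vm group_vars instead of the shared default. The `httpd_csp` mapping begins inside the hunk, and this hunk is the whole change to the file.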