Merge pull request #450 from OpenConext/feature/diyidp_use_docker
DIYIDP: Use docker for the diyidp. Uses the docker images from Cirrus
quartje authored May 8, 2024
2 parents 33d7746 + bdd360c commit e87c52d
Showing 16 changed files with 127 additions and 1,218 deletions.
1 change: 1 addition & 0 deletions provision.yml
Expand Up @@ -181,6 +181,7 @@
- { role: mujina-idp, tags: ["mujina-idp"] }
- { role: oidc-playground, tags: ["oidc-playground"] }
- { role: stats, tags: ["stats"] }
- { role: diyidp, tags: ["diyidp"] }
- { role: profile, tags: ["profile"] }

- import_playbook: "{{ environment_dir }}/playbook.yml"
12 changes: 5 additions & 7 deletions roles/diyidp/defaults/main.yml
@@ -1,18 +1,16 @@
---
diyidp_fpm_user: diyidp
simplesamlphp_version: 1.19.5
diyidp_current_release_symlink: "{{ openconext_releases_dir }}/OpenConext-diyidp"
diyidp_domain: diyidp."{{ base_domain }}"
diyidp_cert: "diyidp.crt"
diyidp_welcome_text: |
"<strong>Congratulations<\/strong>, you have successfully installed SimpleSAMLphp. This is the start page of your installation, where you will find links to test examples, diagnostics, metadata and even links to relevant documentation."
diyidp:
db_host: "{{ mysql_host }}"
db_name: diyidp
db_user: diyidprw
dp_password: "{{ mysql_passwords.diyidp }}"
db_password: "{{ mysql_passwords.diyidp }}"
secretsalt: "{{ diyidp_secret_salt }} "
admin_password: "{{ diyidp_secret }}"
diyidp_secret_salt: secretsecret
diyidp_secret: secret
diyidp_remotesp:
- name: "{{ instance_name }} SP metadata"
metadataurl: "https://engine.{{ base_domain }}/authentication/sp/metadata"
acslocation: "https://engine.{{ base_domain }}/authentication/sp/consume-assertion"
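Review bot: `secretsalt: "{{ diyidp_secret_salt }} "` carries a trailing space inside the quotes, so the value handed to the container as SSP_SECRET_SALT in tasks/main.yml ends in a blank; it should read `secretsalt: "{{ diyidp_secret_salt }}"`. Whether that line is newly added or surviving context is not recoverable from the rendered hunk, but it is part of the file under review. The role defaults `diyidp_secret_salt: secretsecret` and `diyidp_secret: secret` become the live salt and admin password on any host whose inventory does not override them; a comment such as `# placeholder values — every environment must override these` would make that expectation explicit. `diyidp_domain: diyidp."{{ base_domain }}"` is a plain scalar, so the double quotes end up as literal characters in the value; if the variable is still used, `diyidp_domain: "diyidp.{{ base_domain }}"` is the intended form.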

6 changes: 2 additions & 4 deletions roles/diyidp/handlers/main.yml
@@ -1,5 +1,3 @@
---
- name: restart apache
service:
name: "{{ 'apache2' if ansible_os_family == 'Debian' else 'httpd' }}"
state: restarted
- name: restart diyidp
command: docker restart diyidp
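Review bot: `command: docker restart diyidp` uses the short module name while every task in tasks/main.yml uses fully qualified names; for consistency write `ansible.builtin.command: docker restart diyidp`. Since the container is managed through community.docker.docker_container in the same role, the handler could also use that module with `restart: true` instead of shelling out, which keeps the restart idempotent and reported the same way as the task that creates the container.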
173 changes: 76 additions & 97 deletions roles/diyidp/tasks/main.yml
@@ -1,127 +1,106 @@
---
- name: Add group {{ diyidp_fpm_user }}
group:
name: "{{ diyidp_fpm_user }}"
state: present

- name: Add user {{ diyidp_fpm_user }}
user:
name: "{{ diyidp_fpm_user }}"
group: "{{ diyidp_fpm_user }}"
createhome: no
state: present

- name: Create directory for vhosts to store PHP sessions
file:
path: "{{ php_session_dir}}/diyidp"
state: directory
owner: "{{ diyidp_fpm_user }}"
group: root
mode: 0770

- name: Download and unarchive the latest release
unarchive:
src: "https://github.com/simplesamlphp/simplesamlphp/releases/download/v{{ simplesamlphp_version }}/simplesamlphp-{{ simplesamlphp_version }}.tar.gz"
dest: "{{ openconext_releases_dir }}"
creates: "/opt/openconext/simplesamlphp-{{ simplesamlphp_version }}"
remote_src: yes

- name: Install Apache vhost
template:
src: "{{ item }}.j2"
dest: "/etc/httpd/conf.d/{{ item }}"
with_items:
- diyidp.conf
notify:
- "restart httpd"

- name: Clean up old php-fpm 5.6 config
file:
path: "/etc/php-fpm.d/diyidp-pool.conf"
state: absent

- name: php-fpm 72 config
template:
src: "{{ item }}.j2"
dest: "/etc/opt/remi/php72/php-fpm.d/{{ item }}"
with_items:
- diyidp-pool-72.conf
notify:
- "restart php72-fpm"

- name: Activate new DIY IDP release
file:
src: "{{ openconext_releases_dir }}/simplesamlphp-{{ simplesamlphp_version }}"
dest: "{{ diyidp_current_release_symlink }}"
state: link
notify:
- "restart httpd"

- name: Create directories
file:
path: "{{ openconext_releases_dir }}/simplesamlphp-{{ simplesamlphp_version }}/{{ item }}"
ansible.builtin.file:
path: "/opt/openconext/diyidp/{{ item }}"
state: directory
owner: root
group: root
mode: 0775
mode: "0775"
with_items:
- config
- www
- metadata
- data
- cert

- name: Put metadata certificate in place
copy:
ansible.builtin.copy:
src: "{{ inventory_dir }}/files/certs/{{ diyidp_cert }}"
dest: "{{ openconext_releases_dir }}/simplesamlphp-{{ simplesamlphp_version }}/cert/server.crt"
dest: "/opt/openconext/diyidp/cert/server.crt"
owner: root
group: root
mode: "0644"

- name: Put metadata key in place
copy:
ansible.builtin.copy:
content: "{{ diyidp_private_key }}"
dest: "{{ openconext_releases_dir }}/simplesamlphp-{{ simplesamlphp_version }}/cert/server.key"
owner: "{{ diyidp_fpm_user }}"
mode: 0400
dest: "/opt/openconext/diyidp/cert/server.key"
owner: root
group: root
mode: "0444"
notify: restart diyidp

- name: Copy simplesamlphp configuration files
template:
ansible.builtin.template:
src: "{{ item }}.j2"
dest: "{{ openconext_releases_dir }}/simplesamlphp-{{ simplesamlphp_version }}/config/{{ item }}"
dest: "/opt/openconext/diyidp/{{ item }}"
mode: "0644"
with_items:
- config.php
- config-override.php
- authsources.php
notify: restart diyidp

- name: Copy simplesamlphp metadata files
template:
ansible.builtin.template:
src: "{{ item }}.j2"
dest: "{{ openconext_releases_dir }}/simplesamlphp-{{ simplesamlphp_version }}/metadata/{{ item }}"
dest: "/opt/openconext/diyidp/metadata/{{ item }}"
mode: "0644"
with_items:
- saml20-idp-hosted.php
- saml20-sp-remote.php
notify: restart diyidp

- name: Copy showusers php script
template:
ansible.builtin.template:
src: "showusers.php.j2"
dest: "{{ openconext_releases_dir }}/simplesamlphp-{{ simplesamlphp_version }}/www/showusers.php"
dest: "/opt/openconext/diyidp/www/showusers.php"
owner: root
mode: 0644
mode: "0644"
notify: restart diyidp

- name: Copy frontpage definitions
template:
src: "frontpage.definition.json.j2"
dest: "{{ openconext_releases_dir }}/simplesamlphp-{{ simplesamlphp_version }}/modules/core/dictionaries/frontpage.definition.json"

- name: Copy login page definition
template:
src: "login.definition.json.j2"
dest: "{{ openconext_releases_dir }}/simplesamlphp-{{ simplesamlphp_version }}/dictionaries/login.definition.json"

- name: Copy the database dump file
copy:
src: diyidp.sql
dest: "{{ openconext_releases_dir }}/builds/"
register: copy_diyidp_script

- name: Import the database
shell: mysql -u {{ diyidp.db_user }} -p{{ diyidp.db_password }} -h {{ diyidp.db_host }} -D {{ diyidp.db_name }} < {{ openconext_releases_dir }}/builds/diyidp.sql
args:
creates: /var/lib/mysql/{{diyidp.db_name}}/users.frm
- name: Copy the apache config
ansible.builtin.template:
src: "000-default.conf.j2"
dest: "/opt/openconext/diyidp/000-default.conf"
owner: root
group: root
mode: "0644"
notify: restart diyidp

- name: Create the container
community.docker.docker_container:
name: diyidp
image: cirrusid/simplesamlphp:v2.0.7
pull: true
restart_policy: "always"
state: started
networks:
- name: "loadbalancer"
labels:
traefik.http.routers.diyidp.rule: "Host(`diyidp.{{ base_domain }}`)"
traefik.http.routers.diyidp.tls: "true"
traefik.enable: "true"
hostname: diyidp
mounts:
- source: /opt/openconext/diyidp/config-override.php
target: /var/simplesamlphp/config/config-override.php
type: bind
- source: /opt/openconext/diyidp/authsources.php
target: /var/simplesamlphp/config/authsources.php
type: bind
- source: /opt/openconext/diyidp/metadata
target: /var/simplesamlphp/config/metadata
type: bind
- source: /opt/openconext/diyidp/cert
target: /var/simplesamlphp/config/cert
type: bind
- source: /opt/openconext/diyidp/www/showusers.php
target: /var/simplesamlphp/public/showusers.php
type: bind
- source: /opt/openconext/diyidp/000-default.conf
target: /etc/apache2/sites-enabled/000-default.conf
type: bind
env:
SSP_ENABLED_MODULES: "sqlauth themesurf"
SSP_LOG_HANDLER: stderr
COMPOSER_REQUIRE: "simplesamlphp/simplesamlphp-module-sqlauth surfnet/simplesamlphp-module-themesurf:dev-main"
SSP_ENABLE_IDP: "true"
SSP_SECRET_SALT: "{{ diyidp.secretsalt }}"
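Review bot: The private key at /opt/openconext/diyidp/cert/server.key is now written with `owner: root` and `mode: "0444"`, which makes it readable by every local account on the host, where the replaced task kept it at 0400; the container user presumably cannot read a root-owned 0400 file, but the fix is to set `owner` to the uid the image runs as (confirm against the image) and keep `mode: "0400"`, rather than loosening host permissions. The same concern applies to config-override.php and authsources.php, written with `mode: "0644"` and no owner, which carry the admin password and database credentials. Separately, `COMPOSER_REQUIRE` requests `surfnet/simplesamlphp-module-themesurf:dev-main`, presumably resolved by the image entrypoint at container start, so each recreate pulls whatever is on that branch, and `pull: true` with the mutable tag `v2.0.7` re-resolves the image; pinning the module to a tagged release or commit and the image to a digest would make deployments reproducible.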
18 changes: 0 additions & 18 deletions roles/diyidp/tasks/main_config.yml

This file was deleted.

17 changes: 0 additions & 17 deletions roles/diyidp/tasks/vhost.yml

This file was deleted.

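--- /dev/null
+++ b/roles/diyidp/templates/000-default.conf.j2
@@ -0,0 +1,7 @@
+<VirtualHost *:80>
+DocumentRoot /var/simplesamlphp/public
+
+<Directory /var/simplesamlphp/public>
+Require all granted
+</Directory>
+</VirtualHost>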
3 changes: 3 additions & 0 deletions roles/diyidp/templates/authsources.php.j2
Expand Up @@ -12,6 +12,9 @@ $config = array(


'sql_user' => array(
'core:loginpage_links' => [
'users' => ['href' => '/showusers.php', 'text' => 'List of available users'],
],
'sqlauth:SQL',
'dsn' => 'mysql:host={{ diyidp.db_host}};port=3306;dbname={{ diyidp.db_name }}',
'username' => '{{ diyidp.db_user}}',
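Review bot: The new `'core:loginpage_links'` entry is inserted before the `'sqlauth:SQL'` string that identifies the `sql_user` auth source, which reads as if the link block were a separate source; moving the three added lines below `'sqlauth:SQL',` keeps the conventional class-first layout (PHP assigns key 0 to the class string either way, so behaviour is unchanged). The link targets `/showusers.php`, which the role bind-mounts into the public docroot served with `Require all granted`, so the account list it renders is reachable without authentication; if that is intended for this test IdP, a one-line comment in the template saying so would save the next reader the question. The enclosing `$config` array starts and ends outside the hunk.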
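--- /dev/null
+++ b/roles/diyidp/templates/config-override.php.j2
@@ -0,0 +1,6 @@
+<?php
+$config['certdir'] = 'config/cert/';
+$config['metadatadir'] = 'config/metadata/';
+$config['auth.adminpassword'] = '{{ diyidp.admin_password }}';
+$config['baseurlpath'] = 'https://diyidp.{{ base_domain }}/';
+$config['theme.use'] = '{{ diyidp.theme |default("default") }}';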
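Review bot: `$config['auth.adminpassword'] = '{{ diyidp.admin_password }}';` substitutes the password into a PHP single-quoted literal without escaping, so a value containing `'` or `\` produces a broken file or a different string than the operator set; the `diyidp.theme` expansion has the same issue. Rendering it as `'{{ diyidp.admin_password | replace("\\", "\\\\") | replace("'", "\\'") }}'` keeps any password intact. Note also that `admin_password` defaults to `diyidp_secret: secret` in defaults/main.yml, so this file carries a well-known admin password on every host whose inventory does not override it; a comment at the top of the template pointing that out would be worth adding.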
