Docker deploy of webauthn and azuremfa

The original deploy is kept intact. You should be able to deploy both the php7 VM variant of the apps as well as the php82 docker based apps
OpenConext · Jan 10, 2024 · f3dc44c · f3dc44c
1 parent 2610700
commit f3dc44c
Show file tree

Hide file tree

Showing 13 changed files with 363 additions and 148 deletions.
diff --git a/roles/stepupazuremfa/tasks/docker.yml b/roles/stepupazuremfa/tasks/docker.yml
@@ -0,0 +1,77 @@
+- name: Include docker vars
+  ansible.builtin.include_vars: docker.yml
+
+- name: Add group {{ appname }}
+  ansible.builtin.group:
+    name: "{{ appname }}"
+    state: present
+  register: azuremfa_guid
+
+- name: Add user {{ appname }}
+  ansible.builtin.user:
+    name: "{{ appname }}"
+    group: "{{ appname }}"
+    createhome: no
+    state: present
+  register: azuremfa_uid
+
+- name: Create some dirs
+  ansible.builtin.file:
+    state: directory
+    dest: "{{ item }}"
+    owner: root
+    group: root
+    mode: "0755"
+  with_items:
+    - "{{ current_release_config_dir_name }}"
+    - "{{ current_release_appdir }}/public/images"
+
+- name: Install images
+  ansible.builtin.include_role:
+    name: stepupapp
+    tasks_from: copyimages
+
+- name: Install the GSSP certificates
+  ansible.builtin.include_role:
+    name: stepupapp
+    tasks_from: copygsspidpcerts
+
+- name: Place parameters.yml
+  ansible.builtin.template:
+    src: parameters.yaml.j2
+    dest: "{{ current_release_config_dir_name }}/parameters.yaml"
+    mode: "0640"
+    owner: root
+    group: "{{ appname }}"
+
+- name: Put institutions.yaml from environment
+  ansible.builtin.template:
+    src: "{{ inventory_dir }}/files/stepup-azuremfa/institutions.yaml.j2"
+    dest: "{{ current_release_config_dir_name }}/institutions.yaml"
+    mode: "0640"
+    owner: root
+    group: "{{ appname }}"
+
+
+- name: Create the container
+  community.docker.docker_container:
+    name: "{{ appname }}"
+    image: ghcr.io/openconext/stepup-azuremfa/stepup-azuremfa:{{ azuremfa_version }}
+    pull: true
+    restart_policy: "always"
+    networks:
+      - name: "loadbalancer"
+    labels:
+      traefik.http.routers.azuremfa.rule: "Host(`azuremfa.{{ base_domain }}`)"
+      traefik.http.routers.azuremfa.tls: "true"
+      traefik.enable: "true"
+    env:
+      APACHE_UID: "#{{ azuremfa_uid.uid }}"
+      APACHE_GUID: "#{{ azuremfa_guid.gid }}"
+    mounts:
+      - source: /opt/openconext/azuremfa/public/images/
+        target: /var/www/html/public/images/
+        type: bind
+      - source: /opt/openconext/azuremfa
+        target: /var/www/html/config/openconext
+        type: bind
diff --git a/roles/stepupazuremfa/tasks/main.yml b/roles/stepupazuremfa/tasks/main.yml
@@ -1,62 +1,7 @@
-- name: Install Apache and FPM config
-  include_role:
-    name: apachefpm
+- name: Include docker tasks when running docker
+  include_tasks: docker.yml
+  when: "'docker' in group_names"
 
-- name: Install the symfony app
-  include_role:
-    name: stepupapp
-
-- name: Install images
-  include_role:
-    name: stepupapp
-    tasks_from: copyimages
-
-- name: Install the GSSP certificates
-  include_role:
-    name: stepupapp
-    tasks_from: copygsspidpcerts
-
-- name: Place parameters.yml
-  template:
-    src: parameters.yaml.j2
-    dest: "{{ current_release_config_dir_name }}/parameters.yaml"
-    mode: 0640
-    owner: root
-    group: "{{ appname }}"
-  notify:
-    - clear cache {{ appname }}
-    - reload php72-fpm {{ appname }}
-
-- name: Put institutions.yaml from environment
-  template:
-    src: "{{ inventory_dir }}/files/stepup-azuremfa/institutions.yaml.j2"
-    dest: "{{ current_release_config_dir_name }}/institutions.yaml"
-    mode: 0640
-    group: "{{ appname }}"
-  notify:
-    - clear cache {{ appname }}
-    - reload php72-fpm {{ appname }}
-
-- name: Place .env file
-  template:
-    src: env.j2
-    dest: "{{ current_release_appdir }}/.env.local"
-    mode: 0640
-    owner: root
-    group: "{{ appname }}"
-  notify:
-    - clear cache {{ appname }}
-    - reload php72-fpm {{ appname }}
-
-- name: Activate the symlink
-  file:
-    src: "{{ current_release_appdir }}/"
-    dest: "{{ current_release_symlink }}"
-    state: link
-
-- meta: flush_handlers
-
-- name: Include post installation tasks
-  include_role:
-    name: stepupapp
-    tasks_from: postinstall
+- name: Include docker tasks when running docker
+  include_tasks: vm.yml
+  when: "'docker' not in group_names"
diff --git a/roles/stepupazuremfa/tasks/vm.yml b/roles/stepupazuremfa/tasks/vm.yml
@@ -0,0 +1,62 @@
+- name: Install Apache and FPM config
+  include_role:
+    name: apachefpm
+
+- name: Install the symfony app
+  include_role:
+    name: stepupapp
+
+- name: Install images
+  include_role:
+    name: stepupapp
+    tasks_from: copyimages
+
+- name: Install the GSSP certificates
+  include_role:
+    name: stepupapp
+    tasks_from: copygsspidpcerts
+
+- name: Place parameters.yml
+  template:
+    src: parameters.yaml.j2
+    dest: "{{ current_release_config_dir_name }}/parameters.yaml"
+    mode: 0640
+    owner: root
+    group: "{{ appname }}"
+  notify:
+    - clear cache {{ appname }}
+    - reload php72-fpm {{ appname }}
+
+- name: Put institutions.yaml from environment
+  template:
+    src: "{{ inventory_dir }}/files/stepup-azuremfa/institutions.yaml.j2"
+    dest: "{{ current_release_config_dir_name }}/institutions.yaml"
+    mode: 0640
+    group: "{{ appname }}"
+  notify:
+    - clear cache {{ appname }}
+    - reload php72-fpm {{ appname }}
+
+- name: Place .env file
+  template:
+    src: env.j2
+    dest: "{{ current_release_appdir }}/.env.local"
+    mode: 0640
+    owner: root
+    group: "{{ appname }}"
+  notify:
+    - clear cache {{ appname }}
+    - reload php72-fpm {{ appname }}
+
+- name: Activate the symlink
+  file:
+    src: "{{ current_release_appdir }}/"
+    dest: "{{ current_release_symlink }}"
+    state: link
+
+- meta: flush_handlers
+
+- name: Include post installation tasks
+  include_role:
+    name: stepupapp
+    tasks_from: postinstall
diff --git a/roles/stepupazuremfa/templates/parameters.yaml.j2 b/roles/stepupazuremfa/templates/parameters.yaml.j2
@@ -1,16 +1,21 @@
 parameters:
+{% if 'docker' in group_names %}
+    app_env: prod
+    app_debug: false 
+    app_secret: {{ azuremfa_secret }}
+{% endif %}
     # All locales supported by the application
     locales: [{{ enabled_locales | join(",") }}]
 
     # SAML configuration
-    saml_idp_publickey: '{{ current_release_config_file_dir_name }}/cert.pem'
-    saml_idp_privatekey: '{{ current_release_config_file_dir_name }}/key.pem'
+    saml_idp_publickey: '{{ current_release_config_file_dir_name_in_config }}/cert.pem'
+    saml_idp_privatekey: '{{ current_release_config_file_dir_name_in_config }}/key.pem'
     # NOTE: same key used for metadata and response/assertion signing
-    saml_metadata_publickey: '{{ current_release_config_file_dir_name }}/cert.pem'
-    saml_metadata_privatekey: '{{ current_release_config_file_dir_name }}/key.pem'
+    saml_metadata_publickey: '{{ current_release_config_file_dir_name_in_config }}/cert.pem'
+    saml_metadata_privatekey: '{{ current_release_config_file_dir_name_in_config }}/key.pem'
 
     saml_remote_sp_entity_id: 'https://{{ gateway_vhost_name }}/gssp/azuremfa/metadata'
-    saml_remote_sp_certificate: '{{ current_release_config_file_dir_name }}/gateway.crt'
+    saml_remote_sp_certificate: '{{ current_release_config_file_dir_name_in_config }}/gateway.crt'
     saml_remote_sp_acs: 'https://{{ gateway_vhost_name }}/gssp/azuremfa/consume-assertion'
 
     # View parameters

diff --git a/roles/stepupazuremfa/vars/docker.yml b/roles/stepupazuremfa/vars/docker.yml
@@ -0,0 +1,4 @@
+current_release_appdir: /opt/openconext/azuremfa
+current_release_config_file_dir_name: /opt/openconext/azuremfa
+current_release_config_file_dir_name_in_config: /var/www/html/config/openconext
+current_release_config_dir_name: /opt/openconext/azuremfa
diff --git a/roles/stepupazuremfa/vars/main.yml b/roles/stepupazuremfa/vars/main.yml
@@ -7,6 +7,7 @@ stepup_gh_appname: "Azure-MFA"
 current_release_symlink: "/opt/openconext/OpenConext-{{ appname }}" 
 current_release_appdir: "{{current_release_symlink }}-{{ appversion }}" 
 current_release_config_file_dir_name: "{{ current_release_appdir }}/app/files"
+#current_release_config_file_dir_name_in_config: "{{ current_release_config_file_dir_name }}"
 current_release_config_dir_name: "{{ current_release_appdir }}/config/packages"
 gssp_idp_private_key: "{{ lookup('file', inventory_dir+'/files/certs/stepup/azuremfa_idp.key') }}"
 fpmmemory: 128M
diff --git a/roles/stepupwebauthn/handlers/main.yml b/roles/stepupwebauthn/handlers/main.yml
@@ -6,3 +6,9 @@
   service:
     name: php72-php-fpm
     state: reloaded
+
+- name: restart webauthn
+  community.docker.docker_container:
+    name: webauthn
+    state: started
+    restart: true
diff --git a/roles/stepupwebauthn/tasks/docker.yml b/roles/stepupwebauthn/tasks/docker.yml
@@ -0,0 +1,97 @@
+- name: Include docker vars 
+  ansible.builtin.include_vars: docker.yml
+
+- name: Add group {{ appname }}
+  ansible.builtin.group:
+    name: "{{ appname }}"
+    state: present
+  register: webauthn_guid
+
+- name: Add user {{ appname }}
+  ansible.builtin.user:
+    name: "{{ appname }}"
+    group: "{{ appname }}"
+    createhome: no
+    state: present
+  register: webauthn_uid
+
+- name: Create some dirs
+  ansible.builtin.file:
+    state: directory
+    dest: "{{ item }}"
+    owner: root
+    group: root
+    mode: "0755"
+  with_items:
+    - "{{ current_release_config_dir_name }}"
+    - "{{ current_release_appdir }}/public/images"
+
+- name: Install images
+  ansible.builtin.include_role:
+    name: stepupapp
+    tasks_from: copyimages
+
+- name: Install the GSSP certificates
+  ansible.builtin.include_role:
+    name: stepupapp
+    tasks_from: copygsspidpcerts
+
+- name: Create the trusted certificate dir
+  ansible.builtin.file:
+    state: directory
+    dest: "{{ item }}"
+    owner: root
+    mode: "0755"
+  with_items:
+    - "{{ current_release_config_file_dir_name }}/trusted_certificates"
+
+- name: Place parameters.yml
+  ansible.builtin.template:
+    src: parameters.yml.j2
+    dest: "{{ current_release_config_dir_name }}/parameters.yaml"
+    mode: "0640"
+    owner: root
+    group: "{{ appname }}"
+  notify:
+    restart webauthn
+
+- name: Copy trusted certificates
+  ansible.builtin.copy:
+    src: "{{ item }}"
+    dest: "{{ current_release_config_file_dir_name }}/trusted_certificates/"
+    mode: "444"
+  with_fileglob:
+    - "{{ inventory_dir }}/files/stepup-webauthn/trusted_certificates/*"
+
+- name: Put webauthn configuration script in /root/
+  ansible.builtin.template:
+    src: "{{ item }}.j2"
+    dest: "/root/{{ item }}"
+    group: root
+    owner: root
+    mode: "0500"
+  with_items:
+    - "01-webauthn-db_init.sh"
+
+- name: Create the container
+  community.docker.docker_container:
+    name: "{{ appname }}"
+    image: ghcr.io/openconext/stepup-webauthn/stepup-webauthn:{{ webauthn_version }}
+    pull: true
+    restart_policy: "always"
+    networks:
+      - name: "loadbalancer"
+    labels:
+      traefik.http.routers.webauthn.rule: "Host(`webauthn.{{ base_domain }}`)"
+      traefik.http.routers.webauthn.tls: "true"
+      traefik.enable: "true"
+    env:
+      APACHE_UID: "#{{ webauthn_uid.uid }}"
+      APACHE_GUID: "#{{ webauthn_guid.gid }}"
+    mounts:
+      - source: /opt/openconext/webauthn/public/images/
+        target: /var/www/html/public/images/
+        type: bind
+      - source: /opt/openconext/webauthn
+        target: /var/www/html/config/openconext
+        type: bind