-
Notifications
You must be signed in to change notification settings - Fork 10
/
environment.conf
174 lines (152 loc) · 6.77 KB
/
environment.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
# Set to 1 to encrypt all keys, secrets and passwords with a symmetric key using keyszar.
# Requires python keyszar to be installed (https://github.com/google/keyczar)
#
# Set to 0 to use Ansible Vault to encrypt keys, secrets and passwords, or to store them in plaintext.
#
# Using keyczar is deprecated as the project has been abandoned. Migration of existing environments to
# Ansible vault is supported using the migrate_environment.sh script.
USE_KEYSZAR=0
# Set KEYSTORE_DIR to the name of the KEYSTORE_DIR when using keyczar (USE_KEYSZAR=1)
# Name of the keystore dir in the environment.
# If you change this, update "vault_keydir" in group_vars/all.yml as well
KEYSTORE_DIR="stepup-ansible-keystore"
# Set to 1 to use Ansible Vault to encrypt the generated keys, secrets and passwords
# Set to 0 otherwise
#
# This option is mutually exclusive with USE_KEYSZAR
# If USE_ANSIBLE_VAULT is set to 1 the keyczar way for decrypting values must be disabled.
# To do this set "vault_keydir" in group_vars/all.yml to "" (i.e. it set it to an empty string)
# This stops the "vault" custom ansible filter from using keyczar decryption, effectivly turning it
# in a no-op
USE_ANSIBLE_VAULT=1
# The Ansible vault-id to set when encrypting new values
# Secrets are always encrypted using the password specified in the stepup-ansible-vault-password file
# in this environmet.
# Suggested use of STEPUP_VAULT_LABEL is to use different values for each stetup environment.
# This allows you to use ansible vault-id configuration options to handle the passwords.
# E.g. you can have an ~/.ansible.cfg you could have:
# vault_identity_list=stepup@~/environment_a/stepup-ansible-vault-password, stepup@~/environment_b/stepup-ansible-vault-password
# TODO: Set vault-id label for this environment
STEPUP_VAULT_LABEL=stepup
# Length of generated passwords in characters
PASSWORD_LENGTH=15
# List of passwords to generate. Specify the filename of the password file to create. Passwords are
# stored in the "password" directory
PASSWORDS=(
"middleware_selfservice_api"
"middleware_registration_authority_api"
"middleware_management_api"
"middleware_readonly_api"
"middleware_lifecycle_api"
"mariadb_root"
"mariadb_cluster"
"mariadb_backup"
"database_stepup_deploy"
"database_gateway"
"database_gateway_deploy"
"database_gateway_readonly"
"database_middleware"
"database_middleware_deploy"
"database_middleware_readonly"
"database_keyserver_deploy"
"database_keyserver"
"database_tiqr"
"database_tiqr_deploy"
"database_u2f"
"manage_kibana"
"database_webauthn"
"database_webauthn_deploy"
)
# Length of generated secrets in characters
SECRET_LENGTH=40
# List of secrets to generate. Specify the filename of the secret file to create. Secrets are
# stored in the "secret" directory
SECRETS=(
"gateway"
"middleware"
"ra"
"selfservice"
"tiqr"
"keyserver_secret"
"keyserver_consumerkey"
"keyserver_encryptionkey"
"webauthn"
"azuremfa"
)
# TODO: Set SAML_O to a descriptive name of your environment
# SAML_O is used as "Organization" in the ditinguished names (DNs) of the SAML signing certificates
SAML_O="Development VM"
# List of self signed certificates to generate. Format: "<basename>:<DN>"
# Where:
# - <filename> is the basename used for the certificate an key on disk
# - <DN> is the distinguised name of the certificate in OpenSSL format
#
# Because they are selfsigned, this certificates are perfect signing
# SAML messages
SAML_CERTS=(
"gateway_saml_idp:/CN=Gateway SAML IdP/O=${SAML_O}"
"gateway_saml_sp:/CN=Gateway SAML SP/O=${SAML_O}"
"selfservice_saml_sp:/CN=SelfService SAML SP/O=${SAML_O}"
"ra_saml_sp:/CN=RA SAML SP/O=${SAML_O}"
# The simplesaml certificates are used by the dev role only
"simplesaml_idp:/CN=simplesaml IdP/O=${SAML_O}"
"simplesaml_sp:/CN=simplesaml SP/O=${SAML_O}"
"simplesaml_sp2:/CN=simplesaml SP2/O=${SAML_O}"
# GSSP
# The four SAML signing certificates below are used to proxy GSSP SAML requests and responses through
# the Stepup-Gateway.
#
# GSSPs: Stepup-Gateway: Selfservice and RA
# tiqr_idp ---\ /-- selfservice_gssp_sp
# webauth_idp ----- gateway_gssp_sp <-> gateway_gssp_idp --
# xxx_idp ---/ \-- ra_gssp_sp
"selfservice_gssp_sp:/CN=SelfService GSSP SP/O=${SAML_O}"
"ra_gssp_sp:/CN=RA GSSP SP/O=${SAML_O}"
"gateway_gssp_idp:/CN=Gateway Tiqr IdP/O=${SAML_O}"
"gateway_gssp_sp:/CN=Gateway Tiqr SP/O=${SAML_O}"
# This is the SAML signing certificate of the Tiqr GSSP IdP
"tiqr_idp:/CN=Tiqr GSSP IdP/O=${SAML_O}"
# This is the SAML signing certificate of the Webauthn GSSP IdP
"webauthn_idp:/CN=Webauthn GSSP IdP/O=${SAML_O}"
# This is the SAML signing certificate of the Azure-MFA GSSP IdP
"azuremfa_idp:/CN=Azure-MFA GSSP IdP/O=${SAML_O}"
# These are the SAML signing certificates of the Demo GSSP IdPs
"demo_gssp_idp:/CN=Demo GSSP IdP/O=${SAML_O}"
"demo_gssp_2_idp:/CN=Demo GSSP 2 IdP/O=${SAML_O}"
)
# These SSL/TLS certificates are for testing / development purposes only
# SSL_DOMAIN is used to generate the vhost names (see SSL_CERTS below)
#TODO: Update SSL_DOMAIN to what you are using
SSL_DOMAIN='stepup.example.com' # Domain for SSL certs
#TODO: Update SSL_O and SSL_C to what you are using
SSL_O='Development VM' # Organisation for SSL certs
SSL_C='NL' # Country for SSL certs
# Distinguised name of the Root CA certificate for issuing the SSL certificates
SSL_ROOT_DN="/CN=Root CA/O=${SSL_O}/C=${SSL_C}" # DN for SSL root CA
# TODO: change CN part of the certificate DN to what you are using
# This should match what is configured in *_vhost_name group_vars/all.yml
# List of SSL/TLS certificates to generate. Format: "<basename>:<DN>"
# Where:
# - <filename> is the basename used for the certificate an key on disk
# - <DN> is the subject distinguished name of the certificate in OpenSSL format
SSL_CERTS=(
"gateway:/CN=gateway.${SSL_DOMAIN}/O=${SSL_O}/C=${SSL_C}"
"ra:/CN=ra.${SSL_DOMAIN}/O=${SSL_O}/C=${SSL_C}"
"selfservice:/CN=selfservice.${SSL_DOMAIN}/O=${SSL_O}/C=${SSL_C}"
"manage:/CN=manage.${SSL_DOMAIN}/O=${SSL_O}/C=${SSL_C}"
"middleware:/CN=middleware.${SSL_DOMAIN}/O=${SSL_O}/C=${SSL_C}"
"tiqr:/CN=tiqr.${SSL_DOMAIN}/O=${SSL_O}/C=${SSL_C}"
"webauthn:/CN=webauthn.${SSL_DOMAIN}/O=${SSL_O}/C=${SSL_C}"
"azuremfa:/CN=azuremfa.${SSL_DOMAIN}/O=${SSL_O}/C=${SSL_C}"
"keyserver:/CN=keyserver.${SSL_DOMAIN}/O=${SSL_O}/C=${SSL_C}"
"simplesaml:/CN=simplesaml.${SSL_DOMAIN}/O=${SSL_O}/C=${SSL_C}"
"demo-gssp:/CN=demo-gssp.${SSL_DOMAIN}/O=${SSL_O}/C=${SSL_C}"
"demo-gssp-2:/CN=demo-gssp-2.${SSL_DOMAIN}/O=${SSL_O}/C=${SSL_C}"
)
### SSH keys ###
# List of ssh keypairs to generate. Format: "<basename>"
# Where:
# - <basename> is the basename used for the private and public key on disk
SSH_KEYS=(
"deploy"
)