Commit 6c628d6a authored by Martin van Es's avatar Martin van Es

Merge branch 'martin' into 'main'

Martin

See merge request !1
parents e7e45e84 1f80f68e
files/*.crt
files/*.key
inventory/group_vars/all.yml
inventory/group_vars/geodns.yml inventory/group_vars/geodns.yml
inventory/group_vars/mdsigner.yml
.ssh/id_* .ssh/id_*
Download GeoLite2 DB's from https://dev.maxmind.com/geoip/geolite2-free-geolocation-data This directory should contain:
* GeoDNS config in yaml format
* mdsigner signing certificates (key_spec/cert_spec)
...@@ -2,37 +2,27 @@ ...@@ -2,37 +2,27 @@
tld: srv.mdx.incubator.geant.org tld: srv.mdx.incubator.geant.org
hosts: proxies:
et2: et2:
hostname: srv1 hostname: srv1
altname: 'server-md2.et2.com' alias: 'server-md2.et2.com'
mdsigner:
test:
signer: hsm_signer
metadir: metadata/test
mdproxy: mdproxy:
test: test:
signer: 'http://localhost:5001' signer: 'http://localhost:5001'
altname: 'test-md.et2.com' realm_alias: 'test-md.et2.com'
edugain: edugain:
signer: 'http://srv2-signer.srv.mdx.incubator.geant.org' signer: 'http://srv2-signer.srv.mdx.incubator.geant.org'
altname: 'edugain-md.et2.com' realm_alias: 'edugain-md.et2.com'
mdxcdn: mdxcdn:
hostname: srv2 hostname: srv2
altname: 'server-md2.et2.com' alias: 'server-md2.et2.com'
mdsigner:
edugain:
signer: hsm_signer
metadir: metadata/edugain
mdproxy: mdproxy:
test: test:
signer: 'http://srv1-signer.srv.mdx.incubator.geant.org' signer: 'http://srv1-signer.srv.mdx.incubator.geant.org'
altname: 'test-md.foobar.com' realm_alias: 'test-md.foobar.com'
edugain: edugain:
signer: 'http://localhost:5001' signer: 'http://localhost:5001'
...@@ -42,20 +32,15 @@ hosts: ...@@ -42,20 +32,15 @@ hosts:
mdproxy: mdproxy:
test: test:
signer: 'http://srv1-signer.srv.mdx.incubator.geant.org' signer: 'http://srv1-signer.srv.mdx.incubator.geant.org'
altname: 'test-md.barfoo.com' realm_alias: 'test-md.barfoo.com'
edugain: edugain:
signer: 'http://srv2-signer.srv.mdx.incubator.geant.org' signer: 'http://srv2-signer.srv.mdx.incubator.geant.org'
alternative-mdx: alternative-mdx:
hostname: srv4 hostname: srv4
altname: 'server-md.example.com' alias: 'server-md.example.com'
mdsigner:
foobar:
signer: normal_signer
metadir: metadata/test
mdproxy: mdproxy:
edugain: edugain:
signer: 'http://srv2-signer.srv.mdx.incubator.geant.org' signer: 'http://srv2-signer.srv.mdx.incubator.geant.org'
altname: 'edugain-md.blabla.com' realm_alias: 'edugain-md.blabla.com'
geodns_licence: *************
---
signers_tld: srv.mdx.incubator.geant.org
signers:
et2:
hostname: srv1
alias: mdx.et2.hu
mdsigner:
test:
name: hsm_signer
key_spec: pkcs11:///usr/lib/softhsm/libsofthsm2.so/test?pin=secret
mdxcdn:
hostname: srv2
alias: mdx.cdn.nl
mdsigner:
edugain:
name: hsm_signer
key_spec: pkcs11:///usr/lib/softhsm/libsofthsm2.so/test?pin=secret
alternative-mdx:
hostname: srv3
alias: mdx.alternative.nl
mdsigner:
test:
name: normal_signer
key_spec: "test.key"
cert_spec: "test.crt"
foobar:
name: hsm_signer
key_spec: pkcs11:///usr/lib/softhsm/libsofthsm2.so/test?pin=secret
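Review bot: The HSM PIN is written in clear in `key_spec: pkcs11:///usr/lib/softhsm/libsofthsm2.so/test?pin=secret` for the et2, mdxcdn and foobar signers, and the same string is later rendered into the on-host mdsigner config. The .gitignore hunk above adds inventory/group_vars/mdsigner.yml, so this file may be meant as a local-only copy, but group_vars content routinely ends up in VCS and in Ansible task output; I would move the PIN into a vaulted variable, e.g. `key_spec: "pkcs11:///usr/lib/softhsm/libsofthsm2.so/test?pin={{ hsm_pin }}"` with `hsm_pin` in an ansible-vault file, and set `no_log: true` on the tasks that render it. Two things look worth confirming rather than defects: all three HSM entries use the same token label `test`, and `alternative-mdx` is `hostname: srv3` here while the proxies file has it as `srv4`.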
{% if hosts[inventory_hostname].get('mdsigner') %} {% if signers is defined and signers[inventory_hostname].get('mdsigner') %}
# Signer configuration
<VirtualHost *:80> <VirtualHost *:80>
ServerName {{ hosts[inventory_hostname]['hostname'] }}-signer.{{ tld }} ServerName {{ signers[inventory_hostname]['hostname'] }}-signer.{{ signers_tld }}
{% if hosts[inventory_hostname].get('altname') %} {% if signers[inventory_hostname].get('alias') %}
ServerAlias {{ hosts[inventory_hostname]['altname'] }} ServerAlias {{ signers[inventory_hostname]['alias'] }}
{% endif %} {% endif %}
DocumentRoot /var/www/html DocumentRoot /var/www/html
AllowEncodedSlashes NoDecode AllowEncodedSlashes NoDecode
ProxyPass "/" "http://127.0.0.1:5001/" nocanon ProxyPass "/" "http://127.0.0.1:5001/" nocanon
ProxyPassReverse "/" "http://127.0.0.1:5001/" ProxyPassReverse "/" "http://127.0.0.1:5001/"
</VirtualHost> </VirtualHost>
{% endif %}
{% if hosts[inventory_hostname].get('mdproxy') %} {% endif %}
{% if proxies is defined and proxies[inventory_hostname].get('mdproxy') %}
# Global proxy configuration
<VirtualHost *:80> <VirtualHost *:80>
ServerName {{ hosts[inventory_hostname]['hostname'] }}-proxy.{{ tld }} ServerName {{ proxies[inventory_hostname]['hostname'] }}-proxy.{{ tld }}
{% if proxies[inventory_hostname].get('alias') %}
ServerAlias {{ proxies[inventory_hostname]['alias'] }}
{% endif %}
DocumentRoot /var/www/html DocumentRoot /var/www/html
AllowEncodedSlashes NoDecode AllowEncodedSlashes NoDecode
ProxyPass "/" "http://127.0.0.1:5002/" nocanon ProxyPass "/" "http://127.0.0.1:5002/" nocanon
ProxyPassReverse "/" "http://127.0.0.1:5002/" ProxyPassReverse "/" "http://127.0.0.1:5002/"
</VirtualHost> </VirtualHost>
{% set mdproxy = hosts[inventory_hostname]['mdproxy'] %} {% set mdproxy = proxies[inventory_hostname]['mdproxy'] %}
# Realm specific proxy configuration
{% for realm, values in mdproxy.items() %} {% for realm, values in mdproxy.items() %}
<VirtualHost *:80> <VirtualHost *:80>
ServerName proxy-{{ realm }}.{{ tld }} ServerName proxy-{{ realm }}.{{ tld }}
{% if values.get('altname') %} {% if values.get('realm_alias') %}
ServerAlias {{ values['altname'] }} ServerAlias {{ values['realm_alias'] }}
{% endif %} {% endif %}
DocumentRoot /var/www/html DocumentRoot /var/www/html
AllowEncodedSlashes NoDecode AllowEncodedSlashes NoDecode
...@@ -34,3 +40,4 @@ ...@@ -34,3 +40,4 @@
</VirtualHost> </VirtualHost>
{% endfor %} {% endfor %}
{% endif %} {% endif %}
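Review bot: The new guard `{% if signers is defined and signers[inventory_hostname].get('mdsigner') %}` still fails with an undefined-key error on a host that is in the inventory but has no entry in `signers` (the `proxies` guard below has the same shape), because `is defined` only protects the mapping itself; `{% if signers is defined and signers.get(inventory_hostname, {}).get('mdsigner') %}` skips the block cleanly instead. Separately, the signer VirtualHost is plain HTTP on `*:80`, gets a public `ServerAlias`, and carries no `Require` directive, and the proxies' `signer:` URLs in the inventory fetch it over http://, so the signing endpoint is reachable unauthenticated by anything that can route to the host. If that is not intended, add `Require ip <proxy hosts>` inside a `<Location />` block or front the vhost with TLS. I cannot see the mdsigner service itself, so this assumes it has no access control of its own.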
...@@ -4,6 +4,7 @@ ...@@ -4,6 +4,7 @@
state: present state: present
name: name:
- netcat-openbsd - netcat-openbsd
- ansible
- name: Check if go binary exists - name: Check if go binary exists
stat: stat:
......
--- ---
- name: Install packages
apt:
state: present
name:
- ansible
- name: Clone MDX-SAAS-config repository - name: Clone MDX-SAAS-config repository
ansible.builtin.git: ansible.builtin.git:
......
--- ---
{{ hosts[inventory_hostname]['mdproxy'] | tojson }} {% set mdproxies = proxies[inventory_hostname]['mdproxy'] %}
{% for realm, values in mdproxies.items() %}
{{ realm }}:
signer: {{ values['signer'] }}
{% endfor %}
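Review bot: `signer: {{ values['signer'] }}` emits the URL as a plain YAML scalar, so a value containing ` #`, starting with an indicator character, or left empty would silently change meaning, whereas the old `tojson` output was always well-formed; `signer: {{ values['signer'] | to_json }}` keeps the rendered file valid for any string. The realm key `{{ realm }}:` has the same exposure if a realm name ever looks like a boolean or number, so `{{ realm | to_json }}:` is the safer form there too.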
- name: check wheter we can copy certificates
ansible.builtin.stat:
path: "{{ playbook_dir }}/files/{{ item.value.key_spec }}"
delegate_to: localhost
become: no
register: key_spec
- name: Copy certificates when key_spec exists
block:
- name: Copy Key spec
ansible.builtin.copy:
src: "{{ item.value.key_spec }}"
dest: "{{ altmdx_dir }}/{{ item.value.key_spec }}"
- name: Copy Cert spec
ansible.builtin.copy:
src: "{{ item.value.cert_spec }}"
dest: "{{ altmdx_dir }}/{{ item.value.cert_spec }}"
when: key_spec.stat.exists
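Review bot: The two `ansible.builtin.copy` tasks write the metadata-signing private key and certificate with no `owner`, `group` or `mode`, so `test.key` lands with whatever the default umask gives (commonly world-readable 0644). Add `mode: '0600'` to the key copy and set `owner`/`group` to the account that runs mdsigner; the certificate can stay readable. The block-level `when: key_spec.stat.exists` also lets the cert copy run for an entry that has a `key_spec` file but no `cert_spec`, which fails on an undefined variable — guard that task with `when: item.value.cert_spec is defined` or stat both files. Registering the stat result as `key_spec` while the loop data also has a `key_spec` field reads confusingly; a name such as `key_file` would help.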
...@@ -22,22 +22,11 @@ ...@@ -22,22 +22,11 @@
path: "{{ altmdx_metadir }}/{{ item.key }}" path: "{{ altmdx_metadir }}/{{ item.key }}"
state: directory state: directory
mode: '0755' mode: '0755'
with_dict: "{{ hosts[inventory_hostname]['mdsigner'] }}" with_dict: "{{ signers[inventory_hostname]['mdsigner'] }}"
- name: Check existence of metadata signing cert - name: Copy certificates
stat: include_tasks: certificates.yml
path: "{{ altmdx_metadir }}/meta.crt" loop: "{{ signers[inventory_hostname]['mdsigner'] | dict2items }}"
register: mdcert
- name: create self-signed Metadata Signing SSL certs
shell: >
openssl genrsa -out "{{ altmdx_dir }}/meta.key" 2048;
openssl req -new -nodes -x509 -subj "/C=NL/CN=metadata"
-days 3650 -key "{{ altmdx_dir }}/meta.key"
-out "{{ altmdx_dir }}/meta.crt" -extensions v3_ca
args:
creates: "{{ altmdx_dir }}/meta.crt"
when: not mdcert.stat.exists
- name: Copy mdsigner service files - name: Copy mdsigner service files
ansible.builtin.template: ansible.builtin.template:
......
--- ---
{{ hosts[inventory_hostname]['mdsigner'] | to_yaml }} {% set mdsigners = signers[inventory_hostname]['mdsigner'] %}
{% for realm, values in mdsigners.items() %}
{{ realm }}:
signer:
name: {{ values['name'] }}
key_spec: {{ values.key_spec }}
cert_spec: {{ values.get('cert_spec') }}
metadir: metadata/{{ realm }}
{% endfor %}
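Review bot: `cert_spec: {{ values.get('cert_spec') }}` renders the literal text `None` for the hsm_signer entries that carry no cert_spec, and YAML reads that as the string "None" rather than null, so the consumer will look for a certificate file literally named None. `cert_spec: {{ values.get('cert_spec') | to_json }}` yields `null` when the key is absent and a quoted string otherwise; the same filter on `key_spec: {{ values.key_spec }}` also protects the pkcs11 URI from any YAML-special characters. Because the rendered file carries the HSM PIN from `key_spec`, check that the template task that writes it uses a restrictive `mode` and `no_log: true`; that task is outside this section, so I cannot confirm it here.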